
I configured the NRPE daemon (/usr/local/nagios/etc/nrpe.cfg) in debug mode because of some startup problems, and I realized that the ::1 found by default in the allowed_hosts directive:

allowed_hosts=127.0.0.1,::1,10.252.1.134

is magically turned into 52.0.0.0/14 according to the log:

Sep  6 08:56:44 myhost nrpe[30830]: Warning: Cannot open log file '/usr/local/nagios/var/nrpe.log' for writing
Sep  6 08:56:44 myhost nrpe[30830]: parse_allowed_hosts: parsing the allowed host string >127.0.0.1,::1,10.252.1.134< to add to ACL list
Sep  6 08:56:44 myhost nrpe[30830]: add_ipv4_to_acl: checking ip-address >127.0.0.1<
Sep  6 08:56:44 myhost nrpe[30830]: add_ipv4_to_acl: ip-address >127.0.0.1< correct, adding.
Sep  6 08:56:44 myhost nrpe[30830]: add_ipv4_to_acl: checking ip-address >10.252.1.134<
Sep  6 08:56:44 myhost nrpe[30830]: add_ipv4_to_acl: ip-address >10.252.1.134< correct, adding.
Sep  6 08:56:44 myhost nrpe[30830]: Showing ACL lists for both IP and DOMAIN acl's:
Sep  6 08:56:44 myhost nrpe[30830]:    IP ACL: 127.0.0.1/32 16777343
Sep  6 08:56:44 myhost nrpe[30830]:    IP ACL: 52.0.0.0/14 52
Sep  6 08:56:44 myhost nrpe[30830]:    IP ACL: 10.252.1.134/32 4269145354
Sep  6 08:56:44 myhost nrpe[30830]: INFO: SSL/TLS initialized. All network traffic will be encrypted.
Sep  6 08:56:44 myhost nrpe[30830]: Starting up daemon

Is there any explanation for that?

NRPE version is 3.2.0

Jdamian
  • The log seems to suggest that it ignores (doesn't process) `::1`, so most likely this version doesn't support IPv6. Also, `52.0.0.0/14` appears to be an Amazon address, so a speculative guess is that it's obtaining this from something relating to the host it's running on (network interface?), but I have no idea why it would be doing so. – parkamark Sep 06 '17 at 10:38
  • Does the host have an IPv6 loopback interface, and is it up? E.g., can you ping it? – Keith Sep 06 '17 at 20:56
  • @Keith, yes. The hosts have an IPv6 loopback interface and it is up. It is *ping*able. – Jdamian Sep 08 '17 at 08:54

1 Answer

After a quick glance at the source code (acl.c) I have found two issues:

  1. Unlike the add_ipv4_to_acl function, the add_ipv6_to_acl function hardly shows any message in debug mode because of the lack of calls to the logit() function. The add_ipv6_to_acl function has no logit() call when the IPv6 address is accepted, similar to this one:

    if(debug == TRUE)
      logit(LOG_INFO, "add_ipv4_to_acl: ip-address >%s< correct, adding.", ipv4);
    

    Note: the lines shown are the last ones in the add_ipv4_to_acl function.

    That is why there is no line reporting >::1< correct, adding. in the log in debug mode.

  2. The function show_acl_lists(), which displays the IP address list, uses the inet_ntoa() call. But, according to the manual pages, this function deals with IPv4 addresses, not with IPv6 ones:

    while (ip_acl_curr != NULL) {
            logit(LOG_INFO, "   IP ACL: %s/%u %u\n", inet_ntoa(ip_acl_curr->addr),
                  prefix_from_mask(ip_acl_curr->mask), ip_acl_curr->addr.s_addr);
            ip_acl_curr = ip_acl_curr->next;
    }
    

Therefore I guess the problem here is that the 52.0.0.0/14 is the output of the inet_ntoa() function when an IPv6 address structure is used instead of an IPv4 address structure.

Yet I still have not compared both structures.

Update 1

After installing NRPE on another node, with 4 IP addresses in the allowed_hosts directive, the ACL list entry shown for ::1 is different -- now it is 0.0.0.0/20:

Showing ACL lists for both IP and DOMAIN acl's:
IP ACL: 127.0.0.1/32 16777343
IP ACL: 0.0.0.0/20 0
IP ACL: 10.252.1.134/32 4269145354
IP ACL: 10.252.1.135/32 896662794
Jdamian
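The following C program is an added example, not code from NRPE or from the answer above. It reproduces the effect the answer describes with a hypothetical ACL entry that keeps an IPv4 address/mask pair and an IPv6 address/mask pair side by side (the field names are assumptions, not NRPE's acl.c layout). For each allowed host it prints the entry two ways: the way the quoted show_acl_lists() does, i.e. inet_ntoa() applied to the four-byte IPv4 field no matter which family the entry holds, and the family-aware way with inet_ntop() plus a prefix length computed over the mask of the right width. Because inet_ntoa() only ever sees four bytes, the "IPv6 structure read as IPv4" view of ::1 is 0.0.0.0, which matches the update above; the two different outputs in the thread (52.0.0.0/14 on one host, 0.0.0.0/20 on another) are also what you would expect if the IPv4 fields of an IPv6 entry are simply never written and contain leftover memory, but that is an inference from the log, not something the thread confirms. The sample hosts are the ones from the question's allowed_hosts line.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical ACL entry (assumed layout, not NRPE's struct): one IPv4
 * address/mask pair and one IPv6 address/mask pair, plus the family that
 * says which pair is meaningful. */
typedef struct {
    int family;                    /* AF_INET or AF_INET6 */
    struct in_addr  addr, mask;    /* valid only when family == AF_INET  */
    struct in6_addr addr6, mask6;  /* valid only when family == AF_INET6 */
} acl_entry;

/* Fill `len` mask bytes with `prefix` leading one bits (e.g. 20 -> ff ff f0 00). */
static void mask_from_prefix(unsigned char *m, size_t len, unsigned prefix)
{
    memset(m, 0, len);
    for (size_t i = 0; i < len && prefix > 0; i++) {
        unsigned bits = prefix >= 8 ? 8 : prefix;
        m[i] = (unsigned char)(0xFFu << (8 - bits));
        prefix -= bits;
    }
}

/* Count leading one bits of a mask of any width: a family-agnostic prefix_from_mask(). */
static unsigned prefix_from_bytes(const unsigned char *m, size_t len)
{
    unsigned n = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char b = m[i];
        if (b == 0xFF) { n += 8; continue; }
        while (b & 0x80) { n++; b <<= 1; }
        break;
    }
    return n;
}

/* Parse an address plus prefix length into an entry. Returns 0 on success, -1 on bad input.
 * Every field is zeroed first so that the unused pair never holds stale memory. */
int acl_from_string(const char *ip, unsigned prefix, acl_entry *e)
{
    memset(e, 0, sizeof *e);
    if (inet_pton(AF_INET, ip, &e->addr) == 1) {
        if (prefix > 32) return -1;
        e->family = AF_INET;
        mask_from_prefix((unsigned char *)&e->mask, 4, prefix);
        return 0;
    }
    if (inet_pton(AF_INET6, ip, &e->addr6) == 1) {
        if (prefix > 128) return -1;
        e->family = AF_INET6;
        mask_from_prefix((unsigned char *)&e->mask6, 16, prefix);
        return 0;
    }
    return -1;
}

/* What the quoted show_acl_lists() effectively does: inet_ntoa() on a struct in_addr
 * regardless of family. To model "an IPv6 structure used instead of an IPv4 one" we
 * alias the first four of the sixteen IPv6 bytes, which is all inet_ntoa() can see.
 * inet_ntoa() returns a static buffer, exactly as in the original code. */
const char *naive_ipv4_view(const acl_entry *e)
{
    struct in_addr a;
    if (e->family == AF_INET6)
        memcpy(&a, &e->addr6, sizeof a);
    else
        a = e->addr;
    return inet_ntoa(a);
}

/* Family-aware formatting: inet_ntop() with the matching family, prefix from the matching mask. */
int format_acl(const acl_entry *e, char *out, size_t n)
{
    char ip[INET6_ADDRSTRLEN];
    int v6 = e->family == AF_INET6;
    const void *src = v6 ? (const void *)&e->addr6 : (const void *)&e->addr;
    const unsigned char *mask = v6 ? (const unsigned char *)&e->mask6 : (const unsigned char *)&e->mask;
    if (inet_ntop(e->family, src, ip, sizeof ip) == NULL) return -1;
    return snprintf(out, n, "%s/%u", ip, prefix_from_bytes(mask, v6 ? 16 : 4)) < (int)n ? 0 : -1;
}

/* Helper for checks: 1 if both views of `ip`/`prefix` match the expected strings, else 0. */
int check_entry(const char *ip, unsigned prefix, const char *expect_correct, const char *expect_naive)
{
    acl_entry e; char buf[64];
    if (acl_from_string(ip, prefix, &e) != 0 || format_acl(&e, buf, sizeof buf) != 0) return 0;
    return strcmp(buf, expect_correct) == 0 && strcmp(naive_ipv4_view(&e), expect_naive) == 0;
}

int main(void)
{
    /* Constructed from the question's allowed_hosts line. */
    const char *hosts[] = { "127.0.0.1", "::1", "10.252.1.134" };
    const unsigned pfx[] = { 32, 128, 32 };
    for (size_t i = 0; i < 3; i++) {
        acl_entry e; char buf[64];
        if (acl_from_string(hosts[i], pfx[i], &e) != 0) continue;
        format_acl(&e, buf, sizeof buf);
        printf("inet_ntoa view: %-16s  family-aware: %s\n", naive_ipv4_view(&e), buf);
    }
    return 0;
}
```

The point for a practitioner reviewing such code is the branch on family: any display or comparison routine that reaches for the IPv4 field unconditionally will print or match the wrong thing for IPv6 entries, and if the unused fields were never initialised the result will differ from host to host, as the two log excerpts above do.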