author: Laurent Bercot <ska-skaware@skarnet.org> 2023-11-18 04:17:07 +0000
committer: Laurent Bercot <ska@appnovation.com> 2023-11-18 04:17:07 +0000
commit: 06b1f4f397d53e9a4c9abe4c8c4c20a7240e7736
tree: 05b93d967f6a946a7e0e2395399405c4ec12e3a9 /doc
parent: df6d3fae47a106b70dd9e073d0e60989cd182f79
download: s6-networking-06b1f4f397d53e9a4c9abe4c8c4c20a7240e7736.tar.xz
/etc/hosts support for s6-tcpclient and s6-tcpserver-access
Signed-off-by: Laurent Bercot <ska@appnovation.com>
Diffstat (limited to 'doc')
-rw-r--r-- doc/s6-tcpclient.html 13
-rw-r--r-- doc/s6-tcpserver-access.html 12
-rw-r--r-- doc/s6-tlsclient.html 5
-rw-r--r-- doc/s6-tlsserver.html 5
-rw-r--r-- doc/upgrade.html 7
5 files changed, 30 insertions, 12 deletions
diff --git a/doc/s6-tcpclient.html b/doc/s6-tcpclient.html
index 0ec9220..0421524 100644
--- a/doc/s6-tcpclient.html
+++ b/doc/s6-tcpclient.html
@@ -28,7 +28,7 @@ then executes into a program.
<h2> Interface </h2>
<pre>
- s6-tcpclient [ -q | -Q | -v ] [ -4 | -6 ] [ -d | -D ] [ -r | -R ] [ -h | -H ] [ -n | -N ] [ -t <em>timeout</em> ] [ -l <em>localname</em> ] [ -T <em>timeoutconn</em> ] [ -i <em>localip</em> ] [ -p <em>localport</em> ] <em>host</em> <em>port</em> <em>prog...</em>
+ s6-tcpclient [ -q | -Q | -v ] [ -4 | -6 ] [ -d | -D ] [ -r | -R ] [ -h ] [ -H ] [ -n | -N ] [ -t <em>timeout</em> ] [ -l <em>localname</em> ] [ -T <em>timeoutconn</em> ] [ -i <em>localip</em> ] [ -p <em>localport</em> ] <em>host</em> <em>port</em> <em>prog...</em>
</pre>
<ul>
@@ -98,10 +98,13 @@ IDENT protocol. This is obsolete and unreliable, and should only be used for
compatibility with legacy programs. </li>
<li> <tt>-R</tt>&nbsp;: do not use the IDENT protocol. This is the
default. </li>
- <li> <tt>-h</tt>&nbsp;: try and obtain the remote host name via DNS.
-This is the default. </li>
- <li> <tt>-H</tt>&nbsp;: do not try and obtain the remote host name
-via DNS. </li>
+ <li> <tt>-h</tt>&nbsp;: Consult the <tt>/etc/hosts</tt> database before
+performing DNS queries. The default, when this option is not given, is to
+ignore <tt>/etc/hosts</tt>. The <tt>-H</tt> option overrides <tt>-h</tt> and
+voids any kind of lookup. </li>
+ <li> <tt>-H</tt>&nbsp;: do not try and obtain the local or remote host names
+via DNS. The default, when this option is not given, is to look up the
+local and remote host IPs in the DNS database to get the corresponding names. </li>
<li> <tt>-n</tt>&nbsp;: qualify <em>host</em> when resolving it to
find suitable IP addresses. This is the default. </li>
<li> <tt>-N</tt>&nbsp;: do not qualify <em>host</em>. </li>
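Review bot: In the new -h item, "voids any kind of lookup" is broader than what the -H item below it states. The -H item scopes itself to the local and remote host names and mentions only DNS, so a reader cannot tell whether -H also stops host from being resolved to IP addresses (the -n / -N items), or whether -h applies to that forward resolution at all. Suggest naming the lookups each option covers in both items, and having the -H item itself say that it also suppresses /etc/hosts consultation rather than leaving that to the -h item. Minor: "Consult" is capitalized while the neighbouring items start in lowercase.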
diff --git a/doc/s6-tcpserver-access.html b/doc/s6-tcpserver-access.html
index 4ef3302..cdbecfb 100644
--- a/doc/s6-tcpserver-access.html
+++ b/doc/s6-tcpserver-access.html
@@ -30,7 +30,7 @@ just like tcpwrappers' <tt>tcpd</tt> program.
<h2> Interface </h2>
<pre>
- s6-tcpserver-access [ -v <em>verbosity</em> ] [ -W | -w ] [ -D | -d ] [ -H | -h ] [ -R | -r ] [ -P | -p ] [ -l <em>localname</em> ] [ -B <em>banner</em> ] [ -t <em>timeout</em> ] [ -i <em>rulesdir</em> | -x <em>rulesfile</em> ] <em>prog...</em>
+ s6-tcpserver-access [ -v <em>verbosity</em> ] [ -W | -w ] [ -D | -d ] [ -H ] [ -h ] [ -R | -r ] [ -P | -p ] [ -l <em>localname</em> ] [ -B <em>banner</em> ] [ -t <em>timeout</em> ] [ -i <em>rulesdir</em> | -x <em>rulesfile</em> ] <em>prog...</em>
</pre>
<ul>
@@ -106,8 +106,14 @@ drop the connection. </li>
flag on the network socket. </li>
<li> <tt>-d</tt>&nbsp;: enable Nagle's algorithm. This is the default. </li>
<li> <tt>-H</tt>&nbsp;: disable DNS lookups for the ${PROTO}LOCALHOST and
-${PROTO}REMOTEHOST environment variables. </li>
- <li> <tt>-h</tt>&nbsp;: enable DNS lookups. This is the default. </li>
+${PROTO}REMOTEHOST environment variables. The default, when this option
+is not given, is to try and read them from DNS. </li>
+ <li> <tt>-h</tt>&nbsp;: consult <tt>/etc/hosts</tt> before DNS. The default,
+when this option is not given, is to ignore <tt>/etc/hosts</tt>. Note 1:
+the <tt>-H</tt> option overrides this one, no DNS lookups means that the
+hosts database won't be consulted either. Note 2: if a name is obtained
+via the hosts database instead of DNS, any <tt>-p</tt> checks will be
+disabled for it. </li>
<li> <tt>-R</tt>&nbsp;: disable IDENT lookups for the ${PROTO}REMOTEINFO
environment variable. This is the default. </li>
<li> <tt>-r</tt>&nbsp;: enable IDENT lookups. This should only be done
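Review bot: Note 2 in the new -h item changes what -p guarantees and is easy to miss as the closing sentence of the paragraph: once -h is given, a name obtained from /etc/hosts skips the -p checks even when -p is on the command line. Suggest giving it its own sentence or list item, saying which of the ${PROTO}LOCALHOST and ${PROTO}REMOTEHOST variables it applies to, and cross-referencing it from the -p item, so an administrator who relies on -p knows that adding -h changes what gets checked. Note 1 is also a comma splice; "overrides this one: no DNS lookups means ..." reads better.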
diff --git a/doc/s6-tlsclient.html b/doc/s6-tlsclient.html
index 09276d4..fe92d96 100644
--- a/doc/s6-tlsclient.html
+++ b/doc/s6-tlsclient.html
@@ -130,8 +130,9 @@ generally work: the defaults are sensible.
<li> <tt>-4</tt>, <tt>-6</tt>&nbsp;: stick to IPv4 or IPv6 addresses </li>
<li> <tt>-d</tt>, <tt>-D</tt>&nbsp;: enable or disable Nagle's algorithm </li>
<li> <tt>-r</tt>, <tt>-R</tt>&nbsp;: enable or disable IDENT lookup </li>
- <li> <tt>-h</tt>, <tt>-H</tt>&nbsp;: enable or disable DNS lookups </li>
- <li> <tt>-l <em>localname</em></tt>&nbsp;: get the local name from the command line, not from a DNS lookup </li>
+ <li> <tt>-H</tt>&nbsp;: disable DNS lookups </li>
+ <li> <tt>-h</tt>&nbsp;: consult <tt>/etc/hosts</tt> before DNS </li>
+ <li> <tt>-l <em>localname</em></tt>&nbsp;: get the local name from the command line, don't look it up </li>
<li> <tt>-n</tt>, <tt>-N</tt>&nbsp;: qualify the host or not when resolving it </li>
<li> <tt>-t <em>timeout</em></tt>&nbsp;: global timeout on the connection attempt </li>
<li> <tt>-i <em>localip</em></tt>, <tt>-p <em>localport</em></tt>&nbsp;: force local socket parameters </li>
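Review bot: The two new summary lines for -H and -h omit the precedence rule that the s6-tcpclient change in this same patch spells out, namely that -H overrides -h. Splitting the former "-h, -H" pair into two independent lines makes it look as if the options can be combined freely. Suggest ending the -h line with something like "(ignored if -H is given)", or pointing to the s6-tcpclient page for the full semantics.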
diff --git a/doc/s6-tlsserver.html b/doc/s6-tlsserver.html
index 8713235..6f199e7 100644
--- a/doc/s6-tlsserver.html
+++ b/doc/s6-tlsserver.html
@@ -164,8 +164,9 @@ certificates, you probably still want TCP access rules.
<li> <tt>-d</tt>, <tt>-D</tt>&nbsp;: enable or disable Nagle's algorithm </li>
<li> <tt>-r</tt>, <tt>-R</tt>&nbsp;: enable or disable IDENT lookups </li>
<li> <tt>-p</tt>, <tt>-P</tt>&nbsp;: enable or disable paranoid DNS cross-checking </li>
- <li> <tt>-h</tt>, <tt>-H</tt>&nbsp;: enable or disable DNS lookups </li>
- <li> <tt>-l <em>localname</em></tt>&nbsp;: get the local name from the command line, not from DNS </li>
+ <li> <tt>-H</tt>&nbsp;: disable DNS lookups </li>
+ <li> <tt>-h</tt>&nbsp;: consult <tt>/etc/hosts</tt> before DNS </li>
+ <li> <tt>-l <em>localname</em></tt>&nbsp;: get the local name from the command line, don't look it up </li>
<li> <tt>-B <em>banner</em></tt>&nbsp;: initial server-side banner </li>
<li> <tt>-t <em>timeout</em></tt>&nbsp;: set a timeout for all the lookups </li>
<li> <tt>-i <em>rulesdir</em></tt>, <tt>-x <em>rulesfile</em></tt>&nbsp;: TCP access control </li>
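Review bot: The new -h line sits two lines below the -p line ("paranoid DNS cross-checking") without mentioning that they interact. The s6-tcpserver-access change in this patch says that a name obtained via the hosts database has its -p checks disabled, and that matters to anyone enabling both options here. Suggest adding that to the -h line, for example "names found there are not subject to -p checks", or linking to the s6-tcpserver-access page for the details.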
diff --git a/doc/upgrade.html b/doc/upgrade.html
index 8ae492b..a688976 100644
--- a/doc/upgrade.html
+++ b/doc/upgrade.html
@@ -30,6 +30,13 @@ side. This allows users to invoke it directly when it is relevant. </li>
<a href="s6-tlsc-io.html">s6-tlsc-io</a>. </li>
<li> The <tt>-K</tt> option to TLS programs has slightly changed semantics:
it now indicates a timeout for the whole handshake. </li>
+ <li> The <tt>-h</tt> option to
+<a href="s6-tcpclient.html">s6-tcpclient</a>,
+<a href="s6-tcpserver-access.html">s6-tcpserver-access</a>,
+<a href="s6-tlsclient.html">s6-tlsclient</a>, and
+<a href="s6-tlsserver.html">s6-tlsserver</a>, has changed semantics.
+Previously it was a no-op except to cancel a prior <tt>-H</tt> option.
+Now it means that DNS lookups should also include <tt>/etc/hosts</tt>. </li>
</ul>
<h2> in 2.6.0.0 </h2>
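Review bot: The new upgrade entry describes the new meaning of -h but not the precedence change that comes with it. It says -h used to cancel a prior -H, while the option text elsewhere in this patch says -H now overrides -h, so a command line that passes -H and later -h to turn lookups back on will now run with lookups disabled. Suggest adding a sentence that says so explicitly, and a second one noting that in s6-tcpserver-access names obtained via /etc/hosts are exempt from -p checks, since both are behaviour changes an upgrading administrator needs to audit for.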