[icinga-devel] [patch] IPv6 support for nrpe and check_nrpe

Florian Obser florian at narrans.de
Sun Aug 22 11:25:11 CEST 2010


the attached 700+ lines monstrosity implements IPv6 support for nrpe
and check_nrpe by switching socket related code to getaddrinfo.

As getaddrinfo expects a char* as second argument for the service name
from /etc/services or decimal port it's more convenient to treat the
port as string from configure.in downwards.

Because of the switch to getaddrinfo in wait_for_connections
(src/nrpe.c) it's now possible to configure a name for
server_address. However depending on you DNS configuration this might
not result in what you expect. If you have an AAAA and A
record for the name you will only get an IPv6 socket because
wait_for_connections only accepts on the *first* addrinfo to which it
can bind.
There is a similar problem with leaving server_address empty. This
will result in a socket listening on in6addr_any. On a default
GNU/Linux installation you get a socket listening on IPv4 and IPv6
because IPv4 connects are mapped to the IPv6 socket. This behavior can
be changed in /proc. On systems like OpenBSD which by choice do not
implement this mapping you will only get an IPv6 socket.
In any case it appears to be best to configure an explicit IP address
for server_address.

is_an_allowed_host (src/nrpe.c) now compares sockaddr structs using
new helper function sockaddr_equal (src/utils.c).

get_ip_str and get_port helper functions (src/utils.c) were taken from
/ inspired by Owen DeLong's IPv6 Porting Information
( http://owend.corp.he.net/ipv6/ ).
sockaddr_equal was inspired by similar code in samba

The patch tries to mimic the style of the surrounding code, e.g. no
line breaks after 80 characters, closing brackets on the same level as
the containing block.

We are using the patch in production at the company I work for since
about a week. We are monitoring approximately 400 hosts and each host
has at least four check_nrpe checks. We replaced the check_nrpe binary
with the patched version so all check_nrpe checks use the patch.
We are using the patched nrpe daemon on three IPv6 only hosts and on
one dual stacked host. All other hosts use the unpatched nrpe daemon
from nagios.
So far we didn't see any problems.

The patch was tested on OpenBSD 4.7 and Debian Lenny. Additionally 10k
checks were send to the nrpe daemon in a tight loop and no memory leak
was observed. (If there are leaks they should be contained in forked
processes which die quickly.)

I tried to send the patch inline and while my mail client didn't touch
the long lines it non the less managed to mangle the patch in ways
that it would no longer apply. If the attachment is filtered / lost
you can pull from:

Best regards,

-------------- next part --------------
A non-text attachment was scrubbed...
Name: nrpe-ipv6.patch
Type: text/x-patch
Size: 19533 bytes
Desc: not available
URL: <http://lists.icinga.org/pipermail/icinga-devel/attachments/20100822/e95be21d/attachment.bin>

More information about the icinga-devel mailing list