authortrasz <trasz@FreeBSD.org>2014-02-11 11:08:04 +0000
committertrasz <trasz@FreeBSD.org>2014-02-11 11:08:04 +0000
commitfec3636fbdc2e427a2cc2fa123981ec14a638897 (patch)
treef51dedf1cfe734349e231d42297d4f3be11dbfae /usr.sbin/ctld/login.c
parentb84432b20cfa69f9c2d4d1bbe92ddf04e101e92d (diff)
Implement initiator-name and initiator-portal restrictions.
Sponsored by: The FreeBSD Foundation
Diffstat (limited to 'usr.sbin/ctld/login.c')
-rw-r--r--usr.sbin/ctld/login.c27
1 files changed, 27 insertions, 0 deletions
diff --git a/usr.sbin/ctld/login.c b/usr.sbin/ctld/login.c
index 758138f..662f84f 100644
--- a/usr.sbin/ctld/login.c
+++ b/usr.sbin/ctld/login.c
@@ -936,6 +936,33 @@ login(struct connection *conn)
}
/*
+ * Enforce initiator-name and initiator-portal.
+ */
+ if (auth_name_defined(ag)) {
+ if (auth_name_find(ag, initiator_name) == NULL) {
+ login_send_error(request, 0x02, 0x02);
+ log_errx(1, "initiator does not match allowed "
+ "initiator names");
+ }
+ log_debugx("initiator matches allowed initiator names");
+ } else {
+ log_debugx("auth-group does not define initiator name "
+ "restrictions");
+ }
+
+ if (auth_portal_defined(ag)) {
+ if (auth_portal_find(ag, conn->conn_initiator_addr) == NULL) {
+ login_send_error(request, 0x02, 0x02);
+ log_errx(1, "initiator does not match allowed "
+ "initiator portals");
+ }
+ log_debugx("initiator matches allowed initiator portals");
+ } else {
+ log_debugx("auth-group does not define initiator portal "
+ "restrictions");
+ }
+
+ /*
* Let's see if the initiator intends to do any kind of authentication
* at all.
*/
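Review bot: The name check at `auth_name_find(ag, initiator_name)` compares a value the initiator declares about itself, and it runs before the authentication step that the next comment introduces, so on its own it filters misconfigured peers rather than proving identity. The block comment should say so, for example `* initiator_name is supplied by the peer and is not authenticated at this point; combine initiator-name with CHAP or initiator-portal when it is meant as access control.` Both rejection paths also rely on `log_errx(1, ...)` not returning: if it ever did, execution would fall through to the "initiator matches" debug line and the login would continue, so that assumption deserves a short comment. The `0x02, 0x02` pair passed to `login_send_error` would read better as named constants (in RFC 3720 this class/detail pair is Initiator Error / Authorization Failure). login()'s body starts and ends outside the hunk, so where `ag` and `initiator_name` come from is not visible here.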