From 3b835ea0429e9c034348fa9c1666a81df8ed144f Mon Sep 17 00:00:00 2001 From: Laurent Bercot Date: Mon, 6 Jul 2026 22:15:23 +0000 Subject: Do not imply -w with -p in s6-tcpserver-access --- doc/s6-tcpserver-access.html | 5 +++-- src/conn-tools/s6-tcpserver-access.c | 2 +- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/doc/s6-tcpserver-access.html b/doc/s6-tcpserver-access.html index 3746118..6de1ca6 100644 --- a/doc/s6-tcpserver-access.html +++ b/doc/s6-tcpserver-access.html @@ -123,8 +123,9 @@ for legacy programs that need it.
  • -p : paranoid. After looking up a name for the remote host, s6-tcpserver-access will lookup IP addresses for this name, and drop the connection if none of the results matches the address the connection -is originating from. Note that this still does not replace real -authentication via a cryptographic protocol.
  • +is originating from. For safest results, pair that option with -w +so any DNS error drops the connection. (Note that this still does not replace real +authentication via a cryptographic protocol.)
  • -l localname : use localname as the value for the ${PROTO}LOCALHOST environment variable, instead of looking it up in the DNS.
  • diff --git a/src/conn-tools/s6-tcpserver-access.c b/src/conn-tools/s6-tcpserver-access.c index cd9d1e0..8db7bf9 100644 --- a/src/conn-tools/s6-tcpserver-access.c +++ b/src/conn-tools/s6-tcpserver-access.c @@ -123,7 +123,7 @@ int main (int argc, char const *const *argv) } if (!argc) dieusage() ; if (!*argv[0]) dieusage() ; - if (flagparanoid) flagdnslookup = flagfatal = 1 ; + if (flagparanoid) flagdnslookup = 1 ; proto = getenv("PROTO") ; if (!proto) strerr_dienotset(100, "PROTO") ; -- cgit v1.3.1