Name

sqlnet-proxy — format of sqlnet-proxy component configuration

DESCRIPTION

General syntax rules of Kernun Firewall configuration files are described in configuration(7). This man page describes the types, sections and items specific to the sqlnet-proxy component configuration.

Repeatable sections/items are marked by a '*' before the section/item name.

TYPES

Configuration directives have attributes of several value-types. For the basic types description, see configuration(7).

An enumeration is a list of words (names) representing integer values. Some enumerations accept both names and direct integer values; in this case, the enumeration description lists the value for every name (in parentheses next to the name). For other enumerations, the use of names is obligatory.

The following enumerations are used in sqlnet-proxy configuration directives:

yes-no (see common(5))

on-off (see common(5))

direction (see common(5))

ip-version (see common(5))

osi4-proto (see common(5))

time-cond (see common(5))

zip-mode (see common(5))

obligation (see common(5))

dbglev (see log(5))

logfail-mode (see log(5))

week-day (see time(5))

month (see time(5))

lock-type (see ipc(5))

auth-method (see auth(5))

source-address-mode (see source-address(5))

transparency (see acl(5))

user-auth-spec (see acl(5))

doctype-ident-method (see acl(5))

listen-on-sock (see listen-on(5))

redirection-mode (name-usage obligatory)

follow, ignore

ITEMS AND SECTIONS

Configuration of the sqlnet-proxy library component consists of the following prototypes:


* sqlnet-proxy name { ... }

Description:

sqlnet-proxy name {


  phase ... ;
* tag ... ;
  log-debug { ... }
  log-stats { ... }
  use-resolver ... ;
  cfg-resolution ... ;
  monitoring { ... }
  stats-daily { ... }
  stats-weekly { ... }
  stats-monthly { ... }
  nodaemon ... ;
  singleproc ... ;
  app-user ... ;
  idle-timeout ... ;
  run-block-sigalrm ... ;
  listen-on { ... }
  tcpserver { ... }
  doctype-identification { ... }
  client-conn { ... }
  server-conn { ... }
  init-timeout ... ;
  protocol-version ... ;
  max-service-name-len ... ;
  check-reserved-bits ... ;
  connect-string-charset ... ;
  connect-packet-sizelimit ... ;
* session-acl name { ... }
* service-acl name { ... }
}


This section defines SQL*Net-proxy attributes.

The sqlnet-proxy section is derived from the proxy section prototype. For a detailed description of it, see application(5).

Changes to the sqlnet-proxy section:

Section udpserver is not valid.

Item source-address is not valid.

At least one SESSION-ACL must be specified (proxy must be named in some SYSTEM.ACL.SERVICES).

At least one SERVICE-ACL must be specified.

Cannot use DB-USER for unknown protocol versions.

Section monitoring (see monitoring(5))

Item aproxy-user is not valid.

Item data used as uri.

Item listen-on.non-transparent (see listen-on(5))

Element port is optional, default: 1521.

Element proto is optional, default: tcp.

Item listen-on.transparent (see listen-on(5))

Element port is optional, default: 1521.

Element proto is optional, default: tcp.

Added items & subsections:

client-conn {


  conn-timeout ... ;
  recv-timeout ... ;
  recv-bufsize ... ;
  send-timeout ... ;
  close-timeout ... ;
  send-bufsize ... ;
  log-limit ... ;
}


Client connection options.

The client-conn section is derived from the sock-opt section prototype. For a detailed description of it, see netio(5).

server-conn {


  conn-timeout ... ;
  recv-timeout ... ;
  recv-bufsize ... ;
  send-timeout ... ;
  close-timeout ... ;
  send-bufsize ... ;
  log-limit ... ;
}


Server connection options.

The server-conn section is derived from the sock-opt section prototype. For a detailed description of it, see netio(5).

init-timeout [seconds];

Initialization timeout.

seconds (type: uint16, optional, default: 10)

protocol-version [list];

Permitted versions of the TNS protocol.

By default, the SQL*Net proxy permits communication only for known protocol versions (3.07 and 3.10 through 3.13). This item permits additional versions. However, unknown versions have some restrictions, e.g. user checking is disabled. If a version that is neither known nor listed here is detected, the proxy tries to continue operation but warns the administrator with an alert-level log message.

list (type: uint16-set, optional, default: {})

Versions (307 for 3.07, etc.).

max-service-name-len [chars];

Limit on SERVICE_NAME length.

Setting this parameter to a nonzero value can avoid buffer-overrun errors in many SQL*Net listeners. Setting it to zero switches the check off.

chars (type: uint16, optional, default: 40)

check-reserved-bits [val];

Enforce checking of reserved bits.

Some TNS listeners crash when they receive a packet with non-zero reserved bits.

val (type: on-off, optional, default: on=1)

connect-string-charset [chars];

Character set for CN string values.

Some clients use nonstandard characters in parameter values of the CONNECT string. This item lets administrators widen the character set so that such clients pass the check. The default value is reasonable for typical clients.

chars (type: str, optional, default: ".@:-/\\")

Allowed character set (all alphanumeric characters are added to it automatically).

Constraints:

CN string charset must be at most 256 chars long.

connect-packet-sizelimit [bytes];

Maximum length of a CN packet.

Some servers limit the size of a CN packet. This item sets the size above which a CN packet is split before it is sent to the server.

bytes (type: uint16, optional, default: 288)

session-acl name {


* from ... ;
* to ... ;
* time ... ;
  time-period-set { ... }
  deny ... ;
  accept ... ;
* doctype-ident-order ... ;
  rule ... ;
  auth ... ;
  idle-timeout ... ;
  source-address ... ;
  plug-to ... ;
  redirections ... ;
}


The first-level ACL decides only whether the incoming connection is accepted or denied.

The session-acl section is derived from the acl-1 section prototype. For a detailed description of it, see acl(5).

Changes to the session-acl section:

Item user is not valid.

Item idle-timeout-peer is not valid.

Only out-of-band authentication is supported in this proxy.

Added items & subsections:

redirections [follow] [hops];

redirections ignore [hops];

Handling of redirection (RD) packets.

The current version of the SQL*Net proxy handles RD packets itself: it checks the packet and tries to connect to the new server. This item defines, per client session, the maximum number of RD answers accepted from servers. If more servers than this maximum send an RD packet, an infinite loop is assumed and the session is terminated.

By default, the proxy follows the RD string information. Sometimes another mode may be desired, in which the proxy ignores the RD and respects its own configuration; in particular, this matters for the SESSION-ACL.PLUG-TO directive. However, use this IGNORE mode with care because it can easily lead to an infinite redirection loop. The SERVICE-ACL.PLUG-TO directive (if any) is respected in either mode.

<branching element> (type: redirection-mode, optional, default: follow)

hops (type: uint16, optional, default: 10)

Maximum number of redirections allowed.

[End of section sqlnet-proxy.session-acl description.]

service-acl name {


* from ... ;
* server ... ;
* user ... ;
* time ... ;
  time-period-set { ... }
* session-acl ... ;
  deny ... ;
  accept ... ;
* doctype-ident-order ... ;
  rule ... ;
  plug-to ... ;
  source-address ... ;
  service-name ... ;
  default-port ... ;
  db-user ... ;
  client-altq ... ;
  server-altq ... ;
}


The second-level ACL decides how to handle a particular connection according to the data contained in the connect (CN) string.

The service-acl section is derived from the acl-2 section prototype. For a detailed description of it, see acl(5).

Changes to the service-acl section:

Item parent-acl used as session-acl.

Added items & subsections:

plug-to addr;

Final destination server.

addr (type: sock)

Address/port of final destination server.

If port is zero, then original port is used.

source-address [client] [addr4 addr4] [addr6 addr6] cluster [cluster];

source-address [client] [addr4 addr4] [addr6 addr6] [physical];

source-address [client] [addr4 addr4] [addr6 addr6] no-fallback;

Source address for outgoing connections to servers.

If omitted, the proxy's own address will be used, i.e. in the case of a cluster, the cluster address will be used.

If no port is specified by the SOURCE-PORT item, a generic port will be used.

The proxy tries the elements entered in this item in order and uses the first one that is applicable:

- The CLIENT keyword means the original client IP address is used. This mode succeeds in all cases except a mismatch of IP address families.

- The ADDR4/ADDR6 keyword-value pairs mean that the specified address is used for a connection of the corresponding address family.

- The CLUSTER keyword means that one of the cluster addresses will be used. By default, the main address of the bridge is used; however, any preferred alias address can be listed in the cluster list.

- The PHYSICAL option means that the address of the physical interface is used instead of the cluster one.

- The DEFAULT option means the default behavior, i.e. the physical address is used.

- The NO-FALLBACK option means that if no other way of setting the address is acceptable, the session is rejected. Without this option, the system tries to find a suitable source IP address automatically.

client (type: key, optional)

addr4 addr4 (type: host, optional, default: [0.0.0.0])

addr6 addr6 (type: host, optional, default: [::])

<branching element> (type: source-address-mode, optional, default: physical)

cluster (type: host-list, optional, default: {})

Constraints:

Address family must respect the element's address family.

service-name [set];

Additional criteria for session-acl: SID/SERVICE_NAME value.

set (type: str-set, optional, default: *)

default-port [value];

Default port used when the (PORT=?) attribute is missing from the CN string or a server name is present in the SID without a port specification.

value (type: port, optional, default: 1521)
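The checks described under connect-string-charset, max-service-name-len and default-port, as an added Python illustration that is not Kernun's code: it parses a constructed TNS connect string with a simplified parser (no blanks between elements, a repeated key keeps its last value) and reports values outside the allowed character set, an over-long SERVICE_NAME, and the port that applies when (PORT=?) is absent. The function and sample names are assumptions.

```python
import string
# Added illustration (not Kernun's code) of the CN-string checks the man page
# describes: max-service-name-len, connect-string-charset and default-port.
DEFAULT_CHARSET = ".@:-/\\"   # connect-string-charset default from the page
def parse_cn(text):
    """Parse (A=(B=x)(C=y)) into nested dicts; no blanks, a repeated key keeps its last value."""
    pos = 0
    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        eq = text.index("=", pos)
        key, pos = text[pos + 1:eq].strip().upper(), eq + 1
        if text[pos] == "(":                       # nested list of (K=V) pairs
            val = {}
            while pos < len(text) and text[pos] == "(":
                k, v = node()
                val[k] = v
        else:                                      # scalar value up to ')'
            end = text.index(")", pos)
            val, pos = text[pos:end].strip(), end
        if pos >= len(text) or text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return key, val
    return dict([node()])

def check_cn(text, max_len=40, charset=DEFAULT_CHARSET, default_port=1521):
    """Return (findings, service_name, port); the defaults are the page's defaults."""
    if len(charset) > 256:                         # constraint stated on the page
        raise ValueError("CN string charset must be at most 256 chars long")
    allowed = set(charset) | set(string.ascii_letters + string.digits)
    findings = []
    def walk(node, path):                          # charset check on every value
        for k, v in node.items():
            if isinstance(v, dict):
                walk(v, path + k + ".")
            elif set(v) - allowed:
                findings.append(f"{path}{k}: disallowed chars {sorted(set(v) - allowed)}")
    walk(tree := parse_cn(text), "")
    desc = tree.get("DESCRIPTION", {})
    cdata = desc.get("CONNECT_DATA", {})
    name = cdata.get("SERVICE_NAME") or cdata.get("SID") or ""
    if max_len and len(name) > max_len:            # max-service-name-len 0 = check off
        findings.append(f"service name length {len(name)} > {max_len}")
    port = int(desc.get("ADDRESS", {}).get("PORT", default_port))
    return findings, name, port
# Constructed sample connect strings, not captured traffic.
CN_OK = "(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=db1.example.internal))(CONNECT_DATA=(SERVICE_NAME=orcl.example.internal)))"
CN_BAD = "(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=db_1)(PORT=1522))(CONNECT_DATA=(SERVICE_NAME=" + "A" * 41 + ")))"
```

The underscore in HOST=db_1 trips the default charset; passing charset=DEFAULT_CHARSET + "_" is the equivalent of widening connect-string-charset for such a client, and max_len=0 corresponds to switching the length check off.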

db-user names;

This item switches database-user checking on and defines the set of allowed user names.

Checking is allowed only for known TNS protocol versions.

names (type: str-set)

client-altq altq [paltq paltq];

ALTQ queues for data sent to client.

altq (type: name of pf-queue, see pf-queue(5))

Queue name.

paltq paltq (type: name of pf-queue, see pf-queue(5), optional, default: NULL)

Priority queue name (if set, used for TCP ACKs without data).

server-altq altq [paltq paltq];

ALTQ queues for data sent to server.

altq (type: name of pf-queue, see pf-queue(5))

Queue name.

paltq paltq (type: name of pf-queue, see pf-queue(5), optional, default: NULL)

Priority queue name (if set, used for TCP ACKs without data).

[End of section sqlnet-proxy.service-acl description.]

[End of section sqlnet-proxy description.]

SEE ALSO

configuration(7), acl(5), application(5), auth(5), common(5), ipc(5), listen-on(5), log(5), monitoring(5), netio(5), pf-queue(5), source-address(5), time(5)