3
@@ -175,6 +175,11 @@ size_t strlcpy(char *, const char *, siz
4
#define CNT_INTVL 60 /* servers in CNT_INTVL sec. */
5
#define RETRYTIME (60*10) /* retry after bind or server fail */
15
@@ -347,7 +352,7 @@ main(int argc, char *argv[], char *envp[
17
initsetproctitle(argc, argv, envp);
19
- while ((ch = getopt(argc, argv, "dER:")) != -1)
20
+ while ((ch = getopt(argc, argv, "dElR:")) != -1)
24
@@ -355,6 +360,15 @@ main(int argc, char *argv[], char *envp[
33
+ fprintf(stderr, "%s: libwrap support not enabled",
37
case 'R': { /* invocation rate */
40
@@ -372,7 +386,7 @@ main(int argc, char *argv[], char *envp[
44
- "usage: %s [-dE] [-R rate] [configuration file]\n",
45
+ "usage: %s [-dEl] [-R rate] [configuration file]\n",
49
@@ -1970,6 +1984,47 @@ spawn(struct servtab *sep, int ctrl)
51
sigprocmask(SIG_SETMASK, &emptymask, NULL);
54
+ if (lflag && !sep->se_wait && sep->se_socktype == SOCK_STREAM) {
55
+ struct request_info req;
58
+ /* do not execute tcpd if it is in the config */
59
+ if (strcmp(sep->se_server, "/usr/sbin/tcpd") == 0) {
62
+ free(sep->se_server);
63
+ name = sep->se_server = sep->se_argv[0];
64
+ for (p = name; *p; p++)
67
+ sep->se_argv[0] = newstr(name);
70
+ request_init(&req, RQ_DAEMON, sep->se_argv[0],
71
+ RQ_FILE, ctrl, NULL);
73
+ if (getnameinfo(&sep->se_ctrladdr,
74
+ sizeof(sep->se_ctrladdr), NULL, 0, buf,
75
+ sizeof(buf), 0) != 0) {
76
+ /* shouldn't happen */
77
+ snprintf(buf, sizeof buf, "%d",
78
+ ntohs(sep->se_ctrladdr_in.sin_port));
81
+ if (!hosts_access(&req)) {
82
+ syslog(deny_severity, "refused connection"
83
+ " from %.500s, service %s (%s)",
84
+ eval_client(&req), service, sep->se_proto);
85
+ if (sep->se_socktype != SOCK_STREAM)
86
+ recv(0, buf, sizeof (buf), 0);
89
+ syslog(allow_severity,
90
+ "connection from %.500s, service %s (%s)",
91
+ eval_client(&req), service, sep->se_proto);
95
(*sep->se_bi->bi_fn)(ctrl, sep);
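Review bot: The `recv(0, buf, sizeof (buf), 0)` guarded by `if (sep->se_socktype != SOCK_STREAM)` in the deny branch is unreachable, because the enclosing block is entered only when `sep->se_socktype == SOCK_STREAM`; either drop those two lines or, if datagram nowait services were meant to be wrapped as well, relax the outer guard so a refused datagram is actually drained. The `getnameinfo(&sep->se_ctrladdr, sizeof(sep->se_ctrladdr), …)` call passes the size of the whole address storage rather than the length of the address it holds; if se_ctrladdr is a union or sockaddr_storage, a BSD libc may reject the oversized salen, and the "shouldn't happen" fallback would then silently replace the service name with the port number on every such connection, so pass the address's real length (the value used for bind/accept, or sa_len where sockaddr carries one). The `strcmp(sep->se_server, "/usr/sbin/tcpd")` test only strips tcpd at that exact path, so a tcpd installed elsewhere runs after inetd's own hosts_access check and the connection is checked and logged twice; a comment such as `/* only the canonical tcpd path is recognised; any other wrapper still execs */`, or a basename comparison, would make that explicit. spawn() begins before the hunk and the lines between the ones shown are elided on this page. In the main() hunk above, the format string `"%s: libwrap support not enabled"` has no trailing `\n`, so the diagnostic ends up on the same line as the next shell prompt unless a later statement emits one.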
105
.Op Ar configuration file
107
@@ -70,6 +71,13 @@ from laundering the environment. Withou
108
potentially harmful environent variables, including
110
will be removed and not inherited by services.
112
+Turns on libwrap connection logging and access control.
113
+Internal services cannot be wrapped. When enabled,
115
+is silently not executed even if present in
117
+and instead libwrap is called directly by inetd.
119
Specify the maximum number of times a service can be invoked
120
in one minute; the default is 256.
121
@@ -353,6 +361,23 @@ is reread.
123
.Em /var/run/inetd.pid
124
that contains its process identifier.
128
+wrappers is included with
130
+to provide built-in tcpd-like access control functionality.
131
+An external tcpd program is not needed.
132
+You do not need to change the
134
+server-program entry to enable this capability.
137
+.Pa /etc/hosts.allow
140
+for access control facility configurations, as described in
141
+.Xr hosts_access 5 .
142
.Ss IPv6 TCP/UDP behavior
143
If you wish to run a server for IPv4 and IPv6 traffic,
144
you'll need to run two separate processes for the same server program,