2 * Copyright (c) 1983, 1991, 1993, 1994
3 * The Regents of the University of California. All rights reserved.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. All advertising materials mentioning features or use of this software
14 * must display the following acknowledgement:
15 * This product includes software developed by the University of
16 * California, Berkeley and its contributors.
17 * 4. Neither the name of the University nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 static const char copyright[] =
36 "@(#) Copyright (c) 1983, 1991, 1993, 1994\n\
37 The Regents of the University of California. All rights reserved.\n";
42 static char sccsid[] = "@(#)from: inetd.c 8.4 (Berkeley) 4/13/94";
44 static const char rcsid[] =
49 * Inetd - Internet super-server
51 * This program invokes all internet services as needed. Connection-oriented
52 * services are invoked each time a connection is made, by creating a process.
53 * This process is passed the connection as file descriptor 0 and is expected
54 * to do a getpeername to find out the source host and port.
56 * Datagram oriented services are invoked when a datagram
57 * arrives; a process is created and passed a pending message
58 * on file descriptor 0. Datagram servers may either connect
59 * to their peer, freeing up the original socket for inetd
60 * to receive further messages on, or ``take over the socket'',
61 * processing all arriving datagrams and, eventually, timing
62 * out. The first type of server is said to be ``multi-threaded'';
63 * the second type of server ``single-threaded''.
65 * Inetd uses a configuration file which is read at startup
66 * and, possibly, at some later time in response to a hangup signal.
67 * The configuration file is ``free format'' with fields given in the
68 * order shown below. Continuation lines for an entry must begin with
69 * a space or tab. All fields must be present in each entry.
71 * service name must be in /etc/services
72 * or name a tcpmux service
73 * or specify a unix domain socket
74 * socket type stream/dgram/raw/rdm/seqpacket
75 * protocol tcp[4][6][/faith,ttcp], udp[4][6], unix
76 * wait/nowait single-threaded/multi-threaded
77 * user user to run daemon as
78 * server program full path name
79 * server program arguments maximum of MAXARGS (20)
81 * TCP services without official port numbers are handled with the
82 * RFC1078-based tcpmux internal service. Tcpmux listens on port 1 for
83 * requests. When a connection is made from a foreign host, the service
84 * requested is passed to tcpmux, which looks it up in the servtab list
85 * and returns the proper entry for the service. Tcpmux returns a
86 * negative reply if the service doesn't exist, otherwise the invoked
87 * server is expected to return the positive reply if the service type in
88 * inetd.conf file has the prefix "tcpmux/". If the service type has the
89 * prefix "tcpmux/+", tcpmux will return the positive reply for the
90 * process; this is for compatibility with older server code, and also
91 * allows you to invoke programs that use stdin/stdout without putting any
92 * special server code in them. Services that use tcpmux are "nowait"
93 * because they do not have a well-known port and hence cannot listen
97 * service name/version must be in /etc/rpc
98 * socket type stream/dgram/raw/rdm/seqpacket
99 * protocol rpc/tcp, rpc/udp
100 * wait/nowait single-threaded/multi-threaded
101 * user user to run daemon as
102 * server program full path name
103 * server program arguments maximum of MAXARGS
105 * Comment lines are indicated by a `#' in column 1.
108 * Comment lines that start with "#@" denote IPsec policy string, as described
109 * in ipsec_set_policy(3). This will affect all the following items in
110 * inetd.conf(8). To reset the policy, just use "#@" line. By default,
111 * there's no IPsec policy.
114 #include <sys/param.h>
115 #include <sys/ioctl.h>
116 #include <sys/wait.h>
117 #include <sys/time.h>
118 #include <sys/resource.h>
119 #include <sys/stat.h>
122 #include <netinet/in.h>
123 #include <netinet/tcp.h>
124 #include <arpa/inet.h>
126 #include <rpc/pmap_clnt.h>
142 #include <sysexits.h>
146 #include "pathnames.h"
149 #include <netinet6/ipsec.h>
150 #ifndef IPSEC_POLICY_IPSEC /* no ipsec support on old ipsec */
155 /* wrapper for KAME-special getnameinfo() */
156 #ifndef NI_WITHSCOPEID
157 #define NI_WITHSCOPEID 0
160 #ifndef LIBWRAP_ALLOW_FACILITY
161 # define LIBWRAP_ALLOW_FACILITY LOG_AUTH
163 #ifndef LIBWRAP_ALLOW_SEVERITY
164 # define LIBWRAP_ALLOW_SEVERITY LOG_INFO
166 #ifndef LIBWRAP_DENY_FACILITY
167 # define LIBWRAP_DENY_FACILITY LOG_AUTH
169 #ifndef LIBWRAP_DENY_SEVERITY
170 # define LIBWRAP_DENY_SEVERITY LOG_WARNING
173 #define ISWRAP(sep) \
174 ( ((wrap_ex && !(sep)->se_bi) || (wrap_bi && (sep)->se_bi)) \
175 && (sep->se_family == AF_INET || sep->se_family == AF_INET6) \
176 && ( ((sep)->se_accept && (sep)->se_socktype == SOCK_STREAM) \
177 || (sep)->se_socktype == SOCK_DGRAM))
180 #include <login_cap.h>
183 #define RESOURCE_RC "daemon"
188 #define MAXCHILD -1 /* maximum number of this service
193 #define MAXCPM -1 /* rate limit invocations from a
194 single remote address,
199 #define TOOMANY 256 /* don't start more than TOOMANY */
201 #define CNT_INTVL 60 /* servers in CNT_INTVL sec. */
202 #define RETRYTIME (60*10) /* retry after bind or server fail */
203 #define MAX_MAXCHLD 32767 /* max allowable max children */
205 #define SIGBLOCK (sigmask(SIGCHLD)|sigmask(SIGHUP)|sigmask(SIGALRM))
207 void close_sep __P((struct servtab *));
208 void flag_signal __P((int));
209 void flag_config __P((int));
210 void config __P((void));
211 int cpmip __P((const struct servtab *, int));
212 void endconfig __P((void));
213 struct servtab *enter __P((struct servtab *));
214 void freeconfig __P((struct servtab *));
215 struct servtab *getconfigent __P((void));
216 int matchservent __P((const char *, const char *, const char *));
217 char *nextline __P((FILE *));
218 void addchild __P((struct servtab *, int));
219 void flag_reapchild __P((int));
220 void reapchild __P((void));
221 void enable __P((struct servtab *));
222 void disable __P((struct servtab *));
223 void flag_retry __P((int));
224 void retry __P((void));
225 int setconfig __P((void));
226 void setup __P((struct servtab *));
228 void ipsecsetup __P((struct servtab *));
230 void unregisterrpc __P((register struct servtab *sep));
238 int maxsock; /* highest-numbered descriptor */
242 int toomany = TOOMANY;
243 int maxchild = MAXCHILD;
247 char *hostname = NULL;
248 struct sockaddr_in *bind_sa4;
251 struct sockaddr_in6 *bind_sa6;
262 struct servtab *servtab;
264 extern struct biltin biltins[];
266 #define NUMINT (sizeof(intab) / sizeof(struct inent))
267 const char *CONFIG = _PATH_INETDCONF;
268 const char *pid_file = _PATH_INETDPID;
271 getvalue(arg, value, whine)
272 const char *arg, *whine;
278 tmp = strtol(arg, &p, 0);
280 syslog(LOG_ERR, whine, arg);
281 return 1; /* failure */
284 return 0; /* success */
295 struct sigaction sa, saalrm, sachld, sahup, sapipe;
296 int tmpint, ch, dofork;
300 login_cap_t *lc = NULL;
302 struct request_info req;
304 char *service = NULL;
306 struct sockaddr peer_un;
307 struct sockaddr_in peer_un4;
308 struct sockaddr_in6 peer_un6;
309 struct sockaddr_storage peer_max;
311 #define peer p_un.peer_un
312 #define peer4 p_un.peer_un4
313 #define peer6 p_un.peer_un6
314 #define peermax p_un.peer_max
316 struct addrinfo hints, *res;
317 const char *servname;
320 openlog("inetd", LOG_PID | LOG_NOWAIT | LOG_PERROR, LOG_DAEMON);
322 while ((ch = getopt(argc, argv, "dlwWR:a:c:C:p:")) != -1)
332 getvalue(optarg, &toomany,
333 "-R %s: bad value for service invocation rate");
336 getvalue(optarg, &maxchild,
337 "-c %s: bad value for maximum children");
340 getvalue(optarg, &maxcpm,
341 "-C %s: bad value for maximum children/minute");
358 "usage: inetd [-dlwW] [-a address] [-R rate]"
359 " [-c maximum] [-C rate]"
360 " [-p pidfile] [conf-file]");
364 * Initialize Bind Addrs.
365 * When hostname is NULL, wild card bind addrs are obtained from
366 * getaddrinfo(). But getaddrinfo() requires at least one of
367 * hostname or servname is non NULL.
368 * So when hostname is NULL, set dummy value to servname.
370 servname = (hostname == NULL) ? "discard" /* dummy */ : NULL;
372 bzero(&hints, sizeof(struct addrinfo));
373 hints.ai_flags = AI_PASSIVE;
374 hints.ai_family = AF_UNSPEC;
375 error = getaddrinfo(hostname, servname, &hints, &res);
377 syslog(LOG_ERR, "-a %s: %s", hostname, gai_strerror(error));
378 if (error == EAI_SYSTEM)
379 syslog(LOG_ERR, "%s", strerror(errno));
383 if (res->ai_addr == NULL) {
384 syslog(LOG_ERR, "-a %s: getaddrinfo failed", hostname);
387 switch (res->ai_addr->sa_family) {
391 bind_sa4 = (struct sockaddr_in *)res->ai_addr;
392 /* init port num in case servname is dummy */
393 bind_sa4->sin_port = 0;
400 bind_sa6 = (struct sockaddr_in6 *)res->ai_addr;
401 /* init port num in case servname is dummy */
402 bind_sa6->sin6_port = 0;
413 } while ((res = res->ai_next) != NULL);
419 syslog(LOG_ERR, "-a %s: unknown address family", hostname);
425 umask(mask = umask(0777));
434 if (daemon(0, 0) < 0) {
435 syslog(LOG_WARNING, "daemon(0,0) failed: %m");
437 /* From now on we don't want syslog messages going to stderr. */
439 openlog("inetd", LOG_PID | LOG_NOWAIT, LOG_DAEMON);
441 * In case somebody has started inetd manually, we need to
442 * clear the logname, so that old servers run as root do not
443 * get the user's logname..
445 if (setlogin("") < 0) {
446 syslog(LOG_WARNING, "cannot clear logname: %m");
447 /* no big deal if it fails.. */
450 fp = fopen(pid_file, "w");
452 fprintf(fp, "%ld\n", (long)pid);
455 syslog(LOG_WARNING, "%s: %m", pid_file);
459 sigemptyset(&sa.sa_mask);
460 sigaddset(&sa.sa_mask, SIGALRM);
461 sigaddset(&sa.sa_mask, SIGCHLD);
462 sigaddset(&sa.sa_mask, SIGHUP);
463 sa.sa_handler = flag_retry;
464 sigaction(SIGALRM, &sa, &saalrm);
466 sa.sa_handler = flag_config;
467 sigaction(SIGHUP, &sa, &sahup);
468 sa.sa_handler = flag_reapchild;
469 sigaction(SIGCHLD, &sa, &sachld);
470 sa.sa_handler = SIG_IGN;
471 sigaction(SIGPIPE, &sa, &sapipe);
474 /* space for daemons to overwrite environment for ps */
475 #define DUMMYSIZE 100
476 char dummy[DUMMYSIZE];
478 (void)memset(dummy, 'x', DUMMYSIZE - 1);
479 dummy[DUMMYSIZE - 1] = '\0';
480 (void)setenv("inetd_dummy", dummy, 1);
483 if (pipe(signalpipe) != 0) {
484 syslog(LOG_ERR, "pipe: %m");
487 FD_SET(signalpipe[0], &allsock);
491 if (signalpipe[0] > maxsock)
492 maxsock = signalpipe[0];
493 if (signalpipe[1] > maxsock)
494 maxsock = signalpipe[1];
502 syslog(LOG_ERR, "%s: nsock=0", __FUNCTION__);
507 if ((n = select(maxsock + 1, &readable, (fd_set *)0,
508 (fd_set *)0, (struct timeval *)0)) <= 0) {
509 if (n < 0 && errno != EINTR) {
510 syslog(LOG_WARNING, "select: %m");
515 /* handle any queued signal flags */
516 if (FD_ISSET(signalpipe[0], &readable)) {
518 if (ioctl(signalpipe[0], FIONREAD, &nsig) != 0) {
519 syslog(LOG_ERR, "ioctl: %m");
522 while (--nsig >= 0) {
524 if (read(signalpipe[0], &c, 1) != 1) {
525 syslog(LOG_ERR, "read: %m");
529 warnx("handling signal flag %c", c);
531 case 'A': /* sigalrm */
534 case 'C': /* sigchld */
537 case 'H': /* sighup */
543 for (sep = servtab; n && sep; sep = sep->se_next)
544 if (sep->se_fd != -1 && FD_ISSET(sep->se_fd, &readable)) {
547 warnx("someone wants %s", sep->se_service);
548 if (sep->se_accept && sep->se_socktype == SOCK_STREAM) {
550 if (ioctl(sep->se_fd, FIONBIO, &i) < 0)
551 syslog(LOG_ERR, "ioctl (FIONBIO, 1): %m");
552 ctrl = accept(sep->se_fd, (struct sockaddr *)0,
555 warnx("accept, ctrl %d", ctrl);
559 "accept (for %s): %m",
561 if (sep->se_accept &&
562 sep->se_socktype == SOCK_STREAM)
567 if (ioctl(sep->se_fd, FIONBIO, &i) < 0)
568 syslog(LOG_ERR, "ioctl1(FIONBIO, 0): %m");
569 if (ioctl(ctrl, FIONBIO, &i) < 0)
570 syslog(LOG_ERR, "ioctl2(FIONBIO, 0): %m");
571 if (cpmip(sep, ctrl) < 0) {
577 if (log && !ISWRAP(sep)) {
578 char pname[INET6_ADDRSTRLEN] = "unknown";
581 if (getpeername(ctrl, (struct sockaddr *)
584 if (recvfrom(ctrl, buf, sizeof(buf),
586 (struct sockaddr *)&peermax,
588 getnameinfo((struct sockaddr *)&peermax,
590 pname, sizeof(pname),
596 getnameinfo((struct sockaddr *)&peermax,
598 pname, sizeof(pname),
603 syslog(LOG_INFO,"%s from %s", sep->se_service, pname);
605 (void) sigblock(SIGBLOCK);
608 * Fork for all external services, builtins which need to
609 * fork and anything we're wrapping (as wrapping might
610 * block or use hosts_options(5) twist).
612 dofork = !sep->se_bi || sep->se_bi->bi_fork || ISWRAP(sep);
614 if (sep->se_count++ == 0)
615 (void)gettimeofday(&sep->se_time, (struct timezone *)NULL);
616 else if (toomany > 0 && sep->se_count >= toomany) {
619 (void)gettimeofday(&now, (struct timezone *)NULL);
620 if (now.tv_sec - sep->se_time.tv_sec >
626 "%s/%s server failing (looping), service terminated",
627 sep->se_service, sep->se_proto);
628 if (sep->se_accept &&
629 sep->se_socktype == SOCK_STREAM)
643 syslog(LOG_ERR, "fork: %m");
644 if (sep->se_accept &&
645 sep->se_socktype == SOCK_STREAM)
657 warnx("+ closing from %d", maxsock);
658 for (tmpint = maxsock; tmpint > 2; tmpint--)
660 (void) close(tmpint);
661 sigaction(SIGALRM, &saalrm, (struct sigaction *)0);
662 sigaction(SIGCHLD, &sachld, (struct sigaction *)0);
663 sigaction(SIGHUP, &sahup, (struct sigaction *)0);
664 /* SIGPIPE reset before exec */
667 * Call tcpmux to find the real service to exec.
670 sep->se_bi->bi_fn == (bi_fn_t *) tcpmux) {
678 inetd_setproctitle("wrapping", ctrl);
679 service = sep->se_server_name ?
680 sep->se_server_name : sep->se_service;
681 request_init(&req, RQ_DAEMON, service, RQ_FILE, ctrl, NULL);
683 deny_severity = LIBWRAP_DENY_FACILITY|LIBWRAP_DENY_SEVERITY;
684 allow_severity = LIBWRAP_ALLOW_FACILITY|LIBWRAP_ALLOW_SEVERITY;
685 denied = !hosts_access(&req);
687 syslog(deny_severity,
688 "refused connection from %.500s, service %s (%s%s)",
689 eval_client(&req), service, sep->se_proto,
690 (((struct sockaddr *)req.client->sin)->sa_family == AF_INET6 && !IN6_IS_ADDR_V4MAPPED(&((struct sockaddr_in6 *)req.client->sin)->sin6_addr)) ? "6" : "");
691 if (sep->se_socktype != SOCK_STREAM)
692 recv(ctrl, buf, sizeof (buf), 0);
699 syslog(allow_severity,
700 "connection from %.500s, service %s (%s%s)",
701 eval_client(&req), service, sep->se_proto,
702 (((struct sockaddr *)req.client->sin)->sa_family == AF_INET6 && !IN6_IS_ADDR_V4MAPPED(&((struct sockaddr_in6 *)req.client->sin)->sin6_addr)) ? "6" : "");
706 (*sep->se_bi->bi_fn)(ctrl, sep);
710 getpid(), sep->se_server);
715 if ((pwd = getpwnam(sep->se_user)) == NULL) {
717 "%s/%s: %s: no such user",
718 sep->se_service, sep->se_proto,
720 if (sep->se_socktype != SOCK_STREAM)
721 recv(0, buf, sizeof (buf), 0);
725 if ( sep->se_group != NULL
726 && (grp = getgrnam(sep->se_group)) == NULL
729 "%s/%s: %s: no such group",
730 sep->se_service, sep->se_proto,
732 if (sep->se_socktype != SOCK_STREAM)
733 recv(0, buf, sizeof (buf), 0);
737 pwd->pw_gid = grp->gr_gid;
739 if ((lc = login_getclass(sep->se_class)) == NULL) {
740 /* error syslogged by getclass */
742 "%s/%s: %s: login class error",
743 sep->se_service, sep->se_proto,
745 if (sep->se_socktype != SOCK_STREAM)
746 recv(0, buf, sizeof (buf), 0);
752 "%s: can't setsid(): %m",
754 /* _exit(EX_OSERR); not fatal yet */
757 if (setusercontext(lc, pwd, pwd->pw_uid,
758 LOGIN_SETALL) != 0) {
760 "%s: can't setusercontext(..%s..): %m",
761 sep->se_service, sep->se_user);
766 if (setlogin(sep->se_user) < 0) {
768 "%s: can't setlogin(%s): %m",
769 sep->se_service, sep->se_user);
770 /* _exit(EX_OSERR); not yet */
772 if (setgid(pwd->pw_gid) < 0) {
774 "%s: can't set gid %d: %m",
775 sep->se_service, pwd->pw_gid);
778 (void) initgroups(pwd->pw_name,
780 if (setuid(pwd->pw_uid) < 0) {
782 "%s: can't set uid %d: %m",
783 sep->se_service, pwd->pw_uid);
788 sigaction(SIGPIPE, &sapipe,
789 (struct sigaction *)0);
790 execv(sep->se_server, sep->se_argv);
792 "cannot execute %s: %m", sep->se_server);
793 if (sep->se_socktype != SOCK_STREAM)
794 recv(0, buf, sizeof (buf), 0);
799 if (sep->se_accept && sep->se_socktype == SOCK_STREAM)
806 * Add a signal flag to the signal flag queue for later handling
815 if (write(signalpipe[1], &ch, 1) != 1) {
816 syslog(LOG_ERR, "write: %m");
822 * Record a new child pid for this service. If we've reached the
823 * limit on children, then stop accepting incoming requests.
827 addchild(struct servtab *sep, pid_t pid)
829 if (sep->se_maxchild <= 0)
832 if (sep->se_numchild >= sep->se_maxchild) {
833 syslog(LOG_ERR, "%s: %d >= %d",
834 __FUNCTION__, sep->se_numchild, sep->se_maxchild);
838 sep->se_pids[sep->se_numchild++] = pid;
839 if (sep->se_numchild == sep->se_maxchild)
844 * Some child process has exited. See if it's on somebody's list.
848 flag_reapchild(signo)
862 pid = wait3(&status, WNOHANG, (struct rusage *)0);
866 warnx("%d reaped, status %#x", pid, status);
867 for (sep = servtab; sep; sep = sep->se_next) {
868 for (k = 0; k < sep->se_numchild; k++)
869 if (sep->se_pids[k] == pid)
871 if (k == sep->se_numchild)
873 if (sep->se_numchild == sep->se_maxchild)
875 sep->se_pids[k] = sep->se_pids[--sep->se_numchild];
878 "%s[%d]: exit status 0x%x",
879 sep->se_server, pid, status);
895 struct servtab *sep, *new, **sepp;
899 syslog(LOG_ERR, "%s: %m", CONFIG);
902 for (sep = servtab; sep; sep = sep->se_next)
904 while ((new = getconfigent())) {
905 if (getpwnam(new->se_user) == NULL) {
907 "%s/%s: no such user '%s', service ignored",
908 new->se_service, new->se_proto, new->se_user);
911 if (new->se_group && getgrnam(new->se_group) == NULL) {
913 "%s/%s: no such group '%s', service ignored",
914 new->se_service, new->se_proto, new->se_group);
918 if (login_getclass(new->se_class) == NULL) {
919 /* error syslogged by getclass */
921 "%s/%s: %s: login class error, service ignored",
922 new->se_service, new->se_proto, new->se_class);
926 for (sep = servtab; sep; sep = sep->se_next)
927 if (strcmp(sep->se_service, new->se_service) == 0 &&
928 strcmp(sep->se_proto, new->se_proto) == 0 &&
929 sep->se_socktype == new->se_socktype &&
930 sep->se_family == new->se_family)
935 #define SWAP(a, b) { typeof(a) c = a; a = b; b = c; }
936 omask = sigblock(SIGBLOCK);
937 if (sep->se_nomapped != new->se_nomapped) {
938 sep->se_nomapped = new->se_nomapped;
941 /* copy over outstanding child pids */
942 if (sep->se_maxchild > 0 && new->se_maxchild > 0) {
943 new->se_numchild = sep->se_numchild;
944 if (new->se_numchild > new->se_maxchild)
945 new->se_numchild = new->se_maxchild;
946 memcpy(new->se_pids, sep->se_pids,
947 new->se_numchild * sizeof(*new->se_pids));
949 SWAP(sep->se_pids, new->se_pids);
950 sep->se_maxchild = new->se_maxchild;
951 sep->se_numchild = new->se_numchild;
952 sep->se_maxcpm = new->se_maxcpm;
953 sep->se_bi = new->se_bi;
954 /* might need to turn on or off service now */
955 if (sep->se_fd >= 0) {
956 if (sep->se_maxchild > 0
957 && sep->se_numchild == sep->se_maxchild) {
958 if (FD_ISSET(sep->se_fd, &allsock))
961 if (!FD_ISSET(sep->se_fd, &allsock))
965 sep->se_accept = new->se_accept;
966 SWAP(sep->se_user, new->se_user);
967 SWAP(sep->se_group, new->se_group);
969 SWAP(sep->se_class, new->se_class);
971 SWAP(sep->se_server, new->se_server);
972 SWAP(sep->se_server_name, new->se_server_name);
973 for (i = 0; i < MAXARGV; i++)
974 SWAP(sep->se_argv[i], new->se_argv[i]);
976 SWAP(sep->se_policy, new->se_policy);
982 print_service("REDO", sep);
986 print_service("ADD ", sep);
993 switch (sep->se_family) {
995 if (no_v4bind != 0) {
1002 if (no_v6bind != 0) {
1010 if (sep->se_family != AF_UNIX) {
1011 sp = getservbyname(sep->se_service, sep->se_proto);
1013 syslog(LOG_ERR, "%s/%s: unknown service",
1014 sep->se_service, sep->se_proto);
1015 sep->se_checked = 0;
1019 switch (sep->se_family) {
1021 if (sp->s_port != sep->se_ctrladdr4.sin_port) {
1022 sep->se_ctrladdr4.sin_port =
1030 sep->se_ctrladdr6.sin6_port) {
1031 sep->se_ctrladdr6.sin6_port =
1038 if (sep->se_reset != 0 && sep->se_fd >= 0)
1041 rpc = getrpcbyname(sep->se_service);
1043 syslog(LOG_ERR, "%s/%s unknown RPC service",
1044 sep->se_service, sep->se_proto);
1045 if (sep->se_fd != -1)
1046 (void) close(sep->se_fd);
1050 if (rpc->r_number != sep->se_rpc_prog) {
1051 if (sep->se_rpc_prog)
1053 sep->se_rpc_prog = rpc->r_number;
1054 if (sep->se_fd != -1)
1055 (void) close(sep->se_fd);
1059 if (sep->se_fd == -1)
1064 * Purge anything not looked at above.
1066 omask = sigblock(SIGBLOCK);
1068 while ((sep = *sepp)) {
1069 if (sep->se_checked) {
1070 sepp = &sep->se_next;
1073 *sepp = sep->se_next;
1074 if (sep->se_fd >= 0)
1077 print_service("FREE", sep);
1078 if (sep->se_rpc && sep->se_rpc_prog > 0)
1083 (void) sigsetmask(omask);
1088 struct servtab *sep;
1091 struct servtab *sepp;
1094 omask = sigblock(SIGBLOCK);
1095 for (sepp = servtab; sepp; sepp = sepp->se_next) {
1098 if (sep->se_checked == 0 ||
1100 sep->se_rpc_prog != sepp->se_rpc_prog)
1105 print_service("UNREG", sep);
1106 for (i = sep->se_rpc_lowvers; i <= sep->se_rpc_highvers; i++)
1107 pmap_unset(sep->se_rpc_prog, i);
1108 if (sep->se_fd != -1)
1109 (void) close(sep->se_fd);
1111 (void) sigsetmask(omask);
1124 struct servtab *sep;
1127 for (sep = servtab; sep; sep = sep->se_next)
1128 if (sep->se_fd == -1 && !ISMUX(sep))
1134 struct servtab *sep;
1138 if ((sep->se_fd = socket(sep->se_family, sep->se_socktype, 0)) < 0) {
1140 warn("socket failed on %s/%s",
1141 sep->se_service, sep->se_proto);
1142 syslog(LOG_ERR, "%s/%s: socket: %m",
1143 sep->se_service, sep->se_proto);
1146 #define turnon(fd, opt) \
1147 setsockopt(fd, SOL_SOCKET, opt, (char *)&on, sizeof (on))
1148 if (strcmp(sep->se_proto, "tcp") == 0 && (options & SO_DEBUG) &&
1149 turnon(sep->se_fd, SO_DEBUG) < 0)
1150 syslog(LOG_ERR, "setsockopt (SO_DEBUG): %m");
1151 if (turnon(sep->se_fd, SO_REUSEADDR) < 0)
1152 syslog(LOG_ERR, "setsockopt (SO_REUSEADDR): %m");
1154 if (turnon(sep->se_fd, SO_PRIVSTATE) < 0)
1155 syslog(LOG_ERR, "setsockopt (SO_PRIVSTATE): %m");
1157 /* tftpd opens a new connection then needs more infos */
1158 if ((sep->se_family == AF_INET6) &&
1159 (strcmp(sep->se_proto, "udp") == 0) &&
1160 (sep->se_accept == 0) &&
1161 (setsockopt(sep->se_fd, IPPROTO_IPV6, IPV6_PKTINFO,
1162 (char *)&on, sizeof (on)) < 0))
1163 syslog(LOG_ERR, "setsockopt (IPV6_RECVPKTINFO): %m");
1164 #ifdef IPV6_BINDV6ONLY
1165 if (sep->se_family == AF_INET6) {
1166 int flag = sep->se_nomapped ? 1 : 0;
1167 if (setsockopt(sep->se_fd, IPPROTO_IPV6, IPV6_BINDV6ONLY,
1168 (char *)&flag, sizeof (flag)) < 0)
1169 syslog(LOG_ERR, "setsockopt (IPV6_BINDV6ONLY): %m");
1171 #endif /* IPV6_BINDV6ONLY */
1173 if (sep->se_type == TTCP_TYPE)
1174 if (setsockopt(sep->se_fd, IPPROTO_TCP, TCP_NOPUSH,
1175 (char *)&on, sizeof (on)) < 0)
1176 syslog(LOG_ERR, "setsockopt (TCP_NOPUSH): %m");
1178 if (sep->se_type == FAITH_TYPE) {
1179 if (setsockopt(sep->se_fd, IPPROTO_IPV6, IPV6_FAITH, &on,
1181 syslog(LOG_ERR, "setsockopt (IPV6_FAITH): %m");
1188 if (sep->se_family == AF_UNIX) {
1189 (void) unlink(sep->se_ctrladdr_un.sun_path);
1190 umask(0777); /* Make socket with conservative permissions */
1192 if (bind(sep->se_fd, (struct sockaddr *)&sep->se_ctrladdr,
1193 sep->se_ctrladdr_size) < 0) {
1195 warn("bind failed on %s/%s",
1196 sep->se_service, sep->se_proto);
1197 syslog(LOG_ERR, "%s/%s: bind: %m",
1198 sep->se_service, sep->se_proto);
1199 (void) close(sep->se_fd);
1205 if (sep->se_family == AF_UNIX)
1209 if (sep->se_family == AF_UNIX) {
1210 /* Ick - fch{own,mod} don't work on Unix domain sockets */
1211 if (chown(sep->se_service, sep->se_sockuid, sep->se_sockgid) < 0)
1212 syslog(LOG_ERR, "chown socket: %m");
1213 if (chmod(sep->se_service, sep->se_sockmode) < 0)
1214 syslog(LOG_ERR, "chmod socket: %m");
1219 socklen_t len = sep->se_ctrladdr_size;
1221 if (sep->se_family != AF_INET) {
1223 "%s/%s: unsupported address family for rpc",
1224 sep->se_service, sep->se_proto);
1225 (void) close(sep->se_fd);
1229 if (getsockname(sep->se_fd,
1230 (struct sockaddr*)&sep->se_ctrladdr, &len) < 0){
1231 syslog(LOG_ERR, "%s/%s: getsockname: %m",
1232 sep->se_service, sep->se_proto);
1233 (void) close(sep->se_fd);
1238 print_service("REG ", sep);
1239 for (i = sep->se_rpc_lowvers; i <= sep->se_rpc_highvers; i++) {
1240 pmap_unset(sep->se_rpc_prog, i);
1241 pmap_set(sep->se_rpc_prog, i,
1242 (sep->se_socktype == SOCK_DGRAM)
1243 ? IPPROTO_UDP : IPPROTO_TCP,
1244 ntohs(sep->se_ctrladdr4.sin_port));
1247 if (sep->se_socktype == SOCK_STREAM)
1248 listen(sep->se_fd, 64);
1251 warnx("registered %s on %d",
1252 sep->se_server, sep->se_fd);
1259 struct servtab *sep;
1262 char *policy_in = NULL;
1263 char *policy_out = NULL;
1267 switch (sep->se_family) {
1270 opt = IP_IPSEC_POLICY;
1274 level = IPPROTO_IPV6;
1275 opt = IPV6_IPSEC_POLICY;
1282 if (!sep->se_policy || sep->se_policy[0] == '\0') {
1283 static char def_in[] = "in entrust", def_out[] = "out entrust";
1285 policy_out = def_out;
1287 if (!strncmp("in", sep->se_policy, 2))
1288 policy_in = sep->se_policy;
1289 else if (!strncmp("out", sep->se_policy, 3))
1290 policy_out = sep->se_policy;
1292 syslog(LOG_ERR, "invalid security policy \"%s\"",
1298 if (policy_in != NULL) {
1299 buf = ipsec_set_policy(policy_in, strlen(policy_in));
1301 if (setsockopt(sep->se_fd, level, opt,
1302 buf, ipsec_get_policylen(buf)) < 0 &&
1304 warnx("%s/%s: ipsec initialization failed; %s",
1305 sep->se_service, sep->se_proto,
1309 syslog(LOG_ERR, "invalid security policy \"%s\"",
1312 if (policy_out != NULL) {
1313 buf = ipsec_set_policy(policy_out, strlen(policy_out));
1315 if (setsockopt(sep->se_fd, level, opt,
1316 buf, ipsec_get_policylen(buf)) < 0 &&
1318 warnx("%s/%s: ipsec initialization failed; %s",
1319 sep->se_service, sep->se_proto,
1323 syslog(LOG_ERR, "invalid security policy \"%s\"",
1330 * Finish with a service and its socket.
1334 struct servtab *sep;
1336 if (sep->se_fd >= 0) {
1337 if (FD_ISSET(sep->se_fd, &allsock))
1339 (void) close(sep->se_fd);
1343 sep->se_numchild = 0; /* forget about any existing children */
1347 matchservent(name1, name2, proto)
1348 const char *name1, *name2, *proto;
1353 if (strcmp(proto, "unix") == 0) {
1354 if ((p = strrchr(name1, '/')) != NULL)
1356 if ((p = strrchr(name2, '/')) != NULL)
1359 if (strcmp(name1, name2) == 0)
1361 if ((se = getservbyname(name1, proto)) != NULL) {
1362 if (strcmp(name2, se->s_name) == 0)
1364 for (alias = se->s_aliases; *alias; alias++)
1365 if (strcmp(name2, *alias) == 0)
1375 struct servtab *sep;
1378 sep = (struct servtab *)malloc(sizeof (*sep));
1379 if (sep == (struct servtab *)0) {
1380 syslog(LOG_ERR, "malloc: %m");
1385 omask = sigblock(SIGBLOCK);
1386 sep->se_next = servtab;
1394 struct servtab *sep;
1398 "enabling %s, fd %d", sep->se_service, sep->se_fd);
1400 if (sep->se_fd < 0) {
1402 "%s: %s: bad fd", __FUNCTION__, sep->se_service);
1407 "%s: %s: is mux", __FUNCTION__, sep->se_service);
1410 if (FD_ISSET(sep->se_fd, &allsock)) {
1412 "%s: %s: not off", __FUNCTION__, sep->se_service);
1417 FD_SET(sep->se_fd, &allsock);
1418 if (sep->se_fd > maxsock)
1419 maxsock = sep->se_fd;
1424 struct servtab *sep;
1428 "disabling %s, fd %d", sep->se_service, sep->se_fd);
1430 if (sep->se_fd < 0) {
1432 "%s: %s: bad fd", __FUNCTION__, sep->se_service);
1437 "%s: %s: is mux", __FUNCTION__, sep->se_service);
1440 if (!FD_ISSET(sep->se_fd, &allsock)) {
1442 "%s: %s: not on", __FUNCTION__, sep->se_service);
1446 syslog(LOG_ERR, "%s: nsock=0", __FUNCTION__);
1451 FD_CLR(sep->se_fd, &allsock);
1452 if (sep->se_fd == maxsock)
1456 FILE *fconfig = NULL;
1457 struct servtab serv;
1458 char line[LINE_MAX];
1464 if (fconfig != NULL) {
1465 fseek(fconfig, 0L, SEEK_SET);
1468 fconfig = fopen(CONFIG, "r");
1469 return (fconfig != NULL);
1476 (void) fclose(fconfig);
1484 struct servtab *sep = &serv;
1488 static char TCPMUX_TOKEN[] = "tcpmux/";
1489 #define MUX_LEN (sizeof(TCPMUX_TOKEN)-1)
1491 char *policy = NULL;
1499 while ((cp = nextline(fconfig)) != NULL) {
1501 /* lines starting with #@ is not a comment, but the policy */
1502 if (cp[0] == '#' && cp[1] == '@') {
1504 for (p = cp + 2; p && *p && isspace(*p); p++)
1510 } else if (ipsec_get_policylen(p) >= 0) {
1516 "%s: invalid ipsec policy \"%s\"",
1522 if (*cp == '#' || *cp == '\0')
1527 return ((struct servtab *)0);
1529 * clear the static buffer, since some fields (se_ctrladdr,
1530 * for example) don't get initialized here.
1532 memset(sep, 0, sizeof *sep);
1535 /* got an empty line containing just blanks/tabs. */
1538 if (arg[0] == ':') { /* :user:group:perm: */
1539 char *user, *group, *perm;
1543 if ((group = strchr(user, ':')) == NULL) {
1544 syslog(LOG_ERR, "no group after user '%s'", user);
1548 if ((perm = strchr(group, ':')) == NULL) {
1549 syslog(LOG_ERR, "no mode after group '%s'", group);
1553 if ((pw = getpwnam(user)) == NULL) {
1554 syslog(LOG_ERR, "no such user '%s'", user);
1557 sep->se_sockuid = pw->pw_uid;
1558 if ((gr = getgrnam(group)) == NULL) {
1559 syslog(LOG_ERR, "no such user '%s'", group);
1562 sep->se_sockgid = gr->gr_gid;
1563 sep->se_sockmode = strtol(perm, &arg, 8);
1565 syslog(LOG_ERR, "bad mode '%s'", perm);
1570 sep->se_sockuid = euid;
1571 sep->se_sockgid = egid;
1572 sep->se_sockmode = 0200;
1574 if (strncmp(arg, TCPMUX_TOKEN, MUX_LEN) == 0) {
1575 char *c = arg + MUX_LEN;
1577 sep->se_type = MUXPLUS_TYPE;
1580 sep->se_type = MUX_TYPE;
1581 sep->se_service = newstr(c);
1583 sep->se_service = newstr(arg);
1584 sep->se_type = NORM_TYPE;
1587 if (strcmp(arg, "stream") == 0)
1588 sep->se_socktype = SOCK_STREAM;
1589 else if (strcmp(arg, "dgram") == 0)
1590 sep->se_socktype = SOCK_DGRAM;
1591 else if (strcmp(arg, "rdm") == 0)
1592 sep->se_socktype = SOCK_RDM;
1593 else if (strcmp(arg, "seqpacket") == 0)
1594 sep->se_socktype = SOCK_SEQPACKET;
1595 else if (strcmp(arg, "raw") == 0)
1596 sep->se_socktype = SOCK_RAW;
1598 sep->se_socktype = -1;
1601 if (strncmp(arg, "tcp", 3) == 0) {
1602 sep->se_proto = newstr(strsep(&arg, "/"));
1604 if (strcmp(arg, "ttcp") == 0)
1605 sep->se_type = TTCP_TYPE;
1606 else if (strcmp(arg, "faith") == 0)
1607 sep->se_type = FAITH_TYPE;
1610 if (sep->se_type == NORM_TYPE &&
1611 strncmp(arg, "faith/", 6) == 0) {
1613 sep->se_type = FAITH_TYPE;
1615 sep->se_proto = newstr(arg);
1617 if (strncmp(sep->se_proto, "rpc/", 4) == 0) {
1618 if (no_v4bind != 0) {
1619 syslog(LOG_NOTICE, "IPv4 bind is ignored for %s",
1624 memmove(sep->se_proto, sep->se_proto + 4,
1625 strlen(sep->se_proto) + 1 - 4);
1627 sep->se_rpc_prog = sep->se_rpc_lowvers =
1628 sep->se_rpc_lowvers = 0;
1629 memcpy(&sep->se_ctrladdr4, bind_sa4,
1630 sizeof(sep->se_ctrladdr4));
1631 if ((versp = rindex(sep->se_service, '/'))) {
1633 switch (sscanf(versp, "%d-%d",
1634 &sep->se_rpc_lowvers,
1635 &sep->se_rpc_highvers)) {
1639 sep->se_rpc_highvers =
1640 sep->se_rpc_lowvers;
1644 "bad RPC version specifier; %s",
1651 sep->se_rpc_lowvers =
1652 sep->se_rpc_highvers = 1;
1655 sep->se_nomapped = 0;
1656 while (isdigit(sep->se_proto[strlen(sep->se_proto) - 1])) {
1658 if (sep->se_proto[strlen(sep->se_proto) - 1] == '6') {
1659 if (no_v6bind != 0) {
1660 syslog(LOG_NOTICE, "IPv6 bind is ignored for %s",
1665 sep->se_proto[strlen(sep->se_proto) - 1] = '\0';
1670 if (sep->se_proto[strlen(sep->se_proto) - 1] == '4') {
1671 sep->se_proto[strlen(sep->se_proto) - 1] = '\0';
1675 /* illegal version num */
1676 syslog(LOG_ERR, "bad IP version for %s", sep->se_proto);
1680 if (strcmp(sep->se_proto, "unix") == 0) {
1681 sep->se_family = AF_UNIX;
1685 sep->se_family = AF_INET6;
1686 if (v4bind == 0 || no_v4bind != 0)
1687 sep->se_nomapped = 1;
1690 { /* default to v4 bind if not v6 bind */
1691 if (no_v4bind != 0) {
1692 syslog(LOG_NOTICE, "IPv4 bind is ignored for %s",
1697 sep->se_family = AF_INET;
1700 switch(sep->se_family) {
1702 memcpy(&sep->se_ctrladdr4, bind_sa4,
1703 sizeof(sep->se_ctrladdr4));
1704 sep->se_ctrladdr_size = sizeof(sep->se_ctrladdr4);
1708 memcpy(&sep->se_ctrladdr6, bind_sa6,
1709 sizeof(sep->se_ctrladdr6));
1710 sep->se_ctrladdr_size = sizeof(sep->se_ctrladdr6);
1714 if (strlen(sep->se_service) >= sizeof(sep->se_ctrladdr_un.sun_path)) {
1716 "domain socket pathname too long for service %s",
1720 memset(&sep->se_ctrladdr, 0, sizeof(sep->se_ctrladdr));
1721 sep->se_ctrladdr_un.sun_family = sep->se_family;
1722 sep->se_ctrladdr_un.sun_len = strlen(sep->se_service);
1723 strcpy(sep->se_ctrladdr_un.sun_path, sep->se_service);
1724 sep->se_ctrladdr_size = SUN_LEN(&sep->se_ctrladdr_un);
1727 if (!strncmp(arg, "wait", 4))
1729 else if (!strncmp(arg, "nowait", 6))
1733 "%s: bad wait/nowait for service %s",
1734 CONFIG, sep->se_service);
1737 sep->se_maxchild = -1;
1738 sep->se_maxcpm = -1;
1739 if ((s = strchr(arg, '/')) != NULL) {
1743 val = strtoul(s + 1, &eptr, 10);
1744 if (eptr == s + 1 || val > MAX_MAXCHLD) {
1746 "%s: bad max-child for service %s",
1747 CONFIG, sep->se_service);
1751 if (!sep->se_accept && val != 1)
1752 warnx("maxchild=%lu for wait service %s"
1753 " not recommended", val, sep->se_service);
1754 sep->se_maxchild = val;
1756 sep->se_maxcpm = strtol(eptr + 1, &eptr, 10);
1758 * explicitly do not check for \0 for future expansion /
1759 * backwards compatibility
1764 * Silently enforce "nowait" mode for TCPMUX services
1765 * since they don't have an assigned port to listen on.
1768 if (strcmp(sep->se_proto, "tcp")) {
1770 "%s: bad protocol for tcpmux service %s",
1771 CONFIG, sep->se_service);
1774 if (sep->se_socktype != SOCK_STREAM) {
1776 "%s: bad socket type for tcpmux service %s",
1777 CONFIG, sep->se_service);
1781 sep->se_user = newstr(sskip(&cp));
1783 if ((s = strrchr(sep->se_user, '/')) != NULL) {
1785 sep->se_class = newstr(s + 1);
1787 sep->se_class = newstr(RESOURCE_RC);
1789 if ((s = strrchr(sep->se_user, ':')) != NULL) {
1791 sep->se_group = newstr(s + 1);
1793 sep->se_group = NULL;
1794 sep->se_server = newstr(sskip(&cp));
1795 if ((sep->se_server_name = rindex(sep->se_server, '/')))
1796 sep->se_server_name++;
1797 if (strcmp(sep->se_server, "internal") == 0) {
1800 for (bi = biltins; bi->bi_service; bi++)
1801 if (bi->bi_socktype == sep->se_socktype &&
1802 matchservent(bi->bi_service, sep->se_service,
1805 if (bi->bi_service == 0) {
1806 syslog(LOG_ERR, "internal service %s unknown",
1810 sep->se_accept = 1; /* force accept mode for built-ins */
1814 if (sep->se_maxcpm < 0)
1815 sep->se_maxcpm = maxcpm;
1816 if (sep->se_maxchild < 0) { /* apply default max-children */
1817 if (sep->se_bi && sep->se_bi->bi_maxchild >= 0)
1818 sep->se_maxchild = sep->se_bi->bi_maxchild;
1819 else if (sep->se_accept)
1820 sep->se_maxchild = maxchild > 0 ? maxchild : 0;
1822 sep->se_maxchild = 1;
1824 if (sep->se_maxchild > 0) {
1825 sep->se_pids = malloc(sep->se_maxchild * sizeof(*sep->se_pids));
1826 if (sep->se_pids == NULL) {
1827 syslog(LOG_ERR, "malloc: %m");
1832 for (arg = skip(&cp); cp; arg = skip(&cp))
1833 if (argc < MAXARGV) {
1834 sep->se_argv[argc++] = newstr(arg);
1837 "%s: too many arguments for service %s",
1838 CONFIG, sep->se_service);
1841 while (argc <= MAXARGV)
1842 sep->se_argv[argc++] = NULL;
1844 sep->se_policy = policy ? newstr(policy) : NULL;
1856 free(cp->se_service);
1868 free(cp->se_server);
1871 for (i = 0; i < MAXARGV; i++)
1873 free(cp->se_argv[i]);
1876 free(cp->se_policy);
1882 * Safe skip - if skip returns null, log a syntax error in the
1883 * configuration file and exit.
1893 syslog(LOG_ERR, "%s: syntax error", CONFIG);
1908 while (*cp == ' ' || *cp == '\t')
1914 (void) ungetc(c, fconfig);
1915 if (c == ' ' || c == '\t')
1916 if ((cp = nextline(fconfig)))
1921 if (*cp == '"' || *cp == '\'')
1925 while (*cp && *cp != quote)
1928 while (*cp && *cp != ' ' && *cp != '\t')
1942 if (fgets(line, sizeof (line), fd) == NULL)
1944 cp = strchr(line, '\n');
1956 if ((cr = strdup(cp != NULL ? cp : "")))
1958 syslog(LOG_ERR, "strdup: %m");
1963 inetd_setproctitle(a, s)
1968 struct sockaddr_storage ss;
1969 char buf[80], pbuf[INET6_ADDRSTRLEN];
1972 if (getpeername(s, (struct sockaddr *)&ss, &size) == 0) {
1973 getnameinfo((struct sockaddr *)&ss, size, pbuf, sizeof(pbuf),
1974 NULL, 0, NI_NUMERICHOST|NI_WITHSCOPEID);
1975 (void) sprintf(buf, "%s [%s]", a, pbuf);
1977 (void) sprintf(buf, "%s", a);
1978 setproctitle("%s", buf);
1983 const struct sockaddr *sa;
1984 const struct servtab *sep;
1986 struct servtab *se2;
1987 char pname[INET6_ADDRSTRLEN];
1989 for (se2 = servtab; se2; se2 = se2->se_next) {
1990 if (!se2->se_bi || se2->se_socktype != SOCK_DGRAM)
1993 switch (se2->se_family) {
1995 if (((const struct sockaddr_in *)sa)->sin_port ==
1996 se2->se_ctrladdr4.sin_port)
2001 if (((const struct sockaddr_in *)sa)->sin_port ==
2002 se2->se_ctrladdr4.sin_port)
2010 getnameinfo(sa, sa->sa_len, pname, sizeof(pname), NULL, 0,
2011 NI_NUMERICHOST|NI_WITHSCOPEID);
2012 syslog(LOG_WARNING, "%s/%s:%s/%s loop request REFUSED from %s",
2013 sep->se_service, sep->se_proto,
2014 se2->se_service, se2->se_proto,
2023 * Dump relevant information to stderr
2026 print_service(action, sep)
2028 const struct servtab *sep;
2031 "%s: %s proto=%s accept=%d max=%d user=%s group=%s"
2035 " builtin=%p server=%s"
2040 action, sep->se_service, sep->se_proto,
2041 sep->se_accept, sep->se_maxchild, sep->se_user, sep->se_group,
2045 (void *) sep->se_bi, sep->se_server
2047 , (sep->se_policy ? sep->se_policy : "")
2052 #define CPMHSIZE 256
2053 #define CPMHMASK (CPMHSIZE-1)
2057 typedef struct CTime {
2058 unsigned long ct_Ticks;
2062 typedef struct CHash {
2064 struct in_addr c4_Addr;
2065 struct in6_addr c6_Addr;
2067 #define ch_Addr4 cu_Addr.c4_Addr
2068 #define ch_Addr6 cu_Addr.c6_Addr
2072 CTime ch_Times[CHTSIZE];
2075 CHash CHashAry[CPMHSIZE];
2079 const struct servtab *sep;
2082 struct sockaddr_storage rss;
2083 socklen_t rssLen = sizeof(rss);
2087 * If getpeername() fails, just let it through (if logging is
2088 * enabled the condition is caught elsewhere)
2091 if (sep->se_maxcpm > 0 &&
2092 getpeername(ctrl, (struct sockaddr *)&rss, &rssLen) == 0 ) {
2093 time_t t = time(NULL);
2094 int hv = 0xABC3D20F;
2097 CHash *chBest = NULL;
2098 unsigned int ticks = t / CHTGRAN;
2099 struct sockaddr_in *sin4;
2101 struct sockaddr_in6 *sin6;
2104 sin4 = (struct sockaddr_in *)&rss;
2106 sin6 = (struct sockaddr_in6 *)&rss;
2112 switch (rss.ss_family) {
2114 p = (char *)&sin4->sin_addr;
2115 addrlen = sizeof(struct in_addr);
2119 p = (char *)&sin6->sin6_addr;
2120 addrlen = sizeof(struct in6_addr);
2124 /* should not happen */
2128 for (i = 0; i < addrlen; ++i, ++p) {
2129 hv = (hv << 5) ^ (hv >> 23) ^ *p;
2131 hv = (hv ^ (hv >> 16));
2133 for (i = 0; i < 5; ++i) {
2134 CHash *ch = &CHashAry[(hv + i) & CPMHMASK];
2136 if (rss.ss_family == AF_INET &&
2137 ch->ch_Family == AF_INET &&
2138 sin4->sin_addr.s_addr == ch->ch_Addr4.s_addr &&
2139 ch->ch_Service && strcmp(sep->se_service,
2140 ch->ch_Service) == 0) {
2145 if (rss.ss_family == AF_INET6 &&
2146 ch->ch_Family == AF_INET6 &&
2147 IN6_ARE_ADDR_EQUAL(&sin6->sin6_addr,
2148 &ch->ch_Addr6) != 0 &&
2149 ch->ch_Service && strcmp(sep->se_service,
2150 ch->ch_Service) == 0) {
2155 if (chBest == NULL || ch->ch_LTime == 0 ||
2156 ch->ch_LTime < chBest->ch_LTime) {
2160 if ((rss.ss_family == AF_INET &&
2161 (chBest->ch_Family != AF_INET ||
2162 sin4->sin_addr.s_addr != chBest->ch_Addr4.s_addr)) ||
2163 chBest->ch_Service == NULL ||
2164 strcmp(sep->se_service, chBest->ch_Service) != 0) {
2165 chBest->ch_Family = sin4->sin_family;
2166 chBest->ch_Addr4 = sin4->sin_addr;
2167 if (chBest->ch_Service)
2168 free(chBest->ch_Service);
2169 chBest->ch_Service = strdup(sep->se_service);
2170 bzero(chBest->ch_Times, sizeof(chBest->ch_Times));
2173 if ((rss.ss_family == AF_INET6 &&
2174 (chBest->ch_Family != AF_INET6 ||
2175 IN6_ARE_ADDR_EQUAL(&sin6->sin6_addr,
2176 &chBest->ch_Addr6) == 0)) ||
2177 chBest->ch_Service == NULL ||
2178 strcmp(sep->se_service, chBest->ch_Service) != 0) {
2179 chBest->ch_Family = sin6->sin6_family;
2180 chBest->ch_Addr6 = sin6->sin6_addr;
2181 if (chBest->ch_Service)
2182 free(chBest->ch_Service);
2183 chBest->ch_Service = strdup(sep->se_service);
2184 bzero(chBest->ch_Times, sizeof(chBest->ch_Times));
2187 chBest->ch_LTime = t;
2189 CTime *ct = &chBest->ch_Times[ticks % CHTSIZE];
2190 if (ct->ct_Ticks != ticks) {
2191 ct->ct_Ticks = ticks;
2196 for (i = 0; i < CHTSIZE; ++i) {
2197 CTime *ct = &chBest->ch_Times[i];
2198 if (ct->ct_Ticks <= ticks &&
2199 ct->ct_Ticks >= ticks - CHTSIZE) {
2200 cnt += ct->ct_Count;
2203 if (cnt * (CHTSIZE * CHTGRAN) / 60 > sep->se_maxcpm) {
2204 char pname[INET6_ADDRSTRLEN];
2206 getnameinfo((struct sockaddr *)&rss,
2207 ((struct sockaddr *)&rss)->sa_len,
2208 pname, sizeof(pname), NULL, 0,
2209 NI_NUMERICHOST|NI_WITHSCOPEID);
2212 "%s from %s exceeded counts/min (limit %d/min)",
2213 sep->se_service, pname,
projects / FreeBSD / FreeBSD.git / blob