author | mav <mav@FreeBSD.org> | 2014-03-06 17:33:27 +0000 |
---|---|---|
committer | mav <mav@FreeBSD.org> | 2014-03-06 17:33:27 +0000 |
commit | 1e800dd8ab05cb2ace3c61684e7d9ece5dc68e9e (patch) | |
tree | 0e5488d340c60622be8a60a72e9c8e91358f95d5 /usr.sbin/rpcbind | |
parent | 0cbc38e5217d5590c1c49578a0693e5d359b1d00 (diff) | |
Disable libwrap (TCP wrappers) support in rpcbind by default, introducing
a new command line option, -W, to enable it when needed.
In my tests this change improves rpcbind performance almost tenfold.
No objections: many, net@
Diffstat (limited to 'usr.sbin/rpcbind')
-rw-r--r-- | usr.sbin/rpcbind/rpcbind.8 | 4 | ||||
-rw-r--r-- | usr.sbin/rpcbind/rpcbind.c | 19 | ||||
-rw-r--r-- | usr.sbin/rpcbind/rpcbind.h | 3 | ||||
-rw-r--r-- | usr.sbin/rpcbind/security.c | 16 |
4 files changed, 31 insertions, 11 deletions
diff --git a/usr.sbin/rpcbind/rpcbind.8 b/usr.sbin/rpcbind/rpcbind.8 index 0ecf895..0df1fd0 100644 --- a/usr.sbin/rpcbind/rpcbind.8 +++ b/usr.sbin/rpcbind/rpcbind.8 @@ -2,7 +2,7 @@ .\" Copyright 1989 AT&T .\" Copyright 1991 Sun Microsystems, Inc. .\" $FreeBSD$ -.Dd April 23, 2007 +.Dd March 6, 2014 .Dt RPCBIND 8 .Os .Sh NAME @@ -133,6 +133,8 @@ to use non-privileged ports for outgoing connections, preventing non-privileged clients from using .Nm to connect to services from a privileged port. +.It Fl W +Enable libwrap (TCP wrappers) support. .El .Sh NOTES All RPC servers must be restarted if diff --git a/usr.sbin/rpcbind/rpcbind.c b/usr.sbin/rpcbind/rpcbind.c index e692c6e..67c7f7b 100644 --- a/usr.sbin/rpcbind/rpcbind.c +++ b/usr.sbin/rpcbind/rpcbind.c @@ -88,6 +88,9 @@ rpcblist_ptr list_rbl; /* A list of version 3/4 rpcbind services */ int runasdaemon = 0; int insecure = 0; int oldstyle_local = 0; +#ifdef LIBWRAP +int libwrap = 0; +#endif int verboselog = 0; char **hosts = NULL; @@ -785,7 +788,12 @@ parseargs(int argc, char *argv[]) #else #define WSOP "" #endif - while ((c = getopt(argc, argv, "6adh:iLls" WSOP)) != -1) { +#ifdef LIBWRAP +#define WRAPOP "W" +#else +#define WRAPOP "" +#endif + while ((c = getopt(argc, argv, "6adh:iLls" WRAPOP WSOP)) != -1) { switch (c) { case '6': ipv6_only = 1; @@ -818,6 +826,11 @@ parseargs(int argc, char *argv[]) case 's': runasdaemon = 1; break; +#ifdef LIBWRAP + case 'W': + libwrap = 1; + break; +#endif #ifdef WARMSTART case 'w': warmstart = 1; @@ -825,8 +838,8 @@ parseargs(int argc, char *argv[]) #endif default: /* error */ fprintf(stderr, - "usage: rpcbind [-6adiLls%s] [-h bindip]\n", - WSOP); + "usage: rpcbind [-6adiLls%s%s] [-h bindip]\n", + WRAPOP, WSOP); exit (1); } } diff --git a/usr.sbin/rpcbind/rpcbind.h b/usr.sbin/rpcbind/rpcbind.h index f76bf3e..4aba420 100644 --- a/usr.sbin/rpcbind/rpcbind.h +++ b/usr.sbin/rpcbind/rpcbind.h 
@@ -66,6 +66,9 @@ struct r_rmtcall_args { extern int debugging; extern int doabort; +#ifdef LIBWRAP +extern int libwrap; +#endif extern int verboselog; extern int insecure; extern int oldstyle_local; diff --git a/usr.sbin/rpcbind/security.c b/usr.sbin/rpcbind/security.c index 8657247..2cff10a 100644 --- a/usr.sbin/rpcbind/security.c +++ b/usr.sbin/rpcbind/security.c @@ -108,13 +108,15 @@ check_access(SVCXPRT *xprt, rpcproc_t proc, void *args, unsigned int rpcbvers) } #ifdef LIBWRAP - if (addr->sa_family == AF_LOCAL) - return 1; - request_init(&req, RQ_DAEMON, "rpcbind", RQ_CLIENT_SIN, addr, 0); - sock_methods(&req); - if(!hosts_access(&req)) { - logit(deny_severity, addr, proc, prog, ": request from unauthorized host"); - return 0; + if (libwrap && addr->sa_family != AF_LOCAL) { + request_init(&req, RQ_DAEMON, "rpcbind", RQ_CLIENT_SIN, addr, + 0); + sock_methods(&req); + if(!hosts_access(&req)) { + logit(deny_severity, addr, proc, prog, + ": request from unauthorized host"); + return 0; + } } #endif if (verboselog) |
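Review bot: With `libwrap` initialised to 0 in rpcbind.c, the new guard `if (libwrap && addr->sa_family != AF_LOCAL)` in check_access() skips `hosts_access()` entirely unless -W is given, so a host that relied on hosts.allow/hosts.deny entries for `rpcbind` stops enforcing them after the upgrade, and nothing in the visible hunks logs that. The rpcbind.8 entry for -W says only "Enable libwrap (TCP wrappers) support"; it should state that without -W those rules are not consulted, and the guarded block deserves a comment such as `/* TCP-wrapper rules are consulted only when -W was given; the default is no hosts_access() filtering. */`. A one-time startup notice when the binary is built with LIBWRAP but started without -W would make the changed default visible to operators; that belongs in code outside these hunks. check_access() begins and ends outside the hunk.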