From fe92ab33f813b446ff18a55e2edcd078e0837b9f Mon Sep 17 00:00:00 2001 From: sheldonh Date: Wed, 30 Jun 1999 23:36:39 +0000 Subject: Enable wrapping for dgram services and fix logging so that -l really does log all connections. --- usr.sbin/inetd/inetd.8 | 27 ++++++++++++++++++------ usr.sbin/inetd/inetd.c | 57 ++++++++++++++++++++++++++------------------------ 2 files changed, 51 insertions(+), 33 deletions(-) (limited to 'usr.sbin/inetd') diff --git a/usr.sbin/inetd/inetd.8 b/usr.sbin/inetd/inetd.8 index 161ec4c..6df8a15 100644 --- a/usr.sbin/inetd/inetd.8 +++ b/usr.sbin/inetd/inetd.8 @@ -30,7 +30,7 @@ .\" SUCH DAMAGE. .\" .\" from: @(#)inetd.8 8.3 (Berkeley) 4/13/94 -.\" $Id: inetd.8,v 1.28 1999/06/27 18:05:33 sheldonh Exp $ +.\" $Id: inetd.8,v 1.29 1999/06/27 21:07:55 sheldonh Exp $ .\" .Dd February 7, 1996 .Dt INETD 8 @@ -389,10 +389,8 @@ When given the .Fl l option .Nm -will log an entry to syslog each time an -.Xr accept 2 -is made, which notes the -service selected and the IP-number of the remote requestor. +will log an entry to syslog each time a connection is accepted, noting the +service selected and the IP-number of the remote requestor if available. .Pp The .Nm @@ -412,7 +410,9 @@ When given the option, .Nm will wrap all services specified as -.Dq stream tcp nowait +.Dq stream nowait +or +.Dq dgram except for .Dq internal services. If the 
@@ -421,6 +421,21 @@ option is given twice, such .Dq internal services will be wrapped as well. .Pp +If the +.Fl l +option is specified, all connection attempts are logged, whether they are +allowed, denied or not wrapped at all. Otherwise, only denied requests will +be logged. +.Pp +Note that +.Nm +only wraps requests for a +.Dq wait +service while no servers are available to service requests. Once a +connection to such a service has been allowed, inetd has no control +over subsequent connections to the service until no more servers +are left listening for connection requests. +.Pp When wrapping is enabled, the .Pa tcpd daemon is not required, as that functionality is builtin. diff --git a/usr.sbin/inetd/inetd.c b/usr.sbin/inetd/inetd.c index 913c648..fdfb448 100644 --- a/usr.sbin/inetd/inetd.c +++ b/usr.sbin/inetd/inetd.c @@ -42,7 +42,7 @@ static const char copyright[] = static char sccsid[] = "@(#)from: inetd.c 8.4 (Berkeley) 4/13/94"; #endif static const char rcsid[] = - "$Id: inetd.c,v 1.53 1999/06/28 09:28:17 sheldonh Exp $"; + "$Id: inetd.c,v 1.54 1999/06/28 11:27:14 sheldonh Exp $"; #endif /* not lint */ /* @@ -146,6 +146,11 @@ static const char rcsid[] = # define LIBWRAP_DENY_SEVERITY LOG_WARNING #endif +#define ISWRAP(sep) \ + ( ((wrap && !(sep)->se_bi) || (wrap_bi && (sep)->se_bi)) \ + && ( ((sep)->se_accept && (sep)->se_socktype == SOCK_STREAM) \ + || (sep)->se_socktype == SOCK_DGRAM)) + #ifdef LOGIN_CAP #include @@ -350,6 +355,7 @@ main(argc, argv, envp) struct request_info req; int denied; char *service = NULL; + char *pnm; struct sockaddr_in peer; int i; 
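Review bot: The new `ISWRAP(sep)` macro has no comment, yet it is now the single place where the wrapping decision is made for stream and dgram services alike, and a reader must reconstruct from the man page hunk that `wrap` presumably reflects the wrapping option given once and `wrap_bi` the same option given twice. I would add above the `#define`: `/* Wrap this service if wrapping is enabled for its kind (wrap: non-builtins, wrap_bi: builtins) and it is a nowait stream service or any dgram service. A dgram "wait" service is only checked while no server is running; see inetd(8). */`. The macro evaluates its argument up to four times, which is fine for the `sep` pointer but means it must never be given an expression with side effects, so that is worth a word in the same comment.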
@@ -541,32 +547,30 @@ main(argc, argv, envp) close(ctrl); continue; } - if (!wrap && log) { - i = sizeof peer; - if (getpeername(ctrl, (struct sockaddr *) - &peer, &i)) { - syslog(LOG_WARNING, - "getpeername(for %s): %m", - sep->se_service); - close(ctrl); - continue; - } - syslog(LOG_INFO,"%s from %s", - sep->se_service, - inet_ntoa(peer.sin_addr)); - } } else ctrl = sep->se_fd; + if (log && !ISWRAP(sep)) { + pnm = "unknown"; + i = sizeof peer; + if (getpeername(ctrl, (struct sockaddr *) + &peer, &i)) { + i = sizeof peer; + if (recvfrom(ctrl, buf, sizeof(buf), + MSG_PEEK, + (struct sockaddr *)&peer, &i) >= 0) + pnm = inet_ntoa(peer.sin_addr); + } + else + pnm = inet_ntoa(peer.sin_addr); + syslog(LOG_INFO,"%s from %s", sep->se_service, pnm); + } (void) sigblock(SIGBLOCK); pid = 0; /* - * When builtins are wrapped, avoid a minor optimization - * that breaks hosts_options(5) twist. + * Fork for any service except a non-forking builtin, + * which might twist (hosts_options(5)). */ - if (wrap_bi) - dofork = 1; - else - dofork = (sep->se_bi == 0 || sep->se_bi->bi_fork); + dofork = !sep->se_bi || sep->se_bi->bi_fork || ISWRAP(sep); if (dofork) { if (sep->se_count++ == 0) (void)gettimeofday(&sep->se_time, (struct timezone *)NULL); @@ -624,9 +628,7 @@ main(argc, argv, envp) _exit(0); } } - if ((wrap && (!sep->se_bi || wrap_bi)) - && sep->se_accept - && sep->se_socktype == SOCK_STREAM) { + if (ISWRAP(sep)) { service = sep->se_server_name ? sep->se_server_name : sep->se_service; request_init(&req, RQ_DAEMON, service, RQ_FILE, ctrl, NULL); @@ -638,7 +640,10 @@ main(argc, argv, envp) syslog(deny_severity, "refused connection from %.500s, service %s (%s)", eval_client(&req), service, sep->se_proto); - goto reject; + if (sep->se_socktype != SOCK_STREAM) + recv(ctrl, buf, sizeof (buf), 0); + if (dofork) + _exit(0); } if (log) { syslog(allow_severity, 
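Review bot: In the new `log && !ISWRAP(sep)` block the `recvfrom(..., MSG_PEEK, ...)` fallback is taken for stream sockets too whenever `getpeername()` fails, although a peeked source address is only meaningful for datagram sockets, and nothing in the hunk makes `ctrl` non-blocking, so a peek on an accepted TCP socket that has not delivered data yet could, depending on why `getpeername()` failed, stall the whole inetd process. Restricting the fallback to datagram sockets keeps the "unknown" logging without that risk: `if (sep->se_socktype == SOCK_DGRAM && recvfrom(ctrl, buf, sizeof(buf), MSG_PEEK, (struct sockaddr *)&peer, &i) >= 0)`. Note also that the removed code closed a stream connection whose peer could not be determined and `continue`d, while the new code logs `unknown` and still hands the connection to the service; if that relaxation is intended it should be stated in the commit message. The enclosing `main()` starts and ends outside this hunk.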
@@ -648,7 +653,6 @@ main(argc, argv, envp) } if (sep->se_bi) { (*sep->se_bi->bi_fn)(ctrl, sep); - /* NOTREACHED */ } else { if (debug) warnx("%d execl %s", @@ -735,7 +739,6 @@ main(argc, argv, envp) execv(sep->se_server, sep->se_argv); syslog(LOG_ERR, "cannot execute %s: %m", sep->se_server); - reject: if (sep->se_socktype != SOCK_STREAM) recv(0, buf, sizeof (buf), 0); } -- cgit v1.1
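Review bot: Dropping `/* NOTREACHED */` after `(*sep->se_bi->bi_fn)(ctrl, sep);` concedes that a builtin may return, and the new `dofork` rule in the earlier hunk forks for every wrapped builtin, including ones whose `bi_fork` is zero and which presumably return to the caller; what follows the `if (sep->se_bi)` / `else` pair is outside this hunk, so I cannot see an `_exit()` for that forked child. If there is none, a wrapped non-forking builtin leaves a child process that falls back into inetd's main loop. I would guard it right after the call: `if (dofork) _exit(0);`. The enclosing `main()` starts and ends outside this hunk.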