svn commit: r262860 - in head: . etc usr.sbin/rpcbind

Thu Mar 6 17:33:29 UTC 2014

Author: mav
Date: Thu Mar  6 17:33:27 2014
New Revision: 262860
URL: http://svnweb.freebsd.org/changeset/base/262860

Log:
  Disable libwrap (TCP wrappers) support in rpcbind by default, introducing
  new command line options -W, to enable it when needed.
  
  On my tests this change by almost ten times improves rpcbind performance.
  
  No objections:	many, net@

Modified:
  head/UPDATING
  head/etc/hosts.allow
  head/usr.sbin/rpcbind/rpcbind.8
  head/usr.sbin/rpcbind/rpcbind.c
  head/usr.sbin/rpcbind/rpcbind.h
  head/usr.sbin/rpcbind/security.c

Modified: head/UPDATING
==============================================================================

--- head/UPDATING	Thu Mar  6 17:33:12 2014	(r262859)
+++ head/UPDATING	Thu Mar  6 17:33:27 2014	(r262860)
@@ -31,6 +31,11 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 11
 	disable the most expensive debugging functionality run
 	"ln -s 'abort:false,junk:false' /etc/malloc.conf".)
 
+20140306:
+	Support for libwrap (TCP wrappers) in rpcbind was disabled by default
+	to improve performance.  To re-enable it, if needed, run rpcbind
+	with command line option -W.
+
 20140226:
 	Switched back to the GPL dtc compiler due to updates in the upstream
 	dts files not being supported by the BSDL dtc compiler. You will need

Modified: head/etc/hosts.allow
==============================================================================
--- head/etc/hosts.allow	Thu Mar  6 17:33:12 2014	(r262859)
+++ head/etc/hosts.allow	Thu Mar  6 17:33:27 2014	(r262860)
@@ -60,6 +60,7 @@ exim : localhost : allow
 exim : ALL : allow
 
 # Rpcbind is used for all RPC services; protect your NFS!
+# Rpcbind should be running with -W option to support this.
 # (IP addresses rather than hostnames *MUST* be used here)
 #rpcbind : 192.0.2.32/255.255.255.224 : allow
 #rpcbind : 192.0.2.96/255.255.255.224 : allow

Modified: head/usr.sbin/rpcbind/rpcbind.8
==============================================================================
--- head/usr.sbin/rpcbind/rpcbind.8	Thu Mar  6 17:33:12 2014	(r262859)
+++ head/usr.sbin/rpcbind/rpcbind.8	Thu Mar  6 17:33:27 2014	(r262860)
@@ -2,7 +2,7 @@
 .\" Copyright 1989 AT&T
 .\" Copyright 1991 Sun Microsystems, Inc.
 .\" $FreeBSD$
-.Dd April 23, 2007
+.Dd March 6, 2014
 .Dt RPCBIND 8
 .Os
 .Sh NAME
@@ -133,6 +133,8 @@ to use non-privileged ports for outgoing
 clients from using
 .Nm
 to connect to services from a privileged port.
+.It Fl W
+Enable libwrap (TCP wrappers) support.
 .El
 .Sh NOTES
 All RPC servers must be restarted if

Modified: head/usr.sbin/rpcbind/rpcbind.c
==============================================================================
--- head/usr.sbin/rpcbind/rpcbind.c	Thu Mar  6 17:33:12 2014	(r262859)
+++ head/usr.sbin/rpcbind/rpcbind.c	Thu Mar  6 17:33:27 2014	(r262860)
@@ -88,6 +88,9 @@ rpcblist_ptr list_rbl;	/* A list of vers
 int runasdaemon = 0;
 int insecure = 0;
 int oldstyle_local = 0;
+#ifdef LIBWRAP
+int libwrap = 0;
+#endif
 int verboselog = 0;
 
 char **hosts = NULL;
@@ -785,7 +788,12 @@ parseargs(int argc, char *argv[])
 #else
 #define	WSOP	""
 #endif
-	while ((c = getopt(argc, argv, "6adh:iLls" WSOP)) != -1) {
+#ifdef LIBWRAP
+#define WRAPOP	"W"
+#else
+#define WRAPOP	""
+#endif
+	while ((c = getopt(argc, argv, "6adh:iLls" WRAPOP WSOP)) != -1) {
 		switch (c) {
 		case '6':
 			ipv6_only = 1;
@@ -818,6 +826,11 @@ parseargs(int argc, char *argv[])
 		case 's':
 			runasdaemon = 1;
 			break;
+#ifdef LIBWRAP
+		case 'W':
+			libwrap = 1;
+			break;
+#endif
 #ifdef WARMSTART
 		case 'w':
 			warmstart = 1;
@@ -825,8 +838,8 @@ parseargs(int argc, char *argv[])
 #endif
 		default:	/* error */
 			fprintf(stderr,
-			    "usage: rpcbind [-6adiLls%s] [-h bindip]\n",
-			    WSOP);
+			    "usage: rpcbind [-6adiLls%s%s] [-h bindip]\n",
+			    WRAPOP, WSOP);
 			exit (1);
 		}
 	}

Modified: head/usr.sbin/rpcbind/rpcbind.h
==============================================================================
--- head/usr.sbin/rpcbind/rpcbind.h	Thu Mar  6 17:33:12 2014	(r262859)
+++ head/usr.sbin/rpcbind/rpcbind.h	Thu Mar  6 17:33:27 2014	(r262860)
@@ -66,6 +66,9 @@ struct r_rmtcall_args {
 
 extern int debugging;
 extern int doabort;
+#ifdef LIBWRAP
+extern int libwrap;
+#endif
 extern int verboselog;
 extern int insecure;
 extern int oldstyle_local;

Modified: head/usr.sbin/rpcbind/security.c
==============================================================================
--- head/usr.sbin/rpcbind/security.c	Thu Mar  6 17:33:12 2014	(r262859)
+++ head/usr.sbin/rpcbind/security.c	Thu Mar  6 17:33:27 2014	(r262860)
@@ -108,13 +108,15 @@ check_access(SVCXPRT *xprt, rpcproc_t pr
 	}
 
 #ifdef LIBWRAP
-	if (addr->sa_family == AF_LOCAL)
-		return 1;
-	request_init(&req, RQ_DAEMON, "rpcbind", RQ_CLIENT_SIN, addr, 0);
-	sock_methods(&req);
-	if(!hosts_access(&req)) {
-		logit(deny_severity, addr, proc, prog, ": request from unauthorized host");
-		return 0;
+	if (libwrap && addr->sa_family != AF_LOCAL) {
+		request_init(&req, RQ_DAEMON, "rpcbind", RQ_CLIENT_SIN, addr,
+		    0);
+		sock_methods(&req);
+		if(!hosts_access(&req)) {
+			logit(deny_severity, addr, proc, prog,
+			    ": request from unauthorized host");
+			return 0;
+		}
 	}
 #endif
 	if (verboselog)
