svn commit: r262860 - in head: . etc usr.sbin/rpcbind
Alexander Motin
mav at FreeBSD.org
Thu Mar 6 17:33:29 UTC 2014
Author: mav
Date: Thu Mar 6 17:33:27 2014
New Revision: 262860
URL: http://svnweb.freebsd.org/changeset/base/262860
Log:
Disable libwrap (TCP wrappers) support in rpcbind by default, introducing
a new command line option, -W, to enable it when needed.
In my tests this change improves rpcbind performance almost tenfold.
No objections: many, net@
Modified:
head/UPDATING
head/etc/hosts.allow
head/usr.sbin/rpcbind/rpcbind.8
head/usr.sbin/rpcbind/rpcbind.c
head/usr.sbin/rpcbind/rpcbind.h
head/usr.sbin/rpcbind/security.c
Modified: head/UPDATING
==============================================================================
--- head/UPDATING Thu Mar 6 17:33:12 2014 (r262859)
+++ head/UPDATING Thu Mar 6 17:33:27 2014 (r262860)
@@ -31,6 +31,11 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 11
disable the most expensive debugging functionality run
"ln -s 'abort:false,junk:false' /etc/malloc.conf".)
+20140306:
+ Support for libwrap (TCP wrappers) in rpcbind was disabled by default
+ to improve performance. To re-enable it, if needed, run rpcbind
+ with command line option -W.
+
20140226:
Switched back to the GPL dtc compiler due to updates in the upstream
dts files not being supported by the BSDL dtc compiler. You will need
Modified: head/etc/hosts.allow
==============================================================================
--- head/etc/hosts.allow Thu Mar 6 17:33:12 2014 (r262859)
+++ head/etc/hosts.allow Thu Mar 6 17:33:27 2014 (r262860)
@@ -60,6 +60,7 @@ exim : localhost : allow
exim : ALL : allow
# Rpcbind is used for all RPC services; protect your NFS!
+# Rpcbind should be running with -W option to support this.
# (IP addresses rather than hostnames *MUST* be used here)
#rpcbind : 192.0.2.32/255.255.255.224 : allow
#rpcbind : 192.0.2.96/255.255.255.224 : allow
Modified: head/usr.sbin/rpcbind/rpcbind.8
==============================================================================
--- head/usr.sbin/rpcbind/rpcbind.8 Thu Mar 6 17:33:12 2014 (r262859)
+++ head/usr.sbin/rpcbind/rpcbind.8 Thu Mar 6 17:33:27 2014 (r262860)
@@ -2,7 +2,7 @@
.\" Copyright 1989 AT&T
.\" Copyright 1991 Sun Microsystems, Inc.
.\" $FreeBSD$
-.Dd April 23, 2007
+.Dd March 6, 2014
.Dt RPCBIND 8
.Os
.Sh NAME
@@ -133,6 +133,8 @@ to use non-privileged ports for outgoing
clients from using
.Nm
to connect to services from a privileged port.
+.It Fl W
+Enable libwrap (TCP wrappers) support.
.El
.Sh NOTES
All RPC servers must be restarted if
Modified: head/usr.sbin/rpcbind/rpcbind.c
==============================================================================
--- head/usr.sbin/rpcbind/rpcbind.c Thu Mar 6 17:33:12 2014 (r262859)
+++ head/usr.sbin/rpcbind/rpcbind.c Thu Mar 6 17:33:27 2014 (r262860)
@@ -88,6 +88,9 @@ rpcblist_ptr list_rbl; /* A list of vers
int runasdaemon = 0;
int insecure = 0;
int oldstyle_local = 0;
+#ifdef LIBWRAP
+int libwrap = 0;
+#endif
int verboselog = 0;
char **hosts = NULL;
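Review bot: The new global `libwrap` is defined without a comment, although its value decides whether /etc/hosts.allow is consulted at all and it defaults to off. A short comment on the definition would keep that security meaning visible to the next reader, e.g. `int libwrap = 0;	/* -W: consult hosts_access(3); when 0, hosts.allow rules for rpcbind are ignored */`. The matching `extern int libwrap;` added to rpcbind.h could carry the same wording.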
@@ -785,7 +788,12 @@ parseargs(int argc, char *argv[])
#else
#define WSOP ""
#endif
- while ((c = getopt(argc, argv, "6adh:iLls" WSOP)) != -1) {
+#ifdef LIBWRAP
+#define WRAPOP "W"
+#else
+#define WRAPOP ""
+#endif
+ while ((c = getopt(argc, argv, "6adh:iLls" WRAPOP WSOP)) != -1) {
switch (c) {
case '6':
ipv6_only = 1;
@@ -818,6 +826,11 @@ parseargs(int argc, char *argv[])
case 's':
runasdaemon = 1;
break;
+#ifdef LIBWRAP
+ case 'W':
+ libwrap = 1;
+ break;
+#endif
#ifdef WARMSTART
case 'w':
warmstart = 1;
@@ -825,8 +838,8 @@ parseargs(int argc, char *argv[])
#endif
default: /* error */
fprintf(stderr,
- "usage: rpcbind [-6adiLls%s] [-h bindip]\n",
- WSOP);
+ "usage: rpcbind [-6adiLls%s%s] [-h bindip]\n",
+ WRAPOP, WSOP);
exit (1);
}
}
Modified: head/usr.sbin/rpcbind/rpcbind.h
==============================================================================
--- head/usr.sbin/rpcbind/rpcbind.h Thu Mar 6 17:33:12 2014 (r262859)
+++ head/usr.sbin/rpcbind/rpcbind.h Thu Mar 6 17:33:27 2014 (r262860)
@@ -66,6 +66,9 @@ struct r_rmtcall_args {
extern int debugging;
extern int doabort;
+#ifdef LIBWRAP
+extern int libwrap;
+#endif
extern int verboselog;
extern int insecure;
extern int oldstyle_local;
Modified: head/usr.sbin/rpcbind/security.c
==============================================================================
--- head/usr.sbin/rpcbind/security.c Thu Mar 6 17:33:12 2014 (r262859)
+++ head/usr.sbin/rpcbind/security.c Thu Mar 6 17:33:27 2014 (r262860)
@@ -108,13 +108,15 @@ check_access(SVCXPRT *xprt, rpcproc_t pr
}
#ifdef LIBWRAP
- if (addr->sa_family == AF_LOCAL)
- return 1;
- request_init(&req, RQ_DAEMON, "rpcbind", RQ_CLIENT_SIN, addr, 0);
- sock_methods(&req);
- if(!hosts_access(&req)) {
- logit(deny_severity, addr, proc, prog, ": request from unauthorized host");
- return 0;
+ if (libwrap && addr->sa_family != AF_LOCAL) {
+ request_init(&req, RQ_DAEMON, "rpcbind", RQ_CLIENT_SIN, addr,
+ 0);
+ sock_methods(&req);
+ if(!hosts_access(&req)) {
+ logit(deny_severity, addr, proc, prog,
+ ": request from unauthorized host");
+ return 0;
+ }
}
#endif
if (verboselog)
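Review bot: With `libwrap` defaulting to 0, the new guard `if (libwrap && addr->sa_family != AF_LOCAL)` skips `hosts_access()` entirely, so a host upgraded with existing `rpcbind` rules in /etc/hosts.allow stops enforcing them, and nothing in the visible code tells the operator at run time. Because this turns an access control off by default, a one-time startup notice inside `#ifdef LIBWRAP` would make the state visible in logs, for example `if (!libwrap) syslog(LOG_NOTICE, "libwrap checks disabled; hosts.allow rules for rpcbind are not enforced (start with -W)");` after option parsing, assuming syslog is already usable at that point. check_access() begins and ends outside this hunk, so whether its other checks still restrict remote callers cannot be confirmed from here.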