PR/56963: Mark Davies: inetd not configured for rpc
Move RPC includes to inetd.h

PR bin/56963 Mark Davies: inetd not configured for rpc

Instead of using negative flags to turn on positive flags, set -DRPC
in the makefile. Corrects a problem where the SunRPC code in parse.c
was accidentally left disabled.

This is a prime example of why we don't like negative flags...

To an alias address, or in a multihoming environment, the internal dgram
server may respond from a different address than the destination address
sent by the client.
To solve this problem, I introduce sendfromto() and recvfromto() so that
the server can reply from the correct address, i.e., the destination address
used in the request.

This change also has the aspect of a reference implementation using the
RECVDSTADDR and PKTINFO socket options.

inetd: remove trailing whitespace, add space after 'if' and 'for'

No functional change.

PR/56448: Solomon Ritzow: Various improvements.

Rate limiting code has been moved to ratelimit.c. I renamed
clear_ip_list to rl_clear_ip_list and broke the code up into more
functions. I have also made the per-IP rate limiting allocation more
efficient. IP addresses are now stored in their network format instead
of a string from getnameinfo (see inetd.h struct rl_ip_node). malloc
calls use only the space needed by the structure by using offsetof on
union members (I suppose this can be a bit dangerous if not done
correctly...). Per-IP rate limiting still supports textual comparison
using getnameinfo for address families other than AF_INET and AF_INET6, but I
don't think there are any that are actually compatible or used by inetd (I
haven't tested UNIX sockets with a remote bound to another file, but I did test
using IPv6 with the textual format by commenting out the IPv6 specific
code, and it works properly). Still potentially handy for the future.
The IP node list (se_rl_ip_list) now uses the <sys/queue.h> SLIST macros
instead of a custom list. I've broken rl_process up into helper functions
for each type of rate limiting and created a separate function for
address stringification, for use with printouts from the -d flag. I
tried to reduce stack memory use by moving printing code involving
string buffers into separate functions. I haven't tested rl_ipv6_eq on
a 32-bit system.

The code for the positional syntax has also been moved to parse.c.
Function try_biltin has been added to remove parse.c:parse_server's
dependency on the biltin structure definition.

File inetd.h has been updated with the proper function prototypes, and
the servtab structure has been update with the new IP node SLIST. I also
moved things around a bit. The way we (a peer and myself)
formatted inetd.h previously was somewhat confusing. Function and global
variable prototypes are now organized by the source file they are
defined in.

I also added a -f flag that I saw in another problem report
(https://gnats.netbsd.org/12823) that I thought could be useful. It
runs inetd in the foreground but without debug printouts or SO_DEBUG.
I'm not completely sure about the line "if (foreground) setsid()" that
I changed from "if (debug) setsid()".

inetd: remove redundant tests before calling isspace

inetd: remove redundant null check before free

No functional change.

inetd: prepare for lint's strict bool mode

Lint's strict bool mode considers bool incompatible with the other
scalar types. This makes the type of expressions more visible in the
code. In particular, conditions of the form '!strcmp(...)' are no
longer allowed, they have to be written as 'strcmp(...) == 0'.

The operator '!' cannot be used with sep->se_wait since that has type
pid_t, not bool.

No change to the resulting binary.

inetd: normalize indentation and alignment in comments

inetd: fix Clang build

error: implicit conversion changes signedness: 'service_type' to 'int'

inetd: raise WARNS from 5 to 6

The necessary fixes include:
* explicit integer conversions, to get rid of mixed signedness
* function prototypes for parameterless functions

While here:
* add space after comma
* add space after 'if'
* place the '{' of a function definition on a separate line
* rename variables 'bits' and 'temp' to 'hi' and 'lo'
* in parse_quote, prefer expressions over assignments
* make hex_to_bits static

No functional change.

inetd: remove trailing whitespace

Fix reverted logic when parsing server program.
Compare pointer with NULL not 0.

fix printf formats (intmax -> j)

Inetd enhancements by James Browning, Gabe Coffland, Alex Gavin, Solomon Ritzow
Described in:
https://www.mail-archive.com/tech-userlevel@netbsd.org/msg03114.html
And developed in:
https://github.com/ritzow/src/pull/1

From their notes:

All new functionality should be explained by the updated manpage.

The manpage has been refactored a bit: A new section "Directives"
has been added and the information about default hostnames and
IPsec directives has been moved there, and the new file include
directive information is also there.

getconfigent has the most major changes. A newline is no longer
read immediately, but is called only by a "goto more" (inside an
if(false) block). This allows multiple definitions or directives
to exist on a single line for anything that doesn't terminate using
a newline. This means a key-values service definition can be followed
by another key-values service definition, a positional definition,
or an ipsec, hostname, or .include directive on the same line.

memset is no longer used explicitly to clear the servtab structure,
a function init_servtab() is used instead, which uses a C struct
initializer.

The servtab se_group field is its own allocation now, and not just
a pointer into the user:group string.

Refactored some stuff out of getconfigent to separate functions
for use by parse_v2.c. These functions in inetd.c are named with
the form parse_*()

parse_v2.c only has code for parsing a key-values service definition
into a provided servtab. It should not have anything that affects
global state other than line and line_number.

Some function prototypes, structures, and #defines have been moved
from inetd.c to inetd.h.

The function config_root replaces config as the function called on
a config file load/reload. The code removed from the end of
config(void) is now called in config_root, so it is not run on each
recursive config call.

setconfig(void) was removed and its code added into config_root
because that is the only place it is called, and redundant checks
for non-null globals were removed because they are always freed by
endconfig. The fseek code was also removed because the config files
are always closed by endconfig.

Rate limiting code was updated to add a per-service per-IP rate
limiting form. Some of that code was refactored out of other places
into functions with names in the form rl_*()

We have not added any of the license or version information to the
new files parse_v2.c, parse_v2.h, and inetd.h and we have not
updated the license or version info for inetd.c.

Security related:

The behavior when reading invalid IPsec strings has changed. Inetd
no longer exits, it quits reading the current config file instead.
Could this impact program security?

We have not checked for memory leaks. Solomon tried to use dmalloc
without success. getconfigent seemed to have a memory leak at each
"goto more". It seems like inetd has never free'd allocated strings
when throwing away erroneous service definitions during parsing
(i.e. when "goto more" is called when parsing fields). OpenBSD's
version calls freeconfig on "goto more"
(https://github.com/openbsd/src/blob/c5eae130d6c937080c3d30d124e8c8b86db7d625/usr.sbin/inetd/inetd.c#L1049)
but NetBSD only calls it when service definitions are no longer
needed. This has been fixed. freeconfig is called immediately before
any "goto more". There shouldn't be any time when a servtab is in
an invalid state where freeconfig would break.

s/suport/support/

branches: 1.125.4;
Bump MAXARGV from 20 to 64 - with bozohttpd and all config on the command
line it is easy to hit the (silent) limit.

Don't setup SPs if no policy sepecifier is specified

We expect that SPs are set up iff some policy sepecifier(s) are specified.

Found on investigating an issue reported by Robert Swindells

branches: 1.123.4;
Increase buffer size reported to strlcpy() to be one larger than the
length of the string we copy in so that there is space for the '\0'.

branches: 1.122.2; 1.122.6; 1.122.10;
Use base 10 when logging the exit status or exit signal for sub-processes,
instead of hexadecimal.

branches: 1.121.6;
PR/47318: Henning Petersen: Replace (r)index with str(r)chr in inetd.c
And while here strncpy with strlcpy

branches: 1.120.6;
include <netipsec/ipsec.h> rather than <netinet6/ipsec.h> from userland
where possible, for consistency and compatibility to FreeBSD
(exception: KAME specific statistics gathering in netstat(1) and systat(1))

branches: 1.119.2;
Use __dead

RLIMIT_NOFILE stabilized in NetBSD 17 years ago, so it's safe now
to remove the #ifdef's from around code which uses it.

Nuke conditionally compiled MULOG stuff. Itojun wanted to do it
already 8 years ago when he fixed the compilation last time, and
again it hasn't been buildable in years.

Avoid SIGSEGV in forked child process for (some?) instant-disconnect clients.

Back out mDNS changes which were not discussed.
There is design work that needs to be done first.

Add mDNS Service Directory support to inetd(8).
inetd(8) can now advertize services in the mDNS-SD.
(Per service configuration option in inetd.conf(5).)

Rename internal getline() function to get_line() so it does
conflict with the soon to be added getline(3) libc function.

print the proper client address (ryo shimizu)

Fix -Wsign-compare issue

branches: 1.110.2;
- when we close an se_fd, set it to -1
- fix int/ssize_t/size_t/socklen_t issues
- fix casts
- remove unused variables
- fix prototypes
- fix const
- remove unneeded casts

PR/40340: Ed Ravin: Print the numeric address in addition to the hostname.

Print the numeric address of the host.

Add accept filters, ported from FreeBSD by Coyote Point Systems. Add inetd
support for specifying an accept filter for a service (mostly as a usage
example, but it can be handy for other things). Manual pages to follow
in a day or so.

OK core@.

Remove the \n and tabs from the __COPYRIGHT() strings.
Tweak to use a consistent format.

When running a builtin service (a what? yeah, a piece of useless
legacy code), if the builtin service forks (not all do), avoid leaking
listening sockets into the child process.

If the child process were to keep copies of the listening sockets
around and then hang about for a long time, it would prevent inetd
from being able to re-bind them upon restart.

The listening sockets are tagged close-on-exec, but that doesn't help
when one doesn't exec.

Patch from my own very old PR 8253.

branches: 1.104.2;
Remove clause 3 and 4 from TNF licenses

branches: 1.103.10;
* Don't include headers twice
* Remove a few trailing whitespaces
* Rearrange and join to one #if for some headers

Patch contributed by Slava Semushin <slava.semushin@gmail.com>
in private mail.

Fixed gcc warnings about comparison between signed and unsigned, as well
as one case where a variable had been used for two different purposes
(which also required different types).

- use socklen_t where appropriate
- avoid lvalue casts

Don't ignore SIGCHLD, because we are not going to get kqueue notifications
about it if we do.

Simplify code a bit, and whitespace.

Add (unsigned char) cast to ctype functions

Add two missing `#ifdef INET6's.

Change the log that is produced when the maximum spawn count per
last 60 second interval is reached to more accurately reflect
what has happened.

Also, break up a few long strings, obey 80 columns, and remove a
superfluous newline passed to syslog(3).

Allow quoting using single or double quotes inside inetd.conf. Closes
PR 24192 by Tyler Retzlaff.

Don't assign NULL to an integer.

Move UCB-licensed code from 4-clause to 3-clause licence.

Patches provided by Joel Baker in PR 22366, verified by myself.

use strlcpy

"user:group=foo.bar" is weird. use colon on both sides

always configure IPV6_FAITH explicitly to avoid misconfiguring it on SIGHUP.
sync w/kame

Because signals are delivered synchronously via kqueue(2) there is no
reason to block and release them at various places.

Now that signal handling is done via kqueue(2) we need to enter
the event loop even if no sockets were created. This should fix
PR bin/20369 by Martin Husemann.

Improve kqueue(2) utilization:
- Don't invoke kevent(2) for every single event change. Instead collect
event changes and try to do them in the event loop.
- Handle signals via kevent(2) to avoid race conditions for SIGHUP (which
probably exist in the select(2) based implementation, too).

KNF.

Rewrite inetd(8) to use kqueue(2) for enhanced performance and scalability.

If we can't set FD_CLOEXEC on a listening socket, close it rather than allowing
it to be passed down to inetd's children.
Note: Setting FD_CLOEXEC can't actually fail, but we did check for the error
anyway...

correct udp-from-broadcast check. From: andre@ae-35.com

on internal udp echoback service, reject request if source address is a
broadcast address.

no need for inetd_dummy variable. from openbsd

minor KNF

cleanup main() by splitting it up in two. inspired by openbsd change

socklen_t cleanup. make MULOG code actually compile (is there anyone using
it? otherwise, i'd like to nuke it)

use setproctitle(3); from itojun.

deamon -> daemon

Convert some 'long's to 'uint32_t's. Now rdate works against an LP64 box.

Negative exit code cleanup: Replace exit(-x) with exit(x).
As seen on tech-userlevel.

convert to use getprogname()

use explicit name rather than __progname in openlog

be more paranoid about UDP-based echo services validation. namely,
reject the following sources:
0.0.0.0/8 127.0.0.0/8 240.0.0.0/4 255.0.0.0/8
ff00::/8 ::/128
::ffff:0.0.0.0/96 and ::0.0.0.0/96 obeys IPv4 rule.
hint from deraadt.

Remove bogus typeof hack, and just use the type directly.

permit square-bracket notation (as in RFC2732) for the first element
in inetd.conf. otherwise, we'll have (minor) problem putting IPv6 address in.
sync with kame.

[::1]:ftp stream tcp6 nowait root /usr/libexec/ftpd ftpd -ll

explicitly check if the address family is supported, by using socket(2).

more change on getaddrinfo error handling.

XXX enami, I admit it is not a good thing to check the error code from
getaddrinfo. it is sometimes mandatory, however. gai_strerror message
can be too generic in some cases. we can't really extend getaddrinfo,
as it was not invented by kame (see RFC2553)

add faithd(8) support. with "faith/tcp6" protocol specification,
it will open a socket with setsockopt(IPV6_FAITH).

emit more friendly message on nonexistent service name.
From: enami

check for mux service by ISMUX(), not by != NORM_TYPE
(the assumption can bite us if we extend se_type to have more cases).

remove duplicated ipsec setup code. we always call setup() on
socket reinitialization (like SIGHUP).
sync with kame.

branches: 1.62.2;
Modify to support RPC over IPv6.

branches: 1.61.2;
use LOG_WARNING for syslog output for address family mismatch.
suggested by: thorpej

correct extremely unfriendly error message when the kernel does not
support the address family (like including "tcp6" in inetd.conf, on
non-IPv6 kernel).

was:
inetd[185]: ftp/tcp6: *: hostname nor servname provided, or not known
now:
inetd[315]: ftp/tcp6: *: the address family is not supported by the kernel

fix IPsec policy parser. #@ should affect multiple lines as documented.

sync with latest libipsec.
since outgoing and incoming policy is separated, inetd can take multiple
policy specification, separated by ";".

make error check against getnameinfo().

call sigsetmask() on ipsec initialization failure.

A colon is the preferred way to split a user and group name pair; make this
possible and depreciate the use of dot.

branches: 1.54.2;
fix internal servers (like echo) so that they can accept AF_INET6 connections.
add AF_INET6 support for port_good_dg().

Fix PR7739: correct -DRPC rot in inetd.c

query service name properly on libwrap warnings.

NetBSD PR: 8101

se_wait stores pids; make it a pid_t.

be more friendly with non-IPsec kernel (hide warnings).

dual-stack inetd. you can write "tcp6" or "tcp4" into "protocol" field.
(the style is the rough consensus among v6 implementers so it will be
the standard style)

TODO: test rpc and tcpmux on IPv6.
TODO: test identd over IPv6.

Use pidfile(3).

Prevent sending udp data to the obvious bad ports that are used for
DoS attacks (e.g. looping packets between two echo ports).
This should "fix" PR bin/2455.
Could please anyone with an appropriate "hacker tools" check this?

Revert previous.

Make all listening sockets non-blocking.

use AF_LOCAL instead of AF_UNIX

From "buqtraq": avoid file descriptor leak if service is looping.

Add support for specifying the send and receive socket buffer sizes. This
is especially useful for TCP servers which must specify the receive
socket buffer size before the connection is made so that the connection's
window scale factor can be properly advertised.

Example /etc/inetd.conf configuration line:

shell stream tcp,rcvbuf=1m nowait root /usr/libexec/rshd rshd

That line will cause the rshd to advertise a 1 megabyte window, which could
improve the performance of an rcp in some situations.

Reset the SIGPIPE handler to SIG_DFL after forking.

PR/4837: Jeff Thieleke: inetd does not compile without libwrap.

Ignore SIGPIPE, which may be caused by non-forking internal TCP services if
the remote side closes the connection before we answer.

branches: 1.38.2;
fix use of unix domain socketname length, and signal error if this
is exceeded. from enami tsugutomo <enami@ba2.so-net.or.jp> [bin/3369]

Don't sleep if we get EINTR from select(2) (e.g. because we got
a SIGCHLD when something died). From PR 4056, by David Holland.

WARNS?=1

merge lite2 [actually, just update ucb sccs id's]

Don't do libwrap checking for UDP services; they must do it internally on
every packet to be correct.

Don't attempt to use libwrap for `stream wait' services, where
we only have the listening socket.

Oops; for waiting stream services, we don't do an accept(); we
pass down the fd of the listening socket.

Output a + line for the tcpmux `help' service, and list itself.

Move all of the libwrap checking and subprocess startup into a separate
function. Arrange for tcpmux() to be called like other builtins, and have it
call the aforementioned function recursively. This allows tcpmux to be
wrapped, and always runs it after forking, so we don't freeze everything
else.
Also, use FD_CLOEXEC to close file descriptors, rather than iterating through
them ourself.

Fix typo.

Make the previous dependent on LIBWRAP_INTERNAL, which is not defined by
default.

If we forked for an internal service, make sure we always exit afterward.

If we're using libwrap. always fork. This only affects the time and daytime
services anyway.

Slight rearrangement to forking code. Also, always close the new descriptor
after a fork failure, even for a waiting service.

Another bug fix to tcpmux.

Merge changes from Lite2 (with bug fixes). Adds tcpmux.

When rejecting a UDP connection, make sure to flush the right socket.

Oops; subprocess must exit when rejecting connection.

Do libwrap access checking *after* forking.

set proper length for sockaddr_un. fixes PR bin/3281 from Enami
Tsugutomo, but slightly differently; the code I added is basically
identical to SUN_LEN(), but avoids the unecessary strlen() call.

fix problem with restarting service after SIGHUP (PR 3093)
indicate proper invocation point and RCS ID police (PR 3098)

Per mail from Herb Peyerl, use LOG_AUTH for libwrap logging.

Get the local-address-part code in here (instead of "comsat" you can
use "127.0.0.1:comsat"). While I'm here, do trailing whitespace
cleanup, .Nm usage police in the manpage, and a couple of trivial text
typo fixes.

if se_argv[0] is NULL, use se_service.

syslog allow/deny at the right severity.

allow allow/deny severity to be compile-time configurable, use getservbyport()
correctly, and log the proto. from <jbernard@tater.Mines.EDU> in several PR's.

use the new libwrap functionality to provide tcpd-like functionality
as part of inetd. uses /etc/hosts.{allow,deny} as tcpd does, etc. it
is basically exactly like tcpd except that you don't need to change
the server to /usr/local/sbin/tcpd.

XXX should document better somewhere

Always swap most of the fields when updating a config file entry; otherwise
we can get weird lossage when deleting a field (e.g. the group).

Remove local declarations of ctime().

includes, for necessary prototypes, and avoid name collisions with the
include.

kill stupidity

Keep up with changed rlimit structure.

RLIMIT_OFILE => RLIMIT_NOFILE
Do something sensible when current RLIMIT_NOFILE turns out to be infinity.

Allow for a group name to be specified in the ``user'' field: user[.group]
Allow for max # of invocations to be specified; appended to ``wait''
field: wait/nowait[.max]
Allow for RPC specifications in numeric format.
Inetd now stores its pid in `/var/run/inetd.pid'.
Support for AF_UNIX family.

Don't core dump on blank lines.

Add RCS identifiers.

Add support for starting RPC servers.

branches: 1.1.1;
Initial revision

To an alias address, or in a multihoming environment, the internal dgram
server may respond from a different address than the destination address
sent by the client.
To solve this problem, I introduce sendfromto() and recvfromto() so that
the server can reply from the correct address, i.e., the destination address
used in the request.

This change also has the aspect of a reference implementation using the
RECVDSTADDR and PKTINFO socket options.

inetd: remove trailing whitespace, add space after 'if' and 'for'

No functional change.

PR/56448: Solomon Ritzow: Various improvements.

Rate limiting code has been moved to ratelimit.c. I renamed
clear_ip_list to rl_clear_ip_list and broke the code up into more
functions. I have also made the per-IP rate limiting allocation more
efficient. IP addresses are now stored in their network format instead
of a string from getnameinfo (see inetd.h struct rl_ip_node). malloc
calls use only the space needed by the structure by using offsetof on
union members (I suppose this can be a bit dangerous if not done
correctly...). Per-IP rate limiting still supports textual comparison
using getnameinfo for address families other than AF_INET and AF_INET6, but I
don't think there are any that are actually compatible or used by inetd (I
haven't tested UNIX sockets with a remote bound to another file, but I did test
using IPv6 with the textual format by commenting out the IPv6 specific
code, and it works properly). Still potentially handy for the future.
The IP node list (se_rl_ip_list) now uses the <sys/queue.h> SLIST macros
instead of a custom list. I've broken rl_process up into helper functions
for each type of rate limiting and created a separate function for
address stringification, for use with printouts from the -d flag. I
tried to reduce stack memory use by moving printing code involving
string buffers into separate functions. I haven't tested rl_ipv6_eq on
a 32-bit system.

The code for the positional syntax has also been moved to parse.c.
Function try_biltin has been added to remove parse.c:parse_server's
dependency on the biltin structure definition.

File inetd.h has been updated with the proper function prototypes, and
the servtab structure has been update with the new IP node SLIST. I also
moved things around a bit. The way we (a peer and myself)
formatted inetd.h previously was somewhat confusing. Function and global
variable prototypes are now organized by the source file they are
defined in.

I also added a -f flag that I saw in another problem report
(https://gnats.netbsd.org/12823) that I thought could be useful. It
runs inetd in the foreground but without debug printouts or SO_DEBUG.
I'm not completely sure about the line "if (foreground) setsid()" that
I changed from "if (debug) setsid()".

inetd: remove redundant tests before calling isspace

inetd: remove redundant null check before free

No functional change.

inetd: prepare for lint's strict bool mode

Lint's strict bool mode considers bool incompatible with the other
scalar types. This makes the type of expressions more visible in the
code. In particular, conditions of the form '!strcmp(...)' are no
longer allowed, they have to be written as 'strcmp(...) == 0'.

The operator '!' cannot be used with sep->se_wait since that has type
pid_t, not bool.

No change to the resulting binary.

inetd: normalize indentation and alignment in comments

inetd: fix Clang build

error: implicit conversion changes signedness: 'service_type' to 'int'

inetd: raise WARNS from 5 to 6

The necessary fixes include:
* explicit integer conversions, to get rid of mixed signedness
* function prototypes for parameterless functions

While here:
* add space after comma
* add space after 'if'
* place the '{' of a function definition on a separate line
* rename variables 'bits' and 'temp' to 'hi' and 'lo'
* in parse_quote, prefer expressions over assignments
* make hex_to_bits static

No functional change.

inetd: remove trailing whitespace

Fix reverted logic when parsing server program.
Compare pointer with NULL not 0.

fix printf formats (intmax -> j)

Inetd enhancements by James Browning, Gabe Coffland, Alex Gavin, Solomon Ritzow
Described in:
https://www.mail-archive.com/tech-userlevel@netbsd.org/msg03114.html
And developed in:
https://github.com/ritzow/src/pull/1

From their notes:

All new functionality should be explained by the updated manpage.

The manpage has been refactored a bit: A new section "Directives"
has been added and the information about default hostnames and
IPsec directives has been moved there, and the new file include
directive information is also there.

getconfigent has the most major changes. A newline is no longer
read immediately, but is called only by a "goto more" (inside an
if(false) block). This allows multiple definitions or directives
to exist on a single line for anything that doesn't terminate using
a newline. This means a key-values service definition can be followed
by another key-values service definition, a positional definition,
or an ipsec, hostname, or .include directive on the same line.

memset is no longer used explicitly to clear the servtab structure,
a function init_servtab() is used instead, which uses a C struct
initializer.

The servtab se_group field is its own allocation now, and not just
a pointer into the user:group string.

Refactored some stuff out of getconfigent to separate functions
for use by parse_v2.c. These functions in inetd.c are named with
the form parse_*()

parse_v2.c only has code for parsing a key-values service definition
into a provided servtab. It should not have anything that affects
global state other than line and line_number.

Some function prototypes, structures, and #defines have been moved
from inetd.c to inetd.h.

The function config_root replaces config as the function called on
a config file load/reload. The code removed from the end of
config(void) is now called in config_root, so it is not run on each
recursive config call.

setconfig(void) was removed and its code added into config_root
because that is the only place it is called, and redundant checks
for non-null globals were removed because they are always freed by
endconfig. The fseek code was also removed because the config files
are always closed by endconfig.

Rate limiting code was updated to add a per-service per-IP rate
limiting form. Some of that code was refactored out of other places
into functions with names in the form rl_*()

We have not added any of the license or version information to the
new files parse_v2.c, parse_v2.h, and inetd.h and we have not
updated the license or version info for inetd.c.

Security related:

The behavior when reading invalid IPsec strings has changed. Inetd
no longer exits, it quits reading the current config file instead.
Could this impact program security?

We have not checked for memory leaks. Solomon tried to use dmalloc
without success. getconfigent seemed to have a memory leak at each
"goto more". It seems like inetd has never free'd allocated strings
when throwing away erroneous service definitions during parsing
(i.e. when "goto more" is called when parsing fields). OpenBSD's
version calls freeconfig on "goto more"
(https://github.com/openbsd/src/blob/c5eae130d6c937080c3d30d124e8c8b86db7d625/usr.sbin/inetd/inetd.c#L1049)
but NetBSD only calls it when service definitions are no longer
needed. This has been fixed. freeconfig is called immediately before
any "goto more". There shouldn't be any time when a servtab is in
an invalid state where freeconfig would break.

s/suport/support/

branches: 1.125.4;
Bump MAXARGV from 20 to 64 - with bozohttpd and all config on the command
line it is easy to hit the (silent) limit.

Don't setup SPs if no policy sepecifier is specified

We expect that SPs are set up iff some policy sepecifier(s) are specified.

Found on investigating an issue reported by Robert Swindells

branches: 1.123.4;
Increase buffer size reported to strlcpy() to be one larger than the
length of the string we copy in so that there is space for the '\0'.

branches: 1.122.2; 1.122.6; 1.122.10;
Use base 10 when logging the exit status or exit signal for sub-processes,
instead of hexadecimal.

branches: 1.121.6;
PR/47318: Henning Petersen: Replace (r)index with str(r)chr in inetd.c
And while here strncpy with strlcpy

branches: 1.120.6;
include <netipsec/ipsec.h> rather than <netinet6/ipsec.h> from userland
where possible, for consistency and compatibility to FreeBSD
(exception: KAME specific statistics gathering in netstat(1) and systat(1))

branches: 1.119.2;
Use __dead

RLIMIT_NOFILE stabilized in NetBSD 17 years ago, so it's safe now
to remove the #ifdef's from around code which uses it.

Nuke conditionally compiled MULOG stuff. Itojun wanted to do it
already 8 years ago when he fixed the compilation last time, and
again it hasn't been buildable in years.

Avoid SIGSEGV in forked child process for (some?) instant-disconnect clients.

Back out mDNS changes which were not discussed.
There is design work that needs to be done first.

Add mDNS Service Directory support to inetd(8).
inetd(8) can now advertize services in the mDNS-SD.
(Per service configuration option in inetd.conf(5).)

Rename internal getline() function to get_line() so it does
conflict with the soon to be added getline(3) libc function.

print the proper client address (ryo shimizu)

Fix -Wsign-compare issue

branches: 1.110.2;
- when we close an se_fd, set it to -1
- fix int/ssize_t/size_t/socklen_t issues
- fix casts
- remove unused variables
- fix prototypes
- fix const
- remove unneeded casts

PR/40340: Ed Ravin: Print the numeric address in addition to the hostname.

Print the numeric address of the host.

Add accept filters, ported from FreeBSD by Coyote Point Systems. Add inetd
support for specifying an accept filter for a service (mostly as a usage
example, but it can be handy for other things). Manual pages to follow
in a day or so.

OK core@.

Remove the \n and tabs from the __COPYRIGHT() strings.
Tweak to use a consistent format.

When running a builtin service (a what? yeah, a piece of useless
legacy code), if the builtin service forks (not all do), avoid leaking
listening sockets into the child process.

If the child process were to keep copies of the listening sockets
around and then hang about for a long time, it would prevent inetd
from being able to re-bind them upon restart.

The listening sockets are tagged close-on-exec, but that doesn't help
when one doesn't exec.

Patch from my own very old PR 8253.

branches: 1.104.2;
Remove clause 3 and 4 from TNF licenses

branches: 1.103.10;
* Don't include headers twice
* Remove a few trailing whitespaces
* Rearrange and join to one #if for some headers

Patch contributed by Slava Semushin <slava.semushin@gmail.com>
in private mail.

Fixed gcc warnings about comparison between signed and unsigned, as well
as one case where a variable had been used for two different purposes
(which also required different types).

- use socklen_t where appropriate
- avoid lvalue casts

Don't ignore SIGCHLD, because we are not going to get kqueue notifications
about it if we do.

Simplify code a bit, and whitespace.

Add (unsigned char) cast to ctype functions

Add two missing `#ifdef INET6's.

Change the log that is produced when the maximum spawn count per
last 60 second interval is reached to more accurately reflect
what has happened.

Also, break up a few long strings, obey 80 columns, and remove a
superfluous newline passed to syslog(3).

Allow quoting using single or double quotes inside inetd.conf. Closes
PR 24192 by Tyler Retzlaff.

Don't assign NULL to an integer.

Move UCB-licensed code from 4-clause to 3-clause licence.

Patches provided by Joel Baker in PR 22366, verified by myself.

use strlcpy

"user:group=foo.bar" is weird. use colon on both sides

always configure IPV6_FAITH explicitly to avoid misconfiguring it on SIGHUP.
sync w/kame

Because signals are delivered synchronously via kqueue(2) there is no
reason to block and release them at various places.

Now that signal handling is done via kqueue(2) we need to enter
the event loop even if no sockets were created. This should fix
PR bin/20369 by Martin Husemann.

Improve kqueue(2) utilization:
- Don't invoke kevent(2) for every single event change. Instead collect
event changes and try to do them in the event loop.
- Handle signals via kevent(2) to avoid race conditions for SIGHUP (which
probably exist in the select(2) based implementation, too).

KNF.

Rewrite inetd(8) to use kqueue(2) for enhanced performance and scalability.

If we can't set FD_CLOEXEC on a listening socket, close it rather than allowing
it to be passed down to inetd's children.
Note: Setting FD_CLOEXEC can't actually fail, but we did check for the error
anyway...

correct udp-from-broadcast check. From: andre@ae-35.com

on internal udp echoback service, reject request if source address is a
broadcast address.

no need for inetd_dummy variable. from openbsd

minor KNF

cleanup main() by splitting it up in two. inspired by openbsd change

socklen_t cleanup. make MULOG code actually compile (is there anyone using
it? otherwise, i'd like to nuke it)

use setproctitle(3); from itojun.

deamon -> daemon

Convert some 'long's to 'uint32_t's. Now rdate works against an LP64 box.

Negative exit code cleanup: Replace exit(-x) with exit(x).
As seen on tech-userlevel.

convert to use getprogname()

use explicit name rather than __progname in openlog

be more paranoid about UDP-based echo services validation. namely,
reject the following sources:
0.0.0.0/8 127.0.0.0/8 240.0.0.0/4 255.0.0.0/8
ff00::/8 ::/128
::ffff:0.0.0.0/96 and ::0.0.0.0/96 obeys IPv4 rule.
hint from deraadt.

Remove bogus typeof hack, and just use the type directly.

permit square-bracket notation (as in RFC2732) for the first element
in inetd.conf. otherwise, we'll have (minor) problem putting IPv6 address in.
sync with kame.

[::1]:ftp stream tcp6 nowait root /usr/libexec/ftpd ftpd -ll

explicitly check if the address family is supported, by using socket(2).

more change on getaddrinfo error handling.

XXX enami, I admit it is not a good thing to check the error code from
getaddrinfo. it is sometimes mandatory, however. gai_strerror message
can be too generic in some cases. we can't really extend getaddrinfo,
as it was not invented by kame (see RFC2553)

add faithd(8) support. with "faith/tcp6" protocol specification,
it will open a socket with setsockopt(IPV6_FAITH).

emit more friendly message on nonexistent service name.
From: enami

check for mux service by ISMUX(), not by != NORM_TYPE
(the assumption can bite us if we extend se_type to have more cases).

remove duplicated ipsec setup code. we always call setup() on
socket reinitialization (like SIGHUP).
sync with kame.

branches: 1.62.2;
Modify to support RPC over IPv6.

branches: 1.61.2;
use LOG_WARNING for syslog output for address family mismatch.
suggested by: thorpej

correct extremely unfriendly error message when the kernel does not
support the address family (like including "tcp6" in inetd.conf, on
non-IPv6 kernel).

was:
inetd[185]: ftp/tcp6: *: hostname nor servname provided, or not known
now:
inetd[315]: ftp/tcp6: *: the address family is not supported by the kernel

fix IPsec policy parser. #@ should affect multiple lines as documented.

sync with latest libipsec.
since outgoing and incoming policy is separated, inetd can take multiple
policy specification, separated by ";".

make error check against getnameinfo().

call sigsetmask() on ipsec initialization failure.

A colon is the preferred way to split a user and group name pair; make this
possible and depreciate the use of dot.

branches: 1.54.2;
fix internal servers (like echo) so that they can accept AF_INET6 connections.
add AF_INET6 support for port_good_dg().

Fix PR7739: correct -DRPC rot in inetd.c

query service name properly on libwrap warnings.

NetBSD PR: 8101

se_wait stores pids; make it a pid_t.

be more friendly with non-IPsec kernel (hide warnings).

dual-stack inetd. you can write "tcp6" or "tcp4" into "protocol" field.
(the style is the rough consensus among v6 implementers so it will be
the standard style)

TODO: test rpc and tcpmux on IPv6.
TODO: test identd over IPv6.

Use pidfile(3).

Prevent sending udp data to the obvious bad ports that are used for
DoS attacks (e.g. looping packets between two echo ports).
This should "fix" PR bin/2455.
Could please anyone with an appropriate "hacker tools" check this?

Revert previous.

Make all listening sockets non-blocking.

use AF_LOCAL instead of AF_UNIX

From "buqtraq": avoid file descriptor leak if service is looping.

Add support for specifying the send and receive socket buffer sizes. This
is especially useful for TCP servers which must specify the receive
socket buffer size before the connection is made so that the connection's
window scale factor can be properly advertised.

Example /etc/inetd.conf configuration line:

shell stream tcp,rcvbuf=1m nowait root /usr/libexec/rshd rshd

That line will cause the rshd to advertise a 1 megabyte window, which could
improve the performance of an rcp in some situations.

Reset the SIGPIPE handler to SIG_DFL after forking.

PR/4837: Jeff Thieleke: inetd does not compile without libwrap.

Ignore SIGPIPE, which may be caused by non-forking internal TCP services if
the remote side closes the connection before we answer.

branches: 1.38.2;
fix use of unix domain socketname length, and signal error if this
is exceeded. from enami tsugutomo <enami@ba2.so-net.or.jp> [bin/3369]

Don't sleep if we get EINTR from select(2) (e.g. because we got
a SIGCHLD when something died). From PR 4056, by David Holland.

WARNS?=1

merge lite2 [actually, just update ucb sccs id's]

Don't do libwrap checking for UDP services; they must do it internally on
every packet to be correct.

Don't attempt to use libwrap for `stream wait' services, where
we only have the listening socket.

Oops; for waiting stream services, we don't do an accept(); we
pass down the fd of the listening socket.

Output a + line for the tcpmux `help' service, and list itself.

Move all of the libwrap checking and subprocess startup into a separate
function. Arrange for tcpmux() to be called like other builtins, and have it
call the aforementioned function recursively. This allows tcpmux to be
wrapped, and always runs it after forking, so we don't freeze everything
else.
Also, use FD_CLOEXEC to close file descriptors, rather than iterating through
them ourself.

Fix typo.

Make the previous dependent on LIBWRAP_INTERNAL, which is not defined by
default.

If we forked for an internal service, make sure we always exit afterward.

If we're using libwrap. always fork. This only affects the time and daytime
services anyway.

Slight rearrangement to forking code. Also, always close the new descriptor
after a fork failure, even for a waiting service.

Another bug fix to tcpmux.

Merge changes from Lite2 (with bug fixes). Adds tcpmux.

When rejecting a UDP connection, make sure to flush the right socket.

Oops; subprocess must exit when rejecting connection.

Do libwrap access checking *after* forking.

set proper length for sockaddr_un. fixes PR bin/3281 from Enami
Tsugutomo, but slightly differently; the code I added is basically
identical to SUN_LEN(), but avoids the unecessary strlen() call.

fix problem with restarting service after SIGHUP (PR 3093)
indicate proper invocation point and RCS ID police (PR 3098)

Per mail from Herb Peyerl, use LOG_AUTH for libwrap logging.

Get the local-address-part code in here (instead of "comsat" you can
use "127.0.0.1:comsat"). While I'm here, do trailing whitespace
cleanup, .Nm usage police in the manpage, and a couple of trivial text
typo fixes.

if se_argv[0] is NULL, use se_service.

syslog allow/deny at the right severity.

allow allow/deny severity to be compile-time configurable, use getservbyport()
correctly, and log the proto. from <jbernard@tater.Mines.EDU> in several PR's.

use the new libwrap functionality to provide tcpd-like functionality
as part of inetd. uses /etc/hosts.{allow,deny} as tcpd does, etc. it
is basically exactly like tcpd except that you don't need to change
the server to /usr/local/sbin/tcpd.

XXX should document better somewhere

Always swap most of the fields when updating a config file entry; otherwise
we can get weird lossage when deleting a field (e.g. the group).

Remove local declarations of ctime().

includes, for necessary prototypes, and avoid name collisions with the
include.

kill stupidity

Keep up with changed rlimit structure.

RLIMIT_OFILE => RLIMIT_NOFILE
Do something sensible when current RLIMIT_NOFILE turns out to be infinity.

Allow for a group name to be specified in the ``user'' field: user[.group]
Allow for max # of invocations to be specified; appended to ``wait''
field: wait/nowait[.max]
Allow for RPC specifications in numeric format.
Inetd now stores its pid in `/var/run/inetd.pid'.
Support for AF_UNIX family.

Don't core dump on blank lines.

Add RCS identifiers.

Add support for starting RPC servers.

branches: 1.1.1;
Initial revision

inetd: remove redundant tests before calling isspace

inetd: remove redundant null check before free

No functional change.

inetd: prepare for lint's strict bool mode

Lint's strict bool mode considers bool incompatible with the other
scalar types. This makes the type of expressions more visible in the
code. In particular, conditions of the form '!strcmp(...)' are no
longer allowed, they have to be written as 'strcmp(...) == 0'.

The operator '!' cannot be used with sep->se_wait since that has type
pid_t, not bool.

No change to the resulting binary.

inetd: normalize indentation and alignment in comments

inetd: fix Clang build

error: implicit conversion changes signedness: 'service_type' to 'int'

inetd: raise WARNS from 5 to 6

The necessary fixes include:
* explicit integer conversions, to get rid of mixed signedness
* function prototypes for parameterless functions

While here:
* add space after comma
* add space after 'if'
* place the '{' of a function definition on a separate line
* rename variables 'bits' and 'temp' to 'hi' and 'lo'
* in parse_quote, prefer expressions over assignments
* make hex_to_bits static

No functional change.

inetd: remove trailing whitespace

Fix reverted logic when parsing server program.
Compare pointer with NULL not 0.

fix printf formats (intmax -> j)

Inetd enhancements by James Browning, Gabe Coffland, Alex Gavin, Solomon Ritzow
Described in:
https://www.mail-archive.com/tech-userlevel@netbsd.org/msg03114.html
And developed in:
https://github.com/ritzow/src/pull/1

From their notes:

All new functionality should be explained by the updated manpage.

The manpage has been refactored a bit: A new section "Directives"
has been added and the information about default hostnames and
IPsec directives has been moved there, and the new file include
directive information is also there.

getconfigent has the most major changes. A newline is no longer
read immediately, but is called only by a "goto more" (inside an
if(false) block). This allows multiple definitions or directives
to exist on a single line for anything that doesn't terminate using
a newline. This means a key-values service definition can be followed
by another key-values service definition, a positional definition,
or an ipsec, hostname, or .include directive on the same line.

memset is no longer used explicitly to clear the servtab structure,
a function init_servtab() is used instead, which uses a C struct
initializer.

The servtab se_group field is its own allocation now, and not just
a pointer into the user:group string.

Refactored some stuff out of getconfigent to separate functions
for use by parse_v2.c. These functions in inetd.c are named with
the form parse_*()

parse_v2.c only has code for parsing a key-values service definition
into a provided servtab. It should not have anything that affects
global state other than line and line_number.

Some function prototypes, structures, and #defines have been moved
from inetd.c to inetd.h.

The function config_root replaces config as the function called on
a config file load/reload. The code removed from the end of
config(void) is now called in config_root, so it is not run on each
recursive config call.

setconfig(void) was removed and its code added into config_root
because that is the only place it is called, and redundant checks
for non-null globals were removed because they are always freed by
endconfig. The fseek code was also removed because the config files
are always closed by endconfig.

Rate limiting code was updated to add a per-service per-IP rate
limiting form. Some of that code was refactored out of other places
into functions with names in the form rl_*()

We have not added any of the license or version information to the
new files parse_v2.c, parse_v2.h, and inetd.h and we have not
updated the license or version info for inetd.c.

Security related:

The behavior when reading invalid IPsec strings has changed. Inetd
no longer exits, it quits reading the current config file instead.
Could this impact program security?

We have not checked for memory leaks. Solomon tried to use dmalloc
without success. getconfigent seemed to have a memory leak at each
"goto more". It seems like inetd has never free'd allocated strings
when throwing away erroneous service definitions during parsing
(i.e. when "goto more" is called when parsing fields). OpenBSD's
version calls freeconfig on "goto more"
(https://github.com/openbsd/src/blob/c5eae130d6c937080c3d30d124e8c8b86db7d625/usr.sbin/inetd/inetd.c#L1049)
but NetBSD only calls it when service definitions are no longer
needed. This has been fixed. freeconfig is called immediately before
any "goto more". There shouldn't be any time when a servtab is in
an invalid state where freeconfig would break.

s/suport/support/

branches: 1.125.4;
Bump MAXARGV from 20 to 64 - with bozohttpd and all config on the command
line it is easy to hit the (silent) limit.

Don't setup SPs if no policy sepecifier is specified

We expect that SPs are set up iff some policy sepecifier(s) are specified.

Found on investigating an issue reported by Robert Swindells

branches: 1.123.4;
Increase buffer size reported to strlcpy() to be one larger than the
length of the string we copy in so that there is space for the '\0'.

branches: 1.122.2; 1.122.6; 1.122.10;
Use base 10 when logging the exit status or exit signal for sub-processes,
instead of hexadecimal.

branches: 1.121.6;
PR/47318: Henning Petersen: Replace (r)index with str(r)chr in inetd.c
And while here strncpy with strlcpy

branches: 1.120.6;
include <netipsec/ipsec.h> rather than <netinet6/ipsec.h> from userland
where possible, for consistency and compatibility to FreeBSD
(exception: KAME specific statistics gathering in netstat(1) and systat(1))

branches: 1.119.2;
Use __dead

RLIMIT_NOFILE stabilized in NetBSD 17 years ago, so it's safe now
to remove the #ifdef's from around code which uses it.

Nuke conditionally compiled MULOG stuff. Itojun wanted to do it
already 8 years ago when he fixed the compilation last time, and
again it hasn't been buildable in years.

Avoid SIGSEGV in forked child process for (some?) instant-disconnect clients.

Back out mDNS changes which were not discussed.
There is design work that needs to be done first.

Add mDNS Service Directory support to inetd(8).
inetd(8) can now advertize services in the mDNS-SD.
(Per service configuration option in inetd.conf(5).)

Rename internal getline() function to get_line() so it does
conflict with the soon to be added getline(3) libc function.

print the proper client address (ryo shimizu)

Fix -Wsign-compare issue

branches: 1.110.2;
- when we close an se_fd, set it to -1
- fix int/ssize_t/size_t/socklen_t issues
- fix casts
- remove unused variables
- fix prototypes
- fix const
- remove unneeded casts

PR/40340: Ed Ravin: Print the numeric address in addition to the hostname.

Print the numeric address of the host.

Add accept filters, ported from FreeBSD by Coyote Point Systems. Add inetd
support for specifying an accept filter for a service (mostly as a usage
example, but it can be handy for other things). Manual pages to follow
in a day or so.

OK core@.

Remove the \n and tabs from the __COPYRIGHT() strings.
Tweak to use a consistent format.

When running a builtin service (a what? yeah, a piece of useless
legacy code), if the builtin service forks (not all do), avoid leaking
listening sockets into the child process.

If the child process were to keep copies of the listening sockets
around and then hang about for a long time, it would prevent inetd
from being able to re-bind them upon restart.

The listening sockets are tagged close-on-exec, but that doesn't help
when one doesn't exec.

Patch from my own very old PR 8253.

branches: 1.104.2;
Remove clause 3 and 4 from TNF licenses

branches: 1.103.10;
* Don't include headers twice
* Remove a few trailing whitespaces
* Rearrange and join to one #if for some headers

Patch contributed by Slava Semushin <slava.semushin@gmail.com>
in private mail.

Fixed gcc warnings about comparison between signed and unsigned, as well
as one case where a variable had been used for two different purposes
(which also required different types).

- use socklen_t where appropriate
- avoid lvalue casts

Don't ignore SIGCHLD, because we are not going to get kqueue notifications
about it if we do.

Simplify code a bit, and whitespace.

Add (unsigned char) cast to ctype functions

Add two missing `#ifdef INET6's.

Change the log that is produced when the maximum spawn count per
last 60 second interval is reached to more accurately reflect
what has happened.

Also, break up a few long strings, obey 80 columns, and remove a
superfluous newline passed to syslog(3).

Allow quoting using single or double quotes inside inetd.conf. Closes
PR 24192 by Tyler Retzlaff.

Don't assign NULL to an integer.

Move UCB-licensed code from 4-clause to 3-clause licence.

Patches provided by Joel Baker in PR 22366, verified by myself.

use strlcpy

"user:group=foo.bar" is weird. use colon on both sides

always configure IPV6_FAITH explicitly to avoid misconfiguring it on SIGHUP.
sync w/kame

Because signals are delivered synchronously via kqueue(2) there is no
reason to block and release them at various places.

Now that signal handling is done via kqueue(2) we need to enter
the event loop even if no sockets were created. This should fix
PR bin/20369 by Martin Husemann.

Improve kqueue(2) utilization:
- Don't invoke kevent(2) for every single event change. Instead collect
event changes and try to do them in the event loop.
- Handle signals via kevent(2) to avoid race conditions for SIGHUP (which
probably exist in the select(2) based implementation, too).

KNF.

Rewrite inetd(8) to use kqueue(2) for enhanced performance and scalability.

If we can't set FD_CLOEXEC on a listening socket, close it rather than allowing
it to be passed down to inetd's children.
Note: Setting FD_CLOEXEC can't actually fail, but we did check for the error
anyway...

correct udp-from-broadcast check. From: andre@ae-35.com

on internal udp echoback service, reject request if source address is a
broadcast address.

no need for inetd_dummy variable. from openbsd

minor KNF

cleanup main() by splitting it up in two. inspired by openbsd change

socklen_t cleanup. make MULOG code actually compile (is there anyone using
it? otherwise, i'd like to nuke it)

use setproctitle(3); from itojun.

deamon -> daemon

Convert some 'long's to 'uint32_t's. Now rdate works against an LP64 box.

Negative exit code cleanup: Replace exit(-x) with exit(x).
As seen on tech-userlevel.

convert to use getprogname()

use explicit name rather than __progname in openlog

be more paranoid about UDP-based echo services validation. namely,
reject the following sources:
0.0.0.0/8 127.0.0.0/8 240.0.0.0/4 255.0.0.0/8
ff00::/8 ::/128
::ffff:0.0.0.0/96 and ::0.0.0.0/96 obeys IPv4 rule.
hint from deraadt.

Remove bogus typeof hack, and just use the type directly.

permit square-bracket notation (as in RFC2732) for the first element
in inetd.conf. otherwise, we'll have (minor) problem putting IPv6 address in.
sync with kame.

[::1]:ftp stream tcp6 nowait root /usr/libexec/ftpd ftpd -ll

explicitly check if the address family is supported, by using socket(2).

more change on getaddrinfo error handling.

XXX enami, I admit it is not a good thing to check the error code from
getaddrinfo. it is sometimes mandatory, however. gai_strerror message
can be too generic in some cases. we can't really extend getaddrinfo,
as it was not invented by kame (see RFC2553)

add faithd(8) support. with "faith/tcp6" protocol specification,
it will open a socket with setsockopt(IPV6_FAITH).

emit more friendly message on nonexistent service name.
From: enami

check for mux service by ISMUX(), not by != NORM_TYPE
(the assumption can bite us if we extend se_type to have more cases).

remove duplicated ipsec setup code. we always call setup() on
socket reinitialization (like SIGHUP).
sync with kame.

branches: 1.62.2;
Modify to support RPC over IPv6.

branches: 1.61.2;
use LOG_WARNING for syslog output for address family mismatch.
suggested by: thorpej

correct extremely unfriendly error message when the kernel does not
support the address family (like including "tcp6" in inetd.conf, on
non-IPv6 kernel).

was:
inetd[185]: ftp/tcp6: *: hostname nor servname provided, or not known
now:
inetd[315]: ftp/tcp6: *: the address family is not supported by the kernel

fix IPsec policy parser. #@ should affect multiple lines as documented.

sync with latest libipsec.
since outgoing and incoming policy is separated, inetd can take multiple
policy specification, separated by ";".

make error check against getnameinfo().

call sigsetmask() on ipsec initialization failure.

A colon is the preferred way to split a user and group name pair; make this
possible and depreciate the use of dot.

branches: 1.54.2;
fix internal servers (like echo) so that they can accept AF_INET6 connections.
add AF_INET6 support for port_good_dg().

Fix PR7739: correct -DRPC rot in inetd.c

query service name properly on libwrap warnings.

NetBSD PR: 8101

se_wait stores pids; make it a pid_t.

be more friendly with non-IPsec kernel (hide warnings).

dual-stack inetd. you can write "tcp6" or "tcp4" into "protocol" field.
(the style is the rough consensus among v6 implementers so it will be
the standard style)

TODO: test rpc and tcpmux on IPv6.
TODO: test identd over IPv6.

Use pidfile(3).

Prevent sending udp data to the obvious bad ports that are used for
DoS attacks (e.g. looping packets between two echo ports).
This should "fix" PR bin/2455.
Could please anyone with an appropriate "hacker tools" check this?

Revert previous.

Make all listening sockets non-blocking.

use AF_LOCAL instead of AF_UNIX

From "buqtraq": avoid file descriptor leak if service is looping.

Add support for specifying the send and receive socket buffer sizes. This
is especially useful for TCP servers which must specify the receive
socket buffer size before the connection is made so that the connection's
window scale factor can be properly advertised.

Example /etc/inetd.conf configuration line:

shell stream tcp,rcvbuf=1m nowait root /usr/libexec/rshd rshd

That line will cause the rshd to advertise a 1 megabyte window, which could
improve the performance of an rcp in some situations.

Reset the SIGPIPE handler to SIG_DFL after forking.

PR/4837: Jeff Thieleke: inetd does not compile without libwrap.

Ignore SIGPIPE, which may be caused by non-forking internal TCP services if
the remote side closes the connection before we answer.

branches: 1.38.2;
fix use of unix domain socketname length, and signal error if this
is exceeded. from enami tsugutomo <enami@ba2.so-net.or.jp> [bin/3369]

Don't sleep if we get EINTR from select(2) (e.g. because we got
a SIGCHLD when something died). From PR 4056, by David Holland.

WARNS?=1

merge lite2 [actually, just update ucb sccs id's]

Don't do libwrap checking for UDP services; they must do it internally on
every packet to be correct.

Don't attempt to use libwrap for `stream wait' services, where
we only have the listening socket.

Oops; for waiting stream services, we don't do an accept(); we
pass down the fd of the listening socket.

Output a + line for the tcpmux `help' service, and list itself.

Move all of the libwrap checking and subprocess startup into a separate
function. Arrange for tcpmux() to be called like other builtins, and have it
call the aforementioned function recursively. This allows tcpmux to be
wrapped, and always runs it after forking, so we don't freeze everything
else.
Also, use FD_CLOEXEC to close file descriptors, rather than iterating through
them ourself.

Fix typo.

Make the previous dependent on LIBWRAP_INTERNAL, which is not defined by
default.

If we forked for an internal service, make sure we always exit afterward.

If we're using libwrap. always fork. This only affects the time and daytime
services anyway.

Slight rearrangement to forking code. Also, always close the new descriptor
after a fork failure, even for a waiting service.

Another bug fix to tcpmux.

Merge changes from Lite2 (with bug fixes). Adds tcpmux.

When rejecting a UDP connection, make sure to flush the right socket.

Oops; subprocess must exit when rejecting connection.

Do libwrap access checking *after* forking.

set proper length for sockaddr_un. fixes PR bin/3281 from Enami
Tsugutomo, but slightly differently; the code I added is basically
identical to SUN_LEN(), but avoids the unecessary strlen() call.

fix problem with restarting service after SIGHUP (PR 3093)
indicate proper invocation point and RCS ID police (PR 3098)

Per mail from Herb Peyerl, use LOG_AUTH for libwrap logging.

Get the local-address-part code in here (instead of "comsat" you can
use "127.0.0.1:comsat"). While I'm here, do trailing whitespace
cleanup, .Nm usage police in the manpage, and a couple of trivial text
typo fixes.

if se_argv[0] is NULL, use se_service.

syslog allow/deny at the right severity.

allow allow/deny severity to be compile-time configurable, use getservbyport()
correctly, and log the proto. from <jbernard@tater.Mines.EDU> in several PR's.

use the new libwrap functionality to provide tcpd-like functionality
as part of inetd. uses /etc/hosts.{allow,deny} as tcpd does, etc. it
is basically exactly like tcpd except that you don't need to change
the server to /usr/local/sbin/tcpd.

XXX should document better somewhere

Always swap most of the fields when updating a config file entry; otherwise
we can get weird lossage when deleting a field (e.g. the group).

Remove local declarations of ctime().

includes, for necessary prototypes, and avoid name collisions with the
include.

kill stupidity

Keep up with changed rlimit structure.

RLIMIT_OFILE => RLIMIT_NOFILE
Do something sensible when current RLIMIT_NOFILE turns out to be infinity.

Allow for a group name to be specified in the ``user'' field: user[.group]
Allow for max # of invocations to be specified; appended to ``wait''
field: wait/nowait[.max]
Allow for RPC specifications in numeric format.
Inetd now stores its pid in `/var/run/inetd.pid'.
Support for AF_UNIX family.

Don't core dump on blank lines.

Add RCS identifiers.

Add support for starting RPC servers.

branches: 1.1.1;
Initial revision

inetd: fix Clang build

error: implicit conversion changes signedness: 'service_type' to 'int'

inetd: raise WARNS from 5 to 6

The necessary fixes include:
* explicit integer conversions, to get rid of mixed signedness
* function prototypes for parameterless functions

While here:
* add space after comma
* add space after 'if'
* place the '{' of a function definition on a separate line
* rename variables 'bits' and 'temp' to 'hi' and 'lo'
* in parse_quote, prefer expressions over assignments
* make hex_to_bits static

No functional change.

inetd: remove trailing whitespace

Fix reverted logic when parsing server program.
Compare pointer with NULL not 0.

fix printf formats (intmax -> j)

Inetd enhancements by James Browning, Gabe Coffland, Alex Gavin, Solomon Ritzow
Described in:
https://www.mail-archive.com/tech-userlevel@netbsd.org/msg03114.html
And developed in:
https://github.com/ritzow/src/pull/1

From their notes:

All new functionality should be explained by the updated manpage.

The manpage has been refactored a bit: A new section "Directives"
has been added and the information about default hostnames and
IPsec directives has been moved there, and the new file include
directive information is also there.

getconfigent has the most major changes. A newline is no longer
read immediately, but is called only by a "goto more" (inside an
if(false) block). This allows multiple definitions or directives
to exist on a single line for anything that doesn't terminate using
a newline. This means a key-values service definition can be followed
by another key-values service definition, a positional definition,
or an ipsec, hostname, or .include directive on the same line.

memset is no longer used explicitly to clear the servtab structure,
a function init_servtab() is used instead, which uses a C struct
initializer.

The servtab se_group field is its own allocation now, and not just
a pointer into the user:group string.

Refactored some stuff out of getconfigent to separate functions
for use by parse_v2.c. These functions in inetd.c are named with
the form parse_*()

parse_v2.c only has code for parsing a key-values service definition
into a provided servtab. It should not have anything that affects
global state other than line and line_number.

Some function prototypes, structures, and #defines have been moved
from inetd.c to inetd.h.

The function config_root replaces config as the function called on
a config file load/reload. The code removed from the end of
config(void) is now called in config_root, so it is not run on each
recursive config call.

setconfig(void) was removed and its code added into config_root
because that is the only place it is called, and redundant checks
for non-null globals were removed because they are always freed by
endconfig. The fseek code was also removed because the config files
are always closed by endconfig.

Rate limiting code was updated to add a per-service per-IP rate
limiting form. Some of that code was refactored out of other places
into functions with names in the form rl_*()

We have not added any of the license or version information to the
new files parse_v2.c, parse_v2.h, and inetd.h and we have not
updated the license or version info for inetd.c.

Security related:

The behavior when reading invalid IPsec strings has changed. Inetd
no longer exits, it quits reading the current config file instead.
Could this impact program security?

We have not checked for memory leaks. Solomon tried to use dmalloc
without success. getconfigent seemed to have a memory leak at each
"goto more". It seems like inetd has never free'd allocated strings
when throwing away erroneous service definitions during parsing
(i.e. when "goto more" is called when parsing fields). OpenBSD's
version calls freeconfig on "goto more"
(https://github.com/openbsd/src/blob/c5eae130d6c937080c3d30d124e8c8b86db7d625/usr.sbin/inetd/inetd.c#L1049)
but NetBSD only calls it when service definitions are no longer
needed. This has been fixed. freeconfig is called immediately before
any "goto more". There shouldn't be any time when a servtab is in
an invalid state where freeconfig would break.

s/suport/support/

branches: 1.125.4;
Bump MAXARGV from 20 to 64 - with bozohttpd and all config on the command
line it is easy to hit the (silent) limit.

Don't setup SPs if no policy sepecifier is specified

We expect that SPs are set up iff some policy sepecifier(s) are specified.

Found on investigating an issue reported by Robert Swindells

branches: 1.123.4;
Increase buffer size reported to strlcpy() to be one larger than the
length of the string we copy in so that there is space for the '\0'.

branches: 1.122.2; 1.122.6; 1.122.10;
Use base 10 when logging the exit status or exit signal for sub-processes,
instead of hexadecimal.

branches: 1.121.6;
PR/47318: Henning Petersen: Replace (r)index with str(r)chr in inetd.c
And while here strncpy with strlcpy

branches: 1.120.6;
include <netipsec/ipsec.h> rather than <netinet6/ipsec.h> from userland
where possible, for consistency and compatibility to FreeBSD
(exception: KAME specific statistics gathering in netstat(1) and systat(1))

branches: 1.119.2;
Use __dead

RLIMIT_NOFILE stabilized in NetBSD 17 years ago, so it's safe now
to remove the #ifdef's from around code which uses it.

Nuke conditionally compiled MULOG stuff. Itojun wanted to do it
already 8 years ago when he fixed the compilation last time, and
again it hasn't been buildable in years.

Avoid SIGSEGV in forked child process for (some?) instant-disconnect clients.

Back out mDNS changes which were not discussed.
There is design work that needs to be done first.

Add mDNS Service Directory support to inetd(8).
inetd(8) can now advertize services in the mDNS-SD.
(Per service configuration option in inetd.conf(5).)