usr.sbin/inetd/inetd.c

1553Srgrimes/*
1553Srgrimes * Copyright (c) 1983, 1991, 1993, 1994
1553Srgrimes *	The Regents of the University of California.  All rights reserved.
1553Srgrimes *
1553Srgrimes * Redistribution and use in source and binary forms, with or without
1553Srgrimes * modification, are permitted provided that the following conditions
1553Srgrimes * are met:
1553Srgrimes * 1. Redistributions of source code must retain the above copyright
1553Srgrimes *    notice, this list of conditions and the following disclaimer.
1553Srgrimes * 2. Redistributions in binary form must reproduce the above copyright
1553Srgrimes *    notice, this list of conditions and the following disclaimer in the
1553Srgrimes *    documentation and/or other materials provided with the distribution.
1553Srgrimes * 3. All advertising materials mentioning features or use of this software
1553Srgrimes *    must display the following acknowledgement:
1553Srgrimes *	This product includes software developed by the University of
1553Srgrimes *	California, Berkeley and its contributors.
1553Srgrimes * 4. Neither the name of the University nor the names of its contributors
1553Srgrimes *    may be used to endorse or promote products derived from this software
1553Srgrimes *    without specific prior written permission.
1553Srgrimes *
1553Srgrimes * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
1553Srgrimes * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1553Srgrimes * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
1553Srgrimes * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
1553Srgrimes * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
1553Srgrimes * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
1553Srgrimes * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1553Srgrimes * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
1553Srgrimes * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
1553Srgrimes * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
1553Srgrimes * SUCH DAMAGE.
1553Srgrimes */
1553Srgrimes
1553Srgrimes#ifndef lint
29602Scharnierstatic const char copyright[] =
1553Srgrimes"@(#) Copyright (c) 1983, 1991, 1993, 1994\n\
1553Srgrimes	The Regents of the University of California.  All rights reserved.\n";
1553Srgrimes#endif /* not lint */
1553Srgrimes
1553Srgrimes#ifndef lint
29602Scharnier#if 0
29602Scharnierstatic char sccsid[] = "@(#)from: inetd.c	8.4 (Berkeley) 4/13/94";
29602Scharnier#endif
1553Srgrimes#endif /* not lint */
1553Srgrimes
98563Sjmallett#include <sys/cdefs.h>
98563Sjmallett__FBSDID("$FreeBSD: head/usr.sbin/inetd/inetd.c 128501 2004-04-20 23:34:39Z brooks $");
98563Sjmallett
1553Srgrimes/*
1553Srgrimes * Inetd - Internet super-server
1553Srgrimes *
1553Srgrimes * This program invokes all internet services as needed.  Connection-oriented
1553Srgrimes * services are invoked each time a connection is made, by creating a process.
1553Srgrimes * This process is passed the connection as file descriptor 0 and is expected
1553Srgrimes * to do a getpeername to find out the source host and port.
1553Srgrimes *
1553Srgrimes * Datagram oriented services are invoked when a datagram
1553Srgrimes * arrives; a process is created and passed a pending message
1553Srgrimes * on file descriptor 0.  Datagram servers may either connect
1553Srgrimes * to their peer, freeing up the original socket for inetd
1553Srgrimes * to receive further messages on, or ``take over the socket'',
1553Srgrimes * processing all arriving datagrams and, eventually, timing
1553Srgrimes * out.	 The first type of server is said to be ``multi-threaded'';
8857Srgrimes * the second type of server ``single-threaded''.
1553Srgrimes *
1553Srgrimes * Inetd uses a configuration file which is read at startup
1553Srgrimes * and, possibly, at some later time in response to a hangup signal.
1553Srgrimes * The configuration file is ``free format'' with fields given in the
67514Sdwmalone * order shown below.  Continuation lines for an entry must begin with
1553Srgrimes * a space or tab.  All fields must be present in each entry.
1553Srgrimes *
78356Sdwmalone *	service name			must be in /etc/services
78356Sdwmalone *					or name a tcpmux service
78356Sdwmalone *					or specify a unix domain socket
1553Srgrimes *	socket type			stream/dgram/raw/rdm/seqpacket
78356Sdwmalone *	protocol			tcp[4][6][/faith,ttcp], udp[4][6], unix
1553Srgrimes *	wait/nowait			single-threaded/multi-threaded
1553Srgrimes *	user				user to run daemon as
1553Srgrimes *	server program			full path name
1553Srgrimes *	server program arguments	maximum of MAXARGS (20)
1553Srgrimes *
1553Srgrimes * TCP services without official port numbers are handled with the
1553Srgrimes * RFC1078-based tcpmux internal service. Tcpmux listens on port 1 for
1553Srgrimes * requests. When a connection is made from a foreign host, the service
1553Srgrimes * requested is passed to tcpmux, which looks it up in the servtab list
1553Srgrimes * and returns the proper entry for the service. Tcpmux returns a
1553Srgrimes * negative reply if the service doesn't exist, otherwise the invoked
1553Srgrimes * server is expected to return the positive reply if the service type in
1553Srgrimes * inetd.conf file has the prefix "tcpmux/". If the service type has the
1553Srgrimes * prefix "tcpmux/+", tcpmux will return the positive reply for the
1553Srgrimes * process; this is for compatibility with older server code, and also
1553Srgrimes * allows you to invoke programs that use stdin/stdout without putting any
1553Srgrimes * special server code in them. Services that use tcpmux are "nowait"
1553Srgrimes * because they do not have a well-known port and hence cannot listen
1553Srgrimes * for new requests.
1553Srgrimes *
2657Scsgr * For RPC services
2657Scsgr *	service name/version		must be in /etc/rpc
2657Scsgr *	socket type			stream/dgram/raw/rdm/seqpacket
100127Salfred *	protocol			rpc/tcp[4][6], rpc/udp[4][6]
2657Scsgr *	wait/nowait			single-threaded/multi-threaded
2657Scsgr *	user				user to run daemon as
2657Scsgr *	server program			full path name
2657Scsgr *	server program arguments	maximum of MAXARGS
2657Scsgr *
1553Srgrimes * Comment lines are indicated by a `#' in column 1.
56590Sshin *
56590Sshin * #ifdef IPSEC
56590Sshin * Comment lines that start with "#@" denote IPsec policy string, as described
56590Sshin * in ipsec_set_policy(3).  This will affect all the following items in
56590Sshin * inetd.conf(8).  To reset the policy, just use "#@" line.  By default,
56590Sshin * there's no IPsec policy.
56590Sshin * #endif
1553Srgrimes */
1553Srgrimes#include <sys/param.h>
1553Srgrimes#include <sys/ioctl.h>
1553Srgrimes#include <sys/wait.h>
1553Srgrimes#include <sys/time.h>
1553Srgrimes#include <sys/resource.h>
78356Sdwmalone#include <sys/stat.h>
78356Sdwmalone#include <sys/un.h>
1553Srgrimes
1553Srgrimes#include <netinet/in.h>
36042Sguido#include <netinet/tcp.h>
1553Srgrimes#include <arpa/inet.h>
2657Scsgr#include <rpc/rpc.h>
19617Sjulian#include <rpc/pmap_clnt.h>
1553Srgrimes
106054Swollman#include <ctype.h>
1553Srgrimes#include <errno.h>
29602Scharnier#include <err.h>
1553Srgrimes#include <fcntl.h>
30807Sache#include <grp.h>
106054Swollman#include <libutil.h>
106054Swollman#include <limits.h>
1553Srgrimes#include <netdb.h>
1553Srgrimes#include <pwd.h>
1553Srgrimes#include <signal.h>
1553Srgrimes#include <stdio.h>
1553Srgrimes#include <stdlib.h>
1553Srgrimes#include <string.h>
106054Swollman#include <sysexits.h>
1553Srgrimes#include <syslog.h>
48279Ssheldonh#include <tcpd.h>
1553Srgrimes#include <unistd.h>
1553Srgrimes
48981Ssheldonh#include "inetd.h"
48981Ssheldonh#include "pathnames.h"
48981Ssheldonh
56590Sshin#ifdef IPSEC
56590Sshin#include <netinet6/ipsec.h>
56590Sshin#ifndef IPSEC_POLICY_IPSEC	/* no ipsec support on old ipsec */
56590Sshin#undef IPSEC
56590Sshin#endif
56590Sshin#endif
56590Sshin
56590Sshin/* wrapper for KAME-special getnameinfo() */
56590Sshin#ifndef NI_WITHSCOPEID
56590Sshin#define NI_WITHSCOPEID	0
56590Sshin#endif
56590Sshin
45089Smarkm#ifndef LIBWRAP_ALLOW_FACILITY
45089Smarkm# define LIBWRAP_ALLOW_FACILITY LOG_AUTH
45089Smarkm#endif
45089Smarkm#ifndef LIBWRAP_ALLOW_SEVERITY
45089Smarkm# define LIBWRAP_ALLOW_SEVERITY LOG_INFO
45089Smarkm#endif
45089Smarkm#ifndef LIBWRAP_DENY_FACILITY
45089Smarkm# define LIBWRAP_DENY_FACILITY LOG_AUTH
45089Smarkm#endif
45089Smarkm#ifndef LIBWRAP_DENY_SEVERITY
45089Smarkm# define LIBWRAP_DENY_SEVERITY LOG_WARNING
45089Smarkm#endif
45089Smarkm
48382Ssheldonh#define ISWRAP(sep)	\
48697Ssheldonh	   ( ((wrap_ex && !(sep)->se_bi) || (wrap_bi && (sep)->se_bi)) \
78356Sdwmalone	&& (sep->se_family == AF_INET || sep->se_family == AF_INET6) \
48382Ssheldonh	&& ( ((sep)->se_accept && (sep)->se_socktype == SOCK_STREAM) \
48382Ssheldonh	    || (sep)->se_socktype == SOCK_DGRAM))
48382Ssheldonh
21640Speter#ifdef LOGIN_CAP
21640Speter#include <login_cap.h>
30792Sache
30792Sache/* see init.c */
30792Sache#define RESOURCE_RC "daemon"
30792Sache
21640Speter#endif
21640Speter
33794Spst#ifndef	MAXCHILD
33794Spst#define	MAXCHILD	-1		/* maximum number of this service
33794Spst					   < 0 = no limit */
33794Spst#endif
33794Spst
33794Spst#ifndef	MAXCPM
33794Spst#define	MAXCPM		-1		/* rate limit invocations from a
33794Spst					   single remote address,
33794Spst					   < 0 = no limit */
33794Spst#endif
33794Spst
101474Sume#ifndef	MAXPERIP
101474Sume#define	MAXPERIP	-1		/* maximum number of this service
101474Sume					   from a single remote address,
101474Sume					   < 0 = no limit */
101474Sume#endif
101474Sume
64197Sdwmalone#ifndef TOOMANY
2659Scsgr#define	TOOMANY		256		/* don't start more than TOOMANY */
64197Sdwmalone#endif
1553Srgrimes#define	CNT_INTVL	60		/* servers in CNT_INTVL sec. */
1553Srgrimes#define	RETRYTIME	(60*10)		/* retry after bind or server fail */
19618Sjulian#define MAX_MAXCHLD	32767		/* max allowable max children */
1553Srgrimes
1553Srgrimes#define	SIGBLOCK	(sigmask(SIGCHLD)|sigmask(SIGHUP)|sigmask(SIGALRM))
1553Srgrimes
98562Sjmallettvoid		close_sep(struct servtab *);
98562Sjmallettvoid		flag_signal(int);
98562Sjmallettvoid		flag_config(int);
98562Sjmallettvoid		config(void);
98562Sjmallettint		cpmip(const struct servtab *, int);
98562Sjmallettvoid		endconfig(void);
98562Sjmallettstruct servtab *enter(struct servtab *);
98562Sjmallettvoid		freeconfig(struct servtab *);
98562Sjmallettstruct servtab *getconfigent(void);
98562Sjmallettint		matchservent(const char *, const char *, const char *);
98562Sjmallettchar	       *nextline(FILE *);
98562Sjmallettvoid		addchild(struct servtab *, int);
98562Sjmallettvoid		flag_reapchild(int);
98562Sjmallettvoid		reapchild(void);
98562Sjmallettvoid		enable(struct servtab *);
98562Sjmallettvoid		disable(struct servtab *);
98562Sjmallettvoid		flag_retry(int);
98562Sjmallettvoid		retry(void);
98562Sjmallettint		setconfig(void);
98562Sjmallettvoid		setup(struct servtab *);
78694Sdwmalone#ifdef IPSEC
98562Sjmallettvoid		ipsecsetup(struct servtab *);
78694Sdwmalone#endif
98562Sjmallettvoid		unregisterrpc(register struct servtab *sep);
101474Sumestatic struct conninfo *search_conn(struct servtab *sep, int ctrl);
101474Sumestatic int	room_conn(struct servtab *sep, struct conninfo *conn);
101474Sumestatic void	addchild_conn(struct conninfo *conn, pid_t pid);
101474Sumestatic void	reapchild_conn(pid_t pid);
101474Sumestatic void	free_conn(struct conninfo *conn);
101474Sumestatic void	resize_conn(struct servtab *sep, int maxperip);
101474Sumestatic void	free_connlist(struct servtab *sep);
101474Sumestatic void	free_proc(struct procinfo *);
101474Sumestatic struct procinfo *search_proc(pid_t pid, int add);
101474Sumestatic int	hashval(char *p, int len);
78694Sdwmalone
48279Ssheldonhint	allow_severity;
48279Ssheldonhint	deny_severity;
48697Ssheldonhint	wrap_ex = 0;
48279Ssheldonhint	wrap_bi = 0;
1553Srgrimesint	debug = 0;
121766Speterint	dolog = 0;
48988Ssheldonhint	maxsock;			/* highest-numbered descriptor */
1553Srgrimesfd_set	allsock;
1553Srgrimesint	options;
1553Srgrimesint	timingout;
1553Srgrimesint	toomany = TOOMANY;
48069Ssheldonhint	maxchild = MAXCHILD;
48069Ssheldonhint	maxcpm = MAXCPM;
101474Sumeint	maxperip = MAXPERIP;
1553Srgrimesstruct	servent *sp;
2657Scsgrstruct	rpcent *rpc;
56590Sshinchar	*hostname = NULL;
56590Sshinstruct	sockaddr_in *bind_sa4;
102938Sdwmaloneint	v4bind_ok = 0;
56590Sshin#ifdef INET6
56590Sshinstruct	sockaddr_in6 *bind_sa6;
102938Sdwmaloneint	v6bind_ok = 0;
56590Sshin#endif
42122Sdesint	signalpipe[2];
48991Ssheldonh#ifdef SANITY_CHECK
48991Ssheldonhint	nsock;
48991Ssheldonh#endif
78356Sdwmaloneuid_t	euid;
78356Sdwmalonegid_t	egid;
78356Sdwmalonemode_t	mask;
1553Srgrimes
48981Ssheldonhstruct	servtab *servtab;
1553Srgrimes
48981Ssheldonhextern struct biltin biltins[];
1553Srgrimes
78694Sdwmaloneconst char	*CONFIG = _PATH_INETDCONF;
78694Sdwmaloneconst char	*pid_file = _PATH_INETDPID;
13142Speter
100127Salfredstruct netconfig *udpconf, *tcpconf, *udp6conf, *tcp6conf;
100127Salfred
101474Sumestatic LIST_HEAD(, procinfo) proctable[PERIPSIZE];
101474Sume
1553Srgrimesint
98558Sjmallettgetvalue(const char *arg, int *value, const char *whine)
33794Spst{
33794Spst	int  tmp;
33794Spst	char *p;
33794Spst
33794Spst	tmp = strtol(arg, &p, 0);
64197Sdwmalone	if (tmp < 0 || *p) {
33794Spst		syslog(LOG_ERR, whine, arg);
33794Spst		return 1;			/* failure */
33794Spst	}
33794Spst	*value = tmp;
33794Spst	return 0;				/* success */
33794Spst}
33794Spst
110802Sumestatic sa_family_t
110802Sumewhichaf(struct request_info *req)
110802Sume{
110802Sume	struct sockaddr *sa;
110802Sume
110802Sume	sa = (struct sockaddr *)req->client->sin;
110802Sume	if (sa == NULL)
110802Sume		return AF_UNSPEC;
110802Sume	if (sa->sa_family == AF_INET6 &&
110802Sume	    IN6_IS_ADDR_V4MAPPED(&((struct sockaddr_in6 *)sa)->sin6_addr))
110802Sume		return AF_INET;
110802Sume	return sa->sa_family;
110802Sume}
110802Sume
33794Spstint
98558Sjmallettmain(int argc, char **argv)
1553Srgrimes{
1553Srgrimes	struct servtab *sep;
1553Srgrimes	struct passwd *pwd;
30807Sache	struct group *grp;
48962Ssheldonh	struct sigaction sa, saalrm, sachld, sahup, sapipe;
121555Speter	int ch, dofork;
1553Srgrimes	pid_t pid;
1553Srgrimes	char buf[50];
21640Speter#ifdef LOGIN_CAP
21640Speter	login_cap_t *lc = NULL;
21640Speter#endif
45089Smarkm	struct request_info req;
45089Smarkm	int denied;
45089Smarkm	char *service = NULL;
56590Sshin	union {
56590Sshin		struct sockaddr peer_un;
56590Sshin		struct sockaddr_in peer_un4;
56590Sshin		struct sockaddr_in6 peer_un6;
56590Sshin		struct sockaddr_storage peer_max;
56590Sshin	} p_un;
56590Sshin#define peer	p_un.peer_un
56590Sshin#define peer4	p_un.peer_un4
56590Sshin#define peer6	p_un.peer_un6
56590Sshin#define peermax	p_un.peer_max
47972Ssheldonh	int i;
56590Sshin	struct addrinfo hints, *res;
78694Sdwmalone	const char *servname;
56590Sshin	int error;
101474Sume	struct conninfo *conn;
1553Srgrimes
97293Sjwd	openlog("inetd", LOG_PID | LOG_NOWAIT | LOG_PERROR, LOG_DAEMON);
1553Srgrimes
101474Sume	while ((ch = getopt(argc, argv, "dlwWR:a:c:C:p:s:")) != -1)
1553Srgrimes		switch(ch) {
1553Srgrimes		case 'd':
1553Srgrimes			debug = 1;
1553Srgrimes			options |= SO_DEBUG;
1553Srgrimes			break;
2659Scsgr		case 'l':
121766Speter			dolog = 1;
2659Scsgr			break;
33794Spst		case 'R':
33794Spst			getvalue(optarg, &toomany,
33794Spst				"-R %s: bad value for service invocation rate");
1553Srgrimes			break;
33794Spst		case 'c':
33794Spst			getvalue(optarg, &maxchild,
33794Spst				"-c %s: bad value for maximum children");
33794Spst			break;
33794Spst		case 'C':
33794Spst			getvalue(optarg, &maxcpm,
33794Spst				"-C %s: bad value for maximum children/minute");
33794Spst			break;
17482Sjulian		case 'a':
56590Sshin			hostname = optarg;
17482Sjulian			break;
17482Sjulian		case 'p':
17482Sjulian			pid_file = optarg;
17482Sjulian			break;
101474Sume		case 's':
101474Sume			getvalue(optarg, &maxperip,
101474Sume				"-s %s: bad value for maximum children per source address");
101474Sume			break;
48279Ssheldonh		case 'w':
48697Ssheldonh			wrap_ex++;
48279Ssheldonh			break;
48697Ssheldonh		case 'W':
48697Ssheldonh			wrap_bi++;
48697Ssheldonh			break;
1553Srgrimes		case '?':
1553Srgrimes		default:
1553Srgrimes			syslog(LOG_ERR,
48697Ssheldonh				"usage: inetd [-dlwW] [-a address] [-R rate]"
33794Spst				" [-c maximum] [-C rate]"
17482Sjulian				" [-p pidfile] [conf-file]");
19617Sjulian			exit(EX_USAGE);
1553Srgrimes		}
56590Sshin	/*
56590Sshin	 * Initialize Bind Addrs.
56590Sshin	 *   When hostname is NULL, wild card bind addrs are obtained from
56590Sshin	 *   getaddrinfo(). But getaddrinfo() requires at least one of
56590Sshin	 *   hostname or servname is non NULL.
56590Sshin	 *   So when hostname is NULL, set dummy value to servname.
128501Sbrooks	 *   Since getaddrinfo() doesn't accept numeric servname, and
128501Sbrooks	 *   we doesn't use ai_socktype of struct addrinfo returned
128501Sbrooks	 *   from getaddrinfo(), we set dummy value to ai_socktype.
56590Sshin	 */
128501Sbrooks	servname = (hostname == NULL) ? "0" /* dummy */ : NULL;
56590Sshin
56590Sshin	bzero(&hints, sizeof(struct addrinfo));
56590Sshin	hints.ai_flags = AI_PASSIVE;
56590Sshin	hints.ai_family = AF_UNSPEC;
128501Sbrooks	hints.ai_socktype = SOCK_STREAM;	/* dummy */
56590Sshin	error = getaddrinfo(hostname, servname, &hints, &res);
56590Sshin	if (error != 0) {
56590Sshin		syslog(LOG_ERR, "-a %s: %s", hostname, gai_strerror(error));
56590Sshin		if (error == EAI_SYSTEM)
56590Sshin			syslog(LOG_ERR, "%s", strerror(errno));
56590Sshin		exit(EX_USAGE);
56590Sshin	}
56590Sshin	do {
56590Sshin		if (res->ai_addr == NULL) {
56590Sshin			syslog(LOG_ERR, "-a %s: getaddrinfo failed", hostname);
56590Sshin			exit(EX_USAGE);
56590Sshin		}
56590Sshin		switch (res->ai_addr->sa_family) {
56590Sshin		case AF_INET:
102938Sdwmalone			if (v4bind_ok)
56590Sshin				continue;
56590Sshin			bind_sa4 = (struct sockaddr_in *)res->ai_addr;
56590Sshin			/* init port num in case servname is dummy */
56590Sshin			bind_sa4->sin_port = 0;
102938Sdwmalone			v4bind_ok = 1;
56590Sshin			continue;
56590Sshin#ifdef INET6
56590Sshin		case AF_INET6:
102938Sdwmalone			if (v6bind_ok)
56590Sshin				continue;
56590Sshin			bind_sa6 = (struct sockaddr_in6 *)res->ai_addr;
56590Sshin			/* init port num in case servname is dummy */
56590Sshin			bind_sa6->sin6_port = 0;
102938Sdwmalone			v6bind_ok = 1;
56590Sshin			continue;
56590Sshin#endif
56590Sshin		}
102938Sdwmalone		if (v4bind_ok
56590Sshin#ifdef INET6
102938Sdwmalone		    && v6bind_ok
56590Sshin#endif
56590Sshin		    )
56590Sshin			break;
56590Sshin	} while ((res = res->ai_next) != NULL);
102938Sdwmalone	if (!v4bind_ok
56590Sshin#ifdef INET6
102938Sdwmalone	    && !v6bind_ok
56590Sshin#endif
56590Sshin	    ) {
56590Sshin		syslog(LOG_ERR, "-a %s: unknown address family", hostname);
56590Sshin		exit(EX_USAGE);
56590Sshin	}
56590Sshin
78356Sdwmalone	euid = geteuid();
78356Sdwmalone	egid = getegid();
78356Sdwmalone	umask(mask = umask(0777));
78356Sdwmalone
1553Srgrimes	argc -= optind;
1553Srgrimes	argv += optind;
1553Srgrimes
1553Srgrimes	if (argc > 0)
1553Srgrimes		CONFIG = argv[0];
127301Sdwmalone	if (access(CONFIG, R_OK) < 0)
127301Sdwmalone		syslog(LOG_ERR, "Accessing %s: %m, continuing anyway.", CONFIG);
1553Srgrimes	if (debug == 0) {
11447Swollman		FILE *fp;
12024Speter		if (daemon(0, 0) < 0) {
12024Speter			syslog(LOG_WARNING, "daemon(0,0) failed: %m");
12024Speter		}
97293Sjwd		/* From now on we don't want syslog messages going to stderr. */
97293Sjwd		closelog();
97293Sjwd		openlog("inetd", LOG_PID | LOG_NOWAIT, LOG_DAEMON);
12024Speter		/*
12024Speter		 * In case somebody has started inetd manually, we need to
12024Speter		 * clear the logname, so that old servers run as root do not
12024Speter		 * get the user's logname..
12024Speter		 */
12024Speter		if (setlogin("") < 0) {
12024Speter			syslog(LOG_WARNING, "cannot clear logname: %m");
12024Speter			/* no big deal if it fails.. */
12024Speter		}
11447Swollman		pid = getpid();
17482Sjulian		fp = fopen(pid_file, "w");
11447Swollman		if (fp) {
11447Swollman			fprintf(fp, "%ld\n", (long)pid);
11447Swollman			fclose(fp);
11447Swollman		} else {
17482Sjulian			syslog(LOG_WARNING, "%s: %m", pid_file);
11447Swollman		}
1553Srgrimes	}
100127Salfred
101474Sume	for (i = 0; i < PERIPSIZE; ++i)
101474Sume		LIST_INIT(&proctable[i]);
101474Sume
102938Sdwmalone	if (v4bind_ok) {
100127Salfred		udpconf = getnetconfigent("udp");
100127Salfred		tcpconf = getnetconfigent("tcp");
100127Salfred		if (udpconf == NULL || tcpconf == NULL) {
102860Sdwmalone			syslog(LOG_ERR, "unknown rpc/udp or rpc/tcp");
100127Salfred			exit(EX_USAGE);
100127Salfred		}
100127Salfred	}
100127Salfred#ifdef INET6
102938Sdwmalone	if (v6bind_ok) {
100127Salfred		udp6conf = getnetconfigent("udp6");
100127Salfred		tcp6conf = getnetconfigent("tcp6");
100127Salfred		if (udp6conf == NULL || tcp6conf == NULL) {
102860Sdwmalone			syslog(LOG_ERR, "unknown rpc/udp6 or rpc/tcp6");
100127Salfred			exit(EX_USAGE);
100127Salfred		}
100127Salfred	}
100127Salfred#endif
100127Salfred
35948Sbde	sa.sa_flags = 0;
35948Sbde	sigemptyset(&sa.sa_mask);
35948Sbde	sigaddset(&sa.sa_mask, SIGALRM);
35948Sbde	sigaddset(&sa.sa_mask, SIGCHLD);
35948Sbde	sigaddset(&sa.sa_mask, SIGHUP);
42122Sdes	sa.sa_handler = flag_retry;
48962Ssheldonh	sigaction(SIGALRM, &sa, &saalrm);
42122Sdes	config();
42122Sdes	sa.sa_handler = flag_config;
48962Ssheldonh	sigaction(SIGHUP, &sa, &sahup);
42122Sdes	sa.sa_handler = flag_reapchild;
48962Ssheldonh	sigaction(SIGCHLD, &sa, &sachld);
35848Sguido	sa.sa_handler = SIG_IGN;
35948Sbde	sigaction(SIGPIPE, &sa, &sapipe);
1553Srgrimes
1553Srgrimes	{
1553Srgrimes		/* space for daemons to overwrite environment for ps */
1553Srgrimes#define	DUMMYSIZE	100
1553Srgrimes		char dummy[DUMMYSIZE];
1553Srgrimes
19298Salex		(void)memset(dummy, 'x', DUMMYSIZE - 1);
1553Srgrimes		dummy[DUMMYSIZE - 1] = '\0';
1553Srgrimes		(void)setenv("inetd_dummy", dummy, 1);
1553Srgrimes	}
1553Srgrimes
42250Sdes	if (pipe(signalpipe) != 0) {
52219Scharnier		syslog(LOG_ERR, "pipe: %m");
42250Sdes		exit(EX_OSERR);
42122Sdes	}
111324Sdwmalone	if (fcntl(signalpipe[0], F_SETFD, FD_CLOEXEC) < 0 ||
111324Sdwmalone	    fcntl(signalpipe[1], F_SETFD, FD_CLOEXEC) < 0) {
111324Sdwmalone		syslog(LOG_ERR, "signalpipe: fcntl (F_SETFD, FD_CLOEXEC): %m");
111324Sdwmalone		exit(EX_OSERR);
111324Sdwmalone	}
42122Sdes	FD_SET(signalpipe[0], &allsock);
48991Ssheldonh#ifdef SANITY_CHECK
47015Sdes	nsock++;
48991Ssheldonh#endif
48989Ssheldonh	if (signalpipe[0] > maxsock)
48989Ssheldonh	    maxsock = signalpipe[0];
48989Ssheldonh	if (signalpipe[1] > maxsock)
48989Ssheldonh	    maxsock = signalpipe[1];
41685Sdillon
1553Srgrimes	for (;;) {
1553Srgrimes	    int n, ctrl;
1553Srgrimes	    fd_set readable;
1553Srgrimes
48991Ssheldonh#ifdef SANITY_CHECK
1553Srgrimes	    if (nsock == 0) {
47015Sdes		syslog(LOG_ERR, "%s: nsock=0", __FUNCTION__);
47015Sdes		exit(EX_SOFTWARE);
1553Srgrimes	    }
48991Ssheldonh#endif
1553Srgrimes	    readable = allsock;
42122Sdes	    if ((n = select(maxsock + 1, &readable, (fd_set *)0,
42122Sdes		(fd_set *)0, (struct timeval *)0)) <= 0) {
42122Sdes		    if (n < 0 && errno != EINTR) {
1553Srgrimes			syslog(LOG_WARNING, "select: %m");
28907Simp			sleep(1);
28907Simp		    }
1553Srgrimes		    continue;
1553Srgrimes	    }
42122Sdes	    /* handle any queued signal flags */
42250Sdes	    if (FD_ISSET(signalpipe[0], &readable)) {
71399Sdwmalone		int nsig;
71399Sdwmalone		if (ioctl(signalpipe[0], FIONREAD, &nsig) != 0) {
42122Sdes		    syslog(LOG_ERR, "ioctl: %m");
42122Sdes		    exit(EX_OSERR);
42122Sdes		}
71399Sdwmalone		while (--nsig >= 0) {
42250Sdes		    char c;
42250Sdes		    if (read(signalpipe[0], &c, 1) != 1) {
42250Sdes			syslog(LOG_ERR, "read: %m");
42250Sdes			exit(EX_OSERR);
42250Sdes		    }
42250Sdes		    if (debug)
56482Scharnier			warnx("handling signal flag %c", c);
42250Sdes		    switch(c) {
42250Sdes		    case 'A': /* sigalrm */
42250Sdes			retry();
42250Sdes			break;
42250Sdes		    case 'C': /* sigchld */
42250Sdes			reapchild();
42250Sdes			break;
42250Sdes		    case 'H': /* sighup */
42250Sdes			config();
42250Sdes			break;
42250Sdes		    }
42250Sdes		}
42122Sdes	    }
1553Srgrimes	    for (sep = servtab; n && sep; sep = sep->se_next)
1553Srgrimes	        if (sep->se_fd != -1 && FD_ISSET(sep->se_fd, &readable)) {
1553Srgrimes		    n--;
1553Srgrimes		    if (debug)
29602Scharnier			    warnx("someone wants %s", sep->se_service);
101474Sume		    dofork = !sep->se_bi || sep->se_bi->bi_fork || ISWRAP(sep);
101474Sume		    conn = NULL;
19618Sjulian		    if (sep->se_accept && sep->se_socktype == SOCK_STREAM) {
53256Speter			    i = 1;
53256Speter			    if (ioctl(sep->se_fd, FIONBIO, &i) < 0)
53256Speter				    syslog(LOG_ERR, "ioctl (FIONBIO, 1): %m");
1553Srgrimes			    ctrl = accept(sep->se_fd, (struct sockaddr *)0,
71399Sdwmalone				(socklen_t *)0);
1553Srgrimes			    if (debug)
29602Scharnier				    warnx("accept, ctrl %d", ctrl);
1553Srgrimes			    if (ctrl < 0) {
1553Srgrimes				    if (errno != EINTR)
1553Srgrimes					    syslog(LOG_WARNING,
1553Srgrimes						"accept (for %s): %m",
37844Sphk						sep->se_service);
37816Sphk                                      if (sep->se_accept &&
37816Sphk                                          sep->se_socktype == SOCK_STREAM)
37816Sphk                                              close(ctrl);
1553Srgrimes				    continue;
1553Srgrimes			    }
53256Speter			    i = 0;
53256Speter			    if (ioctl(sep->se_fd, FIONBIO, &i) < 0)
53256Speter				    syslog(LOG_ERR, "ioctl1(FIONBIO, 0): %m");
53256Speter			    if (ioctl(ctrl, FIONBIO, &i) < 0)
53256Speter				    syslog(LOG_ERR, "ioctl2(FIONBIO, 0): %m");
30847Sdima			    if (cpmip(sep, ctrl) < 0) {
30847Sdima				close(ctrl);
30847Sdima				continue;
30847Sdima			    }
101474Sume			    if (dofork &&
101474Sume				(conn = search_conn(sep, ctrl)) != NULL &&
101474Sume				!room_conn(sep, conn)) {
101474Sume				close(ctrl);
101474Sume				continue;
101474Sume			    }
1553Srgrimes		    } else
1553Srgrimes			    ctrl = sep->se_fd;
121766Speter		    if (dolog && !ISWRAP(sep)) {
71399Sdwmalone			    char pname[INET6_ADDRSTRLEN] = "unknown";
71399Sdwmalone			    socklen_t sl;
71399Sdwmalone			    sl = sizeof peermax;
48382Ssheldonh			    if (getpeername(ctrl, (struct sockaddr *)
71399Sdwmalone					    &peermax, &sl)) {
71399Sdwmalone				    sl = sizeof peermax;
48382Ssheldonh				    if (recvfrom(ctrl, buf, sizeof(buf),
48382Ssheldonh					MSG_PEEK,
56590Sshin					(struct sockaddr *)&peermax,
71399Sdwmalone					&sl) >= 0) {
56590Sshin				      getnameinfo((struct sockaddr *)&peermax,
57383Sshin						  peer.sa_len,
56590Sshin						  pname, sizeof(pname),
56590Sshin						  NULL, 0,
56590Sshin						  NI_NUMERICHOST|
56590Sshin						  NI_WITHSCOPEID);
56590Sshin				    }
56590Sshin			    } else {
56590Sshin			            getnameinfo((struct sockaddr *)&peermax,
57383Sshin						peer.sa_len,
56590Sshin						pname, sizeof(pname),
56590Sshin						NULL, 0,
56590Sshin						NI_NUMERICHOST|
56590Sshin						NI_WITHSCOPEID);
48382Ssheldonh			    }
71399Sdwmalone			    syslog(LOG_INFO,"%s from %s", sep->se_service, pname);
48382Ssheldonh		    }
42122Sdes		    (void) sigblock(SIGBLOCK);
1553Srgrimes		    pid = 0;
47972Ssheldonh		    /*
48958Ssheldonh		     * Fork for all external services, builtins which need to
48958Ssheldonh		     * fork and anything we're wrapping (as wrapping might
48958Ssheldonh		     * block or use hosts_options(5) twist).
47972Ssheldonh		     */
1553Srgrimes		    if (dofork) {
1553Srgrimes			    if (sep->se_count++ == 0)
37856Sache				(void)gettimeofday(&sep->se_time, (struct timezone *)NULL);
64197Sdwmalone			    else if (toomany > 0 && sep->se_count >= toomany) {
1553Srgrimes				struct timeval now;
1553Srgrimes
37856Sache				(void)gettimeofday(&now, (struct timezone *)NULL);
1553Srgrimes				if (now.tv_sec - sep->se_time.tv_sec >
1553Srgrimes				    CNT_INTVL) {
1553Srgrimes					sep->se_time = now;
1553Srgrimes					sep->se_count = 1;
1553Srgrimes				} else {
1553Srgrimes					syslog(LOG_ERR,
1553Srgrimes			"%s/%s server failing (looping), service terminated",
1553Srgrimes					    sep->se_service, sep->se_proto);
67415Sdwmalone					if (sep->se_accept &&
67415Sdwmalone					    sep->se_socktype == SOCK_STREAM)
67415Sdwmalone						close(ctrl);
1553Srgrimes					close_sep(sep);
101474Sume					free_conn(conn);
42122Sdes					sigsetmask(0L);
1553Srgrimes					if (!timingout) {
1553Srgrimes						timingout = 1;
1553Srgrimes						alarm(RETRYTIME);
1553Srgrimes					}
1553Srgrimes					continue;
1553Srgrimes				}
1553Srgrimes			    }
1553Srgrimes			    pid = fork();
1553Srgrimes		    }
1553Srgrimes		    if (pid < 0) {
1553Srgrimes			    syslog(LOG_ERR, "fork: %m");
19618Sjulian			    if (sep->se_accept &&
1553Srgrimes				sep->se_socktype == SOCK_STREAM)
1553Srgrimes				    close(ctrl);
101474Sume			    free_conn(conn);
42122Sdes			    sigsetmask(0L);
1553Srgrimes			    sleep(1);
1553Srgrimes			    continue;
1553Srgrimes		    }
101474Sume		    if (pid) {
101474Sume			addchild_conn(conn, pid);
19618Sjulian			addchild(sep, pid);
101474Sume		    }
42122Sdes		    sigsetmask(0L);
1553Srgrimes		    if (pid == 0) {
1553Srgrimes			    if (dofork) {
48962Ssheldonh				sigaction(SIGALRM, &saalrm, (struct sigaction *)0);
48962Ssheldonh				sigaction(SIGCHLD, &sachld, (struct sigaction *)0);
48962Ssheldonh				sigaction(SIGHUP, &sahup, (struct sigaction *)0);
48962Ssheldonh				/* SIGPIPE reset before exec */
1553Srgrimes			    }
35829Sguido			    /*
35829Sguido			     * Call tcpmux to find the real service to exec.
35829Sguido			     */
35829Sguido			    if (sep->se_bi &&
78694Sdwmalone				sep->se_bi->bi_fn == (bi_fn_t *) tcpmux) {
35829Sguido				    sep = tcpmux(ctrl);
35829Sguido				    if (sep == NULL) {
35829Sguido					    close(ctrl);
35829Sguido					    _exit(0);
35829Sguido				    }
35829Sguido			    }
48382Ssheldonh			    if (ISWRAP(sep)) {
48698Ssheldonh				inetd_setproctitle("wrapping", ctrl);
47972Ssheldonh				service = sep->se_server_name ?
47972Ssheldonh				    sep->se_server_name : sep->se_service;
127865Sdwmalone				request_init(&req, RQ_DAEMON, service, RQ_FILE, ctrl, 0);
45089Smarkm				fromhost(&req);
47972Ssheldonh				deny_severity = LIBWRAP_DENY_FACILITY|LIBWRAP_DENY_SEVERITY;
47972Ssheldonh				allow_severity = LIBWRAP_ALLOW_FACILITY|LIBWRAP_ALLOW_SEVERITY;
45089Smarkm				denied = !hosts_access(&req);
45089Smarkm				if (denied) {
45089Smarkm				    syslog(deny_severity,
96224Sume				        "refused connection from %.500s, service %s (%s%s)",
96224Sume				        eval_client(&req), service, sep->se_proto,
110802Sume					(whichaf(&req) == AF_INET6) ? "6" : "");
48382Ssheldonh				    if (sep->se_socktype != SOCK_STREAM)
48382Ssheldonh					recv(ctrl, buf, sizeof (buf), 0);
64059Sdwmalone				    if (dofork) {
64059Sdwmalone					sleep(1);
48382Ssheldonh					_exit(0);
64059Sdwmalone				    }
45089Smarkm				}
121766Speter				if (dolog) {
45089Smarkm				    syslog(allow_severity,
96224Sume				        "connection from %.500s, service %s (%s%s)",
96224Sume					eval_client(&req), service, sep->se_proto,
110802Sume					(whichaf(&req) == AF_INET6) ? "6" : "");
45089Smarkm				}
45089Smarkm			    }
19617Sjulian			    if (sep->se_bi) {
1553Srgrimes				(*sep->se_bi->bi_fn)(ctrl, sep);
19617Sjulian			    } else {
1553Srgrimes				if (debug)
29602Scharnier					warnx("%d execl %s",
29602Scharnier						getpid(), sep->se_server);
111324Sdwmalone				/* Clear close-on-exec. */
111324Sdwmalone				if (fcntl(ctrl, F_SETFD, 0) < 0) {
111324Sdwmalone					syslog(LOG_ERR,
111324Sdwmalone					    "%s/%s: fcntl (F_SETFD, 0): %m",
111324Sdwmalone						sep->se_service, sep->se_proto);
111324Sdwmalone					_exit(EX_OSERR);
111324Sdwmalone				}
111324Sdwmalone				if (ctrl != 0) {
111324Sdwmalone					dup2(ctrl, 0);
111324Sdwmalone					close(ctrl);
111324Sdwmalone				}
1553Srgrimes				dup2(0, 1);
1553Srgrimes				dup2(0, 2);
1553Srgrimes				if ((pwd = getpwnam(sep->se_user)) == NULL) {
1553Srgrimes					syslog(LOG_ERR,
56482Scharnier					    "%s/%s: %s: no such user",
1553Srgrimes						sep->se_service, sep->se_proto,
1553Srgrimes						sep->se_user);
1553Srgrimes					if (sep->se_socktype != SOCK_STREAM)
1553Srgrimes						recv(0, buf, sizeof (buf), 0);
19617Sjulian					_exit(EX_NOUSER);
1553Srgrimes				}
30807Sache				grp = NULL;
30807Sache				if (   sep->se_group != NULL
30807Sache				    && (grp = getgrnam(sep->se_group)) == NULL
30807Sache				   ) {
30807Sache					syslog(LOG_ERR,
56482Scharnier					    "%s/%s: %s: no such group",
30807Sache						sep->se_service, sep->se_proto,
30807Sache						sep->se_group);
30807Sache					if (sep->se_socktype != SOCK_STREAM)
30807Sache						recv(0, buf, sizeof (buf), 0);
30807Sache					_exit(EX_NOUSER);
30807Sache				}
30807Sache				if (grp != NULL)
30807Sache					pwd->pw_gid = grp->gr_gid;
21640Speter#ifdef LOGIN_CAP
30792Sache				if ((lc = login_getclass(sep->se_class)) == NULL) {
30792Sache					/* error syslogged by getclass */
30792Sache					syslog(LOG_ERR,
30792Sache					    "%s/%s: %s: login class error",
37850Sache						sep->se_service, sep->se_proto,
37850Sache						sep->se_class);
30792Sache					if (sep->se_socktype != SOCK_STREAM)
30792Sache						recv(0, buf, sizeof (buf), 0);
30792Sache					_exit(EX_NOUSER);
30792Sache				}
21640Speter#endif
12024Speter				if (setsid() < 0) {
12024Speter					syslog(LOG_ERR,
12024Speter						"%s: can't setsid(): %m",
12024Speter						 sep->se_service);
19617Sjulian					/* _exit(EX_OSERR); not fatal yet */
12024Speter				}
21640Speter#ifdef LOGIN_CAP
21640Speter				if (setusercontext(lc, pwd, pwd->pw_uid,
109349Srwatson				    LOGIN_SETALL & ~LOGIN_SETMAC)
108951Srwatson				    != 0) {
21640Speter					syslog(LOG_ERR,
21640Speter					 "%s: can't setusercontext(..%s..): %m",
21640Speter					 sep->se_service, sep->se_user);
21640Speter					_exit(EX_OSERR);
21640Speter				}
111323Sdwmalone				login_close(lc);
21640Speter#else
1553Srgrimes				if (pwd->pw_uid) {
12024Speter					if (setlogin(sep->se_user) < 0) {
12024Speter						syslog(LOG_ERR,
12024Speter						 "%s: can't setlogin(%s): %m",
12024Speter						 sep->se_service, sep->se_user);
19617Sjulian						/* _exit(EX_OSERR); not yet */
12024Speter					}
1553Srgrimes					if (setgid(pwd->pw_gid) < 0) {
1553Srgrimes						syslog(LOG_ERR,
8857Srgrimes						  "%s: can't set gid %d: %m",
1553Srgrimes						  sep->se_service, pwd->pw_gid);
19617Sjulian						_exit(EX_OSERR);
1553Srgrimes					}
1553Srgrimes					(void) initgroups(pwd->pw_name,
1553Srgrimes							pwd->pw_gid);
1553Srgrimes					if (setuid(pwd->pw_uid) < 0) {
1553Srgrimes						syslog(LOG_ERR,
8857Srgrimes						  "%s: can't set uid %d: %m",
1553Srgrimes						  sep->se_service, pwd->pw_uid);
19617Sjulian						_exit(EX_OSERR);
1553Srgrimes					}
1553Srgrimes				}
21640Speter#endif
35948Sbde				sigaction(SIGPIPE, &sapipe,
35948Sbde				    (struct sigaction *)0);
1553Srgrimes				execv(sep->se_server, sep->se_argv);
45089Smarkm				syslog(LOG_ERR,
45089Smarkm				    "cannot execute %s: %m", sep->se_server);
1553Srgrimes				if (sep->se_socktype != SOCK_STREAM)
1553Srgrimes					recv(0, buf, sizeof (buf), 0);
1553Srgrimes			    }
47972Ssheldonh			    if (dofork)
47972Ssheldonh				_exit(0);
1553Srgrimes		    }
19618Sjulian		    if (sep->se_accept && sep->se_socktype == SOCK_STREAM)
1553Srgrimes			    close(ctrl);
1553Srgrimes		}
1553Srgrimes	}
1553Srgrimes}
1553Srgrimes
19618Sjulian/*
42122Sdes * Add a signal flag to the signal flag queue for later handling
42122Sdes */
42122Sdes
78694Sdwmalonevoid
98558Sjmallettflag_signal(int c)
42122Sdes{
69546Sdwmalone	char ch = c;
69546Sdwmalone
69546Sdwmalone	if (write(signalpipe[1], &ch, 1) != 1) {
42250Sdes		syslog(LOG_ERR, "write: %m");
48985Ssheldonh		_exit(EX_OSERR);
42250Sdes	}
42122Sdes}
42122Sdes
42122Sdes/*
19618Sjulian * Record a new child pid for this service. If we've reached the
19618Sjulian * limit on children, then stop accepting incoming requests.
19618Sjulian */
19618Sjulian
1553Srgrimesvoid
19618Sjulianaddchild(struct servtab *sep, pid_t pid)
19618Sjulian{
64197Sdwmalone	if (sep->se_maxchild <= 0)
64197Sdwmalone		return;
19618Sjulian#ifdef SANITY_CHECK
19618Sjulian	if (sep->se_numchild >= sep->se_maxchild) {
19618Sjulian		syslog(LOG_ERR, "%s: %d >= %d",
19618Sjulian		    __FUNCTION__, sep->se_numchild, sep->se_maxchild);
19618Sjulian		exit(EX_SOFTWARE);
19618Sjulian	}
19618Sjulian#endif
19618Sjulian	sep->se_pids[sep->se_numchild++] = pid;
19618Sjulian	if (sep->se_numchild == sep->se_maxchild)
19618Sjulian		disable(sep);
19618Sjulian}
19618Sjulian
19618Sjulian/*
19618Sjulian * Some child process has exited. See if it's on somebody's list.
19618Sjulian */
19618Sjulian
19618Sjulianvoid
98561Sjmallettflag_reapchild(int signo __unused)
1553Srgrimes{
42250Sdes	flag_signal('C');
42122Sdes}
42122Sdes
42122Sdesvoid
98558Sjmallettreapchild(void)
42122Sdes{
19618Sjulian	int k, status;
1553Srgrimes	pid_t pid;
1553Srgrimes	struct servtab *sep;
1553Srgrimes
1553Srgrimes	for (;;) {
1553Srgrimes		pid = wait3(&status, WNOHANG, (struct rusage *)0);
1553Srgrimes		if (pid <= 0)
1553Srgrimes			break;
1553Srgrimes		if (debug)
102939Sdwmalone			warnx("%d reaped, %s %u", pid,
102939Sdwmalone			    WIFEXITED(status) ? "status" : "signal",
102939Sdwmalone			    WIFEXITED(status) ? WEXITSTATUS(status)
102939Sdwmalone				: WTERMSIG(status));
19618Sjulian		for (sep = servtab; sep; sep = sep->se_next) {
19618Sjulian			for (k = 0; k < sep->se_numchild; k++)
19618Sjulian				if (sep->se_pids[k] == pid)
19618Sjulian					break;
19618Sjulian			if (k == sep->se_numchild)
19618Sjulian				continue;
19618Sjulian			if (sep->se_numchild == sep->se_maxchild)
19618Sjulian				enable(sep);
19618Sjulian			sep->se_pids[k] = sep->se_pids[--sep->se_numchild];
102939Sdwmalone			if (WIFSIGNALED(status) || WEXITSTATUS(status))
19618Sjulian				syslog(LOG_WARNING,
102939Sdwmalone				    "%s[%d]: exited, %s %u",
102939Sdwmalone				    sep->se_server, pid,
102939Sdwmalone				    WIFEXITED(status) ? "status" : "signal",
102939Sdwmalone				    WIFEXITED(status) ? WEXITSTATUS(status)
102939Sdwmalone					: WTERMSIG(status));
19618Sjulian			break;
19618Sjulian		}
101474Sume		reapchild_conn(pid);
1553Srgrimes	}
1553Srgrimes}
1553Srgrimes
1553Srgrimesvoid
98561Sjmallettflag_config(int signo __unused)
1553Srgrimes{
42250Sdes	flag_signal('H');
42122Sdes}
42122Sdes
78694Sdwmalonevoid
98558Sjmallettconfig(void)
42122Sdes{
19618Sjulian	struct servtab *sep, *new, **sepp;
42122Sdes	long omask;
100127Salfred	int new_nomapped;
111323Sdwmalone#ifdef LOGIN_CAP
111323Sdwmalone	login_cap_t *lc = NULL;
111323Sdwmalone#endif
1553Srgrimes
1553Srgrimes	if (!setconfig()) {
1553Srgrimes		syslog(LOG_ERR, "%s: %m", CONFIG);
1553Srgrimes		return;
1553Srgrimes	}
1553Srgrimes	for (sep = servtab; sep; sep = sep->se_next)
1553Srgrimes		sep->se_checked = 0;
19618Sjulian	while ((new = getconfigent())) {
30807Sache		if (getpwnam(new->se_user) == NULL) {
1553Srgrimes			syslog(LOG_ERR,
56482Scharnier				"%s/%s: no such user '%s', service ignored",
19618Sjulian				new->se_service, new->se_proto, new->se_user);
1553Srgrimes			continue;
1553Srgrimes		}
30807Sache		if (new->se_group && getgrnam(new->se_group) == NULL) {
30807Sache			syslog(LOG_ERR,
56482Scharnier				"%s/%s: no such group '%s', service ignored",
30807Sache				new->se_service, new->se_proto, new->se_group);
30807Sache			continue;
30807Sache		}
30792Sache#ifdef LOGIN_CAP
111323Sdwmalone		if ((lc = login_getclass(new->se_class)) == NULL) {
30792Sache			/* error syslogged by getclass */
30792Sache			syslog(LOG_ERR,
37850Sache				"%s/%s: %s: login class error, service ignored",
37850Sache				new->se_service, new->se_proto, new->se_class);
30792Sache			continue;
30792Sache		}
111323Sdwmalone		login_close(lc);
30792Sache#endif
100127Salfred		new_nomapped = new->se_nomapped;
1553Srgrimes		for (sep = servtab; sep; sep = sep->se_next)
19618Sjulian			if (strcmp(sep->se_service, new->se_service) == 0 &&
56590Sshin			    strcmp(sep->se_proto, new->se_proto) == 0 &&
100127Salfred			    sep->se_rpc == new->se_rpc &&
78356Sdwmalone			    sep->se_socktype == new->se_socktype &&
56590Sshin			    sep->se_family == new->se_family)
1553Srgrimes				break;
1553Srgrimes		if (sep != 0) {
1553Srgrimes			int i;
1553Srgrimes
98611Sjmallett#define SWAP(t,a, b) { t c = a; a = b; b = c; }
42122Sdes			omask = sigblock(SIGBLOCK);
56590Sshin			if (sep->se_nomapped != new->se_nomapped) {
100127Salfred				/* for rpc keep old nommaped till unregister */
100127Salfred				if (!sep->se_rpc)
100127Salfred					sep->se_nomapped = new->se_nomapped;
56590Sshin				sep->se_reset = 1;
56590Sshin			}
19618Sjulian			/* copy over outstanding child pids */
64197Sdwmalone			if (sep->se_maxchild > 0 && new->se_maxchild > 0) {
19618Sjulian				new->se_numchild = sep->se_numchild;
19618Sjulian				if (new->se_numchild > new->se_maxchild)
19618Sjulian					new->se_numchild = new->se_maxchild;
19618Sjulian				memcpy(new->se_pids, sep->se_pids,
19618Sjulian				    new->se_numchild * sizeof(*new->se_pids));
19618Sjulian			}
98611Sjmallett			SWAP(pid_t *, sep->se_pids, new->se_pids);
19618Sjulian			sep->se_maxchild = new->se_maxchild;
19618Sjulian			sep->se_numchild = new->se_numchild;
30847Sdima			sep->se_maxcpm = new->se_maxcpm;
101474Sume			resize_conn(sep, new->se_maxperip);
101474Sume			sep->se_maxperip = new->se_maxperip;
66544Sdwmalone			sep->se_bi = new->se_bi;
19618Sjulian			/* might need to turn on or off service now */
19618Sjulian			if (sep->se_fd >= 0) {
64197Sdwmalone			      if (sep->se_maxchild > 0
19618Sjulian				  && sep->se_numchild == sep->se_maxchild) {
19618Sjulian				      if (FD_ISSET(sep->se_fd, &allsock))
19618Sjulian					  disable(sep);
19618Sjulian			      } else {
19618Sjulian				      if (!FD_ISSET(sep->se_fd, &allsock))
19618Sjulian					  enable(sep);
19618Sjulian			      }
19618Sjulian			}
19618Sjulian			sep->se_accept = new->se_accept;
98611Sjmallett			SWAP(char *, sep->se_user, new->se_user);
98611Sjmallett			SWAP(char *, sep->se_group, new->se_group);
30792Sache#ifdef LOGIN_CAP
98611Sjmallett			SWAP(char *, sep->se_class, new->se_class);
30792Sache#endif
98611Sjmallett			SWAP(char *, sep->se_server, new->se_server);
98611Sjmallett			SWAP(char *, sep->se_server_name, new->se_server_name);
1553Srgrimes			for (i = 0; i < MAXARGV; i++)
98611Sjmallett				SWAP(char *, sep->se_argv[i], new->se_argv[i]);
56590Sshin#ifdef IPSEC
98611Sjmallett			SWAP(char *, sep->se_policy, new->se_policy);
56590Sshin			ipsecsetup(sep);
56590Sshin#endif
42122Sdes			sigsetmask(omask);
19618Sjulian			freeconfig(new);
1553Srgrimes			if (debug)
1553Srgrimes				print_service("REDO", sep);
1553Srgrimes		} else {
19618Sjulian			sep = enter(new);
1553Srgrimes			if (debug)
1553Srgrimes				print_service("ADD ", sep);
1553Srgrimes		}
1553Srgrimes		sep->se_checked = 1;
1553Srgrimes		if (ISMUX(sep)) {
1553Srgrimes			sep->se_fd = -1;
1553Srgrimes			continue;
1553Srgrimes		}
56590Sshin		switch (sep->se_family) {
56590Sshin		case AF_INET:
102938Sdwmalone			if (!v4bind_ok) {
56590Sshin				sep->se_fd = -1;
56590Sshin				continue;
56590Sshin			}
56590Sshin			break;
56590Sshin#ifdef INET6
56590Sshin		case AF_INET6:
102938Sdwmalone			if (!v6bind_ok) {
56590Sshin				sep->se_fd = -1;
56590Sshin				continue;
56590Sshin			}
56590Sshin			break;
56590Sshin#endif
56590Sshin		}
2657Scsgr		if (!sep->se_rpc) {
78356Sdwmalone			if (sep->se_family != AF_UNIX) {
78356Sdwmalone				sp = getservbyname(sep->se_service, sep->se_proto);
78356Sdwmalone				if (sp == 0) {
78356Sdwmalone					syslog(LOG_ERR, "%s/%s: unknown service",
78356Sdwmalone					sep->se_service, sep->se_proto);
78356Sdwmalone					sep->se_checked = 0;
78356Sdwmalone					continue;
78356Sdwmalone				}
2657Scsgr			}
56590Sshin			switch (sep->se_family) {
56590Sshin			case AF_INET:
56590Sshin				if (sp->s_port != sep->se_ctrladdr4.sin_port) {
56590Sshin					sep->se_ctrladdr4.sin_port =
56590Sshin						sp->s_port;
56590Sshin					sep->se_reset = 1;
56590Sshin				}
56590Sshin				break;
56590Sshin#ifdef INET6
56590Sshin			case AF_INET6:
56590Sshin				if (sp->s_port !=
56590Sshin				    sep->se_ctrladdr6.sin6_port) {
56590Sshin					sep->se_ctrladdr6.sin6_port =
56590Sshin						sp->s_port;
56590Sshin					sep->se_reset = 1;
56590Sshin				}
56590Sshin				break;
56590Sshin#endif
2657Scsgr			}
56590Sshin			if (sep->se_reset != 0 && sep->se_fd >= 0)
56590Sshin				close_sep(sep);
2657Scsgr		} else {
2657Scsgr			rpc = getrpcbyname(sep->se_service);
2657Scsgr			if (rpc == 0) {
52219Scharnier				syslog(LOG_ERR, "%s/%s unknown RPC service",
2657Scsgr					sep->se_service, sep->se_proto);
2657Scsgr				if (sep->se_fd != -1)
2657Scsgr					(void) close(sep->se_fd);
2657Scsgr				sep->se_fd = -1;
2657Scsgr					continue;
2657Scsgr			}
100127Salfred			if (sep->se_reset != 0 ||
100127Salfred			    rpc->r_number != sep->se_rpc_prog) {
2657Scsgr				if (sep->se_rpc_prog)
2657Scsgr					unregisterrpc(sep);
2657Scsgr				sep->se_rpc_prog = rpc->r_number;
2657Scsgr				if (sep->se_fd != -1)
2657Scsgr					(void) close(sep->se_fd);
2657Scsgr				sep->se_fd = -1;
2657Scsgr			}
100127Salfred			sep->se_nomapped = new_nomapped;
1553Srgrimes		}
100127Salfred		sep->se_reset = 0;
1553Srgrimes		if (sep->se_fd == -1)
1553Srgrimes			setup(sep);
1553Srgrimes	}
1553Srgrimes	endconfig();
1553Srgrimes	/*
1553Srgrimes	 * Purge anything not looked at above.
1553Srgrimes	 */
42122Sdes	omask = sigblock(SIGBLOCK);
1553Srgrimes	sepp = &servtab;
19617Sjulian	while ((sep = *sepp)) {
1553Srgrimes		if (sep->se_checked) {
1553Srgrimes			sepp = &sep->se_next;
1553Srgrimes			continue;
1553Srgrimes		}
1553Srgrimes		*sepp = sep->se_next;
1553Srgrimes		if (sep->se_fd >= 0)
1553Srgrimes			close_sep(sep);
1553Srgrimes		if (debug)
1553Srgrimes			print_service("FREE", sep);
2657Scsgr		if (sep->se_rpc && sep->se_rpc_prog > 0)
2657Scsgr			unregisterrpc(sep);
1553Srgrimes		freeconfig(sep);
71399Sdwmalone		free(sep);
1553Srgrimes	}
42122Sdes	(void) sigsetmask(omask);
1553Srgrimes}
1553Srgrimes
1553Srgrimesvoid
98558Sjmallettunregisterrpc(struct servtab *sep)
2657Scsgr{
78694Sdwmalone        u_int i;
2657Scsgr        struct servtab *sepp;
42122Sdes	long omask;
100127Salfred	struct netconfig *netid4, *netid6;
2657Scsgr
42122Sdes	omask = sigblock(SIGBLOCK);
100127Salfred	netid4 = sep->se_socktype == SOCK_DGRAM ? udpconf : tcpconf;
100127Salfred	netid6 = sep->se_socktype == SOCK_DGRAM ? udp6conf : tcp6conf;
100127Salfred	if (sep->se_family == AF_INET)
100127Salfred		netid6 = NULL;
100127Salfred	else if (sep->se_nomapped)
100127Salfred		netid4 = NULL;
100127Salfred	/*
100127Salfred	 * Conflict if same prog and protocol - In that case one should look
100127Salfred	 * to versions, but it is not interesting: having separate servers for
100127Salfred	 * different versions does not work well.
100127Salfred	 * Therefore one do not unregister if there is a conflict.
100127Salfred	 * There is also transport conflict if destroying INET when INET46
100127Salfred	 * exists, or destroying INET46 when INET exists
100127Salfred	 */
2657Scsgr        for (sepp = servtab; sepp; sepp = sepp->se_next) {
2657Scsgr                if (sepp == sep)
2657Scsgr                        continue;
100127Salfred		if (sepp->se_checked == 0 ||
2657Scsgr                    !sepp->se_rpc ||
100127Salfred		    strcmp(sep->se_proto, sepp->se_proto) != 0 ||
2657Scsgr                    sep->se_rpc_prog != sepp->se_rpc_prog)
2657Scsgr			continue;
100127Salfred		if (sepp->se_family == AF_INET)
100127Salfred			netid4 = NULL;
100127Salfred		if (sepp->se_family == AF_INET6) {
100127Salfred			netid6 = NULL;
100127Salfred			if (!sep->se_nomapped)
100127Salfred				netid4 = NULL;
100127Salfred		}
100127Salfred		if (netid4 == NULL && netid6 == NULL)
100127Salfred			return;
2657Scsgr        }
2657Scsgr        if (debug)
2657Scsgr                print_service("UNREG", sep);
100127Salfred        for (i = sep->se_rpc_lowvers; i <= sep->se_rpc_highvers; i++) {
100127Salfred		if (netid4)
100127Salfred			rpcb_unset(sep->se_rpc_prog, i, netid4);
100127Salfred		if (netid6)
100127Salfred			rpcb_unset(sep->se_rpc_prog, i, netid6);
100127Salfred	}
2657Scsgr        if (sep->se_fd != -1)
2657Scsgr                (void) close(sep->se_fd);
2657Scsgr        sep->se_fd = -1;
42122Sdes	(void) sigsetmask(omask);
2657Scsgr}
2657Scsgr
2657Scsgrvoid
98561Sjmallettflag_retry(int signo __unused)
1553Srgrimes{
42250Sdes	flag_signal('A');
42122Sdes}
42122Sdes
42122Sdesvoid
98558Sjmallettretry(void)
42122Sdes{
1553Srgrimes	struct servtab *sep;
1553Srgrimes
1553Srgrimes	timingout = 0;
1553Srgrimes	for (sep = servtab; sep; sep = sep->se_next)
19617Sjulian		if (sep->se_fd == -1 && !ISMUX(sep))
1553Srgrimes			setup(sep);
1553Srgrimes}
1553Srgrimes
1553Srgrimesvoid
98558Sjmallettsetup(struct servtab *sep)
1553Srgrimes{
1553Srgrimes	int on = 1;
1553Srgrimes
56590Sshin	if ((sep->se_fd = socket(sep->se_family, sep->se_socktype, 0)) < 0) {
1553Srgrimes		if (debug)
29602Scharnier			warn("socket failed on %s/%s",
29602Scharnier				sep->se_service, sep->se_proto);
1553Srgrimes		syslog(LOG_ERR, "%s/%s: socket: %m",
1553Srgrimes		    sep->se_service, sep->se_proto);
1553Srgrimes		return;
1553Srgrimes	}
111324Sdwmalone	/* Set all listening sockets to close-on-exec. */
111324Sdwmalone	if (fcntl(sep->se_fd, F_SETFD, FD_CLOEXEC) < 0) {
111324Sdwmalone		syslog(LOG_ERR, "%s/%s: fcntl (F_SETFD, FD_CLOEXEC): %m",
111324Sdwmalone		    sep->se_service, sep->se_proto);
111324Sdwmalone		close(sep->se_fd);
111324Sdwmalone		return;
111324Sdwmalone	}
1553Srgrimes#define	turnon(fd, opt) \
1553Srgrimessetsockopt(fd, SOL_SOCKET, opt, (char *)&on, sizeof (on))
1553Srgrimes	if (strcmp(sep->se_proto, "tcp") == 0 && (options & SO_DEBUG) &&
1553Srgrimes	    turnon(sep->se_fd, SO_DEBUG) < 0)
1553Srgrimes		syslog(LOG_ERR, "setsockopt (SO_DEBUG): %m");
1553Srgrimes	if (turnon(sep->se_fd, SO_REUSEADDR) < 0)
1553Srgrimes		syslog(LOG_ERR, "setsockopt (SO_REUSEADDR): %m");
25253Swollman#ifdef SO_PRIVSTATE
13956Swollman	if (turnon(sep->se_fd, SO_PRIVSTATE) < 0)
13956Swollman		syslog(LOG_ERR, "setsockopt (SO_PRIVSTATE): %m");
25253Swollman#endif
56590Sshin	/* tftpd opens a new connection then needs more infos */
56590Sshin	if ((sep->se_family == AF_INET6) &&
56590Sshin	    (strcmp(sep->se_proto, "udp") == 0) &&
56590Sshin	    (sep->se_accept == 0) &&
121559Sume	    (setsockopt(sep->se_fd, IPPROTO_IPV6, IPV6_RECVPKTINFO,
56590Sshin			(char *)&on, sizeof (on)) < 0))
56590Sshin		syslog(LOG_ERR, "setsockopt (IPV6_RECVPKTINFO): %m");
58935Sume	if (sep->se_family == AF_INET6) {
58935Sume		int flag = sep->se_nomapped ? 1 : 0;
100505Sume		if (setsockopt(sep->se_fd, IPPROTO_IPV6, IPV6_V6ONLY,
58935Sume			       (char *)&flag, sizeof (flag)) < 0)
100505Sume			syslog(LOG_ERR, "setsockopt (IPV6_V6ONLY): %m");
58935Sume	}
1553Srgrimes#undef turnon
36042Sguido	if (sep->se_type == TTCP_TYPE)
36042Sguido		if (setsockopt(sep->se_fd, IPPROTO_TCP, TCP_NOPUSH,
36042Sguido		    (char *)&on, sizeof (on)) < 0)
36042Sguido			syslog(LOG_ERR, "setsockopt (TCP_NOPUSH): %m");
56590Sshin#ifdef IPV6_FAITH
56590Sshin	if (sep->se_type == FAITH_TYPE) {
56590Sshin		if (setsockopt(sep->se_fd, IPPROTO_IPV6, IPV6_FAITH, &on,
56590Sshin				sizeof(on)) < 0) {
56590Sshin			syslog(LOG_ERR, "setsockopt (IPV6_FAITH): %m");
56590Sshin		}
56590Sshin	}
56590Sshin#endif
56590Sshin#ifdef IPSEC
56590Sshin	ipsecsetup(sep);
56590Sshin#endif
78356Sdwmalone	if (sep->se_family == AF_UNIX) {
78356Sdwmalone		(void) unlink(sep->se_ctrladdr_un.sun_path);
78356Sdwmalone		umask(0777); /* Make socket with conservative permissions */
78356Sdwmalone	}
1553Srgrimes	if (bind(sep->se_fd, (struct sockaddr *)&sep->se_ctrladdr,
56590Sshin	    sep->se_ctrladdr_size) < 0) {
1553Srgrimes		if (debug)
29602Scharnier			warn("bind failed on %s/%s",
29602Scharnier				sep->se_service, sep->se_proto);
1553Srgrimes		syslog(LOG_ERR, "%s/%s: bind: %m",
1553Srgrimes		    sep->se_service, sep->se_proto);
1553Srgrimes		(void) close(sep->se_fd);
1553Srgrimes		sep->se_fd = -1;
1553Srgrimes		if (!timingout) {
1553Srgrimes			timingout = 1;
1553Srgrimes			alarm(RETRYTIME);
1553Srgrimes		}
78356Sdwmalone		if (sep->se_family == AF_UNIX)
78356Sdwmalone			umask(mask);
1553Srgrimes		return;
1553Srgrimes	}
78356Sdwmalone	if (sep->se_family == AF_UNIX) {
78356Sdwmalone		/* Ick - fch{own,mod} don't work on Unix domain sockets */
78356Sdwmalone		if (chown(sep->se_service, sep->se_sockuid, sep->se_sockgid) < 0)
78356Sdwmalone			syslog(LOG_ERR, "chown socket: %m");
78356Sdwmalone		if (chmod(sep->se_service, sep->se_sockmode) < 0)
78356Sdwmalone			syslog(LOG_ERR, "chmod socket: %m");
78356Sdwmalone		umask(mask);
78356Sdwmalone	}
2657Scsgr        if (sep->se_rpc) {
78694Sdwmalone		u_int i;
71399Sdwmalone		socklen_t len = sep->se_ctrladdr_size;
100127Salfred		struct netconfig *netid, *netid2 = NULL;
100127Salfred		struct sockaddr_in sock;
100127Salfred		struct netbuf nbuf, nbuf2;
2657Scsgr
8857Srgrimes                if (getsockname(sep->se_fd,
2657Scsgr				(struct sockaddr*)&sep->se_ctrladdr, &len) < 0){
2657Scsgr                        syslog(LOG_ERR, "%s/%s: getsockname: %m",
2657Scsgr                               sep->se_service, sep->se_proto);
2657Scsgr                        (void) close(sep->se_fd);
2657Scsgr                        sep->se_fd = -1;
8857Srgrimes                        return;
2657Scsgr                }
100127Salfred		nbuf.buf = &sep->se_ctrladdr;
100127Salfred		nbuf.len = sep->se_ctrladdr.sa_len;
100127Salfred		if (sep->se_family == AF_INET)
100127Salfred			netid = sep->se_socktype==SOCK_DGRAM? udpconf:tcpconf;
100127Salfred		else  {
100127Salfred			netid = sep->se_socktype==SOCK_DGRAM? udp6conf:tcp6conf;
100127Salfred			if (!sep->se_nomapped) { /* INET and INET6 */
100127Salfred				netid2 = netid==udp6conf? udpconf:tcpconf;
100127Salfred				memset(&sock, 0, sizeof sock);	/* ADDR_ANY */
100127Salfred				nbuf2.buf = &sock;
100127Salfred				nbuf2.len = sock.sin_len = sizeof sock;
100127Salfred				sock.sin_family = AF_INET;
100127Salfred				sock.sin_port = sep->se_ctrladdr6.sin6_port;
100127Salfred			}
100127Salfred		}
2657Scsgr                if (debug)
2657Scsgr                        print_service("REG ", sep);
2657Scsgr                for (i = sep->se_rpc_lowvers; i <= sep->se_rpc_highvers; i++) {
100127Salfred			rpcb_unset(sep->se_rpc_prog, i, netid);
100127Salfred			rpcb_set(sep->se_rpc_prog, i, netid, &nbuf);
100127Salfred			if (netid2) {
100127Salfred				rpcb_unset(sep->se_rpc_prog, i, netid2);
100127Salfred				rpcb_set(sep->se_rpc_prog, i, netid2, &nbuf2);
100127Salfred			}
2657Scsgr                }
2657Scsgr        }
1553Srgrimes	if (sep->se_socktype == SOCK_STREAM)
17197Sdg		listen(sep->se_fd, 64);
19618Sjulian	enable(sep);
1553Srgrimes	if (debug) {
29602Scharnier		warnx("registered %s on %d",
1553Srgrimes			sep->se_server, sep->se_fd);
1553Srgrimes	}
1553Srgrimes}
1553Srgrimes
56590Sshin#ifdef IPSEC
56590Sshinvoid
56590Sshinipsecsetup(sep)
56590Sshin	struct servtab *sep;
56590Sshin{
56590Sshin	char *buf;
56590Sshin	char *policy_in = NULL;
56590Sshin	char *policy_out = NULL;
56590Sshin	int level;
56590Sshin	int opt;
56590Sshin
56590Sshin	switch (sep->se_family) {
56590Sshin	case AF_INET:
56590Sshin		level = IPPROTO_IP;
56590Sshin		opt = IP_IPSEC_POLICY;
56590Sshin		break;
56590Sshin#ifdef INET6
56590Sshin	case AF_INET6:
56590Sshin		level = IPPROTO_IPV6;
56590Sshin		opt = IPV6_IPSEC_POLICY;
56590Sshin		break;
56590Sshin#endif
56590Sshin	default:
56590Sshin		return;
56590Sshin	}
56590Sshin
56590Sshin	if (!sep->se_policy || sep->se_policy[0] == '\0') {
78694Sdwmalone		static char def_in[] = "in entrust", def_out[] = "out entrust";
78694Sdwmalone		policy_in = def_in;
78694Sdwmalone		policy_out = def_out;
56590Sshin	} else {
56590Sshin		if (!strncmp("in", sep->se_policy, 2))
56590Sshin			policy_in = sep->se_policy;
56590Sshin		else if (!strncmp("out", sep->se_policy, 3))
56590Sshin			policy_out = sep->se_policy;
56590Sshin		else {
56590Sshin			syslog(LOG_ERR, "invalid security policy \"%s\"",
56590Sshin				sep->se_policy);
56590Sshin			return;
56590Sshin		}
56590Sshin	}
56590Sshin
56590Sshin	if (policy_in != NULL) {
56590Sshin		buf = ipsec_set_policy(policy_in, strlen(policy_in));
56590Sshin		if (buf != NULL) {
56590Sshin			if (setsockopt(sep->se_fd, level, opt,
56675Sshin					buf, ipsec_get_policylen(buf)) < 0 &&
56759Sshin			    debug != 0)
56759Sshin				warnx("%s/%s: ipsec initialization failed; %s",
56759Sshin				      sep->se_service, sep->se_proto,
56759Sshin				      policy_in);
56590Sshin			free(buf);
56590Sshin		} else
56590Sshin			syslog(LOG_ERR, "invalid security policy \"%s\"",
56590Sshin				policy_in);
56590Sshin	}
56590Sshin	if (policy_out != NULL) {
56590Sshin		buf = ipsec_set_policy(policy_out, strlen(policy_out));
56590Sshin		if (buf != NULL) {
56590Sshin			if (setsockopt(sep->se_fd, level, opt,
56675Sshin					buf, ipsec_get_policylen(buf)) < 0 &&
56759Sshin			    debug != 0)
56759Sshin				warnx("%s/%s: ipsec initialization failed; %s",
56759Sshin				      sep->se_service, sep->se_proto,
56759Sshin				      policy_out);
56590Sshin			free(buf);
56590Sshin		} else
56590Sshin			syslog(LOG_ERR, "invalid security policy \"%s\"",
56590Sshin				policy_out);
56590Sshin	}
56590Sshin}
56590Sshin#endif
56590Sshin
1553Srgrimes/*
1553Srgrimes * Finish with a service and its socket.
1553Srgrimes */
1553Srgrimesvoid
98558Sjmallettclose_sep(struct servtab *sep)
1553Srgrimes{
1553Srgrimes	if (sep->se_fd >= 0) {
19618Sjulian		if (FD_ISSET(sep->se_fd, &allsock))
19618Sjulian			disable(sep);
1553Srgrimes		(void) close(sep->se_fd);
1553Srgrimes		sep->se_fd = -1;
1553Srgrimes	}
1553Srgrimes	sep->se_count = 0;
19618Sjulian	sep->se_numchild = 0;	/* forget about any existing children */
1553Srgrimes}
1553Srgrimes
48467Ssheldonhint
98558Sjmallettmatchservent(const char *name1, const char *name2, const char *proto)
48467Ssheldonh{
78356Sdwmalone	char **alias, *p;
48467Ssheldonh	struct servent *se;
48467Ssheldonh
78356Sdwmalone	if (strcmp(proto, "unix") == 0) {
78356Sdwmalone		if ((p = strrchr(name1, '/')) != NULL)
78356Sdwmalone			name1 = p + 1;
78356Sdwmalone		if ((p = strrchr(name2, '/')) != NULL)
78356Sdwmalone			name2 = p + 1;
78356Sdwmalone	}
49026Sdes	if (strcmp(name1, name2) == 0)
49026Sdes		return(1);
48467Ssheldonh	if ((se = getservbyname(name1, proto)) != NULL) {
48467Ssheldonh		if (strcmp(name2, se->s_name) == 0)
48467Ssheldonh			return(1);
48467Ssheldonh		for (alias = se->s_aliases; *alias; alias++)
48467Ssheldonh			if (strcmp(name2, *alias) == 0)
48467Ssheldonh				return(1);
48467Ssheldonh	}
48467Ssheldonh	return(0);
48467Ssheldonh}
48467Ssheldonh
1553Srgrimesstruct servtab *
98558Sjmallettenter(struct servtab *cp)
1553Srgrimes{
1553Srgrimes	struct servtab *sep;
42122Sdes	long omask;
1553Srgrimes
1553Srgrimes	sep = (struct servtab *)malloc(sizeof (*sep));
1553Srgrimes	if (sep == (struct servtab *)0) {
49102Ssheldonh		syslog(LOG_ERR, "malloc: %m");
19617Sjulian		exit(EX_OSERR);
1553Srgrimes	}
1553Srgrimes	*sep = *cp;
1553Srgrimes	sep->se_fd = -1;
42122Sdes	omask = sigblock(SIGBLOCK);
1553Srgrimes	sep->se_next = servtab;
1553Srgrimes	servtab = sep;
42122Sdes	sigsetmask(omask);
1553Srgrimes	return (sep);
1553Srgrimes}
1553Srgrimes
19618Sjulianvoid
98558Sjmallettenable(struct servtab *sep)
19618Sjulian{
19618Sjulian	if (debug)
29602Scharnier		warnx(
19618Sjulian		    "enabling %s, fd %d", sep->se_service, sep->se_fd);
19618Sjulian#ifdef SANITY_CHECK
19618Sjulian	if (sep->se_fd < 0) {
19618Sjulian		syslog(LOG_ERR,
19618Sjulian		    "%s: %s: bad fd", __FUNCTION__, sep->se_service);
19618Sjulian		exit(EX_SOFTWARE);
19618Sjulian	}
19618Sjulian	if (ISMUX(sep)) {
19618Sjulian		syslog(LOG_ERR,
19618Sjulian		    "%s: %s: is mux", __FUNCTION__, sep->se_service);
19618Sjulian		exit(EX_SOFTWARE);
19618Sjulian	}
19618Sjulian	if (FD_ISSET(sep->se_fd, &allsock)) {
19618Sjulian		syslog(LOG_ERR,
19618Sjulian		    "%s: %s: not off", __FUNCTION__, sep->se_service);
19618Sjulian		exit(EX_SOFTWARE);
19618Sjulian	}
48991Ssheldonh	nsock++;
19618Sjulian#endif
19618Sjulian	FD_SET(sep->se_fd, &allsock);
19618Sjulian	if (sep->se_fd > maxsock)
19618Sjulian		maxsock = sep->se_fd;
19618Sjulian}
19618Sjulian
19618Sjulianvoid
98558Sjmallettdisable(struct servtab *sep)
19618Sjulian{
19618Sjulian	if (debug)
29602Scharnier		warnx(
19618Sjulian		    "disabling %s, fd %d", sep->se_service, sep->se_fd);
19618Sjulian#ifdef SANITY_CHECK
19618Sjulian	if (sep->se_fd < 0) {
19618Sjulian		syslog(LOG_ERR,
19618Sjulian		    "%s: %s: bad fd", __FUNCTION__, sep->se_service);
19618Sjulian		exit(EX_SOFTWARE);
19618Sjulian	}
19618Sjulian	if (ISMUX(sep)) {
19618Sjulian		syslog(LOG_ERR,
19618Sjulian		    "%s: %s: is mux", __FUNCTION__, sep->se_service);
19618Sjulian		exit(EX_SOFTWARE);
19618Sjulian	}
19618Sjulian	if (!FD_ISSET(sep->se_fd, &allsock)) {
19618Sjulian		syslog(LOG_ERR,
19618Sjulian		    "%s: %s: not on", __FUNCTION__, sep->se_service);
19618Sjulian		exit(EX_SOFTWARE);
19618Sjulian	}
19618Sjulian	if (nsock == 0) {
19618Sjulian		syslog(LOG_ERR, "%s: nsock=0", __FUNCTION__);
19618Sjulian		exit(EX_SOFTWARE);
19618Sjulian	}
48991Ssheldonh	nsock--;
19618Sjulian#endif
19618Sjulian	FD_CLR(sep->se_fd, &allsock);
19618Sjulian	if (sep->se_fd == maxsock)
19618Sjulian		maxsock--;
19618Sjulian}
19618Sjulian
1553SrgrimesFILE	*fconfig = NULL;
1553Srgrimesstruct	servtab serv;
1553Srgrimeschar	line[LINE_MAX];
1553Srgrimes
1553Srgrimesint
98558Sjmallettsetconfig(void)
1553Srgrimes{
1553Srgrimes
1553Srgrimes	if (fconfig != NULL) {
1553Srgrimes		fseek(fconfig, 0L, SEEK_SET);
1553Srgrimes		return (1);
1553Srgrimes	}
1553Srgrimes	fconfig = fopen(CONFIG, "r");
1553Srgrimes	return (fconfig != NULL);
1553Srgrimes}
1553Srgrimes
1553Srgrimesvoid
98558Sjmallettendconfig(void)
1553Srgrimes{
1553Srgrimes	if (fconfig) {
1553Srgrimes		(void) fclose(fconfig);
1553Srgrimes		fconfig = NULL;
1553Srgrimes	}
1553Srgrimes}
1553Srgrimes
1553Srgrimesstruct servtab *
98558Sjmallettgetconfigent(void)
1553Srgrimes{
1553Srgrimes	struct servtab *sep = &serv;
1553Srgrimes	int argc;
19618Sjulian	char *cp, *arg, *s;
2657Scsgr	char *versp;
1553Srgrimes	static char TCPMUX_TOKEN[] = "tcpmux/";
1553Srgrimes#define MUX_LEN		(sizeof(TCPMUX_TOKEN)-1)
56590Sshin#ifdef IPSEC
102861Sdwmalone	char *policy;
56590Sshin#endif
102861Sdwmalone	int v4bind;
56590Sshin#ifdef INET6
102861Sdwmalone	int v6bind;
56590Sshin#endif
101474Sume	int i;
1553Srgrimes
102861Sdwmalone#ifdef IPSEC
102861Sdwmalone	policy = NULL;
102861Sdwmalone#endif
1553Srgrimesmore:
102861Sdwmalone	v4bind = 0;
102861Sdwmalone#ifdef INET6
102861Sdwmalone	v6bind = 0;
102861Sdwmalone#endif
56590Sshin	while ((cp = nextline(fconfig)) != NULL) {
56590Sshin#ifdef IPSEC
56590Sshin		/* lines starting with #@ is not a comment, but the policy */
56590Sshin		if (cp[0] == '#' && cp[1] == '@') {
56590Sshin			char *p;
56590Sshin			for (p = cp + 2; p && *p && isspace(*p); p++)
56590Sshin				;
56590Sshin			if (*p == '\0') {
56590Sshin				if (policy)
56590Sshin					free(policy);
56590Sshin				policy = NULL;
56590Sshin			} else if (ipsec_get_policylen(p) >= 0) {
56590Sshin				if (policy)
56590Sshin					free(policy);
56590Sshin				policy = newstr(p);
56590Sshin			} else {
56590Sshin				syslog(LOG_ERR,
56590Sshin					"%s: invalid ipsec policy \"%s\"",
56590Sshin					CONFIG, p);
56590Sshin				exit(EX_CONFIG);
56590Sshin			}
56590Sshin		}
56590Sshin#endif
56590Sshin		if (*cp == '#' || *cp == '\0')
56590Sshin			continue;
56590Sshin		break;
56590Sshin	}
1553Srgrimes	if (cp == NULL)
1553Srgrimes		return ((struct servtab *)0);
1553Srgrimes	/*
1553Srgrimes	 * clear the static buffer, since some fields (se_ctrladdr,
1553Srgrimes	 * for example) don't get initialized here.
1553Srgrimes	 */
71399Sdwmalone	memset(sep, 0, sizeof *sep);
1553Srgrimes	arg = skip(&cp);
1553Srgrimes	if (cp == NULL) {
1553Srgrimes		/* got an empty line containing just blanks/tabs. */
1553Srgrimes		goto more;
1553Srgrimes	}
78356Sdwmalone	if (arg[0] == ':') { /* :user:group:perm: */
78356Sdwmalone		char *user, *group, *perm;
78356Sdwmalone		struct passwd *pw;
78356Sdwmalone		struct group *gr;
78356Sdwmalone		user = arg+1;
78356Sdwmalone		if ((group = strchr(user, ':')) == NULL) {
78356Sdwmalone			syslog(LOG_ERR, "no group after user '%s'", user);
78356Sdwmalone			goto more;
78356Sdwmalone		}
78356Sdwmalone		*group++ = '\0';
78356Sdwmalone		if ((perm = strchr(group, ':')) == NULL) {
78356Sdwmalone			syslog(LOG_ERR, "no mode after group '%s'", group);
78356Sdwmalone			goto more;
78356Sdwmalone		}
78356Sdwmalone		*perm++ = '\0';
78356Sdwmalone		if ((pw = getpwnam(user)) == NULL) {
78356Sdwmalone			syslog(LOG_ERR, "no such user '%s'", user);
78356Sdwmalone			goto more;
78356Sdwmalone		}
78356Sdwmalone		sep->se_sockuid = pw->pw_uid;
78356Sdwmalone		if ((gr = getgrnam(group)) == NULL) {
78356Sdwmalone			syslog(LOG_ERR, "no such user '%s'", group);
78356Sdwmalone			goto more;
78356Sdwmalone		}
78356Sdwmalone		sep->se_sockgid = gr->gr_gid;
78356Sdwmalone		sep->se_sockmode = strtol(perm, &arg, 8);
78356Sdwmalone		if (*arg != ':') {
78356Sdwmalone			syslog(LOG_ERR, "bad mode '%s'", perm);
78356Sdwmalone			goto more;
78356Sdwmalone		}
78356Sdwmalone		*arg++ = '\0';
78356Sdwmalone	} else {
78356Sdwmalone		sep->se_sockuid = euid;
78356Sdwmalone		sep->se_sockgid = egid;
78356Sdwmalone		sep->se_sockmode = 0200;
78356Sdwmalone	}
1553Srgrimes	if (strncmp(arg, TCPMUX_TOKEN, MUX_LEN) == 0) {
1553Srgrimes		char *c = arg + MUX_LEN;
1553Srgrimes		if (*c == '+') {
1553Srgrimes			sep->se_type = MUXPLUS_TYPE;
1553Srgrimes			c++;
1553Srgrimes		} else
1553Srgrimes			sep->se_type = MUX_TYPE;
1553Srgrimes		sep->se_service = newstr(c);
1553Srgrimes	} else {
1553Srgrimes		sep->se_service = newstr(arg);
1553Srgrimes		sep->se_type = NORM_TYPE;
1553Srgrimes	}
1553Srgrimes	arg = sskip(&cp);
1553Srgrimes	if (strcmp(arg, "stream") == 0)
1553Srgrimes		sep->se_socktype = SOCK_STREAM;
1553Srgrimes	else if (strcmp(arg, "dgram") == 0)
1553Srgrimes		sep->se_socktype = SOCK_DGRAM;
1553Srgrimes	else if (strcmp(arg, "rdm") == 0)
1553Srgrimes		sep->se_socktype = SOCK_RDM;
1553Srgrimes	else if (strcmp(arg, "seqpacket") == 0)
1553Srgrimes		sep->se_socktype = SOCK_SEQPACKET;
1553Srgrimes	else if (strcmp(arg, "raw") == 0)
1553Srgrimes		sep->se_socktype = SOCK_RAW;
1553Srgrimes	else
1553Srgrimes		sep->se_socktype = -1;
36042Sguido
36042Sguido	arg = sskip(&cp);
56590Sshin	if (strncmp(arg, "tcp", 3) == 0) {
56590Sshin		sep->se_proto = newstr(strsep(&arg, "/"));
56590Sshin		if (arg != NULL) {
56590Sshin			if (strcmp(arg, "ttcp") == 0)
56590Sshin				sep->se_type = TTCP_TYPE;
56590Sshin			else if (strcmp(arg, "faith") == 0)
56590Sshin				sep->se_type = FAITH_TYPE;
56590Sshin		}
77518Sume	} else {
77518Sume		if (sep->se_type == NORM_TYPE &&
77518Sume		    strncmp(arg, "faith/", 6) == 0) {
77518Sume			arg += 6;
77518Sume			sep->se_type = FAITH_TYPE;
77518Sume		}
36042Sguido		sep->se_proto = newstr(arg);
77518Sume	}
2657Scsgr        if (strncmp(sep->se_proto, "rpc/", 4) == 0) {
19237Sjoerg                memmove(sep->se_proto, sep->se_proto + 4,
19237Sjoerg                    strlen(sep->se_proto) + 1 - 4);
2657Scsgr                sep->se_rpc = 1;
2657Scsgr                sep->se_rpc_prog = sep->se_rpc_lowvers =
2657Scsgr			sep->se_rpc_lowvers = 0;
56590Sshin		memcpy(&sep->se_ctrladdr4, bind_sa4,
56590Sshin		       sizeof(sep->se_ctrladdr4));
2657Scsgr                if ((versp = rindex(sep->se_service, '/'))) {
2657Scsgr                        *versp++ = '\0';
102859Sdwmalone                        switch (sscanf(versp, "%u-%u",
2657Scsgr                                       &sep->se_rpc_lowvers,
2657Scsgr                                       &sep->se_rpc_highvers)) {
2657Scsgr                        case 2:
2657Scsgr                                break;
2657Scsgr                        case 1:
2657Scsgr                                sep->se_rpc_highvers =
2657Scsgr                                        sep->se_rpc_lowvers;
2657Scsgr                                break;
2657Scsgr                        default:
8857Srgrimes                                syslog(LOG_ERR,
52219Scharnier					"bad RPC version specifier; %s",
2657Scsgr					sep->se_service);
2657Scsgr                                freeconfig(sep);
2657Scsgr                                goto more;
2657Scsgr                        }
2657Scsgr                }
2657Scsgr                else {
2657Scsgr                        sep->se_rpc_lowvers =
2657Scsgr                                sep->se_rpc_highvers = 1;
2657Scsgr                }
2657Scsgr        }
56590Sshin	sep->se_nomapped = 0;
78356Sdwmalone	if (strcmp(sep->se_proto, "unix") == 0) {
78356Sdwmalone	        sep->se_family = AF_UNIX;
102937Sdwmalone	} else {
102937Sdwmalone		while (isdigit(sep->se_proto[strlen(sep->se_proto) - 1])) {
56590Sshin#ifdef INET6
102937Sdwmalone			if (sep->se_proto[strlen(sep->se_proto) - 1] == '6') {
102937Sdwmalone				sep->se_proto[strlen(sep->se_proto) - 1] = '\0';
102937Sdwmalone				v6bind = 1;
102937Sdwmalone				continue;
102937Sdwmalone			}
102937Sdwmalone#endif
102937Sdwmalone			if (sep->se_proto[strlen(sep->se_proto) - 1] == '4') {
102937Sdwmalone				sep->se_proto[strlen(sep->se_proto) - 1] = '\0';
102937Sdwmalone				v4bind = 1;
102937Sdwmalone				continue;
102937Sdwmalone			}
102937Sdwmalone			/* illegal version num */
102937Sdwmalone			syslog(LOG_ERR,	"bad IP version for %s", sep->se_proto);
100127Salfred			freeconfig(sep);
100127Salfred			goto more;
100127Salfred		}
102937Sdwmalone#ifdef INET6
102938Sdwmalone		if (v6bind && !v6bind_ok) {
102937Sdwmalone			syslog(LOG_INFO, "IPv6 bind is ignored for %s",
56590Sshin			       sep->se_service);
102938Sdwmalone			if (v4bind && v4bind_ok)
102937Sdwmalone				v6bind = 0;
102937Sdwmalone			else {
102937Sdwmalone				freeconfig(sep);
102937Sdwmalone				goto more;
102937Sdwmalone			}
56590Sshin		}
102938Sdwmalone		if (v6bind) {
102937Sdwmalone			sep->se_family = AF_INET6;
102938Sdwmalone			if (!v4bind || !v4bind_ok)
102937Sdwmalone				sep->se_nomapped = 1;
102937Sdwmalone		} else
102937Sdwmalone#endif
102937Sdwmalone		{ /* default to v4 bind if not v6 bind */
102938Sdwmalone			if (!v4bind_ok) {
102937Sdwmalone				syslog(LOG_NOTICE, "IPv4 bind is ignored for %s",
102937Sdwmalone				       sep->se_service);
102937Sdwmalone				freeconfig(sep);
102937Sdwmalone				goto more;
102937Sdwmalone			}
102937Sdwmalone			sep->se_family = AF_INET;
102937Sdwmalone		}
56590Sshin	}
56590Sshin	/* init ctladdr */
56590Sshin	switch(sep->se_family) {
56590Sshin	case AF_INET:
56590Sshin		memcpy(&sep->se_ctrladdr4, bind_sa4,
56590Sshin		       sizeof(sep->se_ctrladdr4));
56590Sshin		sep->se_ctrladdr_size =	sizeof(sep->se_ctrladdr4);
56590Sshin		break;
56590Sshin#ifdef INET6
56590Sshin	case AF_INET6:
56590Sshin		memcpy(&sep->se_ctrladdr6, bind_sa6,
56590Sshin		       sizeof(sep->se_ctrladdr6));
56590Sshin		sep->se_ctrladdr_size =	sizeof(sep->se_ctrladdr6);
56590Sshin		break;
56590Sshin#endif
78356Sdwmalone	case AF_UNIX:
78356Sdwmalone		if (strlen(sep->se_service) >= sizeof(sep->se_ctrladdr_un.sun_path)) {
78356Sdwmalone			syslog(LOG_ERR,
78356Sdwmalone			    "domain socket pathname too long for service %s",
78356Sdwmalone			    sep->se_service);
78356Sdwmalone			goto more;
78356Sdwmalone		}
78356Sdwmalone		memset(&sep->se_ctrladdr, 0, sizeof(sep->se_ctrladdr));
78356Sdwmalone		sep->se_ctrladdr_un.sun_family = sep->se_family;
78356Sdwmalone		sep->se_ctrladdr_un.sun_len = strlen(sep->se_service);
78356Sdwmalone		strcpy(sep->se_ctrladdr_un.sun_path, sep->se_service);
78356Sdwmalone		sep->se_ctrladdr_size = SUN_LEN(&sep->se_ctrladdr_un);
56590Sshin	}
1553Srgrimes	arg = sskip(&cp);
19618Sjulian	if (!strncmp(arg, "wait", 4))
19618Sjulian		sep->se_accept = 0;
19618Sjulian	else if (!strncmp(arg, "nowait", 6))
19618Sjulian		sep->se_accept = 1;
19618Sjulian	else {
19618Sjulian		syslog(LOG_ERR,
19618Sjulian			"%s: bad wait/nowait for service %s",
19618Sjulian			CONFIG, sep->se_service);
19618Sjulian		goto more;
19618Sjulian	}
48069Ssheldonh	sep->se_maxchild = -1;
48069Ssheldonh	sep->se_maxcpm = -1;
101474Sume	sep->se_maxperip = -1;
19618Sjulian	if ((s = strchr(arg, '/')) != NULL) {
19618Sjulian		char *eptr;
19618Sjulian		u_long val;
19618Sjulian
19618Sjulian		val = strtoul(s + 1, &eptr, 10);
30847Sdima		if (eptr == s + 1 || val > MAX_MAXCHLD) {
19618Sjulian			syslog(LOG_ERR,
19618Sjulian				"%s: bad max-child for service %s",
19618Sjulian				CONFIG, sep->se_service);
19618Sjulian			goto more;
19618Sjulian		}
48069Ssheldonh		if (debug)
48069Ssheldonh			if (!sep->se_accept && val != 1)
48069Ssheldonh				warnx("maxchild=%lu for wait service %s"
48069Ssheldonh				    " not recommended", val, sep->se_service);
19618Sjulian		sep->se_maxchild = val;
30847Sdima		if (*eptr == '/')
30847Sdima			sep->se_maxcpm = strtol(eptr + 1, &eptr, 10);
101474Sume		if (*eptr == '/')
101474Sume			sep->se_maxperip = strtol(eptr + 1, &eptr, 10);
30847Sdima		/*
30847Sdima		 * explicitly do not check for \0 for future expansion /
30847Sdima		 * backwards compatibility
30847Sdima		 */
19618Sjulian	}
1553Srgrimes	if (ISMUX(sep)) {
1553Srgrimes		/*
19618Sjulian		 * Silently enforce "nowait" mode for TCPMUX services
19618Sjulian		 * since they don't have an assigned port to listen on.
1553Srgrimes		 */
19618Sjulian		sep->se_accept = 1;
1553Srgrimes		if (strcmp(sep->se_proto, "tcp")) {
8857Srgrimes			syslog(LOG_ERR,
1553Srgrimes				"%s: bad protocol for tcpmux service %s",
1553Srgrimes				CONFIG, sep->se_service);
1553Srgrimes			goto more;
1553Srgrimes		}
1553Srgrimes		if (sep->se_socktype != SOCK_STREAM) {
8857Srgrimes			syslog(LOG_ERR,
1553Srgrimes				"%s: bad socket type for tcpmux service %s",
1553Srgrimes				CONFIG, sep->se_service);
1553Srgrimes			goto more;
1553Srgrimes		}
1553Srgrimes	}
1553Srgrimes	sep->se_user = newstr(sskip(&cp));
30792Sache#ifdef LOGIN_CAP
30792Sache	if ((s = strrchr(sep->se_user, '/')) != NULL) {
30792Sache		*s = '\0';
30792Sache		sep->se_class = newstr(s + 1);
30792Sache	} else
30792Sache		sep->se_class = newstr(RESOURCE_RC);
30792Sache#endif
30807Sache	if ((s = strrchr(sep->se_user, ':')) != NULL) {
30807Sache		*s = '\0';
30807Sache		sep->se_group = newstr(s + 1);
30807Sache	} else
30807Sache		sep->se_group = NULL;
1553Srgrimes	sep->se_server = newstr(sskip(&cp));
45588Smarkm	if ((sep->se_server_name = rindex(sep->se_server, '/')))
45588Smarkm		sep->se_server_name++;
1553Srgrimes	if (strcmp(sep->se_server, "internal") == 0) {
1553Srgrimes		struct biltin *bi;
1553Srgrimes
1553Srgrimes		for (bi = biltins; bi->bi_service; bi++)
49026Sdes			if (bi->bi_socktype == sep->se_socktype &&
48467Ssheldonh			    matchservent(bi->bi_service, sep->se_service,
48467Ssheldonh			    sep->se_proto))
1553Srgrimes				break;
1553Srgrimes		if (bi->bi_service == 0) {
1553Srgrimes			syslog(LOG_ERR, "internal service %s unknown",
1553Srgrimes				sep->se_service);
1553Srgrimes			goto more;
1553Srgrimes		}
19618Sjulian		sep->se_accept = 1;	/* force accept mode for built-ins */
1553Srgrimes		sep->se_bi = bi;
1553Srgrimes	} else
1553Srgrimes		sep->se_bi = NULL;
101474Sume	if (sep->se_maxperip < 0)
101474Sume		sep->se_maxperip = maxperip;
48069Ssheldonh	if (sep->se_maxcpm < 0)
48069Ssheldonh		sep->se_maxcpm = maxcpm;
45588Smarkm	if (sep->se_maxchild < 0) {	/* apply default max-children */
48069Ssheldonh		if (sep->se_bi && sep->se_bi->bi_maxchild >= 0)
19618Sjulian			sep->se_maxchild = sep->se_bi->bi_maxchild;
48069Ssheldonh		else if (sep->se_accept)
48069Ssheldonh			sep->se_maxchild = maxchild > 0 ? maxchild : 0;
19618Sjulian		else
48069Ssheldonh			sep->se_maxchild = 1;
45588Smarkm	}
64197Sdwmalone	if (sep->se_maxchild > 0) {
19618Sjulian		sep->se_pids = malloc(sep->se_maxchild * sizeof(*sep->se_pids));
19618Sjulian		if (sep->se_pids == NULL) {
49102Ssheldonh			syslog(LOG_ERR, "malloc: %m");
19618Sjulian			exit(EX_OSERR);
19618Sjulian		}
19618Sjulian	}
1553Srgrimes	argc = 0;
1553Srgrimes	for (arg = skip(&cp); cp; arg = skip(&cp))
19618Sjulian		if (argc < MAXARGV) {
1553Srgrimes			sep->se_argv[argc++] = newstr(arg);
19618Sjulian		} else {
19618Sjulian			syslog(LOG_ERR,
19618Sjulian				"%s: too many arguments for service %s",
19618Sjulian				CONFIG, sep->se_service);
19618Sjulian			goto more;
19618Sjulian		}
1553Srgrimes	while (argc <= MAXARGV)
1553Srgrimes		sep->se_argv[argc++] = NULL;
101474Sume	for (i = 0; i < PERIPSIZE; ++i)
101474Sume		LIST_INIT(&sep->se_conn[i]);
56590Sshin#ifdef IPSEC
56590Sshin	sep->se_policy = policy ? newstr(policy) : NULL;
56590Sshin#endif
1553Srgrimes	return (sep);
1553Srgrimes}
1553Srgrimes
1553Srgrimesvoid
98558Sjmallettfreeconfig(struct servtab *cp)
1553Srgrimes{
1553Srgrimes	int i;
1553Srgrimes
1553Srgrimes	if (cp->se_service)
1553Srgrimes		free(cp->se_service);
1553Srgrimes	if (cp->se_proto)
1553Srgrimes		free(cp->se_proto);
1553Srgrimes	if (cp->se_user)
1553Srgrimes		free(cp->se_user);
30807Sache	if (cp->se_group)
30807Sache		free(cp->se_group);
30792Sache#ifdef LOGIN_CAP
30792Sache	if (cp->se_class)
30792Sache		free(cp->se_class);
30792Sache#endif
1553Srgrimes	if (cp->se_server)
1553Srgrimes		free(cp->se_server);
19618Sjulian	if (cp->se_pids)
19618Sjulian		free(cp->se_pids);
1553Srgrimes	for (i = 0; i < MAXARGV; i++)
1553Srgrimes		if (cp->se_argv[i])
1553Srgrimes			free(cp->se_argv[i]);
101474Sume	free_connlist(cp);
56590Sshin#ifdef IPSEC
56590Sshin	if (cp->se_policy)
56590Sshin		free(cp->se_policy);
56590Sshin#endif
1553Srgrimes}
1553Srgrimes
1553Srgrimes
1553Srgrimes/*
1553Srgrimes * Safe skip - if skip returns null, log a syntax error in the
1553Srgrimes * configuration file and exit.
1553Srgrimes */
1553Srgrimeschar *
98558Sjmallettsskip(char **cpp)
1553Srgrimes{
1553Srgrimes	char *cp;
1553Srgrimes
1553Srgrimes	cp = skip(cpp);
1553Srgrimes	if (cp == NULL) {
1553Srgrimes		syslog(LOG_ERR, "%s: syntax error", CONFIG);
19617Sjulian		exit(EX_DATAERR);
1553Srgrimes	}
1553Srgrimes	return (cp);
1553Srgrimes}
1553Srgrimes
1553Srgrimeschar *
98558Sjmallettskip(char **cpp)
1553Srgrimes{
1553Srgrimes	char *cp = *cpp;
1553Srgrimes	char *start;
11933Sadam	char quote = '\0';
1553Srgrimes
1553Srgrimesagain:
1553Srgrimes	while (*cp == ' ' || *cp == '\t')
1553Srgrimes		cp++;
1553Srgrimes	if (*cp == '\0') {
1553Srgrimes		int c;
1553Srgrimes
1553Srgrimes		c = getc(fconfig);
1553Srgrimes		(void) ungetc(c, fconfig);
1553Srgrimes		if (c == ' ' || c == '\t')
19617Sjulian			if ((cp = nextline(fconfig)))
1553Srgrimes				goto again;
1553Srgrimes		*cpp = (char *)0;
1553Srgrimes		return ((char *)0);
1553Srgrimes	}
11933Sadam	if (*cp == '"' || *cp == '\'')
11933Sadam		quote = *cp++;
1553Srgrimes	start = cp;
11933Sadam	if (quote)
11933Sadam		while (*cp && *cp != quote)
11933Sadam			cp++;
11933Sadam	else
11933Sadam		while (*cp && *cp != ' ' && *cp != '\t')
11933Sadam			cp++;
1553Srgrimes	if (*cp != '\0')
1553Srgrimes		*cp++ = '\0';
1553Srgrimes	*cpp = cp;
1553Srgrimes	return (start);
1553Srgrimes}
1553Srgrimes
1553Srgrimeschar *
98558Sjmallettnextline(FILE *fd)
1553Srgrimes{
1553Srgrimes	char *cp;
1553Srgrimes
1553Srgrimes	if (fgets(line, sizeof (line), fd) == NULL)
1553Srgrimes		return ((char *)0);
1553Srgrimes	cp = strchr(line, '\n');
1553Srgrimes	if (cp)
1553Srgrimes		*cp = '\0';
1553Srgrimes	return (line);
1553Srgrimes}
1553Srgrimes
1553Srgrimeschar *
98558Sjmallettnewstr(const char *cp)
1553Srgrimes{
78694Sdwmalone	char *cr;
78694Sdwmalone
78694Sdwmalone	if ((cr = strdup(cp != NULL ? cp : "")))
78694Sdwmalone		return (cr);
1553Srgrimes	syslog(LOG_ERR, "strdup: %m");
19617Sjulian	exit(EX_OSERR);
1553Srgrimes}
1553Srgrimes
1553Srgrimesvoid
98558Sjmallettinetd_setproctitle(const char *a, int s)
1553Srgrimes{
71399Sdwmalone	socklen_t size;
56590Sshin	struct sockaddr_storage ss;
56590Sshin	char buf[80], pbuf[INET6_ADDRSTRLEN];
1553Srgrimes
56590Sshin	size = sizeof(ss);
56590Sshin	if (getpeername(s, (struct sockaddr *)&ss, &size) == 0) {
56590Sshin		getnameinfo((struct sockaddr *)&ss, size, pbuf, sizeof(pbuf),
56590Sshin			    NULL, 0, NI_NUMERICHOST|NI_WITHSCOPEID);
56590Sshin		(void) sprintf(buf, "%s [%s]", a, pbuf);
56590Sshin	} else
13142Speter		(void) sprintf(buf, "%s", a);
13142Speter	setproctitle("%s", buf);
13142Speter}
13142Speter
78694Sdwmaloneint
98558Sjmallettcheck_loop(const struct sockaddr *sa, const struct servtab *sep)
5182Swollman{
5182Swollman	struct servtab *se2;
56590Sshin	char pname[INET6_ADDRSTRLEN];
5182Swollman
5182Swollman	for (se2 = servtab; se2; se2 = se2->se_next) {
5182Swollman		if (!se2->se_bi || se2->se_socktype != SOCK_DGRAM)
5182Swollman			continue;
5182Swollman
56590Sshin		switch (se2->se_family) {
56590Sshin		case AF_INET:
78694Sdwmalone			if (((const struct sockaddr_in *)sa)->sin_port ==
56590Sshin			    se2->se_ctrladdr4.sin_port)
56590Sshin				goto isloop;
56590Sshin			continue;
56590Sshin#ifdef INET6
56590Sshin		case AF_INET6:
78694Sdwmalone			if (((const struct sockaddr_in *)sa)->sin_port ==
56590Sshin			    se2->se_ctrladdr4.sin_port)
56590Sshin				goto isloop;
56590Sshin			continue;
56590Sshin#endif
56590Sshin		default:
56590Sshin			continue;
5182Swollman		}
56590Sshin	isloop:
56590Sshin		getnameinfo(sa, sa->sa_len, pname, sizeof(pname), NULL, 0,
56590Sshin			    NI_NUMERICHOST|NI_WITHSCOPEID);
56590Sshin		syslog(LOG_WARNING, "%s/%s:%s/%s loop request REFUSED from %s",
56590Sshin		       sep->se_service, sep->se_proto,
56590Sshin		       se2->se_service, se2->se_proto,
56590Sshin		       pname);
56590Sshin		return 1;
5182Swollman	}
5182Swollman	return 0;
5182Swollman}
5182Swollman
1553Srgrimes/*
1553Srgrimes * print_service:
1553Srgrimes *	Dump relevant information to stderr
1553Srgrimes */
1553Srgrimesvoid
98558Sjmallettprint_service(const char *action, const struct servtab *sep)
1553Srgrimes{
19617Sjulian	fprintf(stderr,
56590Sshin	    "%s: %s proto=%s accept=%d max=%d user=%s group=%s"
30792Sache#ifdef LOGIN_CAP
56590Sshin	    "class=%s"
30792Sache#endif
56590Sshin	    " builtin=%p server=%s"
56590Sshin#ifdef IPSEC
56590Sshin	    " policy=\"%s\""
56590Sshin#endif
56590Sshin	    "\n",
19617Sjulian	    action, sep->se_service, sep->se_proto,
30807Sache	    sep->se_accept, sep->se_maxchild, sep->se_user, sep->se_group,
30792Sache#ifdef LOGIN_CAP
30792Sache	    sep->se_class,
30792Sache#endif
56590Sshin	    (void *) sep->se_bi, sep->se_server
56590Sshin#ifdef IPSEC
56590Sshin	    , (sep->se_policy ? sep->se_policy : "")
56590Sshin#endif
56590Sshin	    );
1553Srgrimes}
1553Srgrimes
30847Sdima#define CPMHSIZE	256
30847Sdima#define CPMHMASK	(CPMHSIZE-1)
30847Sdima#define CHTGRAN		10
30847Sdima#define CHTSIZE		6
30847Sdima
30847Sdimatypedef struct CTime {
30847Sdima	unsigned long 	ct_Ticks;
30847Sdima	int		ct_Count;
30847Sdima} CTime;
30847Sdima
30847Sdimatypedef struct CHash {
56590Sshin	union {
56590Sshin		struct in_addr	c4_Addr;
56590Sshin		struct in6_addr	c6_Addr;
56590Sshin	} cu_Addr;
56590Sshin#define	ch_Addr4	cu_Addr.c4_Addr
56590Sshin#define	ch_Addr6	cu_Addr.c6_Addr
56590Sshin	int		ch_Family;
30847Sdima	time_t		ch_LTime;
30847Sdima	char		*ch_Service;
30847Sdima	CTime		ch_Times[CHTSIZE];
30847Sdima} CHash;
30847Sdima
30847SdimaCHash	CHashAry[CPMHSIZE];
30847Sdima
30847Sdimaint
98558Sjmallettcpmip(const struct servtab *sep, int ctrl)
30847Sdima{
56590Sshin	struct sockaddr_storage rss;
71399Sdwmalone	socklen_t rssLen = sizeof(rss);
30847Sdima	int r = 0;
30847Sdima
30847Sdima	/*
30847Sdima	 * If getpeername() fails, just let it through (if logging is
30847Sdima	 * enabled the condition is caught elsewhere)
30847Sdima	 */
30847Sdima
30847Sdima	if (sep->se_maxcpm > 0 &&
56590Sshin	    getpeername(ctrl, (struct sockaddr *)&rss, &rssLen) == 0 ) {
30847Sdima		time_t t = time(NULL);
30847Sdima		int hv = 0xABC3D20F;
30847Sdima		int i;
30847Sdima		int cnt = 0;
30847Sdima		CHash *chBest = NULL;
30847Sdima		unsigned int ticks = t / CHTGRAN;
78694Sdwmalone		struct sockaddr_in *sin4;
56590Sshin#ifdef INET6
56590Sshin		struct sockaddr_in6 *sin6;
56590Sshin#endif
30847Sdima
78694Sdwmalone		sin4 = (struct sockaddr_in *)&rss;
56590Sshin#ifdef INET6
56590Sshin		sin6 = (struct sockaddr_in6 *)&rss;
56590Sshin#endif
30847Sdima		{
30847Sdima			char *p;
78694Sdwmalone			int addrlen;
30847Sdima
56590Sshin			switch (rss.ss_family) {
56590Sshin			case AF_INET:
78694Sdwmalone				p = (char *)&sin4->sin_addr;
56590Sshin				addrlen = sizeof(struct in_addr);
56590Sshin				break;
56590Sshin#ifdef INET6
56590Sshin			case AF_INET6:
56590Sshin				p = (char *)&sin6->sin6_addr;
56590Sshin				addrlen = sizeof(struct in6_addr);
56590Sshin				break;
56590Sshin#endif
56590Sshin			default:
56590Sshin				/* should not happen */
56590Sshin				return -1;
56590Sshin			}
56590Sshin
56590Sshin			for (i = 0; i < addrlen; ++i, ++p) {
30847Sdima				hv = (hv << 5) ^ (hv >> 23) ^ *p;
30847Sdima			}
30847Sdima			hv = (hv ^ (hv >> 16));
30847Sdima		}
30847Sdima		for (i = 0; i < 5; ++i) {
30847Sdima			CHash *ch = &CHashAry[(hv + i) & CPMHMASK];
30847Sdima
56590Sshin			if (rss.ss_family == AF_INET &&
56590Sshin			    ch->ch_Family == AF_INET &&
78694Sdwmalone			    sin4->sin_addr.s_addr == ch->ch_Addr4.s_addr &&
30847Sdima			    ch->ch_Service && strcmp(sep->se_service,
30847Sdima			    ch->ch_Service) == 0) {
30847Sdima				chBest = ch;
30847Sdima				break;
30847Sdima			}
56590Sshin#ifdef INET6
56590Sshin			if (rss.ss_family == AF_INET6 &&
56590Sshin			    ch->ch_Family == AF_INET6 &&
56590Sshin			    IN6_ARE_ADDR_EQUAL(&sin6->sin6_addr,
56590Sshin					       &ch->ch_Addr6) != 0 &&
56590Sshin			    ch->ch_Service && strcmp(sep->se_service,
56590Sshin			    ch->ch_Service) == 0) {
56590Sshin				chBest = ch;
56590Sshin				break;
56590Sshin			}
56590Sshin#endif
30847Sdima			if (chBest == NULL || ch->ch_LTime == 0 ||
30847Sdima			    ch->ch_LTime < chBest->ch_LTime) {
30847Sdima				chBest = ch;
30847Sdima			}
30847Sdima		}
56590Sshin		if ((rss.ss_family == AF_INET &&
56590Sshin		     (chBest->ch_Family != AF_INET ||
78694Sdwmalone		      sin4->sin_addr.s_addr != chBest->ch_Addr4.s_addr)) ||
30847Sdima		    chBest->ch_Service == NULL ||
30847Sdima		    strcmp(sep->se_service, chBest->ch_Service) != 0) {
78694Sdwmalone			chBest->ch_Family = sin4->sin_family;
78694Sdwmalone			chBest->ch_Addr4 = sin4->sin_addr;
30847Sdima			if (chBest->ch_Service)
30847Sdima				free(chBest->ch_Service);
30847Sdima			chBest->ch_Service = strdup(sep->se_service);
30847Sdima			bzero(chBest->ch_Times, sizeof(chBest->ch_Times));
30847Sdima		}
56590Sshin#ifdef INET6
56590Sshin		if ((rss.ss_family == AF_INET6 &&
56590Sshin		     (chBest->ch_Family != AF_INET6 ||
56590Sshin		      IN6_ARE_ADDR_EQUAL(&sin6->sin6_addr,
56590Sshin					 &chBest->ch_Addr6) == 0)) ||
56590Sshin		    chBest->ch_Service == NULL ||
56590Sshin		    strcmp(sep->se_service, chBest->ch_Service) != 0) {
56590Sshin			chBest->ch_Family = sin6->sin6_family;
56590Sshin			chBest->ch_Addr6 = sin6->sin6_addr;
56590Sshin			if (chBest->ch_Service)
56590Sshin				free(chBest->ch_Service);
56590Sshin			chBest->ch_Service = strdup(sep->se_service);
56590Sshin			bzero(chBest->ch_Times, sizeof(chBest->ch_Times));
56590Sshin		}
56590Sshin#endif
30847Sdima		chBest->ch_LTime = t;
30847Sdima		{
30847Sdima			CTime *ct = &chBest->ch_Times[ticks % CHTSIZE];
30847Sdima			if (ct->ct_Ticks != ticks) {
30847Sdima				ct->ct_Ticks = ticks;
30847Sdima				ct->ct_Count = 0;
30847Sdima			}
30847Sdima			++ct->ct_Count;
30847Sdima		}
30847Sdima		for (i = 0; i < CHTSIZE; ++i) {
30847Sdima			CTime *ct = &chBest->ch_Times[i];
30847Sdima			if (ct->ct_Ticks <= ticks &&
30847Sdima			    ct->ct_Ticks >= ticks - CHTSIZE) {
30847Sdima				cnt += ct->ct_Count;
30847Sdima			}
30847Sdima		}
117644Sdwmalone		if ((cnt * 60) / (CHTSIZE * CHTGRAN) > sep->se_maxcpm) {
56590Sshin			char pname[INET6_ADDRSTRLEN];
56590Sshin
56590Sshin			getnameinfo((struct sockaddr *)&rss,
56590Sshin				    ((struct sockaddr *)&rss)->sa_len,
56590Sshin				    pname, sizeof(pname), NULL, 0,
56590Sshin				    NI_NUMERICHOST|NI_WITHSCOPEID);
30847Sdima			r = -1;
30847Sdima			syslog(LOG_ERR,
33794Spst			    "%s from %s exceeded counts/min (limit %d/min)",
56590Sshin			    sep->se_service, pname,
33794Spst			    sep->se_maxcpm);
30847Sdima		}
30847Sdima	}
30847Sdima	return(r);
30847Sdima}
101474Sume
101474Sumestatic struct conninfo *
101474Sumesearch_conn(struct servtab *sep, int ctrl)
101474Sume{
101474Sume	struct sockaddr_storage ss;
101474Sume	socklen_t sslen = sizeof(ss);
101474Sume	struct conninfo *conn;
101474Sume	int hv;
101474Sume	char pname[NI_MAXHOST],  pname2[NI_MAXHOST];
101474Sume
101474Sume	if (sep->se_maxperip <= 0)
101474Sume		return NULL;
101474Sume
101474Sume	/*
101474Sume	 * If getpeername() fails, just let it through (if logging is
101474Sume	 * enabled the condition is caught elsewhere)
101474Sume	 */
101474Sume	if (getpeername(ctrl, (struct sockaddr *)&ss, &sslen) != 0)
101474Sume		return NULL;
101474Sume
101474Sume	switch (ss.ss_family) {
101474Sume	case AF_INET:
101474Sume		hv = hashval((char *)&((struct sockaddr_in *)&ss)->sin_addr,
101474Sume		    sizeof(struct in_addr));
101474Sume		break;
101474Sume#ifdef INET6
101474Sume	case AF_INET6:
101474Sume		hv = hashval((char *)&((struct sockaddr_in6 *)&ss)->sin6_addr,
101474Sume		    sizeof(struct in6_addr));
101474Sume		break;
101474Sume#endif
101474Sume	default:
101474Sume		/*
101474Sume		 * Since we only support AF_INET and AF_INET6, just
101474Sume		 * let other than AF_INET and AF_INET6 through.
101474Sume		 */
101474Sume		return NULL;
101474Sume	}
101474Sume
101474Sume	if (getnameinfo((struct sockaddr *)&ss, sslen, pname, sizeof(pname),
101474Sume	    NULL, 0, NI_NUMERICHOST | NI_WITHSCOPEID) != 0)
101474Sume		return NULL;
101474Sume
101474Sume	LIST_FOREACH(conn, &sep->se_conn[hv], co_link) {
101474Sume		if (getnameinfo((struct sockaddr *)&conn->co_addr,
101474Sume		    conn->co_addr.ss_len, pname2, sizeof(pname2), NULL, 0,
101474Sume		    NI_NUMERICHOST | NI_WITHSCOPEID) == 0 &&
101474Sume		    strcmp(pname, pname2) == 0)
101474Sume			break;
101474Sume	}
101474Sume
101474Sume	if (conn == NULL) {
101474Sume		if ((conn = malloc(sizeof(struct conninfo))) == NULL) {
101474Sume			syslog(LOG_ERR, "malloc: %m");
101474Sume			exit(EX_OSERR);
101474Sume		}
101474Sume		conn->co_proc = malloc(sep->se_maxperip * sizeof(*conn->co_proc));
101474Sume		if (conn->co_proc == NULL) {
101474Sume			syslog(LOG_ERR, "malloc: %m");
101474Sume			exit(EX_OSERR);
101474Sume		}
101474Sume		memcpy(&conn->co_addr, (struct sockaddr *)&ss, sslen);
101474Sume		conn->co_numchild = 0;
101474Sume		LIST_INSERT_HEAD(&sep->se_conn[hv], conn, co_link);
101474Sume	}
101474Sume
101474Sume	/*
101474Sume	 * Since a child process is not invoked yet, we cannot
101474Sume	 * determine a pid of a child.  So, co_proc and co_numchild
101474Sume	 * should be filled leter.
101474Sume	 */
101474Sume
101474Sume	return conn;
101474Sume}
101474Sume
101474Sumestatic int
101474Sumeroom_conn(struct servtab *sep, struct conninfo *conn)
101474Sume{
101474Sume	char pname[NI_MAXHOST];
101474Sume
101474Sume	if (conn->co_numchild >= sep->se_maxperip) {
101474Sume		getnameinfo((struct sockaddr *)&conn->co_addr,
101474Sume		    conn->co_addr.ss_len, pname, sizeof(pname), NULL, 0,
101474Sume		    NI_NUMERICHOST | NI_WITHSCOPEID);
101474Sume		syslog(LOG_ERR, "%s from %s exceeded counts (limit %d)",
101474Sume		    sep->se_service, pname, sep->se_maxperip);
101474Sume		return 0;
101474Sume	}
101474Sume	return 1;
101474Sume}
101474Sume
101474Sumestatic void
101474Sumeaddchild_conn(struct conninfo *conn, pid_t pid)
101474Sume{
101474Sume	struct procinfo *proc;
101474Sume
101474Sume	if (conn == NULL)
101474Sume		return;
101474Sume
101474Sume	if ((proc = search_proc(pid, 1)) != NULL) {
101474Sume		if (proc->pr_conn != NULL) {
101474Sume			syslog(LOG_ERR,
101474Sume			    "addchild_conn: child already on process list");
101474Sume			exit(EX_OSERR);
101474Sume		}
101474Sume		proc->pr_conn = conn;
101474Sume	}
101474Sume
101474Sume	conn->co_proc[conn->co_numchild++] = proc;
101474Sume}
101474Sume
101474Sumestatic void
101474Sumereapchild_conn(pid_t pid)
101474Sume{
101474Sume	struct procinfo *proc;
101474Sume	struct conninfo *conn;
101474Sume	int i;
101474Sume
101474Sume	if ((proc = search_proc(pid, 0)) == NULL)
101474Sume		return;
101474Sume	if ((conn = proc->pr_conn) == NULL)
101474Sume		return;
101474Sume	for (i = 0; i < conn->co_numchild; ++i)
101474Sume		if (conn->co_proc[i] == proc) {
101474Sume			conn->co_proc[i] = conn->co_proc[--conn->co_numchild];
101474Sume			break;
101474Sume		}
101474Sume	free_proc(proc);
101474Sume	free_conn(conn);
101474Sume}
101474Sume
101474Sumestatic void
102859Sdwmaloneresize_conn(struct servtab *sep, int maxpip)
101474Sume{
101474Sume	struct conninfo *conn;
101474Sume	int i, j;
101474Sume
101474Sume	if (sep->se_maxperip <= 0)
101474Sume		return;
102859Sdwmalone	if (maxpip <= 0) {
101474Sume		free_connlist(sep);
101474Sume		return;
101474Sume	}
101474Sume	for (i = 0; i < PERIPSIZE; ++i) {
101474Sume		LIST_FOREACH(conn, &sep->se_conn[i], co_link) {
102859Sdwmalone			for (j = maxpip; j < conn->co_numchild; ++j)
101474Sume				free_proc(conn->co_proc[j]);
101474Sume			conn->co_proc = realloc(conn->co_proc,
102859Sdwmalone			    maxpip * sizeof(*conn->co_proc));
101474Sume			if (conn->co_proc == NULL) {
101474Sume				syslog(LOG_ERR, "realloc: %m");
101474Sume				exit(EX_OSERR);
101474Sume			}
102859Sdwmalone			if (conn->co_numchild > maxpip)
102859Sdwmalone				conn->co_numchild = maxpip;
101474Sume		}
101474Sume	}
101474Sume}
101474Sume
101474Sumestatic void
101474Sumefree_connlist(struct servtab *sep)
101474Sume{
101474Sume	struct conninfo *conn;
101474Sume	int i, j;
101474Sume
101474Sume	for (i = 0; i < PERIPSIZE; ++i) {
101474Sume		while ((conn = LIST_FIRST(&sep->se_conn[i])) != NULL) {
101474Sume			for (j = 0; j < conn->co_numchild; ++j)
101474Sume				free_proc(conn->co_proc[j]);
101474Sume			conn->co_numchild = 0;
101474Sume			free_conn(conn);
101474Sume		}
101474Sume	}
101474Sume}
101474Sume
101474Sumestatic void
101474Sumefree_conn(struct conninfo *conn)
101474Sume{
101474Sume	if (conn == NULL)
101474Sume		return;
101474Sume	if (conn->co_numchild <= 0) {
101474Sume		LIST_REMOVE(conn, co_link);
101474Sume		free(conn->co_proc);
101474Sume		free(conn);
101474Sume	}
101474Sume}
101474Sume
101474Sumestatic struct procinfo *
101474Sumesearch_proc(pid_t pid, int add)
101474Sume{
101474Sume	struct procinfo *proc;
101474Sume	int hv;
101474Sume
101474Sume	hv = hashval((char *)&pid, sizeof(pid));
101474Sume	LIST_FOREACH(proc, &proctable[hv], pr_link) {
101474Sume		if (proc->pr_pid == pid)
101474Sume			break;
101474Sume	}
101474Sume	if (proc == NULL && add) {
101474Sume		if ((proc = malloc(sizeof(struct procinfo))) == NULL) {
101474Sume			syslog(LOG_ERR, "malloc: %m");
101474Sume			exit(EX_OSERR);
101474Sume		}
101474Sume		proc->pr_pid = pid;
101474Sume		proc->pr_conn = NULL;
101474Sume		LIST_INSERT_HEAD(&proctable[hv], proc, pr_link);
101474Sume	}
101474Sume	return proc;
101474Sume}
101474Sume
101474Sumestatic void
101474Sumefree_proc(struct procinfo *proc)
101474Sume{
101474Sume	if (proc == NULL)
101474Sume		return;
101474Sume	LIST_REMOVE(proc, pr_link);
101474Sume	free(proc);
101474Sume}
101474Sume
101474Sumestatic int
101474Sumehashval(char *p, int len)
101474Sume{
101474Sume	int i, hv = 0xABC3D20F;
101474Sume
101474Sume	for (i = 0; i < len; ++i, ++p)
101474Sume		hv = (hv << 5) ^ (hv >> 23) ^ *p;
101474Sume	hv = (hv ^ (hv >> 16)) & (PERIPSIZE - 1);
101474Sume	return hv;
101474Sume}