From owner-svn-src-head@FreeBSD.ORG Thu Mar 6 17:33:29 2014 Return-Path: Delivered-To: svn-src-head@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 7B1D3154; Thu, 6 Mar 2014 17:33:29 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 5B8B4151; Thu, 6 Mar 2014 17:33:29 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.8/8.14.8) with ESMTP id s26HXTdr013195; Thu, 6 Mar 2014 17:33:29 GMT (envelope-from mav@svn.freebsd.org) Received: (from mav@localhost) by svn.freebsd.org (8.14.8/8.14.8/Submit) id s26HXSsF013188; Thu, 6 Mar 2014 17:33:28 GMT (envelope-from mav@svn.freebsd.org) Message-Id: <201403061733.s26HXSsF013188@svn.freebsd.org> From: Alexander Motin Date: Thu, 6 Mar 2014 17:33:28 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r262860 - in head: . etc usr.sbin/rpcbind X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 06 Mar 2014 17:33:29 -0000 Author: mav Date: Thu Mar 6 17:33:27 2014 New Revision: 262860 URL: http://svnweb.freebsd.org/changeset/base/262860 Log: Disable libwrap (TCP wrappers) support in rpcbind by default, introducing new command line options -W, to enable it when needed. On my tests this change by almost ten times improves rpcbind performance. No objections: many, net@ Modified: head/UPDATING head/etc/hosts.allow head/usr.sbin/rpcbind/rpcbind.8 head/usr.sbin/rpcbind/rpcbind.c head/usr.sbin/rpcbind/rpcbind.h head/usr.sbin/rpcbind/security.c Modified: head/UPDATING ============================================================================== --- head/UPDATING Thu Mar 6 17:33:12 2014 (r262859) +++ head/UPDATING Thu Mar 6 17:33:27 2014 (r262860) @@ -31,6 +31,11 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 11 disable the most expensive debugging functionality run "ln -s 'abort:false,junk:false' /etc/malloc.conf".) +20140306: + Support for libwrap (TCP wrappers) in rpcbind was disabled by default + to improve performance. To re-enable it, if needed, run rpcbind + with command line option -W. + 20140226: Switched back to the GPL dtc compiler due to updates in the upstream dts files not being supported by the BSDL dtc compiler. You will need Modified: head/etc/hosts.allow ============================================================================== --- head/etc/hosts.allow Thu Mar 6 17:33:12 2014 (r262859) +++ head/etc/hosts.allow Thu Mar 6 17:33:27 2014 (r262860) @@ -60,6 +60,7 @@ exim : localhost : allow exim : ALL : allow # Rpcbind is used for all RPC services; protect your NFS! +# Rpcbind should be running with -W option to support this. # (IP addresses rather than hostnames *MUST* be used here) #rpcbind : 192.0.2.32/255.255.255.224 : allow #rpcbind : 192.0.2.96/255.255.255.224 : allow Modified: head/usr.sbin/rpcbind/rpcbind.8 ============================================================================== --- head/usr.sbin/rpcbind/rpcbind.8 Thu Mar 6 17:33:12 2014 (r262859) +++ head/usr.sbin/rpcbind/rpcbind.8 Thu Mar 6 17:33:27 2014 (r262860) @@ -2,7 +2,7 @@ .\" Copyright 1989 AT&T .\" Copyright 1991 Sun Microsystems, Inc. .\" $FreeBSD$ -.Dd April 23, 2007 +.Dd March 6, 2014 .Dt RPCBIND 8 .Os .Sh NAME @@ -133,6 +133,8 @@ to use non-privileged ports for outgoing clients from using .Nm to connect to services from a privileged port. +.It Fl W +Enable libwrap (TCP wrappers) support. .El .Sh NOTES All RPC servers must be restarted if Modified: head/usr.sbin/rpcbind/rpcbind.c ============================================================================== --- head/usr.sbin/rpcbind/rpcbind.c Thu Mar 6 17:33:12 2014 (r262859) +++ head/usr.sbin/rpcbind/rpcbind.c Thu Mar 6 17:33:27 2014 (r262860) @@ -88,6 +88,9 @@ rpcblist_ptr list_rbl; /* A list of vers int runasdaemon = 0; int insecure = 0; int oldstyle_local = 0; +#ifdef LIBWRAP +int libwrap = 0; +#endif int verboselog = 0; char **hosts = NULL; @@ -785,7 +788,12 @@ parseargs(int argc, char *argv[]) #else #define WSOP "" #endif - while ((c = getopt(argc, argv, "6adh:iLls" WSOP)) != -1) { +#ifdef LIBWRAP +#define WRAPOP "W" +#else +#define WRAPOP "" +#endif + while ((c = getopt(argc, argv, "6adh:iLls" WRAPOP WSOP)) != -1) { switch (c) { case '6': ipv6_only = 1; @@ -818,6 +826,11 @@ parseargs(int argc, char *argv[]) case 's': runasdaemon = 1; break; +#ifdef LIBWRAP + case 'W': + libwrap = 1; + break; +#endif #ifdef WARMSTART case 'w': warmstart = 1; @@ -825,8 +838,8 @@ parseargs(int argc, char *argv[]) #endif default: /* error */ fprintf(stderr, - "usage: rpcbind [-6adiLls%s] [-h bindip]\n", - WSOP); + "usage: rpcbind [-6adiLls%s%s] [-h bindip]\n", + WRAPOP, WSOP); exit (1); } } Modified: head/usr.sbin/rpcbind/rpcbind.h ============================================================================== --- head/usr.sbin/rpcbind/rpcbind.h Thu Mar 6 17:33:12 2014 (r262859) +++ head/usr.sbin/rpcbind/rpcbind.h Thu Mar 6 17:33:27 2014 (r262860) @@ -66,6 +66,9 @@ struct r_rmtcall_args { extern int debugging; extern int doabort; +#ifdef LIBWRAP +extern int libwrap; +#endif extern int verboselog; extern int insecure; extern int oldstyle_local; Modified: head/usr.sbin/rpcbind/security.c ============================================================================== --- head/usr.sbin/rpcbind/security.c Thu Mar 6 17:33:12 2014 (r262859) +++ head/usr.sbin/rpcbind/security.c Thu Mar 6 17:33:27 2014 (r262860) @@ -108,13 +108,15 @@ check_access(SVCXPRT *xprt, rpcproc_t pr } #ifdef LIBWRAP - if (addr->sa_family == AF_LOCAL) - return 1; - request_init(&req, RQ_DAEMON, "rpcbind", RQ_CLIENT_SIN, addr, 0); - sock_methods(&req); - if(!hosts_access(&req)) { - logit(deny_severity, addr, proc, prog, ": request from unauthorized host"); - return 0; + if (libwrap && addr->sa_family != AF_LOCAL) { + request_init(&req, RQ_DAEMON, "rpcbind", RQ_CLIENT_SIN, addr, + 0); + sock_methods(&req); + if(!hosts_access(&req)) { + logit(deny_severity, addr, proc, prog, + ": request from unauthorized host"); + return 0; + } } #endif if (verboselog)