Return to BSD News archive
Received: by minnie.vk1xwt.ampr.org with NNTP
id AA5856 ; Fri, 01 Jan 93 01:58:44 EST
Newsgroups: comp.unix.bsd
Path: sserve!manuel.anu.edu.au!munnari.oz.au!spool.mu.edu!agate!dog.ee.lbl.gov!hellgate.utah.edu!fcom.cc.utah.edu!cs.weber.edu!terry
From: terry@cs.weber.edu (A Wizard of Earth C)
Subject: Re: 386BSD - Network services w/ 2 ethernet boards
Message-ID: <1993Jan3.003955.14569@fcom.cc.utah.edu>
Sender: news@fcom.cc.utah.edu
Organization: Weber State University (Ogden, UT)
References: <C08r81.3qJ@moxie.hou.tx.us>
Date: Sun, 3 Jan 93 00:39:55 GMT
Lines: 242
In article <C08r81.3qJ@moxie.hou.tx.us> hackney@moxie.hou.tx.us (Greg Hackney) writes:
>
>I have a 386BSD machine with 2 ethernet boards to different network
>segments. The kernel is compiled with the "GATEWAY" option.
>
>Is there a way to activate some inetd network services for one board,
>but not for the other?
The easiest way I have found is to hack inetd itself and the inetd.conf file.
Basically the hack is applicable only to stream tcp nowait services, due to
the fact that wait services daemons handle all future connection requests,
non-stream services aren't tcp, and non-connection oriented services do
not have sufficient information to determine the local socket number, since
the connection dies after delivery (although one could conceivably hack the
changes into the code following the recvfrom() calls and use that information,
the local socket information isn't fixed. This might require a router hack.
The following hack description assumes the socket type to be Internet; no
other protocols are supported.
The lack of support for the standard regular expression mechanisms means
that I can only give comments as pseudo-code for the actual pattern matching
itself (Sorry; I didn't do the hack for 386BSD in the first place).
If you fill out the code in the comment-only section (--- 282,326 ----),
this should work for you.
]#
]# Internet server configuration database
]#
]# @(#)inetd.conf 5.4 (Berkeley) 6/30/90
]#
]ftp stream tcp nowait root /usr/libexec/ftpd ftpd -l
]telnet stream tcp nowait root /usr/libexec/telnetd telnetd
]shell stream tcp nowait root /usr/libexec/rshd rshd
]login stream tcp nowait root /usr/libexec/rlogind rlogind
]exec stream tcp nowait root /usr/libexec/rexecd rexecd
]#uucpd stream tcp nowait root /usr/libexec/uucpd uucpd
]#nntp stream tcp nowait usenet /usr/libexec/nntpd nntpd
]finger stream tcp nowait nobody /usr/libexec/fingerd fingerd
].
].
].
Becomes:
]#
]# Internet server configuration database
]#
]# @(#)inetd.conf 5.4 (Berkeley) 6/30/90
]#
]# Our trusted net is 128.89; our external net is 136.120. We allow ftp,
]# telnet, and nntp externally (our fire wall provides news service for
]# external sites, telnet for the BBS, and ftp for the source archives).
]# Users on the trusted net have access to all services except nntp, which
]# is handled by an internal machine named news.cs.example.edu to reduce
]# loading on the gateway.
]#
]ftp stream tcp nowait root * /usr/libexec/ftpd ftpd -l
]telnet stream tcp nowait root * /usr/libexec/telnetd telnetd
]shell stream tcp nowait root 128.89 /usr/libexec/rshd rshd
]login stream tcp nowait root 128.89 /usr/libexec/rlogind rlogind
]exec stream tcp nowait root 128.89 /usr/libexec/rexecd rexecd
]#uucpd stream tcp nowait root * /usr/libexec/uucpd uucpd
]nntp stream tcp nowait usenet 136.120 /usr/libexec/nntpd nntpd
]finger stream tcp nowait nobody 128.89 /usr/libexec/fingerd fingerd
].
].
].
in /usr/src/usr.sbin/inetd/inetd.c, the changes look like this:
------ 8< ------ 8< ------ 8< ------ 8< ------ 8< ------ 8< ------ 8< ------
*** inetd.c Mon Jun 3 21:25:23 1991
--- inetd.c.new Sat Jan 2 18:20:13 1993
***************
*** 29,34 ****
--- 29,36 ----
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
+ *
+ * 02 Jan 93 Terry Lambert Added GATEMOD compilation option
*/
#ifndef lint
***************
*** 123,128 ****
--- 125,133 ----
short se_wait; /* single threaded server */
short se_checked; /* looked at during merge */
char *se_user; /* user name to run as */
+ #ifdef GATEMOD
+ char *se_restict; /* interface restriction*/
+ #endif /* GATEMOD*/
struct biltin *se_bi; /* if built-in, description */
char *se_server; /* server program */
#define MAXARGV 20
***************
*** 184,189 ****
--- 189,198 ----
struct sigvec sv;
int ch, pid, dofork;
char buf[50];
+ #ifdef GATEMOD
+ struct sockaddr_in inaddr; /* for socket comparison*/
+ int inaddrsz = sizeof( struct sockaddr_in);
+ #endif /* !GATEMOD*/
Argv = argv;
if (envp == 0 || *envp == 0)
***************
*** 256,263 ****
--- 265,278 ----
fprintf(stderr, "someone wants %s\n",
sep->se_service);
if (sep->se_socktype == SOCK_STREAM) {
+ #ifdef GATEMOD
+ ctrl = accept(sep->se_fd,
+ (struct sockaddr *)&inaddr,
+ &inaddrsz);
+ #else /* !GATEMOD*/
ctrl = accept(sep->se_fd, (struct sockaddr *)0,
(int *)0);
+ #endif /* !GATEMOD*/
if (debug)
fprintf(stderr, "accept, ctrl %d\n", ctrl);
if (ctrl < 0) {
***************
*** 267,272 ****
--- 282,326 ----
sep->se_service);
continue;
}
+ #ifdef GATEMOD
+ /* if there is a restriction...*/
+ if( strcmp( sep->se_restrict, "*") {
+ /*
+ * look up the address of the local side
+ * to determine which interface it came in
+ * from.
+ */
+
+ /*
+ * read from the symbol _tcpstat out of the
+ * kernel to get the local/remote socket
+ * pairs; basically, we are interested in
+ * the local address part, and not the state,
+ * so all we have to read is the inpcb's.
+ * These are in a circular list, with a
+ * NULL entry as a list marker with it's
+ * inp_next pointing to the symbol offset
+ * for _tcpstat in the kvm; once we kvm_read()
+ * this record, we are done with the list.
+ *
+ * For each inpcb.inp_fport, check the socket
+ * number against the socket we got in the
+ * accept. If it matches, check the value of
+ * inpcb.inp_laddr against the restriction
+ * pattern; if it doesn't match, drop the
+ * connection (close()) and go to the next
+ * event (continue;).
+ *
+ * There is a great deal of lattitude here
+ * for multiple patterns seperated by commas,
+ * etc. when doing the pattern match. You
+ * can choose to implement matching against
+ * a list of addresses or whatever. 386BSD
+ * doesn't support the re_* routines, so my
+ * code won't work for this on 386BSD.
+ */
+ }
+ #endif /* GATEMOD*/
} else
ctrl = sep->se_fd;
(void) sigblock(SIGBLOCK);
***************
*** 604,609 ****
--- 658,667 ----
arg = skip(&cp);
sep->se_wait = strcmp(arg, "wait") == 0;
sep->se_user = newstr(skip(&cp));
+ #ifdef GATEMOD
+ /* local address use restrictions (for fire wall gateways)*/
+ sep->se_restrict = newstr(skip(&cp));
+ #endif /* GATEMOD*/
sep->se_server = newstr(skip(&cp));
if (strcmp(sep->se_server, "internal") == 0) {
register struct biltin *bi;
***************
*** 641,646 ****
--- 699,709 ----
free(cp->se_proto);
if (cp->se_user)
free(cp->se_user);
+ #ifdef GATEMOD
+ /* local address use restrictions (for fire wall gateways)*/
+ if (cp->se_restrict)
+ free(cp->se_restrict);
+ #endif /* GATEMOD*/
if (cp->se_server)
free(cp->se_server);
for (i = 0; i < MAXARGV; i++)
***************
*** 957,964 ****
--- 1020,1034 ----
char *action;
struct servtab *sep;
{
+ #ifdef GATEMOD
+ fprintf(stderr,
+ "%s: %s proto=%s, wait=%d, user=%s restrict=%s builtin=%x server=%s\
n",
+ action, sep->se_service, sep->se_proto, sep->se_wait,
+ sep->se_user, sep->se_restrict, (int)sep->se_bi, sep->se_server);
+ #else /* !GATEMOD*/
fprintf(stderr,
"%s: %s proto=%s, wait=%d, user=%s builtin=%x server=%s\n",
action, sep->se_service, sep->se_proto,
sep->se_wait, sep->se_user, (int)sep->se_bi, sep->se_server);
+ #endif /* !GATEMOD*/
}
------ 8< ------ 8< ------ 8< ------ 8< ------ 8< ------ 8< ------ 8< ------
Remember, this code won't run as is! DON'T apply the patch unless you are
ready to change the globbing and write the KVM reading routines.
Terry Lambert
terry@icarus.weber.edu
terry_lambert@novell.com
---
Any opinions in this posting are my own and not those of my present
or previous employers.
--
-------------------------------------------------------------------------------
"I have an 8 user poetic license" - me
Get the 386bsd FAQ from agate.berkeley.edu:/pub/386BSD/386bsd-0.1/unofficial
-------------------------------------------------------------------------------