*BSD News Article 9500


Received: by minnie.vk1xwt.ampr.org with NNTP
	id AA5856 ; Fri, 01 Jan 93 01:58:44 EST
Newsgroups: comp.unix.bsd
Path: sserve!manuel.anu.edu.au!munnari.oz.au!spool.mu.edu!agate!dog.ee.lbl.gov!hellgate.utah.edu!fcom.cc.utah.edu!cs.weber.edu!terry
From: terry@cs.weber.edu (A Wizard of Earth C)
Subject: Re: 386BSD - Network services w/ 2 ethernet boards
Message-ID: <1993Jan3.003955.14569@fcom.cc.utah.edu>
Sender: news@fcom.cc.utah.edu
Organization: Weber State University  (Ogden, UT)
References: <C08r81.3qJ@moxie.hou.tx.us>
Date: Sun, 3 Jan 93 00:39:55 GMT
Lines: 242

In article <C08r81.3qJ@moxie.hou.tx.us> hackney@moxie.hou.tx.us (Greg Hackney) writes:
>
>I have a 386BSD machine with 2 ethernet boards to different network
>segments. The kernel is compiled with the "GATEWAY" option.
>
>Is there a way to activate some inetd network services for one board,
>but not for the other?

The easiest way I have found is to hack inetd itself and the inetd.conf file.

Basically the hack is applicable only to stream tcp nowait services, due to
the fact that wait services' daemons handle all future connection requests,
non-stream services aren't tcp, and non-connection oriented services do
not have sufficient information to determine the local socket number, since
the connection dies after delivery (although one could conceivably hack the
changes into the code following the recvfrom() calls and use that information,
the local socket information isn't fixed).  This might require a router hack.


The following hack description assumes the socket type to be Internet; no
other protocols are supported.

The lack of support for the standard regular expression mechanisms means
that I can only give comments as pseudo-code for the actual pattern matching
itself (Sorry; I didn't do the hack for 386BSD in the first place).

If you fill out the code in the comment-only section (--- 282,326 ----),
this should work for you.


]#
]# Internet server configuration database
]#
]#       @(#)inetd.conf  5.4 (Berkeley) 6/30/90
]#
]ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
]telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
]shell   stream  tcp     nowait  root    /usr/libexec/rshd       rshd
]login   stream  tcp     nowait  root    /usr/libexec/rlogind    rlogind
]exec    stream  tcp     nowait  root    /usr/libexec/rexecd     rexecd
]#uucpd  stream  tcp     nowait  root    /usr/libexec/uucpd      uucpd
]#nntp   stream  tcp     nowait  usenet  /usr/libexec/nntpd      nntpd
]finger  stream  tcp     nowait  nobody  /usr/libexec/fingerd    fingerd
].
].
].

Becomes:

]#
]# Internet server configuration database
]#
]#       @(#)inetd.conf  5.4 (Berkeley) 6/30/90
]#
]# Our trusted net is 128.89; our external net is 136.120.  We allow ftp,
]# telnet, and nntp externally (our fire wall provides news service for
]# external sites, telnet for the BBS, and ftp for the source archives).
]# Users on the trusted net have access to all services except nntp, which
]# is handled by an internal machine named news.cs.example.edu to reduce
]# loading on the gateway.
]#
]ftp     stream tcp nowait root   *       /usr/libexec/ftpd       ftpd -l
]telnet  stream tcp nowait root   *       /usr/libexec/telnetd    telnetd
]shell   stream tcp nowait root   128.89  /usr/libexec/rshd       rshd
]login   stream tcp nowait root   128.89  /usr/libexec/rlogind    rlogind
]exec    stream tcp nowait root   128.89  /usr/libexec/rexecd     rexecd
]#uucpd  stream tcp nowait root   *       /usr/libexec/uucpd      uucpd
]nntp   stream tcp nowait usenet  136.120 /usr/libexec/nntpd      nntpd
]finger  stream tcp nowait nobody 128.89  /usr/libexec/fingerd    fingerd
].
].
].

In /usr/src/usr.sbin/inetd/inetd.c, the changes look like this:

------ 8< ------ 8< ------ 8< ------ 8< ------ 8< ------ 8< ------ 8< ------
*** inetd.c     Mon Jun  3 21:25:23 1991
--- inetd.c.new Sat Jan  2 18:20:13 1993
***************
*** 29,34 ****
--- 29,36 ----
   * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
   * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   * SUCH DAMAGE.
+  *
+  * 02 Jan 93  Terry Lambert           Added GATEMOD compilation option
   */

  #ifndef lint
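Review bot: the change-log entry records the GATEMOD option but nothing in the patch documents the new inetd.conf field it introduces; the file header (or the inetd.conf(5) text) should state that a sixth positional field now sits between the user and server fields, that `*` means "any local address", and what other values are accepted, since every existing configuration line has to be rewritten to the new layout.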
***************
*** 123,128 ****
--- 125,133 ----
        short   se_wait;                /* single threaded server */
        short   se_checked;             /* looked at during merge */
        char    *se_user;               /* user name to run as */
+ #ifdef GATEMOD
+       char    *se_restict;            /* interface restriction*/
+ #endif        /* GATEMOD*/
        struct  biltin *se_bi;          /* if built-in, description */
        char    *se_server;             /* server program */
  #define       MAXARGV 20
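Review bot: the struct member is declared here as `se_restict`, but every later hunk (the accept check, the parser, the free, the print) refers to `se_restrict`; with GATEMOD defined the file will not compile until the declaration reads `char *se_restrict;   /* interface restriction */`.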
***************
*** 184,189 ****
--- 189,198 ----
        struct sigvec sv;
        int ch, pid, dofork;
        char buf[50];
+ #ifdef GATEMOD
+       struct sockaddr_in      inaddr;         /* for socket comparison*/
+       int                     inaddrsz = sizeof( struct sockaddr_in);
+ #endif        /* !GATEMOD*/

        Argv = argv;
        if (envp == 0 || *envp == 0)
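Review bot: `inaddrsz` is initialised once at declaration, but accept() stores the returned address length back into it on every call, so it should be reset to `sizeof(struct sockaddr_in)` immediately before each accept() rather than relied on across iterations. As a style point, the closing comment `#endif /* !GATEMOD*/` is misleading for a block opened with `#ifdef GATEMOD`; the hunks below use `/* GATEMOD*/` for the same case.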
***************
*** 256,263 ****
--- 265,278 ----
                            fprintf(stderr, "someone wants %s\n",
                                sep->se_service);
                    if (sep->se_socktype == SOCK_STREAM) {
+ #ifdef GATEMOD
+                           ctrl = accept(sep->se_fd,
+                                         (struct sockaddr *)&inaddr,
+                                         &inaddrsz);
+ #else /* !GATEMOD*/
                            ctrl = accept(sep->se_fd, (struct sockaddr *)0,
                                (int *)0);
+ #endif        /* !GATEMOD*/
                            if (debug)
                                    fprintf(stderr, "accept, ctrl %d\n", ctrl);
                            if (ctrl < 0) {
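Review bot: the address accept() fills into `inaddr` is the remote peer's address and port, not the local side, so it cannot by itself tell which interface the connection arrived on. The local address of the accepted connection is available directly with `getsockname(ctrl, (struct sockaddr *)&inaddr, &inaddrsz)` after a successful accept(); that single call gives the value the following hunk plans to recover by walking kernel memory, with no /dev/kmem access and no race against the kernel's own list updates.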
***************
*** 267,272 ****
--- 282,326 ----
                                            sep->se_service);
                                    continue;
                            }
+ #ifdef GATEMOD
+                           /* if there is a restriction...*/
+                           if( strcmp( sep->se_restrict, "*") {
+                               /*
+                                * look up the address of the local side
+                                * to determine which interface it came in
+                                * from.
+                                */
+
+                               /*
+                                * read from the symbol _tcpstat out of the
+                                * kernel to get the local/remote socket
+                                * pairs; basically, we are interested in
+                                * the local address part, and not the state,
+                                * so all we have to read is the inpcb's.
+                                * These are in a circular list, with a
+                                * NULL entry as a list marker with it's
+                                * inp_next pointing to the symbol offset
+                                * for _tcpstat in the kvm; once we kvm_read()
+                                * this record, we are done with the list.
+                                *
+                                * For each inpcb.inp_fport, check the socket
+                                * number against the socket we got in the
+                                * accept.  If it matches, check the value of
+                                * inpcb.inp_laddr against the restriction
+                                * pattern; if it doesn't match, drop the
+                                * connection (close()) and go to the next
+                                * event (continue;).
+                                *
+                                * There is a great deal of lattitude here
+                                * for multiple patterns seperated by commas,
+                                * etc. when doing the pattern match.  You
+                                * can choose to implement matching against
+                                * a list of addresses or whatever.  386BSD
+                                * doesn't support the re_* routines, so my
+                                * code won't work for this on 386BSD.
+                                */
+                           }
+ #endif        /* GATEMOD*/
                    } else
                            ctrl = sep->se_fd;
                    (void) sigblock(SIGBLOCK);
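Review bot: `if( strcmp( sep->se_restrict, "*") {` is missing the closing parenthesis of the `if`, so this hunk does not compile even before the commented-out body is filled in, and as posted nothing is enforced (the author says as much). On the planned lookup itself: matching on `inp_fport` alone can select the wrong pcb when two remote hosts happen to use the same source port, so the comparison needs the full foreign address/port pair (and the local port) to be unambiguous; the TCP pcb list in 4.3BSD-derived kernels is headed by the `tcb` symbol, `tcpstat` being the statistics structure. Using getsockname() on `ctrl` avoids the kvm walk and these pitfalls entirely. Whichever way the local address is obtained, the refusal path should `close(ctrl)` before `continue`, as the comment says, since a leaked descriptor per refused connection would eventually exhaust the table.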
***************
*** 604,609 ****
--- 658,667 ----
        arg = skip(&cp);
        sep->se_wait = strcmp(arg, "wait") == 0;
        sep->se_user = newstr(skip(&cp));
+ #ifdef GATEMOD
+       /* local address use restrictions (for fire wall gateways)*/
+       sep->se_restrict = newstr(skip(&cp));
+ #endif        /* GATEMOD*/
        sep->se_server = newstr(skip(&cp));
        if (strcmp(sep->se_server, "internal") == 0) {
                register struct biltin *bi;
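Review bot: the restriction field is read unconditionally as a positional field, so an inetd.conf line still in the standard layout is silently mis-parsed: its server path becomes `se_restrict` and its first argument becomes `se_server`, and the later `strcmp(sep->se_server, "internal")` and the exec will fail at run time rather than at configuration time. Either reject a restriction value that begins with `/` with a syslog() message, or treat such a value as "no restriction" (`*`) and fall back to the old field order, so a partially converted file does not start the wrong programs.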
***************
*** 641,646 ****
--- 699,709 ----
                free(cp->se_proto);
        if (cp->se_user)
                free(cp->se_user);
+ #ifdef GATEMOD
+       /* local address use restrictions (for fire wall gateways)*/
+       if (cp->se_restrict)
+               free(cp->se_restrict);
+ #endif        /* GATEMOD*/
        if (cp->se_server)
                free(cp->se_server);
        for (i = 0; i < MAXARGV; i++)
***************
*** 957,964 ****
--- 1020,1034 ----
        char *action;
        struct servtab *sep;
  {
+ #ifdef GATEMOD
+       fprintf(stderr,
+           "%s: %s proto=%s, wait=%d, user=%s restrict=%s builtin=%x server=%s\
n",
+           action, sep->se_service, sep->se_proto, sep->se_wait,
+           sep->se_user, sep->se_restrict, (int)sep->se_bi, sep->se_server);
+ #else /* !GATEMOD*/
        fprintf(stderr,
            "%s: %s proto=%s, wait=%d, user=%s builtin=%x server=%s\n",
            action, sep->se_service, sep->se_proto,
            sep->se_wait, sep->se_user, (int)sep->se_bi, sep->se_server);
+ #endif        /* !GATEMOD*/
  }
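Review bot: the format string in the GATEMOD branch is split across two physical lines at `server=%s\` / `n",`; if that is how it sits in the source file (and not only wrapping in the posting), the preprocessor removes the backslash-newline and the literal ends in `%sn"` with no newline at all. Keep `server=%s\n",` on one line. Since the two branches differ only in the `restrict=%s` field, a single fprintf() with the restriction printed under `#ifdef` would also avoid maintaining two copies of the call.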
------ 8< ------ 8< ------ 8< ------ 8< ------ 8< ------ 8< ------ 8< ------

Remember, this code won't run as is!  DON'T apply the patch unless you are
ready to change the globbing and write the KVM reading routines.


					Terry Lambert
					terry@icarus.weber.edu
					terry_lambert@novell.com
---
Any opinions in this posting are my own and not those of my present
or previous employers.
-- 
-------------------------------------------------------------------------------
                                        "I have an 8 user poetic license" - me
 Get the 386bsd FAQ from agate.berkeley.edu:/pub/386BSD/386bsd-0.1/unofficial
-------------------------------------------------------------------------------
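As an added example (not code from the post above and not part of 386BSD or its inetd), here is the per-interface restriction the post sketches, written in portable BSD socket calls. It keeps the 8-field inetd.conf line layout shown in the post, but two things are this example's own choices rather than the post's design: the local address of an accepted connection is taken from getsockname() instead of being read out of kernel memory with kvm, and the restriction field is interpreted as either `*` or a comma-separated list of dotted address prefixes matched on octet boundaries (the post leaves the pattern syntax open). The function and structure names are made up for the example.

```c
/*
 * Added example, not the post's patch: restrict an inetd-style stream
 * service to the local interface address the client connected to.
 * Assumptions (this example's own): getsockname() replaces the kvm walk,
 * and the restriction field is "*" or a comma-separated list of dotted
 * address prefixes such as "128.89,10.1".
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* One entry of the extended, 8-field inetd.conf line used in the post. */
struct gate_ent {
    char service[32], socktype[16], proto[16], wait[16], user[32];
    char restriction[64];   /* the added field: "*" or "128.89,10.1" */
    char server[128], args[128];
};

/* Parse "service socktype proto wait user restriction server [args...]".
 * Returns 1 on success, 0 for comment/blank lines or fewer than 7 fields. */
int parse_gate_line(const char *line, struct gate_ent *e)
{
    memset(e, 0, sizeof *e);
    if (line[0] == '#' || line[0] == '\n' || line[0] == '\0')
        return 0;
    int n = sscanf(line, "%31s %15s %15s %15s %31s %63s %127s %127[^\n]",
                   e->service, e->socktype, e->proto, e->wait, e->user,
                   e->restriction, e->server, e->args);
    return n >= 7;
}

/* Does the dotted-quad local address fall under the restriction pattern?
 * "*" allows every interface; otherwise a comma-separated token must be a
 * dotted prefix ending on an octet boundary of laddr, so "128.8" does not
 * match 128.89.1.1.  Anything unmatched is denied. */
int local_addr_allowed(const char *laddr, const char *pattern)
{
    if (strcmp(pattern, "*") == 0)
        return 1;
    char buf[64];
    strncpy(buf, pattern, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, ","); tok != NULL; tok = strtok(NULL, ",")) {
        size_t n = strlen(tok);
        if (n > 0 && tok[n - 1] == '.')   /* tolerate a trailing dot */
            n--;
        if (n > 0 && strncmp(laddr, tok, n) == 0 &&
            (laddr[n] == '\0' || laddr[n] == '.'))
            return 1;
    }
    return 0;   /* default deny: no token matched */
}

/* Called right after accept(): getsockname() on the accepted socket yields
 * the local (interface) address the client reached.  Returns 1 = serve,
 * 0 = refuse, -1 = lookup failed (callers should treat -1 as refuse). */
int check_accepted(int ctrl, const char *pattern)
{
    struct sockaddr_in local;
    socklen_t len = sizeof local;
    if (getsockname(ctrl, (struct sockaddr *)&local, &len) < 0 ||
        local.sin_family != AF_INET)
        return -1;
    return local_addr_allowed(inet_ntoa(local.sin_addr), pattern);
}

/* Self-check without a client: a socket bound to loopback already has its
 * local side set, so check_accepted() can be exercised on it.  Returns
 * check_accepted()'s result, or -1 if socket()/bind() is not permitted. */
int demo_loopback_check(const char *pattern)
{
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0)
        return -1;
    struct sockaddr_in a;
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    a.sin_port = 0;   /* any free port */
    int r = bind(s, (struct sockaddr *)&a, sizeof a) < 0
                ? -1 : check_accepted(s, pattern);
    close(s);
    return r;
}

int main(void)
{
    /* Constructed sample line in the post's 8-field layout. */
    const char *line =
        "shell   stream tcp nowait root   128.89,10.1  /usr/libexec/rshd rshd";
    struct gate_ent e;
    if (!parse_gate_line(line, &e)) {
        fprintf(stderr, "bad line\n");
        return 1;
    }
    printf("%s restricted to %s, server %s\n", e.service, e.restriction, e.server);
    printf("128.89.4.1 allowed: %d\n", local_addr_allowed("128.89.4.1", e.restriction));
    printf("136.120.1.1 allowed: %d\n", local_addr_allowed("136.120.1.1", e.restriction));
    printf("loopback under \"127\": %d\n", demo_loopback_check("127"));
    return 0;
}
```

The check is default-deny: a connection whose local address matches no token is refused, which is the safe direction for a gateway host. A refused connection must still be closed by the caller before it goes back to the select() loop, the point the post's pseudocode makes with its close()/continue note.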