NetBSD/usr.sbin/inetd/Makefile

34 lines
711 B
Makefile

# from: @(#)Makefile 8.1 (Berkeley) 6/6/93
PR/56448: Solomon Ritzow: Various improvements.

Rate limiting code has been moved to ratelimit.c. I renamed clear_ip_list to rl_clear_ip_list and broke the code up into more functions. I have also made the per-IP rate limiting allocation more efficient. IP addresses are now stored in their network format instead of a string from getnameinfo (see inetd.h struct rl_ip_node). malloc calls use only the space needed by the structure by using offsetof on union members (I suppose this can be a bit dangerous if not done correctly...).

Per-IP rate limiting still supports textual comparison using getnameinfo for address families other than AF_INET and AF_INET6, but I don't think there are any that are actually compatible or used by inetd (I haven't tested UNIX sockets with a remote bound to another file, but I did test using IPv6 with the textual format by commenting out the IPv6 specific code, and it works properly). Still potentially handy for the future. The IP node list (se_rl_ip_list) now uses the <sys/queue.h> SLIST macros instead of a custom list.

I've broken rl_process up into helper functions for each type of rate limiting and created a separate function for address stringification, for use with printouts from the -d flag. I tried to reduce stack memory use by moving printing code involving string buffers into separate functions. I haven't tested rl_ipv6_eq on a 32-bit system.

The code for the positional syntax has also been moved to parse.c. Function try_biltin has been added to remove parse.c:parse_server's dependency on the biltin structure definition.

File inetd.h has been updated with the proper function prototypes, and the servtab structure has been updated with the new IP node SLIST. I also moved things around a bit. The way we (a peer and myself) formatted inetd.h previously was somewhat confusing. Function and global variable prototypes are now organized by the source file they are defined in.

I also added a -f flag that I saw in another problem report (https://gnats.netbsd.org/12823) that I thought could be useful. It runs inetd in the foreground but without debug printouts or SO_DEBUG. I'm not completely sure about the line "if (foreground) setsid()" that I changed from "if (debug) setsid()".
2021-10-12 22:08:04 +03:00
# $NetBSD: Makefile,v 1.30 2021/10/12 19:08:04 christos Exp $
.include <bsd.own.mk>
1993-03-21 12:45:37 +03:00
2007-05-28 16:06:17 +04:00
USE_FORT?= yes # network server
1993-03-21 12:45:37 +03:00
PROG= inetd
2021-10-12 22:08:04 +03:00
SRCS= inetd.c parse.c parse_v2.c ratelimit.c
1994-12-22 14:32:57 +03:00
MAN= inetd.8
MLINKS= inetd.8 inetd.conf.5
WARNS= 6
#LINTFLAGS+= -T
1993-03-21 12:45:37 +03:00
Inetd enhancements by James Browning, Gabe Coffland, Alex Gavin, Solomon Ritzow

Described in: https://www.mail-archive.com/tech-userlevel@netbsd.org/msg03114.html
And developed in: https://github.com/ritzow/src/pull/1

From their notes:

All new functionality should be explained by the updated manpage.

The manpage has been refactored a bit: A new section "Directives" has been added and the information about default hostnames and IPsec directives has been moved there, and the new file include directive information is also there.

getconfigent has the most major changes. A newline is no longer read immediately, but is called only by a "goto more" (inside an if(false) block). This allows multiple definitions or directives to exist on a single line for anything that doesn't terminate using a newline. This means a key-values service definition can be followed by another key-values service definition, a positional definition, or an ipsec, hostname, or .include directive on the same line.

memset is no longer used explicitly to clear the servtab structure, a function init_servtab() is used instead, which uses a C struct initializer.

The servtab se_group field is its own allocation now, and not just a pointer into the user:group string.

Refactored some stuff out of getconfigent to separate functions for use by parse_v2.c. These functions in inetd.c are named with the form parse_*().

parse_v2.c only has code for parsing a key-values service definition into a provided servtab. It should not have anything that affects global state other than line and line_number.

Some function prototypes, structures, and #defines have been moved from inetd.c to inetd.h.

The function config_root replaces config as the function called on a config file load/reload. The code removed from the end of config(void) is now called in config_root, so it is not run on each recursive config call.

setconfig(void) was removed and its code added into config_root because that is the only place it is called, and redundant checks for non-null globals were removed because they are always freed by endconfig. The fseek code was also removed because the config files are always closed by endconfig.

Rate limiting code was updated to add a per-service per-IP rate limiting form. Some of that code was refactored out of other places into functions with names in the form rl_*().

We have not added any of the license or version information to the new files parse_v2.c, parse_v2.h, and inetd.h and we have not updated the license or version info for inetd.c.

Security related:

The behavior when reading invalid IPsec strings has changed. Inetd no longer exits, it quits reading the current config file instead. Could this impact program security?

We have not checked for memory leaks. Solomon tried to use dmalloc without success. getconfigent seemed to have a memory leak at each "goto more". It seems like inetd has never free'd allocated strings when throwing away erroneous service definitions during parsing (i.e. when "goto more" is called when parsing fields). OpenBSD's version calls freeconfig on "goto more" (https://github.com/openbsd/src/blob/c5eae130d6c937080c3d30d124e8c8b86db7d625/usr.sbin/inetd/inetd.c#L1049) but NetBSD only calls it when service definitions are no longer needed. This has been fixed. freeconfig is called immediately before any "goto more". There shouldn't be any time when a servtab is in an invalid state where freeconfig would break.
2021-08-29 12:54:18 +03:00
# Enables debug printouts when in debug mode
CPPFLAGS+=-DDEBUG_ENABLE
CPPFLAGS+=-DLIBWRAP
# Use LIBWRAP_INTERNAL for libwrap checking of inetd's `internal' services.
1997-10-25 10:57:53 +04:00
#CPPFLAGS+=-DLIBWRAP_INTERNAL
LDADD+= -lwrap -lblocklist -lutil
DPADD+= ${LIBWRAP} ${LIBBLOCKLIST} ${LIBUTIL}
.if (${USE_INET6} != "no")
CPPFLAGS+=-DINET6
.endif
2001-09-13 17:02:20 +04:00
CPPFLAGS+=-DIPSEC
SRCS+= ipsec.c
LDADD+= -lipsec
DPADD+= ${LIBIPSEC}
1993-03-21 12:45:37 +03:00
.include <bsd.prog.mk>
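
The PR/56448 commit message above mentions sizing malloc calls with offsetof on union members and notes that this can be dangerous if done incorrectly. The following is an added example, not code from inetd: the struct layout and the names ip_node, addr_len, ip_node_new and ip_node_matches are hypothetical. It shows the truncated allocation paired with a family tag, so that no code reads or writes union bytes beyond what was allocated.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Hypothetical per-IP node for illustration; not copied from inetd.h. */
struct ip_node {
	struct ip_node *next;
	size_t count;
	int family;		/* tag: which union member was allocated */
	union {
		struct in_addr v4;
		struct in6_addr v6;
		char text[1025];	/* textual form; never allocated here */
	} u;
};

/* Size of the address stored for a family; 0 means unsupported. */
static size_t addr_len(int family) {
	return family == AF_INET ? sizeof(struct in_addr) :
	    family == AF_INET6 ? sizeof(struct in6_addr) : 0;
}

/* Allocate header + only the union member this family needs. */
static struct ip_node *ip_node_new(int family, const void *addr) {
	size_t alen = addr_len(family);
	struct ip_node *n;
	if (alen == 0 || (n = malloc(offsetof(struct ip_node, u) + alen)) == NULL)
		return NULL;
	n->next = NULL;
	n->count = 1;
	n->family = family;
	memcpy(&n->u, addr, alen);	/* exactly the bytes that were allocated */
	return n;
}

/* Check the tag first so memcmp never runs past a shorter allocation. */
static int ip_node_matches(const struct ip_node *n, int family, const void *addr) {
	size_t alen = addr_len(family);
	return alen != 0 && n->family == family && memcmp(&n->u, addr, alen) == 0;
}

int main(void) {
	struct in_addr a = { htonl(0xC0000201) };	/* constructed: 192.0.2.1 */
	struct ip_node *n = ip_node_new(AF_INET, &a);
	int ok = n != NULL && ip_node_matches(n, AF_INET, &a);
	free(n);
	return ok ? 0 : 1;
}
```

A node allocated this way must never be copied by struct assignment or sized with sizeof(struct ip_node), since either touches bytes that were not allocated.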