reverse-resolve the IP address we're given, which will take a while
to time out, since we're still scanning cached leases (i.e. the network
isn't up yet).
EINVAL. This has been confirmed by Bill Fenner. The wrong socket led to
masses of syslog entries on hosts connected to the mbone and cache entries
deleted too early.
XXX As the socket needs to be the one that is ip_mrouter in netinet/ip_mroute.c,
XXX the kernel could be modified to always return the data for ip_mrouter.
XXX Bill Fenner suggests upgrading to 3.9.beta-3 with -DIOCTL_OK_ON_RAW_SOCKET
- fromhost() doesn't work because the file descriptor isn't available
at this point, see PR bin/6813
- it needs some initialization for libwrap to grok the IP address and/or
host names in its rule files (see PR bin/6831 by Andreas Wrede
<andreas@planix.com>, the fix is different)
Needless to say that libwrap's interface sucks.
point them to options(4) for more details. Also point out that ipf
is necessary for ipnat to function. Oh, and convert ipnat.8 to mandoc
while I was in here... was easier to convert it than rewrite my stuff
after I noticed..
Closes PR# 4813 by Jeff Thieleke
* portmap is now tcp-wrapped (i.e. obeys hosts.{allow,deny})
both for lookups (as `portmap') and for forwarded calls to
specific services.
* the new -l flag, analogous to inetd -l, logs all connections
to portmap.
* the new -s flag causes portmap to suid to the user daemon
after binding its port, so that outgoing connections do
not come from privileged ports. This prevents users from
using portmap to get a free privileged port.
* portmap now _only_ accepts SETs and UNSETs on the loopback
interface. In the past, anyone in the world could do all
sorts of nasty things to your portmap tables. Note that
our libc already _only_ uses the loopback interface to
register rpc ports.
This work is modeled after/partially taken from Wietse Venema's tcp-
wrapped version of the BSD 4.3 portmap. It has benefitted greatly from my
discussions with Luke, Matt and many others.