summaryrefslogtreecommitdiff
path: root/ipsvd
diff options
context:
space:
mode:
Diffstat (limited to 'ipsvd')
-rw-r--r--ipsvd/tcpsvd.c5
-rw-r--r--ipsvd/udp_io.c156
-rw-r--r--ipsvd/udpsvd.c181
3 files changed, 291 insertions, 51 deletions
diff --git a/ipsvd/tcpsvd.c b/ipsvd/tcpsvd.c
index 98234a7..056deff 100644
--- a/ipsvd/tcpsvd.c
+++ b/ipsvd/tcpsvd.c
@@ -179,7 +179,10 @@ int tcpsvd_main(int argc, char **argv)
if (!argv[0][0] || LONE_CHAR(argv[0], '0'))
argv[0] = (char*)"0.0.0.0";
+ /* stdout is used for logging, don't buffer */
setlinebuf(stdout);
+ bb_sanitize_stdio(); /* fd# 1,2 must be opened */
+
need_hostnames = verbose || !(option_mask32 & OPT_E);
need_remote_ip = max_per_host || need_hostnames;
@@ -232,7 +235,6 @@ int tcpsvd_main(int argc, char **argv)
xsetuid(ugid.uid);
}
#endif
- bb_sanitize_stdio(); /* fd# 1,2 must be opened */
close(0);
if (verbose) {
@@ -439,6 +441,7 @@ int tcpsvd_main(int argc, char **argv)
xmove_fd(conn, 0);
dup2(0, 1);
+
signal(SIGTERM, SIG_DFL);
signal(SIGPIPE, SIG_DFL);
signal(SIGCHLD, SIG_DFL);
diff --git a/ipsvd/udp_io.c b/ipsvd/udp_io.c
new file mode 100644
index 0000000..68999d4
--- /dev/null
+++ b/ipsvd/udp_io.c
@@ -0,0 +1,156 @@
+/* Thus far used only by udpsvd.c */
+
+void socket_want_pktinfo(int fd);
+ssize_t send_to_from(int fd, void *buf, size_t len, int flags,
+ const struct sockaddr *from, const struct sockaddr *to,
+ socklen_t tolen);
+ssize_t recv_from_to(int fd, void *buf, size_t len, int flags,
+ struct sockaddr *from, struct sockaddr *to,
+ socklen_t sa_size);
+
+/*
+ * This asks kernel to let us know dst addr/port of incoming packets
+ * We don't check for errors here. Not supported == won't be used
+ */
+void
+socket_want_pktinfo(int fd)
+{
+#ifdef IP_PKTINFO
+ setsockopt(fd, IPPROTO_IP, IP_PKTINFO, &const_int_1, sizeof(int));
+#endif
+#ifdef IPV6_PKTINFO
+ setsockopt(fd, IPPROTO_IPV6, IPV6_PKTINFO, &const_int_1, sizeof(int));
+#endif
+}
+
+
+ssize_t
+send_to_from(int fd, void *buf, size_t len, int flags,
+ const struct sockaddr *from, const struct sockaddr *to,
+ socklen_t tolen)
+{
+#ifndef IP_PKTINFO
+ return sendto(fd, buf, len, flags, to, tolen);
+#else
+ struct iovec iov[1];
+ struct msghdr msg;
+ char cbuf[LSA_SIZEOF_SA];
+ /* actually, max(sizeof(in_pktinfo),sizeof(in6_pktinfo)) */
+ struct cmsghdr* cmsgptr;
+
+ if (from->sa_family != AF_INET
+#if ENABLE_FEATURE_IPV6
+ && from->sa_family != AF_INET6
+#endif
+ ) {
+ /* ANY local address */
+ return sendto(fd, buf, len, flags, to, tolen);
+ }
+
+ /* man recvmsg and man cmsg is needed to make sense of code below */
+
+ iov[0].iov_base = buf;
+ iov[0].iov_len = len;
+
+ memset(cbuf, 0, sizeof(cbuf));
+
+ memset(&msg, 0, sizeof(msg));
+ msg.msg_name = (void *)(struct sockaddr *)to; /* or compiler will annoy us */
+ msg.msg_namelen = tolen;
+ msg.msg_iov = iov;
+ msg.msg_iovlen = 1;
+ msg.msg_control = cbuf;
+ msg.msg_controllen = sizeof(cbuf);
+ msg.msg_flags = flags;
+
+ cmsgptr = CMSG_FIRSTHDR(&msg);
+ if (to->sa_family == AF_INET && from->sa_family == AF_INET) {
+ struct in_pktinfo *pktptr;
+ cmsgptr->cmsg_level = IPPROTO_IP;
+ cmsgptr->cmsg_type = IP_PKTINFO;
+ cmsgptr->cmsg_len = CMSG_LEN(sizeof(struct in_pktinfo));
+ pktptr = (struct in_pktinfo *)(CMSG_DATA(cmsgptr));
+ /* pktptr->ipi_ifindex = 0; -- already done by memset(cbuf...) */
+ pktptr->ipi_spec_dst = ((struct sockaddr_in*)from)->sin_addr;
+ }
+#if ENABLE_FEATURE_IPV6 && defined(IP6_PKTINFO)
+ else if (to->sa_family == AF_INET6 && from->sa_family == AF_INET6) {
+ struct in6_pktinfo *pktptr;
+ cmsgptr->cmsg_level = IPPROTO_IPV6;
+ cmsgptr->cmsg_type = IP6_PKTINFO;
+ cmsgptr->cmsg_len = CMSG_LEN(sizeof(struct in6_pktinfo));
+ pktptr = (struct in6_pktinfo *)(CMSG_DATA(cmsgptr));
+ /* pktptr->ipi6_ifindex = 0; -- already done by memset(cbuf...) */
+ pktptr->ipi6_addr = ((struct sockaddr_in6*)from)->sin6_addr;
+ }
+#endif
+ return sendmsg(fd, &msg, flags);
+#endif
+}
+
+/* NB: this will never set port# in *to! */
+ssize_t
+recv_from_to(int fd, void *buf, size_t len, int flags,
+ struct sockaddr *from, struct sockaddr *to,
+ socklen_t sa_size)
+{
+#ifndef IP_PKTINFO
+ return recvfrom(fd, buf, len, flags, from, &sa_size);
+#else
+ /* man recvmsg and man cmsg is needed to make sense of code below */
+ struct iovec iov[1];
+ union {
+ char cmsg[CMSG_SPACE(sizeof(struct in_pktinfo))];
+ char cmsg6[CMSG_SPACE(sizeof(struct in6_pktinfo))];
+ } u;
+ struct cmsghdr *cmsgptr;
+ struct msghdr msg;
+ socklen_t recv_length;
+
+ iov[0].iov_base = buf;
+ iov[0].iov_len = len;
+
+ memset(&msg, 0, sizeof(msg));
+ msg.msg_name = (struct sockaddr *)from;
+ msg.msg_namelen = sa_size;
+ msg.msg_iov = iov;
+ msg.msg_iovlen = 1;
+ msg.msg_control = &u;
+ msg.msg_controllen = sizeof(u);
+
+ recv_length = recvmsg(fd, &msg, flags);
+ if (recv_length < 0)
+ return recv_length;
+
+ /* Here we try to retrieve destination IP and memorize it */
+ memset(to, 0, sa_size);
+ for (cmsgptr = CMSG_FIRSTHDR(&msg);
+ cmsgptr != NULL;
+ cmsgptr = CMSG_NXTHDR(&msg, cmsgptr)
+ ) {
+ if (cmsgptr->cmsg_level == IPPROTO_IP
+ && cmsgptr->cmsg_type == IP_PKTINFO
+ ) {
+#define pktinfo(cmsgptr) ( (struct in_pktinfo*)(CMSG_DATA(cmsgptr)) )
+ to->sa_family = AF_INET;
+ ((struct sockaddr_in*)to)->sin_addr = pktinfo(cmsgptr)->ipi_addr;
+ /* ((struct sockaddr_in*)to)->sin_port = 123; */
+#undef pktinfo
+ break;
+ }
+#if ENABLE_FEATURE_IPV6 && defined(IP6_PKTINFO)
+ if (cmsgptr->cmsg_level == IPPROTO_IPV6
+ && cmsgptr->cmsg_type == IP6_PKTINFO
+ ) {
+#define pktinfo(cmsgptr) ( (struct in6_pktinfo*)(CMSG_DATA(cmsgptr)) )
+ to->sa_family = AF_INET6;
+ ((struct sockaddr_in6*)to)->sin6_addr = pktinfo(cmsgptr)->ipi6_addr;
+ /* ((struct sockaddr_in6*)to)->sin6_port = 123; */
+#undef pktinfo
+ break;
+ }
+#endif
+ }
+ return recv_length;
+#endif
+}
diff --git a/ipsvd/udpsvd.c b/ipsvd/udpsvd.c
index 06c4f2e..700e1af 100644
--- a/ipsvd/udpsvd.c
+++ b/ipsvd/udpsvd.c
@@ -22,12 +22,14 @@
#include "busybox.h"
+#include "udp_io.c"
+
unsigned verbose;
static void sig_term_handler(int sig)
{
if (verbose)
- printf("udpsvd: info: sigterm received, exit\n");
+ printf("%s: info: sigterm received, exit\n", applet_name);
exit(0);
}
@@ -37,21 +39,14 @@ int udpsvd_main(int argc, char **argv)
const char *instructs;
char *str_t, *user;
unsigned opt;
-// unsigned lookuphost = 0;
-// unsigned paranoid = 0;
-// unsigned long timeout = 0;
char *remote_hostname;
- char *local_hostname = local_hostname; /* gcc */
+ char *local_hostname = NULL;
char *remote_ip;
char *local_ip = local_ip; /* gcc */
uint16_t local_port, remote_port;
- union {
- struct sockaddr sa;
- struct sockaddr_in sin;
- USE_FEATURE_IPV6(struct sockaddr_in6 sin6;)
- } sock_adr;
- socklen_t sockadr_size;
+ len_and_sockaddr remote;
+ len_and_sockaddr *localp;
int sock;
int wstat;
unsigned pid;
@@ -68,7 +63,7 @@ int udpsvd_main(int argc, char **argv)
OPT_t = (1 << 7),
};
- opt_complementary = "ph:vv";
+ opt_complementary = "-3:ph:vv";
opt = getopt32(argc, argv, "vu:l:hpi:x:t:",
&user, &local_hostname, &instructs, &instructs, &str_t, &verbose);
//if (opt & OPT_x) iscdb =1;
@@ -83,26 +78,29 @@ int udpsvd_main(int argc, char **argv)
if (!argv[0][0] || LONE_CHAR(argv[0], '0'))
argv[0] = (char*)"0.0.0.0";
+ /* stdout is used for logging, don't buffer */
setlinebuf(stdout);
+ bb_sanitize_stdio(); /* fd# 1,2 must be opened */
signal(SIGTERM, sig_term_handler);
signal(SIGPIPE, SIG_IGN);
local_port = bb_lookup_port(argv[1], "udp", 0);
- sock = create_and_bind_dgram_or_die(argv[0], local_port);
+ localp = xhost2sockaddr(argv[0], local_port);
+ sock = xsocket(localp->sa.sa_family, SOCK_DGRAM, 0);
+ xmove_fd(sock, 0); /* fd# 0 is the open UDP socket */
+ xbind(0, &localp->sa, localp->len);
+ socket_want_pktinfo(0);
if (opt & OPT_u) { /* drop permissions */
xsetgid(ugid.gid);
xsetuid(ugid.uid);
}
- bb_sanitize_stdio(); /* fd# 1,2 must be opened */
- close(0);
if (verbose) {
/* we do it only for ":port" cosmetics... oh well */
- len_and_sockaddr *lsa = xhost2sockaddr(argv[0], local_port);
- char *addr = xmalloc_sockaddr2dotted(&lsa->sa, lsa->len);
- printf("udpsvd: info: listening on %s", addr);
+ char *addr = xmalloc_sockaddr2dotted(&localp->sa, localp->len);
+ printf("%s: info: listening on %s", applet_name, addr);
free(addr);
if (option_mask32 & OPT_u)
printf(", uid %u, gid %u",
@@ -111,19 +109,8 @@ int udpsvd_main(int argc, char **argv)
}
again:
-/* io[0].fd = s;
- io[0].events = IOPAUSE_READ;
- io[0].revents = 0;
- taia_now(&now);
- taia_uint(&deadline, 3600);
- taia_add(&deadline, &now, &deadline);
- iopause(io, 1, &deadline, &now);
- if (!(io[0].revents | IOPAUSE_READ))
- goto again;
- io[0].revents = 0;
-*/
- sockadr_size = sizeof(sock_adr);
- if (recvfrom(sock, NULL, 0, MSG_PEEK, &sock_adr.sa, &sockadr_size) == -1) {
+ /* if (recvfrom(0, NULL, 0, MSG_PEEK, &remote.sa, &localp->len) < 0) { */
+ if (recv_from_to(0, NULL, 0, MSG_PEEK, &remote.sa, &localp->sa, localp->len) < 0) {
bb_perror_msg("recvfrom");
goto again;
}
@@ -136,28 +123,38 @@ int udpsvd_main(int argc, char **argv)
while (wait_pid(&wstat, pid) == -1)
bb_perror_msg("error waiting for child");
if (verbose)
- printf("udpsvd: info: end %u\n", pid);
+ printf("%s: info: end %u\n", applet_name, pid);
goto again;
}
/* Child */
-/* if (recvfrom(sock, 0, 0, MSG_PEEK, (struct sockaddr *)&sock_adr, &sockadr_size) == -1)
- drop("unable to read from socket");
-*/
+#if 0
+ /* I'd like to make it so that local addr is fixed to localp->sa,
+ * but how? The below trick doesn't work... */
+ close(0);
+ set_nport(localp, htons(local_port));
+ xmove_fd(xsocket(localp->sa.sa_family, SOCK_DGRAM, 0), 0);
+ xbind(0, &localp->sa, localp->len);
+#endif
+
if (verbose) {
- local_ip = argv[0]; // TODO: recv_from_to!
- local_hostname = (char*)"localhost";
+ local_ip = xmalloc_sockaddr2dotted_noport(&localp->sa, localp->len);
+ if (!local_hostname) {
+ local_hostname = xmalloc_sockaddr2host_noport(&localp->sa, localp->len);
+ if (!local_hostname)
+ bb_error_msg_and_die("cannot look up local hostname for %s", local_ip);
+ }
}
- remote_ip = xmalloc_sockaddr2dotted_noport(&sock_adr.sa, sockadr_size);
- remote_port = get_nport(&sock_adr.sa);
+ remote_ip = xmalloc_sockaddr2dotted_noport(&remote.sa, localp->len);
+ remote_port = get_nport(&remote.sa);
remote_port = ntohs(remote_port);
- if (verbose) {
- printf("udpsvd: info: pid %u from %s\n", pid, remote_ip);
- }
+ if (verbose)
+ printf("%s: info: pid %u from %s\n", applet_name, pid, remote_ip);
+
if (opt & OPT_h) {
- remote_hostname = xmalloc_sockaddr2host(&sock_adr.sa, sizeof(sock_adr));
+ remote_hostname = xmalloc_sockaddr2host(&remote.sa, localp->len);
if (!remote_hostname) {
bb_error_msg("warning: cannot look up hostname for %s", remote_ip);
remote_hostname = (char*)"";
@@ -176,15 +173,15 @@ int udpsvd_main(int argc, char **argv)
if (verbose) {
#if 0
- out("udpsvd: info: ");
+ out("%s: info: ", applet_name);
switch(ac) {
case IPSVD_DENY: out("deny "); break;
case IPSVD_DEFAULT: case IPSVD_INSTRUCT: out("start "); break;
case IPSVD_EXEC: out("exec "); break;
}
#endif
- printf("udpsvd: info: %u %s:%s :%s:%s:%u\n",
- pid, local_hostname, local_ip,
+ printf("%s: info: %u %s:%s :%s:%s:%u\n",
+ applet_name, pid, local_hostname, local_ip,
remote_hostname, remote_ip, remote_port);
#if 0
if (instructs) {
@@ -202,7 +199,7 @@ int udpsvd_main(int argc, char **argv)
#if 0
if (ac == IPSVD_DENY) {
- recv(s, 0, 0, 0);
+ recv(0, 0, 0, 0);
_exit(100);
}
if (ac == IPSVD_EXEC) {
@@ -213,14 +210,98 @@ int udpsvd_main(int argc, char **argv)
run = args;
} else run = prog;
#endif
-
- xmove_fd(sock, 0);
+ /* Make plain write(1) work for the child by supplying default
+ * destination address */
+ xconnect(0, &remote.sa, localp->len);
dup2(0, 1);
signal(SIGTERM, SIG_DFL);
signal(SIGPIPE, SIG_DFL);
- argv += 2;
+ argv += 2;
BB_EXECVP(argv[0], argv);
bb_perror_msg_and_die("exec '%s'", argv[0]);
}
+
+/*
+udpsvd [-hpvv] [-u user] [-l name] [-i dir|-x cdb] [-t sec] host port prog
+
+udpsvd creates an UDP/IP socket, binds it to the address host:port,
+and listens on the socket for incoming datagrams.
+
+If a datagram is available on the socket, udpsvd conditionally starts
+a program, with standard input reading from the socket, and standard
+output redirected to standard error, to handle this, and possibly
+more datagrams. udpsvd does not start the program if another program
+that it has started before still is running. If the program exits,
+udpsvd again listens to the socket until a new datagram is available.
+If there are still datagrams available on the socket, the program
+is restarted immediately.
+
+udpsvd optionally checks for special intructions depending on
+the IP address or hostname of the client sending the datagram which
+not yet was handled by a running program, see ipsvd-instruct(5)
+for details.
+
+Attention:
+UDP is a connectionless protocol. Most programs that handle user datagrams,
+such as talkd(8), keep running after receiving a datagram, and process
+subsequent datagrams sent to the socket until a timeout is reached.
+udpsvd only checks special instructions for a datagram that causes a startup
+of the program; not if a program handling datagrams already is running.
+It doesn't make much sense to restrict access through special instructions
+when using such a program.
+
+On the other hand, it makes perfectly sense with programs like tftpd(8),
+that fork to establish a separate connection to the client when receiving
+the datagram. In general it's adequate to set up special instructions for
+programs that support being run by tcpwrapper.
+Options
+
+host
+ host either is a hostname, or a dotted-decimal IP address, or 0.
+ If host is 0, udpsvd accepts datagrams to any local IP address.
+port
+ udpsvd accepts datagrams to host:port. port may be a name from
+ /etc/services or a number.
+prog
+ prog consists of one or more arguments. udpsvd normally runs prog
+ to handle a datagram, and possibly more, that is sent to the socket,
+ if there is no program that was started before by udpsvd still running
+ and handling datagrams.
+-i dir
+ read instructions for handling new connections from the instructions
+ directory dir. See ipsvd-instruct(5) for details.
+-x cdb
+ read instructions for handling new connections from the constant
+ database cdb. The constant database normally is created from
+ an instructions directory by running ipsvd-cdb(8).
+-t sec
+ timeout. This option only takes effect if the -i option is given.
+ While checking the instructions directory, check the time of last
+ access of the file that matches the clients address or hostname if any,
+ discard and remove the file if it wasn't accessed within the last
+ sec seconds; udpsvd does not discard or remove a file if the user's
+ write permission is not set, for those files the timeout is disabled.
+ Default is 0, which means that the timeout is disabled.
+-l name
+ local hostname. Do not look up the local hostname in DNS, but use name
+ as hostname. By default udpsvd looks up the local hostname once at startup.
+-u user[:group]
+ drop permissions. Switch user ID to user's UID, and group ID to user's
+ primary GID after creating and binding to the socket. If user
+ is followed by a colon and a group name, the group ID is switched
+ to the GID of group instead. All supplementary groups are removed.
+-h
+ Look up the client's hostname in DNS.
+-p
+ paranoid. After looking up the client's hostname in DNS, look up
+ the IP addresses in DNS for that hostname, and forget the hostname
+ if none of the addresses match the client's IP address. You should
+ set this option if you use hostname based instructions. The -p option
+ implies the -h option.
+-v
+ verbose. Print verbose messages to standard output.
+-vv
+ more verbose. Print more verbose messages to standard output.
+*/