Date: Mon, 24 Feb 2014 12:14:17 -0800
From: Xin Li <delphij@delphij.net>
To: Alexander Motin <mav@FreeBSD.org>, freebsd-net@freebsd.org
Subject: Re: rpcbind & TCP wrappers
Message-ID: <530BA819.1080400@delphij.net>
In-Reply-To: <530B996F.4060100@FreeBSD.org>
References: <530B996F.4060100@FreeBSD.org>
On 02/24/14 11:11, Alexander Motin wrote:
> Hi.
>
> I've made a benchmark to test rpcbind performance and discovered
> very interesting numbers: on my test machine our present rpcbind is
> able to handle only 12K RPCs per second, but building it without
> TCP wrappers (libwrap) improves performance to 116K RPCs/sec.
> Obviously hosts.allow parsing for each RPC is too expensive. Since
> rpcbind output is often cached by the clients it may not be so huge
> a problem, but still a 10x difference IMO is worth some decision
> being made there.
>
> I've talked to several people and they agree that it is not very
> useful to protect rpcbind since it is anyway effectively read-only
> for other hosts in the default configuration. Since I expect some
> people may still want it I've implemented a patch disabling TCP
> wrappers in rpcbind by default, but introducing a new command line
> option -t to easily restore the functionality when needed:
> http://people.freebsd.org/~mav/libwrap.patch
>
> Any comments or objections?

I think the new 't' option should be wrapped like 'WSOP' (see attachment for a revised version).

By the way, we need to be careful when changing the defaults, or it creates astonishment (TCP wrappers are supposed to work without restarting the service), but I think this is probably a pain we have to face if we can't make TCP wrappers work faster. If we are going to proceed with the proposed patch, we'd better document it in both UPDATING and release notes.

I do agree that it makes little difference protecting or not protecting rpcbind, though. Actually, I always force it to listen only on the trusted LAN interface if I have to run it, and that's cheaper than TCP wrappers or firewalling the port.
Cheers,
-- 
Xin LI <delphij@delphij.net>    https://www.delphij.net/
FreeBSD - The Power to Serve!   Live free or die

Attachment: rpcbind.diff

Index: etc/hosts.allow =================================================================== --- etc/hosts.allow (revision 262456) +++ etc/hosts.allow (working copy) @@ -60,6 +60,7 @@ exim : localhost : allow exim : ALL : allow # Rpcbind is used for all RPC services; protect your NFS! +# Rpcbind should be running with -t option to support this. # (IP addresses rather than hostnames *MUST* be used here) #rpcbind : 192.0.2.32/255.255.255.224 : allow #rpcbind : 192.0.2.96/255.255.255.224 : allow Index: usr.sbin/rpcbind/rpcbind.8 =================================================================== --- usr.sbin/rpcbind/rpcbind.8 (revision 262456) +++ usr.sbin/rpcbind/rpcbind.8 (working copy) @@ -2,7 +2,7 @@ .\" Copyright 1989 AT&T .\" Copyright 1991 Sun Microsystems, Inc. .\" $FreeBSD$ -.Dd April 23, 2007 +.Dd February 24, 2014 .Dt RPCBIND 8 .Os .Sh NAME 
@@ -133,6 +133,8 @@ to use non-privileged ports for outgoing connectio clients from using .Nm to connect to services from a privileged port. +.It Fl t +Enable TCP Wrappers support. .El .Sh NOTES All RPC servers must be restarted if Index: usr.sbin/rpcbind/rpcbind.c =================================================================== --- usr.sbin/rpcbind/rpcbind.c (revision 262456) +++ usr.sbin/rpcbind/rpcbind.c (working copy) @@ -88,6 +88,9 @@ rpcblist_ptr list_rbl; /* A list of version 3/4 rp int runasdaemon = 0; int insecure = 0; int oldstyle_local = 0; +#ifdef LIBWRAP +int libwrap = 0; +#endif int verboselog = 0; char **hosts = NULL; @@ -785,7 +788,12 @@ parseargs(int argc, char *argv[]) #else #define WSOP "" #endif - while ((c = getopt(argc, argv, "6adh:iLls" WSOP)) != -1) { +#ifdef LIBWRAP +#define WRAPOP "t" +#else +#define WRAPOP "" +#endif + while ((c = getopt(argc, argv, "6adh:iLls" WRAPOP WSOP)) != -1) { switch (c) { case '6': ipv6_only = 1; @@ -818,6 +826,11 @@ parseargs(int argc, char *argv[]) case 's': runasdaemon = 1; break; +#ifdef LIBWRAP + case 't': + libwrap = 1; + break; +#endif #ifdef WARMSTART case 'w': warmstart = 1; @@ -825,8 +838,8 @@ parseargs(int argc, char *argv[]) #endif default: /* error */ fprintf(stderr, - "usage: rpcbind [-6adiLls%s] [-h bindip]\n", - WSOP); + "usage: rpcbind [-6adiLls%s%s] [-h bindip]\n", + WRAPOP, WSOP); exit (1); } } Index: usr.sbin/rpcbind/rpcbind.h =================================================================== --- usr.sbin/rpcbind/rpcbind.h (revision 262456) +++ usr.sbin/rpcbind/rpcbind.h (working copy) @@ -66,6 +66,9 @@ struct r_rmtcall_args { extern int debugging; extern int doabort; +#ifdef LIBWRAP +extern int libwrap; +#endif extern int verboselog; extern int insecure; extern int oldstyle_local; Index: usr.sbin/rpcbind/security.c =================================================================== --- usr.sbin/rpcbind/security.c (revision 262456) +++ usr.sbin/rpcbind/security.c (working copy) 
@@ -108,13 +108,15 @@ check_access(SVCXPRT *xprt, rpcproc_t proc, void * } #ifdef LIBWRAP - if (addr->sa_family == AF_LOCAL) - return 1; - request_init(&req, RQ_DAEMON, "rpcbind", RQ_CLIENT_SIN, addr, 0); - sock_methods(&req); - if(!hosts_access(&req)) { - logit(deny_severity, addr, proc, prog, ": request from unauthorized host"); - return 0; + if (libwrap && addr->sa_family != AF_LOCAL) { + request_init(&req, RQ_DAEMON, "rpcbind", RQ_CLIENT_SIN, addr, + 0); + sock_methods(&req); + if(!hosts_access(&req)) { + logit(deny_severity, addr, proc, prog, + ": request from unauthorized host"); + return 0; + } } #endif if (verboselog)
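Review bot: in the etc/hosts.allow hunk, the added comment `# Rpcbind should be running with -t option to support this.` states the requirement but not the consequence, and the `#rpcbind : 192.0.2.32/255.255.255.224 : allow` examples right below still read as if uncommenting them were enough. Say plainly that rpcbind now ignores these rules unless it is started with -t (and that the option only exists when rpcbind is built with LIBWRAP), for example `# rpcbind consults these rules only when started with the -t option.`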
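Review bot: in the rpcbind.8 hunk at line 133, the one-line description "Enable TCP Wrappers support." is too thin for an option that changes a long-standing default: state that hosts_access(5) checks on incoming requests are now off by default, that with -t the rpcbind rules in /etc/hosts.allow are applied to requests arriving over the network (never to local-socket requests, per the security.c change), and that the flag exists only when built with LIBWRAP, matching the `WRAPOP` conditional in rpcbind.c. The SYNOPSIS is outside this hunk; check that it lists -t as well so it agrees with the updated usage string.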
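Review bot: in the rpcbind.c hunk at line 88 (and the matching extern in rpcbind.h), the global `int libwrap = 0;` is named after the library rather than the setting, so `if (libwrap && ...)` in security.c reads as "if libwrap is present" instead of "if wrapper checks are enabled"; a name such as `use_libwrap` would make the new default easier to read at the call site, and a short comment on the declaration saying it is set by -t would help the next reader.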
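Review bot: in the security.c hunk, the old `if (addr->sa_family == AF_LOCAL) return 1;` early return is gone, so local-socket requests now fall through the new `if (libwrap && addr->sa_family != AF_LOCAL)` block into the `if (verboselog)` code that follows, whereas before they returned ahead of it. If logging local requests under verboselog is intended, say so in the commit message; otherwise keep the early return in front of the new block. Either way the message should spell out that without -t the whole hosts_access() path is skipped, since that is the behaviour change UPDATING and the release notes need to carry.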
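The thread discusses two things at once: what check_access() decides for a request once the -t gate is in place (local socket, wrappers disabled, or a hosts.allow lookup), and why that lookup is expensive (libwrap's hosts_access() re-reads and parses hosts.allow on every call, which is also why the rules take effect without a restart). The following is an added example, not code from the posted patch or from rpcbind: it models the post-patch decision over a rule table parsed once, handling only the `daemon : addr/mask : allow|deny` line form (plus `ALL`) that the hosts.allow hunk uses. It assumes the hosts_access(5) matching rule that the first matching entry wins and that no match grants access when hosts.deny is empty; the function names, the `MAX_RULES` limit and the sample rules are this example's own, and the sample networks are constructed to mirror the commented-out examples in the patched file.

```c
/*
 * Added example, not code from the posted patch or from rpcbind: a model of
 * the decision check_access() makes once the -t gate is in place.  Rules are
 * parsed once into a table, whereas the real hosts_access() re-reads
 * hosts.allow on every call (the per-RPC cost measured in the thread).  Only
 * "daemon : addr/mask : allow|deny" lines (plus ALL) are handled; hostnames
 * and hosts.deny are left out.  All names are this example's own.
 */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#define MAX_RULES 16
struct rule {
    char daemon[32];
    uint32_t net, mask;   /* network byte order; mask 0 means ALL */
    int allow;            /* 1 = allow, 0 = deny */
};

static struct rule rules[MAX_RULES];
static int nrules;

/* Parse "a.b.c.d/m.m.m.m" into net/mask (network byte order); 0 on success. */
static int parse_netmask(const char *spec, uint32_t *net, uint32_t *mask)
{
    char buf[64], *slash;
    struct in_addr a, m;
    if (strlen(spec) >= sizeof buf) return -1;
    strcpy(buf, spec);
    if ((slash = strchr(buf, '/')) == NULL) return -1;
    *slash++ = '\0';
    if (inet_pton(AF_INET, buf, &a) != 1 || inet_pton(AF_INET, slash, &m) != 1)
        return -1;
    *mask = m.s_addr;
    *net = a.s_addr & m.s_addr;
    return 0;
}

/* Strip leading and trailing blanks in place. */
static char *trim(char *s)
{
    char *end;
    while (*s == ' ' || *s == '\t') s++;
    end = s + strlen(s);
    while (end > s && (end[-1] == ' ' || end[-1] == '\t' || end[-1] == '\r'))
        *--end = '\0';
    return s;
}

/* Load hosts.allow-style text, skipping comments and blank lines.
 * Returns the rule count, or -1 on a malformed line. */
int load_rules(const char *text)
{
    static char copy[4096];
    char *line, *next;
    nrules = 0;
    if (strlen(text) >= sizeof copy) return -1;
    strcpy(copy, text);
    for (line = copy; line != NULL; line = next) {
        char *daemon, *client, *action;
        struct rule *r = &rules[nrules];   /* only dereferenced after the bound check */
        if ((next = strchr(line, '\n')) != NULL) *next++ = '\0';
        daemon = trim(line);
        if (*daemon == '\0' || *daemon == '#') continue;
        if (nrules == MAX_RULES) return -1;
        if ((client = strchr(daemon, ':')) == NULL) return -1;  *client++ = '\0';
        if ((action = strchr(client, ':')) == NULL) return -1;  *action++ = '\0';
        client = trim(client);  action = trim(action);
        snprintf(r->daemon, sizeof r->daemon, "%s", trim(daemon));
        if (strcmp(client, "ALL") == 0) r->net = r->mask = 0;
        else if (parse_netmask(client, &r->net, &r->mask) != 0) return -1;
        if (strcmp(action, "allow") == 0) r->allow = 1;
        else if (strcmp(action, "deny") == 0) r->allow = 0;
        else return -1;
        nrules++;
    }
    return nrules;
}

/* The post-patch decision: local-socket requests are never wrapped; without
 * -t (libwrap_enabled == 0) everything is granted; otherwise the first rule
 * matching (daemon, client) wins and no match grants, as hosts_access(5) does
 * with an empty hosts.deny.  Returns 1 = grant, 0 = refuse, -1 = bad address. */
int rpcbind_access(int family, const char *client_ip, int libwrap_enabled)
{
    struct in_addr a;  int i;
    if (family == AF_LOCAL || !libwrap_enabled) return 1;
    if (inet_pton(AF_INET, client_ip, &a) != 1) return -1;
    for (i = 0; i < nrules; i++) {
        const struct rule *r = &rules[i];
        if (strcmp(r->daemon, "rpcbind") != 0 && strcmp(r->daemon, "ALL") != 0)
            continue;
        if ((a.s_addr & r->mask) == r->net) return r->allow;
    }
    return 1;
}

/* Constructed sample; the networks mirror the commented-out hosts.allow examples. */
const char sample_rules[] =
    "# constructed sample in hosts.allow syntax\n"
    "rpcbind : 192.0.2.32/255.255.255.224 : allow\n"
    "rpcbind : 192.0.2.96/255.255.255.224 : allow\n"
    "rpcbind : ALL : deny\n";
```

After `load_rules(sample_rules)`, `rpcbind_access(AF_INET, "192.0.2.40", 1)` grants (first network), `rpcbind_access(AF_INET, "192.0.2.64", 1)` refuses (falls to the `ALL : deny` line) and the same peer with the third argument 0 grants, which is the -t-less default the patch introduces. Parsing once and matching against a table is what keeps the per-request cost flat here; the trade-off, noted in the thread, is that the live file is no longer consulted on each request, so a daemon taking this route needs a reload path (signal or restart) that libwrap users do not currently need.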
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?530BA819.1080400>