diff options
| author | Laurent Bercot <ska-skaware@skarnet.org> | 2015-01-07 19:01:26 +0000 |
|---|---|---|
| committer | Laurent Bercot <ska-skaware@skarnet.org> | 2015-01-07 19:01:26 +0000 |
| commit | e9be34c9b798141dd6c224cf33934904935c49b2 (patch) | |
| tree | 969c243f85ef02d88bc4f54d9ab14cd323b7e9aa | |
| parent | e3aeb3b63b9996bd06c20861e1dac1c9421d9312 (diff) | |
| download | s6-networking-e9be34c9b798141dd6c224cf33934904935c49b2.tar.xz | |
Complete conversion of s6-ipcserver and s6-tcpserver (4 and 6)
to socketbinder + d model. With documentation (!)
| -rw-r--r-- | doc/s6-ipcserver-access.html | 2 | ||||
| -rw-r--r-- | doc/s6-ipcserver-socketbinder.html | 71 | ||||
| -rw-r--r-- | doc/s6-ipcserver.html | 91 | ||||
| -rw-r--r-- | doc/s6-ipcserverd.html | 131 | ||||
| -rw-r--r-- | doc/s6-sudod.html | 3 | ||||
| -rw-r--r-- | doc/s6-tcpserver-access.html | 9 | ||||
| -rw-r--r-- | doc/s6-tcpserver4-socketbinder.html | 70 | ||||
| -rw-r--r-- | doc/s6-tcpserver4d.html | 112 | ||||
| -rw-r--r-- | doc/s6-tcpserver6-socketbinder.html | 70 | ||||
| -rw-r--r-- | doc/s6-tcpserver6d.html | 112 | ||||
| -rw-r--r-- | src/conn-tools/s6-ipcserver.c | 4 | ||||
| -rw-r--r-- | src/conn-tools/s6-ipcserverd.c | 10 | ||||
| -rw-r--r-- | src/conn-tools/s6-tcpserver.c | 129 | ||||
| -rw-r--r-- | src/conn-tools/s6-tcpserver4.c | 463 | ||||
| -rw-r--r-- | src/conn-tools/s6-tcpserver6.c | 461 |
15 files changed, 911 insertions, 827 deletions
diff --git a/doc/s6-ipcserver-access.html b/doc/s6-ipcserver-access.html index 817425b..515138c 100644 --- a/doc/s6-ipcserver-access.html +++ b/doc/s6-ipcserver-access.html @@ -22,7 +22,7 @@ control tool for Unix domain sockets on systems where the <a href="http://www.superscript.com/ucspi-ipc/getpeereid.html">getpeereid()</a> system call can be implemented. It is meant to be run after -<a href="s6-ipcserver.html">s6-ipcserver</a> and before +<a href="s6-ipcserverd.html">s6-ipcserverd</a> and before the application program on the s6-ipcserver command line. </p> diff --git a/doc/s6-ipcserver-socketbinder.html b/doc/s6-ipcserver-socketbinder.html new file mode 100644 index 0000000..04670cd --- /dev/null +++ b/doc/s6-ipcserver-socketbinder.html @@ -0,0 +1,71 @@ +<html> + <head> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <meta http-equiv="Content-Language" content="en" /> + <title>s6-networking: the s6-ipcserver-socketbinder program</title> + <meta name="Description" content="s6-networking: the s6-ipcserver-socketbinder program" /> + <meta name="Keywords" content="s6-networking s6-ipcserver-socketbinder ipcserver ucspi socket bind listen" /> + <!-- <link rel="stylesheet" type="text/css" href="http://skarnet.org/default.css" /> --> + </head> +<body> + +<p> +<a href="index.html">s6-networking</a><br /> +<a href="http://skarnet.org/software/">Software</a><br /> +<a href="http://skarnet.org/">skarnet.org</a> +</p> + +<h1> The <tt>s6-ipcserver-socketbinder</tt> program </h1> + +<p> +<tt>s6-ipcserver-socketbinder</tt> binds a Unix domain +socket, then executes a program. +</p> + +<h2> Interface </h2> + +<pre> + s6-ipcserver-socketbinder [ -d | -D ] [ -b <em>backlog</em> ] <em>path</em> <em>prog...</em> +</pre> + +<ul> + <li> s6-ipcserver-socketbinder creates a Unix domain socket of type SOCK_STREAM +and binds it to <em>path</em>. It prepares the socket to accept +connections by calling +<a href="http://pubs.opengroup.org/onlinepubs/9699919799/functions/listen.html">listen()</a>. </li> + <li> It then execs into <em>prog...</em> with the open socket +as its standard input. </li> + +<h2> Options </h2> + +<ul> + <li> <tt>-d</tt> : allow instant rebinding to the same path +even if it has been used not long ago - this is the SO_REUSEADDR flag to +<a href="http://pubs.opengroup.org/onlinepubs/9699919799/functions/setsockopt.html">setsockopt()</a> +and is generally used with server programs. This is the default. Note that +<em>path</em> will be deleted if it already exists at program start time. </li> + <li> <tt>-D</tt> : disallow instant rebinding to the same path. </li> + <li> <tt>-b <em>backlog</em></tt> : set a maximum of +<em>backlog</em> backlog connections on the socket. Extra +connection attempts will rejected by the kernel. </li> +</ul> + +<h2> Notes </h2> + +<ul> + <li> s6-ipcserver-socketbinder is part of a set of basic blocks used to +build a flexible Unix super-server. It normally should be given a +command line crafted to make it execute into +<a href="s6-ipcserverd.html">s6-ipcserverd</a> to accept connections +from clients, or into a program such as +<a href="http://skarnet.org/software/s6/s6-applyuidgid.html">s6-applyuidgid</a> +to drop privileges before doing so. </li> + <li> The <a href="s6-ipcserver.html">s6-ipcserver</a> program does +exactly this. It implements +a full Unix super-server by building a command line starting with +s6-ipcserver-socketbinder and ending with s6-ipcserverd followed by the +application program, and executing into it. </li> +</ul> + +</body> +</html> diff --git a/doc/s6-ipcserver.html b/doc/s6-ipcserver.html index 331b139..4b52888 100644 --- a/doc/s6-ipcserver.html +++ b/doc/s6-ipcserver.html @@ -32,7 +32,8 @@ program to handle each connection. </pre> <ul> - <li> s6-ipcserver binds to a Unix domain socket on <em>path</em>. </li> + <li> s6-ipcserver binds a Unix domain socket to <em>path</em>. </li> + <li> It can drop its root privileges. </li> <li> It closes its stdin and stdout. </li> <li> For every client connection to this socket, it forks. The child sets some environment variables, then @@ -41,32 +42,36 @@ stdout writing to it. </li> <li> Depending on the verbosity level, it logs what it does to stderr. </li> <li> It runs until killed by a signal. Depending on the received signal, it may kill its children before exiting. </li> + <li> s6-ipcserver actually doesn't do any of this itself. It is +a wrapper, rewriting the command line and executing into a chain +of programs that perform those duties. </li> </ul> -<h2> Environment variables </h2> - -<p> - For each connection, an instance of <em>prog...</em> is spawned with -the following variables set: -</p> +<h2> Implementation </h2> <ul> - <li> PROTO: always set to IPC </li> - <li> IPCREMOTEEUID: set to the effective UID of the client, -unless credentials lookups have been disabled </li> - <li> IPCREMOTEEGID: set to the effective GID of the client, -unless credentials lookups have been disabled </li> - <li> IPCREMOTEPATH: set to the path associated with the remote socket, -if any. Be aware that it may contain arbitrary characters. </li> - <li> IPCCONNNUM: set to the number of connections originating from -the same user (i.e. same uid) </li> + <li> s6-ipcserver parses the options and arguments it is given, and +builds a new command line with them. It then executes into that new +command line. </li> + <li> The first program s6-ipcserver executes into is +<a href="s6-ipcserver-socketbinder.html">s6-ipcserver-socketbinder</a>. +It will create and bind a Unix domain socket to <em>path</em>, then +execute into the rest of the command line. </li> + <li> If a privilege-dropping operation has been requested, the +program that s6-ipcserver-socketbinder executes into is +<a href="http://skarnet.org/software/s6/s6-applyuidgid.html">s6-applyuidgid</a>. +It will drop the root privileges, then execute into the rest of the +command line. </li> + <li> The next program in the chain is +<a href="s6-ipcserverd.html">s6-ipcserverd</a>. It is executed into +by s6-applyuidgid, or directly by s6-ipcserver-socketbinder if no +privilege-dropping operation has been requested. s6-ipcserverd is +the long-lived process, the "daemon" itself, accepting connections +from clients. </li> + <li> For every client, s6-ipcserverd will spawn an instance of +<em>prog...</em>, the remainder of the command line. </li> </ul> -<p> - If client credentials lookup has been disabled, IPCREMOTEEUID and -IPCREMOTEEUID will be set, but empty. -</p> - <h2> Options </h2> @@ -123,25 +128,45 @@ program to easily script a service that binds to a privileged socket then drops its privileges to those of a named non-root account. </li> </ul> -<h2> Signals </h2> +<h2> Implementation </h2> <ul> - <li> SIGTERM: exit. </li> - <li> SIGHUP: send a SIGTERM and a SIGCONT to all children. </li> - <li> SIGQUIT: send a SIGTERM and a SIGCONT to all children, then exit. </li> - <li> SIGABRT: send a SIGKILL to all children, then exit. </li> + <li> s6-ipcserver parses the options and arguments it is given, and +builds a new command line with them. It then executes into that new +command line. </li> + <li> The first program s6-ipcserver executes into is +<a href="s6-ipcserver-socketbinder.html">s6-ipcserver-socketbinder</a>. +It will create and bind a Unix domain socket to <em>path</em>, then +execute into the rest of the command line. </li> + <li> If a privilege-dropping operation has been requested, the +program that s6-ipcserver-socketbinder executes into is +<a href="http://skarnet.org/software/s6/s6-applyuidgid.html">s6-applyuidgid</a>. +It will drop the root privileges, then execute into the rest of the +command line. </li> + <li> The next program in the chain is +<a href="s6-ipcserverd.html">s6-ipcserverd</a>. It is executed into +by s6-applyuidgid, or directly by s6-ipcserver-socketbinder if no +privilege-dropping operation has been requested. s6-ipcserverd is +the long-lived process, the "daemon" itself, accepting connections +from clients. </li> + <li> For every client, s6-ipcserverd will spawn an instance of +<em>prog...</em>, the remainder of the command line. </li> </ul> <h2> Notes </h2> <ul> - <li> Unlike his close cousin -<a href="http://www.superscript.com/ucspi-ipc/ipcserver.html">ipcserver</a>, -s6-ipcserver does not perform operations such as access control. Those are -delegated to the -<a href="s6-ipcserver-access.html">s6-ipcserver-access</a> program. </li> - <li> s6-ipcserver can be used to set up -<a href="localservice.html">local services</a>. </li> + <li> s6-ipcserver does not interpret its options itself. It just +dispatches them to the appropriate program on the command line that +it builds. </li> + <li> In previous releases of s6-networking, s6-ipcserver was +monolithic: it did the work of s6-ipcserver-socketbinder, +s6-applyuidgid and s6-ipcserverd itself. The functionality has now +been split into several different programs because some service startup +schemes require the daemon to get its socket from an external +program instead of creating and binding it itself. The most obvious +application of this is upgrading a long-lived process without +losing existing connections. </li> </ul> </body> diff --git a/doc/s6-ipcserverd.html b/doc/s6-ipcserverd.html new file mode 100644 index 0000000..916de12 --- /dev/null +++ b/doc/s6-ipcserverd.html @@ -0,0 +1,131 @@ +<html> + <head> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <meta http-equiv="Content-Language" content="en" /> + <title>s6-networking: the s6-ipcserverd program</title> + <meta name="Description" content="s6-networking: the s6-ipcserverd program" /> + <meta name="Keywords" content="s6-networking s6-ipcserverd ipcserver ucspi unix server super-server" /> + <!-- <link rel="stylesheet" type="text/css" href="http://skarnet.org/default.css" /> --> + </head> +<body> + +<p> +<a href="index.html">s6-networking</a><br /> +<a href="http://skarnet.org/software/">Software</a><br /> +<a href="http://skarnet.org/">skarnet.org</a> +</p> + +<h1> The <tt>s6-ipcserverd</tt> program </h1> + +<p> +<tt>s6-ipcserverd</tt> is the serving part of the +<a href="s6-ipcserver.html">s6-ipcserver</a> super-server. +It assumes that its stdin is a bound and listening Unix +domain socket, and +it accepts connections from clients connecting to it, forking a +program to handle each connection. +</p> + +<h2> Interface </h2> + +<pre> + s6-ipcserverd [ -1 ] [ -v verbosity ] [ -P | -p ] [ -c <em>maxconn</em> ] [ -C <em>localmaxconn</em> ] <em>prog...</em> +</pre> + +<ul> + <li> s6-ipcserverd accepts connections from clients to an already +bound and listening SOCK_STREAM Unix domain socket which is its +standard input. </li> + <li> For every client connection to this socket, it +forks. The child sets some environment variables, then +executes <em>prog...</em> with stdin reading from the socket and +stdout writing to it. </li> + <li> Depending on the verbosity level, it logs what it does to stderr. </li> + <li> It runs until killed by a signal. Depending on the received +signal, it may kill its children before exiting. </li> +</ul> + +<h2> Environment variables </h2> + +<p> + For each connection, an instance of <em>prog...</em> is spawned with +the following variables set: +</p> + +<ul> + <li> PROTO: always set to IPC </li> + <li> IPCREMOTEEUID: set to the effective UID of the client, +unless credentials lookups have been disabled </li> + <li> IPCREMOTEEGID: set to the effective GID of the client, +unless credentials lookups have been disabled </li> + <li> IPCREMOTEPATH: set to the path associated with the remote socket, +if any. Be aware that it may contain arbitrary characters. </li> + <li> IPCCONNNUM: set to the number of connections originating from +the same user (i.e. same uid) </li> +</ul> + +<p> + If client credentials lookup has been disabled, IPCREMOTEEUID and +IPCREMOTEEUID will be set, but empty. +</p> + + +<h2> Options </h2> + +<ul> + <li> <tt>-1</tt> : write a newline to stdout, and close stdout, +right before entering the client-accepting loop. +If stdout is suitably redirected, this can be used by monitoring +programs to check when the server is accepting connections. +The <a href="http://skarnet.org/software/s6/s6-notifywhenup.html">s6-notifywhenup</a> +program can be used before the s6-ipcserver +invocation to notify listeners when the server is ready. </li> + <li> <tt>-v <em>verbosity</em></tt> : be more or less +verbose. <em>verbosity</em> can be 0 (quiet), 1 (normal), or 2 +(verbose). </li> + <li> <tt>-P</tt> : disable client credentials lookups. The +IPCREMOTEEUID and IPCREMOTEEGID environment variables will be unset +in every instance of <em>prog...</em>. This is the portable option, +because not every system supports credential lookup across Unix domain +sockets; but it is not as secure. </li> + <li> <tt>-p</tt> : enable client credentials lookups. This +is the default; it works at least on Linux, Solaris, and +*BSD systems. On systems that do not support it, every connection +attempt will fail with a warning message. </li> + <li> <tt>-c <em>maxconn</em></tt> : accept at most +<em>maxconn</em> concurrent connections. Default is 40. It is +impossible to set it higher than 1000. </li> + <li> <tt>-C <em>localmaxconn</em></tt> : accept at most +<em>localmaxconn</em> connections from the same user ID. +Default is 40. It is impossible to set it higher than <em>maxconn</em>. </li> +</ul> + +<h2> Signals </h2> + +<ul> + <li> SIGTERM: exit. </li> + <li> SIGHUP: send a SIGTERM and a SIGCONT to all children. </li> + <li> SIGQUIT: send a SIGTERM and a SIGCONT to all children, then exit. </li> + <li> SIGABRT: send a SIGKILL to all children, then exit. </li> +</ul> + +<h2> Notes </h2> + +<ul> + <li> Unlike his close cousin +<a href="http://www.superscript.com/ucspi-ipc/ipcserver.html">ipcserver</a>, +s6-ipcserverd does not perform operations such as access control. Those are +delegated to the +<a href="s6-ipcserver-access.html">s6-ipcserver-access</a> program. </li> + <li> s6-ipcserverd can be used to set up +<a href="localservice.html">local services</a>. </li> + <li> s6-ipcserverd is meant to be execve'd into by a program that gets +the listening socket. That program is normally +<a href="s6-ipcserver-socketbinder.html">s6-ipcserver-socketbinder</a>, +which creates the socket itself; but it can be a different one if the +socket is to be retrieved by another means, for instance by fd-passing +from a fd-holding daemon (some people call this "socket activation"). </li> +</ul> + +</body> +</html> diff --git a/doc/s6-sudod.html b/doc/s6-sudod.html index d896d87..c783736 100644 --- a/doc/s6-sudod.html +++ b/doc/s6-sudod.html @@ -124,6 +124,9 @@ VAR variable will be removed from the environment.) </li> and file descriptors over the socket. </li> <li> s6-sudod spawns <tt>sargv cargv</tt>. </li> </ul> + (Actually, <a href="s6-ipcserver.html">s6-ipcserver</a> does not do this +itself: it executes into other programs that each do one of the tasks. But for +our example, it does not matter.) </li> </ul> <p> diff --git a/doc/s6-tcpserver-access.html b/doc/s6-tcpserver-access.html index cb758d9..a89d9e3 100644 --- a/doc/s6-tcpserver-access.html +++ b/doc/s6-tcpserver-access.html @@ -36,7 +36,10 @@ just like tcpwrappers' <tt>tcpd</tt> program. <li> s6-tcpserver-access checks it is run under a UCSPI server tool such as <a href="s6-tcpserver.html">s6-tcpserver</a>, <a href="s6-tcpserver4.html">s6-tcpserver4</a> or - <a href="s6-tcpserver6.html">s6-tcpserver6</a>. </li> + <a href="s6-tcpserver6.html">s6-tcpserver6</a>, or their + stripped-down versions + <a href="s6-tcpserver4d.html">s6-tcpserver4d</a> or + <a href="s6-tcpserver6d.html">s6-tcpserver6d</a>. </li> <li> It checks that the remote end of the connection fits the accepted criteria defined by the database contained in <em>rulesdir</em> or <em>rulesfile</em>. If the database tells it to reject the connection, @@ -224,9 +227,9 @@ environment modifications, if any, s6-tcpserver-access execs into <ul> <li> s6-tcpserver-access works with -<a href="s6-tcpserver4.html">s6-tcpserver4</a>, handling IPv4 addresses, +<a href="s6-tcpserver4d.html">s6-tcpserver4d</a>, handling IPv4 addresses, as well as -<a href="s6-tcpserver6.html">s6-tcpserver6</a>, handling IPv6 addresses. +<a href="s6-tcpserver6d.html">s6-tcpserver6d</a>, handling IPv6 addresses. It will automatically detect the remote address type and match it against the correct subdatabase. </li> <li> s6-tcpserver-access may perform several DNS queries. For efficiency diff --git a/doc/s6-tcpserver4-socketbinder.html b/doc/s6-tcpserver4-socketbinder.html new file mode 100644 index 0000000..5cbbb07 --- /dev/null +++ b/doc/s6-tcpserver4-socketbinder.html @@ -0,0 +1,70 @@ +<html> + <head> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <meta http-equiv="Content-Language" content="en" /> + <title>s6-networking: the s6-tcpserver4-socketbinder program</title> + <meta name="Description" content="s6-networking: the s6-tcpserver4-socketbinder program" /> + <meta name="Keywords" content="s6-networking s6-tcpserver4-socketbinder tcpserver ucspi inet ipv4 socket bind listen" /> + <!-- <link rel="stylesheet" type="text/css" href="http://skarnet.org/default.css" /> --> + </head> +<body> + +<p> +<a href="index.html">s6-networking</a><br /> +<a href="http://skarnet.org/software/">Software</a><br /> +<a href="http://skarnet.org/">skarnet.org</a> +</p> + +<h1> The <tt>s6-tcpserver4-socketbinder</tt> program </h1> + +<p> +<tt>s6-tcpserver4-socketbinder</tt> binds an INET domain +socket to an IPv4 address and port, then executes a program. +</p> + +<h2> Interface </h2> + +<pre> + s6-tcpserver4-socketbinder [ -d | -D ] [ -b <em>backlog</em> ] <em>ip</em> <em>port</em> <em>prog...</em> +</pre> + +<ul> + <li> s6-tcpserver4-socketbinder creates an TCP socket +and binds it to IPv4 address <em>ip</em>, port <em>port</em>. +It prepares the socket to accept connections by calling +<a href="http://pubs.opengroup.org/onlinepubs/9699919799/functions/listen.html">listen()</a>. </li> + <li> It then execs into <em>prog...</em> with the open socket +as its standard input. </li> + +<h2> Options </h2> + +<ul> + <li> <tt>-d</tt> : allow instant rebinding to the same IP and port +even if it has been used not long ago - this is the SO_REUSEADDR flag to +<a href="http://pubs.opengroup.org/onlinepubs/9699919799/functions/setsockopt.html">setsockopt()</a> +and is generally used with server programs. This is the default. </li> + <li> <tt>-D</tt> : disallow instant rebinding to the same path. </li> + <li> <tt>-b <em>backlog</em></tt> : set a maximum of +<em>backlog</em> backlog connections on the socket. Extra +connection attempts will rejected by the kernel. </li> +</ul> + +<h2> Notes </h2> + +<ul> + <li> s6-tcpserver4-socketbinder is part of a set of basic blocks used to +build a flexible TCP/IPv4 super-server. It normally should be given a +command line crafted to make it execute into +<a href="s6-tcpserver4d.html">s6-tcpserver4d</a> to accept connections +from clients, or into a program such as +<a href="http://skarnet.org/software/s6/s6-applyuidgid.html">s6-applyuidgid</a> +to drop privileges before doing so. </li> + <li> The <a href="s6-tcpserver4.html">s6-tcpserver4</a> program does +exactly this. It implements +a full TCP/IPv4 super-server by building a command line starting with +s6-tcpserver4-socketbinder and ending with s6-tcpserver4d followed by the +application program, and executing into it. </li> +</ul> + +</body> +</html> diff --git a/doc/s6-tcpserver4d.html b/doc/s6-tcpserver4d.html new file mode 100644 index 0000000..018b921 --- /dev/null +++ b/doc/s6-tcpserver4d.html @@ -0,0 +1,112 @@ +<html> + <head> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <meta http-equiv="Content-Language" content="en" /> + <title>s6-networking: the s6-tcpserver4d program</title> + <meta name="Description" content="s6-networking: the s6-tcpserver4d program" /> + <meta name="Keywords" content="s6-networking s6-tcpserver4d tcpserver ucspi tcp server super-server ipv4" /> + <!-- <link rel="stylesheet" type="text/css" href="http://skarnet.org/default.css" /> --> + </head> +<body> + +<p> +<a href="index.html">s6-networking</a><br /> +<a href="http://skarnet.org/software/">Software</a><br /> +<a href="http://skarnet.org/">skarnet.org</a> +</p> + +<h1> The <tt>s6-tcpserver4d</tt> program </h1> + +<p> +<tt>s6-tcpserver4d</tt> is the serving part of the +<a href="s6-tcpserver4.html">s6-tcpserver4</a> super-server. +It assumes that its stdin is a bound and listening TCP/IPv4 socket, +and it accepts connections from clients connecting to it, +forking a program to handle each connection. +</p> + +<h2> Interface </h2> + +<pre> + s6-tcpserver4d [ -1 ] [ -v <em>verbosity</em> ] [ -c <em>maxconn</em> ] [ -C <em>localmaxconn</em> ] <em>prog...</em> +</pre> + +<ul> + <li> s6-tcpserver4d accepts connections from clients to an already +bound and listening TCP socket which is its standard input. </li> + <li> For every TCP connection to this socket, it +forks. The child sets some environment variables, then +executes <em>prog...</em> with stdin reading from the network +socket and stdout writing to it. </li> + <li> Depending on the verbosity level, it logs what it does to stderr. </li> + <li> It runs until killed by a signal. Depending on the received +signal, it may kill its children before exiting. </li> +</ul> + +<h2> Environment variables </h2> + +<p> + For each connection, an instance of <em>prog...</em> is spawned with +the following variables set: +</p> + +<ul> + <li> PROTO: always set to TCP </li> + <li> TCPREMOTEIP: set to the originating address </li> + <li> TCPREMOTEPORT: set to the originating port </li> + <li> TCPCONNNUM: set to the number of connections originating from +the same IP address </li> +</ul> + +<h2> Options </h2> + +<ul> + <li> <tt>-1</tt> : write a newline to stdout, and close stdout, +right before entering the client-accepting loop. +If stdout is suitably redirected, this can be used by monitoring +programs to check when the server is accepting connections. +The <a href="http://skarnet.org/software/s6/s6-notifywhenup.html">s6-notifywhenup</a> +program can be used before the s6-tcpserver +invocation to notify listeners when the server is ready. </li> + <li> <tt>-v <em>verbosity</em></tt> : be more or less verbose. +By default, <em>verbosity</em> is 1: print warning messages to stderr. +0 means only print fatal error messages ; 2 means print status and +connection information for every client. </li> + <li> <tt>-c <em>maxconn</em></tt> : accept at most +<em>maxconn</em> concurrent connections. Default is 40. It is +impossible to set it higher than 1000. </li> + <li> <tt>-C <em>localmaxconn</em></tt> : accept at most +<em>localmaxconn</em> connections from the same IP address. +Default is 40. It is impossible to set it higher than <em>maxconn</em>. </li> +</ul> + +<h2> Signals </h2> + +<ul> + <li> SIGTERM: exit. </li> + <li> SIGHUP: send a SIGTERM and a SIGCONT to all children. </li> + <li> SIGQUIT: send a SIGTERM and a SIGCONT to all children, then exit. </li> + <li> SIGABRT: send a SIGKILL to all children, then exit. </li> +</ul> + +<h2> Notes </h2> + +<ul> + <li> Unlike its ancestor +<a href="http://cr.yp.to/ucspi-tcp/tcpserver.html">tcpserver</a>, +s6-tcpserver4d performs just the bare minimum: the point is to have a +very small and very fast process to serve connections with the least +possible overhead. Features such as additional environment variables, +access control and DNS resolution are provided +via the <a href="s6-tcpserver-access.html">s6-tcpserver-access</a> +program. </li> + <li> s6-tcpserver4d is meant to be execve'd into by a program that gets +the listening socket. That program is normally +<a href="s6-tcpserver4-socketbinder.html">s6-tcpserver4-socketbinder</a>, +which creates the socket itself; but it can be a different one if the +socket is to be retrieved by another means, for instance by fd-passing +from a fd-holding daemon (some people call this "socket activation"). </li> +</ul> + +</body> +</html> diff --git a/doc/s6-tcpserver6-socketbinder.html b/doc/s6-tcpserver6-socketbinder.html new file mode 100644 index 0000000..0c0f8ee --- /dev/null +++ b/doc/s6-tcpserver6-socketbinder.html @@ -0,0 +1,70 @@ +<html> + <head> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <meta http-equiv="Content-Language" content="en" /> + <title>s6-networking: the s6-tcpserver6-socketbinder program</title> + <meta name="Description" content="s6-networking: the s6-tcpserver6-socketbinder program" /> + <meta name="Keywords" content="s6-networking s6-tcpserver6-socketbinder tcpserver ucspi inet ipv6 socket bind listen" /> + <!-- <link rel="stylesheet" type="text/css" href="http://skarnet.org/default.css" /> --> + </head> +<body> + +<p> +<a href="index.html">s6-networking</a><br /> +<a href="http://skarnet.org/software/">Software</a><br /> +<a href="http://skarnet.org/">skarnet.org</a> +</p> + +<h1> The <tt>s6-tcpserver6-socketbinder</tt> program </h1> + +<p> +<tt>s6-tcpserver6-socketbinder</tt> binds an INET domain +socket to an IPv6 address and port, then executes a program. +</p> + +<h2> Interface </h2> + +<pre> + s6-tcpserver6-socketbinder [ -d | -D ] [ -b <em>backlog</em> ] <em>ip</em> <em>port</em> <em>prog...</em> +</pre> + +<ul> + <li> s6-tcpserver6-socketbinder creates an TCP socket +and binds it to IPv6 address <em>ip</em>, port <em>port</em>. +It prepares the socket to accept connections by calling +<a href="http://pubs.opengroup.org/onlinepubs/9699919799/functions/listen.html">listen()</a>. </li> + <li> It then execs into <em>prog...</em> with the open socket +as its standard input. </li> + +<h2> Options </h2> + +<ul> + <li> <tt>-d</tt> : allow instant rebinding to the same IP and port +even if it has been used not long ago - this is the SO_REUSEADDR flag to +<a href="http://pubs.opengroup.org/onlinepubs/9699919799/functions/setsockopt.html">setsockopt()</a> +and is generally used with server programs. This is the default. </li> + <li> <tt>-D</tt> : disallow instant rebinding to the same path. </li> + <li> <tt>-b <em>backlog</em></tt> : set a maximum of +<em>backlog</em> backlog connections on the socket. Extra +connection attempts will rejected by the kernel. </li> +</ul> + +<h2> Notes </h2> + +<ul> + <li> s6-tcpserver6-socketbinder is part of a set of basic blocks used to +build a flexible TCP/IPv6 super-server. It normally should be given a +command line crafted to make it execute into +<a href="s6-tcpserver6d.html">s6-tcpserver6d</a> to accept connections +from clients, or into a program such as +<a href="http://skarnet.org/software/s6/s6-applyuidgid.html">s6-applyuidgid</a> +to drop privileges before doing so. </li> + <li> The <a href="s6-tcpserver6.html">s6-tcpserver6</a> program does +exactly this. It implements +a full TCP/IPv6 super-server by building a command line starting with +s6-tcpserver6-socketbinder and ending with s6-tcpserver6d followed by the +application program, and executing into it. </li> +</ul> + +</body> +</html> diff --git a/doc/s6-tcpserver6d.html b/doc/s6-tcpserver6d.html new file mode 100644 index 0000000..46bc6c1 --- /dev/null +++ b/doc/s6-tcpserver6d.html @@ -0,0 +1,112 @@ +<html> + <head> + <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> + <meta http-equiv="Content-Language" content="en" /> + <title>s6-networking: the s6-tcpserver6d program</title> + <meta name="Description" content="s6-networking: the s6-tcpserver6d program" /> + <meta name="Keywords" content="s6-networking s6-tcpserver6d tcpserver ucspi tcp server super-server ipv6" /> + <!-- <link rel="stylesheet" type="text/css" href="http://skarnet.org/default.css" /> --> + </head> +<body> + +<p> +<a href="index.html">s6-networking</a><br /> +<a href="http://skarnet.org/software/">Software</a><br /> +<a href="http://skarnet.org/">skarnet.org</a> +</p> + +<h1> The <tt>s6-tcpserver6d</tt> program </h1> + +<p> +<tt>s6-tcpserver6d</tt> is the serving part of the +<a href="s6-tcpserver6.html">s6-tcpserver6</a> super-server. +It assumes that its stdin is a bound and listening TCP/IPv6 socket, +and it accepts connections from clients connecting to it, +forking a program to handle each connection. +</p> + +<h2> Interface </h2> + +<pre> + s6-tcpserver6d [ -1 ] [ -v <em>verbosity</em> ] [ -c <em>maxconn</em> ] [ -C <em>localmaxconn</em> ] <em>prog...</em> +</pre> + +<ul> + <li> s6-tcpserver6d accepts connections from clients to an already +bound and listening TCP socket which is its standard input. </li> + <li> For every TCP connection to this socket, it +forks. The child sets some environment variables, then +executes <em>prog...</em> with stdin reading from the network +socket and stdout writing to it. </li> + <li> Depending on the verbosity level, it logs what it does to stderr. </li> + <li> It runs until killed by a signal. Depending on the received +signal, it may kill its children before exiting. </li> +</ul> + +<h2> Environment variables </h2> + +<p> + For each connection, an instance of <em>prog...</em> is spawned with +the following variables set: +</p> + +<ul> + <li> PROTO: always set to TCP </li> + <li> TCPREMOTEIP: set to the originating address </li> + <li> TCPREMOTEPORT: set to the originating port </li> + <li> TCPCONNNUM: set to the number of connections originating from +the same IP address </li> +</ul> + +<h2> Options </h2> + +<ul> + <li> <tt>-1</tt> : write a newline to stdout, and close stdout, +right before entering the client-accepting loop. +If stdout is suitably redirected, this can be used by monitoring +programs to check when the server is accepting connections. +The <a href="http://skarnet.org/software/s6/s6-notifywhenup.html">s6-notifywhenup</a> +program can be used before the s6-tcpserver +invocation to notify listeners when the server is ready. </li> + <li> <tt>-v <em>verbosity</em></tt> : be more or less verbose. +By default, <em>verbosity</em> is 1: print warning messages to stderr. +0 means only print fatal error messages ; 2 means print status and +connection information for every client. </li> + <li> <tt>-c <em>maxconn</em></tt> : accept at most +<em>maxconn</em> concurrent connections. Default is 40. It is +impossible to set it higher than 1000. </li> + <li> <tt>-C <em>localmaxconn</em></tt> : accept at most +<em>localmaxconn</em> connections from the same IP address. +Default is 40. It is impossible to set it higher than <em>maxconn</em>. </li> +</ul> + +<h2> Signals </h2> + +<ul> + <li> SIGTERM: exit. </li> + <li> SIGHUP: send a SIGTERM and a SIGCONT to all children. </li> + <li> SIGQUIT: send a SIGTERM and a SIGCONT to all children, then exit. </li> + <li> SIGABRT: send a SIGKILL to all children, then exit. </li> +</ul> + +<h2> Notes </h2> + +<ul> + <li> Unlike its ancestor +<a href="http://cr.yp.to/ucspi-tcp/tcpserver.html">tcpserver</a>, +s6-tcpserver6d performs just the bare minimum: the point is to have a +very small and very fast process to serve connections with the least +possible overhead. Features such as additional environment variables, +access control and DNS resolution are provided +via the <a href="s6-tcpserver-access.html">s6-tcpserver-access</a> +program. </li> + <li> s6-tcpserver6d is meant to be execve'd into by a program that gets +the listening socket. That program is normally +<a href="s6-tcpserver6-socketbinder.html">s6-tcpserver6-socketbinder</a>, +which creates the socket itself; but it can be a different one if the +socket is to be retrieved by another means, for instance by fd-passing +from a fd-holding daemon (some people call this "socket activation"). </li> +</ul> + +</body> +</html> diff --git a/src/conn-tools/s6-ipcserver.c b/src/conn-tools/s6-ipcserver.c index 890fc3d..b6546f8 100644 --- a/src/conn-tools/s6-ipcserver.c +++ b/src/conn-tools/s6-ipcserver.c @@ -101,8 +101,8 @@ int main (int argc, char const *const *argv, char const *const *envp) newargv[m++] = "--" ; } newargv[m++] = S6_NETWORKING_BINPREFIX "s6-ipcserverd" ; - if (!verbosity) newargv[m++] = "-q" ; - else if (verbosity == 2) newargv[m++] = "-v" ; + if (!verbosity) newargv[m++] = "-v0" ; + else if (verbosity == 2) newargv[m++] = "-v2" ; if (flag1) newargv[m++] = "-1" ; if (!flaglookup) newargv[m++] = "-P" ; if (maxconn) diff --git a/src/conn-tools/s6-ipcserverd.c b/src/conn-tools/s6-ipcserverd.c index 419b123..4afe5cc 100644 --- a/src/conn-tools/s6-ipcserverd.c +++ b/src/conn-tools/s6-ipcserverd.c @@ -20,7 +20,7 @@ #include <skalibs/iopause.h> #include <skalibs/webipc.h> -#define USAGE "s6-ipcserverd [ -q | -Q | -v ] [ -1 ] [ -P | -p ] [ -c maxconn ] [ -C localmaxconn ] prog..." +#define USAGE "s6-ipcserverd [ -v verbosity ] [ -1 ] [ -P | -p ] [ -c maxconn ] [ -C localmaxconn ] prog..." #define ABSOLUTE_MAXCONN 1000 @@ -303,18 +303,16 @@ int main (int argc, char const *const *argv, char const *const *envp) int flag1 = 0 ; for (;;) { - register int opt = subgetopt_r(argc, argv, "qQv1Ppc:C:", &l) ; + register int opt = subgetopt_r(argc, argv, "Pp1c:C:v:", &l) ; if (opt == -1) break ; switch (opt) { - case 'q' : verbosity = 0 ; break ; - case 'Q' : verbosity = 1 ; break ; - case 'v' : verbosity = 2 ; break ; - case '1' : flag1 = 1 ; break ; case 'P' : flaglookup = 0 ; break ; case 'p' : flaglookup = 1 ; break ; + case '1' : flag1 = 1 ; break ; case 'c' : if (!uint0_scan(l.arg, &maxconn)) dieusage() ; break ; case 'C' : if (!uint0_scan(l.arg, &localmaxconn)) dieusage() ; break ; + case 'v' : if (!uint0_scan(l.arg, &verbosity)) dieusage() ; break ; default : dieusage() ; } } diff --git a/src/conn-tools/s6-tcpserver.c b/src/conn-tools/s6-tcpserver.c index fcbf4f2..751b2b8 100644 --- a/src/conn-tools/s6-tcpserver.c +++ b/src/conn-tools/s6-tcpserver.c @@ -1,71 +1,136 @@ /* ISC license. */ +#include <sys/types.h> +#include <limits.h> #include <skalibs/uint.h> +#include <skalibs/gidstuff.h> #include <skalibs/sgetopt.h> #include <skalibs/strerr2.h> #include <skalibs/djbunix.h> #include <skalibs/ip46.h> +#include <s6/config.h> #include <s6-networking/config.h> -#define USAGE "s6-tcpserver [ -q | -Q | -v ] [ -1 ] [ -4 | -6 ] [ -c maxconn ] [ -C localmaxconn ] [ -b backlog ] [ -G gid,gid,... ] [ -g gid ] [ -u uid ] [ -U ] ip port prog..." +#define USAGE "s6-tcpserver [ -q | -Q | -v ] [ -4 | -6 ] [ -d | -D ] [ -1 ] [ -c maxconn ] [ -C localmaxconn ] [ -b backlog ] [ -G gid,gid,... ] [ -g gid ] [ -u uid ] [ -U ] ip port prog..." #define dieusage() strerr_dieusage(100, USAGE) int main (int argc, char const *const *argv, char const *const *envp) { - char const *newargv[2 + (argc << 1)] ; - char const *path ; - unsigned int m = 3 ; - int what = 0 ; unsigned int verbosity = 1 ; - char fmtv[UINT_FMT] ; + int flag1 = 0 ; + int flagU = 0 ; + int flagreuse = 1 ; + unsigned int uid = 0, gid = 0 ; + gid_t gids[NGROUPS_MAX] ; + unsigned int gidn = (unsigned int)-1 ; + unsigned int maxconn = 0 ; + unsigned int localmaxconn = 0 ; + unsigned int backlog = (unsigned int)-1 ; + unsigned int what = 0 ; PROG = "s6-tcpserver" ; - newargv[1] = "-v" ; - newargv[2] = fmtv ; { subgetopt_t l = SUBGETOPT_ZERO ; for (;;) { - register int opt = subgetopt_r(argc, argv, "qQv146Uc:C:b:u:g:G:", &l) ; + register int opt = subgetopt_r(argc, argv, "qQvDd1U46c:C:b:u:g:G:", &l) ; if (opt == -1) break ; switch (opt) { - case '4' : if (what) dieusage() ; what = 4 ; break ; - case '6' : if (what) dieusage() ; what = 6 ; break ; case 'q' : verbosity = 0 ; break ; case 'Q' : verbosity = 1 ; break ; case 'v' : verbosity = 2 ; break ; - case '1' : newargv[m++] = "-1" ; break ; - case 'U' : newargv[m++] = "-U" ; break ; - case 'c' : newargv[m++] = "-c" ; newargv[m++] = l.arg ; break ; - case 'C' : newargv[m++] = "-C" ; newargv[m++] = l.arg ; break ; - case 'b' : newargv[m++] = "-b" ; newargv[m++] = l.arg ; break ; - case 'u' : newargv[m++] = "-u" ; newargv[m++] = l.arg ; break ; - case 'g' : newargv[m++] = "-g" ; newargv[m++] = l.arg ; break ; - case 'G' : newargv[m++] = "-G" ; newargv[m++] = l.arg ; break ; + case 'D' : flagreuse = 0 ; break ; + case 'd' : flagreuse = 1 ; break ; + case '4' : what = 4 ; break ; + case '6' : what = 6 ; break ; + case 'c' : if (!uint0_scan(l.arg, &maxconn)) dieusage() ; if (!maxconn) maxconn = 1 ; break ; + case 'C' : if (!uint0_scan(l.arg, &localmaxconn)) dieusage() ; if (!localmaxconn) localmaxconn = 1 ; break ; + case 'b' : if (!uint0_scan(l.arg, &backlog)) dieusage() ; break ; + case 'u' : if (!uint0_scan(l.arg, &uid)) dieusage() ; break ; + case 'g' : if (!uint0_scan(l.arg, &gid)) dieusage() ; break ; + case 'G' : if (!gid_scanlist(gids, NGROUPS_MAX, l.arg, &gidn) && *l.arg) dieusage() ; break ; + case '1' : flag1 = 1 ; break ; + case 'U' : flagU = 1 ; uid = 0 ; gid = 0 ; gidn = (unsigned int)-1 ; break ; default : dieusage() ; } } argc -= l.ind ; argv += l.ind ; + if (argc < 3) dieusage() ; } - if (argc < 3) dieusage() ; - fmtv[uint_fmt(fmtv, verbosity)] = 0 ; - newargv[m++] = 0 ; + if (!what) { ip46_t ip ; if (!ip46_scan(argv[0], &ip)) dieusage() ; what = ip46_is6(&ip) ? 6 : 4 ; } - if (what == 6) - { - newargv[0] = "s6-tcpserver6" ; - path = S6_NETWORKING_BINPREFIX "s6-tcpserver6" ; - } - else + { - newargv[0] = "s6-tcpserver4" ; - path = S6_NETWORKING_BINPREFIX "s6-tcpserver4" ; + unsigned int m = 0 ; + unsigned int pos = 0 ; + char fmt[UINT_FMT * 5 + GID_FMT * NGROUPS_MAX] ; + char const *newargv[23 + argc] ; + newargv[m++] = what == 6 ? S6_NETWORKING_BINPREFIX "s6-tcpserver6-socketbinder" : S6_NETWORKING_BINPREFIX "s6-tcpserver4-socketbinder" ; + if (!flagreuse) newargv[m++] = "-D" ; + if (backlog != (unsigned int)-1) + { + newargv[m++] = "-b" ; + newargv[m++] = fmt + pos ; + pos += uint_fmt(fmt + pos, backlog) ; + fmt[pos++] = 0 ; + } + newargv[m++] = "--" ; + newargv[m++] = *argv++ ; + newargv[m++] = *argv++ ; + if (flagU || uid || gid || gidn != (unsigned int)-1) + { + newargv[m++] = S6_EXTBINPREFIX "s6-applyuidgid" ; + if (flagU) newargv[m++] = "-Uz" ; + if (uid) + { + newargv[m++] = "-u" ; + newargv[m++] = fmt + pos ; + pos += uint_fmt(fmt + pos, uid) ; + fmt[pos++] = 0 ; + } + if (gid) + { + newargv[m++] = "-g" ; + newargv[m++] = fmt + pos ; + pos += uint_fmt(fmt + pos, gid) ; + fmt[pos++] = 0 ; + } + if (gidn != (unsigned int)-1) + { + newargv[m++] = "-G" ; + newargv[m++] = fmt + pos ; + pos += gid_fmtlist(fmt + pos, gids, gidn) ; + fmt[pos++] = 0 ; + } + newargv[m++] = "--" ; + } + newargv[m++] = what == 6 ? S6_NETWORKING_BINPREFIX "s6-tcpserver6d" : S6_NETWORKING_BINPREFIX "s6-tcpserver4d" ; + if (!verbosity) newargv[m++] = "-v0" ; + else if (verbosity == 2) newargv[m++] = "-v2" ; + if (flag1) newargv[m++] = "-1" ; + if (maxconn) + { + newargv[m++] = "-c" ; + newargv[m++] = fmt + pos ; + pos += uint_fmt(fmt + pos, maxconn) ; + fmt[pos++] = 0 ; + } + if (localmaxconn) + { + newargv[m++] = "-C" ; + newargv[m++] = fmt + pos ; + pos += uint_fmt(fmt + pos, localmaxconn) ; + fmt[pos++] = 0 ; + } + newargv[m++] = "--" ; + while (*argv) newargv[m++] = *argv++ ; + newargv[m++] = 0 ; + pathexec_run(newargv[0], newargv, envp) ; + strerr_dieexec(111, newargv[0]) ; } - pathexec_run(path, newargv, envp) ; - strerr_dieexec(111, path) ; } diff --git a/src/conn-tools/s6-tcpserver4.c b/src/conn-tools/s6-tcpserver4.c index e030b6d..6a85110 100644 --- a/src/conn-tools/s6-tcpserver4.c +++ b/src/conn-tools/s6-tcpserver4.c @@ -1,417 +1,128 @@ /* ISC license. */ -#include <skalibs/nonposix.h> #include <sys/types.h> -#include <sys/stat.h> -#include <sys/wait.h> -#include <errno.h> -#include <unistd.h> -#include <fcntl.h> #include <limits.h> -#include <grp.h> -#include <signal.h> -#include <skalibs/gccattributes.h> -#include <skalibs/allreadwrite.h> -#include <skalibs/uint16.h> -#include <skalibs/uint32.h> #include <skalibs/uint.h> #include <skalibs/gidstuff.h> -#include <skalibs/setgroups.h> -#include <skalibs/bytestr.h> #include <skalibs/sgetopt.h> -#include <skalibs/fmtscan.h> #include <skalibs/strerr2.h> -#include <skalibs/diuint32.h> -#include <skalibs/env.h> #include <skalibs/djbunix.h> -#include <skalibs/sig.h> -#include <skalibs/selfpipe.h> -#include <skalibs/iopause.h> -#include <skalibs/socket.h> +#include <s6/config.h> +#include <s6-networking/config.h> -#define ABSOLUTE_MAXCONN 1000 - -#define USAGE "s6-tcpserver4 [ -v verbosity ] [ -1 ] [ -c maxconn ] [ -C localmaxconn ] [ -b backlog ] [ -G gid,gid,... ] [ -g gid ] [ -u uid ] [ -U ] ip port prog..." - -static unsigned int maxconn = 40 ; -static unsigned int localmaxconn = 40 ; -static unsigned int verbosity = 1 ; -static int cont = 1 ; -static diuint32 *pidip = 0 ; -static unsigned int numconn = 0 ; -static diuint32 *ipnum = 0 ; -static unsigned int iplen = 0 ; - -static char fmtmaxconn[UINT_FMT+1] = "/" ; -static char fmtlocalmaxconn[UINT_FMT+1] = "/" ; - - - /* Utility functions */ - -static inline void dieusage () -{ - strerr_dieusage(100, USAGE) ; -} - -static inline void X (void) -{ - strerr_dief1x(101, "internal inconsistency. Please submit a bug-report.") ; -} - - - /* Lookup primitives */ - -static unsigned int lookup_diuint32 (diuint32 const *, unsigned int, unsigned int) gccattr_pure ; -static unsigned int lookup_diuint32 (diuint32 const *tab, unsigned int tablen, unsigned int key) -{ - register unsigned int i = 0 ; - for (; i < tablen ; i++) if (key == tab[i].left) break ; - return i ; -} - -static inline unsigned int lookup_pid (uint32 pid) -{ - return lookup_diuint32(pidip, numconn, pid) ; -} - -static inline unsigned int lookup_ip (uint32 ip) -{ - return lookup_diuint32(ipnum, iplen, ip) ; -} - - - /* Logging */ - -static void log_start (char const *ip, uint16 port) -{ - char fmtip[IP4_FMT] ; - char fmtport[UINT16_FMT] ; - fmtip[ip4_fmt(fmtip, ip)] = 0 ; - fmtport[uint16_fmt(fmtport, port)] = 0 ; - strerr_warni4x("starting - listening on ", fmtip, ":", fmtport) ; -} - -static inline void log_exit (void) -{ - strerr_warni1x("exiting") ; -} - -static void log_status (void) -{ - char fmt[UINT_FMT] ; - fmt[uint_fmt(fmt, numconn)] = 0 ; - strerr_warni3x("status: ", fmt, fmtmaxconn) ; -} - -static void log_deny (uint32 ip, uint16 port, unsigned int num) -{ - char fmtip[UINT32_FMT] ; - char fmtport[UINT16_FMT] ; - char fmtnum[UINT_FMT] ; - fmtip[ip4_fmtu32(fmtip, ip)] = 0 ; - fmtport[uint16_fmt(fmtport, port)] = 0 ; - fmtnum[uint_fmt(fmtnum, num)] = 0 ; - strerr_warni7sys("deny ", fmtip, ":", fmtport, " count ", fmtnum, fmtlocalmaxconn) ; -} - -static void log_accept (uint32 pid, uint32 ip, uint16 port, unsigned int num) -{ - char fmtipport[IP4_FMT + UINT16_FMT + 1] ; - char fmtpid[UINT32_FMT] ; - char fmtnum[UINT_FMT] ; - register unsigned int n ; - n = ip4_fmtu32(fmtipport, ip) ; - fmtipport[n++] = ':' ; - n += uint16_fmt(fmtipport + n, port) ; - fmtipport[n] = 0 ; - fmtnum[uint_fmt(fmtnum, num)] = 0 ; - fmtpid[uint32_fmt(fmtpid, pid)] = 0 ; - strerr_warni7x("allow ", fmtipport, " pid ", fmtpid, " count ", fmtnum, fmtlocalmaxconn) ; -} - -static void log_close (uint32 pid, uint32 ip, int w) -{ - char fmtpid[UINT32_FMT] ; - char fmtip[IP4_FMT] = "?" ; - char fmtw[UINT_FMT] ; - fmtpid[uint32_fmt(fmtpid, pid)] = 0 ; - fmtip[ip4_fmtu32(fmtip, ip)] = 0 ; - fmtw[uint_fmt(fmtw, WIFSIGNALED(w) ? WTERMSIG(w) : WEXITSTATUS(w))] = 0 ; - strerr_warni6x("end pid ", fmtpid, " ip ", fmtip, WIFSIGNALED(w) ? " signal " : " exitcode ", fmtw) ; -} - - - /* Signal handling */ - -static void killthem (int sig) -{ - register unsigned int i = 0 ; - for (; i < numconn ; i++) kill(pidip[i].left, sig) ; -} - -static void wait_children (void) -{ - for (;;) - { - unsigned int i ; - int w ; - register int pid = wait_nohang(&w) ; - if (pid < 0) - if (errno != ECHILD) strerr_diefu1sys(111, "wait_nohang") ; - else break ; - else if (!pid) break ; - i = lookup_pid(pid) ; - if (i < numconn) /* it's one of ours ! */ - { - uint32 ip = pidip[i].right ; - register unsigned int j = lookup_ip(ip) ; - if (j >= iplen) X() ; - if (!--ipnum[j].right) ipnum[j] = ipnum[--iplen] ; - pidip[i] = pidip[--numconn] ; - if (verbosity >= 2) - { - log_close(pid, ip, w) ; - log_status() ; - } - } - } -} - -static void handle_signals (void) -{ - for (;;) switch (selfpipe_read()) - { - case -1 : strerr_diefu1sys(111, "read selfpipe") ; - case 0 : return ; - case SIGCHLD : wait_children() ; break ; - case SIGTERM : - { - if (verbosity >= 2) - strerr_warni3x("received ", "SIGTERM,", " quitting") ; - cont = 0 ; - break ; - } - case SIGHUP : - { - if (verbosity >= 2) - strerr_warni5x("received ", "SIGHUP,", " sending ", "SIGTERM+SIGCONT", " to all connections") ; - killthem(SIGTERM) ; - killthem(SIGCONT) ; - break ; - } - case SIGQUIT : - { - if (verbosity >= 2) - strerr_warni6x("received ", "SIGQUIT,", " sending ", "SIGTERM+SIGCONT", " to all connections", " and quitting") ; - cont = 0 ; - killthem(SIGTERM) ; - killthem(SIGCONT) ; - break ; - } - case SIGABRT : - { - if (verbosity >= 2) - strerr_warni6x("received ", "SIGABRT,", " sending ", "SIGKILL", " to all connections", " and quitting") ; - cont = 0 ; - killthem(SIGKILL) ; - break ; - } - default : X() ; - } -} - - - /* New connection handling */ - -static void run_child (int, uint32, uint16, unsigned int, char const *const *, char const *const *) gccattr_noreturn ; -static void run_child (int s, uint32 ip, uint16 port, unsigned int num, char const *const *argv, char const *const *envp) -{ - char fmt[74] ; - unsigned int n = 0 ; - PROG = "s6-tcpserver (child)" ; - if ((fd_move(0, s) < 0) || (fd_copy(1, 0) < 0)) - strerr_diefu1sys(111, "move fds") ; - byte_copy(fmt+n, 22, "PROTO=TCP\0TCPREMOTEIP=") ; n += 22 ; - n += ip4_fmtu32(fmt+n, ip) ; fmt[n++] = 0 ; - byte_copy(fmt+n, 14, "TCPREMOTEPORT=") ; n += 14 ; - n += uint16_fmt(fmt+n, port) ; fmt[n++] = 0 ; - byte_copy(fmt+n, 11, "TCPCONNNUM=") ; n += 11 ; - n += uint_fmt(fmt+n, num) ; fmt[n++] = 0 ; - pathexec_r(argv, envp, env_len(envp), fmt, n) ; - strerr_dieexec(111, argv[0]) ; -} - -static void new_connection (int s, uint32 ip, uint16 port, char const *const *argv, char const *const *envp) -{ - unsigned int i = lookup_ip(ip) ; - unsigned int num = (i < iplen) ? ipnum[i].right : 0 ; - register int pid ; - if (num >= localmaxconn) - { - log_deny(ip, port, num) ; - return ; - } - pid = fork() ; - if (pid < 0) - { - if (verbosity) strerr_warnwu1sys("fork") ; - return ; - } - else if (!pid) - { - selfpipe_finish() ; - run_child(s, ip, port, num+1, argv, envp) ; - } - - if (i < iplen) ipnum[i].right = num + 1 ; - else - { - ipnum[iplen].left = ip ; - ipnum[iplen++].right = 1 ; - } - pidip[numconn].left = (uint32)pid ; - pidip[numconn++].right = ip ; - if (verbosity >= 2) - { - log_accept((uint32)pid, ip, port, ipnum[i].right) ; - log_status() ; - } -} - - - /* And the main */ +#define USAGE "s6-tcpserver4 [ -v verbosity ] [ -d | -D ] [ -1 ] [ -c maxconn ] [ -C localmaxconn ] [ -b backlog ] [ -G gid,gid,... ] [ -g gid ] [ -u uid ] [ -U ] ip port prog..." +#define dieusage() strerr_dieusage(100, USAGE) int main (int argc, char const *const *argv, char const *const *envp) { - iopause_fd x[2] = { { -1, IOPAUSE_READ, 0 }, { -1, IOPAUSE_READ | IOPAUSE_EXCEPT, 0 } } ; + unsigned int verbosity = 1 ; + int flag1 = 0 ; + int flagU = 0 ; + int flagreuse = 1 ; + unsigned int uid = 0, gid = 0 ; + gid_t gids[NGROUPS_MAX] ; + unsigned int gidn = (unsigned int)-1 ; + unsigned int maxconn = 0 ; + unsigned int localmaxconn = 0 ; + unsigned int backlog = (unsigned int)-1 ; PROG = "s6-tcpserver4" ; { subgetopt_t l = SUBGETOPT_ZERO ; - unsigned int uid = 0, gid = 0 ; - gid_t gids[NGROUPS_MAX] ; - unsigned int gidn = 0 ; - unsigned int backlog = 20 ; - char ip[4] ; - int flag1 = 0 ; - uint16 port ; for (;;) { - register int opt = subgetopt_r(argc, argv, "1Uc:C:b:u:g:G:v:", &l) ; + register int opt = subgetopt_r(argc, argv, "Dd1Uv:c:C:b:u:g:G:", &l) ; if (opt == -1) break ; switch (opt) { - case '1' : flag1 = 1 ; break ; - case 'c' : if (!uint0_scan(l.arg, &maxconn)) dieusage() ; break ; - case 'C' : if (!uint0_scan(l.arg, &localmaxconn)) dieusage() ; break ; + case 'D' : flagreuse = 0 ; break ; + case 'd' : flagreuse = 1 ; break ; + case 'v' : if (!uint0_scan(l.arg, &verbosity)) dieusage() ; break ; + case 'c' : if (!uint0_scan(l.arg, &maxconn)) dieusage() ; if (!maxconn) maxconn = 1 ; break ; + case 'C' : if (!uint0_scan(l.arg, &localmaxconn)) dieusage() ; if (!localmaxconn) localmaxconn = 1 ; break ; case 'b' : if (!uint0_scan(l.arg, &backlog)) dieusage() ; break ; case 'u' : if (!uint0_scan(l.arg, &uid)) dieusage() ; break ; case 'g' : if (!uint0_scan(l.arg, &gid)) dieusage() ; break ; - case 'G' : if (!gid_scanlist(gids, NGROUPS_MAX, l.arg, &gidn)) dieusage() ; break ; - case 'v' : if (!uint0_scan(l.arg, &verbosity)) dieusage() ; break ; - case 'U' : - { - char const *x = env_get2(envp, "UID") ; - if (!x) strerr_dienotset(100, "UID") ; - if (!uint0_scan(x, &uid)) strerr_dieinvalid(100, "UID") ; - x = env_get2(envp, "GID") ; - if (!x) strerr_dienotset(100, "GID") ; - if (!uint0_scan(x, &gid)) strerr_dieinvalid(100, "GID") ; - x = env_get2(envp, "GIDLIST") ; - if (!x) strerr_dienotset(100, "GIDLIST") ; - if (!gid_scanlist(gids, NGROUPS_MAX, x, &gidn) && *x) - strerr_dieinvalid(100, "GIDLIST") ; - break ; - } + case 'G' : if (!gid_scanlist(gids, NGROUPS_MAX, l.arg, &gidn) && *l.arg) dieusage() ; break ; + case '1' : flag1 = 1 ; break ; + case 'U' : flagU = 1 ; uid = 0 ; gid = 0 ; gidn = (unsigned int)-1 ; break ; default : dieusage() ; } } argc -= l.ind ; argv += l.ind ; if (argc < 3) dieusage() ; - if (!ip4_scan(argv[0], ip) || !uint160_scan(argv[1], &port)) dieusage() ; - close(0) ; - if (flag1) + } + + { + unsigned int m = 0 ; + unsigned int pos = 0 ; + char fmt[UINT_FMT * 6 + GID_FMT * NGROUPS_MAX] ; + char const *newargv[24 + argc] ; + newargv[m++] = S6_NETWORKING_BINPREFIX "s6-tcpserver4-socketbinder" ; + if (!flagreuse) newargv[m++] = "-D" ; + if (backlog != (unsigned int)-1) { - if (fcntl(1, F_GETFD) < 0) - strerr_dief1sys(100, "called with option -1 but stdout said") ; + newargv[m++] = "-b" ; + newargv[m++] = fmt + pos ; + pos += uint_fmt(fmt + pos, backlog) ; + fmt[pos++] = 0 ; } - else close(1) ; - if (!maxconn) maxconn = 1 ; - if (maxconn > ABSOLUTE_MAXCONN) maxconn = ABSOLUTE_MAXCONN ; - if (localmaxconn > maxconn) localmaxconn = maxconn ; - x[1].fd = socket_tcp4() ; - if ((x[1].fd == -1) || (coe(x[1].fd) == -1)) - strerr_diefu1sys(111, "create socket") ; - if (socket_bind4_reuse(x[1].fd, ip, port) < 0) - strerr_diefu2sys(111, "bind to ", argv[0]) ; - if (socket_listen(x[1].fd, backlog) == -1) - strerr_diefu1sys(111, "listen") ; - if (gidn && (setgroups(gidn, gids) < 0)) strerr_diefu1sys(111, "setgroups") ; - if (gid && (setgid(gid) < 0)) strerr_diefu1sys(111, "drop gid") ; - if (uid && (setuid(uid) < 0)) strerr_diefu1sys(111, "drop uid") ; - - x[0].fd = selfpipe_init() ; - if (x[0].fd == -1) strerr_diefu1sys(111, "create selfpipe") ; - if (sig_ignore(SIGPIPE) < 0) strerr_diefu1sys(111, "ignore SIGPIPE") ; + newargv[m++] = "--" ; + newargv[m++] = *argv++ ; + newargv[m++] = *argv++ ; + if (flagU || uid || gid || gidn != (unsigned int)-1) { - sigset_t set ; - sigemptyset(&set) ; - sigaddset(&set, SIGCHLD) ; - sigaddset(&set, SIGTERM) ; - sigaddset(&set, SIGHUP) ; - sigaddset(&set, SIGQUIT) ; - sigaddset(&set, SIGABRT) ; - if (selfpipe_trapset(&set) < 0) strerr_diefu1sys(111, "trap signals") ; + newargv[m++] = S6_EXTBINPREFIX "s6-applyuidgid" ; + if (flagU) newargv[m++] = "-Uz" ; + if (uid) + { + newargv[m++] = "-u" ; + newargv[m++] = fmt + pos ; + pos += uint_fmt(fmt + pos, uid) ; + fmt[pos++] = 0 ; + } + if (gid) + { + newargv[m++] = "-g" ; + newargv[m++] = fmt + pos ; + pos += uint_fmt(fmt + pos, gid) ; + fmt[pos++] = 0 ; + } + if (gidn != (unsigned int)-1) + { + newargv[m++] = "-G" ; + newargv[m++] = fmt + pos ; + pos += gid_fmtlist(fmt + pos, gids, gidn) ; + fmt[pos++] = 0 ; + } + newargv[m++] = "--" ; } - if (flag1) + newargv[m++] = S6_NETWORKING_BINPREFIX "s6-tcpserver4d" ; + if (verbosity != 1) { - char fmt[UINT16_FMT] ; - unsigned int n = uint16_fmt(fmt, port) ; - fmt[n++] = '\n' ; - allwrite(1, fmt, n) ; - fd_close(1) ; + newargv[m++] = "-v" ; + newargv[m++] = fmt + pos ; + pos += uint_fmt(fmt + pos, verbosity) ; + fmt[pos++] = 0 ; } - fmtlocalmaxconn[1+uint_fmt(fmtlocalmaxconn+1, localmaxconn)] = 0 ; - if (verbosity >= 2) + if (flag1) newargv[m++] = "-1" ; + if (maxconn) { - fmtmaxconn[1+uint_fmt(fmtmaxconn+1, maxconn)] = 0 ; - log_start(ip, port) ; - log_status() ; + newargv[m++] = "-c" ; + newargv[m++] = fmt + pos ; + pos += uint_fmt(fmt + pos, maxconn) ; + fmt[pos++] = 0 ; } - } - - { - diuint32 inyostack[maxconn<<1] ; - pidip = inyostack ; ipnum = inyostack + maxconn ; - while (cont) + if (localmaxconn) { - if (iopause_g(x, 1 + (numconn < maxconn), 0) < 0) - strerr_diefu1sys(111, "iopause") ; - - if (x[0].revents & IOPAUSE_EXCEPT) strerr_dief1x(111, "trouble with selfpipe") ; - if (x[0].revents & IOPAUSE_READ) handle_signals() ; - if (numconn < maxconn) - { - if (x[1].revents & IOPAUSE_EXCEPT) strerr_dief1x(111, "trouble with socket") ; - if (x[1].revents & IOPAUSE_READ) - { - char packedip[4] ; - uint16 port ; - register int fd = socket_accept4(x[1].fd, packedip, &port) ; - if (fd < 0) - { - if (verbosity) strerr_warnwu1sys("accept") ; - } - else - { - uint32 ip ; - uint32_unpack_big(packedip, &ip) ; - new_connection(fd, ip, port, argv+2, envp) ; - fd_close(fd) ; - } - } - } + newargv[m++] = "-C" ; + newargv[m++] = fmt + pos ; + pos += uint_fmt(fmt + pos, localmaxconn) ; + fmt[pos++] = 0 ; } + newargv[m++] = "--" ; + while (*argv) newargv[m++] = *argv++ ; + newargv[m++] = 0 ; + pathexec_run(newargv[0], newargv, envp) ; + strerr_dieexec(111, newargv[0]) ; } - if (verbosity >= 2) log_exit() ; - return 0 ; } diff --git a/src/conn-tools/s6-tcpserver6.c b/src/conn-tools/s6-tcpserver6.c index 999a564..7cffb54 100644 --- a/src/conn-tools/s6-tcpserver6.c +++ b/src/conn-tools/s6-tcpserver6.c @@ -1,415 +1,128 @@ /* ISC license. */ -#include <skalibs/nonposix.h> #include <sys/types.h> -#include <sys/stat.h> -#include <sys/wait.h> -#include <errno.h> -#include <unistd.h> -#include <fcntl.h> #include <limits.h> -#include <grp.h> -#include <signal.h> -#include <skalibs/gccattributes.h> -#include <skalibs/allreadwrite.h> -#include <skalibs/uint16.h> #include <skalibs/uint.h> #include <skalibs/gidstuff.h> -#include <skalibs/setgroups.h> -#include <skalibs/bytestr.h> #include <skalibs/sgetopt.h> -#include <skalibs/fmtscan.h> #include <skalibs/strerr2.h> -#include <skalibs/env.h> #include <skalibs/djbunix.h> -#include <skalibs/sig.h> -#include <skalibs/selfpipe.h> -#include <skalibs/iopause.h> -#include <skalibs/socket.h> - -#define ABSOLUTE_MAXCONN 1000 - -#define USAGE "s6-tcpserver6 [ -v verbosity ] [ -1 ] [ -c maxconn ] [ -C localmaxconn ] [ -b backlog ] [ -G gid,gid,... ] [ -g gid ] [ -u uid ] [ -U ] ip6 port prog..." - -typedef struct ipnum_s ipnum_t, *ipnum_t_ref ; -struct ipnum_s -{ - char ip[16] ; - unsigned int num ; -} ; -#define IPNUM_ZERO { "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0", 0 } - -static unsigned int maxconn = 40 ; -static unsigned int localmaxconn = 40 ; -static unsigned int verbosity = 1 ; -static int cont = 1 ; -static ipnum_t_ref pidip = 0 ; -static unsigned int numconn = 0 ; -static ipnum_t_ref ipnum = 0 ; -static unsigned int iplen = 0 ; - -static char fmtmaxconn[UINT_FMT+1] = "/" ; -static char fmtlocalmaxconn[UINT_FMT+1] = "/" ; - - - /* Utility functions */ - -static inline void dieusage () -{ - strerr_dieusage(100, USAGE) ; -} - -static inline void X (void) -{ - strerr_dief1x(101, "internal inconsistency. Please submit a bug-report.") ; -} - - - /* Lookup primitives */ - -static unsigned int lookup_pid (unsigned int pid) -{ - register unsigned int i = 0 ; - for (; i < numconn ; i++) if (pid == pidip[i].num) break ; - return i ; -} - -static unsigned int lookup_ip (char const *ip) -{ - register unsigned int i = 0 ; - for (; i < iplen ; i++) if (!byte_diff(ip, 16, ipnum[i].ip)) break ; - return i ; -} - - - /* Logging */ - -static void log_start (char const *ip, uint16 port) -{ - char fmtip[IP6_FMT] ; - char fmtport[UINT16_FMT] ; - fmtip[ip6_fmt(fmtip, ip)] = 0 ; - fmtport[uint16_fmt(fmtport, port)] = 0 ; - strerr_warni4x("starting - listening on ", fmtip, " port ", fmtport) ; -} - -static inline void log_exit (void) -{ - strerr_warni1x("exiting") ; -} - -static void log_status (void) -{ - char fmt[UINT_FMT] ; - fmt[uint_fmt(fmt, numconn)] = 0 ; - strerr_warni3x("status: ", fmt, fmtmaxconn) ; -} - -static void log_deny (char const *ip, uint16 port, unsigned int num) -{ - char fmtip[IP6_FMT] ; - char fmtport[UINT16_FMT] ; - char fmtnum[UINT_FMT] ; - fmtip[ip6_fmt(fmtip, ip)] = 0 ; - fmtport[uint16_fmt(fmtport, port)] = 0 ; - fmtnum[uint_fmt(fmtnum, num)] = 0 ; - strerr_warni7sys("deny ", fmtip, " port ", fmtport, " count ", fmtnum, fmtlocalmaxconn) ; -} - -static void log_accept (unsigned int pid, char const *ip, uint16 port, unsigned int num) -{ - char fmtipport[IP6_FMT + UINT16_FMT + 6] ; - char fmtpid[UINT_FMT] ; - char fmtnum[UINT_FMT] ; - register unsigned int n ; - n = ip6_fmt(fmtipport, ip) ; - byte_copy(fmtipport + n, 6, " port ") ; n += 6 ; - n += uint16_fmt(fmtipport + n, port) ; - fmtipport[n] = 0 ; - fmtnum[uint_fmt(fmtnum, num)] = 0 ; - fmtpid[uint_fmt(fmtpid, pid)] = 0 ; - strerr_warni7x("allow ", fmtipport, " pid ", fmtpid, " count ", fmtnum, fmtlocalmaxconn) ; -} - -static void log_close (unsigned int pid, char const *ip, int w) -{ - char fmtpid[UINT_FMT] ; - char fmtip[IP6_FMT] = "?" ; - char fmtw[UINT_FMT] ; - fmtpid[uint_fmt(fmtpid, pid)] = 0 ; - fmtip[ip6_fmt(fmtip, ip)] = 0 ; - fmtw[uint_fmt(fmtw, WIFSIGNALED(w) ? WTERMSIG(w) : WEXITSTATUS(w))] = 0 ; - strerr_warni6x("end pid ", fmtpid, " ip ", fmtip, WIFSIGNALED(w) ? " signal " : " exitcode ", fmtw) ; -} - - - /* Signal handling */ - -static void killthem (int sig) -{ - register unsigned int i = 0 ; - for (; i < numconn ; i++) kill(pidip[i].num, sig) ; -} - -static void wait_children (void) -{ - for (;;) - { - unsigned int i ; - int w ; - register int pid = wait_nohang(&w) ; - if (pid < 0) - if (errno != ECHILD) strerr_diefu1sys(111, "wait_nohang") ; - else break ; - else if (!pid) break ; - i = lookup_pid(pid) ; - if (i < numconn) /* it's one of ours ! */ - { - register unsigned int j = lookup_ip(pidip[i].ip) ; - if (j >= iplen) X() ; - if (!--ipnum[j].num) ipnum[j] = ipnum[--iplen] ; - --numconn ; - if (verbosity >= 2) - { - log_close(pid, pidip[i].ip, w) ; - log_status() ; - } - pidip[i] = pidip[numconn] ; - } - } -} - -static void handle_signals (void) -{ - for (;;) switch (selfpipe_read()) - { - case -1 : strerr_diefu1sys(111, "read selfpipe") ; - case 0 : return ; - case SIGCHLD : wait_children() ; break ; - case SIGTERM : - { - if (verbosity >= 2) - strerr_warni3x("received ", "SIGTERM,", " quitting") ; - cont = 0 ; - break ; - } - case SIGHUP : - { - if (verbosity >= 2) - strerr_warni5x("received ", "SIGHUP,", " sending ", "SIGTERM+SIGCONT", " to all connections") ; - killthem(SIGTERM) ; - killthem(SIGCONT) ; - break ; - } - case SIGQUIT : - { - if (verbosity >= 2) - strerr_warni6x("received ", "SIGQUIT,", " sending ", "SIGTERM+SIGCONT", " to all connections", " and quitting") ; - cont = 0 ; - killthem(SIGTERM) ; - killthem(SIGCONT) ; - break ; - } - case SIGABRT : - { - if (verbosity >= 2) - strerr_warni6x("received ", "SIGABRT,", " sending ", "SIGKILL", " to all connections", " and quitting") ; - cont = 0 ; - killthem(SIGKILL) ; - break ; - } - default : X() ; - } -} - - - /* New connection handling */ - -static void run_child (int, char const *, uint16, unsigned int, char const *const *, char const *const *) gccattr_noreturn ; -static void run_child (int s, char const *ip, uint16 port, unsigned int num, char const *const *argv, char const *const *envp) -{ - char fmt[98] ; - unsigned int n = 0 ; - PROG = "s6-tcpserver6 (child)" ; - if ((fd_move(0, s) < 0) || (fd_copy(1, 0) < 0)) - strerr_diefu1sys(111, "move fds") ; - byte_copy(fmt+n, 24, "PROTO=TCP\0TCPREMOTEIP=") ; n += 22 ; - n += ip6_fmt(fmt+n, ip) ; fmt[n++] = 0 ; - byte_copy(fmt+n, 14, "TCPREMOTEPORT=") ; n += 14 ; - n += uint16_fmt(fmt+n, port) ; fmt[n++] = 0 ; - byte_copy(fmt+n, 11, "TCPCONNNUM=") ; n += 11 ; - n += uint_fmt(fmt+n, num) ; fmt[n++] = 0 ; - pathexec_r(argv, envp, env_len(envp), fmt, n) ; - strerr_dieexec(111, argv[0]) ; -} - -static void new_connection (int s, char const *ip, uint16 port, char const *const *argv, char const *const *envp) -{ - unsigned int i = lookup_ip(ip) ; - unsigned int num = (i < iplen) ? ipnum[i].num : 0 ; - register int pid ; - if (num >= localmaxconn) - { - log_deny(ip, port, num) ; - return ; - } - pid = fork() ; - if (pid < 0) - { - if (verbosity) strerr_warnwu1sys("fork") ; - return ; - } - else if (!pid) - { - selfpipe_finish() ; - run_child(s, ip, port, num+1, argv, envp) ; - } - - if (i < iplen) ipnum[i].num = num + 1 ; - else - { - byte_copy(ipnum[iplen].ip, 16, ip) ; - ipnum[iplen++].num = 1 ; - } - pidip[numconn].num = pid ; - byte_copy(pidip[numconn++].ip, 16, ip) ; - if (verbosity >= 2) - { - log_accept(pid, ip, port, ipnum[i].num) ; - log_status() ; - } -} +#include <s6/config.h> +#include <s6-networking/config.h> +#define USAGE "s6-tcpserver6 [ -v verbosity ] [ -d | -D ] [ -1 ] [ -c maxconn ] [ -C localmaxconn ] [ -b backlog ] [ -G gid,gid,... ] [ -g gid ] [ -u uid ] [ -U ] ip port prog..." +#define dieusage() strerr_dieusage(100, USAGE) int main (int argc, char const *const *argv, char const *const *envp) { - iopause_fd x[2] = { { -1, IOPAUSE_READ, 0 }, { -1, IOPAUSE_READ | IOPAUSE_EXCEPT, 0 } } ; + unsigned int verbosity = 1 ; + int flag1 = 0 ; + int flagU = 0 ; + int flagreuse = 1 ; + unsigned int uid = 0, gid = 0 ; + gid_t gids[NGROUPS_MAX] ; + unsigned int gidn = (unsigned int)-1 ; + unsigned int maxconn = 0 ; + unsigned int localmaxconn = 0 ; + unsigned int backlog = (unsigned int)-1 ; PROG = "s6-tcpserver6" ; { subgetopt_t l = SUBGETOPT_ZERO ; - unsigned int uid = 0, gid = 0 ; - gid_t gids[NGROUPS_MAX] ; - unsigned int gidn = 0 ; - unsigned int backlog = 20 ; - char ip[16] ; - int flag1 = 0 ; - uint16 port ; for (;;) { - register int opt = subgetopt_r(argc, argv, "1Uc:C:b:u:g:G:v:", &l) ; + register int opt = subgetopt_r(argc, argv, "Dd1Uv:c:C:b:u:g:G:", &l) ; if (opt == -1) break ; switch (opt) { - case '1' : flag1 = 1 ; break ; - case 'c' : if (!uint0_scan(l.arg, &maxconn)) dieusage() ; break ; - case 'C' : if (!uint0_scan(l.arg, &localmaxconn)) dieusage() ; break ; + case 'D' : flagreuse = 0 ; break ; + case 'd' : flagreuse = 1 ; break ; + case 'v' : if (!uint0_scan(l.arg, &verbosity)) dieusage() ; break ; + case 'c' : if (!uint0_scan(l.arg, &maxconn)) dieusage() ; if (!maxconn) maxconn = 1 ; break ; + case 'C' : if (!uint0_scan(l.arg, &localmaxconn)) dieusage() ; if (!localmaxconn) localmaxconn = 1 ; break ; case 'b' : if (!uint0_scan(l.arg, &backlog)) dieusage() ; break ; case 'u' : if (!uint0_scan(l.arg, &uid)) dieusage() ; break ; case 'g' : if (!uint0_scan(l.arg, &gid)) dieusage() ; break ; - case 'G' : if (!gid_scanlist(gids, NGROUPS_MAX, l.arg, &gidn)) dieusage() ; break ; - case 'v' : if (!uint0_scan(l.arg, &verbosity)) dieusage() ; break ; - case 'U' : - { - char const *x = env_get2(envp, "UID") ; - if (!x) strerr_dienotset(100, "UID") ; - if (!uint0_scan(x, &uid)) strerr_dieinvalid(100, "UID") ; - x = env_get2(envp, "GID") ; - if (!x) strerr_dienotset(100, "GID") ; - if (!uint0_scan(x, &gid)) strerr_dieinvalid(100, "GID") ; - x = env_get2(envp, "GIDLIST") ; - if (!x) strerr_dienotset(100, "GIDLIST") ; - if (!gid_scanlist(gids, NGROUPS_MAX, x, &gidn) && *x) - strerr_dieinvalid(100, "GIDLIST") ; - break ; - } + case 'G' : if (!gid_scanlist(gids, NGROUPS_MAX, l.arg, &gidn) && *l.arg) dieusage() ; break ; + case '1' : flag1 = 1 ; break ; + case 'U' : flagU = 1 ; uid = 0 ; gid = 0 ; gidn = (unsigned int)-1 ; break ; default : dieusage() ; } } argc -= l.ind ; argv += l.ind ; if (argc < 3) dieusage() ; - if (!ip6_scan(argv[0], ip) || !uint160_scan(argv[1], &port)) dieusage() ; - close(0) ; - if (flag1) + } + + { + unsigned int m = 0 ; + unsigned int pos = 0 ; + char fmt[UINT_FMT * 6 + GID_FMT * NGROUPS_MAX] ; + char const *newargv[24 + argc] ; + newargv[m++] = S6_NETWORKING_BINPREFIX "s6-tcpserver6-socketbinder" ; + if (!flagreuse) newargv[m++] = "-D" ; + if (backlog != (unsigned int)-1) { - if (fcntl(1, F_GETFD) < 0) - strerr_dief1sys(100, "called with option -1 but stdout said") ; + newargv[m++] = "-b" ; + newargv[m++] = fmt + pos ; + pos += uint_fmt(fmt + pos, backlog) ; + fmt[pos++] = 0 ; } - else close(1) ; - if (!maxconn) maxconn = 1 ; - if (maxconn > ABSOLUTE_MAXCONN) maxconn = ABSOLUTE_MAXCONN ; - if (localmaxconn > maxconn) localmaxconn = maxconn ; - x[1].fd = socket_tcp6() ; - if ((x[1].fd == -1) || (coe(x[1].fd) == -1)) - strerr_diefu1sys(111, "create socket") ; - if (socket_bind6_reuse(x[1].fd, ip, port) < 0) - strerr_diefu2sys(111, "bind to ", argv[0]) ; - if (socket_listen(x[1].fd, backlog) == -1) - strerr_diefu1sys(111, "listen") ; - if (gidn && (setgroups(gidn, gids) < 0)) strerr_diefu1sys(111, "setgroups") ; - if (gid && (setgid(gid) < 0)) strerr_diefu1sys(111, "drop gid") ; - if (uid && (setuid(uid) < 0)) strerr_diefu1sys(111, "drop uid") ; - - x[0].fd = selfpipe_init() ; - if (x[0].fd == -1) strerr_diefu1sys(111, "create selfpipe") ; - if (sig_ignore(SIGPIPE) < 0) strerr_diefu1sys(111, "ignore SIGPIPE") ; + newargv[m++] = "--" ; + newargv[m++] = *argv++ ; + newargv[m++] = *argv++ ; + if (flagU || uid || gid || gidn != (unsigned int)-1) { - sigset_t set ; - sigemptyset(&set) ; - sigaddset(&set, SIGCHLD) ; - sigaddset(&set, SIGTERM) ; - sigaddset(&set, SIGHUP) ; - sigaddset(&set, SIGQUIT) ; - sigaddset(&set, SIGABRT) ; - if (selfpipe_trapset(&set) < 0) strerr_diefu1sys(111, "trap signals") ; + newargv[m++] = S6_EXTBINPREFIX "s6-applyuidgid" ; + if (flagU) newargv[m++] = "-Uz" ; + if (uid) + { + newargv[m++] = "-u" ; + newargv[m++] = fmt + pos ; + pos += uint_fmt(fmt + pos, uid) ; + fmt[pos++] = 0 ; + } + if (gid) + { + newargv[m++] = "-g" ; + newargv[m++] = fmt + pos ; + pos += uint_fmt(fmt + pos, gid) ; + fmt[pos++] = 0 ; + } + if (gidn != (unsigned int)-1) + { + newargv[m++] = "-G" ; + newargv[m++] = fmt + pos ; + pos += gid_fmtlist(fmt + pos, gids, gidn) ; + fmt[pos++] = 0 ; + } + newargv[m++] = "--" ; } - if (flag1) + newargv[m++] = S6_NETWORKING_BINPREFIX "s6-tcpserver6d" ; + if (verbosity != 1) { - char fmt[UINT16_FMT] ; - unsigned int n = uint16_fmt(fmt, port) ; - fmt[n++] = '\n' ; - allwrite(1, fmt, n) ; - fd_close(1) ; + newargv[m++] = "-v" ; + newargv[m++] = fmt + pos ; + pos += uint_fmt(fmt + pos, verbosity) ; + fmt[pos++] = 0 ; } - fmtlocalmaxconn[1+uint_fmt(fmtlocalmaxconn+1, localmaxconn)] = 0 ; - if (verbosity >= 2) + if (flag1) newargv[m++] = "-1" ; + if (maxconn) { - fmtmaxconn[1+uint_fmt(fmtmaxconn+1, maxconn)] = 0 ; - log_start(ip, port) ; - log_status() ; + newargv[m++] = "-c" ; + newargv[m++] = fmt + pos ; + pos += uint_fmt(fmt + pos, maxconn) ; + fmt[pos++] = 0 ; } - } - - { - ipnum_t inyostack[maxconn<<1] ; - pidip = inyostack ; ipnum = inyostack + maxconn ; - while (cont) + if (localmaxconn) { - if (iopause_g(x, 1 + (numconn < maxconn), 0) < 0) - strerr_diefu1sys(111, "iopause") ; - - if (x[0].revents & IOPAUSE_EXCEPT) strerr_dief1x(111, "trouble with selfpipe") ; - if (x[0].revents & IOPAUSE_READ) handle_signals() ; - if (numconn < maxconn) - { - if (x[1].revents & IOPAUSE_EXCEPT) strerr_dief1x(111, "trouble with socket") ; - if (x[1].revents & IOPAUSE_READ) - { - char ip[16] ; - uint16 port ; - register int fd = socket_accept6(x[1].fd, ip, &port) ; - if (fd < 0) - { - if (verbosity) strerr_warnwu1sys("accept") ; - } - else - { - new_connection(fd, ip, port, argv+2, envp) ; - fd_close(fd) ; - } - } - } + newargv[m++] = "-C" ; + newargv[m++] = fmt + pos ; + pos += uint_fmt(fmt + pos, localmaxconn) ; + fmt[pos++] = 0 ; } + newargv[m++] = "--" ; + while (*argv) newargv[m++] = *argv++ ; + newargv[m++] = 0 ; + pathexec_run(newargv[0], newargv, envp) ; + strerr_dieexec(111, newargv[0]) ; } - if (verbosity >= 2) log_exit() ; - return 0 ; } |