$Id: MEMO,v 1.3 2000/05/15 09:25:45 misiek Exp $:

1) README

TCP Wrappers 7.6 compatible IPv6 tcp wrapper

			written by Kazunori Fujiwara <fujiwara@rcac.tdi.co.jp>
			release: 980106
			rewritten in English: 2000/2/15

Goal:

  I need a secure IPv6 environment.
  I need an IPv6 tcp_wrappers_7.6. (At that time there was no tcp_wrappers IPv6 patch.)

Compatibility:

  struct request_info *request_init(struct request_info *req, args)
  void fromhost(struct request_info *req)
  int hosts_access(struct request_info *req)
  void refuse(struct request_info *req)
  void clean_request(struct request_info *req)
  void clean_exit(struct request_info *req)
  int allow_severity ... syslog priority when allow
  int deny_severity  ... syslog priority when deny

Changes from tcp_wrappers:
  configuration file:
    the filename is /etc/hosts.access
    the configuration file format is changed:

      service definition
         multiple allow/deny lines
      next service definition
         multiple allow/deny lines
      end of file

    tcpd execution options (OPTIONS) are separated from the libwrap check options (FLAGS).
    see the detailed TCPD ACCESS MANUAL in section 3 of this MEMO.

Environment (OS)
  4.4BSD-Lite OS with KAME
    version 0.01e-200221 tested on FreeBSD-2.2.5R, BSD/OS3.0, BSD/OS3.1,
    FreeBSD-3.x

  4.4BSD IPv6 OS
    FreeBSD-4.x

2) SHORT API INFORMATION
tcp/udp wrapper

  /usr/include/tcpd.h

    struct request_info {
	int sock;                    /* socket or file descriptor */
	int isudp;                   /* non-zero for UDP */
	struct sockaddr_storage src; /* client (source) address */
	struct sockaddr_storage dst; /* server (destination) address */
	char service[];              /* service name */
	char src_name[];             /* client host name */
	char dst_name[];             /* server host name */
    };                               /* array sizes omitted here; see tcpd.h */


  /usr/lib/libwrap.a
    struct request_info *request_init(struct request_info *req, args)
	args ... a list of (command, argument) pairs, terminated by NULL or RQ_END
		RQ_FILE   ... specify the file descriptor
		RQ_DAEMON ... specify the service name
		NULL      ... end of args
		RQ_END    ... end of args
		RQ_IGNOREP ... ignore the next argument
		RQ_SETTABLE ... use another access table file
	    for testing only
		RQ_USER        ... specify the user name
		RQ_CLIENT_SIN  ... specify the (struct sockaddr_in *) client address
		RQ_SERVER_SIN  ... specify the (struct sockaddr_in *) server address
		RQ_CLIENT_NAME ... specify the client FQDN
		RQ_SERVER_NAME ... specify the server FQDN
	    ignored
		RQ_CLIENT_ADDR ... specify the client address (dot notation)
		RQ_SERVER_ADDR ... specify the server address (dot notation)

    void fromhost(struct request_info *req)
	fill in the socket information (client and server addresses and names)

    int hosts_access(struct request_info *req)
	judge whether the request is allowed (same return convention as
	tcp_wrappers 7.6: non-zero means allowed)

    int hosts_access_tcpd(struct request_info *req, char *options, int optlen)
	judge the request and also return the matched tcpd OPTIONS string
	in options (at most optlen bytes)

    void refuse(struct request_info *req)
	log the refusal to syslog, then exit(0)

    void clean_request(struct request_info *req)
	drop the request (used for UDP)

    void clean_exit(struct request_info *req)
	drop the request and exit(0)

    int allow_severity ... syslog priority when allow
    int deny_severity  ... syslog priority when deny

  /usr/libexec/tcpd
    the tcpd wrapper program

Caution:
	sockets of any family other than AF_INET and AF_INET6 cause an error.

library functions used:
	fopen, fgets, fclose, 
	getaddrinfo, getnameinfo, htons, inet_pton,
	longjmp, setjmp, memcpy, snprintf, sprintf, sscanf,
	strcasecmp, strchr, strcmp, strcpy, strncasecmp, strncpy,
	strtoul, signal, syslog

system calls used:
	getpeername, getsockname, recvfrom, read, write, socket,
	alarm, sleep


3) TCPD ACCESS MANUAL

tcpd and libwrap are controlled by the /etc/hosts.access file

   /etc/tcpd.access : access configuration file

   Format:

	"DEFAULT" "|" FLAGS
	SERVICE [ "|" FLAGS ]
	"allow" CLIENTS [ "|" FLAGS [ "|" OPTIONS ] ]
	"deny"  CLIENTS [ "|" FLAGS ]

        ... repeated for each service

    The "DEFAULT" line's FLAGS give the default values for all services.
    The default decision is deny.

        FLAGS ... flags which affect the judgement.
                  They take effect when a request is checked.
                  Items are separated by ","; whitespace is ignored.
                  Values can be quoted with "'".
           ident     ... always check ident (RFC 1413)
           noident   ... never check ident (RFC 1413)
           defaultallow ... allow when no client pattern matches
           defaultdeny  ... deny when no client pattern matches (default)
           syslog local0.notice ... specify the syslog facility and priority
           refuse_wait 10 ... seconds to sleep when refusing a request
					(default is 5 seconds)
           rfc1413_timeout 10 ... RFC 1413 IDENT protocol timeout
           ignorednsfake ... ignore a faked DNS reverse mapping (a reverse
				name whose forward lookup does not give back the
				client address), but still do not trust the host internally
           denydnsfake ... deny when the DNS reverse mapping is faked

    A SERVICE line specifies a service name and, optionally, the server host address.
    The SERVICE line's FLAGS give the service's default FLAGS.

        SERVICE ... service name

                    service name "@" HOSTNAME       
				restrict to the server address given by HOSTNAME

                    service name "@inet#" HOSTNAME
				restrict to the server hostname's IPv4 address

                    service name "@inet6#" HOSTNAME
				restrict to the server hostname's IPv6 address

                    service name "@" IPv4 address (dot notation)
				restrict to the server IPv4 address

		    service name "@" IPv6 address (colon notation)
				restrict to the server IPv6 address

        service name ... the RQ_DAEMON value when used from libwrap,
                      the daemon name when used from tcpd.
                      "ALL" matches all services.

        HOSTNAME ... FQDN, IPv4 address or IPv6 address

	By writing a hostname or IP address after '@', you can give different
	rules to the same port on different server addresses (for example the
	IPv4 and the IPv6 address of a dual-stack host).
	inet6#hostname and inet#hostname select the IPv6 or IPv4 address of the name,
		for example: http@inet6#hostname

    Next, write the service's allow/deny conditions.
    Two kinds of options can be given on an allow/deny line:
      first:  the FLAGS described above
      second: tcpd execution options applied when the line matches (OPTIONS)

        CLIENTS ... [user@]CLIENTPATTERN1
                    when "user@" is given, the user name is checked
		    with the RFC 1413 IDENT protocol

        CLIENTPATTERN1 = inet# CLIENTPATTERN2
                         inet6# CLIENTPATTERN2
                         CLIENTPATTERN2

        CLIENTPATTERN2 ... client host pattern
                "ALL" ... matches every client
                "KNOWN" ... matches clients whose address has a DNS reverse mapping
                "."DOMAIN ... matches hosts in DOMAIN
                FQDN      ... matches that host name
                addr/mask ... IPv4 or IPv6 address + mask
                addr      ... IPv4 or IPv6 address
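The client patterns above, as a matcher in C. This is an added example written for this MEMO, not the wrapper's own source; it shows what a pattern such as inet6#2001:db8::/32 or .example.org matches against a client that fromhost() has resolved, and a first-match walk over a service's allow/deny lines with the defaultallow/defaultdeny fallback. Assumptions not stated on this page: IPv4 masks may be a prefix length or a dotted netmask (as in classic tcp_wrappers), the first matching line decides, the user@ ident part is accepted but not checked, and all addresses and names are placeholders.

```c
/* Added example for this MEMO, not the wrapper's code.  Matches the
 * CLIENTPATTERN forms: ALL, KNOWN, .DOMAIN, FQDN, addr, addr/mask, with an
 * optional inet#/inet6# address-family prefix and an optional user@ part. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <sys/socket.h>

struct client {
    int family;              /* AF_INET or AF_INET6 */
    unsigned char addr[16];  /* first 4 or 16 bytes used */
    char name[256];          /* reverse-mapped FQDN, "" if none */
};

/* Fill a client record from a numeric address and its reverse name.
 * Returns -1 for anything that is not AF_INET/AF_INET6, as the MEMO warns. */
int make_client(const char *addr, const char *name, struct client *c)
{
    memset(c, 0, sizeof *c);
    if (inet_pton(AF_INET, addr, c->addr) == 1) c->family = AF_INET;
    else if (inet_pton(AF_INET6, addr, c->addr) == 1) c->family = AF_INET6;
    else return -1;
    if (name) snprintf(c->name, sizeof c->name, "%s", name);
    return 0;
}

/* True when the first `bits` bits of a and b are equal. */
static int prefix_eq(const unsigned char *a, const unsigned char *b, int bits)
{
    int full = bits / 8, rest = bits % 8;
    if (memcmp(a, b, full) != 0) return 0;
    if (rest == 0) return 1;
    unsigned char m = (unsigned char)(0xffu << (8 - rest));
    return (a[full] & m) == (b[full] & m);
}

/* Mask text -> prefix length, or -1.  Accepts "24"/"64"; for IPv4 also a
 * dotted netmask (assumption), rejecting non-contiguous ones like 255.0.255.0. */
static int parse_mask(const char *m, int family)
{
    char *end;
    long n = strtol(m, &end, 10);
    int maxbits = (family == AF_INET) ? 32 : 128;
    if (*m != '\0' && *end == '\0') return (n >= 0 && n <= maxbits) ? (int)n : -1;
    unsigned char q[4];
    if (family != AF_INET || inet_pton(AF_INET, m, q) != 1) return -1;
    uint32_t v = ((uint32_t)q[0] << 24) | ((uint32_t)q[1] << 16) | (q[2] << 8) | q[3];
    int bits = 0;
    while (bits < 32 && (v & 0x80000000u)) { v <<= 1; bits++; }
    return (v == 0) ? bits : -1;
}

/* Returns 1 on match, 0 on no match, -1 on a malformed pattern. */
int match_client(const char *pattern, const struct client *c)
{
    const char *p = pattern, *at = strchr(pattern, '@');
    if (at) p = at + 1;                      /* user@: ident check not modelled */
    int want = 0;                            /* inet#/inet6# family restriction */
    if (strncmp(p, "inet6#", 6) == 0) { want = AF_INET6; p += 6; }
    else if (strncmp(p, "inet#", 5) == 0) { want = AF_INET; p += 5; }
    if (want && want != c->family) return 0;
    if (strcmp(p, "ALL") == 0) return 1;
    if (strcmp(p, "KNOWN") == 0) return c->name[0] != '\0';
    if (p[0] == '.') {                       /* .DOMAIN: case-insensitive suffix */
        size_t nl = strlen(c->name), pl = strlen(p);
        return nl > pl && strcasecmp(c->name + nl - pl, p) == 0;
    }
    char buf[256];
    if (strlen(p) >= sizeof buf) return -1;
    strcpy(buf, p);
    char *slash = strchr(buf, '/');
    if (slash) *slash = '\0';
    int fam = 0;
    unsigned char a[16];
    if (inet_pton(AF_INET, buf, a) == 1) fam = AF_INET;
    else if (inet_pton(AF_INET6, buf, a) == 1) fam = AF_INET6;
    else if (slash) return -1;               /* "name/mask" is meaningless */
    else return c->name[0] != '\0' && strcasecmp(c->name, p) == 0;   /* FQDN */
    if (fam != c->family) return 0;          /* an IPv4 pattern never matches an IPv6 peer */
    int bits = slash ? parse_mask(slash + 1, fam) : (fam == AF_INET ? 32 : 128);
    if (bits < 0) return -1;
    return prefix_eq(a, c->addr, bits);
}

struct rule { int allow; const char *clients; };   /* one allow/deny line */

/* Walk a service's allow/deny lines in order (assumption: first match
 * decides); a malformed pattern fails closed.  defallow is the
 * defaultallow (1) / defaultdeny (0) flag.  Returns 1 = allow, 0 = deny. */
int hosts_decide(const struct rule *rules, int n, int defallow, const struct client *c)
{
    for (int i = 0; i < n; i++) {
        int r = match_client(rules[i].clients, c);
        if (r < 0) return 0;
        if (r) return rules[i].allow;
    }
    return defallow;
}
```

Two points worth checking against the real wrapper before relying on them: the example never lets an IPv4 pattern match an IPv6 peer, so a client arriving as an IPv4-mapped IPv6 address (::ffff:192.0.2.10) on an AF_INET6 socket would only match inet6# or unprefixed IPv6 patterns here; and a malformed pattern makes the whole service deny, which is the safe reading of an access file that failed to parse.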

        OPTIONS ... tcpd execution options
                when the same option is given more than once, only the
			last one is executed (setenv excepted).
                items are separated by ","; whitespace is ignored.
		values can be quoted with ''.

                setenv 'ENVNAME' 'VALUE'  : set an environment variable
                twist 'commands'          : execute commands
                user user                 : setuid to user
                group group               : setgid to group
                umask 007                 : set the umask
                banner 'string'           : print 'string'
                noexec                    : don't evaluate tcpd command options
                nice number               : change the nice value
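A complete access file built from the format above, as an added example for this MEMO (it is not a file shipped with the wrapper; the service names, host names and addresses are placeholders chosen for illustration):

```text
DEFAULT | defaultdeny, noident, syslog local0.notice, refuse_wait 5

sshd | ident, rfc1413_timeout 10
allow operator@inet6#2001:db8:10::/48 | ident | banner 'authorized use only'
allow inet#192.0.2.0/24 | noident
allow KNOWN | denydnsfake
deny ALL

ftpd@inet6#ftp.example.org
allow .example.org | noident | umask 027, nice 10
deny ALL

httpd@192.0.2.80 | defaultallow
deny inet#198.51.100.0/24
```

Reading it with the rules above: the DEFAULT line makes every service deny unless a line allows, and turns ident off globally; the sshd service turns ident back on, and its first line additionally requires the IDENT reply to name operator; the ftpd service applies only to connections that reach the IPv6 address of ftp.example.org, so IPv4 connections to the same port fall through to the DEFAULT decision; the httpd service switches to defaultallow, so only the one denied IPv4 network is refused. Note that deny lines carry FLAGS but no OPTIONS, so a banner or twist can only be attached to an allow line.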

