Maybe it's time to get rid of tcpwrappers/tcpd?

Lennart Poettering mzerqung at 0pointer.de
Fri Mar 21 00:17:45 UTC 2014


On Thu, 20.03.14 20:55, Hans de Goede (hdegoede at redhat.com) wrote:

> > I mean, I really don't mind that tcpd/tcpwrap stays in the archives, if
> > people want to make use of that. I am simply proposing to not link
> > against them anymore for everything that is in the default system.
> 
> So as an innocent bystander who happens to be reading along this thread,
> I see 2 sides to the story here:
> 
> Lennart says:
> 1) It is horrible code
> 2) It really really is horrible horrible code
> 3) And there are other ways to achieve the same goal, so let's kill it

I am not just saying "other ways", but *better* ways.

I am also saying that keeping this around makes the OS unnecessarily more complex.

> Others say:
> 1) There may be other ways but none so easily centrally managed with
> a unified syntax for all services
> 
> The argument which the others are making actually sounds a lot like
> a lot of the arguments in favor of systemd (wrt standardizing, etc.).

Well the difference here is pretty much that there was no
pre-existing standardization effort for the areas that systemd covered
really.

However, there's a technically much better, established, better
understood alternative to tcpwrappers, and that's a firewall.

> And I'm getting the feeling that Lennart is not as much opposed to the
> functionality of tcp-wrappers, as that he *really* hates the code.

I am actually against this as separate functionality too. Go high-level
with service-specific filtering. Or go low-level with a firewall. Don't
waste your time with tcpwrap...

> So maybe a solution would be to write a libwrap2 instead ?

Oh, please no. We already have firewalls for this.

If you want to write new code: I think it would be a lot nicer to simply
write a converter for hosts.allow and hosts.deny into iptables rules,
plus some warnings if DNS and IDENT matches are used.

> So offer something with equivalent functionality (and config file
> syntax compatibility), with a nice modern clean API and then systemd
> and others can be moved over to that 1 by 1, and once we've no more
> users left we can kill off the old beast ?

Nope. In systemd we already support one subsystem for filtering just
fine, it's called a firewall. I am looking for a way to simplify things,
and remove unnecessary redundancies. And just rewriting something that
is redundant and a bad idea in the first place, certainly doesn't help
there...

Lennart

-- 
Lennart Poettering, Red Hat
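The converter Lennart sketches above (hosts.allow / hosts.deny into iptables rules, with warnings wherever a pattern relies on DNS or IDENT) is small enough to show in full. The following is an added example, not code from the thread, from tcp_wrappers or from systemd. It assumes a constructed daemon-name to TCP-port table (a real tool would read /etc/services or the service unit), handles IPv4 client patterns only, and treats the `EXCEPT` operator and the optional shell_command field as unconvertible rather than guessing at them.

```python
"""Convert hosts.allow / hosts.deny entries into iptables rules.

Added example; not code from tcp_wrappers, systemd or the post's author.
The daemon-name -> port table and the two sample files are constructed.
Only IPv4 client patterns are converted; IPv6 ([addr] syntax) is not handled.
"""
import ipaddress

# Assumed mapping from tcpd daemon names to TCP ports (constructed for the
# example; a real converter would consult /etc/services or the service unit).
DAEMON_PORTS = {"sshd": 22, "vsftpd": 21, "in.telnetd": 23}

# Wildcards whose meaning depends on a reverse-DNS lookup of the peer.
DNS_WILDCARDS = {"LOCAL", "KNOWN", "UNKNOWN", "PARANOID"}


def parse_client(token):
    """Map one client_list pattern to (cidr, None), or (None, warning)."""
    if "@" in token:
        return None, f"IDENT match '{token}' has no firewall equivalent; skipped"
    if token in DNS_WILDCARDS:
        return None, f"'{token}' depends on reverse DNS; skipped"
    if token == "ALL":
        return "0.0.0.0/0", None
    if token.startswith("."):
        return None, f"domain-suffix match '{token}' requires DNS; skipped"
    if "/" in token:  # net/mask, mask given as prefix length or dotted quad
        try:
            return str(ipaddress.IPv4Network(token, strict=False)), None
        except ValueError:
            return None, f"unparseable network pattern '{token}'; skipped"
    if token.endswith("."):  # trailing dot: "10.1." means 10.1.0.0/16
        octets = token.rstrip(".").split(".")
        if 1 <= len(octets) <= 3 and all(o.isdigit() for o in octets):
            net = ".".join(octets + ["0"] * (4 - len(octets)))
            return f"{net}/{8 * len(octets)}", None
        return None, f"unparseable prefix pattern '{token}'; skipped"
    try:
        return str(ipaddress.IPv4Network(token)), None  # single host -> /32
    except ValueError:
        return None, f"hostname match '{token}' requires DNS; skipped"


def parse_rules(text, target):
    """Parse one hosts.allow/hosts.deny file into (port, cidr, target) tuples."""
    rules, warnings = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            warnings.append(f"malformed line skipped: {raw!r}")
            continue
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        if len(fields) > 2:
            warnings.append(f"shell_command ignored on line {raw!r}")
        if "EXCEPT" in daemons or "EXCEPT" in clients:
            warnings.append(f"EXCEPT operator not supported; line skipped: {raw!r}")
            continue
        ports = []
        for d in daemons:
            if d == "ALL":
                ports.append(None)  # None = no --dport restriction
            elif d in DAEMON_PORTS:
                ports.append(DAEMON_PORTS[d])
            else:
                warnings.append(f"unknown daemon '{d}' skipped")
        for c in clients:
            cidr, warn = parse_client(c)
            if warn:
                warnings.append(warn)
                continue
            rules.extend((p, cidr, target) for p in ports)
    return rules, warnings


def to_iptables(allow_text, deny_text):
    """Return (rule_lines, warnings).  Allow rules are emitted first because
    tcpd consults hosts.allow before hosts.deny and stops at the first match,
    which is the same first-match semantics iptables applies within a chain."""
    allow, w_allow = parse_rules(allow_text, "ACCEPT")
    deny, w_deny = parse_rules(deny_text, "DROP")
    lines = []
    for port, cidr, target in allow + deny:
        dport = "" if port is None else f" --dport {port}"
        lines.append(f"iptables -A INPUT -p tcp -m conntrack --ctstate NEW"
                     f"{dport} -s {cidr} -j {target}")
    return lines, w_allow + w_deny


# Constructed sample input files.
SAMPLE_ALLOW = """\
# constructed sample hosts.allow
sshd: 192.168.1.0/24, 10.0.0.5
vsftpd: 10.1.
ALL: LOCAL
"""
SAMPLE_DENY = """\
# constructed sample hosts.deny
sshd: ALL
vsftpd: .example.org, user@host.example.org
"""

if __name__ == "__main__":
    rules, warnings = to_iptables(SAMPLE_ALLOW, SAMPLE_DENY)
    print("\n".join(rules))
    for w in warnings:
        print("WARNING:", w)
```

Two caveats a practitioner should keep in mind when using output like this: tcpd's implicit default is to allow a connection that matches neither file, so the INPUT chain policy (or a final rule) has to be chosen deliberately rather than assumed; and an `ALL: ALL` line in hosts.deny covers only wrapped daemons under tcpd but every TCP port once translated to the firewall, so such lines deserve a manual review before being applied.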

