xinetd is not working on FreeBSD 10.3 and 12.0-CURRENT with dgram UDP services like tftp server or tftp-proxy.

Sample config:

    service tftp
    {
        disable     = no
        port        = 69
        socket_type = dgram
        protocol    = udp
        wait        = yes
        user        = root
        group       = wheel
        server      = /usr/libexec/tftpd
        server_args = -d 15 -l -s /tftpboot
    }

xinetd logs:

    16/7/12@12:36:10: DEBUG: 15844 {main_loop} select returned 1
    16/7/12@12:36:10: DEBUG: 15844 {svc_suspend} Suspended service tftp
    16/7/12@12:36:10: DEBUG: 15844 {server_start} Starting service tftp
    16/7/12@12:36:10: DEBUG: 15844 {main_loop} active_services = 0
    16/7/12@12:36:10: DEBUG: 15845 {exec_server} duping 0
    16/7/12@12:36:10: DEBUG: 15844 {main_loop} active_services = 0
    16/7/12@12:36:10: DEBUG: 15844 {main_loop} select returned 1
    16/7/12@12:36:10: DEBUG: 15844 {check_pipe} Got signal 20 (Child exited)
    16/7/12@12:36:10: DEBUG: 15844 {child_exit} waitpid returned = 15845
    16/7/12@12:36:10: DEBUG: 15844 {server_end} tftp server 15845 exited
    16/7/12@12:36:10: DEBUG: 15844 {drain} UDP socket should be empty
    16/7/12@12:36:10: DEBUG: 15844 {svc_resume} Resumed service tftp
    16/7/12@12:36:10: DEBUG: 15844 {child_exit} waitpid returned = -1
    16/7/12@12:36:10: DEBUG: 15844 {main_loop} active_services = 1

tftpd logs:

    Jul 12 12:36:10 tp tftpd[15845]: recvfrom: Resource temporarily unavailable

tftp-proxy logs:

    Jul 11 17:12:39 test-ce-23-amd64 tftp-proxy[38884]: setsockopt(IP_RECVDSTADDR): Protocol not available

It was first reported on pfSense, then I reproduced it on stock FreeBSD as well.

Ref: https://redmine.pfsense.org/issues/6315
More details I found out while investigating.

If xinetd is built WITHOUT option LIBWRAP, it doesn't even execute tftpd and its log says:

    16/7/12@18:40:20: DEBUG: 29457 {main_loop} active_services = 1
    16/7/12@18:40:24: DEBUG: 29457 {main_loop} select returned 1
    16/7/12@18:40:24: DEBUG: 29457 {svc_suspend} Suspended service tftp
    16/7/12@18:40:24: DEBUG: 29457 {server_start} Starting service tftp
    16/7/12@18:40:24: DEBUG: 29457 {main_loop} active_services = 0
    16/7/12@18:40:24: WARNING: 29458 {exec_server} fcntl( 0, clear close-on-exec ) failed: Bad file descriptor (errno = 9)
    16/7/12@18:40:24: DEBUG: 29458 {exec_server} duping 0
    16/7/12@18:40:24: ERROR: 29458 {exec_server} dup2( 0, 0 ) failed: Bad file descriptor (errno = 9)
    16/7/12@18:40:24: DEBUG: 29457 {main_loop} active_services = 0
    16/7/12@18:40:24: DEBUG: 29457 {main_loop} select returned 1
    16/7/12@18:40:24: DEBUG: 29457 {check_pipe} Got signal 20 (Child exited)

If xinetd is built WITH LIBWRAP option ON, it calls tftpd and here is the xinetd log:

    Jul 12 17:31:31 cmbfbsd93 xinetd: warning: can't get client address: Bad file descriptor

Followed by the tftpd error log:

    Jul 12 17:31:31 cmbfbsd93 tftpd[65029]: recvfrom: Resource temporarily unavailable
More related info:

https://afnog.org/archives/2007-May/003244.html
https://lists.freebsd.org/pipermail/freebsd-hackers/2007-January/019394.html

Looks like it broke between FreeBSD 6.1 and 6.2
loos@ fixed it in pfSense: https://github.com/pfsense/FreeBSD-ports/commit/eeb3abaa71905ccaec35b0bee7bc4dcc40cfc306
There is also a PR for upstream: https://github.com/xinetd-org/xinetd/pull/22
maintainer reset
I'll handle it
A commit references this bug:

Author: garga
Date: Mon Sep 5 17:09:18 UTC 2016
New revision: 421378
URL: https://svnweb.freebsd.org/changeset/ports/421378

Log:
  Fix some edge cases in xinetd file descriptor handling

  This change fixes the case where the listening file descriptor is in 0~2
  range (easily reproducible with a single UDP service)

  PR: 211038
  Obtained from: pfSense
  MFH: 2016Q3
  Sponsored by: Rubicon Communications (Netgate)

Changes:
  head/security/xinetd/Makefile
  head/security/xinetd/files/patch-xinetd_child.c
A commit references this bug:

Author: garga
Date: Tue Sep 6 16:49:01 UTC 2016
New revision: 421441
URL: https://svnweb.freebsd.org/changeset/ports/421441

Log:
  MFH: r421378

  Fix some edge cases in xinetd file descriptor handling

  This change fixes the case where the listening file descriptor is in 0~2
  range (easily reproducible with a single UDP service)

  PR: 211038
  Obtained from: pfSense
  Sponsored by: Rubicon Communications (Netgate)

  Approved by: ports-secteam (feld)

Changes:
_U  branches/2016Q3/
  branches/2016Q3/security/xinetd/Makefile
  branches/2016Q3/security/xinetd/files/patch-xinetd_child.c
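
The commit log above names the failing case as a listening descriptor that already sits in the 0~2 range. The following C code is an added example, not the patch from r421378 and not xinetd's code: it shows one general way to wire a service descriptor onto 0, 1 and 2 that stays correct in that case. The names attach_stdio and check_case are hypothetical, and a pipe end stands in for the UDP socket because only the descriptor number matters here.

```c
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper (not xinetd's code): make 0, 1 and 2 all refer to sd,
 * including when sd is itself 0, 1 or 2. Returns 0 on success, -1 on error. */
int attach_stdio(int sd)
{
    int fd;
    if (sd <= 2) {                       /* move it out of the target range */
        sd = fcntl(sd, F_DUPFD, 3);      /* lowest free descriptor >= 3 */
        if (sd < 0)
            return -1;
    }
    /* sd >= 3 here, so dup2 never hits its oldfd == newfd no-op, and each
     * new descriptor comes back with close-on-exec cleared. */
    for (fd = 0; fd <= 2; fd++)
        if (dup2(sd, fd) < 0)
            return -1;
    return close(sd);                    /* only 0-2 stay open for the server */
}

/* Constructed check: a child puts a pipe end on descriptor `at`, closes the
 * rest of 0-2, calls attach_stdio(); returns 0 if 0-2 all match that pipe. */
int check_case(int at)
{
    struct stat want, got;
    int fd, p[2], status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (pipe(p) < 0 || close(p[1]) < 0) _exit(2);
        if (p[0] != at && (dup2(p[0], at) < 0 || close(p[0]) < 0)) _exit(2);
        if (fstat(at, &want) < 0) _exit(2);
        for (fd = 0; fd <= 2; fd++)      /* leave only `at` open in 0-2 */
            if (fd != at) close(fd);
        if (attach_stdio(at) < 0) _exit(1);
        for (fd = 0; fd <= 2; fd++)
            if (fstat(fd, &got) < 0 || got.st_ino != want.st_ino) _exit(1);
        _exit(0);
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) { return check_case(0) | check_case(1) | check_case(2) | check_case(5); }
```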