Project import
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..bdfaefb
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,100 @@
+#
+#    Copyright (c) 2010-2011 Nest, Inc.
+#    All rights reserved.
+#
+#    This document is the property of Nest. It is considered
+#    confidential and proprietary information.
+#
+#    This document may not be reproduced or transmitted in any form,
+#    in whole or in part, without the express written permission of
+#    Nest.
+#
+#    Description:
+#      This file is the makefile for the IP socket connection filter
+#      daemon and library, tcp_wrappers.
+#
+
+BuildConfigSpecialized	:= No
+BuildProductSpecialized	:= No
+
+include pre.mak
+
+PackageName		:= tcp_wrappers
+
+PackageExtension	:= tar.gz
+PackageSeparator	:= _
+
+PackagePatchArgs	:= -g 0 -p1
+
+PackageArchive		:= $(PackageName).$(PackageExtension)
+PackageSourceDir	:= $(PackageName)$(PackageSeparator)$(PackageVersion)
+
+PackageBuildMakefile	= $(call GenerateBuildPaths,Makefile)
+
+CleanPaths		+= $(PackageLicenseFile)
+
+all: $(PackageDefaultGoal)
+
+# Generate the package license contents.
+
+$(PackageSourceDir)/DISCLAIMER: source
+
+$(PackageLicenseFile): $(PackageSourceDir)/DISCLAIMER
+	$(copy-result)
+
+# Extract the source from the archive and apply patches, if any.
+
+$(PackageSourceDir): $(PackageArchive) $(PackagePatchPaths)
+	$(expand-and-patch-package)
+
+# Prepare the sources.
+
+.PHONY: source
+source: | $(PackageSourceDir)
+
+# Patch the sources, if necessary.
+
+.PHONY: patch
+patch: source
+
+$(PackageBuildMakefile): | $(PackageSourceDir) $(BuildDirectory)
+	$(Verbose)ln -sf $(CURDIR)/$(PackageSourceDir)/Makefile $@
+
+# Configure the source for building.
+
+.PHONY: configure
+configure: source $(PackageBuildMakefile)
+
+# Build the source.
+#
+# We have to unset MAKEFLAGS since they confuse the package build otherwise.
+
+.PHONY: build
+build: configure
+	$(Verbose)unset MAKEFLAGS && \
+	CC="$(CC)" AR=$(AR) RANLIB=$(RANLIB) \
+	INSTALL="$(INSTALL) $(INSTALLFLAGS)" \
+	$(MAKE) -C $(BuildDirectory) \
+	REAL_DAEMON_DIR=/usr/sbin \
+	SRCDIR=$(CURDIR)/$(PackageSourceDir) \
+	$(TargetOS)
+
+# Stage the build to a temporary installation area.
+#
+# We have to unset MAKEFLAGS since they confuse the package build otherwise.
+
+.PHONY: stage
+stage: build | $(ResultDirectory)
+	$(Verbose)unset MAKEFLAGS && \
+	$(MAKE) -C $(BuildDirectory) \
+	SRCDIR=$(CURDIR)/$(PackageSourceDir) \
+	INSTALL="$(INSTALL) $(INSTALLFLAGS)" \
+	DESTDIR=$(ResultDirectory) \
+	install
+
+clean:
+	$(Verbose)$(RM) $(RMFLAGS) -r $(PackageSourceDir)
+	$(Verbose)$(RM) $(RMFLAGS) -r $(BuildDirectory)
+	$(Verbose)$(RM) $(RMFLAGS) -r $(ResultDirectory)
+
+include post.mak
diff --git a/tcp_wrappers.patches/tcp_wrappers-00.description b/tcp_wrappers.patches/tcp_wrappers-00.description
new file mode 100644
index 0000000..515af0e
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-00.description
@@ -0,0 +1 @@
+This patch is from 'tcp_wrappers-7.6-39_2.src.rpm' and addresses RedHat bug #11881 by fixing potential buffer overflow attacks.
diff --git a/tcp_wrappers.patches/tcp_wrappers-00.patch b/tcp_wrappers.patches/tcp_wrappers-00.patch
new file mode 100644
index 0000000..0c869b4
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-00.patch
@@ -0,0 +1,35 @@
+--- tcp_wrappers_7.6/tcpd.c.bug11881	Thu Jul 27 15:39:27 2000
++++ tcp_wrappers_7.6/tcpd.c	Thu Jul 27 15:41:54 2000
+@@ -60,10 +60,10 @@
+      */
+ 
+     if (argv[0][0] == '/') {
+-	strcpy(path, argv[0]);
++	strncpy(path, argv[0], sizeof(path));
+ 	argv[0] = strrchr(argv[0], '/') + 1;
+     } else {
+-	sprintf(path, "%s/%s", REAL_DAEMON_DIR, argv[0]);
++	snprintf(path, sizeof(path), "%s/%s", REAL_DAEMON_DIR, argv[0]);
+     }
+ 
+     /*
+--- tcp_wrappers_7.6/eval.c.bug11881	Thu Jul 27 15:39:53 2000
++++ tcp_wrappers_7.6/eval.c	Thu Jul 27 15:40:51 2000
+@@ -111,7 +111,7 @@
+ 	return (hostinfo);
+ #endif
+     if (STR_NE(eval_user(request), unknown)) {
+-	sprintf(both, "%s@%s", request->user, hostinfo);
++	snprintf(both, sizeof(both), "%s@%s", request->user, hostinfo);
+ 	return (both);
+     } else {
+ 	return (hostinfo);
+@@ -128,7 +128,7 @@
+     char   *daemon = eval_daemon(request);
+ 
+     if (STR_NE(host, unknown)) {
+-	sprintf(both, "%s@%s", daemon, host);
++	snprintf(both, sizeof(both), "%s@%s", daemon, host);
+ 	return (both);
+     } else {
+ 	return (daemon);
diff --git a/tcp_wrappers.patches/tcp_wrappers-01.patch b/tcp_wrappers.patches/tcp_wrappers-01.patch
new file mode 100644
index 0000000..ff60a84
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-01.patch
@@ -0,0 +1,75 @@
+diff -ruN tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5
+--- tcp_wrappers_7.6.orig/hosts_access.5	1995-01-30 19:51:47.000000000 +0100
++++ tcp_wrappers_7.6/hosts_access.5	2004-04-09 16:59:45.000000000 +0200
+@@ -173,7 +173,7 @@
+ Patterns like these can be used when the machine has different internet
+ addresses with different internet hostnames.  Service providers can use
+ this facility to offer FTP, GOPHER or WWW archives with internet names
+-that may even belong to different organizations. See also the `twist'
++that may even belong to different organizations. See also the `twist\'
+ option in the hosts_options(5) document. Some systems (Solaris,
+ FreeBSD) can have more than one internet address on one physical
+ interface; with other systems you may have to resort to SLIP or PPP
+@@ -236,10 +236,10 @@
+ Before accepting a client request, the wrappers can use the IDENT
+ service to find out that the client did not send the request at all.
+ When the client host provides IDENT service, a negative IDENT lookup
+-result (the client matches `UNKNOWN@host') is strong evidence of a host
++result (the client matches `UNKNOWN@host\') is strong evidence of a host
+ spoofing attack.
+ .PP
+-A positive IDENT lookup result (the client matches `KNOWN@host') is
++A positive IDENT lookup result (the client matches `KNOWN@host\') is
+ less trustworthy. It is possible for an intruder to spoof both the
+ client connection and the IDENT lookup, although doing so is much
+ harder than spoofing just a client connection. It may also be that
+diff -ruN tcp_wrappers_7.6.orig/hosts_options.5 tcp_wrappers_7.6/hosts_options.5
+--- tcp_wrappers_7.6.orig/hosts_options.5	1994-12-28 17:42:29.000000000 +0100
++++ tcp_wrappers_7.6/hosts_options.5	2004-04-09 16:59:49.000000000 +0200
+@@ -124,7 +124,7 @@
+ value is taken.
+ .SH MISCELLANEOUS
+ .IP "banners /some/directory"
+-Look for a file in `/some/directory' with the same name as the daemon
++Look for a file in `/some/directory\' with the same name as the daemon
+ process (for example in.telnetd for the telnet service), and copy its
+ contents to the client. Newline characters are replaced by
+ carriage-return newline, and %<letter> sequences are expanded (see
+diff -ruN tcp_wrappers_7.6.orig/tcpdmatch.8 tcp_wrappers_7.6/tcpdmatch.8
+--- tcp_wrappers_7.6.orig/tcpdmatch.8	1996-02-11 17:01:36.000000000 +0100
++++ tcp_wrappers_7.6/tcpdmatch.8	2004-04-09 17:00:49.000000000 +0200
+@@ -26,7 +26,7 @@
+ A daemon process name. Typically, the last component of a daemon
+ executable pathname.
+ .IP client
+-A host name or network address, or one of the `unknown' or `paranoid'
++A host name or network address, or one of the `unknown\' or `paranoid\'
+ wildcard patterns.
+ .sp
+ When a client host name is specified, \fItcpdmatch\fR gives a
+@@ -37,13 +37,13 @@
+ .PP
+ Optional information specified with the \fIdaemon@server\fR form:
+ .IP server
+-A host name or network address, or one of the `unknown' or `paranoid'
+-wildcard patterns. The default server name is `unknown'.
++A host name or network address, or one of the `unknown\' or `paranoid\'
++wildcard patterns. The default server name is `unknown\'.
+ .PP
+ Optional information specified with the \fIuser@client\fR form:
+ .IP user
+ A client user identifier. Typically, a login name or a numeric userid.
+-The default user name is `unknown'.
++The default user name is `unknown\'.
+ .SH OPTIONS
+ .IP -d
+ Examine \fIhosts.allow\fR and \fIhosts.deny\fR files in the current
+@@ -70,7 +70,7 @@
+ .ti +5
+ tcpdmatch in.telnetd paranoid
+ .PP
+-On some systems, daemon names have no `in.' prefix, or \fItcpdmatch\fR
++On some systems, daemon names have no `in.\' prefix, or \fItcpdmatch\fR
+ may need some help to locate the inetd configuration file.
+ .SH FILES
+ .PP
diff --git a/tcp_wrappers.patches/tcp_wrappers-01.url b/tcp_wrappers.patches/tcp_wrappers-01.url
new file mode 100644
index 0000000..42d79b8
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-01.url
@@ -0,0 +1 @@
+ftp://ftp.debian.org/debian/pool/main/t/tcp-wrappers/tcp-wrappers_7.6.q-19.debian.tar.gz
diff --git a/tcp_wrappers.patches/tcp_wrappers-02.patch b/tcp_wrappers.patches/tcp_wrappers-02.patch
new file mode 100644
index 0000000..aeeb3b3
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-02.patch
@@ -0,0 +1,36 @@
+diff -ruNp tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5
+--- tcp_wrappers_7.6.orig/hosts_access.5	2007-07-29 19:46:22.000000000 +0200
++++ tcp_wrappers_7.6/hosts_access.5	2007-07-29 19:46:16.000000000 +0200
+@@ -12,7 +12,7 @@ An extended version of the access contro
+ \fIhosts_options\fR(5) document. The extensions are turned on at
+ program build time by building with -DPROCESS_OPTIONS.
+ .PP
+-In the following text, \fIdaemon\fR is the the process name of a
++In the following text, \fIdaemon\fR is the process name of a
+ network daemon process, and \fIclient\fR is the name and/or address of
+ a host requesting service. Network daemon process names are specified
+ in the inetd configuration file.
+diff -ruNp tcp_wrappers_7.6.orig/tcpdchk.8 tcp_wrappers_7.6/tcpdchk.8
+--- tcp_wrappers_7.6.orig/tcpdchk.8	1995-01-08 17:00:31.000000000 +0100
++++ tcp_wrappers_7.6/tcpdchk.8	2007-07-29 19:46:01.000000000 +0200
+@@ -1,7 +1,7 @@
+ .TH TCPDCHK 8
+ .SH NAME
+ tcpdchk \- tcp wrapper configuration checker
+-.SH SYNOPSYS
++.SH SYNOPSIS
+ tcpdchk [-a] [-d] [-i inet_conf] [-v]
+ .SH DESCRIPTION
+ .PP
+diff -ruNp tcp_wrappers_7.6.orig/tcpdmatch.8 tcp_wrappers_7.6/tcpdmatch.8
+--- tcp_wrappers_7.6.orig/tcpdmatch.8	2007-07-29 19:46:22.000000000 +0200
++++ tcp_wrappers_7.6/tcpdmatch.8	2007-07-29 19:46:01.000000000 +0200
+@@ -1,7 +1,7 @@
+ .TH TCPDMATCH 8
+ .SH NAME
+ tcpdmatch \- tcp wrapper oracle
+-.SH SYNOPSYS
++.SH SYNOPSIS
+ tcpdmatch [-d] [-i inet_conf] daemon client
+ .sp
+ tcpdmatch [-d] [-i inet_conf] daemon[@server] [user@]client
diff --git a/tcp_wrappers.patches/tcp_wrappers-02.url b/tcp_wrappers.patches/tcp_wrappers-02.url
new file mode 100644
index 0000000..42d79b8
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-02.url
@@ -0,0 +1 @@
+ftp://ftp.debian.org/debian/pool/main/t/tcp-wrappers/tcp-wrappers_7.6.q-19.debian.tar.gz
diff --git a/tcp_wrappers.patches/tcp_wrappers-03.patch b/tcp_wrappers.patches/tcp_wrappers-03.patch
new file mode 100644
index 0000000..7bf680c
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-03.patch
@@ -0,0 +1,248 @@
+diff -ruNp tcp_wrappers_7.6.orig/hosts_access.3 tcp_wrappers_7.6/hosts_access.3
+--- tcp_wrappers_7.6.orig/hosts_access.3	2005-03-09 18:30:25.000000000 +0100
++++ tcp_wrappers_7.6/hosts_access.3	2005-03-09 18:27:03.000000000 +0100
+@@ -3,7 +3,7 @@
+ hosts_access, hosts_ctl, request_init, request_set \- access control library
+ .SH SYNOPSIS
+ .nf
+-#include "tcpd.h"
++#include <tcpd.h>
+ 
+ extern int allow_severity;
+ extern int deny_severity;
+diff -ruNp tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5
+--- tcp_wrappers_7.6.orig/hosts_access.5	2005-03-09 18:30:25.000000000 +0100
++++ tcp_wrappers_7.6/hosts_access.5	2005-03-09 18:30:18.000000000 +0100
+@@ -8,9 +8,9 @@ name, host name/address) patterns.  Exam
+ impatient reader is encouraged to skip to the EXAMPLES section for a
+ quick introduction.
+ .PP
+-An extended version of the access control language is described in the
+-\fIhosts_options\fR(5) document. The extensions are turned on at
+-program build time by building with -DPROCESS_OPTIONS.
++The extended version of the access control language is described in the
++\fIhosts_options\fR(5) document. \fBNote that this language supersedes
++the meaning of \fIshell_command\fB as documented below.\fR
+ .PP
+ In the following text, \fIdaemon\fR is the process name of a
+ network daemon process, and \fIclient\fR is the name and/or address of
+@@ -346,8 +346,8 @@ in.tftpd: LOCAL, .my.domain
+ /etc/hosts.deny:
+ .in +3
+ .nf
+-in.tftpd: ALL: (/some/where/safe_finger -l @%h | \\
+-	/usr/ucb/mail -s %d-%h root) &
++in.tftpd: ALL: (/usr/sbin/safe_finger -l @%h | \\
++	/usr/bin/mail -s %d-%h root) &
+ .fi
+ .PP
+ The safe_finger command comes with the tcpd wrapper and should be
+@@ -383,6 +383,7 @@ that shouldn\'t.  All problems are repor
+ .fi
+ .SH SEE ALSO
+ .nf
++hosts_options(5) extended syntax.
+ tcpd(8) tcp/ip daemon wrapper program.
+ tcpdchk(8), tcpdmatch(8), test programs.
+ .SH BUGS
+diff -ruNp tcp_wrappers_7.6.orig/hosts_options.5 tcp_wrappers_7.6/hosts_options.5
+--- tcp_wrappers_7.6.orig/hosts_options.5	2005-03-09 18:30:24.000000000 +0100
++++ tcp_wrappers_7.6/hosts_options.5	2005-03-09 18:27:03.000000000 +0100
+@@ -2,10 +2,8 @@
+ .SH NAME
+ hosts_options \- host access control language extensions
+ .SH DESCRIPTION
+-This document describes optional extensions to the language described
+-in the hosts_access(5) document. The extensions are enabled at program
+-build time. For example, by editing the Makefile and turning on the 
+-PROCESS_OPTIONS compile-time option.
++This document describes extensions to the language described
++in the hosts_access(5) document.
+ .PP
+ The extensible language uses the following format:
+ .sp
+@@ -58,12 +56,12 @@ Notice the leading dot on the domain nam
+ Execute, in a child process, the specified shell command, after
+ performing the %<letter> expansions described in the hosts_access(5)
+ manual page.  The command is executed with stdin, stdout and stderr
+-connected to the null device, so that it won\'t mess up the
++connected to the null device, so that it won't mess up the
+ conversation with the client host. Example:
+ .sp
+ .nf
+ .ti +3
+-spawn (/some/where/safe_finger -l @%h | /usr/ucb/mail root) &
++spawn (/usr/sbin/safe_finger -l @%h | /usr/bin/mail root) &
+ .fi
+ .sp
+ executes, in a background child process, the shell command "safe_finger
+diff -ruNp tcp_wrappers_7.6.orig/inetcf.c tcp_wrappers_7.6/inetcf.c
+--- tcp_wrappers_7.6.orig/inetcf.c	1997-02-12 02:13:24.000000000 +0100
++++ tcp_wrappers_7.6/inetcf.c	2005-03-09 18:27:03.000000000 +0100
+@@ -26,13 +26,17 @@ extern void exit();
+   * guesses. Shorter names follow longer ones.
+   */
+ char   *inet_files[] = {
++#if 0
+     "/private/etc/inetd.conf",		/* NEXT */
+     "/etc/inet/inetd.conf",		/* SYSV4 */
+     "/usr/etc/inetd.conf",		/* IRIX?? */
++#endif
+     "/etc/inetd.conf",			/* BSD */
++#if 0
+     "/etc/net/tlid.conf",		/* SYSV4?? */
+     "/etc/saf/tlid.conf",		/* SYSV4?? */
+     "/etc/tlid.conf",			/* SYSV4?? */
++#endif
+     0,
+ };
+ 
+diff -ruNp tcp_wrappers_7.6.orig/tcpd.8 tcp_wrappers_7.6/tcpd.8
+--- tcp_wrappers_7.6.orig/tcpd.8	1996-02-21 16:39:16.000000000 +0100
++++ tcp_wrappers_7.6/tcpd.8	2005-03-09 18:27:03.000000000 +0100
+@@ -12,7 +12,11 @@ The program supports both 4.3BSD-style s
+ TLI.  Functionality may be limited when the protocol underneath TLI is
+ not an internet protocol.
+ .PP
+-Operation is as follows: whenever a request for service arrives, the
++There are two possible modes of operation: execution of \fItcpd\fP
++before a service started by \fIinetd\fP, or linking a daemon with
++the \fIlibwrap\fP shared library as documented in the \fIhosts_access\fR(3)
++manual page. Operation when started by \fIinetd\fP
++is as follows: whenever a request for service arrives, the
+ \fIinetd\fP daemon is tricked into running the \fItcpd\fP program
+ instead of the desired server. \fItcpd\fP logs the request and does
+ some additional checks. When all is well, \fItcpd\fP runs the
+@@ -88,11 +92,11 @@ configuration files.
+ .sp
+ .in +5
+ # mkdir /other/place
+-# mv /usr/etc/in.fingerd /other/place
+-# cp tcpd /usr/etc/in.fingerd
++# mv /usr/sbin/in.fingerd /other/place
++# cp tcpd /usr/sbin/in.fingerd
+ .fi
+ .PP
+-The example assumes that the network daemons live in /usr/etc. On some
++The example assumes that the network daemons live in /usr/sbin. On some
+ systems, network daemons live in /usr/sbin or in /usr/libexec, or have
+ no `in.\' prefix to their name.
+ .SH EXAMPLE 2
+@@ -101,35 +105,34 @@ are left in their original place.
+ .PP
+ In order to monitor access to the \fIfinger\fR service, perform the
+ following edits on the \fIinetd\fR configuration file (usually 
+-\fI/etc/inetd.conf\fR or \fI/etc/inet/inetd.conf\fR):
++\fI/etc/inetd.conf\fR):
+ .nf
+ .sp
+ .ti +5
+-finger  stream  tcp  nowait  nobody  /usr/etc/in.fingerd  in.fingerd
++finger  stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
+ .sp
+ becomes:
+ .sp
+ .ti +5
+-finger  stream  tcp  nowait  nobody  /some/where/tcpd     in.fingerd
++finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd     in.fingerd
+ .sp
+ .fi
+ .PP
+-The example assumes that the network daemons live in /usr/etc. On some
++The example assumes that the network daemons live in /usr/sbin. On some
+ systems, network daemons live in /usr/sbin or in /usr/libexec, the
+ daemons have no `in.\' prefix to their name, or there is no userid
+ field in the inetd configuration file.
+ .PP
+ Similar changes will be needed for the other services that are to be
+ covered by \fItcpd\fR.  Send a `kill -HUP\' to the \fIinetd\fR(8)
+-process to make the changes effective. AIX users may also have to
+-execute the `inetimp\' command.
++process to make the changes effective.
+ .SH EXAMPLE 3
+ In the case of daemons that do not live in a common directory ("secret"
+ or otherwise), edit the \fIinetd\fR configuration file so that it
+ specifies an absolute path name for the process name field. For example:
+ .nf
+ .sp
+-    ntalk  dgram  udp  wait  root  /some/where/tcpd  /usr/local/lib/ntalkd
++    ntalk  dgram  udp  wait  root  /usr/sbin/tcpd  /usr/local/lib/ntalkd
+ .sp
+ .fi
+ .PP
+@@ -164,6 +167,7 @@ The default locations of the host access
+ .SH SEE ALSO
+ .na
+ .nf
++hosts_access(3), functions provided by the libwrap library.
+ hosts_access(5), format of the tcpd access control tables.
+ syslog.conf(5), format of the syslogd control file.
+ inetd.conf(5), format of the inetd control file.
+diff -ruNp tcp_wrappers_7.6.orig/tcpdchk.8 tcp_wrappers_7.6/tcpdchk.8
+--- tcp_wrappers_7.6.orig/tcpdchk.8	1995-01-08 17:00:31.000000000 +0100
++++ tcp_wrappers_7.6/tcpdchk.8	2005-03-09 18:27:03.000000000 +0100
+@@ -9,8 +9,8 @@ tcpdchk [-a] [-d] [-i inet_conf] [-v]
+ potential and real problems it can find. The program examines the
+ \fItcpd\fR access control files (by default, these are
+ \fI/etc/hosts.allow\fR and \fI/etc/hosts.deny\fR), and compares the
+-entries in these files against entries in the \fIinetd\fR or \fItlid\fR
+-network configuration files.
++entries in these files against entries in the \fIinetd\fR
++network configuration file.
+ .PP
+ \fItcpdchk\fR reports problems such as non-existent pathnames; services
+ that appear in \fItcpd\fR access control rules, but are not controlled
+@@ -26,14 +26,13 @@ problem.
+ .SH OPTIONS
+ .IP -a
+ Report access control rules that permit access without an explicit
+-ALLOW keyword. This applies only when the extended access control
+-language is enabled (build with -DPROCESS_OPTIONS).
++ALLOW keyword.
+ .IP -d
+ Examine \fIhosts.allow\fR and \fIhosts.deny\fR files in the current
+ directory instead of the default ones.
+ .IP "-i inet_conf"
+ Specify this option when \fItcpdchk\fR is unable to find your
+-\fIinetd.conf\fR or \fItlid.conf\fR network configuration file, or when
++\fIinetd.conf\fR network configuration file, or when
+ you suspect that the program uses the wrong one.
+ .IP -v
+ Display the contents of each access control rule.  Daemon lists, client
+@@ -54,7 +53,6 @@ tcpdmatch(8), explain what tcpd would do
+ hosts_access(5), format of the tcpd access control tables.
+ hosts_options(5), format of the language extensions.
+ inetd.conf(5), format of the inetd control file.
+-tlid.conf(5), format of the tlid control file.
+ .SH AUTHORS
+ .na
+ .nf
+diff -ruNp tcp_wrappers_7.6.orig/tcpdmatch.8 tcp_wrappers_7.6/tcpdmatch.8
+--- tcp_wrappers_7.6.orig/tcpdmatch.8	2005-03-09 18:30:24.000000000 +0100
++++ tcp_wrappers_7.6/tcpdmatch.8	2005-03-09 18:27:03.000000000 +0100
+@@ -13,7 +13,7 @@ request for service.  Examples are given
+ The program examines the \fItcpd\fR access control tables (default
+ \fI/etc/hosts.allow\fR and \fI/etc/hosts.deny\fR) and prints its
+ conclusion.  For maximal accuracy, it extracts additional information
+-from your \fIinetd\fR or \fItlid\fR network configuration file.
++from your \fIinetd\fR network configuration file.
+ .PP
+ When \fItcpdmatch\fR finds a match in the access control tables, it
+ identifies the matched rule. In addition, it displays the optional
+@@ -50,7 +50,7 @@ Examine \fIhosts.allow\fR and \fIhosts.d
+ directory instead of the default ones.
+ .IP "-i inet_conf"
+ Specify this option when \fItcpdmatch\fR is unable to find your
+-\fIinetd.conf\fR or \fItlid.conf\fR network configuration file, or when
++\fIinetd.conf\fR network configuration file, or when
+ you suspect that the program uses the wrong one.
+ .SH EXAMPLES
+ To predict how \fItcpd\fR would handle a telnet request from the local
+@@ -86,7 +86,6 @@ tcpdchk(8), tcpd configuration checker
+ hosts_access(5), format of the tcpd access control tables.
+ hosts_options(5), format of the language extensions.
+ inetd.conf(5), format of the inetd control file.
+-tlid.conf(5), format of the tlid control file.
+ .SH AUTHORS
+ .na
+ .nf
diff --git a/tcp_wrappers.patches/tcp_wrappers-03.url b/tcp_wrappers.patches/tcp_wrappers-03.url
new file mode 100644
index 0000000..42d79b8
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-03.url
@@ -0,0 +1 @@
+ftp://ftp.debian.org/debian/pool/main/t/tcp-wrappers/tcp-wrappers_7.6.q-19.debian.tar.gz
diff --git a/tcp_wrappers.patches/tcp_wrappers-04.patch b/tcp_wrappers.patches/tcp_wrappers-04.patch
new file mode 100644
index 0000000..22e3791
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-04.patch
@@ -0,0 +1,117 @@
+See https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=17847
+(Though the original code needs to be patched to be case-insensitive.)
+
+--- a/hosts_access.5
++++ b/hosts_access.5
+@@ -89,6 +89,10 @@ An expression of the form `n.n.n.n/m.m.m
+ bitwise AND of the address and the `mask\'. For example, the net/mask
+ pattern `131.155.72.0/255.255.254.0\' matches every address in the
+ range `131.155.72.0\' through `131.155.73.255\'.
++.IP \(bu
++Wildcards `*\' and `?\' can be used to match hostnames or IP addresses.  This
++method of matching cannot be used in conjunction with `net/mask\' matching,
++hostname matching beginning with `.\' or IP address matching ending with `.\'.
+ .SH WILDCARDS
+ The access control language supports explicit wildcards:
+ .IP ALL
+--- a/hosts_access.c
++++ b/hosts_access.c
+@@ -82,6 +82,7 @@ static int client_match();
+ static int host_match();
+ static int string_match();
+ static int masked_match();
++static int match_pattern_ylo();
+ 
+ /* Size of logical line buffer. */
+ 
+@@ -289,6 +290,11 @@ char   *string;
+ {
+     int     n;
+ 
++#ifndef DISABLE_WILDCARD_MATCHING
++    if (strchr(tok, '*') || strchr(tok,'?')) {  /* contains '*' or '?' */
++        return (match_pattern_ylo(string,tok)); 	       
++    } else 
++#endif    
+     if (tok[0] == '.') {			/* suffix */
+ 	n = strlen(string) - strlen(tok);
+ 	return (n > 0 && STR_EQ(tok, string + n));
+@@ -329,3 +335,78 @@ char   *string;
+     }
+     return ((addr & mask) == net);
+ }
++
++#ifndef DISABLE_WILDCARD_MATCHING
++/* Note: this feature has been adapted in a pretty straightforward way
++   from Tatu Ylonen's last SSH version under free license by 
++   Pekka Savola <pekkas@netcore.fi>.
++
++   Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
++*/
++
++/* Returns true if the given string matches the pattern (which may contain
++   ? and * as wildcards), and zero if it does not match. */
++	  
++static int match_pattern_ylo(const char *s, const char *pattern)
++{
++  char src;
++  char pat;
++  while (1)
++    {
++      /* If at end of pattern, accept if also at end of string. */
++      if (!*pattern)
++        return !*s;
++
++      /* Process '*'. */
++      if (*pattern == '*')
++        {
++	  /* Skip the asterisk. */
++	  pattern++;
++
++	  /* If at end of pattern, accept immediately. */
++          if (!*pattern)
++            return 1;
++
++	  /* If next character in pattern is known, optimize. */
++          if (*pattern != '?' && *pattern != '*')
++            {
++	      /* Look instances of the next character in pattern, and try
++		 to match starting from those. */
++              pat = *pattern;
++              for (; *s; s++) {
++                src = *s;
++                if (toupper(src) == toupper(pat) &&
++                    match_pattern_ylo(s + 1, pattern + 1))
++                  return 1;
++              }
++	      /* Failed. */
++              return 0;
++            }
++
++	  /* Move ahead one character at a time and try to match at each
++	     position. */
++          for (; *s; s++)
++            if (match_pattern_ylo(s, pattern))
++              return 1;
++	  /* Failed. */
++          return 0;
++        }
++
++      /* There must be at least one more character in the string.  If we are
++	 at the end, fail. */
++      if (!*s)
++        return 0;
++
++      /* Check if the next character of the string is acceptable. */
++      pat = *pattern;
++      src = *s;
++      if (*pattern != '?' && toupper(pat) != toupper(src))
++	return 0;
++      
++      /* Move to the next character, both in string and in pattern. */
++      s++;
++      pattern++;
++    }
++  /*NOTREACHED*/
++}
++#endif /* DISABLE_WILDCARD_MATCHING */
diff --git a/tcp_wrappers.patches/tcp_wrappers-04.url b/tcp_wrappers.patches/tcp_wrappers-04.url
new file mode 100644
index 0000000..42d79b8
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-04.url
@@ -0,0 +1 @@
+ftp://ftp.debian.org/debian/pool/main/t/tcp-wrappers/tcp-wrappers_7.6.q-19.debian.tar.gz
diff --git a/tcp_wrappers.patches/tcp_wrappers-05.patch b/tcp_wrappers.patches/tcp_wrappers-05.patch
new file mode 100644
index 0000000..d06aaef
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-05.patch
@@ -0,0 +1,30 @@
+* Mon Feb  5 2001 Preston Brown <pbrown@redhat.com>
+- fix gethostbyname to work better with dot "." notation (#16949)
+
+--- tcp_wrappers_7.6/socket.c.fixgethostbyname	Fri Mar 21 13:27:25 1997
++++ tcp_wrappers_7.6/socket.c	Mon Feb  5 14:09:40 2001
+@@ -52,7 +52,8 @@
+ char   *name;
+ {
+     char    dot_name[MAXHOSTNAMELEN + 1];
+-
++    struct hostent *hp;
++    
+     /*
+      * Don't append dots to unqualified names. Such names are likely to come
+      * from local hosts files or from NIS.
+@@ -61,8 +62,12 @@
+     if (strchr(name, '.') == 0 || strlen(name) >= MAXHOSTNAMELEN - 1) {
+ 	return (gethostbyname(name));
+     } else {
+-	sprintf(dot_name, "%s.", name);
+-	return (gethostbyname(dot_name));
++        sprintf(dot_name, "%s.", name);
++        hp = gethostbyname(dot_name);
++	if (hp)
++	    return hp;
++	else
++	    return (gethostbyname(name));
+     }
+ }
+ 
diff --git a/tcp_wrappers.patches/tcp_wrappers-05.url b/tcp_wrappers.patches/tcp_wrappers-05.url
new file mode 100644
index 0000000..42d79b8
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-05.url
@@ -0,0 +1 @@
+ftp://ftp.debian.org/debian/pool/main/t/tcp-wrappers/tcp-wrappers_7.6.q-19.debian.tar.gz
diff --git a/tcp_wrappers.patches/tcp_wrappers-06.patch b/tcp_wrappers.patches/tcp_wrappers-06.patch
new file mode 100644
index 0000000..fc2cbbc
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-06.patch
@@ -0,0 +1,1236 @@
+--- a/fix_options.c
++++ b/fix_options.c
+@@ -11,6 +11,9 @@ static char sccsid[] = "@(#) fix_options
+ 
+ #include <sys/types.h>
+ #include <sys/param.h>
++#ifdef INET6
++#include <sys/socket.h>
++#endif
+ #include <netinet/in.h>
+ #include <netinet/in_systm.h>
+ #include <netinet/ip.h>
+@@ -41,6 +44,22 @@ struct request_info *request;
+     unsigned int opt;
+     int     optlen;
+     struct in_addr dummy;
++#ifdef INET6
++    struct sockaddr_storage ss;
++    int sslen;
++
++    /*
++     * check if this is AF_INET socket
++     * XXX IPv6 support?
++     */
++    sslen = sizeof(ss);
++    if (getsockname(fd, (struct sockaddr *)&ss, &sslen) < 0) {
++	syslog(LOG_ERR, "getpeername: %m");
++	clean_exit(request);
++    }
++    if (ss.ss_family != AF_INET)
++	return;
++#endif
+ 
+     if ((ip = getprotobyname("ip")) != 0)
+ 	ipproto = ip->p_proto;
+--- a/hosts_access.5
++++ b/hosts_access.5
+@@ -85,11 +85,18 @@ member of the specified netgroup. Netgro
+ for daemon process names or for client user names.
+ .IP \(bu
+ An expression of the form `n.n.n.n/m.m.m.m\' is interpreted as a
+-`net/mask\' pair. A host address is matched if `net\' is equal to the
++`net/mask\' pair. An IPv4 host address is matched if `net\' is equal to the
+ bitwise AND of the address and the `mask\'. For example, the net/mask
+ pattern `131.155.72.0/255.255.254.0\' matches every address in the
+ range `131.155.72.0\' through `131.155.73.255\'.
+ .IP \(bu
++An expression of the form `[n:n:n:n:n:n:n:n]/m\' is interpreted as a
++`[net]/prefixlen\' pair. An IPv6 host address is matched if
++`prefixlen\' bits of `net\' is equal to the `prefixlen\' bits of the
++address. For example, the [net]/prefixlen pattern
++`[3ffe:505:2:1::]/64\' matches every address in the range
++`3ffe:505:2:1::\' through `3ffe:505:2:1:ffff:ffff:ffff:ffff\'.
++.IP \(bu
+ Wildcards `*\' and `?\' can be used to match hostnames or IP addresses.  This
+ method of matching cannot be used in conjunction with `net/mask\' matching,
+ hostname matching beginning with `.\' or IP address matching ending with `.\'.
+--- a/hosts_access.c
++++ b/hosts_access.c
+@@ -24,7 +24,13 @@ static char sccsid[] = "@(#) hosts_acces
+ /* System libraries. */
+ 
+ #include <sys/types.h>
++#ifdef INT32_T
++    typedef uint32_t u_int32_t;
++#endif
+ #include <sys/param.h>
++#ifdef INET6
++#include <sys/socket.h>
++#endif
+ #include <netinet/in.h>
+ #include <arpa/inet.h>
+ #include <stdio.h>
+@@ -33,6 +39,9 @@ static char sccsid[] = "@(#) hosts_acces
+ #include <errno.h>
+ #include <setjmp.h>
+ #include <string.h>
++#ifdef INET6
++#include <netdb.h>
++#endif
+ 
+ extern char *fgets();
+ extern int errno;
+@@ -83,6 +92,10 @@ static int host_match();
+ static int string_match();
+ static int masked_match();
+ static int match_pattern_ylo();
++#ifdef INET6
++static int masked_match4();
++static int masked_match6();
++#endif
+ 
+ /* Size of logical line buffer. */
+ 
+@@ -290,6 +303,13 @@ char   *string;
+ {
+     int     n;
+ 
++#ifdef INET6
++    /* convert IPv4 mapped IPv6 address to IPv4 address */
++    if (STRN_EQ(string, "::ffff:", 7)
++      && dot_quad_addr(string + 7) != INADDR_NONE) {
++      string += 7;
++    }
++#endif    
+ #ifndef DISABLE_WILDCARD_MATCHING
+     if (strchr(tok, '*') || strchr(tok,'?')) {  /* contains '*' or '?' */
+         return (match_pattern_ylo(string,tok)); 	       
+@@ -305,20 +325,72 @@ char   *string;
+     } else if (tok[(n = strlen(tok)) - 1] == '.') {	/* prefix */
+ 	return (STRN_EQ(tok, string, n));
+     } else {					/* exact match */
++#ifdef INET6
++	struct addrinfo hints, *res;
++	struct sockaddr_in6 pat, addr;
++	int len, ret;
++	char ch;
++
++	len = strlen(tok);
++	if (*tok == '[' && tok[len - 1] == ']') {
++	    ch = tok[len - 1];
++	    tok[len - 1] = '\0';
++	    memset(&hints, 0, sizeof(hints));
++	    hints.ai_family = AF_INET6;
++	    hints.ai_socktype = SOCK_STREAM;
++	    hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
++	    if ((ret = getaddrinfo(tok + 1, NULL, &hints, &res)) == 0) {
++		memcpy(&pat, res->ai_addr, sizeof(pat));
++		freeaddrinfo(res);
++	    }
++	    tok[len - 1] = ch;
++	    if (ret != 0 || getaddrinfo(string, NULL, &hints, &res) != 0)
++		return NO;
++	    memcpy(&addr, res->ai_addr, sizeof(addr));
++	    freeaddrinfo(res);
++#ifdef NI_WITHSCOPEID
++	    if (pat.sin6_scope_id != 0 &&
++		addr.sin6_scope_id != pat.sin6_scope_id)
++		return NO;
++#endif
++	    return (!memcmp(&pat.sin6_addr, &addr.sin6_addr,
++			    sizeof(struct in6_addr)));
++	    return (ret);
++	}
++#endif
+ 	return (STR_EQ(tok, string));
+     }
+ }
+ 
+ /* masked_match - match address against netnumber/netmask */
+ 
++#ifdef INET6
+ static int masked_match(net_tok, mask_tok, string)
+ char   *net_tok;
+ char   *mask_tok;
+ char   *string;
+ {
++    return (masked_match4(net_tok, mask_tok, string) ||
++	    masked_match6(net_tok, mask_tok, string));
++}
++
++static int masked_match4(net_tok, mask_tok, string)
++#else
++static int masked_match(net_tok, mask_tok, string)
++#endif
++char   *net_tok;
++char   *mask_tok;
++char   *string;
++{
++#ifdef INET6
++    u_int32_t net;
++    u_int32_t mask;
++    u_int32_t addr;
++#else
+     unsigned long net;
+     unsigned long mask;
+     unsigned long addr;
++#endif
+ 
+     /*
+      * Disallow forms other than dotted quad: the treatment that inet_addr()
+@@ -330,12 +402,78 @@ char   *string;
+ 	return (NO);
+     if ((net = dot_quad_addr(net_tok)) == INADDR_NONE
+ 	|| (mask = dot_quad_addr(mask_tok)) == INADDR_NONE) {
++#ifndef INET6
+ 	tcpd_warn("bad net/mask expression: %s/%s", net_tok, mask_tok);
++#endif
+ 	return (NO);				/* not tcpd_jump() */
+     }
+     return ((addr & mask) == net);
+ }
+ 
++#ifdef INET6
++static int masked_match6(net_tok, mask_tok, string)
++char   *net_tok;
++char   *mask_tok;
++char   *string;
++{
++    struct addrinfo hints, *res;
++    struct sockaddr_in6 net, addr;
++    u_int32_t mask;
++    int len, mask_len, i = 0;
++    char ch;
++
++    memset(&hints, 0, sizeof(hints));
++    hints.ai_family = AF_INET6;
++    hints.ai_socktype = SOCK_STREAM;
++    hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
++    if (getaddrinfo(string, NULL, &hints, &res) != 0)
++	return NO;
++    memcpy(&addr, res->ai_addr, sizeof(addr));
++    freeaddrinfo(res);
++
++    if (IN6_IS_ADDR_V4MAPPED(&addr.sin6_addr)) {
++	if ((*(u_int32_t *)&net.sin6_addr.s6_addr[12] = dot_quad_addr(net_tok)) == INADDR_NONE
++	 || (mask = dot_quad_addr(mask_tok)) == INADDR_NONE)
++	    return (NO);
++	return ((*(u_int32_t *)&addr.sin6_addr.s6_addr[12] & mask) == *(u_int32_t *)&net.sin6_addr.s6_addr[12]);
++    }
++
++    /* match IPv6 address against netnumber/prefixlen */
++    len = strlen(net_tok);
++    if (*net_tok != '[' || net_tok[len - 1] != ']')
++	return NO;
++    ch = net_tok[len - 1];
++    net_tok[len - 1] = '\0';
++    if (getaddrinfo(net_tok + 1, NULL, &hints, &res) != 0) {
++	net_tok[len - 1] = ch;
++	return NO;
++    }
++    memcpy(&net, res->ai_addr, sizeof(net));
++    freeaddrinfo(res);
++    net_tok[len - 1] = ch;
++    if ((mask_len = atoi(mask_tok)) < 0 || mask_len > 128)
++	return NO;
++
++#ifdef NI_WITHSCOPEID
++    if (net.sin6_scope_id != 0 && addr.sin6_scope_id != net.sin6_scope_id)
++	return NO;
++#endif
++    while (mask_len > 0) {
++	if (mask_len < 32) {
++	    mask = htonl(~(0xffffffff >> mask_len));
++	    if ((*(u_int32_t *)&addr.sin6_addr.s6_addr[i] & mask) != (*(u_int32_t *)&net.sin6_addr.s6_addr[i] & mask))
++		return NO;
++	    break;
++	}
++	if (*(u_int32_t *)&addr.sin6_addr.s6_addr[i] != *(u_int32_t *)&net.sin6_addr.s6_addr[i])
++	    return NO;
++	i += 4;
++	mask_len -= 32;
++    }
++    return YES;
++}
++#endif /* INET6 */
++
+ #ifndef DISABLE_WILDCARD_MATCHING
+ /* Note: this feature has been adapted in a pretty straightforward way
+    from Tatu Ylonen's last SSH version under free license by 
+--- a/Makefile
++++ b/Makefile
+@@ -21,7 +21,7 @@ what:
+ 	@echo "	dynix epix esix freebsd hpux irix4 irix5 irix6 isc iunix"
+ 	@echo "	linux machten mips(untested) ncrsvr4 netbsd next osf power_unix_211"
+ 	@echo "	ptx-2.x ptx-generic pyramid sco sco-nis sco-od2 sco-os5 sinix sunos4"
+-	@echo "	sunos40 sunos5 sysv4 tandem ultrix unicos7 unicos8 unixware1 unixware2"
++	@echo "	sunos40 sunos5 solaris8 sysv4 tandem ultrix unicos7 unicos8 unixware1 unixware2"
+ 	@echo "	uts215 uxp"
+ 	@echo
+ 	@echo "If none of these match your environment, edit the system"
+@@ -131,20 +131,34 @@ epix:
+ 	NETGROUP=-DNETGROUP TLI= SYSTYPE="-systype bsd43" all
+ 
+ # Freebsd and linux by default have no NIS.
+-386bsd netbsd bsdos:
++386bsd bsdos:
+ 	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ 	LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ= NETGROUP= TLI= \
+ 	EXTRA_CFLAGS=-DSYS_ERRLIST_DEFINED VSYSLOG= all
+ 
+ freebsd:
+ 	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
++	LIBS="-L/usr/local/v6/lib -linet6" \
+ 	LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ= NETGROUP= TLI= \
+-	EXTRA_CFLAGS=-DSYS_ERRLIST_DEFINED VSYSLOG= all
++	EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DINET6 -Dss_family=__ss_family -Dss_len=__ss_len" \
++	VSYSLOG= all
++
++netbsd:
++	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
++	LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ= NETGROUP= TLI= \
++	EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DINET6 -Dss_family=__ss_family -Dss_len=__ss_len" VSYSLOG= all
+ 
+ linux:
+ 	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+-	LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ=setenv.o \
+-	NETGROUP= TLI= EXTRA_CFLAGS="-DBROKEN_SO_LINGER" all
++	LIBS=-lnsl RANLIB=ranlib ARFLAGS=rv AUX_OBJ= \
++	NETGROUP="-DNETGROUP" TLI= VSYSLOG= BUGS= \
++	EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_STRERROR -DINET6=1 -Dss_family=__ss_family -Dss_len=__ss_len" all
++
++gnu:
++	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
++	LIBS=-lnsl RANLIB=ranlib ARFLAGS=rv AUX_OBJ= \
++	NETGROUP=-DNETGROUP TLI= VSYSLOG= BUGS= \
++	EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_STRERROR" all
+ 
+ # This is good for many SYSV+BSD hybrids with NIS, probably also for HP-UX 7.x.
+ hpux hpux8 hpux9 hpux10:
+@@ -196,6 +210,13 @@ sunos5:
+ 	NETGROUP=-DNETGROUP AUX_OBJ=setenv.o TLI=-DTLI \
+ 	BUGS="$(BUGS) -DSOLARIS_24_GETHOSTBYNAME_BUG" all
+ 
++# SunOS 5.8 is another SYSV4 variant, but has IPv6 support
++solaris8:
++	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
++	LIBS="-lsocket -lnsl" RANLIB=echo ARFLAGS=rv VSYSLOG= \
++	NETGROUP=-DNETGROUP AUX_OBJ=setenv.o TLI=-DTLI \
++	EXTRA_CFLAGS="-DINET6 -DNO_CLONE_DEVICE -DINT32_T" all
++
+ # Generic SYSV40
+ esix sysv4:
+ 	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+--- a/misc.c
++++ b/misc.c
+@@ -58,9 +58,31 @@ int     delimiter;
+ {
+     char   *cp;
+ 
++#ifdef INET6
++    int bracket = 0;
++
++    for (cp = string; cp && *cp; cp++) {
++	switch (*cp) {
++	case '[':
++	    bracket++;
++	    break;
++	case ']':
++	    bracket--;
++	    break;
++	default:
++	    if (bracket == 0 && *cp == delimiter) {
++		*cp++ = 0;
++		return cp;
++	    }
++	    break;
++	}
++    }
++    return (NULL);
++#else
+     if ((cp = strchr(string, delimiter)) != 0)
+ 	*cp++ = 0;
+     return (cp);
++#endif
+ }
+ 
+ /* dot_quad_addr - convert dotted quad to internal form */
+--- a/refuse.c
++++ b/refuse.c
+@@ -25,7 +25,12 @@ static char sccsid[] = "@(#) refuse.c 1.
+ void    refuse(request)
+ struct request_info *request;
+ {
++#ifdef INET6
++    syslog(deny_severity, "refused connect from %s (%s)",
++	   eval_client(request), eval_hostaddr(request->client));
++#else
+     syslog(deny_severity, "refused connect from %s", eval_client(request));
++#endif
+     clean_exit(request);
+     /* NOTREACHED */
+ }
+--- a/rfc931.c
++++ b/rfc931.c
+@@ -68,20 +68,50 @@ int     sig;
+ /* rfc931 - return remote user name, given socket structures */
+ 
+ void    rfc931(rmt_sin, our_sin, dest)
++#ifdef INET6
++struct sockaddr *rmt_sin;
++struct sockaddr *our_sin;
++#else
+ struct sockaddr_in *rmt_sin;
+ struct sockaddr_in *our_sin;
++#endif
+ char   *dest;
+ {
+     unsigned rmt_port;
+     unsigned our_port;
++#ifdef INET6
++    struct sockaddr_storage rmt_query_sin;
++    struct sockaddr_storage our_query_sin;
++    int alen;
++#else
+     struct sockaddr_in rmt_query_sin;
+     struct sockaddr_in our_query_sin;
++#endif
+     char    user[256];			/* XXX */
+     char    buffer[512];		/* XXX */
+     char   *cp;
+     char   *result = unknown;
+     FILE   *fp;
+ 
++#ifdef INET6
++    /* address family must be the same */
++    if (rmt_sin->sa_family != our_sin->sa_family) {
++	STRN_CPY(dest, result, STRING_LENGTH);
++	return;
++    }
++    switch (our_sin->sa_family) {
++    case AF_INET:
++	alen = sizeof(struct sockaddr_in);
++	break;
++    case AF_INET6:
++	alen = sizeof(struct sockaddr_in6);
++	break;
++    default:
++	STRN_CPY(dest, result, STRING_LENGTH);
++	return;
++    }
++#endif
++
+     /*
+      * Use one unbuffered stdio stream for writing to and for reading from
+      * the RFC931 etc. server. This is done because of a bug in the SunOS
+@@ -92,7 +122,11 @@ char   *dest;
+      * sockets.
+      */
+ 
++#ifdef INET6
++    if ((fp = fsocket(our_sin->sa_family, SOCK_STREAM, 0)) != 0) {
++#else
+     if ((fp = fsocket(AF_INET, SOCK_STREAM, 0)) != 0) {
++#endif
+ 	setbuf(fp, (char *) 0);
+ 
+ 	/*
+@@ -112,6 +146,25 @@ char   *dest;
+ 	     * addresses from the query socket.
+ 	     */
+ 
++#ifdef INET6
++	    memcpy(&our_query_sin, our_sin, alen);
++	    memcpy(&rmt_query_sin, rmt_sin, alen);
++	    switch (our_sin->sa_family) {
++	    case AF_INET:
++		((struct sockaddr_in *)&our_query_sin)->sin_port = htons(ANY_PORT);
++		((struct sockaddr_in *)&rmt_query_sin)->sin_port = htons(RFC931_PORT);
++		break;
++	    case AF_INET6:
++		((struct sockaddr_in6 *)&our_query_sin)->sin6_port = htons(ANY_PORT);
++		((struct sockaddr_in6 *)&rmt_query_sin)->sin6_port = htons(RFC931_PORT);
++		break;
++	    }
++
++	    if (bind(fileno(fp), (struct sockaddr *) & our_query_sin,
++		     alen) >= 0 &&
++		connect(fileno(fp), (struct sockaddr *) & rmt_query_sin,
++			alen) >= 0) {
++#else
+ 	    our_query_sin = *our_sin;
+ 	    our_query_sin.sin_port = htons(ANY_PORT);
+ 	    rmt_query_sin = *rmt_sin;
+@@ -121,6 +174,7 @@ char   *dest;
+ 		     sizeof(our_query_sin)) >= 0 &&
+ 		connect(fileno(fp), (struct sockaddr *) & rmt_query_sin,
+ 			sizeof(rmt_query_sin)) >= 0) {
++#endif
+ 
+ 		/*
+ 		 * Send query to server. Neglect the risk that a 13-byte
+@@ -129,8 +183,13 @@ char   *dest;
+ 		 */
+ 
+ 		fprintf(fp, "%u,%u\r\n",
++#ifdef INET6
++			ntohs(((struct sockaddr_in *)rmt_sin)->sin_port),
++			ntohs(((struct sockaddr_in *)our_sin)->sin_port));
++#else
+ 			ntohs(rmt_sin->sin_port),
+ 			ntohs(our_sin->sin_port));
++#endif
+ 		fflush(fp);
+ 
+ 		/*
+@@ -144,8 +203,13 @@ char   *dest;
+ 		    && ferror(fp) == 0 && feof(fp) == 0
+ 		    && sscanf(buffer, "%u , %u : USERID :%*[^:]:%255s",
+ 			      &rmt_port, &our_port, user) == 3
++#ifdef INET6
++		    && ntohs(((struct sockaddr_in *)rmt_sin)->sin_port) == rmt_port
++		    && ntohs(((struct sockaddr_in *)our_sin)->sin_port) == our_port) {
++#else
+ 		    && ntohs(rmt_sin->sin_port) == rmt_port
+ 		    && ntohs(our_sin->sin_port) == our_port) {
++#endif
+ 
+ 		    /*
+ 		     * Strip trailing carriage return. It is part of the
+--- a/scaffold.c
++++ b/scaffold.c
+@@ -25,7 +25,9 @@ static char sccs_id[] = "@(#) scaffold.c
+ #define	INADDR_NONE	(-1)		/* XXX should be 0xffffffff */
+ #endif
+ 
++#ifndef INET6
+ extern char *malloc();
++#endif
+ 
+ /* Application-specific. */
+ 
+@@ -39,6 +41,7 @@ int     allow_severity = SEVERITY;
+ int     deny_severity = LOG_WARNING;
+ int     rfc931_timeout = RFC931_TIMEOUT;
+ 
++#ifndef INET6
+ /* dup_hostent - create hostent in one memory block */
+ 
+ static struct hostent *dup_hostent(hp)
+@@ -73,9 +76,46 @@ struct hostent *hp;
+     }
+     return (&hb->host);
+ }
++#endif
+ 
+ /* find_inet_addr - find all addresses for this host, result to free() */
+ 
++#ifdef INET6
++struct addrinfo *find_inet_addr(host)
++char   *host;
++{
++    struct addrinfo hints, *res;
++
++    memset(&hints, 0, sizeof(hints));
++    hints.ai_family = PF_UNSPEC;
++    hints.ai_socktype = SOCK_STREAM;
++    hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
++    if (getaddrinfo(host, NULL, &hints, &res) == 0)
++	return (res);
++
++    memset(&hints, 0, sizeof(hints));
++    hints.ai_family = PF_UNSPEC;
++    hints.ai_socktype = SOCK_STREAM;
++    hints.ai_flags = AI_PASSIVE | AI_CANONNAME;
++    if (getaddrinfo(host, NULL, &hints, &res) != 0) {
++	tcpd_warn("%s: host not found", host);
++	return (0);
++    }
++    if (res->ai_family != AF_INET6 && res->ai_family != AF_INET) {
++	tcpd_warn("%d: not an internet host", res->ai_family);
++	freeaddrinfo(res);
++	return (0);
++    }
++    if (!res->ai_canonname) {
++	tcpd_warn("%s: hostname alias", host);
++	tcpd_warn("(cannot obtain official name)", res->ai_canonname);
++    } else if (STR_NE(host, res->ai_canonname)) {
++	tcpd_warn("%s: hostname alias", host);
++	tcpd_warn("(official name: %.*s)", STRING_LENGTH, res->ai_canonname);
++    }
++    return (res);
++}
++#else
+ struct hostent *find_inet_addr(host)
+ char   *host;
+ {
+@@ -118,6 +158,7 @@ char   *host;
+     }
+     return (dup_hostent(hp));
+ }
++#endif
+ 
+ /* check_dns - give each address thorough workout, return address count */
+ 
+@@ -125,8 +166,13 @@ int     check_dns(host)
+ char   *host;
+ {
+     struct request_info request;
++#ifdef INET6
++    struct sockaddr_storage sin;
++    struct addrinfo *hp, *res;
++#else
+     struct sockaddr_in sin;
+     struct hostent *hp;
++#endif
+     int     count;
+     char   *addr;
+ 
+@@ -134,11 +180,18 @@ char   *host;
+ 	return (0);
+     request_init(&request, RQ_CLIENT_SIN, &sin, 0);
+     sock_methods(&request);
++#ifndef INET6
+     memset((char *) &sin, 0, sizeof(sin));
+     sin.sin_family = AF_INET;
++#endif
+ 
++#ifdef INET6
++    for (res = hp, count = 0; res; res = res->ai_next, count++) {
++	memcpy(&sin, res->ai_addr, res->ai_addrlen);
++#else
+     for (count = 0; (addr = hp->h_addr_list[count]) != 0; count++) {
+ 	memcpy((char *) &sin.sin_addr, addr, sizeof(sin.sin_addr));
++#endif
+ 
+ 	/*
+ 	 * Force host name and address conversions. Use the request structure
+@@ -151,7 +204,11 @@ char   *host;
+ 	    tcpd_warn("host address %s->name lookup failed",
+ 		      eval_hostaddr(request.client));
+     }
++#ifdef INET6
++    freeaddrinfo(hp);
++#else
+     free((char *) hp);
++#endif
+     return (count);
+ }
+ 
+--- a/scaffold.h
++++ b/scaffold.h
+@@ -4,6 +4,10 @@
+   * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+   */
+ 
++#ifdef INET6
++extern struct addrinfo *find_inet_addr();
++#else
+ extern struct hostent *find_inet_addr();
++#endif
+ extern int check_dns();
+ extern int check_path();
+--- a/socket.c
++++ b/socket.c
+@@ -24,13 +24,22 @@ static char sccsid[] = "@(#) socket.c 1.
+ #include <sys/types.h>
+ #include <sys/param.h>
+ #include <sys/socket.h>
++#ifdef INT32_T
++typedef uint32_t u_int32_t;
++#endif
+ #include <netinet/in.h>
+ #include <netdb.h>
+ #include <stdio.h>
+ #include <syslog.h>
+ #include <string.h>
+ 
++#ifdef INET6
++#ifndef NI_WITHSCOPEID
++#define NI_WITHSCOPEID	0
++#endif
++#else
+ extern char *inet_ntoa();
++#endif
+ 
+ /* Local stuff. */
+ 
+@@ -79,8 +88,13 @@ char   *name;
+ void    sock_host(request)
+ struct request_info *request;
+ {
++#ifdef INET6
++    static struct sockaddr_storage client;
++    static struct sockaddr_storage server;
++#else
+     static struct sockaddr_in client;
+     static struct sockaddr_in server;
++#endif
+     int     len;
+     char    buf[BUFSIZ];
+     int     fd = request->fd;
+@@ -109,7 +123,11 @@ struct request_info *request;
+ 	memset(buf, 0 sizeof(buf));
+ #endif
+     }
++#ifdef INET6
++    request->client->sin = (struct sockaddr *)&client;
++#else
+     request->client->sin = &client;
++#endif
+ 
+     /*
+      * Determine the server binding. This is used for client username
+@@ -122,7 +140,11 @@ struct request_info *request;
+ 	tcpd_warn("getsockname: %m");
+ 	return;
+     }
++#ifdef INET6
++    request->server->sin = (struct sockaddr *)&server;
++#else
+     request->server->sin = &server;
++#endif
+ }
+ 
+ /* sock_hostaddr - map endpoint address to printable form */
+@@ -130,10 +152,26 @@ struct request_info *request;
+ void    sock_hostaddr(host)
+ struct host_info *host;
+ {
++#ifdef INET6
++    struct sockaddr *sin = host->sin;
++    int salen;
++
++    if (!sin)
++	return;
++#ifdef SIN6_LEN
++    salen = sin->sa_len;
++#else
++    salen = (sin->sa_family == AF_INET) ? sizeof(struct sockaddr_in)
++					: sizeof(struct sockaddr_in6);
++#endif
++    getnameinfo(sin, salen, host->addr, sizeof(host->addr),
++		NULL, 0, NI_NUMERICHOST | NI_WITHSCOPEID);
++#else
+     struct sockaddr_in *sin = host->sin;
+ 
+     if (sin != 0)
+ 	STRN_CPY(host->addr, inet_ntoa(sin->sin_addr), sizeof(host->addr));
++#endif
+ }
+ 
+ /* sock_hostname - map endpoint address to host name */
+@@ -141,6 +179,160 @@ struct host_info *host;
+ void    sock_hostname(host)
+ struct host_info *host;
+ {
++#ifdef INET6
++    struct sockaddr *sin = host->sin;
++    struct sockaddr_in sin4;
++    struct addrinfo hints, *res, *res0 = NULL;
++    int salen, alen, err = 1;
++    char *ap = NULL, *rap, hname[NI_MAXHOST];
++
++    if (sin != NULL) {
++	if (sin->sa_family == AF_INET6) {
++	    struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)sin;
++
++	    if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
++		memset(&sin4, 0, sizeof(sin4));
++#ifdef SIN6_LEN
++		sin4.sin_len = sizeof(sin4);
++#endif
++		sin4.sin_family = AF_INET;
++		sin4.sin_port = sin6->sin6_port;
++		sin4.sin_addr.s_addr = *(u_int32_t *)&sin6->sin6_addr.s6_addr[12];
++		sin = (struct sockaddr *)&sin4;
++	    }
++	}
++	switch (sin->sa_family) {
++	case AF_INET:
++	    ap = (char *)&((struct sockaddr_in *)sin)->sin_addr;
++	    alen = sizeof(struct in_addr);
++	    salen = sizeof(struct sockaddr_in);
++	    break;
++	case AF_INET6:
++	    ap = (char *)&((struct sockaddr_in6 *)sin)->sin6_addr;
++	    alen = sizeof(struct in6_addr);
++	    salen = sizeof(struct sockaddr_in6);
++	    break;
++	default:
++	    break;
++	}
++	if (ap)
++	    err = getnameinfo(sin, salen, hname, sizeof(hname),
++			      NULL, 0, NI_WITHSCOPEID | NI_NAMEREQD);
++    }
++    if (!err) {
++
++	STRN_CPY(host->name, hname, sizeof(host->name));
++
++	/* reject numeric addresses */
++	memset(&hints, 0, sizeof(hints));
++	hints.ai_family = sin->sa_family;
++	hints.ai_socktype = SOCK_STREAM;
++	hints.ai_flags = AI_PASSIVE | AI_CANONNAME | AI_NUMERICHOST;
++	if ((err = getaddrinfo(host->name, NULL, &hints, &res0) == 0)) {
++	    freeaddrinfo(res0);
++	    res0 = NULL;
++	    tcpd_warn("host name/name mismatch: "
++		      "reverse lookup results in non-FQDN %s",
++		      host->name);
++	    strcpy(host->name, paranoid);	/* name is bad, clobber it */
++	}
++	err = !err;
++    }
++    if (!err) {
++	/* we are now sure that this is non-numeric */
++
++	/*
++	 * Verify that the address is a member of the address list returned
++	 * by gethostbyname(hostname).
++	 * 
++	 * Verify also that gethostbyaddr() and gethostbyname() return the same
++	 * hostname, or rshd and rlogind may still end up being spoofed.
++	 * 
++	 * On some sites, gethostbyname("localhost") returns "localhost.domain".
++	 * This is a DNS artefact. We treat it as a special case. When we
++	 * can't believe the address list from gethostbyname("localhost")
++	 * we're in big trouble anyway.
++	 */
++
++	memset(&hints, 0, sizeof(hints));
++	hints.ai_family = sin->sa_family;
++	hints.ai_socktype = SOCK_STREAM;
++	hints.ai_flags = AI_PASSIVE | AI_CANONNAME;
++	if (getaddrinfo(host->name, NULL, &hints, &res0) != 0) {
++
++	    /*
++	     * Unable to verify that the host name matches the address. This
++	     * may be a transient problem or a botched name server setup.
++	     */
++
++	    tcpd_warn("can't verify hostname: getaddrinfo(%s, %s) failed",
++		      host->name,
++		      (sin->sa_family == AF_INET) ? "AF_INET" : "AF_INET6");
++
++	} else if ((res0->ai_canonname == NULL
++		    || STR_NE(host->name, res0->ai_canonname))
++		   && STR_NE(host->name, "localhost")) {
++
++	    /*
++	     * The gethostbyaddr() and gethostbyname() calls did not return
++	     * the same hostname. This could be a nameserver configuration
++	     * problem. It could also be that someone is trying to spoof us.
++	     */
++
++	    tcpd_warn("host name/name mismatch: %s != %.*s",
++		      host->name, STRING_LENGTH,
++		      (res0->ai_canonname == NULL) ? "" : res0->ai_canonname);
++
++	} else {
++
++	    /*
++	     * The address should be a member of the address list returned by
++	     * gethostbyname(). We should first verify that the h_addrtype
++	     * field is AF_INET, but this program has already caused too much
++	     * grief on systems with broken library code.
++	     */
++
++	    for (res = res0; res; res = res->ai_next) {
++		if (res->ai_family != sin->sa_family)
++		    continue;
++		switch (res->ai_family) {
++		case AF_INET:
++		    rap = (char *)&((struct sockaddr_in *)res->ai_addr)->sin_addr;
++		    break;
++		case AF_INET6:
++		    /* need to check scope_id */
++		    if (((struct sockaddr_in6 *)sin)->sin6_scope_id !=
++		        ((struct sockaddr_in6 *)res->ai_addr)->sin6_scope_id) {
++			continue;
++		    }
++		    rap = (char *)&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
++		    break;
++		default:
++		    continue;
++		}
++		if (memcmp(rap, ap, alen) == 0) {
++		    freeaddrinfo(res0);
++		    return;			/* name is good, keep it */
++		}
++	    }
++
++	    /*
++	     * The host name does not map to the initial address. Perhaps
++	     * someone has messed up. Perhaps someone compromised a name
++	     * server.
++	     */
++
++	    getnameinfo(sin, salen, hname, sizeof(hname),
++			NULL, 0, NI_NUMERICHOST | NI_WITHSCOPEID);
++	    tcpd_warn("host name/address mismatch: %s != %.*s",
++		      hname, STRING_LENGTH,
++		      (res0->ai_canonname == NULL) ? "" : res0->ai_canonname);
++	}
++	strcpy(host->name, paranoid);		/* name is bad, clobber it */
++	if (res0)
++	    freeaddrinfo(res0);
++    }
++#else /* INET6 */
+     struct sockaddr_in *sin = host->sin;
+     struct hostent *hp;
+     int     i;
+@@ -220,6 +412,7 @@ struct host_info *host;
+ 	}
+ 	strcpy(host->name, paranoid);		/* name is bad, clobber it */
+     }
++#endif /* INET6 */
+ }
+ 
+ /* sock_sink - absorb unreceived IP datagram */
+@@ -228,7 +421,11 @@ static void sock_sink(fd)
+ int     fd;
+ {
+     char    buf[BUFSIZ];
++#ifdef INET6
++    struct sockaddr_storage sin;
++#else
+     struct sockaddr_in sin;
++#endif
+     int     size = sizeof(sin);
+ 
+     /*
+--- a/tcpd.c
++++ b/tcpd.c
+@@ -120,7 +120,12 @@ char  **argv;
+ 
+     /* Report request and invoke the real daemon program. */
+ 
++#ifdef INET6
++    syslog(allow_severity, "connect from %s (%s)",
++	   eval_client(&request), eval_hostaddr(request.client));
++#else
+     syslog(allow_severity, "connect from %s", eval_client(&request));
++#endif
+     closelog();
+     (void) execv(path, argv);
+     syslog(LOG_ERR, "error: cannot execute %s: %m", path);
+--- a/tcpdchk.c
++++ b/tcpdchk.c
+@@ -22,6 +22,9 @@ static char sccsid[] = "@(#) tcpdchk.c 1
+ 
+ #include <sys/types.h>
+ #include <sys/stat.h>
++#ifdef INET6
++#include <sys/socket.h>
++#endif
+ #include <netinet/in.h>
+ #include <arpa/inet.h>
+ #include <stdio.h>
+@@ -397,6 +400,31 @@ char   *pat;
+     }
+ }
+ 
++#ifdef INET6
++static int is_inet6_addr(pat)
++    char *pat;
++{
++    struct addrinfo hints, *res;
++    int len, ret;
++    char ch;
++
++    if (*pat != '[')
++	return (0);
++    len = strlen(pat);
++    if ((ch = pat[len - 1]) != ']')
++	return (0);
++    pat[len - 1] = '\0';
++    memset(&hints, 0, sizeof(hints));
++    hints.ai_family = AF_INET6;
++    hints.ai_socktype = SOCK_STREAM;
++    hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
++    if ((ret = getaddrinfo(pat + 1, NULL, &hints, &res)) == 0)
++	freeaddrinfo(res);
++    pat[len - 1] = ch;
++    return (ret == 0);
++}
++#endif
++
+ /* check_host - criticize host pattern */
+ 
+ static int check_host(pat)
+@@ -423,14 +451,27 @@ char   *pat;
+ #endif
+ #endif
+     } else if (mask = split_at(pat, '/')) {	/* network/netmask */
++#ifdef INET6
++	int mask_len;
++
++	if ((dot_quad_addr(pat) == INADDR_NONE
++	    || dot_quad_addr(mask) == INADDR_NONE)
++	    && (!is_inet6_addr(pat)
++		|| ((mask_len = atoi(mask)) < 0 || mask_len > 128)))
++#else
+ 	if (dot_quad_addr(pat) == INADDR_NONE
+ 	    || dot_quad_addr(mask) == INADDR_NONE)
++#endif
+ 	    tcpd_warn("%s/%s: bad net/mask pattern", pat, mask);
+     } else if (STR_EQ(pat, "FAIL")) {		/* obsolete */
+ 	tcpd_warn("FAIL is no longer recognized");
+ 	tcpd_warn("(use EXCEPT or DENY instead)");
+     } else if (reserved_name(pat)) {		/* other reserved */
+ 	 /* void */ ;
++#ifdef INET6
++    } else if (is_inet6_addr(pat)) { /* IPv6 address */
++	addr_count = 1;
++#endif
+     } else if (NOT_INADDR(pat)) {		/* internet name */
+ 	if (pat[strlen(pat) - 1] == '.') {
+ 	    tcpd_warn("%s: domain or host name ends in dot", pat);
+--- a/tcpd.h
++++ b/tcpd.h
+@@ -11,7 +11,11 @@
+ struct host_info {
+     char    name[STRING_LENGTH];	/* access via eval_hostname(host) */
+     char    addr[STRING_LENGTH];	/* access via eval_hostaddr(host) */
++#ifdef INET6
++    struct sockaddr *sin;		/* socket address or 0 */
++#else
+     struct sockaddr_in *sin;		/* socket address or 0 */
++#endif
+     struct t_unitdata *unit;		/* TLI transport address or 0 */
+     struct request_info *request;	/* for shared information */
+ };
+--- a/tcpdmatch.c
++++ b/tcpdmatch.c
+@@ -57,7 +57,11 @@ int     main(argc, argv)
+ int     argc;
+ char  **argv;
+ {
++#ifdef INET6
++    struct addrinfo hints, *hp, *res;
++#else
+     struct hostent *hp;
++#endif
+     char   *myname = argv[0];
+     char   *client;
+     char   *server;
+@@ -68,8 +72,13 @@ char  **argv;
+     int     ch;
+     char   *inetcf = 0;
+     int     count;
++#ifdef INET6
++    struct sockaddr_storage server_sin;
++    struct sockaddr_storage client_sin;
++#else
+     struct sockaddr_in server_sin;
+     struct sockaddr_in client_sin;
++#endif
+     struct stat st;
+ 
+     /*
+@@ -172,13 +181,20 @@ char  **argv;
+     if (NOT_INADDR(server) == 0 || HOSTNAME_KNOWN(server)) {
+ 	if ((hp = find_inet_addr(server)) == 0)
+ 	    exit(1);
++#ifndef INET6
+ 	memset((char *) &server_sin, 0, sizeof(server_sin));
+ 	server_sin.sin_family = AF_INET;
++#endif
+ 	request_set(&request, RQ_SERVER_SIN, &server_sin, 0);
+ 
++#ifdef INET6
++	for (res = hp, count = 0; res; res = res->ai_next, count++) {
++	    memcpy(&server_sin, res->ai_addr, res->ai_addrlen);
++#else
+ 	for (count = 0; (addr = hp->h_addr_list[count]) != 0; count++) {
+ 	    memcpy((char *) &server_sin.sin_addr, addr,
+ 		   sizeof(server_sin.sin_addr));
++#endif
+ 
+ 	    /*
+ 	     * Force evaluation of server host name and address. Host name
+@@ -194,7 +210,11 @@ char  **argv;
+ 	    fprintf(stderr, "Please specify an address instead\n");
+ 	    exit(1);
+ 	}
++#ifdef INET6
++	freeaddrinfo(hp);
++#else
+ 	free((char *) hp);
++#endif
+     } else {
+ 	request_set(&request, RQ_SERVER_NAME, server, 0);
+     }
+@@ -208,6 +228,18 @@ char  **argv;
+ 	tcpdmatch(&request);
+ 	exit(0);
+     }
++#ifdef INET6
++    memset(&hints, 0, sizeof(hints));
++    hints.ai_family = AF_INET6;
++    hints.ai_socktype = SOCK_STREAM;
++    hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
++    if (getaddrinfo(client, NULL, &hints, &res) == 0) {
++	freeaddrinfo(res);
++	request_set(&request, RQ_CLIENT_ADDR, client, 0);
++	tcpdmatch(&request);
++	exit(0);
++    }
++#endif
+ 
+     /*
+      * Perhaps they are testing special client hostname patterns that aren't
+@@ -229,6 +261,34 @@ char  **argv;
+      */
+     if ((hp = find_inet_addr(client)) == 0)
+ 	exit(1);
++#ifdef INET6
++    request_set(&request, RQ_CLIENT_SIN, &client_sin, 0);
++
++    for (res = hp, count = 0; res; res = res->ai_next, count++) {
++	memcpy(&client_sin, res->ai_addr, res->ai_addrlen);
++
++	/*
++	 * getnameinfo() doesn't do reverse lookup against link-local
++	 * address.  So, we pass through host name evaluation against
++	 * such addresses.
++	 */
++	if (res->ai_family != AF_INET6 ||
++	    !IN6_IS_ADDR_LINKLOCAL(&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr)) {
++	    /*
++	     * Force evaluation of client host name and address. Host name
++	     * conflicts will be reported while eval_hostname() does its job.
++	     */
++	    request_set(&request, RQ_CLIENT_NAME, "", RQ_CLIENT_ADDR, "", 0);
++	    if (STR_EQ(eval_hostname(request.client), unknown))
++		tcpd_warn("host address %s->name lookup failed",
++			  eval_hostaddr(request.client));
++	}
++	tcpdmatch(&request);
++	if (res->ai_next)
++	    printf("\n");
++    }
++    freeaddrinfo(hp);
++#else
+     memset((char *) &client_sin, 0, sizeof(client_sin));
+     client_sin.sin_family = AF_INET;
+     request_set(&request, RQ_CLIENT_SIN, &client_sin, 0);
+@@ -250,6 +310,7 @@ char  **argv;
+ 	    printf("\n");
+     }
+     free((char *) hp);
++#endif
+     exit(0);
+ }
+ 
+--- a/tli.c
++++ b/tli.c
+@@ -65,8 +65,13 @@ static void tli_sink();
+ void    tli_host(request)
+ struct request_info *request;
+ {
++#ifdef INET6
++    static struct sockaddr_storage client;
++    static struct sockaddr_storage server;
++#else
+     static struct sockaddr_in client;
+     static struct sockaddr_in server;
++#endif
+ 
+     /*
+      * If we discover that we are using an IP transport, pretend we never
+@@ -76,14 +81,29 @@ struct request_info *request;
+ 
+     tli_endpoints(request);
+     if ((request->config = tli_transport(request->fd)) != 0
++#ifdef INET6
++	&& (STR_EQ(request->config->nc_protofmly, "inet") ||
++	    STR_EQ(request->config->nc_protofmly, "inet6"))) {
++#else
+ 	&& STR_EQ(request->config->nc_protofmly, "inet")) {
++#endif
+ 	if (request->client->unit != 0) {
++#ifdef INET6
++	    client = *(struct sockaddr_storage *) request->client->unit->addr.buf;
++	    request->client->sin = (struct sockaddr *) &client;
++#else
+ 	    client = *(struct sockaddr_in *) request->client->unit->addr.buf;
+ 	    request->client->sin = &client;
++#endif
+ 	}
+ 	if (request->server->unit != 0) {
++#ifdef INET6
++	    server = *(struct sockaddr_storage *) request->server->unit->addr.buf;
++	    request->server->sin = (struct sockaddr *) &server;
++#else
+ 	    server = *(struct sockaddr_in *) request->server->unit->addr.buf;
+ 	    request->server->sin = &server;
++#endif
+ 	}
+ 	tli_cleanup(request);
+ 	sock_methods(request);
+@@ -187,7 +207,15 @@ int     fd;
+     }
+     while (config = getnetconfig(handlep)) {
+ 	if (stat(config->nc_device, &from_config) == 0) {
++#ifdef NO_CLONE_DEVICE
++	/*
++	 * If the network devices are not cloned (as is the case for
++	 * Solaris 8 Beta), we must compare the major device numbers.
++	 */
++	    if (major(from_config.st_rdev) == major(from_client.st_rdev))
++#else
+ 	    if (minor(from_config.st_rdev) == major(from_client.st_rdev))
++#endif
+ 		break;
+ 	}
+     }
+--- a/update.c
++++ b/update.c
+@@ -46,10 +46,18 @@ va_list ap;
+ 	    request->fd = va_arg(ap, int);
+ 	    continue;
+ 	case RQ_CLIENT_SIN:
++#ifdef INET6
++	    request->client->sin = va_arg(ap, struct sockaddr *);
++#else
+ 	    request->client->sin = va_arg(ap, struct sockaddr_in *);
++#endif
+ 	    continue;
+ 	case RQ_SERVER_SIN:
++#ifdef INET6
++	    request->server->sin = va_arg(ap, struct sockaddr *);
++#else
+ 	    request->server->sin = va_arg(ap, struct sockaddr_in *);
++#endif
+ 	    continue;
+ 
+ 	    /*
+--- a/workarounds.c
++++ b/workarounds.c
+@@ -166,11 +166,22 @@ struct sockaddr *sa;
+ int    *len;
+ {
+     int     ret;
++#ifdef INET6
++    struct sockaddr *sin = sa;
++#else
+     struct sockaddr_in *sin = (struct sockaddr_in *) sa;
++#endif
+ 
+     if ((ret = getpeername(sock, sa, len)) >= 0
++#ifdef INET6
++	&& ((sin->su_si.si_family == AF_INET6
++	     && IN6_IS_ADDR_UNSPECIFIED(&sin->su_sin6.sin6_addr))
++	    || (sin->su_si.si_family == AF_INET
++		&& sin->su_sin.sin_addr.s_addr == 0))) {
++#else
+ 	&& sa->sa_family == AF_INET
+ 	&& sin->sin_addr.s_addr == 0) {
++#endif
+ 	errno = ENOTCONN;
+ 	return (-1);
+     } else {
diff --git a/tcp_wrappers.patches/tcp_wrappers-06.url b/tcp_wrappers.patches/tcp_wrappers-06.url
new file mode 100644
index 0000000..42d79b8
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-06.url
@@ -0,0 +1 @@
+ftp://ftp.debian.org/debian/pool/main/t/tcp-wrappers/tcp-wrappers_7.6.q-19.debian.tar.gz
diff --git a/tcp_wrappers.patches/tcp_wrappers-07.patch b/tcp_wrappers.patches/tcp_wrappers-07.patch
new file mode 100644
index 0000000..0238e35
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-07.patch
@@ -0,0 +1,151 @@
+Path: news.porcupine.org!news.porcupine.org!not-for-mail
+From: Wietse Venema <wietse@((no)(spam)(please))wzv.win.tue.nl>
+Newsgroups: comp.mail.sendmail,comp.security.unix
+Subject: TCP Wrapper Blacklist Extension
+Followup-To: poster
+Date: 8 Sep 1997 18:53:13 -0400
+Organization: Wietse's hangout while on sabattical in the USA
+Lines: 147
+Sender: wietse@spike.porcupine.org
+Message-ID: <5v1vkp$h4f$1@spike.porcupine.org>
+NNTP-Posting-Host: spike.porcupine.org
+Xref: news.porcupine.org comp.mail.sendmail:3541 comp.security.unix:7158
+
+The patch below adds a new host pattern to the TCP Wrapper access
+control language. Instead of a host name or address pattern, you
+can specify an external /file/name with host name or address
+patterns.   The feature can be used recursively.
+
+The /file/name extension makes it easy to blacklist bad sites, for
+example, to block unwanted electronic mail when libwrap is linked
+into sendmail.  Adding hosts to a simple text file is much easier
+than having to edit a more complex hosts.allow/deny file.
+
+I developed this a year or so ago as a substitute for NIS netgroups.
+At that time, I did not consider it of sufficient interest for
+inclusion in the TCP Wrapper distribution. How times have changed.
+
+The patch is relative to TCP Wrappers version 7.6. The main archive
+site is ftp://ftp.win.tue.nl/pub/security/tcp_wrappers_7.6.tar.gz
+
+Thanks to the Debian LINUX folks for expressing their interest in
+this patch.
+
+	Wietse
+
+
+[diff updated by Md]
+
+diff -ruN tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5
+--- tcp_wrappers_7.6.orig/hosts_access.5	2004-04-10 19:28:09.000000000 +0200
++++ tcp_wrappers_7.6/hosts_access.5	2004-04-10 19:28:01.000000000 +0200
+@@ -97,6 +97,13 @@
+ `[3ffe:505:2:1::]/64\' matches every address in the range
+ `3ffe:505:2:1::\' through `3ffe:505:2:1:ffff:ffff:ffff:ffff\'.
+ .IP \(bu
++A string that begins with a `/\' character is treated as a file
++name. A host name or address is matched if it matches any host name
++or address pattern listed in the named file. The file format is
++zero or more lines with zero or more host name or address patterns
++separated by whitespace.  A file name pattern can be used anywhere
++a host name or address pattern can be used.
++.IP \(bu
+ Wildcards `*\' and `?\' can be used to match hostnames or IP addresses.  This
+ method of matching cannot be used in conjunction with `net/mask\' matching,
+ hostname matching beginning with `.\' or IP address matching ending with `.\'.
+diff -ruN tcp_wrappers_7.6.orig/hosts_access.c tcp_wrappers_7.6/hosts_access.c
+--- tcp_wrappers_7.6.orig/hosts_access.c	2004-04-10 19:28:09.000000000 +0200
++++ tcp_wrappers_7.6/hosts_access.c	2004-04-10 19:27:05.000000000 +0200
+@@ -253,6 +253,26 @@
+     }
+ }
+ 
++/* hostfile_match - look up host patterns from file */
++
++static int hostfile_match(path, host)
++char   *path;
++struct hosts_info *host;
++{
++    char    tok[BUFSIZ];
++    int     match = NO;
++    FILE   *fp;
++
++    if ((fp = fopen(path, "r")) != 0) {
++	while (fscanf(fp, "%s", tok) == 1 && !(match = host_match(tok, host)))
++	     /* void */ ;
++	fclose(fp);
++    } else if (errno != ENOENT) {
++	tcpd_warn("open %s: %m", path);
++    }
++    return (match);
++}
++
+ /* host_match - match host name and/or address against pattern */
+ 
+ static int host_match(tok, host)
+@@ -280,6 +300,8 @@
+ 	tcpd_warn("netgroup support is disabled");	/* not tcpd_jump() */
+ 	return (NO);
+ #endif
++    } else if (tok[0] == '/') {			/* /file hack */
++	return (hostfile_match(tok, host));
+     } else if (STR_EQ(tok, "KNOWN")) {		/* check address and name */
+ 	char   *name = eval_hostname(host);
+ 	return (STR_NE(eval_hostaddr(host), unknown) && HOSTNAME_KNOWN(name));
+diff -ruN tcp_wrappers_7.6.orig/tcpdchk.c tcp_wrappers_7.6/tcpdchk.c
+--- tcp_wrappers_7.6.orig/tcpdchk.c	2004-04-10 19:28:09.000000000 +0200
++++ tcp_wrappers_7.6/tcpdchk.c	2004-04-10 19:27:05.000000000 +0200
+@@ -353,6 +353,8 @@
+ {
+     if (pat[0] == '@') {
+ 	tcpd_warn("%s: daemon name begins with \"@\"", pat);
++    } else if (pat[0] == '/') {
++	tcpd_warn("%s: daemon name begins with \"/\"", pat);
+     } else if (pat[0] == '.') {
+ 	tcpd_warn("%s: daemon name begins with dot", pat);
+     } else if (pat[strlen(pat) - 1] == '.') {
+@@ -385,6 +387,8 @@
+ {
+     if (pat[0] == '@') {			/* @netgroup */
+ 	tcpd_warn("%s: user name begins with \"@\"", pat);
++    } else if (pat[0] == '/') {
++	tcpd_warn("%s: user name begins with \"/\"", pat);
+     } else if (pat[0] == '.') {
+ 	tcpd_warn("%s: user name begins with dot", pat);
+     } else if (pat[strlen(pat) - 1] == '.') {
+@@ -430,8 +434,13 @@
+ static int check_host(pat)
+ char   *pat;
+ {
++    char    buf[BUFSIZ];
+     char   *mask;
+     int     addr_count = 1;
++    FILE   *fp;
++    struct tcpd_context saved_context;
++    char   *cp;
++    char   *wsp = " \t\r\n";
+ 
+     if (pat[0] == '@') {			/* @netgroup */
+ #ifdef NO_NETGRENT
+@@ -450,6 +459,21 @@
+ 	tcpd_warn("netgroup support disabled");
+ #endif
+ #endif
++    } else if (pat[0] == '/') {			/* /path/name */
++	if ((fp = fopen(pat, "r")) != 0) {
++	    saved_context = tcpd_context;
++	    tcpd_context.file = pat;
++	    tcpd_context.line = 0;
++	    while (fgets(buf, sizeof(buf), fp)) {
++		tcpd_context.line++;
++		for (cp = strtok(buf, wsp); cp; cp = strtok((char *) 0, wsp))
++		    check_host(cp);
++	    }
++	    tcpd_context = saved_context;
++	    fclose(fp);
++	} else if (errno != ENOENT) {
++	    tcpd_warn("open %s: %m", pat);
++	}
+     } else if (mask = split_at(pat, '/')) {	/* network/netmask */
+ #ifdef INET6
+ 	int mask_len;
diff --git a/tcp_wrappers.patches/tcp_wrappers-07.url b/tcp_wrappers.patches/tcp_wrappers-07.url
new file mode 100644
index 0000000..42d79b8
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-07.url
@@ -0,0 +1 @@
+ftp://ftp.debian.org/debian/pool/main/t/tcp-wrappers/tcp-wrappers_7.6.q-19.debian.tar.gz
diff --git a/tcp_wrappers.patches/tcp_wrappers-08.patch b/tcp_wrappers.patches/tcp_wrappers-08.patch
new file mode 100644
index 0000000..88a2b5e
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-08.patch
@@ -0,0 +1,45 @@
+diff -uN tcp_wrappers_7.6/hosts_access.c tcp_wrappers_7.6.new/hosts_access.c
+--- tcp_wrappers_7.6/hosts_access.c	Mon May 20 14:00:56 2002
++++ tcp_wrappers_7.6.new/hosts_access.c	Mon May 20 14:25:05 2002
+@@ -448,6 +448,15 @@
+     int len, mask_len, i = 0;
+     char ch;
+ 
++    /*
++     * Behavior of getaddrinfo() against IPv4-mapped IPv6 address is
++     * different between KAME and Solaris8.  While KAME returns
++     * AF_INET6, Solaris8 returns AF_INET.  So, we avoid this here.
++     */
++    if (STRN_EQ(string, "::ffff:", 7)
++	&& dot_quad_addr(string + 7) != INADDR_NONE)
++	return (masked_match4(net_tok, mask_tok, string + 7));
++
+     memset(&hints, 0, sizeof(hints));
+     hints.ai_family = AF_INET6;
+     hints.ai_socktype = SOCK_STREAM;
+@@ -457,13 +466,6 @@
+     memcpy(&addr, res->ai_addr, sizeof(addr));
+     freeaddrinfo(res);
+ 
+-    if (IN6_IS_ADDR_V4MAPPED(&addr.sin6_addr)) {
+-	if ((*(u_int32_t *)&net.sin6_addr.s6_addr[12] = dot_quad_addr(net_tok)) == INADDR_NONE
+-	 || (mask = dot_quad_addr(mask_tok)) == INADDR_NONE)
+-	    return (NO);
+-	return ((*(u_int32_t *)&addr.sin6_addr.s6_addr[12] & mask) == *(u_int32_t *)&net.sin6_addr.s6_addr[12]);
+-    }
+-
+     /* match IPv6 address against netnumber/prefixlen */
+     len = strlen(net_tok);
+     if (*net_tok != '[' || net_tok[len - 1] != ']')
+diff -uN tcp_wrappers_7.6/socket.c tcp_wrappers_7.6.new/socket.c
+--- tcp_wrappers_7.6/socket.c	Mon May 20 13:48:35 2002
++++ tcp_wrappers_7.6.new/socket.c	Mon May 20 14:22:27 2002
+@@ -228,7 +228,7 @@
+ 	hints.ai_family = sin->sa_family;
+ 	hints.ai_socktype = SOCK_STREAM;
+ 	hints.ai_flags = AI_PASSIVE | AI_CANONNAME | AI_NUMERICHOST;
+-	if ((err = getaddrinfo(host->name, NULL, &hints, &res0) == 0)) {
++	if ((err = getaddrinfo(host->name, NULL, &hints, &res0)) == 0) {
+ 	    freeaddrinfo(res0);
+ 	    res0 = NULL;
+ 	    tcpd_warn("host name/name mismatch: "
diff --git a/tcp_wrappers.patches/tcp_wrappers-08.url b/tcp_wrappers.patches/tcp_wrappers-08.url
new file mode 100644
index 0000000..42d79b8
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-08.url
@@ -0,0 +1 @@
+ftp://ftp.debian.org/debian/pool/main/t/tcp-wrappers/tcp-wrappers_7.6.q-19.debian.tar.gz
diff --git a/tcp_wrappers.patches/tcp_wrappers-09.patch b/tcp_wrappers.patches/tcp_wrappers-09.patch
new file mode 100644
index 0000000..2a553db
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-09.patch
@@ -0,0 +1,81 @@
+--- a/Makefile
++++ b/Makefile
+@@ -45,7 +45,7 @@ what:
+ #
+ # SysV.4 Solaris 2.x OSF AIX
+ #REAL_DAEMON_DIR=/usr/sbin
+-#
++REAL_DAEMON_DIR=/usr/sbin
+ # BSD 4.4
+ #REAL_DAEMON_DIR=/usr/libexec
+ #
+@@ -513,6 +513,7 @@ VSYSLOG	= -Dvsyslog=myvsyslog
+ # (examples: allow, deny, banners, twist and spawn).
+ # 
+ #STYLE	= -DPROCESS_OPTIONS	# Enable language extensions.
++STYLE = "-DPROCESS_OPTIONS -DACLEXEC"
+ 
+ ################################################################
+ # Optional: Changing the default disposition of logfile records
+@@ -536,6 +537,7 @@ VSYSLOG	= -Dvsyslog=myvsyslog
+ # The LOG_XXX names below are taken from the /usr/include/syslog.h file.
+ 
+ FACILITY= LOG_MAIL	# LOG_MAIL is what most sendmail daemons use
++FACILITY= LOG_DAEMON
+ 
+ # The syslog priority at which successful connections are logged.
+ 
+@@ -632,6 +634,7 @@ TABLES	= -DHOSTS_DENY=\"/etc/hosts.deny\
+ # lookups altogether, see the next section.
+ 
+ PARANOID= -DPARANOID
++PARANOID=
+ 
+ ########################################
+ # Optional: turning off hostname lookups
+@@ -645,6 +648,7 @@ PARANOID= -DPARANOID
+ # mode (see previous section) and comment out the following definition.
+ 
+ HOSTNAME= -DALWAYS_HOSTNAME
++HOSTNAME=
+ 
+ #############################################
+ # Optional: Turning on host ADDRESS checking
+@@ -671,6 +675,7 @@ HOSTNAME= -DALWAYS_HOSTNAME
+ # Solaris 2.x, and Linux. See your system documentation for details.
+ #
+ # KILL_OPT= -DKILL_IP_OPTIONS
++KILL_OPT= -DKILL_IP_OPTIONS
+ 
+ ## End configuration options
+ ############################
+@@ -678,9 +683,10 @@ HOSTNAME= -DALWAYS_HOSTNAME
+ # Protection against weird shells or weird make programs.
+ 
+ SHELL	= /bin/sh
+-.c.o:;	$(CC) $(CFLAGS) -c $*.c
++.c.o:;	$(CC) $(CFLAGS) -o $*.o -c $*.c
+ 
+-CFLAGS	= -O -DFACILITY=$(FACILITY) $(ACCESS) $(PARANOID) $(NETGROUP) \
++COPTS	= -O2 -g
++CFLAGS	= $(COPTS) -DFACILITY=$(FACILITY) $(ACCESS) $(PARANOID) $(NETGROUP) \
+ 	$(BUGS) $(SYSTYPE) $(AUTH) $(UMASK) \
+ 	-DREAL_DAEMON_DIR=\"$(REAL_DAEMON_DIR)\" $(STYLE) $(KILL_OPT) \
+ 	-DSEVERITY=$(SEVERITY) -DRFC931_TIMEOUT=$(RFC931_TIMEOUT) \
+@@ -713,11 +719,12 @@ all other: config-check tcpd tcpdmatch t
+ 
+ config-check:
+ 	@set +e; test -n "$(REAL_DAEMON_DIR)" || { make; exit 1; }
+-	@set +e; echo $(CFLAGS) >/tmp/cflags.$$$$ ; \
+-	if cmp cflags /tmp/cflags.$$$$ ; \
+-	then rm /tmp/cflags.$$$$ ; \
+-	else mv /tmp/cflags.$$$$ cflags ; \
++	@set +e; echo $(CFLAGS) >cflags.new ; \
++	if cmp cflags cflags.new ; \
++	then rm cflags.new ; \
++	else mv cflags.new cflags ; \
+ 	fi >/dev/null 2>/dev/null
++	@if [ ! -d shared ]; then mkdir shared; fi
+ 
+ $(LIB):	$(LIB_OBJ)
+ 	rm -f $(LIB)
diff --git a/tcp_wrappers.patches/tcp_wrappers-09.url b/tcp_wrappers.patches/tcp_wrappers-09.url
new file mode 100644
index 0000000..42d79b8
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-09.url
@@ -0,0 +1 @@
+ftp://ftp.debian.org/debian/pool/main/t/tcp-wrappers/tcp-wrappers_7.6.q-19.debian.tar.gz
diff --git a/tcp_wrappers.patches/tcp_wrappers-10.patch b/tcp_wrappers.patches/tcp_wrappers-10.patch
new file mode 100644
index 0000000..3d40b00
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-10.patch
@@ -0,0 +1,258 @@
+--- a/Makefile
++++ b/Makefile
+@@ -150,15 +150,15 @@ netbsd:
+ 
+ linux:
+ 	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+-	LIBS=-lnsl RANLIB=ranlib ARFLAGS=rv AUX_OBJ= \
++	LIBS=-lnsl RANLIB=ranlib ARFLAGS=rv AUX_OBJ=weak_symbols.o \
+ 	NETGROUP="-DNETGROUP" TLI= VSYSLOG= BUGS= \
+-	EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_STRERROR -DINET6=1 -Dss_family=__ss_family -Dss_len=__ss_len" all
++	EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_STRERROR -DHAVE_WEAKSYMS -D_REENTRANT -DINET6=1 -Dss_family=__ss_family -Dss_len=__ss_len" all
+ 
+ gnu:
+ 	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+-	LIBS=-lnsl RANLIB=ranlib ARFLAGS=rv AUX_OBJ= \
++	LIBS=-lnsl RANLIB=ranlib ARFLAGS=rv AUX_OBJ=weak_symbols.o \
+ 	NETGROUP=-DNETGROUP TLI= VSYSLOG= BUGS= \
+-	EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_STRERROR" all
++	EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_STRERROR -DHAVE_WEAKSYMS -D_REENTRANT" all
+ 
+ # This is good for many SYSV+BSD hybrids with NIS, probably also for HP-UX 7.x.
+ hpux hpux8 hpux9 hpux10:
+@@ -713,7 +713,22 @@ KIT	= README miscd.c tcpd.c fromhost.c h
+ 
+ LIB	= libwrap.a
+ 
+-all other: config-check tcpd tcpdmatch try-from safe_finger tcpdchk
++shared/%.o: %.c
++	$(CC) $(CFLAGS) $(SHCFLAGS) -c $< -o $@
++
++SOMAJOR = 0
++SOMINOR = 7.6
++
++SHLIB		= shared/libwrap.so.$(SOMAJOR).$(SOMINOR)
++SHLIBSOMAJ	= shared/libwrap.so.$(SOMAJOR)
++SHLIBSO		= shared/libwrap.so
++SHLIBFLAGS	= -Lshared -lwrap
++
++SHLINKFLAGS = -fpic -shared -Wl,-soname,libwrap.so.$(SOMAJOR) -Wl,--version-script=libwrap.lds $(LIBS)
++SHCFLAGS = -fpic -shared -D_REENTRANT
++SHLIB_OBJ= $(addprefix shared/, $(LIB_OBJ));
++
++all other: config-check tcpd tcpdmatch try-from safe_finger tcpdchk $(LIB)
+ 
+ # Invalidate all object files when the compiler options (CFLAGS) have changed.
+ 
+@@ -731,27 +746,33 @@ $(LIB):	$(LIB_OBJ)
+ 	$(AR) $(ARFLAGS) $(LIB) $(LIB_OBJ)
+ 	-$(RANLIB) $(LIB)
+ 
+-tcpd:	tcpd.o $(LIB)
+-	$(CC) $(CFLAGS) -o $@ tcpd.o $(LIB) $(LIBS)
++$(SHLIB): libwrap.lds $(SHLIB_OBJ)
++	rm -f $(SHLIB)
++	$(CC) -o $(SHLIB) $(SHLINKFLAGS) $(SHLIB_OBJ)
++	ln -sf $(notdir $(SHLIB)) $(SHLIBSOMAJ)
++	ln -sf $(notdir $(SHLIBSOMAJ)) $(SHLIBSO)
++
++tcpd:	tcpd.o $(SHLIB)
++	$(CC) $(CFLAGS) -o $@ tcpd.o $(SHLIBFLAGS)
+ 
+ miscd:	miscd.o $(LIB)
+ 	$(CC) $(CFLAGS) -o $@ miscd.o $(LIB) $(LIBS)
+ 
+-safe_finger: safe_finger.o $(LIB)
+-	$(CC) $(CFLAGS) -o $@ safe_finger.o $(LIB) $(LIBS)
++safe_finger: safe_finger.o
++	$(CC) $(CFLAGS) -o $@ safe_finger.o
+ 
+ TCPDMATCH_OBJ = tcpdmatch.o fakelog.o inetcf.o scaffold.o
+ 
+-tcpdmatch: $(TCPDMATCH_OBJ) $(LIB)
+-	$(CC) $(CFLAGS) -o $@ $(TCPDMATCH_OBJ) $(LIB) $(LIBS)
++tcpdmatch: $(TCPDMATCH_OBJ) $(SHLIB)
++	$(CC) $(CFLAGS) -o $@ $(TCPDMATCH_OBJ) $(SHLIBFLAGS)
+ 
+-try-from: try-from.o fakelog.o $(LIB)
+-	$(CC) $(CFLAGS) -o $@ try-from.o fakelog.o $(LIB) $(LIBS)
++try-from: try-from.o fakelog.o $(SHLIB)
++	$(CC) $(CFLAGS) -o $@ try-from.o fakelog.o $(SHLIBFLAGS)
+ 
+ TCPDCHK_OBJ = tcpdchk.o fakelog.o inetcf.o scaffold.o
+ 
+-tcpdchk: $(TCPDCHK_OBJ) $(LIB)
+-	$(CC) $(CFLAGS) -o $@ $(TCPDCHK_OBJ) $(LIB) $(LIBS)
++tcpdchk: $(TCPDCHK_OBJ) $(SHLIB)
++	$(CC) $(CFLAGS) -o $@ $(TCPDCHK_OBJ) $(SHLIBFLAGS)
+ 
+ shar:	$(KIT)
+ 	@shar $(KIT)
+@@ -767,7 +788,9 @@ archive:
+ 
+ clean:
+ 	rm -f tcpd miscd safe_finger tcpdmatch tcpdchk try-from *.[oa] core \
++	libwrap*.so* \
+ 	cflags
++	rm -rf shared/
+ 
+ tidy:	clean
+ 	chmod -R a+r .
+@@ -913,5 +936,6 @@ update.o: cflags
+ update.o: mystdarg.h
+ update.o: tcpd.h
+ vfprintf.o: cflags
++weak_symbols.o: tcpd.h
+ workarounds.o: cflags
+ workarounds.o: tcpd.h
+--- a/tcpd.h
++++ b/tcpd.h
+@@ -4,6 +4,15 @@
+   * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+   */
+ 
++#ifndef _TCPWRAPPERS_TCPD_H
++#define _TCPWRAPPERS_TCPD_H
++
++/* Need definitions of struct sockaddr_in and FILE. */
++#include <netinet/in.h>
++#include <stdio.h>
++
++__BEGIN_DECLS
++
+ /* Structure to describe one communications endpoint. */
+ 
+ #define STRING_LENGTH	128		/* hosts, users, processes */
+@@ -29,10 +38,10 @@ struct request_info {
+     char    pid[10];			/* access via eval_pid(request) */
+     struct host_info client[1];		/* client endpoint info */
+     struct host_info server[1];		/* server endpoint info */
+-    void  (*sink) ();			/* datagram sink function or 0 */
+-    void  (*hostname) ();		/* address to printable hostname */
+-    void  (*hostaddr) ();		/* address to printable address */
+-    void  (*cleanup) ();		/* cleanup function or 0 */
++    void  (*sink) (int);		/* datagram sink function or 0 */
++    void  (*hostname) (struct host_info *); /* address to printable hostname */
++    void  (*hostaddr) (struct host_info *); /* address to printable address */
++    void  (*cleanup) (struct request_info *); /* cleanup function or 0 */
+     struct netconfig *config;		/* netdir handle */
+ };
+ 
+@@ -70,20 +79,27 @@ extern void fromhost();			/* get/validat
+ #define fromhost sock_host		/* no TLI support needed */
+ #endif
+ 
+-extern int hosts_access();		/* access control */
+-extern void shell_cmd();		/* execute shell command */
+-extern char *percent_x();		/* do %<char> expansion */
+-extern void rfc931();			/* client name from RFC 931 daemon */
+-extern void clean_exit();		/* clean up and exit */
+-extern void refuse();			/* clean up and exit */
+-extern char *xgets();			/* fgets() on steroids */
+-extern char *split_at();		/* strchr() and split */
+-extern unsigned long dot_quad_addr();	/* restricted inet_addr() */
++extern int hosts_access(struct request_info *request);	/* access control */
++extern void shell_cmd(char *);		/* execute shell command */
++extern char *percent_x(char *, int, char *, struct request_info *);
++					/* do %<char> expansion */
++extern void rfc931(struct sockaddr *, struct sockaddr *, char *);
++					/* client name from RFC 931 daemon */
++extern void clean_exit(struct request_info *);	/* clean up and exit */
++extern void refuse(struct request_info *);	/* clean up and exit */
++extern char *xgets(char *, int, FILE *);	/* fgets() on steroids */
++extern char *split_at(char *, int);		/* strchr() and split */
++extern unsigned long dot_quad_addr(char *);	/* restricted inet_addr() */
+ 
+ /* Global variables. */
+ 
++#ifdef HAVE_WEAKSYMS
++extern int allow_severity __attribute__ ((weak)); /* for connection logging */
++extern int deny_severity __attribute__ ((weak)); /* for connection logging */
++#else
+ extern int allow_severity;		/* for connection logging */
+ extern int deny_severity;		/* for connection logging */
++#endif
+ extern char *hosts_allow_table;		/* for verification mode redirection */
+ extern char *hosts_deny_table;		/* for verification mode redirection */
+ extern int hosts_access_verbose;	/* for verbose matching mode */
+@@ -98,6 +114,8 @@ extern int resident;			/* > 0 if residen
+ #ifdef __STDC__
+ extern struct request_info *request_init(struct request_info *,...);
+ extern struct request_info *request_set(struct request_info *,...);
++extern int hosts_ctl(char *daemon, char *client_name, char *client_addr,
++		char *client_user);
+ #else
+ extern struct request_info *request_init();	/* initialize request */
+ extern struct request_info *request_set();	/* update request structure */
+@@ -121,20 +139,23 @@ extern struct request_info *request_set(
+   * host_info structures serve as caches for the lookup results.
+   */
+ 
+-extern char *eval_user();		/* client user */
+-extern char *eval_hostname();		/* printable hostname */
+-extern char *eval_hostaddr();		/* printable host address */
+-extern char *eval_hostinfo();		/* host name or address */
+-extern char *eval_client();		/* whatever is available */
+-extern char *eval_server();		/* whatever is available */
++extern char *eval_user(struct request_info *);	/* client user */
++extern char *eval_hostname(struct host_info *);	/* printable hostname */
++extern char *eval_hostaddr(struct host_info *);	/* printable host address */
++extern char *eval_hostinfo(struct host_info *);	/* host name or address */
++extern char *eval_client(struct request_info *);/* whatever is available */
++extern char *eval_server(struct request_info *);/* whatever is available */
+ #define eval_daemon(r)	((r)->daemon)	/* daemon process name */
+ #define eval_pid(r)	((r)->pid)	/* process id */
+ 
+ /* Socket-specific methods, including DNS hostname lookups. */
+ 
+-extern void sock_host();		/* look up endpoint addresses */
+-extern void sock_hostname();		/* translate address to hostname */
+-extern void sock_hostaddr();		/* address to printable address */
++/* look up endpoint addresses */
++extern void sock_host(struct request_info *);
++/* translate address to hostname */
++extern void sock_hostname(struct host_info *);
++/* address to printable address */
++extern void sock_hostaddr(struct host_info *);
+ #define sock_methods(r) \
+ 	{ (r)->hostname = sock_hostname; (r)->hostaddr = sock_hostaddr; }
+ 
+@@ -182,7 +203,7 @@ extern struct tcpd_context tcpd_context;
+   * behavior.
+   */
+ 
+-extern void process_options();		/* execute options */
++extern void process_options(char *, struct request_info *);/* execute options */
+ extern int dry_run;			/* verification flag */
+ 
+ /* Bug workarounds. */
+@@ -221,3 +242,7 @@ extern char *fix_strtok();
+ #define strtok	my_strtok
+ extern char *my_strtok();
+ #endif
++
++__END_DECLS
++
++#endif
+--- /dev/null
++++ b/weak_symbols.c
+@@ -0,0 +1,12 @@
++ /*
++  * @(#) weak_symbols.h 1.5 99/12/29 23:50
++  * 
++  * Author: Anthony Towns <ajt@debian.org>
++  */
++
++#ifdef HAVE_WEAKSYMS
++#include "tcpd.h"
++#include <syslog.h>
++int deny_severity = LOG_WARNING;
++int allow_severity = SEVERITY; 
++#endif
+--- /dev/null
++++ b/libwrap.lds
+@@ -0,0 +1,4 @@
++{
++  local:
++	aclexec_matched;
++};
diff --git a/tcp_wrappers.patches/tcp_wrappers-10.url b/tcp_wrappers.patches/tcp_wrappers-10.url
new file mode 100644
index 0000000..42d79b8
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-10.url
@@ -0,0 +1 @@
+ftp://ftp.debian.org/debian/pool/main/t/tcp-wrappers/tcp-wrappers_7.6.q-19.debian.tar.gz
diff --git a/tcp_wrappers.patches/tcp_wrappers-11.patch b/tcp_wrappers.patches/tcp_wrappers-11.patch
new file mode 100644
index 0000000..0e1ecf5
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-11.patch
@@ -0,0 +1,66 @@
+diff -ruN tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5
+--- tcp_wrappers_7.6.orig/hosts_access.5	2003-08-21 03:15:36.000000000 +0200
++++ tcp_wrappers_7.6/hosts_access.5	2003-08-21 03:15:31.000000000 +0200
+@@ -90,6 +90,10 @@
+ pattern `131.155.72.0/255.255.254.0\' matches every address in the
+ range `131.155.72.0\' through `131.155.73.255\'.
+ .IP \(bu
++An expression of the form `n.n.n.n/mm' is interpreted as a
++`net/masklength' pair, where `mm' is the number of consecutive `1'
++bits in the netmask applied to the `n.n.n.n' address.
++.IP \(bu
+ An expression of the form `[n:n:n:n:n:n:n:n]/m\' is interpreted as a
+ `[net]/prefixlen\' pair. An IPv6 host address is matched if
+ `prefixlen\' bits of `net\' is equal to the `prefixlen\' bits of the
+diff -ruN tcp_wrappers_7.6.orig/hosts_access.c tcp_wrappers_7.6/hosts_access.c
+--- tcp_wrappers_7.6.orig/hosts_access.c	2003-08-21 03:15:36.000000000 +0200
++++ tcp_wrappers_7.6/hosts_access.c	2003-08-21 03:09:30.000000000 +0200
+@@ -417,7 +417,8 @@
+     if ((addr = dot_quad_addr(string)) == INADDR_NONE)
+ 	return (NO);
+     if ((net = dot_quad_addr(net_tok)) == INADDR_NONE
+-	|| (mask = dot_quad_addr(mask_tok)) == INADDR_NONE) {
++	|| ((mask = dot_quad_addr(mask_tok)) == INADDR_NONE
++	    && (mask = cidr_mask_addr(mask_tok)) == 0)) {
+ #ifndef INET6
+ 	tcpd_warn("bad net/mask expression: %s/%s", net_tok, mask_tok);
+ #endif
+diff -ruN tcp_wrappers_7.6.orig/misc.c tcp_wrappers_7.6/misc.c
+--- tcp_wrappers_7.6.orig/misc.c	2003-08-21 03:15:36.000000000 +0200
++++ tcp_wrappers_7.6/misc.c	2003-08-21 03:09:30.000000000 +0200
+@@ -107,3 +107,17 @@
+     }
+     return (runs == 4 ? inet_addr(str) : INADDR_NONE);
+ }
++
++/* cidr_mask_addr - convert cidr netmask length to internal form */
++
++unsigned long cidr_mask_addr(str)
++char   *str;
++{
++    int     maskbits;
++
++    maskbits = atoi(str);
++    if (maskbits < 1 || maskbits > 32)
++	return (0);
++    return htonl(0xFFFFFFFF << (32 - maskbits));
++}
++
+diff -ruN tcp_wrappers_7.6.orig/tcpdchk.c tcp_wrappers_7.6/tcpdchk.c
+--- tcp_wrappers_7.6.orig/tcpdchk.c	2003-08-21 03:15:36.000000000 +0200
++++ tcp_wrappers_7.6/tcpdchk.c	2003-08-21 03:09:30.000000000 +0200
+@@ -497,12 +497,12 @@
+ 	int mask_len;
+ 
+ 	if ((dot_quad_addr(pat) == INADDR_NONE
+-	    || dot_quad_addr(mask) == INADDR_NONE)
++	    || dot_quad_addr(mask) == INADDR_NONE && cidr_mask_addr(mask) == 0)
+ 	    && (!is_inet6_addr(pat)
+ 		|| ((mask_len = atoi(mask)) < 0 || mask_len > 128)))
+ #else
+ 	if (dot_quad_addr(pat) == INADDR_NONE
+-	    || dot_quad_addr(mask) == INADDR_NONE)
++	    || dot_quad_addr(mask) == INADDR_NONE && cidr_mask_addr(mask) == 0)
+ #endif
+ 	    tcpd_warn("%s/%s: bad net/mask pattern", pat, mask);
+     } else if (STR_EQ(pat, "FAIL")) {		/* obsolete */
diff --git a/tcp_wrappers.patches/tcp_wrappers-11.url b/tcp_wrappers.patches/tcp_wrappers-11.url
new file mode 100644
index 0000000..42d79b8
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-11.url
@@ -0,0 +1 @@
+ftp://ftp.debian.org/debian/pool/main/t/tcp-wrappers/tcp-wrappers_7.6.q-19.debian.tar.gz
diff --git a/tcp_wrappers.patches/tcp_wrappers-12.patch b/tcp_wrappers.patches/tcp_wrappers-12.patch
new file mode 100644
index 0000000..913ed98
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-12.patch
@@ -0,0 +1,12 @@
+diff -ruN tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5
+--- tcp_wrappers_7.6.orig/hosts_access.5	2004-04-25 12:17:59.000000000 +0200
++++ tcp_wrappers_7.6/hosts_access.5	2004-04-25 12:17:53.000000000 +0200
+@@ -89,6 +89,8 @@
+ bitwise AND of the address and the `mask\'. For example, the net/mask
+ pattern `131.155.72.0/255.255.254.0\' matches every address in the
+ range `131.155.72.0\' through `131.155.73.255\'.
++`255.255.255.255\' is not a valid mask value, so a single host can be
++matched just by its IP.
+ .IP \(bu
+ An expression of the form `n.n.n.n/mm' is interpreted as a
+ `net/masklength' pair, where `mm' is the number of consecutive `1'
diff --git a/tcp_wrappers.patches/tcp_wrappers-12.url b/tcp_wrappers.patches/tcp_wrappers-12.url
new file mode 100644
index 0000000..42d79b8
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-12.url
@@ -0,0 +1 @@
+ftp://ftp.debian.org/debian/pool/main/t/tcp-wrappers/tcp-wrappers_7.6.q-19.debian.tar.gz
diff --git a/tcp_wrappers.patches/tcp_wrappers-13.patch b/tcp_wrappers.patches/tcp_wrappers-13.patch
new file mode 100644
index 0000000..8fe5d30
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-13.patch
@@ -0,0 +1,137 @@
+diff -ruNp tcp_wrappers_7.6.orig/hosts_access.c tcp_wrappers_7.6/hosts_access.c
+--- tcp_wrappers_7.6.orig/hosts_access.c	2006-03-01 19:25:45.000000000 +0100
++++ tcp_wrappers_7.6/hosts_access.c	2006-03-01 19:23:58.000000000 +0100
+@@ -82,6 +82,9 @@ int     hosts_access_verbose = 0;
+   */
+ 
+ int     resident = (-1);		/* -1, 0: unknown; +1: yes */
++#ifdef ACLEXEC
++int	aclexec_matched = 0;
++#endif
+ 
+ /* Forward declarations. */
+ 
+@@ -185,6 +188,12 @@ struct request_info *request;
+ 	if (sh_cmd) {
+ #ifdef PROCESS_OPTIONS
+ 	    process_options(sh_cmd, request);
++# ifdef ACLEXEC
++	    if (aclexec_matched) {
++		syslog(LOG_INFO, "aclexec returned %d", aclexec_matched);
++		match = NO;
++	    }
++# endif
+ #else
+ 	    char    cmd[BUFSIZ];
+ 	    shell_cmd(percent_x(cmd, sizeof(cmd), sh_cmd, request));
+diff -ruNp tcp_wrappers_7.6.orig/options.c tcp_wrappers_7.6/options.c
+--- tcp_wrappers_7.6.orig/options.c	1996-02-11 17:01:32.000000000 +0100
++++ tcp_wrappers_7.6/options.c	2006-03-01 19:24:25.000000000 +0100
+@@ -47,6 +47,7 @@ static char sccsid[] = "@(#) options.c 1
+ #include <ctype.h>
+ #include <setjmp.h>
+ #include <string.h>
++#include <sys/wait.h>
+ 
+ #ifndef MAXPATHNAMELEN
+ #define MAXPATHNAMELEN  BUFSIZ
+@@ -76,6 +77,7 @@ static void group_option();		/* execute 
+ static void umask_option();		/* execute "umask mask" option */
+ static void linger_option();		/* execute "linger time" option */
+ static void keepalive_option();		/* execute "keepalive" option */
++static void aclexec_option();		/* execute "aclexec command" option */
+ static void spawn_option();		/* execute "spawn command" option */
+ static void twist_option();		/* execute "twist command" option */
+ static void rfc931_option();		/* execute "rfc931" option */
+@@ -113,6 +115,9 @@ static struct option option_table[] = {
+     "umask", umask_option, NEED_ARG,
+     "linger", linger_option, NEED_ARG,
+     "keepalive", keepalive_option, 0,
++#ifdef ACLEXEC
++    "aclexec", aclexec_option, NEED_ARG | EXPAND_ARG,
++#endif
+     "spawn", spawn_option, NEED_ARG | EXPAND_ARG,
+     "twist", twist_option, NEED_ARG | EXPAND_ARG | USE_LAST,
+     "rfc931", rfc931_option, OPT_ARG,
+@@ -310,6 +315,54 @@ struct request_info *request;
+ 	shell_cmd(value);
+ }
+ 
++#ifdef ACLEXEC
++/* aclexec_option - spawn a shell command and check status */
++
++/* ARGSUSED */
++
++static void aclexec_option(value, request)
++char   *value;
++struct request_info *request;
++{
++    int status, child_pid, wait_pid;
++    extern int aclexec_matched;
++
++    if (dry_run != 0)
++	    return;
++
++    child_pid = fork();
++
++    /* Something went wrong: we MUST terminate the process. */
++    if (child_pid < 0) {
++	tcpd_warn("aclexec_option: /bin/sh: %m");
++	clean_exit(request);
++    }
++
++    if (child_pid == 0) {
++	execl("/bin/sh", "sh", "-c", value, (char *) 0);
++
++        /* Something went wrong. We MUST terminate the child process. */
++        tcpd_warn("execl /bin/sh: %m");
++	_exit(0);
++    }
++
++    while ((wait_pid = wait(&status)) != -1 && wait_pid != child_pid)
++	/* void */ ;
++
++    aclexec_matched = 1;
++
++    if (WIFEXITED(status) && WEXITSTATUS(status) == 0) {
++	aclexec_matched = 0;
++    }
++
++    if (WIFSIGNALED(status))
++	tcpd_warn("process %d exited with signal %d", child_pid,
++	    WTERMSIG(status));
++
++    return;
++}
++#endif
++
+ /* linger_option - set the socket linger time (Marc Boucher <marc@cam.org>) */
+ 
+ /* ARGSUSED */
+diff -ruNp tcp_wrappers_7.6.orig/hosts_options.5 tcp_wrappers_7.6/hosts_options.5
+--- tcp_wrappers_7.6.orig/hosts_options.5	2006-03-01 21:48:43.000000000 +0100
++++ tcp_wrappers_7.6/hosts_options.5	2006-03-01 21:47:39.000000000 +0100
+@@ -52,6 +52,23 @@ ALL: ALL: ALLOW
+ .sp
+ Notice the leading dot on the domain name patterns.
+ .SH RUNNING OTHER COMMANDS
++.IP "aclexec shell_command"
++Execute, in a child process, the specified shell command, after
++performing the %<letter> expansions described in the hosts_access(5)
++manual page.  The command is executed with stdin, stdout and stderr
++connected to the null device, so that it won't mess up the
++conversation with the client host. Example:
++.sp
++.nf
++.ti +3
++smtp : ALL : aclexec checkdnsbl %a
++.fi
++.sp
++executes, in a background child process, the shell command "checkdnsbl %a"
++after replacing %a by the address of the remote host.
++.sp
++The connection will be allowed or refused depending on whether the
++command returns a true or false exit status.
+ .IP "spawn shell_command"
+ Execute, in a child process, the specified shell command, after
+ performing the %<letter> expansions described in the hosts_access(5)
diff --git a/tcp_wrappers.patches/tcp_wrappers-13.url b/tcp_wrappers.patches/tcp_wrappers-13.url
new file mode 100644
index 0000000..42d79b8
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-13.url
@@ -0,0 +1 @@
+ftp://ftp.debian.org/debian/pool/main/t/tcp-wrappers/tcp-wrappers_7.6.q-19.debian.tar.gz
diff --git a/tcp_wrappers.patches/tcp_wrappers-14.patch b/tcp_wrappers.patches/tcp_wrappers-14.patch
new file mode 100644
index 0000000..9fc64fb
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-14.patch
@@ -0,0 +1,87 @@
+--- tcp_wrappers_7.6/shell_cmd.c.sigchld	1994-12-28 17:42:44.000000000 +0100
++++ tcp_wrappers_7.6/shell_cmd.c	2007-06-28 15:42:17.000000000 +0200
+@@ -20,6 +20,11 @@
+ #include <stdio.h>
+ #include <syslog.h>
+ #include <string.h>
++#include <errno.h>
++#include <unistd.h>
++#include <sys/wait.h>
++#include <sys/stat.h>
++#include <fcntl.h>
+ 
+ extern void exit();
+ 
+@@ -31,13 +36,42 @@
+ 
+ static void do_child();
+ 
++/*
++ * The sigchld handler. If there is a SIGCHLD caused by a child other than
++ * ours, we set a flag and raise the signal later.
++ */
++volatile static int foreign_sigchld;
++volatile static int our_child_pid;
++static void sigchld(int sig, siginfo_t *si, void *unused)
++{
++    if (si && si->si_pid != our_child_pid)
++	foreign_sigchld = 1;
++}
++
+ /* shell_cmd - execute shell command */
+ 
+ void    shell_cmd(command)
+ char   *command;
+ {
+     int     child_pid;
+-    int     wait_pid;
++
++    struct sigaction new_action, old_action;
++    sigset_t new_mask, old_mask, empty_mask;
++
++    new_action.sa_sigaction = &sigchld;
++    new_action.sa_flags = SA_SIGINFO;
++    sigemptyset(&new_action.sa_mask);
++    sigemptyset(&new_mask);
++    sigemptyset(&empty_mask);
++    sigaddset(&new_mask, SIGCHLD);
++
++    /*
++     * Set the variables for handler, set the handler and block the signal
++     * until we have the pid.
++     */
++    foreign_sigchld = 0; our_child_pid = 0;
++    sigprocmask(SIG_BLOCK, &new_mask, &old_mask);
++    sigaction(SIGCHLD, &new_action, &old_action);
+ 
+     /*
+      * Most of the work is done within the child process, to minimize the
+@@ -49,12 +83,26 @@
+ 	tcpd_warn("cannot fork: %m");
+ 	break;
+     case 00:					/* child */
++	/* Clear the blocked mask for the child not to be surprised. */
++	sigprocmask(SIG_SETMASK, &empty_mask, 0);
+ 	do_child(command);
+ 	/* NOTREACHED */
+     default:					/* parent */
+-	while ((wait_pid = wait((int *) 0)) != -1 && wait_pid != child_pid)
+-	     /* void */ ;
++	our_child_pid = child_pid;
++	sigprocmask(SIG_UNBLOCK, &new_mask, 0);
++	while (waitpid(child_pid, (int *) 0, 0) == -1 && errno == EINTR);
+     }
++
++    /*
++     * Revert the signal mask and the SIGCHLD handler.
++     */
++    sigprocmask(SIG_SETMASK, &old_mask, 0);
++    sigaction(SIGCHLD, &old_action, 0);
++
++    /* If there was a foreign SIGCHLD, raise it after we have restored the old
++     * mask and handler. */
++    if (foreign_sigchld)
++	raise(SIGCHLD);
+ }
+ 
+ /* do_child - exec command with { stdin, stdout, stderr } to /dev/null */
diff --git a/tcp_wrappers.patches/tcp_wrappers-14.url b/tcp_wrappers.patches/tcp_wrappers-14.url
new file mode 100644
index 0000000..42d79b8
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-14.url
@@ -0,0 +1 @@
+ftp://ftp.debian.org/debian/pool/main/t/tcp-wrappers/tcp-wrappers_7.6.q-19.debian.tar.gz
diff --git a/tcp_wrappers.patches/tcp_wrappers-15.patch b/tcp_wrappers.patches/tcp_wrappers-15.patch
new file mode 100644
index 0000000..e35fc7e
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-15.patch
@@ -0,0 +1,71 @@
+diff -ruN tcp_wrappers_7.6.orig/eval.c tcp_wrappers_7.6/eval.c
+--- tcp_wrappers_7.6.orig/eval.c	1995-01-30 19:51:46.000000000 +0100
++++ tcp_wrappers_7.6/eval.c	2004-11-04 13:59:01.000000000 +0100
+@@ -98,6 +98,28 @@
+     }
+ }
+ 
++/* eval_port - return string with the port */
++char   *eval_port(saddr)
++#ifdef INET6
++struct sockaddr *saddr;
++#else
++struct sockaddr_in *saddr;
++#endif
++{
++    static char port[16];
++    if (saddr != 0) {
++        sprintf(port, "%u",
++#ifdef INET6
++            ntohs(((struct sockaddr_in *)saddr)->sin_port));
++#else
++            ntohs(saddr->sin_port));
++#endif
++    } else {
++	strcpy(port, "0");
++    }
++    return (port);
++}
++
+ /* eval_client - return string with as much about the client as we know */
+ 
+ char   *eval_client(request)
+diff -ruN tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5
+--- tcp_wrappers_7.6.orig/hosts_access.5	2004-11-04 13:17:45.000000000 +0100
++++ tcp_wrappers_7.6/hosts_access.5	2004-11-04 13:55:32.000000000 +0100
+@@ -175,6 +175,8 @@
+ unavailable.
+ .IP "%n (%N)"
+ The client (server) host name (or "unknown" or "paranoid").
++.IP "%r (%R)"
++The clients (servers) port number (or "0").
+ .IP %p
+ The daemon process id.
+ .IP %s
+diff -ruN tcp_wrappers_7.6.orig/percent_x.c tcp_wrappers_7.6/percent_x.c
+--- tcp_wrappers_7.6.orig/percent_x.c	1994-12-28 17:42:38.000000000 +0100
++++ tcp_wrappers_7.6/percent_x.c	2004-11-04 13:19:29.000000000 +0100
+@@ -63,6 +63,8 @@
+ 		ch == 'n' ? eval_hostname(request->client) :
+ 		ch == 'N' ? eval_hostname(request->server) :
+ 		ch == 'p' ? eval_pid(request) :
++		ch == 'r' ? eval_port(request->client->sin) :
++		ch == 'R' ? eval_port(request->server->sin) :
+ 		ch == 's' ? eval_server(request) :
+ 		ch == 'u' ? eval_user(request) :
+ 		ch == '%' ? "%" : (tcpd_warn("unrecognized %%%c", ch), "");
+diff -ruN tcp_wrappers_7.6.orig/tcpd.h tcp_wrappers_7.6/tcpd.h
+--- tcp_wrappers_7.6.orig/tcpd.h	2004-11-04 13:17:45.000000000 +0100
++++ tcp_wrappers_7.6/tcpd.h	2004-11-04 13:19:13.000000000 +0100
+@@ -145,6 +145,11 @@
+ extern char *eval_hostinfo(struct host_info *);	/* host name or address */
+ extern char *eval_client(struct request_info *);/* whatever is available */
+ extern char *eval_server(struct request_info *);/* whatever is available */
++#ifdef INET6
++extern char *eval_port(struct sockaddr *);
++#else
++extern char *eval_port(struct sockaddr_in *);
++#endif
+ #define eval_daemon(r)	((r)->daemon)	/* daemon process name */
+ #define eval_pid(r)	((r)->pid)	/* process id */
+ 
diff --git a/tcp_wrappers.patches/tcp_wrappers-15.url b/tcp_wrappers.patches/tcp_wrappers-15.url
new file mode 100644
index 0000000..42d79b8
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-15.url
@@ -0,0 +1 @@
+ftp://ftp.debian.org/debian/pool/main/t/tcp-wrappers/tcp-wrappers_7.6.q-19.debian.tar.gz
diff --git a/tcp_wrappers.patches/tcp_wrappers-16.patch b/tcp_wrappers.patches/tcp_wrappers-16.patch
new file mode 100644
index 0000000..f2b76eb
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-16.patch
@@ -0,0 +1,34 @@
+diff -ruNp tcp_wrappers_7.6.orig/fix_options.c tcp_wrappers_7.6/fix_options.c
+--- tcp_wrappers_7.6.orig/fix_options.c	2006-03-01 23:45:28.000000000 +0100
++++ tcp_wrappers_7.6/fix_options.c	2006-03-01 23:45:25.000000000 +0100
+@@ -50,7 +50,7 @@ struct request_info *request;
+     struct in_addr dummy;
+ #ifdef INET6
+     struct sockaddr_storage ss;
+-    int sslen;
++    socklen_t sslen;
+ 
+     /*
+      * check if this is AF_INET socket
+diff -ruNp tcp_wrappers_7.6.orig/options.c tcp_wrappers_7.6/options.c
+--- tcp_wrappers_7.6.orig/options.c	2006-03-01 23:45:28.000000000 +0100
++++ tcp_wrappers_7.6/options.c	2006-03-01 22:55:44.000000000 +0100
+@@ -41,6 +41,7 @@ static char sccsid[] = "@(#) options.c 1
+ #include <netinet/in.h>
+ #include <netdb.h>
+ #include <stdio.h>
++#include <unistd.h>
+ #include <syslog.h>
+ #include <pwd.h>
+ #include <grp.h>
+diff -ruNp tcp_wrappers_7.6.orig/scaffold.c tcp_wrappers_7.6/scaffold.c
+--- tcp_wrappers_7.6.orig/scaffold.c	2006-03-01 23:45:28.000000000 +0100
++++ tcp_wrappers_7.6/scaffold.c	2006-03-01 22:56:13.000000000 +0100
+@@ -17,6 +17,7 @@ static char sccs_id[] = "@(#) scaffold.c
+ #include <arpa/inet.h>
+ #include <netdb.h>
+ #include <stdio.h>
++#include <stdlib.h>
+ #include <syslog.h>
+ #include <setjmp.h>
+ #include <string.h>
diff --git a/tcp_wrappers.patches/tcp_wrappers-16.url b/tcp_wrappers.patches/tcp_wrappers-16.url
new file mode 100644
index 0000000..42d79b8
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-16.url
@@ -0,0 +1 @@
+ftp://ftp.debian.org/debian/pool/main/t/tcp-wrappers/tcp-wrappers_7.6.q-19.debian.tar.gz
diff --git a/tcp_wrappers.patches/tcp_wrappers-17.patch b/tcp_wrappers.patches/tcp_wrappers-17.patch
new file mode 100644
index 0000000..31c2b92
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-17.patch
@@ -0,0 +1,19 @@
+diff -ruN tcp_wrappers_7.6.orig/percent_m.c tcp_wrappers_7.6/percent_m.c
+--- tcp_wrappers_7.6.orig/percent_m.c	1994-12-28 17:42:37.000000000 +0100
++++ tcp_wrappers_7.6/percent_m.c	2003-08-21 02:45:31.000000000 +0200
+@@ -29,11 +29,15 @@
+ 
+     while (*bp = *cp)
+ 	if (*cp == '%' && cp[1] == 'm') {
++#ifdef HAVE_STRERROR
++	    strcpy(bp, strerror(errno));
++#else
+ 	    if (errno < sys_nerr && errno > 0) {
+ 		strcpy(bp, sys_errlist[errno]);
+ 	    } else {
+ 		sprintf(bp, "Unknown error %d", errno);
+ 	    }
++#endif
+ 	    bp += strlen(bp);
+ 	    cp += 2;
+ 	} else {
diff --git a/tcp_wrappers.patches/tcp_wrappers-17.url b/tcp_wrappers.patches/tcp_wrappers-17.url
new file mode 100644
index 0000000..42d79b8
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-17.url
@@ -0,0 +1 @@
+ftp://ftp.debian.org/debian/pool/main/t/tcp-wrappers/tcp-wrappers_7.6.q-19.debian.tar.gz
diff --git a/tcp_wrappers.patches/tcp_wrappers-18.patch b/tcp_wrappers.patches/tcp_wrappers-18.patch
new file mode 100644
index 0000000..afaa9c8
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-18.patch
@@ -0,0 +1,21 @@
+diff -ruN tcp_wrappers_7.6.orig/hosts_access.3 tcp_wrappers_7.6/hosts_access.3
+--- tcp_wrappers_7.6.orig/hosts_access.3	2004-04-25 00:10:48.000000000 +0200
++++ tcp_wrappers_7.6/hosts_access.3	2004-04-25 00:09:36.000000000 +0200
+@@ -14,6 +14,9 @@
+ struct request_info *request_set(request, key, value, ..., 0)
+ struct request_info *request;
+ 
++void fromhost(request)
++struct request_info *request;
++
+ int hosts_access(request)
+ struct request_info *request;
+ 
+@@ -60,6 +63,7 @@
+ is available, host names and client user names are looked up on demand,
+ using the request structure as a cache.  hosts_access() returns zero if
+ access should be denied.
++fromhost() must be called before hosts_access().
+ .PP
+ hosts_ctl() is a wrapper around the request_init() and hosts_access()
+ routines with a perhaps more convenient interface (though it does not
diff --git a/tcp_wrappers.patches/tcp_wrappers-18.url b/tcp_wrappers.patches/tcp_wrappers-18.url
new file mode 100644
index 0000000..42d79b8
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-18.url
@@ -0,0 +1 @@
+ftp://ftp.debian.org/debian/pool/main/t/tcp-wrappers/tcp-wrappers_7.6.q-19.debian.tar.gz
diff --git a/tcp_wrappers.patches/tcp_wrappers-19.patch b/tcp_wrappers.patches/tcp_wrappers-19.patch
new file mode 100644
index 0000000..a14c9af
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-19.patch
@@ -0,0 +1,64 @@
+diff -ruNp tcp_wrappers_7.6.orig/hosts_access.c tcp_wrappers_7.6/hosts_access.c
+--- tcp_wrappers_7.6.orig/hosts_access.c	2007-01-08 01:31:32.000000000 +0100
++++ tcp_wrappers_7.6/hosts_access.c	2007-01-08 01:31:08.000000000 +0100
+@@ -232,6 +232,36 @@ int   (*match_fn) ();
+     return (NO);
+ }
+ 
++/*
++ * daemon_or_port_match - match server information: if the server endpoint
++ * pattern is a port number, match against port number of connection;
++ * otherwise match against daemon executable name
++ */
++
++static int daemon_or_port_match(char *tok, struct request_info *request) {
++    unsigned int port, sin_port;
++    char junk;
++
++    /* daemon name */
++    if (sscanf(tok, "%u%c", &port, &junk) != 1 || port > 65535)
++	return (string_match(tok, eval_daemon(request)));
++
++    /* port number */
++    if (!request->server->sin)
++	return (NO);
++
++#ifdef INET6
++    sin_port = ntohs(((struct sockaddr_in *)request->server->sin)->sin_port);
++#else
++    sin_port = ntohs(request->server->sin->sin_port);
++#endif
++
++    if (port == sin_port)
++	return (YES);
++    else
++	return (NO);
++}
++
+ /* server_match - match server information */
+ 
+ static int server_match(tok, request)
+@@ -241,9 +271,9 @@ struct request_info *request;
+     char   *host;
+ 
+     if ((host = split_at(tok + 1, '@')) == 0) {	/* plain daemon */
+-	return (string_match(tok, eval_daemon(request)));
++	return (daemon_or_port_match(tok, request));
+     } else {					/* daemon@host */
+-	return (string_match(tok, eval_daemon(request))
++	return (daemon_or_port_match(tok, request)
+ 		&& host_match(host, request->server));
+     }
+ }
+diff -ruNp tcp_wrappers_7.6.orig/hosts_access.5 tcp_wrappers_7.6/hosts_access.5
+--- tcp_wrappers_7.6.orig/hosts_access.5	2007-01-08 01:31:32.000000000 +0100
++++ tcp_wrappers_7.6/hosts_access.5	2007-01-08 01:30:18.000000000 +0100
+@@ -51,7 +51,7 @@ being optional:
+ daemon_list : client_list [ : shell_command ]
+ .PP
+ \fIdaemon_list\fR is a list of one or more daemon process names
+-(argv[0] values) or wildcards (see below).  
++(argv[0] values) or server port numbers or wildcards (see below).  
+ .PP
+ \fIclient_list\fR is a list
+ of one or more host names, host addresses, patterns or wildcards (see
diff --git a/tcp_wrappers.patches/tcp_wrappers-19.url b/tcp_wrappers.patches/tcp_wrappers-19.url
new file mode 100644
index 0000000..42d79b8
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-19.url
@@ -0,0 +1 @@
+ftp://ftp.debian.org/debian/pool/main/t/tcp-wrappers/tcp-wrappers_7.6.q-19.debian.tar.gz
diff --git a/tcp_wrappers.patches/tcp_wrappers-20.patch b/tcp_wrappers.patches/tcp_wrappers-20.patch
new file mode 100644
index 0000000..9fe2490
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-20.patch
@@ -0,0 +1,94 @@
+Description: Upstream changes introduced in version 7.6.q-19
+ This patch has been created by dpkg-source during the package build.
+ Here's the last changelog entry, hopefully it gives details on why
+ those changes were made:
+ .
+ tcp-wrappers (7.6.q-19) unstable; urgency=low
+ .
+   * Made piuparts happy by removing /etc/hosts.{allow,deny} on purge, even
+     if the package is never purged on real systems.
+ .
+ The person named in the Author field signed this changelog entry.
+Author: Marco d'Itri <md@linux.it>
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: <vendor|upstream|other>, <url of original patch>
+Bug: <url in upstream bugtracker>
+Bug-Debian: http://bugs.debian.org/<bugnumber>
+Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
+Forwarded: <no|not-needed|url proving that it has been forwarded>
+Reviewed-By: <name and email of someone who approved the patch>
+Last-Update: <YYYY-MM-DD>
+
+--- /dev/null
++++ tcp-wrappers-7.6.q/try-from.8
+@@ -0,0 +1,28 @@
++.TH TRY-FROM 8 "21th June 1997" Linux "Linux Programmer's Manual"
++.SH NAME
++try-from \- test program for the tcp_wrapper
++.SH SYNOPSIS
++.B try-from
++.SH DESCRIPTION
++The
++.B try\-from
++command can be called via a remote shell command to find out
++if the hostname and address are properly recognized
++by the
++.B tcp_wrapper
++library, if username lookup works, and (SysV only) if the TLI
++on top of IP heuristics work. Diagnostics are reported through
++.BR syslog (3)
++and redirected to stderr.
++
++Example:
++
++rsh host /some/where/try\-from
++
++.SH SEE ALSO
++.BR hosts_access (5),
++.BR hosts_options (5),
++.BR tcpd (8)
++.SH AUTHOR
++Wietse Venema, Eindhoven University of Technology, The Netherlands.
++
+--- /dev/null
++++ tcp-wrappers-7.6.q/safe_finger.8
+@@ -0,0 +1,34 @@
++.TH SAFE_FINGER 8 "21th June 1997" Linux "Linux Programmer's Manual"
++.SH NAME
++safe_finger \- finger client wrapper that protects against nasty stuff
++from finger servers
++.SH SYNOPSIS
++.B safe_finger [finger_options]
++.SH DESCRIPTION
++The
++.B safe_finger
++command protects against nasty stuff from finger servers. Use this
++program for automatic reverse finger probes from the
++.B tcp_wrapper
++.B (tcpd)
++, not the raw finger command. The
++.B safe_finger
++command makes sure that the finger client is not run with root
++privileges. It also runs the finger client with a defined PATH
++environment.
++.B safe_finger
++will also protect you from problems caused by the output of some
++finger servers. The problem: some programs may react to stuff in
++the first column. Other programs may get upset by thrash anywhere
++on a line. File systems may fill up as the finger server keeps
++sending data. Text editors may bomb out on extremely long lines.
++The finger server may take forever because it is somehow wedged.
++.B safe_finger
++takes care of all this badness.
++.SH SEE ALSO
++.BR hosts_access (5),
++.BR hosts_options (5),
++.BR tcpd (8)
++.SH AUTHOR
++Wietse Venema, Eindhoven University of Technology, The Netherlands.
++
diff --git a/tcp_wrappers.patches/tcp_wrappers-20.url b/tcp_wrappers.patches/tcp_wrappers-20.url
new file mode 100644
index 0000000..42d79b8
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-20.url
@@ -0,0 +1 @@
+ftp://ftp.debian.org/debian/pool/main/t/tcp-wrappers/tcp-wrappers_7.6.q-19.debian.tar.gz
diff --git a/tcp_wrappers.patches/tcp_wrappers-21.patch b/tcp_wrappers.patches/tcp_wrappers-21.patch
new file mode 100644
index 0000000..ece7da3
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-21.patch
@@ -0,0 +1,37 @@
+diff -ruN tcp_wrappers_7.6.orig/rfc931.c tcp_wrappers_7.6/rfc931.c
+--- tcp_wrappers_7.6.orig/rfc931.c	2004-08-29 18:40:08.000000000 +0200
++++ tcp_wrappers_7.6/rfc931.c	2004-08-29 18:40:02.000000000 +0200
+@@ -92,6 +92,8 @@
+     char   *cp;
+     char   *result = unknown;
+     FILE   *fp;
++    unsigned saved_timeout;
++    struct sigaction nact, oact;
+ 
+ #ifdef INET6
+     /* address family must be the same */
+@@ -134,7 +136,12 @@
+ 	 */
+ 
+ 	if (setjmp(timebuf) == 0) {
+-	    signal(SIGALRM, timeout);
++	    /* Save SIGALRM timer and handler. Sudheer Abdul-Salam, SUN. */
++	    saved_timeout = alarm(0);
++	    nact.sa_handler = timeout;
++	    nact.sa_flags = 0;
++	    (void) sigemptyset(&nact.sa_mask);
++	    (void) sigaction(SIGALRM, &nact, &oact);
+ 	    alarm(rfc931_timeout);
+ 
+ 	    /*
+@@ -223,6 +230,10 @@
+ 	    }
+ 	    alarm(0);
+ 	}
++	/* Restore SIGALRM timer and handler. Sudheer Abdul-Salam, SUN. */
++	(void) sigaction(SIGALRM, &oact, NULL);
++	if (saved_timeout > 0)
++	    alarm(saved_timeout);
+ 	fclose(fp);
+     }
+     STRN_CPY(dest, result, STRING_LENGTH);
diff --git a/tcp_wrappers.patches/tcp_wrappers-21.url b/tcp_wrappers.patches/tcp_wrappers-21.url
new file mode 100644
index 0000000..42d79b8
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-21.url
@@ -0,0 +1 @@
+ftp://ftp.debian.org/debian/pool/main/t/tcp-wrappers/tcp-wrappers_7.6.q-19.debian.tar.gz
diff --git a/tcp_wrappers.patches/tcp_wrappers-22.patch b/tcp_wrappers.patches/tcp_wrappers-22.patch
new file mode 100644
index 0000000..a926d0e
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-22.patch
@@ -0,0 +1,39 @@
+diff -ruNp tcp_wrappers_7.6.orig/scaffold.c tcp_wrappers_7.6/scaffold.c
+--- tcp_wrappers_7.6.orig/scaffold.c	2005-03-09 18:22:04.000000000 +0100
++++ tcp_wrappers_7.6/scaffold.c	2005-03-09 18:20:47.000000000 +0100
+@@ -237,10 +237,17 @@ struct request_info *request;
+ 
+ /* ARGSUSED */
+ 
+-void    rfc931(request)
+-struct request_info *request;
++void    rfc931(rmt_sin, our_sin, dest)
++#ifdef INET6
++struct sockaddr *rmt_sin;
++struct sockaddr *our_sin;
++#else
++struct sockaddr_in *rmt_sin;
++struct sockaddr_in *our_sin;
++#endif
++char   *dest;
+ {
+-    strcpy(request->user, unknown);
++    strcpy(dest, unknown);
+ }
+ 
+ /* check_path - examine accessibility */
+diff -ruNp tcp_wrappers_7.6.orig/tcpd.h tcp_wrappers_7.6/tcpd.h
+--- tcp_wrappers_7.6.orig/tcpd.h	2005-03-09 18:22:04.000000000 +0100
++++ tcp_wrappers_7.6/tcpd.h	2005-03-09 18:21:23.000000000 +0100
+@@ -83,7 +83,11 @@ extern int hosts_access(struct request_i
+ extern void shell_cmd(char *);		/* execute shell command */
+ extern char *percent_x(char *, int, char *, struct request_info *);
+ 					/* do %<char> expansion */
++#ifdef INET6
+ extern void rfc931(struct sockaddr *, struct sockaddr *, char *);
++#else
++extern void rfc931(struct sockaddr_in *, struct sockaddr_in *, char *);
++#endif
+ 					/* client name from RFC 931 daemon */
+ extern void clean_exit(struct request_info *);	/* clean up and exit */
+ extern void refuse(struct request_info *);	/* clean up and exit */
diff --git a/tcp_wrappers.patches/tcp_wrappers-22.url b/tcp_wrappers.patches/tcp_wrappers-22.url
new file mode 100644
index 0000000..42d79b8
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-22.url
@@ -0,0 +1 @@
+ftp://ftp.debian.org/debian/pool/main/t/tcp-wrappers/tcp-wrappers_7.6.q-19.debian.tar.gz
diff --git a/tcp_wrappers.patches/tcp_wrappers-23.patch b/tcp_wrappers.patches/tcp_wrappers-23.patch
new file mode 100644
index 0000000..5c8c9a1
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-23.patch
@@ -0,0 +1,29 @@
+--- tcp-wrappers-7.6-ipv6.1.orig/safe_finger.c
++++ tcp-wrappers-7.6-ipv6.1/safe_finger.c
+@@ -26,21 +26,24 @@
+ #include <stdio.h>
+ #include <ctype.h>
+ #include <pwd.h>
++#include <syslog.h>
+ 
+ extern void exit();
+ 
+ /* Local stuff */
+ 
+-char    path[] = "PATH=/bin:/usr/bin:/usr/ucb:/usr/bsd:/etc:/usr/etc:/usr/sbin";
++char    path[] = "PATH=/bin:/usr/bin:/sbin:/usr/sbin";
+ 
+ #define	TIME_LIMIT	60		/* Do not keep listinging forever */
+ #define	INPUT_LENGTH	100000		/* Do not keep listinging forever */
+ #define	LINE_LENGTH	128		/* Editors can choke on long lines */
+ #define	FINGER_PROGRAM	"finger"	/* Most, if not all, UNIX systems */
+ #define	UNPRIV_NAME	"nobody"	/* Preferred privilege level */
+-#define	UNPRIV_UGID	32767		/* Default uid and gid */
++#define	UNPRIV_UGID	65534		/* Default uid and gid */
+ 
+ int     finger_pid;
++int	allow_severity = SEVERITY;
++int	deny_severity = LOG_WARNING;
+ 
+ void    cleanup(sig)
+ int     sig;
diff --git a/tcp_wrappers.patches/tcp_wrappers-23.url b/tcp_wrappers.patches/tcp_wrappers-23.url
new file mode 100644
index 0000000..42d79b8
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-23.url
@@ -0,0 +1 @@
+ftp://ftp.debian.org/debian/pool/main/t/tcp-wrappers/tcp-wrappers_7.6.q-19.debian.tar.gz
diff --git a/tcp_wrappers.patches/tcp_wrappers-24.patch b/tcp_wrappers.patches/tcp_wrappers-24.patch
new file mode 100644
index 0000000..26690df
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-24.patch
@@ -0,0 +1,44 @@
+* Fri May  6 2005 Thomas Woerner <twoerner@redhat.com> 7.6-39
+- fixed sig patch (#141110). Thanks to Nikita Shulga for the patch
+
+* Mon Feb 10 2003 Harald Hoyer <harald@redhat.de> 7.6-29
+- added security patch tcp_wrappers-7.6-sig.patch
+
+diff -ruNp tcp_wrappers_7.6.orig/hosts_access.c tcp_wrappers_7.6/hosts_access.c
+--- tcp_wrappers_7.6.orig/hosts_access.c	2006-03-01 22:14:14.000000000 +0100
++++ tcp_wrappers_7.6/hosts_access.c	2006-03-01 22:14:11.000000000 +0100
+@@ -66,6 +66,7 @@ static char sep[] = ", \t\r\n";
+ 
+ #define	YES		1
+ #define	NO		0
++#define ERR             -1
+ 
+  /*
+   * These variables are globally visible so that they can be redirected in
+@@ -130,11 +131,11 @@ struct request_info *request;
+     verdict = setjmp(tcpd_buf);
+     if (verdict != 0)
+ 	return (verdict == AC_PERMIT);
+-    if (table_match(hosts_allow_table, request))
++    if (table_match(hosts_allow_table, request) == YES)
+ 	return (YES);
+-    if (table_match(hosts_deny_table, request))
+-	return (NO);
+-    return (YES);
++    if (table_match(hosts_deny_table, request) == NO)
++	return (YES);
++    return (NO);
+ }
+ 
+ /* table_match - match table entries with (daemon, client) pair */
+@@ -178,8 +179,9 @@ struct request_info *request;
+ 	(void) fclose(fp);
+     } else if (errno != ENOENT) {
+ 	tcpd_warn("cannot open %s: %m", table);
++	match = ERR;
+     }
+-    if (match) {
++    if (match == YES) {
+ 	if (hosts_access_verbose > 1)
+ 	    syslog(LOG_DEBUG, "matched:  %s line %d",
+ 		   tcpd_context.file, tcpd_context.line);
diff --git a/tcp_wrappers.patches/tcp_wrappers-24.url b/tcp_wrappers.patches/tcp_wrappers-24.url
new file mode 100644
index 0000000..42d79b8
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-24.url
@@ -0,0 +1 @@
+ftp://ftp.debian.org/debian/pool/main/t/tcp-wrappers/tcp-wrappers_7.6.q-19.debian.tar.gz
diff --git a/tcp_wrappers.patches/tcp_wrappers-25.patch b/tcp_wrappers.patches/tcp_wrappers-25.patch
new file mode 100644
index 0000000..ed271fc
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-25.patch
@@ -0,0 +1,30 @@
+diff -ruNp tcp_wrappers_7.6.orig/rfc931.c tcp_wrappers_7.6/rfc931.c
+--- tcp_wrappers_7.6.orig/rfc931.c	2004-08-29 18:42:25.000000000 +0200
++++ tcp_wrappers_7.6/rfc931.c	2004-08-29 18:41:04.000000000 +0200
+@@ -33,7 +33,7 @@ static char sccsid[] = "@(#) rfc931.c 1.
+ 
+ int     rfc931_timeout = RFC931_TIMEOUT;/* Global so it can be changed */
+ 
+-static jmp_buf timebuf;
++static sigjmp_buf timebuf;
+ 
+ /* fsocket - open stdio stream on top of socket */
+ 
+@@ -62,7 +62,7 @@ int     protocol;
+ static void timeout(sig)
+ int     sig;
+ {
+-    longjmp(timebuf, sig);
++    siglongjmp(timebuf, sig);
+ }
+ 
+ /* rfc931 - return remote user name, given socket structures */
+@@ -135,7 +135,7 @@ char   *dest;
+ 	 * Set up a timer so we won't get stuck while waiting for the server.
+ 	 */
+ 
+-	if (setjmp(timebuf) == 0) {
++	if (sigsetjmp(timebuf, 1) == 0) {
+ 	    /* Save SIGALRM timer and handler. Sudheer Abdul-Salam, SUN. */
+ 	    saved_timeout = alarm(0);
+ 	    nact.sa_handler = timeout;
diff --git a/tcp_wrappers.patches/tcp_wrappers-25.url b/tcp_wrappers.patches/tcp_wrappers-25.url
new file mode 100644
index 0000000..42d79b8
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-25.url
@@ -0,0 +1 @@
+ftp://ftp.debian.org/debian/pool/main/t/tcp-wrappers/tcp-wrappers_7.6.q-19.debian.tar.gz
diff --git a/tcp_wrappers.patches/tcp_wrappers-26.patch b/tcp_wrappers.patches/tcp_wrappers-26.patch
new file mode 100644
index 0000000..4db40f4
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-26.patch
@@ -0,0 +1,42 @@
+diff -ruN tcp_wrappers_7.6.orig/fix_options.c tcp_wrappers_7.6/fix_options.c
+--- tcp_wrappers_7.6.orig/fix_options.c	2003-08-21 03:41:33.000000000 +0200
++++ tcp_wrappers_7.6/fix_options.c	2003-08-21 03:41:27.000000000 +0200
+@@ -38,7 +38,11 @@
+ #ifdef IP_OPTIONS
+     unsigned char optbuf[BUFFER_SIZE / 3], *cp;
+     char    lbuf[BUFFER_SIZE], *lp;
++#ifdef __GLIBC__
++    size_t  optsize = sizeof(optbuf), ipproto;
++#else
+     int     optsize = sizeof(optbuf), ipproto;
++#endif
+     struct protoent *ip;
+     int     fd = request->fd;
+     unsigned int opt;
+diff -ruN tcp_wrappers_7.6.orig/socket.c tcp_wrappers_7.6/socket.c
+--- tcp_wrappers_7.6.orig/socket.c	2003-08-21 03:41:33.000000000 +0200
++++ tcp_wrappers_7.6/socket.c	2003-08-21 03:40:51.000000000 +0200
+@@ -90,7 +90,11 @@
+     static struct sockaddr_in client;
+     static struct sockaddr_in server;
+ #endif
++#ifdef __GLIBC__
++    size_t  len;
++#else
+     int     len;
++#endif
+     char    buf[BUFSIZ];
+     int     fd = request->fd;
+ 
+@@ -421,7 +425,11 @@
+ #else
+     struct sockaddr_in sin;
+ #endif
++#ifdef __GLIBC__
++    size_t  size = sizeof(sin);
++#else
+     int     size = sizeof(sin);
++#endif
+ 
+     /*
+      * Eat up the not-yet received datagram. Some systems insist on a
diff --git a/tcp_wrappers.patches/tcp_wrappers-26.url b/tcp_wrappers.patches/tcp_wrappers-26.url
new file mode 100644
index 0000000..42d79b8
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-26.url
@@ -0,0 +1 @@
+ftp://ftp.debian.org/debian/pool/main/t/tcp-wrappers/tcp-wrappers_7.6.q-19.debian.tar.gz
diff --git a/tcp_wrappers.patches/tcp_wrappers-27.patch b/tcp_wrappers.patches/tcp_wrappers-27.patch
new file mode 100644
index 0000000..3beae39
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-27.patch
@@ -0,0 +1,39 @@
+diff -ruN tcp_wrappers_7.6.orig/tcpdchk.c tcp_wrappers_7.6/tcpdchk.c
+--- tcp_wrappers_7.6.orig/tcpdchk.c	2003-08-21 02:50:37.000000000 +0200
++++ tcp_wrappers_7.6/tcpdchk.c	2003-08-21 02:50:33.000000000 +0200
+@@ -53,6 +53,24 @@
+ #include "inetcf.h"
+ #include "scaffold.h"
+ 
++/* list of programs which are known to be linked with libwrap in debian */
++static const char *const libwrap_programs[] = {
++    "portmap", "mountd", "statd", "ugidd",
++    "redir", "rlinetd",
++    "sshd",
++    "atftpd",
++    "diald",
++    "esound",
++    "gdm", "gnome-session",
++    "icecast", "icecast_admin", "icecast_client", "icecast_source",
++    "mysqld",
++    "ntop",
++    "pptpd",
++    "rquotad",
++    "sendmail", "smail",
++    NULL
++};
++
+  /*
+   * Stolen from hosts_access.c...
+   */
+@@ -147,8 +165,8 @@
+     /*
+      * These are not run from inetd but may have built-in access control.
+      */
+-    inet_set("portmap", WR_NOT);
+-    inet_set("rpcbind", WR_NOT);
++    for (c = 0; libwrap_programs[c]; c++)
++	inet_set(libwrap_programs[c], WR_YES);
+ 
+     /*
+      * Check accessibility of access control files.
diff --git a/tcp_wrappers.patches/tcp_wrappers-27.url b/tcp_wrappers.patches/tcp_wrappers-27.url
new file mode 100644
index 0000000..42d79b8
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-27.url
@@ -0,0 +1 @@
+ftp://ftp.debian.org/debian/pool/main/t/tcp-wrappers/tcp-wrappers_7.6.q-19.debian.tar.gz
diff --git a/tcp_wrappers.patches/tcp_wrappers-28.patch b/tcp_wrappers.patches/tcp_wrappers-28.patch
new file mode 100644
index 0000000..c474f93
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-28.patch
@@ -0,0 +1,11 @@
+--- a/workarounds.c
++++ b/workarounds.c
+@@ -8,7 +8,7 @@
+   */
+ 
+ #ifndef lint
+-char    sccsid[] = "@(#) workarounds.c 1.6 96/03/19 16:22:25";
++static char    sccsid[] = "@(#) workarounds.c 1.6 96/03/19 16:22:25";
+ #endif
+ 
+ #include <sys/types.h>
diff --git a/tcp_wrappers.patches/tcp_wrappers-28.url b/tcp_wrappers.patches/tcp_wrappers-28.url
new file mode 100644
index 0000000..42d79b8
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-28.url
@@ -0,0 +1 @@
+ftp://ftp.debian.org/debian/pool/main/t/tcp-wrappers/tcp-wrappers_7.6.q-19.debian.tar.gz
diff --git a/tcp_wrappers.patches/tcp_wrappers-50.description b/tcp_wrappers.patches/tcp_wrappers-50.description
new file mode 100644
index 0000000..b523d05
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-50.description
@@ -0,0 +1,3 @@
+This patch is a better attempt than the vendor-supplied patches for 
+establishing libwrap as a shared library and supporting install target 
+goals.
diff --git a/tcp_wrappers.patches/tcp_wrappers-50.patch b/tcp_wrappers.patches/tcp_wrappers-50.patch
new file mode 100644
index 0000000..63ea1f6
--- /dev/null
+++ b/tcp_wrappers.patches/tcp_wrappers-50.patch
@@ -0,0 +1,681 @@
+diff -aruN a/Makefile b/Makefile
+--- a/Makefile	2010-09-07 14:52:37.000000000 -0700
++++ b/Makefile	2010-09-07 15:29:09.000000000 -0700
+@@ -45,7 +45,7 @@
+ #
+ # SysV.4 Solaris 2.x OSF AIX
+ #REAL_DAEMON_DIR=/usr/sbin
+-REAL_DAEMON_DIR=/usr/sbin
++#
+ # BSD 4.4
+ #REAL_DAEMON_DIR=/usr/libexec
+ #
+@@ -90,224 +90,224 @@
+ 
+ # This is good for many BSD+SYSV hybrids with NIS (formerly YP).
+ generic aix osf alpha dynix:
+-	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
++	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ 	LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ=setenv.o \
+ 	NETGROUP=-DNETGROUP TLI= all
+ 
+ # Ditto, with vsyslog
+ sunos4:
+-	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
++	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ 	LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ=setenv.o \
+ 	NETGROUP=-DNETGROUP VSYSLOG= TLI= all
+ 
+ # Generic with resolver library.
+ generic-resolver:
+-	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
++	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ 	LIBS=-lresolv RANLIB=ranlib ARFLAGS=rv AUX_OBJ=setenv.o \
+ 	NETGROUP=-DNETGROUP TLI= all
+ 
+ # The NeXT loader needs "-m" or it barfs on redefined library functions.
+ next:
+-	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
++	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ 	LIBS=-m RANLIB=ranlib ARFLAGS=rv AUX_OBJ=environ.o \
+ 	NETGROUP=-DNETGROUP TLI= all
+ 
+ # SunOS for the 386 was frozen at release 4.0.x.
+ sunos40:
+-	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
++	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ 	LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ="setenv.o strcasecmp.o" \
+ 	NETGROUP=-DNETGROUP VSYSLOG= TLI= all
+ 
+ # Ultrix is like aix, next, etc., but has miscd and setenv().
+ ultrix:
+-	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
++	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ 	LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ= \
+ 	NETGROUP=-DNETGROUP TLI= all miscd
+ 
+ # This works on EP/IX 1.4.3 and will likely work on Mips (reggers@julian.uwo.ca)
+ epix:
+-	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
++	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ 	LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ=environ.o \
+ 	NETGROUP=-DNETGROUP TLI= SYSTYPE="-systype bsd43" all
+ 
+ # Freebsd and linux by default have no NIS.
+ 386bsd bsdos:
+-	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
++	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ 	LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ= NETGROUP= TLI= \
+ 	EXTRA_CFLAGS=-DSYS_ERRLIST_DEFINED VSYSLOG= all
+ 
+ freebsd:
+-	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
++	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ 	LIBS="-L/usr/local/v6/lib -linet6" \
+ 	LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ= NETGROUP= TLI= \
+ 	EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DINET6 -Dss_family=__ss_family -Dss_len=__ss_len" \
+ 	VSYSLOG= all
+ 
+ netbsd:
+-	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
++	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ 	LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ= NETGROUP= TLI= \
+ 	EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DINET6 -Dss_family=__ss_family -Dss_len=__ss_len" VSYSLOG= all
+ 
+ linux:
+-	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
++	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ 	LIBS=-lnsl RANLIB=ranlib ARFLAGS=rv AUX_OBJ=weak_symbols.o \
+ 	NETGROUP="-DNETGROUP" TLI= VSYSLOG= BUGS= \
+ 	EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_STRERROR -DHAVE_WEAKSYMS -D_REENTRANT -DINET6=1 -Dss_family=__ss_family -Dss_len=__ss_len" all
+ 
+ gnu:
+-	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
++	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ 	LIBS=-lnsl RANLIB=ranlib ARFLAGS=rv AUX_OBJ=weak_symbols.o \
+ 	NETGROUP=-DNETGROUP TLI= VSYSLOG= BUGS= \
+ 	EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_STRERROR -DHAVE_WEAKSYMS -D_REENTRANT" all
+ 
+ # This is good for many SYSV+BSD hybrids with NIS, probably also for HP-UX 7.x.
+ hpux hpux8 hpux9 hpux10:
+-	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
++	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ 	LIBS= RANLIB=echo ARFLAGS=rv AUX_OBJ=setenv.o \
+ 	NETGROUP=-DNETGROUP TLI= all
+ 
+ # ConvexOS-10.x with UltraNet support (ukkonen@csc.fi).
+ convex-ultranet:
+-	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
++	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ 	LIBS=-lulsock RANLIB=ranlib ARFLAGS=rv AUX_OBJ=environ.o \
+ 	NETGROUP=-DNETGROUP TLI= all
+ 
+ # Generic support for the Dynix/PTX version of TLI.
+ ptx-generic:
+-	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
++	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ 	LIBS="-lsocket -linet -lnsl" RANLIB=echo ARFLAGS=rv \
+ 	AUX_OBJ="setenv.o strcasecmp.o ptx.o" NETGROUP= TLI=-DPTX all
+ 
+ # With UDP support optimized for PTX 2.x (timw@sequent.com).
+ ptx-2.x:
+-	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
++	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ 	LIBS="-lsocket -linet -lnsl" RANLIB=echo ARFLAGS=rv \
+ 	AUX_OBJ="setenv.o strcasecmp.o tli-sequent.o" NETGROUP= \
+ 	TLI=-DTLI_SEQUENT all
+ 
+ # IRIX 4.0.x has a special ar(1) flag.
+ irix4:
+-	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
++	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ 	LIBS="-lc -lsun" RANLIB=echo ARFLAGS=rvs AUX_OBJ=setenv.o \
+ 	NETGROUP=-DNETGROUP TLI= all
+ 
+ # IRIX 5.2 is SYSV4 with several broken things (such as -lsocket -lnsl).
+ irix5:
+-	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
++	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ 	LIBS=-lsun RANLIB=echo ARFLAGS=rv VSYSLOG= \
+ 	NETGROUP=-DNETGROUP AUX_OBJ=setenv.o TLI= all
+ 
+ # IRIX 6.2 (tucker@math.unc.edu). Must find a better value than 200000.
+ irix6:
+-	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
++	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ 	LIBS= RANLIB=echo ARFLAGS=rv VSYSLOG= \
+ 	NETGROUP=-DNETGROUP EXTRA_CFLAGS="-DBSD=200000" TLI= all
+ 
+ # SunOS 5.x is another SYSV4 variant.
+ sunos5:
+-	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
++	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ 	LIBS="-lsocket -lnsl" RANLIB=echo ARFLAGS=rv VSYSLOG= \
+ 	NETGROUP=-DNETGROUP AUX_OBJ=setenv.o TLI=-DTLI \
+ 	BUGS="$(BUGS) -DSOLARIS_24_GETHOSTBYNAME_BUG" all
+ 
+ # SunOS 5.8 is another SYSV4 variant, but has IPv6 support
+ solaris8:
+-	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
++	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ 	LIBS="-lsocket -lnsl" RANLIB=echo ARFLAGS=rv VSYSLOG= \
+ 	NETGROUP=-DNETGROUP AUX_OBJ=setenv.o TLI=-DTLI \
+ 	EXTRA_CFLAGS="-DINET6 -DNO_CLONE_DEVICE -DINT32_T" all
+ 
+ # Generic SYSV40
+ esix sysv4:
+-	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
++	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ 	LIBS="-lsocket -lnsl" RANLIB=echo ARFLAGS=rv \
+ 	NETGROUP=-DNETGROUP AUX_OBJ=setenv.o TLI=-DTLI all
+ 
+ # DG/UX 5.4.1 and 5.4.2 have an unusual inet_addr() interface.
+ dgux:
+-	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
++	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ 	LIBS=-lnsl RANLIB=echo ARFLAGS=rv \
+ 	NETGROUP=-DNETGROUP AUX_OBJ=setenv.o TLI=-DTLI \
+ 	BUGS="$(BUGS) -DINET_ADDR_BUG" all
+ 
+ dgux543:
+-	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
++	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ 	LIBS=-lnsl RANLIB=echo ARFLAGS=rv \
+ 	NETGROUP=-DNETGROUP AUX_OBJ=setenv.o TLI=-DTLI all
+ 
+ # NCR UNIX 02.02.01 and 02.03.00 (Alex Chircop, msu@unimt.mt)
+ ncrsvr4:
+-	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
++	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ 	LIBS="-lresolv -lnsl -lsocket" RANLIB=echo ARFLAGS=rv \
+ 	AUX_OBJ="setenv.o strcasecmp.o" NETGROUP= TLI=-DTLI \
+ 	EXTRA_CFLAGS="" FROM_OBJ=ncr.o all
+ 
+ # Tandem SYSV4 (eqawas@hedgehog.ac.cowan.edu.au)
+ tandem:
+-	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
++	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ 	LIBS="-lsocket -lnsl" RANLIB=echo ARFLAGS=rv \
+ 	NETGROUP= AUX_OBJ="setenv.o strcasecmp.o" TLI=-DTLI all
+ 
+ # Amdahl UTS 2.1.5 (Richard.Richmond@bridge.bst.bls.com)
+ uts215:
+-	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \   
++	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ 	LIBS="-lsocket" RANLIB=echo \
+ 	ARFLAGS=rv AUX_OBJ=setenv.o NETGROUP=-DNO_NETGROUP TLI= all
+ 
+ # UXP/DS System V.4 clone (vic@uida0.uida.es).
+ uxp:
+-	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
++	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ 	LIBS="-L/usr/ucblib -lsocket -lnsl -lucb" \
+ 	RANLIB=echo ARFLAGS=rv NETGROUP=-DNETGROUP \
+ 	AUX_OBJ=setenv.o TLI="-DTLI -DDRS_XTI" all
+ 
+ # DELL System V.4 Issue 2.2 using gcc (kim@tac.nyc.ny.us, jurban@norden1.com)
+ dell-gcc:
+-	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
++	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ 	LIBS="-lsocket -lnsl" RANLIB=ranlib ARFLAGS=rv CC=gcc \
+ 	AUX_OBJ="setenv.o strcasecmp.o" TLI=-DTLI all
+ 
+ # SCO 3.2v4.1 no frills (jedwards@sol1.solinet.net).
+ sco:
+-	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
++	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ 	LIBS="-lsocket -lnsl_s" RANLIB=echo ARFLAGS=rv \
+ 	NETGROUP= AUX_OBJ=setenv.o TLI= all
+ 
+ # SCO OpenDesktop 2.0, release 3.2 (peter@midnight.com). Please simplify.
+ sco-od2:
+-	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
++	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ 	LIBS="-lrpcsvc -lrpc -lyp -lrpc -lrpcsvc -lsocket" \
+ 	RANLIB=echo ARFLAGS=rv AUX_OBJ=setenv.o \
+ 	NETGROUP=-DNETGROUP TLI= all
+ 
+ # SCO 3.2v4.2 with TCP/IP 1.2.1 (Eduard.Vopicka@vse.cz). Please simplify.
+ sco-nis:
+-	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
++	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ 	LIBS="-lyp -lrpc -lsocket -lyp -lc_s -lc" \
+ 	RANLIB=echo ARFLAGS=rv AUX_OBJ=setenv.o \
+ 	NETGROUP=-DNETGROUP TLI= EXTRA_CFLAGS="-nointl -DNO_NETGRENT" all
+ 
+ # SCO 3.2v5.0.0 OpenServer 5 (bob@odt.handy.com, bill@razorlogic.com)
+ sco-os5:
+-	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
++	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ 	LIBS="-lrpcsvc -lsocket" RANLIB=echo ARFLAGS=rv VSYSLOG= \
+ 	AUX_OBJ=setenv.o NETGROUP=-DNETGROUP TLI= all
+ 
+ # sinix 5.42 setjmp workaround (szrzs023@ub3.ub.uni-kiel.de)
+ sinix:
+-	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
++	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ 	LIBS="-lsocket -lnsl -L/usr/ccs/lib -lc -L/usr/ucblib -lucb" \
+ 	RANLIB=echo ARFLAGS=rv AUX_OBJ=setenv.o TLI=-DTLI all
+ 
+ # Domain SR10.4. Build under bsd, run under either sysv3 or bsd43.
+ apollo:
+-	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
++	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ 	LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ=setenv.o \
+ 	NETGROUP=-DNETGROUP TLI= SYSTYPE="-A run,any -A sys,any" all
+ 
+ # Pyramid OSx 5.1, using the BSD universe.
+ pyramid:
+-	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
++	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ 	LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ="environ.o vfprintf.o" \
+ 	STRINGS="-Dstrchr=index -Dstrrchr=rindex -Dmemcmp=bcmp -Dno_memcpy" \
+ 	NETGROUP="-DNETGROUP -DUSE_GETDOMAIN" TLI= all
+@@ -315,68 +315,68 @@
+ # Untested.
+ mips:
+ 	@echo "Warning: some definitions may be wrong."
+-	make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
++	${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ 	LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ=environ.o \
+ 	NETGROUP=-DNETGROUP TLI= SYSTYPE="-sysname bsd43" all
+ 
+ # Cray (tested with UNICOS 7.0.4).
+ unicos7:
+-	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
++	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ 	LIBS=-lnet RANLIB=echo ARFLAGS=rv \
+ 	EXTRA_CFLAGS=-DINADDR_NONE="\"((unsigned long) -1)\"" \
+ 	AUX_OBJ="setenv.o strcasecmp.o" NETGROUP= TLI= all
+ 
+ # Unicos 8.x, Cray-YMP (Bruce Kelly).
+ unicos8:
+-	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
++	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ 	LIBS= RANLIB=echo AR=bld ARFLAGS=rv \
+ 	AUX_OBJ= NETGROUP= TLI= all
+ 
+ # Power_UNIX 2.1.1 (amantel@lerc.nasa.gov)
+ power_unix_211:
+-	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
++	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ 	LIBS="-lnsl -lsocket -lgen -lresolv" RANLIB=echo ARFLAGS=rv \
+ 	NETGROUP= AUX_OBJ=setenv.o TLI=-DTLI BUGS="$(BUGS)" all
+ 
+ # ISC (fc@all.net)
+ isc:
+-	make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
++	${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ 	LIBS="-linet -lnsl_s -ldbm" RANLIB=echo ARFLAGS=rv \
+ 	AUX_OBJ="setenv.o strcasecmp.o" EXTRA_CFLAGS="-DENOTCONN=ENAVAIL" \
+ 	NETGROUP= TLI= all
+ 
+ # Interactive UNIX R3.2 version 4.0 (Bobby D. Wright).
+ iunix:
+-	make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
++	${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ 	LIBS="-linet -lnsl_s -ldbm" RANLIB=echo ARFLAGS=rv \
+ 	AUX_OBJ=environ.o strcasecmp.o NETGROUP= TLI= all
+ 
+ # RTU 6.0 on a Masscomp 5400 (ben@piglet.cr.usgs.gov). When using the
+ # advanced installation, increment argv before actually looking at it.
+ rtu:
+-	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
++	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ 	LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ=environ.o \
+ 	NETGROUP= TLI= all
+ 
+ # Unixware sans NIS (mc@telebase.com). Compiler dislikes strcasecmp.c.
+ unixware1:
+-	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
++	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ 	LIBS="-lsocket -lnsl -lc -L/usr/ucblib -lucb" RANLIB=echo ARFLAGS=rv \
+ 	NETGROUP=$(NETGROUP) AUX_OBJ=environ.o TLI=-DTLI all
+ 
+ unixware2:
+-	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
++	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ 	LIBS="-lsocket -lnsl -lgen -lc -L/usr/ucblib -lucb" RANLIB=echo \
+ 	ARFLAGS=rv NETGROUP=$(NETGROUP) AUX_OBJ=environ.o TLI=-DTLI all
+ 
+ u6000:
+-	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
++	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ 	LIBS="-lsocket -lnsl" RANLIB=echo ARFLAGS=rv \
+ 	NETGROUP=-DNETGROUP AUX_OBJ="setenv.o strcasecmp.o" TLI=-DTLI all
+ 
+ # MachTen
+ machten:
+-	@make REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
++	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+ 	LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ=environ.o \
+ 	NETGROUP= TLI= all
+ 
+@@ -680,10 +680,36 @@
+ ## End configuration options
+ ############################
+ 
++SRCDIR		= .
++
++DESTDIR		=
++
++PREFIX		= $(DESTDIR)/usr
++
++INCDIR		= $(PREFIX)/include
++
++LIBDIR		= $(PREFIX)/lib
++
++MANDIR		= $(PREFIX)/share/man
++MAN3DIR		= $(MANDIR)/man3
++MAN5DIR		= $(MANDIR)/man5
++MAN8DIR		= $(MANDIR)/man8
++
++SBINDIR		= $(PREFIX)/sbin
++
++INSTALL		= install
++INSTALL_PROG	= $(INSTALL) -m 0755
++INSTALL_DATA	= $(INSTALL) -m 0644
++
++SYMLINK		= ln -sf
++
++VPATH		= $(SRCDIR)
++
+ # Protection against weird shells or weird make programs.
+ 
+ SHELL	= /bin/sh
+-.c.o:;	$(CC) $(CFLAGS) -o $*.o -c $*.c
++
++.c.o:;	$(CC) $(CFLAGS) -o $*.o -c $(SRCDIR)/$*.c
+ 
+ COPTS	= -O2 -g
+ CFLAGS	= $(COPTS) -DFACILITY=$(FACILITY) $(ACCESS) $(PARANOID) $(NETGROUP) \
+@@ -700,7 +726,8 @@
+ 
+ FROM_OBJ= fromhost.o
+ 
+-KIT	= README miscd.c tcpd.c fromhost.c hosts_access.c shell_cmd.c \
++KIT	= $(addprefix $(SRCDIR)/, \
++	README miscd.c tcpd.c fromhost.c hosts_access.c shell_cmd.c \
+ 	tcpd.h tcpdmatch.c Makefile hosts_access.5 strcasecmp.c BLURB rfc931.c \
+ 	tcpd.8 eval.c hosts_access.3 hosts_ctl.c percent_x.c options.c \
+ 	clean_exit.c environ.c patchlevel.h fix_options.c workarounds.c \
+@@ -709,7 +736,12 @@
+ 	tli-sequent.h misc.c diag.c ncr.c tcpdchk.c percent_m.c \
+ 	myvsyslog.c mystdarg.h printf.ck README.IRIX Banners.Makefile \
+ 	refuse.c tcpdchk.8 setenv.c inetcf.c inetcf.h scaffold.c \
+-	scaffold.h tcpdmatch.8 README.NIS
++	scaffold.h tcpdmatch.8 README.NIS)
++
++DOCS	= $(addprefix $(SRCDIR)/,tcpd.8 tcpdchk.8 tcpdmatch.8 \
++	  hosts_access.5 hosts_options.5)
++
++PROGS	= tcpd tcpdmatch try-from safe_finger tcpdchk
+ 
+ LIB	= libwrap.a
+ 
+@@ -724,16 +756,16 @@
+ SHLIBSO		= shared/libwrap.so
+ SHLIBFLAGS	= -Lshared -lwrap
+ 
+-SHLINKFLAGS = -fpic -shared -Wl,-soname,libwrap.so.$(SOMAJOR) -Wl,--version-script=libwrap.lds $(LIBS)
++SHLINKFLAGS = -fpic -shared -Wl,-soname,libwrap.so.$(SOMAJOR) -Wl,--version-script=$(SRCDIR)/libwrap.lds $(LIBS)
+ SHCFLAGS = -fpic -shared -D_REENTRANT
+ SHLIB_OBJ= $(addprefix shared/, $(LIB_OBJ));
+ 
+-all other: config-check tcpd tcpdmatch try-from safe_finger tcpdchk $(LIB)
++all other: config-check $(LIB) $(SHLIB) $(PROGS)
+ 
+ # Invalidate all object files when the compiler options (CFLAGS) have changed.
+ 
+ config-check:
+-	@set +e; test -n "$(REAL_DAEMON_DIR)" || { make; exit 1; }
++	@set +e; test -n "$(REAL_DAEMON_DIR)" || { ${MAKE}; exit 1; }
+ 	@set +e; echo $(CFLAGS) >cflags.new ; \
+ 	if cmp cflags cflags.new ; \
+ 	then rm cflags.new ; \
+@@ -746,11 +778,11 @@
+ 	$(AR) $(ARFLAGS) $(LIB) $(LIB_OBJ)
+ 	-$(RANLIB) $(LIB)
+ 
+-$(SHLIB): libwrap.lds $(SHLIB_OBJ)
++$(SHLIB): $(SRCDIR)/libwrap.lds $(SHLIB_OBJ)
+ 	rm -f $(SHLIB)
+ 	$(CC) -o $(SHLIB) $(SHLINKFLAGS) $(SHLIB_OBJ)
+-	ln -sf $(notdir $(SHLIB)) $(SHLIBSOMAJ)
+-	ln -sf $(notdir $(SHLIBSOMAJ)) $(SHLIBSO)
++	$(SYMLINK) $(notdir $(SHLIB)) $(SHLIBSOMAJ)
++	$(SYMLINK) $(notdir $(SHLIBSOMAJ)) $(SHLIBSO)
+ 
+ tcpd:	tcpd.o $(SHLIB)
+ 	$(CC) $(CFLAGS) -o $@ tcpd.o $(SHLIBFLAGS)
+@@ -774,6 +806,40 @@
+ tcpdchk: $(TCPDCHK_OBJ) $(SHLIB)
+ 	$(CC) $(CFLAGS) -o $@ $(TCPDCHK_OBJ) $(SHLIBFLAGS)
+ 
++.PHONY: install install-lib install-bin install-doc install-dev
++install: install-lib install-bin install-doc install-dev
++
++$(LIBDIR) $(SBINDIR) $(MAN8DIR) $(MAN5DIR) $(MAN3DIR) $(INCDIR):
++	mkdir -p $(@)
++
++install-lib: | $(LIBDIR)
++	$(INSTALL_DATA) $(LIB) $(LIBDIR)/
++	$(INSTALL_PROG) $(SHLIB) $(LIBDIR)/
++	$(SYMLINK) $(notdir $(SHLIB)) $(LIBDIR)/$(notdir $(SHLIBSOMAJ))
++	$(SYMLINK) $(notdir $(SHLIBSOMAJ)) $(LIBDIR)/$(notdir $(SHLIBSO))
++
++install-bin: | $(SBINDIR)
++	$(INSTALL_PROG) tcpd $(SBINDIR)/
++	$(INSTALL_PROG) tcpdchk $(SBINDIR)/
++	$(INSTALL_PROG) tcpdmatch $(SBINDIR)/
++	$(INSTALL_PROG) try-from $(SBINDIR)/
++	$(INSTALL_PROG) safe_finger $(SBINDIR)/
++
++install-doc: $(DOCS) | $(MAN5DIR) $(MAN8DIR)
++	$(INSTALL_DATA) $(SRCDIR)/tcpd.8 $(MAN8DIR)/
++	$(INSTALL_DATA) $(SRCDIR)/tcpdchk.8 $(MAN8DIR)/
++	$(INSTALL_DATA) $(SRCDIR)/tcpdmatch.8 $(MAN8DIR)/
++	$(INSTALL_DATA) $(SRCDIR)/hosts_access.5 $(MAN5DIR)/
++	$(INSTALL_DATA) $(SRCDIR)/hosts_options.5 $(MAN5DIR)/
++
++install-dev: | $(INCDIR) $(LIBDIR) $(MAN3DIR)
++	$(INSTALL_DATA) $(SRCDIR)/hosts_access.3 $(MAN3DIR)/
++	$(INSTALL_DATA) $(SRCDIR)/tcpd.h $(INCDIR)/
++	$(INSTALL_DATA) $(LIB) $(LIBDIR)/
++	$(SYMLINK) $(SRCDIR)/hosts_access.3 $(MAN3DIR)/hosts_ctl.3
++	$(SYMLINK) $(SRCDIR)/hosts_access.3 $(MAN3DIR)/request_init.3
++	$(SYMLINK) $(SRCDIR)/hosts_access.3 $(MAN3DIR)/request_set.3
++
+ shar:	$(KIT)
+ 	@shar $(KIT)
+ 
+@@ -807,10 +873,11 @@
+ 	-DRFC931_TIMEOUT=$(RFC931_TIMEOUT) -DALWAYS_RFC931 \
+ 	-DREAL_DAEMON_DIR=\"$(REAL_DAEMON_DIR)\" \
+ 	-Dvsyslog=myvsyslog \
++	$(addprefix $(SRCDIR)/, \
+ 	tcpd.c fromhost.c socket.c tli.c hosts_access.c \
+ 	shell_cmd.c refuse.c rfc931.c eval.c percent_x.c clean_exit.c \
+ 	options.c setenv.c fix_options.c workarounds.c update.c misc.c \
+-	diag.c myvsyslog.c percent_m.c
++	diag.c myvsyslog.c percent_m.c)
+ 
+ miscd_lint:
+ 	lint -DFACILITY=LOG_MAIL -DHOSTS_ACCESS -DPARANOID -DNETGROUP \
+@@ -819,43 +886,48 @@
+ 	-DRFC931_TIMEOUT=$(RFC931_TIMEOUT) -DALWAYS_RFC931 \
+ 	-DREAL_DAEMON_DIR=\"$(REAL_DAEMON_DIR)\" \
+ 	-Dvsyslog=myvsyslog \
++	$(addprefix $(SRCDIR)/, \
+ 	miscd.c fromhost.c socket.c tli.c hosts_access.c \
+ 	shell_cmd.c refuse.c rfc931.c eval.c percent_x.c clean_exit.c \
+ 	options.c setenv.c fix_options.c workarounds.c update.c misc.c \
+-	diag.c myvsyslog.c percent_m.c
++	diag.c myvsyslog.c percent_m.c)
+ 
+ match_lint:
+ 	lint -DFACILITY=LOG_MAIL -DSEVERITY=$(SEVERITY) -DHOSTS_ACCESS \
+ 	-DPARANOID $(TABLES) -DNETGROUP -DPROCESS_OPTIONS -DRFC931_TIMEOUT=10 \
+ 	-DREAL_DAEMON_DIR=\"$(REAL_DAEMON_DIR)\" \
+ 	-Dvsyslog=myvsyslog \
++	$(addprefix $(SRCDIR)/, \
+ 	tcpdmatch.c hosts_access.c eval.c percent_x.c options.c workarounds.c \
+ 	update.c socket.c misc.c diag.c myvsyslog.c percent_m.c setenv.c \
+-	inetcf.c scaffold.c
++	inetcf.c scaffold.c)
+ 
+ chk_lint:
+ 	lint -DFACILITY=LOG_MAIL -DSEVERITY=$(SEVERITY) -DHOSTS_ACCESS \
+ 	-DPARANOID $(TABLES) -DNETGROUP -DPROCESS_OPTIONS -DRFC931_TIMEOUT=10 \
+ 	-DREAL_DAEMON_DIR=\"$(REAL_DAEMON_DIR)\" \
+ 	-Dvsyslog=myvsyslog \
++	$(addprefix $(SRCDIR)/, \
+ 	tcpdchk.c eval.c percent_x.c options.c update.c workarounds.c \
+-	setenv.c misc.c diag.c myvsyslog.c percent_m.c inetcf.c scaffold.c
++	setenv.c misc.c diag.c myvsyslog.c percent_m.c inetcf.c scaffold.c)
+ 
+ printfck:
+ 	printfck -f printf.ck \
++	$(addprefix $(SRCDIR)/, \
+ 	tcpd.c fromhost.c socket.c tli.c hosts_access.c \
+ 	shell_cmd.c refuse.c rfc931.c eval.c percent_x.c clean_exit.c \
+ 	options.c setenv.c fix_options.c workarounds.c update.c misc.c \
+-	diag.c myvsyslog.c percent_m.c >aap.c
++	diag.c myvsyslog.c percent_m.c) > aap.c
+ 	lint -DFACILITY=LOG_MAIL -DHOSTS_ACCESS -DPARANOID -DNETGROUP \
+ 	-DGETPEERNAME_BUG -DDAEMON_UMASK=022 -DSEVERITY=$(SEVERITY) \
+ 	$(TABLES) -DKILL_IP_OPTIONS -DPROCESS_OPTIONS \
+ 	-DRFC931_TIMEOUT=$(RFC931_TIMEOUT) -DALWAYS_RFC931 \
+ 	-DREAL_DAEMON_DIR=\"$(REAL_DAEMON_DIR)\" -Dvsyslog=myvsyslog aap.c
+ 	printfck -f printf.ck \
++	$(addprefix $(SRCDIR)/, \
+ 	tcpdchk.c eval.c percent_x.c options.c update.c workarounds.c \
+-	setenv.c misc.c diag.c myvsyslog.c percent_m.c inetcf.c scaffold.c \
+-	>aap.c
++	setenv.c misc.c diag.c myvsyslog.c percent_m.c inetcf.c scaffold.c) \
++	> aap.c
+ 	lint -DFACILITY=LOG_MAIL -DSEVERITY=$(SEVERITY) -DHOSTS_ACCESS \
+ 	-DPARANOID $(TABLES) -DNETGROUP -DPROCESS_OPTIONS -DRFC931_TIMEOUT=10 \
+ 	-Dvsyslog=myvsyslog -DREAL_DAEMON_DIR=\"$(REAL_DAEMON_DIR)\"
+@@ -863,79 +935,79 @@
+ # Internal compilation dependencies.
+ 
+ clean_exit.o: cflags
+-clean_exit.o: tcpd.h
++clean_exit.o: $(SRCDIR)/tcpd.h
+ diag.o: cflags
+-diag.o: mystdarg.h
+-diag.o: tcpd.h
++diag.o: $(SRCDIR)/mystdarg.h
++diag.o: $(SRCDIR)/tcpd.h
+ environ.o: cflags
+ eval.o: cflags
+-eval.o: tcpd.h
++eval.o: $(SRCDIR)/tcpd.h
+ fakelog.o: cflags
+-fakelog.o: mystdarg.h
++fakelog.o: $(SRCDIR)/mystdarg.h
+ fix_options.o: cflags
+-fix_options.o: tcpd.h
++fix_options.o: $(SRCDIR)/tcpd.h
+ fromhost.o: cflags
+-fromhost.o: tcpd.h
++fromhost.o: $(SRCDIR)/tcpd.h
+ hosts_access.o: cflags
+-hosts_access.o: tcpd.h
++hosts_access.o: $(SRCDIR)/tcpd.h
+ hosts_ctl.o: cflags
+-hosts_ctl.o: tcpd.h
++hosts_ctl.o: $(SRCDIR)/tcpd.h
+ inetcf.o: cflags
+-inetcf.o: inetcf.h
+-inetcf.o: tcpd.h
++inetcf.o: $(SRCDIR)/inetcf.h
++inetcf.o: $(SRCDIR)/tcpd.h
+ misc.o: cflags
+-misc.o: tcpd.h
++misc.o: $(SRCDIR)/tcpd.h
+ miscd.o: cflags
+-miscd.o: patchlevel.h
+-miscd.o: tcpd.h
++miscd.o: $(SRCDIR)/patchlevel.h
++miscd.o: $(SRCDIR)/tcpd.h
+ myvsyslog.o: cflags
+-myvsyslog.o: mystdarg.h
+-myvsyslog.o: tcpd.h
++myvsyslog.o: $(SRCDIR)/mystdarg.h
++myvsyslog.o: $(SRCDIR)/tcpd.h
+ ncr.o: cflags
+-ncr.o: tcpd.h
++ncr.o: $(SRCDIR)/tcpd.h
+ options.o: cflags
+-options.o: tcpd.h
++options.o: $(SRCDIR)/tcpd.h
+ percent_m.o: cflags
+-percent_m.o: mystdarg.h
++percent_m.o: $(SRCDIR)/mystdarg.h
+ percent_x.o: cflags
+-percent_x.o: tcpd.h
++percent_x.o: $(SRCDIR)/tcpd.h
+ ptx.o: cflags
+-ptx.o: tcpd.h
++ptx.o: $(SRCDIR)/tcpd.h
+ refuse.o: cflags
+-refuse.o: tcpd.h
++refuse.o: $(SRCDIR)/tcpd.h
+ rfc931.o: cflags
+-rfc931.o: tcpd.h
++rfc931.o: $(SRCDIR)/tcpd.h
+ safe_finger.o: cflags
+ scaffold.o: cflags
+-scaffold.o: scaffold.h
+-scaffold.o: tcpd.h
++scaffold.o: $(SRCDIR)/scaffold.h
++scaffold.o: $(SRCDIR)/tcpd.h
+ setenv.o: cflags
+ shell_cmd.o: cflags
+-shell_cmd.o: tcpd.h
++shell_cmd.o: $(SRCDIR)/tcpd.h
+ socket.o: cflags
+-socket.o: tcpd.h
++socket.o: $(SRCDIR)/tcpd.h
+ strcasecmp.o: cflags
+ tcpd.o: cflags
+-tcpd.o: patchlevel.h
+-tcpd.o: tcpd.h
++tcpd.o: $(SRCDIR)/patchlevel.h
++tcpd.o: $(SRCDIR)/tcpd.h
+ tcpdchk.o: cflags
+-tcpdchk.o: inetcf.h
+-tcpdchk.o: scaffold.h
+-tcpdchk.o: tcpd.h
++tcpdchk.o: $(SRCDIR)/inetcf.h
++tcpdchk.o: $(SRCDIR)/scaffold.h
++tcpdchk.o: $(SRCDIR)/tcpd.h
+ tcpdmatch.o: cflags
+-tcpdmatch.o: scaffold.h
+-tcpdmatch.o: tcpd.h
++tcpdmatch.o: $(SRCDIR)/scaffold.h
++tcpdmatch.o: $(SRCDIR)/tcpd.h
+ tli-sequent.o: cflags
+-tli-sequent.o: tcpd.h
+-tli-sequent.o: tli-sequent.h
++tli-sequent.o: $(SRCDIR)/tcpd.h
++tli-sequent.o: $(SRCDIR)/tli-sequent.h
+ tli.o: cflags
+-tli.o: tcpd.h
++tli.o: $(SRCDIR)/tcpd.h
+ try-from.o: cflags
+-try-from.o: tcpd.h
++try-from.o: $(SRCDIR)/tcpd.h
+ update.o: cflags
+-update.o: mystdarg.h
+-update.o: tcpd.h
++update.o: $(SRCDIR)/mystdarg.h
++update.o: $(SRCDIR)/tcpd.h
+ vfprintf.o: cflags
+-weak_symbols.o: tcpd.h
++weak_symbols.o: $(SRCDIR)/tcpd.h
+ workarounds.o: cflags
+-workarounds.o: tcpd.h
++workarounds.o: $(SRCDIR)/tcpd.h
diff --git a/tcp_wrappers.tar.gz b/tcp_wrappers.tar.gz
new file mode 100644
index 0000000..674d6e8
--- /dev/null
+++ b/tcp_wrappers.tar.gz
Binary files differ
diff --git a/tcp_wrappers.url b/tcp_wrappers.url
new file mode 100644
index 0000000..ebceb20
--- /dev/null
+++ b/tcp_wrappers.url
@@ -0,0 +1 @@
+ftp://ftp.porcupine.org/pub/security/tcp_wrappers_7.6.tar.gz
diff --git a/tcp_wrappers.version b/tcp_wrappers.version
new file mode 100644
index 0000000..38abeb2
--- /dev/null
+++ b/tcp_wrappers.version
@@ -0,0 +1 @@
+7.6
diff --git a/tcp_wrappers_7.6/BLURB b/tcp_wrappers_7.6/BLURB
new file mode 100644
index 0000000..69178c1
--- /dev/null
+++ b/tcp_wrappers_7.6/BLURB
@@ -0,0 +1,36 @@
+@(#) BLURB 1.28 97/03/21 19:27:18
+
+With this package you can monitor and filter incoming requests for the
+SYSTAT, FINGER, FTP, TELNET, RLOGIN, RSH, EXEC, TFTP, TALK, and other
+network services.
+
+The package provides tiny daemon wrapper programs that can be installed
+without any changes to existing software or to existing configuration
+files.  The wrappers report the name of the client host and of the
+requested service; the wrappers do not exchange information with the
+client or server applications, and impose no overhead on the actual
+conversation between the client and server applications.
+
+This patch upgrades the tcp wrappers version 7.5 source code to
+version 7.6.  The source-routing protection in version 7.5 was not
+as strong as it could be. And all this effort was not needed with
+modern UNIX systems that can already stop source-routed traffic in
+the kernel. Examples are 4.4BSD derivatives, Solaris 2.x, and Linux.
+
+This release does not introduce new features. Do not bother applying
+this patch when you built your version 7.x tcp wrapper without
+enabling the KILL_IP_OPTIONS compiler switch; when you can disable
+IP source routing options in the kernel; when you run a UNIX version
+that pre-dates 4.4BSD, such as SunOS 4. Such systems are unable to
+receive source-routed connections and are therefore not vulnerable
+to IP spoofing attacks with source-routed TCP connections.
+
+A complete change log is given in the CHANGES document.  As always,
+problem reports and suggestions for improvement are welcome.
+
+	Wietse Venema (wietse@wzv.win.tue.nl),
+	Department of Mathematics and Computing Science,
+	Eindhoven University of Technology,
+	The Netherlands.
+
+	Currently visiting IBM T.J. Watson Research, Hawthorne NY, USA.
diff --git a/tcp_wrappers_7.6/Banners.Makefile b/tcp_wrappers_7.6/Banners.Makefile
new file mode 100644
index 0000000..915e3dd
--- /dev/null
+++ b/tcp_wrappers_7.6/Banners.Makefile
@@ -0,0 +1,70 @@
+# @(#) Banners.Makefile 1.3 97/02/12 02:13:18
+#
+# Install this file as the Makefile in your directory with banner files.
+# It will convert a prototype banner text to a form that is suitable for
+# the ftp, telnet, rlogin, and other services. 
+# 
+# You'll have to comment out the IN definition below if your daemon
+# names don't start with `in.'.
+#
+# The prototype text should live in the banners directory, as a file with
+# the name "prototype". In the prototype text you can use %<character>
+# sequences as described in the hosts_access.5 manual page (`nroff -man'
+# format).  The sequences will be expanded while the banner message is
+# sent to the client. For example:
+#
+#	Hello %u@%h, what brings you here?
+#
+# Expands to: Hello username@hostname, what brings you here? Note: the
+# use of %u forces a client username lookup.
+#
+# In order to use banners, build the tcp wrapper with -DPROCESS_OPTIONS
+# and use hosts.allow rules like this:
+#
+#	daemons ... : clients ... : banners /some/directory ...
+#
+# Of course, nothing prevents you from using multiple banner directories.
+# For example, one banner directory for clients that are granted service,
+# one banner directory for rejected clients, and one banner directory for
+# clients with a hostname problem.
+#
+SHELL	= /bin/sh
+IN	= in.
+BANNERS	= $(IN)telnetd $(IN)ftpd $(IN)rlogind # $(IN)fingerd $(IN)rshd
+
+all:	$(BANNERS)
+
+$(IN)telnetd: prototype
+	cp prototype $@
+	chmod 644 $@
+
+$(IN)ftpd: prototype
+	sed 's/^/220-/' prototype > $@
+	chmod 644 $@
+
+$(IN)rlogind: prototype nul
+	( ./nul ; cat prototype ) > $@
+	chmod 644 $@
+
+# Other services: banners may interfere with normal operation
+# so they should probably be used only when refusing service.
+# In particular, banners don't work with standard rsh daemons.
+# You would have to use an rshd that has built-in tcp wrapper
+# support, for example the rshd that is part of the logdaemon
+# utilities.
+
+$(IN)fingerd: prototype
+	cp prototype $@
+	chmod 644 $@
+
+$(IN)rshd: prototype nul
+	( ./nul ; cat prototype ) > $@
+	chmod 644 $@
+
+# In case no /dev/zero available, let's hope they have at least
+# a C compiler of some sort.
+
+nul:
+	echo 'main() { write(1,"",1); return(0); }' >nul.c
+	$(CC) $(CFLAGS) -s -o nul nul.c
+	rm -f nul.c
diff --git a/tcp_wrappers_7.6/CHANGES b/tcp_wrappers_7.6/CHANGES
new file mode 100644
index 0000000..e68ee75
--- /dev/null
+++ b/tcp_wrappers_7.6/CHANGES
@@ -0,0 +1,451 @@
+Request: after building the programs, please run the `tcpdchk' wrapper
+configuration checker. See the `tcpdchk.8' manual page (`nroff -man'
+format) for instructions. `tcpdchk' automatically identifies the most
+common configuration problems, and will save you and me a lot of time.
+
+Changes per release 7.6 (Mar 1997)
+==================================
+
+- Improved the anti source-routing protection. The code in version
+7.5 was not as strong as it could be, because I tried to be compatible
+with Linux. That was a mistake. Sorry for the inconvenience.
+
+- The program no longer terminates case of a source-routed connection,
+making the IP-spoofing code more usable for long-running daemons.
+
+- When syslogging DNS hostname problems, always stop after a limited
+number of characters.
+
+Changes per release 7.5 (Feb 1997)
+==================================
+
+- Optionally refuse source-routed TCP connections requests altogether.
+Credits to Niels Provos of Universitaet Hamburg.  File: fix_options.c.
+
+- Support for IRIX 6 (Lael Tucker).
+
+- Support for Amdahl UTS 2.1.5 (Richard E. Richmond).
+
+- Support for SINIX 5.42 (Klaus Nielsen).
+
+- SCO 5 now has vsyslog() (Bill Golden).
+
+- Hints and tips for dealing with IRIX inetd (Niko Makila, Aaron
+M Lee).
+
+- Support for BSD/OS (Paul Borman).
+
+- Support for Tandem (Emad Qawas).
+
+- Support for ISC (Frederick B. Cohen).
+
+- Workaround for UNICOS - it would choke on a setjmp() expression
+(Bruce Kelly). File: hosts_access.c, tcpdchk.c.
+
+- Increased the level of buffer overflow paranoia when printing
+unwanted IP options.  File: fix_options.c.
+
+Changes per release 7.4 (Mar 1996)
+==================================
+
+- IRIX 5.3 (and possibly, earlier releases, too) library routines call
+the non-reentrant strtok() routine. The result is that hosts may slip
+through allow/deny filters. Workaround is to not rely on the vendor's
+strtok() routine (#ifdef LIBC_CALLS_STRTOK). Credits to Th. Eifert
+(Aachen University) for spotting this one. This fix supersedes the
+earlier workaround for a similar problem in FreeBSD 2.0.
+
+Changes per release 7.3 (Feb 1996)
+==================================
+
+- More tests added to tcpdchk and tcpdmatch: make sure that the
+REAL_DAEMON_DIR actually is a directory and not a regular file;
+detect if tcpd recursively calls itself.
+
+- Edwin Kremer found an amusing fencepost error in the xgets()
+routine: lines longer than BUFLEN characters would be garbled.
+
+- The access control routines now refuse to execute "dangerous" actions
+such as `twist' when they are called from within a resident process.
+This prevents you from shooting yourself into the foot with critical
+systems programs such as, e.g., portmap or rpcbind.
+
+- Support for Unicos 8.x (Bruce Kelly). The program now closes the
+syslog client socket before running the real daemon: Cray UNICOS
+refuses to checkpoint processes with open network ports.
+
+- Support for MachTen UNIX (Albert M.C Tam).
+
+- Support for Interactive UNIX R3.2 V4.0 (Bobby D. Wright).
+
+- Support for SCO 3.2v5.0.0 OpenServer 5 (bob@odt.handy.com)
+
+- Support for Unixware 1.x and Unixware 2.x.  The old Unixware Makefile
+rule was broken. Sorry about that.
+
+- Some FreeBSD 2.0 libc routines call strtok() and severely mess up the
+allow/deny rule processing. This is very bad. Workaround:  call our own
+strtok() clone (#ifdef USE_STRSEP).
+
+- The programs now log a warning when they detect that a non-existent
+banner directory is specified.
+
+- The hosts_access.3 manual page used obsolete names for the RQ_*
+constants.
+
+Changes per release 7.2 (Jan 1995)
+==================================
+
+- Added a note to the README and manpages on using the IDENT service to
+detect sequence number spoofing and other host impersonation attacks.
+
+- Portability: ConvexOS puts RPC version numbers before the daemon path
+name (Jukka Ukkonen).
+
+- Portability: the AIX compiler disliked the strchr() declaration
+in socket.c.  I should have removed it when I included <string.h>.
+
+- Backwards compatibility: some people relied on the old leading dot or
+trailing dot magic in daemon process names.
+
+- Backwards compatibility: hostname lookup remains enabled when
+-DPARANOID is turned off. In order to disable hostname lookups you
+must turn off -DALWAYS_HOSTNAME.
+
+- Eliminated false complaints from the tcpdmatch/tcpdchk configuration
+checking programs about process names not in inetd.conf or about KNOWN
+username patterns.
+
+Changes per release 7.1 (Jan 1995)
+==================================
+
+- Portability: HP-UX permits you to break inetd.conf entries with
+backslash-newline.
+
+- Portability: EP/IX has no putenv() and some inetd.conf entries are
+spread out over two lines.
+
+- Portability: SCO with NIS support has no *netgrent() routines.
+
+Changes per release 7.0 (Jan 1995) 
+==================================
+
+- Added a last-minute workaround for a Solaris 2.4 gethostbyname()
+foulup with multi-homed hosts in DNS through NIS mode.
+
+- Added a last-minute defense against TLI weirdness: address lookups
+apparently succeed but the result netbuf is empty (ticlts transport).
+
+- Dropped several new solutions that were in need of a problem. Beta
+testers may recognize what new features were kicked out during the last
+weeks before release 7.0 came out. Such is life.
+
+- Got rid of out the environment replacement routines, at least for
+most architectures. One should not have to replace working system
+software when all that is needed is a 4.4BSD setenv() emulator.
+
+- By popular request I have added an option to send banner messages to
+clients. There is a Banners.Makefile that gives some aid for sites that
+are going to use this feature. John C. Wingenbach did some pioneering
+work here. I used to think that banners are frivolous. Now that I had
+a personal need for them I know that banners can be useful.
+
+- At last: an extensible functional interface to the pattern matching
+engine. request_init() and request_set() accept a variable-length
+name-value argument list.  The result can be passed to hosts_access().
+
+- When PARANOID mode is disabled (compile time), the wrapper does no
+hostname lookup or hostname double checks unless required by %letter
+expansions, or by access control rules that match host names.  This is
+useful for sites that don't care about internet hostnames anyway.
+Inspired by the authors of the firewalls and internet security book.
+
+- When PARANOID mode is disabled (compile time), hosts with a name/name
+or name/address conflict can be matched with the PARANOID host wildcard
+pattern, so that you can take some intelligent action instead of just
+dropping clients. Like showing a banner that explains the problem.
+
+- New percent escapes: %A expands to the server address; %H expands to
+the corresponding hostname (or address if no name is available); %n and
+%N expand to the client and server hostname (or "unknown"); %s expands
+to everything we know about the server endpoint (the opposite of the %c
+sequence for client information).
+
+- Symmetry: server and client host information is now treated on equal
+footing, so that we can reuse a lot of code.
+
+- Lazy evaluation of host names, host addresses, usernames, and so on,
+to avoid doing unnecessary work.
+
+- Dropping #ifdefs for some archaic systems made the code simpler.
+
+- Dropping the FAIL pattern made the pattern matcher much simpler.  Run
+the "tcpdchk" program to scan your access control files for any uses of
+this obscure language feature.
+
+- Moving host-specific pattern matching from string_match() to the
+host_match() routine made the code more accurate.  Run the "tcpdchk"
+program to scan your access control files for any dependencies on
+undocumented or obscure language features that are gone.
+
+- daemon@host patterns trigger on clients that connect to a specific
+internet address.  This can be useful for service providers that offer
+multiple ftp or www archives on different internet addresses, all
+belonging to one and the same host (www.foo.com, ftp.bar.com, you get
+the idea).  Inspired by a discussion with Rop Gonggrijp, Cor Bosman,
+and Casper Dik, and earlier discussions with Adrian van Bloois.
+
+- The new "tcpdchk" program critcizes all your access control rules and
+inetd.conf entries. Great for spotting obscure bugs in my own hosts.xxx
+files. This program also detects hosts with name/address conflicts and
+with other DNS-related problems. See the "tcpdchk.8" manual page.
+
+- The "tcpdmatch" program replaces the poor old "try" command. The new
+program looks in your inetd.conf file and therefore produces much more
+accurate predictions. In addition, it detects hosts with name/address
+conflicts and with other DNS-related problems. See the "tcpdmatch.8"
+manual page.  The inetd.conf lookup was suggested by Everett F Batey.
+
+- In the access control tables, the `=' between option name and value
+is no longer required.
+
+- Added 60-second timeout to the safe_finger command, to cover another
+potential problem. Suggested by Peter Wemm.
+
+- Andrew Maffei provided code that works with WIN-TCP on NCR System V.4
+UNIX. It reportedly works with versions 02.02.01 and 02.03.00. The code
+pops off all streams modules above the device driver, pushes the timod
+module to get at the peer address, and then restores the streams stack
+to the initial state.
+
+Changes per release 6.3 (Mar 1994)
+==================================
+
+- Keepalives option, to get rid of stuck daemons when people turn off
+their PC while still connected. Files: options.c, hosts_options.5.
+
+- Nice option, to calm down network daemons that take away too much CPU
+time. Files: options.c, hosts_options.5.
+
+- Ultrix perversion: the environ global pointer may be null. The
+environment replacement routines now check for this. File: environ.c.
+
+- Fixed a few places that still assumed the socket is on standard
+input. Fixed some error messages that did not provide access control
+file name and line number.  File: options.c.
+
+- Just when I was going to release 6.2 I received code for Dynix/PTX.
+That code is specific to PTX 2.x, so I'll keep around my generic
+PTX code just in case. The difference is in the handling of UDP
+services.  Files:  tli_sequent.[hc].
+
+Changes per release 6.2 (Feb 1994)
+==================================
+
+- Resurrected my year-old code to reduce DNS load by appending a dot to
+the gethostbyname() argument. This feature is still experimental and it
+may go away if it causes more problems than it solves. File: socket.c.
+
+- Auxiliary code for the Pyramid, BSD universe. Karl Vogel figured out
+what was missing: yp_get_default_domain() and vfprintf(). Files:
+workarounds.c, vfprintf.c.
+
+- Improved support for Dynix/PTX. The wrapper should now be able to
+deal with all TLI over IP services. File: ptx.c.
+
+- The try command now uses the hostname that gethostbyaddr() would
+return, instead of the hostname returned by gethostbyname(). This can
+be significant on systems with NIS that have short host names in the
+hosts map. For example, gethostbyname("wzv.win.tue.nl") returns
+"wzv.win.tue.nl"; gethostbyaddr(131.155.210.17) returns "wzv", and
+that is what we should test with. File: try.c.
+
+Changes per release 6.1 (Dec 1993)
+==================================
+
+- Re-implemented all environment access routines. Most systems have
+putenv() but no setenv(), some systems have setenv() but no putenv(),
+and there are even systems that have neither setenv() nor putenv(). The
+benefit of all this is that more systems can now be treated in the same
+way. File:  environ.c.
+
+- Workaround for a weird problem with DG/UX when the wrapper is run as
+nobody (i.e. fingerd). For some reason the ioctl(fd, I_FIND, "sockmod")
+call fails even with socket-based applications. The "fix" is to always
+assume sockets when the ioctl(fd, I_FIND, "timod") call fails. File:
+fromhost.c. Thanks to Paul de Vries (vries@dutentb.et.tudelft.nl) for
+helping me to figure out this one.
+
+- Implemented a workaround for Dynix/PTX and other systems with TLI
+that lack some essential support routines. Thanks to Bugs Brouillard
+(brouill@hsuseq.humboldt.edu) for the hospitality to try things out.
+The trick is to temporarily switch to the socket API to identify the
+client, and to switch back to TLI when done.  It still does not work
+right for basic network services such as telnet. File: fromhost.c.
+
+- Easy-to-build procedures for SCO UNIX, ConvexOS with UltraNet, EP/IX,
+Dynix 3.2, Dynix/PTX. File: Makefile.
+
+- Variable rfc931 timeout. Files: rfc931.c, options.c, log_tcp.h, try.c.
+
+- Further simplification of the rfc931 code. File: rfc931.c.
+
+- The fromhost() interface stinks: I cannot change that, but at least
+the from_sock() and from_tli() functions now accept a file descriptor
+argument.
+
+- Fixed a buglet: fromhost() would pass a garbage file descriptor to
+the isastream() call.
+
+- On some systems the finger client program lives in /usr/bsd. File:
+safe_finger.c.
+
+Changes per release 6.0 (Sept 1993)
+===================================
+
+- Easy build procedures for common platforms (sun, ultrix, aix, hpux
+and others).
+
+- TLI support, System V.4 style (Solaris, DG/UX).
+
+- Username lookup integrated with the access control language.
+Selective username lookups are now the default (was: no username
+lookups).
+
+- A safer finger command for booby traps. This one solves a host of
+possible problems with automatic reverse fingers. Thanks, Borja Marcos
+(borjam@we.lc.ehu.es) for some inspiring discussions.
+
+- KNOWN pattern that matches hosts whose name and address are known.
+
+- Cleanup of diagnostics. Errors in access-control files are now shown
+with file name and line number.
+
+- With AIX 3.2, hostnames longer than 32 would be truncated.  This
+caused hostname verification failures, so that service would be refused
+when paranoid mode was enabled.  Found by:  Adrian van Bloois
+(A.vanBloois@info.nic.surfnet.nl).
+
+- With some IRIX versions, remote username lookups failed because the
+fgets() library function does not handle partial read()s from sockets.
+Found by:  Daniel O'Callaghan (danny@austin.unimelb.edu.au).
+
+- Added a DISCLAIMER document to help you satisfy legal departments.
+
+The extension language module has undergone major revisions and
+extensions.  Thanks, John P. Rouillard (rouilj@ra.cs.umb.edu) for
+discussions, experiments, and for being a good guinea pig. The
+extensions are documented in hosts_options.5, and are enabled by
+editing the Makefile STYLE macro definition.
+
+- (Extension language) The ":" separator may now occur within options
+as long as it is protected with a backslash. A warning is issued when
+a rule ends on ":".
+
+- (Extension language) Better verification mode. When the `try' command
+is run, each option function now explains what it would do.
+
+- (Extension language) New "allow" and "deny" keywords so you can now
+have all rules within a single file. See "nroff -man hosts_options.5"
+for examples.
+
+- (Extension language) "linger" keyword to set the socket linger time
+(SO_LINGER). From:  Marc Boucher <marc@cam.org>.
+
+- (Extension language) "severity" keyword to turn the logging noise up
+or down. Many sites wanted a means to shut up the program; other sites
+wanted to emphasize specific events.  Adapted from code contributed
+by Dave Mitchell <D.Mitchell@dcs.shef.ac.uk>.
+
+Changes per release 5.1 (Mar 1993)
+==================================
+
+- The additional protection against source-routing attacks from hosts
+that pretend to have someone elses network address has become optional
+because it causes kernel panics with SunOS <= 4.1.3.
+
+Changes per release 5.0 (Mar 1993)
+==================================
+
+- Additional protection against source-routing attacks from hosts that
+pretend to have someone elses network address. For example, the address
+of a trusted host within your own network.
+
+- The access control language has been extended with a simple but
+powerful operator that greatly simplifies the design of rule sets (ALL:
+.foo.edu EXCEPT dialup.foo.edu). Blank lines are permitted, and long
+lines can be continued with backslash-newline.
+
+- All configurable stuff, including path names, has been moved into the
+Makefile so that you no longer have to hack source code to just
+configure the programs.
+
+- Ported to Solaris 2. TLI-based applications not yet supported.
+Several workarounds for System V bugs.
+
+- A small loophole in the netgroup lookup code was closed, and the
+remote username lookup code was made more portable.
+
+- Still more documentation. The README file now provides tutorial
+sections with introductions to client, server, inetd and syslogd.
+
+Changes per release 4.3 (Aug 1992) 
+==================================
+
+- Some sites reported that connections would be rejected because
+localhost != localhost.domain. The host name checking code now
+special-cases localhost (problem reported by several sites).
+
+- The programs now report an error if an existing access control file
+cannot be opened (e.g. due to lack of privileges).  Until now, the
+programs would just pretend that the access control file does not exist
+(reported by Darren Reed, avalon@coombs.anu.edu.au).
+
+- The timeout period for remote userid lookups was upped to 30 seconds,
+in order to cope with slow hosts or networks.  If this is too long for
+you, adjust the TIMEOUT definition in file rfc931.c (problem reported
+by several sites).
+
+- On hosts with more than one IP network interface, remote userid
+lookups could use the IP address of the "wrong" local interface.  The
+problem and its solution were discussed on the rfc931-users mailing
+list.  Scott Schwartz (schwartz@cs.psu.edu) folded the fix into the
+rfc931.c module.
+
+- The result of % expansion (in shell commands) is now checked for
+stuff that may confuse the shell; it is replaced by underscores
+(problem reported by Icarus Sparry, I.Sparry@gdr.bath.ac.uk).
+
+- A portability problem was fixed that caused compile-time problems
+on a CRAY (problem reported by Michael Barnett, mikeb@rmit.edu.au).
+
+Changes per release 4.0 (Jun 1992)
+==================================
+
+1 - network daemons no longer have to live within a common directory
+2 - the access control code now uses both the host address and name
+3 - an access control pattern that supports netmasks
+4 - additional protection against forged host names
+5 - a pattern that matches hosts whose name or address lookup fails
+6 - an operator that prevents hosts or services from being matched
+7 - optional remote username lookup with the RFC 931 protocol
+8 - an optional umask to prevent the creation of world-writable files
+9 - hooks for access control language extensions
+10 - last but not least, thoroughly revised documentation.
+
+Changes per release 3.0 (Oct 1991)
+==================================
+
+Enhancements over the previous release are: support for datagram (UDP
+and RPC) services, and execution of shell commands when a (remote host,
+requested service) pair matches a pattern in the access control tables.
+
+Changes per release 2.0 (May 1991)
+==================================
+
+Enhancements over the previous release are: protection against rlogin
+and rsh attacks through compromised domain name servers, optional
+netgroup support for systems with NIS (formerly YP), and an extension
+of the wild card patterns supported by the access control files.
+
+Release 1.0 (Jan 1991)
diff --git a/tcp_wrappers_7.6/DISCLAIMER b/tcp_wrappers_7.6/DISCLAIMER
new file mode 100644
index 0000000..42d82ca
--- /dev/null
+++ b/tcp_wrappers_7.6/DISCLAIMER
@@ -0,0 +1,16 @@
+/************************************************************************
+* Copyright 1995 by Wietse Venema.  All rights reserved.  Some individual
+* files may be covered by other copyrights.
+*
+* This material was originally written and compiled by Wietse Venema at
+* Eindhoven University of Technology, The Netherlands, in 1990, 1991,
+* 1992, 1993, 1994 and 1995.
+*
+* Redistribution and use in source and binary forms are permitted
+* provided that this entire copyright notice is duplicated in all such
+* copies.
+*
+* This software is provided "as is" and without any expressed or implied
+* warranties, including, without limitation, the implied warranties of
+* merchantibility and fitness for any particular purpose.
+************************************************************************/
diff --git a/tcp_wrappers_7.6/Makefile b/tcp_wrappers_7.6/Makefile
new file mode 100644
index 0000000..9b83d09
--- /dev/null
+++ b/tcp_wrappers_7.6/Makefile
@@ -0,0 +1,1013 @@
+# @(#) Makefile 1.23 97/03/21 19:27:20
+
+what:
+	@echo
+	@echo "Usage: edit the REAL_DAEMON_DIR definition in the Makefile then:"
+	@echo
+	@echo "	make sys-type"
+	@echo
+	@echo "If you are in a hurry you can try instead:"
+	@echo
+	@echo "	make REAL_DAEMON_DIR=/foo/bar sys-type"
+	@echo
+	@echo "And for a version with language extensions enabled:"
+	@echo
+	@echo "	make REAL_DAEMON_DIR=/foo/bar STYLE=-DPROCESS_OPTIONS sys-type"
+	@echo
+	@echo "This Makefile knows about the following sys-types:"
+	@echo
+	@echo "	generic (most bsd-ish systems with sys5 compatibility)"
+	@echo "	386bsd aix alpha apollo bsdos convex-ultranet dell-gcc dgux dgux543"
+	@echo "	dynix epix esix freebsd hpux irix4 irix5 irix6 isc iunix"
+	@echo "	linux machten mips(untested) ncrsvr4 netbsd next osf power_unix_211"
+	@echo "	ptx-2.x ptx-generic pyramid sco sco-nis sco-od2 sco-os5 sinix sunos4"
+	@echo "	sunos40 sunos5 solaris8 sysv4 tandem ultrix unicos7 unicos8 unixware1 unixware2"
+	@echo "	uts215 uxp"
+	@echo
+	@echo "If none of these match your environment, edit the system"
+	@echo "dependencies sections in the Makefile and do a 'make other'."
+	@echo
+
+#######################################################
+# Choice between easy and advanced installation recipe.
+# 
+# Advanced installation: vendor-provided daemons are left alone, and the
+# inetd configuration file is edited. In this case, the REAL_DAEMON_DIR
+# macro should reflect the actual directory with (most of) your
+# vendor-provided network daemons.  These names can be found in the
+# inetd.conf file. Usually, the telnet, ftp and finger daemons all live
+# in the same directory.
+# 
+# Uncomment the appropriate line if you are going to edit inetd.conf.
+#
+# Ultrix 4.x SunOS 4.x ConvexOS 10.x Dynix/ptx
+#REAL_DAEMON_DIR=/usr/etc
+#
+# SysV.4 Solaris 2.x OSF AIX
+#REAL_DAEMON_DIR=/usr/sbin
+#
+# BSD 4.4
+#REAL_DAEMON_DIR=/usr/libexec
+#
+# HP-UX SCO Unicos
+#REAL_DAEMON_DIR=/etc
+
+# Easy installation: vendor-provided network daemons are moved to "some
+# other" directory, and the tcpd wrapper fills in the "holes". For this
+# mode of operation, the REAL_DAEMON_DIR macro should be set to the "some
+# other" directory.  The "..." is here for historical reasons only; you
+# should probably use some other name. 
+# 
+# Uncomment the appropriate line if you are going to move your daemons.
+#
+# Ultrix 4.x SunOS 4.x ConvexOS 10.x Dynix/ptx
+#REAL_DAEMON_DIR=/usr/etc/...
+#
+# SysV.4 Solaris 2.x OSF AIX
+#REAL_DAEMON_DIR=/usr/sbin/...
+#
+# BSD 4.4
+#REAL_DAEMON_DIR=/usr/libexec/...
+#
+# HP-UX SCO Unicos
+#REAL_DAEMON_DIR=/etc/...
+
+# End of mandatory section
+##########################
+
+##########################################
+# Ready-to-use system-dependent templates.
+#
+# Ready-to-use templates are available for many systems (see the "echo"
+# commands at the start of this Makefile).  The templates take care of
+# all system dependencies: after editing the REAL_DAEMON_DIR definition
+# above, do a "make sunos4" (or whatever system type is appropriate).
+#
+# If your system is not listed (or something that comes close enough), you
+# have to edit the system dependencies section below and do a "make other".  
+#
+# Send templates for other UNIX versions to wietse@wzv.win.tue.nl.
+
+# This is good for many BSD+SYSV hybrids with NIS (formerly YP).
+generic aix osf alpha dynix:
+	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+	LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ=setenv.o \
+	NETGROUP=-DNETGROUP TLI= all
+
+# Ditto, with vsyslog
+sunos4:
+	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+	LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ=setenv.o \
+	NETGROUP=-DNETGROUP VSYSLOG= TLI= all
+
+# Generic with resolver library.
+generic-resolver:
+	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+	LIBS=-lresolv RANLIB=ranlib ARFLAGS=rv AUX_OBJ=setenv.o \
+	NETGROUP=-DNETGROUP TLI= all
+
+# The NeXT loader needs "-m" or it barfs on redefined library functions.
+next:
+	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+	LIBS=-m RANLIB=ranlib ARFLAGS=rv AUX_OBJ=environ.o \
+	NETGROUP=-DNETGROUP TLI= all
+
+# SunOS for the 386 was frozen at release 4.0.x.
+sunos40:
+	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+	LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ="setenv.o strcasecmp.o" \
+	NETGROUP=-DNETGROUP VSYSLOG= TLI= all
+
+# Ultrix is like aix, next, etc., but has miscd and setenv().
+ultrix:
+	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+	LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ= \
+	NETGROUP=-DNETGROUP TLI= all miscd
+
+# This works on EP/IX 1.4.3 and will likely work on Mips (reggers@julian.uwo.ca)
+epix:
+	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+	LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ=environ.o \
+	NETGROUP=-DNETGROUP TLI= SYSTYPE="-systype bsd43" all
+
+# Freebsd and linux by default have no NIS.
+386bsd bsdos:
+	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+	LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ= NETGROUP= TLI= \
+	EXTRA_CFLAGS=-DSYS_ERRLIST_DEFINED VSYSLOG= all
+
+freebsd:
+	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+	LIBS="-L/usr/local/v6/lib -linet6" \
+	LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ= NETGROUP= TLI= \
+	EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DINET6 -Dss_family=__ss_family -Dss_len=__ss_len" \
+	VSYSLOG= all
+
+netbsd:
+	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+	LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ= NETGROUP= TLI= \
+	EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DINET6 -Dss_family=__ss_family -Dss_len=__ss_len" VSYSLOG= all
+
+linux:
+	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+	LIBS=-lnsl RANLIB=ranlib ARFLAGS=rv AUX_OBJ=weak_symbols.o \
+	NETGROUP="-DNETGROUP" TLI= VSYSLOG= BUGS= \
+	EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_STRERROR -DHAVE_WEAKSYMS -D_REENTRANT -DINET6=1 -Dss_family=__ss_family -Dss_len=__ss_len" all
+
+gnu:
+	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+	LIBS=-lnsl RANLIB=ranlib ARFLAGS=rv AUX_OBJ=weak_symbols.o \
+	NETGROUP=-DNETGROUP TLI= VSYSLOG= BUGS= \
+	EXTRA_CFLAGS="-DSYS_ERRLIST_DEFINED -DHAVE_STRERROR -DHAVE_WEAKSYMS -D_REENTRANT" all
+
+# This is good for many SYSV+BSD hybrids with NIS, probably also for HP-UX 7.x.
+hpux hpux8 hpux9 hpux10:
+	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+	LIBS= RANLIB=echo ARFLAGS=rv AUX_OBJ=setenv.o \
+	NETGROUP=-DNETGROUP TLI= all
+
+# ConvexOS-10.x with UltraNet support (ukkonen@csc.fi).
+convex-ultranet:
+	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+	LIBS=-lulsock RANLIB=ranlib ARFLAGS=rv AUX_OBJ=environ.o \
+	NETGROUP=-DNETGROUP TLI= all
+
+# Generic support for the Dynix/PTX version of TLI.
+ptx-generic:
+	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+	LIBS="-lsocket -linet -lnsl" RANLIB=echo ARFLAGS=rv \
+	AUX_OBJ="setenv.o strcasecmp.o ptx.o" NETGROUP= TLI=-DPTX all
+
+# With UDP support optimized for PTX 2.x (timw@sequent.com).
+ptx-2.x:
+	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+	LIBS="-lsocket -linet -lnsl" RANLIB=echo ARFLAGS=rv \
+	AUX_OBJ="setenv.o strcasecmp.o tli-sequent.o" NETGROUP= \
+	TLI=-DTLI_SEQUENT all
+
+# IRIX 4.0.x has a special ar(1) flag.
+irix4:
+	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+	LIBS="-lc -lsun" RANLIB=echo ARFLAGS=rvs AUX_OBJ=setenv.o \
+	NETGROUP=-DNETGROUP TLI= all
+
+# IRIX 5.2 is SYSV4 with several broken things (such as -lsocket -lnsl).
+irix5:
+	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+	LIBS=-lsun RANLIB=echo ARFLAGS=rv VSYSLOG= \
+	NETGROUP=-DNETGROUP AUX_OBJ=setenv.o TLI= all
+
+# IRIX 6.2 (tucker@math.unc.edu). Must find a better value than 200000.
+irix6:
+	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+	LIBS= RANLIB=echo ARFLAGS=rv VSYSLOG= \
+	NETGROUP=-DNETGROUP EXTRA_CFLAGS="-DBSD=200000" TLI= all
+
+# SunOS 5.x is another SYSV4 variant.
+sunos5:
+	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+	LIBS="-lsocket -lnsl" RANLIB=echo ARFLAGS=rv VSYSLOG= \
+	NETGROUP=-DNETGROUP AUX_OBJ=setenv.o TLI=-DTLI \
+	BUGS="$(BUGS) -DSOLARIS_24_GETHOSTBYNAME_BUG" all
+
+# SunOS 5.8 is another SYSV4 variant, but has IPv6 support
+solaris8:
+	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+	LIBS="-lsocket -lnsl" RANLIB=echo ARFLAGS=rv VSYSLOG= \
+	NETGROUP=-DNETGROUP AUX_OBJ=setenv.o TLI=-DTLI \
+	EXTRA_CFLAGS="-DINET6 -DNO_CLONE_DEVICE -DINT32_T" all
+
+# Generic SYSV40
+esix sysv4:
+	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+	LIBS="-lsocket -lnsl" RANLIB=echo ARFLAGS=rv \
+	NETGROUP=-DNETGROUP AUX_OBJ=setenv.o TLI=-DTLI all
+
+# DG/UX 5.4.1 and 5.4.2 have an unusual inet_addr() interface.
+dgux:
+	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+	LIBS=-lnsl RANLIB=echo ARFLAGS=rv \
+	NETGROUP=-DNETGROUP AUX_OBJ=setenv.o TLI=-DTLI \
+	BUGS="$(BUGS) -DINET_ADDR_BUG" all
+
+dgux543:
+	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+	LIBS=-lnsl RANLIB=echo ARFLAGS=rv \
+	NETGROUP=-DNETGROUP AUX_OBJ=setenv.o TLI=-DTLI all
+
+# NCR UNIX 02.02.01 and 02.03.00 (Alex Chircop, msu@unimt.mt)
+ncrsvr4:
+	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+	LIBS="-lresolv -lnsl -lsocket" RANLIB=echo ARFLAGS=rv \
+	AUX_OBJ="setenv.o strcasecmp.o" NETGROUP= TLI=-DTLI \
+	EXTRA_CFLAGS="" FROM_OBJ=ncr.o all
+
+# Tandem SYSV4 (eqawas@hedgehog.ac.cowan.edu.au)
+tandem:
+	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+	LIBS="-lsocket -lnsl" RANLIB=echo ARFLAGS=rv \
+	NETGROUP= AUX_OBJ="setenv.o strcasecmp.o" TLI=-DTLI all
+
+# Amdahl UTS 2.1.5 (Richard.Richmond@bridge.bst.bls.com)
+uts215:
+	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+	LIBS="-lsocket" RANLIB=echo \
+	ARFLAGS=rv AUX_OBJ=setenv.o NETGROUP=-DNO_NETGROUP TLI= all
+
+# UXP/DS System V.4 clone (vic@uida0.uida.es).
+uxp:
+	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+	LIBS="-L/usr/ucblib -lsocket -lnsl -lucb" \
+	RANLIB=echo ARFLAGS=rv NETGROUP=-DNETGROUP \
+	AUX_OBJ=setenv.o TLI="-DTLI -DDRS_XTI" all
+
+# DELL System V.4 Issue 2.2 using gcc (kim@tac.nyc.ny.us, jurban@norden1.com)
+dell-gcc:
+	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+	LIBS="-lsocket -lnsl" RANLIB=ranlib ARFLAGS=rv CC=gcc \
+	AUX_OBJ="setenv.o strcasecmp.o" TLI=-DTLI all
+
+# SCO 3.2v4.1 no frills (jedwards@sol1.solinet.net).
+sco:
+	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+	LIBS="-lsocket -lnsl_s" RANLIB=echo ARFLAGS=rv \
+	NETGROUP= AUX_OBJ=setenv.o TLI= all
+
+# SCO OpenDesktop 2.0, release 3.2 (peter@midnight.com). Please simplify.
+sco-od2:
+	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+	LIBS="-lrpcsvc -lrpc -lyp -lrpc -lrpcsvc -lsocket" \
+	RANLIB=echo ARFLAGS=rv AUX_OBJ=setenv.o \
+	NETGROUP=-DNETGROUP TLI= all
+
+# SCO 3.2v4.2 with TCP/IP 1.2.1 (Eduard.Vopicka@vse.cz). Please simplify.
+sco-nis:
+	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+	LIBS="-lyp -lrpc -lsocket -lyp -lc_s -lc" \
+	RANLIB=echo ARFLAGS=rv AUX_OBJ=setenv.o \
+	NETGROUP=-DNETGROUP TLI= EXTRA_CFLAGS="-nointl -DNO_NETGRENT" all
+
+# SCO 3.2v5.0.0 OpenServer 5 (bob@odt.handy.com, bill@razorlogic.com)
+sco-os5:
+	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+	LIBS="-lrpcsvc -lsocket" RANLIB=echo ARFLAGS=rv VSYSLOG= \
+	AUX_OBJ=setenv.o NETGROUP=-DNETGROUP TLI= all
+
+# sinix 5.42 setjmp workaround (szrzs023@ub3.ub.uni-kiel.de)
+sinix:
+	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+	LIBS="-lsocket -lnsl -L/usr/ccs/lib -lc -L/usr/ucblib -lucb" \
+	RANLIB=echo ARFLAGS=rv AUX_OBJ=setenv.o TLI=-DTLI all
+
+# Domain SR10.4. Build under bsd, run under either sysv3 or bsd43.
+apollo:
+	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+	LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ=setenv.o \
+	NETGROUP=-DNETGROUP TLI= SYSTYPE="-A run,any -A sys,any" all
+
+# Pyramid OSx 5.1, using the BSD universe.
+pyramid:
+	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+	LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ="environ.o vfprintf.o" \
+	STRINGS="-Dstrchr=index -Dstrrchr=rindex -Dmemcmp=bcmp -Dno_memcpy" \
+	NETGROUP="-DNETGROUP -DUSE_GETDOMAIN" TLI= all
+
+# Untested.
+mips:
+	@echo "Warning: some definitions may be wrong."
+	${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+	LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ=environ.o \
+	NETGROUP=-DNETGROUP TLI= SYSTYPE="-sysname bsd43" all
+
+# Cray (tested with UNICOS 7.0.4).
+unicos7:
+	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+	LIBS=-lnet RANLIB=echo ARFLAGS=rv \
+	EXTRA_CFLAGS=-DINADDR_NONE="\"((unsigned long) -1)\"" \
+	AUX_OBJ="setenv.o strcasecmp.o" NETGROUP= TLI= all
+
+# Unicos 8.x, Cray-YMP (Bruce Kelly).
+unicos8:
+	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+	LIBS= RANLIB=echo AR=bld ARFLAGS=rv \
+	AUX_OBJ= NETGROUP= TLI= all
+
+# Power_UNIX 2.1.1 (amantel@lerc.nasa.gov)
+power_unix_211:
+	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+	LIBS="-lnsl -lsocket -lgen -lresolv" RANLIB=echo ARFLAGS=rv \
+	NETGROUP= AUX_OBJ=setenv.o TLI=-DTLI BUGS="$(BUGS)" all
+
+# ISC (fc@all.net)
+isc:
+	${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+	LIBS="-linet -lnsl_s -ldbm" RANLIB=echo ARFLAGS=rv \
+	AUX_OBJ="setenv.o strcasecmp.o" EXTRA_CFLAGS="-DENOTCONN=ENAVAIL" \
+	NETGROUP= TLI= all
+
+# Interactive UNIX R3.2 version 4.0 (Bobby D. Wright).
+iunix:
+	${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+	LIBS="-linet -lnsl_s -ldbm" RANLIB=echo ARFLAGS=rv \
+	AUX_OBJ=environ.o strcasecmp.o NETGROUP= TLI= all
+
+# RTU 6.0 on a Masscomp 5400 (ben@piglet.cr.usgs.gov). When using the
+# advanced installation, increment argv before actually looking at it.
+rtu:
+	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+	LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ=environ.o \
+	NETGROUP= TLI= all
+
+# Unixware sans NIS (mc@telebase.com). Compiler dislikes strcasecmp.c.
+unixware1:
+	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+	LIBS="-lsocket -lnsl -lc -L/usr/ucblib -lucb" RANLIB=echo ARFLAGS=rv \
+	NETGROUP=$(NETGROUP) AUX_OBJ=environ.o TLI=-DTLI all
+
+unixware2:
+	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+	LIBS="-lsocket -lnsl -lgen -lc -L/usr/ucblib -lucb" RANLIB=echo \
+	ARFLAGS=rv NETGROUP=$(NETGROUP) AUX_OBJ=environ.o TLI=-DTLI all
+
+u6000:
+	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+	LIBS="-lsocket -lnsl" RANLIB=echo ARFLAGS=rv \
+	NETGROUP=-DNETGROUP AUX_OBJ="setenv.o strcasecmp.o" TLI=-DTLI all
+
+# MachTen
+machten:
+	@${MAKE} REAL_DAEMON_DIR=$(REAL_DAEMON_DIR) STYLE=$(STYLE) \
+	LIBS= RANLIB=ranlib ARFLAGS=rv AUX_OBJ=environ.o \
+	NETGROUP= TLI= all
+
+###############################################################
+# System dependencies: TLI (transport-level interface) support.
+# 
+# Uncomment the following macro if your system has System V.4-style TLI
+# support (/usr/include/sys/timod.h, /etc/netconfig, and the netdir(3)
+# routines).
+#
+#TLI	= -DTLI
+
+###############################################################################
+# System dependencies: differences between ranlib(1) and ar(1) implementations.
+#
+# Some C compilers (Ultrix 4.x) insist that ranlib(1) be run on an object
+# library; some don't care as long as the modules are in the right order;
+# some systems don't even have a ranlib(1) command. Make your choice.
+
+RANLIB	= ranlib	# have ranlib (BSD-ish UNIX)
+#RANLIB	= echo		# no ranlib (SYSV-ish UNIX)
+
+ARFLAGS	= rv		# most systems
+#ARFLAGS= rvs		# IRIX 4.0.x
+
+AR	= ar
+#AR	= bld		# Unicos 8.x
+
+#############################################################################
+# System dependencies: routines that are not present in the system libraries.
+# 
+# If your system library does not have set/putenv() or strcasecmp(), use
+# the ones provided with this source distribution. The environ.c module
+# implements setenv(), getenv(), and putenv().
+
+AUX_OBJ= setenv.o
+#AUX_OBJ= environ.o
+#AUX_OBJ= environ.o strcasecmp.o
+
+# Uncomment the following if your C library does not provide the
+# strchr/strrchr/memcmp routines, but comes with index/rindex/bcmp.
+#
+#STRINGS= -Dstrchr=index -Dstrrchr=rindex -Dmemcmp=bcmp -Dno_memcpy
+
+#################################################################
+# System dependencies: selection of non-default object libraries.
+#
+# Most System V implementations require that you explicitly specify the
+# networking libraries. There is no general consensus, though.
+#
+#LIBS	= -lsocket -lnsl		# SysV.4 Solaris 2.x
+#LIBS	= -lsun				# IRIX
+#LIBS	= -lsocket -linet -lnsl -lnfs	# PTX
+#LIBS	= -linet -lnsl_s -ldbm		# ISC
+#LIBS	= -lnet				# Unicos 7
+#LIBS	= -linet -lsyslog -ldbm
+#LIBS	= -lsyslog -lsocket -lnsl
+
+######################################################
+# System dependencies: system-specific compiler flags.
+#
+# Apollo Domain/OS offers both bsd and sys5 environments, sometimes
+# on the same machine.  If your Apollo is primarily sys5.3 and also
+# has bsd4.3, uncomment the following to build under bsd and run under
+# either environment.
+#
+#SYSTYPE= -A run,any -A sys,any
+
+# For MIPS RISC/os 4_52.p3, uncomment the following definition.
+#
+#SYSTYPE= -sysname bsd43
+
+##################################################
+# System dependencies: working around system bugs.
+#
+# -DGETPEERNAME_BUG works around a getpeername(2) bug in some versions of
+# Apollo or SYSV.4 UNIX:  the wrapper would report that all UDP requests
+# come from address 0.0.0.0. The workaround does no harm on other systems.
+#
+# -DBROKEN_FGETS works around an fgets(3) bug in some System V versions
+# (IRIX):  fgets() gives up too fast when reading from a network socket.
+# The workaround does no harm on other systems.
+#
+# Some UNIX systems (IRIX) make the error of calling the strtok() library
+# routine from other library routines such as, e.g., gethostbyname/addr().
+# The result is that hosts can slip through the wrapper allow/deny filters.
+# Compile with -DLIBC_CALLS_STRTOK to avoid the vendor's strtok() routine.
+# The workaround does no harm on other systems.
+#
+# DG/UX 5.4.1 comes with an inet_ntoa() function that returns a structure
+# instead of a long integer. Compile with -DINET_ADDR_BUG to work around
+# this mutant behavour. Fixed in 5.4R3.
+#
+# Solaris 2.4 gethostbyname(), in DNS through NIS mode, puts only one
+# address in the host address list; all other addresses are treated as
+# host name aliases. Compile with -DSOLARIS_24_GETHOSTBYNAME_BUG to work
+# around this. The workaround does no harm on other Solaris versions.
+
+BUGS = -DGETPEERNAME_BUG -DBROKEN_FGETS -DLIBC_CALLS_STRTOK
+#BUGS = -DGETPEERNAME_BUG -DBROKEN_FGETS -DINET_ADDR_BUG
+#BUGS = -DGETPEERNAME_BUG -DBROKEN_FGETS -DSOLARIS_24_GETHOSTBYNAME_BUG
+
+##########################################################################
+# System dependencies: whether or not your system has NIS (or YP) support.
+#
+# If your system supports NIS or YP-style netgroups, enable the following
+# macro definition. Netgroups are used only for host access control.
+#
+#NETGROUP= -DNETGROUP
+
+###############################################################
+# System dependencies: whether or not your system has vsyslog()
+#
+# If your system supports vsyslog(), comment out the following definition.
+# If in doubt leave it in, it won't harm.
+
+VSYSLOG	= -Dvsyslog=myvsyslog
+
+# End of the system dependencies.
+#################################
+
+##############################
+# Start of the optional stuff.
+
+###########################################
+# Optional: Turning on language extensions
+#
+# Instead of the default access control language that is documented in
+# the hosts_access.5 document, the wrappers can be configured to
+# implement an extensible language documented in the hosts_options.5
+# document.  This language is implemented by the "options.c" source
+# module, which also gives hints on how to add your own extensions.
+# Uncomment the next definition to turn on the language extensions
+# (examples: allow, deny, banners, twist and spawn).
+# 
+#STYLE	= -DPROCESS_OPTIONS	# Enable language extensions.
+STYLE = "-DPROCESS_OPTIONS -DACLEXEC"
+
+################################################################
+# Optional: Changing the default disposition of logfile records
+#
+# By default, logfile entries are written to the same file as used for
+# sendmail transaction logs. See your /etc/syslog.conf file for actual
+# path names of logfiles. The tutorial section in the README file
+# gives a brief introduction to the syslog daemon.
+# 
+# Change the FACILITY definition below if you disagree with the default
+# disposition. Some syslog versions (including Ultrix 4.x) do not provide
+# this flexibility.
+# 
+# If nothing shows up on your system, it may be that the syslog records
+# are sent to a dedicated loghost. It may also be that no syslog daemon
+# is running at all. The README file gives pointers to surrogate syslog
+# implementations for systems that have no syslog library routines or
+# no syslog daemons. When changing the syslog.conf file, remember that
+# there must be TABs between fields.
+#
+# The LOG_XXX names below are taken from the /usr/include/syslog.h file.
+
+FACILITY= LOG_MAIL	# LOG_MAIL is what most sendmail daemons use
+FACILITY= LOG_DAEMON
+
+# The syslog priority at which successful connections are logged.
+
+SEVERITY= LOG_INFO	# LOG_INFO is normally not logged to the console
+
+###########################
+# Optional: Reduce DNS load
+#
+# When looking up the address for a host.domain name, the typical DNS
+# code will first append substrings of your own domain, so it tries
+# host.domain.your.own.domain, then host.domain.own.domain, and then
+# host.domain. The APPEND_DOT feature stops this waste of cycles. It is
+# off by default because it causes problems on sites that don't use DNS
+# and with Solaris < 2.4. APPEND_DOT will not work with hostnames taken
+# from /etc/hosts or from NIS maps. It does work with DNS through NIS.
+#
+# DOT= -DAPPEND_DOT
+
+##################################################
+# Optional: Always attempt remote username lookups
+#
+# By default, the wrappers look up the remote username only when the
+# access control rules require them to do so.
+#
+# Username lookups require that the remote host runs a daemon that
+# supports an RFC 931 like protocol.  Remote user name lookups are not
+# possible for UDP-based connections, and can cause noticeable delays
+# with connections from non-UNIX PCs.  On some systems, remote username
+# lookups can trigger a kernel bug, causing loss of service. The README
+# file describes how to find out if your UNIX kernel has that problem.
+# 
+# Uncomment the following definition if the wrappers should always
+# attempt to get the remote user name. If this is not enabled you can
+# still do selective username lookups as documented in the hosts_access.5
+# and hosts_options.5 manual pages (`nroff -man' format).
+#
+#AUTH	= -DALWAYS_RFC931
+#
+# The default username lookup timeout is 10 seconds. This may not be long
+# enough for slow hosts or networks, but is enough to irritate PC users.
+
+RFC931_TIMEOUT = 10
+
+######################################################
+# Optional: Changing the default file protection mask
+#
+# On many systems, network daemons and other system processes are started
+# with a zero umask value, so that world-writable files may be produced.
+# It is a good idea to edit your /etc/rc* files so that they begin with
+# an explicit umask setting.  On our site we use `umask 022' because it
+# does not break anything yet gives adequate protection against tampering.
+# 
+# The following macro specifies the default umask for processes run under
+# control of the daemon wrappers. Comment it out only if you are certain
+# that inetd and its children are started with a safe umask value.
+
+UMASK	= -DDAEMON_UMASK=022
+
+#######################################
+# Optional: Turning off access control
+#
+# By default, host access control is enabled.  To disable host access
+# control, comment out the following definition.  Host access control
+# can also be turned off at runtime by providing no or empty access
+# control tables.
+
+ACCESS	= -DHOSTS_ACCESS
+
+########################################################
+# Optional: Changing the access control table pathnames
+#
+# The HOSTS_ALLOW and HOSTS_DENY macros define where the programs will
+# look for access control information. Watch out for the quotes and
+# backslashes when you make changes.
+
+TABLES	= -DHOSTS_DENY=\"/etc/hosts.deny\" -DHOSTS_ALLOW=\"/etc/hosts.allow\"
+
+####################################################
+# Optional: dealing with host name/address conflicts
+#
+# By default, the software tries to protect against hosts that claim to
+# have someone elses host name. This is relevant for network services
+# whose authentication depends on host names, such as rsh and rlogin.
+#
+# With paranoid mode on, connections will be rejected when the host name
+# does not match the host address. Connections will also be rejected when
+# the host name is available but cannot be verified.
+#
+# Comment out the following definition if you want more control over such
+# requests. When paranoid mode is off and a host name double check fails,
+# the client can be matched with the PARANOID access control pattern.
+#
+# Paranoid mode implies hostname lookup. In order to disable hostname
+# lookups altogether, see the next section.
+
+PARANOID= -DPARANOID
+PARANOID=
+
+########################################
+# Optional: turning off hostname lookups
+#
+# By default, the software always attempts to look up the client
+# hostname.  With selective hostname lookups, the client hostname
+# lookup is postponed until the name is required by an access control
+# rule or by a %letter expansion.
+# 
+# In order to perform selective hostname lookups, disable paranoid
+# mode (see previous section) and comment out the following definition.
+
+HOSTNAME= -DALWAYS_HOSTNAME
+HOSTNAME=
+
+#############################################
+# Optional: Turning on host ADDRESS checking
+#
+# Optionally, the software tries to protect against hosts that pretend to
+# have someone elses host address. This is relevant for network services
+# whose authentication depends on host names, such as rsh and rlogin,
+# because the network address is used to look up the remote host name.
+# 
+# The protection is to refuse TCP connections with IP source routing
+# options.
+#
+# This feature cannot be used with SunOS 4.x because of a kernel bug in
+# the implementation of the getsockopt() system call. Kernel panics have
+# been observed for SunOS 4.1.[1-3]. Symptoms are "BAD TRAP" and "Data
+# fault" while executing the tcp_ctloutput() kernel function.
+#
+# Reportedly, Sun patch 100804-03 or 101790 fixes this for SunOS 4.1.x.
+#
+# Uncomment the following macro definition if your getsockopt() is OK.
+#
+# -DKILL_IP_OPTIONS is not needed on modern UNIX systems that can stop
+# source-routed traffic in the kernel. Examples: 4.4BSD derivatives,
+# Solaris 2.x, and Linux. See your system documentation for details.
+#
+# KILL_OPT= -DKILL_IP_OPTIONS
+KILL_OPT= -DKILL_IP_OPTIONS
+
+## End configuration options
+############################
+
+SRCDIR		= .
+
+DESTDIR		=
+
+PREFIX		= $(DESTDIR)/usr
+
+INCDIR		= $(PREFIX)/include
+
+LIBDIR		= $(PREFIX)/lib
+
+MANDIR		= $(PREFIX)/share/man
+MAN3DIR		= $(MANDIR)/man3
+MAN5DIR		= $(MANDIR)/man5
+MAN8DIR		= $(MANDIR)/man8
+
+SBINDIR		= $(PREFIX)/sbin
+
+INSTALL		= install
+INSTALL_PROG	= $(INSTALL) -m 0755
+INSTALL_DATA	= $(INSTALL) -m 0644
+
+SYMLINK		= ln -sf
+
+VPATH		= $(SRCDIR)
+
+# Protection against weird shells or weird make programs.
+
+SHELL	= /bin/sh
+
+.c.o:;	$(CC) $(CFLAGS) -o $*.o -c $(SRCDIR)/$*.c
+
+COPTS	= -O2 -g
+CFLAGS	= $(COPTS) -DFACILITY=$(FACILITY) $(ACCESS) $(PARANOID) $(NETGROUP) \
+	$(BUGS) $(SYSTYPE) $(AUTH) $(UMASK) \
+	-DREAL_DAEMON_DIR=\"$(REAL_DAEMON_DIR)\" $(STYLE) $(KILL_OPT) \
+	-DSEVERITY=$(SEVERITY) -DRFC931_TIMEOUT=$(RFC931_TIMEOUT) \
+	$(UCHAR) $(TABLES) $(STRINGS) $(TLI) $(EXTRA_CFLAGS) $(DOT) \
+	$(VSYSLOG) $(HOSTNAME)
+
+LIB_OBJ= hosts_access.o options.o shell_cmd.o rfc931.o eval.o \
+	hosts_ctl.o refuse.o percent_x.o clean_exit.o $(AUX_OBJ) \
+	$(FROM_OBJ) fix_options.o socket.o tli.o workarounds.o \
+	update.o misc.o diag.o percent_m.o myvsyslog.o
+
+FROM_OBJ= fromhost.o
+
+KIT	= $(addprefix $(SRCDIR)/, \
+	README miscd.c tcpd.c fromhost.c hosts_access.c shell_cmd.c \
+	tcpd.h tcpdmatch.c Makefile hosts_access.5 strcasecmp.c BLURB rfc931.c \
+	tcpd.8 eval.c hosts_access.3 hosts_ctl.c percent_x.c options.c \
+	clean_exit.c environ.c patchlevel.h fix_options.c workarounds.c \
+	socket.c tli.c DISCLAIMER fakelog.c safe_finger.c hosts_options.5 \
+	CHANGES try-from.c update.c ptx.c vfprintf.c tli-sequent.c \
+	tli-sequent.h misc.c diag.c ncr.c tcpdchk.c percent_m.c \
+	myvsyslog.c mystdarg.h printf.ck README.IRIX Banners.Makefile \
+	refuse.c tcpdchk.8 setenv.c inetcf.c inetcf.h scaffold.c \
+	scaffold.h tcpdmatch.8 README.NIS)
+
+DOCS	= $(addprefix $(SRCDIR)/,tcpd.8 tcpdchk.8 tcpdmatch.8 \
+	  hosts_access.5 hosts_options.5)
+
+PROGS	= tcpd tcpdmatch try-from safe_finger tcpdchk
+
+LIB	= libwrap.a
+
+shared/%.o: %.c
+	$(CC) $(CFLAGS) $(SHCFLAGS) -c $< -o $@
+
+SOMAJOR = 0
+SOMINOR = 7.6
+
+SHLIB		= shared/libwrap.so.$(SOMAJOR).$(SOMINOR)
+SHLIBSOMAJ	= shared/libwrap.so.$(SOMAJOR)
+SHLIBSO		= shared/libwrap.so
+SHLIBFLAGS	= -Lshared -lwrap
+
+SHLINKFLAGS = -fpic -shared -Wl,-soname,libwrap.so.$(SOMAJOR) -Wl,--version-script=$(SRCDIR)/libwrap.lds $(LIBS)
+SHCFLAGS = -fpic -shared -D_REENTRANT
+SHLIB_OBJ= $(addprefix shared/, $(LIB_OBJ));
+
+all other: config-check $(LIB) $(SHLIB) $(PROGS)
+
+# Invalidate all object files when the compiler options (CFLAGS) have changed.
+
+config-check:
+	@set +e; test -n "$(REAL_DAEMON_DIR)" || { ${MAKE}; exit 1; }
+	@set +e; echo $(CFLAGS) >cflags.new ; \
+	if cmp cflags cflags.new ; \
+	then rm cflags.new ; \
+	else mv cflags.new cflags ; \
+	fi >/dev/null 2>/dev/null
+	@if [ ! -d shared ]; then mkdir shared; fi
+
+$(LIB):	$(LIB_OBJ)
+	rm -f $(LIB)
+	$(AR) $(ARFLAGS) $(LIB) $(LIB_OBJ)
+	-$(RANLIB) $(LIB)
+
+$(SHLIB): $(SRCDIR)/libwrap.lds $(SHLIB_OBJ)
+	rm -f $(SHLIB)
+	$(CC) -o $(SHLIB) $(SHLINKFLAGS) $(SHLIB_OBJ)
+	$(SYMLINK) $(notdir $(SHLIB)) $(SHLIBSOMAJ)
+	$(SYMLINK) $(notdir $(SHLIBSOMAJ)) $(SHLIBSO)
+
+tcpd:	tcpd.o $(SHLIB)
+	$(CC) $(CFLAGS) -o $@ tcpd.o $(SHLIBFLAGS)
+
+miscd:	miscd.o $(LIB)
+	$(CC) $(CFLAGS) -o $@ miscd.o $(LIB) $(LIBS)
+
+safe_finger: safe_finger.o
+	$(CC) $(CFLAGS) -o $@ safe_finger.o
+
+TCPDMATCH_OBJ = tcpdmatch.o fakelog.o inetcf.o scaffold.o
+
+tcpdmatch: $(TCPDMATCH_OBJ) $(SHLIB)
+	$(CC) $(CFLAGS) -o $@ $(TCPDMATCH_OBJ) $(SHLIBFLAGS)
+
+try-from: try-from.o fakelog.o $(SHLIB)
+	$(CC) $(CFLAGS) -o $@ try-from.o fakelog.o $(SHLIBFLAGS)
+
+TCPDCHK_OBJ = tcpdchk.o fakelog.o inetcf.o scaffold.o
+
+tcpdchk: $(TCPDCHK_OBJ) $(SHLIB)
+	$(CC) $(CFLAGS) -o $@ $(TCPDCHK_OBJ) $(SHLIBFLAGS)
+
+.PHONY: install install-lib install-bin install-doc install-dev
+install: install-lib install-bin install-doc install-dev
+
+$(LIBDIR) $(SBINDIR) $(MAN8DIR) $(MAN5DIR) $(MAN3DIR) $(INCDIR):
+	mkdir -p $(@)
+
+install-lib: | $(LIBDIR)
+	$(INSTALL_DATA) $(LIB) $(LIBDIR)/
+	$(INSTALL_PROG) $(SHLIB) $(LIBDIR)/
+	$(SYMLINK) $(notdir $(SHLIB)) $(LIBDIR)/$(notdir $(SHLIBSOMAJ))
+	$(SYMLINK) $(notdir $(SHLIBSOMAJ)) $(LIBDIR)/$(notdir $(SHLIBSO))
+
+install-bin: | $(SBINDIR)
+	$(INSTALL_PROG) tcpd $(SBINDIR)/
+	$(INSTALL_PROG) tcpdchk $(SBINDIR)/
+	$(INSTALL_PROG) tcpdmatch $(SBINDIR)/
+	$(INSTALL_PROG) try-from $(SBINDIR)/
+	$(INSTALL_PROG) safe_finger $(SBINDIR)/
+
+install-doc: $(DOCS) | $(MAN5DIR) $(MAN8DIR)
+	$(INSTALL_DATA) $(SRCDIR)/tcpd.8 $(MAN8DIR)/
+	$(INSTALL_DATA) $(SRCDIR)/tcpdchk.8 $(MAN8DIR)/
+	$(INSTALL_DATA) $(SRCDIR)/tcpdmatch.8 $(MAN8DIR)/
+	$(INSTALL_DATA) $(SRCDIR)/hosts_access.5 $(MAN5DIR)/
+	$(INSTALL_DATA) $(SRCDIR)/hosts_options.5 $(MAN5DIR)/
+
+install-dev: | $(INCDIR) $(LIBDIR) $(MAN3DIR)
+	$(INSTALL_DATA) $(SRCDIR)/hosts_access.3 $(MAN3DIR)/
+	$(INSTALL_DATA) $(SRCDIR)/tcpd.h $(INCDIR)/
+	$(INSTALL_DATA) $(LIB) $(LIBDIR)/
+	$(SYMLINK) $(SRCDIR)/hosts_access.3 $(MAN3DIR)/hosts_ctl.3
+	$(SYMLINK) $(SRCDIR)/hosts_access.3 $(MAN3DIR)/request_init.3
+	$(SYMLINK) $(SRCDIR)/hosts_access.3 $(MAN3DIR)/request_set.3
+
+shar:	$(KIT)
+	@shar $(KIT)
+
+kit:	$(KIT)
+	@makekit $(KIT)
+
+files:
+	@echo $(KIT)
+
+archive:
+	$(ARCHIVE) $(KIT)
+
+clean:
+	rm -f tcpd miscd safe_finger tcpdmatch tcpdchk try-from *.[oa] core \
+	libwrap*.so* \
+	cflags
+	rm -rf shared/
+
+tidy:	clean
+	chmod -R a+r .
+	chmod 755 .
+
+# Enable all bells and whistles for linting.
+
+lint: tcpd_lint miscd_lint match_lint chk_lint
+
+tcpd_lint:
+	lint -DFACILITY=LOG_MAIL -DHOSTS_ACCESS -DPARANOID -DNETGROUP \
+	-DGETPEERNAME_BUG -DDAEMON_UMASK=022 -DSEVERITY=$(SEVERITY) \
+	$(TABLES) -DKILL_IP_OPTIONS -DPROCESS_OPTIONS \
+	-DRFC931_TIMEOUT=$(RFC931_TIMEOUT) -DALWAYS_RFC931 \
+	-DREAL_DAEMON_DIR=\"$(REAL_DAEMON_DIR)\" \
+	-Dvsyslog=myvsyslog \
+	$(addprefix $(SRCDIR)/, \
+	tcpd.c fromhost.c socket.c tli.c hosts_access.c \
+	shell_cmd.c refuse.c rfc931.c eval.c percent_x.c clean_exit.c \
+	options.c setenv.c fix_options.c workarounds.c update.c misc.c \
+	diag.c myvsyslog.c percent_m.c)
+
+miscd_lint:
+	lint -DFACILITY=LOG_MAIL -DHOSTS_ACCESS -DPARANOID -DNETGROUP \
+	-DGETPEERNAME_BUG -DDAEMON_UMASK=022 -DSEVERITY=$(SEVERITY) \
+	$(TABLES) -DKILL_IP_OPTIONS -DPROCESS_OPTIONS \
+	-DRFC931_TIMEOUT=$(RFC931_TIMEOUT) -DALWAYS_RFC931 \
+	-DREAL_DAEMON_DIR=\"$(REAL_DAEMON_DIR)\" \
+	-Dvsyslog=myvsyslog \
+	$(addprefix $(SRCDIR)/, \
+	miscd.c fromhost.c socket.c tli.c hosts_access.c \
+	shell_cmd.c refuse.c rfc931.c eval.c percent_x.c clean_exit.c \
+	options.c setenv.c fix_options.c workarounds.c update.c misc.c \
+	diag.c myvsyslog.c percent_m.c)
+
+match_lint:
+	lint -DFACILITY=LOG_MAIL -DSEVERITY=$(SEVERITY) -DHOSTS_ACCESS \
+	-DPARANOID $(TABLES) -DNETGROUP -DPROCESS_OPTIONS -DRFC931_TIMEOUT=10 \
+	-DREAL_DAEMON_DIR=\"$(REAL_DAEMON_DIR)\" \
+	-Dvsyslog=myvsyslog \
+	$(addprefix $(SRCDIR)/, \
+	tcpdmatch.c hosts_access.c eval.c percent_x.c options.c workarounds.c \
+	update.c socket.c misc.c diag.c myvsyslog.c percent_m.c setenv.c \
+	inetcf.c scaffold.c)
+
+chk_lint:
+	lint -DFACILITY=LOG_MAIL -DSEVERITY=$(SEVERITY) -DHOSTS_ACCESS \
+	-DPARANOID $(TABLES) -DNETGROUP -DPROCESS_OPTIONS -DRFC931_TIMEOUT=10 \
+	-DREAL_DAEMON_DIR=\"$(REAL_DAEMON_DIR)\" \
+	-Dvsyslog=myvsyslog \
+	$(addprefix $(SRCDIR)/, \
+	tcpdchk.c eval.c percent_x.c options.c update.c workarounds.c \
+	setenv.c misc.c diag.c myvsyslog.c percent_m.c inetcf.c scaffold.c)
+
+printfck:
+	printfck -f printf.ck \
+	$(addprefix $(SRCDIR)/, \
+	tcpd.c fromhost.c socket.c tli.c hosts_access.c \
+	shell_cmd.c refuse.c rfc931.c eval.c percent_x.c clean_exit.c \
+	options.c setenv.c fix_options.c workarounds.c update.c misc.c \
+	diag.c myvsyslog.c percent_m.c) > aap.c
+	lint -DFACILITY=LOG_MAIL -DHOSTS_ACCESS -DPARANOID -DNETGROUP \
+	-DGETPEERNAME_BUG -DDAEMON_UMASK=022 -DSEVERITY=$(SEVERITY) \
+	$(TABLES) -DKILL_IP_OPTIONS -DPROCESS_OPTIONS \
+	-DRFC931_TIMEOUT=$(RFC931_TIMEOUT) -DALWAYS_RFC931 \
+	-DREAL_DAEMON_DIR=\"$(REAL_DAEMON_DIR)\" -Dvsyslog=myvsyslog aap.c
+	printfck -f printf.ck \
+	$(addprefix $(SRCDIR)/, \
+	tcpdchk.c eval.c percent_x.c options.c update.c workarounds.c \
+	setenv.c misc.c diag.c myvsyslog.c percent_m.c inetcf.c scaffold.c) \
+	> aap.c
+	lint -DFACILITY=LOG_MAIL -DSEVERITY=$(SEVERITY) -DHOSTS_ACCESS \
+	-DPARANOID $(TABLES) -DNETGROUP -DPROCESS_OPTIONS -DRFC931_TIMEOUT=10 \
+	-Dvsyslog=myvsyslog -DREAL_DAEMON_DIR=\"$(REAL_DAEMON_DIR)\"
+
+# Internal compilation dependencies.
+
+clean_exit.o: cflags
+clean_exit.o: $(SRCDIR)/tcpd.h
+diag.o: cflags
+diag.o: $(SRCDIR)/mystdarg.h
+diag.o: $(SRCDIR)/tcpd.h
+environ.o: cflags
+eval.o: cflags
+eval.o: $(SRCDIR)/tcpd.h
+fakelog.o: cflags
+fakelog.o: $(SRCDIR)/mystdarg.h
+fix_options.o: cflags
+fix_options.o: $(SRCDIR)/tcpd.h
+fromhost.o: cflags
+fromhost.o: $(SRCDIR)/tcpd.h
+hosts_access.o: cflags
+hosts_access.o: $(SRCDIR)/tcpd.h
+hosts_ctl.o: cflags
+hosts_ctl.o: $(SRCDIR)/tcpd.h
+inetcf.o: cflags
+inetcf.o: $(SRCDIR)/inetcf.h
+inetcf.o: $(SRCDIR)/tcpd.h
+misc.o: cflags
+misc.o: $(SRCDIR)/tcpd.h
+miscd.o: cflags
+miscd.o: $(SRCDIR)/patchlevel.h
+miscd.o: $(SRCDIR)/tcpd.h
+myvsyslog.o: cflags
+myvsyslog.o: $(SRCDIR)/mystdarg.h
+myvsyslog.o: $(SRCDIR)/tcpd.h
+ncr.o: cflags
+ncr.o: $(SRCDIR)/tcpd.h
+options.o: cflags
+options.o: $(SRCDIR)/tcpd.h
+percent_m.o: cflags
+percent_m.o: $(SRCDIR)/mystdarg.h
+percent_x.o: cflags
+percent_x.o: $(SRCDIR)/tcpd.h
+ptx.o: cflags
+ptx.o: $(SRCDIR)/tcpd.h
+refuse.o: cflags
+refuse.o: $(SRCDIR)/tcpd.h
+rfc931.o: cflags
+rfc931.o: $(SRCDIR)/tcpd.h
+safe_finger.o: cflags
+scaffold.o: cflags
+scaffold.o: $(SRCDIR)/scaffold.h
+scaffold.o: $(SRCDIR)/tcpd.h
+setenv.o: cflags
+shell_cmd.o: cflags
+shell_cmd.o: $(SRCDIR)/tcpd.h
+socket.o: cflags
+socket.o: $(SRCDIR)/tcpd.h
+strcasecmp.o: cflags
+tcpd.o: cflags
+tcpd.o: $(SRCDIR)/patchlevel.h
+tcpd.o: $(SRCDIR)/tcpd.h
+tcpdchk.o: cflags
+tcpdchk.o: $(SRCDIR)/inetcf.h
+tcpdchk.o: $(SRCDIR)/scaffold.h
+tcpdchk.o: $(SRCDIR)/tcpd.h
+tcpdmatch.o: cflags
+tcpdmatch.o: $(SRCDIR)/scaffold.h
+tcpdmatch.o: $(SRCDIR)/tcpd.h
+tli-sequent.o: cflags
+tli-sequent.o: $(SRCDIR)/tcpd.h
+tli-sequent.o: $(SRCDIR)/tli-sequent.h
+tli.o: cflags
+tli.o: $(SRCDIR)/tcpd.h
+try-from.o: cflags
+try-from.o: $(SRCDIR)/tcpd.h
+update.o: cflags
+update.o: $(SRCDIR)/mystdarg.h
+update.o: $(SRCDIR)/tcpd.h
+vfprintf.o: cflags
+weak_symbols.o: $(SRCDIR)/tcpd.h
+workarounds.o: cflags
+workarounds.o: $(SRCDIR)/tcpd.h
diff --git a/tcp_wrappers_7.6/README b/tcp_wrappers_7.6/README
new file mode 100644
index 0000000..98b6b47
--- /dev/null
+++ b/tcp_wrappers_7.6/README
@@ -0,0 +1,1038 @@
+@(#) README 1.30 97/03/21 19:27:21
+
+This is the 7.6 version of the TCP/IP daemon wrapper package.
+
+Thank you for using this program. If you like it, send me a postcard.
+My postal address is at the bottom of this file.
+
+Read the BLURB file for a brief summary of what is new. The CHANGES
+file gives a complete account of differences with respect to previous
+releases.
+
+Announcements of new releases of this software are posted to Usenet
+(comp.security.unix, comp.unix.admin), to the cert-tools mailing list,
+and to a dedicated mailing list.  You can subscribe to the dedicated
+mailing list by sending an email message to majordomo@wzv.win.tue.nl
+with in the body (not subject):  subscribe tcp-wrappers-announce.
+
+Table of contents
+-----------------
+
+    1 - Introduction
+    2 - Disclaimer
+    3 - Tutorials
+                3.1 - How it works
+                3.2 - Where the logging information goes
+    4 - Features
+                4.1 - Access control
+                4.2 - Host name spoofing
+                4.3 - Host address spoofing
+                4.4 - Client username lookups
+                4.5 - Language extensions
+		4.6 - Multiple ftp/gopher/www archives on one host
+		4.7 - Banner messages
+		4.8 - Sequence number guessing
+    5 - Other works
+                5.1 - Related documents
+                5.2 - Related software
+    6 - Limitations
+                6.1 - Known wrapper limitations
+                6.2 - Known system software bugs
+    7 - Configuration and installation
+                7.1 - Easy configuration and installation
+                7.2 - Advanced configuration and installation
+                7.3 - Daemons with arbitrary path names
+                7.4 - Building and testing the access control rules
+                7.5 - Other applications
+    8 - Acknowledgements
+
+1 - Introduction
+----------------
+
+With this package you can monitor and filter incoming requests for the
+SYSTAT, FINGER, FTP, TELNET, RLOGIN, RSH, EXEC, TFTP, TALK, and other
+network services.
+
+It supports both 4.3BSD-style sockets and System V.4-style TLI. Praise
+yourself lucky if you don't know what that means.
+
+The package provides tiny daemon wrapper programs that can be installed
+without any changes to existing software or to existing configuration
+files.  The wrappers report the name of the client host and of the
+requested service; the wrappers do not exchange information with the
+client or server applications, and impose no overhead on the actual
+conversation between the client and server applications.
+
+Optional features are: access control to restrict what systems can
+connect to what network daemons; client user name lookups with the RFC
+931 etc. protocol; additional protection against hosts that pretend to
+have someone elses host name; additional protection against hosts that
+pretend to have someone elses host address.
+
+The programs are very portable. Build procedures are provided for many
+common (and not so common) environments, and guidelines are provided in
+case your environment is not among them.
+
+Requirements are that network daemons are spawned by a super server
+such as the inetd; a 4.3BSD-style socket programming interface and/or
+System V.4-style TLI programming interface; and the availability of a
+syslog(3) library and of a syslogd(8) daemon.  The wrappers should run
+without modification on any system that satisfies these requirements.
+Workarounds have been implemented for several common bugs in systems
+software.
+
+What to do if this is your first encounter with the wrapper programs:
+1) read the tutorial sections for an introduction to the relevant
+concepts and terminology; 2) glance over the security feature sections
+in this document; 3) follow the installation instructions (easy or
+advanced). I recommend that you first use the default security feature
+settings.  Run the wrappers for a few days to become familiar with
+their logs, before doing anything drastic such as cutting off access or
+installing booby traps.
+
+2 - Disclaimer
+--------------
+
+The wrapper programs rely on source address information obtained from
+network packets. This information is provided by the client host. It is
+not 100 percent reliable, although the wrappers do their best to expose
+forgeries.
+
+In the absence of cryptographic protection of message contents, and of
+cryptographic authentication of message originators, all data from the
+network should be treated with sound scepticism.
+
+THIS RESTRICTION IS BY NO MEANS SPECIFIC TO THE TCP/IP PROTOCOLS.
+
+3 - Tutorials
+-------------
+
+The tutorial sections give a gentle introduction to the operation of
+the wrapper programs, and introduce some of the terminology that is
+used in the remainder of the document: client, server, the inetd and
+syslogd daemons, and their configuration files.
+
+3.1 - How it works
+------------------
+
+Almost every application of the TCP/IP protocols is based on a client-
+server model. For example, when a user invokes the telnet command to
+connect to one of your systems, a telnet server process is executed on
+the target host. The telnet server process connects the user to a login
+process. A few examples of client and server programs are shown in the
+table below:
+
+              client   server    application
+              --------------------------------
+              telnet   telnetd   remote login
+              ftp      ftpd      file transfer
+              finger   fingerd   show users
+
+The usual approach is to run one single daemon process that waits for
+all kinds of incoming network connections. Whenever a connection is
+established, this daemon (usually called inetd) runs the appropriate
+server program and goes back to sleep, waiting for other connections.
+
+The wrapper programs rely on a simple, but powerful mechanism.  Instead
+of directly running the desired server program, the inetd is tricked
+into running a small wrapper program. The wrapper logs the client host
+name or address and performs some additional checks.  When all is well,
+the wrapper executes the desired server program and goes away.
+
+The wrapper programs have no interaction with the client user (or with
+the client process).  Nor do the wrappers interact with the server
+application. This has two major advantages: 1) the wrappers are
+application-independent, so that the same program can protect many
+kinds of network services; 2) no interaction also means that the
+wrappers are invisible from outside (at least for authorized users).
+
+Another important property is that the wrapper programs are active only
+when the initial contact between client and server is established. Once
+a wrapper has done its work there is no overhead on the client-server
+conversation.
+
+The simple mechanism has one major drawback: the wrappers go away after
+the initial contact between client and server processes, so the
+wrappers are of little use with network daemons that service more than
+one client.  The wrappers would only see the first client attempt to
+contact such a server. The NFS mount daemon is a typical example of a
+daemon that services requests from multiple clients. See the section on
+related software for ways to deal with such server programs.
+
+There are two ways to use the wrapper programs:
+
+1) The easy way: move network daemons to some other directory and fill
+   the resulting holes with copies of the wrapper programs.  This
+   approach involves no changes to system configuration files, so there
+   is very little risk of breaking things.
+
+2) The advanced way: leave the network daemons alone and modify the
+   inetd configuration file.  For example, an entry such as:
+
+     tftp  dgram  udp  wait  root  /usr/etc/tcpd  in.tftpd -s /tftpboot
+
+   When a tftp request arrives, inetd will run the wrapper program
+   (tcpd) with a process name `in.tftpd'.  This is the name that the
+   wrapper will use when logging the request and when scanning the
+   optional access control tables.  `in.tftpd' is also the name of the
+   server program that the wrapper will attempt to run when all is
+   well.  Any arguments (`-s /tftpboot' in this particular example) are
+   transparently passed on to the server program.
+
+For an account of the history of the wrapper programs, with real-life
+examples, see the section below on related documents.
+
+3.2 - Where the logging information goes
+----------------------------------------
+
+The wrapper programs send their logging information to the syslog
+daemon (syslogd). The disposition of the wrapper logs is determined by
+the syslog configuration file (usually /etc/syslog.conf). Messages are
+written to files, to the console, or are forwarded to a @loghost. Some
+syslogd versions can even forward messages down a |pipeline.
+
+Older syslog implementations (still found on Ultrix systems) only
+support priority levels ranging from 9 (debug-level messages) to 0
+(alerts). All logging information of the specified priority level or
+more urgent is written to the same destination.  In the syslog.conf
+file, priority levels are specified in numerical form.  For example,
+
+    8/usr/spool/mqueue/syslog
+
+causes all messages with priority 8 (informational messages), and
+anything that is more urgent, to be appended to the file
+/usr/spool/mqueue/syslog.
+
+Newer syslog implementations support message classes in addition to
+priority levels.  Examples of message classes are: mail, daemon, auth
+and news. In the syslog.conf file, priority levels are specified with
+symbolic names: debug, info, notice, ..., emerg. For example,
+
+    mail.debug                  /var/log/syslog
+
+causes all messages of class mail with priority debug (or more urgent)
+to be appended to the /var/log/syslog file.
+
+By default, the wrapper logs go to the same place as the transaction
+logs of the sendmail daemon. The disposition can be changed by editing
+the Makefile and/or the syslog.conf file. Send a `kill -HUP' to the
+syslogd after changing its configuration file. Remember that syslogd,
+just like sendmail, insists on one or more TABs between the left-hand
+side and the right-hand side expressions in its configuration file.
+
+Solaris 2.x note: the syslog daemon depends on the m4 macro processor.
+The m4 program is installed as part of the software developer packages.
+
+Trouble shooting note: when the syslogging does not work as expected,
+run the program by hand (`syslogd -d') and see what really happens.
+
+4 - Features
+------------
+
+4.1 - Access control
+--------------------
+
+When compiled with -DHOSTS_ACCESS, the wrapper programs support a
+simple form of access control.  Access can be controlled per host, per
+service, or combinations thereof. The software provides hooks for the
+execution of shell commands when an access control rule fires; this
+feature may be used to install "booby traps".  For details, see the
+hosts_access.5 manual page, which is in `nroff -man' format. A later
+section describes how you can test your access control rules.
+
+Access control can also be used to connect clients to the "right"
+service. What is right may depend on the requested service, the origin
+of the request, and what host address the client connects to. Examples:
+
+(1) A gopher or www database speaks native language when contacted from
+    within the country, otherwise it speaks English.
+
+(2) A service provider offers different ftp, gopher or www services
+    with different internet hostnames from one host (section 4.6).
+
+Access control is enabled by default. It can be turned off by editing
+the Makefile, or by providing no access control tables. The install
+instructions below describe the Makefile editing process.
+
+The hosts_options.5 manual page (`nroff -man' format) documents an
+extended version of the access control language. The extensions are
+disabled by default. See the section below on language extensions.
+
+Later System V implementations provide the Transport Level Interface
+(TLI), a network programming interface that performs functions similar
+to the Berkeley socket programming interface.  Like Berkeley sockets,
+TLI was designed to cover multiple protocols, not just Internet.
+
+When the wrapper discovers that the TLI interface sits on top of a
+TCP/IP or UDP/IP conversation it uses this knowledge to provide the
+same functions as with traditional socket-based applications.  When
+some other protocol is used underneath TLI, the host address will be
+some universal magic cookie that may not even be usable for access
+control purposes.
+
+4.2 - Host name spoofing
+------------------------
+
+With some network applications, such as RSH or RLOGIN, the client host
+name plays an important role in the authentication process. Host name
+information can be reliable when lookups are done from a _local_ hosts
+table, provided that the client IP address can be trusted.
+
+With _distributed_ name services, authentication schemes that rely on
+host names become more problematic. The security of your system now may
+depend on some far-away DNS (domain name server) outside your own
+control. 
+
+The wrapper programs verify the client host name that is returned by
+the address->name DNS server, by asking for a second opinion.  To this
+end, the programs look at the name and addresses that are returned by
+the name->address DNS server, which may be an entirely different host. 
+
+If any name or address discrepancies are found, or if the second DNS
+opinion is not available, the wrappers assume that one of the two name
+servers is lying, and assume that the client host pretends to have
+someone elses host name.
+
+When compiled with -DPARANOID, the wrappers will always attempt to look
+up and double check the client host name, and will always refuse
+service in case of a host name/address discrepancy.  This is a
+reasonable policy for most systems.
+
+When compiled without -DPARANOID, the wrappers by default still perform
+hostname lookup. You can match hosts with a name/address discrepancy
+with the PARANOID wildcard and decide whether or not to grant service.
+
+Automatic hostname verification is enabled by default. Automatic
+hostname lookups and verification can be turned off by editing the
+Makefile. The configuration and installation section below describes
+the Makefile editing process.
+
+4.3 - Host address spoofing
+---------------------------
+
+While host name spoofing can be found out by asking a second opinion,
+it is much harder to find out that a host claims to have someone elses
+network address. And since host names are deduced from network
+addresses, address spoofing is at least as effective as name spoofing.
+
+The wrapper programs can give additional protection against hosts that
+claim to have an address that lies outside their own network.  For
+example, some far-away host that claims to be a trusted host within
+your own network. Such things are possible even while the impersonated
+system is up and running.
+
+This additional protection is not an invention of my own; it has been
+present for at least five years in the BSD rsh and rlogin daemons.
+Unfortunately, that feature was added *after* 4.3 BSD came out, so that
+very few, if any, UNIX vendors have adopted it.  Our site, and many
+other ones, has been running these enhanced daemons for several years,
+and without any ill effects.
+
+When the wrapper programs are compiled with -DKILL_IP_OPTIONS, the
+programs refuse to service TCP connections with IP source routing
+options. -DKILL_IP_OPTIONS is not needed on modern UNIX systems
+that can stop source-routed traffic in the kernel. Examples are
+4.4BSD derivatives, Solaris 2.x, and Linux. See your system manuals
+for details.
+
+If you are going to use this feature on SunOS 4.1.x you should apply
+patch 100804-03+ or 101790-something depending on your SunOS version.
+Otherwise you may experience "BAD TRAP" and "Data fault" panics when
+the getsockopt() system call is executed after a TCP RESET has been
+received. This is a kernel bug, it is not the fault of the wrappers.
+
+The feature is disabled by default. It can be turned on by editing the
+Makefile.  The configuration and installation section below describes
+the Makefile editing process.
+
+UDP services do not benefit from this additional protection. With UDP,
+all you can be certain of is the network packet's destination address.
+
+4.4 - Client username lookups
+-----------------------------
+
+The protocol proposed in RFC 931 provides a means to obtain the client
+user name from the client host.  The requirement is that the client
+host runs an RFC 931-compliant daemon. The information provided by such
+a daemon is not intended to be used for authentication purposes, but it
+can provide additional information about the owner of a TCP connection.
+
+The RFC 931 protocol has diverged into different directions (IDENT,
+TAP, RFC 1413). To add to the confusion, they all use the same network
+port.  The daemon wrappers implement a common subset of the protocols.
+
+There are some limitations: the number of hosts that run an RFC 931 (or
+compatible) daemon is limited (but growing); client user name lookups
+do not work for datagram (UDP) services. More seriously, client user
+name lookups can cause noticeable delays with connections from non-UNIX
+PCs. Recent PC software seem to have fixed this (for example NCSA
+telnet). The wrappers use a 10-second timeout for RFC931 lookups, to
+accommodate slow networks and slow hosts.
+
+By default, the wrappers will do username lookup only when the access
+control rules require them to do so (via user@host client patterns, see
+the hosts_access.5 manual page) or when the username is needed for
+%<letter> expansions.
+
+You can configure the wrappers to always perform client username
+lookups, by editing the Makefile.  The client username lookup timeout
+period (10 seconds default) can be changed by editing the Makefile. The
+installation sections below describe the Makefile editing process.
+
+On System V with TLI-based network services, client username lookups
+will be possible only when the underlying network protocol is TCP/IP.
+
+4.5 - Language extensions
+-------------------------
+
+The wrappers sport only a limited number of features. This is for a
+good reason: programs that run at high privilege levels must be easy to
+verify. And the smaller a program, the easier to verify. There is,
+however, a provision to add features.
+
+The options.c module provides a framework for language extensions.
+Quite a few extensions have already been implemented; they are
+documented in the hosts_options.5 document, which is in `nroff -man'
+format. Examples: changing the severity level at which a request for
+service is logged; "allow" and "deny" keywords; running a customized
+server instead of the standard one; many others.
+
+The language extensions are not enabled by default because they
+introduce an incompatible change to the access control language
+syntax.  Instructions to enable the extensions are given in the
+Makefile.
+
+4.6 - Multiple ftp/gopher/www archives on one host
+--------------------------------------------------
+
+Imagine one host with multiple internet addresses. These addresses do
+not need to have the same internet hostname. Thus, it is possible to
+offer services with different internet hostnames from just one host.
+
+Service providers can use this to offer organizations a presence on the
+"net" with their own internet hostname, even when those organizations
+aren't connected to the Internet at all.  To the end user it makes no
+difference, because applications use internet hostnames.
+
+There are several ways to assign multiple addresses to one machine.
+The nice way is to take an existing network interface and to assign
+additional internet addresses with the `ifconfig' command. Examples:
+
+    Solaris 2:	ifconfig le0:1 <address> netmask <mask> up
+    4.4 BSD:	ifconfig en0 alias <address> netmask <mask>
+
+On other systems one has to increase the number of network interfaces:
+either with hardware interfaces, or with pseudo interfaces like SLIP or
+PPP.  The interfaces do not need to be attached to anything. They just
+need to be up and to be assigned a suitable internet address and mask.
+
+With the wrapper software, `daemon@host' access control patterns can be
+used to distinguish requests by the network address that they are aimed
+at.  Judicious use of the `twist' option (see the hosts_options.5 file,
+`nroff -man' format) can guide the requests to the right server.  These
+can be servers that live in separate chroot areas, or servers modified
+to take additional context from the command line, or a combination.
+
+Another way is to modify gopher or www listeners so that they bind to
+only one specific network address. Multiple gopher or www servers can
+then be run side by side, each taking requests sent to its respective
+network address.
+
+4.7 - Banner messages
+---------------------
+
+Some sites are required to present an informational message to users
+before they attempt to login.  Banner messages can also be useful when
+denying service:  instead of simply dropping the connection a polite
+explanation is given first. Finally, banners can be used to give your
+system a more personal touch.
+
+The wrapper software provides easy-to-use tools to generate pre-login
+banners for ftp, telnet, rlogin etc. from a single prototype banner
+textfile.  Details on banners and on-the-fly %<letter> expansions are
+given in the hosts_options.5 manual page (`nroff -man' format). An
+example is given in the file Banners.Makefile.
+
+In order to support banner messages the wrappers have to be built with
+language extensions enabled. See the section on language extensions.
+
+4.8 - Sequence number guessing
+------------------------------
+
+Recently, systems came under attack from intruders that exploited a
+well-known weakness in TCP/IP sequence number generators.  This
+weakness allows intruders to impersonate trusted hosts. Break-ins have
+been reported via the rsh service. In fact, any network service can be
+exploited that trusts the client host name or address.
+
+A long-term solution is to stop using network services that trust the
+client host name or address, and to use data encryption instead.
+
+A short-term solution, as outlined in in CERT advisory CA-95:01, is to
+configure network routers so that they discard datagrams from "outside"
+with an "inside" source address. This approach is most fruitful when
+you do not trust any hosts outside your local network.
+
+The IDENT (RFC931 etc.) client username lookup protocol can help to
+detect host impersonation attacks.  Before accepting a client request,
+the wrappers can query the client's IDENT server and find out that the
+client never sent that request.
+
+When the client host provides IDENT service, a negative IDENT lookup
+result (the client matches `UNKNOWN@host') is strong evidence of a host
+impersonation attack.
+
+A positive IDENT lookup result (the client matches `KNOWN@host') is
+less trustworthy.  It is possible for an attacker to spoof both the
+client request and the IDENT lookup connection, although doing so
+should be much harder than spoofing just a client request. Another
+possibility is that the client's IDENT server is lying.
+
+Client username lookups are described in more detail in a previous
+section. Pointers to IDENT daemon software are described in the section
+on related software.
+
+5 - Other works
+---------------
+
+5.1 - Related documents
+-----------------------
+
+The war story behind the tcp wrapper tools is described in:
+
+    W.Z. Venema, "TCP WRAPPER, network monitoring, access control and
+    booby traps", UNIX Security Symposium III Proceedings (Baltimore),
+    September 1992. 
+
+    ftp.win.tue.nl:/pub/security/tcp_wrapper.ps.Z (postscript)
+    ftp.win.tue.nl:/pub/security/tcp_wrapper.txt.Z (flat text)
+
+The same cracker is also described in:
+
+    W.R. Cheswick, "An Evening with Berferd, In Which a Cracker is
+    Lured, Endured, and Studied", Proceedings of the Winter USENIX
+    Conference (San Francisco), January 1992.
+
+    research.att.com:/dist/internet_security/berferd.ps
+
+An updated version of the latter paper appeared in:
+
+    W.R. Cheswick, S.M. Bellovin, "Firewalls and Internet Security",
+    Addison-Wesley, 1994.
+
+Discussions on internet firewalls are archived on ftp.greatcircle.com.
+Subscribe to the mailing list by sending a message to 
+
+    majordomo@greatcircle.com
+
+With in the body (not subject): subscribe firewalls.
+
+5.2 - Related software
+----------------------
+
+Network daemons etc. with enhanced logging capabilities can generate
+massive amounts of information: our 150+ workstations generate several
+hundred kbytes each day. egrep-based filters can help to suppress some
+of the noise.  A more powerful tool is the Swatch monitoring system by
+Stephen E. Hansen and E. Todd Atkins. Swatch can process log files in
+real time and can associate arbitrary actions with patterns; its
+applications are by no means restricted to security.  Swatch is
+available ftp.stanford.edu, directory /general/security-tools/swatch.
+
+Socks, described in the UNIX Security III proceedings, can be used to
+control network traffic from hosts on an internal network, through a
+firewall host, to the outer world. Socks consists of a daemon that is
+run on the firewall host, and of a library with routines that redirect
+application socket calls through the firewall daemon.  Socks is
+available from s1.gov in /pub/firewalls/socks.tar.Z.
+
+For a modified Socks version by Ying-Da Lee (ylee@syl.dl.nec.com) try
+ftp.nec.com, directory /pub/security/socks.cstc.
+
+Tcpr is a set of perl scripts by Paul Ziemba that enable you to run ftp
+and telnet commands across a firewall. Unlike socks it can be used with
+unmodified client software. Available from ftp.alantec.com, /pub/tcpr.
+
+The TIS firewall toolkit provides a multitude of tools to build your
+own internet firewall system. ftp.tis.com, directory /pub/firewalls.
+
+Versions of rshd and rlogind, modified to report the client user name
+in addition to the client host name, are available for anonymous ftp
+(ftp.win.tue.nl:/pub/security/logdaemon-XX.tar.Z).  These programs are
+drop-in replacements for SunOS 4.x, Ultrix 4.x, SunOS 5.x and HP-UX
+9.x. This archive also contains ftpd/rexecd/login versions that support
+S/Key or SecureNet one-time passwords in addition to traditional UNIX
+reusable passwords.
+
+The securelib shared library by William LeFebvre can be used to control
+access to network daemons that are not run under control of the inetd
+or that serve more than one client, such as the NFS mount daemon that
+runs until the machine goes down.  Available from eecs.nwu.edu, file
+/pub/securelib.tar.
+
+xinetd (posted to comp.sources.unix) is an inetd replacement that
+provides, among others, logging, username lookup and access control.
+However, it does not support the System V TLI services, and involves
+much more source code than the daemon wrapper programs. Available
+from ftp.uu.net, directory /usenet/comp.sources.unix.
+
+netlog from Texas A&M relies on the SunOS 4.x /dev/nit interface to
+passively watch all TCP and UDP network traffic on a network.  The
+current version is on net.tamu.edu in /pub/security/TAMU.
+
+Where shared libraries or router-based packet filtering are not an
+option, an alternative portmap daemon can help to prevent hackers
+from mounting your NFS file systems using the proxy RPC facility.
+ftp.win.tue.nl:/pub/security/portmap-X.shar.Z was tested with SunOS
+4.1.X Ultrix 3.0 and Ultrix 4.x, HP-UX 8.x and some version of AIX. The
+protection is less effective than that of the securelib library because
+portmap is mostly a dictionary service.
+
+An rpcbind replacement (the Solaris 2.x moral equivalent of portmap)
+can be found on ftp.win.tue.nl in /pub/security. It prevents hackers
+from mounting your NFS file systems by using the proxy RPC facility.
+
+Source for a portable RFC 931 (TAP, IDENT, RFC 1413) daemon by Peter
+Eriksson is available from ftp.lysator.liu.se:/pub/ident/servers.
+
+Some TCP/IP implementations come without syslog library. Some come with
+the library but have no syslog daemon. A replacement can be found in
+ftp.win.tue.nl:/pub/security/surrogate-syslog.tar.Z.  The fakesyslog
+library that comes with the nntp sources reportedly works well, too.
+
+6 - Limitations
+---------------
+
+6.1 - Known wrapper limitations
+-------------------------------
+
+Many UDP (and rpc/udp) daemons linger around for a while after they
+have serviced a request, just in case another request comes in.  In the
+inetd configuration file these daemons are registered with the `wait'
+option. Only the request that started such a daemon will be seen by the
+wrappers.  Such daemons are better protected with the securelib shared
+library (see: Related software).
+
+The wrappers do not work with RPC services over TCP. These services are
+registered as rpc/tcp in the inetd configuration file. The only non-
+trivial service that is affected by this limitation is rexd, which is
+used by the on(1) command. This is no great loss.  On most systems,
+rexd is less secure than a wildcard in /etc/hosts.equiv.
+
+Some RPC requests (for example: rwall, rup, rusers) appear to come from
+the server host. What happens is that the client broadcasts its request
+to all portmap daemons on its network; each portmap daemon forwards the
+request to a daemon on its own system. As far as the rwall etc.  daemons
+know, the request comes from the local host.
+
+Portmap and RPC (e.g. NIS and NFS) (in)security is a topic in itself.
+See the section in this document on related software.
+
+6.2 - Known system software bugs
+--------------------------------
+
+Workarounds have been implemented for several bugs in system software.
+They are described in the Makefile. Unfortunately, some system software
+bugs cannot be worked around. The result is loss of functionality.
+
+IRIX has so many bugs that it has its own README.IRIX file.
+
+Older ConvexOS versions come with a broken recvfrom(2) implementation.
+This makes it impossible for the daemon wrappers to look up the
+client host address (and hence, the name) in case of UDP requests.
+A patch is available for ConvexOS 10.1; later releases should be OK.
+
+With early Solaris (SunOS 5) versions, the syslog daemon will leave
+behind zombie processes when writing to logged-in users.  Workaround:
+increase the syslogd threshold for logging to users, or reduce the
+wrapper's logging severity.
+
+On some systems, the optional RFC 931 etc. client username lookups may
+trigger a kernel bug.  When a client host connects to your system, and
+the RFC 931 connection from your system to that client is rejected by a
+router, your kernel may drop all connections with that client.  This is
+not a bug in the wrapper programs: complain to your vendor, and don't
+enable client user name lookups until the bug has been fixed.
+
+Reportedly, SunOS 4.1.1, Next 2.0a, ISC 3.0 with TCP 1.3, and AIX 3.2.2
+and later are OK.
+
+Sony News/OS 4.51, HP-UX 8-something and Ultrix 4.3 still have the bug.
+Reportedly, a fix for Ultrix is available (CXO-8919).
+
+The following procedure can be used (from outside the tue.nl domain) to
+find out if your kernel has the bug. From the system under test, do:
+
+        % ftp 131.155.70.19
+
+This command attempts to make an ftp connection to our anonymous ftp
+server (ftp.win.tue.nl).  When the connection has been established, run
+the following command from the same system under test, while keeping
+the ftp connection open:
+
+        % telnet 131.155.70.19 111
+
+Do not forget the `111' at the end of the command. This telnet command
+attempts to connect to our portmap process.  The telnet command should
+fail with:  "host not reachable", or with a timeout error. If your ftp
+connection gets messed up, you have the bug. If the telnet command does
+not fail, please let me know a.s.a.p.!
+
+For those who care, the bug is that the BSD kernel code was not careful
+enough with incoming ICMP UNREACHABLE control messages (it ignored the
+local and remote port numbers, and therefore zapped *all* connections
+with the remote system). The bug is still present in the BSD NET/1
+source release (1989) but apparently has been fixed in BSD NET/2 (1991). 
+
+7 - Configuration and installation
+----------------------------------
+
+7.1 - Easy configuration and installation
+-----------------------------------------
+
+The "easy" recipe requires no changes to existing software or
+configuration files.  Basically, you move the daemons that you want to
+protect to a different directory and plug the resulting holes with
+copies of the wrapper programs.
+
+If you don't run Ultrix, you won't need the miscd wrapper program.  The
+miscd daemon implements among others the SYSTAT service, which produces
+the same output as the WHO command.
+
+Type `make' and follow the instructions.  The Makefile comes with
+ready-to-use templates for many common UNIX implementations (sun,
+ultrix, hp-ux, aix, irix,...). 
+
+IRIX has so many bugs that it has its own README.IRIX file.
+
+When the `make' succeeds the result is five executables (six in case of
+Ultrix).
+
+You can use the `tcpdchk' program to identify the most common problems
+in your wrapper and inetd configuration files.  
+
+With the `tcpdmatch' program you can examine how the wrapper would
+react to specific requests for service.  
+
+The `safe_finger' command should be used when you implement booby
+traps:  it gives better protection against nasty stuff that remote
+hosts may do in response to your finger probes.
+
+The `try-from' program tests the host and username lookup code.  Run it
+from a remote shell command (`rsh host /some/where/try-from') and it
+should be able to figure out from what system it is being called.
+
+The tcpd program can be used to monitor the telnet, finger, ftp, exec,
+rsh, rlogin, tftp, talk, comsat and other tcp or udp services that have
+a one-to-one mapping onto executable files.
+
+The tcpd program can also be used for services that are marked as
+rpc/udp in the inetd configuration file, but not for rpc/tcp services
+such as rexd.  You probably do not want to run rexd anyway. On most
+systems it is even less secure than a wildcard in /etc/hosts.equiv.
+
+With System V.4-style systems, the tcpd program can also handle TLI
+services. When TCP/IP or UDP/IP is used underneath TLI, tcpd provides
+the same functions as with socket-based applications. When some other
+protocol is used underneath TLI, functionality will be limited (no
+client username lookups, weird network address formats).
+
+Decide which services you want to monitor. Move the corresponding
+vendor-provided daemon programs to the location specified by the
+REAL_DAEMON_DIR constant in the Makefile, and fill the holes with
+copies of the tcpd program. That is, one copy of (or link to) the tcpd
+program for each service that you want to monitor. For example, to
+monitor the use of your finger service:
+
+    # mkdir REAL_DAEMON_DIR
+    # mv /usr/etc/in.fingerd REAL_DAEMON_DIR
+    # cp tcpd /usr/etc/in.fingerd
+
+The example applies to SunOS 4. With other UNIX implementations the
+network daemons live in /usr/libexec, /usr/sbin or in /etc, or have no
+"in." prefix to their names, but you get the idea.
+
+File protections: the wrapper, all files used by the wrapper, and all
+directories in the path leading to those files, should be accessible
+but not writable for unprivileged users (mode 755 or mode 555). Do not
+install the wrapper set-uid.
+
+Ultrix only:  If you want to monitor the SYSTAT service, move the
+vendor-provided miscd daemon to the location specified by the
+REAL_DAEMON_DIR macro in the Makefile, and install the miscd wrapper
+at the original miscd location.
+
+In the absence of any access-control tables, the daemon wrappers
+will just maintain a record of network connections made to your system.
+
+7.2 - Advanced configuration and installation
+---------------------------------------------
+
+The advanced recipe leaves your daemon executables alone, but involves
+simple modifications to the inetd configuration file.
+
+Type `make' and follow the instructions.  The Makefile comes with
+ready-to-use templates for many common UNIX implementations (sun,
+ultrix, hp-ux, aix, irix, ...). 
+
+IRIX users should read the warnings in the README.IRIX file first.
+
+When the `make' succeeds the result is five executables (six in case of
+Ultrix).
+
+You can use the `tcpdchk' program to identify the most common problems
+in your wrapper and inetd configuration files.  
+
+With the `tcpdmatch' program you can examine how the wrapper would
+react to specific requests for service.  
+
+The `try-from' program tests the host and username lookup code.  Run it
+from a remote shell command (`rsh host /some/where/try-from') and it
+should be able to figure out from what system it is being called.
+
+The `safe_finger' command should be used when you implement a booby
+trap:  it gives better protection against nasty stuff that remote hosts
+may do in response to your finger probes.
+
+The tcpd program can be used to monitor the telnet, finger, ftp, exec,
+rsh, rlogin, tftp, talk, comsat and other tcp or udp services that have
+a one-to-one mapping onto executable files.
+
+With System V.4-style systems, the tcpd program can also handle TLI
+services. When TCP/IP or UDP/IP is used underneath TLI, tcpd provides
+the same functions as with socket-based applications. When some other
+protocol is used underneath TLI, functionality will be limited (no
+client username lookups, weird network address formats).
+
+The tcpd program can also be used for services that are marked as
+rpc/udp in the inetd configuration file, but not for rpc/tcp services
+such as rexd.  You probably do not want to run rexd anyway. On most
+systems it is even less secure than a wildcard in /etc/hosts.equiv.
+
+Install the tcpd command in a suitable place. Apollo UNIX users will
+want to install it under a different name because the name "tcpd" is
+already taken; a suitable name would be "frontd".  
+
+File protections: the wrapper, all files used by the wrapper, and all
+directories in the path leading to those files, should be accessible
+but not writable for unprivileged users (mode 755 or mode 555). Do not
+install the wrapper set-uid.
+
+Then perform the following edits on the inetd configuration file
+(usually /etc/inetd.conf or /etc/inet/inetd.conf):
+
+    finger  stream  tcp     nowait  nobody  /usr/etc/in.fingerd     in.fingerd
+                                            ^^^^^^^^^^^^^^^^^^^
+becomes:
+
+    finger  stream  tcp     nowait  nobody  /usr/etc/tcpd           in.fingerd
+                                            ^^^^^^^^^^^^^
+Send a `kill -HUP' to the inetd process to make the change effective.
+Some IRIX inetd implementations require that you first disable the
+finger service (comment out the finger service and `kill -HUP' the
+inetd) before you can turn on the modified version. Sending a HUP
+twice seems to work just as well for IRIX 5.3, 6.0, 6.0.1 and 6.1.
+
+AIX note: you may have to execute the `inetimp' command after changing
+the inetd configuration file.
+
+The example applies to SunOS 4. With other UNIX implementations the
+network daemons live in /usr/libexec, /usr/sbin, or /etc, the network
+daemons have no "in." prefix to their names, or the username field in
+the inetd configuration file may be missing.
+
+When the finger service works as expected you can perform similar
+changes for other network services. Do not forget the `kill -HUP'.
+
+The miscd daemon that comes with Ultrix implements several network
+services. It decides what to do by looking at its process name. One of
+the services is systat, which is a kind of limited finger service.  If
+you want to monitor the systat service, install the miscd wrapper in a
+suitable place and update the inetd configuration file:
+
+    systat  stream  tcp     nowait  /suitable/place/miscd      systatd
+
+Ultrix 4.3 allows you to specify a user id under which the daemon will
+be executed. This feature is not documented in the manual pages.  Thus,
+the example would become:
+
+    systat  stream  tcp     nowait  nobody /suitable/place/miscd    systatd
+
+Older Ultrix systems still run all their network daemons as root.
+
+In the absence of any access-control tables, the daemon wrappers
+will just maintain a record of network connections made to your system.
+
+7.3 - Daemons with arbitrary path names
+---------------------------------------
+
+The above tcpd examples work fine with network daemons that live in a
+common directory, but sometimes that is not practical. Having soft
+links all over your file system is not a clean solution, either.
+
+Instead you can specify, in the inetd configuration file, an absolute
+path name for the daemon process name.  For example,
+
+    ntalk   dgram   udp     wait    root    /usr/etc/tcpd /usr/local/lib/ntalkd
+
+When the daemon process name is an absolute path name, tcpd ignores the
+value of the REAL_DAEMON_DIR constant, and uses the last path component
+of the daemon process name for logging and for access control.
+
+7.4 - Building and testing the access control rules
+---------------------------------------------------
+
+In order to support access control the wrappers must be compiled with
+the -DHOSTS_ACCESS option. The access control policy is given in the
+form of two tables (default: /etc/hosts.allow and /etc/hosts.deny).
+Access control is disabled when there are no access control tables, or
+when the tables are empty.
+
+If you haven't used the wrappers before I recommend that you first run
+them a couple of days without any access control restrictions. The
+logfile records should give you an idea of the process names and of the
+host names that you will have to build into your access control rules.
+
+The syntax of the access control rules is documented in the file
+hosts_access.5, which is in `nroff -man' format. This is a lengthy
+document, and no-one expects you to read it right away from beginning
+to end.  Instead, after reading the introductory section, skip to the
+examples at the end so that you get a general idea of the language.
+Then you can appreciate the detailed reference sections near the
+beginning of the document.
+
+The examples in the hosts_access.5 document (`nroff -man' format) show
+two specific types of access control policy:  1) mostly closed (only
+permitting access from a limited number of systems) and 2) mostly open
+(permitting access from everyone except a limited number of trouble
+makers). You will have to choose what model suits your situation best.
+Implementing a mixed policy should not be overly difficult either.
+
+Optional extensions to the access control language are described in the
+hosts_options.5 document (`nroff -man' format).
+
+The `tcpdchk' program examines all rules in your access control files
+and reports any problems it can find. `tcpdchk -v' writes to standard
+output a pretty-printed list of all rules. `tcpdchk -d' examines the
+hosts.access and hosts.allow files in the current directory. This
+program is described in the tcpdchk.8 document (`nroff -man' format).
+
+The `tcpdmatch' command can be used to try out your local access
+control files.  The command syntax is:
+
+    tcpdmatch process_name hostname (e.g.: tcpdmatch in.tftpd localhost)
+
+    tcpdmatch process_name address  (e.g.: tcpdmatch in.tftpd 127.0.0.1)
+
+This way you can simulate what decisions will be made, and what actions
+will be taken, when hosts connect to your own system. The program is
+described in the tcpdmatch.8 document (`nroff -man' format).
+
+Note 1: `tcpdmatch -d' will look for hosts.{allow,deny} tables in the
+current working directory. This is useful for testing new rules without
+bothering your users.
+
+Note 2: you cannot use the `tcpdmatch' command to simulate what happens
+when the local system connects to other hosts.
+
+In order to find out what process name to use, just use the service and
+watch the process name that shows up in the logfile.  Alternatively,
+you can look up the name from the inetd configuration file. Coming back
+to the tftp example in the tutorial section above:
+
+    tftp  dgram  udp  wait  root  /usr/etc/tcpd  in.tftpd -s /tftpboot
+
+This entry causes the inetd to run the wrapper program (tcpd) with a
+process name `in.tftpd'.  This is the name that the wrapper will use
+when scanning the access control tables. Therefore, `in.tftpd' is the
+process name that should be given to the `tcpdmatch' command. On your
+system the actual inetd.conf entry may differ (tftpd instead of
+in.tftpd, and no `root' field), but you get the idea.
+
+When you specify a host name, the `tcpdmatch' program will use both the
+host name and address. This way you can simulate the most common case
+where the wrappers know both the host address and the host name.  The
+`tcpdmatch' program will iterate over all addresses that it can find
+for the given host name.
+
+When you specify a host address instead of a host name, the `tcpdmatch'
+program will pretend that the host name is unknown, so that you can
+simulate what happens when the wrapper is unable to look up the client
+host name.
+
+7.5 - Other applications
+------------------------
+
+The access control routines can easily be integrated with other
+programs.  The hosts_access.3 manual page (`nroff -man' format)
+describes the external interface of the libwrap.a library.
+
+The tcpd program can even be used to control access to the mail
+service.  This can be useful when you suspect that someone is trying
+out some obscure sendmail bug, or when a remote site is misconfigured
+and keeps hammering your mail daemon.
+
+In that case, sendmail should not be run as a stand-alone network
+listener, but it should be registered in the inetd configuration file.
+For example:
+
+    smtp    stream  tcp     nowait  root    /usr/etc/tcpd /usr/lib/sendmail -bs
+
+You will still need to run one sendmail background process to handle
+queued-up outgoing mail. A command like:
+
+    /usr/lib/sendmail -q15m
+
+(no `-bd' flag) should take care of that. You cannot really prevent
+people from posting forged mail this way, because there are many
+unprotected smtp daemons on the network.
+
+8 - Acknowledgements
+--------------------
+
+Many people contributed to the evolution of the programs, by asking
+inspiring questions, by suggesting features or bugfixes, or by
+submitting source code.  Nevertheless, all mistakes and bugs in the
+wrappers are my own.
+
+Thanks to Brendan Kehoe (cs.widener.edu), Heimir Sverrisson (hafro.is)
+and Dan Bernstein (kramden.acf.nyu.edu) for feedback on an early
+release of this product.  The host name/address check was suggested by
+John Kimball (src.honeywell.com).  Apollo's UNIX environment has some
+peculiar quirks: Willem-Jan Withagen (eb.ele.tue.nl), Pieter
+Schoenmakers (es.ele.tue.nl) and Charles S. Fuller (wccs.psc.edu)
+provided assistance.  Hal R.  Brand (addvax.llnl.gov) told me how to
+get the client IP address in case of datagram-oriented services, and
+suggested the optional shell command feature.  Shabbir Safdar
+(mentor.cc.purdue.edu) provided a first version of a much-needed manual
+page.  Granville Boman Goza, IV (sei.cmu.edu) suggested to use the
+client IP address even when the host name is available.  Casper H.S.
+Dik (fwi.uva.nl) provided additional insight into DNS spoofing
+techniques.  The bogus daemon feature was inspired by code from Andrew
+Macpherson (BNR Europe Ltd).  Steve Bellovin (research.att.com)
+confirmed some of my suspicions about the darker sides of TCP/IP
+insecurity. Risks of automated fingers were pointed out by Borja Marcos
+(we.lc.ehu.es). Brad Plecs (jhuspo.ca.jhu.edu) was kind enough to try
+my early TLI code and to work out how DG/UX differs from Solaris.
+
+John P.  Rouillard (cs.umb.edu) deserves special mention for his
+persistent, but constructive, nagging about wrong or missing things,
+and for trying out and discussing embryonic code or ideas.
+
+Last but not least, Howard Chu (hanauma.jpl.nasa.gov), Darren Reed
+(coombs.anu.edu.au), Icarus Sparry (gdr.bath.ac.uk), Scott Schwartz
+(cs.psu.edu), John A. Kunze (violet.berkeley.edu), Daniel Len Schales
+(engr.latech.edu), Chris Turbeville (cse.uta.edu), Paul Kranenburg
+(cs.few.eur.nl), Marc Boucher (cam.org), Dave Mitchell
+(dcs.shef.ac.uk), Andrew Maffei, Adrian van Bloois, Rop Gonggrijp, John
+C. Wingenbach, Everett F. Batey  and many, many others provided fixes,
+code fragments, or ideas for improvements.
+
+        Wietse Venema (wietse@wzv.win.tue.nl)
+        Department of Mathematics and Computing Science
+        Eindhoven University of Technology
+        P.O. Box 513
+        5600 MB Eindhoven
+        The Netherlands
+
+	Currently visiting IBM T.J. Watson Research, Hawthorne NY, USA.
diff --git a/tcp_wrappers_7.6/README.IRIX b/tcp_wrappers_7.6/README.IRIX
new file mode 100644
index 0000000..56d2bea
--- /dev/null
+++ b/tcp_wrappers_7.6/README.IRIX
@@ -0,0 +1,54 @@
+@(#) README.IRIX 1.2 94/12/28 18:45:58
+
+In the past few months I received several messages with questions from
+people that tried to use my tcp wrapper on IRIX 5.x. Some mysteries
+could be solved via email, and then some remained.
+
+Today I finally had a chance to do some tests on someones IRIX 5.2
+system.  Here is my first-hand experience with wrapper release 6.3.
+
+(1) Inetd is broken. Normally one edits inetd.conf, sends a HUP signal
+    to inetd and that's it. With IRIX evil things happen:  inetd is too
+    stupid to remember that it is already listening on a port.
+
+    In order to modify an entry in inetd.conf, first comment it out
+    with a # at the beginning of the line, kill -HUP the inetd, then
+    uncomment the inetd.conf entry and kill -HUP again.
+
+    Even with this amount of care I have seen inetd messing up, like
+    calling rusersd when I make a talk connection.  Even killing and
+    restarting inetd does not solve all problems.
+
+    I find it hard to believe, it but the best thing to do with IRIX is
+    to reboot after changing inetd.conf.
+
+(2) When tcpd is built according to the irix4 Makefile rules, it
+    appears to work as expected with TCP-based services such as
+    fingerd, and with UDP-based services such as ntalk and tftp.
+
+(3) It does NOT work with RPC over UDP services such as rusersd and
+    rstatd:  the wrapper hangs in the recvfrom() system call, and I
+    have spent several hours looking for ways to work around it. No
+    way.  After finding that none of the applicable socket primitives
+    can be made to work (recvfrom recvmsg) I give up. So, the IRIX RPC
+    services cannot be wrapped until SGI fixes their system so that it
+    works like everyone elses code (HP Sun Dec AIX and so on).
+
+(4) I didn't even bother to try the RPC over TCP services.
+
+(5) When an IRIX 5.2 system is a NIS client, it can have problems with
+    hosts that have more than one address: the wrapper will see only
+    one address, and may complain when PARANOID mode is on. The fix is
+    to change the name service lookup order in /etc/resolv.conf so that
+    your system tries DNS before NIS (hostresorder bind nis local).
+
+(6) IRIX 5.2 is not System V.4, and it shows. Do not link with the
+    -lsocket and -lnsl libraries. They are completely broken, and the
+    wrapper will be unable to figure out the client internet address.
+    So, TLI services cannot be wrapped until SGI fixes their system so
+    that it works the way it is supposed to.
+
+I am not impressed by the quality of the IRIX system software.  There
+are many things that work on almost every other system except with IRIX.
+
+	Wietse
diff --git a/tcp_wrappers_7.6/README.NIS b/tcp_wrappers_7.6/README.NIS
new file mode 100644
index 0000000..34d39e2
--- /dev/null
+++ b/tcp_wrappers_7.6/README.NIS
@@ -0,0 +1,207 @@
+@(#) README.NIS 1.2 96/02/11 17:24:52
+
+> Problem: I have several [machines] with multiple IP addresses, and
+> when they try to connect to a daemon with tcp wrapper, they are often
+> rejected.  I assume this is due to the -DPARANOID option, and depends
+> on which IP address is returned first from the nameserver for a given
+> name.   This behavior seems to be random, may depend on ordering in
+> the YP host map?
+
+[Note: the situation described below no longer exists. Presently, my
+internet gateway uses the same IP address on all interfaces.  To avoid
+confusion I have removed the old name wzv-gw.win.tue.nl from the DNS. I
+have kept the discussion below for educational reasons].
+
+NIS was not designed to handle multi-homed hosts.  With NIS, each
+address should have its own hostname. For example, wzv-gw is my
+gateway. It has two interfaces: one connected to the local ethernet,
+the other to a serial link. In the NIS it is registered as:
+
+        131.155.210.23  wzv-gw-ether
+        131.155.12.78   wzv-gw-slip
+
+In principle, wzv-gw could be the official name of one of these
+interfaces, or it could be an alias for both.
+
+The DNS was designed to handle multi-homed hosts. In the DNS my gateway
+is registered in zone win.tue.nl, with one name that has two A records:
+
+        wzv-gw  IN      A       131.155.210.23
+                IN      A       131.155.12.78
+
+And of course there are PTR records in zones 210.155.131.in-addr.arpa
+and 12.155.131.in-addr.arpa that point to wzv-gw.win.tue.nl.
+
+This setup does not cause any problems. You can test your name service
+with the two programs below. This is what they say on a local NIS client
+(both client and server running SunOS 4.1.3_U1):
+
+        % gethostbyname wzv-gw
+        Hostname:       wzv-gw.win.tue.nl
+        Aliases:        
+        Addresses:      131.155.210.23 131.155.12.78 
+
+        % gethostbyaddr 131.155.210.23
+        Hostname:       wzv-gw-ether
+        Aliases:        
+        Addresses:      131.155.210.23 
+
+        % gethostbyaddr 131.155.12.78
+        Hostname:       wzv-gw-slip
+        Aliases:        
+        Addresses:      131.155.12.78 
+
+Things seem less confusing when seen by a NIS client in a different
+domain (both client and server running SunOS 4.1.3_U1):
+
+        % gethostbyname wzv-gw.win.tue.nl
+        Hostname:       wzv-gw.win.tue.nl
+        Aliases:        
+        Addresses:      131.155.210.23 131.155.12.78 
+
+        % gethostbyaddr 131.155.210.23
+        Hostname:       wzv-gw.win.tue.nl
+        Aliases:        
+        Addresses:      131.155.12.78 131.155.210.23
+
+        % gethostbyaddr 131.155.12.78
+        Hostname:       wzv-gw.win.tue.nl
+        Aliases:        
+        Addresses:      131.155.210.23 131.155.12.78
+
+Alas, Solaris 2.4 still has problems. This is what I get on a Solaris
+2.4 NIS client, with a SunOS 4.1.3_U1 NIS server:
+
+	% gethostbyname wzv-gw.win.tue.nl
+	Hostname:       wzv-gw.win.tue.nl
+	Aliases:        131.155.210.23 wzv-gw.win.tue.nl 
+	Addresses:      131.155.12.78 
+
+The tcpd source comes with a workaround for this problem. The
+workaround is ugly and is not part of the programs attached below.
+
+
+#! /bin/sh
+# This is a shell archive.  Remove anything before this line, then unpack
+# it by saving it into a file and typing "sh file".  To overwrite existing
+# files, type "sh file -c".  You can also feed this as standard input via
+# unshar, or by typing "sh <file", e.g..  If this archive is complete, you
+# will see the following message at the end:
+#		"End of shell archive."
+# Contents:  gethostbyaddr.c gethostbyname.c
+# Wrapped by wietse@wzv on Sun Jan  8 17:08:48 1995
+PATH=/bin:/usr/bin:/usr/ucb ; export PATH
+if test -f gethostbyaddr.c -a "${1}" != "-c" ; then 
+  echo shar: Will not over-write existing file \"gethostbyaddr.c\"
+else
+echo shar: Extracting \"gethostbyaddr.c\" \(1073 characters\)
+sed "s/^X//" >gethostbyaddr.c <<'END_OF_gethostbyaddr.c'
+X /*
+X  * gethostbyaddr tester. compile with:
+X  * 
+X  * cc -o gethostbyaddr gethostbyaddr.c (SunOS 4.x)
+X  * 
+X  * cc -o gethostbyaddr gethostbyaddr.c -lnsl (SunOS 5.x)
+X  * 
+X  * run as: gethostbyaddr address
+X  * 
+X  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+X  */
+X
+X#include <sys/types.h>
+X#include <sys/socket.h>
+X#include <netinet/in.h>
+X#include <arpa/inet.h>
+X#include <netdb.h>
+X#include <stdio.h>
+X
+Xmain(argc, argv)
+Xint     argc;
+Xchar  **argv;
+X{
+X    struct hostent *hp;
+X    long    addr;
+X
+X    if (argc != 2) {
+X	fprintf(stderr, "usage: %s i.p.addres\n", argv[0]);
+X	exit(1);
+X    }
+X    addr = inet_addr(argv[1]);
+X    if (hp = gethostbyaddr((char *) &addr, sizeof(addr), AF_INET)) {
+X	printf("Hostname:\t%s\n", hp->h_name);
+X	printf("Aliases:\t");
+X	while (hp->h_aliases[0])
+X	    printf("%s ", *hp->h_aliases++);
+X	printf("\n");
+X	printf("Addresses:\t");
+X	while (hp->h_addr_list[0])
+X	    printf("%s ", inet_ntoa(*(struct in_addr *) * hp->h_addr_list++));
+X	printf("\n");
+X	exit(0);
+X    }
+X    fprintf(stderr, "host %s not found\n", argv[1]);
+X    exit(1);
+X}
+END_OF_gethostbyaddr.c
+if test 1073 -ne `wc -c <gethostbyaddr.c`; then
+    echo shar: \"gethostbyaddr.c\" unpacked with wrong size!
+fi
+# end of overwriting check
+fi
+if test -f gethostbyname.c -a "${1}" != "-c" ; then 
+  echo shar: Will not over-write existing file \"gethostbyname.c\"
+else
+echo shar: Extracting \"gethostbyname.c\" \(999 characters\)
+sed "s/^X//" >gethostbyname.c <<'END_OF_gethostbyname.c'
+X /*
+X  * gethostbyname tester. compile with:
+X  * 
+X  * cc -o gethostbyname gethostbyname.c (SunOS 4.x)
+X  * 
+X  * cc -o gethostbyname gethostbyname.c -lnsl (SunOS 5.x)
+X  * 
+X  * run as: gethostbyname hostname
+X  * 
+X  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+X  */
+X#include <sys/types.h>
+X#include <sys/socket.h>
+X#include <netinet/in.h>
+X#include <arpa/inet.h>
+X#include <netdb.h>
+X#include <stdio.h>
+X
+Xmain(argc, argv)
+Xint     argc;
+Xchar  **argv;
+X{
+X    struct hostent *hp;
+X
+X    if (argc != 2) {
+X	fprintf(stderr, "usage: %s hostname\n", argv[0]);
+X	exit(1);
+X    }
+X    if (hp = gethostbyname(argv[1])) {
+X	printf("Hostname:\t%s\n", hp->h_name);
+X	printf("Aliases:\t");
+X	while (hp->h_aliases[0])
+X	    printf("%s ", *hp->h_aliases++);
+X	printf("\n");
+X	printf("Addresses:\t");
+X	while (hp->h_addr_list[0])
+X	    printf("%s ", inet_ntoa(*(struct in_addr *) * hp->h_addr_list++));
+X	printf("\n");
+X	exit(0);
+X    } else {
+X	fprintf(stderr, "host %s not found\n", argv[1]);
+X	exit(1);
+X    }
+X}
+END_OF_gethostbyname.c
+if test 999 -ne `wc -c <gethostbyname.c`; then
+    echo shar: \"gethostbyname.c\" unpacked with wrong size!
+fi
+# end of overwriting check
+fi
+echo shar: End of shell archive.
+exit 0
diff --git a/tcp_wrappers_7.6/clean_exit.c b/tcp_wrappers_7.6/clean_exit.c
new file mode 100644
index 0000000..cb9d4f5
--- /dev/null
+++ b/tcp_wrappers_7.6/clean_exit.c
@@ -0,0 +1,42 @@
+ /*
+  * clean_exit() cleans up and terminates the program. It should be called
+  * instead of exit() when for some reason the real network daemon will not or
+  * cannot be run. Reason: in the case of a datagram-oriented service we must
+  * discard the not-yet received data from the client. Otherwise, inetd will
+  * see the same datagram again and again, and go into a loop.
+  * 
+  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+  */
+
+#ifndef lint
+static char sccsid[] = "@(#) clean_exit.c 1.4 94/12/28 17:42:19";
+#endif
+
+#include <stdio.h>
+
+extern void exit();
+
+#include "tcpd.h"
+
+/* clean_exit - clean up and exit */
+
+void    clean_exit(request)
+struct request_info *request;
+{
+
+    /*
+     * In case of unconnected protocols we must eat up the not-yet received
+     * data or inetd will loop.
+     */
+
+    if (request->sink)
+	request->sink(request->fd);
+
+    /*
+     * Be kind to the inetd. We already reported the problem via the syslogd,
+     * and there is no need for additional garbage in the logfile.
+     */
+
+    sleep(5);
+    exit(0);
+}
diff --git a/tcp_wrappers_7.6/diag.c b/tcp_wrappers_7.6/diag.c
new file mode 100644
index 0000000..e0bd792
--- /dev/null
+++ b/tcp_wrappers_7.6/diag.c
@@ -0,0 +1,69 @@
+ /*
+  * Routines to report various classes of problems. Each report is decorated
+  * with the current context (file name and line number), if available.
+  * 
+  * tcpd_warn() reports a problem and proceeds.
+  * 
+  * tcpd_jump() reports a problem and jumps.
+  * 
+  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+  */
+
+#ifndef lint
+static char sccsid[] = "@(#) diag.c 1.1 94/12/28 17:42:20";
+#endif
+
+/* System libraries */
+
+#include <syslog.h>
+#include <stdio.h>
+#include <setjmp.h>
+
+/* Local stuff */
+
+#include "tcpd.h"
+#include "mystdarg.h"
+
+struct tcpd_context tcpd_context;
+jmp_buf tcpd_buf;
+
+/* tcpd_diag - centralize error reporter */
+
+static void tcpd_diag(severity, tag, format, ap)
+int     severity;
+char   *tag;
+char   *format;
+va_list ap;
+{
+    char    fmt[BUFSIZ];
+
+    if (tcpd_context.file)
+	sprintf(fmt, "%s: %s, line %d: %s",
+		tag, tcpd_context.file, tcpd_context.line, format);
+    else
+	sprintf(fmt, "%s: %s", tag, format);
+    vsyslog(severity, fmt, ap);
+}
+
+/* tcpd_warn - report problem of some sort and proceed */
+
+void    VARARGS(tcpd_warn, char *, format)
+{
+    va_list ap;
+
+    VASTART(ap, char *, format);
+    tcpd_diag(LOG_ERR, "warning", format, ap);
+    VAEND(ap);
+}
+
+/* tcpd_jump - report serious problem and jump */
+
+void    VARARGS(tcpd_jump, char *, format)
+{
+    va_list ap;
+
+    VASTART(ap, char *, format);
+    tcpd_diag(LOG_ERR, "error", format, ap);
+    VAEND(ap);
+    longjmp(tcpd_buf, AC_ERROR);
+}
diff --git a/tcp_wrappers_7.6/environ.c b/tcp_wrappers_7.6/environ.c
new file mode 100644
index 0000000..e7f846d
--- /dev/null
+++ b/tcp_wrappers_7.6/environ.c
@@ -0,0 +1,224 @@
+/*
+ * Many systems have putenv() but no setenv(). Other systems have setenv()
+ * but no putenv() (MIPS). Still other systems have neither (NeXT). This is a
+ * re-implementation that hopefully ends all problems.
+ *
+ * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+ */
+
+#ifndef lint
+static char sccsid[] = "@(#) environ.c 1.2 94/03/23 16:09:46";
+#endif
+
+/* System libraries. */
+
+extern char **environ;
+extern char *strchr();
+extern char *strcpy();
+extern char *strncpy();
+extern char *malloc();
+extern char *realloc();
+extern int strncmp();
+extern void free();
+
+#ifdef no_memcpy
+#define memcpy(d,s,l) bcopy(s,d,l)
+#else
+extern char *memcpy();
+#endif
+
+/* Local stuff. */
+
+static int addenv();			/* append entry to environment */
+
+static int allocated = 0;		/* environ is, or is not, allocated */
+
+#define DO_CLOBBER	1
+
+/* namelength - determine length of name in "name=whatever" */
+
+static int namelength(name)
+char   *name;
+{
+    char   *equal;
+
+    equal = strchr(name, '=');
+    return ((equal == 0) ? strlen(name) : (equal - name));
+}
+
+/* findenv - given name, locate name=value */
+
+static char **findenv(name, len)
+char   *name;
+int     len;
+{
+    char  **envp;
+
+    for (envp = environ; envp && *envp; envp++)
+	if (strncmp(name, *envp, len) == 0 && (*envp)[len] == '=')
+	    return (envp);
+    return (0);
+}
+
+/* getenv - given name, locate value */
+
+char   *getenv(name)
+char   *name;
+{
+    int     len = namelength(name);
+    char  **envp = findenv(name, len);
+
+    return (envp ? *envp + len + 1 : 0);
+}
+
+/* putenv - update or append environment (name,value) pair */
+
+int     putenv(nameval)
+char   *nameval;
+{
+    char   *equal = strchr(nameval, '=');
+    char   *value = (equal ? equal : "");
+
+    return (setenv(nameval, value, DO_CLOBBER));
+}
+
+/* unsetenv - remove variable from environment */
+
+void    unsetenv(name)
+char   *name;
+{
+    char  **envp;
+
+    if ((envp = findenv(name, namelength(name))) != 0)
+	while (envp[0] = envp[1])
+	    envp++;
+}
+
+/* setenv - update or append environment (name,value) pair */
+
+int     setenv(name, value, clobber)
+char   *name;
+char   *value;
+int     clobber;
+{
+    char   *destination;
+    char  **envp;
+    int     l_name;			/* length of name part */
+    int     l_nameval;			/* length of name=value */
+
+    /* Permit name= and =value. */
+
+    l_name = namelength(name);
+    envp = findenv(name, l_name);
+    if (envp != 0 && clobber == 0)
+	return (0);
+    if (*value == '=')
+	value++;
+    l_nameval = l_name + strlen(value) + 1;
+
+    /*
+     * Use available memory if the old value is long enough. Never free an
+     * old name=value entry because it may not be allocated.
+     */
+
+    destination = (envp != 0 && strlen(*envp) >= l_nameval) ?
+	*envp : malloc(l_nameval + 1);
+    if (destination == 0)
+	return (-1);
+    strncpy(destination, name, l_name);
+    destination[l_name] = '=';
+    strcpy(destination + l_name + 1, value);
+    return ((envp == 0) ? addenv(destination) : (*envp = destination, 0));
+}
+
+/* cmalloc - malloc and copy block of memory */
+
+static char *cmalloc(new_len, old, old_len)
+char   *old;
+int     old_len;
+{
+    char   *new = malloc(new_len);
+
+    if (new != 0)
+	memcpy(new, old, old_len);
+    return (new);
+}
+
+/* addenv - append environment entry */
+
+static int addenv(nameval)
+char   *nameval;
+{
+    char  **envp;
+    int     n_used;			/* number of environment entries */
+    int     l_used;			/* bytes used excl. terminator */
+    int     l_need;			/* bytes needed incl. terminator */
+
+    for (envp = environ; envp && *envp; envp++)
+	 /* void */ ;
+    n_used = envp - environ;
+    l_used = n_used * sizeof(*envp);
+    l_need = l_used + 2 * sizeof(*envp);
+
+    envp = allocated ?
+	(char **) realloc((char *) environ, l_need) :
+	(char **) cmalloc(l_need, (char *) environ, l_used);
+    if (envp == 0) {
+	return (-1);
+    } else {
+	allocated = 1;
+	environ = envp;
+	environ[n_used++] = nameval;		/* add new entry */
+	environ[n_used] = 0;			/* terminate list */
+	return (0);
+    }
+}
+
+#ifdef TEST
+
+ /*
+  * Stand-alone program for test purposes.
+  */
+
+/* printenv - display environment */
+
+static void printenv()
+{
+    char  **envp;
+
+    for (envp = environ; envp && *envp; envp++)
+	printf("%s\n", *envp);
+}
+
+int     main(argc, argv)
+int     argc;
+char  **argv;
+{
+    char   *cp;
+    int     changed = 0;
+
+    if (argc < 2) {
+	printf("usage: %s name[=value]...\n", argv[0]);
+	return (1);
+    }
+    while (--argc && *++argv) {
+	if (argv[0][0] == '-') {		/* unsetenv() test */
+	    unsetenv(argv[0] + 1);
+	    changed = 1;
+	} else if (strchr(argv[0], '=') == 0) {	/* getenv() test */
+	    cp = getenv(argv[0]);
+	    printf("%s: %s\n", argv[0], cp ? cp : "not found");
+	} else {				/* putenv() test */
+	    if (putenv(argv[0])) {
+		perror("putenv");
+		return (1);
+	    }
+	    changed = 1;
+	}
+    }
+    if (changed)
+	printenv();
+    return (0);
+}
+
+#endif /* TEST */
diff --git a/tcp_wrappers_7.6/eval.c b/tcp_wrappers_7.6/eval.c
new file mode 100644
index 0000000..72243d1
--- /dev/null
+++ b/tcp_wrappers_7.6/eval.c
@@ -0,0 +1,158 @@
+ /*
+  * Routines for controlled evaluation of host names, user names, and so on.
+  * They are, in fact, wrappers around the functions that are specific for
+  * the sockets or TLI programming interfaces. The request_info and host_info
+  * structures are used for result cacheing.
+  * 
+  * These routines allows us to postpone expensive operations until their
+  * results are really needed. Examples are hostname lookups and double
+  * checks, or username lookups. Information that cannot be retrieved is
+  * given the value "unknown" ("paranoid" in case of hostname problems).
+  * 
+  * When ALWAYS_HOSTNAME is off, hostname lookup is done only when required by
+  * tcpd paranoid mode, by access control patterns, or by %letter expansions.
+  * 
+  * When ALWAYS_RFC931 mode is off, user lookup is done only when required by
+  * access control patterns or %letter expansions.
+  * 
+  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+  */
+
+#ifndef lint
+static char sccsid[] = "@(#) eval.c 1.3 95/01/30 19:51:45";
+#endif
+
+/* System libraries. */
+
+#include <stdio.h>
+#include <string.h>
+
+/* Local stuff. */
+
+#include "tcpd.h"
+
+ /*
+  * When a string has the value STRING_UNKNOWN, it means: don't bother, I
+  * tried to look up the data but it was unavailable for some reason. When a
+  * host name has the value STRING_PARANOID it means there was a name/address
+  * conflict.
+  */
+char    unknown[] = STRING_UNKNOWN;
+char    paranoid[] = STRING_PARANOID;
+
+/* eval_user - look up user name */
+
+char   *eval_user(request)
+struct request_info *request;
+{
+    if (request->user[0] == 0) {
+	strcpy(request->user, unknown);
+	if (request->sink == 0 && request->client->sin && request->server->sin)
+	    rfc931(request->client->sin, request->server->sin, request->user);
+    }
+    return (request->user);
+}
+
+/* eval_hostaddr - look up printable address */
+
+char   *eval_hostaddr(host)
+struct host_info *host;
+{
+    if (host->addr[0] == 0) {
+	strcpy(host->addr, unknown);
+	if (host->request->hostaddr != 0)
+	    host->request->hostaddr(host);
+    }
+    return (host->addr);
+}
+
+/* eval_hostname - look up host name */
+
+char   *eval_hostname(host)
+struct host_info *host;
+{
+    if (host->name[0] == 0) {
+	strcpy(host->name, unknown);
+	if (host->request->hostname != 0)
+	    host->request->hostname(host);
+    }
+    return (host->name);
+}
+
+/* eval_hostinfo - return string with host name (preferred) or address */
+
+char   *eval_hostinfo(host)
+struct host_info *host;
+{
+    char   *hostname;
+
+#ifndef ALWAYS_HOSTNAME				/* no implicit host lookups */
+    if (host->name[0] == 0)
+	return (eval_hostaddr(host));
+#endif
+    hostname = eval_hostname(host);
+    if (HOSTNAME_KNOWN(hostname)) {
+	return (host->name);
+    } else {
+	return (eval_hostaddr(host));
+    }
+}
+
+/* eval_port - return string with the port */
+char   *eval_port(saddr)
+#ifdef INET6
+struct sockaddr *saddr;
+#else
+struct sockaddr_in *saddr;
+#endif
+{
+    static char port[16];
+    if (saddr != 0) {
+        sprintf(port, "%u",
+#ifdef INET6
+            ntohs(((struct sockaddr_in *)saddr)->sin_port));
+#else
+            ntohs(saddr->sin_port));
+#endif
+    } else {
+	strcpy(port, "0");
+    }
+    return (port);
+}
+
+/* eval_client - return string with as much about the client as we know */
+
+char   *eval_client(request)
+struct request_info *request;
+{
+    static char both[2 * STRING_LENGTH];
+    char   *hostinfo = eval_hostinfo(request->client);
+
+#ifndef ALWAYS_RFC931				/* no implicit user lookups */
+    if (request->user[0] == 0)
+	return (hostinfo);
+#endif
+    if (STR_NE(eval_user(request), unknown)) {
+	snprintf(both, sizeof(both), "%s@%s", request->user, hostinfo);
+	return (both);
+    } else {
+	return (hostinfo);
+    }
+}
+
+/* eval_server - return string with as much about the server as we know */
+
+char   *eval_server(request)
+struct request_info *request;
+{
+    static char both[2 * STRING_LENGTH];
+    char   *host = eval_hostinfo(request->server);
+    char   *daemon = eval_daemon(request);
+
+    if (STR_NE(host, unknown)) {
+	snprintf(both, sizeof(both), "%s@%s", daemon, host);
+	return (both);
+    } else {
+	return (daemon);
+    }
+}
diff --git a/tcp_wrappers_7.6/fakelog.c b/tcp_wrappers_7.6/fakelog.c
new file mode 100644
index 0000000..fa9e06e
--- /dev/null
+++ b/tcp_wrappers_7.6/fakelog.c
@@ -0,0 +1,62 @@
+ /*
+  * This module intercepts syslog() library calls and redirects their output
+  * to the standard output stream. For interactive testing.
+  * 
+  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+  */
+
+#ifndef lint
+static char sccsid[] = "@(#) fakelog.c 1.3 94/12/28 17:42:21";
+#endif
+
+#include <stdio.h>
+
+#include "mystdarg.h"
+
+/* openlog - dummy */
+
+/* ARGSUSED */
+
+openlog(name, logopt, facility)
+char   *name;
+int     logopt;
+int     facility;
+{
+    /* void */
+}
+
+/* vsyslog - format one record */
+
+vsyslog(severity, fmt, ap)
+int     severity;
+char   *fmt;
+va_list ap;
+{
+    char    buf[BUFSIZ];
+
+    vprintf(percent_m(buf, fmt), ap);
+    printf("\n");
+    fflush(stdout);
+}
+
+/* syslog - format one record */
+
+/* VARARGS */
+
+VARARGS(syslog, int, severity)
+{
+    va_list ap;
+    char   *fmt;
+
+    VASTART(ap, int, severity);
+    fmt = va_arg(ap, char *);
+    vsyslog(severity, fmt, ap);
+    VAEND(ap);
+}
+
+/* closelog - dummy */
+
+closelog()
+{
+    /* void */
+}
diff --git a/tcp_wrappers_7.6/fix_options.c b/tcp_wrappers_7.6/fix_options.c
new file mode 100644
index 0000000..3be0486
--- /dev/null
+++ b/tcp_wrappers_7.6/fix_options.c
@@ -0,0 +1,132 @@
+ /*
+  * Routine to disable IP-level socket options. This code was taken from 4.4BSD
+  * rlogind and kernel source, but all mistakes in it are my fault.
+  *
+  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+  */
+
+#ifndef lint
+static char sccsid[] = "@(#) fix_options.c 1.6 97/04/08 02:29:19";
+#endif
+
+#include <sys/types.h>
+#include <sys/param.h>
+#ifdef INET6
+#include <sys/socket.h>
+#endif
+#include <netinet/in.h>
+#include <netinet/in_systm.h>
+#include <netinet/ip.h>
+#include <netdb.h>
+#include <stdio.h>
+#include <syslog.h>
+
+#ifndef IPOPT_OPTVAL
+#define IPOPT_OPTVAL	0
+#define IPOPT_OLEN	1
+#endif
+
+#include "tcpd.h"
+
+#define BUFFER_SIZE	512		/* Was: BUFSIZ */
+
+/* fix_options - get rid of IP-level socket options */
+
+fix_options(request)
+struct request_info *request;
+{
+#ifdef IP_OPTIONS
+    unsigned char optbuf[BUFFER_SIZE / 3], *cp;
+    char    lbuf[BUFFER_SIZE], *lp;
+#ifdef __GLIBC__
+    size_t  optsize = sizeof(optbuf), ipproto;
+#else
+    int     optsize = sizeof(optbuf), ipproto;
+#endif
+    struct protoent *ip;
+    int     fd = request->fd;
+    unsigned int opt;
+    int     optlen;
+    struct in_addr dummy;
+#ifdef INET6
+    struct sockaddr_storage ss;
+    socklen_t sslen;
+
+    /*
+     * check if this is AF_INET socket
+     * XXX IPv6 support?
+     */
+    sslen = sizeof(ss);
+    if (getsockname(fd, (struct sockaddr *)&ss, &sslen) < 0) {
+	syslog(LOG_ERR, "getpeername: %m");
+	clean_exit(request);
+    }
+    if (ss.ss_family != AF_INET)
+	return;
+#endif
+
+    if ((ip = getprotobyname("ip")) != 0)
+	ipproto = ip->p_proto;
+    else
+	ipproto = IPPROTO_IP;
+
+    if (getsockopt(fd, ipproto, IP_OPTIONS, (char *) optbuf, &optsize) == 0
+	&& optsize != 0) {
+
+	/*
+	 * Horror! 4.[34] BSD getsockopt() prepends the first-hop destination
+	 * address to the result IP options list when source routing options
+	 * are present (see <netinet/ip_var.h>), but produces no output for
+	 * other IP options. Solaris 2.x getsockopt() does produce output for
+	 * non-routing IP options, and uses the same format as BSD even when
+	 * the space for the destination address is unused. The code below
+	 * does the right thing with 4.[34]BSD derivatives and Solaris 2, but
+	 * may occasionally miss source routing options on incompatible
+	 * systems such as Linux. Their choice.
+	 * 
+	 * Look for source routing options. Drop the connection when one is
+	 * found. Just wiping the IP options is insufficient: we would still
+	 * help the attacker by providing a real TCP sequence number, and the
+	 * attacker would still be able to send packets (blind spoofing). I
+	 * discussed this attack with Niels Provos, half a year before the
+	 * attack was described in open mailing lists.
+	 * 
+	 * It would be cleaner to just return a yes/no reply and let the caller
+	 * decide how to deal with it. Resident servers should not terminate.
+	 * However I am not prepared to make changes to internal interfaces
+	 * on short notice.
+	 */
+#define ADDR_LEN sizeof(dummy.s_addr)
+
+	for (cp = optbuf + ADDR_LEN; cp < optbuf + optsize; cp += optlen) {
+	    opt = cp[IPOPT_OPTVAL];
+	    if (opt == IPOPT_LSRR || opt == IPOPT_SSRR) {
+		syslog(LOG_WARNING,
+		   "refused connect from %s with IP source routing options",
+		       eval_client(request));
+		shutdown(fd, 2);
+		return;
+	    }
+	    if (opt == IPOPT_EOL)
+		break;
+	    if (opt == IPOPT_NOP) {
+		optlen = 1;
+	    } else {
+		optlen = cp[IPOPT_OLEN];
+		if (optlen <= 0)		/* Do not loop! */
+		    break;
+	    }
+	}
+	lp = lbuf;
+	for (cp = optbuf; optsize > 0; cp++, optsize--, lp += 3)
+	    sprintf(lp, " %2.2x", *cp);
+	syslog(LOG_NOTICE,
+	       "connect from %s with IP options (ignored):%s",
+	       eval_client(request), lbuf);
+	if (setsockopt(fd, ipproto, IP_OPTIONS, (char *) 0, optsize) != 0) {
+	    syslog(LOG_ERR, "setsockopt IP_OPTIONS NULL: %m");
+	    shutdown(fd, 2);
+	}
+    }
+#endif
+}
diff --git a/tcp_wrappers_7.6/fix_options.c.orig b/tcp_wrappers_7.6/fix_options.c.orig
new file mode 100644
index 0000000..7473adf
--- /dev/null
+++ b/tcp_wrappers_7.6/fix_options.c.orig
@@ -0,0 +1,128 @@
+ /*
+  * Routine to disable IP-level socket options. This code was taken from 4.4BSD
+  * rlogind and kernel source, but all mistakes in it are my fault.
+  *
+  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+  */
+
+#ifndef lint
+static char sccsid[] = "@(#) fix_options.c 1.6 97/04/08 02:29:19";
+#endif
+
+#include <sys/types.h>
+#include <sys/param.h>
+#ifdef INET6
+#include <sys/socket.h>
+#endif
+#include <netinet/in.h>
+#include <netinet/in_systm.h>
+#include <netinet/ip.h>
+#include <netdb.h>
+#include <stdio.h>
+#include <syslog.h>
+
+#ifndef IPOPT_OPTVAL
+#define IPOPT_OPTVAL	0
+#define IPOPT_OLEN	1
+#endif
+
+#include "tcpd.h"
+
+#define BUFFER_SIZE	512		/* Was: BUFSIZ */
+
+/* fix_options - get rid of IP-level socket options */
+
+fix_options(request)
+struct request_info *request;
+{
+#ifdef IP_OPTIONS
+    unsigned char optbuf[BUFFER_SIZE / 3], *cp;
+    char    lbuf[BUFFER_SIZE], *lp;
+    int     optsize = sizeof(optbuf), ipproto;
+    struct protoent *ip;
+    int     fd = request->fd;
+    unsigned int opt;
+    int     optlen;
+    struct in_addr dummy;
+#ifdef INET6
+    struct sockaddr_storage ss;
+    int sslen;
+
+    /*
+     * check if this is AF_INET socket
+     * XXX IPv6 support?
+     */
+    sslen = sizeof(ss);
+    if (getsockname(fd, (struct sockaddr *)&ss, &sslen) < 0) {
+	syslog(LOG_ERR, "getpeername: %m");
+	clean_exit(request);
+    }
+    if (ss.ss_family != AF_INET)
+	return;
+#endif
+
+    if ((ip = getprotobyname("ip")) != 0)
+	ipproto = ip->p_proto;
+    else
+	ipproto = IPPROTO_IP;
+
+    if (getsockopt(fd, ipproto, IP_OPTIONS, (char *) optbuf, &optsize) == 0
+	&& optsize != 0) {
+
+	/*
+	 * Horror! 4.[34] BSD getsockopt() prepends the first-hop destination
+	 * address to the result IP options list when source routing options
+	 * are present (see <netinet/ip_var.h>), but produces no output for
+	 * other IP options. Solaris 2.x getsockopt() does produce output for
+	 * non-routing IP options, and uses the same format as BSD even when
+	 * the space for the destination address is unused. The code below
+	 * does the right thing with 4.[34]BSD derivatives and Solaris 2, but
+	 * may occasionally miss source routing options on incompatible
+	 * systems such as Linux. Their choice.
+	 * 
+	 * Look for source routing options. Drop the connection when one is
+	 * found. Just wiping the IP options is insufficient: we would still
+	 * help the attacker by providing a real TCP sequence number, and the
+	 * attacker would still be able to send packets (blind spoofing). I
+	 * discussed this attack with Niels Provos, half a year before the
+	 * attack was described in open mailing lists.
+	 * 
+	 * It would be cleaner to just return a yes/no reply and let the caller
+	 * decide how to deal with it. Resident servers should not terminate.
+	 * However I am not prepared to make changes to internal interfaces
+	 * on short notice.
+	 */
+#define ADDR_LEN sizeof(dummy.s_addr)
+
+	for (cp = optbuf + ADDR_LEN; cp < optbuf + optsize; cp += optlen) {
+	    opt = cp[IPOPT_OPTVAL];
+	    if (opt == IPOPT_LSRR || opt == IPOPT_SSRR) {
+		syslog(LOG_WARNING,
+		   "refused connect from %s with IP source routing options",
+		       eval_client(request));
+		shutdown(fd, 2);
+		return;
+	    }
+	    if (opt == IPOPT_EOL)
+		break;
+	    if (opt == IPOPT_NOP) {
+		optlen = 1;
+	    } else {
+		optlen = cp[IPOPT_OLEN];
+		if (optlen <= 0)		/* Do not loop! */
+		    break;
+	    }
+	}
+	lp = lbuf;
+	for (cp = optbuf; optsize > 0; cp++, optsize--, lp += 3)
+	    sprintf(lp, " %2.2x", *cp);
+	syslog(LOG_NOTICE,
+	       "connect from %s with IP options (ignored):%s",
+	       eval_client(request), lbuf);
+	if (setsockopt(fd, ipproto, IP_OPTIONS, (char *) 0, optsize) != 0) {
+	    syslog(LOG_ERR, "setsockopt IP_OPTIONS NULL: %m");
+	    shutdown(fd, 2);
+	}
+    }
+#endif
+}
diff --git a/tcp_wrappers_7.6/fromhost.c b/tcp_wrappers_7.6/fromhost.c
new file mode 100644
index 0000000..a46c506
--- /dev/null
+++ b/tcp_wrappers_7.6/fromhost.c
@@ -0,0 +1,52 @@
+ /*
+  * On socket-only systems, fromhost() is nothing but an alias for the
+  * socket-specific sock_host() function.
+  * 
+  * On systems with sockets and TLI, fromhost() determines the type of API
+  * (sockets, TLI), then invokes the appropriate API-specific routines.
+  * 
+  * Diagnostics are reported through syslog(3).
+  * 
+  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+  */
+
+#ifndef lint
+static char sccsid[] = "@(#) fromhost.c 1.17 94/12/28 17:42:23";
+#endif
+
+#if defined(TLI) || defined(PTX) || defined(TLI_SEQUENT)
+
+/* System libraries. */
+
+#include <sys/types.h>
+#include <sys/tiuser.h>
+#include <stropts.h>
+
+/* Local stuff. */
+
+#include "tcpd.h"
+
+/* fromhost - find out what network API we should use */
+
+void    fromhost(request)
+struct request_info *request;
+{
+
+    /*
+     * On systems with streams support the IP network protocol family may be
+     * accessible via more than one programming interface: Berkeley sockets
+     * and the Transport Level Interface (TLI).
+     * 
+     * Thus, we must first find out what programming interface to use: sockets
+     * or TLI. On some systems, sockets are not part of the streams system,
+     * so if request->fd is not a stream we simply assume sockets.
+     */
+
+    if (ioctl(request->fd, I_FIND, "timod") > 0) {
+	tli_host(request);
+    } else {
+	sock_host(request);
+    }
+}
+
+#endif /* TLI || PTX || TLI_SEQUENT */
diff --git a/tcp_wrappers_7.6/hosts_access.3 b/tcp_wrappers_7.6/hosts_access.3
new file mode 100644
index 0000000..f16c446
--- /dev/null
+++ b/tcp_wrappers_7.6/hosts_access.3
@@ -0,0 +1,97 @@
+.TH HOSTS_ACCESS 3
+.SH NAME
+hosts_access, hosts_ctl, request_init, request_set \- access control library
+.SH SYNOPSIS
+.nf
+#include <tcpd.h>
+
+extern int allow_severity;
+extern int deny_severity;
+
+struct request_info *request_init(request, key, value, ..., 0)
+struct request_info *request;
+
+struct request_info *request_set(request, key, value, ..., 0)
+struct request_info *request;
+
+void fromhost(request)
+struct request_info *request;
+
+int hosts_access(request)
+struct request_info *request;
+
+int hosts_ctl(daemon, client_name, client_addr, client_user)
+char *daemon;
+char *client_name;
+char *client_addr;
+char *client_user;
+.fi
+.SH DESCRIPTION
+The routines described in this document are part of the \fIlibwrap.a\fR
+library. They implement a rule-based access control language with
+optional shell commands that are executed when a rule fires.
+.PP
+request_init() initializes a structure with information about a client
+request. request_set() updates an already initialized request
+structure. Both functions take a variable-length list of key-value
+pairs and return their first argument.  The argument lists are
+terminated with a zero key value. All string-valued arguments are
+copied. The expected keys (and corresponding value types) are:
+.IP "RQ_FILE (int)"
+The file descriptor associated with the request.
+.IP "RQ_CLIENT_NAME (char *)"
+The client host name.
+.IP "RQ_CLIENT_ADDR (char *)"
+A printable representation of the client network address.
+.IP "RQ_CLIENT_SIN (struct sockaddr_in *)"
+An internal representation of the client network address and port.  The
+contents of the structure are not copied.
+.IP "RQ_SERVER_NAME (char *)"
+The hostname associated with the server endpoint address.
+.IP "RQ_SERVER_ADDR (char *)"
+A printable representation of the server endpoint address.
+.IP "RQ_SERVER_SIN (struct sockaddr_in *)"
+An internal representation of the server endpoint address and port.
+The contents of the structure are not copied.
+.IP "RQ_DAEMON (char *)"
+The name of the daemon process running on the server host.
+.IP "RQ_USER (char *)"
+The name of the user on whose behalf the client host makes the request.
+.PP
+hosts_access() consults the access control tables described in the
+\fIhosts_access(5)\fR manual page.  When internal endpoint information
+is available, host names and client user names are looked up on demand,
+using the request structure as a cache.  hosts_access() returns zero if
+access should be denied.
+fromhost() must be called before hosts_access().
+.PP
+hosts_ctl() is a wrapper around the request_init() and hosts_access()
+routines with a perhaps more convenient interface (though it does not
+pass on enough information to support automated client username
+lookups).  The client host address, client host name and username
+arguments should contain valid data or STRING_UNKNOWN.  hosts_ctl()
+returns zero if access should be denied.
+.PP
+The \fIallow_severity\fR and \fIdeny_severity\fR variables determine
+how accepted and rejected requests may be logged. They must be provided
+by the caller and may be modified by rules in the access control
+tables.
+.SH DIAGNOSTICS
+Problems are reported via the syslog daemon.
+.SH SEE ALSO
+hosts_access(5), format of the access control tables.
+hosts_options(5), optional extensions to the base language.
+.SH FILES
+/etc/hosts.allow, /etc/hosts.deny, access control tables.
+.SH BUGS
+hosts_access() uses the strtok() library function. This may interfere
+with other code that relies on strtok().
+.SH AUTHOR
+.na
+.nf
+Wietse Venema (wietse@wzv.win.tue.nl)
+Department of Mathematics and Computing Science
+Eindhoven University of Technology
+Den Dolech 2, P.O. Box 513, 
+5600 MB Eindhoven, The Netherlands
+\" @(#) hosts_access.3 1.8 96/02/11 17:01:26
diff --git a/tcp_wrappers_7.6/hosts_access.5 b/tcp_wrappers_7.6/hosts_access.5
new file mode 100644
index 0000000..044d0e0
--- /dev/null
+++ b/tcp_wrappers_7.6/hosts_access.5
@@ -0,0 +1,405 @@
+.TH HOSTS_ACCESS 5
+.SH NAME
+hosts_access \- format of host access control files
+.SH DESCRIPTION
+This manual page describes a simple access control language that is
+based on client (host name/address, user name), and server (process
+name, host name/address) patterns.  Examples are given at the end. The
+impatient reader is encouraged to skip to the EXAMPLES section for a
+quick introduction.
+.PP
+The extended version of the access control language is described in the
+\fIhosts_options\fR(5) document. \fBNote that this language supersedes
+the meaning of \fIshell_command\fB as documented below.\fR
+.PP
+In the following text, \fIdaemon\fR is the process name of a
+network daemon process, and \fIclient\fR is the name and/or address of
+a host requesting service. Network daemon process names are specified
+in the inetd configuration file.
+.SH ACCESS CONTROL FILES
+The access control software consults two files. The search stops
+at the first match:
+.IP \(bu
+Access will be granted when a (daemon,client) pair matches an entry in
+the \fI/etc/hosts.allow\fR file.
+.IP \(bu
+Otherwise, access will be denied when a (daemon,client) pair matches an
+entry in the \fI/etc/hosts.deny\fR file.
+.IP \(bu
+Otherwise, access will be granted.
+.PP
+A non-existing access control file is treated as if it were an empty
+file. Thus, access control can be turned off by providing no access
+control files.
+.SH ACCESS CONTROL RULES
+Each access control file consists of zero or more lines of text.  These
+lines are processed in order of appearance. The search terminates when a
+match is found.
+.IP \(bu
+A newline character is ignored when it is preceded by a backslash
+character. This permits you to break up long lines so that they are
+easier to edit.
+.IP \(bu
+Blank lines or lines that begin with a `#\' character are ignored.
+This permits you to insert comments and whitespace so that the tables
+are easier to read.
+.IP \(bu
+All other lines should satisfy the following format, things between []
+being optional:
+.sp
+.ti +3
+daemon_list : client_list [ : shell_command ]
+.PP
+\fIdaemon_list\fR is a list of one or more daemon process names
+(argv[0] values) or server port numbers or wildcards (see below).  
+.PP
+\fIclient_list\fR is a list
+of one or more host names, host addresses, patterns or wildcards (see
+below) that will be matched against the client host name or address.
+.PP
+The more complex forms \fIdaemon@host\fR and \fIuser@host\fR are
+explained in the sections on server endpoint patterns and on client
+username lookups, respectively.
+.PP
+List elements should be separated by blanks and/or commas.  
+.PP
+With the exception of NIS (YP) netgroup lookups, all access control
+checks are case insensitive.
+.ne 4
+.SH PATTERNS
+The access control language implements the following patterns:
+.IP \(bu
+A string that begins with a `.\' character. A host name is matched if
+the last components of its name match the specified pattern.  For
+example, the pattern `.tue.nl\' matches the host name
+`wzv.win.tue.nl\'.
+.IP \(bu
+A string that ends with a `.\' character. A host address is matched if
+its first numeric fields match the given string.  For example, the
+pattern `131.155.\' matches the address of (almost) every host on the
+Eind\%hoven University network (131.155.x.x).
+.IP \(bu
+A string that begins with an `@\' character is treated as an NIS
+(formerly YP) netgroup name. A host name is matched if it is a host
+member of the specified netgroup. Netgroup matches are not supported
+for daemon process names or for client user names.
+.IP \(bu
+An expression of the form `n.n.n.n/m.m.m.m\' is interpreted as a
+`net/mask\' pair. An IPv4 host address is matched if `net\' is equal to the
+bitwise AND of the address and the `mask\'. For example, the net/mask
+pattern `131.155.72.0/255.255.254.0\' matches every address in the
+range `131.155.72.0\' through `131.155.73.255\'.
+`255.255.255.255\' is not a valid mask value, so a single host can be
+matched just by its IP.
+.IP \(bu
+An expression of the form `n.n.n.n/mm' is interpreted as a
+`net/masklength' pair, where `mm' is the number of consecutive `1'
+bits in the netmask applied to the `n.n.n.n' address.
+.IP \(bu
+An expression of the form `[n:n:n:n:n:n:n:n]/m\' is interpreted as a
+`[net]/prefixlen\' pair. An IPv6 host address is matched if
+`prefixlen\' bits of `net\' is equal to the `prefixlen\' bits of the
+address. For example, the [net]/prefixlen pattern
+`[3ffe:505:2:1::]/64\' matches every address in the range
+`3ffe:505:2:1::\' through `3ffe:505:2:1:ffff:ffff:ffff:ffff\'.
+.IP \(bu
+A string that begins with a `/\' character is treated as a file
+name. A host name or address is matched if it matches any host name
+or address pattern listed in the named file. The file format is
+zero or more lines with zero or more host name or address patterns
+separated by whitespace.  A file name pattern can be used anywhere
+a host name or address pattern can be used.
+.IP \(bu
+Wildcards `*\' and `?\' can be used to match hostnames or IP addresses.  This
+method of matching cannot be used in conjunction with `net/mask\' matching,
+hostname matching beginning with `.\' or IP address matching ending with `.\'.
+.SH WILDCARDS
+The access control language supports explicit wildcards:
+.IP ALL
+The universal wildcard, always matches.
+.IP LOCAL
+Matches any host whose name does not contain a dot character.
+.IP UNKNOWN
+Matches any user whose name is unknown, and matches any host whose name
+\fIor\fR address are unknown.  This pattern should be used with care:
+host names may be unavailable due to temporary name server problems. A
+network address will be unavailable when the software cannot figure out
+what type of network it is talking to.
+.IP KNOWN
+Matches any user whose name is known, and matches any host whose name
+\fIand\fR address are known. This pattern should be used with care:
+host names may be unavailable due to temporary name server problems.  A
+network address will be unavailable when the software cannot figure out
+what type of network it is talking to.
+.IP PARANOID
+Matches any host whose name does not match its address.  When tcpd is
+built with -DPARANOID (default mode), it drops requests from such
+clients even before looking at the access control tables.  Build
+without -DPARANOID when you want more control over such requests.
+.ne 6
+.SH OPERATORS
+.IP EXCEPT
+Intended use is of the form: `list_1 EXCEPT list_2\'; this construct
+matches anything that matches \fIlist_1\fR unless it matches
+\fIlist_2\fR.  The EXCEPT operator can be used in daemon_lists and in
+client_lists. The EXCEPT operator can be nested: if the control
+language would permit the use of parentheses, `a EXCEPT b EXCEPT c\'
+would parse as `(a EXCEPT (b EXCEPT c))\'.
+.br
+.ne 6
+.SH SHELL COMMANDS
+If the first-matched access control rule contains a shell command, that
+command is subjected to %<letter> substitutions (see next section).
+The result is executed by a \fI/bin/sh\fR child process with standard
+input, output and error connected to \fI/dev/null\fR.  Specify an `&\'
+at the end of the command if you do not want to wait until it has
+completed.
+.PP
+Shell commands should not rely on the PATH setting of the inetd.
+Instead, they should use absolute path names, or they should begin with
+an explicit PATH=whatever statement.
+.PP
+The \fIhosts_options\fR(5) document describes an alternative language
+that uses the shell command field in a different and incompatible way.
+.SH % EXPANSIONS
+The following expansions are available within shell commands:
+.IP "%a (%A)"
+The client (server) host address.
+.IP %c
+Client information: user@host, user@address, a host name, or just an
+address, depending on how much information is available.
+.IP %d
+The daemon process name (argv[0] value).
+.IP "%h (%H)"
+The client (server) host name or address, if the host name is
+unavailable.
+.IP "%n (%N)"
+The client (server) host name (or "unknown" or "paranoid").
+.IP "%r (%R)"
+The clients (servers) port number (or "0").
+.IP %p
+The daemon process id.
+.IP %s
+Server information: daemon@host, daemon@address, or just a daemon name,
+depending on how much information is available.
+.IP %u
+The client user name (or "unknown").
+.IP %%
+Expands to a single `%\' character.
+.PP
+Characters in % expansions that may confuse the shell are replaced by
+underscores.
+.SH SERVER ENDPOINT PATTERNS
+In order to distinguish clients by the network address that they
+connect to, use patterns of the form:
+.sp
+.ti +3
+process_name@host_pattern : client_list ...
+.sp
+Patterns like these can be used when the machine has different internet
+addresses with different internet hostnames.  Service providers can use
+this facility to offer FTP, GOPHER or WWW archives with internet names
+that may even belong to different organizations. See also the `twist\'
+option in the hosts_options(5) document. Some systems (Solaris,
+FreeBSD) can have more than one internet address on one physical
+interface; with other systems you may have to resort to SLIP or PPP
+pseudo interfaces that live in a dedicated network address space.
+.sp
+The host_pattern obeys the same syntax rules as host names and
+addresses in client_list context. Usually, server endpoint information
+is available only with connection-oriented services.
+.SH CLIENT USERNAME LOOKUP
+When the client host supports the RFC 931 protocol or one of its
+descendants (TAP, IDENT, RFC 1413) the wrapper programs can retrieve
+additional information about the owner of a connection. Client username
+information, when available, is logged together with the client host
+name, and can be used to match patterns like:
+.PP
+.ti +3
+daemon_list : ... user_pattern@host_pattern ...
+.PP
+The daemon wrappers can be configured at compile time to perform
+rule-driven username lookups (default) or to always interrogate the
+client host.  In the case of rule-driven username lookups, the above
+rule would cause username lookup only when both the \fIdaemon_list\fR
+and the \fIhost_pattern\fR match. 
+.PP
+A user pattern has the same syntax as a daemon process pattern, so the
+same wildcards apply (netgroup membership is not supported).  One
+should not get carried away with username lookups, though.
+.IP \(bu
+The client username information cannot be trusted when it is needed
+most, i.e. when the client system has been compromised.  In general,
+ALL and (UN)KNOWN are the only user name patterns that make sense.
+.IP \(bu
+Username lookups are possible only with TCP-based services, and only
+when the client host runs a suitable daemon; in all other cases the
+result is "unknown".
+.IP \(bu
+A well-known UNIX kernel bug may cause loss of service when username
+lookups are blocked by a firewall. The wrapper README document
+describes a procedure to find out if your kernel has this bug.
+.IP \(bu
+Username lookups may cause noticeable delays for non-UNIX users.  The
+default timeout for username lookups is 10 seconds: too short to cope
+with slow networks, but long enough to irritate PC users.
+.PP
+Selective username lookups can alleviate the last problem. For example,
+a rule like:
+.PP
+.ti +3
+daemon_list : @pcnetgroup ALL@ALL
+.PP
+would match members of the pc netgroup without doing username lookups,
+but would perform username lookups with all other systems.
+.SH DETECTING ADDRESS SPOOFING ATTACKS
+A flaw in the sequence number generator of many TCP/IP implementations
+allows intruders to easily impersonate trusted hosts and to break in
+via, for example, the remote shell service.  The IDENT (RFC931 etc.)
+service can be used to detect such and other host address spoofing
+attacks.
+.PP
+Before accepting a client request, the wrappers can use the IDENT
+service to find out that the client did not send the request at all.
+When the client host provides IDENT service, a negative IDENT lookup
+result (the client matches `UNKNOWN@host\') is strong evidence of a host
+spoofing attack.
+.PP
+A positive IDENT lookup result (the client matches `KNOWN@host\') is
+less trustworthy. It is possible for an intruder to spoof both the
+client connection and the IDENT lookup, although doing so is much
+harder than spoofing just a client connection. It may also be that
+the client\'s IDENT server is lying.
+.PP
+Note: IDENT lookups don\'t work with UDP services. 
+.SH EXAMPLES
+The language is flexible enough that different types of access control
+policy can be expressed with a minimum of fuss. Although the language
+uses two access control tables, the most common policies can be
+implemented with one of the tables being trivial or even empty.
+.PP
+When reading the examples below it is important to realize that the
+allow table is scanned before the deny table, that the search
+terminates when a match is found, and that access is granted when no
+match is found at all.
+.PP
+The examples use host and domain names. They can be improved by
+including address and/or network/netmask information, to reduce the
+impact of temporary name server lookup failures.
+.SH MOSTLY CLOSED
+In this case, access is denied by default. Only explicitly authorized
+hosts are permitted access. 
+.PP
+The default policy (no access) is implemented with a trivial deny
+file:
+.PP
+.ne 2
+/etc/hosts.deny: 
+.in +3
+ALL: ALL
+.PP
+This denies all service to all hosts, unless they are permitted access
+by entries in the allow file.
+.PP
+The explicitly authorized hosts are listed in the allow file.
+For example:
+.PP
+.ne 2
+/etc/hosts.allow: 
+.in +3
+ALL: LOCAL @some_netgroup
+.br
+ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
+.PP
+The first rule permits access from hosts in the local domain (no `.\'
+in the host name) and from members of the \fIsome_netgroup\fP
+netgroup.  The second rule permits access from all hosts in the
+\fIfoobar.edu\fP domain (notice the leading dot), with the exception of
+\fIterminalserver.foobar.edu\fP.
+.SH MOSTLY OPEN
+Here, access is granted by default; only explicitly specified hosts are
+refused service. 
+.PP
+The default policy (access granted) makes the allow file redundant so
+that it can be omitted.  The explicitly non-authorized hosts are listed
+in the deny file. For example:
+.PP
+/etc/hosts.deny:
+.in +3
+ALL: some.host.name, .some.domain
+.br
+ALL EXCEPT in.fingerd: other.host.name, .other.domain
+.PP
+The first rule denies some hosts and domains all services; the second
+rule still permits finger requests from other hosts and domains.
+.SH BOOBY TRAPS
+The next example permits tftp requests from hosts in the local domain
+(notice the leading dot).  Requests from any other hosts are denied.
+Instead of the requested file, a finger probe is sent to the offending
+host. The result is mailed to the superuser.
+.PP
+.ne 2
+/etc/hosts.allow:
+.in +3
+.nf
+in.tftpd: LOCAL, .my.domain
+.PP
+.ne 2
+/etc/hosts.deny:
+.in +3
+.nf
+in.tftpd: ALL: (/usr/sbin/safe_finger -l @%h | \\
+	/usr/bin/mail -s %d-%h root) &
+.fi
+.PP
+The safe_finger command comes with the tcpd wrapper and should be
+installed in a suitable place. It limits possible damage from data sent
+by the remote finger server.  It gives better protection than the
+standard finger command.
+.PP
+The expansion of the %h (client host) and %d (service name) sequences
+is described in the section on shell commands.
+.PP
+Warning: do not booby-trap your finger daemon, unless you are prepared
+for infinite finger loops.
+.PP
+On network firewall systems this trick can be carried even further.
+The typical network firewall only provides a limited set of services to
+the outer world. All other services can be "bugged" just like the above
+tftp example. The result is an excellent early-warning system.
+.br
+.ne 4
+.SH DIAGNOSTICS
+An error is reported when a syntax error is found in a host access
+control rule; when the length of an access control rule exceeds the
+capacity of an internal buffer; when an access control rule is not
+terminated by a newline character; when the result of %<letter>
+expansion would overflow an internal buffer; when a system call fails
+that shouldn\'t.  All problems are reported via the syslog daemon.
+.SH FILES
+.na
+.nf
+/etc/hosts.allow, (daemon,client) pairs that are granted access.
+/etc/hosts.deny, (daemon,client) pairs that are denied access.
+.ad
+.fi
+.SH SEE ALSO
+.nf
+hosts_options(5) extended syntax.
+tcpd(8) tcp/ip daemon wrapper program.
+tcpdchk(8), tcpdmatch(8), test programs.
+.SH BUGS
+If a name server lookup times out, the host name will not be available
+to the access control software, even though the host is registered.
+.PP
+Domain name server lookups are case insensitive; NIS (formerly YP)
+netgroup lookups are case sensitive.
+.SH AUTHOR
+.na
+.nf
+Wietse Venema (wietse@wzv.win.tue.nl)
+Department of Mathematics and Computing Science
+Eindhoven University of Technology
+Den Dolech 2, P.O. Box 513, 
+5600 MB Eindhoven, The Netherlands
+\" @(#) hosts_access.5 1.20 95/01/30 19:51:46
diff --git a/tcp_wrappers_7.6/hosts_access.5.orig b/tcp_wrappers_7.6/hosts_access.5.orig
new file mode 100644
index 0000000..3629ecd
--- /dev/null
+++ b/tcp_wrappers_7.6/hosts_access.5.orig
@@ -0,0 +1,378 @@
+.TH HOSTS_ACCESS 5
+.SH NAME
+hosts_access \- format of host access control files
+.SH DESCRIPTION
+This manual page describes a simple access control language that is
+based on client (host name/address, user name), and server (process
+name, host name/address) patterns.  Examples are given at the end. The
+impatient reader is encouraged to skip to the EXAMPLES section for a
+quick introduction.
+.PP
+An extended version of the access control language is described in the
+\fIhosts_options\fR(5) document. The extensions are turned on at
+program build time by building with -DPROCESS_OPTIONS.
+.PP
+In the following text, \fIdaemon\fR is the process name of a
+network daemon process, and \fIclient\fR is the name and/or address of
+a host requesting service. Network daemon process names are specified
+in the inetd configuration file.
+.SH ACCESS CONTROL FILES
+The access control software consults two files. The search stops
+at the first match:
+.IP \(bu
+Access will be granted when a (daemon,client) pair matches an entry in
+the \fI/etc/hosts.allow\fR file.
+.IP \(bu
+Otherwise, access will be denied when a (daemon,client) pair matches an
+entry in the \fI/etc/hosts.deny\fR file.
+.IP \(bu
+Otherwise, access will be granted.
+.PP
+A non-existing access control file is treated as if it were an empty
+file. Thus, access control can be turned off by providing no access
+control files.
+.SH ACCESS CONTROL RULES
+Each access control file consists of zero or more lines of text.  These
+lines are processed in order of appearance. The search terminates when a
+match is found.
+.IP \(bu
+A newline character is ignored when it is preceded by a backslash
+character. This permits you to break up long lines so that they are
+easier to edit.
+.IP \(bu
+Blank lines or lines that begin with a `#\' character are ignored.
+This permits you to insert comments and whitespace so that the tables
+are easier to read.
+.IP \(bu
+All other lines should satisfy the following format, things between []
+being optional:
+.sp
+.ti +3
+daemon_list : client_list [ : shell_command ]
+.PP
+\fIdaemon_list\fR is a list of one or more daemon process names
+(argv[0] values) or wildcards (see below).  
+.PP
+\fIclient_list\fR is a list
+of one or more host names, host addresses, patterns or wildcards (see
+below) that will be matched against the client host name or address.
+.PP
+The more complex forms \fIdaemon@host\fR and \fIuser@host\fR are
+explained in the sections on server endpoint patterns and on client
+username lookups, respectively.
+.PP
+List elements should be separated by blanks and/or commas.  
+.PP
+With the exception of NIS (YP) netgroup lookups, all access control
+checks are case insensitive.
+.ne 4
+.SH PATTERNS
+The access control language implements the following patterns:
+.IP \(bu
+A string that begins with a `.\' character. A host name is matched if
+the last components of its name match the specified pattern.  For
+example, the pattern `.tue.nl\' matches the host name
+`wzv.win.tue.nl\'.
+.IP \(bu
+A string that ends with a `.\' character. A host address is matched if
+its first numeric fields match the given string.  For example, the
+pattern `131.155.\' matches the address of (almost) every host on the
+Eind\%hoven University network (131.155.x.x).
+.IP \(bu
+A string that begins with an `@\' character is treated as an NIS
+(formerly YP) netgroup name. A host name is matched if it is a host
+member of the specified netgroup. Netgroup matches are not supported
+for daemon process names or for client user names.
+.IP \(bu
+An expression of the form `n.n.n.n/m.m.m.m\' is interpreted as a
+`net/mask\' pair. A host address is matched if `net\' is equal to the
+bitwise AND of the address and the `mask\'. For example, the net/mask
+pattern `131.155.72.0/255.255.254.0\' matches every address in the
+range `131.155.72.0\' through `131.155.73.255\'.
+.SH WILDCARDS
+The access control language supports explicit wildcards:
+.IP ALL
+The universal wildcard, always matches.
+.IP LOCAL
+Matches any host whose name does not contain a dot character.
+.IP UNKNOWN
+Matches any user whose name is unknown, and matches any host whose name
+\fIor\fR address are unknown.  This pattern should be used with care:
+host names may be unavailable due to temporary name server problems. A
+network address will be unavailable when the software cannot figure out
+what type of network it is talking to.
+.IP KNOWN
+Matches any user whose name is known, and matches any host whose name
+\fIand\fR address are known. This pattern should be used with care:
+host names may be unavailable due to temporary name server problems.  A
+network address will be unavailable when the software cannot figure out
+what type of network it is talking to.
+.IP PARANOID
+Matches any host whose name does not match its address.  When tcpd is
+built with -DPARANOID (default mode), it drops requests from such
+clients even before looking at the access control tables.  Build
+without -DPARANOID when you want more control over such requests.
+.ne 6
+.SH OPERATORS
+.IP EXCEPT
+Intended use is of the form: `list_1 EXCEPT list_2\'; this construct
+matches anything that matches \fIlist_1\fR unless it matches
+\fIlist_2\fR.  The EXCEPT operator can be used in daemon_lists and in
+client_lists. The EXCEPT operator can be nested: if the control
+language would permit the use of parentheses, `a EXCEPT b EXCEPT c\'
+would parse as `(a EXCEPT (b EXCEPT c))\'.
+.br
+.ne 6
+.SH SHELL COMMANDS
+If the first-matched access control rule contains a shell command, that
+command is subjected to %<letter> substitutions (see next section).
+The result is executed by a \fI/bin/sh\fR child process with standard
+input, output and error connected to \fI/dev/null\fR.  Specify an `&\'
+at the end of the command if you do not want to wait until it has
+completed.
+.PP
+Shell commands should not rely on the PATH setting of the inetd.
+Instead, they should use absolute path names, or they should begin with
+an explicit PATH=whatever statement.
+.PP
+The \fIhosts_options\fR(5) document describes an alternative language
+that uses the shell command field in a different and incompatible way.
+.SH % EXPANSIONS
+The following expansions are available within shell commands:
+.IP "%a (%A)"
+The client (server) host address.
+.IP %c
+Client information: user@host, user@address, a host name, or just an
+address, depending on how much information is available.
+.IP %d
+The daemon process name (argv[0] value).
+.IP "%h (%H)"
+The client (server) host name or address, if the host name is
+unavailable.
+.IP "%n (%N)"
+The client (server) host name (or "unknown" or "paranoid").
+.IP %p
+The daemon process id.
+.IP %s
+Server information: daemon@host, daemon@address, or just a daemon name,
+depending on how much information is available.
+.IP %u
+The client user name (or "unknown").
+.IP %%
+Expands to a single `%\' character.
+.PP
+Characters in % expansions that may confuse the shell are replaced by
+underscores.
+.SH SERVER ENDPOINT PATTERNS
+In order to distinguish clients by the network address that they
+connect to, use patterns of the form:
+.sp
+.ti +3
+process_name@host_pattern : client_list ...
+.sp
+Patterns like these can be used when the machine has different internet
+addresses with different internet hostnames.  Service providers can use
+this facility to offer FTP, GOPHER or WWW archives with internet names
+that may even belong to different organizations. See also the `twist\'
+option in the hosts_options(5) document. Some systems (Solaris,
+FreeBSD) can have more than one internet address on one physical
+interface; with other systems you may have to resort to SLIP or PPP
+pseudo interfaces that live in a dedicated network address space.
+.sp
+The host_pattern obeys the same syntax rules as host names and
+addresses in client_list context. Usually, server endpoint information
+is available only with connection-oriented services.
+.SH CLIENT USERNAME LOOKUP
+When the client host supports the RFC 931 protocol or one of its
+descendants (TAP, IDENT, RFC 1413) the wrapper programs can retrieve
+additional information about the owner of a connection. Client username
+information, when available, is logged together with the client host
+name, and can be used to match patterns like:
+.PP
+.ti +3
+daemon_list : ... user_pattern@host_pattern ...
+.PP
+The daemon wrappers can be configured at compile time to perform
+rule-driven username lookups (default) or to always interrogate the
+client host.  In the case of rule-driven username lookups, the above
+rule would cause username lookup only when both the \fIdaemon_list\fR
+and the \fIhost_pattern\fR match. 
+.PP
+A user pattern has the same syntax as a daemon process pattern, so the
+same wildcards apply (netgroup membership is not supported).  One
+should not get carried away with username lookups, though.
+.IP \(bu
+The client username information cannot be trusted when it is needed
+most, i.e. when the client system has been compromised.  In general,
+ALL and (UN)KNOWN are the only user name patterns that make sense.
+.IP \(bu
+Username lookups are possible only with TCP-based services, and only
+when the client host runs a suitable daemon; in all other cases the
+result is "unknown".
+.IP \(bu
+A well-known UNIX kernel bug may cause loss of service when username
+lookups are blocked by a firewall. The wrapper README document
+describes a procedure to find out if your kernel has this bug.
+.IP \(bu
+Username lookups may cause noticeable delays for non-UNIX users.  The
+default timeout for username lookups is 10 seconds: too short to cope
+with slow networks, but long enough to irritate PC users.
+.PP
+Selective username lookups can alleviate the last problem. For example,
+a rule like:
+.PP
+.ti +3
+daemon_list : @pcnetgroup ALL@ALL
+.PP
+would match members of the pc netgroup without doing username lookups,
+but would perform username lookups with all other systems.
+.SH DETECTING ADDRESS SPOOFING ATTACKS
+A flaw in the sequence number generator of many TCP/IP implementations
+allows intruders to easily impersonate trusted hosts and to break in
+via, for example, the remote shell service.  The IDENT (RFC931 etc.)
+service can be used to detect such and other host address spoofing
+attacks.
+.PP
+Before accepting a client request, the wrappers can use the IDENT
+service to find out that the client did not send the request at all.
+When the client host provides IDENT service, a negative IDENT lookup
+result (the client matches `UNKNOWN@host\') is strong evidence of a host
+spoofing attack.
+.PP
+A positive IDENT lookup result (the client matches `KNOWN@host\') is
+less trustworthy. It is possible for an intruder to spoof both the
+client connection and the IDENT lookup, although doing so is much
+harder than spoofing just a client connection. It may also be that
+the client\'s IDENT server is lying.
+.PP
+Note: IDENT lookups don\'t work with UDP services. 
+.SH EXAMPLES
+The language is flexible enough that different types of access control
+policy can be expressed with a minimum of fuss. Although the language
+uses two access control tables, the most common policies can be
+implemented with one of the tables being trivial or even empty.
+.PP
+When reading the examples below it is important to realize that the
+allow table is scanned before the deny table, that the search
+terminates when a match is found, and that access is granted when no
+match is found at all.
+.PP
+The examples use host and domain names. They can be improved by
+including address and/or network/netmask information, to reduce the
+impact of temporary name server lookup failures.
+.SH MOSTLY CLOSED
+In this case, access is denied by default. Only explicitly authorized
+hosts are permitted access. 
+.PP
+The default policy (no access) is implemented with a trivial deny
+file:
+.PP
+.ne 2
+/etc/hosts.deny: 
+.in +3
+ALL: ALL
+.PP
+This denies all service to all hosts, unless they are permitted access
+by entries in the allow file.
+.PP
+The explicitly authorized hosts are listed in the allow file.
+For example:
+.PP
+.ne 2
+/etc/hosts.allow: 
+.in +3
+ALL: LOCAL @some_netgroup
+.br
+ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
+.PP
+The first rule permits access from hosts in the local domain (no `.\'
+in the host name) and from members of the \fIsome_netgroup\fP
+netgroup.  The second rule permits access from all hosts in the
+\fIfoobar.edu\fP domain (notice the leading dot), with the exception of
+\fIterminalserver.foobar.edu\fP.
+.SH MOSTLY OPEN
+Here, access is granted by default; only explicitly specified hosts are
+refused service. 
+.PP
+The default policy (access granted) makes the allow file redundant so
+that it can be omitted.  The explicitly non-authorized hosts are listed
+in the deny file. For example:
+.PP
+/etc/hosts.deny:
+.in +3
+ALL: some.host.name, .some.domain
+.br
+ALL EXCEPT in.fingerd: other.host.name, .other.domain
+.PP
+The first rule denies some hosts and domains all services; the second
+rule still permits finger requests from other hosts and domains.
+.SH BOOBY TRAPS
+The next example permits tftp requests from hosts in the local domain
+(notice the leading dot).  Requests from any other hosts are denied.
+Instead of the requested file, a finger probe is sent to the offending
+host. The result is mailed to the superuser.
+.PP
+.ne 2
+/etc/hosts.allow:
+.in +3
+.nf
+in.tftpd: LOCAL, .my.domain
+.PP
+.ne 2
+/etc/hosts.deny:
+.in +3
+.nf
+in.tftpd: ALL: (/some/where/safe_finger -l @%h | \\
+	/usr/ucb/mail -s %d-%h root) &
+.fi
+.PP
+The safe_finger command comes with the tcpd wrapper and should be
+installed in a suitable place. It limits possible damage from data sent
+by the remote finger server.  It gives better protection than the
+standard finger command.
+.PP
+The expansion of the %h (client host) and %d (service name) sequences
+is described in the section on shell commands.
+.PP
+Warning: do not booby-trap your finger daemon, unless you are prepared
+for infinite finger loops.
+.PP
+On network firewall systems this trick can be carried even further.
+The typical network firewall only provides a limited set of services to
+the outer world. All other services can be "bugged" just like the above
+tftp example. The result is an excellent early-warning system.
+.br
+.ne 4
+.SH DIAGNOSTICS
+An error is reported when a syntax error is found in a host access
+control rule; when the length of an access control rule exceeds the
+capacity of an internal buffer; when an access control rule is not
+terminated by a newline character; when the result of %<letter>
+expansion would overflow an internal buffer; when a system call fails
+that shouldn\'t.  All problems are reported via the syslog daemon.
+.SH FILES
+.na
+.nf
+/etc/hosts.allow, (daemon,client) pairs that are granted access.
+/etc/hosts.deny, (daemon,client) pairs that are denied access.
+.ad
+.fi
+.SH SEE ALSO
+.nf
+tcpd(8) tcp/ip daemon wrapper program.
+tcpdchk(8), tcpdmatch(8), test programs.
+.SH BUGS
+If a name server lookup times out, the host name will not be available
+to the access control software, even though the host is registered.
+.PP
+Domain name server lookups are case insensitive; NIS (formerly YP)
+netgroup lookups are case sensitive.
+.SH AUTHOR
+.na
+.nf
+Wietse Venema (wietse@wzv.win.tue.nl)
+Department of Mathematics and Computing Science
+Eindhoven University of Technology
+Den Dolech 2, P.O. Box 513, 
+5600 MB Eindhoven, The Netherlands
+\" @(#) hosts_access.5 1.20 95/01/30 19:51:46
diff --git a/tcp_wrappers_7.6/hosts_access.c b/tcp_wrappers_7.6/hosts_access.c
new file mode 100644
index 0000000..761e644
--- /dev/null
+++ b/tcp_wrappers_7.6/hosts_access.c
@@ -0,0 +1,616 @@
+ /*
+  * This module implements a simple access control language that is based on
+  * host (or domain) names, NIS (host) netgroup names, IP addresses (or
+  * network numbers) and daemon process names. When a match is found the
+  * search is terminated, and depending on whether PROCESS_OPTIONS is defined,
+  * a list of options is executed or an optional shell command is executed.
+  * 
+  * Host and user names are looked up on demand, provided that suitable endpoint
+  * information is available as sockaddr_in structures or TLI netbufs. As a
+  * side effect, the pattern matching process may change the contents of
+  * request structure fields.
+  * 
+  * Diagnostics are reported through syslog(3).
+  * 
+  * Compile with -DNETGROUP if your library provides support for netgroups.
+  * 
+  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+  */
+
+#ifndef lint
+static char sccsid[] = "@(#) hosts_access.c 1.21 97/02/12 02:13:22";
+#endif
+
+/* System libraries. */
+
+#include <sys/types.h>
+#ifdef INT32_T
+    typedef uint32_t u_int32_t;
+#endif
+#include <sys/param.h>
+#ifdef INET6
+#include <sys/socket.h>
+#endif
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <stdio.h>
+#include <syslog.h>
+#include <ctype.h>
+#include <errno.h>
+#include <setjmp.h>
+#include <string.h>
+#ifdef INET6
+#include <netdb.h>
+#endif
+
+extern char *fgets();
+extern int errno;
+
+#ifndef	INADDR_NONE
+#define	INADDR_NONE	(-1)		/* XXX should be 0xffffffff */
+#endif
+
+/* Local stuff. */
+
+#include "tcpd.h"
+
+/* Error handling. */
+
+extern jmp_buf tcpd_buf;
+
+/* Delimiters for lists of daemons or clients. */
+
+static char sep[] = ", \t\r\n";
+
+/* Constants to be used in assignments only, not in comparisons... */
+
+#define	YES		1
+#define	NO		0
+#define ERR             -1
+
+ /*
+  * These variables are globally visible so that they can be redirected in
+  * verification mode.
+  */
+
+char   *hosts_allow_table = HOSTS_ALLOW;
+char   *hosts_deny_table = HOSTS_DENY;
+int     hosts_access_verbose = 0;
+
+ /*
+  * In a long-running process, we are not at liberty to just go away.
+  */
+
+int     resident = (-1);		/* -1, 0: unknown; +1: yes */
+#ifdef ACLEXEC
+int	aclexec_matched = 0;
+#endif
+
+/* Forward declarations. */
+
+static int table_match();
+static int list_match();
+static int server_match();
+static int client_match();
+static int host_match();
+static int string_match();
+static int masked_match();
+static int match_pattern_ylo();
+#ifdef INET6
+static int masked_match4();
+static int masked_match6();
+#endif
+
+/* Size of logical line buffer. */
+
+#define	BUFLEN 2048
+
+/* hosts_access - host access control facility */
+
+int     hosts_access(request)
+struct request_info *request;
+{
+    int     verdict;
+
+    /*
+     * If the (daemon, client) pair is matched by an entry in the file
+     * /etc/hosts.allow, access is granted. Otherwise, if the (daemon,
+     * client) pair is matched by an entry in the file /etc/hosts.deny,
+     * access is denied. Otherwise, access is granted. A non-existent
+     * access-control file is treated as an empty file.
+     * 
+     * After a rule has been matched, the optional language extensions may
+     * decide to grant or refuse service anyway. Or, while a rule is being
+     * processed, a serious error is found, and it seems better to play safe
+     * and deny service. All this is done by jumping back into the
+     * hosts_access() routine, bypassing the regular return from the
+     * table_match() function calls below.
+     */
+
+    if (resident <= 0)
+	resident++;
+    verdict = setjmp(tcpd_buf);
+    if (verdict != 0)
+	return (verdict == AC_PERMIT);
+    if (table_match(hosts_allow_table, request) == YES)
+	return (YES);
+    if (table_match(hosts_deny_table, request) == NO)
+	return (YES);
+    return (NO);
+}
+
+/* table_match - match table entries with (daemon, client) pair */
+
+static int table_match(table, request)
+char   *table;
+struct request_info *request;
+{
+    FILE   *fp;
+    char    sv_list[BUFLEN];		/* becomes list of daemons */
+    char   *cl_list;			/* becomes list of clients */
+    char   *sh_cmd;			/* becomes optional shell command */
+    int     match = NO;
+    struct tcpd_context saved_context;
+
+    saved_context = tcpd_context;		/* stupid compilers */
+
+    /*
+     * Between the fopen() and fclose() calls, avoid jumps that may cause
+     * file descriptor leaks.
+     */
+
+    if ((fp = fopen(table, "r")) != 0) {
+	tcpd_context.file = table;
+	tcpd_context.line = 0;
+	while (match == NO && xgets(sv_list, sizeof(sv_list), fp) != 0) {
+	    if (sv_list[strlen(sv_list) - 1] != '\n') {
+		tcpd_warn("missing newline or line too long");
+		continue;
+	    }
+	    if (sv_list[0] == '#' || sv_list[strspn(sv_list, " \t\r\n")] == 0)
+		continue;
+	    if ((cl_list = split_at(sv_list, ':')) == 0) {
+		tcpd_warn("missing \":\" separator");
+		continue;
+	    }
+	    sh_cmd = split_at(cl_list, ':');
+	    match = list_match(sv_list, request, server_match)
+		&& list_match(cl_list, request, client_match);
+	}
+	(void) fclose(fp);
+    } else if (errno != ENOENT) {
+	tcpd_warn("cannot open %s: %m", table);
+	match = ERR;
+    }
+    if (match == YES) {
+	if (hosts_access_verbose > 1)
+	    syslog(LOG_DEBUG, "matched:  %s line %d",
+		   tcpd_context.file, tcpd_context.line);
+	if (sh_cmd) {
+#ifdef PROCESS_OPTIONS
+	    process_options(sh_cmd, request);
+# ifdef ACLEXEC
+	    if (aclexec_matched) {
+		syslog(LOG_INFO, "aclexec returned %d", aclexec_matched);
+		match = NO;
+	    }
+# endif
+#else
+	    char    cmd[BUFSIZ];
+	    shell_cmd(percent_x(cmd, sizeof(cmd), sh_cmd, request));
+#endif
+	}
+    }
+    tcpd_context = saved_context;
+    return (match);
+}
+
+/* list_match - match a request against a list of patterns with exceptions */
+
+static int list_match(list, request, match_fn)
+char   *list;
+struct request_info *request;
+int   (*match_fn) ();
+{
+    char   *tok;
+
+    /*
+     * Process tokens one at a time. We have exhausted all possible matches
+     * when we reach an "EXCEPT" token or the end of the list. If we do find
+     * a match, look for an "EXCEPT" list and recurse to determine whether
+     * the match is affected by any exceptions.
+     */
+
+    for (tok = strtok(list, sep); tok != 0; tok = strtok((char *) 0, sep)) {
+	if (STR_EQ(tok, "EXCEPT"))		/* EXCEPT: give up */
+	    return (NO);
+	if (match_fn(tok, request)) {		/* YES: look for exceptions */
+	    while ((tok = strtok((char *) 0, sep)) && STR_NE(tok, "EXCEPT"))
+		 /* VOID */ ;
+	    return (tok == 0 || list_match((char *) 0, request, match_fn) == 0);
+	}
+    }
+    return (NO);
+}
+
+/*
+ * daemon_or_port_match - match server information: if the server endpoint
+ * pattern is a port number, match against port number of connection;
+ * otherwise match against daemon executable name
+ */
+
+static int daemon_or_port_match(char *tok, struct request_info *request) {
+    unsigned int port, sin_port;
+    char junk;
+
+    /* daemon name */
+    if (sscanf(tok, "%u%c", &port, &junk) != 1 || port > 65535)
+	return (string_match(tok, eval_daemon(request)));
+
+    /* port number */
+    if (!request->server->sin)
+	return (NO);
+
+#ifdef INET6
+    sin_port = ntohs(((struct sockaddr_in *)request->server->sin)->sin_port);
+#else
+    sin_port = ntohs(request->server->sin->sin_port);
+#endif
+
+    if (port == sin_port)
+	return (YES);
+    else
+	return (NO);
+}
+
+/* server_match - match server information */
+
+static int server_match(tok, request)
+char   *tok;
+struct request_info *request;
+{
+    char   *host;
+
+    if ((host = split_at(tok + 1, '@')) == 0) {	/* plain daemon */
+	return (daemon_or_port_match(tok, request));
+    } else {					/* daemon@host */
+	return (daemon_or_port_match(tok, request)
+		&& host_match(host, request->server));
+    }
+}
+
+/* client_match - match client information */
+
+static int client_match(tok, request)
+char   *tok;
+struct request_info *request;
+{
+    char   *host;
+
+    if ((host = split_at(tok + 1, '@')) == 0) {	/* plain host */
+	return (host_match(tok, request->client));
+    } else {					/* user@host */
+	return (host_match(host, request->client)
+		&& string_match(tok, eval_user(request)));
+    }
+}
+
+/* hostfile_match - look up host patterns from file */
+
+static int hostfile_match(path, host)
+char   *path;
+struct hosts_info *host;
+{
+    char    tok[BUFSIZ];
+    int     match = NO;
+    FILE   *fp;
+
+    if ((fp = fopen(path, "r")) != 0) {
+	while (fscanf(fp, "%s", tok) == 1 && !(match = host_match(tok, host)))
+	     /* void */ ;
+	fclose(fp);
+    } else if (errno != ENOENT) {
+	tcpd_warn("open %s: %m", path);
+    }
+    return (match);
+}
+
+/* host_match - match host name and/or address against pattern */
+
+static int host_match(tok, host)
+char   *tok;
+struct host_info *host;
+{
+    char   *mask;
+
+    /*
+     * This code looks a little hairy because we want to avoid unnecessary
+     * hostname lookups.
+     * 
+     * The KNOWN pattern requires that both address AND name be known; some
+     * patterns are specific to host names or to host addresses; all other
+     * patterns are satisfied when either the address OR the name match.
+     */
+
+    if (tok[0] == '@') {			/* netgroup: look it up */
+#ifdef  NETGROUP
+	static char *mydomain = 0;
+	if (mydomain == 0)
+	    yp_get_default_domain(&mydomain);
+	return (innetgr(tok + 1, eval_hostname(host), (char *) 0, mydomain));
+#else
+	tcpd_warn("netgroup support is disabled");	/* not tcpd_jump() */
+	return (NO);
+#endif
+    } else if (tok[0] == '/') {			/* /file hack */
+	return (hostfile_match(tok, host));
+    } else if (STR_EQ(tok, "KNOWN")) {		/* check address and name */
+	char   *name = eval_hostname(host);
+	return (STR_NE(eval_hostaddr(host), unknown) && HOSTNAME_KNOWN(name));
+    } else if (STR_EQ(tok, "LOCAL")) {		/* local: no dots in name */
+	char   *name = eval_hostname(host);
+	return (strchr(name, '.') == 0 && HOSTNAME_KNOWN(name));
+    } else if ((mask = split_at(tok, '/')) != 0) {	/* net/mask */
+	return (masked_match(tok, mask, eval_hostaddr(host)));
+    } else {					/* anything else */
+	return (string_match(tok, eval_hostaddr(host))
+	    || (NOT_INADDR(tok) && string_match(tok, eval_hostname(host))));
+    }
+}
+
+/* string_match - match string against pattern */
+
+static int string_match(tok, string)
+char   *tok;
+char   *string;
+{
+    int     n;
+
+#ifdef INET6
+    /* convert IPv4 mapped IPv6 address to IPv4 address */
+    if (STRN_EQ(string, "::ffff:", 7)
+      && dot_quad_addr(string + 7) != INADDR_NONE) {
+      string += 7;
+    }
+#endif    
+#ifndef DISABLE_WILDCARD_MATCHING
+    if (strchr(tok, '*') || strchr(tok,'?')) {  /* contains '*' or '?' */
+        return (match_pattern_ylo(string,tok)); 	       
+    } else 
+#endif    
+    if (tok[0] == '.') {			/* suffix */
+	n = strlen(string) - strlen(tok);
+	return (n > 0 && STR_EQ(tok, string + n));
+    } else if (STR_EQ(tok, "ALL")) {		/* all: match any */
+	return (YES);
+    } else if (STR_EQ(tok, "KNOWN")) {		/* not unknown */
+	return (STR_NE(string, unknown));
+    } else if (tok[(n = strlen(tok)) - 1] == '.') {	/* prefix */
+	return (STRN_EQ(tok, string, n));
+    } else {					/* exact match */
+#ifdef INET6
+	struct addrinfo hints, *res;
+	struct sockaddr_in6 pat, addr;
+	int len, ret;
+	char ch;
+
+	len = strlen(tok);
+	if (*tok == '[' && tok[len - 1] == ']') {
+	    ch = tok[len - 1];
+	    tok[len - 1] = '\0';
+	    memset(&hints, 0, sizeof(hints));
+	    hints.ai_family = AF_INET6;
+	    hints.ai_socktype = SOCK_STREAM;
+	    hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
+	    if ((ret = getaddrinfo(tok + 1, NULL, &hints, &res)) == 0) {
+		memcpy(&pat, res->ai_addr, sizeof(pat));
+		freeaddrinfo(res);
+	    }
+	    tok[len - 1] = ch;
+	    if (ret != 0 || getaddrinfo(string, NULL, &hints, &res) != 0)
+		return NO;
+	    memcpy(&addr, res->ai_addr, sizeof(addr));
+	    freeaddrinfo(res);
+#ifdef NI_WITHSCOPEID
+	    if (pat.sin6_scope_id != 0 &&
+		addr.sin6_scope_id != pat.sin6_scope_id)
+		return NO;
+#endif
+	    return (!memcmp(&pat.sin6_addr, &addr.sin6_addr,
+			    sizeof(struct in6_addr)));
+	    return (ret);
+	}
+#endif
+	return (STR_EQ(tok, string));
+    }
+}
+
+/* masked_match - match address against netnumber/netmask */
+
+#ifdef INET6
+static int masked_match(net_tok, mask_tok, string)
+char   *net_tok;
+char   *mask_tok;
+char   *string;
+{
+    return (masked_match4(net_tok, mask_tok, string) ||
+	    masked_match6(net_tok, mask_tok, string));
+}
+
+static int masked_match4(net_tok, mask_tok, string)
+#else
+static int masked_match(net_tok, mask_tok, string)
+#endif
+char   *net_tok;
+char   *mask_tok;
+char   *string;
+{
+#ifdef INET6
+    u_int32_t net;
+    u_int32_t mask;
+    u_int32_t addr;
+#else
+    unsigned long net;
+    unsigned long mask;
+    unsigned long addr;
+#endif
+
+    /*
+     * Disallow forms other than dotted quad: the treatment that inet_addr()
+     * gives to forms with less than four components is inconsistent with the
+     * access control language. John P. Rouillard <rouilj@cs.umb.edu>.
+     */
+
+    if ((addr = dot_quad_addr(string)) == INADDR_NONE)
+	return (NO);
+    if ((net = dot_quad_addr(net_tok)) == INADDR_NONE
+	|| ((mask = dot_quad_addr(mask_tok)) == INADDR_NONE
+	    && (mask = cidr_mask_addr(mask_tok)) == 0)) {
+#ifndef INET6
+	tcpd_warn("bad net/mask expression: %s/%s", net_tok, mask_tok);
+#endif
+	return (NO);				/* not tcpd_jump() */
+    }
+    return ((addr & mask) == net);
+}
+
+#ifdef INET6
+static int masked_match6(net_tok, mask_tok, string)
+char   *net_tok;
+char   *mask_tok;
+char   *string;
+{
+    struct addrinfo hints, *res;
+    struct sockaddr_in6 net, addr;
+    u_int32_t mask;
+    int len, mask_len, i = 0;
+    char ch;
+
+    /*
+     * Behavior of getaddrinfo() against IPv4-mapped IPv6 address is
+     * different between KAME and Solaris8.  While KAME returns
+     * AF_INET6, Solaris8 returns AF_INET.  So, we avoid this here.
+     */
+    if (STRN_EQ(string, "::ffff:", 7)
+	&& dot_quad_addr(string + 7) != INADDR_NONE)
+	return (masked_match4(net_tok, mask_tok, string + 7));
+
+    memset(&hints, 0, sizeof(hints));
+    hints.ai_family = AF_INET6;
+    hints.ai_socktype = SOCK_STREAM;
+    hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
+    if (getaddrinfo(string, NULL, &hints, &res) != 0)
+	return NO;
+    memcpy(&addr, res->ai_addr, sizeof(addr));
+    freeaddrinfo(res);
+
+    /* match IPv6 address against netnumber/prefixlen */
+    len = strlen(net_tok);
+    if (*net_tok != '[' || net_tok[len - 1] != ']')
+	return NO;
+    ch = net_tok[len - 1];
+    net_tok[len - 1] = '\0';
+    if (getaddrinfo(net_tok + 1, NULL, &hints, &res) != 0) {
+	net_tok[len - 1] = ch;
+	return NO;
+    }
+    memcpy(&net, res->ai_addr, sizeof(net));
+    freeaddrinfo(res);
+    net_tok[len - 1] = ch;
+    if ((mask_len = atoi(mask_tok)) < 0 || mask_len > 128)
+	return NO;
+
+#ifdef NI_WITHSCOPEID
+    if (net.sin6_scope_id != 0 && addr.sin6_scope_id != net.sin6_scope_id)
+	return NO;
+#endif
+    while (mask_len > 0) {
+	if (mask_len < 32) {
+	    mask = htonl(~(0xffffffff >> mask_len));
+	    if ((*(u_int32_t *)&addr.sin6_addr.s6_addr[i] & mask) != (*(u_int32_t *)&net.sin6_addr.s6_addr[i] & mask))
+		return NO;
+	    break;
+	}
+	if (*(u_int32_t *)&addr.sin6_addr.s6_addr[i] != *(u_int32_t *)&net.sin6_addr.s6_addr[i])
+	    return NO;
+	i += 4;
+	mask_len -= 32;
+    }
+    return YES;
+}
+#endif /* INET6 */
+
+#ifndef DISABLE_WILDCARD_MATCHING
+/* Note: this feature has been adapted in a pretty straightforward way
+   from Tatu Ylonen's last SSH version under free license by 
+   Pekka Savola <pekkas@netcore.fi>.
+
+   Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+*/
+
+/* Returns true if the given string matches the pattern (which may contain
+   ? and * as wildcards), and zero if it does not match. */
+	  
+static int match_pattern_ylo(const char *s, const char *pattern)
+{
+  char src;
+  char pat;
+  while (1)
+    {
+      /* If at end of pattern, accept if also at end of string. */
+      if (!*pattern)
+        return !*s;
+
+      /* Process '*'. */
+      if (*pattern == '*')
+        {
+	  /* Skip the asterisk. */
+	  pattern++;
+
+	  /* If at end of pattern, accept immediately. */
+          if (!*pattern)
+            return 1;
+
+	  /* If next character in pattern is known, optimize. */
+          if (*pattern != '?' && *pattern != '*')
+            {
+	      /* Look instances of the next character in pattern, and try
+		 to match starting from those. */
+              pat = *pattern;
+              for (; *s; s++) {
+                src = *s;
+                if (toupper(src) == toupper(pat) &&
+                    match_pattern_ylo(s + 1, pattern + 1))
+                  return 1;
+              }
+	      /* Failed. */
+              return 0;
+            }
+
+	  /* Move ahead one character at a time and try to match at each
+	     position. */
+          for (; *s; s++)
+            if (match_pattern_ylo(s, pattern))
+              return 1;
+	  /* Failed. */
+          return 0;
+        }
+
+      /* There must be at least one more character in the string.  If we are
+	 at the end, fail. */
+      if (!*s)
+        return 0;
+
+      /* Check if the next character of the string is acceptable. */
+      pat = *pattern;
+      src = *s;
+      if (*pattern != '?' && toupper(pat) != toupper(src))
+	return 0;
+      
+      /* Move to the next character, both in string and in pattern. */
+      s++;
+      pattern++;
+    }
+  /*NOTREACHED*/
+}
+#endif /* DISABLE_WILDCARD_MATCHING */
diff --git a/tcp_wrappers_7.6/hosts_access.c.orig b/tcp_wrappers_7.6/hosts_access.c.orig
new file mode 100644
index 0000000..7ef0554
--- /dev/null
+++ b/tcp_wrappers_7.6/hosts_access.c.orig
@@ -0,0 +1,614 @@
+ /*
+  * This module implements a simple access control language that is based on
+  * host (or domain) names, NIS (host) netgroup names, IP addresses (or
+  * network numbers) and daemon process names. When a match is found the
+  * search is terminated, and depending on whether PROCESS_OPTIONS is defined,
+  * a list of options is executed or an optional shell command is executed.
+  * 
+  * Host and user names are looked up on demand, provided that suitable endpoint
+  * information is available as sockaddr_in structures or TLI netbufs. As a
+  * side effect, the pattern matching process may change the contents of
+  * request structure fields.
+  * 
+  * Diagnostics are reported through syslog(3).
+  * 
+  * Compile with -DNETGROUP if your library provides support for netgroups.
+  * 
+  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+  */
+
+#ifndef lint
+static char sccsid[] = "@(#) hosts_access.c 1.21 97/02/12 02:13:22";
+#endif
+
+/* System libraries. */
+
+#include <sys/types.h>
+#ifdef INT32_T
+    typedef uint32_t u_int32_t;
+#endif
+#include <sys/param.h>
+#ifdef INET6
+#include <sys/socket.h>
+#endif
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <stdio.h>
+#include <syslog.h>
+#include <ctype.h>
+#include <errno.h>
+#include <setjmp.h>
+#include <string.h>
+#ifdef INET6
+#include <netdb.h>
+#endif
+
+extern char *fgets();
+extern int errno;
+
+#ifndef	INADDR_NONE
+#define	INADDR_NONE	(-1)		/* XXX should be 0xffffffff */
+#endif
+
+/* Local stuff. */
+
+#include "tcpd.h"
+
+/* Error handling. */
+
+extern jmp_buf tcpd_buf;
+
+/* Delimiters for lists of daemons or clients. */
+
+static char sep[] = ", \t\r\n";
+
+/* Constants to be used in assignments only, not in comparisons... */
+
+#define	YES		1
+#define	NO		0
+
+ /*
+  * These variables are globally visible so that they can be redirected in
+  * verification mode.
+  */
+
+char   *hosts_allow_table = HOSTS_ALLOW;
+char   *hosts_deny_table = HOSTS_DENY;
+int     hosts_access_verbose = 0;
+
+ /*
+  * In a long-running process, we are not at liberty to just go away.
+  */
+
+int     resident = (-1);		/* -1, 0: unknown; +1: yes */
+#ifdef ACLEXEC
+int	aclexec_matched = 0;
+#endif
+
+/* Forward declarations. */
+
+static int table_match();
+static int list_match();
+static int server_match();
+static int client_match();
+static int host_match();
+static int string_match();
+static int masked_match();
+static int match_pattern_ylo();
+#ifdef INET6
+static int masked_match4();
+static int masked_match6();
+#endif
+
+/* Size of logical line buffer. */
+
+#define	BUFLEN 2048
+
+/* hosts_access - host access control facility */
+
+int     hosts_access(request)
+struct request_info *request;
+{
+    int     verdict;
+
+    /*
+     * If the (daemon, client) pair is matched by an entry in the file
+     * /etc/hosts.allow, access is granted. Otherwise, if the (daemon,
+     * client) pair is matched by an entry in the file /etc/hosts.deny,
+     * access is denied. Otherwise, access is granted. A non-existent
+     * access-control file is treated as an empty file.
+     * 
+     * After a rule has been matched, the optional language extensions may
+     * decide to grant or refuse service anyway. Or, while a rule is being
+     * processed, a serious error is found, and it seems better to play safe
+     * and deny service. All this is done by jumping back into the
+     * hosts_access() routine, bypassing the regular return from the
+     * table_match() function calls below.
+     */
+
+    if (resident <= 0)
+	resident++;
+    verdict = setjmp(tcpd_buf);
+    if (verdict != 0)
+	return (verdict == AC_PERMIT);
+    if (table_match(hosts_allow_table, request))
+	return (YES);
+    if (table_match(hosts_deny_table, request))
+	return (NO);
+    return (YES);
+}
+
+/* table_match - match table entries with (daemon, client) pair */
+
+static int table_match(table, request)
+char   *table;
+struct request_info *request;
+{
+    FILE   *fp;
+    char    sv_list[BUFLEN];		/* becomes list of daemons */
+    char   *cl_list;			/* becomes list of clients */
+    char   *sh_cmd;			/* becomes optional shell command */
+    int     match = NO;
+    struct tcpd_context saved_context;
+
+    saved_context = tcpd_context;		/* stupid compilers */
+
+    /*
+     * Between the fopen() and fclose() calls, avoid jumps that may cause
+     * file descriptor leaks.
+     */
+
+    if ((fp = fopen(table, "r")) != 0) {
+	tcpd_context.file = table;
+	tcpd_context.line = 0;
+	while (match == NO && xgets(sv_list, sizeof(sv_list), fp) != 0) {
+	    if (sv_list[strlen(sv_list) - 1] != '\n') {
+		tcpd_warn("missing newline or line too long");
+		continue;
+	    }
+	    if (sv_list[0] == '#' || sv_list[strspn(sv_list, " \t\r\n")] == 0)
+		continue;
+	    if ((cl_list = split_at(sv_list, ':')) == 0) {
+		tcpd_warn("missing \":\" separator");
+		continue;
+	    }
+	    sh_cmd = split_at(cl_list, ':');
+	    match = list_match(sv_list, request, server_match)
+		&& list_match(cl_list, request, client_match);
+	}
+	(void) fclose(fp);
+    } else if (errno != ENOENT) {
+	tcpd_warn("cannot open %s: %m", table);
+    }
+    if (match) {
+	if (hosts_access_verbose > 1)
+	    syslog(LOG_DEBUG, "matched:  %s line %d",
+		   tcpd_context.file, tcpd_context.line);
+	if (sh_cmd) {
+#ifdef PROCESS_OPTIONS
+	    process_options(sh_cmd, request);
+# ifdef ACLEXEC
+	    if (aclexec_matched) {
+		syslog(LOG_INFO, "aclexec returned %d", aclexec_matched);
+		match = NO;
+	    }
+# endif
+#else
+	    char    cmd[BUFSIZ];
+	    shell_cmd(percent_x(cmd, sizeof(cmd), sh_cmd, request));
+#endif
+	}
+    }
+    tcpd_context = saved_context;
+    return (match);
+}
+
+/* list_match - match a request against a list of patterns with exceptions */
+
+static int list_match(list, request, match_fn)
+char   *list;
+struct request_info *request;
+int   (*match_fn) ();
+{
+    char   *tok;
+
+    /*
+     * Process tokens one at a time. We have exhausted all possible matches
+     * when we reach an "EXCEPT" token or the end of the list. If we do find
+     * a match, look for an "EXCEPT" list and recurse to determine whether
+     * the match is affected by any exceptions.
+     */
+
+    for (tok = strtok(list, sep); tok != 0; tok = strtok((char *) 0, sep)) {
+	if (STR_EQ(tok, "EXCEPT"))		/* EXCEPT: give up */
+	    return (NO);
+	if (match_fn(tok, request)) {		/* YES: look for exceptions */
+	    while ((tok = strtok((char *) 0, sep)) && STR_NE(tok, "EXCEPT"))
+		 /* VOID */ ;
+	    return (tok == 0 || list_match((char *) 0, request, match_fn) == 0);
+	}
+    }
+    return (NO);
+}
+
+/*
+ * daemon_or_port_match - match server information: if the server endpoint
+ * pattern is a port number, match against port number of connection;
+ * otherwise match against daemon executable name
+ */
+
+static int daemon_or_port_match(char *tok, struct request_info *request) {
+    unsigned int port, sin_port;
+    char junk;
+
+    /* daemon name */
+    if (sscanf(tok, "%u%c", &port, &junk) != 1 || port > 65535)
+	return (string_match(tok, eval_daemon(request)));
+
+    /* port number */
+    if (!request->server->sin)
+	return (NO);
+
+#ifdef INET6
+    sin_port = ntohs(((struct sockaddr_in *)request->server->sin)->sin_port);
+#else
+    sin_port = ntohs(request->server->sin->sin_port);
+#endif
+
+    if (port == sin_port)
+	return (YES);
+    else
+	return (NO);
+}
+
+/* server_match - match server information */
+
+static int server_match(tok, request)
+char   *tok;
+struct request_info *request;
+{
+    char   *host;
+
+    if ((host = split_at(tok + 1, '@')) == 0) {	/* plain daemon */
+	return (daemon_or_port_match(tok, request));
+    } else {					/* daemon@host */
+	return (daemon_or_port_match(tok, request)
+		&& host_match(host, request->server));
+    }
+}
+
+/* client_match - match client information */
+
+static int client_match(tok, request)
+char   *tok;
+struct request_info *request;
+{
+    char   *host;
+
+    if ((host = split_at(tok + 1, '@')) == 0) {	/* plain host */
+	return (host_match(tok, request->client));
+    } else {					/* user@host */
+	return (host_match(host, request->client)
+		&& string_match(tok, eval_user(request)));
+    }
+}
+
+/* hostfile_match - look up host patterns from file */
+
+static int hostfile_match(path, host)
+char   *path;
+struct hosts_info *host;
+{
+    char    tok[BUFSIZ];
+    int     match = NO;
+    FILE   *fp;
+
+    if ((fp = fopen(path, "r")) != 0) {
+	while (fscanf(fp, "%s", tok) == 1 && !(match = host_match(tok, host)))
+	     /* void */ ;
+	fclose(fp);
+    } else if (errno != ENOENT) {
+	tcpd_warn("open %s: %m", path);
+    }
+    return (match);
+}
+
+/* host_match - match host name and/or address against pattern */
+
+static int host_match(tok, host)
+char   *tok;
+struct host_info *host;
+{
+    char   *mask;
+
+    /*
+     * This code looks a little hairy because we want to avoid unnecessary
+     * hostname lookups.
+     * 
+     * The KNOWN pattern requires that both address AND name be known; some
+     * patterns are specific to host names or to host addresses; all other
+     * patterns are satisfied when either the address OR the name match.
+     */
+
+    if (tok[0] == '@') {			/* netgroup: look it up */
+#ifdef  NETGROUP
+	static char *mydomain = 0;
+	if (mydomain == 0)
+	    yp_get_default_domain(&mydomain);
+	return (innetgr(tok + 1, eval_hostname(host), (char *) 0, mydomain));
+#else
+	tcpd_warn("netgroup support is disabled");	/* not tcpd_jump() */
+	return (NO);
+#endif
+    } else if (tok[0] == '/') {			/* /file hack */
+	return (hostfile_match(tok, host));
+    } else if (STR_EQ(tok, "KNOWN")) {		/* check address and name */
+	char   *name = eval_hostname(host);
+	return (STR_NE(eval_hostaddr(host), unknown) && HOSTNAME_KNOWN(name));
+    } else if (STR_EQ(tok, "LOCAL")) {		/* local: no dots in name */
+	char   *name = eval_hostname(host);
+	return (strchr(name, '.') == 0 && HOSTNAME_KNOWN(name));
+    } else if ((mask = split_at(tok, '/')) != 0) {	/* net/mask */
+	return (masked_match(tok, mask, eval_hostaddr(host)));
+    } else {					/* anything else */
+	return (string_match(tok, eval_hostaddr(host))
+	    || (NOT_INADDR(tok) && string_match(tok, eval_hostname(host))));
+    }
+}
+
+/* string_match - match string against pattern */
+
+static int string_match(tok, string)
+char   *tok;
+char   *string;
+{
+    int     n;
+
+#ifdef INET6
+    /* convert IPv4 mapped IPv6 address to IPv4 address */
+    if (STRN_EQ(string, "::ffff:", 7)
+      && dot_quad_addr(string + 7) != INADDR_NONE) {
+      string += 7;
+    }
+#endif    
+#ifndef DISABLE_WILDCARD_MATCHING
+    if (strchr(tok, '*') || strchr(tok,'?')) {  /* contains '*' or '?' */
+        return (match_pattern_ylo(string,tok)); 	       
+    } else 
+#endif    
+    if (tok[0] == '.') {			/* suffix */
+	n = strlen(string) - strlen(tok);
+	return (n > 0 && STR_EQ(tok, string + n));
+    } else if (STR_EQ(tok, "ALL")) {		/* all: match any */
+	return (YES);
+    } else if (STR_EQ(tok, "KNOWN")) {		/* not unknown */
+	return (STR_NE(string, unknown));
+    } else if (tok[(n = strlen(tok)) - 1] == '.') {	/* prefix */
+	return (STRN_EQ(tok, string, n));
+    } else {					/* exact match */
+#ifdef INET6
+	struct addrinfo hints, *res;
+	struct sockaddr_in6 pat, addr;
+	int len, ret;
+	char ch;
+
+	len = strlen(tok);
+	if (*tok == '[' && tok[len - 1] == ']') {
+	    ch = tok[len - 1];
+	    tok[len - 1] = '\0';
+	    memset(&hints, 0, sizeof(hints));
+	    hints.ai_family = AF_INET6;
+	    hints.ai_socktype = SOCK_STREAM;
+	    hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
+	    if ((ret = getaddrinfo(tok + 1, NULL, &hints, &res)) == 0) {
+		memcpy(&pat, res->ai_addr, sizeof(pat));
+		freeaddrinfo(res);
+	    }
+	    tok[len - 1] = ch;
+	    if (ret != 0 || getaddrinfo(string, NULL, &hints, &res) != 0)
+		return NO;
+	    memcpy(&addr, res->ai_addr, sizeof(addr));
+	    freeaddrinfo(res);
+#ifdef NI_WITHSCOPEID
+	    if (pat.sin6_scope_id != 0 &&
+		addr.sin6_scope_id != pat.sin6_scope_id)
+		return NO;
+#endif
+	    return (!memcmp(&pat.sin6_addr, &addr.sin6_addr,
+			    sizeof(struct in6_addr)));
+	    return (ret);
+	}
+#endif
+	return (STR_EQ(tok, string));
+    }
+}
+
+/* masked_match - match address against netnumber/netmask */
+
+#ifdef INET6
+static int masked_match(net_tok, mask_tok, string)
+char   *net_tok;
+char   *mask_tok;
+char   *string;
+{
+    return (masked_match4(net_tok, mask_tok, string) ||
+	    masked_match6(net_tok, mask_tok, string));
+}
+
+static int masked_match4(net_tok, mask_tok, string)
+#else
+static int masked_match(net_tok, mask_tok, string)
+#endif
+char   *net_tok;
+char   *mask_tok;
+char   *string;
+{
+#ifdef INET6
+    u_int32_t net;
+    u_int32_t mask;
+    u_int32_t addr;
+#else
+    unsigned long net;
+    unsigned long mask;
+    unsigned long addr;
+#endif
+
+    /*
+     * Disallow forms other than dotted quad: the treatment that inet_addr()
+     * gives to forms with less than four components is inconsistent with the
+     * access control language. John P. Rouillard <rouilj@cs.umb.edu>.
+     */
+
+    if ((addr = dot_quad_addr(string)) == INADDR_NONE)
+	return (NO);
+    if ((net = dot_quad_addr(net_tok)) == INADDR_NONE
+	|| ((mask = dot_quad_addr(mask_tok)) == INADDR_NONE
+	    && (mask = cidr_mask_addr(mask_tok)) == 0)) {
+#ifndef INET6
+	tcpd_warn("bad net/mask expression: %s/%s", net_tok, mask_tok);
+#endif
+	return (NO);				/* not tcpd_jump() */
+    }
+    return ((addr & mask) == net);
+}
+
+#ifdef INET6
+static int masked_match6(net_tok, mask_tok, string)
+char   *net_tok;
+char   *mask_tok;
+char   *string;
+{
+    struct addrinfo hints, *res;
+    struct sockaddr_in6 net, addr;
+    u_int32_t mask;
+    int len, mask_len, i = 0;
+    char ch;
+
+    /*
+     * Behavior of getaddrinfo() against IPv4-mapped IPv6 address is
+     * different between KAME and Solaris8.  While KAME returns
+     * AF_INET6, Solaris8 returns AF_INET.  So, we avoid this here.
+     */
+    if (STRN_EQ(string, "::ffff:", 7)
+	&& dot_quad_addr(string + 7) != INADDR_NONE)
+	return (masked_match4(net_tok, mask_tok, string + 7));
+
+    memset(&hints, 0, sizeof(hints));
+    hints.ai_family = AF_INET6;
+    hints.ai_socktype = SOCK_STREAM;
+    hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
+    if (getaddrinfo(string, NULL, &hints, &res) != 0)
+	return NO;
+    memcpy(&addr, res->ai_addr, sizeof(addr));
+    freeaddrinfo(res);
+
+    /* match IPv6 address against netnumber/prefixlen */
+    len = strlen(net_tok);
+    if (*net_tok != '[' || net_tok[len - 1] != ']')
+	return NO;
+    ch = net_tok[len - 1];
+    net_tok[len - 1] = '\0';
+    if (getaddrinfo(net_tok + 1, NULL, &hints, &res) != 0) {
+	net_tok[len - 1] = ch;
+	return NO;
+    }
+    memcpy(&net, res->ai_addr, sizeof(net));
+    freeaddrinfo(res);
+    net_tok[len - 1] = ch;
+    if ((mask_len = atoi(mask_tok)) < 0 || mask_len > 128)
+	return NO;
+
+#ifdef NI_WITHSCOPEID
+    if (net.sin6_scope_id != 0 && addr.sin6_scope_id != net.sin6_scope_id)
+	return NO;
+#endif
+    while (mask_len > 0) {
+	if (mask_len < 32) {
+	    mask = htonl(~(0xffffffff >> mask_len));
+	    if ((*(u_int32_t *)&addr.sin6_addr.s6_addr[i] & mask) != (*(u_int32_t *)&net.sin6_addr.s6_addr[i] & mask))
+		return NO;
+	    break;
+	}
+	if (*(u_int32_t *)&addr.sin6_addr.s6_addr[i] != *(u_int32_t *)&net.sin6_addr.s6_addr[i])
+	    return NO;
+	i += 4;
+	mask_len -= 32;
+    }
+    return YES;
+}
+#endif /* INET6 */
+
+#ifndef DISABLE_WILDCARD_MATCHING
+/* Note: this feature has been adapted in a pretty straightforward way
+   from Tatu Ylonen's last SSH version under free license by 
+   Pekka Savola <pekkas@netcore.fi>.
+
+   Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
+*/
+
+/* Returns true if the given string matches the pattern (which may contain
+   ? and * as wildcards), and zero if it does not match. */
+	  
+static int match_pattern_ylo(const char *s, const char *pattern)
+{
+  char src;
+  char pat;
+  while (1)
+    {
+      /* If at end of pattern, accept if also at end of string. */
+      if (!*pattern)
+        return !*s;
+
+      /* Process '*'. */
+      if (*pattern == '*')
+        {
+	  /* Skip the asterisk. */
+	  pattern++;
+
+	  /* If at end of pattern, accept immediately. */
+          if (!*pattern)
+            return 1;
+
+	  /* If next character in pattern is known, optimize. */
+          if (*pattern != '?' && *pattern != '*')
+            {
+	      /* Look instances of the next character in pattern, and try
+		 to match starting from those. */
+              pat = *pattern;
+              for (; *s; s++) {
+                src = *s;
+                if (toupper(src) == toupper(pat) &&
+                    match_pattern_ylo(s + 1, pattern + 1))
+                  return 1;
+              }
+	      /* Failed. */
+              return 0;
+            }
+
+	  /* Move ahead one character at a time and try to match at each
+	     position. */
+          for (; *s; s++)
+            if (match_pattern_ylo(s, pattern))
+              return 1;
+	  /* Failed. */
+          return 0;
+        }
+
+      /* There must be at least one more character in the string.  If we are
+	 at the end, fail. */
+      if (!*s)
+        return 0;
+
+      /* Check if the next character of the string is acceptable. */
+      pat = *pattern;
+      src = *s;
+      if (*pattern != '?' && toupper(pat) != toupper(src))
+	return 0;
+      
+      /* Move to the next character, both in string and in pattern. */
+      s++;
+      pattern++;
+    }
+  /*NOTREACHED*/
+}
+#endif /* DISABLE_WILDCARD_MATCHING */
diff --git a/tcp_wrappers_7.6/hosts_ctl.c b/tcp_wrappers_7.6/hosts_ctl.c
new file mode 100644
index 0000000..e57f30a
--- /dev/null
+++ b/tcp_wrappers_7.6/hosts_ctl.c
@@ -0,0 +1,38 @@
+ /*
+  * hosts_ctl() combines common applications of the host access control
+  * library routines. It bundles its arguments then calls the hosts_access()
+  * access control checker. The host name and user name arguments should be
+  * empty strings, STRING_UNKNOWN or real data. If a match is found, the
+  * optional shell command is executed.
+  * 
+  * Restriction: this interface does not pass enough information to support
+  * selective remote username lookups or selective hostname double checks.
+  * 
+  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+  */
+
+#ifndef lint
+static char sccsid[] = "@(#) hosts_ctl.c 1.4 94/12/28 17:42:27";
+#endif
+
+#include <stdio.h>
+
+#include "tcpd.h"
+
+/* hosts_ctl - limited interface to the hosts_access() routine */
+
+int     hosts_ctl(daemon, name, addr, user)
+char   *daemon;
+char   *name;
+char   *addr;
+char   *user;
+{
+    struct request_info request;
+
+    return (hosts_access(request_init(&request,
+				      RQ_DAEMON, daemon,
+				      RQ_CLIENT_NAME, name,
+				      RQ_CLIENT_ADDR, addr,
+				      RQ_USER, user,
+				      0)));
+}
diff --git a/tcp_wrappers_7.6/hosts_options.5 b/tcp_wrappers_7.6/hosts_options.5
new file mode 100644
index 0000000..d2fd7e1
--- /dev/null
+++ b/tcp_wrappers_7.6/hosts_options.5
@@ -0,0 +1,187 @@
+.TH HOSTS_OPTIONS 5
+.SH NAME
+hosts_options \- host access control language extensions
+.SH DESCRIPTION
+This document describes extensions to the language described
+in the hosts_access(5) document.
+.PP
+The extensible language uses the following format:
+.sp
+.ti +3
+daemon_list : client_list : option : option ...
+.PP
+The first two fields are described in the hosts_access(5) manual page.
+The remainder of the rules is a list of zero or more options.  Any ":"
+characters within options should be protected with a backslash.
+.PP
+An option is of the form "keyword" or "keyword value". Options are
+processed in the specified order. Some options are subjected to
+%<letter> substitutions. For the sake of backwards compatibility with
+earlier versions, an "=" is permitted between keyword and value.
+.SH LOGGING
+.IP "severity mail.info"
+.IP "severity notice"
+Change the severity level at which the event will be logged. Facility
+names (such as mail) are optional, and are not supported on systems
+with older syslog implementations. The severity option can be used
+to emphasize or to ignore specific events.
+.SH ACCESS CONTROL
+.IP "allow"
+.IP "deny"
+Grant (deny) service. These options must appear at the end of a rule.
+.PP
+The \fIallow\fR and \fIdeny\fR keywords make it possible to keep all
+access control rules within a single file, for example in the
+\fIhosts.allow\fR file.
+.sp
+To permit access from specific hosts only:
+.sp
+.ne 2
+.ti +3
+ALL: .friendly.domain: ALLOW
+.ti +3
+ALL: ALL: DENY
+.sp
+To permit access from all hosts except a few trouble makers:
+.sp
+.ne 2
+.ti +3
+ALL: .bad.domain: DENY
+.ti +3
+ALL: ALL: ALLOW
+.sp
+Notice the leading dot on the domain name patterns.
+.SH RUNNING OTHER COMMANDS
+.IP "aclexec shell_command"
+Execute, in a child process, the specified shell command, after
+performing the %<letter> expansions described in the hosts_access(5)
+manual page.  The command is executed with stdin, stdout and stderr
+connected to the null device, so that it won't mess up the
+conversation with the client host. Example:
+.sp
+.nf
+.ti +3
+smtp : ALL : aclexec checkdnsbl %a
+.fi
+.sp
+executes, in a background child process, the shell command "checkdnsbl %a"
+after replacing %a by the address of the remote host.
+.sp
+The connection will be allowed or refused depending on whether the
+command returns a true or false exit status.
+.IP "spawn shell_command"
+Execute, in a child process, the specified shell command, after
+performing the %<letter> expansions described in the hosts_access(5)
+manual page.  The command is executed with stdin, stdout and stderr
+connected to the null device, so that it won't mess up the
+conversation with the client host. Example:
+.sp
+.nf
+.ti +3
+spawn (/usr/sbin/safe_finger -l @%h | /usr/bin/mail root) &
+.fi
+.sp
+executes, in a background child process, the shell command "safe_finger
+-l @%h | mail root" after replacing %h by the name or address of the
+remote host.
+.sp
+The example uses the "safe_finger" command instead of the regular
+"finger" command, to limit possible damage from data sent by the finger
+server. The "safe_finger" command is part of the daemon wrapper
+package; it is a wrapper around the regular finger command that filters
+the data sent by the remote host.
+.IP "twist shell_command"
+Replace the current process by an instance of the specified shell
+command, after performing the %<letter> expansions described in the
+hosts_access(5) manual page.  Stdin, stdout and stderr are connected to
+the client process. This option must appear at the end of a rule.
+.sp
+To send a customized bounce message to the client instead of
+running the real ftp daemon:
+.sp
+.nf
+.ti +3
+in.ftpd : ... : twist /bin/echo 421 Some bounce message
+.fi
+.sp
+For an alternative way to talk to client processes, see the
+\fIbanners\fR option below.
+.sp
+To run /some/other/in.telnetd without polluting its command-line
+array or its process environment:
+.sp
+.nf
+.ti +3
+in.telnetd : ... : twist PATH=/some/other; exec in.telnetd
+.fi
+.sp
+Warning:  in case of UDP services, do not twist to commands that use
+the standard I/O or the read(2)/write(2) routines to communicate with
+the client process; UDP requires other I/O primitives.
+.SH NETWORK OPTIONS
+.IP "keepalive"
+Causes the server to periodically send a message to the client.  The
+connection is considered broken when the client does not respond. The
+keepalive option can be useful when users turn off their machine while
+it is still connected to a server.  The keepalive option is not useful
+for datagram (UDP) services.
+.IP "linger number_of_seconds"
+Specifies how long the kernel will try to deliver not-yet delivered
+data after the server process closes a connection. 
+.SH USERNAME LOOKUP
+.IP "rfc931 [ timeout_in_seconds ]"
+Look up the client user name with the RFC 931 (TAP, IDENT, RFC 1413)
+protocol.  This option is silently ignored in case of services based on
+transports other than TCP.  It requires that the client system runs an
+RFC 931 (IDENT, etc.) -compliant daemon, and may cause noticeable
+delays with connections from non-UNIX clients.  The timeout period is
+optional. If no timeout is specified a compile-time defined default
+value is taken.
+.SH MISCELLANEOUS
+.IP "banners /some/directory"
+Look for a file in `/some/directory\' with the same name as the daemon
+process (for example in.telnetd for the telnet service), and copy its
+contents to the client. Newline characters are replaced by
+carriage-return newline, and %<letter> sequences are expanded (see
+the hosts_access(5) manual page).
+.sp
+The tcp wrappers source code distribution provides a sample makefile
+(Banners.Makefile) for convenient banner maintenance.
+.sp
+Warning: banners are supported for connection-oriented (TCP) network
+services only.
+.IP "nice [ number ]"
+Change the nice value of the process (default 10).  Specify a positive
+value to spend more CPU resources on other processes. 
+.IP "setenv name value"
+Place a (name, value) pair into the process environment. The value is
+subjected to %<letter> expansions and may contain whitespace (but
+leading and trailing blanks are stripped off).
+.sp
+Warning: many network daemons reset their environment before spawning a
+login or shell process.
+.IP "umask 022"
+Like the umask command that is built into the shell. An umask of 022
+prevents the creation of files with group and world write permission.
+The umask argument should be an octal number.
+.IP "user nobody"
+.IP "user nobody.kmem"
+Assume the privileges of the "nobody" userid (or user "nobody", group
+"kmem"). The first form is useful with inetd implementations that run
+all services with root privilege. The second form is useful for
+services that need special group privileges only.
+.SH DIAGNOSTICS
+When a syntax error is found in an access control rule, the error
+is reported to the syslog daemon; further options will be ignored,
+and service is denied.
+.SH SEE ALSO
+hosts_access(5), the default access control language
+.SH AUTHOR
+.na
+.nf
+Wietse Venema (wietse@wzv.win.tue.nl)
+Department of Mathematics and Computing Science
+Eindhoven University of Technology
+Den Dolech 2, P.O. Box 513, 
+5600 MB Eindhoven, The Netherlands
+\" @(#) hosts_options.5 1.10 94/12/28 17:42:28
diff --git a/tcp_wrappers_7.6/inetcf.c b/tcp_wrappers_7.6/inetcf.c
new file mode 100644
index 0000000..75017f2
--- /dev/null
+++ b/tcp_wrappers_7.6/inetcf.c
@@ -0,0 +1,321 @@
+ /*
+  * Routines to parse an inetd.conf or tlid.conf file. This would be a great
+  * job for a PERL script.
+  * 
+  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+  */
+
+#ifndef lint
+static char sccsid[] = "@(#) inetcf.c 1.7 97/02/12 02:13:23";
+#endif
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <stdio.h>
+#include <errno.h>
+#include <string.h>
+
+extern int errno;
+extern void exit();
+
+#include "tcpd.h"
+#include "inetcf.h"
+
+ /*
+  * Network configuration files may live in unusual places. Here are some
+  * guesses. Shorter names follow longer ones.
+  */
+char   *inet_files[] = {
+#if 0
+    "/private/etc/inetd.conf",		/* NEXT */
+    "/etc/inet/inetd.conf",		/* SYSV4 */
+    "/usr/etc/inetd.conf",		/* IRIX?? */
+#endif
+    "/etc/inetd.conf",			/* BSD */
+#if 0
+    "/etc/net/tlid.conf",		/* SYSV4?? */
+    "/etc/saf/tlid.conf",		/* SYSV4?? */
+    "/etc/tlid.conf",			/* SYSV4?? */
+#endif
+    0,
+};
+
+static void inet_chk();
+static char *base_name();
+
+ /*
+  * Structure with everything we know about a service.
+  */
+struct inet_ent {
+    struct inet_ent *next;
+    int     type;
+    char    name[1];
+};
+
+static struct inet_ent *inet_list = 0;
+
+static char whitespace[] = " \t\r\n";
+
+/* inet_conf - read in and examine inetd.conf (or tlid.conf) entries */
+
+char   *inet_cfg(conf)
+char   *conf;
+{
+    char    buf[BUFSIZ];
+    FILE   *fp;
+    char   *service;
+    char   *protocol;
+    char   *user;
+    char   *path;
+    char   *arg0;
+    char   *arg1;
+    struct tcpd_context saved_context;
+    char   *percent_m();
+    int     i;
+    struct stat st;
+
+    saved_context = tcpd_context;
+
+    /*
+     * The inetd.conf (or tlid.conf) information is so useful that we insist
+     * on its availability. When no file is given run a series of educated
+     * guesses.
+     */
+    if (conf != 0) {
+	if ((fp = fopen(conf, "r")) == 0) {
+	    fprintf(stderr, percent_m(buf, "open %s: %m\n"), conf);
+	    exit(1);
+	}
+    } else {
+	for (i = 0; inet_files[i] && (fp = fopen(inet_files[i], "r")) == 0; i++)
+	     /* void */ ;
+	if (fp == 0) {
+	    fprintf(stderr, "Cannot find your inetd.conf or tlid.conf file.\n");
+	    fprintf(stderr, "Please specify its location.\n");
+	    exit(1);
+	}
+	conf = inet_files[i];
+	check_path(conf, &st);
+    }
+
+    /*
+     * Process the file. After the 7.0 wrapper release it became clear that
+     * there are many more inetd.conf formats than the 8 systems that I had
+     * studied. EP/IX uses a two-line specification for rpc services; HP-UX
+     * permits long lines to be broken with backslash-newline.
+     */
+    tcpd_context.file = conf;
+    tcpd_context.line = 0;
+    while (xgets(buf, sizeof(buf), fp)) {
+	service = strtok(buf, whitespace);	/* service */
+	if (service == 0 || *service == '#')
+	    continue;
+	if (STR_NE(service, "stream") && STR_NE(service, "dgram"))
+	    strtok((char *) 0, whitespace);	/* endpoint */
+	protocol = strtok((char *) 0, whitespace);
+	(void) strtok((char *) 0, whitespace);	/* wait */
+	if ((user = strtok((char *) 0, whitespace)) == 0)
+	    continue;
+	if (user[0] == '/') {			/* user */
+	    path = user;
+	} else {				/* path */
+	    if ((path = strtok((char *) 0, whitespace)) == 0)
+		continue;
+	}
+	if (path[0] == '?')			/* IRIX optional service */
+	    path++;
+	if (STR_EQ(path, "internal"))
+	    continue;
+	if (path[strspn(path, "-0123456789")] == 0) {
+
+	    /*
+	     * ConvexOS puts RPC version numbers before path names. Jukka
+	     * Ukkonen <ukkonen@csc.fi>.
+	     */
+	    if ((path = strtok((char *) 0, whitespace)) == 0)
+		continue;
+	}
+	if ((arg0 = strtok((char *) 0, whitespace)) == 0) {
+	    tcpd_warn("incomplete line");
+	    continue;
+	}
+	if (arg0[strspn(arg0, "0123456789")] == 0) {
+
+	    /*
+	     * We're reading a tlid.conf file, the format is:
+	     * 
+	     * ...stuff... path arg_count arguments mod_count modules
+	     */
+	    if ((arg0 = strtok((char *) 0, whitespace)) == 0) {
+		tcpd_warn("incomplete line");
+		continue;
+	    }
+	}
+	if ((arg1 = strtok((char *) 0, whitespace)) == 0)
+	    arg1 = "";
+
+	inet_chk(protocol, path, arg0, arg1);
+    }
+    fclose(fp);
+    tcpd_context = saved_context;
+    return (conf);
+}
+
+/* inet_chk - examine one inetd.conf (tlid.conf?) entry */
+
+static void inet_chk(protocol, path, arg0, arg1)
+char   *protocol;
+char   *path;
+char   *arg0;
+char   *arg1;
+{
+    char    daemon[BUFSIZ];
+    struct stat st;
+    int     wrap_status = WR_MAYBE;
+    char   *base_name_path = base_name(path);
+    char   *tcpd_proc_name = (arg0[0] == '/' ? base_name(arg0) : arg0);
+
+    /*
+     * Always warn when the executable does not exist or when it is not
+     * executable.
+     */
+    if (check_path(path, &st) < 0) {
+	tcpd_warn("%s: not found: %m", path);
+    } else if ((st.st_mode & 0100) == 0) {
+	tcpd_warn("%s: not executable", path);
+    }
+
+    /*
+     * Cheat on the miscd tests, nobody uses it anymore.
+     */
+    if (STR_EQ(base_name_path, "miscd")) {
+	inet_set(arg0, WR_YES);
+	return;
+    }
+
+    /*
+     * While we are here...
+     */
+    if (STR_EQ(tcpd_proc_name, "rexd") || STR_EQ(tcpd_proc_name, "rpc.rexd"))
+	tcpd_warn("%s may be an insecure service", tcpd_proc_name);
+
+    /*
+     * The tcpd program gets most of the attention.
+     */
+    if (STR_EQ(base_name_path, "tcpd")) {
+
+	if (STR_EQ(tcpd_proc_name, "tcpd"))
+	    tcpd_warn("%s is recursively calling itself", tcpd_proc_name);
+
+	wrap_status = WR_YES;
+
+	/*
+	 * Check: some sites install the wrapper set-uid.
+	 */
+	if ((st.st_mode & 06000) != 0)
+	    tcpd_warn("%s: file is set-uid or set-gid", path);
+
+	/*
+	 * Check: some sites insert tcpd in inetd.conf, instead of replacing
+	 * the daemon pathname.
+	 */
+	if (arg0[0] == '/' && STR_EQ(tcpd_proc_name, base_name(arg1)))
+	    tcpd_warn("%s inserted before %s", path, arg0);
+
+	/*
+	 * Check: make sure files exist and are executable. On some systems
+	 * the network daemons are set-uid so we cannot complain. Note that
+	 * tcpd takes the basename only in case of absolute pathnames.
+	 */
+	if (arg0[0] == '/') {			/* absolute path */
+	    if (check_path(arg0, &st) < 0) {
+		tcpd_warn("%s: not found: %m", arg0);
+	    } else if ((st.st_mode & 0100) == 0) {
+		tcpd_warn("%s: not executable", arg0);
+	    }
+	} else {				/* look in REAL_DAEMON_DIR */
+	    sprintf(daemon, "%s/%s", REAL_DAEMON_DIR, arg0);
+	    if (check_path(daemon, &st) < 0) {
+		tcpd_warn("%s: not found in %s: %m",
+			  arg0, REAL_DAEMON_DIR);
+	    } else if ((st.st_mode & 0100) == 0) {
+		tcpd_warn("%s: not executable", daemon);
+	    }
+	}
+
+    } else {
+
+	/*
+	 * No tcpd program found. Perhaps they used the "simple installation"
+	 * recipe. Look for a file with the same basename in REAL_DAEMON_DIR.
+	 * Draw some conservative conclusions when a distinct file is found.
+	 */
+	sprintf(daemon, "%s/%s", REAL_DAEMON_DIR, arg0);
+	if (STR_EQ(path, daemon)) {
+	    wrap_status = WR_NOT;
+	} else if (check_path(daemon, &st) >= 0) {
+	    wrap_status = WR_MAYBE;
+	} else if (errno == ENOENT) {
+	    wrap_status = WR_NOT;
+	} else {
+	    tcpd_warn("%s: file lookup: %m", daemon);
+	    wrap_status = WR_MAYBE;
+	}
+    }
+
+    /*
+     * Alas, we cannot wrap rpc/tcp services.
+     */
+    if (wrap_status == WR_YES && STR_EQ(protocol, "rpc/tcp"))
+	tcpd_warn("%s: cannot wrap rpc/tcp services", tcpd_proc_name);
+
+    inet_set(tcpd_proc_name, wrap_status);
+}
+
+/* inet_set - remember service status */
+
+void    inet_set(name, type)
+char   *name;
+int     type;
+{
+    struct inet_ent *ip =
+    (struct inet_ent *) malloc(sizeof(struct inet_ent) + strlen(name));
+
+    if (ip == 0) {
+	fprintf(stderr, "out of memory\n");
+	exit(1);
+    }
+    ip->next = inet_list;
+    strcpy(ip->name, name);
+    ip->type = type;
+    inet_list = ip;
+}
+
+/* inet_get - look up service status */
+
+int     inet_get(name)
+char   *name;
+{
+    struct inet_ent *ip;
+
+    if (inet_list == 0)
+	return (WR_MAYBE);
+
+    for (ip = inet_list; ip; ip = ip->next)
+	if (STR_EQ(ip->name, name))
+	    return (ip->type);
+
+    return (-1);
+}
+
+/* base_name - compute last pathname component */
+
+static char *base_name(path)
+char   *path;
+{
+    char   *cp;
+
+    if ((cp = strrchr(path, '/')) != 0)
+	path = cp + 1;
+    return (path);
+}
diff --git a/tcp_wrappers_7.6/inetcf.h b/tcp_wrappers_7.6/inetcf.h
new file mode 100644
index 0000000..0f1d77c
--- /dev/null
+++ b/tcp_wrappers_7.6/inetcf.h
@@ -0,0 +1,14 @@
+ /*
+  * @(#) inetcf.h 1.1 94/12/28 17:42:30
+  * 
+  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+  */
+
+extern char *inet_cfg();		/* read inetd.conf file */
+extern void inet_set();			/* remember internet service */
+extern int inet_get();			/* look up internet service */
+
+#define WR_UNKNOWN	(-1)		/* service unknown */
+#define WR_NOT		1		/* may not be wrapped */
+#define WR_MAYBE	2		/* may be wrapped */
+#define	WR_YES		3		/* service is wrapped */
diff --git a/tcp_wrappers_7.6/libwrap.lds b/tcp_wrappers_7.6/libwrap.lds
new file mode 100644
index 0000000..1abf1c5
--- /dev/null
+++ b/tcp_wrappers_7.6/libwrap.lds
@@ -0,0 +1,4 @@
+{
+  local:
+	aclexec_matched;
+};
diff --git a/tcp_wrappers_7.6/misc.c b/tcp_wrappers_7.6/misc.c
new file mode 100644
index 0000000..c283e06
--- /dev/null
+++ b/tcp_wrappers_7.6/misc.c
@@ -0,0 +1,123 @@
+ /*
+  * Misc routines that are used by tcpd and by tcpdchk.
+  * 
+  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+  */
+
+#ifndef lint
+static char sccsic[] = "@(#) misc.c 1.2 96/02/11 17:01:29";
+#endif
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <stdio.h>
+#include <string.h>
+
+#include "tcpd.h"
+
+extern char *fgets();
+
+#ifndef	INADDR_NONE
+#define	INADDR_NONE	(-1)		/* XXX should be 0xffffffff */
+#endif
+
+/* xgets - fgets() with backslash-newline stripping */
+
+char   *xgets(ptr, len, fp)
+char   *ptr;
+int     len;
+FILE   *fp;
+{
+    int     got;
+    char   *start = ptr;
+
+    while (fgets(ptr, len, fp)) {
+	got = strlen(ptr);
+	if (got >= 1 && ptr[got - 1] == '\n') {
+	    tcpd_context.line++;
+	    if (got >= 2 && ptr[got - 2] == '\\') {
+		got -= 2;
+	    } else {
+		return (start);
+	    }
+	}
+	ptr += got;
+	len -= got;
+	ptr[0] = 0;
+    }
+    return (ptr > start ? start : 0);
+}
+
+/* split_at - break string at delimiter or return NULL */
+
+char   *split_at(string, delimiter)
+char   *string;
+int     delimiter;
+{
+    char   *cp;
+
+#ifdef INET6
+    int bracket = 0;
+
+    for (cp = string; cp && *cp; cp++) {
+	switch (*cp) {
+	case '[':
+	    bracket++;
+	    break;
+	case ']':
+	    bracket--;
+	    break;
+	default:
+	    if (bracket == 0 && *cp == delimiter) {
+		*cp++ = 0;
+		return cp;
+	    }
+	    break;
+	}
+    }
+    return (NULL);
+#else
+    if ((cp = strchr(string, delimiter)) != 0)
+	*cp++ = 0;
+    return (cp);
+#endif
+}
+
+/* dot_quad_addr - convert dotted quad to internal form */
+
+unsigned long dot_quad_addr(str)
+char   *str;
+{
+    int     in_run = 0;
+    int     runs = 0;
+    char   *cp = str;
+
+    /* Count the number of runs of non-dot characters. */
+
+    while (*cp) {
+	if (*cp == '.') {
+	    in_run = 0;
+	} else if (in_run == 0) {
+	    in_run = 1;
+	    runs++;
+	}
+	cp++;
+    }
+    return (runs == 4 ? inet_addr(str) : INADDR_NONE);
+}
+
+/* cidr_mask_addr - convert cidr netmask length to internal form */
+
+unsigned long cidr_mask_addr(str)
+char   *str;
+{
+    int     maskbits;
+
+    maskbits = atoi(str);
+    if (maskbits < 1 || maskbits > 32)
+	return (0);
+    return htonl(0xFFFFFFFF << (32 - maskbits));
+}
+
diff --git a/tcp_wrappers_7.6/miscd.c b/tcp_wrappers_7.6/miscd.c
new file mode 100644
index 0000000..1ab835c
--- /dev/null
+++ b/tcp_wrappers_7.6/miscd.c
@@ -0,0 +1,120 @@
+ /*
+  * Front end to the ULTRIX miscd service. The front end logs the remote host
+  * name and then invokes the real miscd daemon. Install as "/usr/etc/miscd",
+  * after renaming the real miscd daemon to the name defined with the
+  * REAL_MISCD macro.
+  * 
+  * Connections and diagnostics are logged through syslog(3).
+  * 
+  * The Ultrix miscd program implements (among others) the systat service, which
+  * pipes the output from who(1) to stdout. This information is potentially
+  * useful to systems crackers.
+  * 
+  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+  */
+
+#ifndef lint
+static char sccsid[] = "@(#) miscd.c 1.10 96/02/11 17:01:30";
+#endif
+
+/* System libraries. */
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <stdio.h>
+#include <syslog.h>
+
+#ifndef MAXPATHNAMELEN
+#define MAXPATHNAMELEN	BUFSIZ
+#endif
+
+#ifndef STDIN_FILENO
+#define STDIN_FILENO	0
+#endif
+
+/* Local stuff. */
+
+#include "patchlevel.h"
+#include "tcpd.h"
+
+int     allow_severity = SEVERITY;	/* run-time adjustable */
+int     deny_severity = LOG_WARNING;	/* ditto */
+
+main(argc, argv)
+int     argc;
+char  **argv;
+{
+    struct request_info request;
+    char    path[MAXPATHNAMELEN];
+
+    /* Attempt to prevent the creation of world-writable files. */
+
+#ifdef DAEMON_UMASK
+    umask(DAEMON_UMASK);
+#endif
+
+    /*
+     * Open a channel to the syslog daemon. Older versions of openlog()
+     * require only two arguments.
+     */
+
+#ifdef LOG_MAIL
+    (void) openlog(argv[0], LOG_PID, FACILITY);
+#else
+    (void) openlog(argv[0], LOG_PID);
+#endif
+
+    /*
+     * Find out the endpoint addresses of this conversation. Host name
+     * lookups and double checks will be done on demand.
+     */
+
+    request_init(&request, RQ_DAEMON, argv[0], RQ_FILE, STDIN_FILENO, 0);
+    fromhost(&request);
+
+    /*
+     * Optionally look up and double check the remote host name. Sites
+     * concerned with security may choose to refuse connections from hosts
+     * that pretend to have someone elses host name.
+     */
+
+#ifdef PARANOID
+    if (STR_EQ(eval_hostname(request.client), paranoid))
+	refuse(&request);
+#endif
+
+    /*
+     * The BSD rlogin and rsh daemons that came out after 4.3 BSD disallow
+     * socket options at the IP level. They do so for a good reason.
+     * Unfortunately, we cannot use this with SunOS 4.1.x because the
+     * getsockopt() system call can panic the system.
+     */
+
+#ifdef KILL_IP_OPTIONS
+    fix_options(&request);
+#endif
+
+    /*
+     * Check whether this host can access the service in argv[0]. The
+     * access-control code invokes optional shell commands as specified in
+     * the access-control tables.
+     */
+
+#ifdef HOSTS_ACCESS
+    if (!hosts_access(&request))
+	refuse(&request);
+#endif
+
+    /* Report request and invoke the real daemon program. */
+
+    syslog(allow_severity, "connect from %s", eval_client(&request));
+    sprintf(path, "%s/miscd", REAL_DAEMON_DIR);
+    closelog();
+    (void) execv(path, argv);
+    syslog(LOG_ERR, "error: cannot execute %s: %m", path);
+    clean_exit(&request);
+    /* NOTREACHED */
+}
diff --git a/tcp_wrappers_7.6/mystdarg.h b/tcp_wrappers_7.6/mystdarg.h
new file mode 100644
index 0000000..36bdf69
--- /dev/null
+++ b/tcp_wrappers_7.6/mystdarg.h
@@ -0,0 +1,19 @@
+
+ /*
+  * What follows is an attempt to unify varargs.h and stdarg.h. I'd rather
+  * have this than #ifdefs all over the code.
+  */
+
+#ifdef __STDC__
+#include <stdarg.h>
+#define VARARGS(func,type,arg) func(type arg, ...)
+#define VASTART(ap,type,name)  va_start(ap,name)
+#define VAEND(ap)              va_end(ap)
+#else
+#include <varargs.h>
+#define VARARGS(func,type,arg) func(va_alist) va_dcl
+#define VASTART(ap,type,name)  {type name; va_start(ap); name = va_arg(ap, type)
+#define VAEND(ap)              va_end(ap);}
+#endif
+
+extern char *percent_m();
diff --git a/tcp_wrappers_7.6/myvsyslog.c b/tcp_wrappers_7.6/myvsyslog.c
new file mode 100644
index 0000000..20401f1
--- /dev/null
+++ b/tcp_wrappers_7.6/myvsyslog.c
@@ -0,0 +1,33 @@
+ /*
+  * vsyslog() for sites without. In order to enable this code, build with
+  * -Dvsyslog=myvsyslog. We use a different name so that no accidents will
+  * happen when vsyslog() exists. On systems with vsyslog(), syslog() is
+  * typically implemented in terms of vsyslog().
+  * 
+  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+  */
+
+#ifndef lint
+static char sccsid[] = "@(#) myvsyslog.c 1.1 94/12/28 17:42:33";
+#endif
+
+#ifdef vsyslog
+
+#include <stdio.h>
+
+#include "tcpd.h"
+#include "mystdarg.h"
+
+myvsyslog(severity, format, ap)
+int     severity;
+char   *format;
+va_list ap;
+{
+    char    fbuf[BUFSIZ];
+    char    obuf[3 * STRING_LENGTH];
+
+    vsprintf(obuf, percent_m(fbuf, format), ap);
+    syslog(severity, "%s", obuf);
+}
+
+#endif
diff --git a/tcp_wrappers_7.6/ncr.c b/tcp_wrappers_7.6/ncr.c
new file mode 100644
index 0000000..b903fb8
--- /dev/null
+++ b/tcp_wrappers_7.6/ncr.c
@@ -0,0 +1,81 @@
+ /*
+  * This part for NCR UNIX with is from Andrew Maffei (arm@aqua.whoi.edu). It
+  * assumes TLI throughout. In order to look up endpoint address information
+  * we must talk to the "timod" streams module. For some reason "timod" wants
+  * to sit directly on top of the device driver. Therefore we pop off all
+  * streams modules except the driver, install the "timod" module so that we
+  * can figure out network addresses, and then restore the original state.
+  */
+
+#ifndef lint
+static char sccsid[] = "@(#) ncr.c 1.1 94/12/28 17:42:34";
+#endif
+
+#include <sys/types.h>
+#include <stdio.h>
+#include <syslog.h>
+#include <sys/tiuser.h>
+#include <stropts.h>
+#include <sys/conf.h>
+
+#include "tcpd.h"
+
+#define MAX_MODULE_COUNT	10	/* XXX */
+
+/* fromhost - tear down the streams stack then rebuild it */
+
+void    fromhost(request)
+struct request_info *request;
+{
+    int     i;
+    int     num_mod;
+    struct str_list str_list;
+    struct str_mlist mod_buffer[MAX_MODULE_COUNT];
+    int     fd = request->fd;
+
+    str_list.sl_nmods = MAX_MODULE_COUNT;
+    str_list.sl_modlist = &mod_buffer[0];
+
+    /*
+     * On systems with WIN streams support we have to be careful about what
+     * is on the stream we are passed. This code POPs off all modules above
+     * the pseudo driver, pushes timod, gets the host address information,
+     * pops timod and then pushes all modules back on the stream.
+     * 
+     * Some state may be lost in this process. /usr/etc/tlid seems to do special
+     * things to the stream depending on the TCP port being serviced. (not a
+     * very nice thing to do!). It is unclear what to do if this code breaks
+     * - the stream may be left in an unknown condition.
+     */
+    if ((num_mod = ioctl(fd, I_LIST, NULL)) < 0)
+	tcpd_warn("fromhost: LIST failed: %m");
+    if (ioctl(fd, I_LIST, &str_list) < 0)
+	tcpd_warn("fromhost: LIST failed: %m");
+
+    /*
+     * POP stream modules except for the driver.
+     */
+    for (i = 0; i < num_mod - 1; i++)
+	if (ioctl(fd, I_POP, 0) < 0)
+	    tcpd_warn("fromhost: POP %s: %m", mod_buffer[i].l_name);
+
+    /*
+     * PUSH timod so that host address ioctls can be executed.
+     */
+    if (ioctl(fd, I_PUSH, "timod") < 0)
+	tcpd_warn("fromhost: PUSH timod: %m");
+    tli_host(request);
+
+    /*
+     * POP timod, we're done with it now.
+     */
+    if (ioctl(fd, I_POP, 0) < 0)
+	tcpd_warn("fromhost: POP timod: %m");
+
+    /*
+     * Restore stream modules.
+     */
+    for (i = num_mod - 2; i >= 0; i--)
+	if (ioctl(fd, I_PUSH, mod_buffer[i].l_name) < 0)
+	    tcpd_warn("fromhost: PUSH %s: %m", mod_buffer[i].l_name);
+}
diff --git a/tcp_wrappers_7.6/options.c b/tcp_wrappers_7.6/options.c
new file mode 100644
index 0000000..23f907f
--- /dev/null
+++ b/tcp_wrappers_7.6/options.c
@@ -0,0 +1,675 @@
+ /*
+  * General skeleton for adding options to the access control language. The
+  * features offered by this module are documented in the hosts_options(5)
+  * manual page (source file: hosts_options.5, "nroff -man" format).
+  * 
+  * Notes and warnings for those who want to add features:
+  * 
+  * In case of errors, abort options processing and deny access. There are too
+  * many irreversible side effects to make error recovery feasible. For
+  * example, it makes no sense to continue after we have already changed the
+  * userid.
+  * 
+  * In case of errors, do not terminate the process: the routines might be
+  * called from a long-running daemon that should run forever. Instead, call
+  * tcpd_jump() which does a non-local goto back into the hosts_access()
+  * routine.
+  * 
+  * In case of severe errors, use clean_exit() instead of directly calling
+  * exit(), or the inetd may loop on an UDP request.
+  * 
+  * In verification mode (for example, with the "tcpdmatch" command) the
+  * "dry_run" flag is set. In this mode, an option function should just "say"
+  * what it is going to do instead of really doing it.
+  * 
+  * Some option functions do not return (for example, the twist option passes
+  * control to another program). In verification mode (dry_run flag is set)
+  * such options should clear the "dry_run" flag to inform the caller of this
+  * course of action.
+  */
+
+#ifndef lint
+static char sccsid[] = "@(#) options.c 1.17 96/02/11 17:01:31";
+#endif
+
+/* System libraries. */
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <netinet/in.h>
+#include <netdb.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <syslog.h>
+#include <pwd.h>
+#include <grp.h>
+#include <ctype.h>
+#include <setjmp.h>
+#include <string.h>
+#include <sys/wait.h>
+
+#ifndef MAXPATHNAMELEN
+#define MAXPATHNAMELEN  BUFSIZ
+#endif
+
+/* Local stuff. */
+
+#include "tcpd.h"
+
+/* Options runtime support. */
+
+int     dry_run = 0;			/* flag set in verification mode */
+extern jmp_buf tcpd_buf;		/* tcpd_jump() support */
+
+/* Options parser support. */
+
+static char whitespace_eq[] = "= \t\r\n";
+#define whitespace (whitespace_eq + 1)
+
+static char *get_field();		/* chew :-delimited field off string */
+static char *chop_string();		/* strip leading and trailing blanks */
+
+/* List of functions that implement the options. Add yours here. */
+
+static void user_option();		/* execute "user name.group" option */
+static void group_option();		/* execute "group name" option */
+static void umask_option();		/* execute "umask mask" option */
+static void linger_option();		/* execute "linger time" option */
+static void keepalive_option();		/* execute "keepalive" option */
+static void aclexec_option();		/* execute "aclexec command" option */
+static void spawn_option();		/* execute "spawn command" option */
+static void twist_option();		/* execute "twist command" option */
+static void rfc931_option();		/* execute "rfc931" option */
+static void setenv_option();		/* execute "setenv name value" */
+static void nice_option();		/* execute "nice" option */
+static void severity_option();		/* execute "severity value" */
+static void allow_option();		/* execute "allow" option */
+static void deny_option();		/* execute "deny" option */
+static void banners_option();		/* execute "banners path" option */
+
+/* Structure of the options table. */
+
+struct option {
+    char   *name;			/* keyword name, case is ignored */
+    void  (*func) ();			/* function that does the real work */
+    int     flags;			/* see below... */
+};
+
+#define NEED_ARG	(1<<1)		/* option requires argument */
+#define USE_LAST	(1<<2)		/* option must be last */
+#define OPT_ARG		(1<<3)		/* option has optional argument */
+#define EXPAND_ARG	(1<<4)		/* do %x expansion on argument */
+
+#define need_arg(o)	((o)->flags & NEED_ARG)
+#define opt_arg(o)	((o)->flags & OPT_ARG)
+#define permit_arg(o)	((o)->flags & (NEED_ARG | OPT_ARG))
+#define use_last(o)	((o)->flags & USE_LAST)
+#define expand_arg(o)	((o)->flags & EXPAND_ARG)
+
+/* List of known keywords. Add yours here. */
+
+static struct option option_table[] = {
+    "user", user_option, NEED_ARG,
+    "group", group_option, NEED_ARG,
+    "umask", umask_option, NEED_ARG,
+    "linger", linger_option, NEED_ARG,
+    "keepalive", keepalive_option, 0,
+#ifdef ACLEXEC
+    "aclexec", aclexec_option, NEED_ARG | EXPAND_ARG,
+#endif
+    "spawn", spawn_option, NEED_ARG | EXPAND_ARG,
+    "twist", twist_option, NEED_ARG | EXPAND_ARG | USE_LAST,
+    "rfc931", rfc931_option, OPT_ARG,
+    "setenv", setenv_option, NEED_ARG | EXPAND_ARG,
+    "nice", nice_option, OPT_ARG,
+    "severity", severity_option, NEED_ARG,
+    "allow", allow_option, USE_LAST,
+    "deny", deny_option, USE_LAST,
+    "banners", banners_option, NEED_ARG,
+    0,
+};
+
+/* process_options - process access control options */
+
+void    process_options(options, request)
+char   *options;
+struct request_info *request;
+{
+    char   *key;
+    char   *value;
+    char   *curr_opt;
+    char   *next_opt;
+    struct option *op;
+    char    bf[BUFSIZ];
+
+    for (curr_opt = get_field(options); curr_opt; curr_opt = next_opt) {
+	next_opt = get_field((char *) 0);
+
+	/*
+	 * Separate the option into name and value parts. For backwards
+	 * compatibility we ignore exactly one '=' between name and value.
+	 */
+	curr_opt = chop_string(curr_opt);
+	if (*(value = curr_opt + strcspn(curr_opt, whitespace_eq))) {
+	    if (*value != '=') {
+		*value++ = 0;
+		value += strspn(value, whitespace);
+	    }
+	    if (*value == '=') {
+		*value++ = 0;
+		value += strspn(value, whitespace);
+	    }
+	}
+	if (*value == 0)
+	    value = 0;
+	key = curr_opt;
+
+	/*
+	 * Disallow missing option names (and empty option fields).
+	 */
+	if (*key == 0)
+	    tcpd_jump("missing option name");
+
+	/*
+	 * Lookup the option-specific info and do some common error checks.
+	 * Delegate option-specific processing to the specific functions.
+	 */
+
+	for (op = option_table; op->name && STR_NE(op->name, key); op++)
+	     /* VOID */ ;
+	if (op->name == 0)
+	    tcpd_jump("bad option name: \"%s\"", key);
+	if (!value && need_arg(op))
+	    tcpd_jump("option \"%s\" requires value", key);
+	if (value && !permit_arg(op))
+	    tcpd_jump("option \"%s\" requires no value", key);
+	if (next_opt && use_last(op))
+	    tcpd_jump("option \"%s\" must be at end", key);
+	if (value && expand_arg(op))
+	    value = chop_string(percent_x(bf, sizeof(bf), value, request));
+	if (hosts_access_verbose)
+	    syslog(LOG_DEBUG, "option:   %s %s", key, value ? value : "");
+	(*(op->func)) (value, request);
+    }
+}
+
+/* allow_option - grant access */
+
+/* ARGSUSED */
+
+static void allow_option(value, request)
+char   *value;
+struct request_info *request;
+{
+    longjmp(tcpd_buf, AC_PERMIT);
+}
+
+/* deny_option - deny access */
+
+/* ARGSUSED */
+
+static void deny_option(value, request)
+char   *value;
+struct request_info *request;
+{
+    longjmp(tcpd_buf, AC_DENY);
+}
+
+/* banners_option - expand %<char>, terminate each line with CRLF */
+
+static void banners_option(value, request)
+char   *value;
+struct request_info *request;
+{
+    char    path[MAXPATHNAMELEN];
+    char    ibuf[BUFSIZ];
+    char    obuf[2 * BUFSIZ];
+    struct stat st;
+    int     ch;
+    FILE   *fp;
+
+    sprintf(path, "%s/%s", value, eval_daemon(request));
+    if ((fp = fopen(path, "r")) != 0) {
+	while ((ch = fgetc(fp)) == 0)
+	    write(request->fd, "", 1);
+	ungetc(ch, fp);
+	while (fgets(ibuf, sizeof(ibuf) - 1, fp)) {
+	    if (split_at(ibuf, '\n'))
+		strcat(ibuf, "\r\n");
+	    percent_x(obuf, sizeof(obuf), ibuf, request);
+	    write(request->fd, obuf, strlen(obuf));
+	}
+	fclose(fp);
+    } else if (stat(value, &st) < 0) {
+	tcpd_warn("%s: %m", value);
+    }
+}
+
+/* group_option - switch group id */
+
+/* ARGSUSED */
+
+static void group_option(value, request)
+char   *value;
+struct request_info *request;
+{
+    struct group *grp;
+    struct group *getgrnam();
+
+    if ((grp = getgrnam(value)) == 0)
+	tcpd_jump("unknown group: \"%s\"", value);
+    endgrent();
+
+    if (dry_run == 0 && setgid(grp->gr_gid))
+	tcpd_jump("setgid(%s): %m", value);
+}
+
+/* user_option - switch user id */
+
+/* ARGSUSED */
+
+static void user_option(value, request)
+char   *value;
+struct request_info *request;
+{
+    struct passwd *pwd;
+    struct passwd *getpwnam();
+    char   *group;
+
+    if ((group = split_at(value, '.')) != 0)
+	group_option(group, request);
+    if ((pwd = getpwnam(value)) == 0)
+	tcpd_jump("unknown user: \"%s\"", value);
+    endpwent();
+
+    if (dry_run == 0 && setuid(pwd->pw_uid))
+	tcpd_jump("setuid(%s): %m", value);
+}
+
+/* umask_option - set file creation mask */
+
+/* ARGSUSED */
+
+static void umask_option(value, request)
+char   *value;
+struct request_info *request;
+{
+    unsigned mask;
+    char    junk;
+
+    if (sscanf(value, "%o%c", &mask, &junk) != 1 || (mask & 0777) != mask)
+	tcpd_jump("bad umask value: \"%s\"", value);
+    (void) umask(mask);
+}
+
+/* spawn_option - spawn a shell command and wait */
+
+/* ARGSUSED */
+
+static void spawn_option(value, request)
+char   *value;
+struct request_info *request;
+{
+    if (dry_run == 0)
+	shell_cmd(value);
+}
+
+#ifdef ACLEXEC
+/* aclexec_option - spawn a shell command and check status */
+
+/* ARGSUSED */
+
+static void aclexec_option(value, request)
+char   *value;
+struct request_info *request;
+{
+    int status, child_pid, wait_pid;
+    extern int aclexec_matched;
+
+    if (dry_run != 0)
+	    return;
+
+    child_pid = fork();
+
+    /* Something went wrong: we MUST terminate the process. */
+    if (child_pid < 0) {
+	tcpd_warn("aclexec_option: /bin/sh: %m");
+	clean_exit(request);
+    }
+
+    if (child_pid == 0) {
+	execl("/bin/sh", "sh", "-c", value, (char *) 0);
+
+        /* Something went wrong. We MUST terminate the child process. */
+        tcpd_warn("execl /bin/sh: %m");
+	_exit(0);
+    }
+
+    while ((wait_pid = wait(&status)) != -1 && wait_pid != child_pid)
+	/* void */ ;
+
+    aclexec_matched = 1;
+
+    if (WIFEXITED(status) && WEXITSTATUS(status) == 0) {
+	aclexec_matched = 0;
+    }
+
+    if (WIFSIGNALED(status))
+	tcpd_warn("process %d exited with signal %d", child_pid,
+	    WTERMSIG(status));
+
+    return;
+}
+#endif
+
+/* linger_option - set the socket linger time (Marc Boucher <marc@cam.org>) */
+
+/* ARGSUSED */
+
+static void linger_option(value, request)
+char   *value;
+struct request_info *request;
+{
+    struct linger linger;
+    char    junk;
+
+    if (sscanf(value, "%d%c", &linger.l_linger, &junk) != 1
+	|| linger.l_linger < 0)
+	tcpd_jump("bad linger value: \"%s\"", value);
+    if (dry_run == 0) {
+	linger.l_onoff = (linger.l_linger != 0);
+	if (setsockopt(request->fd, SOL_SOCKET, SO_LINGER, (char *) &linger,
+		       sizeof(linger)) < 0)
+	    tcpd_warn("setsockopt SO_LINGER %d: %m", linger.l_linger);
+    }
+}
+
+/* keepalive_option - set the socket keepalive option */
+
+/* ARGSUSED */
+
+static void keepalive_option(value, request)
+char   *value;
+struct request_info *request;
+{
+    static int on = 1;
+
+    if (dry_run == 0 && setsockopt(request->fd, SOL_SOCKET, SO_KEEPALIVE,
+				   (char *) &on, sizeof(on)) < 0)
+	tcpd_warn("setsockopt SO_KEEPALIVE: %m");
+}
+
+/* nice_option - set nice value */
+
+/* ARGSUSED */
+
+static void nice_option(value, request)
+char   *value;
+struct request_info *request;
+{
+    int     niceval = 10;
+    char    junk;
+
+    if (value != 0 && sscanf(value, "%d%c", &niceval, &junk) != 1)
+	tcpd_jump("bad nice value: \"%s\"", value);
+    if (dry_run == 0 && nice(niceval) < 0)
+	tcpd_warn("nice(%d): %m", niceval);
+}
+
+/* twist_option - replace process by shell command */
+
+static void twist_option(value, request)
+char   *value;
+struct request_info *request;
+{
+    char   *error;
+
+    if (dry_run != 0) {
+	dry_run = 0;
+    } else {
+	if (resident > 0)
+	    tcpd_jump("twist option in resident process");
+
+	syslog(deny_severity, "twist %s to %s", eval_client(request), value);
+
+	/* Before switching to the shell, set up stdin, stdout and stderr. */
+
+#define maybe_dup2(from, to) ((from == to) ? to : (close(to), dup(from)))
+
+	if (maybe_dup2(request->fd, 0) != 0 ||
+	    maybe_dup2(request->fd, 1) != 1 ||
+	    maybe_dup2(request->fd, 2) != 2) {
+	    error = "twist_option: dup: %m";
+	} else {
+	    if (request->fd > 2)
+		close(request->fd);
+	    (void) execl("/bin/sh", "sh", "-c", value, (char *) 0);
+	    error = "twist_option: /bin/sh: %m";
+	}
+
+	/* Something went wrong: we MUST terminate the process. */
+
+	tcpd_warn(error);
+	clean_exit(request);
+    }
+}
+
+/* rfc931_option - look up remote user name */
+
+static void rfc931_option(value, request)
+char   *value;
+struct request_info *request;
+{
+    int     timeout;
+    char    junk;
+
+    if (value != 0) {
+	if (sscanf(value, "%d%c", &timeout, &junk) != 1 || timeout <= 0)
+	    tcpd_jump("bad rfc931 timeout: \"%s\"", value);
+	rfc931_timeout = timeout;
+    }
+    (void) eval_user(request);
+}
+
+/* setenv_option - set environment variable */
+
+/* ARGSUSED */
+
+static void setenv_option(value, request)
+char   *value;
+struct request_info *request;
+{
+    char   *var_value;
+
+    if (*(var_value = value + strcspn(value, whitespace)))
+	*var_value++ = 0;
+    if (setenv(chop_string(value), chop_string(var_value), 1))
+	tcpd_jump("memory allocation failure");
+}
+
+ /*
+  * The severity option goes last because it comes with a huge amount of ugly
+  * #ifdefs and tables.
+  */
+
+struct syslog_names {
+    char   *name;
+    int     value;
+};
+
+static struct syslog_names log_fac[] = {
+#ifdef LOG_KERN
+    "kern", LOG_KERN,
+#endif
+#ifdef LOG_USER
+    "user", LOG_USER,
+#endif
+#ifdef LOG_MAIL
+    "mail", LOG_MAIL,
+#endif
+#ifdef LOG_DAEMON
+    "daemon", LOG_DAEMON,
+#endif
+#ifdef LOG_AUTH
+    "auth", LOG_AUTH,
+#endif
+#ifdef LOG_LPR
+    "lpr", LOG_LPR,
+#endif
+#ifdef LOG_NEWS
+    "news", LOG_NEWS,
+#endif
+#ifdef LOG_UUCP
+    "uucp", LOG_UUCP,
+#endif
+#ifdef LOG_CRON
+    "cron", LOG_CRON,
+#endif
+#ifdef LOG_LOCAL0
+    "local0", LOG_LOCAL0,
+#endif
+#ifdef LOG_LOCAL1
+    "local1", LOG_LOCAL1,
+#endif
+#ifdef LOG_LOCAL2
+    "local2", LOG_LOCAL2,
+#endif
+#ifdef LOG_LOCAL3
+    "local3", LOG_LOCAL3,
+#endif
+#ifdef LOG_LOCAL4
+    "local4", LOG_LOCAL4,
+#endif
+#ifdef LOG_LOCAL5
+    "local5", LOG_LOCAL5,
+#endif
+#ifdef LOG_LOCAL6
+    "local6", LOG_LOCAL6,
+#endif
+#ifdef LOG_LOCAL7
+    "local7", LOG_LOCAL7,
+#endif
+    0,
+};
+
+static struct syslog_names log_sev[] = {
+#ifdef LOG_EMERG
+    "emerg", LOG_EMERG,
+#endif
+#ifdef LOG_ALERT
+    "alert", LOG_ALERT,
+#endif
+#ifdef LOG_CRIT
+    "crit", LOG_CRIT,
+#endif
+#ifdef LOG_ERR
+    "err", LOG_ERR,
+#endif
+#ifdef LOG_WARNING
+    "warning", LOG_WARNING,
+#endif
+#ifdef LOG_NOTICE
+    "notice", LOG_NOTICE,
+#endif
+#ifdef LOG_INFO
+    "info", LOG_INFO,
+#endif
+#ifdef LOG_DEBUG
+    "debug", LOG_DEBUG,
+#endif
+    0,
+};
+
+/* severity_map - lookup facility or severity value */
+
+static int severity_map(table, name)
+struct syslog_names *table;
+char   *name;
+{
+    struct syslog_names *t;
+
+    for (t = table; t->name; t++)
+	if (STR_EQ(t->name, name))
+	    return (t->value);
+    tcpd_jump("bad syslog facility or severity: \"%s\"", name);
+    /* NOTREACHED */
+}
+
+/* severity_option - change logging severity for this event (Dave Mitchell) */
+
+/* ARGSUSED */
+
+static void severity_option(value, request)
+char   *value;
+struct request_info *request;
+{
+    char   *level = split_at(value, '.');
+
+    allow_severity = deny_severity = level ?
+	severity_map(log_fac, value) | severity_map(log_sev, level) :
+	severity_map(log_sev, value);
+}
+
+/* get_field - return pointer to next field in string */
+
+static char *get_field(string)
+char   *string;
+{
+    static char *last = "";
+    char   *src;
+    char   *dst;
+    char   *ret;
+    int     ch;
+
+    /*
+     * This function returns pointers to successive fields within a given
+     * string. ":" is the field separator; warn if the rule ends in one. It
+     * replaces a "\:" sequence by ":", without treating the result of
+     * substitution as field terminator. A null argument means resume search
+     * where the previous call terminated. This function destroys its
+     * argument.
+     * 
+     * Work from explicit source or from memory. While processing \: we
+     * overwrite the input. This way we do not have to maintain buffers for
+     * copies of input fields.
+     */
+
+    src = dst = ret = (string ? string : last);
+    if (src[0] == 0)
+	return (0);
+
+    while (ch = *src) {
+	if (ch == ':') {
+	    if (*++src == 0)
+		tcpd_warn("rule ends in \":\"");
+	    break;
+	}
+	if (ch == '\\' && src[1] == ':')
+	    src++;
+	*dst++ = *src++;
+    }
+    last = src;
+    *dst = 0;
+    return (ret);
+}
+
+/* chop_string - strip leading and trailing blanks from string */
+
+static char *chop_string(string)
+register char *string;
+{
+    char   *start = 0;
+    char   *end;
+    char   *cp;
+
+    for (cp = string; *cp; cp++) {
+	if (!isspace(*cp)) {
+	    if (start == 0)
+		start = cp;
+	    end = cp;
+	}
+    }
+    return (start ? (end[1] = 0, start) : cp);
+}
diff --git a/tcp_wrappers_7.6/patchlevel.h b/tcp_wrappers_7.6/patchlevel.h
new file mode 100644
index 0000000..c523265
--- /dev/null
+++ b/tcp_wrappers_7.6/patchlevel.h
@@ -0,0 +1,3 @@
+#ifndef lint
+static char patchlevel[] = "@(#) patchlevel 7.6 97/03/21 19:27:23";
+#endif
diff --git a/tcp_wrappers_7.6/percent_m.c b/tcp_wrappers_7.6/percent_m.c
new file mode 100644
index 0000000..da4473a
--- /dev/null
+++ b/tcp_wrappers_7.6/percent_m.c
@@ -0,0 +1,47 @@
+ /*
+  * Replace %m by system error message.
+  * 
+  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+  */
+
+#ifndef lint
+static char sccsid[] = "@(#) percent_m.c 1.1 94/12/28 17:42:37";
+#endif
+
+#include <stdio.h>
+#include <errno.h>
+#include <string.h>
+
+extern int errno;
+#ifndef SYS_ERRLIST_DEFINED
+extern char *sys_errlist[];
+extern int sys_nerr;
+#endif
+
+#include "mystdarg.h"
+
+char   *percent_m(obuf, ibuf)
+char   *obuf;
+char   *ibuf;
+{
+    char   *bp = obuf;
+    char   *cp = ibuf;
+
+    while (*bp = *cp)
+	if (*cp == '%' && cp[1] == 'm') {
+#ifdef HAVE_STRERROR
+	    strcpy(bp, strerror(errno));
+#else
+	    if (errno < sys_nerr && errno > 0) {
+		strcpy(bp, sys_errlist[errno]);
+	    } else {
+		sprintf(bp, "Unknown error %d", errno);
+	    }
+#endif
+	    bp += strlen(bp);
+	    cp += 2;
+	} else {
+	    bp++, cp++;
+	}
+    return (obuf);
+}
diff --git a/tcp_wrappers_7.6/percent_x.c b/tcp_wrappers_7.6/percent_x.c
new file mode 100644
index 0000000..1b5b83d
--- /dev/null
+++ b/tcp_wrappers_7.6/percent_x.c
@@ -0,0 +1,88 @@
+ /*
+  * percent_x() takes a string and performs %<char> expansions. It aborts the
+  * program when the expansion would overflow the output buffer. The result
+  * of %<char> expansion may be passed on to a shell process. For this
+  * reason, characters with a special meaning to shells are replaced by
+  * underscores.
+  * 
+  * Diagnostics are reported through syslog(3).
+  * 
+  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+  */
+
+#ifndef lint
+static char sccsid[] = "@(#) percent_x.c 1.4 94/12/28 17:42:37";
+#endif
+
+/* System libraries. */
+
+#include <stdio.h>
+#include <syslog.h>
+#include <string.h>
+
+extern void exit();
+
+/* Local stuff. */
+
+#include "tcpd.h"
+
+/* percent_x - do %<char> expansion, abort if result buffer is too small */
+
+char   *percent_x(result, result_len, string, request)
+char   *result;
+int     result_len;
+char   *string;
+struct request_info *request;
+{
+    char   *bp = result;
+    char   *end = result + result_len - 1;	/* end of result buffer */
+    char   *expansion;
+    int     expansion_len;
+    static char ok_chars[] = "1234567890!@%-_=+:,./\
+abcdefghijklmnopqrstuvwxyz\
+ABCDEFGHIJKLMNOPQRSTUVWXYZ";
+    char   *str = string;
+    char   *cp;
+    int     ch;
+
+    /*
+     * Warning: we may be called from a child process or after pattern
+     * matching, so we cannot use clean_exit() or tcpd_jump().
+     */
+
+    while (*str) {
+	if (*str == '%' && (ch = str[1]) != 0) {
+	    str += 2;
+	    expansion =
+		ch == 'a' ? eval_hostaddr(request->client) :
+		ch == 'A' ? eval_hostaddr(request->server) :
+		ch == 'c' ? eval_client(request) :
+		ch == 'd' ? eval_daemon(request) :
+		ch == 'h' ? eval_hostinfo(request->client) :
+		ch == 'H' ? eval_hostinfo(request->server) :
+		ch == 'n' ? eval_hostname(request->client) :
+		ch == 'N' ? eval_hostname(request->server) :
+		ch == 'p' ? eval_pid(request) :
+		ch == 'r' ? eval_port(request->client->sin) :
+		ch == 'R' ? eval_port(request->server->sin) :
+		ch == 's' ? eval_server(request) :
+		ch == 'u' ? eval_user(request) :
+		ch == '%' ? "%" : (tcpd_warn("unrecognized %%%c", ch), "");
+	    for (cp = expansion; *(cp += strspn(cp, ok_chars)); /* */ )
+		*cp = '_';
+	    expansion_len = cp - expansion;
+	} else {
+	    expansion = str++;
+	    expansion_len = 1;
+	}
+	if (bp + expansion_len >= end) {
+	    tcpd_warn("percent_x: expansion too long: %.30s...", result);
+	    sleep(5);
+	    exit(0);
+	}
+	memcpy(bp, expansion, expansion_len);
+	bp += expansion_len;
+    }
+    *bp = 0;
+    return (result);
+}
diff --git a/tcp_wrappers_7.6/printf.ck b/tcp_wrappers_7.6/printf.ck
new file mode 100644
index 0000000..d53412b
--- /dev/null
+++ b/tcp_wrappers_7.6/printf.ck
@@ -0,0 +1,3 @@
+syslog	1 0
+tcpd_warn	0 0
+tcpd_jump	0 0
diff --git a/tcp_wrappers_7.6/ptx.c b/tcp_wrappers_7.6/ptx.c
new file mode 100644
index 0000000..b9c312b
--- /dev/null
+++ b/tcp_wrappers_7.6/ptx.c
@@ -0,0 +1,103 @@
+ /*
+  * The Dynix/PTX TLI implementation is not quite compatible with System V
+  * Release 4. Some important functions are not present so we are limited to
+  * IP-based services.
+  * 
+  * Diagnostics are reported through syslog(3).
+  * 
+  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+  */
+
+#ifndef lint
+static char sccsid[] = "@(#) ptx.c 1.3 94/12/28 17:42:38";
+#endif
+
+#ifdef PTX
+
+/* System libraries. */
+
+#include <sys/types.h>
+#include <sys/tiuser.h>
+#include <sys/socket.h>
+#include <stropts.h>
+#include <netinet/in.h>
+#include <netdb.h>
+#include <stdio.h>
+#include <syslog.h>
+
+/* Local stuff. */
+
+#include "tcpd.h"
+
+/* Forward declarations. */
+
+static void ptx_sink();
+
+/* tli_host - determine TLI endpoint info, PTX version */
+
+void    tli_host(request)
+struct request_info *request;
+{
+    static struct sockaddr_in client;
+    static struct sockaddr_in server;
+
+    /*
+     * getpeerinaddr() was suggested by someone at Sequent. It seems to work
+     * with connection-oriented (TCP) services such as rlogind and telnetd,
+     * but it returns 0.0.0.0 with datagram (UDP) services. No problem: UDP
+     * needs special treatment anyway, in case we must refuse service.
+     */
+
+    if (getpeerinaddr(request->fd, &client, sizeof(client)) == 0
+	&& client.sin_addr.s_addr != 0) {
+	request->client->sin = &client;
+	if (getmyinaddr(request->fd, &server, sizeof(server)) == 0) {
+	    request->server->sin = &server;
+	} else {
+	    tcpd_warn("warning: getmyinaddr: %m");
+	}
+	sock_methods(request);
+
+    } else {
+
+	/*
+	 * Another suggestion was to temporarily switch to the socket
+	 * interface, identify the endpoint addresses with socket calls, then
+	 * to switch back to TLI. This seems to works OK with UDP services,
+	 * which is exactly what we should be looking at right now.
+	 */
+
+#define SWAP_MODULE(f, old, new) (ioctl(f, I_POP, old), ioctl(f, I_PUSH, new))
+
+	if (SWAP_MODULE(request->fd, "timod", "sockmod") != 0)
+	    tcpd_warn("replace timod by sockmod: %m");
+	sock_host(request);
+	if (SWAP_MODULE(request->fd, "sockmod", "timod") != 0)
+	    tcpd_warn("replace sockmod by timod: %m");
+	if (request->sink != 0)
+	    request->sink = ptx_sink;
+    }
+}
+
+/* ptx_sink - absorb unreceived IP datagram */
+
+static void ptx_sink(fd)
+int     fd;
+{
+    char    buf[BUFSIZ];
+    struct sockaddr sa;
+    int     size = sizeof(sa);
+
+    /*
+     * Eat up the not-yet received datagram. Where needed, switch to the
+     * socket programming interface.
+     */
+
+    if (ioctl(fd, I_FIND, "timod") != 0)
+	ioctl(fd, I_POP, "timod");
+    if (ioctl(fd, I_FIND, "sockmod") == 0)
+	ioctl(fd, I_PUSH, "sockmod");
+    (void) recvfrom(fd, buf, sizeof(buf), 0, &sa, &size);
+}
+
+#endif /* PTX */
diff --git a/tcp_wrappers_7.6/refuse.c b/tcp_wrappers_7.6/refuse.c
new file mode 100644
index 0000000..5e29581
--- /dev/null
+++ b/tcp_wrappers_7.6/refuse.c
@@ -0,0 +1,37 @@
+ /*
+  * refuse() reports a refused connection, and takes the consequences: in
+  * case of a datagram-oriented service, the unread datagram is taken from
+  * the input queue (or inetd would see the same datagram again and again);
+  * the program is terminated.
+  * 
+  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+  */
+
+#ifndef lint
+static char sccsid[] = "@(#) refuse.c 1.5 94/12/28 17:42:39";
+#endif
+
+/* System libraries. */
+
+#include <stdio.h>
+#include <syslog.h>
+
+/* Local stuff. */
+
+#include "tcpd.h"
+
+/* refuse - refuse request */
+
+void    refuse(request)
+struct request_info *request;
+{
+#ifdef INET6
+    syslog(deny_severity, "refused connect from %s (%s)",
+	   eval_client(request), eval_hostaddr(request->client));
+#else
+    syslog(deny_severity, "refused connect from %s", eval_client(request));
+#endif
+    clean_exit(request);
+    /* NOTREACHED */
+}
+
diff --git a/tcp_wrappers_7.6/rfc931.c b/tcp_wrappers_7.6/rfc931.c
new file mode 100644
index 0000000..ef22f2d
--- /dev/null
+++ b/tcp_wrappers_7.6/rfc931.c
@@ -0,0 +1,240 @@
+ /*
+  * rfc931() speaks a common subset of the RFC 931, AUTH, TAP, IDENT and RFC
+  * 1413 protocols. It queries an RFC 931 etc. compatible daemon on a remote
+  * host to look up the owner of a connection. The information should not be
+  * used for authentication purposes. This routine intercepts alarm signals.
+  * 
+  * Diagnostics are reported through syslog(3).
+  * 
+  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+  */
+
+#ifndef lint
+static char sccsid[] = "@(#) rfc931.c 1.10 95/01/02 16:11:34";
+#endif
+
+/* System libraries. */
+
+#include <stdio.h>
+#include <syslog.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <setjmp.h>
+#include <signal.h>
+#include <string.h>
+
+/* Local stuff. */
+
+#include "tcpd.h"
+
+#define	RFC931_PORT	113		/* Semi-well-known port */
+#define	ANY_PORT	0		/* Any old port will do */
+
+int     rfc931_timeout = RFC931_TIMEOUT;/* Global so it can be changed */
+
+static sigjmp_buf timebuf;
+
+/* fsocket - open stdio stream on top of socket */
+
+static FILE *fsocket(domain, type, protocol)
+int     domain;
+int     type;
+int     protocol;
+{
+    int     s;
+    FILE   *fp;
+
+    if ((s = socket(domain, type, protocol)) < 0) {
+	tcpd_warn("socket: %m");
+	return (0);
+    } else {
+	if ((fp = fdopen(s, "r+")) == 0) {
+	    tcpd_warn("fdopen: %m");
+	    close(s);
+	}
+	return (fp);
+    }
+}
+
+/* timeout - handle timeouts */
+
+static void timeout(sig)
+int     sig;
+{
+    siglongjmp(timebuf, sig);
+}
+
+/* rfc931 - return remote user name, given socket structures */
+
+void    rfc931(rmt_sin, our_sin, dest)
+#ifdef INET6
+struct sockaddr *rmt_sin;
+struct sockaddr *our_sin;
+#else
+struct sockaddr_in *rmt_sin;
+struct sockaddr_in *our_sin;
+#endif
+char   *dest;
+{
+    unsigned rmt_port;
+    unsigned our_port;
+#ifdef INET6
+    struct sockaddr_storage rmt_query_sin;
+    struct sockaddr_storage our_query_sin;
+    int alen;
+#else
+    struct sockaddr_in rmt_query_sin;
+    struct sockaddr_in our_query_sin;
+#endif
+    char    user[256];			/* XXX */
+    char    buffer[512];		/* XXX */
+    char   *cp;
+    char   *result = unknown;
+    FILE   *fp;
+    unsigned saved_timeout;
+    struct sigaction nact, oact;
+
+#ifdef INET6
+    /* address family must be the same */
+    if (rmt_sin->sa_family != our_sin->sa_family) {
+	STRN_CPY(dest, result, STRING_LENGTH);
+	return;
+    }
+    switch (our_sin->sa_family) {
+    case AF_INET:
+	alen = sizeof(struct sockaddr_in);
+	break;
+    case AF_INET6:
+	alen = sizeof(struct sockaddr_in6);
+	break;
+    default:
+	STRN_CPY(dest, result, STRING_LENGTH);
+	return;
+    }
+#endif
+
+    /*
+     * Use one unbuffered stdio stream for writing to and for reading from
+     * the RFC931 etc. server. This is done because of a bug in the SunOS
+     * 4.1.x stdio library. The bug may live in other stdio implementations,
+     * too. When we use a single, buffered, bidirectional stdio stream ("r+"
+     * or "w+" mode) we read our own output. Such behaviour would make sense
+     * with resources that support random-access operations, but not with
+     * sockets.
+     */
+
+#ifdef INET6
+    if ((fp = fsocket(our_sin->sa_family, SOCK_STREAM, 0)) != 0) {
+#else
+    if ((fp = fsocket(AF_INET, SOCK_STREAM, 0)) != 0) {
+#endif
+	setbuf(fp, (char *) 0);
+
+	/*
+	 * Set up a timer so we won't get stuck while waiting for the server.
+	 */
+
+	if (sigsetjmp(timebuf, 1) == 0) {
+	    /* Save SIGALRM timer and handler. Sudheer Abdul-Salam, SUN. */
+	    saved_timeout = alarm(0);
+	    nact.sa_handler = timeout;
+	    nact.sa_flags = 0;
+	    (void) sigemptyset(&nact.sa_mask);
+	    (void) sigaction(SIGALRM, &nact, &oact);
+	    alarm(rfc931_timeout);
+
+	    /*
+	     * Bind the local and remote ends of the query socket to the same
+	     * IP addresses as the connection under investigation. We go
+	     * through all this trouble because the local or remote system
+	     * might have more than one network address. The RFC931 etc.
+	     * client sends only port numbers; the server takes the IP
+	     * addresses from the query socket.
+	     */
+
+#ifdef INET6
+	    memcpy(&our_query_sin, our_sin, alen);
+	    memcpy(&rmt_query_sin, rmt_sin, alen);
+	    switch (our_sin->sa_family) {
+	    case AF_INET:
+		((struct sockaddr_in *)&our_query_sin)->sin_port = htons(ANY_PORT);
+		((struct sockaddr_in *)&rmt_query_sin)->sin_port = htons(RFC931_PORT);
+		break;
+	    case AF_INET6:
+		((struct sockaddr_in6 *)&our_query_sin)->sin6_port = htons(ANY_PORT);
+		((struct sockaddr_in6 *)&rmt_query_sin)->sin6_port = htons(RFC931_PORT);
+		break;
+	    }
+
+	    if (bind(fileno(fp), (struct sockaddr *) & our_query_sin,
+		     alen) >= 0 &&
+		connect(fileno(fp), (struct sockaddr *) & rmt_query_sin,
+			alen) >= 0) {
+#else
+	    our_query_sin = *our_sin;
+	    our_query_sin.sin_port = htons(ANY_PORT);
+	    rmt_query_sin = *rmt_sin;
+	    rmt_query_sin.sin_port = htons(RFC931_PORT);
+
+	    if (bind(fileno(fp), (struct sockaddr *) & our_query_sin,
+		     sizeof(our_query_sin)) >= 0 &&
+		connect(fileno(fp), (struct sockaddr *) & rmt_query_sin,
+			sizeof(rmt_query_sin)) >= 0) {
+#endif
+
+		/*
+		 * Send query to server. Neglect the risk that a 13-byte
+		 * write would have to be fragmented by the local system and
+		 * cause trouble with buggy System V stdio libraries.
+		 */
+
+		fprintf(fp, "%u,%u\r\n",
+#ifdef INET6
+			ntohs(((struct sockaddr_in *)rmt_sin)->sin_port),
+			ntohs(((struct sockaddr_in *)our_sin)->sin_port));
+#else
+			ntohs(rmt_sin->sin_port),
+			ntohs(our_sin->sin_port));
+#endif
+		fflush(fp);
+
+		/*
+		 * Read response from server. Use fgets()/sscanf() so we can
+		 * work around System V stdio libraries that incorrectly
+		 * assume EOF when a read from a socket returns less than
+		 * requested.
+		 */
+
+		if (fgets(buffer, sizeof(buffer), fp) != 0
+		    && ferror(fp) == 0 && feof(fp) == 0
+		    && sscanf(buffer, "%u , %u : USERID :%*[^:]:%255s",
+			      &rmt_port, &our_port, user) == 3
+#ifdef INET6
+		    && ntohs(((struct sockaddr_in *)rmt_sin)->sin_port) == rmt_port
+		    && ntohs(((struct sockaddr_in *)our_sin)->sin_port) == our_port) {
+#else
+		    && ntohs(rmt_sin->sin_port) == rmt_port
+		    && ntohs(our_sin->sin_port) == our_port) {
+#endif
+
+		    /*
+		     * Strip trailing carriage return. It is part of the
+		     * protocol, not part of the data.
+		     */
+
+		    if (cp = strchr(user, '\r'))
+			*cp = 0;
+		    result = user;
+		}
+	    }
+	    alarm(0);
+	}
+	/* Restore SIGALRM timer and handler. Sudheer Abdul-Salam, SUN. */
+	(void) sigaction(SIGALRM, &oact, NULL);
+	if (saved_timeout > 0)
+	    alarm(saved_timeout);
+	fclose(fp);
+    }
+    STRN_CPY(dest, result, STRING_LENGTH);
+}
diff --git a/tcp_wrappers_7.6/safe_finger.8 b/tcp_wrappers_7.6/safe_finger.8
new file mode 100644
index 0000000..875616b
--- /dev/null
+++ b/tcp_wrappers_7.6/safe_finger.8
@@ -0,0 +1,34 @@
+.TH SAFE_FINGER 8 "21th June 1997" Linux "Linux Programmer's Manual"
+.SH NAME
+safe_finger \- finger client wrapper that protects against nasty stuff
+from finger servers
+.SH SYNOPSIS
+.B safe_finger [finger_options]
+.SH DESCRIPTION
+The
+.B safe_finger
+command protects against nasty stuff from finger servers. Use this
+program for automatic reverse finger probes from the
+.B tcp_wrapper
+.B (tcpd)
+, not the raw finger command. The
+.B safe_finger
+command makes sure that the finger client is not run with root
+privileges. It also runs the finger client with a defined PATH
+environment.
+.B safe_finger
+will also protect you from problems caused by the output of some
+finger servers. The problem: some programs may react to stuff in
+the first column. Other programs may get upset by thrash anywhere
+on a line. File systems may fill up as the finger server keeps
+sending data. Text editors may bomb out on extremely long lines.
+The finger server may take forever because it is somehow wedged.
+.B safe_finger
+takes care of all this badness.
+.SH SEE ALSO
+.BR hosts_access (5),
+.BR hosts_options (5),
+.BR tcpd (8)
+.SH AUTHOR
+Wietse Venema, Eindhoven University of Technology, The Netherlands.
+
diff --git a/tcp_wrappers_7.6/safe_finger.c b/tcp_wrappers_7.6/safe_finger.c
new file mode 100644
index 0000000..0567ac0
--- /dev/null
+++ b/tcp_wrappers_7.6/safe_finger.c
@@ -0,0 +1,199 @@
+ /*
+  * safe_finger - finger client wrapper that protects against nasty stuff
+  * from finger servers. Use this program for automatic reverse finger
+  * probes, not the raw finger command.
+  * 
+  * Build with: cc -o safe_finger safe_finger.c
+  * 
+  * The problem: some programs may react to stuff in the first column. Other
+  * programs may get upset by thrash anywhere on a line. File systems may
+  * fill up as the finger server keeps sending data. Text editors may bomb
+  * out on extremely long lines. The finger server may take forever because
+  * it is somehow wedged. The code below takes care of all this badness.
+  * 
+  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+  */
+
+#ifndef lint
+static char sccsid[] = "@(#) safe_finger.c 1.4 94/12/28 17:42:41";
+#endif
+
+/* System libraries */
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <signal.h>
+#include <stdio.h>
+#include <ctype.h>
+#include <pwd.h>
+#include <syslog.h>
+
+extern void exit();
+
+/* Local stuff */
+
+char    path[] = "PATH=/bin:/usr/bin:/sbin:/usr/sbin";
+
+#define	TIME_LIMIT	60		/* Do not keep listinging forever */
+#define	INPUT_LENGTH	100000		/* Do not keep listinging forever */
+#define	LINE_LENGTH	128		/* Editors can choke on long lines */
+#define	FINGER_PROGRAM	"finger"	/* Most, if not all, UNIX systems */
+#define	UNPRIV_NAME	"nobody"	/* Preferred privilege level */
+#define	UNPRIV_UGID	65534		/* Default uid and gid */
+
+int     finger_pid;
+int	allow_severity = SEVERITY;
+int	deny_severity = LOG_WARNING;
+
+void    cleanup(sig)
+int     sig;
+{
+    kill(finger_pid, SIGKILL);
+    exit(0);
+}
+
+main(argc, argv)
+int     argc;
+char  **argv;
+{
+    int     c;
+    int     line_length = 0;
+    int     finger_status;
+    int     wait_pid;
+    int     input_count = 0;
+    struct passwd *pwd;
+
+    /*
+     * First of all, let's don't run with superuser privileges.
+     */
+    if (getuid() == 0 || geteuid() == 0) {
+	if ((pwd = getpwnam(UNPRIV_NAME)) && pwd->pw_uid > 0) {
+	    setgid(pwd->pw_gid);
+	    setuid(pwd->pw_uid);
+	} else {
+	    setgid(UNPRIV_UGID);
+	    setuid(UNPRIV_UGID);
+	}
+    }
+
+    /*
+     * Redirect our standard input through the raw finger command.
+     */
+    if (putenv(path)) {
+	fprintf(stderr, "%s: putenv: out of memory", argv[0]);
+	exit(1);
+    }
+    argv[0] = FINGER_PROGRAM;
+    finger_pid = pipe_stdin(argv);
+
+    /*
+     * Don't wait forever (Peter Wemm <peter@gecko.DIALix.oz.au>).
+     */
+    signal(SIGALRM, cleanup);
+    (void) alarm(TIME_LIMIT);
+
+    /*
+     * Main filter loop.
+     */
+    while ((c = getchar()) != EOF) {
+	if (input_count++ >= INPUT_LENGTH) {	/* don't listen forever */
+	    fclose(stdin);
+	    printf("\n\n Input truncated to %d bytes...\n", input_count - 1);
+	    break;
+	}
+	if (c == '\n') {			/* good: end of line */
+	    putchar(c);
+	    line_length = 0;
+	} else {
+	    if (line_length >= LINE_LENGTH) {	/* force end of line */
+		printf("\\\n");
+		line_length = 0;
+	    }
+	    if (line_length == 0) {		/* protect left margin */
+		putchar(' ');
+		line_length++;
+	    }
+	    if (isascii(c) && (isprint(c) || isspace(c))) {	/* text */
+		if (c == '\\') {
+		    putchar(c);
+		    line_length++;
+		}
+		putchar(c);
+		line_length++;
+	    } else {				/* quote all other thash */
+		printf("\\%03o", c & 0377);
+		line_length += 4;
+	    }
+	}
+    }
+
+    /*
+     * Wait until the finger child process has terminated and account for its
+     * exit status. Which will always be zero on most systems.
+     */
+    while ((wait_pid = wait(&finger_status)) != -1 && wait_pid != finger_pid)
+	 /* void */ ;
+    return (wait_pid != finger_pid || finger_status != 0);
+}
+
+/* perror_exit - report system error text and terminate */
+
+void    perror_exit(text)
+char   *text;
+{
+    perror(text);
+    exit(1);
+}
+
+/* pipe_stdin - pipe stdin through program (from my ANSI to OLD C converter) */
+
+int     pipe_stdin(argv)
+char  **argv;
+{
+    int     pipefds[2];
+    int     pid;
+    int     i;
+    struct stat st;
+
+    /*
+     * The code that sets up the pipe requires that file descriptors 0,1,2
+     * are already open. All kinds of mysterious things will happen if that
+     * is not the case. The following loops makes sure that descriptors 0,1,2
+     * are set up properly.
+     */
+
+    for (i = 0; i < 3; i++) {
+	if (fstat(i, &st) == -1 && open("/dev/null", 2) != i)
+	    perror_exit("open /dev/null");
+    }
+
+    /*
+     * Set up the pipe that interposes the command into our standard input
+     * stream.
+     */
+
+    if (pipe(pipefds))
+	perror_exit("pipe");
+
+    switch (pid = fork()) {
+    case -1:					/* error */
+	perror_exit("fork");
+	/* NOTREACHED */
+    case 0:					/* child */
+	(void) close(pipefds[0]);		/* close reading end */
+	(void) close(1);			/* connect stdout to pipe */
+	if (dup(pipefds[1]) != 1)
+	    perror_exit("dup");
+	(void) close(pipefds[1]);		/* close redundant fd */
+	(void) execvp(argv[0], argv);
+	perror_exit(argv[0]);
+	/* NOTREACHED */
+    default:					/* parent */
+	(void) close(pipefds[1]);		/* close writing end */
+	(void) close(0);			/* connect stdin to pipe */
+	if (dup(pipefds[0]) != 0)
+	    perror_exit("dup");
+	(void) close(pipefds[0]);		/* close redundant fd */
+	return (pid);
+    }
+}
diff --git a/tcp_wrappers_7.6/scaffold.c b/tcp_wrappers_7.6/scaffold.c
new file mode 100644
index 0000000..6098274
--- /dev/null
+++ b/tcp_wrappers_7.6/scaffold.c
@@ -0,0 +1,278 @@
+ /*
+  * Routines for testing only. Not really industrial strength.
+  * 
+  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+  */
+
+#ifndef lint
+static char sccs_id[] = "@(#) scaffold.c 1.6 97/03/21 19:27:24";
+#endif
+
+/* System libraries. */
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <netdb.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <syslog.h>
+#include <setjmp.h>
+#include <string.h>
+
+#ifndef INADDR_NONE
+#define	INADDR_NONE	(-1)		/* XXX should be 0xffffffff */
+#endif
+
+#ifndef INET6
+extern char *malloc();
+#endif
+
+/* Application-specific. */
+
+#include "tcpd.h"
+#include "scaffold.h"
+
+ /*
+  * These are referenced by the options module and by rfc931.c.
+  */
+int     allow_severity = SEVERITY;
+int     deny_severity = LOG_WARNING;
+int     rfc931_timeout = RFC931_TIMEOUT;
+
+#ifndef INET6
+/* dup_hostent - create hostent in one memory block */
+
+static struct hostent *dup_hostent(hp)
+struct hostent *hp;
+{
+    struct hostent_block {
+	struct hostent host;
+	char   *addr_list[1];
+    };
+    struct hostent_block *hb;
+    int     count;
+    char   *data;
+    char   *addr;
+
+    for (count = 0; hp->h_addr_list[count] != 0; count++)
+	 /* void */ ;
+
+    if ((hb = (struct hostent_block *) malloc(sizeof(struct hostent_block)
+			 + (hp->h_length + sizeof(char *)) * count)) == 0) {
+	fprintf(stderr, "Sorry, out of memory\n");
+	exit(1);
+    }
+    memset((char *) &hb->host, 0, sizeof(hb->host));
+    hb->host.h_length = hp->h_length;
+    hb->host.h_addr_list = hb->addr_list;
+    hb->host.h_addr_list[count] = 0;
+    data = (char *) (hb->host.h_addr_list + count + 1);
+
+    for (count = 0; (addr = hp->h_addr_list[count]) != 0; count++) {
+	hb->host.h_addr_list[count] = data + hp->h_length * count;
+	memcpy(hb->host.h_addr_list[count], addr, hp->h_length);
+    }
+    return (&hb->host);
+}
+#endif
+
+/* find_inet_addr - find all addresses for this host, result to free() */
+
+#ifdef INET6
+struct addrinfo *find_inet_addr(host)
+char   *host;
+{
+    struct addrinfo hints, *res;
+
+    memset(&hints, 0, sizeof(hints));
+    hints.ai_family = PF_UNSPEC;
+    hints.ai_socktype = SOCK_STREAM;
+    hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
+    if (getaddrinfo(host, NULL, &hints, &res) == 0)
+	return (res);
+
+    memset(&hints, 0, sizeof(hints));
+    hints.ai_family = PF_UNSPEC;
+    hints.ai_socktype = SOCK_STREAM;
+    hints.ai_flags = AI_PASSIVE | AI_CANONNAME;
+    if (getaddrinfo(host, NULL, &hints, &res) != 0) {
+	tcpd_warn("%s: host not found", host);
+	return (0);
+    }
+    if (res->ai_family != AF_INET6 && res->ai_family != AF_INET) {
+	tcpd_warn("%d: not an internet host", res->ai_family);
+	freeaddrinfo(res);
+	return (0);
+    }
+    if (!res->ai_canonname) {
+	tcpd_warn("%s: hostname alias", host);
+	tcpd_warn("(cannot obtain official name)", res->ai_canonname);
+    } else if (STR_NE(host, res->ai_canonname)) {
+	tcpd_warn("%s: hostname alias", host);
+	tcpd_warn("(official name: %.*s)", STRING_LENGTH, res->ai_canonname);
+    }
+    return (res);
+}
+#else
+struct hostent *find_inet_addr(host)
+char   *host;
+{
+    struct in_addr addr;
+    struct hostent *hp;
+    static struct hostent h;
+    static char *addr_list[2];
+
+    /*
+     * Host address: translate it to internal form.
+     */
+    if ((addr.s_addr = dot_quad_addr(host)) != INADDR_NONE) {
+	h.h_addr_list = addr_list;
+	h.h_addr_list[0] = (char *) &addr;
+	h.h_length = sizeof(addr);
+	return (dup_hostent(&h));
+    }
+
+    /*
+     * Map host name to a series of addresses. Watch out for non-internet
+     * forms or aliases. The NOT_INADDR() is here in case gethostbyname() has
+     * been "enhanced" to accept numeric addresses. Make a copy of the
+     * address list so that later gethostbyXXX() calls will not clobber it.
+     */
+    if (NOT_INADDR(host) == 0) {
+	tcpd_warn("%s: not an internet address", host);
+	return (0);
+    }
+    if ((hp = gethostbyname(host)) == 0) {
+	tcpd_warn("%s: host not found", host);
+	return (0);
+    }
+    if (hp->h_addrtype != AF_INET) {
+	tcpd_warn("%d: not an internet host", hp->h_addrtype);
+	return (0);
+    }
+    if (STR_NE(host, hp->h_name)) {
+	tcpd_warn("%s: hostname alias", host);
+	tcpd_warn("(official name: %.*s)", STRING_LENGTH, hp->h_name);
+    }
+    return (dup_hostent(hp));
+}
+#endif
+
+/* check_dns - give each address thorough workout, return address count */
+
+int     check_dns(host)
+char   *host;
+{
+    struct request_info request;
+#ifdef INET6
+    struct sockaddr_storage sin;
+    struct addrinfo *hp, *res;
+#else
+    struct sockaddr_in sin;
+    struct hostent *hp;
+#endif
+    int     count;
+    char   *addr;
+
+    if ((hp = find_inet_addr(host)) == 0)
+	return (0);
+    request_init(&request, RQ_CLIENT_SIN, &sin, 0);
+    sock_methods(&request);
+#ifndef INET6
+    memset((char *) &sin, 0, sizeof(sin));
+    sin.sin_family = AF_INET;
+#endif
+
+#ifdef INET6
+    for (res = hp, count = 0; res; res = res->ai_next, count++) {
+	memcpy(&sin, res->ai_addr, res->ai_addrlen);
+#else
+    for (count = 0; (addr = hp->h_addr_list[count]) != 0; count++) {
+	memcpy((char *) &sin.sin_addr, addr, sizeof(sin.sin_addr));
+#endif
+
+	/*
+	 * Force host name and address conversions. Use the request structure
+	 * as a cache. Detect hostname lookup problems. Any name/name or
+	 * name/address conflicts will be reported while eval_hostname() does
+	 * its job.
+	 */
+	request_set(&request, RQ_CLIENT_ADDR, "", RQ_CLIENT_NAME, "", 0);
+	if (STR_EQ(eval_hostname(request.client), unknown))
+	    tcpd_warn("host address %s->name lookup failed",
+		      eval_hostaddr(request.client));
+    }
+#ifdef INET6
+    freeaddrinfo(hp);
+#else
+    free((char *) hp);
+#endif
+    return (count);
+}
+
+/* dummy function to intercept the real shell_cmd() */
+
+/* ARGSUSED */
+
+void    shell_cmd(command)
+char   *command;
+{
+    if (hosts_access_verbose)
+	printf("command: %s", command);
+}
+
+/* dummy function  to intercept the real clean_exit() */
+
+/* ARGSUSED */
+
+void    clean_exit(request)
+struct request_info *request;
+{
+    exit(0);
+}
+
+/* dummy function  to intercept the real rfc931() */
+
+/* ARGSUSED */
+
+void    rfc931(rmt_sin, our_sin, dest)
+#ifdef INET6
+struct sockaddr *rmt_sin;
+struct sockaddr *our_sin;
+#else
+struct sockaddr_in *rmt_sin;
+struct sockaddr_in *our_sin;
+#endif
+char   *dest;
+{
+    strcpy(dest, unknown);
+}
+
+/* check_path - examine accessibility */
+
+int     check_path(path, st)
+char   *path;
+struct stat *st;
+{
+    struct stat stbuf;
+    char    buf[BUFSIZ];
+
+    if (stat(path, st) < 0)
+	return (-1);
+#ifdef notdef
+    if (st->st_uid != 0)
+	tcpd_warn("%s: not owned by root", path);
+    if (st->st_mode & 020)
+	tcpd_warn("%s: group writable", path);
+#endif
+    if (st->st_mode & 002)
+	tcpd_warn("%s: world writable", path);
+    if (path[0] == '/' && path[1] != 0) {
+	strrchr(strcpy(buf, path), '/')[0] = 0;
+	(void) check_path(buf[0] ? buf : "/", &stbuf);
+    }
+    return (0);
+}
diff --git a/tcp_wrappers_7.6/scaffold.c.orig b/tcp_wrappers_7.6/scaffold.c.orig
new file mode 100644
index 0000000..9330588
--- /dev/null
+++ b/tcp_wrappers_7.6/scaffold.c.orig
@@ -0,0 +1,271 @@
+ /*
+  * Routines for testing only. Not really industrial strength.
+  * 
+  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+  */
+
+#ifndef lint
+static char sccs_id[] = "@(#) scaffold.c 1.6 97/03/21 19:27:24";
+#endif
+
+/* System libraries. */
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <netdb.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <syslog.h>
+#include <setjmp.h>
+#include <string.h>
+
+#ifndef INADDR_NONE
+#define	INADDR_NONE	(-1)		/* XXX should be 0xffffffff */
+#endif
+
+#ifndef INET6
+extern char *malloc();
+#endif
+
+/* Application-specific. */
+
+#include "tcpd.h"
+#include "scaffold.h"
+
+ /*
+  * These are referenced by the options module and by rfc931.c.
+  */
+int     allow_severity = SEVERITY;
+int     deny_severity = LOG_WARNING;
+int     rfc931_timeout = RFC931_TIMEOUT;
+
+#ifndef INET6
+/* dup_hostent - create hostent in one memory block */
+
+static struct hostent *dup_hostent(hp)
+struct hostent *hp;
+{
+    struct hostent_block {
+	struct hostent host;
+	char   *addr_list[1];
+    };
+    struct hostent_block *hb;
+    int     count;
+    char   *data;
+    char   *addr;
+
+    for (count = 0; hp->h_addr_list[count] != 0; count++)
+	 /* void */ ;
+
+    if ((hb = (struct hostent_block *) malloc(sizeof(struct hostent_block)
+			 + (hp->h_length + sizeof(char *)) * count)) == 0) {
+	fprintf(stderr, "Sorry, out of memory\n");
+	exit(1);
+    }
+    memset((char *) &hb->host, 0, sizeof(hb->host));
+    hb->host.h_length = hp->h_length;
+    hb->host.h_addr_list = hb->addr_list;
+    hb->host.h_addr_list[count] = 0;
+    data = (char *) (hb->host.h_addr_list + count + 1);
+
+    for (count = 0; (addr = hp->h_addr_list[count]) != 0; count++) {
+	hb->host.h_addr_list[count] = data + hp->h_length * count;
+	memcpy(hb->host.h_addr_list[count], addr, hp->h_length);
+    }
+    return (&hb->host);
+}
+#endif
+
+/* find_inet_addr - find all addresses for this host, result to free() */
+
+#ifdef INET6
+struct addrinfo *find_inet_addr(host)
+char   *host;
+{
+    struct addrinfo hints, *res;
+
+    memset(&hints, 0, sizeof(hints));
+    hints.ai_family = PF_UNSPEC;
+    hints.ai_socktype = SOCK_STREAM;
+    hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST;
+    if (getaddrinfo(host, NULL, &hints, &res) == 0)
+	return (res);
+
+    memset(&hints, 0, sizeof(hints));
+    hints.ai_family = PF_UNSPEC;
+    hints.ai_socktype = SOCK_STREAM;
+    hints.ai_flags = AI_PASSIVE | AI_CANONNAME;
+    if (getaddrinfo(host, NULL, &hints, &res) != 0) {
+	tcpd_warn("%s: host not found", host);
+	return (0);
+    }
+    if (res->ai_family != AF_INET6 && res->ai_family != AF_INET) {
+	tcpd_warn("%d: not an internet host", res->ai_family);
+	freeaddrinfo(res);
+	return (0);
+    }
+    if (!res->ai_canonname) {
+	tcpd_warn("%s: hostname alias", host);
+	tcpd_warn("(cannot obtain official name)", res->ai_canonname);
+    } else if (STR_NE(host, res->ai_canonname)) {
+	tcpd_warn("%s: hostname alias", host);
+	tcpd_warn("(official name: %.*s)", STRING_LENGTH, res->ai_canonname);
+    }
+    return (res);
+}
+#else
+struct hostent *find_inet_addr(host)
+char   *host;
+{
+    struct in_addr addr;
+    struct hostent *hp;
+    static struct hostent h;
+    static char *addr_list[2];
+
+    /*
+     * Host address: translate it to internal form.
+     */
+    if ((addr.s_addr = dot_quad_addr(host)) != INADDR_NONE) {
+	h.h_addr_list = addr_list;
+	h.h_addr_list[0] = (char *) &addr;
+	h.h_length = sizeof(addr);
+	return (dup_hostent(&h));
+    }
+
+    /*
+     * Map host name to a series of addresses. Watch out for non-internet
+     * forms or aliases. The NOT_INADDR() is here in case gethostbyname() has
+     * been "enhanced" to accept numeric addresses. Make a copy of the
+     * address list so that later gethostbyXXX() calls will not clobber it.
+     */
+    if (NOT_INADDR(host) == 0) {
+	tcpd_warn("%s: not an internet address", host);
+	return (0);
+    }
+    if ((hp = gethostbyname(host)) == 0) {
+	tcpd_warn("%s: host not found", host);
+	return (0);
+    }
+    if (hp->h_addrtype != AF_INET) {
+	tcpd_warn("%d: not an internet host", hp->h_addrtype);
+	return (0);
+    }
+    if (STR_NE(host, hp->h_name)) {
+	tcpd_warn("%s: hostname alias", host);
+	tcpd_warn("(official name: %.*s)", STRING_LENGTH, hp->h_name);
+    }
+    return (dup_hostent(hp));
+}
+#endif
+
+/* check_dns - give each address thorough workout, return address count */
+
+int     check_dns(host)
+char   *host;
+{
+    struct request_info request;
+#ifdef INET6
+    struct sockaddr_storage sin;
+    struct addrinfo *hp, *res;
+#else
+    struct sockaddr_in sin;
+    struct hostent *hp;
+#endif
+    int     count;
+    char   *addr;
+
+    if ((hp = find_inet_addr(host)) == 0)
+	return (0);
+    request_init(&request, RQ_CLIENT_SIN, &sin, 0);
+    sock_methods(&request);
+#ifndef INET6
+    memset((char *) &sin, 0, sizeof(sin));
+    sin.sin_family = AF_INET;
+#endif
+
+#ifdef INET6
+    for (res = hp, count = 0; res; res = res->ai_next, count++) {
+	memcpy(&sin, res->ai_addr, res->ai_addrlen);
+#else
+    for (count = 0; (addr = hp->h_addr_list[count]) != 0; count++) {
+	memcpy((char *) &sin.sin_addr, addr, sizeof(sin.sin_addr));
+#endif
+
+	/*
+	 * Force host name and address conversions. Use the request structure
+	 * as a cache. Detect hostname lookup problems. Any name/name or
+	 * name/address conflicts will be reported while eval_hostname() does
+	 * its job.
+	 */
+	request_set(&request, RQ_CLIENT_ADDR, "", RQ_CLIENT_NAME, "", 0);
+	if (STR_EQ(eval_hostname(request.client), unknown))
+	    tcpd_warn("host address %s->name lookup failed",
+		      eval_hostaddr(request.client));
+    }
+#ifdef INET6
+    freeaddrinfo(hp);
+#else
+    free((char *) hp);
+#endif
+    return (count);
+}
+
+/* dummy function to intercept the real shell_cmd() */
+
+/* ARGSUSED */
+
+void    shell_cmd(command)
+char   *command;
+{
+    if (hosts_access_verbose)
+	printf("command: %s", command);
+}
+
+/* dummy function  to intercept the real clean_exit() */
+
+/* ARGSUSED */
+
+void    clean_exit(request)
+struct request_info *request;
+{
+    exit(0);
+}
+
+/* dummy function  to intercept the real rfc931() */
+
+/* ARGSUSED */
+
+void    rfc931(request)
+struct request_info *request;
+{
+    strcpy(request->user, unknown);
+}
+
+/* check_path - examine accessibility */
+
+int     check_path(path, st)
+char   *path;
+struct stat *st;
+{
+    struct stat stbuf;
+    char    buf[BUFSIZ];
+
+    if (stat(path, st) < 0)
+	return (-1);
+#ifdef notdef
+    if (st->st_uid != 0)
+	tcpd_warn("%s: not owned by root", path);
+    if (st->st_mode & 020)
+	tcpd_warn("%s: group writable", path);
+#endif
+    if (st->st_mode & 002)
+	tcpd_warn("%s: world writable", path);
+    if (path[0] == '/' && path[1] != 0) {
+	strrchr(strcpy(buf, path), '/')[0] = 0;
+	(void) check_path(buf[0] ? buf : "/", &stbuf);
+    }
+    return (0);
+}
diff --git a/tcp_wrappers_7.6/scaffold.h b/tcp_wrappers_7.6/scaffold.h
new file mode 100644
index 0000000..d3c7a3c
--- /dev/null
+++ b/tcp_wrappers_7.6/scaffold.h
@@ -0,0 +1,13 @@
+ /*
+  * @(#) scaffold.h 1.3 94/12/31 18:19:19
+  * 
+  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+  */
+
+#ifdef INET6
+extern struct addrinfo *find_inet_addr();
+#else
+extern struct hostent *find_inet_addr();
+#endif
+extern int check_dns();
+extern int check_path();
diff --git a/tcp_wrappers_7.6/setenv.c b/tcp_wrappers_7.6/setenv.c
new file mode 100644
index 0000000..03c7062
--- /dev/null
+++ b/tcp_wrappers_7.6/setenv.c
@@ -0,0 +1,34 @@
+ /*
+  * Some systems do not have setenv(). This one is modeled after 4.4 BSD, but
+  * is implemented in terms of portable primitives only: getenv(), putenv()
+  * and malloc(). It should therefore be safe to use on every UNIX system.
+  * 
+  * If clobber == 0, do not overwrite an existing variable.
+  * 
+  * Returns nonzero if memory allocation fails.
+  * 
+  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+  */
+
+#ifndef lint
+static char sccsid[] = "@(#) setenv.c 1.1 93/03/07 22:47:58";
+#endif
+
+/* setenv - update or insert environment (name,value) pair */
+
+int     setenv(name, value, clobber)
+char   *name;
+char   *value;
+int     clobber;
+{
+    char   *malloc();
+    char   *getenv();
+    char   *cp;
+
+    if (clobber == 0 && getenv(name) != 0)
+	return (0);
+    if ((cp = malloc(strlen(name) + strlen(value) + 2)) == 0)
+	return (1);
+    sprintf(cp, "%s=%s", name, value);
+    return (putenv(cp));
+}
diff --git a/tcp_wrappers_7.6/shell_cmd.c b/tcp_wrappers_7.6/shell_cmd.c
new file mode 100644
index 0000000..b0ffdd9
--- /dev/null
+++ b/tcp_wrappers_7.6/shell_cmd.c
@@ -0,0 +1,140 @@
+ /*
+  * shell_cmd() takes a shell command after %<character> substitutions. The
+  * command is executed by a /bin/sh child process, with standard input,
+  * standard output and standard error connected to /dev/null.
+  * 
+  * Diagnostics are reported through syslog(3).
+  * 
+  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+  */
+
+#ifndef lint
+static char sccsid[] = "@(#) shell_cmd.c 1.5 94/12/28 17:42:44";
+#endif
+
+/* System libraries. */
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <signal.h>
+#include <stdio.h>
+#include <syslog.h>
+#include <string.h>
+#include <errno.h>
+#include <unistd.h>
+#include <sys/wait.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+
+extern void exit();
+
+/* Local stuff. */
+
+#include "tcpd.h"
+
+/* Forward declarations. */
+
+static void do_child();
+
+/*
+ * The sigchld handler. If there is a SIGCHLD caused by a child other than
+ * ours, we set a flag and raise the signal later.
+ */
+volatile static int foreign_sigchld;
+volatile static int our_child_pid;
+static void sigchld(int sig, siginfo_t *si, void *unused)
+{
+    if (si && si->si_pid != our_child_pid)
+	foreign_sigchld = 1;
+}
+
+/* shell_cmd - execute shell command */
+
+void    shell_cmd(command)
+char   *command;
+{
+    int     child_pid;
+
+    struct sigaction new_action, old_action;
+    sigset_t new_mask, old_mask, empty_mask;
+
+    new_action.sa_sigaction = &sigchld;
+    new_action.sa_flags = SA_SIGINFO;
+    sigemptyset(&new_action.sa_mask);
+    sigemptyset(&new_mask);
+    sigemptyset(&empty_mask);
+    sigaddset(&new_mask, SIGCHLD);
+
+    /*
+     * Set the variables for handler, set the handler and block the signal
+     * until we have the pid.
+     */
+    foreign_sigchld = 0; our_child_pid = 0;
+    sigprocmask(SIG_BLOCK, &new_mask, &old_mask);
+    sigaction(SIGCHLD, &new_action, &old_action);
+
+    /*
+     * Most of the work is done within the child process, to minimize the
+     * risk of damage to the parent.
+     */
+
+    switch (child_pid = fork()) {
+    case -1:					/* error */
+	tcpd_warn("cannot fork: %m");
+	break;
+    case 00:					/* child */
+	/* Clear the blocked mask for the child not to be surprised. */
+	sigprocmask(SIG_SETMASK, &empty_mask, 0);
+	do_child(command);
+	/* NOTREACHED */
+    default:					/* parent */
+	our_child_pid = child_pid;
+	sigprocmask(SIG_UNBLOCK, &new_mask, 0);
+	while (waitpid(child_pid, (int *) 0, 0) == -1 && errno == EINTR);
+    }
+
+    /*
+     * Revert the signal mask and the SIGCHLD handler.
+     */
+    sigprocmask(SIG_SETMASK, &old_mask, 0);
+    sigaction(SIGCHLD, &old_action, 0);
+
+    /* If there was a foreign SIGCHLD, raise it after we have restored the old
+     * mask and handler. */
+    if (foreign_sigchld)
+	raise(SIGCHLD);
+}
+
+/* do_child - exec command with { stdin, stdout, stderr } to /dev/null */
+
+static void do_child(command)
+char   *command;
+{
+    char   *error;
+    int     tmp_fd;
+
+    /*
+     * Systems with POSIX sessions may send a SIGHUP to grandchildren if the
+     * child exits first. This is sick, sessions were invented for terminals.
+     */
+
+    signal(SIGHUP, SIG_IGN);
+
+    /* Set up new stdin, stdout, stderr, and exec the shell command. */
+
+    for (tmp_fd = 0; tmp_fd < 3; tmp_fd++)
+	(void) close(tmp_fd);
+    if (open("/dev/null", 2) != 0) {
+	error = "open /dev/null: %m";
+    } else if (dup(0) != 1 || dup(0) != 2) {
+	error = "dup: %m";
+    } else {
+	(void) execl("/bin/sh", "sh", "-c", command, (char *) 0);
+	error = "execl /bin/sh: %m";
+    }
+
+    /* Something went wrong. We MUST terminate the child process. */
+
+    tcpd_warn(error);
+    _exit(0);
+}
diff --git a/tcp_wrappers_7.6/socket.c b/tcp_wrappers_7.6/socket.c
new file mode 100644
index 0000000..c2f4d1a
--- /dev/null
+++ b/tcp_wrappers_7.6/socket.c
@@ -0,0 +1,445 @@
+ /*
+  * This module determines the type of socket (datagram, stream), the client
+  * socket address and port, the server socket address and port. In addition,
+  * it provides methods to map a transport address to a printable host name
+  * or address. Socket address information results are in static memory.
+  * 
+  * The result from the hostname lookup method is STRING_PARANOID when a host
+  * pretends to have someone elses name, or when a host name is available but
+  * could not be verified.
+  * 
+  * When lookup or conversion fails the result is set to STRING_UNKNOWN.
+  * 
+  * Diagnostics are reported through syslog(3).
+  * 
+  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+  */
+
+#ifndef lint
+static char sccsid[] = "@(#) socket.c 1.15 97/03/21 19:27:24";
+#endif
+
+/* System libraries. */
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/socket.h>
+#ifdef INT32_T
+typedef uint32_t u_int32_t;
+#endif
+#include <netinet/in.h>
+#include <netdb.h>
+#include <stdio.h>
+#include <syslog.h>
+#include <string.h>
+
+#ifdef INET6
+#ifndef NI_WITHSCOPEID
+#define NI_WITHSCOPEID	0
+#endif
+#else
+extern char *inet_ntoa();
+#endif
+
+/* Local stuff. */
+
+#include "tcpd.h"
+
+/* Forward declarations. */
+
+static void sock_sink();
+
+#ifdef APPEND_DOT
+
+ /*
+  * Speed up DNS lookups by terminating the host name with a dot. Should be
+  * done with care. The speedup can give problems with lookups from sources
+  * that lack DNS-style trailing dot magic, such as local files or NIS maps.
+  */
+
+static struct hostent *gethostbyname_dot(name)
+char   *name;
+{
+    char    dot_name[MAXHOSTNAMELEN + 1];
+    struct hostent *hp;
+    
+    /*
+     * Don't append dots to unqualified names. Such names are likely to come
+     * from local hosts files or from NIS.
+     */
+
+    if (strchr(name, '.') == 0 || strlen(name) >= MAXHOSTNAMELEN - 1) {
+	return (gethostbyname(name));
+    } else {
+        sprintf(dot_name, "%s.", name);
+        hp = gethostbyname(dot_name);
+	if (hp)
+	    return hp;
+	else
+	    return (gethostbyname(name));
+    }
+}
+
+#define gethostbyname gethostbyname_dot
+#endif
+
+/* sock_host - look up endpoint addresses and install conversion methods */
+
+void    sock_host(request)
+struct request_info *request;
+{
+#ifdef INET6
+    static struct sockaddr_storage client;
+    static struct sockaddr_storage server;
+#else
+    static struct sockaddr_in client;
+    static struct sockaddr_in server;
+#endif
+#ifdef __GLIBC__
+    size_t  len;
+#else
+    int     len;
+#endif
+    char    buf[BUFSIZ];
+    int     fd = request->fd;
+
+    sock_methods(request);
+
+    /*
+     * Look up the client host address. Hal R. Brand <BRAND@addvax.llnl.gov>
+     * suggested how to get the client host info in case of UDP connections:
+     * peek at the first message without actually looking at its contents. We
+     * really should verify that client.sin_family gets the value AF_INET,
+     * but this program has already caused too much grief on systems with
+     * broken library code.
+     */
+
+    len = sizeof(client);
+    if (getpeername(fd, (struct sockaddr *) & client, &len) < 0) {
+	request->sink = sock_sink;
+	len = sizeof(client);
+	if (recvfrom(fd, buf, sizeof(buf), MSG_PEEK,
+		     (struct sockaddr *) & client, &len) < 0) {
+	    tcpd_warn("can't get client address: %m");
+	    return;				/* give up */
+	}
+#ifdef really_paranoid
+	memset(buf, 0 sizeof(buf));
+#endif
+    }
+#ifdef INET6
+    request->client->sin = (struct sockaddr *)&client;
+#else
+    request->client->sin = &client;
+#endif
+
+    /*
+     * Determine the server binding. This is used for client username
+     * lookups, and for access control rules that trigger on the server
+     * address or name.
+     */
+
+    len = sizeof(server);
+    if (getsockname(fd, (struct sockaddr *) & server, &len) < 0) {
+	tcpd_warn("getsockname: %m");
+	return;
+    }
+#ifdef INET6
+    request->server->sin = (struct sockaddr *)&server;
+#else
+    request->server->sin = &server;
+#endif
+}
+
+/* sock_hostaddr - map endpoint address to printable form */
+
+void    sock_hostaddr(host)
+struct host_info *host;
+{
+#ifdef INET6
+    struct sockaddr *sin = host->sin;
+    int salen;
+
+    if (!sin)
+	return;
+#ifdef SIN6_LEN
+    salen = sin->sa_len;
+#else
+    salen = (sin->sa_family == AF_INET) ? sizeof(struct sockaddr_in)
+					: sizeof(struct sockaddr_in6);
+#endif
+    getnameinfo(sin, salen, host->addr, sizeof(host->addr),
+		NULL, 0, NI_NUMERICHOST | NI_WITHSCOPEID);
+#else
+    struct sockaddr_in *sin = host->sin;
+
+    if (sin != 0)
+	STRN_CPY(host->addr, inet_ntoa(sin->sin_addr), sizeof(host->addr));
+#endif
+}
+
+/* sock_hostname - map endpoint address to host name */
+
+void    sock_hostname(host)
+struct host_info *host;
+{
+#ifdef INET6
+    struct sockaddr *sin = host->sin;
+    struct sockaddr_in sin4;
+    struct addrinfo hints, *res, *res0 = NULL;
+    int salen, alen, err = 1;
+    char *ap = NULL, *rap, hname[NI_MAXHOST];
+
+    if (sin != NULL) {
+	if (sin->sa_family == AF_INET6) {
+	    struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)sin;
+
+	    if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
+		memset(&sin4, 0, sizeof(sin4));
+#ifdef SIN6_LEN
+		sin4.sin_len = sizeof(sin4);
+#endif
+		sin4.sin_family = AF_INET;
+		sin4.sin_port = sin6->sin6_port;
+		sin4.sin_addr.s_addr = *(u_int32_t *)&sin6->sin6_addr.s6_addr[12];
+		sin = (struct sockaddr *)&sin4;
+	    }
+	}
+	switch (sin->sa_family) {
+	case AF_INET:
+	    ap = (char *)&((struct sockaddr_in *)sin)->sin_addr;
+	    alen = sizeof(struct in_addr);
+	    salen = sizeof(struct sockaddr_in);
+	    break;
+	case AF_INET6:
+	    ap = (char *)&((struct sockaddr_in6 *)sin)->sin6_addr;
+	    alen = sizeof(struct in6_addr);
+	    salen = sizeof(struct sockaddr_in6);
+	    break;
+	default:
+	    break;
+	}
+	if (ap)
+	    err = getnameinfo(sin, salen, hname, sizeof(hname),
+			      NULL, 0, NI_WITHSCOPEID | NI_NAMEREQD);
+    }
+    if (!err) {
+
+	STRN_CPY(host->name, hname, sizeof(host->name));
+
+	/* reject numeric addresses */
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_family = sin->sa_family;
+	hints.ai_socktype = SOCK_STREAM;
+	hints.ai_flags = AI_PASSIVE | AI_CANONNAME | AI_NUMERICHOST;
+	if ((err = getaddrinfo(host->name, NULL, &hints, &res0)) == 0) {
+	    freeaddrinfo(res0);
+	    res0 = NULL;
+	    tcpd_warn("host name/name mismatch: "
+		      "reverse lookup results in non-FQDN %s",
+		      host->name);
+	    strcpy(host->name, paranoid);	/* name is bad, clobber it */
+	}
+	err = !err;
+    }
+    if (!err) {
+	/* we are now sure that this is non-numeric */
+
+	/*
+	 * Verify that the address is a member of the address list returned
+	 * by gethostbyname(hostname).
+	 * 
+	 * Verify also that gethostbyaddr() and gethostbyname() return the same
+	 * hostname, or rshd and rlogind may still end up being spoofed.
+	 * 
+	 * On some sites, gethostbyname("localhost") returns "localhost.domain".
+	 * This is a DNS artefact. We treat it as a special case. When we
+	 * can't believe the address list from gethostbyname("localhost")
+	 * we're in big trouble anyway.
+	 */
+
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_family = sin->sa_family;
+	hints.ai_socktype = SOCK_STREAM;
+	hints.ai_flags = AI_PASSIVE | AI_CANONNAME;
+	if (getaddrinfo(host->name, NULL, &hints, &res0) != 0) {
+
+	    /*
+	     * Unable to verify that the host name matches the address. This
+	     * may be a transient problem or a botched name server setup.
+	     */
+
+	    tcpd_warn("can't verify hostname: getaddrinfo(%s, %s) failed",
+		      host->name,
+		      (sin->sa_family == AF_INET) ? "AF_INET" : "AF_INET6");
+
+	} else if ((res0->ai_canonname == NULL
+		    || STR_NE(host->name, res0->ai_canonname))
+		   && STR_NE(host->name, "localhost")) {
+
+	    /*
+	     * The gethostbyaddr() and gethostbyname() calls did not return
+	     * the same hostname. This could be a nameserver configuration
+	     * problem. It could also be that someone is trying to spoof us.
+	     */
+
+	    tcpd_warn("host name/name mismatch: %s != %.*s",
+		      host->name, STRING_LENGTH,
+		      (res0->ai_canonname == NULL) ? "" : res0->ai_canonname);
+
+	} else {
+
+	    /*
+	     * The address should be a member of the address list returned by
+	     * gethostbyname(). We should first verify that the h_addrtype
+	     * field is AF_INET, but this program has already caused too much
+	     * grief on systems with broken library code.
+	     */
+
+	    for (res = res0; res; res = res->ai_next) {
+		if (res->ai_family != sin->sa_family)
+		    continue;
+		switch (res->ai_family) {
+		case AF_INET:
+		    rap = (char *)&((struct sockaddr_in *)res->ai_addr)->sin_addr;
+		    break;
+		case AF_INET6:
+		    /* need to check scope_id */
+		    if (((struct sockaddr_in6 *)sin)->sin6_scope_id !=
+		        ((struct sockaddr_in6 *)res->ai_addr)->sin6_scope_id) {
+			continue;
+		    }
+		    rap = (char *)&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
+		    break;
+		default:
+		    continue;
+		}
+		if (memcmp(rap, ap, alen) == 0) {
+		    freeaddrinfo(res0);
+		    return;			/* name is good, keep it */
+		}
+	    }
+
+	    /*
+	     * The host name does not map to the initial address. Perhaps
+	     * someone has messed up. Perhaps someone compromised a name
+	     * server.
+	     */
+
+	    getnameinfo(sin, salen, hname, sizeof(hname),
+			NULL, 0, NI_NUMERICHOST | NI_WITHSCOPEID);
+	    tcpd_warn("host name/address mismatch: %s != %.*s",
+		      hname, STRING_LENGTH,
+		      (res0->ai_canonname == NULL) ? "" : res0->ai_canonname);
+	}
+	strcpy(host->name, paranoid);		/* name is bad, clobber it */
+	if (res0)
+	    freeaddrinfo(res0);
+    }
+#else /* INET6 */
+    struct sockaddr_in *sin = host->sin;
+    struct hostent *hp;
+    int     i;
+
+    /*
+     * On some systems, for example Solaris 2.3, gethostbyaddr(0.0.0.0) does
+     * not fail. Instead it returns "INADDR_ANY". Unfortunately, this does
+     * not work the other way around: gethostbyname("INADDR_ANY") fails. We
+     * have to special-case 0.0.0.0, in order to avoid false alerts from the
+     * host name/address checking code below.
+     */
+    if (sin != 0 && sin->sin_addr.s_addr != 0
+	&& (hp = gethostbyaddr((char *) &(sin->sin_addr),
+			       sizeof(sin->sin_addr), AF_INET)) != 0) {
+
+	STRN_CPY(host->name, hp->h_name, sizeof(host->name));
+
+	/*
+	 * Verify that the address is a member of the address list returned
+	 * by gethostbyname(hostname).
+	 * 
+	 * Verify also that gethostbyaddr() and gethostbyname() return the same
+	 * hostname, or rshd and rlogind may still end up being spoofed.
+	 * 
+	 * On some sites, gethostbyname("localhost") returns "localhost.domain".
+	 * This is a DNS artefact. We treat it as a special case. When we
+	 * can't believe the address list from gethostbyname("localhost")
+	 * we're in big trouble anyway.
+	 */
+
+	if ((hp = gethostbyname(host->name)) == 0) {
+
+	    /*
+	     * Unable to verify that the host name matches the address. This
+	     * may be a transient problem or a botched name server setup.
+	     */
+
+	    tcpd_warn("can't verify hostname: gethostbyname(%s) failed",
+		      host->name);
+
+	} else if (STR_NE(host->name, hp->h_name)
+		   && STR_NE(host->name, "localhost")) {
+
+	    /*
+	     * The gethostbyaddr() and gethostbyname() calls did not return
+	     * the same hostname. This could be a nameserver configuration
+	     * problem. It could also be that someone is trying to spoof us.
+	     */
+
+	    tcpd_warn("host name/name mismatch: %s != %.*s",
+		      host->name, STRING_LENGTH, hp->h_name);
+
+	} else {
+
+	    /*
+	     * The address should be a member of the address list returned by
+	     * gethostbyname(). We should first verify that the h_addrtype
+	     * field is AF_INET, but this program has already caused too much
+	     * grief on systems with broken library code.
+	     */
+
+	    for (i = 0; hp->h_addr_list[i]; i++) {
+		if (memcmp(hp->h_addr_list[i],
+			   (char *) &sin->sin_addr,
+			   sizeof(sin->sin_addr)) == 0)
+		    return;			/* name is good, keep it */
+	    }
+
+	    /*
+	     * The host name does not map to the initial address. Perhaps
+	     * someone has messed up. Perhaps someone compromised a name
+	     * server.
+	     */
+
+	    tcpd_warn("host name/address mismatch: %s != %.*s",
+		      inet_ntoa(sin->sin_addr), STRING_LENGTH, hp->h_name);
+	}
+	strcpy(host->name, paranoid);		/* name is bad, clobber it */
+    }
+#endif /* INET6 */
+}
+
+/* sock_sink - absorb unreceived IP datagram */
+
+static void sock_sink(fd)
+int     fd;
+{
+    char    buf[BUFSIZ];
+#ifdef INET6
+    struct sockaddr_storage sin;
+#else
+    struct sockaddr_in sin;
+#endif
+#ifdef __GLIBC__
+    size_t  size = sizeof(sin);
+#else
+    int     size = sizeof(sin);
+#endif
+
+    /*
+     * Eat up the not-yet received datagram. Some systems insist on a
+     * non-zero source address argument in the recvfrom() call below.
+     */
+
+    (void) recvfrom(fd, buf, sizeof(buf), 0, (struct sockaddr *) & sin, &size);
+}
diff --git a/tcp_wrappers_7.6/socket.c.orig b/tcp_wrappers_7.6/socket.c.orig
new file mode 100644
index 0000000..4b2c575
--- /dev/null
+++ b/tcp_wrappers_7.6/socket.c.orig
@@ -0,0 +1,437 @@
+ /*
+  * This module determines the type of socket (datagram, stream), the client
+  * socket address and port, the server socket address and port. In addition,
+  * it provides methods to map a transport address to a printable host name
+  * or address. Socket address information results are in static memory.
+  * 
+  * The result from the hostname lookup method is STRING_PARANOID when a host
+  * pretends to have someone elses name, or when a host name is available but
+  * could not be verified.
+  * 
+  * When lookup or conversion fails the result is set to STRING_UNKNOWN.
+  * 
+  * Diagnostics are reported through syslog(3).
+  * 
+  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+  */
+
+#ifndef lint
+static char sccsid[] = "@(#) socket.c 1.15 97/03/21 19:27:24";
+#endif
+
+/* System libraries. */
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/socket.h>
+#ifdef INT32_T
+typedef uint32_t u_int32_t;
+#endif
+#include <netinet/in.h>
+#include <netdb.h>
+#include <stdio.h>
+#include <syslog.h>
+#include <string.h>
+
+#ifdef INET6
+#ifndef NI_WITHSCOPEID
+#define NI_WITHSCOPEID	0
+#endif
+#else
+extern char *inet_ntoa();
+#endif
+
+/* Local stuff. */
+
+#include "tcpd.h"
+
+/* Forward declarations. */
+
+static void sock_sink();
+
+#ifdef APPEND_DOT
+
+ /*
+  * Speed up DNS lookups by terminating the host name with a dot. Should be
+  * done with care. The speedup can give problems with lookups from sources
+  * that lack DNS-style trailing dot magic, such as local files or NIS maps.
+  */
+
+static struct hostent *gethostbyname_dot(name)
+char   *name;
+{
+    char    dot_name[MAXHOSTNAMELEN + 1];
+    struct hostent *hp;
+    
+    /*
+     * Don't append dots to unqualified names. Such names are likely to come
+     * from local hosts files or from NIS.
+     */
+
+    if (strchr(name, '.') == 0 || strlen(name) >= MAXHOSTNAMELEN - 1) {
+	return (gethostbyname(name));
+    } else {
+        sprintf(dot_name, "%s.", name);
+        hp = gethostbyname(dot_name);
+	if (hp)
+	    return hp;
+	else
+	    return (gethostbyname(name));
+    }
+}
+
+#define gethostbyname gethostbyname_dot
+#endif
+
+/* sock_host - look up endpoint addresses and install conversion methods */
+
+void    sock_host(request)
+struct request_info *request;
+{
+#ifdef INET6
+    static struct sockaddr_storage client;
+    static struct sockaddr_storage server;
+#else
+    static struct sockaddr_in client;
+    static struct sockaddr_in server;
+#endif
+    int     len;
+    char    buf[BUFSIZ];
+    int     fd = request->fd;
+
+    sock_methods(request);
+
+    /*
+     * Look up the client host address. Hal R. Brand <BRAND@addvax.llnl.gov>
+     * suggested how to get the client host info in case of UDP connections:
+     * peek at the first message without actually looking at its contents. We
+     * really should verify that client.sin_family gets the value AF_INET,
+     * but this program has already caused too much grief on systems with
+     * broken library code.
+     */
+
+    len = sizeof(client);
+    if (getpeername(fd, (struct sockaddr *) & client, &len) < 0) {
+	request->sink = sock_sink;
+	len = sizeof(client);
+	if (recvfrom(fd, buf, sizeof(buf), MSG_PEEK,
+		     (struct sockaddr *) & client, &len) < 0) {
+	    tcpd_warn("can't get client address: %m");
+	    return;				/* give up */
+	}
+#ifdef really_paranoid
+	memset(buf, 0 sizeof(buf));
+#endif
+    }
+#ifdef INET6
+    request->client->sin = (struct sockaddr *)&client;
+#else
+    request->client->sin = &client;
+#endif
+
+    /*
+     * Determine the server binding. This is used for client username
+     * lookups, and for access control rules that trigger on the server
+     * address or name.
+     */
+
+    len = sizeof(server);
+    if (getsockname(fd, (struct sockaddr *) & server, &len) < 0) {
+	tcpd_warn("getsockname: %m");
+	return;
+    }
+#ifdef INET6
+    request->server->sin = (struct sockaddr *)&server;
+#else
+    request->server->sin = &server;
+#endif
+}
+
+/* sock_hostaddr - map endpoint address to printable form */
+
+void    sock_hostaddr(host)
+struct host_info *host;
+{
+#ifdef INET6
+    struct sockaddr *sin = host->sin;
+    int salen;
+
+    if (!sin)
+	return;
+#ifdef SIN6_LEN
+    salen = sin->sa_len;
+#else
+    salen = (sin->sa_family == AF_INET) ? sizeof(struct sockaddr_in)
+					: sizeof(struct sockaddr_in6);
+#endif
+    getnameinfo(sin, salen, host->addr, sizeof(host->addr),
+		NULL, 0, NI_NUMERICHOST | NI_WITHSCOPEID);
+#else
+    struct sockaddr_in *sin = host->sin;
+
+    if (sin != 0)
+	STRN_CPY(host->addr, inet_ntoa(sin->sin_addr), sizeof(host->addr));
+#endif
+}
+
+/* sock_hostname - map endpoint address to host name */
+
+void    sock_hostname(host)
+struct host_info *host;
+{
+#ifdef INET6
+    struct sockaddr *sin = host->sin;
+    struct sockaddr_in sin4;
+    struct addrinfo hints, *res, *res0 = NULL;
+    int salen, alen, err = 1;
+    char *ap = NULL, *rap, hname[NI_MAXHOST];
+
+    if (sin != NULL) {
+	if (sin->sa_family == AF_INET6) {
+	    struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)sin;
+
+	    if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
+		memset(&sin4, 0, sizeof(sin4));
+#ifdef SIN6_LEN
+		sin4.sin_len = sizeof(sin4);
+#endif
+		sin4.sin_family = AF_INET;
+		sin4.sin_port = sin6->sin6_port;
+		sin4.sin_addr.s_addr = *(u_int32_t *)&sin6->sin6_addr.s6_addr[12];
+		sin = (struct sockaddr *)&sin4;
+	    }
+	}
+	switch (sin->sa_family) {
+	case AF_INET:
+	    ap = (char *)&((struct sockaddr_in *)sin)->sin_addr;
+	    alen = sizeof(struct in_addr);
+	    salen = sizeof(struct sockaddr_in);
+	    break;
+	case AF_INET6:
+	    ap = (char *)&((struct sockaddr_in6 *)sin)->sin6_addr;
+	    alen = sizeof(struct in6_addr);
+	    salen = sizeof(struct sockaddr_in6);
+	    break;
+	default:
+	    break;
+	}
+	if (ap)
+	    err = getnameinfo(sin, salen, hname, sizeof(hname),
+			      NULL, 0, NI_WITHSCOPEID | NI_NAMEREQD);
+    }
+    if (!err) {
+
+	STRN_CPY(host->name, hname, sizeof(host->name));
+
+	/* reject numeric addresses */
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_family = sin->sa_family;
+	hints.ai_socktype = SOCK_STREAM;
+	hints.ai_flags = AI_PASSIVE | AI_CANONNAME | AI_NUMERICHOST;
+	if ((err = getaddrinfo(host->name, NULL, &hints, &res0)) == 0) {
+	    freeaddrinfo(res0);
+	    res0 = NULL;
+	    tcpd_warn("host name/name mismatch: "
+		      "reverse lookup results in non-FQDN %s",
+		      host->name);
+	    strcpy(host->name, paranoid);	/* name is bad, clobber it */
+	}
+	err = !err;
+    }
+    if (!err) {
+	/* we are now sure that this is non-numeric */
+
+	/*
+	 * Verify that the address is a member of the address list returned
+	 * by gethostbyname(hostname).
+	 * 
+	 * Verify also that gethostbyaddr() and gethostbyname() return the same
+	 * hostname, or rshd and rlogind may still end up being spoofed.
+	 * 
+	 * On some sites, gethostbyname("localhost") returns "localhost.domain".
+	 * This is a DNS artefact. We treat it as a special case. When we
+	 * can't believe the address list from gethostbyname("localhost")
+	 * we're in big trouble anyway.
+	 */
+
+	memset(&hints, 0, sizeof(hints));
+	hints.ai_family = sin->sa_family;
+	hints.ai_socktype = SOCK_STREAM;
+	hints.ai_flags = AI_PASSIVE | AI_CANONNAME;
+	if (getaddrinfo(host->name, NULL, &hints, &res0) != 0) {
+
+	    /*
+	     * Unable to verify that the host name matches the address. This
+	     * may be a transient problem or a botched name server setup.
+	     */
+
+	    tcpd_warn("can't verify hostname: getaddrinfo(%s, %s) failed",
+		      host->name,
+		      (sin->sa_family == AF_INET) ? "AF_INET" : "AF_INET6");
+
+	} else if ((res0->ai_canonname == NULL
+		    || STR_NE(host->name, res0->ai_canonname))
+		   && STR_NE(host->name, "localhost")) {
+
+	    /*
+	     * The gethostbyaddr() and gethostbyname() calls did not return
+	     * the same hostname. This could be a nameserver configuration
+	     * problem. It could also be that someone is trying to spoof us.
+	     */
+
+	    tcpd_warn("host name/name mismatch: %s != %.*s",
+		      host->name, STRING_LENGTH,
+		      (res0->ai_canonname == NULL) ? "" : res0->ai_canonname);
+
+	} else {
+
+	    /*
+	     * The address should be a member of the address list returned by
+	     * gethostbyname(). We should first verify that the h_addrtype
+	     * field is AF_INET, but this program has already caused too much
+	     * grief on systems with broken library code.
+	     */
+
+	    for (res = res0; res; res = res->ai_next) {
+		if (res->ai_family != sin->sa_family)
+		    continue;
+		switch (res->ai_family) {
+		case AF_INET:
+		    rap = (char *)&((struct sockaddr_in *)res->ai_addr)->sin_addr;
+		    break;
+		case AF_INET6:
+		    /* need to check scope_id */
+		    if (((struct sockaddr_in6 *)sin)->sin6_scope_id !=
+		        ((struct sockaddr_in6 *)res->ai_addr)->sin6_scope_id) {
+			continue;
+		    }
+		    rap = (char *)&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
+		    break;
+		default:
+		    continue;
+		}
+		if (memcmp(rap, ap, alen) == 0) {
+		    freeaddrinfo(res0);
+		    return;			/* name is good, keep it */
+		}
+	    }
+
+	    /*
+	     * The host name does not map to the initial address. Perhaps
+	     * someone has messed up. Perhaps someone compromised a name
+	     * server.
+	     */
+
+	    getnameinfo(sin, salen, hname, sizeof(hname),
+			NULL, 0, NI_NUMERICHOST | NI_WITHSCOPEID);
+	    tcpd_warn("host name/address mismatch: %s != %.*s",
+		      hname, STRING_LENGTH,
+		      (res0->ai_canonname == NULL) ? "" : res0->ai_canonname);
+	}
+	strcpy(host->name, paranoid);		/* name is bad, clobber it */
+	if (res0)
+	    freeaddrinfo(res0);
+    }
+#else /* INET6 */
+    struct sockaddr_in *sin = host->sin;
+    struct hostent *hp;
+    int     i;
+
+    /*
+     * On some systems, for example Solaris 2.3, gethostbyaddr(0.0.0.0) does
+     * not fail. Instead it returns "INADDR_ANY". Unfortunately, this does
+     * not work the other way around: gethostbyname("INADDR_ANY") fails. We
+     * have to special-case 0.0.0.0, in order to avoid false alerts from the
+     * host name/address checking code below.
+     */
+    if (sin != 0 && sin->sin_addr.s_addr != 0
+	&& (hp = gethostbyaddr((char *) &(sin->sin_addr),
+			       sizeof(sin->sin_addr), AF_INET)) != 0) {
+
+	STRN_CPY(host->name, hp->h_name, sizeof(host->name));
+
+	/*
+	 * Verify that the address is a member of the address list returned
+	 * by gethostbyname(hostname).
+	 * 
+	 * Verify also that gethostbyaddr() and gethostbyname() return the same
+	 * hostname, or rshd and rlogind may still end up being spoofed.
+	 * 
+	 * On some sites, gethostbyname("localhost") returns "localhost.domain".
+	 * This is a DNS artefact. We treat it as a special case. When we
+	 * can't believe the address list from gethostbyname("localhost")
+	 * we're in big trouble anyway.
+	 */
+
+	if ((hp = gethostbyname(host->name)) == 0) {
+
+	    /*
+	     * Unable to verify that the host name matches the address. This
+	     * may be a transient problem or a botched name server setup.
+	     */
+
+	    tcpd_warn("can't verify hostname: gethostbyname(%s) failed",
+		      host->name);
+
+	} else if (STR_NE(host->name, hp->h_name)
+		   && STR_NE(host->name, "localhost")) {
+
+	    /*
+	     * The gethostbyaddr() and gethostbyname() calls did not return
+	     * the same hostname. This could be a nameserver configuration
+	     * problem. It could also be that someone is trying to spoof us.
+	     */
+
+	    tcpd_warn("host name/name mismatch: %s != %.*s",
+		      host->name, STRING_LENGTH, hp->h_name);
+
+	} else {
+
+	    /*
+	     * The address should be a member of the address list returned by
+	     * gethostbyname(). We should first verify that the h_addrtype
+	     * field is AF_INET, but this program has already caused too much
+	     * grief on systems with broken library code.
+	     */
+
+	    for (i = 0; hp->h_addr_list[i]; i++) {
+		if (memcmp(hp->h_addr_list[i],
+			   (char *) &sin->sin_addr,
+			   sizeof(sin->sin_addr)) == 0)
+		    return;			/* name is good, keep it */
+	    }
+
+	    /*
+	     * The host name does not map to the initial address. Perhaps
+	     * someone has messed up. Perhaps someone compromised a name
+	     * server.
+	     */
+
+	    tcpd_warn("host name/address mismatch: %s != %.*s",
+		      inet_ntoa(sin->sin_addr), STRING_LENGTH, hp->h_name);
+	}
+	strcpy(host->name, paranoid);		/* name is bad, clobber it */
+    }
+#endif /* INET6 */
+}
+
+/* sock_sink - absorb unreceived IP datagram */
+
+static void sock_sink(fd)
+int     fd;
+{
+    char    buf[BUFSIZ];
+#ifdef INET6
+    struct sockaddr_storage sin;
+#else
+    struct sockaddr_in sin;
+#endif
+    int     size = sizeof(sin);
+
+    /*
+     * Eat up the not-yet received datagram. Some systems insist on a
+     * non-zero source address argument in the recvfrom() call below.
+     */
+
+    (void) recvfrom(fd, buf, sizeof(buf), 0, (struct sockaddr *) & sin, &size);
+}
diff --git a/tcp_wrappers_7.6/strcasecmp.c b/tcp_wrappers_7.6/strcasecmp.c
new file mode 100644
index 0000000..a54e828
--- /dev/null
+++ b/tcp_wrappers_7.6/strcasecmp.c
@@ -0,0 +1,94 @@
+/*
+ * Copyright (c) 1987 Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms are permitted
+ * provided that the above copyright notice and this paragraph are
+ * duplicated in all such forms and that any documentation,
+ * advertising materials, and other materials related to such
+ * distribution and use acknowledge that the software was developed
+ * by the University of California, Berkeley.  The name of the
+ * University may not be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+static char sccsid[] = "@(#)strcasecmp.c	5.6 (Berkeley) 6/27/88";
+#endif /* LIBC_SCCS and not lint */
+
+/* Some environments don't define u_char -- WZV */
+#if 0
+#include <sys/types.h>
+#else
+typedef unsigned char u_char;
+#endif
+
+/*
+ * This array is designed for mapping upper and lower case letter
+ * together for a case independent comparison.  The mappings are
+ * based upon ascii character sequences.
+ */
+static u_char charmap[] = {
+	'\000', '\001', '\002', '\003', '\004', '\005', '\006', '\007',
+	'\010', '\011', '\012', '\013', '\014', '\015', '\016', '\017',
+	'\020', '\021', '\022', '\023', '\024', '\025', '\026', '\027',
+	'\030', '\031', '\032', '\033', '\034', '\035', '\036', '\037',
+	'\040', '\041', '\042', '\043', '\044', '\045', '\046', '\047',
+	'\050', '\051', '\052', '\053', '\054', '\055', '\056', '\057',
+	'\060', '\061', '\062', '\063', '\064', '\065', '\066', '\067',
+	'\070', '\071', '\072', '\073', '\074', '\075', '\076', '\077',
+	'\100', '\141', '\142', '\143', '\144', '\145', '\146', '\147',
+	'\150', '\151', '\152', '\153', '\154', '\155', '\156', '\157',
+	'\160', '\161', '\162', '\163', '\164', '\165', '\166', '\167',
+	'\170', '\171', '\172', '\133', '\134', '\135', '\136', '\137',
+	'\140', '\141', '\142', '\143', '\144', '\145', '\146', '\147',
+	'\150', '\151', '\152', '\153', '\154', '\155', '\156', '\157',
+	'\160', '\161', '\162', '\163', '\164', '\165', '\166', '\167',
+	'\170', '\171', '\172', '\173', '\174', '\175', '\176', '\177',
+	'\200', '\201', '\202', '\203', '\204', '\205', '\206', '\207',
+	'\210', '\211', '\212', '\213', '\214', '\215', '\216', '\217',
+	'\220', '\221', '\222', '\223', '\224', '\225', '\226', '\227',
+	'\230', '\231', '\232', '\233', '\234', '\235', '\236', '\237',
+	'\240', '\241', '\242', '\243', '\244', '\245', '\246', '\247',
+	'\250', '\251', '\252', '\253', '\254', '\255', '\256', '\257',
+	'\260', '\261', '\262', '\263', '\264', '\265', '\266', '\267',
+	'\270', '\271', '\272', '\273', '\274', '\275', '\276', '\277',
+	'\300', '\341', '\342', '\343', '\344', '\345', '\346', '\347',
+	'\350', '\351', '\352', '\353', '\354', '\355', '\356', '\357',
+	'\360', '\361', '\362', '\363', '\364', '\365', '\366', '\367',
+	'\370', '\371', '\372', '\333', '\334', '\335', '\336', '\337',
+	'\340', '\341', '\342', '\343', '\344', '\345', '\346', '\347',
+	'\350', '\351', '\352', '\353', '\354', '\355', '\356', '\357',
+	'\360', '\361', '\362', '\363', '\364', '\365', '\366', '\367',
+	'\370', '\371', '\372', '\373', '\374', '\375', '\376', '\377',
+};
+
+strcasecmp(s1, s2)
+	char *s1, *s2;
+{
+	register u_char	*cm = charmap,
+			*us1 = (u_char *)s1,
+			*us2 = (u_char *)s2;
+
+	while (cm[*us1] == cm[*us2++])
+		if (*us1++ == '\0')
+			return(0);
+	return(cm[*us1] - cm[*--us2]);
+}
+
+strncasecmp(s1, s2, n)
+	char *s1, *s2;
+	register int n;
+{
+	register u_char	*cm = charmap,
+			*us1 = (u_char *)s1,
+			*us2 = (u_char *)s2;
+
+	while (--n >= 0 && cm[*us1] == cm[*us2++])
+		if (*us1++ == '\0')
+			return(0);
+	return(n < 0 ? 0 : cm[*us1] - cm[*--us2]);
+}
diff --git a/tcp_wrappers_7.6/tcpd.8 b/tcp_wrappers_7.6/tcpd.8
new file mode 100644
index 0000000..4ff221f
--- /dev/null
+++ b/tcp_wrappers_7.6/tcpd.8
@@ -0,0 +1,182 @@
+.TH TCPD 8
+.SH NAME
+tcpd \- access control facility for internet services
+.SH DESCRIPTION
+.PP
+The \fItcpd\fR program can be set up to monitor incoming requests for
+\fItelnet\fR, \fIfinger\fR, \fIftp\fR, \fIexec\fR, \fIrsh\fR,
+\fIrlogin\fR, \fItftp\fR, \fItalk\fR, \fIcomsat\fR and other services
+that have a one-to-one mapping onto executable files.
+.PP
+The program supports both 4.3BSD-style sockets and System V.4-style
+TLI.  Functionality may be limited when the protocol underneath TLI is
+not an internet protocol.
+.PP
+There are two possible modes of operation: execution of \fItcpd\fP
+before a service started by \fIinetd\fP, or linking a daemon with
+the \fIlibwrap\fP shared library as documented in the \fIhosts_access\fR(3)
+manual page. Operation when started by \fIinetd\fP
+is as follows: whenever a request for service arrives, the
+\fIinetd\fP daemon is tricked into running the \fItcpd\fP program
+instead of the desired server. \fItcpd\fP logs the request and does
+some additional checks. When all is well, \fItcpd\fP runs the
+appropriate server program and goes away.
+.PP
+Optional features are: pattern-based access control, client username
+lookups with the RFC 931 etc. protocol, protection against hosts that
+pretend to have someone elses host name, and protection against hosts
+that pretend to have someone elses network address.
+.SH LOGGING
+Connections that are monitored by
+.I tcpd
+are reported through the \fIsyslog\fR(3) facility. Each record contains
+a time stamp, the client host name and the name of the requested
+service.  The information can be useful to detect unwanted activities,
+especially when logfile information from several hosts is merged.
+.PP
+In order to find out where your logs are going, examine the syslog
+configuration file, usually /etc/syslog.conf.
+.SH ACCESS CONTROL
+Optionally,
+.I tcpd
+supports a simple form of access control that is based on pattern
+matching.  The access-control software provides hooks for the execution
+of shell commands when a pattern fires.  For details, see the
+\fIhosts_access\fR(5) manual page.
+.SH HOST NAME VERIFICATION
+The authentication scheme of some protocols (\fIrlogin, rsh\fR) relies
+on host names. Some implementations believe the host name that they get
+from any random name server; other implementations are more careful but
+use a flawed algorithm.
+.PP
+.I tcpd
+verifies the client host name that is returned by the address->name DNS
+server by looking at the host name and address that are returned by the
+name->address DNS server.  If any discrepancy is detected,
+.I tcpd
+concludes that it is dealing with a host that pretends to have someone
+elses host name.
+.PP
+If the sources are compiled with -DPARANOID,
+.I tcpd
+will drop the connection in case of a host name/address mismatch.
+Otherwise, the hostname can be matched with the \fIPARANOID\fR wildcard,
+after which suitable action can be taken.
+.SH HOST ADDRESS SPOOFING
+Optionally,
+.I tcpd
+disables source-routing socket options on every connection that it
+deals with. This will take care of most attacks from hosts that pretend
+to have an address that belongs to someone elses network. UDP services
+do not benefit from this protection. This feature must be turned on
+at compile time.
+.SH RFC 931
+When RFC 931 etc. lookups are enabled (compile-time option) \fItcpd\fR
+will attempt to establish the name of the client user. This will
+succeed only if the client host runs an RFC 931-compliant daemon.
+Client user name lookups will not work for datagram-oriented
+connections, and may cause noticeable delays in the case of connections
+from PCs.
+.SH EXAMPLES
+The details of using \fItcpd\fR depend on pathname information that was
+compiled into the program.
+.SH EXAMPLE 1
+This example applies when \fItcpd\fR expects that the original network
+daemons will be moved to an "other" place.
+.PP
+In order to monitor access to the \fIfinger\fR service, move the
+original finger daemon to the "other" place and install tcpd in the
+place of the original finger daemon. No changes are required to
+configuration files.
+.nf
+.sp
+.in +5
+# mkdir /other/place
+# mv /usr/sbin/in.fingerd /other/place
+# cp tcpd /usr/sbin/in.fingerd
+.fi
+.PP
+The example assumes that the network daemons live in /usr/sbin. On some
+systems, network daemons live in /usr/sbin or in /usr/libexec, or have
+no `in.\' prefix to their name.
+.SH EXAMPLE 2
+This example applies when \fItcpd\fR expects that the network daemons
+are left in their original place.
+.PP
+In order to monitor access to the \fIfinger\fR service, perform the
+following edits on the \fIinetd\fR configuration file (usually 
+\fI/etc/inetd.conf\fR):
+.nf
+.sp
+.ti +5
+finger  stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
+.sp
+becomes:
+.sp
+.ti +5
+finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd     in.fingerd
+.sp
+.fi
+.PP
+The example assumes that the network daemons live in /usr/sbin. On some
+systems, network daemons live in /usr/sbin or in /usr/libexec, the
+daemons have no `in.\' prefix to their name, or there is no userid
+field in the inetd configuration file.
+.PP
+Similar changes will be needed for the other services that are to be
+covered by \fItcpd\fR.  Send a `kill -HUP\' to the \fIinetd\fR(8)
+process to make the changes effective.
+.SH EXAMPLE 3
+In the case of daemons that do not live in a common directory ("secret"
+or otherwise), edit the \fIinetd\fR configuration file so that it
+specifies an absolute path name for the process name field. For example:
+.nf
+.sp
+    ntalk  dgram  udp  wait  root  /usr/sbin/tcpd  /usr/local/lib/ntalkd
+.sp
+.fi
+.PP
+Only the last component (ntalkd) of the pathname will be used for
+access control and logging.
+.SH BUGS
+Some UDP (and RPC) daemons linger around for a while after they have
+finished their work, in case another request comes in.  In the inetd
+configuration file these services are registered with the \fIwait\fR
+option. Only the request that started such a daemon will be logged.
+.PP
+The program does not work with RPC services over TCP. These services
+are registered as \fIrpc/tcp\fR in the inetd configuration file. The
+only non-trivial service that is affected by this limitation is
+\fIrexd\fR, which is used by the \fIon(1)\fR command. This is no great
+loss.  On most systems, \fIrexd\fR is less secure than a wildcard in
+/etc/hosts.equiv.
+.PP
+RPC broadcast requests (for example: \fIrwall, rup, rusers\fR) always
+appear to come from the responding host. What happens is that the
+client broadcasts the request to all \fIportmap\fR daemons on its
+network; each \fIportmap\fR daemon forwards the request to a local
+daemon. As far as the \fIrwall\fR etc.  daemons know, the request comes
+from the local host.
+.SH FILES
+.PP
+The default locations of the host access control tables are:
+.PP
+/etc/hosts.allow
+.br
+/etc/hosts.deny
+.SH SEE ALSO
+.na
+.nf
+hosts_access(3), functions provided by the libwrap library.
+hosts_access(5), format of the tcpd access control tables.
+syslog.conf(5), format of the syslogd control file.
+inetd.conf(5), format of the inetd control file.
+.SH AUTHORS
+.na
+.nf
+Wietse Venema (wietse@wzv.win.tue.nl),
+Department of Mathematics and Computing Science,
+Eindhoven University of Technology
+Den Dolech 2, P.O. Box 513, 
+5600 MB Eindhoven, The Netherlands
+\" @(#) tcpd.8 1.5 96/02/21 16:39:16
diff --git a/tcp_wrappers_7.6/tcpd.c b/tcp_wrappers_7.6/tcpd.c
new file mode 100644
index 0000000..c28b592
--- /dev/null
+++ b/tcp_wrappers_7.6/tcpd.c
@@ -0,0 +1,134 @@
+ /*
+  * General front end for stream and datagram IP services. This program logs
+  * the remote host name and then invokes the real daemon. For example,
+  * install as /usr/etc/{tftpd,fingerd,telnetd,ftpd,rlogind,rshd,rexecd},
+  * after saving the real daemons in the directory specified with the
+  * REAL_DAEMON_DIR macro. This arrangement requires that the network daemons
+  * are started by inetd or something similar. Connections and diagnostics
+  * are logged through syslog(3).
+  * 
+  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+  */
+
+#ifndef lint
+static char sccsid[] = "@(#) tcpd.c 1.10 96/02/11 17:01:32";
+#endif
+
+/* System libraries. */
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <stdio.h>
+#include <syslog.h>
+#include <string.h>
+
+#ifndef MAXPATHNAMELEN
+#define MAXPATHNAMELEN	BUFSIZ
+#endif
+
+#ifndef STDIN_FILENO
+#define STDIN_FILENO	0
+#endif
+
+/* Local stuff. */
+
+#include "patchlevel.h"
+#include "tcpd.h"
+
+int     allow_severity = SEVERITY;	/* run-time adjustable */
+int     deny_severity = LOG_WARNING;	/* ditto */
+
+main(argc, argv)
+int     argc;
+char  **argv;
+{
+    struct request_info request;
+    char    path[MAXPATHNAMELEN];
+
+    /* Attempt to prevent the creation of world-writable files. */
+
+#ifdef DAEMON_UMASK
+    umask(DAEMON_UMASK);
+#endif
+
+    /*
+     * If argv[0] is an absolute path name, ignore REAL_DAEMON_DIR, and strip
+     * argv[0] to its basename.
+     */
+
+    if (argv[0][0] == '/') {
+	strncpy(path, argv[0], sizeof(path));
+	argv[0] = strrchr(argv[0], '/') + 1;
+    } else {
+	snprintf(path, sizeof(path), "%s/%s", REAL_DAEMON_DIR, argv[0]);
+    }
+
+    /*
+     * Open a channel to the syslog daemon. Older versions of openlog()
+     * require only two arguments.
+     */
+
+#ifdef LOG_MAIL
+    (void) openlog(argv[0], LOG_PID, FACILITY);
+#else
+    (void) openlog(argv[0], LOG_PID);
+#endif
+
+    /*
+     * Find out the endpoint addresses of this conversation. Host name
+     * lookups and double checks will be done on demand.
+     */
+
+    request_init(&request, RQ_DAEMON, argv[0], RQ_FILE, STDIN_FILENO, 0);
+    fromhost(&request);
+
+    /*
+     * Optionally look up and double check the remote host name. Sites
+     * concerned with security may choose to refuse connections from hosts
+     * that pretend to have someone elses host name.
+     */
+
+#ifdef PARANOID
+    if (STR_EQ(eval_hostname(request.client), paranoid))
+	refuse(&request);
+#endif
+
+    /*
+     * The BSD rlogin and rsh daemons that came out after 4.3 BSD disallow
+     * socket options at the IP level. They do so for a good reason.
+     * Unfortunately, we cannot use this with SunOS 4.1.x because the
+     * getsockopt() system call can panic the system.
+     */
+
+#ifdef KILL_IP_OPTIONS
+    fix_options(&request);
+#endif
+
+    /*
+     * Check whether this host can access the service in argv[0]. The
+     * access-control code invokes optional shell commands as specified in
+     * the access-control tables.
+     */
+
+#ifdef HOSTS_ACCESS
+    if (!hosts_access(&request))
+	refuse(&request);
+#endif
+
+    /* Report request and invoke the real daemon program. */
+
+#ifdef INET6
+    syslog(allow_severity, "connect from %s (%s)",
+	   eval_client(&request), eval_hostaddr(request.client));
+#else
+    syslog(allow_severity, "connect from %s", eval_client(&request));
+#endif
+    closelog();
+    (void) execv(path, argv);
+    syslog(LOG_ERR, "error: cannot execute %s: %m", path);
+    clean_exit(&request);
+    /* NOTREACHED */
+}
diff --git a/tcp_wrappers_7.6/tcpd.h b/tcp_wrappers_7.6/tcpd.h
new file mode 100644
index 0000000..2e21341
--- /dev/null
+++ b/tcp_wrappers_7.6/tcpd.h
@@ -0,0 +1,257 @@
+ /*
+  * @(#) tcpd.h 1.5 96/03/19 16:22:24
+  * 
+  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
+  */
+
+#ifndef _TCPWRAPPERS_TCPD_H
+#define _TCPWRAPPERS_TCPD_H
+
+/* Need definitions of struct sockaddr_in and FILE. */
+#include <netinet/in.h>
+#include <stdio.h>
+
+__BEGIN_DECLS
+
+/* Structure to describe one communications endpoint. */
+
+#define STRING_LENGTH	128		/* hosts, users, processes */
+
+struct host_info {
+    char    name[STRING_LENGTH];	/* access via eval_hostname(host) */
+    char    addr[STRING_LENGTH];	/* access via eval_hostaddr(host) */
+#ifdef INET6
+    struct sockaddr *sin;		/* socket address or 0 */
+#else
+    struct sockaddr_in *sin;		/* socket address or 0 */
+#endif
+    struct t_unitdata *unit;		/* TLI transport address or 0 */
+    struct request_info *request;	/* for shared information */
+};
+
+/* Structure to describe what we know about a service request. */
+
+struct request_info {
+    int     fd;				/* socket handle */
+    char    user[STRING_LENGTH];	/* access via eval_user(request) */
+    char    daemon[STRING_LENGTH];	/* access via eval_daemon(request) */
+    char    pid[10];			/* access via eval_pid(request) */
+    struct host_info client[1];		/* client endpoint info */
+    struct host_info server[1];		/* server endpoint info */
+    void  (*sink) (int);		/* datagram sink function or 0 */
+    void  (*hostname) (struct host_info *); /* address to printable hostname */
+    void  (*hostaddr) (struct host_info *); /* address to printable address */
+    void  (*cleanup) (struct request_info *); /* cleanup function or 0 */
+    struct netconfig *config;		/* netdir handle */
+};
+
+/* Common string operations. Less clutter should be more readable. */
+
+#define STRN_CPY(d,s,l)	{ strncpy((d),(s),(l)); (d)[(l)-1] = 0; }
+
+#define STRN_EQ(x,y,l)	(strncasecmp((x),(y),(l)) == 0)
+#define STRN_NE(x,y,l)	(strncasecmp((x),(y),(l)) != 0)
+#define STR_EQ(x,y)	(strcasecmp((x),(y)) == 0)
+#define STR_NE(x,y)	(strcasecmp((x),(y)) != 0)
+
+ /*
+  * Initially, all above strings have the empty value. Information that
+  * cannot be determined at runtime is set to "unknown", so that we can
+  * distinguish between `unavailable' and `not yet looked up'. A hostname
+  * that we do not believe in is set to "paranoid".
+  */
+
+#define STRING_UNKNOWN	"unknown"	/* lookup failed */
+#define STRING_PARANOID	"paranoid"	/* hostname conflict */
+
+extern char unknown[];
+extern char paranoid[];
+
+#define HOSTNAME_KNOWN(s) (STR_NE((s),unknown) && STR_NE((s),paranoid))
+
+#define NOT_INADDR(s) (s[strspn(s,"01234567890./")] != 0)
+
+/* Global functions. */
+
+#if defined(TLI) || defined(PTX) || defined(TLI_SEQUENT)
+extern void fromhost();			/* get/validate client host info */
+#else
+#define fromhost sock_host		/* no TLI support needed */
+#endif
+
+extern int hosts_access(struct request_info *request);	/* access control */
+extern void shell_cmd(char *);		/* execute shell command */
+extern char *percent_x(char *, int, char *, struct request_info *);
+					/* do %<char> expansion */
+#ifdef INET6
+extern void rfc931(struct sockaddr *, struct sockaddr *, char *);
+#else
+extern void rfc931(struct sockaddr_in *, struct sockaddr_in *, char *);
+#endif
+					/* client name from RFC 931 daemon */
+extern void clean_exit(struct request_info *);	/* clean up and exit */
+extern void refuse(struct request_info *);	/* clean up and exit */
+extern char *xgets(char *, int, FILE *);	/* fgets() on steroids */
+extern char *split_at(char *, int);		/* strchr() and split */
+extern unsigned long dot_quad_addr(char *);	/* restricted inet_addr() */
+
+/* Global variables. */
+
+#ifdef HAVE_WEAKSYMS
+extern int allow_severity __attribute__ ((weak)); /* for connection logging */
+extern int deny_severity __attribute__ ((weak)); /* for connection logging */
+#else
+extern int allow_severity;		/* for connection logging */
+extern int deny_severity;		/* for connection logging */
+#endif
+extern char *hosts_allow_table;		/* for verification mode redirection */
+extern char *hosts_deny_table;		/* for verification mode redirection */
+extern int hosts_access_verbose;	/* for verbose matching mode */
+extern int rfc931_timeout;		/* user lookup timeout */
+extern int resident;			/* > 0 if resident process */
+
+ /*
+  * Routines for controlled initialization and update of request structure
+  * attributes. Each attribute has its own key.
+  */
+
+#ifdef __STDC__
+extern struct request_info *request_init(struct request_info *,...);
+extern struct request_info *request_set(struct request_info *,...);
+extern int hosts_ctl(char *daemon, char *client_name, char *client_addr,
+		char *client_user);
+#else
+extern struct request_info *request_init();	/* initialize request */
+extern struct request_info *request_set();	/* update request structure */
+#endif
+
+#define RQ_FILE		1		/* file descriptor */
+#define RQ_DAEMON	2		/* server process (argv[0]) */
+#define RQ_USER		3		/* client user name */
+#define RQ_CLIENT_NAME	4		/* client host name */
+#define RQ_CLIENT_ADDR	5		/* client host address */
+#define RQ_CLIENT_SIN	6		/* client endpoint (internal) */
+#define RQ_SERVER_NAME	7		/* server host name */
+#define RQ_SERVER_ADDR	8		/* server host address */
+#define RQ_SERVER_SIN	9		/* server endpoint (internal) */
+
+ /*
+  * Routines for delayed evaluation of request attributes. Each attribute
+  * type has its own access method. The trivial ones are implemented by
+  * macros. The other ones are wrappers around the transport-specific host
+  * name, address, and client user lookup methods. The request_info and
+  * host_info structures serve as caches for the lookup results.
+  */
+
+extern char *eval_user(struct request_info *);	/* client user */
+extern char *eval_hostname(struct host_info *);	/* printable hostname */
+extern char *eval_hostaddr(struct host_info *);	/* printable host address */
+extern char *eval_hostinfo(struct host_info *);	/* host name or address */
+extern char *eval_client(struct request_info *);/* whatever is available */
+extern char *eval_server(struct request_info *);/* whatever is available */
+#ifdef INET6
+extern char *eval_port(struct sockaddr *);
+#else
+extern char *eval_port(struct sockaddr_in *);
+#endif
+#define eval_daemon(r)	((r)->daemon)	/* daemon process name */
+#define eval_pid(r)	((r)->pid)	/* process id */
+
+/* Socket-specific methods, including DNS hostname lookups. */
+
+/* look up endpoint addresses */
+extern void sock_host(struct request_info *);
+/* translate address to hostname */
+extern void sock_hostname(struct host_info *);
+/* address to printable address */
+extern void sock_hostaddr(struct host_info *);
+#define sock_methods(r) \
+	{ (r)->hostname = sock_hostname; (r)->hostaddr = sock_hostaddr; }
+
+/* The System V Transport-Level Interface (TLI) interface. */
+
+#if defined(TLI) || defined(PTX) || defined(TLI_SEQUENT)
+extern void tli_host();			/* look up endpoint addresses etc. */
+#endif
+
+ /*
+  * Problem reporting interface. Additional file/line context is reported
+  * when available. The jump buffer (tcpd_buf) is not declared here, or
+  * everyone would have to include <setjmp.h>.
+  */
+
+#ifdef __STDC__
+extern void tcpd_warn(char *, ...);	/* report problem and proceed */
+extern void tcpd_jump(char *, ...);	/* report problem and jump */
+#else
+extern void tcpd_warn();
+extern void tcpd_jump();
+#endif
+
+struct tcpd_context {
+    char   *file;			/* current file */
+    int     line;			/* current line */
+};
+extern struct tcpd_context tcpd_context;
+
+ /*
+  * While processing access control rules, error conditions are handled by
+  * jumping back into the hosts_access() routine. This is cleaner than
+  * checking the return value of each and every silly little function. The
+  * (-1) returns are here because zero is already taken by longjmp().
+  */
+
+#define AC_PERMIT	1		/* permit access */
+#define AC_DENY		(-1)		/* deny_access */
+#define AC_ERROR	AC_DENY		/* XXX */
+
+ /*
+  * In verification mode an option function should just say what it would do,
+  * instead of really doing it. An option function that would not return
+  * should clear the dry_run flag to inform the caller of this unusual
+  * behavior.
+  */
+
+extern void process_options(char *, struct request_info *);/* execute options */
+extern int dry_run;			/* verification flag */
+
+/* Bug workarounds. */
+
+#ifdef INET_ADDR_BUG			/* inet_addr() returns struct */
+#define inet_addr fix_inet_addr
+extern long fix_inet_addr();
+#endif
+
+#ifdef BROKEN_FGETS			/* partial reads from sockets */
+#define fgets fix_fgets
+extern char *fix_fgets();
+#endif
+
+#ifdef RECVFROM_BUG			/* no address family info */
+#define recvfrom fix_recvfrom
+extern int fix_recvfrom();
+#endif
+
+#ifdef GETPEERNAME_BUG			/* claims success with UDP */
+#define getpeername fix_getpeername
+extern int fix_getpeername();
+#endif
+
+#ifdef SOLARIS_24_GETHOSTBYNAME_BUG	/* lists addresses as aliases */
+#define gethostbyname fix_gethostbyname
+extern struct hostent *fix_gethostbyname();
+#endif
+
+#ifdef USE_STRSEP			/* libc calls strtok() */
+#define strtok	fix_strtok
+extern char *fix_strtok();
+#endif
+
+#ifdef LIBC_CALLS_STRTOK		/* libc calls strtok() */
+#define strtok	my_strtok
+extern char *my_strtok();
+#endif
+
+__END_DECLS
+
+#endif
diff --git a/tcp_wrappers_7.6/tcpdchk.8 b/tcp_wrappers_7.6/tcpdchk.8
new file mode 100644
index 0000000..fd48955
--- /dev/null
+++ b/tcp_wrappers_7.6/tcpdchk.8
@@ -0,0 +1,64 @@
+.TH TCPDCHK 8
+.SH NAME
+tcpdchk \- tcp wrapper configuration checker
+.SH SYNOPSIS
+tcpdchk [-a] [-d] [-i inet_conf] [-v]
+.SH DESCRIPTION
+.PP
+\fItcpdchk\fR examines your tcp wrapper configuration and reports all
+potential and real problems it can find. The program examines the
+\fItcpd\fR access control files (by default, these are
+\fI/etc/hosts.allow\fR and \fI/etc/hosts.deny\fR), and compares the
+entries in these files against entries in the \fIinetd\fR
+network configuration file.
+.PP
+\fItcpdchk\fR reports problems such as non-existent pathnames; services
+that appear in \fItcpd\fR access control rules, but are not controlled
+by \fItcpd\fR; services that should not be wrapped; non-existent host
+names or non-internet address forms; occurrences of host aliases
+instead of official host names; hosts with a name/address conflict;
+inappropriate use of wildcard patterns; inappropriate use of NIS
+netgroups or references to non-existent NIS netgroups; references to
+non-existent options; invalid arguments to options; and so on.
+.P