Asuri-Team/xinetd-kafel

xinetd-kafel is a more secure replacement for xinetd with secure computing (seccomp; it only works on Linux).
xinetd-kafel is a modified version of the original xinetd. Kafel lets you compile Berkeley Packet Filter programs easily; thanks to Google for Kafel.

Changes
-------------------------------------------------------------------------
Add the kafel compiler and seccomp syscall filter support to the original xinetd. For more information, please see the documentation below.

xinetd is a powerful replacement for inetd. Original site: http://www.xinetd.org

xinetd has access control mechanisms, extensive logging capabilities, the ability to make services available based on time, can place limits on the number of servers that can be started, and has deployable defence mechanisms to protect against port scanners, among other things.

There are a number of differences between xinetd and inetd. The largest difference to the end user is the config file. xinetd's config file format is more C-like, and somewhat similar to bind 8's.

*** NOTE ***
xinetd's reconfig signal is now SIGHUP. SIGUSR2 still works for now, but should be considered deprecated. The state dump signal is now SIGUSR1.
***      ***

There are a couple of compile time options to xinetd:
----------------------------------------------------------------------------
--with-libwrap  : This option to the configure script tells xinetd to compile in support for tcp wrappers. You must already have libwrap installed on your system. This option will have xinetd pay attention to your /etc/hosts.{allow|deny} files. With this option turned on, xinetd will first look at your /etc/hosts.{allow|deny} files, then, if access is granted, it goes through xinetd's internal access control mechanisms. Note that xinetd passes the server name if there is one; otherwise it uses the service id, *not* the service name, to libwrap. This is a change from previous behaviour.

--with-loadavg  : This option to the configure script tells xinetd to compile in support for the max_load configuration option. This option allows you to have certain services disabled when the system load gets above a specified level. This is highly operating-system specific. It currently has been tested on linux, and there is developmental support for solaris 2.6 and higher.

--with-inet6    : Services default to IPv6 (PF_INET6) sockets. Now that IPv6 support is fully integrated into xinetd, this option is almost meaningless. IPv6 sockets are available with the "IPv6" service flag, even without this option.

--with-howl=PATH: Adds howl mdns advertising support to xinetd. PATH is the prefix where howl is installed, such as /usr/local, /usr, etc. PATH is not optional. configure will not automatically detect howl's installed location.

--with-kafel=PATH: Adds kafel compiled selinux filter support to xinetd. PATH is the prefix where kafel is installed, such as /usr/local, /usr, etc. PATH is optional. configure will automatically detect kafel's installed location if kafel is already installed in the system paths.

Access Control:
--------------------------------------------------------------------------
As of xinetd 2.1.8.8pre3 there is a change in the handling of names specified in the access control directives, only_from and no_access. For numerical entries in these fields, nothing has changed.

The way it used to be: When xinetd started, it would look up the name(s) specified. It would then collect all the IP addresses associated with that name, and store them in the access control lists. This led to problems of acls being out of date, and access controls being messed up when names were specified. It did have the advantage of not waiting for a lookup to happen when you connected.

The way it is now: xinetd keeps all the names you specify on the access control directives. When a client attempts to connect to a service, a reverse lookup is performed on the client's IP address. The canonical name returned is compared with the specified names. If the first character of the name specified in the config file is a '.', then all hosts within that domain are matched. For example, if I put .synack.net, all hosts with a reverse mapping that are in the .synack.net domain are matched.

libwrap support:
----------------------------------------------------------------------
For libwrap access control, the access control is done by the server name for the service. So, if you have an entry like this:

    service telnet
    {
         ...
         server = /usr/sbin/in.telnetd
         ...
    }

Your corresponding hosts.{allow|deny} entry would look something like this:

    in.telnetd: ALL

However, many services don't have a "server". Internal services and redirection services don't have a "server" line in the configuration file. For these services, the service name is used. For example:

    service telnet
    {
         ...
         redirect = 10.0.0.1 23
         ...
    }

Your hosts.{allow|deny} entry would look something like this:

    telnet: ALL

So, in general, if a service has a "server" attribute, access control is performed based on that entry. If a service does not have a "server" attribute (internal and redirection services), then access control is based on the service name.

This is only for libwrap access control.

itox:
--------------------------------------------------------------------------
I will continue to keep itox in the distribution, and fix any bugs or compatibility issues that come to my attention, but I probably won't get around to adding features. If someone else would like to pick this up, let me know and I'd be happy to incorporate changes.

I have made a quick perl script (xconv.pl) to replace itox. xconv.pl does a straight translation of inetd.conf file syntax to xinetd.conf. It handles tcpd correctly, warns on the use of rpc services, sets the REUSE flag, and handles groups properly if your inetd.conf file supports them.

kafel:
--------------------------------------------------------------------------
Kafel and syscall filter support is enabled by adding a kafel_rule entry to the configuration file. So, you need to have an entry like this:

    service telnet
    {
         ...
         server = /path/to/your/server
         ...
         kafel_rule /path/to/kafel/rule/file
         ...
    }

Inside the kafel rule file, you need something like this:

    POLICY bad {
        DENY {
            listen, seccomp, ptrace, accept, accept4
        }
    }
    USE bad DEFAULT ALLOW

For the full grammar, please visit: https://github.com/google/kafel

xinetd was originally written by panos@cs.colorado.edu. At least one other version of xinetd has been seen floating around the net. This version is being maintained by Rob Braun (bbraun@synack.net) and bug reports for this version should be directed there.

Known bugs:
On some BSD's, you may need to set 'groups = yes' in your services. If you need this, and you don't specify 'groups = yes', you'll get a log message telling you it is needed when you connect to a service.

Bug reports/comments/suggestions/flames for this version should be sent to bbraun@synack.net
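As an added illustration (not code from xinetd-kafel or from kafel), the C program below hand-builds the seccomp-bpf filter that the rule file above describes and installs it in the current process the way a launcher would before exec'ing the server; it assumes kafel's DENY action means ERRNO(EPERM) and an x86_64 or arm64 build.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#else
#define ARCH_NR AUDIT_ARCH_AARCH64   /* assumption: built on x86_64 or arm64 only */
#endif

/* The five syscalls the README's "POLICY bad" denies; DENY is taken to mean ERRNO(EPERM). */
static const int denied[] = { SYS_listen, SYS_seccomp, SYS_ptrace, SYS_accept, SYS_accept4 };
#define NDENIED (sizeof denied / sizeof denied[0])
#define RET_DENY (SECCOMP_RET_ERRNO | EPERM)
#define STMT(c, k)  ((struct sock_filter)BPF_STMT(c, k))
#define JEQ(k, jt)  ((struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, k, jt, 0))

/* Emit the classic-BPF program for that policy: check the ABI, load the syscall number,
 * one JEQ per denied syscall, fall through to DEFAULT ALLOW. Returns the instruction
 * count, or 0 if the buffer is too small. */
size_t build_deny_filter(struct sock_filter *out, size_t cap) {
    size_t n = 0;
    if (cap < NDENIED + 6) return 0;
    out[n++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    out[n++] = JEQ(ARCH_NR, 1);                          /* native ABI: skip the kill */
    out[n++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);  /* foreign ABI: nr is meaningless */
    out[n++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < NDENIED; i++)   /* jt skips the remaining JEQs and the ALLOW */
        out[n++] = JEQ((__u32)denied[i], (__u8)(NDENIED - i));
    out[n++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW); /* DEFAULT ALLOW */
    out[n++] = STMT(BPF_RET | BPF_K, RET_DENY);          /* DENY: listen() etc. fail with EPERM */
    return n;
}

/* Install it in the calling process, as a launcher would in the child before exec. */
int install_deny_filter(void) {
    struct sock_filter code[16];
    struct sock_fprog prog = { .len = (unsigned short)build_deny_filter(code, 16), .filter = code };
    if (prog.len == 0 || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void) {
    if (install_deny_filter() != 0) { perror("seccomp"); return 1; }
    int s = socket(AF_INET, SOCK_STREAM, 0);               /* socket() is still allowed */
    if (listen(s, 5) < 0) perror("listen under policy");   /* EPERM: the policy did its job */
    return 0;
}
```

Inspect the generated program with the denied list in hand: each JEQ's true-branch offset lands exactly on the EPERM return, which is the property to check whenever a policy is edited.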
