From ed5d57202ebab0e923eb8e9d967a9f97792a6e8f Mon Sep 17 00:00:00 2001
From: Peter Avalos <pavalos@theshell.com>
Date: Sun, 21 Dec 2008 21:24:07 -0500
Subject: [PATCH] Add nsswitch support.

The nsswitch.conf(5) manual page has a description of nsswitch.
Curiously, we already had this manual page, even though we didn't
support it.

/etc/host.conf is removed from src/, but if host.conf exists and
nsswitch.conf does not, nsswitch.conf will be created using its
contents.

Included in this commit is a framework for nsswitch caching, nscd(8),
but it relies on a few upcoming changes to our libc before it will work.
For now, it's turned off.

Also this commit includes hesiod support which is not compiled by
default.  Add WANT_HESIOD=true to make.conf to get it working.

Obtained-from: FreeBSD
---
 Makefile.inc1                                 |    2 +-
 etc/Makefile                                  |    4 +-
 etc/defaults/make.conf                        |    7 +
 etc/defaults/rc.conf                          |    1 +
 etc/host.conf                                 |    8 -
 etc/hosts                                     |    4 +-
 etc/nscd.conf                                 |   12 +
 etc/rc.d/Makefile                             |    3 +-
 etc/rc.d/nscd                                 |   52 +
 etc/rc.d/nsswitch                             |  165 ++
 include/Makefile                              |    6 +-
 include/dlfcn.h                               |   31 +-
 include/grp.h                                 |   33 +-
 include/hesiod.h                              |   98 +
 include/netdb.h                               |   10 -
 include/nss.h                                 |   57 +
 include/nsswitch.h                            |  250 ++
 include/pwd.h                                 |   80 +-
 include/rpc/rpcent.h                          |   12 +-
 include/stdlib.h                              |    2 -
 lib/libc/Makefile.inc                         |    7 +
 lib/libc/gen/Makefile.inc                     |    8 +-
 lib/libc/gen/dlfunc.c                         |   29 +
 lib/libc/gen/dlopen.3                         |    2 +
 lib/libc/gen/getgrent.3                       |  150 +-
 lib/libc/gen/getgrent.c                       | 1817 +++++++++---
 lib/libc/gen/getgrouplist.c                   |   52 +-
 lib/libc/gen/getpwent.3                       |  153 +-
 lib/libc/gen/getpwent.c                       | 2487 ++++++++++++-----
 lib/libc/gen/getusershell.3                   |   14 +-
 lib/libc/gen/getusershell.c                   |  231 +-
 {usr.sbin/pwd_mkdb => lib/libc/gen}/pw_scan.c |  102 +-
 {usr.sbin/pwd_mkdb => lib/libc/gen}/pw_scan.h |   14 +-
 lib/libc/gen/pwcache.3                        |   19 +-
 lib/libc/gen/pwcache.c                        |    8 +-
 lib/libc/include/namespace.h                  |    6 +
 lib/libc/include/nscache.h                    |  197 ++
 lib/libc/include/nscachedcli.h                |  107 +
 lib/libc/include/nss_tls.h                    |   80 +
 lib/libc/include/un-namespace.h               |    2 +
 lib/libc/net/Makefile.inc                     |   28 +-
 lib/libc/net/getaddrinfo.c                    |  607 ++--
 lib/libc/net/gethostbydns.c                   |   69 +-
 lib/libc/net/gethostbyht.c                    |   31 +-
 lib/libc/net/gethostbyname.3                  |   17 +-
 lib/libc/net/gethostbynis.c                   |   63 +-
 lib/libc/net/gethostnamadr.c                  |  456 ++-
 lib/libc/net/getipnodebyname.3                |    5 +-
 lib/libc/net/getnetbydns.c                    |   49 +-
 lib/libc/net/getnetbyht.c                     |   24 +-
 lib/libc/net/getnetbynis.c                    |   50 +-
 lib/libc/net/getnetent.3                      |   20 +-
 lib/libc/net/getnetnamadr.c                   |  170 +-
 lib/libc/net/getproto.c                       |  108 +-
 lib/libc/net/getprotoent.c                    |  498 +++-
 lib/libc/net/getprotoname.c                   |  113 +-
 lib/libc/net/getservbyname.c                  |   73 -
 lib/libc/net/getservent.c                     | 1272 +++++++--
 lib/libc/net/hesiod.3                         |  176 ++
 lib/libc/net/hesiod.c                         |  560 ++++
 lib/libc/net/name6.c                          |  545 +++-
 lib/libc/net/netdb_private.h                  |  145 +
 lib/libc/net/nscache.c                        |  436 +++
 lib/libc/net/nscachedcli.c                    |  574 ++++
 lib/libc/net/nsdispatch.3                     |  258 ++
 lib/libc/net/nsdispatch.c                     |  744 +++++
 lib/libc/net/nslexer.l                        |  115 +
 lib/libc/net/nsparser.y                       |  182 ++
 lib/libc/net/{getproto.c => nss_backends.h}   |   50 +-
 lib/libc/net/nss_compat.c                     |  278 ++
 lib/libc/rpc/getrpcent.c                      | 1154 ++++++--
 share/man/man5/Makefile                       |    4 +
 share/man/man5/group.5                        |   45 +-
 share/man/man5/hesiod.conf.5                  |   80 +
 share/man/man5/hosts.5                        |   12 +-
 share/man/man5/make.conf.5                    |   11 +
 share/man/man5/nsswitch.conf.5                |  174 +-
 share/man/man5/passwd.5                       |  912 ++----
 share/man/man8/yp.8                           |   35 +-
 usr.bin/Makefile                              |    4 +
 usr.bin/chpass/chpass.c                       |    2 +-
 usr.bin/chpass/edit.c                         |    2 +-
 usr.bin/chpass/pw_copy.c                      |    2 +-
 usr.bin/hesinfo/Makefile                      |    5 +
 usr.bin/hesinfo/hesinfo.1                     |  198 ++
 usr.bin/hesinfo/hesinfo.c                     |  106 +
 usr.bin/passwd/Makefile                       |    6 +-
 usr.sbin/Makefile                             |    5 +
 usr.sbin/nscd/Makefile                        |   17 +
 usr.sbin/nscd/agent.c                         |  124 +
 usr.sbin/nscd/agent.h                         |   72 +
 usr.sbin/nscd/agents/Makefile.inc             |    3 +
 usr.sbin/nscd/agents/group.c                  |  257 ++
 .../nscd/agents/group.h                       |   35 +-
 usr.sbin/nscd/agents/passwd.c                 |  264 ++
 .../nscd/agents/passwd.h                      |   35 +-
 usr.sbin/nscd/agents/services.c               |  278 ++
 .../nscd/agents/services.h                    |   35 +-
 usr.sbin/nscd/cachelib.c                      | 1216 ++++++++
 usr.sbin/nscd/cachelib.h                      |  281 ++
 usr.sbin/nscd/cacheplcs.c                     |  584 ++++
 usr.sbin/nscd/cacheplcs.h                     |  137 +
 usr.sbin/nscd/config.c                        |  577 ++++
 usr.sbin/nscd/config.h                        |  156 ++
 usr.sbin/nscd/debug.c                         |  147 +
 usr.sbin/nscd/debug.h                         |   67 +
 usr.sbin/nscd/hashtable.h                     |  216 ++
 usr.sbin/nscd/log.c                           |   76 +
 .../net/getproto.c => usr.sbin/nscd/log.h     |   42 +-
 usr.sbin/nscd/mp_rs_query.c                   |  533 ++++
 .../getproto.c => usr.sbin/nscd/mp_rs_query.h |   35 +-
 usr.sbin/nscd/mp_ws_query.c                   |  543 ++++
 .../getproto.c => usr.sbin/nscd/mp_ws_query.h |   37 +-
 usr.sbin/nscd/nscd.8                          |  165 ++
 usr.sbin/nscd/nscd.c                          |  867 ++++++
 usr.sbin/nscd/nscd.conf.5                     |  148 +
 usr.sbin/nscd/nscdcli.c                       |  281 ++
 .../{pwd_mkdb/pw_scan.h => nscd/nscdcli.h}    |   50 +-
 usr.sbin/nscd/parser.c                        |  472 ++++
 .../getservbyport.c => usr.sbin/nscd/parser.h |   52 +-
 usr.sbin/nscd/protocol.c                      |  548 ++++
 usr.sbin/nscd/protocol.h                      |  265 ++
 usr.sbin/nscd/query.c                         | 1266 +++++++++
 usr.sbin/nscd/query.h                         |  108 +
 .../getproto.c => usr.sbin/nscd/singletons.c  |   37 +-
 .../getproto.c => usr.sbin/nscd/singletons.h  |   46 +-
 usr.sbin/pwd_mkdb/Makefile                    |   11 +-
 usr.sbin/pwd_mkdb/pwd_mkdb.8                  |   41 +-
 usr.sbin/pwd_mkdb/pwd_mkdb.c                  |  297 +-
 usr.sbin/rarpd/Makefile                       |    2 -
 usr.sbin/rarpd/rarpd.8                        |   21 +-
 usr.sbin/rarpd/rarpd.c                        |  351 +--
 usr.sbin/ypserv/ypserv.8                      |    4 +-
 133 files changed, 23677 insertions(+), 3917 deletions(-)
 delete mode 100644 etc/host.conf
 create mode 100644 etc/nscd.conf
 create mode 100644 etc/rc.d/nscd
 create mode 100644 etc/rc.d/nsswitch
 create mode 100644 include/hesiod.h
 create mode 100644 include/nss.h
 create mode 100644 include/nsswitch.h
 create mode 100644 lib/libc/gen/dlfunc.c
 rename {usr.sbin/pwd_mkdb => lib/libc/gen}/pw_scan.c (65%)
 copy {usr.sbin/pwd_mkdb => lib/libc/gen}/pw_scan.h (78%)
 create mode 100644 lib/libc/include/nscache.h
 create mode 100644 lib/libc/include/nscachedcli.h
 create mode 100644 lib/libc/include/nss_tls.h
 delete mode 100644 lib/libc/net/getservbyname.c
 create mode 100644 lib/libc/net/hesiod.3
 create mode 100644 lib/libc/net/hesiod.c
 create mode 100644 lib/libc/net/netdb_private.h
 create mode 100644 lib/libc/net/nscache.c
 create mode 100644 lib/libc/net/nscachedcli.c
 create mode 100644 lib/libc/net/nsdispatch.3
 create mode 100644 lib/libc/net/nsdispatch.c
 create mode 100644 lib/libc/net/nslexer.l
 create mode 100644 lib/libc/net/nsparser.y
 copy lib/libc/net/{getproto.c => nss_backends.h} (54%)
 create mode 100644 lib/libc/net/nss_compat.c
 create mode 100644 share/man/man5/hesiod.conf.5
 create mode 100644 usr.bin/hesinfo/Makefile
 create mode 100644 usr.bin/hesinfo/hesinfo.1
 create mode 100644 usr.bin/hesinfo/hesinfo.c
 create mode 100644 usr.sbin/nscd/Makefile
 create mode 100644 usr.sbin/nscd/agent.c
 create mode 100644 usr.sbin/nscd/agent.h
 create mode 100644 usr.sbin/nscd/agents/Makefile.inc
 create mode 100644 usr.sbin/nscd/agents/group.c
 copy lib/libc/net/getproto.c => usr.sbin/nscd/agents/group.h (57%)
 create mode 100644 usr.sbin/nscd/agents/passwd.c
 copy lib/libc/net/getproto.c => usr.sbin/nscd/agents/passwd.h (57%)
 create mode 100644 usr.sbin/nscd/agents/services.c
 copy lib/libc/net/getproto.c => usr.sbin/nscd/agents/services.h (57%)
 create mode 100644 usr.sbin/nscd/cachelib.c
 create mode 100644 usr.sbin/nscd/cachelib.h
 create mode 100644 usr.sbin/nscd/cacheplcs.c
 create mode 100644 usr.sbin/nscd/cacheplcs.h
 create mode 100644 usr.sbin/nscd/config.c
 create mode 100644 usr.sbin/nscd/config.h
 create mode 100644 usr.sbin/nscd/debug.c
 create mode 100644 usr.sbin/nscd/debug.h
 create mode 100644 usr.sbin/nscd/hashtable.h
 create mode 100644 usr.sbin/nscd/log.c
 copy lib/libc/net/getproto.c => usr.sbin/nscd/log.h (54%)
 create mode 100644 usr.sbin/nscd/mp_rs_query.c
 copy lib/libc/net/getproto.c => usr.sbin/nscd/mp_rs_query.h (57%)
 create mode 100644 usr.sbin/nscd/mp_ws_query.c
 copy lib/libc/net/getproto.c => usr.sbin/nscd/mp_ws_query.h (57%)
 create mode 100644 usr.sbin/nscd/nscd.8
 create mode 100644 usr.sbin/nscd/nscd.c
 create mode 100644 usr.sbin/nscd/nscd.conf.5
 create mode 100644 usr.sbin/nscd/nscdcli.c
 rename usr.sbin/{pwd_mkdb/pw_scan.h => nscd/nscdcli.h} (52%)
 create mode 100644 usr.sbin/nscd/parser.c
 rename lib/libc/net/getservbyport.c => usr.sbin/nscd/parser.h (50%)
 create mode 100644 usr.sbin/nscd/protocol.c
 create mode 100644 usr.sbin/nscd/protocol.h
 create mode 100644 usr.sbin/nscd/query.c
 create mode 100644 usr.sbin/nscd/query.h
 copy lib/libc/net/getproto.c => usr.sbin/nscd/singletons.c (57%)
 copy lib/libc/net/getproto.c => usr.sbin/nscd/singletons.h (57%)

diff --git a/Makefile.inc1 b/Makefile.inc1
index 0e35c04fab..57996893b2 100644
--- a/Makefile.inc1
+++ b/Makefile.inc1
@@ -762,7 +762,7 @@ bootstrap-tools:
     usr.bin/cmp usr.bin/xargs usr.bin/id usr.bin/env usr.bin/dirname \
     usr.bin/tail \
     usr.sbin/chown usr.sbin/mtree usr.sbin/config \
-    usr.sbin/btxld usr.sbin/pwd_mkdb usr.sbin/zic usr.sbin/makewhatis \
+    usr.sbin/btxld usr.sbin/zic usr.sbin/makewhatis \
     gnu/usr.bin/texinfo gnu/usr.bin/grep gnu/usr.bin/sort \
     usr.bin/gzip usr.bin/bzip2 usr.bin/mkcsmapper usr.bin/mkesdb
 	${ECHODIR} "===> ${_tool} (bootstrap-tools)"; \
diff --git a/etc/Makefile b/etc/Makefile
index d0b07c2107..30d1010e05 100644
--- a/etc/Makefile
+++ b/etc/Makefile
@@ -28,10 +28,10 @@ BIN1=	amd.map auth.conf \
 	crontab csh.cshrc csh.login csh.logout \
 	devd.conf devices.conf dhclient.conf dm.conf dntpd.conf \
 	ftpusers group \
-	hosts hosts.allow host.conf hosts.equiv hosts.lpd \
+	hosts hosts.allow hosts.equiv hosts.lpd \
 	inetd.conf login.access login.conf \
 	motd modems netconfig networks newsyslog.conf \
-	pf.conf phones printcap profile \
+	nscd.conf pf.conf phones printcap profile \
 	remote sensorsd.conf \
 	shells sysctl.conf syslog.conf usbd.conf \
 	etc.${MACHINE_ARCH}/ttys
diff --git a/etc/defaults/make.conf b/etc/defaults/make.conf
index af0cce9831..29f8d5fc4a 100644
--- a/etc/defaults/make.conf
+++ b/etc/defaults/make.conf
@@ -95,6 +95,13 @@ THREAD_LIB?=	thread_xu
 # To use GNU cpio as the standard cpio.  The default is bsdcpio.
 #WITH_GCPIO=	true
 #
+# To enable Hesiod support in libc
+#WANT_HESIOD=	true
+#
+# To disable name caching in the nsswitch subsystem.  The generic caching
+# daemon, nscd(8), will not be built either if this option is set.
+#NO_NS_CACHING=	true
+#
 # To avoid building various parts of the base system:
 #NO_BIND=	true	# do not build BIND
 #NO_CRYPT=	true	# do not build crypto code
diff --git a/etc/defaults/rc.conf b/etc/defaults/rc.conf
index a7ad2aefe2..0f7895baea 100644
--- a/etc/defaults/rc.conf
+++ b/etc/defaults/rc.conf
@@ -404,6 +404,7 @@ cron_flags=""		# Which options to pass to the cron daemon.
 lpd_enable="NO"		# Run the line printer daemon.
 lpd_program="/usr/sbin/lpd"	# path to lpd, if you want a different one.
 lpd_flags=""		# Flags to lpd (if enabled).
+nscd_enable="NO"	# Run the nsswitch caching daemon.
 usbd_enable="NO"	# Run the usbd daemon.
 usbd_flags=""		# Flags to usbd (if enabled).
 devd_enable="NO"	# Rund devd(8) daemon.
diff --git a/etc/host.conf b/etc/host.conf
deleted file mode 100644
index eed1658cf2..0000000000
--- a/etc/host.conf
+++ /dev/null
@@ -1,8 +0,0 @@
-# $FreeBSD: src/etc/host.conf,v 1.6 1999/08/27 23:23:41 peter Exp $
-# $DragonFly: src/etc/host.conf,v 1.2 2003/06/17 04:24:45 dillon Exp $
-# First try the /etc/hosts file
-hosts
-# Now try the nameserver next.
-bind
-# If you have YP/NIS configured, uncomment the next line
-# nis
diff --git a/etc/hosts b/etc/hosts
index 9e01843a11..a36591bfe8 100644
--- a/etc/hosts
+++ b/etc/hosts
@@ -1,4 +1,4 @@
-# $FreeBSD: src/etc/hosts,v 1.11.2.4 2003/02/06 20:36:58 dbaker Exp $
+# $FreeBSD: src/etc/hosts,v 1.16 2003/01/28 21:29:23 dbaker Exp $
 # $DragonFly: src/etc/hosts,v 1.2 2003/06/17 04:24:45 dillon Exp $
 #
 # Host Database
@@ -8,7 +8,7 @@
 # machine.
 #
 # In the presence of the domain name service or NIS, this file may
-# not be consulted at all; see /etc/host.conf for the resolution order.
+# not be consulted at all; see /etc/nsswitch.conf for the resolution order.
 #
 #
 ::1			localhost localhost.my.domain
diff --git a/etc/nscd.conf b/etc/nscd.conf
new file mode 100644
index 0000000000..8706c212b4
--- /dev/null
+++ b/etc/nscd.conf
@@ -0,0 +1,12 @@
+#
+# Default caching daemon configuration file
+# $FreeBSD: src/etc/nscd.conf,v 1.2 2007/10/18 08:26:20 bushman Exp $
+#
+
+enable-cache passwd yes
+enable-cache group yes
+enable-cache hosts yes
+enable-cache services yes
+enable-cache protocols yes
+enable-cache rpc yes
+enable-cache networks yes
diff --git a/etc/rc.d/Makefile b/etc/rc.d/Makefile
index 37100d75e3..7a0f6d41f3 100644
--- a/etc/rc.d/Makefile
+++ b/etc/rc.d/Makefile
@@ -18,13 +18,14 @@ FILES=	DAEMON LOGIN NETWORKING SERVERS abi accounting addswap adjkerntz \
 	mixer motd mountcritlocal mountcritremote \
 	mountd moused mroute6d mrouted msgs \
 	named netif netoptions newsyslog \
-	network_ipv6 nfsclient nfsd nfsserver nisdomain \
+	network_ipv6 nfsclient nfsd nfsserver nisdomain nscd nsswitch \
 	dntpd othermta pf pflog ppp ppp-user pppoed pwcheck \
 	quota random rarpd rcconf.sh resident rndcontrol root route6d routed \
 	routing rpcbind rtadvd rtsold rwho sysdb savecore sdpd securelevel \
 	sendmail sensorsd serial sppp sshd statd swap1 syscons sysctl syslogd \
 	timed ttys usbd varsym vinum virecover watchdogd wpa_supplicant \
 	ypbind yppasswdd ypserv ypset ypupdated ypxfrd
+
 FILESDIR=	/etc/rc.d
 FILESMODE=	${BINMODE}
 
diff --git a/etc/rc.d/nscd b/etc/rc.d/nscd
new file mode 100644
index 0000000000..13bbd851c8
--- /dev/null
+++ b/etc/rc.d/nscd
@@ -0,0 +1,52 @@
+#!/bin/sh
+#
+# $FreeBSD: src/etc/rc.d/nscd,v 1.7 2008/07/16 19:50:29 dougb Exp $
+#
+
+# PROVIDE: nscd
+# REQUIRE: DAEMON
+# BEFORE: LOGIN
+# KEYWORD: shutdown
+
+#
+# Add the following lines to /etc/rc.conf to enable nscd:
+#
+# nscd_enable="YES"
+#
+# See nscd(8) for flags
+#
+
+. /etc/rc.subr
+
+name=nscd
+rcvar=`set_rcvar`
+
+command=/usr/sbin/nscd
+extra_commands="flush"
+flush_cmd="${command} -I all"
+
+# usage: _nscd_set_option <option name> <default value>
+#
+_nscd_set_option() {
+	local _optname _defoptval _nscd_opt_val _cached_opt_val
+	_optname=$1
+	_defoptval=$2
+
+	_nscd_opt_val=$(eval "echo \$nscd_${_optname}")
+	_cached_opt_val=$(eval "echo \$cached_${_optname}")
+
+	if [ -n "$_cached_opt_val" -a "$_nscd_opt_val" != "$_defoptval" ]; then
+		warn "You should use nscd_${_optname} instead of" \
+		    "cached_${_optname}"
+		setvar "nscd_${_optname}" "$_cached_opt_val"
+	else
+		setvar "nscd_${_optname}" "${_nscd_opt_val:-$_defoptval}"
+	fi
+}
+
+
+load_rc_config $name
+_nscd_set_option "enable" "NO"
+_nscd_set_option "pidfile" "/var/run/nscd.pid"
+_nscd_set_option "flags" ""
+run_rc_command "$1"
diff --git a/etc/rc.d/nsswitch b/etc/rc.d/nsswitch
new file mode 100644
index 0000000000..78e19a1c72
--- /dev/null
+++ b/etc/rc.d/nsswitch
@@ -0,0 +1,165 @@
+#!/bin/sh
+#
+# Copyright (c) 1993 - 2004 The FreeBSD Project. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in the
+#    documentation and/or other materials provided with the distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $FreeBSD: src/etc/rc.d/nsswitch,v 1.10 2006/05/01 11:02:48 des Exp $
+#
+
+# PROVIDE: nsswitch
+# REQUIRE: root
+# BEFORE:  NETWORK
+
+. /etc/rc.subr
+
+name="nsswitch"
+start_cmd="nsswitch_start"
+stop_cmd=":"
+
+convert_host_conf()
+{
+    host_conf=$1; shift;
+    nsswitch_conf=$1; shift;
+
+    while read line; do
+	line=${line##[ 	]}
+	case $line in
+	hosts|local|file)
+		_nsswitch="${_nsswitch}${_nsswitch+ }files"
+		;;
+	dns|bind)
+		_nsswitch="${_nsswitch}${_nsswitch+ }dns"
+		;;
+	nis)
+		_nsswitch="${_nsswitch}${_nsswitch+ }nis"
+		;;
+	'#'*)
+		;;
+	*)
+		printf "Warning: unrecognized line [%s]", $line > "/dev/stderr"
+		;;
+
+	esac
+    done < $host_conf
+
+    echo "hosts: $_nsswitch" > $nsswitch_conf
+}
+
+generate_nsswitch_conf()
+{
+    nsswitch_conf=$1; shift;
+
+    cat >$nsswitch_conf <<EOF
+group: compat
+group_compat: nis
+hosts: files dns
+networks: files
+passwd: compat
+passwd_compat: nis
+shells: files
+services: compat
+services_compat: nis
+protocols: files
+rpc: files
+EOF
+}
+
+generate_host_conf()
+{
+    nsswitch_conf=$1; shift;
+    host_conf=$1; shift;
+
+    _cont=0
+    _sources=""
+    while read line; do
+	line=${line##[ 	]}
+	case $line in
+	hosts:*)
+		;;
+	*)
+		if [ $_cont -ne 1 ]; then
+			continue
+		fi
+		;;
+	esac
+	if [ "${line%\\}" = "${line}\\" ]; then
+		_cont=1
+	fi
+	line=${line#hosts:}
+	line=${line%\\}
+	line=${line%%#*}
+	_sources="${_sources}${_sources:+ }$line"
+    done < $nsswitch_conf
+
+    echo "# Auto-generated from nsswitch.conf" > $host_conf
+    for _s in ${_sources}; do
+	case $_s in
+	files)
+		echo "hosts" >> $host_conf
+		;;
+	dns)
+		echo "dns" >> $host_conf
+		;;
+	nis)
+		echo "nis" >> $host_conf
+		;;
+	*=*)
+		;;
+	*)
+		printf "Warning: unrecognized source [%s]", $_s > "/dev/stderr"
+		;;
+	esac
+    done
+}
+
+nsswitch_start()
+{
+	# Convert host.conf to nsswitch.conf if necessary
+	#
+	if [ -f "/etc/host.conf" -a ! -f "/etc/nsswitch.conf" ]; then
+		echo ''
+		echo 'Warning: /etc/host.conf is no longer used'
+		echo '  /etc/nsswitch.conf will be created for you'
+		convert_host_conf /etc/host.conf /etc/nsswitch.conf
+	fi
+
+	# Generate default nsswitch.conf if none exists
+	#
+	if [ ! -f "/etc/nsswitch.conf" ]; then
+		echo 'Generating nsswitch.conf.'
+		generate_nsswitch_conf /etc/nsswitch.conf
+	fi
+
+	# Generate host.conf for compatibility
+	#
+	if [ ! -f "/etc/host.conf" -o \
+		"/etc/host.conf" -ot "/etc/nsswitch.conf" ]
+	then
+		echo 'Generating host.conf.'
+		generate_host_conf /etc/nsswitch.conf /etc/host.conf
+	fi
+
+}
+
+load_rc_config $name
+run_rc_command "$1"
diff --git a/include/Makefile b/include/Makefile
index 9dd7873fbf..0ad7d7d801 100644
--- a/include/Makefile
+++ b/include/Makefile
@@ -16,7 +16,7 @@ INCS=	a.out.h ar.h assert.h bitstring.h complex.h cpio.h ctype.h db.h \
 	iconv.h ieeefp.h ifaddrs.h iso646.h inttypes.h \
 	langinfo.h libgen.h limits.h link.h locale.h malloc.h math.h memory.h \
 	mpool.h monetary.h ndbm.h netconfig.h \
-	netdb.h nl_types.h nlist.h objformat.h \
+	netdb.h nl_types.h nlist.h nss.h nsswitch.h objformat.h \
 	paths.h pthread.h pthread_np.h pwd.h \
 	ranlib.h readpassphrase.h regex.h regexp.h resolv.h re_comp.h rmd160.h \
 	search.h setjmp.h sgtty.h \
@@ -25,6 +25,10 @@ INCS=	a.out.h ar.h assert.h bitstring.h complex.h cpio.h ctype.h db.h \
 	timers.h ttyent.h unistd.h ulimit.h utime.h utmp.h uuid.h vis.h \
 	wchar.h wctype.h wordexp.h
 
+.if defined(WANT_HESIOD)
+INCS+=	hesiod.h
+.endif
+
 MHDRS=	float.h floatingpoint.h varargs.h
 
 # Only for default SHARED=copies case
diff --git a/include/dlfcn.h b/include/dlfcn.h
index e053203454..860296002e 100644
--- a/include/dlfcn.h
+++ b/include/dlfcn.h
@@ -65,6 +65,7 @@
 #define RTLD_DEFAULT	((void *) -2)	/* Use default search algorithm */
 #define	RTLD_SELF	((void *) -3)	/* Search the caller itself. */
 
+#if __BSD_VISIBLE
 /*
  * Structure filled in by dladdr().
  */
@@ -93,16 +94,38 @@ typedef struct  dl_serinfo {
         Dl_serpath	dls_serpath[1]; /* there may be more than one */
 } Dl_serinfo;
 
+/*
+ * The actual type declared by this typedef is immaterial, provided that
+ * it is a function pointer.  Its purpose is to provide a return type for
+ * dlfunc() which can be cast to a function pointer type without depending
+ * on behavior undefined by the C standard, which might trigger a compiler
+ * diagnostic.  We intentionally declare a unique type signature to force
+ * a diagnostic should the application not cast the return value of dlfunc()
+ * appropriately.
+ */
+struct __dlfunc_arg {
+	int __dlfunc_dummy;
+};
+
+typedef void (*dlfunc_t)(struct __dlfunc_arg);
+
+#endif /* __BSD_VISIBLE */
+
 __BEGIN_DECLS
-int		 dladdr(const void *, Dl_info *);
+/* XSI functions first */
 int		 dlclose(void *);
 const char 	*dlerror(void);
-int		 dlinfo(void *, int, void *);
+void		*dlopen(const char *, int);
+void		*dlsym(void * __restrict, const char * __restrict);
+
+#if __BSD_VISIBLE
+int		 dladdr(const void * __restrict, Dl_info * __restrict);
+dlfunc_t	 dlfunc(void * __restrict, const char * __restrict);
+int		 dlinfo(void * __restrict, int, void * __restrict);
 void		 dllockinit(void *, void *(*)(void *), void (*)(void *),
 			    void (*)(void *), void (*)(void *),
 			    void (*)(void *), void (*)(void *));
-void		*dlopen(const char *, int);
-void		*dlsym(void *, const char *);
+#endif /* __BSD_VISIBLE */
 __END_DECLS
 
 #endif /* !_DLFCN_H_ */
diff --git a/include/grp.h b/include/grp.h
index 62f45ad6cd..e6feac5e7a 100644
--- a/include/grp.h
+++ b/include/grp.h
@@ -36,6 +36,7 @@
  * SUCH DAMAGE.
  *
  *	@(#)grp.h	8.2 (Berkeley) 1/21/94
+ * $FreeBSD: src/include/grp.h,v 1.18 2003/04/17 14:15:25 nectar Exp $
  * $DragonFly: src/include/grp.h,v 1.5 2008/04/19 10:08:05 swildner Exp $
  */
 
@@ -44,8 +45,11 @@
 
 #include <sys/types.h>
 
-#ifndef _POSIX_SOURCE
 #define	_PATH_GROUP		"/etc/group"
+
+#ifndef _SIZE_T_DECLARED
+typedef __size_t	size_t;
+#define _SIZE_T_DECLARED
 #endif
 
 struct group {
@@ -58,13 +62,26 @@ struct group {
 #include <sys/cdefs.h>
 
 __BEGIN_DECLS
-struct group *getgrgid (gid_t);
-struct group *getgrnam (const char *);
-#ifndef _POSIX_SOURCE
-struct group *getgrent (void);
-int setgrent (void);
-void endgrent (void);
-int setgroupent (int);
+#if __BSD_VISIBLE || __POSIX_VISIBLE >= 200112 || __XSI_VISIBLE
+void		 endgrent(void);
+struct group	*getgrent(void);
+#endif
+struct group	*getgrgid(gid_t);
+struct group	*getgrnam(const char *);
+#if __BSD_VISIBLE
+const char	*group_from_gid(gid_t, int);
+#endif
+#if __BSD_VISIBLE || __POSIX_VISIBLE >= 200112 || __XSI_VISIBLE
+/* XXX IEEE Std 1003.1, 2003 specifies `void setgrent(void)' */
+int		 setgrent(void);
+int		 getgrgid_r(gid_t, struct group *, char *, size_t,
+		    struct group **);
+int		 getgrnam_r(const char *, struct group *, char *, size_t,
+		    struct group **);
+#endif
+#if __BSD_VISIBLE
+int		 getgrent_r(struct group *, char *, size_t, struct group **);
+int		 setgroupent(int);
 #endif
 __END_DECLS
 
diff --git a/include/hesiod.h b/include/hesiod.h
new file mode 100644
index 0000000000..c7dbeee332
--- /dev/null
+++ b/include/hesiod.h
@@ -0,0 +1,98 @@
+/*	$NetBSD: hesiod.h,v 1.3 1999/01/24 23:53:18 lukem Exp $	*/
+/*	$FreeBSD: src/include/hesiod.h,v 1.2 2002/03/23 17:24:53 imp Exp $ */
+
+
+/*-
+ * Copyright (c) 1997, 1998, 1999 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *        This product includes software developed by the NetBSD
+ *        Foundation, Inc. and its contributors.
+ * 4. Neither the name of The NetBSD Foundation nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * Copyright (c) 1996 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+#ifndef _HESIOD_H_
+#define _HESIOD_H_
+
+	/* Application-visible indication that we have the new interfaces */
+
+#define HESIOD_INTERFACES
+
+	/* Configuration information. */
+
+#ifndef _PATH_HESIOD_CONF			/* Configuration file. */
+#define _PATH_HESIOD_CONF	"/etc/hesiod.conf"
+#endif
+
+#define DEF_RHS		""			/* Defaults if HESIOD_CONF */
+#define DEF_LHS		""			/*    file is not present. */
+
+	/* Error codes (for backwards compatibility) */
+
+#define	HES_ER_UNINIT	-1	/* uninitialized */
+#define	HES_ER_OK	0	/* no error */
+#define	HES_ER_NOTFOUND	1	/* Hesiod name not found by server */
+#define HES_ER_CONFIG	2	/* local problem (no config file?) */
+#define HES_ER_NET	3	/* network problem */
+
+	/* Declaration of routines */
+
+#include <sys/cdefs.h>
+
+__BEGIN_DECLS
+int	hesiod_init(void **);
+char  **hesiod_resolve(void *, const char *, const char *);
+void	hesiod_free_list(void *, char **);
+char   *hesiod_to_bind(void *, const char *, const char *);
+void	hesiod_end(void *);
+
+				/* backwards compatibility */
+int	hes_init(void);
+char   *hes_to_bind(const char *, const char *);
+char  **hes_resolve(const char *, const char *);
+int	hes_error(void);
+void	hes_free(char **);
+__END_DECLS
+
+#endif /* ! _HESIOD_H_ */
diff --git a/include/netdb.h b/include/netdb.h
index 85b2d3fc4b..3d8b1e0c60 100644
--- a/include/netdb.h
+++ b/include/netdb.h
@@ -265,18 +265,8 @@ void	_setnethtent (int);
 void	_endnethtent (void);
 void	_setnetdnsent (int);
 void	_endnetdnsent (void);
-struct hostent * _gethostbyhtname  (const char *, int);
-struct hostent * _gethostbydnsname (const char *, int);
 struct hostent * _gethostbynisname (const char *, int);
-struct hostent * _gethostbyhtaddr  (const char *, int, int);
-struct hostent * _gethostbydnsaddr (const char *, int, int);
 struct hostent * _gethostbynisaddr (const char *, int, int);
-struct netent *  _getnetbyhtname  (const char *);
-struct netent *  _getnetbydnsname (const char *);
-struct netent *  _getnetbynisname (const char *);
-struct netent *  _getnetbyhtaddr  (unsigned long, int);
-struct netent *  _getnetbydnsaddr (unsigned long, int);
-struct netent *  _getnetbynisaddr (unsigned long, int);
 void _map_v4v6_address (const char *, char *);
 void _map_v4v6_hostent (struct hostent *, char **, int *);
 __END_DECLS
diff --git a/include/nss.h b/include/nss.h
new file mode 100644
index 0000000000..792b16bb5a
--- /dev/null
+++ b/include/nss.h
@@ -0,0 +1,57 @@
+/*-
+ * Copyright (c) 2003 Networks Associates Technology, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by
+ * Jacques A. Vidrine, Safeport Network Services, and Network
+ * Associates Laboratories, the Security Research Division of Network
+ * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
+ * ("CBOSS"), as part of the DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD: src/include/nss.h,v 1.2 2004/01/09 13:43:49 nectar Exp $
+ *
+ * Compatibility header for the GNU C Library-style nsswitch interface.
+ */
+#ifndef _NSS_H_
+#define _NSS_H_
+
+#include <nsswitch.h>
+
+enum nss_status {
+	NSS_STATUS_TRYAGAIN = -2,
+	NSS_STATUS_UNAVAIL,
+	NSS_STATUS_NOTFOUND,
+	NSS_STATUS_SUCCESS,
+	NSS_STATUS_RETURN
+};
+
+#define __nss_compat_result(rv, err)		\
+((rv == NSS_STATUS_TRYAGAIN && err == ERANGE) ? NS_RETURN : \
+ (rv == NSS_STATUS_TRYAGAIN) ? NS_TRYAGAIN :	\
+ (rv == NSS_STATUS_UNAVAIL)  ? NS_UNAVAIL  :	\
+ (rv == NSS_STATUS_NOTFOUND) ? NS_NOTFOUND :	\
+ (rv == NSS_STATUS_SUCCESS)  ? NS_SUCCESS  :	\
+ (rv == NSS_STATUS_RETURN)   ? NS_RETURN   : 0)
+
+#endif
diff --git a/include/nsswitch.h b/include/nsswitch.h
new file mode 100644
index 0000000000..ff1a897be5
--- /dev/null
+++ b/include/nsswitch.h
@@ -0,0 +1,250 @@
+/*	$NetBSD: nsswitch.h,v 1.6 1999/01/26 01:04:07 lukem Exp $	*/
+/*	$FreeBSD: src/include/nsswitch.h,v 1.5 2007/12/12 10:08:02 bushman Exp $ */
+
+/*-
+ * Copyright (c) 1997, 1998, 1999 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * This code is derived from software contributed to The NetBSD Foundation
+ * by Luke Mewburn.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *        This product includes software developed by the NetBSD
+ *        Foundation, Inc. and its contributors.
+ * 4. Neither the name of The NetBSD Foundation nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef _NSSWITCH_H
+#define _NSSWITCH_H	1
+
+#include <sys/types.h>
+#include <stdarg.h>
+
+#define NSS_MODULE_INTERFACE_VERSION 1
+
+#ifndef _PATH_NS_CONF
+#define _PATH_NS_CONF	"/etc/nsswitch.conf"
+#endif
+
+/* NSS source actions */
+#define	NS_ACTION_CONTINUE	0	/* try the next source */
+#define	NS_ACTION_RETURN	1	/* look no further */
+
+#define	NS_SUCCESS	(1<<0)		/* entry was found */
+#define	NS_UNAVAIL	(1<<1)		/* source not responding, or corrupt */
+#define	NS_NOTFOUND	(1<<2)		/* source responded 'no such entry' */
+#define	NS_TRYAGAIN	(1<<3)		/* source busy, may respond to retry */
+#define NS_RETURN	(1<<4)		/* stop search, e.g. for ERANGE */
+#define NS_TERMINATE	(NS_SUCCESS|NS_RETURN) /* flags that end search */
+#define	NS_STATUSMASK	0x000000ff	/* bitmask to get the status flags */
+
+/*
+ * currently implemented sources
+ */
+#define NSSRC_FILES	"files"		/* local files */
+#define	NSSRC_DNS	"dns"		/* DNS; IN for hosts, HS for others */
+#define	NSSRC_NIS	"nis"		/* YP/NIS */
+#define	NSSRC_COMPAT	"compat"	/* passwd,group in YP compat mode */
+#define	NSSRC_CACHE	"cache"		/* nscd daemon */
+#define NSSRC_FALLBACK	"__fallback"	/* internal fallback source */
+
+/*
+ * currently implemented databases
+ */
+#define NSDB_HOSTS		"hosts"
+#define NSDB_GROUP		"group"
+#define NSDB_GROUP_COMPAT	"group_compat"
+#define NSDB_NETGROUP		"netgroup"
+#define NSDB_NETWORKS		"networks"
+#define NSDB_PASSWD		"passwd"
+#define NSDB_PASSWD_COMPAT	"passwd_compat"
+#define NSDB_SHELLS		"shells"
+#define NSDB_SERVICES		"services"
+#define NSDB_SERVICES_COMPAT	"services_compat"
+#define NSDB_SSH_HOSTKEYS	"ssh_hostkeys"
+#define NSDB_PROTOCOLS		"protocols"
+#define NSDB_RPC		"rpc"
+
+/*
+ * suggested databases to implement
+ */
+#define NSDB_ALIASES		"aliases"
+#define NSDB_AUTH		"auth"
+#define NSDB_AUTOMOUNT		"automount"
+#define NSDB_BOOTPARAMS		"bootparams"
+#define NSDB_ETHERS		"ethers"
+#define NSDB_EXPORTS		"exports"
+#define NSDB_NETMASKS		"netmasks"
+#define NSDB_PHONES		"phones"
+#define NSDB_PRINTCAP		"printcap"
+#define NSDB_REMOTE		"remote"
+#define NSDB_SENDMAILVARS	"sendmailvars"
+#define NSDB_TERMCAP		"termcap"
+#define NSDB_TTYS		"ttys"
+
+/*
+ * ns_dtab `method' function signature.
+ */
+typedef int (*nss_method)(void *_retval, void *_mdata, va_list _ap);
+
+/*
+ * Macro for generating method prototypes.
+ */
+#define NSS_METHOD_PROTOTYPE(method) \
+	int method(void *, void *, va_list)
+
+/*
+ * ns_dtab - `nsswitch dispatch table'
+ * Contains an entry for each source and the appropriate function to
+ * call.  ns_dtabs are used in the nsdispatch() API in order to allow
+ * the application to override built-in actions.
+ */
+typedef struct _ns_dtab {
+	const char	 *src;		/* Source this entry implements */
+	nss_method	  method;	/* Method to be called */
+	void		 *mdata;	/* Data passed to method */
+} ns_dtab;
+
+/*
+ * macros to help build an ns_dtab[]
+ */
+#define NS_FILES_CB(F,C)	{ NSSRC_FILES,	F,	C },
+#define NS_COMPAT_CB(F,C)	{ NSSRC_COMPAT,	F,	C },
+#define NS_FALLBACK_CB(F)	{ NSSRC_FALLBACK, F,	NULL },
+
+#ifdef HESIOD
+#   define NS_DNS_CB(F,C)	{ NSSRC_DNS,	F,	C },
+#else
+#   define NS_DNS_CB(F,C)
+#endif
+
+#ifdef YP
+#   define NS_NIS_CB(F,C)	{ NSSRC_NIS,	F,	C },
+#else
+#   define NS_NIS_CB(F,C)
+#endif
+
+/*
+ * ns_src - `nsswitch source'
+ * used by the nsparser routines to store a mapping between a source
+ * and its dispatch control flags for a given database.
+ */
+typedef struct _ns_src {
+	const char	*name;
+	u_int32_t	 flags;
+} ns_src;
+
+
+/*
+ * default sourcelist (if nsswitch.conf is missing, corrupt,
+ * or the requested database doesn't have an entry.
+ */
+extern const ns_src __nsdefaultsrc[];
+
+/*
+ * ns_mtab - NSS method table
+ * An NSS module provides a mapping from (database name, method name)
+ * tuples to the nss_method and associated data.
+ */
+typedef struct _ns_mtab {
+	const char	*database;
+	const char	*name;
+	nss_method	 method;
+	void		*mdata;
+} ns_mtab;
+
+/*
+ * NSS module de-registration, called at module unload.
+ */
+typedef void	 (*nss_module_unregister_fn)(ns_mtab *, unsigned int);
+
+/*
+ * NSS module registration, called at module load.
+ */
+typedef ns_mtab *(*nss_module_register_fn)(const char *, unsigned int *,
+		       nss_module_unregister_fn *);
+
+/*
+ * Many NSS interfaces follow the getXXnam, getXXid, getXXent pattern.
+ * Developers are encouraged to use nss_lookup_type where approriate.
+ */
+enum nss_lookup_type {
+	nss_lt_name = 1,
+	nss_lt_id   = 2,
+	nss_lt_all  = 3
+};
+
+#ifdef _NS_PRIVATE
+/*
+ * private data structures for back-end nsswitch implementation
+ */
+
+/*
+ * ns_dbt - `nsswitch database thang'
+ * for each database in /etc/nsswitch.conf there is a ns_dbt, with its
+ * name and a list of ns_src's containing the source information.
+ */
+typedef struct _ns_dbt {
+	const char	*name;		/* name of database */
+	ns_src		*srclist;	/* list of sources */
+	int		 srclistsize;	/* size of srclist */
+} ns_dbt;
+
+/*
+ * ns_mod - NSS module
+ */
+typedef struct _ns_mod {
+	char		*name;		/* module name */
+	void		*handle;	/* handle from dlopen */
+	ns_mtab		*mtab;		/* method table */
+	unsigned int	 mtabsize;	/* count of entries in method table */
+	nss_module_unregister_fn unregister; /* called to unload module */
+} ns_mod;
+
+#endif /* _NS_PRIVATE */
+
+
+#include <sys/cdefs.h>
+
+__BEGIN_DECLS
+extern	int	nsdispatch(void *, const ns_dtab [], const char *,
+			   const char *, const ns_src [], ...);
+
+#ifdef _NS_PRIVATE
+extern	void		 _nsdbtaddsrc(ns_dbt *, const ns_src *);
+extern	void		 _nsdbtput(const ns_dbt *);
+extern	void		 _nsyyerror(const char *);
+extern	int		 _nsyylex(void);
+extern	int		 _nsyyparse(void);
+extern	int		 _nsyylineno;
+#ifdef _NSS_DEBUG
+extern	void		 _nsdbtdump(const ns_dbt *);
+#endif
+#endif /* _NS_PRIVATE */
+
+__END_DECLS
+
+#endif /* !_NSSWITCH_H */
diff --git a/include/pwd.h b/include/pwd.h
index ccb5ed270f..148b8b8e6f 100644
--- a/include/pwd.h
+++ b/include/pwd.h
@@ -36,6 +36,7 @@
  * SUCH DAMAGE.
  *
  *	@(#)pwd.h	8.2 (Berkeley) 1/21/94
+ * $FreeBSD: src/include/pwd.h,v 1.16 2005/01/26 17:26:54 nectar Exp $
  * $DragonFly: src/include/pwd.h,v 1.2 2003/11/14 01:01:43 dillon Exp $
  */
 
@@ -44,7 +45,16 @@
 
 #include <sys/types.h>
 
-#ifndef _POSIX_SOURCE
+#ifndef _TIME_T_DECLARED
+typedef	__time_t	time_t;
+#define	_TIME_T_DECLARED
+#endif
+
+#ifndef _SIZE_T_DECLARED
+typedef __size_t	size_t;
+#define _SIZE_T_DECLARED
+#endif
+
 #define _PATH_PWD		"/etc"
 #define	_PATH_PASSWD		"/etc/passwd"
 #define	_PASSWD			"passwd"
@@ -58,16 +68,40 @@
 
 #define	_PATH_PWD_MKDB		"/usr/sbin/pwd_mkdb"
 
-#define	_PW_KEYBYNAME		'1'	/* stored by name */
-#define	_PW_KEYBYNUM		'2'	/* stored by entry in the "file" */
-#define	_PW_KEYBYUID		'3'	/* stored by uid */
-#define _PW_KEYYPENABLED	'4'	/* YP is enabled */
-#define	_PW_KEYYPBYNUM		'5'	/* special +@netgroup entries */
+/* Historically, the keys in _PATH_MP_DB/_PATH_SMP_DB had the format
+ * `1 octet tag | key', where the tag is one of the _PW_KEY* values
+ * listed below.  These values happen to be ASCII digits.
+ * The tag is now still a single octet, but the
+ * upper 4 bits are interpreted as a version.  Previous format
+ * entries are version `3' -- this conveniently results in the same
+ * key values as before.  The new, architecture-independent entries
+ * are version `4'.
+ * As it happens, some applications read the database directly.
+ * (Bad app, no cookie!)  Thus, we leave the _PW_KEY* symbols at their
+ * old values so these apps still work.  Consequently
+ * we have to muck around a bit more to get the correct, versioned
+ * tag, and that is what the _PW_VERSIONED macro is about.
+ */
+
+#define _PW_VERSION_MASK	'\xF0'
+#define _PW_VERSIONED(x, v)	((unsigned char)(((x) & 0xCF) | ((v)<<4)))
+
+#define	_PW_KEYBYNAME		'\x31'	/* stored by name */
+#define	_PW_KEYBYNUM		'\x32'	/* stored by entry in the "file" */
+#define	_PW_KEYBYUID		'\x33'	/* stored by uid */
+#define _PW_KEYYPENABLED	'\x34'	/* YP is enabled */
+#define	_PW_KEYYPBYNUM		'\x35'	/* special +@netgroup entries */
+
+/* The database also contains a key to indicate the format version of
+ * the entries therein.  There may be other, older versioned entries
+ * as well.
+ */
+#define _PWD_VERSION_KEY	"\xFF" "VERSION"
+#define _PWD_CURRENT_VERSION	'\x04'
 
 #define	_PASSWORD_EFMT1		'_'	/* extended encryption format */
 
 #define	_PASSWORD_LEN		128	/* max length, not counting NULL */
-#endif
 
 struct passwd {
 	char	*pw_name;		/* user name */
@@ -96,16 +130,34 @@ struct passwd {
 #define _PWF_SHELL	_PWF(8)
 #define _PWF_EXPIRE	_PWF(9)
 
+/* XXX These flags are bogus.  With nsswitch, there are many
+ * possible sources and they cannot be represented in a small integer.
+ */
+#define _PWF_SOURCE	0x3000
+#define _PWF_FILES	0x1000
+#define _PWF_NIS	0x2000
+#define _PWF_HESIOD	0x3000
+
 #include <sys/cdefs.h>
 
 __BEGIN_DECLS
-struct passwd	*getpwuid (uid_t);
-struct passwd	*getpwnam (const char *);
-#ifndef _POSIX_SOURCE
-struct passwd	*getpwent (void);
-int		 setpassent (int);
-void		 setpwent (void);
-void		 endpwent (void);
+struct passwd	*getpwnam(const char *);
+struct passwd	*getpwuid(uid_t);
+
+#if __POSIX_VISIBLE >= 200112 || __XSI_VISIBLE >= 500
+void		 endpwent(void);
+struct passwd	*getpwent(void);
+void		 setpwent(void);
+int		 getpwnam_r(const char *, struct passwd *, char *, size_t,
+		    struct passwd **);
+int		 getpwuid_r(uid_t, struct passwd *, char *, size_t,
+		    struct passwd **);
+#endif
+
+#if __BSD_VISIBLE
+int		 getpwent_r(struct passwd *, char *, size_t, struct passwd **);
+int		 setpassent(int);
+const char	*user_from_uid(uid_t, int);
 #endif
 __END_DECLS
 
diff --git a/include/rpc/rpcent.h b/include/rpc/rpcent.h
index 41e34e4d8d..428d1fa909 100644
--- a/include/rpc/rpcent.h
+++ b/include/rpc/rpcent.h
@@ -29,7 +29,7 @@
  *	from: @(#)rpcent.h   1.13    94/04/25 SMI
  *	from: @(#)rpcent.h 1.1 88/12/06 SMI
  * $NetBSD: rpcent.h,v 1.1 2000/06/02 22:57:56 fvdl Exp $
- * $FreeBSD: src/include/rpc/rpcent.h,v 1.2 2002/03/23 17:24:55 imp Exp $
+ * $FreeBSD: src/include/rpc/rpcent.h,v 1.4 2006/04/29 04:26:16 ume Exp $
  * $DragonFly$
  */
 /*
@@ -53,12 +53,10 @@ struct rpcent {
 };
 
 __BEGIN_DECLS
-extern struct rpcent *getrpcbyname_r(const char *, struct rpcent *,
-				     char *, int);
-extern struct rpcent *getrpcbynumber_r(int, struct rpcent *, char *, int);
-extern struct rpcent *getrpcent_r(struct rpcent *, char *, int);
-
-/* Old interfaces that return a pointer to a static area;  MT-unsafe */
+/*
+ * These interfaces are currently implemented through nsswitch and are
+ * MT-safe.
+ */
 extern struct rpcent *getrpcbyname(char *);
 extern struct rpcent *getrpcbynumber(int);
 extern struct rpcent *getrpcent(void);
diff --git a/include/stdlib.h b/include/stdlib.h
index 12a22fc378..6f54500cdf 100644
--- a/include/stdlib.h
+++ b/include/stdlib.h
@@ -166,7 +166,6 @@ char	*devname_r(dev_t, mode_t, char *, size_t);
 int	 getloadavg(double [], int);
 const char *getprogname(void);
 
-char	*group_from_gid(gid_t, int);
 int	 heapsort(void *, size_t, size_t, int (*)(const void *, const void *));
 char	*initstate(unsigned long, char *, long);
 int	 mergesort(void *, size_t, size_t, int (*)(const void *, const void *));
@@ -182,7 +181,6 @@ void	 setprogname(const char *);
 char	*setstate(char *);
 void	 srandom(unsigned long);
 void	 srandomdev(void);
-char	*user_from_uid(uid_t, int);
 
 #if !defined(__STRICT_ANSI__) && !defined(_KERNEL_VIRTUAL)
 __int64_t	strtoq(const char *, char **, int);
diff --git a/lib/libc/Makefile.inc b/lib/libc/Makefile.inc
index f96f150b3c..1e6f019757 100644
--- a/lib/libc/Makefile.inc
+++ b/lib/libc/Makefile.inc
@@ -45,6 +45,13 @@ NOASM=
 CFLAGS+= -DYP
 .include "${.CURDIR}/../libc/yp/Makefile.inc"
 .endif
+.if defined(WANT_HESIOD)
+CFLAGS+= -DHESIOD
+.endif
+# Caching isn't ready yet
+#.if !defined(NO_NS_CACHING)
+#CFLAGS+= -DNS_CACHING
+#.endif
 
 # If there are no machine dependent sources, append all the
 # machine-independent sources:
diff --git a/lib/libc/gen/Makefile.inc b/lib/libc/gen/Makefile.inc
index d022eb5aa9..b410bc1e57 100644
--- a/lib/libc/gen/Makefile.inc
+++ b/lib/libc/gen/Makefile.inc
@@ -9,7 +9,7 @@ SRCS+=  _pthread_stubs.c _rand48.c _spinlock_stub.c _thread_init.c \
 	alarm.c arc4random.c assert.c basename.c \
 	clock.c closedir.c confstr.c \
 	ctermid.c ctype.c daemon.c devname.c dirname.c disklabel.c disktab.c \
-	dlfcn.c drand48.c erand48.c err.c errlst.c \
+	dlfcn.c dlfunc.c drand48.c erand48.c err.c errlst.c \
 	exec.c fmtcheck.c fmtmsg.c fnmatch.c fpclassifyd.c fpclassifyf.c \
 	fstab.c ftok.c fts.c ftw.c getbootfile.c getbsize.c \
 	getcap.c getcwd.c getdomainname.c getgrent.c getgrouplist.c \
@@ -24,7 +24,7 @@ SRCS+=  _pthread_stubs.c _rand48.c _spinlock_stub.c _thread_init.c \
 	msgget.c msgrcv.c msgsnd.c nftw.c nice.c \
 	nlist.c nrand48.c ntp_gettime.c opendir.c \
 	pause.c pmadvise.c popen.c posixshm.c \
-	psignal.c pthread_fake.c pwcache.c \
+	psignal.c pthread_fake.c pw_scan.c pwcache.c \
 	raise.c readdir.c readpassphrase.c rewinddir.c \
 	scandir.c seed48.c seekdir.c semconfig.c semctl.c semget.c semop.c \
 	setdomainname.c sethostname.c setjmperr.c setmode.c setprogname.c \
@@ -103,7 +103,9 @@ MLINKS+=getnetgrent.3 endnetgrent.3 getnetgrent.3 innetgr.3 \
 	getnetgrent.3 setnetgrent.3
 MLINKS+=getprogname.3 setprogname.3
 MLINKS+=getpwent.3 endpwent.3 getpwent.3 getpwnam.3 getpwent.3 getpwuid.3 \
-	getpwent.3 setpassent.3 getpwent.3 setpwent.3 getpwent.3 setpwfile.3
+	getpwent.3 setpassent.3 getpwent.3 setpwent.3 getpwent.3 setpwfile.3 \
+	getpwent.3 getpwent_r.3 getpwent.3 getpwnam_r.3 \
+	getpwent.3 getpwuid_r.3
 MLINKS+=getttyent.3 endttyent.3 getttyent.3 getttynam.3 \
 	getttyent.3 isdialuptty.3 getttyent.3 isnettty.3 \
 	getttyent.3 setttyent.3
diff --git a/lib/libc/gen/dlfunc.c b/lib/libc/gen/dlfunc.c
new file mode 100644
index 0000000000..b628de66e4
--- /dev/null
+++ b/lib/libc/gen/dlfunc.c
@@ -0,0 +1,29 @@
+/*
+ * This source file is in the public domain.
+ * Garrett A. Wollman, 2002-05-28.
+ *
+ * $FreeBSD: src/lib/libc/gen/dlfunc.c,v 1.3 2002/09/11 05:05:48 mike Exp $
+ */
+
+#include <dlfcn.h>
+
+/*
+ * Implement the dlfunc() interface, which behaves exactly the same as
+ * dlsym() except that it returns a function pointer instead of a data
+ * pointer.  This can be used by applications to avoid compiler warnings
+ * about undefined behavior, and is intended as prior art for future
+ * POSIX standardization.  This function requires that all pointer types
+ * have the same representation, which is true on all platforms FreeBSD
+ * runs on, but is not guaranteed by the C standard.
+ */
+dlfunc_t
+dlfunc(void * __restrict handle, const char * __restrict symbol)
+{
+	union {
+		void *d;
+		dlfunc_t f;
+	} rv;
+
+	rv.d = dlsym(handle, symbol);
+	return (rv.f);
+}
diff --git a/lib/libc/gen/dlopen.3 b/lib/libc/gen/dlopen.3
index da81c6f0a8..e0686ee16c 100644
--- a/lib/libc/gen/dlopen.3
+++ b/lib/libc/gen/dlopen.3
@@ -50,6 +50,8 @@
 .Fn dlopen "const char *path" "int mode"
 .Ft void *
 .Fn dlsym "void *handle" "const char *symbol"
+.Ft __dlfunc_t
+.Fn dlfunc "void *handle" "const char *symbol"
 .Ft const char *
 .Fn dlerror "void"
 .Ft int
diff --git a/lib/libc/gen/getgrent.3 b/lib/libc/gen/getgrent.3
index 1ecc1cbf2a..2133c258e5 100644
--- a/lib/libc/gen/getgrent.3
+++ b/lib/libc/gen/getgrent.3
@@ -9,10 +9,6 @@
 .\" 2. Redistributions in binary form must reproduce the above copyright
 .\"    notice, this list of conditions and the following disclaimer in the
 .\"    documentation and/or other materials provided with the distribution.
-.\" 3. All advertising materials mentioning features or use of this software
-.\"    must display the following acknowledgement:
-.\"	This product includes software developed by the University of
-.\"	California, Berkeley and its contributors.
 .\" 4. Neither the name of the University nor the names of its contributors
 .\"    may be used to endorse or promote products derived from this software
 .\"    without specific prior written permission.
@@ -30,7 +26,7 @@
 .\" SUCH DAMAGE.
 .\"
 .\"     From: @(#)getgrent.3	8.2 (Berkeley) 4/19/94
-.\" $FreeBSD: src/lib/libc/gen/getgrent.3,v 1.12.2.4 2003/03/15 15:11:05 trhodes Exp $
+.\" $FreeBSD: src/lib/libc/gen/getgrent.3,v 1.28 2007/01/09 00:27:53 imp Exp $
 .\" $DragonFly: src/lib/libc/gen/getgrent.3,v 1.5 2008/04/19 10:08:05 swildner Exp $
 .\"
 .Dd April 19, 2008
@@ -38,8 +34,11 @@
 .Os
 .Sh NAME
 .Nm getgrent ,
+.Nm getgrent_r ,
 .Nm getgrnam ,
+.Nm getgrnam_r ,
 .Nm getgrgid ,
+.Nm getgrgid_r ,
 .Nm setgroupent ,
 .Nm setgrent ,
 .Nm endgrent
@@ -47,15 +46,20 @@
 .Sh LIBRARY
 .Lb libc
 .Sh SYNOPSIS
-.In sys/types.h
 .In grp.h
 .Ft struct group *
 .Fn getgrent void
+.Ft int
+.Fn getgrent_r "struct group *grp" "char *buffer" "size_t bufsize" "struct group **result"
 .Ft struct group *
 .Fn getgrnam "const char *name"
+.Ft int
+.Fn getgrnam_r "const char *name" "struct group *grp" "char *buffer" "size_t bufsize" "struct group **result"
 .Ft struct group *
 .Fn getgrgid "gid_t gid"
 .Ft int
+.Fn getgrgid_r "gid_t gid" "struct group *grp" "char *buffer" "size_t bufsize" "struct group **result"
+.Ft int
 .Fn setgroupent "int stayopen"
 .Ft int
 .Fn setgrent void
@@ -76,7 +80,7 @@ file
 struct group {
 	char	*gr_name;	/* group name */
 	char	*gr_passwd;	/* group password */
-	int	gr_gid;		/* group id */
+	gid_t	gr_gid;		/* group id */
 	char	**gr_mem;	/* group members */
 };
 .Ed
@@ -89,7 +93,8 @@ search the group database for the given group name pointed to by
 .Fa name
 or the group id pointed to by
 .Fa gid ,
-respectively, returning the first one encountered.  Identical group
+respectively, returning the first one encountered.
+Identical group
 names or group gids may result in undefined behavior.
 .Pp
 The
@@ -98,17 +103,49 @@ function
 sequentially reads the group database and is intended for programs
 that wish to step through the complete list of groups.
 .Pp
-All three routines will open the group file for reading, if necessary.
+The functions
+.Fn getgrent_r ,
+.Fn getgrnam_r ,
+and
+.Fn getgrgid_r
+are thread-safe versions of
+.Fn getgrent ,
+.Fn getgrnam ,
+and
+.Fn getgrgid ,
+respectively.
+The caller must provide storage for the results of the search in
+the
+.Fa grp ,
+.Fa buffer ,
+.Fa bufsize ,
+and
+.Fa result
+arguments.
+When these functions are successful, the
+.Fa grp
+argument will be filled-in, and a pointer to that argument will be
+stored in
+.Fa result .
+If an entry is not found or an error occurs,
+.Fa result
+will be set to
+.Dv NULL .
+.Pp
+These functions will open the group file for reading, if necessary.
 .Pp
 The
 .Fn setgroupent
 function
-opens the file, or rewinds it if it is already open.  If
+opens the file, or rewinds it if it is already open.
+If
 .Fa stayopen
 is non-zero, file descriptors are left open, significantly speeding
-functions subsequent calls.  This functionality is unnecessary for
+functions subsequent calls.
+This functionality is unnecessary for
 .Fn getgrent
-as it doesn't close its file descriptors by default.  It should also
+as it does not close its file descriptors by default.
+It should also
 be noted that it is dangerous for long-running programs to use this
 functionality as the group file may be updated.
 .Pp
@@ -123,33 +160,35 @@ The
 .Fn endgrent
 function
 closes any open files.
-.Sh YP/NIS INTERACTION
-When the
-.Xr yp 8
-group database is enabled, the
-.Fn getgrnam
-and
-.Fn getgrgid
-functions use the YP maps
-.Dq Li group.byname
-and
-.Dq Li group.bygid ,
-respectively, if the requested group is not found in the local
-.Pa /etc/group
-file.  The
-.Fn getgrent
-function will step through the YP map
-.Dq Li group.byname
-if the entire map is enabled as described in
-.Xr group 5 .
 .Sh RETURN VALUES
 The functions
 .Fn getgrent ,
 .Fn getgrnam ,
 and
 .Fn getgrgid ,
-return a pointer to the group entry if successful; if end-of-file
-is reached or an error occurs a null pointer is returned.
+return a pointer to a group structure on success or
+.Dv NULL
+if the entry is not found or if an error occurs.
+If an error does occur,
+.Va errno
+will be set.
+Note that programs must explicitly set
+.Va errno
+to zero before calling any of these functions if they need to
+distinguish between a non-existent entry and an error.
+The functions
+.Fn getgrent_r ,
+.Fn getgrnam_r ,
+and
+.Fn getgrgid_r
+return 0 if no error occurred, or an error number to indicate failure.
+It is not an error if a matching entry is not found.
+(Thus, if
+.Fa result
+is set to
+.Dv NULL
+and the return value is 0, no matching entry exists.)
+.Pp
 The functions
 .Fn setgroupent
 and
@@ -172,7 +211,25 @@ been deprecated and is no longer available.
 .Sh SEE ALSO
 .Xr getpwent 3 ,
 .Xr group 5 ,
+.Xr nsswitch.conf 5 ,
 .Xr yp 8
+.Sh STANDARDS
+The
+.Fn getgrent ,
+.Fn getgrnam ,
+.Fn getgrnam_r ,
+.Fn getgrgid ,
+.Fn getgrgid_r
+and
+.Fn endgrent
+functions conform to
+.St -p1003.1-96 .
+The
+.Fn setgrent
+function differs from that standard in that its return type is
+.Vt int
+rather than
+.Vt void .
 .Sh HISTORY
 The functions
 .Fn endgrent ,
@@ -189,6 +246,15 @@ and
 .Fn setgroupent
 appeared in
 .Bx 4.3 Reno .
+The functions
+.Fn getgrent_r ,
+.Fn getgrnam_r ,
+and
+.Fn getgrgid_r
+appeared in
+.Fx 5.1
+and
+.Dx 2.1 .
 .Sh BUGS
 The functions
 .Fn getgrent ,
@@ -202,3 +268,21 @@ a pointer to that object.
 Subsequent calls to
 the same function
 will modify the same object.
+.Pp
+The functions
+.Fn getgrent ,
+.Fn getgrent_r ,
+.Fn endgrent ,
+.Fn setgroupent ,
+and
+.Fn setgrent
+are fairly useless in a networked environment and should be
+avoided, if possible.
+The
+.Fn getgrent
+and
+.Fn getgrent_r
+functions
+make no attempt to suppress duplicate information if multiple
+sources are specified in
+.Xr nsswitch.conf 5 .
diff --git a/lib/libc/gen/getgrent.c b/lib/libc/gen/getgrent.c
index 2197f9bb27..9a32c38cfe 100644
--- a/lib/libc/gen/getgrent.c
+++ b/lib/libc/gen/getgrent.c
@@ -1,8 +1,12 @@
-/*	$NetBSD: getgrent.c,v 1.34.2.1 1999/04/27 14:10:58 perry Exp $	*/
-/*
- * Copyright (c) 1989, 1993
- *	The Regents of the University of California.  All rights reserved.
- * Portions Copyright (c) 1994, Jason Downs. All Rights Reserved.
+/*-
+ * Copyright (c) 2003 Networks Associates Technology, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by
+ * Jacques A. Vidrine, Safeport Network Services, and Network
+ * Associates Laboratories, the Security Research Division of Network
+ * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
+ * ("CBOSS"), as part of the DARPA CHATS research program.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -12,18 +16,11 @@
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
@@ -32,520 +29,1524 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * @(#)getgrent.c	8.2 (Berkeley) 3/21/94
- * $FreeBSD: src/lib/libc/gen/getgrent.c,v 1.17.6.1 2001/03/05 08:56:02 obrien Exp $
+ * $FreeBSD: src/lib/libc/gen/getgrent.c,v 1.37 2007/12/12 10:08:02 bushman Exp $
  * $DragonFly: src/lib/libc/gen/getgrent.c,v 1.5 2005/11/19 22:32:53 swildner Exp $
  */
 
+#include "namespace.h"
+#include <sys/param.h>
+#ifdef YP
+#include <rpc/rpc.h>
+#include <rpcsvc/yp_prot.h>
+#include <rpcsvc/ypclnt.h>
+#endif
+#include <assert.h>
+#include <ctype.h>
 #include <errno.h>
-#include <limits.h>
-#include <sys/types.h>
+#ifdef HESIOD
+#include <hesiod.h>
+#endif
+#include <grp.h>
+#include <nsswitch.h>
+#include <pthread.h>
+#include <pthread_np.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
-#include <grp.h>
 #include <syslog.h>
+#include <unistd.h>
+#include "un-namespace.h"
+#include "libc_private.h"
+#include "nss_tls.h"
+#ifdef NS_CACHING
+#include "nscache.h"
+#endif
+
+enum constants {
+	GRP_STORAGE_INITIAL	= 1 << 10, /* 1 KByte */
+	GRP_STORAGE_MAX		= 1 << 20, /* 1 MByte */
+	SETGRENT		= 1,
+	ENDGRENT		= 2,
+	HESIOD_NAME_MAX		= 256,
+};
+
+static const ns_src defaultsrc[] = {
+	{ NSSRC_COMPAT, NS_SUCCESS },
+	{ NULL, 0 }
+};
 
-static FILE *_gr_fp;
-static struct group _gr_group;
-static int _gr_stayopen;
+int	 __gr_match_entry(const char *, size_t, enum nss_lookup_type,
+	    const char *, gid_t);
+int	 __gr_parse_entry(char *, size_t, struct group *, char *, size_t,
+	    int *);
+
+static	int	 is_comment_line(const char *, size_t);
+
+union key {
+	const char	*name;
+	gid_t		 gid;
+};
+static	struct group *getgr(int (*)(union key, struct group *, char *, size_t,
+		    struct group **), union key);
+static	int	 wrap_getgrnam_r(union key, struct group *, char *, size_t,
+		    struct group **);
+static	int	 wrap_getgrgid_r(union key, struct group *, char *, size_t,
+		    struct group **);
+static	int	 wrap_getgrent_r(union key, struct group *, char *, size_t,
+		    struct group **);
+
+struct files_state {
+	FILE	*fp;
+	int	 stayopen;
+};
+static	void	 files_endstate(void *);
+NSS_TLS_HANDLING(files);
+static	int	 files_setgrent(void *, void *, va_list);
+static	int	 files_group(void *, void *, va_list);
+
+
+#ifdef HESIOD
+struct dns_state {
+	long	counter;
+};
+static	void	 dns_endstate(void *);
+NSS_TLS_HANDLING(dns);
+static	int	 dns_setgrent(void *, void *, va_list);
+static	int	 dns_group(void *, void *, va_list);
+#endif
 
-static int	grscan(int, gid_t, const char *);
-static int	start_gr(void);
 
 #ifdef YP
-#include <rpc/rpc.h>
-#include <rpcsvc/yp_prot.h>
-#include <rpcsvc/ypclnt.h>
-static int _gr_stepping_yp;
-static int _gr_yp_enabled;
-static int _getypgroup(struct group *, const char *, const char *);
-static int _nextypgroup(struct group *);
+struct nis_state {
+	char	 domain[MAXHOSTNAMELEN];
+	int	 done;
+	char	*key;
+	int	 keylen;
+};
+static	void	 nis_endstate(void *);
+NSS_TLS_HANDLING(nis);
+static	int	 nis_setgrent(void *, void *, va_list);
+static	int	 nis_group(void *, void *, va_list);
 #endif
 
-/* initial size for malloc and increase steps for realloc */
-#define	MAXGRP		64
-#define	MAXLINELENGTH	256
+struct compat_state {
+	FILE	*fp;
+	int	 stayopen;
+	char	*name;
+	enum _compat {
+		COMPAT_MODE_OFF = 0,
+		COMPAT_MODE_ALL,
+		COMPAT_MODE_NAME
+	}	 compat;
+};
+static	void	 compat_endstate(void *);
+NSS_TLS_HANDLING(compat);
+static	int	 compat_setgrent(void *, void *, va_list);
+static	int	 compat_group(void *, void *, va_list);
 
-static char **members; 		/* list of group members */
-static int maxgrp;              /* current length of **mebers */
-static char *line;		/* temp buffer for group line */
-static int maxlinelength;       /* current length of *line */
+static	int	gr_addgid(gid_t, gid_t *, int, int *);
+static	int	getgroupmembership_fallback(void *, void *, va_list);
 
-/* 
- * Lines longer than MAXLINELENGTHLIMIT will be counted as an error.
- * <= 0 disable check for maximum line length
- * 256K is enough for 64,000 uids
- */
-#define MAXLINELENGTHLIMIT	(256 * 1024)
-#define GROUP_IGNORE_COMMENTS	1	/* allow comments in /etc/group */
+#ifdef NS_CACHING
+static	int	 grp_id_func(char *, size_t *, va_list, void *);
+static	int	 grp_marshal_func(char *, size_t *, void *, va_list, void *);
+static	int	 grp_unmarshal_func(char *, size_t, void *, va_list, void *);
 
-struct group *
-getgrent(void)
+static int
+grp_id_func(char *buffer, size_t *buffer_size, va_list ap, void *cache_mdata)
 {
-	if (!_gr_fp && !start_gr()) {
-		return NULL;
+	char	*name;
+	gid_t	gid;
+
+	size_t	desired_size, size;
+	int	res = NS_UNAVAIL;
+	enum nss_lookup_type lookup_type;
+
+
+	lookup_type = (enum nss_lookup_type)cache_mdata;
+	switch (lookup_type) {
+	case nss_lt_name:
+		name = va_arg(ap, char *);
+		size = strlen(name);
+		desired_size = sizeof(enum nss_lookup_type) + size + 1;
+		if (desired_size > *buffer_size) {
+			res = NS_RETURN;
+			goto fin;
+		}
+
+		memcpy(buffer, &lookup_type, sizeof(enum nss_lookup_type));
+		memcpy(buffer + sizeof(enum nss_lookup_type), name, size + 1);
+
+		res = NS_SUCCESS;
+		break;
+	case nss_lt_id:
+		gid = va_arg(ap, gid_t);
+		desired_size = sizeof(enum nss_lookup_type) + sizeof(gid_t);
+		if (desired_size > *buffer_size) {
+			res = NS_RETURN;
+			goto fin;
+		}
+
+		memcpy(buffer, &lookup_type, sizeof(enum nss_lookup_type));
+		memcpy(buffer + sizeof(enum nss_lookup_type), &gid,
+		    sizeof(gid_t));
+
+		res = NS_SUCCESS;
+		break;
+	default:
+		/* should be unreachable */
+		return (NS_UNAVAIL);
 	}
 
-#ifdef YP
-	if (_gr_stepping_yp) {
-		if (_nextypgroup(&_gr_group))
-			return(&_gr_group);
+fin:
+	*buffer_size = desired_size;
+	return (res);
+}
+
+static int
+grp_marshal_func(char *buffer, size_t *buffer_size, void *retval, va_list ap,
+    void *cache_mdata)
+{
+	char *name;
+	gid_t gid;
+	struct group *grp;
+	char *orig_buf;
+	size_t orig_buf_size;
+
+	struct group new_grp;
+	size_t desired_size, size, mem_size;
+	char *p, **mem;
+
+	switch ((enum nss_lookup_type)cache_mdata) {
+	case nss_lt_name:
+		name = va_arg(ap, char *);
+		break;
+	case nss_lt_id:
+		gid = va_arg(ap, gid_t);
+		break;
+	case nss_lt_all:
+		break;
+	default:
+		/* should be unreachable */
+		return (NS_UNAVAIL);
 	}
-tryagain:
-#endif
 
-	if (!grscan(0, 0, NULL))
-		return(NULL);
-#ifdef YP
-	if(_gr_group.gr_name[0] == '+' && _gr_group.gr_name[1]) {
-		_getypgroup(&_gr_group, &_gr_group.gr_name[1],
-			    "group.byname");
-	} else if(_gr_group.gr_name[0] == '+') {
-		if (!_nextypgroup(&_gr_group))
-			goto tryagain;
-		else
-			return(&_gr_group);
+	grp = va_arg(ap, struct group *);
+	orig_buf = va_arg(ap, char *);
+	orig_buf_size = va_arg(ap, size_t);
+
+	desired_size = _ALIGNBYTES + sizeof(struct group) + sizeof(char *);
+
+	if (grp->gr_name != NULL)
+		desired_size += strlen(grp->gr_name) + 1;
+	if (grp->gr_passwd != NULL)
+		desired_size += strlen(grp->gr_passwd) + 1;
+
+	if (grp->gr_mem != NULL) {
+		mem_size = 0;
+		for (mem = grp->gr_mem; *mem; ++mem) {
+			desired_size += strlen(*mem) + 1;
+			++mem_size;
+		}
+
+		desired_size += _ALIGNBYTES + (mem_size + 1) * sizeof(char *);
 	}
-#endif
-	return(&_gr_group);
+
+	if (desired_size > *buffer_size) {
+		/* this assignment is here for future use */
+		*buffer_size = desired_size;
+		return (NS_RETURN);
+	}
+
+	memcpy(&new_grp, grp, sizeof(struct group));
+	memset(buffer, 0, desired_size);
+
+	*buffer_size = desired_size;
+	p = buffer + sizeof(struct group) + sizeof(char *);
+	memcpy(buffer + sizeof(struct group), &p, sizeof(char *));
+	p = (char *)_ALIGN(p);
+
+	if (new_grp.gr_name != NULL) {
+		size = strlen(new_grp.gr_name);
+		memcpy(p, new_grp.gr_name, size);
+		new_grp.gr_name = p;
+		p += size + 1;
+	}
+
+	if (new_grp.gr_passwd != NULL) {
+		size = strlen(new_grp.gr_passwd);
+		memcpy(p, new_grp.gr_passwd, size);
+		new_grp.gr_passwd = p;
+		p += size + 1;
+	}
+
+	if (new_grp.gr_mem != NULL) {
+		p = (char *)_ALIGN(p);
+		memcpy(p, new_grp.gr_mem, sizeof(char *) * mem_size);
+		new_grp.gr_mem = (char **)p;
+		p += sizeof(char *) * (mem_size + 1);
+
+		for (mem = new_grp.gr_mem; *mem; ++mem) {
+			size = strlen(*mem);
+			memcpy(p, *mem, size);
+			*mem = p;
+			p += size + 1;
+		}
+	}
+
+	memcpy(buffer, &new_grp, sizeof(struct group));
+	return (NS_SUCCESS);
 }
 
-struct group *
-getgrnam(const char *name)
+static int
+grp_unmarshal_func(char *buffer, size_t buffer_size, void *retval, va_list ap,
+    void *cache_mdata)
 {
-	int rval;
+	char *name;
+	gid_t gid;
+	struct group *grp;
+	char *orig_buf;
+	size_t orig_buf_size;
+	int *ret_errno;
 
-	if (!start_gr())
-		return(NULL);
-#ifdef YP
-	tryagain:
+	char *p;
+	char **mem;
+
+	switch ((enum nss_lookup_type)cache_mdata) {
+	case nss_lt_name:
+		name = va_arg(ap, char *);
+		break;
+	case nss_lt_id:
+		gid = va_arg(ap, gid_t);
+		break;
+	case nss_lt_all:
+		break;
+	default:
+		/* should be unreachable */
+		return (NS_UNAVAIL);
+	}
+
+	grp = va_arg(ap, struct group *);
+	orig_buf = va_arg(ap, char *);
+	orig_buf_size = va_arg(ap, size_t);
+	ret_errno = va_arg(ap, int *);
+
+	if (orig_buf_size <
+	    buffer_size - sizeof(struct group) - sizeof(char *)) {
+		*ret_errno = ERANGE;
+		return (NS_RETURN);
+	}
+
+	memcpy(grp, buffer, sizeof(struct group));
+	memcpy(&p, buffer + sizeof(struct group), sizeof(char *));
+
+	orig_buf = (char *)_ALIGN(orig_buf);
+	memcpy(orig_buf, buffer + sizeof(struct group) + sizeof(char *) +
+	    _ALIGN(p) - (size_t)p,
+	    buffer_size - sizeof(struct group) - sizeof(char *) -
+	    _ALIGN(p) + (size_t)p);
+	p = (char *)_ALIGN(p);
+
+	NS_APPLY_OFFSET(grp->gr_name, orig_buf, p, char *);
+	NS_APPLY_OFFSET(grp->gr_passwd, orig_buf, p, char *);
+	if (grp->gr_mem != NULL) {
+		NS_APPLY_OFFSET(grp->gr_mem, orig_buf, p, char **);
+
+		for (mem = grp->gr_mem; *mem; ++mem)
+			NS_APPLY_OFFSET(*mem, orig_buf, p, char *);
+	}
+
+	if (retval != NULL)
+		*((struct group **)retval) = grp;
+
+	return (NS_SUCCESS);
+}
+
+NSS_MP_CACHE_HANDLING(group);
+#endif /* NS_CACHING */
+
+#ifdef NS_CACHING
+static const nss_cache_info setgrent_cache_info = NS_MP_CACHE_INFO_INITIALIZER(
+	group, (void *)nss_lt_all,
+	NULL, NULL);
+#endif
+
+static const ns_dtab setgrent_dtab[] = {
+	{ NSSRC_FILES, files_setgrent, (void *)SETGRENT },
+#ifdef HESIOD
+	{ NSSRC_DNS, dns_setgrent, (void *)SETGRENT },
 #endif
-	rval = grscan(1, 0, name);
 #ifdef YP
-	if(rval == -1 && (_gr_yp_enabled < 0 || (_gr_yp_enabled &&
-					_gr_group.gr_name[0] == '+'))) {
-		if (!(rval = _getypgroup(&_gr_group, name, "group.byname")))
-			goto tryagain;
-	}
+	{ NSSRC_NIS, nis_setgrent, (void *)SETGRENT },
 #endif
-	if (!_gr_stayopen)
-		endgrent();
-	return (rval) ? &_gr_group : NULL;
-}
+	{ NSSRC_COMPAT, compat_setgrent, (void *)SETGRENT },
+#ifdef NS_CACHING
+	NS_CACHE_CB(&setgrent_cache_info)
+#endif
+	{ NULL, NULL, NULL }
+};
 
-struct group *
-getgrgid(gid_t gid)
-{
-	int rval;
+#ifdef NS_CACHING
+static const nss_cache_info endgrent_cache_info = NS_MP_CACHE_INFO_INITIALIZER(
+	group, (void *)nss_lt_all,
+	NULL, NULL);
+#endif
 
-	if (!start_gr())
-		return(NULL);
+static const ns_dtab endgrent_dtab[] = {
+	{ NSSRC_FILES, files_setgrent, (void *)ENDGRENT },
+#ifdef HESIOD
+	{ NSSRC_DNS, dns_setgrent, (void *)ENDGRENT },
+#endif
 #ifdef YP
-	tryagain:
+	{ NSSRC_NIS, nis_setgrent, (void *)ENDGRENT },
+#endif
+	{ NSSRC_COMPAT, compat_setgrent, (void *)ENDGRENT },
+#ifdef NS_CACHING
+	NS_CACHE_CB(&endgrent_cache_info)
+#endif
+	{ NULL, NULL, NULL }
+};
+
+#ifdef NS_CACHING
+static const nss_cache_info getgrent_r_cache_info = NS_MP_CACHE_INFO_INITIALIZER(
+	group, (void *)nss_lt_all,
+	grp_marshal_func, grp_unmarshal_func);
+#endif
+
+static const ns_dtab getgrent_r_dtab[] = {
+	{ NSSRC_FILES, files_group, (void *)nss_lt_all },
+#ifdef HESIOD
+	{ NSSRC_DNS, dns_group, (void *)nss_lt_all },
 #endif
-	rval = grscan(1, gid, NULL);
 #ifdef YP
-	if(rval == -1 && _gr_yp_enabled) {
-		char buf[16];
-		snprintf(buf, sizeof buf, "%d", (unsigned)gid);
-		if (!(rval = _getypgroup(&_gr_group, buf, "group.bygid")))
-			goto tryagain;
-	}
+	{ NSSRC_NIS, nis_group, (void *)nss_lt_all },
 #endif
-	if (!_gr_stayopen)
-		endgrent();
-	return (rval) ? &_gr_group : NULL;
-}
+	{ NSSRC_COMPAT, compat_group, (void *)nss_lt_all },
+#ifdef NS_CACHING
+	NS_CACHE_CB(&getgrent_r_cache_info)
+#endif
+	{ NULL, NULL, NULL }
+};
 
 static int
-start_gr(void)
+gr_addgid(gid_t gid, gid_t *groups, int maxgrp, int *grpcnt)
 {
-	if (_gr_fp) {
-		rewind(_gr_fp);
-		return(1);
+	int     ret, dupc;
+
+	for (dupc = 0; dupc < MIN(maxgrp, *grpcnt); dupc++) {
+		if (groups[dupc] == gid)
+			return 1;
 	}
-	_gr_fp = fopen(_PATH_GROUP, "r");
-	if(!_gr_fp) return 0;
-#ifdef YP
+
+	ret = 1;
+	if (*grpcnt < maxgrp)
+		groups[*grpcnt] = gid;
+	else
+		ret = 0;
+
+	(*grpcnt)++;
+
+	return ret;
+}
+
+static int
+getgroupmembership_fallback(void *retval, void *mdata, va_list ap)
+{
+	const ns_src src[] = {
+		{ mdata, NS_SUCCESS },
+		{ NULL, 0}
+	};
+	struct group	grp;
+	struct group	*grp_p;
+	char		*buf;
+	size_t		bufsize;
+	const char	*uname;
+	gid_t		*groups;
+	gid_t		agroup;
+	int 		maxgrp, *grpcnt;
+	int		i, rv, ret_errno;
+
 	/*
-	 * This is a disgusting hack, used to determine when YP is enabled.
-	 * This would be easier if we had a group database to go along with
-	 * the password database.
+	 * As this is a fallback method, only provided src
+	 * list will be respected during methods search.
 	 */
-	{
-		char *my_line;
-		size_t linelen;
-		_gr_yp_enabled = 0;
-		while((my_line = fgetln(_gr_fp, &linelen)) != NULL) {
-			if(my_line[0] == '+') {
-				if(my_line[1] && my_line[1] != ':' && !_gr_yp_enabled) {
-					_gr_yp_enabled = 1;
-				} else {
-					_gr_yp_enabled = -1;
-					break;
+	assert(src[0].name != NULL);
+
+	uname = va_arg(ap, const char *);
+	agroup = va_arg(ap, gid_t);
+	groups = va_arg(ap, gid_t *);
+	maxgrp = va_arg(ap, int);
+	grpcnt = va_arg(ap, int *);
+
+	rv = NS_UNAVAIL;
+
+	buf = malloc(GRP_STORAGE_INITIAL);
+	if (buf == NULL)
+		goto out;
+
+	bufsize = GRP_STORAGE_INITIAL;
+
+	gr_addgid(agroup, groups, maxgrp, grpcnt);
+
+	_nsdispatch(NULL, setgrent_dtab, NSDB_GROUP, "setgrent", src, 0);
+	for (;;) {
+		do {
+			ret_errno = 0;
+			grp_p = NULL;
+			rv = _nsdispatch(&grp_p, getgrent_r_dtab, NSDB_GROUP,
+			    "getgrent_r", src, &grp, buf, bufsize, &ret_errno);
+
+			if (grp_p == NULL && ret_errno == ERANGE) {
+				free(buf);
+				if ((bufsize << 1) > GRP_STORAGE_MAX) {
+					buf = NULL;
+					errno = ERANGE;
+					goto out;
+				}
+
+				bufsize <<= 1;
+				buf = malloc(bufsize);
+				if (buf == NULL) {
+					goto out;
 				}
 			}
+		} while (grp_p == NULL && ret_errno == ERANGE);
+
+		if (ret_errno != 0) {
+			errno = ret_errno;
+			goto out;
 		}
-		rewind(_gr_fp);
-	}
-#endif
 
-	if (maxlinelength == 0) {
-		if ((line = (char *)malloc(MAXLINELENGTH)) == NULL)
-			return 0;
-		maxlinelength += MAXLINELENGTH;
-	}
+		if (grp_p == NULL)
+			break;
 
-	if (maxgrp == 0) {
-		if ((members = (char **) malloc(sizeof(char **) * 
-					       MAXGRP)) == NULL)
-			return 0;
-		maxgrp += MAXGRP;
+		for (i = 0; grp.gr_mem[i]; i++) {
+			if (strcmp(grp.gr_mem[i], uname) == 0)
+			    gr_addgid(grp.gr_gid, groups, maxgrp, grpcnt);
+		}
 	}
 
-	return 1;
+	_nsdispatch(NULL, endgrent_dtab, NSDB_GROUP, "endgrent", src);
+out:
+	free(buf);
+	return (rv);
 }
 
+/* XXX IEEE Std 1003.1, 2003 specifies `void setgrent(void)' */
 int
 setgrent(void)
 {
-	return setgroupent(0);
+	_nsdispatch(NULL, setgrent_dtab, NSDB_GROUP, "setgrent", defaultsrc, 0);
+	return (1);
 }
 
+
 int
 setgroupent(int stayopen)
 {
-	if (!start_gr())
-		return 0;
-	_gr_stayopen = stayopen;
-#ifdef YP
-	_gr_stepping_yp = 0;
-#endif
-	return 1;
+	_nsdispatch(NULL, setgrent_dtab, NSDB_GROUP, "setgrent", defaultsrc,
+	    stayopen);
+	return (1);
 }
 
+
 void
 endgrent(void)
 {
-#ifdef YP
-	_gr_stepping_yp = 0;
-#endif
-	if (_gr_fp) {
-		(void)fclose(_gr_fp);
-		_gr_fp = NULL;
-	}
+	_nsdispatch(NULL, endgrent_dtab, NSDB_GROUP, "endgrent", defaultsrc);
 }
 
-static int
-grscan(int search, gid_t gid, const char *name)
+
+int
+getgrent_r(struct group *grp, char *buffer, size_t bufsize,
+    struct group **result)
 {
-	char *cp, **m;
-	char *bp;
+	int	rv, ret_errno;
+
+	ret_errno = 0;
+	*result = NULL;
+	rv = _nsdispatch(result, getgrent_r_dtab, NSDB_GROUP, "getgrent_r", defaultsrc,
+	    grp, buffer, bufsize, &ret_errno);
+	if (rv == NS_SUCCESS)
+		return (0);
+	else
+		return (ret_errno);
+}
 
 
-#ifdef YP
-	int _ypfound;
+int
+getgrnam_r(const char *name, struct group *grp, char *buffer, size_t bufsize,
+    struct group **result)
+{
+#ifdef NS_CACHING
+	static const nss_cache_info cache_info =
+		NS_COMMON_CACHE_INFO_INITIALIZER(
+		group, (void *)nss_lt_name,
+		grp_id_func, grp_marshal_func, grp_unmarshal_func);
+#endif
+
+	static const ns_dtab dtab[] = {
+		{ NSSRC_FILES, files_group, (void *)nss_lt_name },
+#ifdef HESIOD
+		{ NSSRC_DNS, dns_group, (void *)nss_lt_name },
 #endif
-	for (;;) {
 #ifdef YP
-		_ypfound = 0;
+		{ NSSRC_NIS, nis_group, (void *)nss_lt_name },
 #endif
-		if (fgets(line, maxlinelength, _gr_fp) == NULL)
-			return(0);
-
-		if (!index(line, '\n')) {
-			do {
-				if (feof(_gr_fp))
-					return(0);
-			
-				/* don't allocate infinite memory */
-				if (MAXLINELENGTHLIMIT > 0 && 
-				    maxlinelength >= MAXLINELENGTHLIMIT)
-					return(0);
-
-				if ((line = reallocf(line, 
-				     (maxlinelength + MAXLINELENGTH))) == NULL)
-					return(0);
-			
-				if (fgets(line + maxlinelength - 1, 
-					  MAXLINELENGTH + 1, _gr_fp) == NULL)
-					return(0);
-
-				maxlinelength += MAXLINELENGTH;
-			} while (!index(line + maxlinelength - 
-				       MAXLINELENGTH - 1, '\n'));
-		}
-
-#ifdef GROUP_IGNORE_COMMENTS
-		/* 
-		 * Ignore comments: ^[ \t]*#
-		 */
-		for (cp = line; *cp != '\0'; cp++)
-			if (*cp != ' ' && *cp != '\t')
-				break;
-		if (*cp == '#' || *cp == '\0')
-			continue;
+		{ NSSRC_COMPAT, compat_group, (void *)nss_lt_name },
+#ifdef NS_CACHING
+		NS_CACHE_CB(&cache_info)
 #endif
+		{ NULL, NULL, NULL }
+	};
+	int	rv, ret_errno;
 
-		bp = line;
+	ret_errno = 0;
+	*result = NULL;
+	rv = _nsdispatch(result, dtab, NSDB_GROUP, "getgrnam_r", defaultsrc,
+	    name, grp, buffer, bufsize, &ret_errno);
+	if (rv == NS_SUCCESS)
+		return (0);
+	else
+		return (ret_errno);
+}
 
-		if ((_gr_group.gr_name = strsep(&bp, ":\n")) == NULL)
-			break;
-#ifdef YP
-		/*
-		 * XXX   We need to be careful to avoid proceeding
-		 * past this point under certain circumstances or
-		 * we risk dereferencing null pointers down below.
-		 */
-		if (_gr_group.gr_name[0] == '+') {
-			if (strlen(_gr_group.gr_name) == 1) {
-				switch(search) {
-				case 0:
-					return(1);
-				case 1:
-					return(-1);
-				default:
-					return(0);
-				}
-			} else {
-				cp = &_gr_group.gr_name[1];
-				if (search && name != NULL)
-					if (strcmp(cp, name))
-						continue;
-				if (!_getypgroup(&_gr_group, cp,
-						"group.byname"))
-					continue;
-				if (search && name == NULL)
-					if (gid != _gr_group.gr_gid)
-						continue;
-			/* We're going to override -- tell the world. */
-				_ypfound++;
-			}
-		}
-#else
-		if (_gr_group.gr_name[0] == '+')
-			continue;
-#endif /* YP */
-		if (search && name) {
-			if(strcmp(_gr_group.gr_name, name)) {
-				continue;
-			}
-		}
-#ifdef YP
-		if ((cp = strsep(&bp, ":\n")) == NULL) {
-			if (_ypfound)
-				return(1);
-			else
-				break;
-		}
-		if (strlen(cp) || !_ypfound)
-			_gr_group.gr_passwd = cp;
-#else
-		if ((_gr_group.gr_passwd = strsep(&bp, ":\n")) == NULL)
-			break;
+
+int
+getgrgid_r(gid_t gid, struct group *grp, char *buffer, size_t bufsize,
+    struct group **result)
+{
+#ifdef NS_CACHING
+	static const nss_cache_info cache_info =
+		NS_COMMON_CACHE_INFO_INITIALIZER(
+		group, (void *)nss_lt_id,
+		grp_id_func, grp_marshal_func, grp_unmarshal_func);
 #endif
-		if (!(cp = strsep(&bp, ":\n"))) {
-#ifdef YP
-			if (_ypfound)
-				return(1);
-			else
+
+	static const ns_dtab dtab[] = {
+		{ NSSRC_FILES, files_group, (void *)nss_lt_id },
+#ifdef HESIOD
+		{ NSSRC_DNS, dns_group, (void *)nss_lt_id },
 #endif
-				continue;
-		}
 #ifdef YP
-		/*
-		 * Hurm. Should we be doing this? We allow UIDs to
-		 * be overridden -- what about GIDs?
-		 */
-		if (!_ypfound)
+		{ NSSRC_NIS, nis_group, (void *)nss_lt_id },
 #endif
-		_gr_group.gr_gid = atoi(cp);
-		if (search && name == NULL && _gr_group.gr_gid != gid)
-			continue;
-		cp = NULL;
-		if (bp == NULL) /* !!! Must check for this! */
-			break;
-#ifdef YP
-		if ((cp = strsep(&bp, ":\n")) == NULL)
-			break;
-
-		if (!strlen(cp) && _ypfound)
-			return(1);
-		else
-			members[0] = NULL;
-		bp = cp;
-		cp = NULL;
+		{ NSSRC_COMPAT, compat_group, (void *)nss_lt_id },
+#ifdef NS_CACHING
+		NS_CACHE_CB(&cache_info)
 #endif
-		for (m = members; ; bp++) {
-			if (m == (members + maxgrp - 1)) {
-				if ((members = (char **)
-				     reallocf(members, 
-					     sizeof(char **) * 
-					     (maxgrp + MAXGRP))) == NULL)
-					return(0);
-				m = members + maxgrp - 1;
-				maxgrp += MAXGRP;
+		{ NULL, NULL, NULL }
+	};
+	int	rv, ret_errno;
+
+	ret_errno = 0;
+	*result = NULL;
+	rv = _nsdispatch(result, dtab, NSDB_GROUP, "getgrgid_r", defaultsrc,
+	    gid, grp, buffer, bufsize, &ret_errno);
+	if (rv == NS_SUCCESS)
+		return (0);
+	else
+		return (ret_errno);
+}
+
+
+
+int
+__getgroupmembership(const char *uname, gid_t agroup, gid_t *groups,
+	int maxgrp, int *grpcnt)
+{
+	static const ns_dtab dtab[] = {
+		NS_FALLBACK_CB(getgroupmembership_fallback)
+		{ NULL, NULL, NULL }
+	};
+	int rv;
+
+	assert(uname != NULL);
+	/* groups may be NULL if just sizing when invoked with maxgrp = 0 */
+	assert(grpcnt != NULL);
+
+	*grpcnt = 0;
+	rv = _nsdispatch(NULL, dtab, NSDB_GROUP, "getgroupmembership",
+	    defaultsrc, uname, agroup, groups, maxgrp, grpcnt);
+
+	/* too many groups found? */
+	return (*grpcnt > maxgrp ? -1 : 0);
+}
+
+
+static struct group	 grp;
+static char		*grp_storage;
+static size_t		 grp_storage_size;
+
+static struct group *
+getgr(int (*fn)(union key, struct group *, char *, size_t, struct group **),
+    union key key)
+{
+	int		 rv;
+	struct group	*res;
+
+	if (grp_storage == NULL) {
+		grp_storage = malloc(GRP_STORAGE_INITIAL);
+		if (grp_storage == NULL)
+			return (NULL);
+		grp_storage_size = GRP_STORAGE_INITIAL;
+	}
+	do {
+		rv = fn(key, &grp, grp_storage, grp_storage_size, &res);
+		if (res == NULL && rv == ERANGE) {
+			free(grp_storage);
+			if ((grp_storage_size << 1) > GRP_STORAGE_MAX) {
+				grp_storage = NULL;
+				errno = ERANGE;
+				return (NULL);
 			}
-			if (*bp == ',') {
-				if (cp) {
-					*bp = '\0';
-					*m++ = cp;
-					cp = NULL;
-				}
-			} else if (*bp == '\0' || *bp == '\n' || *bp == ' ') {
-				if (cp) {
-					*bp = '\0';
-					*m++ = cp;
-				}
-				break;
-			} else if (cp == NULL)
-				cp = bp;
-			
+			grp_storage_size <<= 1;
+			grp_storage = malloc(grp_storage_size);
+			if (grp_storage == NULL)
+				return (NULL);
 		}
-		_gr_group.gr_mem = members;
-		*m = NULL;
-		return(1);
-	}
-	/* NOTREACHED */
-	return (0);
+	} while (res == NULL && rv == ERANGE);
+	if (rv != 0)
+		errno = rv;
+	return (res);
 }
 
-#ifdef YP
 
 static int
-_gr_breakout_yp(struct group *gr, char *result)
+wrap_getgrnam_r(union key key, struct group *grp, char *buffer, size_t bufsize,
+    struct group **res)
 {
-	char *s, *cp;
-	char **m;
+	return (getgrnam_r(key.name, grp, buffer, bufsize, res));
+}
+
+
+static int
+wrap_getgrgid_r(union key key, struct group *grp, char *buffer, size_t bufsize,
+    struct group **res)
+{
+	return (getgrgid_r(key.gid, grp, buffer, bufsize, res));
+}
+
+
+static int
+wrap_getgrent_r(union key key __unused, struct group *grp, char *buffer,
+    size_t bufsize, struct group **res)
+{
+	return (getgrent_r(grp, buffer, bufsize, res));
+}
+
+
+struct group *
+getgrnam(const char *name)
+{
+	union key key;
+
+	key.name = name;
+	return (getgr(wrap_getgrnam_r, key));
+}
+
+
+struct group *
+getgrgid(gid_t gid)
+{
+	union key key;
+
+	key.gid = gid;
+	return (getgr(wrap_getgrgid_r, key));
+}
+
+
+struct group *
+getgrent(void)
+{
+	union key key;
+
+	key.gid = 0; /* not used */
+	return (getgr(wrap_getgrent_r, key));
+}
+
+
+static int
+is_comment_line(const char *s, size_t n)
+{
+	const char	*eom;
+
+	eom = &s[n];
+
+	for (; s < eom; s++)
+		if (*s == '#' || !isspace((unsigned char)*s))
+			break;
+	return (*s == '#' || s == eom);
+}
 
-	/*
-	 * XXX If 's' ends up being a NULL pointer, punt on this group.
-	 * It means the NIS group entry is badly formatted and should
-	 * be skipped.
-	 */
-	if ((s = strsep(&result, ":")) == NULL) return 0; /* name */
-	gr->gr_name = s;
 
-	if ((s = strsep(&result, ":")) == NULL) return 0; /* password */
-	gr->gr_passwd = s;
+/*
+ * files backend
+ */
+static void
+files_endstate(void *p)
+{
 
-	if ((s = strsep(&result, ":")) == NULL) return 0; /* gid */
-	gr->gr_gid = atoi(s);
+	if (p == NULL)
+		return;
+	if (((struct files_state *)p)->fp != NULL)
+		fclose(((struct files_state *)p)->fp);
+	free(p);
+}
 
-	if ((s = result) == NULL) return 0;
-	cp = 0;
 
-	for (m = members; ; s++) {
-		if (m == members + maxgrp - 1) {
-			if ((members = (char **)reallocf(members, 
-			     sizeof(char **) * (maxgrp + MAXGRP))) == NULL)
-				return(0);
-			m = members + maxgrp - 1;
-			maxgrp += MAXGRP;
+static int
+files_setgrent(void *retval, void *mdata, va_list ap)
+{
+	struct files_state *st;
+	int		 rv, stayopen;
+
+	rv = files_getstate(&st);
+	if (rv != 0)
+		return (NS_UNAVAIL);
+	switch ((enum constants)mdata) {
+	case SETGRENT:
+		stayopen = va_arg(ap, int);
+		if (st->fp != NULL)
+			rewind(st->fp);
+		else if (stayopen)
+			st->fp = fopen(_PATH_GROUP, "r");
+		break;
+	case ENDGRENT:
+		if (st->fp != NULL) {
+			fclose(st->fp);
+			st->fp = NULL;
 		}
-		if (*s == ',') {
-			if (cp) {
-				*s = '\0';
-				*m++ = cp;
-				cp = NULL;
-			}
-		} else if (*s == '\0' || *s == '\n' || *s == ' ') {
-			if (cp) {
-				*s = '\0';
-				*m++ = cp;
-			}
+		break;
+	default:
+		break;
+	}
+	return (NS_UNAVAIL);
+}
+
+
+static int
+files_group(void *retval, void *mdata, va_list ap)
+{
+	struct files_state	*st;
+	enum nss_lookup_type	 how;
+	const char		*name, *line;
+	struct group		*grp;
+	gid_t			 gid;
+	char			*buffer;
+	size_t			 bufsize, linesize;
+	off_t			 pos;
+	int			 rv, stayopen, *errnop;
+
+	name = NULL;
+	gid = (gid_t)-1;
+	how = (enum nss_lookup_type)mdata;
+	switch (how) {
+	case nss_lt_name:
+		name = va_arg(ap, const char *);
+		break;
+	case nss_lt_id:
+		gid = va_arg(ap, gid_t);
+		break;
+	case nss_lt_all:
+		break;
+	default:
+		return (NS_NOTFOUND);
+	}
+	grp = va_arg(ap, struct group *);
+	buffer = va_arg(ap, char *);
+	bufsize = va_arg(ap, size_t);
+	errnop = va_arg(ap, int *);
+	*errnop = files_getstate(&st);
+	if (*errnop != 0)
+		return (NS_UNAVAIL);
+	if (st->fp == NULL &&
+	    ((st->fp = fopen(_PATH_GROUP, "r")) == NULL)) {
+		*errnop = errno;
+		return (NS_UNAVAIL);
+	}
+	if (how == nss_lt_all)
+		stayopen = 1;
+	else {
+		rewind(st->fp);
+		stayopen = st->stayopen;
+	}
+	rv = NS_NOTFOUND;
+	pos = ftello(st->fp);
+	while ((line = fgetln(st->fp, &linesize)) != NULL) {
+		if (line[linesize-1] == '\n')
+			linesize--;
+		rv = __gr_match_entry(line, linesize, how, name, gid);
+		if (rv != NS_SUCCESS)
+			continue;
+		/* We need room at least for the line, a string NUL
+		 * terminator, alignment padding, and one (char *)
+		 * pointer for the member list terminator.
+		 */
+		if (bufsize <= linesize + _ALIGNBYTES + sizeof(char *)) {
+			*errnop = ERANGE;
+			rv = NS_RETURN;
 			break;
-		} else if (cp == NULL) {
-			cp = s;
 		}
+		memcpy(buffer, line, linesize);
+		buffer[linesize] = '\0';
+		rv = __gr_parse_entry(buffer, linesize, grp,
+		    &buffer[linesize + 1], bufsize - linesize - 1, errnop);
+		if (rv & NS_TERMINATE)
+			break;
+		pos = ftello(st->fp);
 	}
-	_gr_group.gr_mem = members;
-	*m = NULL;
+	if (!stayopen && st->fp != NULL) {
+		fclose(st->fp);
+		st->fp = NULL;
+	}
+	if (rv == NS_SUCCESS && retval != NULL)
+		*(struct group **)retval = grp;
+	else if (rv == NS_RETURN && *errnop == ERANGE && st->fp != NULL)
+		fseeko(st->fp, pos, SEEK_SET);
+	return (rv);
+}
+
 
-	return 1;
+#ifdef HESIOD
+/*
+ * dns backend
+ */
+static void
+dns_endstate(void *p)
+{
+
+	free(p);
+}
+
+
+static int
+dns_setgrent(void *retval, void *cb_data, va_list ap)
+{
+	struct dns_state	*st;
+	int			 rv;
+
+	rv = dns_getstate(&st);
+	if (rv != 0)
+		return (NS_UNAVAIL);
+	st->counter = 0;
+	return (NS_UNAVAIL);
 }
 
-static char *_gr_yp_domain;
 
 static int
-_getypgroup(struct group *gr, const char *name, const char *map)
+dns_group(void *retval, void *mdata, va_list ap)
 {
-	char *result, *s;
-	static char resultbuf[YPMAXRECORD + 2];
-	int resultlen;
+	char			 buf[HESIOD_NAME_MAX];
+	struct dns_state	*st;
+	struct group		*grp;
+	const char		*name, *label;
+	void			*ctx;
+	char			*buffer, **hes;
+	size_t			 bufsize, adjsize, linesize;
+	gid_t			 gid;
+	enum nss_lookup_type	 how;
+	int			 rv, *errnop;
 
-	if(!_gr_yp_domain) {
-		if(yp_get_default_domain(&_gr_yp_domain))
-		  return 0;
+	ctx = NULL;
+	hes = NULL;
+	name = NULL;
+	gid = (gid_t)-1;
+	how = (enum nss_lookup_type)mdata;
+	switch (how) {
+	case nss_lt_name:
+		name = va_arg(ap, const char *);
+		break;
+	case nss_lt_id:
+		gid = va_arg(ap, gid_t);
+		break;
+	case nss_lt_all:
+		break;
+	}
+	grp     = va_arg(ap, struct group *);
+	buffer  = va_arg(ap, char *);
+	bufsize = va_arg(ap, size_t);
+	errnop  = va_arg(ap, int *);
+	*errnop = dns_getstate(&st);
+	if (*errnop != 0)
+		return (NS_UNAVAIL);
+	if (hesiod_init(&ctx) != 0) {
+		*errnop = errno;
+		rv = NS_UNAVAIL;
+		goto fin;
 	}
+	do {
+		rv = NS_NOTFOUND;
+		switch (how) {
+		case nss_lt_name:
+			label = name;
+			break;
+		case nss_lt_id:
+			if (snprintf(buf, sizeof(buf), "%lu",
+			    (unsigned long)gid) >= sizeof(buf))
+				goto fin;
+			label = buf;
+			break;
+		case nss_lt_all:
+			if (st->counter < 0)
+				goto fin;
+			if (snprintf(buf, sizeof(buf), "group-%ld",
+			    st->counter++) >= sizeof(buf))
+				goto fin;
+			label = buf;
+			break;
+		}
+		hes = hesiod_resolve(ctx, label,
+		    how == nss_lt_id ? "gid" : "group");
+		if ((how == nss_lt_id && hes == NULL &&
+		    (hes = hesiod_resolve(ctx, buf, "group")) == NULL) ||
+		    hes == NULL) {
+			if (how == nss_lt_all)
+				st->counter = -1;
+			if (errno != ENOENT)
+				*errnop = errno;
+			goto fin;
+		}
+		rv = __gr_match_entry(hes[0], strlen(hes[0]), how, name, gid);
+		if (rv != NS_SUCCESS) {
+			hesiod_free_list(ctx, hes);
+			hes = NULL;
+			continue;
+		}
+		/* We need room at least for the line, a string NUL
+		 * terminator, alignment padding, and one (char *)
+		 * pointer for the member list terminator.
+		 */
+		adjsize = bufsize - _ALIGNBYTES - sizeof(char *);
+		linesize = strlcpy(buffer, hes[0], adjsize);
+		if (linesize >= adjsize) {
+			*errnop = ERANGE;
+			rv = NS_RETURN;
+			goto fin;
+		}
+		hesiod_free_list(ctx, hes);
+		hes = NULL;
+		rv = __gr_parse_entry(buffer, linesize, grp,
+		    &buffer[linesize + 1], bufsize - linesize - 1, errnop);
+	} while (how == nss_lt_all && !(rv & NS_TERMINATE));
+fin:
+	if (hes != NULL)
+		hesiod_free_list(ctx, hes);
+	if (ctx != NULL)
+		hesiod_end(ctx);
+	if (rv == NS_SUCCESS && retval != NULL)
+		*(struct group **)retval = grp;
+	return (rv);
+}
+#endif /* HESIOD */
 
-	if(yp_match(_gr_yp_domain, map, name, strlen(name),
-		    &result, &resultlen))
-		return 0;
 
-	s = strchr(result, '\n');
-	if(s) *s = '\0';
+#ifdef YP
+/*
+ * nis backend
+ */
+static void
+nis_endstate(void *p)
+{
+
+	if (p == NULL)
+		return;
+	free(((struct nis_state *)p)->key);
+	free(p);
+}
 
-	if (strlcpy(resultbuf, result, sizeof(resultbuf)) >= sizeof(resultbuf))
-		return(0);
-	free(result);
-	return(_gr_breakout_yp(gr, resultbuf));
 
+static int
+nis_setgrent(void *retval, void *cb_data, va_list ap)
+{
+	struct nis_state	*st;
+	int			 rv;
+
+	rv = nis_getstate(&st);
+	if (rv != 0)
+		return (NS_UNAVAIL);
+	st->done = 0;
+	free(st->key);
+	st->key = NULL;
+	return (NS_UNAVAIL);
 }
 
 
 static int
-_nextypgroup(struct group *gr)
+nis_group(void *retval, void *mdata, va_list ap)
 {
-	static char *key;
-	static size_t keylen;
-	char *lastkey, *result;
-	static char resultbuf[YPMAXRECORD + 2];
-	size_t resultlen;
-	int rv;
+	char		 *map;
+	struct nis_state *st;
+	struct group	*grp;
+	const char	*name;
+	char		*buffer, *key, *result;
+	size_t		 bufsize;
+	gid_t		 gid;
+	enum nss_lookup_type how;
+	int		*errnop, keylen, resultlen, rv;
 
-	if(!_gr_yp_domain) {
-		if(yp_get_default_domain(&_gr_yp_domain))
-		  return 0;
+	name = NULL;
+	gid = (gid_t)-1;
+	how = (enum nss_lookup_type)mdata;
+	switch (how) {
+	case nss_lt_name:
+		name = va_arg(ap, const char *);
+		map = "group.byname";
+		break;
+	case nss_lt_id:
+		gid = va_arg(ap, gid_t);
+		map = "group.bygid";
+		break;
+	case nss_lt_all:
+		map = "group.byname";
+		break;
 	}
-
-	if(!_gr_stepping_yp) {
-		if(key) free(key);
-		rv = yp_first(_gr_yp_domain, "group.byname",
-			      &key, &keylen, &result, &resultlen);
-		if(rv) {
-			return 0;
+	grp     = va_arg(ap, struct group *);
+	buffer  = va_arg(ap, char *);
+	bufsize = va_arg(ap, size_t);
+	errnop  = va_arg(ap, int *);
+	*errnop = nis_getstate(&st);
+	if (*errnop != 0)
+		return (NS_UNAVAIL);
+	if (st->domain[0] == '\0') {
+		if (getdomainname(st->domain, sizeof(st->domain)) != 0) {
+			*errnop = errno;
+			return (NS_UNAVAIL);
 		}
-		_gr_stepping_yp = 1;
-		goto unpack;
-	} else {
-tryagain:
-		lastkey = key;
-		rv = yp_next(_gr_yp_domain, "group.byname", key, keylen,
-			     &key, &keylen, &result, &resultlen);
-		free(lastkey);
-unpack:
-		if(rv) {
-			_gr_stepping_yp = 0;
-			return 0;
+	}
+	result = NULL;
+	do {
+		rv = NS_NOTFOUND;
+		switch (how) {
+		case nss_lt_name:
+			if (strlcpy(buffer, name, bufsize) >= bufsize)
+				goto erange;
+			break;
+		case nss_lt_id:
+			if (snprintf(buffer, bufsize, "%lu",
+			    (unsigned long)gid) >= bufsize)
+				goto erange;
+			break;
+		case nss_lt_all:
+			if (st->done)
+				goto fin;
+			break;
 		}
+		result = NULL;
+		if (how == nss_lt_all) {
+			if (st->key == NULL)
+				rv = yp_first(st->domain, map, &st->key,
+				    &st->keylen, &result, &resultlen);
+			else {
+				key = st->key;
+				keylen = st->keylen;
+				st->key = NULL;
+				rv = yp_next(st->domain, map, key, keylen,
+				    &st->key, &st->keylen, &result,
+				    &resultlen);
+				free(key);
+			}
+			if (rv != 0) {
+				free(result);
+				free(st->key);
+				st->key = NULL;
+				if (rv == YPERR_NOMORE) {
+					st->done = 1;
+					rv = NS_NOTFOUND;
+				} else
+					rv = NS_UNAVAIL;
+				goto fin;
+			}
+		} else {
+			rv = yp_match(st->domain, map, buffer, strlen(buffer),
+			    &result, &resultlen);
+			if (rv == YPERR_KEY) {
+				rv = NS_NOTFOUND;
+				continue;
+			} else if (rv != 0) {
+				free(result);
+				rv = NS_UNAVAIL;
+				continue;
+			}
+		}
+		/* We need room at least for the line, a string NUL
+		 * terminator, alignment padding, and one (char *)
+		 * pointer for the member list terminator.
+		 */
+		if (resultlen >= bufsize - _ALIGNBYTES - sizeof(char *))
+			goto erange;
+		memcpy(buffer, result, resultlen);
+		buffer[resultlen] = '\0';
+		free(result);
+		rv = __gr_match_entry(buffer, resultlen, how, name, gid);
+		if (rv == NS_SUCCESS)
+			rv = __gr_parse_entry(buffer, resultlen, grp,
+			    &buffer[resultlen+1], bufsize - resultlen - 1,
+			    errnop);
+	} while (how == nss_lt_all && !(rv & NS_TERMINATE));
+fin:
+	if (rv == NS_SUCCESS && retval != NULL)
+		*(struct group **)retval = grp;
+	return (rv);
+erange:
+	*errnop = ERANGE;
+	return (NS_RETURN);
+}
+#endif /* YP */
 
-		if(resultlen > sizeof(resultbuf)) {
-			free(result);
-			goto tryagain;
+
+
+/*
+ * compat backend
+ */
+static void
+compat_endstate(void *p)
+{
+	struct compat_state *st;
+
+	if (p == NULL)
+		return;
+	st = (struct compat_state *)p;
+	free(st->name);
+	if (st->fp != NULL)
+		fclose(st->fp);
+	free(p);
+}
+
+
+static int
+compat_setgrent(void *retval, void *mdata, va_list ap)
+{
+	static const ns_src compatsrc[] = {
+#ifdef YP
+		{ NSSRC_NIS, NS_SUCCESS },
+#endif
+		{ NULL, 0 }
+	};
+	ns_dtab dtab[] = {
+#ifdef HESIOD
+		{ NSSRC_DNS, dns_setgrent, NULL },
+#endif
+#ifdef YP
+		{ NSSRC_NIS, nis_setgrent, NULL },
+#endif
+		{ NULL, NULL, NULL }
+	};
+	struct compat_state *st;
+	int		 rv, stayopen;
+
+#define set_setent(x, y) do {	 				\
+	int i;							\
+								\
+	for (i = 0; i < (sizeof(x)/sizeof(x[0])) - 1; i++)	\
+		x[i].mdata = (void *)y;				\
+} while (0)
+
+	rv = compat_getstate(&st);
+	if (rv != 0)
+		return (NS_UNAVAIL);
+	switch ((enum constants)mdata) {
+	case SETGRENT:
+		stayopen = va_arg(ap, int);
+		if (st->fp != NULL)
+			rewind(st->fp);
+		else if (stayopen)
+			st->fp = fopen(_PATH_GROUP, "r");
+		set_setent(dtab, mdata);
+		_nsdispatch(NULL, dtab, NSDB_GROUP_COMPAT, "setgrent",
+		    compatsrc, 0);
+		break;
+	case ENDGRENT:
+		if (st->fp != NULL) {
+			fclose(st->fp);
+			st->fp = NULL;
 		}
+		set_setent(dtab, mdata);
+		_nsdispatch(NULL, dtab, NSDB_GROUP_COMPAT, "endgrent",
+		    compatsrc, 0);
+		break;
+	default:
+		break;
+	}
+	st->compat = COMPAT_MODE_OFF;
+	free(st->name);
+	st->name = NULL;
+	return (NS_UNAVAIL);
+#undef set_setent
+}
 
-		strncpy(resultbuf, result, resultlen);
-		resultbuf[resultlen] = '\0';
-		free(result);
-		if((result = strchr(resultbuf, '\n')) != NULL)
-			*result = '\0';
-		if (_gr_breakout_yp(gr, resultbuf))
-			return(1);
-		else
-			goto tryagain;
+
+static int
+compat_group(void *retval, void *mdata, va_list ap)
+{
+	static const ns_src compatsrc[] = {
+#ifdef YP
+		{ NSSRC_NIS, NS_SUCCESS },
+#endif
+		{ NULL, 0 }
+	};
+	ns_dtab dtab[] = {
+#ifdef YP
+		{ NSSRC_NIS, nis_group, NULL },
+#endif
+#ifdef HESIOD
+		{ NSSRC_DNS, dns_group, NULL },
+#endif
+		{ NULL, NULL, NULL }
+	};
+	struct compat_state	*st;
+	enum nss_lookup_type	 how;
+	const char		*name, *line;
+	struct group		*grp;
+	gid_t			 gid;
+	char			*buffer, *p;
+	void			*discard;
+	size_t			 bufsize, linesize;
+	off_t			 pos;
+	int			 rv, stayopen, *errnop;
+
+#define set_lookup_type(x, y) do { 				\
+	int i;							\
+								\
+	for (i = 0; i < (sizeof(x)/sizeof(x[0])) - 1; i++)	\
+		x[i].mdata = (void *)y;				\
+} while (0)
+
+	name = NULL;
+	gid = (gid_t)-1;
+	how = (enum nss_lookup_type)mdata;
+	switch (how) {
+	case nss_lt_name:
+		name = va_arg(ap, const char *);
+		break;
+	case nss_lt_id:
+		gid = va_arg(ap, gid_t);
+		break;
+	case nss_lt_all:
+		break;
+	default:
+		return (NS_NOTFOUND);
+	}
+	grp = va_arg(ap, struct group *);
+	buffer = va_arg(ap, char *);
+	bufsize = va_arg(ap, size_t);
+	errnop = va_arg(ap, int *);
+	*errnop = compat_getstate(&st);
+	if (*errnop != 0)
+		return (NS_UNAVAIL);
+	if (st->fp == NULL &&
+	    ((st->fp = fopen(_PATH_GROUP, "r")) == NULL)) {
+		*errnop = errno;
+		rv = NS_UNAVAIL;
+		goto fin;
+	}
+	if (how == nss_lt_all)
+		stayopen = 1;
+	else {
+		rewind(st->fp);
+		stayopen = st->stayopen;
+	}
+docompat:
+	switch (st->compat) {
+	case COMPAT_MODE_ALL:
+		set_lookup_type(dtab, how);
+		switch (how) {
+		case nss_lt_all:
+			rv = _nsdispatch(&discard, dtab, NSDB_GROUP_COMPAT,
+			    "getgrent_r", compatsrc, grp, buffer, bufsize,
+			    errnop);
+			break;
+		case nss_lt_id:
+			rv = _nsdispatch(&discard, dtab, NSDB_GROUP_COMPAT,
+			    "getgrgid_r", compatsrc, gid, grp, buffer, bufsize,
+			    errnop);
+			break;
+		case nss_lt_name:
+			rv = _nsdispatch(&discard, dtab, NSDB_GROUP_COMPAT,
+			    "getgrnam_r", compatsrc, name, grp, buffer,
+			    bufsize, errnop);
+			break;
+		}
+		if (rv & NS_TERMINATE)
+			goto fin;
+		st->compat = COMPAT_MODE_OFF;
+		break;
+	case COMPAT_MODE_NAME:
+		set_lookup_type(dtab, nss_lt_name);
+		rv = _nsdispatch(&discard, dtab, NSDB_GROUP_COMPAT,
+		    "getgrnam_r", compatsrc, st->name, grp, buffer, bufsize,
+		    errnop);
+		switch (rv) {
+		case NS_SUCCESS:
+			switch (how) {
+			case nss_lt_name:
+				if (strcmp(name, grp->gr_name) != 0)
+					rv = NS_NOTFOUND;
+				break;
+			case nss_lt_id:
+				if (gid != grp->gr_gid)
+					rv = NS_NOTFOUND;
+				break;
+			default:
+				break;
+			}
+			break;
+		case NS_RETURN:
+			goto fin;
+		default:
+			break;
+		}
+		free(st->name);
+		st->name = NULL;
+		st->compat = COMPAT_MODE_OFF;
+		if (rv == NS_SUCCESS)
+			goto fin;
+		break;
+	default:
+		break;
+	}
+	rv = NS_NOTFOUND;
+	pos = ftello(st->fp);
+	while ((line = fgetln(st->fp, &linesize)) != NULL) {
+		if (line[linesize-1] == '\n')
+			linesize--;
+		if (linesize > 2 && line[0] == '+') {
+			p = memchr(&line[1], ':', linesize);
+			if (p == NULL || p == &line[1])
+				st->compat = COMPAT_MODE_ALL;
+			else {
+				st->name = malloc(p - line);
+				if (st->name == NULL) {
+					syslog(LOG_ERR,
+					 "getgrent memory allocation failure");
+					*errnop = ENOMEM;
+					rv = NS_UNAVAIL;
+					break;
+				}
+				memcpy(st->name, &line[1], p - line - 1);
+				st->name[p - line - 1] = '\0';
+				st->compat = COMPAT_MODE_NAME;
+			}
+			goto docompat;
+		}
+		rv = __gr_match_entry(line, linesize, how, name, gid);
+		if (rv != NS_SUCCESS)
+			continue;
+		/* We need room at least for the line, a string NUL
+		 * terminator, alignment padding, and one (char *)
+		 * pointer for the member list terminator.
+		 */
+		if (bufsize <= linesize + _ALIGNBYTES + sizeof(char *)) {
+			*errnop = ERANGE;
+			rv = NS_RETURN;
+			break;
+		}
+		memcpy(buffer, line, linesize);
+		buffer[linesize] = '\0';
+		rv = __gr_parse_entry(buffer, linesize, grp,
+		    &buffer[linesize + 1], bufsize - linesize - 1, errnop);
+		if (rv & NS_TERMINATE)
+			break;
+		pos = ftello(st->fp);
+	}
+fin:
+	if (!stayopen && st->fp != NULL) {
+		fclose(st->fp);
+		st->fp = NULL;
 	}
+	if (rv == NS_SUCCESS && retval != NULL)
+		*(struct group **)retval = grp;
+	else if (rv == NS_RETURN && *errnop == ERANGE && st->fp != NULL)
+		fseeko(st->fp, pos, SEEK_SET);
+	return (rv);
+#undef set_lookup_type
 }
 
-#endif /* YP */
+
+/*
+ * common group line matching and parsing
+ */
+int
+__gr_match_entry(const char *line, size_t linesize, enum nss_lookup_type how,
+    const char *name, gid_t gid)
+{
+	size_t		 namesize;
+	const char	*p, *eol;
+	char		*q;
+	unsigned long	 n;
+	int		 i, needed;
+
+	if (linesize == 0 || is_comment_line(line, linesize))
+		return (NS_NOTFOUND);
+	switch (how) {
+	case nss_lt_name:	needed = 1; break;
+	case nss_lt_id:		needed = 2; break;
+	default:		needed = 2; break;
+	}
+	eol = &line[linesize];
+	for (p = line, i = 0; i < needed && p < eol; p++)
+		if (*p == ':')
+			i++;
+	if (i < needed)
+		return (NS_NOTFOUND);
+	switch (how) {
+	case nss_lt_name:
+		namesize = strlen(name);
+		if (namesize + 1 == (size_t)(p - line) &&
+		    memcmp(line, name, namesize) == 0)
+			return (NS_SUCCESS);
+		break;
+	case nss_lt_id:
+		n = strtoul(p, &q, 10);
+		if (q < eol && *q == ':' && gid == (gid_t)n)
+			return (NS_SUCCESS);
+		break;
+	case nss_lt_all:
+		return (NS_SUCCESS);
+	default:
+		break;
+	}
+	return (NS_NOTFOUND);
+}
+
+
+int
+__gr_parse_entry(char *line, size_t linesize, struct group *grp, char *membuf,
+    size_t membufsize, int *errnop)
+{
+	char	       *s_gid, *s_mem, *p, **members;
+	unsigned long	n;
+	int		maxmembers;
+
+	memset(grp, 0, sizeof(*grp));
+	members = (char **)_ALIGN(membuf);
+	membufsize -= (char *)members - membuf;
+	maxmembers = membufsize / sizeof(*members);
+	if (maxmembers <= 0 ||
+	    (grp->gr_name = strsep(&line, ":")) == NULL ||
+	    grp->gr_name[0] == '\0' ||
+	    (grp->gr_passwd = strsep(&line, ":")) == NULL ||
+	    (s_gid = strsep(&line, ":")) == NULL ||
+	    s_gid[0] == '\0')
+		return (NS_NOTFOUND);
+	s_mem = line;
+	n = strtoul(s_gid, &s_gid, 10);
+	if (s_gid[0] != '\0')
+		return (NS_NOTFOUND);
+	grp->gr_gid = (gid_t)n;
+	grp->gr_mem = members;
+	while (maxmembers > 1 && s_mem != NULL) {
+		p = strsep(&s_mem, ",");
+		if (p != NULL && *p != '\0') {
+			*members++ = p;
+			maxmembers--;
+		}
+	}
+	*members = NULL;
+	if (s_mem == NULL)
+		return (NS_SUCCESS);
+	else {
+		*errnop = ERANGE;
+		return (NS_RETURN);
+	}
+}
diff --git a/lib/libc/gen/getgrouplist.c b/lib/libc/gen/getgrouplist.c
index 54e2ce2775..695cee8899 100644
--- a/lib/libc/gen/getgrouplist.c
+++ b/lib/libc/gen/getgrouplist.c
@@ -1,4 +1,4 @@
-/*
+/*-
  * Copyright (c) 1991, 1993
  *	The Regents of the University of California.  All rights reserved.
  *
@@ -10,10 +10,6 @@
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
  * 4. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
@@ -31,57 +27,23 @@
  * SUCH DAMAGE.
  *
  * @(#)getgrouplist.c	8.2 (Berkeley) 12/8/94
+ * $FreeBSD: src/lib/libc/gen/getgrouplist.c,v 1.16 2007/12/12 10:08:02 bushman Exp $
  * $DragonFly: src/lib/libc/gen/getgrouplist.c,v 1.6 2005/04/27 12:37:43 joerg Exp $
  */
 
 /*
  * get credential
  */
+#include <sys/types.h>
+
 #include <grp.h>
 #include <string.h>
 #include <unistd.h>
 
+extern int __getgroupmembership(const char *, gid_t, gid_t *, int, int *);
+
 int
 getgrouplist(const char *uname, gid_t agroup, gid_t *groups, int *grpcnt)
 {
-	struct group *grp;
-	int i, ngroups;
-	int ret, maxgroups;
-
-	ret = 0;
-	ngroups = 0;
-	maxgroups = *grpcnt;
-	/*
-	 * When installing primary group, duplicate it;
-	 * the first element of groups is the effective gid
-	 * and will be overwritten when a setgid file is executed.
-	 */
-	groups[ngroups++] = agroup;
-	if (maxgroups > 1)
-		groups[ngroups++] = agroup;
-	/*
-	 * Scan the group file to find additional groups.
-	 */
-	setgrent();
-	while ((grp = getgrent()) != NULL) {
-		for (i = 0; i < ngroups; i++) {
-			if (grp->gr_gid == groups[i])
-				goto skip;
-		}
-		for (i = 0; grp->gr_mem[i]; i++) {
-			if (!strcmp(grp->gr_mem[i], uname)) {
-				if (ngroups >= maxgroups) {
-					ret = -1;
-					break;
-				}
-				groups[ngroups++] = grp->gr_gid;
-				break;
-			}
-		}
-skip:
-		;
-	}
-	endgrent();
-	*grpcnt = ngroups;
-	return (ret);
+	return __getgroupmembership(uname, agroup, groups, *grpcnt, grpcnt);
 }
diff --git a/lib/libc/gen/getpwent.3 b/lib/libc/gen/getpwent.3
index 170aee35b4..d892ea4df8 100644
--- a/lib/libc/gen/getpwent.3
+++ b/lib/libc/gen/getpwent.3
@@ -9,10 +9,6 @@
 .\" 2. Redistributions in binary form must reproduce the above copyright
 .\"    notice, this list of conditions and the following disclaimer in the
 .\"    documentation and/or other materials provided with the distribution.
-.\" 3. All advertising materials mentioning features or use of this software
-.\"    must display the following acknowledgement:
-.\"	This product includes software developed by the University of
-.\"	California, Berkeley and its contributors.
 .\" 4. Neither the name of the University nor the names of its contributors
 .\"    may be used to endorse or promote products derived from this software
 .\"    without specific prior written permission.
@@ -30,16 +26,19 @@
 .\" SUCH DAMAGE.
 .\"
 .\"     From: @(#)getpwent.3	8.2 (Berkeley) 12/11/93
-.\" $FreeBSD: src/lib/libc/gen/getpwent.3,v 1.11.2.5 2002/02/01 15:51:16 ru Exp $
+.\" $FreeBSD: src/lib/libc/gen/getpwent.3,v 1.30 2007/01/09 00:27:54 imp Exp $
 .\" $DragonFly: src/lib/libc/gen/getpwent.3,v 1.5 2006/05/26 19:39:36 swildner Exp $
 .\"
-.Dd September 20, 1994
+.Dd April 16, 2003
 .Dt GETPWENT 3
 .Os
 .Sh NAME
 .Nm getpwent ,
+.Nm getpwent_r ,
 .Nm getpwnam ,
+.Nm getpwnam_r ,
 .Nm getpwuid ,
+.Nm getpwuid_r ,
 .Nm setpassent ,
 .Nm setpwent ,
 .Nm endpwent
@@ -51,12 +50,18 @@
 .In pwd.h
 .Ft struct passwd *
 .Fn getpwent void
+.Ft int
+.Fn getpwent_r "struct passwd *pwd" "char *buffer" "size_t bufsize" "struct passwd **result"
 .Ft struct passwd *
 .Fn getpwnam "const char *login"
+.Ft int
+.Fn getpwnam_r "const char *name" "struct passwd *pwd" "char *buffer" "size_t bufsize" "struct passwd **result"
 .Ft struct passwd *
 .Fn getpwuid "uid_t uid"
 .Ft int
-.Fn setpassent "int  stayopen"
+.Fn getpwuid_r "uid_t uid" "struct passwd *pwd" "char *buffer" "size_t bufsize" "struct passwd **result"
+.Ft int
+.Fn setpassent "int stayopen"
 .Ft void
 .Fn setpwent void
 .Ft void
@@ -68,7 +73,7 @@ which is described
 in
 .Xr passwd 5 .
 Each entry in the database is defined by the structure
-.Ar passwd
+.Vt passwd
 found in the include
 file
 .In pwd.h :
@@ -101,6 +106,35 @@ function
 sequentially reads the password database and is intended for programs
 that wish to process the complete list of users.
 .Pp
+The functions
+.Fn getpwent_r ,
+.Fn getpwnam_r ,
+and
+.Fn getpwuid_r
+are thread-safe versions of
+.Fn getpwent ,
+.Fn getpwnam ,
+and
+.Fn getpwuid ,
+respectively.
+The caller must provide storage for the results of the search in
+the
+.Fa pwd ,
+.Fa buffer ,
+.Fa bufsize ,
+and
+.Fa result
+arguments.
+When these functions are successful, the
+.Fa pwd
+argument will be filled-in, and a pointer to that argument will be
+stored in
+.Fa result .
+If an entry is not found or an error occurs,
+.Fa result
+will be set to
+.Dv NULL .
+.Pp
 The
 .Fn setpassent
 function
@@ -114,7 +148,7 @@ is non-zero, file descriptors are left open, significantly speeding
 up subsequent accesses for all of the routines.
 (This latter functionality is unnecessary for
 .Fn getpwent
-as it doesn't close its file descriptors by default.)
+as it does not close its file descriptors by default.)
 .Pp
 It is dangerous for long-running programs to keep the file descriptors
 open as the database will become out of date if it is updated while the
@@ -138,32 +172,36 @@ If the process which calls them has an effective uid of 0, the encrypted
 password will be returned, otherwise, the password field of the returned
 structure will point to the string
 .Ql * .
-.Sh YP/NIS INTERACTION
-When the
-.Xr yp 8
-password database is enabled, the
-.Fn getpwnam
-and
-.Fn getpwuid
-functions use the YP maps
-.Dq Li passwd.byname
-and
-.Dq Li passwd.byuid ,
-respectively, if the requested password entry is not found in the
-local database.  The
-.Fn getpwent
-function will step through the YP map
-.Dq Li passwd.byname
-if the entire map is enabled as described in
-.Xr passwd 5 .
 .Sh RETURN VALUES
 The functions
 .Fn getpwent ,
 .Fn getpwnam ,
 and
-.Fn getpwuid ,
+.Fn getpwuid
 return a valid pointer to a passwd structure on success
-and a null pointer if end-of-file is reached or an error occurs.
+or
+.Dv NULL
+if the entry is not found or if an error occurs.
+If an error does occur,
+.Va errno
+will be set.
+Note that programs must explicitly set
+.Va errno
+to zero before calling any of these functions if they need to
+distinguish between a non-existent entry and an error.
+The functions
+.Fn getpwent_r ,
+.Fn getpwnam_r ,
+and
+.Fn getpwuid_r
+return 0 if no error occurred, or an error number to indicate failure.
+It is not an error if a matching entry is not found.
+(Thus, if
+.Fa result
+is
+.Dv NULL
+and the return value is 0, no matching entry exists.)
+.Pp
 The
 .Fn setpassent
 function returns 0 on failure and 1 on success.
@@ -189,13 +227,43 @@ The historic function
 .Xr setpwfile 3 ,
 which allowed the specification of alternate password databases,
 has been deprecated and is no longer available.
+.Sh ERRORS
+These routines may fail for any of the errors specified in
+.Xr open 2 ,
+.Xr dbopen 3 ,
+.Xr socket 2 ,
+and
+.Xr connect 2 ,
+in addition to the following:
+.Bl -tag -width Er
+.It Bq Er ERANGE
+The buffer specified by the
+.Fa buffer
+and
+.Fa bufsize
+arguments was insufficiently sized to store the result.
+The caller should retry with a larger buffer.
+.El
 .Sh SEE ALSO
 .Xr getlogin 2 ,
 .Xr getgrent 3 ,
+.Xr nsswitch.conf 5 ,
 .Xr passwd 5 ,
 .Xr pwd_mkdb 8 ,
 .Xr vipw 8 ,
 .Xr yp 8
+.Sh STANDARDS
+The
+.Fn getpwent ,
+.Fn getpwnam ,
+.Fn getpwnam_r ,
+.Fn getpwuid ,
+.Fn getpwuid_r ,
+.Fn setpwent ,
+and
+.Fn endpwent
+functions conform to
+.St -p1003.1-96 .
 .Sh HISTORY
 The
 .Fn getpwent ,
@@ -210,6 +278,15 @@ The
 .Fn setpassent
 function appeared in
 .Bx 4.3 Reno .
+The
+.Fn getpwent_r ,
+.Fn getpwnam_r ,
+and
+.Fn getpwuid_r
+functions appeared in
+.Fx 5.1
+and
+.Dx 2.1 .
 .Sh BUGS
 The functions
 .Fn getpwent ,
@@ -221,3 +298,21 @@ a pointer to that object.
 Subsequent calls to
 the same function
 will modify the same object.
+.Pp
+The functions
+.Fn getpwent ,
+.Fn getpwent_r ,
+.Fn endpwent ,
+.Fn setpassent ,
+and
+.Fn setpwent
+are fairly useless in a networked environment and should be
+avoided, if possible.
+The
+.Fn getpwent
+and
+.Fn getpwent_r
+functions
+make no attempt to suppress duplicate information if multiple
+sources are specified in
+.Xr nsswitch.conf 5 .
diff --git a/lib/libc/gen/getpwent.c b/lib/libc/gen/getpwent.c
index 507896af78..40a9edff05 100644
--- a/lib/libc/gen/getpwent.c
+++ b/lib/libc/gen/getpwent.c
@@ -1,6 +1,12 @@
-/*
- * Copyright (c) 1988, 1993
- *	The Regents of the University of California.  All rights reserved.
+/*-
+ * Copyright (c) 2003 Networks Associates Technology, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by
+ * Jacques A. Vidrine, Safeport Network Services, and Network
+ * Associates Laboratories, the Security Research Division of Network
+ * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
+ * ("CBOSS"), as part of the DARPA CHATS research program.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -10,18 +16,11 @@
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
@@ -30,822 +29,1980 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * @(#)getpwent.c	8.2 (Berkeley) 4/27/95
- * $FreeBSD: src/lib/libc/gen/getpwent.c,v 1.53.2.2 2001/03/05 09:52:13 obrien Exp $
+ * $FreeBSD: src/lib/libc/gen/getpwent.c,v 1.90 2006/04/28 12:03:35 ume Exp $
  * $DragonFly: src/lib/libc/gen/getpwent.c,v 1.7 2005/11/19 22:32:53 swildner Exp $
  */
 
 #include "namespace.h"
-#include <stdio.h>
 #include <sys/param.h>
+#ifdef YP
+#include <rpc/rpc.h>
+#include <rpcsvc/yp_prot.h>
+#include <rpcsvc/ypclnt.h>
+#endif
+#include <arpa/inet.h>
+#include <errno.h>
 #include <fcntl.h>
-#include <syslog.h>
+#ifdef HESIOD
+#include <hesiod.h>
+#endif
+#include <netdb.h>
+#include <nsswitch.h>
+#include <pthread.h>
+#include <pthread_np.h>
 #include <pwd.h>
-#include <utmp.h>
-#include <errno.h>
-#include <unistd.h>
 #include <stdlib.h>
+#include <stdio.h>
 #include <string.h>
-#include <limits.h>
-#include <grp.h>
+#include <syslog.h>
+#include <unistd.h>
 #include "un-namespace.h"
-
 #include <db.h>
+#include "libc_private.h"
+#include "pw_scan.h"
+#include "nss_tls.h"
+#ifdef NS_CACHING
+#include "nscache.h"
+#endif
+
+#ifndef CTASSERT
+#define CTASSERT(x)		_CTASSERT(x, __LINE__)
+#define _CTASSERT(x, y)		__CTASSERT(x, y)
+#define __CTASSERT(x, y)	typedef char __assert_ ## y [(x) ? 1 : -1]
+#endif
 
-extern void setnetgrent ( char * );
-extern int getnetgrent ( char **, char **, char ** );
-extern int innetgr ( const char *, const char *, const char *, const char * );
+/* Counter as stored in /etc/pwd.db */
+typedef	int		pwkeynum;
+
+CTASSERT(MAXLOGNAME > sizeof(uid_t));
+CTASSERT(MAXLOGNAME > sizeof(pwkeynum));
+
+enum constants {
+	PWD_STORAGE_INITIAL	= 1 << 10, /* 1 KByte */
+	PWD_STORAGE_MAX		= 1 << 20, /* 1 MByte */
+	SETPWENT		= 1,
+	ENDPWENT		= 2,
+	HESIOD_NAME_MAX		= 256
+};
+
+static const ns_src defaultsrc[] = {
+	{ NSSRC_COMPAT, NS_SUCCESS },
+	{ NULL, 0 }
+};
+
+int	__pw_match_entry(const char *, size_t, enum nss_lookup_type,
+	    const char *, uid_t);
+int	__pw_parse_entry(char *, size_t, struct passwd *, int, int *errnop);
+
+static	void	 pwd_init(struct passwd *);
+
+union key {
+	const char	*name;
+	uid_t		 uid;
+};
+
+static	struct passwd *getpw(int (*fn)(union key, struct passwd *, char *,
+		    size_t, struct passwd **), union key);
+static	int	 wrap_getpwnam_r(union key, struct passwd *, char *,
+		    size_t, struct passwd **);
+static	int	 wrap_getpwuid_r(union key, struct passwd *, char *, size_t,
+		    struct passwd **);
+static	int	 wrap_getpwent_r(union key, struct passwd *, char *, size_t,
+		    struct passwd **);
+
+static	int	 pwdb_match_entry_v3(char *, size_t, enum nss_lookup_type,
+		    const char *, uid_t);
+static	int	 pwdb_parse_entry_v3(char *, size_t, struct passwd *, int *);
+static	int	 pwdb_match_entry_v4(char *, size_t, enum nss_lookup_type,
+		    const char *, uid_t);
+static	int	 pwdb_parse_entry_v4(char *, size_t, struct passwd *, int *);
+
+
+struct {
+	int	(*match)(char *, size_t, enum nss_lookup_type, const char *,
+		    uid_t);
+	int	(*parse)(char *, size_t, struct passwd *, int *);
+} pwdb_versions[] = {
+	{ NULL, NULL },					/* version 0 */
+	{ NULL, NULL },					/* version 1 */
+	{ NULL, NULL },					/* version 2 */
+	{ pwdb_match_entry_v3, pwdb_parse_entry_v3 },	/* version 3 */
+	{ pwdb_match_entry_v4, pwdb_parse_entry_v4 },	/* version 4 */
+};
+
+
+struct files_state {
+	DB		*db;
+	pwkeynum	 keynum;
+	int		 stayopen;
+	int		 version;
+};
+static	void	files_endstate(void *);
+NSS_TLS_HANDLING(files);
+static	DB	*pwdbopen(int *);
+static	void	 files_endstate(void *);
+static	int	 files_setpwent(void *, void *, va_list);
+static	int	 files_passwd(void *, void *, va_list);
+
+
+#ifdef HESIOD
+struct dns_state {
+	long	counter;
+};
+static	void	dns_endstate(void *);
+NSS_TLS_HANDLING(dns);
+static	int	 dns_setpwent(void *, void *, va_list);
+static	int	 dns_passwd(void *, void *, va_list);
+#endif
 
-/*
- * The lookup techniques and data extraction code here must be kept
- * in sync with that in `pwd_mkdb'.
- */
 
-static struct passwd _pw_passwd;	/* password structure */
-static DB *_pw_db;			/* password database */
-static int _pw_keynum;			/* key counter */
-static int _pw_stayopen;		/* keep fd's open */
 #ifdef YP
-#include <rpc/rpc.h>
-#include <rpcsvc/yp_prot.h>
-#include <rpcsvc/ypclnt.h>
+struct nis_state {
+	char	 domain[MAXHOSTNAMELEN];
+	int	 done;
+	char	*key;
+	int	 keylen;
+};
+static	void	 nis_endstate(void *);
+NSS_TLS_HANDLING(nis);
+static	int	 nis_setpwent(void *, void *, va_list);
+static	int	 nis_passwd(void *, void *, va_list);
+static	int	 nis_map(char *, enum nss_lookup_type, char *, size_t, int *);
+static	int	 nis_adjunct(char *, const char *, char *, size_t);
+#endif
 
-static struct passwd _pw_copy;
-static DBT empty = { NULL, 0 };
-static DB *_ypcache = (DB *)NULL;
-static int _yp_exclusions = 0;
-static int _yp_enabled = -1;
-static int _pw_stepping_yp;		/* set true when stepping thru map */
-static char _ypnam[YPMAXRECORD];
-#define YP_HAVE_MASTER 2
-#define YP_HAVE_ADJUNCT 1
-#define YP_HAVE_NONE 0
-static int _gotmaster;
-static char *_pw_yp_domain;
-static inline int unwind ( char * );
-static void _ypinitdb ( void );
-static int _havemaster (char *);
-static int _getyppass (struct passwd *, const char *, const char * );
-static int _nextyppass (struct passwd *);
-static inline int lookup (const char *);
-static inline void store (const char *);
-static inline int ingr (const char *, const char*);
-static inline int verf (const char *);
-static char * _get_adjunct_pw (const char *);
-#endif
-static int __hashpw(DBT *);
-static int __initdb(void);
 
+struct compat_state {
+	DB		*db;
+	pwkeynum	 keynum;
+	int		 stayopen;
+	int		 version;
+	DB		*exclude;
+	struct passwd	 template;
+	char		*name;
+	enum _compat {
+		COMPAT_MODE_OFF = 0,
+		COMPAT_MODE_ALL,
+		COMPAT_MODE_NAME,
+		COMPAT_MODE_NETGROUP
+	}		 compat;
+};
+static	void	 compat_endstate(void *);
+NSS_TLS_HANDLING(compat);
+static	int	 compat_setpwent(void *, void *, va_list);
+static	int	 compat_passwd(void *, void *, va_list);
+static	void	 compat_clear_template(struct passwd *);
+static	int	 compat_set_template(struct passwd *, struct passwd *);
+static	int	 compat_use_template(struct passwd *, struct passwd *, char *,
+		    size_t);
+static	int	 compat_redispatch(struct compat_state *, enum nss_lookup_type,
+		    enum nss_lookup_type, const char *, const char *, uid_t,
+		    struct passwd *, char *, size_t, int *);
+
+#ifdef NS_CACHING
+static	int	 pwd_id_func(char *, size_t *, va_list ap, void *);
+static	int	 pwd_marshal_func(char *, size_t *, void *, va_list, void *);
+static	int	 pwd_unmarshal_func(char *, size_t, void *, va_list, void *);
 
-/*
- * Parse the + entries in the password database and do appropriate
- * NIS lookups. While ugly to look at, this is optimized to do only
- * as many lookups as are absolutely necessary in any given case.
- * Basically, the getpwent() function will feed us + and - lines
- * as they appear in the database. For + lines, we do netgroup/group
- * and user lookups to find all usernames that match the rule and
- * extract them from the NIS passwd maps. For - lines, we save the
- * matching names in a database and a) exlude them, and b) make sure
- * we don't consider them when processing other + lines that appear
- * later.
- */
-static inline int
-unwind(char *grp)
+static int
+pwd_id_func(char *buffer, size_t *buffer_size, va_list ap, void *cache_mdata)
 {
-	char *user, *host, *domain;
-	static int latch = 0;
-	static struct group *gr = NULL;
-	int rv = 0;
-
-	if (grp[0] == '+') {
-		if (strlen(grp) == 1) {
-			return(_nextyppass(&_pw_passwd));
+	char	*name;
+	uid_t	uid;
+	size_t	size, desired_size;
+	int	res = NS_UNAVAIL;
+	enum nss_lookup_type lookup_type;
+
+	lookup_type = (enum nss_lookup_type)cache_mdata;
+	switch (lookup_type) {
+	case nss_lt_name:
+		name = va_arg(ap, char *);
+		size = strlen(name);
+		desired_size = sizeof(enum nss_lookup_type) + size + 1;
+		if (desired_size > *buffer_size) {
+			res = NS_RETURN;
+			goto fin;
 		}
-		if (grp[1] == '@') {
-			_pw_stepping_yp = 1;
-grpagain:
-			if (gr != NULL) {
-				if (*gr->gr_mem != NULL) {
-					if (lookup(*gr->gr_mem)) {
-						gr->gr_mem++;
-						goto grpagain;
-					}
-					rv = _getyppass(&_pw_passwd,
-							*gr->gr_mem,
-							"passwd.byname");
-					gr->gr_mem++;
-					return(rv);
-				} else {
-					latch = 0;
-					_pw_stepping_yp = 0;
-					gr = NULL;
-					return(0);
-				}
-			}
-			if (!latch) {
-				setnetgrent(grp+2);
-				latch++;
-			}
-again:
-			if (getnetgrent(&host, &user, &domain) == 0) {
-				if ((gr = getgrnam(grp+2)) != NULL)
-					goto grpagain;
-				latch = 0;
-				_pw_stepping_yp = 0;
-				return(0);
-			} else {
-				if (lookup(user))
-					goto again;
-				if (_getyppass(&_pw_passwd, user,
-							"passwd.byname"))
-					return(1);
-				else
-					goto again;
-			}
-		} else {
-			if (lookup(grp+1))
-				return(0);
-			return(_getyppass(&_pw_passwd, grp+1, "passwd.byname"));
-		}
-	} else {
-		if (grp[1] == '@') {
-			setnetgrent(grp+2);
-			rv = 0;
-			while(getnetgrent(&host, &user, &domain) != 0) {
-				store(user);
-				rv++;
-			}
-			if (!rv && (gr = getgrnam(grp+2)) != NULL) {
-				while(*gr->gr_mem) {
-					store(*gr->gr_mem);
-					gr->gr_mem++;
-				}
-			}
-		} else {
-			store(grp+1);
+
+		memcpy(buffer, &lookup_type, sizeof(enum nss_lookup_type));
+		memcpy(buffer + sizeof(enum nss_lookup_type), name, size + 1);
+
+		res = NS_SUCCESS;
+		break;
+	case nss_lt_id:
+		uid = va_arg(ap, uid_t);
+		desired_size = sizeof(enum nss_lookup_type) + sizeof(uid_t);
+		if (desired_size > *buffer_size) {
+			res = NS_RETURN;
+			goto fin;
 		}
+
+		memcpy(buffer, &lookup_type, sizeof(enum nss_lookup_type));
+		memcpy(buffer + sizeof(enum nss_lookup_type), &uid,
+		    sizeof(uid_t));
+
+		res = NS_SUCCESS;
+		break;
+	default:
+		/* should be unreachable */
+		return (NS_UNAVAIL);
 	}
-	return(0);
+
+fin:
+	*buffer_size = desired_size;
+	return (res);
 }
 
-struct passwd *
-getpwent(void)
+static int
+pwd_marshal_func(char *buffer, size_t *buffer_size, void *retval, va_list ap,
+    void *cache_mdata)
 {
-	DBT key;
-	char bf[sizeof(_pw_keynum) + 1];
-	int rv;
+	char *name;
+	uid_t uid;
+	struct passwd *pwd;
+	char *orig_buf;
+	size_t orig_buf_size;
+
+	struct passwd new_pwd;
+	size_t desired_size, size;
+	char *p;
 
-	if (!_pw_db && !__initdb())
-		return((struct passwd *)NULL);
+	switch ((enum nss_lookup_type)cache_mdata) {
+	case nss_lt_name:
+		name = va_arg(ap, char *);
+		break;
+	case nss_lt_id:
+		uid = va_arg(ap, uid_t);
+		break;
+	case nss_lt_all:
+		break;
+	default:
+		/* should be unreachable */
+		return (NS_UNAVAIL);
+	}
 
-#ifdef YP
-	if(_pw_stepping_yp) {
-		_pw_passwd = _pw_copy;
-		if (unwind((char *)&_ypnam))
-			return(&_pw_passwd);
+	pwd = va_arg(ap, struct passwd *);
+	orig_buf = va_arg(ap, char *);
+	orig_buf_size = va_arg(ap, size_t);
+
+	desired_size = sizeof(struct passwd) + sizeof(char *) +
+	    strlen(pwd->pw_name) + 1;
+	if (pwd->pw_passwd != NULL)
+		desired_size += strlen(pwd->pw_passwd) + 1;
+	if (pwd->pw_class != NULL)
+		desired_size += strlen(pwd->pw_class) + 1;
+	if (pwd->pw_gecos != NULL)
+		desired_size += strlen(pwd->pw_gecos) + 1;
+	if (pwd->pw_dir != NULL)
+		desired_size += strlen(pwd->pw_dir) + 1;
+	if (pwd->pw_shell != NULL)
+		desired_size += strlen(pwd->pw_shell) + 1;
+
+	if (*buffer_size < desired_size) {
+		/* this assignment is here for future use */
+		*buffer_size = desired_size;
+		return (NS_RETURN);
 	}
-#endif
-tryagain:
 
-	++_pw_keynum;
-	bf[0] = _PW_KEYBYNUM;
-	bcopy((char *)&_pw_keynum, bf + 1, sizeof(_pw_keynum));
-	key.data = (u_char *)bf;
-	key.size = sizeof(_pw_keynum) + 1;
-	rv = __hashpw(&key);
-	if(!rv) return (struct passwd *)NULL;
-#ifdef YP
-	if(_pw_passwd.pw_name[0] == '+' || _pw_passwd.pw_name[0] == '-') {
-		if (_yp_enabled == -1)
-			_ypinitdb();
-		bzero((char *)&_ypnam, sizeof(_ypnam));
-		bcopy(_pw_passwd.pw_name, _ypnam,
-			strlen(_pw_passwd.pw_name));
-		_pw_copy = _pw_passwd;
-		if (unwind((char *)&_ypnam) == 0)
-			goto tryagain;
-		else
-			return(&_pw_passwd);
+	memcpy(&new_pwd, pwd, sizeof(struct passwd));
+	memset(buffer, 0, desired_size);
+
+	*buffer_size = desired_size;
+	p = buffer + sizeof(struct passwd) + sizeof(char *);
+	memcpy(buffer + sizeof(struct passwd), &p, sizeof(char *));
+
+	if (new_pwd.pw_name != NULL) {
+		size = strlen(new_pwd.pw_name);
+		memcpy(p, new_pwd.pw_name, size);
+		new_pwd.pw_name = p;
+		p += size + 1;
 	}
-#else
-	/* Ignore YP password file entries when YP is disabled. */
-	if(_pw_passwd.pw_name[0] == '+' || _pw_passwd.pw_name[0] == '-') {
-		goto tryagain;
+
+	if (new_pwd.pw_passwd != NULL) {
+		size = strlen(new_pwd.pw_passwd);
+		memcpy(p, new_pwd.pw_passwd, size);
+		new_pwd.pw_passwd = p;
+		p += size + 1;
 	}
-#endif
-	return(&_pw_passwd);
-}
 
-struct passwd *
-getpwnam(const char *name)
-{
-	DBT key;
-	int len, rval;
-	char bf[UT_NAMESIZE + 2];
+	if (new_pwd.pw_class != NULL) {
+		size = strlen(new_pwd.pw_class);
+		memcpy(p, new_pwd.pw_class, size);
+		new_pwd.pw_class = p;
+		p += size + 1;
+	}
 
-	if (!_pw_db && !__initdb())
-		return((struct passwd *)NULL);
+	if (new_pwd.pw_gecos != NULL) {
+		size = strlen(new_pwd.pw_gecos);
+		memcpy(p, new_pwd.pw_gecos, size);
+		new_pwd.pw_gecos = p;
+		p += size + 1;
+	}
 
-	bf[0] = _PW_KEYBYNAME;
-	len = strlen(name);
-	if (len > UT_NAMESIZE)
-		return(NULL);
-	bcopy(name, bf + 1, len);
-	key.data = (u_char *)bf;
-	key.size = len + 1;
-	rval = __hashpw(&key);
+	if (new_pwd.pw_dir != NULL) {
+		size = strlen(new_pwd.pw_dir);
+		memcpy(p, new_pwd.pw_dir, size);
+		new_pwd.pw_dir = p;
+		p += size + 1;
+	}
 
-#ifdef YP
-	if (!rval) {
-		if (_yp_enabled == -1)
-			_ypinitdb();
-		if (_yp_enabled)
-			rval = _getyppass(&_pw_passwd, name, "passwd.byname");
+	if (new_pwd.pw_shell != NULL) {
+		size = strlen(new_pwd.pw_shell);
+		memcpy(p, new_pwd.pw_shell, size);
+		new_pwd.pw_shell = p;
+		p += size + 1;
 	}
-#endif
-	/*
-	 * Prevent login attempts when YP is not enabled but YP entries
-	 * are in /etc/master.passwd.
-	 */
-	if (rval && (_pw_passwd.pw_name[0] == '+'||
-			_pw_passwd.pw_name[0] == '-')) rval = 0;
 
-	if (!_pw_stayopen)
-		endpwent();
-	return(rval ? &_pw_passwd : (struct passwd *)NULL);
+	memcpy(buffer, &new_pwd, sizeof(struct passwd));
+	return (NS_SUCCESS);
 }
 
-struct passwd *
-getpwuid(uid_t uid)
+static int
+pwd_unmarshal_func(char *buffer, size_t buffer_size, void *retval, va_list ap,
+    void *cache_mdata)
 {
-	DBT key;
-	int keyuid, rval;
-	char bf[sizeof(keyuid) + 1];
+	char *name;
+	uid_t uid;
+	struct passwd *pwd;
+	char *orig_buf;
+	size_t orig_buf_size;
+	int *ret_errno;
 
-	if (!_pw_db && !__initdb())
-		return((struct passwd *)NULL);
+	char *p;
 
-	bf[0] = _PW_KEYBYUID;
-	keyuid = uid;
-	bcopy(&keyuid, bf + 1, sizeof(keyuid));
-	key.data = (u_char *)bf;
-	key.size = sizeof(keyuid) + 1;
-	rval = __hashpw(&key);
+	switch ((enum nss_lookup_type)cache_mdata) {
+	case nss_lt_name:
+		name = va_arg(ap, char *);
+		break;
+	case nss_lt_id:
+		uid = va_arg(ap, uid_t);
+		break;
+	case nss_lt_all:
+		break;
+	default:
+		/* should be unreachable */
+		return (NS_UNAVAIL);
+	}
 
-#ifdef YP
-	if (!rval) {
-		if (_yp_enabled == -1)
-			_ypinitdb();
-		if (_yp_enabled) {
-			char ypbuf[16];	/* big enough for 32-bit uids */
-			snprintf(ypbuf, sizeof ypbuf, "%u", (unsigned)uid);
-			rval = _getyppass(&_pw_passwd, ypbuf, "passwd.byuid");
-		}
+	pwd = va_arg(ap, struct passwd *);
+	orig_buf = va_arg(ap, char *);
+	orig_buf_size = va_arg(ap, size_t);
+	ret_errno = va_arg(ap, int *);
+
+	if (orig_buf_size <
+	    buffer_size - sizeof(struct passwd) - sizeof(char *)) {
+		*ret_errno = ERANGE;
+		return (NS_RETURN);
 	}
+
+	memcpy(pwd, buffer, sizeof(struct passwd));
+	memcpy(&p, buffer + sizeof(struct passwd), sizeof(char *));
+	memcpy(orig_buf, buffer + sizeof(struct passwd) + sizeof(char *),
+	    buffer_size - sizeof(struct passwd) - sizeof(char *));
+
+	NS_APPLY_OFFSET(pwd->pw_name, orig_buf, p, char *);
+	NS_APPLY_OFFSET(pwd->pw_passwd, orig_buf, p, char *);
+	NS_APPLY_OFFSET(pwd->pw_class, orig_buf, p, char *);
+	NS_APPLY_OFFSET(pwd->pw_gecos, orig_buf, p, char *);
+	NS_APPLY_OFFSET(pwd->pw_dir, orig_buf, p, char *);
+	NS_APPLY_OFFSET(pwd->pw_shell, orig_buf, p, char *);
+
+	if (retval != NULL)
+		*((struct passwd **)retval) = pwd;
+
+	return (NS_SUCCESS);
+}
+
+NSS_MP_CACHE_HANDLING(passwd);
+#endif /* NS_CACHING */
+
+void
+setpwent(void)
+{
+#ifdef NS_CACHING
+	static const nss_cache_info cache_info = NS_MP_CACHE_INFO_INITIALIZER(
+		passwd, (void *)nss_lt_all,
+		NULL, NULL);
 #endif
-	/*
-	 * Prevent login attempts when YP is not enabled but YP entries
-	 * are in /etc/master.passwd.
-	 */
-	if (rval && (_pw_passwd.pw_name[0] == '+'||
-			_pw_passwd.pw_name[0] == '-')) rval = 0;
 
-	if (!_pw_stayopen)
-		endpwent();
-	return(rval ? &_pw_passwd : (struct passwd *)NULL);
+	static const ns_dtab dtab[] = {
+		{ NSSRC_FILES, files_setpwent, (void *)SETPWENT },
+#ifdef HESIOD
+		{ NSSRC_DNS, dns_setpwent, (void *)SETPWENT },
+#endif
+#ifdef YP
+		{ NSSRC_NIS, nis_setpwent, (void *)SETPWENT },
+#endif
+		{ NSSRC_COMPAT, compat_setpwent, (void *)SETPWENT },
+#ifdef NS_CACHING
+		NS_CACHE_CB(&cache_info)
+#endif
+		{ NULL, NULL, NULL }
+	};
+	_nsdispatch(NULL, dtab, NSDB_PASSWD, "setpwent", defaultsrc, 0);
 }
 
+
 int
 setpassent(int stayopen)
 {
-	_pw_keynum = 0;
+#ifdef NS_CACHING
+	static const nss_cache_info cache_info = NS_MP_CACHE_INFO_INITIALIZER(
+		passwd, (void *)nss_lt_all,
+		NULL, NULL);
+#endif
+
+	static const ns_dtab dtab[] = {
+		{ NSSRC_FILES, files_setpwent, (void *)SETPWENT },
+#ifdef HESIOD
+		{ NSSRC_DNS, dns_setpwent, (void *)SETPWENT },
+#endif
 #ifdef YP
-	_pw_stepping_yp = 0;
-	if (stayopen)
-		setgroupent(1);
+		{ NSSRC_NIS, nis_setpwent, (void *)SETPWENT },
+#endif
+		{ NSSRC_COMPAT, compat_setpwent, (void *)SETPWENT },
+#ifdef NS_CACHING
+		NS_CACHE_CB(&cache_info)
 #endif
-	_pw_stayopen = stayopen;
-	return(1);
+		{ NULL, NULL, NULL }
+	};
+	_nsdispatch(NULL, dtab, NSDB_PASSWD, "setpwent", defaultsrc, stayopen);
+	return (1);
 }
 
-void
-setpwent(void)
-{
-	setpassent(0);
-}
 
 void
 endpwent(void)
 {
-	_pw_keynum = 0;
-#ifdef YP
-	_pw_stepping_yp = 0;
+#ifdef NS_CACHING
+	static const nss_cache_info cache_info = NS_MP_CACHE_INFO_INITIALIZER(
+		passwd, (void *)nss_lt_all,
+		NULL, NULL);
+#endif
+
+	static const ns_dtab dtab[] = {
+		{ NSSRC_FILES, files_setpwent, (void *)ENDPWENT },
+#ifdef HESIOD
+		{ NSSRC_DNS, dns_setpwent, (void *)ENDPWENT },
 #endif
-	if (_pw_db) {
-		(_pw_db->close)(_pw_db);
-		_pw_db = (DB *)NULL;
-	}
 #ifdef YP
-	if (_ypcache) {
-		(_ypcache->close)(_ypcache);
-		_ypcache = (DB *)NULL;
-		_yp_exclusions = 0;
-	}
-	/* Fix for PR #12008 */
-	_yp_enabled = -1;
+		{ NSSRC_NIS, nis_setpwent, (void *)ENDPWENT },
+#endif
+		{ NSSRC_COMPAT, compat_setpwent, (void *)ENDPWENT },
+#ifdef NS_CACHING
+		NS_CACHE_CB(&cache_info)
 #endif
+		{ NULL, NULL, NULL }
+	};
+	_nsdispatch(NULL, dtab, NSDB_PASSWD, "endpwent", defaultsrc);
 }
 
-static int
-__initdb(void)
+
+int
+getpwent_r(struct passwd *pwd, char *buffer, size_t bufsize,
+    struct passwd **result)
 {
-	static int warned;
-	char *p;
+#ifdef NS_CACHING
+	static const nss_cache_info cache_info = NS_MP_CACHE_INFO_INITIALIZER(
+		passwd, (void *)nss_lt_all,
+		pwd_marshal_func, pwd_unmarshal_func);
+#endif
 
-	p = (geteuid()) ? _PATH_MP_DB : _PATH_SMP_DB;
-	_pw_db = dbopen(p, O_RDONLY, 0, DB_HASH, NULL);
-	if (_pw_db)
-		return(1);
-	if (!warned++)
-		syslog(LOG_ERR, "%s: %m", p);
-	return(0);
+	static const ns_dtab dtab[] = {
+		{ NSSRC_FILES, files_passwd, (void *)nss_lt_all },
+#ifdef HESIOD
+		{ NSSRC_DNS, dns_passwd, (void *)nss_lt_all },
+#endif
+#ifdef YP
+		{ NSSRC_NIS, nis_passwd, (void *)nss_lt_all },
+#endif
+		{ NSSRC_COMPAT, compat_passwd, (void *)nss_lt_all },
+#ifdef NS_CACHING
+		NS_CACHE_CB(&cache_info)
+#endif
+		{ NULL, NULL, NULL }
+	};
+	int	rv, ret_errno;
+
+	pwd_init(pwd);
+	ret_errno = 0;
+	*result = NULL;
+	rv = _nsdispatch(result, dtab, NSDB_PASSWD, "getpwent_r", defaultsrc,
+	    pwd, buffer, bufsize, &ret_errno);
+	if (rv == NS_SUCCESS)
+		return (0);
+	else
+		return (ret_errno);
 }
 
-static int
-__hashpw(DBT *key)
+
+int
+getpwnam_r(const char *name, struct passwd *pwd, char *buffer, size_t bufsize,
+    struct passwd **result)
 {
-	char *p, *t;
-	static u_int max;
-	static char *line;
-	DBT data;
+#ifdef NS_CACHING
+	static const nss_cache_info cache_info =
+		NS_COMMON_CACHE_INFO_INITIALIZER(
+		passwd, (void *)nss_lt_name,
+		pwd_id_func, pwd_marshal_func, pwd_unmarshal_func);
+#endif
+
+	static const ns_dtab dtab[] = {
+		{ NSSRC_FILES, files_passwd, (void *)nss_lt_name },
+#ifdef HESIOD
+		{ NSSRC_DNS, dns_passwd, (void *)nss_lt_name },
+#endif
+#ifdef YP
+		{ NSSRC_NIS, nis_passwd, (void *)nss_lt_name },
+#endif
+		{ NSSRC_COMPAT, compat_passwd, (void *)nss_lt_name },
+#ifdef NS_CACHING
+		NS_CACHE_CB(&cache_info)
+#endif
+		{ NULL, NULL, NULL }
+	};
+	int	rv, ret_errno;
+
+	pwd_init(pwd);
+	ret_errno = 0;
+	*result = NULL;
+	rv = _nsdispatch(result, dtab, NSDB_PASSWD, "getpwnam_r", defaultsrc,
+	    name, pwd, buffer, bufsize, &ret_errno);
+	if (rv == NS_SUCCESS)
+		return (0);
+	else
+		return (ret_errno);
+}
 
-	if ((_pw_db->get)(_pw_db, key, &data, 0))
-		return(0);
-	p = (char *)data.data;
 
-	/* Increase buffer size for long lines if necessary. */
-	if (data.size > max) {
-		max = data.size + 1024;
-		if (!(line = reallocf(line, max)))
-			return(0);
-	}
+int
+getpwuid_r(uid_t uid, struct passwd *pwd, char *buffer, size_t bufsize,
+    struct passwd **result)
+{
+#ifdef NS_CACHING
+	static const nss_cache_info cache_info =
+		NS_COMMON_CACHE_INFO_INITIALIZER(
+		passwd, (void *)nss_lt_id,
+		pwd_id_func, pwd_marshal_func, pwd_unmarshal_func);
+#endif
 
-	/* THIS CODE MUST MATCH THAT IN pwd_mkdb. */
-	t = line;
-#define	EXPAND(e)	e = t; while ( (*t++ = *p++) );
-#define	SCALAR(v)	memmove(&(v), p, sizeof v); p += sizeof v
-	EXPAND(_pw_passwd.pw_name);
-	EXPAND(_pw_passwd.pw_passwd);
-	SCALAR(_pw_passwd.pw_uid);
-	SCALAR(_pw_passwd.pw_gid);
-	SCALAR(_pw_passwd.pw_change);
-	EXPAND(_pw_passwd.pw_class);
-	EXPAND(_pw_passwd.pw_gecos);
-	EXPAND(_pw_passwd.pw_dir);
-	EXPAND(_pw_passwd.pw_shell);
-	SCALAR(_pw_passwd.pw_expire);
-	bcopy(p, (char *)&_pw_passwd.pw_fields, sizeof _pw_passwd.pw_fields);
-	p += sizeof _pw_passwd.pw_fields;
-	return(1);
+	static const ns_dtab dtab[] = {
+		{ NSSRC_FILES, files_passwd, (void *)nss_lt_id },
+#ifdef HESIOD
+		{ NSSRC_DNS, dns_passwd, (void *)nss_lt_id },
+#endif
+#ifdef YP
+		{ NSSRC_NIS, nis_passwd, (void *)nss_lt_id },
+#endif
+		{ NSSRC_COMPAT, compat_passwd, (void *)nss_lt_id },
+#ifdef NS_CACHING
+		NS_CACHE_CB(&cache_info)
+#endif
+		{ NULL, NULL, NULL }
+	};
+	int	rv, ret_errno;
+
+	pwd_init(pwd);
+	ret_errno = 0;
+	*result = NULL;
+	rv = _nsdispatch(result, dtab, NSDB_PASSWD, "getpwuid_r", defaultsrc,
+	    uid, pwd, buffer, bufsize, &ret_errno);
+	if (rv == NS_SUCCESS)
+		return (0);
+	else
+		return (ret_errno);
 }
 
-#ifdef YP
 
 static void
-_ypinitdb(void)
-{
-	DBT key, data;
-	char buf[] = { _PW_KEYYPENABLED };
-	key.data = buf;
-	key.size = 1;
-	_yp_enabled = 0;
-	if ((_pw_db->get)(_pw_db, &key, &data, 0) == 0) {
-		_yp_enabled = (int)*((char *)data.data) - 2;
-		/* Don't even bother with this if we aren't root. */
-		if (!geteuid()) {
-			if (!_pw_yp_domain)
-				if (yp_get_default_domain(&_pw_yp_domain))
-					return;
-			_gotmaster = _havemaster(_pw_yp_domain);
-		} else _gotmaster = YP_HAVE_NONE;
-		/*
-		 * Create a DB hash database in memory. Bet you didn't know you
-		 * could do a dbopen() with a NULL filename, did you.
-		 */
-		if (_ypcache == (DB *)NULL)
-			_ypcache = dbopen(NULL, O_RDWR, 600, DB_HASH, NULL);
+pwd_init(struct passwd *pwd)
+{
+	static char nul[] = "";
+
+	memset(pwd, 0, sizeof(*pwd));
+	pwd->pw_uid = (uid_t)-1;  /* Considered least likely to lead to */
+	pwd->pw_gid = (gid_t)-1;  /* a security issue.                  */
+	pwd->pw_name = nul;
+	pwd->pw_passwd = nul;
+	pwd->pw_class = nul;
+	pwd->pw_gecos = nul;
+	pwd->pw_dir = nul;
+	pwd->pw_shell = nul;
+}
+
+
+static struct passwd	 pwd;
+static char		*pwd_storage;
+static size_t		 pwd_storage_size;
+
+
+static struct passwd *
+getpw(int (*fn)(union key, struct passwd *, char *, size_t, struct passwd **),
+    union key key)
+{
+	int		 rv;
+	struct passwd	*res;
+
+	if (pwd_storage == NULL) {
+		pwd_storage = malloc(PWD_STORAGE_INITIAL);
+		if (pwd_storage == NULL)
+			return (NULL);
+		pwd_storage_size = PWD_STORAGE_INITIAL;
 	}
+	do {
+		rv = fn(key, &pwd, pwd_storage, pwd_storage_size, &res);
+		if (res == NULL && rv == ERANGE) {
+			free(pwd_storage);
+			if ((pwd_storage_size << 1) > PWD_STORAGE_MAX) {
+				pwd_storage = NULL;
+				errno = ERANGE;
+				return (NULL);
+			}
+			pwd_storage_size <<= 1;
+			pwd_storage = malloc(pwd_storage_size);
+			if (pwd_storage == NULL)
+				return (NULL);
+		}
+	} while (res == NULL && rv == ERANGE);
+	if (rv != 0)
+		errno = rv;
+	return (res);
 }
 
-/*
- * See if a user is in the blackballed list.
- */
-static inline int
-lookup(const char *name)
+
+static int
+wrap_getpwnam_r(union key key, struct passwd *pwd, char *buffer,
+    size_t bufsize, struct passwd **res)
 {
-	DBT key;
+	return (getpwnam_r(key.name, pwd, buffer, bufsize, res));
+}
 
-	if (!_yp_exclusions)
-		return(0);
 
-	key.data = (char *)name;
-	key.size = strlen(name);
+static int
+wrap_getpwuid_r(union key key, struct passwd *pwd, char *buffer,
+    size_t bufsize, struct passwd **res)
+{
+	return (getpwuid_r(key.uid, pwd, buffer, bufsize, res));
+}
 
-	if ((_ypcache->get)(_ypcache, &key, &empty, 0)) {
-		return(0);
-	}
 
-	return(1);
+static int
+wrap_getpwent_r(union key key __unused, struct passwd *pwd, char *buffer,
+    size_t bufsize, struct passwd **res)
+{
+	return (getpwent_r(pwd, buffer, bufsize, res));
 }
 
-/*
- * Store a blackballed user in an in-core hash database.
- */
-static inline void
-store(const char *key)
+
+struct passwd *
+getpwnam(const char *name)
 {
-	DBT lkey;
-/*
-	if (lookup(key))
-		return;
-*/
+	union key key;
+
+	key.name = name;
+	return (getpw(wrap_getpwnam_r, key));
+}
+
+
+struct passwd *
+getpwuid(uid_t uid)
+{
+	union key key;
 
-	_yp_exclusions = 1;
+	key.uid = uid;
+	return (getpw(wrap_getpwuid_r, key));
+}
 
-	lkey.data = (char *)key;
-	lkey.size = strlen(key);
 
-	(_ypcache->put)(_ypcache, &lkey, &empty, R_NOOVERWRITE);
+struct passwd *
+getpwent(void)
+{
+	union key key;
+
+	key.uid = 0; /* not used */
+	return (getpw(wrap_getpwent_r, key));
 }
 
+
 /*
- * See if a user is a member of a particular group.
+ * files backend
  */
-static inline int
-ingr(const char *grp, const char *name)
+static DB *
+pwdbopen(int *version)
 {
-	struct group *gr;
+	DB	*res;
+	DBT	 key, entry;
+	int	 rv;
+
+	if (geteuid() != 0 ||
+	    (res = dbopen(_PATH_SMP_DB, O_RDONLY, 0, DB_HASH, NULL)) == NULL)
+		res = dbopen(_PATH_MP_DB, O_RDONLY, 0, DB_HASH, NULL);
+	if (res == NULL)
+		return (NULL);
+	key.data = _PWD_VERSION_KEY;
+	key.size = strlen(_PWD_VERSION_KEY);
+	rv = res->get(res, &key, &entry, 0);
+	if (rv == 0)
+		*version = *(unsigned char *)entry.data;
+	else
+		*version = 3;
+	if (*version < 3 ||
+	    *version >= sizeof(pwdb_versions)/sizeof(pwdb_versions[0])) {
+		syslog(LOG_CRIT, "Unsupported password database version %d",
+		    *version);
+		res->close(res);
+		res = NULL;
+	}
+	return (res);
+}
 
-	if ((gr = getgrnam(grp)) == NULL)
-		return(0);
 
-	while(*gr->gr_mem) {
-		if (!strcmp(*gr->gr_mem, name))
-			return(1);
-		gr->gr_mem++;
-	}
+static void
+files_endstate(void *p)
+{
+	DB	*db;
 
-	return(0);
+	if (p == NULL)
+		return;
+	db = ((struct files_state *)p)->db;
+	if (db != NULL)
+		db->close(db);
+	free(p);
 }
 
-/*
- * Check a user against the +@netgroup/-@netgroup lines listed in
- * the local password database. Also checks +user/-user lines.
- * If no netgroup exists that matches +@netgroup/-@netgroup,
- * try searching regular groups with the same name.
- */
-static inline int
-verf(const char *name)
-{
-	DBT key;
-	char bf[sizeof(_pw_keynum) + 1];
-	int keynum = 0;
-
-again:
-	++keynum;
-	bf[0] = _PW_KEYYPBYNUM;
-	bcopy((char *)&keynum, bf + 1, sizeof(keynum));
-	key.data = (u_char *)bf;
-	key.size = sizeof(keynum) + 1;
-	if (!__hashpw(&key)) {
-		/* Try again using old format */
-		bf[0] = _PW_KEYBYNUM;
-		bcopy((char *)&keynum, bf + 1, sizeof(keynum));
-		key.data = (u_char *)bf;
-		if (!__hashpw(&key))
-			return(0);
-	}
-	if (_pw_passwd.pw_name[0] != '+' && (_pw_passwd.pw_name[0] != '-'))
-		goto again;
-	if (_pw_passwd.pw_name[0] == '+') {
-		if (strlen(_pw_passwd.pw_name) == 1) /* Wildcard */
-			return(1);
-		if (_pw_passwd.pw_name[1] == '@') {
-			if ((innetgr(_pw_passwd.pw_name+2, NULL, name,
-							_pw_yp_domain) ||
-			    ingr(_pw_passwd.pw_name+2, name)) && !lookup(name))
-				return(1);
-			else
-				goto again;
-		} else {
-			if (!strcmp(name, _pw_passwd.pw_name+1) &&
-								!lookup(name))
-				return(1);
-			else
-				goto again;
+
+static int
+files_setpwent(void *retval, void *mdata, va_list ap)
+{
+	struct files_state	*st;
+	int			 rv, stayopen;
+
+	rv = files_getstate(&st);
+	if (rv != 0)
+		return (NS_UNAVAIL);
+	switch ((enum constants)mdata) {
+	case SETPWENT:
+		stayopen = va_arg(ap, int);
+		st->keynum = 0;
+		if (stayopen)
+			st->db = pwdbopen(&st->version);
+		st->stayopen = stayopen;
+		break;
+	case ENDPWENT:
+		if (st->db != NULL) {
+			st->db->close(st->db);
+			st->db = NULL;
 		}
+		break;
+	default:
+		break;
 	}
-	if (_pw_passwd.pw_name[0] == '-') {
-		/* Note that a minus wildcard is a no-op. */
-		if (_pw_passwd.pw_name[1] == '@') {
-			if (innetgr(_pw_passwd.pw_name+2, NULL, name,
-							_pw_yp_domain) ||
-			    ingr(_pw_passwd.pw_name+2, name)) {
-				store(name);
-				return(0);
-			} else
-				goto again;
-		} else {
-			if (!strcmp(name, _pw_passwd.pw_name+1)) {
-				store(name);
-				return(0);
-			} else
-				goto again;
+	return (NS_UNAVAIL);
+}
+
+
+static int
+files_passwd(void *retval, void *mdata, va_list ap)
+{
+	char			 keybuf[MAXLOGNAME + 1];
+	DBT			 key, entry;
+	struct files_state	*st;
+	enum nss_lookup_type	 how;
+	const char		*name;
+	struct passwd		*pwd;
+	char			*buffer;
+	size_t			 bufsize, namesize;
+	uid_t			 uid;
+	uint32_t		 store;
+	int			 rv, stayopen, *errnop;
+
+	name = NULL;
+	uid = (uid_t)-1;
+	how = (enum nss_lookup_type)mdata;
+	switch (how) {
+	case nss_lt_name:
+		name = va_arg(ap, const char *);
+		keybuf[0] = _PW_KEYBYNAME;
+		break;
+	case nss_lt_id:
+		uid = va_arg(ap, uid_t);
+		keybuf[0] = _PW_KEYBYUID;
+		break;
+	case nss_lt_all:
+		keybuf[0] = _PW_KEYBYNUM;
+		break;
+	default:
+		rv = NS_NOTFOUND;
+		goto fin;
+	}
+	pwd = va_arg(ap, struct passwd *);
+	buffer = va_arg(ap, char *);
+	bufsize = va_arg(ap, size_t);
+	errnop = va_arg(ap, int *);
+	*errnop = files_getstate(&st);
+	if (*errnop != 0)
+		return (NS_UNAVAIL);
+	if (how == nss_lt_all && st->keynum < 0) {
+		rv = NS_NOTFOUND;
+		goto fin;
+	}
+	if (st->db == NULL &&
+	    (st->db = pwdbopen(&st->version)) == NULL) {
+		*errnop = errno;
+		rv = NS_UNAVAIL;
+		goto fin;
+	}
+	if (how == nss_lt_all)
+		stayopen = 1;
+	else
+		stayopen = st->stayopen;
+	key.data = keybuf;
+	do {
+		switch (how) {
+		case nss_lt_name:
+			/* MAXLOGNAME includes NUL byte, but we do not
+			 * include the NUL byte in the key.
+			 */
+			namesize = strlcpy(&keybuf[1], name, sizeof(keybuf)-1);
+			if (namesize >= sizeof(keybuf)-1) {
+				*errnop = EINVAL;
+				rv = NS_NOTFOUND;
+				goto fin;
+			}
+			key.size = namesize + 1;
+			break;
+		case nss_lt_id:
+			if (st->version < _PWD_CURRENT_VERSION) {
+				memcpy(&keybuf[1], &uid, sizeof(uid));
+				key.size = sizeof(uid) + 1;
+			} else {
+				store = htonl(uid);
+				memcpy(&keybuf[1], &store, sizeof(store));
+				key.size = sizeof(store) + 1;
+			}
+			break;
+		case nss_lt_all:
+			st->keynum++;
+			if (st->version < _PWD_CURRENT_VERSION) {
+				memcpy(&keybuf[1], &st->keynum,
+				    sizeof(st->keynum));
+				key.size = sizeof(st->keynum) + 1;
+			} else {
+				store = htonl(st->keynum);
+				memcpy(&keybuf[1], &store, sizeof(store));
+				key.size = sizeof(store) + 1;
+			}
+			break;
+		}
+		keybuf[0] = _PW_VERSIONED(keybuf[0], st->version);
+		rv = st->db->get(st->db, &key, &entry, 0);
+		if (rv < 0 || rv > 1) { /* should never return > 1 */
+			*errnop = errno;
+			rv = NS_UNAVAIL;
+			goto fin;
+		} else if (rv == 1) {
+			if (how == nss_lt_all)
+				st->keynum = -1;
+			rv = NS_NOTFOUND;
+			goto fin;
 		}
-		
+		rv = pwdb_versions[st->version].match(entry.data, entry.size,
+		    how, name, uid);
+		if (rv != NS_SUCCESS)
+			continue;
+		if (entry.size > bufsize) {
+			*errnop = ERANGE;
+			rv = NS_RETURN;
+			break;
+		}
+		memcpy(buffer, entry.data, entry.size);
+		rv = pwdb_versions[st->version].parse(buffer, entry.size, pwd,
+		    errnop);
+	} while (how == nss_lt_all && !(rv & NS_TERMINATE));
+fin:
+	if (!stayopen && st->db != NULL) {
+		st->db->close(st->db);
+		st->db = NULL;
+	}
+	if (rv == NS_SUCCESS) {
+		pwd->pw_fields &= ~_PWF_SOURCE;
+		pwd->pw_fields |= _PWF_FILES;
+		if (retval != NULL)
+			*(struct passwd **)retval = pwd;
 	}
-	return(0);
+	return (rv);
 }
 
-static char *
-_get_adjunct_pw(const char *name)
+
+static int
+pwdb_match_entry_v3(char *entry, size_t entrysize, enum nss_lookup_type how,
+    const char *name, uid_t uid)
 {
-	static char adjunctbuf[YPMAXRECORD+2];
-	int rval;
-	char *result;
-	int resultlen;
-	char *map = "passwd.adjunct.byname";
-	char *s;
+	const char	*p, *eom;
+	uid_t		 uid2;
+
+	eom = &entry[entrysize];
+	for (p = entry; p < eom; p++)
+		if (*p == '\0')
+			break;
+	if (*p != '\0')
+		return (NS_NOTFOUND);
+	if (how == nss_lt_all)
+		return (NS_SUCCESS);
+	if (how == nss_lt_name)
+		return (strcmp(name, entry) == 0 ? NS_SUCCESS : NS_NOTFOUND);
+	for (p++; p < eom; p++)
+		if (*p == '\0')
+			break;
+	if (*p != '\0' || (++p) + sizeof(uid) >= eom)
+		return (NS_NOTFOUND);
+	memcpy(&uid2, p, sizeof(uid2));
+	return (uid == uid2 ? NS_SUCCESS : NS_NOTFOUND);
+}
 
-	if ((rval = yp_match(_pw_yp_domain, map, name, strlen(name),
-		    &result, &resultlen)))
-		return(NULL);
 
-	strncpy(adjunctbuf, result, resultlen);
-	adjunctbuf[resultlen] = '\0';
-	free(result);
-	result = (char *)&adjunctbuf;
+static int
+pwdb_parse_entry_v3(char *buffer, size_t bufsize, struct passwd *pwd,
+    int *errnop)
+{
+	char		*p, *eom;
+	int32_t		 pw_change, pw_expire;
+
+	/* THIS CODE MUST MATCH THAT IN pwd_mkdb. */
+	p = buffer;
+	eom = &buffer[bufsize];
+#define STRING(field)	do {			\
+		(field) = p;			\
+		while (p < eom && *p != '\0')	\
+			p++;			\
+		if (p >= eom)			\
+			return (NS_NOTFOUND);	\
+		p++;				\
+	} while (0)
+#define SCALAR(field)	do {				\
+		if (p + sizeof(field) > eom)		\
+			return (NS_NOTFOUND);		\
+		memcpy(&(field), p, sizeof(field));	\
+		p += sizeof(field);			\
+	} while (0)
+	STRING(pwd->pw_name);
+	STRING(pwd->pw_passwd);
+	SCALAR(pwd->pw_uid);
+	SCALAR(pwd->pw_gid);
+	SCALAR(pw_change);
+	STRING(pwd->pw_class);
+	STRING(pwd->pw_gecos);
+	STRING(pwd->pw_dir);
+	STRING(pwd->pw_shell);
+	SCALAR(pw_expire);
+	SCALAR(pwd->pw_fields);
+#undef STRING
+#undef SCALAR
+	pwd->pw_change = pw_change;
+	pwd->pw_expire = pw_expire;
+	return (NS_SUCCESS);
+}
 
-	/* Don't care about the name. */
-	if ((s = strsep(&result, ":")) == NULL)
-		return (NULL); /* name */
-	if ((s = strsep(&result, ":")) == NULL)
-		return (NULL); /* password */
 
-	return(s);
+static int
+pwdb_match_entry_v4(char *entry, size_t entrysize, enum nss_lookup_type how,
+    const char *name, uid_t uid)
+{
+	const char	*p, *eom;
+	uint32_t	 uid2;
+
+	eom = &entry[entrysize];
+	for (p = entry; p < eom; p++)
+		if (*p == '\0')
+			break;
+	if (*p != '\0')
+		return (NS_NOTFOUND);
+	if (how == nss_lt_all)
+		return (NS_SUCCESS);
+	if (how == nss_lt_name)
+		return (strcmp(name, entry) == 0 ? NS_SUCCESS : NS_NOTFOUND);
+	for (p++; p < eom; p++)
+		if (*p == '\0')
+			break;
+	if (*p != '\0' || (++p) + sizeof(uid) >= eom)
+		return (NS_NOTFOUND);
+	memcpy(&uid2, p, sizeof(uid2));
+	uid2 = ntohl(uid2);
+	return (uid == (uid_t)uid2 ? NS_SUCCESS : NS_NOTFOUND);
 }
 
+
 static int
-_pw_breakout_yp(struct passwd *pw, char *res, int resultlen, int master)
+pwdb_parse_entry_v4(char *buffer, size_t bufsize, struct passwd *pwd,
+    int *errnop)
 {
-	char *s, *result;
-	static char resbuf[YPMAXRECORD+2];
+	char		*p, *eom;
+	uint32_t	 n;
 
-	/*
-	 * Be triple, ultra super-duper paranoid: reject entries
-	 * that start with a + or -. yp_mkdb and /var/yp/Makefile
-	 * are _both_ supposed to strip these out, but you never
-	 * know.
-	 */
-	if (*res == '+' || *res == '-')
-		return 0;
-
-	/*
-	 * The NIS protocol definition limits the size of an NIS
-	 * record to YPMAXRECORD bytes. We need to do a copy to
-	 * a static buffer here since the memory pointed to by
-	 * res will be free()ed when this function returns.
-	 */
-	strncpy((char *)&resbuf, res, resultlen);
-	resbuf[resultlen] = '\0';
-	result = (char *)&resbuf;
+	/* THIS CODE MUST MATCH THAT IN pwd_mkdb. */
+	p = buffer;
+	eom = &buffer[bufsize];
+#define STRING(field)	do {			\
+		(field) = p;			\
+		while (p < eom && *p != '\0')	\
+			p++;			\
+		if (p >= eom)			\
+			return (NS_NOTFOUND);	\
+		p++;				\
+	} while (0)
+#define SCALAR(field)	do {				\
+		if (p + sizeof(n) > eom)		\
+			return (NS_NOTFOUND);		\
+		memcpy(&n, p, sizeof(n));		\
+		(field) = ntohl(n);			\
+		p += sizeof(n);				\
+	} while (0)
+	STRING(pwd->pw_name);
+	STRING(pwd->pw_passwd);
+	SCALAR(pwd->pw_uid);
+	SCALAR(pwd->pw_gid);
+	SCALAR(pwd->pw_change);
+	STRING(pwd->pw_class);
+	STRING(pwd->pw_gecos);
+	STRING(pwd->pw_dir);
+	STRING(pwd->pw_shell);
+	SCALAR(pwd->pw_expire);
+	SCALAR(pwd->pw_fields);
+#undef STRING
+#undef SCALAR
+	return (NS_SUCCESS);
+}
 
-	/*
-	 * XXX Sanity check: make sure all fields are valid (no NULLs).
-	 * If we find a badly formatted entry, we punt.
-	 */
-	if ((s = strsep(&result, ":")) == NULL) return 0; /* name */
-	/*
-	 * We don't care what pw_fields says: we _always_ want the
-	 * username returned to us by NIS.
-	 */
-	pw->pw_name = s;
-	pw->pw_fields |= _PWF_NAME;
-
-	if ((s = strsep(&result, ":")) == NULL) return 0; /* password */
-	if(!(pw->pw_fields & _PWF_PASSWD)) {
-		/* SunOS passwd.adjunct hack */
-		if (master == YP_HAVE_ADJUNCT && strstr(s, "##") != NULL) {
-			char *realpw;
-			realpw = _get_adjunct_pw(pw->pw_name);
-			if (realpw == NULL)
-				pw->pw_passwd = s;
-			else
-				pw->pw_passwd = realpw;
-		} else {
-			pw->pw_passwd = s;
-		}
-		pw->pw_fields |= _PWF_PASSWD;
-	}
 
-	if ((s = strsep(&result, ":")) == NULL) return 0; /* uid */
-	if(!(pw->pw_fields & _PWF_UID)) {
-		pw->pw_uid = atoi(s);
-		pw->pw_fields |= _PWF_UID;
-	}
+#ifdef HESIOD
+/*
+ * dns backend
+ */
+static void
+dns_endstate(void *p)
+{
+	free(p);
+}
 
-	if ((s = strsep(&result, ":")) == NULL) return 0; /* gid */
-	if(!(pw->pw_fields & _PWF_GID))  {
-		pw->pw_gid = atoi(s);
-		pw->pw_fields |= _PWF_GID;
-	}
 
-	if (master == YP_HAVE_MASTER) {
-		if ((s = strsep(&result, ":")) == NULL) return 0; /* class */
-		if(!(pw->pw_fields & _PWF_CLASS))  {
-			pw->pw_class = s;
-			pw->pw_fields |= _PWF_CLASS;
-		}
+static int
+dns_setpwent(void *retval, void *mdata, va_list ap)
+{
+	struct dns_state	*st;
+	int			 rv;
+
+	rv = dns_getstate(&st);
+	if (rv != 0)
+		return (NS_UNAVAIL);
+	st->counter = 0;
+	return (NS_UNAVAIL);
+}
 
-		if ((s = strsep(&result, ":")) == NULL) return 0; /* change */
-		if(!(pw->pw_fields & _PWF_CHANGE))  {
-			pw->pw_change = atol(s);
-			pw->pw_fields |= _PWF_CHANGE;
-		}
 
-		if ((s = strsep(&result, ":")) == NULL) return 0; /* expire */
-		if(!(pw->pw_fields & _PWF_EXPIRE))  {
-			pw->pw_expire = atol(s);
-			pw->pw_fields |= _PWF_EXPIRE;
+static int
+dns_passwd(void *retval, void *mdata, va_list ap)
+{
+	char			 buf[HESIOD_NAME_MAX];
+	struct dns_state	*st;
+	struct passwd		*pwd;
+	const char		*name, *label;
+	void			*ctx;
+	char			*buffer, **hes;
+	size_t			 bufsize, linesize;
+	uid_t			 uid;
+	enum nss_lookup_type	 how;
+	int			 rv, *errnop;
+
+	ctx = NULL;
+	hes = NULL;
+	name = NULL;
+	uid = (uid_t)-1;
+	how = (enum nss_lookup_type)mdata;
+	switch (how) {
+	case nss_lt_name:
+		name = va_arg(ap, const char *);
+		break;
+	case nss_lt_id:
+		uid = va_arg(ap, uid_t);
+		break;
+	case nss_lt_all:
+		break;
+	}
+	pwd     = va_arg(ap, struct passwd *);
+	buffer  = va_arg(ap, char *);
+	bufsize = va_arg(ap, size_t);
+	errnop  = va_arg(ap, int *);
+	*errnop = dns_getstate(&st);
+	if (*errnop != 0)
+		return (NS_UNAVAIL);
+	if (hesiod_init(&ctx) != 0) {
+		*errnop = errno;
+		rv = NS_UNAVAIL;
+		goto fin;
+	}
+	do {
+		rv = NS_NOTFOUND;
+		switch (how) {
+		case nss_lt_name:
+			label = name;
+			break;
+		case nss_lt_id:
+			if (snprintf(buf, sizeof(buf), "%lu",
+			    (unsigned long)uid) >= sizeof(buf))
+				goto fin;
+			label = buf;
+			break;
+		case nss_lt_all:
+			if (st->counter < 0)
+				goto fin;
+			if (snprintf(buf, sizeof(buf), "passwd-%ld",
+			    st->counter++) >= sizeof(buf))
+				goto fin;
+			label = buf;
+			break;
+		}
+		hes = hesiod_resolve(ctx, label,
+		    how == nss_lt_id ? "uid" : "passwd");
+		if (hes == NULL) {
+			if (how == nss_lt_all)
+				st->counter = -1;
+			if (errno != ENOENT)
+				*errnop = errno;
+			goto fin;
+		}
+		rv = __pw_match_entry(hes[0], strlen(hes[0]), how, name, uid);
+		if (rv != NS_SUCCESS) {
+			hesiod_free_list(ctx, hes);
+			hes = NULL;
+			continue;
 		}
+		linesize = strlcpy(buffer, hes[0], bufsize);
+		if (linesize >= bufsize) {
+			*errnop = ERANGE;
+			rv = NS_RETURN;
+			continue;
+		}
+		hesiod_free_list(ctx, hes);
+		hes = NULL;
+		rv = __pw_parse_entry(buffer, bufsize, pwd, 0, errnop);
+	} while (how == nss_lt_all && !(rv & NS_TERMINATE));
+fin:
+	if (hes != NULL)
+		hesiod_free_list(ctx, hes);
+	if (ctx != NULL)
+		hesiod_end(ctx);
+	if (rv == NS_SUCCESS) {
+		pwd->pw_fields &= ~_PWF_SOURCE;
+		pwd->pw_fields |= _PWF_HESIOD;
+		if (retval != NULL)
+			*(struct passwd **)retval = pwd;
 	}
+	return (rv);
+}
+#endif /* HESIOD */
 
-	if ((s = strsep(&result, ":")) == NULL) return 0; /* gecos */
-	if(!(pw->pw_fields & _PWF_GECOS)) {
-		pw->pw_gecos = s;
-		pw->pw_fields |= _PWF_GECOS;
-	}
 
-	if ((s = strsep(&result, ":")) == NULL) return 0; /* dir */
-	if(!(pw->pw_fields & _PWF_DIR)) {
-		pw->pw_dir = s;
-		pw->pw_fields |= _PWF_DIR;
-	}
+#ifdef YP
+/*
+ * nis backend
+ */
+static void
+nis_endstate(void *p)
+{
+	free(((struct nis_state *)p)->key);
+	free(p);
+}
 
-	if ((s = strsep(&result, ":")) == NULL) return 0; /* shell */
-	if(!(pw->pw_fields & _PWF_SHELL)) {
-		pw->pw_shell = s;
-		pw->pw_fields |= _PWF_SHELL;
+/*
+ * Test for the presence of special FreeBSD-specific master.passwd.by*
+ * maps. We do this using yp_order(). If it fails, then either the server
+ * doesn't have the map, or the YPPROC_ORDER procedure isn't supported by
+ * the server (Sun NIS+ servers in YP compat mode behave this way). If
+ * the master.passwd.by* maps don't exist, then let the lookup routine try
+ * the regular passwd.by* maps instead. If the lookup routine fails, it
+ * can return an error as needed.
+ */
+static int
+nis_map(char *domain, enum nss_lookup_type how, char *buffer, size_t bufsize,
+    int *master)
+{
+	int	rv, order;
+
+	*master = 0;
+	if (geteuid() == 0) {
+		if (snprintf(buffer, bufsize, "master.passwd.by%s",
+		    (how == nss_lt_id) ? "uid" : "name") >= bufsize)
+			return (NS_UNAVAIL);
+		rv = yp_order(domain, buffer, &order);
+		if (rv == 0) {
+			*master = 1;
+			return (NS_SUCCESS);
+		}
 	}
 
-	/* Be consistent. */
-	if ((s = strchr(pw->pw_shell, '\n'))) *s = '\0';
+	if (snprintf(buffer, bufsize, "passwd.by%s",
+	    (how == nss_lt_id) ? "uid" : "name") >= bufsize)
+		return (NS_UNAVAIL);
 
-	return 1;
+	return (NS_SUCCESS);
 }
 
+
 static int
-_havemaster(char *_yp_domain)
+nis_adjunct(char *domain, const char *name, char *buffer, size_t bufsize)
 {
-	int order;
-	int rval;
+	int	 rv;
+	char	*result, *p, *q, *eor;
+	int	 resultlen;
+
+	result = NULL;
+	rv = yp_match(domain, "passwd.adjunct.byname", name, strlen(name),
+	    &result, &resultlen);
+	if (rv != 0)
+		rv = 1;
+	else {
+		eor = &result[resultlen];
+		p = memchr(result, ':', eor - result);
+		if (p != NULL && ++p < eor &&
+		    (q = memchr(p, ':', eor - p)) != NULL) {
+			if (q - p >= bufsize)
+				rv = -1;
+			else {
+				memcpy(buffer, p, q - p);
+				buffer[q - p] ='\0';
+			}
+		} else
+			rv = 1;
+	}
+	free(result);
+	return (rv);
+}
 
-	if (!(rval = yp_order(_yp_domain, "master.passwd.byname", &order)))
-		return(YP_HAVE_MASTER);
 
-	/*
-	 * NIS+ in YP compat mode doesn't support
-	 * YPPROC_ORDER -- no point in continuing.
-	 */
-	if (rval == YPERR_YPERR)
-		return(YP_HAVE_NONE);
+static int
+nis_setpwent(void *retval, void *mdata, va_list ap)
+{
+	struct nis_state	*st;
+	int			 rv;
+
+	rv = nis_getstate(&st);
+	if (rv != 0)
+		return (NS_UNAVAIL);
+	st->done = 0;
+	free(st->key);
+	st->key = NULL;
+	return (NS_UNAVAIL);
+}
+
 
-	/* master.passwd doesn't exist -- try passwd.adjunct */
-	if (rval == YPERR_MAP) {
-		rval = yp_order(_yp_domain, "passwd.adjunct.byname", &order);
-		if (!rval)
-			return(YP_HAVE_ADJUNCT);
+static int
+nis_passwd(void *retval, void *mdata, va_list ap)
+{
+	char		 map[YPMAXMAP];
+	struct nis_state *st;
+	struct passwd	*pwd;
+	const char	*name;
+	char		*buffer, *key, *result;
+	size_t		 bufsize;
+	uid_t		 uid;
+	enum nss_lookup_type how;
+	int		*errnop, keylen, resultlen, rv, master;
+
+	name = NULL;
+	uid = (uid_t)-1;
+	how = (enum nss_lookup_type)mdata;
+	switch (how) {
+	case nss_lt_name:
+		name = va_arg(ap, const char *);
+		break;
+	case nss_lt_id:
+		uid = va_arg(ap, uid_t);
+		break;
+	case nss_lt_all:
+		break;
 	}
+	pwd     = va_arg(ap, struct passwd *);
+	buffer  = va_arg(ap, char *);
+	bufsize = va_arg(ap, size_t);
+	errnop  = va_arg(ap, int *);
+	*errnop = nis_getstate(&st);
+	if (*errnop != 0)
+		return (NS_UNAVAIL);
+	if (st->domain[0] == '\0') {
+		if (getdomainname(st->domain, sizeof(st->domain)) != 0) {
+			*errnop = errno;
+			return (NS_UNAVAIL);
+		}
+	}
+	rv = nis_map(st->domain, how, map, sizeof(map), &master);
+	if (rv != NS_SUCCESS)
+		return (rv);
+	result = NULL;
+	do {
+		rv = NS_NOTFOUND;
+		switch (how) {
+		case nss_lt_name:
+			if (strlcpy(buffer, name, bufsize) >= bufsize)
+				goto erange;
+			break;
+		case nss_lt_id:
+			if (snprintf(buffer, bufsize, "%lu",
+			    (unsigned long)uid) >= bufsize)
+				goto erange;
+			break;
+		case nss_lt_all:
+			if (st->done)
+				goto fin;
+			break;
+		}
+		result = NULL;
+		if (how == nss_lt_all) {
+			if (st->key == NULL)
+				rv = yp_first(st->domain, map, &st->key,
+				    &st->keylen, &result, &resultlen);
+			else {
+				key = st->key;
+				keylen = st->keylen;
+				st->key = NULL;
+				rv = yp_next(st->domain, map, key, keylen,
+				    &st->key, &st->keylen, &result,
+				    &resultlen);
+				free(key);
+			}
+			if (rv != 0) {
+				free(result);
+				free(st->key);
+				st->key = NULL;
+				if (rv == YPERR_NOMORE)
+					st->done = 1;
+				else
+					rv = NS_UNAVAIL;
+				goto fin;
+			}
+		} else {
+			rv = yp_match(st->domain, map, buffer, strlen(buffer),
+			    &result, &resultlen);
+			if (rv == YPERR_KEY) {
+				rv = NS_NOTFOUND;
+				continue;
+			} else if (rv != 0) {
+				free(result);
+				rv = NS_UNAVAIL;
+				continue;
+			}
+		}
+		if (resultlen >= bufsize)
+			goto erange;
+		memcpy(buffer, result, resultlen);
+		buffer[resultlen] = '\0';
+		free(result);
+		rv = __pw_match_entry(buffer, resultlen, how, name, uid);
+		if (rv == NS_SUCCESS)
+			rv = __pw_parse_entry(buffer, resultlen, pwd, master,
+			    errnop);
+	} while (how == nss_lt_all && !(rv & NS_TERMINATE));
+fin:
+	if (rv == NS_SUCCESS) {
+		if (strstr(pwd->pw_passwd, "##") != NULL) {
+			rv = nis_adjunct(st->domain, pwd->pw_name,
+			    &buffer[resultlen+1], bufsize-resultlen-1);
+			if (rv < 0)
+				goto erange;
+			else if (rv == 0)
+				pwd->pw_passwd = &buffer[resultlen+1];
+		}
+		pwd->pw_fields &= ~_PWF_SOURCE;
+		pwd->pw_fields |= _PWF_NIS;
+		if (retval != NULL)
+			*(struct passwd **)retval = pwd;
+		rv = NS_SUCCESS;
+	}
+	return (rv);
+erange:
+	*errnop = ERANGE;
+	return (NS_RETURN);
+}
+#endif /* YP */
+
+
+/*
+ * compat backend
+ */
+static void
+compat_clear_template(struct passwd *template)
+{
 
-	return (YP_HAVE_NONE);
+	free(template->pw_passwd);
+	free(template->pw_gecos);
+	free(template->pw_dir);
+	free(template->pw_shell);
+	memset(template, 0, sizeof(*template));
 }
 
+
 static int
-_getyppass(struct passwd *pw, const char *name, const char *map)
+compat_set_template(struct passwd *src, struct passwd *template)
 {
-	char *result, *s;
-	int resultlen;
-	int rv;
-	char mastermap[YPMAXRECORD];
 
-	if(!_pw_yp_domain) {
-		if(yp_get_default_domain(&_pw_yp_domain))
-		  return 0;
-	}
+	compat_clear_template(template);
+#ifdef PW_OVERRIDE_PASSWD
+	if ((src->pw_fields & _PWF_PASSWD) &&
+	    (template->pw_passwd = strdup(src->pw_passwd)) == NULL)
+		goto enomem;
+#endif
+	if (src->pw_fields & _PWF_UID)
+		template->pw_uid = src->pw_uid;
+	if (src->pw_fields & _PWF_GID)
+		template->pw_gid = src->pw_gid;
+	if ((src->pw_fields & _PWF_GECOS) &&
+	    (template->pw_gecos = strdup(src->pw_gecos)) == NULL)
+		goto enomem;
+	if ((src->pw_fields & _PWF_DIR) &&
+	    (template->pw_dir = strdup(src->pw_dir)) == NULL)
+		goto enomem;
+	if ((src->pw_fields & _PWF_SHELL) &&
+	    (template->pw_shell = strdup(src->pw_shell)) == NULL)
+		goto enomem;
+	template->pw_fields = src->pw_fields;
+	return (0);
+enomem:
+	syslog(LOG_ERR, "getpwent memory allocation failure");
+	return (-1);
+}
 
-	if (_gotmaster == YP_HAVE_MASTER)
-		snprintf(mastermap, sizeof(mastermap), "master.%s", map);
-	else
-		snprintf(mastermap, sizeof(mastermap), "%s", map);
-
-	if(yp_match(_pw_yp_domain, (char *)&mastermap, name, strlen(name),
-		    &result, &resultlen)) {
-		if (_gotmaster != YP_HAVE_MASTER)
-			return 0;
-		snprintf(mastermap, sizeof(mastermap), "%s", map);
-		if (yp_match(_pw_yp_domain, (char *)&mastermap,
-			     name, strlen(name), &result, &resultlen))
-			return 0;
-		_gotmaster = YP_HAVE_NONE;
-	}
-
-	if (!_pw_stepping_yp) {
-		s = strchr(result, ':');
-		if (s) {
-			*s = '\0';
-		} else {
-			/* Must be a malformed entry if no colons. */
-			free(result);
-			return(0);
-		}
 
-		if (!verf(result)) {
-			*s = ':';
-			free(result);
-			return(0);
-		}
+static int
+compat_use_template(struct passwd *pwd, struct passwd *template, char *buffer,
+    size_t bufsize)
+{
+	struct passwd hold;
+	char	*copy, *p, *q, *eob;
+	size_t	 n;
 
-		*s = ':'; /* Put back the colon we previously replaced with a NUL. */
+	/* We cannot know the layout of the password fields in `buffer',
+	 * so we have to copy everything.
+	 */
+	if (template->pw_fields == 0) /* nothing to fill-in */
+		return (0);
+	n = 0;
+	n += pwd->pw_name != NULL ? strlen(pwd->pw_name) + 1 : 0;
+	n += pwd->pw_passwd != NULL ? strlen(pwd->pw_passwd) + 1 : 0;
+	n += pwd->pw_class != NULL ? strlen(pwd->pw_class) + 1 : 0;
+	n += pwd->pw_gecos != NULL ? strlen(pwd->pw_gecos) + 1 : 0;
+	n += pwd->pw_dir != NULL ? strlen(pwd->pw_dir) + 1 : 0;
+	n += pwd->pw_shell != NULL ? strlen(pwd->pw_shell) + 1 : 0;
+	copy = malloc(n);
+	if (copy == NULL) {
+		syslog(LOG_ERR, "getpwent memory allocation failure");
+		return (ENOMEM);
 	}
+	p = copy;
+	eob = &copy[n];
+#define COPY(field) do {				\
+	if (pwd->field == NULL)				\
+		hold.field = NULL;			\
+	else {						\
+		hold.field = p;				\
+		p += strlcpy(p, pwd->field, eob-p) + 1;	\
+	}						\
+} while (0)
+	COPY(pw_name);
+	COPY(pw_passwd);
+	COPY(pw_class);
+	COPY(pw_gecos);
+	COPY(pw_dir);
+	COPY(pw_shell);
+#undef COPY
+	p = buffer;
+	eob = &buffer[bufsize];
+#define COPY(field, flag) do {						 \
+	q = (template->pw_fields & flag) ? template->field : hold.field; \
+	if (q == NULL)							 \
+		pwd->field = NULL;					 \
+	else {								 \
+		pwd->field = p;						 \
+		if ((n = strlcpy(p, q, eob-p)) >= eob-p) {		 \
+			free(copy);					 \
+			return (ERANGE);				 \
+		}							 \
+		p += n + 1;						 \
+	}								 \
+} while (0)
+	COPY(pw_name, 0);
+#ifdef PW_OVERRIDE_PASSWD
+	COPY(pw_passwd, _PWF_PASSWD);
+#else
+	COPY(pw_passwd, 0);
+#endif
+	COPY(pw_class, 0);
+	COPY(pw_gecos, _PWF_GECOS);
+	COPY(pw_dir, _PWF_DIR);
+	COPY(pw_shell, _PWF_SHELL);
+#undef COPY
+#define COPY(field, flag) do {			\
+	if (template->pw_fields & flag)		\
+		pwd->field = template->field;	\
+} while (0)
+	COPY(pw_uid, _PWF_UID);
+	COPY(pw_gid, _PWF_GID);
+#undef COPY
+	free(copy);
+	return (0);
+}
 
-	rv = _pw_breakout_yp(pw, result, resultlen, _gotmaster);
-	free(result);
-	return(rv);
+
+static int
+compat_exclude(const char *name, DB **db)
+{
+	DBT	key, data;
+
+	if (*db == NULL &&
+	    (*db = dbopen(NULL, O_RDWR, 600, DB_HASH, 0)) == NULL)
+		return (errno);
+	key.size = strlen(name);
+	key.data = (char *)name;
+	data.size = 0;
+	data.data = NULL;
+
+	if ((*db)->put(*db, &key, &data, 0) == -1)
+		return (errno);
+	return (0);
 }
 
+
 static int
-_nextyppass(struct passwd *pw)
+compat_is_excluded(const char *name, DB *db)
 {
-	static char *key;
-	static int keylen;
-	char *lastkey, *result, *s;
-	int resultlen;
-	int rv;
-	char *map = "passwd.byname";
+	DBT	key, data;
+
+	if (db == NULL)
+		return (0);
+	key.size = strlen(name);
+	key.data = (char *)name;
+	return (db->get(db, &key, &data, 0) == 0);
+}
 
-	if(!_pw_yp_domain) {
-		if(yp_get_default_domain(&_pw_yp_domain))
-		  return 0;
+
+static int
+compat_redispatch(struct compat_state *st, enum nss_lookup_type how,
+    enum nss_lookup_type lookup_how, const char *name, const char *lookup_name,
+    uid_t uid, struct passwd *pwd, char *buffer, size_t bufsize, int *errnop)
+{
+	static const ns_src compatsrc[] = {
+#ifdef YP
+		{ NSSRC_NIS, NS_SUCCESS },
+#endif
+		{ NULL, 0 }
+	};
+	ns_dtab dtab[] = {
+#ifdef YP
+		{ NSSRC_NIS, nis_passwd, NULL },
+#endif
+#ifdef HESIOD
+		{ NSSRC_DNS, dns_passwd, NULL },
+#endif
+		{ NULL, NULL, NULL }
+	};
+	void		*discard;
+	int		 rv, e, i;
+
+	for (i = 0; i < sizeof(dtab)/sizeof(dtab[0]) - 1; i++)
+		dtab[i].mdata = (void *)lookup_how;
+more:
+	pwd_init(pwd);
+	switch (lookup_how) {
+	case nss_lt_all:
+		rv = _nsdispatch(&discard, dtab, NSDB_PASSWD_COMPAT,
+		    "getpwent_r", compatsrc, pwd, buffer, bufsize,
+		    errnop);
+		break;
+	case nss_lt_id:
+		rv = _nsdispatch(&discard, dtab, NSDB_PASSWD_COMPAT,
+		    "getpwuid_r", compatsrc, uid, pwd, buffer,
+		    bufsize, errnop);
+		break;
+	case nss_lt_name:
+		rv = _nsdispatch(&discard, dtab, NSDB_PASSWD_COMPAT,
+		    "getpwnam_r", compatsrc, lookup_name, pwd, buffer,
+		    bufsize, errnop);
+		break;
+	default:
+		return (NS_UNAVAIL);
+	}
+	if (rv != NS_SUCCESS)
+		return (rv);
+	if (compat_is_excluded(pwd->pw_name, st->exclude)) {
+		if (how == nss_lt_all)
+			goto more;
+		return (NS_NOTFOUND);
+	}
+	e = compat_use_template(pwd, &st->template, buffer, bufsize);
+	if (e != 0) {
+		*errnop = e;
+		if (e == ERANGE)
+			return (NS_RETURN);
+		else
+			return (NS_UNAVAIL);
 	}
+	switch (how) {
+	case nss_lt_name:
+		if (strcmp(name, pwd->pw_name) != 0)
+			return (NS_NOTFOUND);
+		break;
+	case nss_lt_id:
+		if (uid != pwd->pw_uid)
+			return (NS_NOTFOUND);
+		break;
+	default:
+		break;
+	}
+	return (NS_SUCCESS);
+}
 
-	if (_gotmaster == YP_HAVE_MASTER)
-		map = "master.passwd.byname";
 
-	if(!_pw_stepping_yp) {
-		if(key) free(key);
-			rv = yp_first(_pw_yp_domain, map,
-				      &key, &keylen, &result, &resultlen);
-		if(rv) {
-			return 0;
-		}
-		_pw_stepping_yp = 1;
-		goto unpack;
-	} else {
-tryagain:
-		lastkey = key;
-			rv = yp_next(_pw_yp_domain, map, key, keylen,
-			     &key, &keylen, &result, &resultlen);
-		free(lastkey);
-unpack:
-		if(rv) {
-			_pw_stepping_yp = 0;
-			return 0;
-		}
+static void
+compat_endstate(void *p)
+{
+	struct compat_state *st;
+
+	if (p == NULL)
+		return;
+	st = (struct compat_state *)p;
+	if (st->db != NULL)
+		st->db->close(st->db);
+	if (st->exclude != NULL)
+		st->exclude->close(st->exclude);
+	compat_clear_template(&st->template);
+	free(p);
+}
 
-		s = strchr(result, ':');
-		if (s) {
-			*s = '\0';
-		} else {
-			/* Must be a malformed entry if no colons. */
-			free(result);
-			goto tryagain;
-		}
 
-		if (lookup(result)) {
-			*s = ':';
-			free(result);
-			goto tryagain;
+static int
+compat_setpwent(void *retval, void *mdata, va_list ap)
+{
+	static const ns_src compatsrc[] = {
+#ifdef YP
+		{ NSSRC_NIS, NS_SUCCESS },
+#endif
+		{ NULL, 0 }
+	};
+	ns_dtab dtab[] = {
+#ifdef YP
+		{ NSSRC_NIS, nis_setpwent, NULL },
+#endif
+#ifdef HESIOD
+		{ NSSRC_DNS, dns_setpwent, NULL },
+#endif
+		{ NULL, NULL, NULL }
+	};
+	struct compat_state	*st;
+	int			 rv, stayopen;
+
+#define set_setent(x, y) do {	 				\
+	int i;							\
+								\
+	for (i = 0; i < (sizeof(x)/sizeof(x[0])) - 1; i++)	\
+		x[i].mdata = (void *)y;				\
+} while (0)
+
+	rv = compat_getstate(&st);
+	if (rv != 0)
+		return (NS_UNAVAIL);
+	switch ((enum constants)mdata) {
+	case SETPWENT:
+		stayopen = va_arg(ap, int);
+		st->keynum = 0;
+		if (stayopen)
+			st->db = pwdbopen(&st->version);
+		st->stayopen = stayopen;
+		set_setent(dtab, mdata);
+		_nsdispatch(NULL, dtab, NSDB_PASSWD_COMPAT, "setpwent",
+		    compatsrc, 0);
+		break;
+	case ENDPWENT:
+		if (st->db != NULL) {
+			st->db->close(st->db);
+			st->db = NULL;
 		}
+		set_setent(dtab, mdata);
+		_nsdispatch(NULL, dtab, NSDB_PASSWD_COMPAT, "endpwent",
+		    compatsrc, 0);
+		break;
+	default:
+		break;
+	}
+	return (NS_UNAVAIL);
+#undef set_setent
+}
+
 
-		*s = ':'; /* Put back the colon we previously replaced with a NUL. */
-		if (_pw_breakout_yp(pw, result, resultlen, _gotmaster)) {
-			free(result);
-			return(1);
+static int
+compat_passwd(void *retval, void *mdata, va_list ap)
+{
+	char			 keybuf[MAXLOGNAME + 1];
+	DBT			 key, entry;
+	struct compat_state	*st;
+	enum nss_lookup_type	 how;
+	const char		*name;
+	struct passwd		*pwd;
+	char			*buffer, *pw_name;
+	char			*host, *user, *domain;
+	size_t			 bufsize;
+	uid_t			 uid;
+	uint32_t		 store;
+	int			 rv, from_compat, stayopen, *errnop;
+
+	from_compat = 0;
+	name = NULL;
+	uid = (uid_t)-1;
+	how = (enum nss_lookup_type)mdata;
+	switch (how) {
+	case nss_lt_name:
+		name = va_arg(ap, const char *);
+		break;
+	case nss_lt_id:
+		uid = va_arg(ap, uid_t);
+		break;
+	case nss_lt_all:
+		break;
+	default:
+		rv = NS_NOTFOUND;
+		goto fin;
+	}
+	pwd = va_arg(ap, struct passwd *);
+	buffer = va_arg(ap, char *);
+	bufsize = va_arg(ap, size_t);
+	errnop = va_arg(ap, int *);
+	*errnop = compat_getstate(&st);
+	if (*errnop != 0)
+		return (NS_UNAVAIL);
+	if (how == nss_lt_all && st->keynum < 0) {
+		rv = NS_NOTFOUND;
+		goto fin;
+	}
+	if (st->db == NULL &&
+	    (st->db = pwdbopen(&st->version)) == NULL) {
+		*errnop = errno;
+		rv = NS_UNAVAIL;
+		goto fin;
+	}
+	if (how == nss_lt_all) {
+		if (st->keynum < 0) {
+			rv = NS_NOTFOUND;
+			goto fin;
+		}
+		stayopen = 1;
+	} else {
+		st->keynum = 0;
+		stayopen = st->stayopen;
+	}
+docompat:
+	rv = NS_NOTFOUND;
+	switch (st->compat) {
+	case COMPAT_MODE_ALL:
+		rv = compat_redispatch(st, how, how, name, name, uid, pwd,
+		    buffer, bufsize, errnop);
+		if (rv != NS_SUCCESS)
+			st->compat = COMPAT_MODE_OFF;
+		break;
+	case COMPAT_MODE_NETGROUP:
+		/* XXX getnetgrent is not thread-safe. */
+		do {
+			rv = getnetgrent(&host, &user, &domain);
+			if (rv == 0) {
+				endnetgrent();
+				st->compat = COMPAT_MODE_OFF;
+				rv = NS_NOTFOUND;
+				continue;
+			} else if (user == NULL || user[0] == '\0')
+				continue;
+			rv = compat_redispatch(st, how, nss_lt_name, name,
+			    user, uid, pwd, buffer, bufsize, errnop);
+		} while (st->compat == COMPAT_MODE_NETGROUP &&
+		    !(rv & NS_TERMINATE));
+		break;
+	case COMPAT_MODE_NAME:
+		rv = compat_redispatch(st, how, nss_lt_name, name, st->name,
+		    uid, pwd, buffer, bufsize, errnop);
+		free(st->name);
+		st->name = NULL;
+		st->compat = COMPAT_MODE_OFF;
+		break;
+	default:
+		break;
+	}
+	if (rv & NS_TERMINATE) {
+		from_compat = 1;
+		goto fin;
+	}
+	key.data = keybuf;
+	rv = NS_NOTFOUND;
+	while (st->keynum >= 0) {
+		st->keynum++;
+		if (st->version < _PWD_CURRENT_VERSION) {
+			memcpy(&keybuf[1], &st->keynum, sizeof(st->keynum));
+			key.size = sizeof(st->keynum) + 1;
 		} else {
-			free(result);
-			goto tryagain;
+			store = htonl(st->keynum);
+			memcpy(&keybuf[1], &store, sizeof(store));
+			key.size = sizeof(store) + 1;
+		}
+		keybuf[0] = _PW_VERSIONED(_PW_KEYBYNUM, st->version);
+		rv = st->db->get(st->db, &key, &entry, 0);
+		if (rv < 0 || rv > 1) { /* should never return > 1 */
+			*errnop = errno;
+			rv = NS_UNAVAIL;
+			goto fin;
+		} else if (rv == 1) {
+			st->keynum = -1;
+			rv = NS_NOTFOUND;
+			goto fin;
 		}
+		pw_name = (char *)entry.data;
+		switch (pw_name[0]) {
+		case '+':
+			switch (pw_name[1]) {
+			case '\0':
+				st->compat = COMPAT_MODE_ALL;
+				break;
+			case '@':
+				setnetgrent(&pw_name[2]);
+				st->compat = COMPAT_MODE_NETGROUP;
+				break;
+			default:
+				st->name = strdup(&pw_name[1]);
+				if (st->name == NULL) {
+					syslog(LOG_ERR,
+					 "getpwent memory allocation failure");
+					*errnop = ENOMEM;
+					rv = NS_UNAVAIL;
+					break;
+				}
+				st->compat = COMPAT_MODE_NAME;
+			}
+			if (entry.size > bufsize) {
+				*errnop = ERANGE;
+				rv = NS_RETURN;
+				goto fin;
+			}
+			memcpy(buffer, entry.data, entry.size);
+			rv = pwdb_versions[st->version].parse(buffer,
+			    entry.size, pwd, errnop);
+			if (rv != NS_SUCCESS)
+				;
+			else if (compat_set_template(pwd, &st->template) < 0) {
+				*errnop = ENOMEM;
+				rv = NS_UNAVAIL;
+				goto fin;
+			}
+			goto docompat;
+		case '-':
+			switch (pw_name[1]) {
+			case '\0':
+				/* XXX Maybe syslog warning */
+				continue;
+			case '@':
+				setnetgrent(&pw_name[2]);
+				while (getnetgrent(&host, &user, &domain) !=
+				    0) {
+					if (user != NULL && user[0] != '\0')
+						compat_exclude(user,
+						    &st->exclude);
+				}
+				endnetgrent();
+				continue;
+			default:
+				compat_exclude(&pw_name[1], &st->exclude);
+				continue;
+			}
+			break;
+		default:
+			break;
+		}
+		if (compat_is_excluded((char *)entry.data, st->exclude))
+			continue;
+		rv = pwdb_versions[st->version].match(entry.data, entry.size,
+		    how, name, uid);
+		if (rv == NS_RETURN)
+			break;
+		else if (rv != NS_SUCCESS)
+			continue;
+		if (entry.size > bufsize) {
+			*errnop = ERANGE;
+			rv = NS_RETURN;
+			break;
+		}
+		memcpy(buffer, entry.data, entry.size);
+		rv = pwdb_versions[st->version].parse(buffer, entry.size, pwd,
+		    errnop);
+		if (rv & NS_TERMINATE)
+			break;
+	}
+fin:
+	if (!stayopen && st->db != NULL) {
+		st->db->close(st->db);
+		st->db = NULL;
+	}
+	if (rv == NS_SUCCESS) {
+		if (!from_compat) {
+			pwd->pw_fields &= ~_PWF_SOURCE;
+			pwd->pw_fields |= _PWF_FILES;
+		}
+		if (retval != NULL)
+			*(struct passwd **)retval = pwd;
 	}
+	return (rv);
 }
 
-#endif /* YP */
+
+/*
+ * common passwd line matching and parsing
+ */
+int
+__pw_match_entry(const char *entry, size_t entrysize, enum nss_lookup_type how,
+    const char *name, uid_t uid)
+{
+	const char	*p, *eom;
+	char		*q;
+	size_t		 len;
+	unsigned long	 m;
+
+	eom = entry + entrysize;
+	for (p = entry; p < eom; p++)
+		if (*p == ':')
+			break;
+	if (*p != ':')
+		return (NS_NOTFOUND);
+	if (how == nss_lt_all)
+		return (NS_SUCCESS);
+	if (how == nss_lt_name) {
+		len = strlen(name);
+		if (len == (p - entry) && memcmp(name, entry, len) == 0)
+			return (NS_SUCCESS);
+		else
+			return (NS_NOTFOUND);
+	}
+	for (p++; p < eom; p++)
+		if (*p == ':')
+			break;
+	if (*p != ':')
+		return (NS_NOTFOUND);
+	m = strtoul(++p, &q, 10);
+	if (q[0] != ':' || (uid_t)m != uid)
+		return (NS_NOTFOUND);
+	else
+		return (NS_SUCCESS);
+}
+
+
+/* XXX buffer must be NUL-terminated.  errnop is not set correctly. */
+int
+__pw_parse_entry(char *buffer, size_t bufsize __unused, struct passwd *pwd,
+    int master, int *errnop __unused)
+{
+
+	if (__pw_scan(buffer, pwd, master ? _PWSCAN_MASTER : 0) == 0)
+		return (NS_NOTFOUND);
+	else
+		return (NS_SUCCESS);
+}
diff --git a/lib/libc/gen/getusershell.3 b/lib/libc/gen/getusershell.3
index 375db283ad..028f9b3e80 100644
--- a/lib/libc/gen/getusershell.3
+++ b/lib/libc/gen/getusershell.3
@@ -1,6 +1,4 @@
 .\"	$NetBSD: getusershell.3,v 1.6 1999/03/22 19:44:42 garbled Exp $
-.\"	$FreeBSD: src/lib/libc/gen/getusershell.3,v 1.5.2.4 2003/03/13 18:05:37 trhodes Exp $
-.\"	$DragonFly: src/lib/libc/gen/getusershell.3,v 1.2 2003/06/17 04:26:42 dillon Exp $
 .\"
 .\" Copyright (c) 1985, 1991, 1993
 .\"	The Regents of the University of California.  All rights reserved.
@@ -13,10 +11,6 @@
 .\" 2. Redistributions in binary form must reproduce the above copyright
 .\"    notice, this list of conditions and the following disclaimer in the
 .\"    documentation and/or other materials provided with the distribution.
-.\" 3. All advertising materials mentioning features or use of this software
-.\"    must display the following acknowledgement:
-.\"	This product includes software developed by the University of
-.\"	California, Berkeley and its contributors.
 .\" 4. Neither the name of the University nor the names of its contributors
 .\"    may be used to endorse or promote products derived from this software
 .\"    without specific prior written permission.
@@ -34,16 +28,17 @@
 .\" SUCH DAMAGE.
 .\"
 .\"     @(#)getusershell.3	8.1 (Berkeley) 6/4/93
-.\" $FreeBSD: src/lib/libc/gen/getusershell.3,v 1.5.2.4 2003/03/13 18:05:37 trhodes Exp $
+.\" $FreeBSD: src/lib/libc/gen/getusershell.3,v 1.12 2007/01/09 00:27:54 imp Exp $
+.\" $DragonFly: src/lib/libc/gen/getusershell.3,v 1.2 2003/06/17 04:26:42 dillon Exp $
 .\"
-.Dd June 4, 1993
+.Dd January 16, 1999
 .Dt GETUSERSHELL 3
 .Os
 .Sh NAME
 .Nm getusershell ,
 .Nm setusershell ,
 .Nm endusershell
-.Nd get legal user shells
+.Nd get valid user shells
 .Sh LIBRARY
 .Lb libc
 .Sh SYNOPSIS
@@ -88,6 +83,7 @@ The routine
 returns a null pointer (0) on
 .Dv EOF .
 .Sh SEE ALSO
+.Xr nsswitch.conf 5 ,
 .Xr shells 5
 .Sh HISTORY
 The
diff --git a/lib/libc/gen/getusershell.c b/lib/libc/gen/getusershell.c
index 6a6347ab46..e0a563eff6 100644
--- a/lib/libc/gen/getusershell.c
+++ b/lib/libc/gen/getusershell.c
@@ -10,10 +10,6 @@
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
  * 4. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
@@ -30,34 +26,49 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $FreeBSD: src/lib/libc/gen/getusershell.c,v 1.3.2.1 2001/03/05 09:17:52 obrien Exp $
- * $DragonFly: src/lib/libc/gen/getusershell.c,v 1.4 2005/11/13 00:07:42 swildner Exp $
- *
  * @(#)getusershell.c	8.1 (Berkeley) 6/4/93
- * $FreeBSD: src/lib/libc/gen/getusershell.c,v 1.3.2.1 2001/03/05 09:17:52 obrien Exp $
+ * $NetBSD: getusershell.c,v 1.17 1999/01/25 01:09:34 lukem Exp $
+ * $FreeBSD: src/lib/libc/gen/getusershell.c,v 1.10 2007/01/09 00:27:54 imp Exp $
+ * $DragonFly: src/lib/libc/gen/getusershell.c,v 1.4 2005/11/13 00:07:42 swildner Exp $
  */
 
+#include "namespace.h"
 #include <sys/param.h>
 #include <sys/file.h>
-#include <sys/stat.h>
 
 #include <ctype.h>
+#include <errno.h>
+#include <nsswitch.h>
+#include <paths.h>
 #include <stdio.h>
 #include <stdlib.h>
+#include <string.h>
+#include <stringlist.h>
 #include <unistd.h>
-#include <paths.h>
+
+#ifdef HESIOD
+#include <hesiod.h>
+#endif
+#ifdef YP
+#include <rpc/rpc.h>
+#include <rpcsvc/ypclnt.h>
+#include <rpcsvc/yp_prot.h>
+#endif
+#include "un-namespace.h"
 
 /*
  * Local shells should NOT be added here.  They should be added in
  * /etc/shells.
  */
 
-static char *okshells[] = { _PATH_BSHELL, _PATH_CSHELL, NULL };
-static char **curshell, **shells, *strings;
-static char **initshells (void);
+static const char *const okshells[] = { _PATH_BSHELL, _PATH_CSHELL, NULL };
+static const char *const *curshell;
+static StringList	 *sl;
+
+static const char *const *initshells(void);
 
 /*
- * Get a list of shells from _PATH_SHELLS, if it exists.
+ * Get a list of shells from "shells" nsswitch database
  */
 char *
 getusershell(void)
@@ -66,7 +77,8 @@ getusershell(void)
 
 	if (curshell == NULL)
 		curshell = initshells();
-	ret = *curshell;
+	/*LINTED*/
+	ret = (char *)*curshell;
 	if (ret != NULL)
 		curshell++;
 	return (ret);
@@ -75,13 +87,10 @@ getusershell(void)
 void
 endusershell(void)
 {
-
-	if (shells != NULL)
-		free(shells);
-	shells = NULL;
-	if (strings != NULL)
-		free(strings);
-	strings = NULL;
+	if (sl) {
+		sl_free(sl, 1);
+		sl = NULL;
+	}
 	curshell = NULL;
 }
 
@@ -92,49 +101,159 @@ setusershell(void)
 	curshell = initshells();
 }
 
-static char **
-initshells(void)
+
+static int	_local_initshells(void *, void *, va_list);
+
+/*ARGSUSED*/
+static int
+_local_initshells(void *rv, void *cb_data, va_list ap)
 {
-	char **sp, *cp;
-	FILE *fp;
-	struct stat statb;
-
-	if (shells != NULL)
-		free(shells);
-	shells = NULL;
-	if (strings != NULL)
-		free(strings);
-	strings = NULL;
+	char	*sp, *cp;
+	FILE	*fp;
+	char	 line[MAXPATHLEN + 2];
+
+	if (sl)
+		sl_free(sl, 1);
+	sl = sl_init();
+
 	if ((fp = fopen(_PATH_SHELLS, "r")) == NULL)
-		return (okshells);
-	if (fstat(fileno(fp), &statb) == -1) {
-		fclose(fp);
-		return (okshells);
-	}
-	if ((strings = malloc((u_int)statb.st_size)) == NULL) {
-		fclose(fp);
-		return (okshells);
-	}
-	shells = calloc((unsigned)statb.st_size / 3, sizeof (char *));
-	if (shells == NULL) {
-		fclose(fp);
-		free(strings);
-		strings = NULL;
-		return (okshells);
-	}
-	sp = shells;
-	cp = strings;
+		return NS_UNAVAIL;
+
+	sp = cp = line;
 	while (fgets(cp, MAXPATHLEN + 1, fp) != NULL) {
 		while (*cp != '#' && *cp != '/' && *cp != '\0')
 			cp++;
 		if (*cp == '#' || *cp == '\0')
 			continue;
-		*sp++ = cp;
-		while (!isspace((unsigned char)*cp) && *cp != '#' && *cp != '\0')
+		sp = cp;
+		while (!isspace(*cp) && *cp != '#' && *cp != '\0')
 			cp++;
 		*cp++ = '\0';
+		sl_add(sl, strdup(sp));
 	}
-	*sp = NULL;
 	fclose(fp);
-	return (shells);
+	return NS_SUCCESS;
+}
+
+#ifdef HESIOD
+static int	_dns_initshells(void *, void *, va_list);
+
+/*ARGSUSED*/
+static int
+_dns_initshells(void *rv, void *cb_data, va_list ap)
+{
+	char	  shellname[] = "shells-XXXXX";
+	int	  hsindex, hpi, r;
+	char	**hp;
+	void	 *context;
+
+	if (sl)
+		sl_free(sl, 1);
+	sl = sl_init();
+	r = NS_UNAVAIL;
+	if (hesiod_init(&context) == -1)
+		return (r);
+
+	for (hsindex = 0; ; hsindex++) {
+		snprintf(shellname, sizeof(shellname)-1, "shells-%d", hsindex);
+		hp = hesiod_resolve(context, shellname, "shells");
+		if (hp == NULL) {
+			if (errno == ENOENT) {
+				if (hsindex == 0)
+					r = NS_NOTFOUND;
+				else
+					r = NS_SUCCESS;
+			}
+			break;
+		} else {
+			for (hpi = 0; hp[hpi]; hpi++)
+				sl_add(sl, hp[hpi]);
+			free(hp);
+		}
+	}
+	hesiod_end(context);
+	return (r);
+}
+#endif /* HESIOD */
+
+#ifdef YP
+static int	_nis_initshells(void *, void *, va_list);
+
+/*ARGSUSED*/
+static int
+_nis_initshells(void *rv, void *cb_data, va_list ap)
+{
+	static char *ypdomain;
+	char	*key, *data;
+	char	*lastkey;
+	int	 keylen, datalen;
+	int	 r;
+
+	if (sl)
+		sl_free(sl, 1);
+	sl = sl_init();
+
+	if (ypdomain == NULL) {
+		switch (yp_get_default_domain(&ypdomain)) {
+		case 0:
+			break;
+		case YPERR_RESRC:
+			return NS_TRYAGAIN;
+		default:
+			return NS_UNAVAIL;
+		}
+	}
+
+	/*
+	 * `key' and `data' point to strings dynamically allocated by
+	 * the yp_... functions.
+	 * `data' is directly put into the stringlist of shells.
+	 */
+	key = data = NULL;
+	if (yp_first(ypdomain, "shells", &key, &keylen, &data, &datalen))
+		return NS_UNAVAIL;
+	do {
+		data[datalen] = '\0';		/* clear trailing \n */
+		sl_add(sl, data);
+
+		lastkey = key;
+		r = yp_next(ypdomain, "shells", lastkey, keylen,
+		    &key, &keylen, &data, &datalen);
+		free(lastkey);
+	} while (r == 0);
+
+	if (r == YPERR_NOMORE) {
+		/*
+		 * `data' and `key' ought to be NULL - do not try to free them.
+		 */
+		return NS_SUCCESS;
+	}
+
+	return NS_UNAVAIL;
+}
+#endif /* YP */
+
+static const char *const *
+initshells(void)
+{
+	static const ns_dtab dtab[] = {
+		NS_FILES_CB(_local_initshells, NULL)
+		NS_DNS_CB(_dns_initshells, NULL)
+		NS_NIS_CB(_nis_initshells, NULL)
+		{ 0 }
+	};
+	if (sl)
+		sl_free(sl, 1);
+	sl = sl_init();
+
+	if (_nsdispatch(NULL, dtab, NSDB_SHELLS, "initshells", __nsdefaultsrc)
+	    != NS_SUCCESS) {
+		if (sl)
+			sl_free(sl, 1);
+		sl = NULL;
+		return (okshells);
+	}
+	sl_add(sl, NULL);
+
+	return (const char *const *)(sl->sl_str);
 }
diff --git a/usr.sbin/pwd_mkdb/pw_scan.c b/lib/libc/gen/pw_scan.c
similarity index 65%
rename from usr.sbin/pwd_mkdb/pw_scan.c
rename to lib/libc/gen/pw_scan.c
index 21d591a41d..f894777d86 100644
--- a/usr.sbin/pwd_mkdb/pw_scan.c
+++ b/lib/libc/gen/pw_scan.c
@@ -10,10 +10,6 @@
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
  * 4. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
@@ -31,7 +27,7 @@
  * SUCH DAMAGE.
  *
  * @(#)pw_scan.c	8.3 (Berkeley) 4/2/94
- * $FreeBSD: src/usr.sbin/pwd_mkdb/pw_scan.c,v 1.14.2.1 2002/11/11 08:52:04 maxim Exp $
+ * $FreeBSD: src/lib/libc/gen/pw_scan.c,v 1.26 2007/01/09 00:27:55 imp Exp $
  * $DragonFly: src/usr.sbin/pwd_mkdb/pw_scan.c,v 1.3 2005/12/05 02:40:27 swildner Exp $
  */
 
@@ -55,17 +51,16 @@
 
 /*
  * Some software assumes that IDs are short.  We should emit warnings
- * for id's which can not be stored in a short, but we are more liberal
+ * for id's which cannot be stored in a short, but we are more liberal
  * by default, warning for IDs greater than USHRT_MAX.
  *
- * If pw_big_ids_warning is anything other than -1 on entry to pw_scan()
- * it will be set based on the existance of PW_SCAN_BIG_IDS in the
- * environment.
+ * If pw_big_ids_warning is -1 on entry to pw_scan(), it will be set based
+ * on the existence of PW_SCAN_BIG_IDS in the environment.
  */
-int	pw_big_ids_warning = -1;
+static int	pw_big_ids_warning = -1;
 
 int
-pw_scan(char *bp, struct passwd *pw)
+__pw_scan(char *bp, struct passwd *pw, int flags)
 {
 	uid_t id;
 	int root;
@@ -78,12 +73,13 @@ pw_scan(char *bp, struct passwd *pw)
 	if (!(pw->pw_name = strsep(&bp, ":")))		/* login */
 		goto fmt;
 	root = !strcmp(pw->pw_name, "root");
-	if(pw->pw_name[0] && (pw->pw_name[0] != '+' || pw->pw_name[1] == '\0'))
+	if (pw->pw_name[0] && (pw->pw_name[0] != '+' || pw->pw_name[1] == '\0'))
 		pw->pw_fields |= _PWF_NAME;
 
 	if (!(pw->pw_passwd = strsep(&bp, ":")))	/* passwd */
 		goto fmt;
-	if(pw->pw_passwd[0]) pw->pw_fields |= _PWF_PASSWD;
+	if (pw->pw_passwd[0])
+		pw->pw_fields |= _PWF_PASSWD;
 
 	if (!(p = strsep(&bp, ":")))			/* uid */
 		goto fmt;
@@ -91,24 +87,28 @@ pw_scan(char *bp, struct passwd *pw)
 		pw->pw_fields |= _PWF_UID;
 	else {
 		if (pw->pw_name[0] != '+' && pw->pw_name[0] != '-') {
-			warnx("no uid for user %s", pw->pw_name);
+			if (flags & _PWSCAN_WARN)
+				warnx("no uid for user %s", pw->pw_name);
 			return (0);
 		}
 	}
 	id = strtoul(p, &ep, 10);
 	if (errno == ERANGE) {
-		warnx("%s > max uid value (%lu)", p, ULONG_MAX);
+		if (flags & _PWSCAN_WARN)
+			warnx("%s > max uid value (%lu)", p, ULONG_MAX);
 		return (0);
 	}
 	if (*ep != '\0') {
-		warnx("%s uid is incorrect", p);
+		if (flags & _PWSCAN_WARN)
+			warnx("%s uid is incorrect", p);
 		return (0);
 	}
 	if (root && id) {
-		warnx("root uid should be 0");
+		if (flags & _PWSCAN_WARN)
+			warnx("root uid should be 0");
 		return (0);
 	}
-	if (pw_big_ids_warning && id > USHRT_MAX) {
+	if (flags & _PWSCAN_WARN && pw_big_ids_warning && id > USHRT_MAX) {
 		warnx("%s > recommended max uid value (%u)", p, USHRT_MAX);
 		/*return (0);*/ /* THIS SHOULD NOT BE FATAL! */
 	}
@@ -116,67 +116,83 @@ pw_scan(char *bp, struct passwd *pw)
 
 	if (!(p = strsep(&bp, ":")))			/* gid */
 		goto fmt;
-	if(p[0])
+	if (p[0])
 		pw->pw_fields |= _PWF_GID;
 	else {
 		if (pw->pw_name[0] != '+' && pw->pw_name[0] != '-') {
-			warnx("no gid for user %s", pw->pw_name);
+			if (flags & _PWSCAN_WARN)
+				warnx("no gid for user %s", pw->pw_name);
 			return (0);
 		}
 	}
 	id = strtoul(p, &ep, 10);
 	if (errno == ERANGE) {
-		warnx("%s > max gid value (%lu)", p, ULONG_MAX);
+		if (flags & _PWSCAN_WARN)
+			warnx("%s > max gid value (%lu)", p, ULONG_MAX);
 		return (0);
 	}
 	if (*ep != '\0') {
-		warnx("%s gid is incorrect", p);
+		if (flags & _PWSCAN_WARN)
+			warnx("%s gid is incorrect", p);
 		return (0);
 	}
-	if (pw_big_ids_warning && id > USHRT_MAX) {
+	if (flags & _PWSCAN_WARN && pw_big_ids_warning && id > USHRT_MAX) {
 		warnx("%s > recommended max gid value (%u)", p, USHRT_MAX);
 		/* return (0); This should not be fatal! */
 	}
 	pw->pw_gid = id;
 
-	pw->pw_class = strsep(&bp, ":");		/* class */
-	if(pw->pw_class[0]) pw->pw_fields |= _PWF_CLASS;
-
-	if (!(p = strsep(&bp, ":")))			/* change */
-		goto fmt;
-	if(p[0]) pw->pw_fields |= _PWF_CHANGE;
-	pw->pw_change = atol(p);
-
-	if (!(p = strsep(&bp, ":")))			/* expire */
-		goto fmt;
-	if(p[0]) pw->pw_fields |= _PWF_EXPIRE;
-	pw->pw_expire = atol(p);
-
+	if (flags & _PWSCAN_MASTER ) {
+		if (!(pw->pw_class = strsep(&bp, ":")))	/* class */
+			goto fmt;
+		if (pw->pw_class[0])
+			pw->pw_fields |= _PWF_CLASS;
+
+		if (!(p = strsep(&bp, ":")))		/* change */
+			goto fmt;
+		if (p[0])
+			pw->pw_fields |= _PWF_CHANGE;
+		pw->pw_change = atol(p);
+
+		if (!(p = strsep(&bp, ":")))		/* expire */
+			goto fmt;
+		if (p[0])
+			pw->pw_fields |= _PWF_EXPIRE;
+		pw->pw_expire = atol(p);
+	}
 	if (!(pw->pw_gecos = strsep(&bp, ":")))		/* gecos */
 		goto fmt;
-	if(pw->pw_gecos[0]) pw->pw_fields |= _PWF_GECOS;
+	if (pw->pw_gecos[0])
+		pw->pw_fields |= _PWF_GECOS;
 
-	if (!(pw->pw_dir = strsep(&bp, ":")))			/* directory */
+	if (!(pw->pw_dir = strsep(&bp, ":")))		/* directory */
 		goto fmt;
-	if(pw->pw_dir[0]) pw->pw_fields |= _PWF_DIR;
+	if (pw->pw_dir[0])
+		pw->pw_fields |= _PWF_DIR;
 
 	if (!(pw->pw_shell = strsep(&bp, ":")))		/* shell */
 		goto fmt;
 
 	p = pw->pw_shell;
-	if (root && *p)					/* empty == /bin/sh */
+	if (root && *p) {				/* empty == /bin/sh */
 		for (setusershell();;) {
 			if (!(sh = getusershell())) {
-				warnx("warning, unknown root shell");
+				if (flags & _PWSCAN_WARN)
+					warnx("warning, unknown root shell");
 				break;
 			}
 			if (!strcmp(p, sh))
 				break;
 		}
-	if(p[0]) pw->pw_fields |= _PWF_SHELL;
+		endusershell();
+	}
+	if (p[0])
+		pw->pw_fields |= _PWF_SHELL;
 
 	if ((p = strsep(&bp, ":"))) {			/* too many */
-fmt:		warnx("corrupted entry");
+fmt:
+		if (flags & _PWSCAN_WARN)
+			warnx("corrupted entry");
 		return (0);
 	}
 	return (1);
diff --git a/usr.sbin/pwd_mkdb/pw_scan.h b/lib/libc/gen/pw_scan.h
similarity index 78%
copy from usr.sbin/pwd_mkdb/pw_scan.h
copy to lib/libc/gen/pw_scan.h
index 8c2374f065..288a919b0b 100644
--- a/usr.sbin/pwd_mkdb/pw_scan.h
+++ b/lib/libc/gen/pw_scan.h
@@ -10,10 +10,6 @@
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
  * 4. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
@@ -31,11 +27,11 @@
  * SUCH DAMAGE.
  *
  *	@(#)pw_scan.h	8.1 (Berkeley) 4/1/94
- *
- *	$FreeBSD: src/usr.sbin/pwd_mkdb/pw_scan.h,v 1.2 1999/11/15 16:45:37 sheldonh Exp $
- *	$DragonFly: src/usr.sbin/pwd_mkdb/pw_scan.h,v 1.3 2003/11/03 19:31:41 eirikn Exp $
+ * $FreeBSD: src/lib/libc/gen/pw_scan.h,v 1.7 2007/01/09 00:27:55 imp Exp $
+ * $DragonFly: src/usr.sbin/pwd_mkdb/pw_scan.h,v 1.3 2003/11/03 19:31:41 eirikn Exp $
  */
 
-extern int	pw_big_ids_warning;
+#define _PWSCAN_MASTER 0x01
+#define _PWSCAN_WARN   0x02
 
-extern int	pw_scan(char *, struct passwd *);
+extern int	__pw_scan(char *, struct passwd *, int);
diff --git a/lib/libc/gen/pwcache.3 b/lib/libc/gen/pwcache.3
index 86f330fa8b..6c69b7c2ca 100644
--- a/lib/libc/gen/pwcache.3
+++ b/lib/libc/gen/pwcache.3
@@ -9,10 +9,6 @@
 .\" 2. Redistributions in binary form must reproduce the above copyright
 .\"    notice, this list of conditions and the following disclaimer in the
 .\"    documentation and/or other materials provided with the distribution.
-.\" 3. All advertising materials mentioning features or use of this software
-.\"    must display the following acknowledgement:
-.\"	This product includes software developed by the University of
-.\"	California, Berkeley and its contributors.
 .\" 4. Neither the name of the University nor the names of its contributors
 .\"    may be used to endorse or promote products derived from this software
 .\"    without specific prior written permission.
@@ -30,10 +26,10 @@
 .\" SUCH DAMAGE.
 .\"
 .\"     @(#)pwcache.3	8.1 (Berkeley) 6/9/93
-.\" $FreeBSD: src/lib/libc/gen/pwcache.3,v 1.6.2.4 2001/12/14 18:33:51 ru Exp $
+.\" $FreeBSD: src/lib/libc/gen/pwcache.3,v 1.15 2007/01/09 00:27:55 imp Exp $
 .\" $DragonFly: src/lib/libc/gen/pwcache.3,v 1.2 2003/06/17 04:26:42 dillon Exp $
 .\"
-.Dd June 9, 1993
+.Dd March 22, 2002
 .Dt PWCACHE 3
 .Os
 .Sh NAME
@@ -42,11 +38,12 @@
 .Sh LIBRARY
 .Lb libc
 .Sh SYNOPSIS
-.In stdlib.h
-.Ft char *
-.Fn user_from_uid "unsigned long uid" "int nouser"
-.Ft char *
-.Fn group_from_gid "unsigned long gid" "int nogroup"
+.In pwd.h
+.Ft const char *
+.Fn user_from_uid "uid_t uid" "int nouser"
+.In grp.h
+.Ft const char *
+.Fn group_from_gid "gid_t gid" "int nogroup"
 .Sh DESCRIPTION
 The
 .Fn user_from_uid
diff --git a/lib/libc/gen/pwcache.c b/lib/libc/gen/pwcache.c
index 1f35db45e6..3c6133442a 100644
--- a/lib/libc/gen/pwcache.c
+++ b/lib/libc/gen/pwcache.c
@@ -31,12 +31,14 @@
  * SUCH DAMAGE.
  *
  * @(#)pwcache.c	8.1 (Berkeley) 6/4/93
+ * $FreeBSD: src/lib/libc/gen/pwcache.c,v 1.10 2002/03/22 02:35:47 imp Exp $
  * $DragonFly: src/lib/libc/gen/pwcache.c,v 1.5 2005/11/13 00:07:42 swildner Exp $
  */
 
+#include <sys/types.h>
+
 #include <grp.h>
 #include <pwd.h>
-#include <stdlib.h>
 #include <stdio.h>
 #include <string.h>
 #include <utmp.h>
@@ -44,7 +46,7 @@
 #define	NCACHE	64			/* power of 2 */
 #define	MASK	(NCACHE - 1)		/* bits to store with */
 
-char *
+const char *
 user_from_uid(uid_t uid, int nouser)
 {
 	static struct ncache {
@@ -78,7 +80,7 @@ user_from_uid(uid_t uid, int nouser)
 	return ((nouser && !cp->found) ? NULL : cp->name);
 }
 
-char *
+const char *
 group_from_gid(gid_t gid, int nogroup)
 {
 	static struct ncache {
diff --git a/lib/libc/include/namespace.h b/lib/libc/include/namespace.h
index 508fcd8dd6..0e5646fd03 100644
--- a/lib/libc/include/namespace.h
+++ b/lib/libc/include/namespace.h
@@ -31,6 +31,12 @@
 #ifndef _NAMESPACE_H_
 #define _NAMESPACE_H_
 
+/*
+ * ISO C (C90) section.  Most names in libc aren't in ISO C, so they
+ * should be here.  Most aren't here...
+ */
+#define		nsdispatch			_nsdispatch
+
 /*
  * Prototypes for syscalls/functions that need to be overridden
  * in libc_r/libpthread.
diff --git a/lib/libc/include/nscache.h b/lib/libc/include/nscache.h
new file mode 100644
index 0000000000..c8bbdb4592
--- /dev/null
+++ b/lib/libc/include/nscache.h
@@ -0,0 +1,197 @@
+/*-
+ * Copyright (c) 2005 Michael Bushkov <bushman@rsu.ru>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD: src/lib/libc/include/nscache.h,v 1.1 2006/04/28 12:03:35 ume Exp $
+ */
+
+#ifndef __NS_CACHE_H__
+#define __NS_CACHE_H__
+
+#include "nscachedcli.h"
+
+typedef int (*nss_cache_id_func_t)(char *, size_t *, va_list, void *);
+typedef int (*nss_cache_marshal_func_t)(char *, size_t *, void *, va_list,
+	void *);
+typedef int (*nss_cache_unmarshal_func_t)(char *, size_t, void *, va_list,
+	void *);
+
+typedef	void (*nss_set_mp_ws_func_t)(cached_mp_write_session);
+typedef	cached_mp_write_session	(*nss_get_mp_ws_func_t)(void);
+
+typedef void (*nss_set_mp_rs_func_t)(cached_mp_read_session);
+typedef cached_mp_read_session	(*nss_get_mp_rs_func_t)(void);
+
+typedef struct _nss_cache_info {
+	char	*entry_name;
+	void	*mdata;
+
+	/*
+	 * These 3 functions should be implemented specifically for each
+	 * nsswitch database.
+	 */
+	nss_cache_id_func_t id_func;	/* marshals the request parameters */
+	nss_cache_marshal_func_t marshal_func;	   /* marshals response */
+	nss_cache_unmarshal_func_t unmarshal_func; /* unmarshals response */
+
+	/*
+	 * These 4 functions should be generated with NSS_MP_CACHE_HANDLING
+	 * macro.
+	 */
+	nss_set_mp_ws_func_t set_mp_ws_func; /* sets current write session */
+	nss_get_mp_ws_func_t get_mp_ws_func; /* gets current write session */
+
+	nss_set_mp_rs_func_t set_mp_rs_func; /* sets current read session */
+	nss_get_mp_rs_func_t get_mp_rs_func; /* gets current read session */
+} nss_cache_info;
+
+/*
+ * NSS_MP_CACHE_HANDLING implements the set_mp_ws, get_mp_ws, set_mp_rs,
+ * get_mp_rs functions, that are used in _nss_cache_info. It uses
+ * NSS_TLS_HANDLING macro to organize thread local storage.
+ */
+#define NSS_MP_CACHE_HANDLING(name)					\
+struct name##_mp_state {						\
+	cached_mp_write_session	mp_write_session;			\
+	cached_mp_read_session	mp_read_session;			\
+};									\
+									\
+static void								\
+name##_mp_endstate(void *s) {						\
+	struct name##_mp_state	*mp_state;				\
+									\
+	mp_state = (struct name##_mp_state *)s;				\
+	if (mp_state->mp_write_session != INVALID_CACHED_MP_WRITE_SESSION)\
+		__abandon_cached_mp_write_session(mp_state->mp_write_session);\
+									\
+	if (mp_state->mp_read_session != INVALID_CACHED_MP_READ_SESSION)\
+		__close_cached_mp_read_session(mp_state->mp_read_session);\
+}									\
+NSS_TLS_HANDLING(name##_mp);						\
+									\
+static void								\
+name##_set_mp_ws(cached_mp_write_session ws)				\
+{									\
+	struct name##_mp_state	*mp_state;				\
+	int	res;							\
+									\
+	res = name##_mp_getstate(&mp_state);				\
+	if (res != 0)							\
+		return;							\
+									\
+	mp_state->mp_write_session = ws;				\
+}									\
+									\
+static cached_mp_write_session						\
+name##_get_mp_ws(void)							\
+{									\
+	struct name##_mp_state	*mp_state;				\
+	int	res;							\
+									\
+	res = name##_mp_getstate(&mp_state);				\
+	if (res != 0)							\
+		return (INVALID_CACHED_MP_WRITE_SESSION);		\
+									\
+	return (mp_state->mp_write_session);				\
+}									\
+									\
+static void								\
+name##_set_mp_rs(cached_mp_read_session rs)				\
+{									\
+	struct name##_mp_state	*mp_state;				\
+	int	res;							\
+									\
+	res = name##_mp_getstate(&mp_state);				\
+	if (res != 0)							\
+		return;							\
+									\
+	mp_state->mp_read_session = rs;					\
+}									\
+									\
+static cached_mp_read_session						\
+name##_get_mp_rs(void)							\
+{									\
+	struct name##_mp_state	*mp_state;				\
+	int	res;							\
+									\
+	res = name##_mp_getstate(&mp_state);				\
+	if (res != 0)							\
+		return (INVALID_CACHED_MP_READ_SESSION);		\
+									\
+	return (mp_state->mp_read_session);				\
+}
+
+/*
+ * These macros should be used to initialize _nss_cache_info structure. For
+ * multipart queries in setXXXent and getXXXent functions mf and uf
+ * (marshal function and unmarshal function) should be both NULL.
+ */
+#define NS_COMMON_CACHE_INFO_INITIALIZER(name, mdata, if, mf, uf)	\
+	{#name, mdata, if, mf, uf, NULL, NULL, NULL, NULL}
+#define NS_MP_CACHE_INFO_INITIALIZER(name, mdata, mf, uf)		\
+	{#name, mdata, NULL, mf, uf, name##_set_mp_ws, name##_get_mp_ws,\
+		name##_set_mp_rs, name##_get_mp_rs }
+
+/*
+ * Analog of other XXX_CB macros. Has the pointer to _nss_cache_info
+ * structure as the only argument.
+ */
+#define NS_CACHE_CB(cinfo) {NSSRC_CACHE, __nss_cache_handler, (void *)(cinfo) },
+
+/* args are: current pointer, current buffer, initial buffer, pointer type */
+#define NS_APPLY_OFFSET(cp, cb, ib, p_type)				\
+	if ((cp) != NULL)						\
+		(cp) = (p_type)((char *)(cb) + (size_t)(cp) - (size_t)(ib))
+/*
+ * Gets new pointer from the marshalled buffer by uisng initial address
+ * and initial buffer address
+ */
+#define NS_GET_NEWP(cp, cb, ib)						\
+	((char *)(cb) + (size_t)(cp) - (size_t)(ib))
+
+typedef struct _nss_cache_data {
+	char	*key;
+	size_t	key_size;
+
+	nss_cache_info const	*info;
+} nss_cache_data;
+
+__BEGIN_DECLS
+/* dummy function, which is needed to make nss_method_lookup happy */
+extern	int	__nss_cache_handler(void *, void *, va_list);
+
+#ifdef _NS_PRIVATE
+extern	int	__nss_common_cache_read(void *, void *, va_list);
+extern	int	__nss_common_cache_write(void *, void *, va_list);
+extern	int	__nss_common_cache_write_negative(void *);
+
+extern	int	__nss_mp_cache_read(void *, void *, va_list);
+extern	int	__nss_mp_cache_write(void *, void *, va_list);
+extern	int	__nss_mp_cache_write_submit(void *, void *, va_list);
+extern	int	__nss_mp_cache_end(void *, void *, va_list);
+#endif /* _NS_PRIVATE */
+
+__END_DECLS
+
+#endif
diff --git a/lib/libc/include/nscachedcli.h b/lib/libc/include/nscachedcli.h
new file mode 100644
index 0000000000..329f42b964
--- /dev/null
+++ b/lib/libc/include/nscachedcli.h
@@ -0,0 +1,107 @@
+/*-
+ * Copyright (c) 2004 Michael Bushkov <bushman@rsu.ru>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD: src/lib/libc/include/nscachedcli.h,v 1.1 2006/04/28 12:03:35 ume Exp $
+ */
+
+#ifndef __NS_CACHED_CLI_H__
+#define __NS_CACHED_CLI_H__
+
+/*
+ * This file contains API for working with caching daemon
+ */
+
+enum comm_element_t {
+	CET_UNDEFINED = 0,
+	CET_WRITE_REQUEST = 1,
+	CET_WRITE_RESPONSE = 2,
+	CET_READ_REQUEST = 3,
+	CET_READ_RESPONSE = 4,
+	CET_TRANSFORM_REQUEST = 5,
+	CET_TRANSFORM_RESPONSE = 6,
+	CET_MP_WRITE_SESSION_REQUEST = 7,
+	CET_MP_WRITE_SESSION_RESPONSE = 8,
+	CET_MP_WRITE_SESSION_WRITE_REQUEST = 9,
+	CET_MP_WRITE_SESSION_WRITE_RESPONSE = 10,
+	CET_MP_WRITE_SESSION_CLOSE_NOTIFICATION = 11,
+	CET_MP_WRITE_SESSION_ABANDON_NOTIFICATION = 12,
+	CET_MP_READ_SESSION_REQUEST = 13,
+	CET_MP_READ_SESSION_RESPONSE = 14,
+	CET_MP_READ_SESSION_READ_REQUEST = 15,
+	CET_MP_READ_SESSION_READ_RESPONSE = 16,
+	CET_MP_READ_SESSION_CLOSE_NOTIFICATION = 17
+};
+
+struct cached_connection_params {
+	char	*socket_path;
+	struct	timeval	timeout;
+};
+
+struct cached_connection_ {
+	int	sockfd;
+	int	read_queue;
+	int	write_queue;
+
+	int	mp_flag;	/* shows if the connection is used for
+				 * multipart operations */
+};
+
+/* simple abstractions for not to write "struct" every time */
+typedef struct cached_connection_	*cached_connection;
+typedef struct cached_connection_	*cached_mp_write_session;
+typedef struct cached_connection_	*cached_mp_read_session;
+
+#define	INVALID_CACHED_CONNECTION	(NULL)
+#define	INVALID_CACHED_MP_WRITE_SESSION	(NULL)
+#define	INVALID_CACHED_MP_READ_SESSION	(NULL)
+
+__BEGIN_DECLS
+
+/* initialization/destruction routines */
+extern	cached_connection __open_cached_connection(
+	struct cached_connection_params const *);
+extern	void __close_cached_connection(cached_connection);
+
+/* simple read/write operations */
+extern	int __cached_write(cached_connection, const char *, const char *,
+	size_t, const char *, size_t);
+extern	int __cached_read(cached_connection, const char *, const char *,
+	size_t, char *, size_t *);
+
+/* multipart read/write operations */
+extern	cached_mp_write_session __open_cached_mp_write_session(
+	struct cached_connection_params const *, const char *);
+extern	int __cached_mp_write(cached_mp_write_session, const char *, size_t);
+extern	int __abandon_cached_mp_write_session(cached_mp_write_session);
+extern	int __close_cached_mp_write_session(cached_mp_write_session);
+
+extern	cached_mp_read_session __open_cached_mp_read_session(
+	struct cached_connection_params const *, const char *);
+extern	int __cached_mp_read(cached_mp_read_session, char *, size_t *);
+extern	int __close_cached_mp_read_session(cached_mp_read_session);
+
+__END_DECLS
+
+#endif
diff --git a/lib/libc/include/nss_tls.h b/lib/libc/include/nss_tls.h
new file mode 100644
index 0000000000..cd623b00d4
--- /dev/null
+++ b/lib/libc/include/nss_tls.h
@@ -0,0 +1,80 @@
+/*-
+ * Copyright (c) 2003 Networks Associates Technology, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by
+ * Jacques A. Vidrine, Safeport Network Services, and Network
+ * Associates Laboratories, the Security Research Division of Network
+ * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
+ * ("CBOSS"), as part of the DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD: src/lib/libc/include/nss_tls.h,v 1.3 2004/03/30 15:56:15 nectar Exp $
+ *
+ * Macros which generate thread local storage handling code in NSS modules.
+ */
+#ifndef _NSS_TLS_H_
+#define _NSS_TLS_H_
+
+#define NSS_TLS_HANDLING(name)					\
+static pthread_key_t name##_state_key;				\
+static	void	 name##_keyinit(void);				\
+static	int	 name##_getstate(struct name##_state **);	\
+\
+static void								\
+name##_keyinit(void)							\
+{									\
+	_pthread_key_create(&name##_state_key, name##_endstate);	\
+}									\
+\
+static int							\
+name##_getstate(struct name##_state **p)			\
+{								\
+	static struct name##_state st;				\
+	static pthread_once_t	keyinit = PTHREAD_ONCE_INIT;	\
+	int			rv;				\
+								\
+	if (!__isthreaded || _pthread_main_np() != 0) {		\
+		*p = &st;					\
+		return (0);					\
+	}							\
+	rv = _pthread_once(&keyinit, name##_keyinit);		\
+	if (rv != 0)						\
+		return (rv);					\
+	*p = _pthread_getspecific(name##_state_key);		\
+	if (*p != NULL)						\
+		return (0);					\
+	*p = calloc(1, sizeof(**p));				\
+	if (*p == NULL)						\
+		return (ENOMEM);				\
+	rv = _pthread_setspecific(name##_state_key, *p);	\
+	if (rv != 0) {						\
+		free(*p);					\
+		*p = NULL;					\
+	}							\
+	return (rv);						\
+}								\
+/* allow the macro invocation to end with a semicolon */	\
+struct _clashproof_bmVjdGFy
+
+#endif /* _NSS_TLS_H_ */
diff --git a/lib/libc/include/un-namespace.h b/lib/libc/include/un-namespace.h
index 8b20b57ea6..0407dbc7fd 100644
--- a/lib/libc/include/un-namespace.h
+++ b/lib/libc/include/un-namespace.h
@@ -246,5 +246,7 @@ int		_kevent(int, const struct kevent *, int, struct kevent *,
 int		_flock(int, int);
 #endif
 
+#undef		nsdispatch
+
 #endif	/* _UN_NAMESPACE_H_ */
 
diff --git a/lib/libc/net/Makefile.inc b/lib/libc/net/Makefile.inc
index 8c575fc17d..7b883781b0 100644
--- a/lib/libc/net/Makefile.inc
+++ b/lib/libc/net/Makefile.inc
@@ -9,20 +9,35 @@ SRCS+=	addr2ascii.c ascii2addr.c base64.c ether_addr.c eui64.c getaddrinfo.c \
 	gethostbydns.c gethostbyht.c gethostbynis.c gethostnamadr.c \
 	getifaddrs.c getnameinfo.c \
 	getnetbydns.c getnetbyht.c getnetbynis.c getnetnamadr.c \
-	getproto.c getprotoent.c getprotoname.c getservbyname.c \
-	getservbyport.c getservent.c herror.c inet_addr.c \
+	getproto.c getprotoent.c getprotoname.c \
+	getservent.c herror.c inet_addr.c \
 	if_indextoname.c if_nameindex.c if_nametoindex.c inet_lnaof.c \
 	inet_makeaddr.c inet_net_ntop.c inet_net_pton.c inet_neta.c \
 	inet_netof.c inet_network.c inet_ntoa.c inet_ntop.c \
 	inet_pton.c ip6opt.c linkaddr.c map_v4v6.c name6.c ns_addr.c \
 	ns_name.c ns_netint.c \
 	ns_ntoa.c ns_parse.c ns_print.c ns_ttl.c nsap_addr.c \
+	nsdispatch.c nslexer.c nsparser.y nss_compat.c \
 	rcmd.c rcmdsh.c recv.c res_comp.c res_data.c res_debug.c \
 	res_init.c res_mkquery.c res_mkupdate.c res_query.c res_send.c \
 	res_update.c rthdr.c send.c vars.c
 # not supported: iso_addr.c 
 
-CFLAGS+=-DINET6
+# This isn't ready yet.
+#.if !defined(NO_NS_CACHING)
+#SRCS+=	nscache.c nscachedcli.c
+#.endif
+
+CFLAGS+=-DINET6 -I${.OBJDIR}
+
+YFLAGS+=-p_nsyy
+LFLAGS+=-P_nsyy
+
+CLEANFILES+=nslexer.c
+
+nslexer.c: nslexer.l
+	${LEX} ${LFLAGS} -o/dev/stdout ${.IMPSRC} | \
+		sed -e '/YY_BUF_SIZE/s/16384/1024/' >${.TARGET}
 
 # machine-dependent net sources
 .include "${.CURDIR}/../libc/${MACHINE_ARCH}/net/Makefile.inc"
@@ -34,7 +49,7 @@ MAN+=	addr2ascii.3 byteorder.3 ethers.3 eui64.3 \
 	getnameinfo.3 getnetent.3 getprotoent.3 getservent.3 if_indextoname.3 \
 	inet.3 inet_net.3 \
 	inet6_opt_init.3 inet6_option_space.3 inet6_rth_space.3 \
-	inet6_rthdr_space.3 linkaddr.3 \
+	inet6_rthdr_space.3 linkaddr.3 nsdispatch.3 \
 	rcmd.3 rcmdsh.3 resolver.3
 # not installed: iso_addr.3 ns.3
 
@@ -99,3 +114,8 @@ MLINKS+=resolver.3 dn_comp.3 resolver.3 dn_expand.3 resolver.3 res_init.3 \
 	resolver.3 res_mkquery.3 resolver.3 res_query.3 \
 	resolver.3 res_search.3 resolver.3 res_send.3
 .endif
+
+.if defined(WANT_HESIOD)
+SRCS+=	hesiod.c
+MAN+=	hesiod.3
+.endif
diff --git a/lib/libc/net/getaddrinfo.c b/lib/libc/net/getaddrinfo.c
index a389aa176e..cde711cf97 100644
--- a/lib/libc/net/getaddrinfo.c
+++ b/lib/libc/net/getaddrinfo.c
@@ -81,7 +81,6 @@
 #include <unistd.h>
 #include <stdio.h>
 #include <errno.h>
-#include "un-namespace.h"
 
 #include "res_config.h"
 
@@ -89,6 +88,14 @@
 #include <syslog.h>
 #endif
 
+#include <stdarg.h>
+#include <nsswitch.h>
+#include "un-namespace.h"
+#include "libc_private.h"
+#ifdef NS_CACHING
+#include "nscache.h"
+#endif
+
 #if defined(__KAME__) && defined(INET6)
 # define FAITH
 #endif
@@ -170,6 +177,12 @@ static const struct explore explore[] = {
 #define PTON_MAX	4
 #endif
 
+static const ns_src default_dns_files[] = {
+	{ NSSRC_FILES, 	NS_SUCCESS },
+	{ NSSRC_DNS, 	NS_SUCCESS },
+	{ 0 }
+};
+
 #define MAXPACKET	(64*1024)
 
 typedef union {
@@ -209,15 +222,19 @@ static int ip6_str2scopeid (char *, struct sockaddr_in6 *, u_int32_t *);
 
 static struct addrinfo *getanswer (const querybuf *, int, const char *,
 	int, const struct addrinfo *);
-static int _dns_getaddrinfo (const struct addrinfo *, const char *,
-	struct addrinfo **);
-static struct addrinfo *_gethtent (FILE *fp, const char *,
-	const struct addrinfo *);
-static int _files_getaddrinfo (const struct addrinfo *, const char *,
-	struct addrinfo **);
+static int _dns_getaddrinfo (void *, void *, va_list);
+static void _sethtent (void);
+static void _endhtent (void);
+static struct addrinfo *_gethtent (const char *, const struct addrinfo *);
+static int _files_getaddrinfo (void *, void *, va_list);
 #ifdef YP
-static int _nis_getaddrinfo (const struct addrinfo *, const char *,
-	struct addrinfo **);
+static struct addrinfo *_yphostent (char *, const struct addrinfo *);
+static int _yp_getaddrinfo (void *, void *, va_list);
+#endif
+#ifdef NS_CACHING
+static int addrinfo_id_func(char *, size_t *, va_list, void *);
+static int addrinfo_marshal_func(char *, size_t *, void *, va_list, void *);
+static int addrinfo_unmarshal_func(char *, size_t, void *, va_list, void *);
 #endif
 
 static int res_queryN (const char *, struct res_target *);
@@ -244,34 +261,7 @@ static const char *ai_errlist[] = {
 	"Unknown error", 				/* EAI_MAX        */
 };
 
-/*
- * Select order host function.
- */
-#define	MAXHOSTCONF	4
-
-#ifndef HOSTCONF
-#  define	HOSTCONF	"/etc/host.conf"
-#endif /* !HOSTCONF */
-
-struct _hostconf {
-	int (*byname)(const struct addrinfo *, const char *,
-		      struct addrinfo **);
-};
-
-/* default order */
-static struct _hostconf _hostconf[MAXHOSTCONF] = {
-	_dns_getaddrinfo,
-	_files_getaddrinfo,
-#ifdef ICMPNL
-	NULL,
-#endif /* ICMPNL */
-};
-
-static int	_hostconf_init_done;
-static void	_hostconf_init(void);
-
 /* Make getaddrinfo() thread-safe in libc for use with kernel threads. */
-#include "libc_private.h"
 #include "spinlock.h"
 /*
  * XXX: Our res_*() is not thread-safe.  So, we share lock between
@@ -585,82 +575,6 @@ getaddrinfo(const char *hostname, const char *servname,
 	return error;
 }
 
-static char *
-_hgetword(char **pp)
-{
-	char c, *p, *ret;
-	const char *sp;
-	static const char sep[] = "# \t\n";
-
-	ret = NULL;
-	for (p = *pp; (c = *p) != '\0'; p++) {
-		for (sp = sep; *sp != '\0'; sp++) {
-			if (c == *sp)
-				break;
-		}
-		if (c == '#')
-			p[1] = '\0';	/* ignore rest of line */
-		if (ret == NULL) {
-			if (*sp == '\0')
-				ret = p;
-		} else {
-			if (*sp != '\0') {
-				*p++ = '\0';
-				break;
-			}
-		}
-	}
-	*pp = p;
-	if (ret == NULL || *ret == '\0')
-		return NULL;
-	return ret;
-}
-
-/*
- * Initialize hostconf structure.
- */
-
-static void
-_hostconf_init(void)
-{
-	FILE *fp;
-	int n;
-	char *p, *line;
-	char buf[BUFSIZ];
-
-	_hostconf_init_done = 1;
-	n = 0;
-	p = HOSTCONF;
-	if ((fp = fopen(p, "r")) == NULL)
-		return;
-	while (n < MAXHOSTCONF && fgets(buf, sizeof(buf), fp)) {
-		line = buf;
-		if ((p = _hgetword(&line)) == NULL)
-			continue;
-		do {
-			if (strcmp(p, "hosts") == 0
-			||  strcmp(p, "local") == 0
-			||  strcmp(p, "file") == 0
-			||  strcmp(p, "files") == 0)
-				_hostconf[n++].byname = _files_getaddrinfo;
-			else if (strcmp(p, "dns") == 0
-			     ||  strcmp(p, "bind") == 0)
-				_hostconf[n++].byname = _dns_getaddrinfo;
-#ifdef YP
-			else if (strcmp(p, "nis") == 0)
-				_hostconf[n++].byname = _nis_getaddrinfo;
-#endif
-		} while ((p = _hgetword(&line)) != NULL);
-	}
-	fclose(fp);
-	if (n < 0) {
-		/* no keyword found. do not change default configuration */
-		return;
-	}
-	for (; n < MAXHOSTCONF; n++)
-		_hostconf[n].byname = NULL;
-}
-
 /*
  * FQDN hostname, DNS lookup
  */
@@ -670,10 +584,25 @@ explore_fqdn(const struct addrinfo *pai, const char *hostname,
 {
 	struct addrinfo *result;
 	struct addrinfo *cur;
-	int error = 0, i;
+	int error = 0;
+
+#ifdef NS_CACHING
+	static const nss_cache_info cache_info =
+	NS_COMMON_CACHE_INFO_INITIALIZER(
+		hosts, NULL, addrinfo_id_func, addrinfo_marshal_func,
+		addrinfo_unmarshal_func);
+#endif
+	static const ns_dtab dtab[] = {
+		NS_FILES_CB(_files_getaddrinfo, NULL)
+		{ NSSRC_DNS, _dns_getaddrinfo, NULL },	/* force -DHESIOD */
+		NS_NIS_CB(_yp_getaddrinfo, NULL)
+#ifdef NS_CACHING
+		NS_CACHE_CB(&cache_info)
+#endif
+		{ 0 }
+	};
 
 	result = NULL;
-	*res = NULL;
 
 	THREAD_LOCK();
 
@@ -685,24 +614,31 @@ explore_fqdn(const struct addrinfo *pai, const char *hostname,
 		return 0;
 	}
 
-	if (!_hostconf_init_done)
-		_hostconf_init();
-
-	for (i = 0; i < MAXHOSTCONF; i++) {
-		if (!_hostconf[i].byname)
-			continue;
-		error = (*_hostconf[i].byname)(pai, hostname, &result);
-		if (error != 0)
-			continue;
+	switch (nsdispatch(&result, dtab, NSDB_HOSTS, "getaddrinfo",
+			default_dns_files, hostname, pai)) {
+	case NS_TRYAGAIN:
+		error = EAI_AGAIN;
+		goto free;
+	case NS_UNAVAIL:
+		error = EAI_FAIL;
+		goto free;
+	case NS_NOTFOUND:
+		error = EAI_NODATA;
+		goto free;
+	case NS_SUCCESS:
+		error = 0;
 		for (cur = result; cur; cur = cur->ai_next) {
 			GET_PORT(cur, servname);
 			/* canonname should be filled already */
 		}
 		THREAD_UNLOCK();
-		*res = result;
-		return 0;
+		break;
 	}
 
+	*res = result;
+
+	return 0;
+
 free:
 	THREAD_UNLOCK();
 	if (result)
@@ -975,13 +911,13 @@ get_ai(const struct addrinfo *pai, const struct afd *afd, const char *addr)
 	ai->ai_addr->sa_len = afd->a_socklen;
 	ai->ai_addrlen = afd->a_socklen;
 	ai->ai_addr->sa_family = ai->ai_family = afd->a_af;
-	p = (char *)(ai->ai_addr);
+	p = (char *)(void *)(ai->ai_addr);
 #ifdef FAITH
 	if (translate == 1)
-		memcpy(p + afd->a_off, &faith_prefix, afd->a_addrlen);
+		memcpy(p + afd->a_off, &faith_prefix, (size_t)afd->a_addrlen);
 	else
 #endif
-	memcpy(p + afd->a_off, addr, afd->a_addrlen);
+	memcpy(p + afd->a_off, addr, (size_t)afd->a_addrlen);
 
 	return ai;
 }
@@ -1248,6 +1184,7 @@ addr4sort(struct addrinfo *sentinel)
 static const char AskedForGot[] =
 	"gethostby*.getanswer: asked for \"%s\", got \"%s\"";
 #endif
+static FILE *hostf = NULL;
 
 static struct addrinfo *
 getanswer(const querybuf *answer, int anslen, const char *qname, int qtype,
@@ -1457,15 +1394,18 @@ getanswer(const querybuf *answer, int anslen, const char *qname, int qtype,
 
 /*ARGSUSED*/
 static int
-_dns_getaddrinfo(const struct addrinfo *pai, const char *hostname,
-		 struct addrinfo **res)
+_dns_getaddrinfo(void *rv, void *cb_data, va_list ap)
 {
 	struct addrinfo *ai;
 	querybuf *buf, *buf2;
 	const char *name;
+	const struct addrinfo *pai;
 	struct addrinfo sentinel, *cur;
 	struct res_target q, q2;
 
+	name = va_arg(ap, char *);
+	pai = va_arg(ap, const struct addrinfo *);
+
 	memset(&q, 0, sizeof(q2));
 	memset(&q2, 0, sizeof(q2));
 	memset(&sentinel, 0, sizeof(sentinel));
@@ -1514,12 +1454,12 @@ _dns_getaddrinfo(const struct addrinfo *pai, const char *hostname,
 	default:
 		free(buf);
 		free(buf2);
-		return EAI_FAIL;
+		return NS_UNAVAIL;
 	}
-	if (res_searchN(hostname, &q) < 0) {
+	if (res_searchN(name, &q) < 0) {
 		free(buf);
 		free(buf2);
-		return EAI_NODATA;
+		return NS_NOTFOUND;
 	}
 	/* prefer IPv6 */
 	if (q.next) {
@@ -1539,18 +1479,36 @@ _dns_getaddrinfo(const struct addrinfo *pai, const char *hostname,
 	if (sentinel.ai_next == NULL)
 		switch (h_errno) {
 		case HOST_NOT_FOUND:
-			return EAI_NODATA;
+			return NS_NOTFOUND;
 		case TRY_AGAIN:
-			return EAI_AGAIN;
+			return NS_TRYAGAIN;
 		default:
-			return EAI_FAIL;
+			return NS_UNAVAIL;
 		}
-	*res = sentinel.ai_next;
-	return 0;
+	*((struct addrinfo **)rv) = sentinel.ai_next;
+	return NS_SUCCESS;
+}
+
+static void
+_sethtent(void)
+{
+	if (!hostf)
+		hostf = fopen(_PATH_HOSTS, "r" );
+	else
+		rewind(hostf);
+}
+
+static void
+_endhtent(void)
+{
+	if (hostf) {
+		fclose(hostf);
+		hostf = NULL;
+	}
 }
 
 static struct addrinfo *
-_gethtent(FILE *hostf, const char *name, const struct addrinfo *pai)
+_gethtent(const char *name, const struct addrinfo *pai)
 {
 	char *p;
 	char *cp, *tname, *cname;
@@ -1559,6 +1517,8 @@ _gethtent(FILE *hostf, const char *name, const struct addrinfo *pai)
 	const char *addr;
 	char hostbuf[8*1024];
 
+	if (!hostf && !(hostf = fopen(_PATH_HOSTS, "r" )))
+		return (NULL);
 again:
 	if (!(p = fgets(hostbuf, sizeof hostbuf, hostf)))
 		return (NULL);
@@ -1624,97 +1584,173 @@ found:
 
 /*ARGSUSED*/
 static int
-_files_getaddrinfo(const struct addrinfo *pai, const char *hostname,
-		   struct addrinfo **res)
+_files_getaddrinfo(void *rv, void *cb_data, va_list ap)
 {
-	FILE *hostf;
+	const char *name;
+	const struct addrinfo *pai;
 	struct addrinfo sentinel, *cur;
 	struct addrinfo *p;
 
-	sentinel.ai_next = NULL;
+	name = va_arg(ap, char *);
+	pai = va_arg(ap, struct addrinfo *);
+
+	memset(&sentinel, 0, sizeof(sentinel));
 	cur = &sentinel;
 
-	if ((hostf = fopen(_PATH_HOSTS, "r")) == NULL)
-		return EAI_FAIL;
-	while ((p = _gethtent(hostf, hostname, pai)) != NULL) {
+	_sethtent();
+	while ((p = _gethtent(name, pai)) != NULL) {
 		cur->ai_next = p;
 		while (cur && cur->ai_next)
 			cur = cur->ai_next;
 	}
-	fclose(hostf);
-
-	if (!sentinel.ai_next)
-		return EAI_NODATA;
+	_endhtent();
 
-	*res = sentinel.ai_next;
-	return 0;
+	*((struct addrinfo **)rv) = sentinel.ai_next;
+	if (sentinel.ai_next == NULL)
+		return NS_NOTFOUND;
+	return NS_SUCCESS;
 }
 
 #ifdef YP
+static char *__ypdomain;
+
 /*ARGSUSED*/
-static int
-_nis_getaddrinfo(const struct addrinfo *pai, const char *hostname,
-		 struct addrinfo **res)
+static struct addrinfo *
+_yphostent(char *line, const struct addrinfo *pai)
 {
-	struct hostent *hp;
-	int af;
 	struct addrinfo sentinel, *cur;
-	int i;
-	const struct afd *afd;
+	struct addrinfo hints, *res, *res0;
 	int error;
+	char *p = line;
+	const char *addr, *canonname;
+	char *nextline;
+	char *cp;
 
-	sentinel.ai_next = NULL;
+	addr = canonname = NULL;
+
+	memset(&sentinel, 0, sizeof(sentinel));
 	cur = &sentinel;
 
-	af = (pai->ai_family == AF_UNSPEC) ? AF_INET : pai->ai_family;
-	if (af != AF_INET)
-		return (EAI_ADDRFAMILY);
+nextline:
+	/* terminate line */
+	cp = strchr(p, '\n');
+	if (cp) {
+		*cp++ = '\0';
+		nextline = cp;
+	} else
+		nextline = NULL;
 
-	if ((hp = _gethostbynisname(hostname, af)) == NULL) {
-		switch (errno) {
-		/* XXX: should be filled in */
-		default:
-			error = EAI_FAIL;
-			break;
-		}
-	} else if (hp->h_name == NULL ||
-		   hp->h_name[0] == 0 || hp->h_addr_list[0] == NULL) {
-		hp = NULL;
-		error = EAI_FAIL;
+	cp = strpbrk(p, " \t");
+	if (cp == NULL) {
+		if (canonname == NULL)
+			return (NULL);
+		else
+			goto done;
 	}
+	*cp++ = '\0';
 
-	if (hp == NULL)
-		return error;
+	addr = p;
 
-	for (i = 0; hp->h_addr_list[i] != NULL; i++) {
-		if (hp->h_addrtype != af)
+	while (cp && *cp) {
+		if (*cp == ' ' || *cp == '\t') {
+			cp++;
 			continue;
+		}
+		if (!canonname)
+			canonname = cp;
+		if ((cp = strpbrk(cp, " \t")) != NULL)
+			*cp++ = '\0';
+	}
 
-		afd = find_afd(hp->h_addrtype);
-		if (afd == NULL)
-			continue;
+	hints = *pai;
+	hints.ai_flags = AI_NUMERICHOST;
+	error = getaddrinfo(addr, NULL, &hints, &res0);
+	if (error == 0) {
+		for (res = res0; res; res = res->ai_next) {
+			/* cover it up */
+			res->ai_flags = pai->ai_flags;
 
-		GET_AI(cur->ai_next, afd, hp->h_addr_list[i]);
-		if ((pai->ai_flags & AI_CANONNAME) != 0) {
-			/*
-			 * RFC2553 says that ai_canonname will be set only for
-			 * the first element.  we do it for all the elements,
-			 * just for convenience.
-			 */
-			GET_CANONNAME(cur->ai_next, hp->h_name);
+			if (pai->ai_flags & AI_CANONNAME)
+				get_canonname(pai, res, canonname);
 		}
-
+	} else
+		res0 = NULL;
+	if (res0) {
+		cur->ai_next = res0;
 		while (cur && cur->ai_next)
 			cur = cur->ai_next;
 	}
 
-	*res = sentinel.ai_next;
-	return 0;
+	if (nextline) {
+		p = nextline;
+		goto nextline;
+	}
 
-free:
-	if (sentinel.ai_next)
-		freeaddrinfo(sentinel.ai_next);
-	return error;
+done:
+	return sentinel.ai_next;
+}
+
+/*ARGSUSED*/
+static int
+_yp_getaddrinfo(void *rv, void *cb_data, va_list ap)
+{
+	struct addrinfo sentinel, *cur;
+	struct addrinfo *ai = NULL;
+	static char *__ypcurrent;
+	int __ypcurrentlen, r;
+	const char *name;
+	const struct addrinfo *pai;
+
+	name = va_arg(ap, char *);
+	pai = va_arg(ap, const struct addrinfo *);
+
+	memset(&sentinel, 0, sizeof(sentinel));
+	cur = &sentinel;
+
+	if (!__ypdomain) {
+		if (_yp_check(&__ypdomain) == 0)
+			return NS_UNAVAIL;
+	}
+	if (__ypcurrent)
+		free(__ypcurrent);
+	__ypcurrent = NULL;
+
+	/* hosts.byname is only for IPv4 (Solaris8) */
+	if (pai->ai_family == PF_UNSPEC || pai->ai_family == PF_INET) {
+		r = yp_match(__ypdomain, "hosts.byname", name,
+			(int)strlen(name), &__ypcurrent, &__ypcurrentlen);
+		if (r == 0) {
+			struct addrinfo ai4;
+
+			ai4 = *pai;
+			ai4.ai_family = AF_INET;
+			ai = _yphostent(__ypcurrent, &ai4);
+			if (ai) {
+				cur->ai_next = ai;
+				while (cur && cur->ai_next)
+					cur = cur->ai_next;
+			}
+		}
+	}
+
+	/* ipnodes.byname can hold both IPv4/v6 */
+	r = yp_match(__ypdomain, "ipnodes.byname", name,
+		(int)strlen(name), &__ypcurrent, &__ypcurrentlen);
+	if (r == 0) {
+		ai = _yphostent(__ypcurrent, pai);
+		if (ai) {
+			cur->ai_next = ai;
+			while (cur && cur->ai_next)
+				cur = cur->ai_next;
+		}
+	}
+
+	if (sentinel.ai_next == NULL) {
+		h_errno = HOST_NOT_FOUND;
+		return NS_NOTFOUND;
+	}
+	*((struct addrinfo **)rv) = sentinel.ai_next;
+	return NS_SUCCESS;
 }
 #endif
 
@@ -1723,6 +1759,185 @@ free:
 extern const char *__hostalias (const char *);
 extern int h_errno;
 
+
+#ifdef NS_CACHING
+static int
+addrinfo_id_func(char *buffer, size_t *buffer_size, va_list ap,
+    void *cache_mdata)
+{
+	res_state statp;
+	u_long res_options;
+
+	const int op_id = 0;	/* identifies the getaddrinfo for the cache */
+	char *hostname;
+	struct addrinfo *hints;
+
+	char *p;
+	int ai_flags, ai_family, ai_socktype, ai_protocol;
+	size_t desired_size, size;
+
+	statp = __res_state();
+	res_options = statp->options & (RES_RECURSE | RES_DEFNAMES |
+	    RES_DNSRCH | RES_NOALIASES | RES_USE_INET6);
+
+	hostname = va_arg(ap, char *);
+	hints = va_arg(ap, struct addrinfo *);
+
+	desired_size = sizeof(res_options) + sizeof(int) + sizeof(int) * 4;
+	if (hostname != NULL) {
+		size = strlen(hostname);
+		desired_size += size + 1;
+	} else
+		size = 0;
+
+	if (desired_size > *buffer_size) {
+		*buffer_size = desired_size;
+		return (NS_RETURN);
+	}
+
+	if (hints == NULL)
+		ai_flags = ai_family = ai_socktype = ai_protocol = 0;
+	else {
+		ai_flags = hints->ai_flags;
+		ai_family = hints->ai_family;
+		ai_socktype = hints->ai_socktype;
+		ai_protocol = hints->ai_protocol;
+	}
+
+	p = buffer;
+	memcpy(p, &res_options, sizeof(res_options));
+	p += sizeof(res_options);
+
+	memcpy(p, &op_id, sizeof(int));
+	p += sizeof(int);
+
+	memcpy(p, &ai_flags, sizeof(int));
+	p += sizeof(int);
+
+	memcpy(p, &ai_family, sizeof(int));
+	p += sizeof(int);
+
+	memcpy(p, &ai_socktype, sizeof(int));
+	p += sizeof(int);
+
+	memcpy(p, &ai_protocol, sizeof(int));
+	p += sizeof(int);
+
+	if (hostname != NULL)
+		memcpy(p, hostname, size);
+
+	*buffer_size = desired_size;
+	return (NS_SUCCESS);
+}
+
+static int
+addrinfo_marshal_func(char *buffer, size_t *buffer_size, void *retval,
+    va_list ap, void *cache_mdata)
+{
+	struct addrinfo	*ai, *cai;
+	char *p;
+	size_t desired_size, size, ai_size;
+
+	ai = *((struct addrinfo **)retval);
+
+	desired_size = sizeof(size_t);
+	ai_size = 0;
+	for (cai = ai; cai != NULL; cai = cai->ai_next) {
+		desired_size += sizeof(struct addrinfo) + cai->ai_addrlen;
+		if (cai->ai_canonname != NULL)
+			desired_size += sizeof(size_t) +
+			    strlen(cai->ai_canonname);
+		++ai_size;
+	}
+
+	if (desired_size > *buffer_size) {
+		/* this assignment is here for future use */
+		errno = ERANGE;
+		*buffer_size = desired_size;
+		return (NS_RETURN);
+	}
+
+	memset(buffer, 0, desired_size);
+	p = buffer;
+
+	memcpy(p, &ai_size, sizeof(size_t));
+	p += sizeof(size_t);
+	for (cai = ai; cai != NULL; cai = cai->ai_next) {
+		memcpy(p, cai, sizeof(struct addrinfo));
+		p += sizeof(struct addrinfo);
+
+		memcpy(p, cai->ai_addr, cai->ai_addrlen);
+		p += cai->ai_addrlen;
+
+		if (cai->ai_canonname != NULL) {
+			size = strlen(cai->ai_canonname);
+			memcpy(p, &size, sizeof(size_t));
+			p += sizeof(size_t);
+
+			memcpy(p, cai->ai_canonname, size);
+			p += size;
+		}
+	}
+
+	return (NS_SUCCESS);
+}
+
+static int
+addrinfo_unmarshal_func(char *buffer, size_t buffer_size, void *retval,
+    va_list ap, void *cache_mdata)
+{
+	struct addrinfo	new_ai, *result, *sentinel, *lasts;
+
+	char *p;
+	size_t ai_size, ai_i, size;
+
+	p = buffer;
+	memcpy(&ai_size, p, sizeof(size_t));
+	p += sizeof(size_t);
+
+	result = NULL;
+	lasts = NULL;
+	for (ai_i = 0; ai_i < ai_size; ++ai_i) {
+		memcpy(&new_ai, p, sizeof(struct addrinfo));
+		p += sizeof(struct addrinfo);
+		size = new_ai.ai_addrlen + sizeof(struct addrinfo) +
+			_ALIGNBYTES;
+
+		sentinel = (struct addrinfo *)malloc(size);
+		memset(sentinel, 0, size);
+
+		memcpy(sentinel, &new_ai, sizeof(struct addrinfo));
+		sentinel->ai_addr = (struct sockaddr *)_ALIGN((char *)sentinel +
+		    sizeof(struct addrinfo));
+
+		memcpy(sentinel->ai_addr, p, new_ai.ai_addrlen);
+		p += new_ai.ai_addrlen;
+
+		if (new_ai.ai_canonname != NULL) {
+			memcpy(&size, p, sizeof(size_t));
+			p += sizeof(size_t);
+
+			sentinel->ai_canonname = (char *)malloc(size + 1);
+			memset(sentinel->ai_canonname, 0, size + 1);
+
+			memcpy(sentinel->ai_canonname, p, size);
+			p += size;
+		}
+
+		if (result == NULL) {
+			result = sentinel;
+			lasts = sentinel;
+		} else {
+			lasts->ai_next = sentinel;
+			lasts = sentinel;
+		}
+	}
+
+	*((struct addrinfo **)retval) = result;
+	return (NS_SUCCESS);
+}
+#endif /* NS_CACHING */
+
 /*
  * Formulate a normal query, send, and await answer.
  * Returned answer is placed in supplied buffer "answer".
diff --git a/lib/libc/net/gethostbydns.c b/lib/libc/net/gethostbydns.c
index 7c989bb49c..528a2971a6 100644
--- a/lib/libc/net/gethostbydns.c
+++ b/lib/libc/net/gethostbydns.c
@@ -70,6 +70,8 @@
 #include <ctype.h>
 #include <errno.h>
 #include <syslog.h>
+#include <stdarg.h>
+#include <nsswitch.h>
 
 #include "res_config.h"
 
@@ -457,18 +459,22 @@ __dns_getanswer(const char *answer, int anslen, const char *qname, int qtype)
 	return(gethostanswer((const querybuf *)answer, anslen, qname, qtype));
 }
 
-struct hostent *
-_gethostbydnsname(const char *name, int af)
+int
+_dns_gethostbyname(void *rval, void *cb_data, va_list ap)
 {
 	querybuf *buf;
-	const char *cp;
+	const char *cp, *name;
 	char *bp;
-	int n, size, type, len;
+	int af, n, size, type, len;
 	struct hostent *hp;
 
+	name = va_arg(ap, const char *);
+	af = va_arg(ap, int);
+	*(struct hostent **)rval = NULL;
+
 	if ((_res.options & RES_INIT) == 0 && res_init() == -1) {
 		h_errno = NETDB_INTERNAL;
-		return (NULL);
+		return NS_UNAVAIL;
 	}
 
 	switch (af) {
@@ -483,7 +489,7 @@ _gethostbydnsname(const char *name, int af)
 	default:
 		h_errno = NETDB_INTERNAL;
 		errno = EAFNOSUPPORT;
-		return (NULL);
+		return NS_UNAVAIL;
 	}
 
 	host.h_addrtype = af;
@@ -513,7 +519,7 @@ _gethostbydnsname(const char *name, int af)
 				 */
 				if (inet_pton(af, name, host_addr) <= 0) {
 					h_errno = HOST_NOT_FOUND;
-					return (NULL);
+					return NS_NOTFOUND;
 				}
 				strncpy(hostbuf, name, MAXDNAME);
 				hostbuf[MAXDNAME] = '\0';
@@ -528,7 +534,8 @@ _gethostbydnsname(const char *name, int af)
 				if (_res.options & RES_USE_INET6)
 					_map_v4v6_hostent(&host, &bp, &len);
 				h_errno = NETDB_SUCCESS;
-				return (&host);
+				*(struct hostent **)rval = &host;
+				return NS_SUCCESS;
 			}
 			if (!isdigit((unsigned char)*cp) && *cp != '.')
 				break;
@@ -546,7 +553,7 @@ _gethostbydnsname(const char *name, int af)
 				 */
 				if (inet_pton(af, name, host_addr) <= 0) {
 					h_errno = HOST_NOT_FOUND;
-					return (NULL);
+					return NS_NOTFOUND;
 				}
 				strncpy(hostbuf, name, MAXDNAME);
 				hostbuf[MAXDNAME] = '\0';
@@ -559,7 +566,8 @@ _gethostbydnsname(const char *name, int af)
 				h_addr_ptrs[1] = NULL;
 				host.h_addr_list = h_addr_ptrs;
 				h_errno = NETDB_SUCCESS;
-				return (&host);
+				*(struct hostent **)rval = &host;
+				return NS_SUCCESS;
 			}
 			if (!isxdigit((unsigned char)*cp) && *cp != ':' && *cp != '.')
 				break;
@@ -579,17 +587,18 @@ _gethostbydnsname(const char *name, int af)
 		dprintf("static buffer is too small (%d)\n", n);
 		return (NULL);
 	}
-	hp = gethostanswer(buf, n, name, type);
+	*(struct hostent **)rval = gethostanswer(buf, n, name, type);
 	free(buf);
-	return (hp);
+	return (*(struct hostent **)rval != NULL) ? NS_SUCCESS : NS_NOTFOUND;
 }
 
-struct hostent *
-_gethostbydnsaddr(const char *addr,	/* XXX should have been def'd as u_char! */
-		  int len,
-		  int af)
+int
+_dns_gethostbyaddr(void *rval, void *cb_data, va_list ap)
 {
-	const u_char *uaddr = (const u_char *)addr;
+	const char *addr;	/* XXX should have been def'd as u_char! */
+	int len, af;
+
+	const u_char *uaddr;
 	static const u_char mapped[] = { 0,0, 0,0, 0,0, 0,0, 0,0, 0xff,0xff };
 	static const u_char tunnelled[] = { 0,0, 0,0, 0,0, 0,0, 0,0, 0,0 };
 	int n, size;
@@ -602,10 +611,17 @@ _gethostbydnsaddr(const char *addr,	/* XXX should have been def'd as u_char! */
 	u_long old_options;
 	char hname2[MAXDNAME+1];
 #endif /*SUNSECURITY*/
+
+	addr = va_arg(ap, const char *);
+	uaddr = (const u_char *)addr;
+	len = va_arg(ap, int);
+	af = va_arg(ap, int);
+
+	*(struct hostent **)rval = NULL;
 	
 	if ((_res.options & RES_INIT) == 0 && res_init() == -1) {
 		h_errno = NETDB_INTERNAL;
-		return (NULL);
+		return NS_UNAVAIL;
 	}
 	if (af == AF_INET6 && len == IN6ADDRSZ &&
 	    (!bcmp(uaddr, mapped, sizeof mapped) ||
@@ -626,12 +642,12 @@ _gethostbydnsaddr(const char *addr,	/* XXX should have been def'd as u_char! */
 	default:
 		errno = EAFNOSUPPORT;
 		h_errno = NETDB_INTERNAL;
-		return (NULL);
+		return NS_UNAVAIL;
 	}
 	if (size != len) {
 		errno = EINVAL;
 		h_errno = NETDB_INTERNAL;
-		return (NULL);
+		return NS_UNAVAIL;
 	}
 	switch (af) {
 	case AF_INET:
@@ -667,16 +683,16 @@ _gethostbydnsaddr(const char *addr,	/* XXX should have been def'd as u_char! */
 	if (n < 0) {
 		free(buf);
 		dprintf("res_query failed (%d)\n", n);
-		return (NULL);
+		return NS_UNAVAIL;
 	}
 	if (n > sizeof buf->buf) {
 		free(buf);
 		dprintf("static buffer is too small (%d)\n", n);
-		return (NULL);
+		return NS_UNAVAIL;
 	}
 	if (!(hp = gethostanswer(buf, n, qbuf, T_PTR))) {
 		free(buf);
-		return (NULL);	/* h_errno was set by gethostanswer() */
+		return NS_NOTFOUND;	/* h_errno was set by gethostanswer() */
 	}
 	free(buf);
 #ifdef SUNSECURITY
@@ -696,7 +712,7 @@ _gethostbydnsaddr(const char *addr,	/* XXX should have been def'd as u_char! */
 		       hname2, inet_ntoa(*((struct in_addr *)addr)));
 		_res.options = old_options;
 		h_errno = HOST_NOT_FOUND;
-		return (NULL);
+		return NS_NOTFOUND;
 	    }
 	    _res.options = old_options;
 	    for (haddr = rhp->h_addr_list; *haddr; haddr++)
@@ -707,7 +723,7 @@ _gethostbydnsaddr(const char *addr,	/* XXX should have been def'd as u_char! */
 		       "gethostbyaddr: A record of %s != PTR record [%s]",
 		       hname2, inet_ntoa(*((struct in_addr *)addr)));
 		h_errno = HOST_NOT_FOUND;
-		return (NULL);
+		return NS_NOTFOUND;
 	    }
 	}
 #endif /*SUNSECURITY*/
@@ -722,7 +738,8 @@ _gethostbydnsaddr(const char *addr,	/* XXX should have been def'd as u_char! */
 		hp->h_length = IN6ADDRSZ;
 	}
 	h_errno = NETDB_SUCCESS;
-	return (hp);
+	*(struct hostent **)rval = hp;
+	return (hp != NULL) ? NS_SUCCESS : NS_NOTFOUND;
 }
 
 #ifdef RESOLVSORT
diff --git a/lib/libc/net/gethostbyht.c b/lib/libc/net/gethostbyht.c
index 68319526e7..f87c568bf8 100644
--- a/lib/libc/net/gethostbyht.c
+++ b/lib/libc/net/gethostbyht.c
@@ -59,6 +59,8 @@
 #include <stdio.h>
 #include <ctype.h>
 #include <string.h>
+#include <stdarg.h>
+#include <nsswitch.h>
 #include <arpa/nameser.h>	/* XXX */
 #include <resolv.h>		/* XXX */
 
@@ -156,12 +158,17 @@ gethostent(void)
 	return (&host);
 }
 
-struct hostent *
-_gethostbyhtname(const char *name, int af)
+int
+_ht_gethostbyname(void *rval, void *cb_data, va_list ap)
 {
+	const char *name;
+	int af;
 	struct hostent *p;
 	char **cp;
-	
+
+	name = va_arg(ap, const char *);
+	af = va_arg(ap, int);
+
 	sethostent(0);
 	while ((p = gethostent()) != NULL) {
 		if (p->h_addrtype != af)
@@ -174,18 +181,28 @@ _gethostbyhtname(const char *name, int af)
 	}
 found:
 	endhostent();
-	return (p);
+	*(struct hostent **)rval = p;
+
+	return (p != NULL) ? NS_SUCCESS : NS_NOTFOUND;
 }
 
-struct hostent *
-_gethostbyhtaddr(const char *addr, int len, int af)
+int
+_ht_gethostbyaddr(void *rval, void *cb_data, va_list ap)
 {
+	const char *addr;
+	int len, af;
 	struct hostent *p;
 
+	addr = va_arg(ap, const char *);
+	len = va_arg(ap, int);
+	af = va_arg(ap, int);
+
 	sethostent(0);
 	while ((p = gethostent()) != NULL)
 		if (p->h_addrtype == af && !bcmp(p->h_addr, addr, len))
 			break;
 	endhostent();
-	return (p);
+
+	*(struct hostent **)rval = p;
+	return (p != NULL) ? NS_SUCCESS : NS_NOTFOUND;
 }
diff --git a/lib/libc/net/gethostbyname.3 b/lib/libc/net/gethostbyname.3
index 64e25d035f..93d764d059 100644
--- a/lib/libc/net/gethostbyname.3
+++ b/lib/libc/net/gethostbyname.3
@@ -79,10 +79,15 @@ following structure describing an internet host
 referenced by name or by address, respectively.
 This structure contains either the information obtained from the name server,
 .Xr named 8 ,
-or broken-out fields from a line in
-.Pa /etc/hosts .
-If the local name server is not running these routines do a lookup in
-.Pa /etc/hosts .
+broken-out fields from a line in
+.Pa /etc/hosts ,
+or database entries supplied by the
+.Xr yp 4
+system.
+The order of the lookups is controlled by the
+.Sq hosts
+entry in
+.Xr nsswitch.conf 5 .
 .Bd -literal
 struct	hostent {
 	char	*h_name;	/* official name of host */
@@ -195,9 +200,9 @@ value of the
 .Fa err
 parameter.
 .Sh FILES
-.Bl -tag -width /etc/resolv.conf -compact
+.Bl -tag -width /etc/nsswitch.conf -compact
 .It Pa /etc/hosts
-.It Pa /etc/host.conf
+.It Pa /etc/nsswitch.conf
 .It Pa /etc/resolv.conf
 .El
 .Sh DIAGNOSTICS
diff --git a/lib/libc/net/gethostbynis.c b/lib/libc/net/gethostbynis.c
index 67a4f1df02..59d3247375 100644
--- a/lib/libc/net/gethostbynis.c
+++ b/lib/libc/net/gethostbynis.c
@@ -22,7 +22,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * $FreeBSD: src/lib/libc/net/gethostbynis.c,v 1.10.2.1 2000/10/01 16:39:47 nectar Exp $
+ * $FreeBSD: src/lib/libc/net/gethostbynis.c,v 1.16 2003/01/05 14:05:24 fenner Exp $
  * $DragonFly: src/lib/libc/net/gethostbynis.c,v 1.4 2005/11/13 02:04:47 swildner Exp $
  */
 
@@ -37,6 +37,8 @@
 #include <ctype.h>
 #include <errno.h>
 #include <string.h>
+#include <stdarg.h>
+#include <nsswitch.h>
 #ifdef YP
 #include <rpc/rpc.h>
 #include <rpcsvc/yp_prot.h>
@@ -52,18 +54,17 @@ extern int h_errno;
 static char *host_aliases[MAXALIASES];
 static char hostaddr[MAXADDRS];
 static char *host_addrs[2];
-#endif /* YP */
 
 static struct hostent *
 _gethostbynis(const char *name, char *map, int af)
 {
-#ifdef YP
 	char *cp, **q;
 	char *result;
 	int resultlen,size;
 	static struct hostent h;
 	static char *domain = (char *)NULL;
 	static char ypbuf[YPMAXRECORD + 2];
+	in_addr_t addr;
 
 	switch(af) {
 	case AF_INET:
@@ -101,7 +102,8 @@ _gethostbynis(const char *name, char *map, int af)
 	*cp++ = '\0';
 	h.h_addr_list = host_addrs;
 	h.h_addr = hostaddr;
-	*((u_long *)h.h_addr) = inet_addr(result);
+	addr = inet_addr(result);
+	bcopy((char *)&addr, h.h_addr, size);
 	h.h_length = size;
 	h.h_addrtype = AF_INET;
 	while (*cp == ' ' || *cp == '\t')
@@ -124,19 +126,64 @@ _gethostbynis(const char *name, char *map, int af)
 	}
 	*q = NULL;
 	return (&h);
-#else
-	return (NULL);
-#endif /* YP */
 }
+#endif /* YP */
 
+/* XXX _gethostbynisname/_gethostbynisaddr only used by getaddrinfo */
 struct hostent *
 _gethostbynisname(const char *name, int af)
 {
+#ifdef YP
 	return _gethostbynis(name, "hosts.byname", af);
+#else
+	return NULL;
+#endif
 }
 
 struct hostent *
 _gethostbynisaddr(const char *addr, int len, int af)
 {
-	return _gethostbynis(inet_ntoa(*(struct in_addr *)addr),"hosts.byaddr", af);
+#ifdef YP
+	return _gethostbynis(inet_ntoa(*(struct in_addr *)addr),
+			     "hosts.byaddr", af);
+#else
+	return NULL;
+#endif
+}
+
+
+int
+_nis_gethostbyname(void *rval, void *cb_data, va_list ap)
+{
+#ifdef YP
+	const char *name;
+	int af;
+
+	name = va_arg(ap, const char *);
+	af = va_arg(ap, int);
+
+	*(struct hostent **)rval = _gethostbynis(name, "hosts.byname", af);
+	return (*(struct hostent **)rval != NULL) ? NS_SUCCESS : NS_NOTFOUND;
+#else
+	return NS_UNAVAIL;
+#endif
+}
+
+int
+_nis_gethostbyaddr(void *rval, void *cb_data, va_list ap)
+{
+#ifdef YP
+	const char *addr;
+	int len;
+	int af;
+
+	addr = va_arg(ap, const char *);
+	len = va_arg(ap, int);
+	af = va_arg(ap, int);
+
+	*(struct hostent **)rval =_gethostbynis(inet_ntoa(*(struct in_addr *)addr),"hosts.byaddr", af);
+	return (*(struct hostent **)rval != NULL) ? NS_SUCCESS : NS_NOTFOUND;
+#else
+	return NS_UNAVAIL;
+#endif
 }
diff --git a/lib/libc/net/gethostnamadr.c b/lib/libc/net/gethostnamadr.c
index b1892db1ec..ae4060e10b 100644
--- a/lib/libc/net/gethostnamadr.c
+++ b/lib/libc/net/gethostnamadr.c
@@ -34,86 +34,32 @@
 #include <stdio.h>
 #include <ctype.h>
 #include <string.h>
+#include <stdarg.h>
+#include <nsswitch.h>
 #include <arpa/nameser.h>		/* XXX hack for _res */
 #include <resolv.h>			/* XXX hack for _res */
+#ifdef NS_CACHING
+#include "nscache.h"
+#endif
 
-#define _PATH_HOSTCONF	"/etc/host.conf"
-
-enum service_type {
-  SERVICE_NONE = 0,
-  SERVICE_BIND,
-  SERVICE_HOSTS,
-  SERVICE_NIS };
-#define SERVICE_MAX	SERVICE_NIS
-
-static struct {
-  const char *name;
-  enum service_type type;
-} service_names[] = {
-  { "hosts", SERVICE_HOSTS },
-  { "/etc/hosts", SERVICE_HOSTS },
-  { "hosttable", SERVICE_HOSTS },
-  { "htable", SERVICE_HOSTS },
-  { "bind", SERVICE_BIND },
-  { "dns", SERVICE_BIND },
-  { "domain", SERVICE_BIND },
-  { "yp", SERVICE_NIS },
-  { "yellowpages", SERVICE_NIS },
-  { "nis", SERVICE_NIS },
-  { 0, SERVICE_NONE }
-};
-
-static enum service_type service_order[SERVICE_MAX + 1];
-static int service_done = 0;
-
-static enum service_type
-get_service_name(const char *name) {
-	int i;
-	for(i = 0; service_names[i].type != SERVICE_NONE; i++) {
-		if(!strcasecmp(name, service_names[i].name)) {
-			return service_names[i].type;
-		}
-	}
-	return SERVICE_NONE;
-}
+extern int _ht_gethostbyname(void *, void *, va_list);
+extern int _dns_gethostbyname(void *, void *, va_list);
+extern int _nis_gethostbyname(void *, void *, va_list);
+extern int _ht_gethostbyaddr(void *, void *, va_list);
+extern int _dns_gethostbyaddr(void *, void *, va_list);
+extern int _nis_gethostbyaddr(void *, void *, va_list);
 
-static void
-init_services(void)
-{
-	char *cp, *p, buf[BUFSIZ];
-	int cc = 0;
-	FILE *fd;
-
-	if ((fd = (FILE *)fopen(_PATH_HOSTCONF, "r")) == NULL) {
-				/* make some assumptions */
-		service_order[0] = SERVICE_BIND;
-		service_order[1] = SERVICE_HOSTS;
-		service_order[2] = SERVICE_NONE;
-	} else {
-		while (fgets(buf, BUFSIZ, fd) != NULL && cc < SERVICE_MAX) {
-			if(buf[0] == '#')
-				continue;
-
-			p = buf;
-			while ((cp = strsep(&p, "\n \t,:;")) != NULL && *cp == '\0')
-				;
-			if (cp == NULL)
-				continue;
-			do {
-				if (isalpha((unsigned char)cp[0])) {
-					service_order[cc] = get_service_name(cp);
-					if(service_order[cc] != SERVICE_NONE)
-						cc++;
-				}
-				while ((cp = strsep(&p, "\n \t,:;")) != NULL && *cp == '\0')
-					;
-			} while(cp != NULL && cc < SERVICE_MAX);
-		}
-		service_order[cc] = SERVICE_NONE;
-		fclose(fd);
-	}
-	service_done = 1;
-}
+/* Host lookup order if nsswitch.conf is broken or nonexistant */
+static const ns_src default_src[] = {
+	{ NSSRC_FILES, NS_SUCCESS },
+	{ NSSRC_DNS, NS_SUCCESS },
+	{ 0 }
+};
+#ifdef NS_CACHING
+static int host_id_func(char *, size_t *, va_list, void *);
+static int host_marshal_func(char *, size_t *, void *, va_list, void *);
+static int host_unmarshal_func(char *, size_t, void *, va_list, void *);
+#endif
 
 struct hostent *
 gethostbyname(const char *name)
@@ -136,57 +82,331 @@ struct hostent *
 gethostbyname2(const char *name, int type)
 {
 	struct hostent *hp = 0;
-	int nserv = 0;
-
-	if (!service_done)
-		init_services();
-
-	while (!hp) {
-		switch (service_order[nserv]) {
-		      case SERVICE_NONE:
-			return NULL;
-		      case SERVICE_HOSTS:
-			hp = _gethostbyhtname(name, type);
-			break;
-		      case SERVICE_BIND:
-			hp = _gethostbydnsname(name, type);
-			break;
-		      case SERVICE_NIS:
-			hp = _gethostbynisname(name, type);
-			break;
-		}
-		nserv++;
-	}
-	return hp;
+	int rval;
+
+#ifdef NS_CACHING
+	static const nss_cache_info cache_info =
+		NS_COMMON_CACHE_INFO_INITIALIZER(
+		hosts, (void *)nss_lt_name,
+		host_id_func, host_marshal_func, host_unmarshal_func);
+#endif
+	static const ns_dtab dtab[] = {
+		NS_FILES_CB(_ht_gethostbyname, NULL)
+		{ NSSRC_DNS, _dns_gethostbyname, NULL },
+		NS_NIS_CB(_nis_gethostbyname, NULL) /* force -DHESIOD */
+#ifdef NS_CACHING
+		NS_CACHE_CB(&cache_info)
+#endif
+		{ 0 }
+	};
+
+	rval = nsdispatch((void *)&hp, dtab, NSDB_HOSTS, "gethostbyname",
+			  default_src, name, type);
+
+	if (rval != NS_SUCCESS)
+		return NULL;
+	else
+		return hp;
 }
 
 struct hostent *
 gethostbyaddr(const void *addr, socklen_t len, int type)
 {
 	struct hostent *hp = 0;
-	int nserv = 0;
-
-	if (!service_done)
-		init_services();
-
-	while (!hp) {
-		switch (service_order[nserv]) {
-		      case SERVICE_NONE:
-			return 0;
-		      case SERVICE_HOSTS:
-			hp = _gethostbyhtaddr(addr, len, type);
-			break;
-		      case SERVICE_BIND:
-			hp = _gethostbydnsaddr(addr, len, type);
-			break;
-		      case SERVICE_NIS:
-			hp = _gethostbynisaddr(addr, len, type);
-			break;
+	int rval;
+
+#ifdef NS_CACHING
+	static const nss_cache_info cache_info =
+		NS_COMMON_CACHE_INFO_INITIALIZER(
+		hosts, (void *)nss_lt_id,
+		host_id_func, host_marshal_func, host_unmarshal_func);
+#endif
+	static const ns_dtab dtab[] = {
+		NS_FILES_CB(_ht_gethostbyaddr, NULL)
+		{ NSSRC_DNS, _dns_gethostbyaddr, NULL },
+		NS_NIS_CB(_nis_gethostbyaddr, NULL) /* force -DHESIOD */
+#ifdef NS_CACHING
+		NS_CACHE_CB(&cache_info)
+#endif
+		{ 0 }
+	};
+
+	rval = nsdispatch((void *)&hp, dtab, NSDB_HOSTS, "gethostbyaddr",
+			  default_src, addr, len, type);
+
+	if (rval != NS_SUCCESS)
+		return NULL;
+	else
+		return hp;
+}
+
+#ifdef NS_CACHING
+static int
+host_id_func(char *buffer, size_t *buffer_size, va_list ap, void *cache_mdata)
+{
+	res_state statp;
+	u_long res_options;
+
+	const int op_id = 1;
+	char *str;
+	int len, type;
+
+	size_t desired_size, size;
+	enum nss_lookup_type lookup_type;
+	char *p;
+	int res = NS_UNAVAIL;
+
+	statp = __res_state();
+	res_options = statp->options & (RES_RECURSE | RES_DEFNAMES |
+	    RES_DNSRCH | RES_NOALIASES | RES_USE_INET6);
+
+	lookup_type = (enum nss_lookup_type)cache_mdata;
+	switch (lookup_type) {
+	case nss_lt_name:
+		str = va_arg(ap, char *);
+		type = va_arg(ap, int);
+
+		size = strlen(str);
+		desired_size = sizeof(res_options) + sizeof(int) +
+		    sizeof(enum nss_lookup_type) + sizeof(int) + size + 1;
+
+		if (desired_size > *buffer_size) {
+			res = NS_RETURN;
+			goto fin;
+		}
+
+		p = buffer;
+
+		memcpy(p, &res_options, sizeof(res_options));
+		p += sizeof(res_options);
+
+		memcpy(p, &op_id, sizeof(int));
+		p += sizeof(int);
+
+		memcpy(p, &lookup_type, sizeof(enum nss_lookup_type));
+		p += sizeof(int);
+
+		memcpy(p, &type, sizeof(int));
+		p += sizeof(int);
+
+		memcpy(p, str, size + 1);
+
+		res = NS_SUCCESS;
+		break;
+	case nss_lt_id:
+		str = va_arg(ap, char *);
+		len = va_arg(ap, int);
+		type = va_arg(ap, int);
+
+		desired_size = sizeof(res_options) + sizeof(int) +
+		    sizeof(enum nss_lookup_type) + sizeof(int) * 2 + len;
+
+		if (desired_size > *buffer_size) {
+			res = NS_RETURN;
+			goto fin;
+		}
+
+		p = buffer;
+		memcpy(p, &res_options, sizeof(res_options));
+		p += sizeof(res_options);
+
+		memcpy(p, &op_id, sizeof(int));
+		p += sizeof(int);
+
+		memcpy(p, &lookup_type, sizeof(enum nss_lookup_type));
+		p += sizeof(int);
+
+		memcpy(p, &type, sizeof(int));
+		p += sizeof(int);
+
+		memcpy(p, &len, sizeof(int));
+		p += sizeof(int);
+
+		memcpy(p, str, len);
+
+		res = NS_SUCCESS;
+		break;
+	default:
+		/* should be unreachable */
+		return (NS_UNAVAIL);
+	}
+
+fin:
+	*buffer_size = desired_size;
+	return (res);
+}
+
+static int
+host_marshal_func(char *buffer, size_t *buffer_size, void *retval, va_list ap,
+    void *cache_mdata)
+{
+	char *str;
+	int len, type;
+	struct hostent *ht;
+
+	struct hostent new_ht;
+	size_t desired_size, aliases_size, addr_size, size;
+	char *p, **iter;
+
+	switch ((enum nss_lookup_type)cache_mdata) {
+	case nss_lt_name:
+		str = va_arg(ap, char *);
+		type = va_arg(ap, int);
+		break;
+	case nss_lt_id:
+		str = va_arg(ap, char *);
+		len = va_arg(ap, int);
+		type = va_arg(ap, int);
+		break;
+	default:
+		/* should be unreachable */
+		return (NS_UNAVAIL);
+	}
+	ht = va_arg(ap, struct hostent *);
+
+	desired_size = _ALIGNBYTES + sizeof(struct hostent) + sizeof(char *);
+	if (ht->h_name != NULL)
+		desired_size += strlen(ht->h_name) + 1;
+
+	if (ht->h_aliases != NULL) {
+		aliases_size = 0;
+		for (iter = ht->h_aliases; *iter; ++iter) {
+			desired_size += strlen(*iter) + 1;
+			++aliases_size;
+		}
+
+		desired_size += _ALIGNBYTES +
+		    (aliases_size + 1) * sizeof(char *);
+	}
+
+	if (ht->h_addr_list != NULL) {
+		addr_size = 0;
+		for (iter = ht->h_addr_list; *iter; ++iter)
+			++addr_size;
+
+		desired_size += addr_size * _ALIGN(ht->h_length);
+		desired_size += _ALIGNBYTES + (addr_size + 1) * sizeof(char *);
+	}
+
+	if (desired_size > *buffer_size) {
+		/* this assignment is here for future use */
+		*buffer_size = desired_size;
+		return (NS_RETURN);
+	}
+
+	memcpy(&new_ht, ht, sizeof(struct hostent));
+	memset(buffer, 0, desired_size);
+
+	*buffer_size = desired_size;
+	p = buffer + sizeof(struct hostent) + sizeof(char *);
+	memcpy(buffer + sizeof(struct hostent), &p, sizeof(char *));
+	p = (char *)_ALIGN(p);
+
+	if (new_ht.h_name != NULL) {
+		size = strlen(new_ht.h_name);
+		memcpy(p, new_ht.h_name, size);
+		new_ht.h_name = p;
+		p += size + 1;
+	}
+
+	if (new_ht.h_aliases != NULL) {
+		p = (char *)_ALIGN(p);
+		memcpy(p, new_ht.h_aliases, sizeof(char *) * aliases_size);
+		new_ht.h_aliases = (char **)p;
+		p += sizeof(char *) * (aliases_size + 1);
+
+		for (iter = new_ht.h_aliases; *iter; ++iter) {
+			size = strlen(*iter);
+			memcpy(p, *iter, size);
+			*iter = p;
+			p += size + 1;
+		}
+	}
+
+	if (new_ht.h_addr_list != NULL) {
+		p = (char *)_ALIGN(p);
+		memcpy(p, new_ht.h_addr_list, sizeof(char *) * addr_size);
+		new_ht.h_addr_list = (char **)p;
+		p += sizeof(char *) * (addr_size + 1);
+
+		size = _ALIGN(new_ht.h_length);
+		for (iter = new_ht.h_addr_list; *iter; ++iter) {
+			memcpy(p, *iter, size);
+			*iter = p;
+			p += size + 1;
 		}
-		nserv++;
 	}
-	return hp;
+	memcpy(buffer, &new_ht, sizeof(struct hostent));
+	return (NS_SUCCESS);
+}
+
+static int
+host_unmarshal_func(char *buffer, size_t buffer_size, void *retval, va_list ap,
+    void *cache_mdata)
+{
+	char *str;
+	int len, type;
+	struct hostent *ht;
+
+	char *p;
+	char **iter;
+	char *orig_buf;
+	size_t orig_buf_size;
+
+	switch ((enum nss_lookup_type)cache_mdata) {
+	case nss_lt_name:
+		str = va_arg(ap, char *);
+		type = va_arg(ap, int);
+		break;
+	case nss_lt_id:
+		str = va_arg(ap, char *);
+		len = va_arg(ap, int);
+		type = va_arg(ap, int);
+		break;
+	default:
+		/* should be unreachable */
+		return (NS_UNAVAIL);
+	}
+
+	ht = va_arg(ap, struct hostent *);
+	orig_buf = va_arg(ap, char *);
+	orig_buf_size = va_arg(ap, size_t);
+
+	if (orig_buf_size <
+	    buffer_size - sizeof(struct hostent) - sizeof(char *)) {
+		errno = ERANGE;
+		return (NS_RETURN);
+	}
+
+	memcpy(ht, buffer, sizeof(struct hostent));
+	memcpy(&p, buffer + sizeof(struct hostent), sizeof(char *));
+
+	orig_buf = (char *)_ALIGN(orig_buf);
+	memcpy(orig_buf, buffer + sizeof(struct hostent) + sizeof(char *) +
+	    _ALIGN(p) - (size_t)p,
+	    buffer_size - sizeof(struct hostent) - sizeof(char *) -
+	    _ALIGN(p) + (size_t)p);
+	p = (char *)_ALIGN(p);
+
+	NS_APPLY_OFFSET(ht->h_name, orig_buf, p, char *);
+	if (ht->h_aliases != NULL) {
+		NS_APPLY_OFFSET(ht->h_aliases, orig_buf, p, char **);
+
+		for (iter = ht->h_aliases; *iter; ++iter)
+			NS_APPLY_OFFSET(*iter, orig_buf, p, char *);
+	}
+
+	if (ht->h_addr_list != NULL) {
+		NS_APPLY_OFFSET(ht->h_addr_list, orig_buf, p, char **);
+
+		for (iter = ht->h_addr_list; *iter; ++iter)
+			NS_APPLY_OFFSET(*iter, orig_buf, p, char *);
+	}
+
+	*((struct hostent **)retval) = ht;
+	return (NS_SUCCESS);
 }
+#endif /* NS_CACHING */
 
 void
 sethostent(int stayopen)
diff --git a/lib/libc/net/getipnodebyname.3 b/lib/libc/net/getipnodebyname.3
index 54ff771cb2..c8fbbba86b 100644
--- a/lib/libc/net/getipnodebyname.3
+++ b/lib/libc/net/getipnodebyname.3
@@ -394,9 +394,9 @@ or
 .Fn getipnodebyaddr .
 .\"
 .Sh FILES
-.Bl -tag -width /etc/resolv.conf -compact
+.Bl -tag -width /etc/nsswitch.conf -compact
 .It Pa /etc/hosts
-.It Pa /etc/host.conf
+.It Pa /etc/nsswitch.conf
 .It Pa /etc/resolv.conf
 .El
 .\"
@@ -418,6 +418,7 @@ The meanings of each error code are described in
 .Xr gethostbyaddr 3 ,
 .Xr gethostbyname 3 ,
 .Xr hosts 5 ,
+.Xr nsswitch.conf 5 ,
 .Xr services 5 ,
 .Xr hostname 7 ,
 .Xr named 8
diff --git a/lib/libc/net/getnetbydns.c b/lib/libc/net/getnetbydns.c
index 7ba9405b34..b238414553 100644
--- a/lib/libc/net/getnetbydns.c
+++ b/lib/libc/net/getnetbydns.c
@@ -72,6 +72,8 @@
 #include <string.h>
 #include <unistd.h>
 #include <syslog.h>
+#include <stdarg.h>
+#include <nsswitch.h>
 
 #include "res_config.h"
 
@@ -207,18 +209,23 @@ static	char *net_aliases[MAXALIASES], netbuf[PACKETSZ];
 	return (NULL);
 }
 
-struct netent *
-_getnetbydnsaddr(unsigned long net, int net_type)
+int
+_dns_getnetbyaddr(void *rval, void *cb_data, va_list ap)
 {
 	unsigned int netbr[4];
-	int nn, anslen;
+	int nn, anslen, net_type;
 	querybuf *buf;
 	char qbuf[MAXDNAME];
-	unsigned long net2;
+	unsigned long net, net2;
 	struct netent *net_entry;
 
+	net = va_arg(ap, unsigned long);
+	net_type = va_arg(ap, int);
+
+	*(struct netent **)rval = NULL;
+
 	if (net_type != AF_INET)
-		return (NULL);
+		return NS_UNAVAIL;
 
 	for (nn = 4, net2 = net; net2; net2 >>= 8)
 		netbr[--nn] = net2 & 0xff;
@@ -240,7 +247,7 @@ _getnetbydnsaddr(unsigned long net, int net_type)
 	}
 	if ((buf = malloc(sizeof(*buf))) == NULL) {
 		h_errno = NETDB_INTERNAL;
-		return (NULL);
+		return NS_NOTFOUND;
 	}
 	anslen = res_query(qbuf, C_IN, T_PTR, (u_char *)buf, sizeof(*buf));
 	if (anslen < 0) {
@@ -249,14 +256,14 @@ _getnetbydnsaddr(unsigned long net, int net_type)
 		if (_res.options & RES_DEBUG)
 			printf("res_search failed\n");
 #endif
-		return (NULL);
+		return NS_UNAVAIL;
 	} else if (anslen > sizeof(*buf)) {
 		free(buf);
 #ifdef DEBUG
 		if (_res.options & RES_DEBUG)
 			printf("res_search static buffer too small\n");
 #endif
-		return (NULL);
+		return NS_UNAVAIL;
 	}
 	net_entry = getnetanswer(buf, anslen, BYADDR);
 	free(buf);
@@ -267,26 +274,32 @@ _getnetbydnsaddr(unsigned long net, int net_type)
 		while ((u_net & 0xff) == 0 && u_net != 0)
 			u_net >>= 8;
 		net_entry->n_net = u_net;
-		return (net_entry);
+		*(struct netent **)rval = net_entry;
+		return NS_SUCCESS;
 	}
-	return (NULL);
+	return NS_NOTFOUND;
 }
 
-struct netent *
-_getnetbydnsname(const char *net)
+int
+_dns_getnetbyname(void *rval, void *cb_data, va_list ap)
 {
+	const char *net;
 	int anslen;
 	querybuf *buf;
 	char qbuf[MAXDNAME];
 	struct netent *net_entry;
 
+	net = va_arg(ap, const char *);
+
+	*(struct netent**)rval = NULL;
+
 	if ((_res.options & RES_INIT) == 0 && res_init() == -1) {
 		h_errno = NETDB_INTERNAL;
-		return (NULL);
+		return NS_UNAVAIL;
 	}
 	if ((buf = malloc(sizeof(*buf))) == NULL) {
 		h_errno = NETDB_INTERNAL;
-		return (NULL);
+		return NS_NOTFOUND;
 	}
 	strncpy(qbuf, net, sizeof(qbuf) - 1);
 	qbuf[sizeof(qbuf) - 1] = '\0';
@@ -297,18 +310,18 @@ _getnetbydnsname(const char *net)
 		if (_res.options & RES_DEBUG)
 			printf("res_search failed\n");
 #endif
-		return (NULL);
+		return NS_UNAVAIL;
 	} else if (anslen > sizeof(*buf)) {
 		free(buf);
 #ifdef DEBUG
 		if (_res.options & RES_DEBUG)
 			printf("res_search static buffer too small\n");
 #endif
-		return (NULL);
+		return NS_UNAVAIL;
 	}
-	net_entry = getnetanswer(buf, anslen, BYNAME);
+	*(struct netent**)rval = getnetanswer(buf, anslen, BYNAME);
 	free(buf);
-	return net_entry;
+	return (*(struct netent**)rval != NULL) ? NS_SUCCESS : NS_NOTFOUND;
 }
 
 void
diff --git a/lib/libc/net/getnetbyht.c b/lib/libc/net/getnetbyht.c
index c45d2a5baa..0e5f26e597 100644
--- a/lib/libc/net/getnetbyht.c
+++ b/lib/libc/net/getnetbyht.c
@@ -49,6 +49,8 @@
 #include <netdb.h>
 #include <stdio.h>
 #include <string.h>
+#include <stdarg.h>
+#include <nsswitch.h>
 
 #define	MAXALIASES	35
 
@@ -128,12 +130,15 @@ again:
 	return (&net);
 }
 
-struct netent *
-_getnetbyhtname(const char *name)
+int
+_ht_getnetbyname(void *rval, void *cb_data, va_list ap)
 {
+	const char *name;
 	struct netent *p;
 	char **cp;
 
+	name = va_arg(ap, const char *);
+
 	setnetent(_net_stayopen);
 	while ( (p = getnetent()) ) {
 		if (strcasecmp(p->n_name, name) == 0)
@@ -145,19 +150,26 @@ _getnetbyhtname(const char *name)
 found:
 	if (!_net_stayopen)
 		endnetent();
-	return (p);
+	*(struct netent **)rval = p;
+	return (p != NULL) ? NS_SUCCESS : NS_NOTFOUND;
 }
 
-struct netent *
-_getnetbyhtaddr(unsigned long net, int type)
+int
+_ht_getnetbyaddr(void *rval, void *cb_data, va_list ap)
 {
+	unsigned long net;
+	int type;
 	struct netent *p;
 
+	net = va_arg(ap, unsigned long);
+	type = va_arg(ap, int);
+
 	setnetent(_net_stayopen);
 	while ( (p = getnetent()) )
 		if (p->n_addrtype == type && p->n_net == net)
 			break;
 	if (!_net_stayopen)
 		endnetent();
-	return (p);
+	*(struct netent **)rval = p;
+	return (p != NULL) ? NS_SUCCESS : NS_NOTFOUND;
 }
diff --git a/lib/libc/net/getnetbynis.c b/lib/libc/net/getnetbynis.c
index 81dbe605d3..e7009ee015 100644
--- a/lib/libc/net/getnetbynis.c
+++ b/lib/libc/net/getnetbynis.c
@@ -36,6 +36,8 @@
 #include <ctype.h>
 #include <errno.h>
 #include <string.h>
+#include <stdarg.h>
+#include <nsswitch.h>
 #include <arpa/nameser.h>
 #ifdef YP
 #include <rpc/rpc.h>
@@ -48,17 +50,15 @@
 
 #ifdef YP
 static char *host_aliases[MAXALIASES];
-#endif /* YP */
 
 static struct netent *
 _getnetbynis(const char *name, char *map, int af)
 {
-#ifdef YP
 	char *cp, **q;
 	static char *result;
 	int resultlen;
 	static struct netent h;
-	static char *domain = (char *)NULL;
+	static char *domain = NULL;
 	static char ypbuf[YPMAXRECORD + 2];
 
 	switch(af) {
@@ -70,7 +70,7 @@ _getnetbynis(const char *name, char *map, int af)
 		return NULL;
 	}
 
-	if (domain == (char *)NULL)
+	if (domain == NULL)
 		if (yp_get_default_domain (&domain))
 			return (NULL);
 
@@ -112,29 +112,43 @@ _getnetbynis(const char *name, char *map, int af)
 	}
 	*q = NULL;
 	return (&h);
-#else
-	return (NULL);
-#endif
 }
+#endif /* YP */
 
-struct netent *
-_getnetbynisname(const char *name)
+int
+_nis_getnetbyname(void *rval, void *cb_data, va_list ap)
 {
-	return _getnetbynis(name, "networks.byname", AF_INET);
+#ifdef YP
+	const char *name;
+
+	name = va_arg(ap, const char *);
+
+	*(struct netent **)rval = _getnetbynis(name, "networks.byname", AF_INET);
+	return (*(struct netent **)rval != NULL) ? NS_SUCCESS : NS_NOTFOUND;
+#else
+	return NS_UNAVAIL;
+#endif
+
 }
 
-struct netent *
-_getnetbynisaddr(unsigned long addr, int af)
+int
+_nis_getnetbyaddr(void *rval, void *cb_data, va_list ap)
 {
+#ifdef YP
 	char *str, *cp;
-	unsigned long net2;
-	int nn;
+	unsigned long addr, net2;
+	int af, nn;
 	unsigned int netbr[4];
 	char buf[MAXDNAME];
 
+	addr = va_arg(ap, unsigned long);
+	af = va_arg(ap, int);
+
+	*(struct netent **)rval = NULL;
+
 	if (af != AF_INET) {
 		errno = EAFNOSUPPORT;
-		return (NULL);
+		return NS_UNAVAIL;
 	}
 
         for (nn = 4, net2 = addr; net2; net2 >>= 8) {
@@ -165,5 +179,9 @@ _getnetbynisaddr(unsigned long addr, int af)
 		cp = str + (strlen(str) - 2);
 	}
 
-	return _getnetbynis(str, "networks.byaddr", af);
+	*(struct netent **)rval = _getnetbynis(str, "networks.byaddr", af);
+	return (*(struct netent**)rval != NULL) ? NS_SUCCESS : NS_NOTFOUND;
+#else
+	return NS_UNAVAIL;
+#endif /* YP */
 }
diff --git a/lib/libc/net/getnetent.3 b/lib/libc/net/getnetent.3
index 5c4d718021..8ec33a70c6 100644
--- a/lib/libc/net/getnetent.3
+++ b/lib/libc/net/getnetent.3
@@ -65,10 +65,18 @@ and
 .Fn getnetbyaddr
 functions
 each return a pointer to an object with the
-following structure
-containing the broken-out
-fields of a line in the network data base,
-.Pa /etc/networks .
+following structure describing an internet network.
+This structure contains either the information obtained
+from the nameserver,
+.Xr named 8 ,
+broken-out fields of a line in the network data base
+.Pa /etc/networks ,
+or entries supplied by the
+.Xr yp 4
+system.  The order of the lookups is controlled by the
+`networks' entry in
+.Xr nsswitch.conf 5 .
+.Pp
 .Bd -literal -offset indent
 struct	netent {
 	char		*n_name;	/* official name of net */
@@ -130,8 +138,10 @@ must be
 .Dv AF_INET .
 Network numbers are supplied in host order.
 .Sh FILES
-.Bl -tag -width /etc/networks -compact
+.Bl -tag -width /etc/nsswitch.conf -compact
 .It Pa /etc/networks
+.It Pa /etc/nsswitch.conf
+.It Pa /etc/resolv.conf
 .El
 .Sh DIAGNOSTICS
 Null pointer
diff --git a/lib/libc/net/getnetnamadr.c b/lib/libc/net/getnetnamadr.c
index 39ead15946..3803e7fd72 100644
--- a/lib/libc/net/getnetnamadr.c
+++ b/lib/libc/net/getnetnamadr.c
@@ -34,141 +34,65 @@
 #include <stdio.h>
 #include <ctype.h>
 #include <string.h>
-
-#ifndef _PATH_NETCONF
-#define _PATH_NETCONF	"/etc/host.conf"
-#endif
-
-enum service_type {
-  SERVICE_NONE = 0,
-  SERVICE_BIND,
-  SERVICE_TABLE,
-  SERVICE_NIS };
-#define SERVICE_MAX	SERVICE_NIS
-
-static struct {
-  const char *name;
-  enum service_type type;
-} service_names[] = {
-  { "hosts", SERVICE_TABLE },
-  { "/etc/hosts", SERVICE_TABLE },
-  { "hosttable", SERVICE_TABLE },
-  { "htable", SERVICE_TABLE },
-  { "bind", SERVICE_BIND },
-  { "dns", SERVICE_BIND },
-  { "domain", SERVICE_BIND },
-  { "yp", SERVICE_NIS },
-  { "yellowpages", SERVICE_NIS },
-  { "nis", SERVICE_NIS },
-  { 0, SERVICE_NONE }
+#include <stdarg.h>
+#include <nsswitch.h>
+
+extern int _ht_getnetbyname(void *, void *, va_list);
+extern int _dns_getnetbyname(void *, void *, va_list);
+extern int _nis_getnetbyname(void *, void *, va_list);
+extern int _ht_getnetbyaddr(void *, void *, va_list);
+extern int _dns_getnetbyaddr(void *, void *, va_list);
+extern int _nis_getnetbyaddr(void *, void *, va_list);
+
+/* Network lookup order if nsswitch.conf is broken or nonexistant */
+static const ns_src default_src[] = {
+	{ NSSRC_FILES, NS_SUCCESS },
+	{ NSSRC_DNS, NS_SUCCESS },
+	{ 0 }
 };
 
-static enum service_type service_order[SERVICE_MAX + 1];
-static int service_done = 0;
-
-static enum service_type
-get_service_name(const char *name)
-{
-	int i;
-	for(i = 0; service_names[i].type != SERVICE_NONE; i++) {
-		if(!strcasecmp(name, service_names[i].name)) {
-			return service_names[i].type;
-		}
-	}
-	return SERVICE_NONE;
-}
-
-static void
-init_services(void)
-{
-	char *cp, *p, buf[BUFSIZ];
-	int cc = 0;
-	FILE *fd;
-
-	if ((fd = (FILE *)fopen(_PATH_NETCONF, "r")) == NULL) {
-				/* make some assumptions */
-		service_order[0] = SERVICE_TABLE;
-		service_order[1] = SERVICE_NONE;
-	} else {
-		while (fgets(buf, BUFSIZ, fd) != NULL && cc < SERVICE_MAX) {
-			if(buf[0] == '#')
-				continue;
-
-			p = buf;
-			while ((cp = strsep(&p, "\n \t,:;")) != NULL && *cp == '\0')
-				;
-			if (cp == NULL)
-				continue;
-			do {
-				if (isalpha((unsigned char)cp[0])) {
-					service_order[cc] = get_service_name(cp);
-					if(service_order[cc] != SERVICE_NONE)
-						cc++;
-				}
-				while ((cp = strsep(&p, "\n \t,:;")) != NULL && *cp == '\0')
-					;
-			} while(cp != NULL && cc < SERVICE_MAX);
-		}
-		service_order[cc] = SERVICE_NONE;
-		fclose(fd);
-	}
-	service_done = 1;
-}
-
 struct netent *
 getnetbyname(const char *name)
 {
 	struct netent *hp = 0;
-	int nserv = 0;
-
-	if (!service_done)
-		init_services();
-
-	while (!hp) {
-		switch (service_order[nserv]) {
-		      case SERVICE_NONE:
-			return NULL;
-		      case SERVICE_TABLE:
-			hp = _getnetbyhtname(name);
-			break;
-		      case SERVICE_BIND:
-			hp = _getnetbydnsname(name);
-			break;
-		      case SERVICE_NIS:
-			hp = _getnetbynisname(name);
-			break;
-		}
-		nserv++;
-	}
-	return hp;
+	int rval;
+
+	static const ns_dtab dtab[] = {
+		NS_FILES_CB(_ht_getnetbyname, NULL)
+		{ NSSRC_DNS, _dns_getnetbyname, NULL },
+		NS_NIS_CB(_nis_getnetbyname, NULL) /* force -DHESIOD */
+		{ 0 }
+	};
+
+	rval = nsdispatch((void *)&hp, dtab, NSDB_NETWORKS, "getnetbyname",
+			  default_src, name);
+
+	if (rval != NS_SUCCESS)
+		return NULL;
+	else
+		return hp;
 }
 
 struct netent *
 getnetbyaddr(u_long addr, int af)
 {
 	struct netent *hp = 0;
-	int nserv = 0;
-
-	if (!service_done)
-		init_services();
-
-	while (!hp) {
-		switch (service_order[nserv]) {
-		      case SERVICE_NONE:
-			return 0;
-		      case SERVICE_TABLE:
-			hp = _getnetbyhtaddr(addr, af);
-			break;
-		      case SERVICE_BIND:
-			hp = _getnetbydnsaddr(addr, af);
-			break;
-		      case SERVICE_NIS:
-			hp = _getnetbynisaddr(addr, af);
-			break;
-		}
-		nserv++;
-	}
-	return hp;
+	int rval;
+
+	static const ns_dtab dtab[] = {
+		NS_FILES_CB(_ht_getnetbyaddr, NULL)
+		{ NSSRC_DNS, _dns_getnetbyaddr, NULL },
+		NS_NIS_CB(_nis_getnetbyaddr, NULL) /* force -DHESIOD */
+		{ 0 }
+	};
+
+	rval = nsdispatch((void *)&hp, dtab, NSDB_HOSTS, "getnetbyaddr",
+			  default_src, addr, af);
+
+	if (rval != NS_SUCCESS)
+		return NULL;
+	else
+		return hp;
 }
 
 void
diff --git a/lib/libc/net/getproto.c b/lib/libc/net/getproto.c
index e0a0085c50..335af1d605 100644
--- a/lib/libc/net/getproto.c
+++ b/lib/libc/net/getproto.c
@@ -27,23 +27,113 @@
  * SUCH DAMAGE.
  *
  * @(#)getproto.c	8.1 (Berkeley) 6/4/93
+ * $FreeBSD: src/lib/libc/net/getproto.c,v 1.7 2007/01/09 00:28:02 imp Exp $
  * $DragonFly: src/lib/libc/net/getproto.c,v 1.5 2005/11/13 02:04:47 swildner Exp $
  */
 
 #include <netdb.h>
+#include <nsswitch.h>
+#include "netdb_private.h"
+#ifdef NS_CACHING
+#include "nscache.h"
+#endif
+#include "nss_tls.h"
 
-extern int _proto_stayopen;
+static const ns_src defaultsrc[] = {
+	{ NSSRC_FILES, NS_SUCCESS },
+	{ NULL, 0 }
+};
+
+#ifdef NS_CACHING
+extern int __proto_id_func(char *, size_t *, va_list, void *);
+extern int __proto_marshal_func(char *, size_t *, void *, va_list, void *);
+extern int __proto_unmarshal_func(char *, size_t, void *, va_list, void *);
+#endif
+
+static int
+files_getprotobynumber(void *retval, void *mdata, va_list ap)
+{
+	struct protoent pe;
+	struct protoent_data *ped;
+	int error;
+
+	int number;
+	struct protoent	*pptr;
+	char *buffer;
+	size_t buflen;
+	int *errnop;
+
+	number = va_arg(ap, int);
+	pptr = va_arg(ap, struct protoent *);
+	buffer = va_arg(ap, char *);
+	buflen = va_arg(ap, size_t);
+	errnop = va_arg(ap, int *);
+
+	if ((ped = __protoent_data_init()) == NULL) {
+		*errnop = -1;
+		return (NS_NOTFOUND);
+	}
+
+	__setprotoent_p(ped->stayopen, ped);
+	while ((error = __getprotoent_p(&pe, ped)) == 0)
+		if (pe.p_proto == number)
+			break;
+	if (!ped->stayopen)
+		__endprotoent_p(ped);
+	if (error != 0) {
+		*errnop = -1;
+		return (NS_NOTFOUND);
+	}
+	if (__copy_protoent(&pe, pptr, buffer, buflen) != 0) {
+		*errnop = -1;
+		return (NS_NOTFOUND);
+	}
+
+	*((struct protoent **)retval) = pptr;
+	return (NS_SUCCESS);
+}
+
+int
+getprotobynumber_r(int proto, struct protoent *pptr, char *buffer,
+    size_t buflen, struct protoent **result)
+{
+#ifdef NS_CACHING
+	static const nss_cache_info cache_info =
+		NS_COMMON_CACHE_INFO_INITIALIZER(
+		protocols, (void *)nss_lt_id,
+		__proto_id_func, __proto_marshal_func, __proto_unmarshal_func);
+#endif
+
+	static const ns_dtab dtab[] = {
+		{ NSSRC_FILES, files_getprotobynumber, NULL },
+#ifdef NS_CACHING
+		NS_CACHE_CB(&cache_info)
+#endif
+		{ NULL, NULL, NULL }
+	};
+	int	rv, ret_errno;
+
+	ret_errno = 0;
+	*result = NULL;
+	rv = nsdispatch(result, dtab, NSDB_PROTOCOLS, "getprotobynumber_r",
+		defaultsrc, proto, pptr, buffer, buflen, &ret_errno);
+
+	if (rv == NS_SUCCESS)
+		return (0);
+	else
+		return (ret_errno);
+}
 
 struct protoent *
 getprotobynumber(int proto)
 {
-	struct protoent *p;
+	struct protodata *pd;
+	struct protoent *rval;
 
-	setprotoent(_proto_stayopen);
-	while ( (p = getprotoent()) )
-		if (p->p_proto == proto)
-			break;
-	if (!_proto_stayopen)
-		endprotoent();
-	return (p);
+	if ((pd = __protodata_init()) == NULL)
+		return (NULL);
+	if (getprotobynumber_r(proto, &pd->proto, pd->data, sizeof(pd->data),
+	    &rval) != 0)
+		return (NULL);
+	return (rval);
 }
diff --git a/lib/libc/net/getprotoent.c b/lib/libc/net/getprotoent.c
index 81b53ccdc0..2d9fb57f26 100644
--- a/lib/libc/net/getprotoent.c
+++ b/lib/libc/net/getprotoent.c
@@ -27,62 +27,353 @@
  * SUCH DAMAGE.
  *
  * @(#)getprotoent.c	8.1 (Berkeley) 6/4/93
+ * $FreeBSD: src/lib/libc/net/getprotoent.c,v 1.9 2007/01/09 00:28:02 imp Exp $
  * $DragonFly: src/lib/libc/net/getprotoent.c,v 1.5 2005/11/13 02:04:47 swildner Exp $
  */
 
+#include <sys/param.h>
 #include <sys/types.h>
 #include <sys/socket.h>
+#include <errno.h>
+#include <limits.h>
 #include <netdb.h>
+#include <nsswitch.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include "namespace.h"
+#include "reentrant.h"
+#include "un-namespace.h"
+#include "netdb_private.h"
+#ifdef NS_CACHING
+#include "nscache.h"
+#endif
+#include "nss_tls.h"
 
-#define	MAXALIASES	35
+static const ns_src defaultsrc[] = {
+	{ NSSRC_FILES, NS_SUCCESS },
+	{ NULL, 0 }
+};
 
-static FILE *protof = NULL;
-static char line[BUFSIZ+1];
-static struct protoent proto;
-static char *proto_aliases[MAXALIASES];
-int _proto_stayopen;
+NETDB_THREAD_ALLOC(protoent_data)
+NETDB_THREAD_ALLOC(protodata)
+
+static void
+protoent_data_clear(struct protoent_data *ped)
+{
+	if (ped->fp) {
+		fclose(ped->fp);
+		ped->fp = NULL;
+	}
+}
+
+static void
+protoent_data_free(void *ptr)
+{
+	struct protoent_data *ped = ptr;
+
+	protoent_data_clear(ped);
+	free(ped);
+}
+
+static void
+protodata_free(void *ptr)
+{
+	free(ptr);
+}
+
+#ifdef NS_CACHING
+int
+__proto_id_func(char *buffer, size_t *buffer_size, va_list ap,
+    void *cache_mdata)
+{
+	char *name;
+	int proto;
+
+	size_t desired_size, size;
+	enum nss_lookup_type lookup_type;
+	int res = NS_UNAVAIL;
+
+	lookup_type = (enum nss_lookup_type)cache_mdata;
+	switch (lookup_type) {
+	case nss_lt_name:
+		name = va_arg(ap, char *);
+
+		size = strlen(name);
+		desired_size = sizeof(enum nss_lookup_type) + size + 1;
+		if (desired_size > *buffer_size) {
+			res = NS_RETURN;
+			goto fin;
+		}
+
+		memcpy(buffer, &lookup_type, sizeof(enum nss_lookup_type));
+		memcpy(buffer + sizeof(enum nss_lookup_type), name, size + 1);
+
+		res = NS_SUCCESS;
+		break;
+	case nss_lt_id:
+		proto = va_arg(ap, int);
+
+		desired_size = sizeof(enum nss_lookup_type) + sizeof(int);
+		if (desired_size > *buffer_size) {
+			res = NS_RETURN;
+			goto fin;
+		}
+
+		memcpy(buffer, &lookup_type, sizeof(enum nss_lookup_type));
+		memcpy(buffer + sizeof(enum nss_lookup_type), &proto,
+			sizeof(int));
+
+		res = NS_SUCCESS;
+		break;
+	default:
+		/* should be unreachable */
+		return (NS_UNAVAIL);
+	}
+
+fin:
+	*buffer_size = desired_size;
+	return (res);
+}
+
+
+int
+__proto_marshal_func(char *buffer, size_t *buffer_size, void *retval,
+    va_list ap, void *cache_mdata)
+{
+	char *name;
+	int num;
+	struct protoent *proto;
+	char *orig_buf;
+	size_t orig_buf_size;
+
+	struct protoent new_proto;
+	size_t desired_size, size, aliases_size;
+	char *p;
+	char **alias;
+
+	switch ((enum nss_lookup_type)cache_mdata) {
+	case nss_lt_name:
+		name = va_arg(ap, char *);
+		break;
+	case nss_lt_id:
+		num = va_arg(ap, int);
+		break;
+	case nss_lt_all:
+		break;
+	default:
+		/* should be unreachable */
+		return (NS_UNAVAIL);
+	}
+
+	proto = va_arg(ap, struct protoent *);
+	orig_buf = va_arg(ap, char *);
+	orig_buf_size = va_arg(ap, size_t);
+
+	desired_size = _ALIGNBYTES + sizeof(struct protoent) + sizeof(char *);
+	if (proto->p_name != NULL)
+		desired_size += strlen(proto->p_name) + 1;
+
+	if (proto->p_aliases != NULL) {
+		aliases_size = 0;
+		for (alias = proto->p_aliases; *alias; ++alias) {
+			desired_size += strlen(*alias) + 1;
+			++aliases_size;
+		}
+
+		desired_size += _ALIGNBYTES + (aliases_size + 1) *
+		    sizeof(char *);
+	}
+
+	if (*buffer_size < desired_size) {
+		/* this assignment is here for future use */
+		*buffer_size = desired_size;
+		return (NS_RETURN);
+	}
+
+	memcpy(&new_proto, proto, sizeof(struct protoent));
+
+	*buffer_size = desired_size;
+	memset(buffer, 0, desired_size);
+	p = buffer + sizeof(struct protoent) + sizeof(char *);
+	memcpy(buffer + sizeof(struct protoent), &p, sizeof(char *));
+	p = (char *)_ALIGN(p);
+
+	if (new_proto.p_name != NULL) {
+		size = strlen(new_proto.p_name);
+		memcpy(p, new_proto.p_name, size);
+		new_proto.p_name = p;
+		p += size + 1;
+	}
+
+	if (new_proto.p_aliases != NULL) {
+		p = (char *)_ALIGN(p);
+		memcpy(p, new_proto.p_aliases, sizeof(char *) * aliases_size);
+		new_proto.p_aliases = (char **)p;
+		p += sizeof(char *) * (aliases_size + 1);
+
+		for (alias = new_proto.p_aliases; *alias; ++alias) {
+			size = strlen(*alias);
+			memcpy(p, *alias, size);
+			*alias = p;
+			p += size + 1;
+		}
+	}
+
+	memcpy(buffer, &new_proto, sizeof(struct protoent));
+	return (NS_SUCCESS);
+}
+
+int
+__proto_unmarshal_func(char *buffer, size_t buffer_size, void *retval,
+    va_list ap, void *cache_mdata)
+{
+	char *name;
+	int num;
+	struct protoent *proto;
+	char *orig_buf;
+	size_t orig_buf_size;
+	int *ret_errno;
+
+	char *p;
+	char **alias;
+
+	switch ((enum nss_lookup_type)cache_mdata) {
+	case nss_lt_name:
+		name = va_arg(ap, char *);
+		break;
+	case nss_lt_id:
+		num = va_arg(ap, int);
+		break;
+	case nss_lt_all:
+		break;
+	default:
+		/* should be unreachable */
+		return (NS_UNAVAIL);
+	}
+
+	proto = va_arg(ap, struct protoent *);
+	orig_buf = va_arg(ap, char *);
+	orig_buf_size = va_arg(ap, size_t);
+	ret_errno = va_arg(ap, int *);
+
+	if (orig_buf_size <
+	    buffer_size - sizeof(struct protoent) - sizeof(char *)) {
+		*ret_errno = ERANGE;
+		return (NS_RETURN);
+	}
+
+	memcpy(proto, buffer, sizeof(struct protoent));
+	memcpy(&p, buffer + sizeof(struct protoent), sizeof(char *));
+
+	orig_buf = (char *)_ALIGN(orig_buf);
+	memcpy(orig_buf, buffer + sizeof(struct protoent) + sizeof(char *) +
+	    _ALIGN(p) - (size_t)p,
+	    buffer_size - sizeof(struct protoent) - sizeof(char *) -
+	    _ALIGN(p) + (size_t)p);
+	p = (char *)_ALIGN(p);
+
+	NS_APPLY_OFFSET(proto->p_name, orig_buf, p, char *);
+	if (proto->p_aliases != NULL) {
+		NS_APPLY_OFFSET(proto->p_aliases, orig_buf, p, char **);
+
+		for (alias = proto->p_aliases; *alias; ++alias)
+			NS_APPLY_OFFSET(*alias, orig_buf, p, char *);
+	}
+
+	if (retval != NULL)
+		*((struct protoent **)retval) = proto;
+
+	return (NS_SUCCESS);
+}
+
+NSS_MP_CACHE_HANDLING(protocols);
+#endif /* NS_CACHING */
+
+int
+__copy_protoent(struct protoent *pe, struct protoent *pptr, char *buf,
+    size_t buflen)
+{
+	char *cp;
+	int i, n;
+	int numptr, len;
+
+	/* Find out the amount of space required to store the answer. */
+	numptr = 1; /* NULL ptr */
+	len = (char *)ALIGN(buf) - buf;
+	for (i = 0; pe->p_aliases[i]; i++, numptr++) {
+		len += strlen(pe->p_aliases[i]) + 1;
+	}
+	len += strlen(pe->p_name) + 1;
+	len += numptr * sizeof(char*);
+
+	if (len > (int)buflen) {
+		errno = ERANGE;
+		return (-1);
+	}
+
+	/* copy protocol value*/
+	pptr->p_proto = pe->p_proto;
+
+	cp = (char *)ALIGN(buf) + numptr * sizeof(char *);
+
+	/* copy official name */
+	n = strlen(pe->p_name) + 1;
+	strcpy(cp, pe->p_name);
+	pptr->p_name = cp;
+	cp += n;
+
+	/* copy aliases */
+	pptr->p_aliases = (char **)ALIGN(buf);
+	for (i = 0 ; pe->p_aliases[i]; i++) {
+		n = strlen(pe->p_aliases[i]) + 1;
+		strcpy(cp, pe->p_aliases[i]);
+		pptr->p_aliases[i] = cp;
+		cp += n;
+	}
+	pptr->p_aliases[i] = NULL;
+
+	return (0);
+}
 
 void
-setprotoent(int f)
+__setprotoent_p(int f, struct protoent_data *ped)
 {
-	if (protof == NULL)
-		protof = fopen(_PATH_PROTOCOLS, "r" );
+	if (ped->fp == NULL)
+		ped->fp = fopen(_PATH_PROTOCOLS, "r");
 	else
-		rewind(protof);
-	_proto_stayopen |= f;
+		rewind(ped->fp);
+	ped->stayopen |= f;
 }
 
 void
-endprotoent(void)
+__endprotoent_p(struct protoent_data *ped)
 {
-	if (protof) {
-		fclose(protof);
-		protof = NULL;
+	if (ped->fp) {
+		fclose(ped->fp);
+		ped->fp = NULL;
 	}
-	_proto_stayopen = 0;
+	ped->stayopen = 0;
 }
 
-struct protoent *
-getprotoent(void)
+int
+__getprotoent_p(struct protoent *pe, struct protoent_data *ped)
 {
 	char *p;
-	char *cp, **q;
+	char *cp, **q, *endp;
+	long l;
 
-	if (protof == NULL && (protof = fopen(_PATH_PROTOCOLS, "r" )) == NULL)
-		return (NULL);
+	if (ped->fp == NULL && (ped->fp = fopen(_PATH_PROTOCOLS, "r")) == NULL)
+		return (-1);
 again:
-	if ((p = fgets(line, BUFSIZ, protof)) == NULL)
-		return (NULL);
+	if ((p = fgets(ped->line, sizeof ped->line, ped->fp)) == NULL)
+		return (-1);
 	if (*p == '#')
 		goto again;
 	cp = strpbrk(p, "#\n");
-	if (cp == NULL)
-		goto again;
-	*cp = '\0';
-	proto.p_name = p;
+	if (cp != NULL)
+		*cp = '\0';
+	pe->p_name = p;
 	cp = strpbrk(p, " \t");
 	if (cp == NULL)
 		goto again;
@@ -92,8 +383,11 @@ again:
 	p = strpbrk(cp, " \t");
 	if (p != NULL)
 		*p++ = '\0';
-	proto.p_proto = atoi(cp);
-	q = proto.p_aliases = proto_aliases;
+	l = strtol(cp, &endp, 10);
+	if (endp == cp || *endp != '\0' || l < 0 || l > USHRT_MAX)
+		goto again;
+	pe->p_proto = l;
+	q = pe->p_aliases = ped->aliases;
 	if (p != NULL) {
 		cp = p;
 		while (cp && *cp) {
@@ -101,7 +395,7 @@ again:
 				cp++;
 				continue;
 			}
-			if (q < &proto_aliases[MAXALIASES - 1])
+			if (q < &ped->aliases[_MAXALIASES - 1])
 				*q++ = cp;
 			cp = strpbrk(cp, " \t");
 			if (cp != NULL)
@@ -109,5 +403,147 @@ again:
 		}
 	}
 	*q = NULL;
-	return (&proto);
+	return (0);
+}
+
+static int
+files_getprotoent_r(void *retval, void *mdata, va_list ap)
+{
+	struct protoent pe;
+	struct protoent_data *ped;
+
+	struct protoent	*pptr;
+	char *buffer;
+	size_t buflen;
+	int *errnop;
+
+	pptr = va_arg(ap, struct protoent *);
+	buffer = va_arg(ap, char *);
+	buflen = va_arg(ap, size_t);
+	errnop = va_arg(ap, int *);
+
+	if ((ped = __protoent_data_init()) == NULL)
+		return (-1);
+
+	if (__getprotoent_p(&pe, ped) != 0) {
+		*errnop = errno;
+		return (NS_NOTFOUND);
+	}
+
+	if (__copy_protoent(&pe, pptr, buffer, buflen) != 0) {
+		*errnop = errno;
+		return (NS_NOTFOUND);
+	}
+
+	*((struct protoent **)retval) = pptr;
+	return (NS_SUCCESS);
+}
+
+static int
+files_setprotoent(void *retval, void *mdata, va_list ap)
+{
+	struct protoent_data *ped;
+	int f;
+
+	f = va_arg(ap, int);
+	if ((ped = __protoent_data_init()) == NULL)
+		return (NS_UNAVAIL);
+
+	__setprotoent_p(f, ped);
+	return (NS_UNAVAIL);
+}
+
+static int
+files_endprotoent(void *retval, void *mdata, va_list ap)
+{
+	struct protoent_data *ped;
+
+	if ((ped = __protoent_data_init()) == NULL)
+		return (NS_UNAVAIL);
+
+	__endprotoent_p(ped);
+	return (NS_UNAVAIL);
+}
+
+int
+getprotoent_r(struct protoent *pptr, char *buffer, size_t buflen,
+    struct protoent **result)
+{
+#ifdef NS_CACHING
+	static const nss_cache_info cache_info = NS_MP_CACHE_INFO_INITIALIZER(
+		protocols, (void *)nss_lt_all,
+		__proto_marshal_func, __proto_unmarshal_func);
+#endif
+	static const ns_dtab dtab[] = {
+		{ NSSRC_FILES, files_getprotoent_r, (void *)nss_lt_all },
+#ifdef NS_CACHING
+		NS_CACHE_CB(&cache_info)
+#endif
+		{ NULL, NULL, NULL }
+	};
+	int rv, ret_errno;
+
+	ret_errno = 0;
+	*result = NULL;
+	rv = nsdispatch(result, dtab, NSDB_PROTOCOLS, "getprotoent_r",
+	    defaultsrc, pptr, buffer, buflen, &ret_errno);
+
+	if (rv == NS_SUCCESS)
+		return (0);
+	else
+		return (ret_errno);
+}
+
+void
+setprotoent(int stayopen)
+{
+#ifdef NS_CACHING
+	static const nss_cache_info cache_info = NS_MP_CACHE_INFO_INITIALIZER(
+		protocols, (void *)nss_lt_all,
+		NULL, NULL);
+#endif
+
+	static const ns_dtab dtab[] = {
+		{ NSSRC_FILES, files_setprotoent, NULL },
+#ifdef NS_CACHING
+		NS_CACHE_CB(&cache_info)
+#endif
+		{ NULL, NULL, NULL }
+	};
+
+	nsdispatch(NULL, dtab, NSDB_PROTOCOLS, "setprotoent", defaultsrc,
+		stayopen);
+}
+
+void
+endprotoent(void)
+{
+#ifdef NS_CACHING
+	static const nss_cache_info cache_info = NS_MP_CACHE_INFO_INITIALIZER(
+		protocols, (void *)nss_lt_all,
+		NULL, NULL);
+#endif
+
+	static const ns_dtab dtab[] = {
+		{ NSSRC_FILES, files_endprotoent, NULL },
+#ifdef NS_CACHING
+		NS_CACHE_CB(&cache_info)
+#endif
+		{ NULL, NULL, NULL }
+	};
+
+	nsdispatch(NULL, dtab, NSDB_PROTOCOLS, "endprotoent", defaultsrc);
+}
+
+struct protoent *
+getprotoent(void)
+{
+	struct protodata *pd;
+	struct protoent *rval;
+
+	if ((pd = __protodata_init()) == NULL)
+		return (NULL);
+	if (getprotoent_r(&pd->proto, pd->data, sizeof(pd->data), &rval) != 0)
+		return (NULL);
+	return (rval);
 }
diff --git a/lib/libc/net/getprotoname.c b/lib/libc/net/getprotoname.c
index aa185fa998..4ee59b0740 100644
--- a/lib/libc/net/getprotoname.c
+++ b/lib/libc/net/getprotoname.c
@@ -27,30 +27,121 @@
  * SUCH DAMAGE.
  *
  * @(#)getprotoname.c	8.1 (Berkeley) 6/4/93
+ * $FreeBSD: src/lib/libc/net/getprotoname.c,v 1.7 2007/01/09 00:28:02 imp Exp $
  * $DragonFly: src/lib/libc/net/getprotoname.c,v 1.5 2005/11/13 02:04:47 swildner Exp $
  */
 
 #include <netdb.h>
+#include <nsswitch.h>
 #include <string.h>
+#include "netdb_private.h"
+#ifdef NS_CACHING
+#include "nscache.h"
+#endif
+#include "nss_tls.h"
 
-extern int _proto_stayopen;
+static const ns_src defaultsrc[] = {
+	{ NSSRC_FILES, NS_SUCCESS },
+	{ NULL, 0 }
+};
 
-struct protoent *
-getprotobyname(const char *name)
+#ifdef NS_CACHING
+extern int __proto_id_func(char *, size_t *, va_list, void *);
+extern int __proto_marshal_func(char *, size_t *, void *, va_list, void *);
+extern int __proto_unmarshal_func(char *, size_t, void *, va_list, void *);
+#endif
+
+static int
+files_getprotobyname(void *retval, void *mdata, va_list ap)
 {
-	struct protoent *p;
+	struct protoent pe;
+	struct protoent_data *ped;
 	char **cp;
+	int error;
+
+	char *name;
+	struct protoent	*pptr;
+	char *buffer;
+	size_t buflen;
+	int *errnop;
+
+	name = va_arg(ap, char *);
+	pptr = va_arg(ap, struct protoent *);
+	buffer = va_arg(ap, char *);
+	buflen = va_arg(ap, size_t);
+	errnop = va_arg(ap, int *);
+
 
-	setprotoent(_proto_stayopen);
-	while ( (p = getprotoent()) ) {
-		if (strcmp(p->p_name, name) == 0)
+	if ((ped = __protoent_data_init()) == NULL) {
+		*errnop = -1;
+		return (NS_NOTFOUND);
+	}
+
+	__setprotoent_p(ped->stayopen, ped);
+	while ((error = __getprotoent_p(&pe, ped)) == 0) {
+		if (strcmp(pe.p_name, name) == 0)
 			break;
-		for (cp = p->p_aliases; *cp != 0; cp++)
+		for (cp = pe.p_aliases; *cp != 0; cp++)
 			if (strcmp(*cp, name) == 0)
 				goto found;
 	}
 found:
-	if (!_proto_stayopen)
-		endprotoent();
-	return (p);
+	if (!ped->stayopen)
+		__endprotoent_p(ped);
+	if (error != 0) {
+		*errnop = -1;
+		return (NS_NOTFOUND);
+	}
+	if (__copy_protoent(&pe, pptr, buffer, buflen) != 0) {
+		*errnop = -1;
+		return (NS_NOTFOUND);
+	}
+
+	*((struct protoent **)retval) = pptr;
+	return (NS_SUCCESS);
+}
+
+
+int
+getprotobyname_r(const char *name, struct protoent *pptr, char *buffer,
+    size_t buflen, struct protoent **result)
+{
+#ifdef NS_CACHING
+	static const nss_cache_info cache_info =
+		NS_COMMON_CACHE_INFO_INITIALIZER(
+		protocols, (void *)nss_lt_name,
+		__proto_id_func, __proto_marshal_func, __proto_unmarshal_func);
+#endif
+	static const ns_dtab dtab[] = {
+		{ NSSRC_FILES, files_getprotobyname, NULL },
+#ifdef NS_CACHING
+		NS_CACHE_CB(&cache_info)
+#endif
+		{ NULL, NULL, NULL }
+	};
+	int	rv, ret_errno;
+
+	ret_errno = 0;
+	*result = NULL;
+	rv = nsdispatch(result, dtab, NSDB_PROTOCOLS, "getprotobyname_r",
+	    defaultsrc, name, pptr, buffer, buflen, &ret_errno);
+
+	if (rv == NS_SUCCESS)
+		return (0);
+	else
+		return (ret_errno);
+}
+
+struct protoent *
+getprotobyname(const char *name)
+{
+	struct protodata *pd;
+	struct protoent *rval;
+
+	if ((pd = __protodata_init()) == NULL)
+		return (NULL);
+	if (getprotobyname_r(name, &pd->proto, pd->data, sizeof(pd->data),
+	    &rval) != 0)
+		return (NULL);
+	return (rval);
 }
diff --git a/lib/libc/net/getservbyname.c b/lib/libc/net/getservbyname.c
deleted file mode 100644
index 8ae83269ea..0000000000
--- a/lib/libc/net/getservbyname.c
+++ /dev/null
@@ -1,73 +0,0 @@
-/*
- * Copyright (c) 1983, 1993
- *	The Regents of the University of California.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * @(#)getservbyname.c	8.1 (Berkeley) 6/4/93
- * $DragonFly: src/lib/libc/net/getservbyname.c,v 1.5 2005/11/13 02:04:47 swildner Exp $
- */
-
-#include <netdb.h>
-#include <string.h>
-
-extern int _serv_stayopen;
-
-struct servent *
-getservbyname(const char *name, const char *proto)
-{
-	struct servent *p;
-	char **cp;
-
-#ifdef YP
-	extern char *___getservbyname_yp;
-	extern char *___getservbyproto_yp;
-
-	___getservbyname_yp = (char *)name;
-	___getservbyproto_yp = (char *)proto;
-#endif
-
-	setservent(_serv_stayopen);
-	while ( (p = getservent()) ) {
-		if (strcmp(name, p->s_name) == 0)
-			goto gotname;
-		for (cp = p->s_aliases; *cp; cp++)
-			if (strcmp(name, *cp) == 0)
-				goto gotname;
-		continue;
-gotname:
-		if (proto == 0 || strcmp(p->s_proto, proto) == 0)
-			break;
-	}
-	if (!_serv_stayopen)
-		endservent();
-
-#ifdef YP
-	___getservbyname_yp = NULL;
-	___getservbyproto_yp = NULL;
-#endif
-
-	return (p);
-}
diff --git a/lib/libc/net/getservent.c b/lib/libc/net/getservent.c
index f8db6abd3d..db38051365 100644
--- a/lib/libc/net/getservent.c
+++ b/lib/libc/net/getservent.c
@@ -27,243 +27,1181 @@
  * SUCH DAMAGE.
  *
  * @(#)getservent.c	8.1 (Berkeley) 6/4/93
+ * $FreeBSD: src/lib/libc/net/getservent.c,v 1.23 2007/01/09 00:28:02 imp Exp $
  * $DragonFly: src/lib/libc/net/getservent.c,v 1.7 2005/11/13 02:04:47 swildner Exp $
  */
 
+#include <sys/param.h>
 #include <sys/types.h>
 #include <sys/socket.h>
+#include <arpa/inet.h>
+#include <errno.h>
+#include <limits.h>
 #include <netdb.h>
+#include <nsswitch.h>
 #include <stdio.h>
 #include <string.h>
 #include <stdlib.h>
+#include <unistd.h>
 #ifdef YP
 #include <rpc/rpc.h>
 #include <rpcsvc/yp_prot.h>
 #include <rpcsvc/ypclnt.h>
-static int serv_stepping_yp = 0;
-extern int _yp_check ( char ** );
 #endif
+#include "namespace.h"
+#include "reentrant.h"
+#include "un-namespace.h"
+#include "netdb_private.h"
+#ifdef NS_CACHING
+#include "nscache.h"
+#endif
+#include "nss_tls.h"
+
+enum constants
+{
+	SETSERVENT		= 1,
+	ENDSERVENT		= 2,
+	SERVENT_STORAGE_INITIAL	= 1 << 10, /* 1 KByte */
+	SERVENT_STORAGE_MAX	= 1 << 20, /* 1 MByte */
+};
+
+struct servent_mdata
+{
+	enum nss_lookup_type how;
+	int compat_mode;
+};
 
+static const ns_src defaultsrc[] = {
+	{ NSSRC_COMPAT, NS_SUCCESS },
+	{ NULL, 0 }
+};
 
-#define	MAXALIASES	35
+static int servent_unpack(char *, struct servent *, char **, size_t, int *);
 
-static FILE *servf = NULL;
-static char line[BUFSIZ+1];
-static struct servent serv;
-static char *serv_aliases[MAXALIASES];
-int _serv_stayopen;
+/* files backend declarations */
+struct files_state
+{
+	FILE *fp;
+	int stayopen;
+
+	int compat_mode_active;
+};
+static void files_endstate(void *);
+NSS_TLS_HANDLING(files);
+
+static int files_servent(void *, void *, va_list);
+static int files_setservent(void *, void *, va_list);
 
 #ifdef YP
-char *___getservbyname_yp = NULL;
-char *___getservbyproto_yp = NULL;
-int ___getservbyport_yp = 0;
-static char *yp_domain = NULL;
+/* nis backend declarations */
+static 	int 	nis_servent(void *, void *, va_list);
+static 	int 	nis_setservent(void *, void *, va_list);
+
+struct nis_state
+{
+	int yp_stepping;
+	char yp_domain[MAXHOSTNAMELEN];
+	char *yp_key;
+	int yp_keylen;
+};
+static void nis_endstate(void *);
+NSS_TLS_HANDLING(nis);
+
+static int nis_servent(void *, void *, va_list);
+static int nis_setservent(void *, void *, va_list);
+#endif
+
+/* compat backend declarations */
+static int compat_setservent(void *, void *, va_list);
+
+/* get** wrappers for get**_r functions declarations */
+struct servent_state {
+	struct servent serv;
+	char *buffer;
+	size_t bufsize;
+};
+static	void	servent_endstate(void *);
+NSS_TLS_HANDLING(servent);
+
+struct key {
+	const char *proto;
+	union {
+		const char *name;
+		int port;
+	};
+};
+
+static int wrap_getservbyname_r(struct key, struct servent *, char *, size_t,
+    struct servent **);
+static int wrap_getservbyport_r(struct key, struct servent *, char *, size_t,
+    struct servent **);
+static int wrap_getservent_r(struct key, struct servent *, char *, size_t,
+    struct servent **);
+static struct servent *getserv(int (*fn)(struct key, struct servent *, char *,
+    size_t, struct servent **), struct key);
+
+#ifdef NS_CACHING
+static int serv_id_func(char *, size_t *, va_list, void *);
+static int serv_marshal_func(char *, size_t *, void *, va_list, void *);
+static int serv_unmarshal_func(char *, size_t, void *, va_list, void *);
+#endif
 
 static int
-_getservbyport_yp(char *line)
+servent_unpack(char *p, struct servent *serv, char **aliases,
+    size_t aliases_size, int *errnop)
 {
-	char *result;
-	int resultlen;
-	char buf[YPMAXRECORD + 2];
+	char *cp, **q, *endp;
+	long l;
+
+	if (*p == '#')
+		return -1;
+
+	memset(serv, 0, sizeof(struct servent));
+
+	cp = strpbrk(p, "#\n");
+	if (cp != NULL)
+		*cp = '\0';
+	serv->s_name = p;
+
+	p = strpbrk(p, " \t");
+	if (p == NULL)
+		return -1;
+	*p++ = '\0';
+	while (*p == ' ' || *p == '\t')
+		p++;
+	cp = strpbrk(p, ",/");
+	if (cp == NULL)
+		return -1;
+
+	*cp++ = '\0';
+	l = strtol(p, &endp, 10);
+	if (endp == p || *endp != '\0' || l < 0 || l > USHRT_MAX)
+		return -1;
+	serv->s_port = htons((in_port_t)l);
+	serv->s_proto = cp;
+
+	q = serv->s_aliases = aliases;
+	cp = strpbrk(cp, " \t");
+	if (cp != NULL)
+		*cp++ = '\0';
+	while (cp && *cp) {
+		if (*cp == ' ' || *cp == '\t') {
+			cp++;
+			continue;
+		}
+		if (q < &aliases[aliases_size - 1]) {
+			*q++ = cp;
+		} else {
+			*q = NULL;
+			*errnop = ERANGE;
+			return -1;
+		}
+		cp = strpbrk(cp, " \t");
+		if (cp != NULL)
+			*cp++ = '\0';
+	}
+	*q = NULL;
+
+	return 0;
+}
+
+/* files backend implementation */
+static	void
+files_endstate(void *p)
+{
+	FILE * f;
+
+	if (p == NULL)
+		return;
+
+	f = ((struct files_state *)p)->fp;
+	if (f != NULL)
+		fclose(f);
+
+	free(p);
+}
+
+/*
+ * compat structures. compat and files sources functionalities are almost
+ * equal, so they all are managed by files_servent function
+ */
+static int
+files_servent(void *retval, void *mdata, va_list ap)
+{
+	static const ns_src compat_src[] = {
+#ifdef YP
+		{ NSSRC_NIS, NS_SUCCESS },
+#endif
+		{ NULL, 0 }
+	};
+	ns_dtab compat_dtab[] = {
+#ifdef YP
+		{ NSSRC_NIS, nis_servent,
+			(void *)((struct servent_mdata *)mdata)->how },
+#endif
+		{ NULL, NULL, NULL }
+	};
+
+	struct files_state *st;
 	int rv;
+	int stayopen;
+
+	struct servent_mdata *serv_mdata;
+	char *name;
+	char *proto;
+	int port;
+
+	struct servent *serv;
+	char *buffer;
+	size_t bufsize;
+	int *errnop;
+
+	char **aliases;
+	int aliases_size;
+	size_t linesize;
+	char *line;
+	char **cp;
+
+	name = NULL;
+	proto = NULL;
+	serv_mdata = (struct servent_mdata *)mdata;
+	switch (serv_mdata->how) {
+	case nss_lt_name:
+		name = va_arg(ap, char *);
+		proto = va_arg(ap, char *);
+		break;
+	case nss_lt_id:
+		port = va_arg(ap, int);
+		proto = va_arg(ap, char *);
+		break;
+	case nss_lt_all:
+		break;
+	default:
+		return NS_NOTFOUND;
+	};
 
-	snprintf(buf, sizeof(buf), "%d/%s", ntohs(___getservbyport_yp),
-						___getservbyproto_yp);
+	serv = va_arg(ap, struct servent *);
+	buffer  = va_arg(ap, char *);
+	bufsize = va_arg(ap, size_t);
+	errnop = va_arg(ap,int *);
 
-	___getservbyport_yp = 0;
-	___getservbyproto_yp = NULL;
+	*errnop = files_getstate(&st);
+	if (*errnop != 0)
+		return (NS_UNAVAIL);
 
-	if(!yp_domain) {
-		if(yp_get_default_domain(&yp_domain))
-			return (0);
+	if (st->fp == NULL)
+		st->compat_mode_active = 0;
+
+	if (st->fp == NULL && (st->fp = fopen(_PATH_SERVICES, "r")) == NULL) {
+		*errnop = errno;
+		return (NS_UNAVAIL);
 	}
 
-	/*
-	 * We have to be a little flexible here. Ideally you're supposed
-	 * to have both a services.byname and a services.byport map, but
-	 * some systems have only services.byname. FreeBSD cheats a little
-	 * by putting the services.byport information in the same map as
-	 * services.byname so that either case will work. We allow for both
-	 * possibilities here: if there is no services.byport map, we try
-	 * services.byname instead.
-	 */
-	if ((rv = yp_match(yp_domain, "services.byport", buf, strlen(buf),
-						&result, &resultlen))) {
-		if (rv == YPERR_MAP) {
-			if (yp_match(yp_domain, "services.byname", buf,
-					strlen(buf), &result, &resultlen))
-			return(0);
-		} else
-			return(0);
+	if (serv_mdata->how == nss_lt_all)
+		stayopen = 1;
+	else {
+		rewind(st->fp);
+		stayopen = st->stayopen;
 	}
-		
-	/* getservent() expects lines terminated with \n -- make it happy */
-	snprintf(line, BUFSIZ, "%.*s\n", resultlen, result);
 
-	free(result);
-	return(1);
+	rv = NS_NOTFOUND;
+	do {
+		if (!st->compat_mode_active) {
+			if ((line = fgetln(st->fp, &linesize)) == NULL) {
+				*errnop = errno;
+				rv = NS_RETURN;
+				break;
+			}
+
+			if (*line=='+') {
+				if (serv_mdata->compat_mode != 0)
+					st->compat_mode_active = 1;
+			} else {
+				if (bufsize <= linesize + _ALIGNBYTES +
+				    sizeof(char *)) {
+					*errnop = ERANGE;
+					rv = NS_RETURN;
+					break;
+				}
+				aliases = (char **)_ALIGN(&buffer[linesize+1]);
+				aliases_size = (buffer + bufsize -
+				    (char *)aliases) / sizeof(char *);
+				if (aliases_size < 1) {
+					*errnop = ERANGE;
+					rv = NS_RETURN;
+					break;
+				}
+
+				memcpy(buffer, line, linesize);
+				buffer[linesize] = '\0';
+			}
+		}
+
+		if (st->compat_mode_active != 0) {
+			switch (serv_mdata->how) {
+			case nss_lt_name:
+				rv = nsdispatch(retval, compat_dtab,
+				    NSDB_SERVICES_COMPAT, "getservbyname_r",
+				    compat_src, name, proto, serv, buffer,
+				    bufsize, errnop);
+				break;
+			case nss_lt_id:
+				rv = nsdispatch(retval, compat_dtab,
+				    NSDB_SERVICES_COMPAT, "getservbyport_r",
+				    compat_src, port, proto, serv, buffer,
+					bufsize, errnop);
+				break;
+			case nss_lt_all:
+				rv = nsdispatch(retval, compat_dtab,
+				    NSDB_SERVICES_COMPAT, "getservent_r",
+				    compat_src, serv, buffer, bufsize, errnop);
+				break;
+			}
+
+			if (!(rv & NS_TERMINATE) ||
+			    serv_mdata->how != nss_lt_all)
+				st->compat_mode_active = 0;
+
+			continue;
+		}
+
+		rv = servent_unpack(buffer, serv, aliases, aliases_size,
+		    errnop);
+		if (rv !=0 ) {
+			if (*errnop == 0) {
+				rv = NS_NOTFOUND;
+				continue;
+			}
+			else {
+				rv = NS_RETURN;
+				break;
+			}
+		}
+
+		rv = NS_NOTFOUND;
+		switch (serv_mdata->how) {
+		case nss_lt_name:
+			if (strcmp(name, serv->s_name) == 0)
+				goto gotname;
+			for (cp = serv->s_aliases; *cp; cp++)
+				if (strcmp(name, *cp) == 0)
+					goto gotname;
+
+			continue;
+		gotname:
+			if (proto == 0 || strcmp(serv->s_proto, proto) == 0)
+				rv = NS_SUCCESS;
+			break;
+		case nss_lt_id:
+			if (port != serv->s_port)
+				continue;
+
+			if (proto == 0 || strcmp(serv->s_proto, proto) == 0)
+				rv = NS_SUCCESS;
+			break;
+		case nss_lt_all:
+			rv = NS_SUCCESS;
+			break;
+		}
+
+	} while (!(rv & NS_TERMINATE));
+
+	if (!stayopen && st->fp != NULL) {
+		fclose(st->fp);
+		st->fp = NULL;
+	}
+
+	if ((rv == NS_SUCCESS) && (retval != NULL))
+		*(struct servent **)retval=serv;
+
+	return (rv);
 }
 
 static int
-_getservbyname_yp(char *line)
+files_setservent(void *retval, void *mdata, va_list ap)
 {
-	char *result;
-	int resultlen;
+	struct files_state *st;
+	int rv;
+	int f;
+
+	rv = files_getstate(&st);
+	if (rv != 0)
+		return (NS_UNAVAIL);
+
+	switch ((enum constants)mdata) {
+	case SETSERVENT:
+		f = va_arg(ap,int);
+		if (st->fp == NULL)
+			st->fp = fopen(_PATH_SERVICES, "r");
+		else
+			rewind(st->fp);
+		st->stayopen |= f;
+		break;
+	case ENDSERVENT:
+		if (st->fp != NULL) {
+			fclose(st->fp);
+			st->fp = NULL;
+		}
+		st->stayopen = 0;
+		break;
+	default:
+		break;
+	};
+
+	st->compat_mode_active = 0;
+	return (NS_UNAVAIL);
+}
+
+/* nis backend implementation */
+#ifdef YP
+static 	void
+nis_endstate(void *p)
+{
+	if (p == NULL)
+		return;
+
+	free(((struct nis_state *)p)->yp_key);
+	free(p);
+}
+
+static int
+nis_servent(void *retval, void *mdata, va_list ap)
+{
+	char *resultbuf, *lastkey;
+	int resultbuflen;
 	char buf[YPMAXRECORD + 2];
 
-	if(!yp_domain) {
-		if(yp_get_default_domain(&yp_domain))
-			return (0);
-	}
+	struct nis_state *st;
+	int rv;
+
+	enum nss_lookup_type how;
+	char *name;
+	char *proto;
+	int port;
+
+	struct servent *serv;
+	char *buffer;
+	size_t bufsize;
+	int *errnop;
+
+	char **aliases;
+	int aliases_size;
+
+	name = NULL;
+	proto = NULL;
+	how = (enum nss_lookup_type)mdata;
+	switch (how) {
+	case nss_lt_name:
+		name = va_arg(ap, char *);
+		proto = va_arg(ap, char *);
+		break;
+	case nss_lt_id:
+		port = va_arg(ap, int);
+		proto = va_arg(ap, char *);
+		break;
+	case nss_lt_all:
+		break;
+	default:
+		return NS_NOTFOUND;
+	};
 
-	snprintf(buf, sizeof(buf), "%s/%s", ___getservbyname_yp,
-						___getservbyproto_yp);
+	serv = va_arg(ap, struct servent *);
+	buffer  = va_arg(ap, char *);
+	bufsize = va_arg(ap, size_t);
+	errnop = va_arg(ap, int *);
 
-	___getservbyname_yp = 0;
-	___getservbyproto_yp = NULL;
+	*errnop = nis_getstate(&st);
+	if (*errnop != 0)
+		return (NS_UNAVAIL);
 
-	if (yp_match(yp_domain, "services.byname", buf, strlen(buf),
-						&result, &resultlen)) {
-		return(0);
+	if (st->yp_domain[0] == '\0') {
+		if (getdomainname(st->yp_domain, sizeof st->yp_domain)) {
+			*errnop = errno;
+			return (NS_UNAVAIL);
+		}
 	}
-		
-	/* getservent() expects lines terminated with \n -- make it happy */
-	snprintf(line, BUFSIZ, "%.*s\n", resultlen, result);
 
-	free(result);
-	return(1);
+	do {
+		switch (how) {
+		case nss_lt_name:
+			snprintf(buf, sizeof(buf), "%s/%s", name, proto);
+			if (yp_match(st->yp_domain, "services.byname", buf,
+			    strlen(buf), &resultbuf, &resultbuflen)) {
+				rv = NS_NOTFOUND;
+				goto fin;
+			}
+			break;
+		case nss_lt_id:
+			snprintf(buf, sizeof(buf), "%d/%s", ntohs(port),
+			    proto);
+
+			/*
+			 * We have to be a little flexible
+			 * here. Ideally you're supposed to have both
+			 * a services.byname and a services.byport
+			 * map, but some systems have only
+			 * services.byname. FreeBSD cheats a little by
+			 * putting the services.byport information in
+			 * the same map as services.byname so that
+			 * either case will work. We allow for both
+			 * possibilities here: if there is no
+			 * services.byport map, we try services.byname
+			 * instead.
+			 */
+			rv = yp_match(st->yp_domain, "services.byport", buf,
+			    strlen(buf), &resultbuf, &resultbuflen);
+			if (rv) {
+				if (rv == YPERR_MAP) {
+					if (yp_match(st->yp_domain,
+					    "services.byname", buf,
+					    strlen(buf), &resultbuf,
+					    &resultbuflen)) {
+						rv = NS_NOTFOUND;
+						goto fin;
+					}
+				} else {
+					rv = NS_NOTFOUND;
+					goto fin;
+				}
+			}
+
+			break;
+		case nss_lt_all:
+			if (!st->yp_stepping) {
+				free(st->yp_key);
+				rv = yp_first(st->yp_domain, "services.byname",
+				    &st->yp_key, &st->yp_keylen, &resultbuf,
+				    &resultbuflen);
+				if (rv) {
+					rv = NS_NOTFOUND;
+					goto fin;
+				}
+				st->yp_stepping = 1;
+			} else {
+				lastkey = st->yp_key;
+				rv = yp_next(st->yp_domain, "services.byname",
+				    st->yp_key, st->yp_keylen, &st->yp_key,
+				    &st->yp_keylen, &resultbuf, &resultbuflen);
+				free(lastkey);
+				if (rv) {
+					st->yp_stepping = 0;
+					rv = NS_NOTFOUND;
+					goto fin;
+				}
+			}
+			break;
+		};
+
+		/* we need a room for additional \n symbol */
+		if (bufsize <=
+		    resultbuflen + 1 + _ALIGNBYTES + sizeof(char *)) {
+			*errnop = ERANGE;
+			rv = NS_RETURN;
+			break;
+		}
+
+		aliases = (char **)_ALIGN(&buffer[resultbuflen + 2]);
+		aliases_size =
+		    (buffer + bufsize - (char *)aliases) / sizeof(char *);
+		if (aliases_size < 1) {
+			*errnop = ERANGE;
+			rv = NS_RETURN;
+			break;
+		}
+
+		/*
+		 * servent_unpack expects lines terminated with \n --
+		 * make it happy
+		 */
+		memcpy(buffer, resultbuf, resultbuflen);
+		buffer[resultbuflen] = '\n';
+		buffer[resultbuflen + 1] = '\0';
+
+		if (servent_unpack(buffer, serv, aliases, aliases_size,
+		    errnop) != 0) {
+			if (*errnop == 0)
+				rv = NS_NOTFOUND;
+			else
+				rv = NS_RETURN;
+		} else
+			rv = NS_SUCCESS;
+		free(resultbuf);
+
+	} while (!(rv & NS_TERMINATE) && how == nss_lt_all);
+
+fin:
+	if (rv == NS_SUCCESS && retval != NULL)
+		*(struct servent **)retval = serv;
+
+	return (rv);
 }
 
 static int
-_getservent_yp(char *line)
+nis_setservent(void *result, void *mdata, va_list ap)
 {
-	static char *key = NULL;
-	static int keylen;
-	char *lastkey, *result;
-	int resultlen;
+	struct nis_state *st;
 	int rv;
 
-	if(!yp_domain) {
-		if(yp_get_default_domain(&yp_domain))
-			return (0);
+	rv = nis_getstate(&st);
+	if (rv != 0)
+		return (NS_UNAVAIL);
+
+	switch ((enum constants)mdata) {
+	case SETSERVENT:
+	case ENDSERVENT:
+		free(st->yp_key);
+		st->yp_key = NULL;
+		st->yp_stepping = 0;
+		break;
+	default:
+		break;
+	};
+
+	return (NS_UNAVAIL);
+}
+#endif
+
+/* compat backend implementation */
+static int
+compat_setservent(void *retval, void *mdata, va_list ap)
+{
+	static const ns_src compat_src[] = {
+#ifdef YP
+		{ NSSRC_NIS, NS_SUCCESS },
+#endif
+		{ NULL, 0 }
+	};
+	ns_dtab compat_dtab[] = {
+#ifdef YP
+		{ NSSRC_NIS, nis_setservent, mdata },
+#endif
+		{ NULL, NULL, NULL }
+	};
+	int f;
+
+	files_setservent(retval, mdata, ap);
+
+	switch ((enum constants)mdata) {
+	case SETSERVENT:
+		f = va_arg(ap, int);
+		nsdispatch(retval, compat_dtab, NSDB_SERVICES_COMPAT,
+		    "setservent", compat_src, f);
+		break;
+	case ENDSERVENT:
+		nsdispatch(retval, compat_dtab, NSDB_SERVICES_COMPAT,
+		    "endservent", compat_src);
+		break;
+	default:
+		break;
 	}
 
-	if (!serv_stepping_yp) {
-		if (key)
-			free(key);
-		if ((rv = yp_first(yp_domain, "services.byname", &key, &keylen,
-			     &result, &resultlen))) {
-			serv_stepping_yp = 0;
-			return(0);
+	return (NS_UNAVAIL);
+}
+
+#ifdef NS_CACHING
+static int
+serv_id_func(char *buffer, size_t *buffer_size, va_list ap, void *cache_mdata)
+{
+	char *name;
+	char *proto;
+	int port;
+
+	size_t desired_size, size, size2;
+	enum nss_lookup_type lookup_type;
+	int res = NS_UNAVAIL;
+
+	lookup_type = (enum nss_lookup_type)cache_mdata;
+	switch (lookup_type) {
+	case nss_lt_name:
+		name = va_arg(ap, char *);
+		proto = va_arg(ap, char *);
+
+		size = strlen(name);
+		desired_size = sizeof(enum nss_lookup_type) + size + 1;
+		if (proto != NULL) {
+			size2 = strlen(proto);
+			desired_size += size2 + 1;
+		} else
+			size2 = 0;
+
+		if (desired_size > *buffer_size) {
+			res = NS_RETURN;
+			goto fin;
 		}
-		serv_stepping_yp = 1;
-	} else {
-		lastkey = key;
-		rv = yp_next(yp_domain, "services.byname", key, keylen, &key,
-			     &keylen, &result, &resultlen);
-		free(lastkey);
-		if (rv) {
-			serv_stepping_yp = 0;
-			return (0);
+
+		memcpy(buffer, &lookup_type, sizeof(enum nss_lookup_type));
+		memcpy(buffer + sizeof(enum nss_lookup_type), name, size + 1);
+
+		if (proto != NULL)
+			memcpy(buffer + sizeof(enum nss_lookup_type) + size + 1,
+			    proto, size2 + 1);
+
+		res = NS_SUCCESS;
+		break;
+	case nss_lt_id:
+		port = va_arg(ap, int);
+		proto = va_arg(ap, char *);
+
+		desired_size = sizeof(enum nss_lookup_type) + sizeof(int);
+		if (proto != NULL) {
+			size = strlen(proto);
+			desired_size += size + 1;
+		} else
+			size = 0;
+
+		if (desired_size > *buffer_size) {
+			res = NS_RETURN;
+			goto fin;
 		}
+
+		memcpy(buffer, &lookup_type, sizeof(enum nss_lookup_type));
+		memcpy(buffer + sizeof(enum nss_lookup_type), &port,
+		    sizeof(int));
+
+		if (proto != NULL)
+			memcpy(buffer + sizeof(enum nss_lookup_type) +
+			    sizeof(int), proto, size + 1);
+
+		res = NS_SUCCESS;
+		break;
+	default:
+		/* should be unreachable */
+		return (NS_UNAVAIL);
+	}
+
+fin:
+	*buffer_size = desired_size;
+	return (res);
+}
+
+int
+serv_marshal_func(char *buffer, size_t *buffer_size, void *retval, va_list ap,
+    void *cache_mdata)
+{
+	char *name;
+	char *proto;
+	int port;
+	struct servent *serv;
+	char *orig_buf;
+	size_t orig_buf_size;
+
+	struct servent new_serv;
+	size_t desired_size;
+	char **alias;
+	char *p;
+	size_t size;
+	size_t aliases_size;
+
+	switch ((enum nss_lookup_type)cache_mdata) {
+	case nss_lt_name:
+		name = va_arg(ap, char *);
+		proto = va_arg(ap, char *);
+		break;
+	case nss_lt_id:
+		port = va_arg(ap, int);
+		proto = va_arg(ap, char *);
+		break;
+	case nss_lt_all:
+		break;
+	default:
+		/* should be unreachable */
+		return (NS_UNAVAIL);
 	}
 
-	/* getservent() expects lines terminated with \n -- make it happy */
-	snprintf(line, BUFSIZ, "%.*s\n", resultlen, result);
+	serv = va_arg(ap, struct servent *);
+	orig_buf = va_arg(ap, char *);
+	orig_buf_size = va_arg(ap, size_t);
+
+	desired_size = _ALIGNBYTES + sizeof(struct servent) + sizeof(char *);
+	if (serv->s_name != NULL)
+		desired_size += strlen(serv->s_name) + 1;
+	if (serv->s_proto != NULL)
+		desired_size += strlen(serv->s_proto) + 1;
 
-	free(result);
+	aliases_size = 0;
+	if (serv->s_aliases != NULL) {
+		for (alias = serv->s_aliases; *alias; ++alias) {
+			desired_size += strlen(*alias) + 1;
+			++aliases_size;
+		}
+
+		desired_size += _ALIGNBYTES +
+		    sizeof(char *) * (aliases_size + 1);
+	}
+
+	if (*buffer_size < desired_size) {
+		/* this assignment is here for future use */
+		*buffer_size = desired_size;
+		return (NS_RETURN);
+	}
 
-	return(1);
+	memcpy(&new_serv, serv, sizeof(struct servent));
+	memset(buffer, 0, desired_size);
+
+	*buffer_size = desired_size;
+	p = buffer + sizeof(struct servent) + sizeof(char *);
+	memcpy(buffer + sizeof(struct servent), &p, sizeof(char *));
+	p = (char *)_ALIGN(p);
+
+	if (new_serv.s_name != NULL) {
+		size = strlen(new_serv.s_name);
+		memcpy(p, new_serv.s_name, size);
+		new_serv.s_name = p;
+		p += size + 1;
+	}
+
+	if (new_serv.s_proto != NULL) {
+		size = strlen(new_serv.s_proto);
+		memcpy(p, new_serv.s_proto, size);
+		new_serv.s_proto = p;
+		p += size + 1;
+	}
+
+	if (new_serv.s_aliases != NULL) {
+		p = (char *)_ALIGN(p);
+		memcpy(p, new_serv.s_aliases, sizeof(char *) * aliases_size);
+		new_serv.s_aliases = (char **)p;
+		p += sizeof(char *) * (aliases_size + 1);
+
+		for (alias = new_serv.s_aliases; *alias; ++alias) {
+			size = strlen(*alias);
+			memcpy(p, *alias, size);
+			*alias = p;
+			p += size + 1;
+		}
+	}
+
+	memcpy(buffer, &new_serv, sizeof(struct servent));
+	return (NS_SUCCESS);
 }
-#endif
 
-void
-setservent(int f)
+int
+serv_unmarshal_func(char *buffer, size_t buffer_size, void *retval, va_list ap,
+    void *cache_mdata)
 {
-	if (servf == NULL)
-		servf = fopen(_PATH_SERVICES, "r" );
+	char *name;
+	char *proto;
+	int port;
+	struct servent *serv;
+	char *orig_buf;
+	char *p;
+	char **alias;
+	size_t orig_buf_size;
+	int *ret_errno;
+
+	switch ((enum nss_lookup_type)cache_mdata) {
+	case nss_lt_name:
+		name = va_arg(ap, char *);
+		proto = va_arg(ap, char *);
+		break;
+	case nss_lt_id:
+		port = va_arg(ap, int);
+		proto = va_arg(ap, char *);
+		break;
+	case nss_lt_all:
+		break;
+	default:
+		/* should be unreachable */
+		return (NS_UNAVAIL);
+	}
+
+	serv = va_arg(ap, struct servent *);
+	orig_buf = va_arg(ap, char *);
+	orig_buf_size = va_arg(ap, size_t);
+	ret_errno = va_arg(ap, int *);
+
+	if (orig_buf_size <
+	    buffer_size - sizeof(struct servent) - sizeof(char *)) {
+		*ret_errno = ERANGE;
+		return (NS_RETURN);
+	}
+
+	memcpy(serv, buffer, sizeof(struct servent));
+	memcpy(&p, buffer + sizeof(struct servent), sizeof(char *));
+
+	orig_buf = (char *)_ALIGN(orig_buf);
+	memcpy(orig_buf, buffer + sizeof(struct servent) + sizeof(char *) +
+	    (_ALIGN(p) - (size_t)p),
+	    buffer_size - sizeof(struct servent) - sizeof(char *) -
+	    (_ALIGN(p) - (size_t)p));
+	p = (char *)_ALIGN(p);
+
+	NS_APPLY_OFFSET(serv->s_name, orig_buf, p, char *);
+	NS_APPLY_OFFSET(serv->s_proto, orig_buf, p, char *);
+	if (serv->s_aliases != NULL) {
+		NS_APPLY_OFFSET(serv->s_aliases, orig_buf, p, char **);
+
+		for (alias = serv->s_aliases; *alias; ++alias)
+			NS_APPLY_OFFSET(*alias, orig_buf, p, char *);
+	}
+
+	if (retval != NULL)
+		*((struct servent **)retval) = serv;
+	return (NS_SUCCESS);
+}
+
+NSS_MP_CACHE_HANDLING(services);
+#endif /* NS_CACHING */
+
+/* get**_r functions implementation */
+int
+getservbyname_r(const char *name, const char *proto, struct servent *serv,
+    char *buffer, size_t bufsize, struct servent **result)
+{
+	static const struct servent_mdata mdata = { nss_lt_name, 0 };
+	static const struct servent_mdata compat_mdata = { nss_lt_name, 1 };
+#ifdef NS_CACHING
+	static const nss_cache_info cache_info =
+	NS_COMMON_CACHE_INFO_INITIALIZER(
+		services, (void *)nss_lt_name,
+		serv_id_func, serv_marshal_func, serv_unmarshal_func);
+#endif /* NS_CACHING */
+	static const ns_dtab dtab[] = {
+		{ NSSRC_FILES, files_servent, (void *)&mdata },
+#ifdef YP
+		{ NSSRC_NIS, nis_servent, (void *)nss_lt_name },
+#endif
+		{ NSSRC_COMPAT, files_servent, (void *)&compat_mdata },
+#ifdef NS_CACHING
+		NS_CACHE_CB(&cache_info)
+#endif
+		{ NULL, NULL, NULL }
+	};
+	int	rv, ret_errno;
+
+	ret_errno = 0;
+	*result = NULL;
+	rv = nsdispatch(result, dtab, NSDB_SERVICES, "getservbyname_r",
+	    defaultsrc, name, proto, serv, buffer, bufsize, &ret_errno);
+
+	if (rv == NS_SUCCESS)
+		return (0);
 	else
-		rewind(servf);
-	_serv_stayopen |= f;
+		return (ret_errno);
 }
 
-void
-endservent(void)
+int
+getservbyport_r(int port, const char *proto, struct servent *serv,
+    char *buffer, size_t bufsize, struct servent **result)
 {
-	if (servf) {
-		fclose(servf);
-		servf = NULL;
-	}
-	_serv_stayopen = 0;
+	static const struct servent_mdata mdata = { nss_lt_id, 0 };
+	static const struct servent_mdata compat_mdata = { nss_lt_id, 1 };
+#ifdef NS_CACHING
+	static const nss_cache_info cache_info =
+	NS_COMMON_CACHE_INFO_INITIALIZER(
+		services, (void *)nss_lt_id,
+		serv_id_func, serv_marshal_func, serv_unmarshal_func);
+#endif
+	static const ns_dtab dtab[] = {
+		{ NSSRC_FILES, files_servent, (void *)&mdata },
+#ifdef YP
+		{ NSSRC_NIS, nis_servent, (void *)nss_lt_id },
+#endif
+		{ NSSRC_COMPAT, files_servent, (void *)&compat_mdata },
+#ifdef NS_CACHING
+		NS_CACHE_CB(&cache_info)
+#endif
+		{ NULL, NULL, NULL }
+	};
+	int rv, ret_errno;
+
+	ret_errno = 0;
+	*result = NULL;
+	rv = nsdispatch(result, dtab, NSDB_SERVICES, "getservbyport_r",
+	    defaultsrc, port, proto, serv, buffer, bufsize, &ret_errno);
+
+	if (rv == NS_SUCCESS)
+		return (0);
+	else
+		return (ret_errno);
 }
 
-struct servent *
-getservent(void)
+int
+getservent_r(struct servent *serv, char *buffer, size_t bufsize,
+    struct servent **result)
 {
-	char *p;
-	char *cp, **q;
+	static const struct servent_mdata mdata = { nss_lt_all, 0 };
+	static const struct servent_mdata compat_mdata = { nss_lt_all, 1 };
+#ifdef NS_CACHING
+	static const nss_cache_info cache_info = NS_MP_CACHE_INFO_INITIALIZER(
+		services, (void *)nss_lt_all,
+		serv_marshal_func, serv_unmarshal_func);
+#endif
+	static const ns_dtab dtab[] = {
+		{ NSSRC_FILES, files_servent, (void *)&mdata },
+#ifdef YP
+		{ NSSRC_NIS, nis_servent, (void *)nss_lt_all },
+#endif
+		{ NSSRC_COMPAT, files_servent, (void *)&compat_mdata },
+#ifdef NS_CACHING
+		NS_CACHE_CB(&cache_info)
+#endif
+		{ NULL, NULL, NULL }
+	};
+	int rv, ret_errno;
+
+	ret_errno = 0;
+	*result = NULL;
+	rv = nsdispatch(result, dtab, NSDB_SERVICES, "getservent_r",
+	    defaultsrc, serv, buffer, bufsize, &ret_errno);
+
+	if (rv == NS_SUCCESS)
+		return (0);
+	else
+		return (ret_errno);
+}
 
+void
+setservent(int stayopen)
+{
+#ifdef NS_CACHING
+	static const nss_cache_info cache_info = NS_MP_CACHE_INFO_INITIALIZER(
+		services, (void *)nss_lt_all,
+		NULL, NULL);
+#endif
+	static const ns_dtab dtab[] = {
+		{ NSSRC_FILES, files_setservent, (void *)SETSERVENT },
 #ifdef YP
-	if (serv_stepping_yp && _getservent_yp(line)) {
-		p = (char *)&line;
-		goto unpack;
-	}
-tryagain:
+		{ NSSRC_NIS, nis_setservent, (void *)SETSERVENT },
 #endif
-	if (servf == NULL && (servf = fopen(_PATH_SERVICES, "r" )) == NULL)
-		return (NULL);
-again:
-	if ((p = fgets(line, BUFSIZ, servf)) == NULL)
-		return (NULL);
+		{ NSSRC_COMPAT, compat_setservent, (void *)SETSERVENT },
+#ifdef NS_CACHING
+		NS_CACHE_CB(&cache_info)
+#endif
+		{ NULL, NULL, NULL }
+	};
+
+	nsdispatch(NULL, dtab, NSDB_SERVICES, "setservent", defaultsrc,
+	    stayopen);
+}
+
+void
+endservent(void)
+{
+#ifdef NS_CACHING
+	static const nss_cache_info cache_info = NS_MP_CACHE_INFO_INITIALIZER(
+		services, (void *)nss_lt_all,
+		NULL, NULL);
+#endif
+	static const ns_dtab dtab[] = {
+		{ NSSRC_FILES, files_setservent, (void *)ENDSERVENT },
 #ifdef YP
-	if (*p == '+' && _yp_check(NULL)) {
-		if (___getservbyname_yp != NULL) {
-			if (!_getservbyname_yp(line))
-				goto tryagain;
-		} 
-		else if (___getservbyport_yp != 0) {
-			if (!_getservbyport_yp(line))
-				goto tryagain;
-		}
-		else if (!_getservent_yp(line))
-			goto tryagain;
-	}
-unpack:
+		{ NSSRC_NIS, nis_setservent, (void *)ENDSERVENT },
 #endif
-	if (*p == '#')
-		goto again;
-	cp = strpbrk(p, "#\n");
-	if (cp == NULL)
-		goto again;
-	*cp = '\0';
-	serv.s_name = p;
-	p = strpbrk(p, " \t");
+		{ NSSRC_COMPAT, compat_setservent, (void *)ENDSERVENT },
+#ifdef NS_CACHING
+		NS_CACHE_CB(&cache_info)
+#endif
+		{ NULL, NULL, NULL }
+	};
+
+	nsdispatch(NULL, dtab, NSDB_SERVICES, "endservent", defaultsrc);
+}
+
+/* get** wrappers for get**_r functions implementation */
+static void
+servent_endstate(void *p)
+{
 	if (p == NULL)
-		goto again;
-	*p++ = '\0';
-	while (*p == ' ' || *p == '\t')
-		p++;
-	cp = strpbrk(p, ",/");
-	if (cp == NULL)
-		goto again;
-	*cp++ = '\0';
-	serv.s_port = htons((u_short)atoi(p));
-	serv.s_proto = cp;
-	q = serv.s_aliases = serv_aliases;
-	cp = strpbrk(cp, " \t");
-	if (cp != NULL)
-		*cp++ = '\0';
-	while (cp && *cp) {
-		if (*cp == ' ' || *cp == '\t') {
-			cp++;
-			continue;
-		}
-		if (q < &serv_aliases[MAXALIASES - 1])
-			*q++ = cp;
-		cp = strpbrk(cp, " \t");
-		if (cp != NULL)
-			*cp++ = '\0';
+		return;
+
+	free(((struct servent_state *)p)->buffer);
+	free(p);
+}
+
+static int
+wrap_getservbyname_r(struct key key, struct servent *serv, char *buffer,
+    size_t bufsize, struct servent **res)
+{
+	return (getservbyname_r(key.name, key.proto, serv, buffer, bufsize,
+	    res));
+}
+
+static int
+wrap_getservbyport_r(struct key key, struct servent *serv, char *buffer,
+    size_t bufsize, struct servent **res)
+{
+	return (getservbyport_r(key.port, key.proto, serv, buffer, bufsize,
+	    res));
+}
+
+static	int
+wrap_getservent_r(struct key key, struct servent *serv, char *buffer,
+    size_t bufsize, struct servent **res)
+{
+	return (getservent_r(serv, buffer, bufsize, res));
+}
+
+static struct servent *
+getserv(int (*fn)(struct key, struct servent *, char *, size_t,
+    struct servent **), struct key key)
+{
+	int rv;
+	struct servent *res;
+	struct servent_state * st;
+
+	rv = servent_getstate(&st);
+	if (rv != 0) {
+		errno = rv;
+		return NULL;
 	}
-	*q = NULL;
-	return (&serv);
+
+	if (st->buffer == NULL) {
+		st->buffer = malloc(SERVENT_STORAGE_INITIAL);
+		if (st->buffer == NULL)
+			return (NULL);
+		st->bufsize = SERVENT_STORAGE_INITIAL;
+	}
+	do {
+		rv = fn(key, &st->serv, st->buffer, st->bufsize, &res);
+		if (res == NULL && rv == ERANGE) {
+			free(st->buffer);
+			if ((st->bufsize << 1) > SERVENT_STORAGE_MAX) {
+				st->buffer = NULL;
+				errno = ERANGE;
+				return (NULL);
+			}
+			st->bufsize <<= 1;
+			st->buffer = malloc(st->bufsize);
+			if (st->buffer == NULL)
+				return (NULL);
+		}
+	} while (res == NULL && rv == ERANGE);
+	if (rv != 0)
+		errno = rv;
+
+	return (res);
+}
+
+struct servent *
+getservbyname(const char *name, const char *proto)
+{
+	struct key key;
+
+	key.name = name;
+	key.proto = proto;
+
+	return (getserv(wrap_getservbyname_r, key));
+}
+
+struct servent *
+getservbyport(int port, const char *proto)
+{
+	struct key key;
+
+	key.port = port;
+	key.proto = proto;
+
+	return (getserv(wrap_getservbyport_r, key));
+}
+
+struct servent *
+getservent()
+{
+	struct key key;
+
+	key.proto = NULL;
+	key.port = 0;
+
+	return (getserv(wrap_getservent_r, key));
 }
diff --git a/lib/libc/net/hesiod.3 b/lib/libc/net/hesiod.3
new file mode 100644
index 0000000000..6401e79227
--- /dev/null
+++ b/lib/libc/net/hesiod.3
@@ -0,0 +1,176 @@
+.\"	$NetBSD: hesiod.3,v 1.1 1999/01/25 03:43:04 lukem Exp $
+.\"
+.\" from: #Id: hesiod.3,v 1.9.2.1 1997/01/03 21:02:23 ghudson Exp #
+.\"
+.\" Copyright 1988, 1996 by the Massachusetts Institute of Technology.
+.\"
+.\" Permission to use, copy, modify, and distribute this
+.\" software and its documentation for any purpose and without
+.\" fee is hereby granted, provided that the above copyright
+.\" notice appear in all copies and that both that copyright
+.\" notice and this permission notice appear in supporting
+.\" documentation, and that the name of M.I.T. not be used in
+.\" advertising or publicity pertaining to distribution of the
+.\" software without specific, written prior permission.
+.\" M.I.T. makes no representations about the suitability of
+.\" this software for any purpose.  It is provided "as is"
+.\" without express or implied warranty.
+.\"
+.\" $FreeBSD: src/lib/libc/net/hesiod.3,v 1.5 2005/01/20 09:17:03 ru Exp $
+.\"
+.Dd November 30, 1996
+.Dt HESIOD 3
+.Os
+.Sh NAME
+.Nm hesiod ,
+.Nm hesiod_init ,
+.Nm hesiod_resolve ,
+.Nm hesiod_free_list ,
+.Nm hesiod_to_bind ,
+.Nm hesiod_end
+.Nd Hesiod name server interface library
+.Sh LIBRARY
+.Lb libc
+.Sh SYNOPSIS
+.In hesiod.h
+.Ft int
+.Fn hesiod_init "void **context"
+.Ft char **
+.Fn hesiod_resolve "void *context" "const char *name" "const char *type"
+.Ft void
+.Fn hesiod_free_list "void *context" "char **list"
+.Ft char *
+.Fn hesiod_to_bind "void *context" "const char *name" "const char *type"
+.Ft void
+.Fn hesiod_end "void *context"
+.Sh DESCRIPTION
+This family of functions allows you to perform lookups of Hesiod
+information, which is stored as text records in the Domain Name
+Service.
+To perform lookups, you must first initialize a
+.Fa context ,
+an opaque object which stores information used internally by the
+library between calls.
+The
+.Fn hesiod_init
+function
+initializes a context, storing a pointer to the context in the
+location pointed to by the
+.Fa context
+argument.
+The
+.Fn hesiod_end
+function
+frees the resources used by a context.
+.Pp
+The
+.Fn hesiod_resolve
+function
+is the primary interface to the library.
+If successful, it returns a
+list of one or more strings giving the records matching
+.Fa name
+and
+.Fa type .
+The last element of the list is followed by a
+.Dv NULL
+pointer.
+It is the
+caller's responsibility to call
+.Fn hesiod_free_list
+to free the resources used by the returned list.
+.Pp
+The
+.Fn hesiod_to_bind
+function
+converts
+.Fa name
+and
+.Fa type
+into the DNS name used by
+.Fn hesiod_resolve .
+It is the caller's responsibility to free the returned string using
+.Fn free .
+.Sh RETURN VALUES
+.Rv -std hesiod_init
+On failure,
+.Fn hesiod_resolve
+and
+.Fn hesiod_to_bind
+return
+.Dv NULL
+and set the global variable
+.Va errno
+to indicate the error.
+.Sh ENVIRONMENT
+.Bl -tag -width HESIOD_CONFIG
+.It Ev HES_DOMAIN
+If the environment variable
+.Ev HES_DOMAIN
+is set, it will override the domain in the Hesiod configuration file.
+.It Ev HESIOD_CONFIG
+If the environment variable
+.Ev HESIOD_CONFIG
+is set, it specifies the location of the Hesiod configuration file.
+.El
+.Sh ERRORS
+Hesiod calls may fail because of:
+.Bl -tag -width Er
+.It Bq Er ENOMEM
+Insufficient memory was available to carry out the requested
+operation.
+.It Bq Er ENOEXEC
+The
+.Fn hesiod_init
+function
+failed because the Hesiod configuration file was invalid.
+.It Bq Er ECONNREFUSED
+The
+.Fn hesiod_resolve
+function
+failed because no name server could be contacted to answer the query.
+.It Bq Er EMSGSIZE
+The
+.Fn hesiod_resolve
+or
+.Fn hesiod_to_bind
+function
+failed because the query or response was too big to fit into the
+packet buffers.
+.It Bq Er ENOENT
+The
+.Fn hesiod_resolve
+function
+failed because the name server had no text records matching
+.Fa name
+and
+.Fa type ,
+or
+.Fn hesiod_to_bind
+failed because the
+.Fa name
+argument had a domain extension which could not be resolved with type
+.Dq rhs\-extension
+in the local Hesiod domain.
+.El
+.Sh SEE ALSO
+.Xr hesiod.conf 5 ,
+.Xr named 8
+.Rs
+.%T "Hesiod - Project Athena Technical Plan -- Name Service"
+.Re
+.Sh AUTHORS
+.An Steve Dyer ,
+IBM/Project Athena
+.An Greg Hudson ,
+MIT Team Athena
+.Pp
+Copyright 1987, 1988, 1995, 1996 by the Massachusetts Institute of Technology.
+.Sh BUGS
+The strings corresponding to the
+.Va errno
+values set by the Hesiod functions are not particularly indicative of
+what went wrong, especially for
+.Er ENOEXEC
+and
+.Er ENOENT .
diff --git a/lib/libc/net/hesiod.c b/lib/libc/net/hesiod.c
new file mode 100644
index 0000000000..fff599ac56
--- /dev/null
+++ b/lib/libc/net/hesiod.c
@@ -0,0 +1,560 @@
+/* Copyright (c) 1996 by Internet Software Consortium.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS
+ * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE
+ * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
+ * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
+ * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
+ * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
+ * SOFTWARE.
+ */
+
+/* Copyright 1996 by the Massachusetts Institute of Technology.
+ *
+ * Permission to use, copy, modify, and distribute this
+ * software and its documentation for any purpose and without
+ * fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright
+ * notice and this permission notice appear in supporting
+ * documentation, and that the name of M.I.T. not be used in
+ * advertising or publicity pertaining to distribution of the
+ * software without specific, written prior permission.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is"
+ * without express or implied warranty.
+ */
+
+/* This file is part of the hesiod library.  It implements the core
+ * portion of the hesiod resolver.
+ *
+ * This file is loosely based on an interim version of hesiod.c from
+ * the BIND IRS library, which was in turn based on an earlier version
+ * of this file.  Extensive changes have been made on each step of the
+ * path.
+ *
+ * This implementation is not truly thread-safe at the moment because
+ * it uses res_send() and accesses _res.
+ *
+ * $NetBSD: hesiod.c,v 1.9 1999/02/11 06:16:38 simonb Exp $
+ * $FreeBSD: src/lib/libc/net/hesiod.c,v 1.9 2003/05/01 19:03:14 nectar Exp $
+ */
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+
+#include <ctype.h>
+#include <errno.h>
+#include <hesiod.h>
+#include <resolv.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+struct hesiod_p {
+	char	*lhs;			/* normally ".ns" */
+	char	*rhs;			/* AKA the default hesiod domain */
+	int	 classes[2];		/* The class search order. */
+};
+
+#define	MAX_HESRESP	1024
+
+static int	  read_config_file(struct hesiod_p *, const char *);
+static char	**get_txt_records(int, const char *);
+static int	  init_context(void);
+static void	  translate_errors(void);
+
+
+/*
+ * hesiod_init --
+ *	initialize a hesiod_p.
+ */
+int
+hesiod_init(void **context)
+{
+	struct hesiod_p	*ctx;
+	const char	*p, *configname;
+
+	ctx = malloc(sizeof(struct hesiod_p));
+	if (ctx) {
+		*context = ctx;
+		if (!issetugid())
+			configname = getenv("HESIOD_CONFIG");
+		else
+			configname = NULL;
+		if (!configname)
+			configname = _PATH_HESIOD_CONF;
+		if (read_config_file(ctx, configname) >= 0) {
+			/*
+			 * The default rhs can be overridden by an
+			 * environment variable.
+			 */
+			if (!issetugid())
+				p = getenv("HES_DOMAIN");
+			else
+				p = NULL;
+			if (p) {
+				if (ctx->rhs)
+					free(ctx->rhs);
+				ctx->rhs = malloc(strlen(p) + 2);
+				if (ctx->rhs) {
+					*ctx->rhs = '.';
+					strcpy(ctx->rhs + 1,
+					    (*p == '.') ? p + 1 : p);
+					return 0;
+				} else
+					errno = ENOMEM;
+			} else
+				return 0;
+		}
+	} else
+		errno = ENOMEM;
+
+	if (ctx->lhs)
+		free(ctx->lhs);
+	if (ctx->rhs)
+		free(ctx->rhs);
+	if (ctx)
+		free(ctx);
+	return -1;
+}
+
+/*
+ * hesiod_end --
+ *	Deallocates the hesiod_p.
+ */
+void
+hesiod_end(void *context)
+{
+	struct hesiod_p *ctx = (struct hesiod_p *) context;
+
+	free(ctx->rhs);
+	if (ctx->lhs)
+		free(ctx->lhs);
+	free(ctx);
+}
+
+/*
+ * hesiod_to_bind --
+ * 	takes a hesiod (name, type) and returns a DNS
+ *	name which is to be resolved.
+ */
+char *
+hesiod_to_bind(void *context, const char *name, const char *type)
+{
+	struct hesiod_p *ctx = (struct hesiod_p *) context;
+	char		 bindname[MAXDNAME], *p, *ret, **rhs_list = NULL;
+	const char	*rhs;
+	int		 len;
+
+	if (strlcpy(bindname, name, sizeof(bindname)) >= sizeof(bindname)) {
+		errno = EMSGSIZE;
+		return NULL;
+	}
+
+		/*
+		 * Find the right right hand side to use, possibly
+		 * truncating bindname.
+		 */
+	p = strchr(bindname, '@');
+	if (p) {
+		*p++ = 0;
+		if (strchr(p, '.'))
+			rhs = name + (p - bindname);
+		else {
+			rhs_list = hesiod_resolve(context, p, "rhs-extension");
+			if (rhs_list)
+				rhs = *rhs_list;
+			else {
+				errno = ENOENT;
+				return NULL;
+			}
+		}
+	} else
+		rhs = ctx->rhs;
+
+		/* See if we have enough room. */
+	len = strlen(bindname) + 1 + strlen(type);
+	if (ctx->lhs)
+		len += strlen(ctx->lhs) + ((ctx->lhs[0] != '.') ? 1 : 0);
+	len += strlen(rhs) + ((rhs[0] != '.') ? 1 : 0);
+	if (len > sizeof(bindname) - 1) {
+		if (rhs_list)
+			hesiod_free_list(context, rhs_list);
+		errno = EMSGSIZE;
+		return NULL;
+	}
+		/* Put together the rest of the domain. */
+	strcat(bindname, ".");
+	strcat(bindname, type);
+		/* Only append lhs if it isn't empty. */
+	if (ctx->lhs && ctx->lhs[0] != '\0' ) {
+		if (ctx->lhs[0] != '.')
+			strcat(bindname, ".");
+		strcat(bindname, ctx->lhs);
+	}
+	if (rhs[0] != '.')
+		strcat(bindname, ".");
+	strcat(bindname, rhs);
+
+		/* rhs_list is no longer needed, since we're done with rhs. */
+	if (rhs_list)
+		hesiod_free_list(context, rhs_list);
+
+		/* Make a copy of the result and return it to the caller. */
+	ret = strdup(bindname);
+	if (!ret)
+		errno = ENOMEM;
+	return ret;
+}
+
+/*
+ * hesiod_resolve --
+ *	Given a hesiod name and type, return an array of strings returned
+ *	by the resolver.
+ */
+char **
+hesiod_resolve(void *context, const char *name, const char *type)
+{
+	struct hesiod_p	*ctx = (struct hesiod_p *) context;
+	char		*bindname, **retvec;
+
+	bindname = hesiod_to_bind(context, name, type);
+	if (!bindname)
+		return NULL;
+
+	retvec = get_txt_records(ctx->classes[0], bindname);
+	if (retvec == NULL && errno == ENOENT && ctx->classes[1])
+		retvec = get_txt_records(ctx->classes[1], bindname);
+
+	free(bindname);
+	return retvec;
+}
+
+/*ARGSUSED*/
+void
+hesiod_free_list(void *context, char **list)
+{
+	char  **p;
+
+	if (list == NULL)
+		return;
+	for (p = list; *p; p++)
+		free(*p);
+	free(list);
+}
+
+
+/* read_config_file --
+ *	Parse the /etc/hesiod.conf file.  Returns 0 on success,
+ *	-1 on failure.  On failure, it might leave values in ctx->lhs
+ *	or ctx->rhs which need to be freed by the caller.
+ */
+static int
+read_config_file(struct hesiod_p *ctx, const char *filename)
+{
+	char	*key, *data, *p, **which;
+	char	 buf[MAXDNAME + 7];
+	int	 n;
+	FILE	*fp;
+
+		/* Set default query classes. */
+	ctx->classes[0] = C_IN;
+	ctx->classes[1] = C_HS;
+
+		/* Try to open the configuration file. */
+	fp = fopen(filename, "r");
+	if (!fp) {
+		/* Use compiled in default domain names. */
+		ctx->lhs = strdup(DEF_LHS);
+		ctx->rhs = strdup(DEF_RHS);
+		if (ctx->lhs && ctx->rhs)
+			return 0;
+		else {
+			errno = ENOMEM;
+			return -1;
+		}
+	}
+	ctx->lhs = NULL;
+	ctx->rhs = NULL;
+	while (fgets(buf, sizeof(buf), fp) != NULL) {
+		p = buf;
+		if (*p == '#' || *p == '\n' || *p == '\r')
+			continue;
+		while (*p == ' ' || *p == '\t')
+			p++;
+		key = p;
+		while (*p != ' ' && *p != '\t' && *p != '=')
+			p++;
+		*p++ = 0;
+
+		while (isspace(*p) || *p == '=')
+			p++;
+		data = p;
+		while (!isspace(*p))
+			p++;
+		*p = 0;
+
+		if (strcasecmp(key, "lhs") == 0 ||
+		    strcasecmp(key, "rhs") == 0) {
+			which = (strcasecmp(key, "lhs") == 0)
+			    ? &ctx->lhs : &ctx->rhs;
+			*which = strdup(data);
+			if (!*which) {
+				errno = ENOMEM;
+				return -1;
+			}
+		} else {
+			if (strcasecmp(key, "classes") == 0) {
+				n = 0;
+				while (*data && n < 2) {
+					p = data;
+					while (*p && *p != ',')
+						p++;
+					if (*p)
+						*p++ = 0;
+					if (strcasecmp(data, "IN") == 0)
+						ctx->classes[n++] = C_IN;
+					else
+						if (strcasecmp(data, "HS") == 0)
+							ctx->classes[n++] =
+							    C_HS;
+					data = p;
+				}
+				while (n < 2)
+					ctx->classes[n++] = 0;
+			}
+		}
+	}
+	fclose(fp);
+
+	if (!ctx->rhs || ctx->classes[0] == 0 ||
+	    ctx->classes[0] == ctx->classes[1]) {
+		errno = ENOEXEC;
+		return -1;
+	}
+	return 0;
+}
+
+/*
+ * get_txt_records --
+ *	Given a DNS class and a DNS name, do a lookup for TXT records, and
+ *	return a list of them.
+ */
+static char **
+get_txt_records(int qclass, const char *name)
+{
+	HEADER		*hp;
+	unsigned char	 qbuf[PACKETSZ], abuf[MAX_HESRESP], *p, *eom, *eor;
+	char		*dst, **list;
+	int		 ancount, qdcount, i, j, n, skip, type, class, len;
+
+		/* Make sure the resolver is initialized. */
+	if ((_res.options & RES_INIT) == 0 && res_init() == -1)
+		return NULL;
+
+		/* Construct the query. */
+	n = res_mkquery(QUERY, name, qclass, T_TXT, NULL, 0,
+	    NULL, qbuf, PACKETSZ);
+	if (n < 0)
+		return NULL;
+
+		/* Send the query. */
+	n = res_send(qbuf, n, abuf, MAX_HESRESP);
+	if (n < 0 || n > MAX_HESRESP) {
+		errno = ECONNREFUSED; /* XXX */
+		return NULL;
+	}
+		/* Parse the header of the result. */
+	hp = (HEADER *) (void *) abuf;
+	ancount = ntohs(hp->ancount);
+	qdcount = ntohs(hp->qdcount);
+	p = abuf + sizeof(HEADER);
+	eom = abuf + n;
+
+		/*
+		 * Skip questions, trying to get to the answer section
+		 * which follows.
+		 */
+	for (i = 0; i < qdcount; i++) {
+		skip = dn_skipname(p, eom);
+		if (skip < 0 || p + skip + QFIXEDSZ > eom) {
+			errno = EMSGSIZE;
+			return NULL;
+		}
+		p += skip + QFIXEDSZ;
+	}
+
+		/* Allocate space for the text record answers. */
+	list = malloc((ancount + 1) * sizeof(char *));
+	if (!list) {
+		errno = ENOMEM;
+		return NULL;
+	}
+		/* Parse the answers. */
+	j = 0;
+	for (i = 0; i < ancount; i++) {
+		/* Parse the header of this answer. */
+		skip = dn_skipname(p, eom);
+		if (skip < 0 || p + skip + 10 > eom)
+			break;
+		type = p[skip + 0] << 8 | p[skip + 1];
+		class = p[skip + 2] << 8 | p[skip + 3];
+		len = p[skip + 8] << 8 | p[skip + 9];
+		p += skip + 10;
+		if (p + len > eom) {
+			errno = EMSGSIZE;
+			break;
+		}
+		/* Skip entries of the wrong class and type. */
+		if (class != qclass || type != T_TXT) {
+			p += len;
+			continue;
+		}
+		/* Allocate space for this answer. */
+		list[j] = malloc((size_t)len);
+		if (!list[j]) {
+			errno = ENOMEM;
+			break;
+		}
+		dst = list[j++];
+
+		/* Copy answer data into the allocated area. */
+		eor = p + len;
+		while (p < eor) {
+			n = (unsigned char) *p++;
+			if (p + n > eor) {
+				errno = EMSGSIZE;
+				break;
+			}
+			memcpy(dst, p, (size_t)n);
+			p += n;
+			dst += n;
+		}
+		if (p < eor) {
+			errno = EMSGSIZE;
+			break;
+		}
+		*dst = 0;
+	}
+
+		/*
+		 * If we didn't terminate the loop normally, something
+		 * went wrong.
+		 */
+	if (i < ancount) {
+		for (i = 0; i < j; i++)
+			free(list[i]);
+		free(list);
+		return NULL;
+	}
+	if (j == 0) {
+		errno = ENOENT;
+		free(list);
+		return NULL;
+	}
+	list[j] = NULL;
+	return list;
+}
+
+		/*
+		 *	COMPATIBILITY FUNCTIONS
+		 */
+
+static int	  inited = 0;
+static void	 *context;
+static int	  errval = HES_ER_UNINIT;
+
+int
+hes_init(void)
+{
+	init_context();
+	return errval;
+}
+
+char *
+hes_to_bind(const char *name, const char *type)
+{
+	static	char	*bindname;
+	if (init_context() < 0)
+		return NULL;
+	if (bindname)
+		free(bindname);
+	bindname = hesiod_to_bind(context, name, type);
+	if (!bindname)
+		translate_errors();
+	return bindname;
+}
+
+char **
+hes_resolve(const char *name, const char *type)
+{
+	static char	**list;
+
+	if (init_context() < 0)
+		return NULL;
+
+	/*
+	 * In the old Hesiod interface, the caller was responsible for
+	 * freeing the returned strings but not the vector of strings itself.
+	 */
+	if (list)
+		free(list);
+
+	list = hesiod_resolve(context, name, type);
+	if (!list)
+		translate_errors();
+	return list;
+}
+
+int
+hes_error(void)
+{
+	return errval;
+}
+
+void
+hes_free(char **hp)
+{
+	hesiod_free_list(context, hp);
+}
+
+static int
+init_context(void)
+{
+	if (!inited) {
+		inited = 1;
+		if (hesiod_init(&context) < 0) {
+			errval = HES_ER_CONFIG;
+			return -1;
+		}
+		errval = HES_ER_OK;
+	}
+	return 0;
+}
+
+static void
+translate_errors(void)
+{
+	switch (errno) {
+	case ENOENT:
+		errval = HES_ER_NOTFOUND;
+		break;
+	case ECONNREFUSED:
+	case EMSGSIZE:
+		errval = HES_ER_NET;
+		break;
+	case ENOMEM:
+	default:
+		/* Not a good match, but the best we can do. */
+		errval = HES_ER_CONFIG;
+		break;
+	}
+}
diff --git a/lib/libc/net/name6.c b/lib/libc/net/name6.c
index 8ca751c82e..4f80727e7d 100644
--- a/lib/libc/net/name6.c
+++ b/lib/libc/net/name6.c
@@ -1,5 +1,4 @@
 /*	$FreeBSD: src/lib/libc/net/name6.c,v 1.6.2.9 2002/11/02 18:54:57 ume Exp $	*/
-/*	$DragonFly: src/lib/libc/net/name6.c,v 1.9 2005/11/13 02:04:47 swildner Exp $	*/
 /*	$KAME: name6.c,v 1.25 2000/06/26 16:44:40 itojun Exp $	*/
 
 /*
@@ -107,8 +106,13 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <stdarg.h>
+#include <nsswitch.h>
 #include <unistd.h>
 #include "un-namespace.h"
+#ifdef NS_CACHING
+#include "nscache.h"
+#endif
 
 #ifndef _PATH_HOSTS
 #define	_PATH_HOSTS	"/etc/hosts"
@@ -168,17 +172,22 @@ static char	*_hgetword(char **pp);
 static int	 _mapped_addr_enabled(void);
 
 static FILE	*_files_open(int *errp);
-static struct	 hostent *_files_ghbyname(const char *name, int af, int *errp);
-static struct	 hostent *_files_ghbyaddr(const void *addr, int addrlen, int af, int *errp);
+static int	 _files_ghbyname(void *, void *, va_list);
+static int	 _files_ghbyaddr(void *, void *, va_list);
 #ifdef YP
-static struct	 hostent *_nis_ghbyname(const char *name, int af, int *errp);
-static struct	 hostent *_nis_ghbyaddr(const void *addr, int addrlen, int af, int *errp);
+static int	 _nis_ghbyname(void *, void *, va_list);
+static int	 _nis_ghbyaddr(void *, void *, va_list);
 #endif
-static struct	 hostent *_dns_ghbyname(const char *name, int af, int *errp);
-static struct	 hostent *_dns_ghbyaddr(const void *addr, int addrlen, int af, int *errp);
+static int	 _dns_ghbyname(void *, void *, va_list);
+static int	 _dns_ghbyaddr(void *, void *, va_list);
 #ifdef ICMPNL
-static struct	 hostent *_icmp_ghbyaddr(const void *addr, int addrlen, int af, int *errp);
+static int	 _icmp_ghbyaddr(void *, void *, va_list);
 #endif /* ICMPNL */
+#ifdef NS_CACHING
+static int ipnode_id_func(char *, size_t *, va_list, void *);
+static int ipnode_marshal_func(char *, size_t *, void *, va_list, void *);
+static int ipnode_unmarshal_func(char *, size_t, void *, va_list, void *);
+#endif
 
 /* Make getipnodeby*() thread-safe in libc for use with kernel threads. */
 #include "libc_private.h"
@@ -195,95 +204,16 @@ extern spinlock_t __getaddrinfo_thread_lock;
 #define THREAD_UNLOCK() \
 	if (__isthreaded) _SPINUNLOCK(&__getaddrinfo_thread_lock);
 
-/*
- * Select order host function.
- */
-#define	MAXHOSTCONF	4
-
-#ifndef HOSTCONF
-#  define	HOSTCONF	"/etc/host.conf"
-#endif /* !HOSTCONF */
-
-struct _hostconf {
-	struct hostent *(*byname)(const char *name, int af, int *errp);
-	struct hostent *(*byaddr)(const void *addr, int addrlen, int af, int *errp);
-};
-
-/* default order */
-static struct _hostconf _hostconf[MAXHOSTCONF] = {
-	{ _dns_ghbyname,	_dns_ghbyaddr },
-	{ _files_ghbyname,	_files_ghbyaddr },
+/* Host lookup order if nsswitch.conf is broken or nonexistant */
+static const ns_src default_src[] = {
+	{ NSSRC_FILES, NS_SUCCESS },
+	{ NSSRC_DNS, NS_SUCCESS },
 #ifdef ICMPNL
-	{ NULL,			_icmp_ghbyaddr },
-#endif /* ICMPNL */
-};
-
-static int	_hostconf_init_done;
-static void	_hostconf_init(void);
-
-/*
- * Initialize hostconf structure.
- */
-
-static void
-_hostconf_init(void)
-{
-	FILE *fp;
-	int n;
-	const char *p;
-	char *line;
-	char buf[BUFSIZ];
-
-	_hostconf_init_done = 1;
-	n = 0;
-	p = HOSTCONF;
-	if ((fp = fopen(p, "r")) == NULL)
-		return;
-	while (n < MAXHOSTCONF && fgets(buf, sizeof(buf), fp)) {
-		line = buf;
-		if ((p = _hgetword(&line)) == NULL)
-			continue;
-		do {
-			if (strcmp(p, "hosts") == 0
-			||  strcmp(p, "local") == 0
-			||  strcmp(p, "file") == 0
-			||  strcmp(p, "files") == 0) {
-				_hostconf[n].byname = _files_ghbyname;
-				_hostconf[n].byaddr = _files_ghbyaddr;
-				n++;
-			}
-			else if (strcmp(p, "dns") == 0
-			     ||  strcmp(p, "bind") == 0) {
-				_hostconf[n].byname = _dns_ghbyname;
-				_hostconf[n].byaddr = _dns_ghbyaddr;
-				n++;
-			}
-#ifdef YP
-			else if (strcmp(p, "nis") == 0) {
-				_hostconf[n].byname = _nis_ghbyname;
-				_hostconf[n].byaddr = _nis_ghbyaddr;
-				n++;
-			}
+#define NSSRC_ICMP "icmp"
+	{ NSSRC_ICMP, NS_SUCCESS },
 #endif
-#ifdef ICMPNL
-			else if (strcmp(p, "icmp") == 0) {
-				_hostconf[n].byname = NULL;
-				_hostconf[n].byaddr = _icmp_ghbyaddr;
-				n++;
-			}
-#endif /* ICMPNL */
-		} while ((p = _hgetword(&line)) != NULL);
-	}
-	fclose(fp);
-	if (n < 0) {
-		/* no keyword found. do not change default configuration */
-		return;
-	}
-	for (; n < MAXHOSTCONF; n++) {
-		_hostconf[n].byname = NULL;
-		_hostconf[n].byaddr = NULL;
-	}
-}
+	{ 0 }
+};
 
 /*
  * Check if kernel supports mapped address.
@@ -313,6 +243,239 @@ _mapped_addr_enabled(void)
 	return 0;
 }
 
+#ifdef NS_CACHING
+static int
+ipnode_id_func(char *buffer, size_t *buffer_size, va_list ap,
+    void *cache_mdata)
+{
+	res_state statp;
+	u_long res_options;
+
+	const int op_id = 2;
+	char *name;
+	int af;
+	size_t len;
+	void *src;
+
+	char *p;
+	size_t desired_size, size;
+	enum nss_lookup_type lookup_type;
+	int res = NS_UNAVAIL;
+
+	statp = __res_state();
+	res_options = statp->options & (RES_RECURSE | RES_DEFNAMES |
+	    RES_DNSRCH | RES_NOALIASES | RES_USE_INET6);
+
+	lookup_type = (enum nss_lookup_type)cache_mdata;
+	switch (lookup_type) {
+	case nss_lt_name:
+		name = va_arg(ap, char *);
+		af = va_arg(ap, int);
+
+		size = strlen(name);
+		desired_size = sizeof(res_options) + sizeof(int) +
+		    sizeof(enum nss_lookup_type) + sizeof(int) + size + 1;
+
+		if (desired_size > *buffer_size) {
+			res = NS_RETURN;
+			goto fin;
+		}
+
+		p = buffer;
+		memcpy(p, &res_options, sizeof(res_options));
+		p += sizeof(res_options);
+
+		memcpy(p, &op_id, sizeof(int));
+		p += sizeof(int);
+
+		memcpy(p, &lookup_type, sizeof(enum nss_lookup_type));
+		p += sizeof(enum nss_lookup_type);
+
+		memcpy(p, &af, sizeof(int));
+		p += sizeof(int);
+
+		memcpy(p, name, size + 1);
+
+		res = NS_SUCCESS;
+		break;
+	case nss_lt_id:
+		src = va_arg(ap, void *);
+		len = va_arg(ap, size_t);
+		af = va_arg(ap, int);
+
+		desired_size = sizeof(res_options) + sizeof(int) +
+		    sizeof(enum nss_lookup_type) + sizeof(int) +
+		    sizeof(size_t) + len;
+
+		if (desired_size > *buffer_size) {
+			res = NS_RETURN;
+			goto fin;
+		}
+
+		p = buffer;
+		memcpy(p, &res_options, sizeof(res_options));
+		p += sizeof(res_options);
+
+		memcpy(p, &op_id, sizeof(int));
+		p += sizeof(int);
+
+		memcpy(p, &lookup_type, sizeof(enum nss_lookup_type));
+		p += sizeof(enum nss_lookup_type);
+
+		memcpy(p, &af, sizeof(int));
+		p += sizeof(int);
+
+		memcpy(p, &len, sizeof(size_t));
+		p += sizeof(size_t);
+
+		memcpy(p, src, len);
+
+		res = NS_SUCCESS;
+		break;
+	default:
+		/* should be unreachable */
+		return (NS_UNAVAIL);
+	}
+
+fin:
+	*buffer_size = desired_size;
+	return (res);
+}
+
+static int
+ipnode_marshal_func(char *buffer, size_t *buffer_size, void *retval,
+    va_list ap, void *cache_mdata)
+{
+	struct hostent *ht;
+
+	struct hostent new_ht;
+	size_t desired_size, aliases_size, addr_size, size;
+	char *p, **iter;
+
+	ht = *((struct hostent **)retval);
+
+	desired_size = _ALIGNBYTES + sizeof(struct hostent) + sizeof(char *);
+	if (ht->h_name != NULL)
+		desired_size += strlen(ht->h_name) + 1;
+
+	if (ht->h_aliases != NULL) {
+		aliases_size = 0;
+		for (iter = ht->h_aliases; *iter; ++iter) {
+			desired_size += strlen(*iter) + 1;
+			++aliases_size;
+		}
+
+		desired_size += _ALIGNBYTES +
+		    (aliases_size + 1) * sizeof(char *);
+	}
+
+	if (ht->h_addr_list != NULL) {
+		addr_size = 0;
+		for (iter = ht->h_addr_list; *iter; ++iter)
+			++addr_size;
+
+		desired_size += addr_size * _ALIGN(ht->h_length);
+		desired_size += _ALIGNBYTES + (addr_size + 1) * sizeof(char *);
+	}
+
+	if (desired_size > *buffer_size) {
+		/* this assignment is here for future use */
+		*buffer_size = desired_size;
+		return (NS_RETURN);
+	}
+
+	memcpy(&new_ht, ht, sizeof(struct hostent));
+	memset(buffer, 0, desired_size);
+
+	*buffer_size = desired_size;
+	p = buffer + sizeof(struct hostent) + sizeof(char *);
+	memcpy(buffer + sizeof(struct hostent), &p, sizeof(char *));
+	p = (char *)_ALIGN(p);
+
+	if (new_ht.h_name != NULL) {
+		size = strlen(new_ht.h_name);
+		memcpy(p, new_ht.h_name, size);
+		new_ht.h_name = p;
+		p += size + 1;
+	}
+
+	if (new_ht.h_aliases != NULL) {
+		p = (char *)_ALIGN(p);
+		memcpy(p, new_ht.h_aliases, sizeof(char *) * aliases_size);
+		new_ht.h_aliases = (char **)p;
+		p += sizeof(char *) * (aliases_size + 1);
+
+		for (iter = new_ht.h_aliases; *iter; ++iter) {
+			size = strlen(*iter);
+			memcpy(p, *iter, size);
+			*iter = p;
+			p += size + 1;
+		}
+	}
+
+	if (new_ht.h_addr_list != NULL) {
+		p = (char *)_ALIGN(p);
+		memcpy(p, new_ht.h_addr_list, sizeof(char *) * addr_size);
+		new_ht.h_addr_list = (char **)p;
+		p += sizeof(char *) * (addr_size + 1);
+
+		size = _ALIGN(new_ht.h_length);
+		for (iter = new_ht.h_addr_list; *iter; ++iter) {
+			memcpy(p, *iter, size);
+			*iter = p;
+			p += size + 1;
+		}
+	}
+	memcpy(buffer, &new_ht, sizeof(struct hostent));
+	return (NS_SUCCESS);
+}
+
+static int
+ipnode_unmarshal_func(char *buffer, size_t buffer_size, void *retval,
+    va_list ap, void *cache_mdata)
+{
+	struct hostent new_ht;
+	struct hostent *ht;
+
+	char *p;
+	char **iter;
+	char *orig_buf;
+	int err;
+
+	ht = &new_ht;
+
+	memcpy(ht, buffer, sizeof(struct hostent));
+	memcpy(&p, buffer + sizeof(struct hostent), sizeof(char *));
+
+	orig_buf = buffer + sizeof(struct hostent) + sizeof(char *) +
+	    _ALIGN(p) - (size_t)p;
+	p = (char *)_ALIGN(p);
+
+
+	NS_APPLY_OFFSET(ht->h_name, orig_buf, p, char *);
+	if (ht->h_aliases != NULL) {
+		NS_APPLY_OFFSET(ht->h_aliases, orig_buf, p, char **);
+
+		for (iter = ht->h_aliases; *iter; ++iter)
+			NS_APPLY_OFFSET(*iter, orig_buf, p, char *);
+	}
+
+	if (ht->h_addr_list != NULL) {
+		NS_APPLY_OFFSET(ht->h_addr_list, orig_buf, p, char **);
+
+		for (iter = ht->h_addr_list; *iter; ++iter)
+			NS_APPLY_OFFSET(*iter, orig_buf, p, char *);
+	}
+
+	ht = _hpcopy(ht, &err);
+	if (ht == NULL)
+		return (NS_UNAVAIL);
+
+	*((struct hostent **)retval) = ht;
+	return (NS_SUCCESS);
+}
+#endif
+
 /*
  * Functions defined in RFC2553
  *	getipnodebyname, getipnodebyaddr, freehostent
@@ -322,7 +485,24 @@ static struct hostent *
 _ghbyname(const char *name, int af, int flags, int *errp)
 {
 	struct hostent *hp;
-	int i;
+	int i, rval;
+
+#ifdef NS_CACHING
+	static const nss_cache_info cache_info =
+	NS_COMMON_CACHE_INFO_INITIALIZER(
+		hosts, (void *)nss_lt_name,
+		ipnode_id_func, ipnode_marshal_func, ipnode_unmarshal_func);
+#endif
+
+	static const ns_dtab dtab[] = {
+		NS_FILES_CB(_files_ghbyname, NULL)
+		{ NSSRC_DNS, _dns_ghbyname, NULL },
+		NS_NIS_CB(_nis_ghbyname, NULL)
+#ifdef NS_CACHING
+		NS_CACHE_CB(&cache_info)
+#endif
+		{ 0 }
+	};
 
 	if (flags & AI_ADDRCONFIG) {
 		int s;
@@ -353,17 +533,9 @@ _ghbyname(const char *name, int af, int flags, int *errp)
 		}
 	}
 
-	THREAD_LOCK();
-	for (i = 0; i < MAXHOSTCONF; i++) {
-		if (_hostconf[i].byname
-		    && (hp = (*_hostconf[i].byname)(name, af, errp)) != NULL) {
-			THREAD_UNLOCK();
-			return hp;
-		}
-	}
-	THREAD_UNLOCK();
-
-	return NULL;
+	rval = nsdispatch(&hp, dtab, NSDB_HOSTS, "ghbyname", default_src,
+			  name, af, errp);
+	return (rval == NS_SUCCESS) ? hp : NULL;
 }
 
 /* getipnodebyname() internal routine for multiple query(PF_UNSPEC) support. */
@@ -407,9 +579,6 @@ _getipnodebyname_multi(const char *name, int af, int flags, int *errp)
 		return _hpaddr(af, name, &addrbuf, errp);
 	}
 
-	if (!_hostconf_init_done)
-		_hostconf_init();
-
 	*errp = HOST_NOT_FOUND;
 	hp = _ghbyname(name, af, flags, errp);
 
@@ -451,13 +620,32 @@ struct hostent *
 getipnodebyaddr(const void *src, size_t len, int af, int *errp)
 {
 	struct hostent *hp;
-	int i;
+	int i, rval;
 #ifdef INET6
 	struct in6_addr addrbuf;
 #else
 	struct in_addr addrbuf;
 #endif
 
+#ifdef NS_CACHING
+	static const nss_cache_info cache_info =
+	NS_COMMON_CACHE_INFO_INITIALIZER(
+		hosts, (void *)nss_lt_id,
+		ipnode_id_func, ipnode_marshal_func, ipnode_unmarshal_func);
+#endif
+	static const ns_dtab dtab[] = {
+		NS_FILES_CB(_files_ghbyaddr, NULL)
+		{ NSSRC_DNS, _dns_ghbyaddr, NULL },
+		NS_NIS_CB(_nis_ghbyaddr, NULL)
+#ifdef ICMPNL
+		{ NSSRC_ICMP, _icmp_ghbyaddr, NULL },
+#endif
+#ifdef NS_CACHING
+		NS_CACHE_CB(&cache_info)
+#endif
+		{ 0 }
+	};
+
 	*errp = HOST_NOT_FOUND;
 
 	switch (af) {
@@ -499,19 +687,9 @@ getipnodebyaddr(const void *src, size_t len, int af, int *errp)
 		return NULL;
 	}
 
-	if (!_hostconf_init_done)
-		_hostconf_init();
-	THREAD_LOCK();
-	for (i = 0; i < MAXHOSTCONF; i++) {
-		if (_hostconf[i].byaddr
-		&& (hp = (*_hostconf[i].byaddr)(src, len, af, errp)) != NULL) {
-			THREAD_UNLOCK();
-			return hp;
-		}
-	}
-	THREAD_UNLOCK();
-
-	return NULL;
+	rval = nsdispatch(&hp, dtab, NSDB_HOSTS, "ghbyaddr", default_src,
+			  src, len, af, errp);
+	return (rval == NS_SUCCESS) ? hp : NULL;
 }
 
 void
@@ -847,9 +1025,12 @@ _files_open(int *errp)
 	return fp;
 }
 
-static struct hostent *
-_files_ghbyname(const char *name, int af, int *errp)
+static int
+_files_ghbyname(void *rval, void *cb_data, va_list ap)
 {
+	const char *name;
+	int af;
+	int *errp;
 	int match, nalias;
 	char *p, *line, *addrstr, *cname;
 	FILE *fp;
@@ -859,8 +1040,14 @@ _files_ghbyname(const char *name, int af, int *errp)
 	char buf[BUFSIZ];
 	int af0 = af;
 
+	name = va_arg(ap, const char *);
+	af = va_arg(ap, int);
+	errp = va_arg(ap, int *);
+
+	*(struct hostent **)rval = NULL;
+
 	if ((fp = _files_open(errp)) == NULL)
-		return NULL;
+		return NS_UNAVAIL;
 	rethp = hp = NULL;
 
 	while (fgets(buf, sizeof(buf), fp)) {
@@ -925,12 +1112,17 @@ _files_ghbyname(const char *name, int af, int *errp)
 		rethp = _hpmerge(rethp, hp, errp);
 	}
 	fclose(fp);
-	return rethp;
+	*(struct hostent **)rval = rethp;
+	return (rethp != NULL) ? NS_SUCCESS : NS_NOTFOUND;
 }
 
-static struct hostent *
-_files_ghbyaddr(const void *addr, int addrlen, int af, int *errp)
+static int
+_files_ghbyaddr(void *rval, void *cb_data, va_list ap)
 {
+	const void *addr;
+	int addrlen;
+	int af;
+	int *errp;
 	int nalias;
 	char *p, *line;
 	FILE *fp;
@@ -939,8 +1131,15 @@ _files_ghbyaddr(const void *addr, int addrlen, int af, int *errp)
 	union inx_addr addrbuf;
 	char buf[BUFSIZ];
 
+	addr = va_arg(ap, const void *);
+	addrlen = va_arg(ap, int);
+	af = va_arg(ap, int);
+	errp = va_arg(ap, int *);
+
+	*(struct hostent**)rval = NULL;
+
 	if ((fp = _files_open(errp)) == NULL)
-		return NULL;
+		return NS_UNAVAIL;
 	hp = NULL;
 	while (fgets(buf, sizeof(buf), fp)) {
 		line = buf;
@@ -969,7 +1168,8 @@ _files_ghbyaddr(const void *addr, int addrlen, int af, int *errp)
 		break;
 	}
 	fclose(fp);
-	return hp;
+	*(struct hostent **)rval = hp;
+	return (hp != NULL) ? NS_SUCCESS : NS_NOTFOUND;
 }
 
 #ifdef YP
@@ -978,11 +1178,18 @@ _files_ghbyaddr(const void *addr, int addrlen, int af, int *errp)
  *
  * XXX actually a hack, these are INET4 specific.
  */
-static struct hostent *
-_nis_ghbyname(const char *name, int af, int *errp)
+static int
+_nis_ghbyname(void *rval, void *cb_data, va_list ap)
 {
+	const char *name;
+	int af;
+	int *errp;
 	struct hostent *hp = NULL;
 
+	name = va_arg(ap, const char *);
+	af = va_arg(ap, int);
+	errp = va_arg(ap, int *);
+
 	if (af == AF_UNSPEC)
 		af = AF_INET;
 	if (af == AF_INET) {
@@ -990,21 +1197,31 @@ _nis_ghbyname(const char *name, int af, int *errp)
 		if (hp != NULL)
 			hp = _hpcopy(hp, errp);
 	}
-	return (hp);
-	
+
+	*(struct hostent **)rval = hp;
+	return (hp != NULL) ? NS_SUCCESS : NS_NOTFOUND;
 }
 
-static struct hostent *
-_nis_ghbyaddr(const void *addr, int addrlen, int af, int *errp)
+static int
+_nis_ghbyaddr(void *rval, void *cb_data, va_list ap)
 {
+	const void *addr;
+	int addrlen;
+	int af;
+	int *errp;
 	struct hostent *hp = NULL;
 
+	addr = va_arg(ap, const void *);
+	addrlen = va_arg(ap, int);
+	af = va_arg(ap, int);
+
 	if (af == AF_INET) {
 		hp = _gethostbynisaddr(addr, addrlen, af);
 		if (hp != NULL)
 			hp = _hpcopy(hp, errp);
 	}
-	return (hp);
+	*(struct hostent **)rval = hp;
+	return (hp != NULL) ? NS_SUCCESS : NS_NOTFOUND;
 }
 #endif
 
@@ -1345,7 +1562,8 @@ _res_search_multi(const char *name, struct __res_type_list *rtl, int *errp)
 					continue;
 				hp = _hpcopy(&hpbuf, errp);
 				hp0 = _hpmerge(hp0, hp, errp);
-			}
+			} else
+				*errp = h_errno;
 		}
 		free(buf);
 		return (hp0);
@@ -1371,7 +1589,8 @@ _res_search_multi(const char *name, struct __res_type_list *rtl, int *errp)
 					continue;
 				hp = _hpcopy(&hpbuf, errp);
 				hp0 = _hpmerge(hp0, hp, errp);
-			}
+			} else
+				*errp = h_errno;
 		}
 		if (hp0 != NULL) {
 			free(buf);
@@ -1410,7 +1629,8 @@ _res_search_multi(const char *name, struct __res_type_list *rtl, int *errp)
 						continue;
 					hp = _hpcopy(&hpbuf, errp);
 					hp0 = _hpmerge(hp0, hp, errp);
-				}
+				} else
+					*errp = h_errno;
 			}
 			if (hp0 != NULL) {
 				free(buf);
@@ -1483,7 +1703,8 @@ _res_search_multi(const char *name, struct __res_type_list *rtl, int *errp)
 					continue;
 				hp = _hpcopy(&hpbuf, errp);
 				hp0 = _hpmerge(hp0, hp, errp);
-			}
+			} else
+				*errp = h_errno;
 		}
 		if (hp0 != NULL) {
 			free(buf);
@@ -1509,14 +1730,21 @@ _res_search_multi(const char *name, struct __res_type_list *rtl, int *errp)
 	return (NULL);
 }
 
-static struct hostent *
-_dns_ghbyname(const char *name, int af, int *errp)
+static int
+_dns_ghbyname(void *rval, void *cb_data, va_list ap)
 {
+	const char *name;
+	int af;
+	int *errp;
 	struct __res_type_list *rtl, rtl4;
 #ifdef INET6
 	struct __res_type_list rtl6;
 #endif
 
+	name = va_arg(ap, const char *);
+	af = va_arg(ap, int);
+	errp = va_arg(ap, int *);
+
 #ifdef INET6
 	switch (af) {
 	case AF_UNSPEC:
@@ -1539,12 +1767,22 @@ _dns_ghbyname(const char *name, int af, int *errp)
 	SLIST_NEXT(&rtl4, rtl_entry) = NULL; rtl4.rtl_type = T_A;
 	rtl = &rtl4;
 #endif
-	return(_res_search_multi(name, rtl, errp));
+	*(struct hostent **)rval = _res_search_multi(name, rtl, errp);
+	if (*(struct hostent **)rval != NULL)
+		return NS_SUCCESS;
+	else if (*errp == TRY_AGAIN)
+		return NS_TRYAGAIN;
+	else
+		return NS_NOTFOUND;
 }
 
-static struct hostent *
-_dns_ghbyaddr(const void *addr, int addrlen, int af, int *errp)
+static int
+_dns_ghbyaddr(void *rval, void *cb_data, va_list ap)
 {
+	const void *addr;
+	int addrlen;
+	int af;
+	int *errp;
 	int n;
 	struct hostent *hp;
 	u_char c;
@@ -1562,10 +1800,17 @@ _dns_ghbyaddr(const void *addr, int addrlen, int af, int *errp)
 	const char *tld4[] = { "in-addr.arpa", NULL };
 	const char **tld;
 
+	addr = va_arg(ap, const void *);
+	addrlen = va_arg(ap, int);
+	af = va_arg(ap, int);
+	errp = va_arg(ap, int *);
+
+	*(struct hostent **)rval = NULL;
+
 #ifdef INET6
 	/* XXX */
 	if (af == AF_INET6 && IN6_IS_ADDR_LINKLOCAL((const struct in6_addr *)addr))
-		return NULL;
+		return NS_NOTFOUND;
 #endif
 
 	switch (af) {
@@ -1584,7 +1829,7 @@ _dns_ghbyaddr(const void *addr, int addrlen, int af, int *errp)
 	if ((_res.options & RES_INIT) == 0) {
 		if (res_init() < 0) {
 			*errp = h_errno;
-			return NULL;
+			return NS_UNAVAIL;
 		}
 	}
 	memset(&hbuf, 0, sizeof(hbuf));
diff --git a/lib/libc/net/netdb_private.h b/lib/libc/net/netdb_private.h
new file mode 100644
index 0000000000..cef0b7ce1c
--- /dev/null
+++ b/lib/libc/net/netdb_private.h
@@ -0,0 +1,145 @@
+/*-
+ * Copyright (C) 2005 The FreeBSD Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD: src/lib/libc/net/netdb_private.h,v 1.13 2006/05/12 15:37:23 ume Exp $
+ */
+
+#ifndef _NETDB_PRIVATE_H_
+#define _NETDB_PRIVATE_H_
+
+#include <stdio.h>				/* XXX: for FILE */
+
+#define	NETDB_THREAD_ALLOC(name)					\
+static struct name name;						\
+static thread_key_t name##_key;						\
+static once_t name##_init_once = ONCE_INITIALIZER;			\
+static int name##_thr_keycreated = 0;					\
+\
+static void name##_free(void *);					\
+\
+static void								\
+name##_keycreate(void)							\
+{									\
+	name##_thr_keycreated =						\
+	    (thr_keycreate(&name##_key, name##_free) == 0);		\
+}									\
+\
+struct name *								\
+__##name##_init(void)							\
+{									\
+	struct name *he;						\
+									\
+	if (thr_main() != 0)						\
+		return (&name);						\
+	if (thr_once(&name##_init_once, name##_keycreate) != 0 ||	\
+	    !name##_thr_keycreated)					\
+		return (NULL);						\
+	if ((he = thr_getspecific(name##_key)) != NULL)			\
+		return (he);						\
+	if ((he = calloc(1, sizeof(*he))) == NULL)			\
+		return (NULL);						\
+	if (thr_setspecific(name##_key, he) == 0)			\
+		return (he);						\
+	free(he);							\
+	return (NULL);							\
+}
+
+#define	_MAXALIASES	35
+#define	_MAXLINELEN	1024
+#define	_MAXADDRS	35
+#define	_HOSTBUFSIZE	(8 * 1024)
+#define	_NETBUFSIZE	1025
+
+struct hostent_data {
+	uint32_t host_addr[4];			/* IPv4 or IPv6 */
+	char *h_addr_ptrs[_MAXADDRS + 1];
+	char *host_aliases[_MAXALIASES];
+	char hostbuf[_HOSTBUFSIZE];
+	FILE *hostf;
+	int stayopen;
+#ifdef YP
+	char *yp_domain;
+#endif
+};
+
+struct netent_data {
+	char *net_aliases[_MAXALIASES];
+	char netbuf[_NETBUFSIZE];
+	FILE *netf;
+	int stayopen;
+#ifdef YP
+	char *yp_domain;
+#endif
+};
+
+struct protoent_data {
+	FILE *fp;
+	char *aliases[_MAXALIASES];
+	int stayopen;
+	char line[_MAXLINELEN + 1];
+};
+
+struct hostdata {
+	struct hostent host;
+	char data[sizeof(struct hostent_data)];
+};
+
+struct netdata {
+	struct netent net;
+	char data[sizeof(struct netent_data)];
+};
+
+struct protodata {
+	struct protoent proto;
+	char data[sizeof(struct protoent_data)];
+};
+
+struct hostdata *__hostdata_init(void);
+struct hostent *__hostent_init(void);
+struct hostent_data *__hostent_data_init(void);
+struct netdata *__netdata_init(void);
+struct netent_data *__netent_data_init(void);
+struct protodata *__protodata_init(void);
+struct protoent_data *__protoent_data_init(void);
+int __copy_hostent(struct hostent *, struct hostent *, char *, size_t);
+int __copy_netent(struct netent *, struct netent *, char *, size_t);
+int __copy_protoent(struct protoent *, struct protoent *, char *, size_t);
+
+void __endprotoent_p(struct protoent_data *);
+int __getprotoent_p(struct protoent *, struct protoent_data *);
+void __setprotoent_p(int, struct protoent_data *);
+void _endhostdnsent(void);
+void _endhosthtent(void);
+void _endnetdnsent(void);
+void _endnethtent(void);
+struct hostent *_gethostbynisaddr(const char *, int, int);
+struct hostent *_gethostbynisname(const char *, int);
+void _map_v4v6_address(const char *, char *);
+void _map_v4v6_hostent(struct hostent *, char **, int *);
+void _sethostdnsent(int);
+void _sethosthtent(int);
+void _setnetdnsent(int);
+void _setnethtent(int);
+
+#endif /* _NETDB_PRIVATE_H_ */
diff --git a/lib/libc/net/nscache.c b/lib/libc/net/nscache.c
new file mode 100644
index 0000000000..81baa4df97
--- /dev/null
+++ b/lib/libc/net/nscache.c
@@ -0,0 +1,436 @@
+/*-
+ * Copyright (c) 2005 Michael Bushkov <bushman@rsu.ru>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD: src/lib/libc/net/nscache.c,v 1.2 2007/10/17 23:20:49 tmclaugh Exp $
+ */
+
+#include "namespace.h"
+#include <nsswitch.h>
+#include <stdlib.h>
+#include <string.h>
+#include "un-namespace.h"
+#include "nscachedcli.h"
+#include "nscache.h"
+
+#define NSS_CACHE_KEY_INITIAL_SIZE	(256)
+#define NSS_CACHE_KEY_SIZE_LIMIT	(NSS_CACHE_KEY_INITIAL_SIZE << 4)
+
+#define NSS_CACHE_BUFFER_INITIAL_SIZE	(1024)
+#define NSS_CACHE_BUFFER_SIZE_LIMIT	(NSS_CACHE_BUFFER_INITIAL_SIZE << 8)
+
+#define CACHED_SOCKET_PATH 		"/var/run/nscd"
+
+int
+__nss_cache_handler(void *retval, void *mdata, va_list ap)
+{
+	return (NS_UNAVAIL);
+}
+
+int
+__nss_common_cache_read(void *retval, void *mdata, va_list ap)
+{
+	struct cached_connection_params params;
+	cached_connection connection;
+
+	char *buffer;
+	size_t buffer_size, size;
+
+	nss_cache_info const *cache_info;
+	nss_cache_data *cache_data;
+	va_list ap_new;
+	int res;
+
+	cache_data = (nss_cache_data *)mdata;
+	cache_info = cache_data->info;
+
+	memset(&params, 0, sizeof(struct cached_connection_params));
+	params.socket_path = CACHED_SOCKET_PATH;
+
+	cache_data->key = (char *)malloc(NSS_CACHE_KEY_INITIAL_SIZE);
+	memset(cache_data->key, 0, NSS_CACHE_KEY_INITIAL_SIZE);
+	cache_data->key_size = NSS_CACHE_KEY_INITIAL_SIZE;
+	va_copy(ap_new, ap);
+
+	do {
+		size = cache_data->key_size;
+		res = cache_info->id_func(cache_data->key, &size, ap_new,
+		    cache_info->mdata);
+		va_end(ap_new);
+		if (res == NS_RETURN) {
+			if (cache_data->key_size > NSS_CACHE_KEY_SIZE_LIMIT)
+				break;
+
+			cache_data->key_size <<= 1;
+			cache_data->key = realloc(cache_data->key,
+			    cache_data->key_size);
+			memset(cache_data->key, 0, cache_data->key_size);
+			va_copy(ap_new, ap);
+		}
+	} while (res == NS_RETURN);
+
+	if (res != NS_SUCCESS) {
+		free(cache_data->key);
+		cache_data->key = NULL;
+		cache_data->key_size = 0;
+		return (res);
+	} else
+		cache_data->key_size = size;
+
+	buffer_size = NSS_CACHE_BUFFER_INITIAL_SIZE;
+	buffer = (char *)malloc(NSS_CACHE_BUFFER_INITIAL_SIZE);
+	memset(buffer, 0, NSS_CACHE_BUFFER_INITIAL_SIZE);
+
+	do {
+		connection = __open_cached_connection(&params);
+		if (connection == NULL) {
+			res = -1;
+			break;
+		}
+		res = __cached_read(connection, cache_info->entry_name,
+		    cache_data->key, cache_data->key_size, buffer,
+		    &buffer_size);
+		__close_cached_connection(connection);
+		if (res == -2 && buffer_size < NSS_CACHE_BUFFER_SIZE_LIMIT) {
+			buffer = (char *)realloc(buffer, buffer_size);
+			memset(buffer, 0, buffer_size);
+		}
+	} while (res == -2);
+
+	if (res == 0) {
+		if (buffer_size == 0) {
+			free(buffer);
+			free(cache_data->key);
+			cache_data->key = NULL;
+			cache_data->key_size = 0;
+			return (NS_RETURN);
+		}
+
+		va_copy(ap_new, ap);
+		res = cache_info->unmarshal_func(buffer, buffer_size, retval,
+		    ap_new, cache_info->mdata);
+		va_end(ap_new);
+
+		if (res != NS_SUCCESS) {
+			free(buffer);
+			free(cache_data->key);
+			cache_data->key = NULL;
+			cache_data->key_size = 0;
+			return (res);
+		} else
+			res = 0;
+	}
+
+	if (res == 0) {
+		free(cache_data->key);
+		cache_data->key = NULL;
+		cache_data->key_size = 0;
+	}
+
+	free(buffer);
+	return (res == 0 ? NS_SUCCESS : NS_NOTFOUND);
+}
+
+int
+__nss_common_cache_write(void *retval, void *mdata, va_list ap)
+{
+	struct cached_connection_params params;
+	cached_connection connection;
+
+	char *buffer;
+	size_t buffer_size;
+
+	nss_cache_info const *cache_info;
+	nss_cache_data *cache_data;
+	va_list ap_new;
+	int res;
+
+	cache_data = (nss_cache_data *)mdata;
+	cache_info = cache_data->info;
+
+	if (cache_data->key == NULL)
+		return (NS_UNAVAIL);
+
+	memset(&params, 0, sizeof(struct cached_connection_params));
+	params.socket_path = CACHED_SOCKET_PATH;
+
+	connection = __open_cached_connection(&params);
+	if (connection == NULL) {
+		free(cache_data->key);
+		return (NS_UNAVAIL);
+	}
+
+	buffer_size = NSS_CACHE_BUFFER_INITIAL_SIZE;
+	buffer = (char *)malloc(NSS_CACHE_BUFFER_INITIAL_SIZE);
+	memset(buffer, 0, NSS_CACHE_BUFFER_INITIAL_SIZE);
+
+	do {
+		size_t size;
+
+		size = buffer_size;
+		va_copy(ap_new, ap);
+		res = cache_info->marshal_func(buffer, &size, retval, ap_new,
+		    cache_info->mdata);
+		va_end(ap_new);
+
+		if (res == NS_RETURN) {
+			if (buffer_size > NSS_CACHE_BUFFER_SIZE_LIMIT)
+				break;
+
+			buffer_size <<= 1;
+			buffer = (char *)realloc(buffer, buffer_size);
+			memset(buffer, 0, buffer_size);
+		}
+	} while (res == NS_RETURN);
+
+	if (res != NS_SUCCESS) {
+		__close_cached_connection(connection);
+		free(cache_data->key);
+		free(buffer);
+		return (res);
+	}
+
+	res = __cached_write(connection, cache_info->entry_name,
+	    cache_data->key, cache_data->key_size, buffer, buffer_size);
+	__close_cached_connection(connection);
+
+	free(cache_data->key);
+	free(buffer);
+
+	return (res == 0 ? NS_SUCCESS : NS_UNAVAIL);
+}
+
+int
+__nss_common_cache_write_negative(void *mdata)
+{
+	struct cached_connection_params params;
+	cached_connection connection;
+	int res;
+
+	nss_cache_info const *cache_info;
+	nss_cache_data *cache_data;
+
+	cache_data = (nss_cache_data *)mdata;
+	cache_info = cache_data->info;
+
+	if (cache_data->key == NULL)
+		return (NS_UNAVAIL);
+
+	memset(&params, 0, sizeof(struct cached_connection_params));
+	params.socket_path = CACHED_SOCKET_PATH;
+
+	connection = __open_cached_connection(&params);
+	if (connection == NULL) {
+		free(cache_data->key);
+		return (NS_UNAVAIL);
+	}
+
+	res = __cached_write(connection, cache_info->entry_name,
+	    cache_data->key, cache_data->key_size, NULL, 0);
+	__close_cached_connection(connection);
+
+	free(cache_data->key);
+	return (res == 0 ? NS_SUCCESS : NS_UNAVAIL);
+}
+
+int
+__nss_mp_cache_read(void *retval, void *mdata, va_list ap)
+{
+	struct cached_connection_params params;
+	cached_mp_read_session rs;
+
+	char *buffer;
+	size_t buffer_size;
+
+	nss_cache_info const *cache_info;
+	nss_cache_data *cache_data;
+	va_list ap_new;
+	int res;
+
+	cache_data = (nss_cache_data *)mdata;
+	cache_info = cache_data->info;
+
+	if (cache_info->get_mp_ws_func() != INVALID_CACHED_MP_WRITE_SESSION)
+		return (NS_UNAVAIL);
+
+	rs = cache_info->get_mp_rs_func();
+	if (rs == INVALID_CACHED_MP_READ_SESSION) {
+		memset(&params, 0, sizeof(struct cached_connection_params));
+		params.socket_path = CACHED_SOCKET_PATH;
+
+		rs = __open_cached_mp_read_session(&params,
+		    cache_info->entry_name);
+		if (rs == INVALID_CACHED_MP_READ_SESSION)
+			return (NS_UNAVAIL);
+
+		cache_info->set_mp_rs_func(rs);
+	}
+
+	buffer_size = NSS_CACHE_BUFFER_INITIAL_SIZE;
+	buffer = (char *)malloc(NSS_CACHE_BUFFER_INITIAL_SIZE);
+	memset(buffer, 0, NSS_CACHE_BUFFER_INITIAL_SIZE);
+
+	do {
+		res = __cached_mp_read(rs, buffer, &buffer_size);
+		if (res == -2 && buffer_size < NSS_CACHE_BUFFER_SIZE_LIMIT) {
+			buffer = (char *)realloc(buffer, buffer_size);
+			memset(buffer, 0, buffer_size);
+		}
+	} while (res == -2);
+
+	if (res == 0) {
+		va_copy(ap_new, ap);
+		res = cache_info->unmarshal_func(buffer, buffer_size, retval,
+		    ap_new, cache_info->mdata);
+		va_end(ap_new);
+
+		if (res != NS_SUCCESS) {
+			free(buffer);
+			return (res);
+		} else
+			res = 0;
+	} else {
+		free(buffer);
+		__close_cached_mp_read_session(rs);
+		rs = INVALID_CACHED_MP_READ_SESSION;
+		cache_info->set_mp_rs_func(rs);
+		return (res == -1 ? NS_RETURN : NS_UNAVAIL);
+	}
+
+	free(buffer);
+	return (res == 0 ? NS_SUCCESS : NS_NOTFOUND);
+}
+
+int
+__nss_mp_cache_write(void *retval, void *mdata, va_list ap)
+{
+	struct cached_connection_params params;
+	cached_mp_write_session ws;
+
+	char *buffer;
+	size_t buffer_size;
+
+	nss_cache_info const *cache_info;
+	nss_cache_data *cache_data;
+	va_list ap_new;
+	int res;
+
+	cache_data = (nss_cache_data *)mdata;
+	cache_info = cache_data->info;
+
+	ws = cache_info->get_mp_ws_func();
+	if (ws == INVALID_CACHED_MP_WRITE_SESSION) {
+		memset(&params, 0, sizeof(struct cached_connection_params));
+		params.socket_path = CACHED_SOCKET_PATH;
+
+		ws = __open_cached_mp_write_session(&params,
+		    cache_info->entry_name);
+		if (ws == INVALID_CACHED_MP_WRITE_SESSION)
+			return (NS_UNAVAIL);
+
+		cache_info->set_mp_ws_func(ws);
+	}
+
+	buffer_size = NSS_CACHE_BUFFER_INITIAL_SIZE;
+	buffer = (char *)malloc(NSS_CACHE_BUFFER_INITIAL_SIZE);
+	memset(buffer, 0, NSS_CACHE_BUFFER_INITIAL_SIZE);
+
+	do {
+		size_t size;
+
+		size = buffer_size;
+		va_copy(ap_new, ap);
+		res = cache_info->marshal_func(buffer, &size, retval, ap_new,
+		    cache_info->mdata);
+		va_end(ap_new);
+
+		if (res == NS_RETURN) {
+			if (buffer_size > NSS_CACHE_BUFFER_SIZE_LIMIT)
+				break;
+
+			buffer_size <<= 1;
+			buffer = (char *)realloc(buffer, buffer_size);
+			memset(buffer, 0, buffer_size);
+		}
+	} while (res == NS_RETURN);
+
+	if (res != NS_SUCCESS) {
+		free(buffer);
+		return (res);
+	}
+
+	res = __cached_mp_write(ws, buffer, buffer_size);
+
+	free(buffer);
+	return (res == 0 ? NS_SUCCESS : NS_UNAVAIL);
+}
+
+int
+__nss_mp_cache_write_submit(void *retval, void *mdata, va_list ap)
+{
+	cached_mp_write_session ws;
+
+	nss_cache_info const *cache_info;
+	nss_cache_data *cache_data;
+
+	cache_data = (nss_cache_data *)mdata;
+	cache_info = cache_data->info;
+
+	ws = cache_info->get_mp_ws_func();
+	if (ws != INVALID_CACHED_MP_WRITE_SESSION) {
+		__close_cached_mp_write_session(ws);
+		ws = INVALID_CACHED_MP_WRITE_SESSION;
+		cache_info->set_mp_ws_func(ws);
+	}
+	return (NS_UNAVAIL);
+}
+
+int
+__nss_mp_cache_end(void *retval, void *mdata, va_list ap)
+{
+	cached_mp_write_session ws;
+	cached_mp_read_session rs;
+
+	nss_cache_info const *cache_info;
+	nss_cache_data *cache_data;
+
+	cache_data = (nss_cache_data *)mdata;
+	cache_info = cache_data->info;
+
+	ws = cache_info->get_mp_ws_func();
+	if (ws != INVALID_CACHED_MP_WRITE_SESSION) {
+		__abandon_cached_mp_write_session(ws);
+		ws = INVALID_CACHED_MP_WRITE_SESSION;
+		cache_info->set_mp_ws_func(ws);
+	}
+
+	rs = cache_info->get_mp_rs_func();
+	if (rs != INVALID_CACHED_MP_READ_SESSION) {
+		__close_cached_mp_read_session(rs);
+		rs = INVALID_CACHED_MP_READ_SESSION;
+		cache_info->set_mp_rs_func(rs);
+	}
+
+	return (NS_UNAVAIL);
+}
diff --git a/lib/libc/net/nscachedcli.c b/lib/libc/net/nscachedcli.c
new file mode 100644
index 0000000000..b6b1ca785b
--- /dev/null
+++ b/lib/libc/net/nscachedcli.c
@@ -0,0 +1,574 @@
+/*-
+ * Copyright (c) 2005 Michael Bushkov <bushman@rsu.ru>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD: src/lib/libc/net/nscachedcli.c,v 1.3 2006/12/04 17:08:43 ume Exp $
+ */
+
+#include "namespace.h"
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/event.h>
+#include <sys/uio.h>
+#include <sys/un.h>
+#include <assert.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include "un-namespace.h"
+#include "nscachedcli.h"
+
+#define NS_DEFAULT_CACHED_IO_TIMEOUT	4
+
+static int safe_write(struct cached_connection_ *, const void *, size_t);
+static int safe_read(struct cached_connection_ *, void *, size_t);
+static int send_credentials(struct cached_connection_ *, int);
+
+/*
+ * safe_write writes data to the specified connection and tries to do it in
+ * the very safe manner. We ensure, that we can write to the socket with
+ * kevent. If the data_size can't be sent in one piece, then it would be
+ * splitted.
+ */
+static int
+safe_write(struct cached_connection_ *connection, const void *data,
+    size_t data_size)
+{
+	struct kevent eventlist;
+	int nevents;
+	size_t result;
+	ssize_t s_result;
+	struct timespec timeout;
+
+	if (data_size == 0)
+		return (0);
+
+	timeout.tv_sec = NS_DEFAULT_CACHED_IO_TIMEOUT;
+	timeout.tv_nsec = 0;
+	result = 0;
+	do {
+		nevents = _kevent(connection->write_queue, NULL, 0, &eventlist,
+		    1, &timeout);
+		if ((nevents == 1) && (eventlist.filter == EVFILT_WRITE)) {
+			s_result = _write(connection->sockfd, data + result,
+			    eventlist.data < data_size - result ?
+			    eventlist.data : data_size - result);
+			if (s_result == -1)
+				return (-1);
+			else
+				result += s_result;
+
+			if (eventlist.flags & EV_EOF)
+				return (result < data_size ? -1 : 0);
+		} else
+			return (-1);
+	} while (result < data_size);
+
+	return (0);
+}
+
+/*
+ * safe_read reads data from connection and tries to do it in the very safe
+ * and stable way. It uses kevent to ensure, that the data are availabe for
+ * reading. If the amount of data to be read is too large, then they would
+ * be splitted.
+ */
+static int
+safe_read(struct cached_connection_ *connection, void *data, size_t data_size)
+{
+	struct kevent eventlist;
+	size_t result;
+	ssize_t s_result;
+	struct timespec timeout;
+	int nevents;
+
+	if (data_size == 0)
+		return (0);
+
+	timeout.tv_sec = NS_DEFAULT_CACHED_IO_TIMEOUT;
+	timeout.tv_nsec = 0;
+	result = 0;
+	do {
+		nevents = _kevent(connection->read_queue, NULL, 0, &eventlist,
+		    1, &timeout);
+		if (nevents == 1 && eventlist.filter == EVFILT_READ) {
+			s_result = _read(connection->sockfd, data + result,
+			    eventlist.data <= data_size - result ?
+			    eventlist.data : data_size - result);
+			if (s_result == -1)
+				return (-1);
+			else
+				result += s_result;
+
+			if (eventlist.flags & EV_EOF)
+				return (result < data_size ? -1 : 0);
+		} else
+			return (-1);
+	} while (result < data_size);
+
+	return (0);
+}
+
+/*
+ * Sends the credentials information to the connection along with the
+ * communication element type.
+ */
+static int
+send_credentials(struct cached_connection_ *connection, int type)
+{
+	struct kevent eventlist;
+	int nevents;
+	ssize_t result;
+	int res;
+
+	struct msghdr cred_hdr;
+	struct iovec iov;
+
+	struct {
+		struct cmsghdr hdr;
+		char cred[CMSG_SPACE(sizeof(struct cmsgcred))];
+	} cmsg;
+
+	memset(&cmsg, 0, sizeof(cmsg));
+	cmsg.hdr.cmsg_len =  CMSG_LEN(sizeof(struct cmsgcred));
+	cmsg.hdr.cmsg_level = SOL_SOCKET;
+	cmsg.hdr.cmsg_type = SCM_CREDS;
+
+	memset(&cred_hdr, 0, sizeof(struct msghdr));
+	cred_hdr.msg_iov = &iov;
+	cred_hdr.msg_iovlen = 1;
+	cred_hdr.msg_control = (caddr_t)&cmsg;
+	cred_hdr.msg_controllen = CMSG_SPACE(sizeof(struct cmsgcred));
+
+	iov.iov_base = &type;
+	iov.iov_len = sizeof(int);
+
+	EV_SET(&eventlist, connection->sockfd, EVFILT_WRITE, EV_ADD,
+	    NOTE_LOWAT, sizeof(int), NULL);
+	res = _kevent(connection->write_queue, &eventlist, 1, NULL, 0, NULL);
+
+	nevents = _kevent(connection->write_queue, NULL, 0, &eventlist, 1,
+	    NULL);
+	if (nevents == 1 && eventlist.filter == EVFILT_WRITE) {
+		result = (_sendmsg(connection->sockfd, &cred_hdr, 0) == -1) ?
+		    -1 : 0;
+		EV_SET(&eventlist, connection->sockfd, EVFILT_WRITE, EV_ADD,
+		    0, 0, NULL);
+		_kevent(connection->write_queue, &eventlist, 1, NULL, 0, NULL);
+		return (result);
+	} else
+		return (-1);
+}
+
+/*
+ * Opens the connection with the specified params. Initializes all kqueues.
+ */
+struct cached_connection_ *
+__open_cached_connection(struct cached_connection_params const *params)
+{
+	struct cached_connection_ *retval;
+	struct kevent eventlist;
+	struct sockaddr_un client_address;
+	int client_address_len, client_socket;
+	int res;
+
+	assert(params != NULL);
+
+	client_socket = _socket(PF_LOCAL, SOCK_STREAM, 0);
+	client_address.sun_family = PF_LOCAL;
+	strncpy(client_address.sun_path, params->socket_path,
+	    sizeof(client_address.sun_path));
+	client_address_len = sizeof(client_address.sun_family) +
+	    strlen(client_address.sun_path) + 1;
+
+	res = _connect(client_socket, (struct sockaddr *)&client_address,
+	    client_address_len);
+	if (res == -1) {
+		_close(client_socket);
+		return (NULL);
+	}
+	_fcntl(client_socket, F_SETFL, O_NONBLOCK);
+
+	retval = malloc(sizeof(struct cached_connection_));
+	assert(retval != NULL);
+	memset(retval, 0, sizeof(struct cached_connection_));
+
+	retval->sockfd = client_socket;
+
+	retval->write_queue = kqueue();
+	assert(retval->write_queue != -1);
+
+	EV_SET(&eventlist, retval->sockfd, EVFILT_WRITE, EV_ADD, 0, 0, NULL);
+	res = _kevent(retval->write_queue, &eventlist, 1, NULL, 0, NULL);
+
+	retval->read_queue = kqueue();
+	assert(retval->read_queue != -1);
+
+	EV_SET(&eventlist, retval->sockfd, EVFILT_READ, EV_ADD, 0, 0, NULL);
+	res = _kevent(retval->read_queue, &eventlist, 1, NULL, 0, NULL);
+
+	return (retval);
+}
+
+void
+__close_cached_connection(struct cached_connection_ *connection)
+{
+	assert(connection != NULL);
+
+	_close(connection->sockfd);
+	_close(connection->read_queue);
+	_close(connection->write_queue);
+	free(connection);
+}
+
+/*
+ * This function is very close to the cache_write function of the caching
+ * library, which is used in the caching daemon. It caches the data with the
+ * specified key in the cache entry with entry_name.
+ */
+int
+__cached_write(struct cached_connection_ *connection, const char *entry_name,
+    const char *key, size_t key_size, const char *data, size_t data_size)
+{
+	size_t name_size;
+	int error_code;
+	int result;
+
+	error_code = -1;
+	result = 0;
+	result = send_credentials(connection, CET_WRITE_REQUEST);
+	if (result != 0)
+		goto fin;
+
+	name_size = strlen(entry_name);
+	result = safe_write(connection, &name_size, sizeof(size_t));
+	if (result != 0)
+		goto fin;
+
+	result = safe_write(connection, &key_size, sizeof(size_t));
+	if (result != 0)
+		goto fin;
+
+	result = safe_write(connection, &data_size, sizeof(size_t));
+	if (result != 0)
+		goto fin;
+
+	result = safe_write(connection, entry_name, name_size);
+	if (result != 0)
+		goto fin;
+
+	result = safe_write(connection, key, key_size);
+	if (result != 0)
+		goto fin;
+
+	result = safe_write(connection, data, data_size);
+	if (result != 0)
+		goto fin;
+
+	result = safe_read(connection, &error_code, sizeof(int));
+	if (result != 0)
+		error_code = -1;
+
+fin:
+	return (error_code);
+}
+
+/*
+ * This function is very close to the cache_read function of the caching
+ * library, which is used in the caching daemon. It reads cached data with the
+ * specified key from the cache entry with entry_name.
+ */
+int
+__cached_read(struct cached_connection_ *connection, const char *entry_name,
+    const char *key, size_t key_size, char *data, size_t *data_size)
+{
+	size_t name_size, result_size;
+	int error_code, rec_error_code;
+	int result;
+
+	assert(connection != NULL);
+	result = 0;
+	error_code = -1;
+
+	result = send_credentials(connection, CET_READ_REQUEST);
+	if (result != 0)
+		goto fin;
+
+	name_size = strlen(entry_name);
+	result = safe_write(connection, &name_size, sizeof(size_t));
+	if (result != 0)
+		goto fin;
+
+	result = safe_write(connection, &key_size, sizeof(size_t));
+	if (result != 0)
+		goto fin;
+
+	result = safe_write(connection, entry_name, name_size);
+	if (result != 0)
+		goto fin;
+
+	result = safe_write(connection, key, key_size);
+	if (result != 0)
+		goto fin;
+
+	result = safe_read(connection, &rec_error_code, sizeof(int));
+	if (result != 0)
+		goto fin;
+
+	if (rec_error_code != 0) {
+		error_code = rec_error_code;
+		goto fin;
+	}
+
+	result = safe_read(connection, &result_size, sizeof(size_t));
+	if (result != 0)
+		goto fin;
+
+	 if (result_size > *data_size) {
+		 *data_size = result_size;
+		 error_code = -2;
+		 goto fin;
+	 }
+
+	result = safe_read(connection, data, result_size);
+	if (result != 0)
+		goto fin;
+
+	*data_size = result_size;
+	error_code = 0;
+
+fin:
+	return (error_code);
+}
+
+/*
+ * Initializes the mp_write_session. For such a session the new connection
+ * would be opened. The data should be written to the session with
+ * __cached_mp_write function. The __close_cached_mp_write_session function
+ * should be used to submit session and __abandon_cached_mp_write_session - to
+ * abandon it. When the session is submitted, the whole se
+ */
+struct cached_connection_ *
+__open_cached_mp_write_session(struct cached_connection_params const *params,
+    const char *entry_name)
+{
+	struct cached_connection_ *connection, *retval;
+	size_t name_size;
+	int error_code;
+	int result;
+
+	retval = NULL;
+	connection = __open_cached_connection(params);
+	if (connection == NULL)
+		return (NULL);
+	connection->mp_flag = 1;
+
+	result = send_credentials(connection, CET_MP_WRITE_SESSION_REQUEST);
+	if (result != 0)
+		goto fin;
+
+	name_size = strlen(entry_name);
+	result = safe_write(connection, &name_size, sizeof(size_t));
+	if (result != 0)
+		goto fin;
+
+	result = safe_write(connection, entry_name, name_size);
+	if (result != 0)
+		goto fin;
+
+	result = safe_read(connection, &error_code, sizeof(int));
+	if (result != 0)
+		goto fin;
+
+	if (error_code != 0)
+		result = error_code;
+
+fin:
+	if (result != 0)
+		__close_cached_connection(connection);
+	else
+		retval = connection;
+	return (retval);
+}
+
+/*
+ * Adds new portion of data to the opened write session
+ */
+int
+__cached_mp_write(struct cached_connection_ *ws, const char *data,
+    size_t data_size)
+{
+	int request, result;
+	int error_code;
+
+	error_code = -1;
+
+	request = CET_MP_WRITE_SESSION_WRITE_REQUEST;
+	result = safe_write(ws, &request, sizeof(int));
+	if (result != 0)
+		goto fin;
+
+	result = safe_write(ws, &data_size, sizeof(size_t));
+	if (result != 0)
+		goto fin;
+
+	result = safe_write(ws, data, data_size);
+	if (result != 0)
+		goto fin;
+
+	result = safe_read(ws, &error_code, sizeof(int));
+	if (result != 0)
+		error_code = -1;
+
+fin:
+	return (error_code);
+}
+
+/*
+ * Abandons all operations with the write session. All data, that were written
+ * to the session before, are discarded.
+ */
+int
+__abandon_cached_mp_write_session(struct cached_connection_ *ws)
+{
+	int notification;
+	int result;
+
+	notification = CET_MP_WRITE_SESSION_ABANDON_NOTIFICATION;
+	result = safe_write(ws, &notification, sizeof(int));
+	__close_cached_connection(ws);
+	return (result);
+}
+
+/*
+ * Gracefully closes the write session. The data, that were previously written
+ * to the session, are committed.
+ */
+int
+__close_cached_mp_write_session(struct cached_connection_ *ws)
+{
+	int notification;
+	int result;
+
+	notification = CET_MP_WRITE_SESSION_CLOSE_NOTIFICATION;
+	result = safe_write(ws, &notification, sizeof(int));
+	__close_cached_connection(ws);
+	return (0);
+}
+
+struct cached_connection_ *
+__open_cached_mp_read_session(struct cached_connection_params const *params,
+	const char *entry_name)
+{
+	struct cached_connection_ *connection, *retval;
+	size_t name_size;
+	int error_code;
+	int result;
+
+	retval = NULL;
+	connection = __open_cached_connection(params);
+	if (connection == NULL)
+		return (NULL);
+	connection->mp_flag = 1;
+
+	result = send_credentials(connection, CET_MP_READ_SESSION_REQUEST);
+	if (result != 0)
+		goto fin;
+
+	name_size = strlen(entry_name);
+	result = safe_write(connection, &name_size, sizeof(size_t));
+	if (result != 0)
+		goto fin;
+
+	result = safe_write(connection, entry_name, name_size);
+	if (result != 0)
+		goto fin;
+
+	result = safe_read(connection, &error_code, sizeof(int));
+	if (result != 0)
+		goto fin;
+
+	if (error_code != 0)
+		result = error_code;
+
+fin:
+	if (result != 0)
+		__close_cached_connection(connection);
+	else
+		retval = connection;
+	return (retval);
+}
+
+int
+__cached_mp_read(struct cached_connection_ *rs, char *data, size_t *data_size)
+{
+	size_t result_size;
+	int error_code, rec_error_code;
+	int request, result;
+
+	error_code = -1;
+	request = CET_MP_READ_SESSION_READ_REQUEST;
+	result = safe_write(rs, &request, sizeof(int));
+	if (result != 0)
+		goto fin;
+
+	result = safe_read(rs, &rec_error_code, sizeof(int));
+	if (result != 0)
+		goto fin;
+
+	if (rec_error_code != 0) {
+		error_code = rec_error_code;
+		goto fin;
+	}
+
+	result = safe_read(rs, &result_size, sizeof(size_t));
+	if (result != 0)
+		goto fin;
+
+	if (result_size > *data_size) {
+		*data_size = result_size;
+		error_code = -2;
+		goto fin;
+	}
+
+	result = safe_read(rs, data, result_size);
+	if (result != 0)
+		goto fin;
+
+	*data_size = result_size;
+	error_code = 0;
+
+fin:
+	return (error_code);
+}
+
+int
+__close_cached_mp_read_session(struct cached_connection_ *rs)
+{
+
+	__close_cached_connection(rs);
+	return (0);
+}
diff --git a/lib/libc/net/nsdispatch.3 b/lib/libc/net/nsdispatch.3
new file mode 100644
index 0000000000..3b9364fcbd
--- /dev/null
+++ b/lib/libc/net/nsdispatch.3
@@ -0,0 +1,258 @@
+.\"	$NetBSD: nsdispatch.3,v 1.8 1999/03/22 19:44:53 garbled Exp $
+.\"
+.\" Copyright (c) 1997, 1998, 1999 The NetBSD Foundation, Inc.
+.\" All rights reserved.
+.\"
+.\" This code is derived from software contributed to The NetBSD Foundation
+.\" by Luke Mewburn.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 4. Neither the name of The NetBSD Foundation nor the names of its
+.\"    contributors may be used to endorse or promote products derived
+.\"    from this software without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" $FreeBSD: src/lib/libc/net/nsdispatch.3,v 1.14 2007/01/22 11:45:25 bms Exp $
+.\"
+.Dd January 22, 2007
+.Dt NSDISPATCH 3
+.Os
+.Sh NAME
+.Nm nsdispatch
+.Nd name-service switch dispatcher routine
+.Sh LIBRARY
+.Lb libc
+.Sh SYNOPSIS
+.In sys/types.h
+.In stdarg.h
+.In nsswitch.h
+.Ft int
+.Fo nsdispatch
+.Fa "void *retval"
+.Fa "const ns_dtab dtab[]"
+.Fa "const char *database"
+.Fa "const char *method_name"
+.Fa "const ns_src defaults[]"
+.Fa "..."
+.Fc
+.Sh DESCRIPTION
+The
+.Fn nsdispatch
+function invokes the methods specified in
+.Va dtab
+in the order given by
+.Xr nsswitch.conf 5
+for the database
+.Va database
+until a successful entry is found.
+.Pp
+.Va retval
+is passed to each method to modify as necessary, to pass back results to
+the caller of
+.Fn nsdispatch .
+.Pp
+Each method has the function signature described by the typedef:
+.Pp
+.Ft typedef int
+.Fn \*(lp*nss_method\*(rp "void *retval" "void *mdata" "va_list *ap" ;
+.Pp
+.Va dtab
+is an array of
+.Va ns_dtab
+structures, which have the following format:
+.Bd -literal -offset indent
+typedef struct _ns_dtab {
+	const char	*src;
+	nss_method	 method;
+	void		*mdata;
+} ns_dtab;
+.Ed
+.Pp
+.Bd -ragged -offset indent
+The
+.Fa dtab
+array should consist of one entry for each source type that is
+implemented, with
+.Va src
+as the name of the source,
+.Va method
+as a function which handles that source, and
+.Va mdata
+as a handle on arbitrary data to be passed to the method.
+The last entry in
+.Va dtab
+should contain
+.Dv NULL
+values for
+.Va src ,
+.Va method ,
+and
+.Va mdata .
+.Ed
+.Pp
+Additionally, methods may be implemented in NSS modules, in
+which case they are selected using the
+.Fa database
+and
+.Fa method_name
+arguments along with the configured source.
+(The methods supplied via
+.Fa dtab
+take priority over those implemented in NSS modules in the event
+of a conflict.)
+.Pp
+.Va defaults
+contains a list of default sources to try if
+.Xr nsswitch.conf 5
+is missing or corrupted, or if there is no relevant entry for
+.Va database .
+It is an array of
+.Va ns_src
+structures, which have the following format:
+.Bd -literal -offset indent
+typedef struct _ns_src {
+	const char	*src;
+	u_int32_t	 flags;
+} ns_src;
+.Ed
+.Pp
+.Bd -ragged -offset indent
+The
+.Fa defaults
+array should consist of one entry for each source to be configured by
+default indicated by
+.Va src ,
+and
+.Va flags
+set to the criterion desired
+(usually
+.Dv NS_SUCCESS ;
+refer to
+.Sx Method return values
+for more information).
+The last entry in
+.Va defaults
+should have
+.Va src
+set to
+.Dv NULL
+and
+.Va flags
+set to 0.
+.Pp
+For convenience, a global variable defined as:
+.Dl extern const ns_src __nsdefaultsrc[];
+exists which contains a single default entry for the source
+.Sq files
+that may be used by callers which do not require complicated default
+rules.
+.Ed
+.Pp
+.Sq Va ...
+are optional extra arguments, which are passed to the appropriate method
+as a variable argument list of the type
+.Vt va_list .
+.Ss Valid source types
+While there is support for arbitrary sources, the following
+#defines for commonly implemented sources are available:
+.Bl -column NSSRC_COMPAT compat -offset indent
+.It Sy "#define	value"
+.It Dv NSSRC_FILES Ta """files""
+.It Dv NSSRC_DNS Ta """dns""
+.It Dv NSSRC_NIS Ta """nis""
+.It Dv NSSRC_COMPAT Ta """compat""
+.El
+.Pp
+Refer to
+.Xr nsswitch.conf 5
+for a complete description of what each source type is.
+.Pp
+.Ss Method return values
+The
+.Vt nss_method
+functions must return one of the following values depending upon status
+of the lookup:
+.Bl -column "Return value" "Status code"
+.It Sy "Return value	Status code"
+.It Dv NS_SUCCESS Ta success
+.It Dv NS_NOTFOUND Ta notfound
+.It Dv NS_UNAVAIL Ta unavail
+.It Dv NS_TRYAGAIN Ta tryagain
+.It Dv NS_RETURN Ta -none-
+.El
+.Pp
+Refer to
+.Xr nsswitch.conf 5
+for a complete description of each status code.
+.Pp
+The
+.Fn nsdispatch
+function returns the value of the method that caused the dispatcher to
+terminate, or
+.Dv NS_NOTFOUND
+otherwise.
+.Sh NOTES
+.Dx Ns 's
+.Lb libc
+provides stubs for compatibility with NSS modules
+written for the
+.Tn GNU
+C Library
+.Nm nsswitch
+interface.
+However, these stubs only support the use of the
+.Dq Li passwd
+and
+.Dq Li group
+databases.
+.Sh SEE ALSO
+.Xr hesiod 3 ,
+.Xr stdarg 3 ,
+.Xr nsswitch.conf 5 ,
+.Xr yp 8
+.Sh HISTORY
+The
+.Fn nsdispatch
+function first appeared in
+.Dx 2.1 .
+It was imported from the
+.Fx
+Project,
+where it appeared first in
+.Fx 5.0 .
+.Sh AUTHORS
+Luke Mewburn
+.Aq lukem@netbsd.org
+wrote this freely-distributable name-service switch implementation,
+using ideas from the
+.Tn ULTRIX
+svc.conf(5)
+and
+.Tn Solaris
+nsswitch.conf(4)
+manual pages.
+The
+.Fx
+Project
+added the support for threads and NSS modules, and normalized the uses
+of
+.Fn nsdispatch
+within the standard C library.
diff --git a/lib/libc/net/nsdispatch.c b/lib/libc/net/nsdispatch.c
new file mode 100644
index 0000000000..cd8b9cfa98
--- /dev/null
+++ b/lib/libc/net/nsdispatch.c
@@ -0,0 +1,744 @@
+/*	$NetBSD: nsdispatch.c,v 1.9 1999/01/25 00:16:17 lukem Exp $	*/
+
+/*-
+ * Copyright (c) 1997, 1998, 1999 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * This code is derived from software contributed to The NetBSD Foundation
+ * by Luke Mewburn.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *        This product includes software developed by the NetBSD
+ *        Foundation, Inc. and its contributors.
+ * 4. Neither the name of The NetBSD Foundation nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+/*-
+ * Copyright (c) 2003 Networks Associates Technology, Inc.
+ * All rights reserved.
+ *
+ * Portions of this software were developed for the FreeBSD Project by
+ * Jacques A. Vidrine, Safeport Network Services, and Network
+ * Associates Laboratories, the Security Research Division of Network
+ * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
+ * ("CBOSS"), as part of the DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD: src/lib/libc/net/nsdispatch.c,v 1.17 2008/05/02 14:51:22 jhb Exp $
+ */
+
+#include "namespace.h"
+#include <sys/param.h>
+#include <sys/stat.h>
+
+#include <dlfcn.h>
+#include <errno.h>
+#include <fcntl.h>
+#define _NS_PRIVATE
+#include <nsswitch.h>
+#include <pthread.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <syslog.h>
+#include <unistd.h>
+#include "un-namespace.h"
+#include "libc_private.h"
+#ifdef NS_CACHING
+#include "nscache.h"
+#endif
+
+enum _nss_constants {
+	/* Number of elements allocated when we grow a vector */
+	ELEMSPERCHUNK =	8
+};
+
+/*
+ * Global NSS data structures are mostly read-only, but we update
+ * them when we read or re-read the nsswitch.conf.
+ */
+static	pthread_rwlock_t	nss_lock = PTHREAD_RWLOCK_INITIALIZER;
+
+/*
+ * Runtime determination of whether we are dynamically linked or not.
+ */
+extern	int		_DYNAMIC __attribute__ ((weak));
+#define	is_dynamic()	(&_DYNAMIC != NULL)
+
+/*
+ * default sourcelist: `files'
+ */
+const ns_src __nsdefaultsrc[] = {
+	{ NSSRC_FILES, NS_SUCCESS },
+	{ 0 },
+};
+
+/* Database, source mappings. */
+static	unsigned int		 _nsmapsize;
+static	ns_dbt			*_nsmap = NULL;
+
+/* NSS modules. */
+static	unsigned int		 _nsmodsize;
+static	ns_mod			*_nsmod;
+
+/* Placeholder for builtin modules' dlopen `handle'. */
+static	int			 __nss_builtin_handle;
+static	void			*nss_builtin_handle = &__nss_builtin_handle;
+
+#ifdef NS_CACHING
+/*
+ * Cache lookup cycle prevention function - if !NULL then no cache lookups
+ * will be made
+ */
+static	void			*nss_cache_cycle_prevention_func = NULL;
+#endif
+
+/*
+ * When this is set to 1, nsdispatch won't use nsswitch.conf
+ * but will consult the 'defaults' source list only.
+ * NOTE: nested fallbacks (when nsdispatch calls fallback functions,
+ *     which in turn calls nsdispatch, which should call fallback
+ *     function) are not supported
+ */
+static	int			fallback_dispatch = 0;
+
+/*
+ * Attempt to spew relatively uniform messages to syslog.
+ */
+#define nss_log(level, fmt, ...) \
+	syslog((level), "NSSWITCH(%s): " fmt, __func__, __VA_ARGS__)
+#define nss_log_simple(level, s) \
+	syslog((level), "NSSWITCH(%s): " s, __func__)
+
+/*
+ * Dynamically growable arrays are used for lists of databases, sources,
+ * and modules.  The following `vector' interface is used to isolate the
+ * common operations.
+ */
+typedef	int	(*vector_comparison)(const void *, const void *);
+typedef	void	(*vector_free_elem)(void *);
+static	void	  vector_sort(void *, unsigned int, size_t,
+		    vector_comparison);
+static	void	  vector_free(void *, unsigned int *, size_t,
+		    vector_free_elem);
+static	void	 *vector_ref(unsigned int, void *, unsigned int, size_t);
+static	void	 *vector_search(const void *, void *, unsigned int, size_t,
+		    vector_comparison);
+static	void	 *vector_append(const void *, void *, unsigned int *, size_t);
+
+
+/*
+ * Internal interfaces.
+ */
+static	int	 string_compare(const void *, const void *);
+static	int	 mtab_compare(const void *, const void *);
+static	int	 nss_configure(void);
+static	void	 ns_dbt_free(ns_dbt *);
+static	void	 ns_mod_free(ns_mod *);
+static	void	 ns_src_free(ns_src **, int);
+static	void	 nss_load_builtin_modules(void);
+static	void	 nss_load_module(const char *, nss_module_register_fn);
+static	void	 nss_atexit(void);
+/* nsparser */
+extern	FILE	*_nsyyin;
+
+
+/*
+ * The vector operations
+ */
+static void
+vector_sort(void *vec, unsigned int count, size_t esize,
+    vector_comparison comparison)
+{
+	qsort(vec, count, esize, comparison);
+}
+
+
+static void *
+vector_search(const void *key, void *vec, unsigned int count, size_t esize,
+    vector_comparison comparison)
+{
+	return (bsearch(key, vec, count, esize, comparison));
+}
+
+
+static void *
+vector_append(const void *elem, void *vec, unsigned int *count, size_t esize)
+{
+	void	*p;
+
+	if ((*count % ELEMSPERCHUNK) == 0) {
+		p = realloc(vec, (*count + ELEMSPERCHUNK) * esize);
+		if (p == NULL) {
+			nss_log_simple(LOG_ERR, "memory allocation failure");
+			return (vec);
+		}
+		vec = p;
+	}
+	memmove((void *)(((uintptr_t)vec) + (*count * esize)), elem, esize);
+	(*count)++;
+	return (vec);
+}
+
+
+static void *
+vector_ref(unsigned int i, void *vec, unsigned int count, size_t esize)
+{
+	if (i < count)
+		return (void *)((uintptr_t)vec + (i * esize));
+	else
+		return (NULL);
+}
+
+
+#define VECTOR_FREE(v, c, s, f) \
+	do { vector_free(v, c, s, f); v = NULL; } while (0)
+static void
+vector_free(void *vec, unsigned int *count, size_t esize,
+    vector_free_elem free_elem)
+{
+	unsigned int	 i;
+	void		*elem;
+
+	for (i = 0; i < *count; i++) {
+		elem = vector_ref(i, vec, *count, esize);
+		if (elem != NULL)
+			free_elem(elem);
+	}
+	free(vec);
+	*count = 0;
+}
+
+/*
+ * Comparison functions for vector_search.
+ */
+static int
+string_compare(const void *a, const void *b)
+{
+      return (strcasecmp(*(const char * const *)a, *(const char * const *)b));
+}
+
+
+static int
+mtab_compare(const void *a, const void *b)
+{
+      int     cmp;
+
+      cmp = strcmp(((const ns_mtab *)a)->name, ((const ns_mtab *)b)->name);
+      if (cmp != 0)
+	      return (cmp);
+      else
+	      return (strcmp(((const ns_mtab *)a)->database,
+		  ((const ns_mtab *)b)->database));
+}
+
+/*
+ * NSS nsmap management.
+ */
+void
+_nsdbtaddsrc(ns_dbt *dbt, const ns_src *src)
+{
+	const ns_mod	*modp;
+
+	dbt->srclist = vector_append(src, dbt->srclist, &dbt->srclistsize,
+	    sizeof(*src));
+	modp = vector_search(&src->name, _nsmod, _nsmodsize, sizeof(*_nsmod),
+	    string_compare);
+	if (modp == NULL)
+		nss_load_module(src->name, NULL);
+}
+
+
+#ifdef _NSS_DEBUG
+void
+_nsdbtdump(const ns_dbt *dbt)
+{
+	int i;
+
+	printf("%s (%d source%s):", dbt->name, dbt->srclistsize,
+	    dbt->srclistsize == 1 ? "" : "s");
+	for (i = 0; i < (int)dbt->srclistsize; i++) {
+		printf(" %s", dbt->srclist[i].name);
+		if (!(dbt->srclist[i].flags &
+		    (NS_UNAVAIL|NS_NOTFOUND|NS_TRYAGAIN)) &&
+		    (dbt->srclist[i].flags & NS_SUCCESS))
+			continue;
+		printf(" [");
+		if (!(dbt->srclist[i].flags & NS_SUCCESS))
+			printf(" SUCCESS=continue");
+		if (dbt->srclist[i].flags & NS_UNAVAIL)
+			printf(" UNAVAIL=return");
+		if (dbt->srclist[i].flags & NS_NOTFOUND)
+			printf(" NOTFOUND=return");
+		if (dbt->srclist[i].flags & NS_TRYAGAIN)
+			printf(" TRYAGAIN=return");
+		printf(" ]");
+	}
+	printf("\n");
+}
+#endif
+
+
+/*
+ * The first time nsdispatch is called (during a process's lifetime,
+ * or after nsswitch.conf has been updated), nss_configure will
+ * prepare global data needed by NSS.
+ */
+static int
+nss_configure(void)
+{
+	static pthread_mutex_t conf_lock = PTHREAD_MUTEX_INITIALIZER;
+	static time_t	 confmod;
+	struct stat	 statbuf;
+	int		 result, isthreaded;
+	const char	*path;
+#ifdef NS_CACHING
+	void		*handle;
+#endif
+
+	result = 0;
+	isthreaded = __isthreaded;
+#if defined(_NSS_DEBUG) && defined(_NSS_SHOOT_FOOT)
+	/* NOTE WELL:  THIS IS A SECURITY HOLE. This must only be built
+	 * for debugging purposes and MUST NEVER be used in production.
+	 */
+	path = getenv("NSSWITCH_CONF");
+	if (path == NULL)
+#endif
+	path = _PATH_NS_CONF;
+	if (stat(path, &statbuf) != 0)
+		return (0);
+	if (statbuf.st_mtime <= confmod)
+		return (0);
+	if (isthreaded) {
+	    result = _pthread_mutex_trylock(&conf_lock);
+	    if (result != 0)
+		    return (0);
+	    _pthread_rwlock_unlock(&nss_lock);
+	    result = _pthread_rwlock_wrlock(&nss_lock);
+	    if (result != 0)
+		    goto fin2;
+	}
+	_nsyyin = fopen(path, "r");
+	if (_nsyyin == NULL)
+		goto fin;
+	VECTOR_FREE(_nsmap, &_nsmapsize, sizeof(*_nsmap),
+	    (vector_free_elem)ns_dbt_free);
+	VECTOR_FREE(_nsmod, &_nsmodsize, sizeof(*_nsmod),
+	    (vector_free_elem)ns_mod_free);
+	nss_load_builtin_modules();
+	_nsyyparse();
+	fclose(_nsyyin);
+	vector_sort(_nsmap, _nsmapsize, sizeof(*_nsmap), string_compare);
+	if (confmod == 0)
+		atexit(nss_atexit);
+	confmod = statbuf.st_mtime;
+
+#ifdef NS_CACHING
+	handle = dlopen(NULL, RTLD_LAZY | RTLD_GLOBAL);
+	if (handle != NULL) {
+		nss_cache_cycle_prevention_func = dlsym(handle,
+			"_nss_cache_cycle_prevention_function");
+		dlclose(handle);
+	}
+#endif
+fin:
+	if (isthreaded) {
+	    _pthread_rwlock_unlock(&nss_lock);
+	    if (result == 0)
+		    result = _pthread_rwlock_rdlock(&nss_lock);
+	}
+fin2:
+	if (isthreaded)
+		_pthread_mutex_unlock(&conf_lock);
+	return (result);
+}
+
+
+void
+_nsdbtput(const ns_dbt *dbt)
+{
+	unsigned int	 i;
+	ns_dbt		*p;
+
+	for (i = 0; i < _nsmapsize; i++) {
+		p = vector_ref(i, _nsmap, _nsmapsize, sizeof(*_nsmap));
+		if (string_compare(&dbt->name, &p->name) == 0) {
+			/* overwrite existing entry */
+			if (p->srclist != NULL)
+				ns_src_free(&p->srclist, p->srclistsize);
+			memmove(p, dbt, sizeof(*dbt));
+			return;
+		}
+	}
+	_nsmap = vector_append(dbt, _nsmap, &_nsmapsize, sizeof(*_nsmap));
+}
+
+
+static void
+ns_dbt_free(ns_dbt *dbt)
+{
+	ns_src_free(&dbt->srclist, dbt->srclistsize);
+	if (dbt->name)
+		free((void *)dbt->name);
+}
+
+
+static void
+ns_src_free(ns_src **src, int srclistsize)
+{
+	int	i;
+
+	for (i = 0; i < srclistsize; i++)
+		if ((*src)[i].name != NULL)
+			/* This one was allocated by nslexer. You'll just
+			 * have to trust me.
+			 */
+			free((void *)((*src)[i].name));
+	free(*src);
+	*src = NULL;
+}
+
+
+
+/*
+ * NSS module management.
+ */
+/* The built-in NSS modules are all loaded at once. */
+#define NSS_BACKEND(name, reg) \
+ns_mtab	*reg(unsigned int *, nss_module_unregister_fn *);
+#include "nss_backends.h"
+#undef NSS_BACKEND
+
+static void
+nss_load_builtin_modules(void)
+{
+#define NSS_BACKEND(name, reg) nss_load_module(#name, reg);
+#include "nss_backends.h"
+#undef NSS_BACKEND
+}
+
+
+/* Load a built-in or dynamically linked module.  If the `reg_fn'
+ * argument is non-NULL, assume a built-in module and use reg_fn to
+ * register it.  Otherwise, search for a dynamic NSS module.
+ */
+static void
+nss_load_module(const char *source, nss_module_register_fn reg_fn)
+{
+	char		 buf[PATH_MAX];
+	ns_mod		 mod;
+	nss_module_register_fn fn;
+
+	memset(&mod, 0, sizeof(mod));
+	mod.name = strdup(source);
+	if (mod.name == NULL) {
+		nss_log_simple(LOG_ERR, "memory allocation failure");
+		return;
+	}
+	if (reg_fn != NULL) {
+		/* The placeholder is required, as a NULL handle
+		 * represents an invalid module.
+		 */
+		mod.handle = nss_builtin_handle;
+		fn = reg_fn;
+	} else if (!is_dynamic())
+		goto fin;
+	else {
+		if (snprintf(buf, sizeof(buf), "nss_%s.so.%d", mod.name,
+		    NSS_MODULE_INTERFACE_VERSION) >= (int)sizeof(buf))
+			goto fin;
+		mod.handle = dlopen(buf, RTLD_LOCAL|RTLD_LAZY);
+		if (mod.handle == NULL) {
+#ifdef _NSS_DEBUG
+			/* This gets pretty annoying since the built-in
+			 * sources aren't modules yet.
+			 */
+			nss_log(LOG_DEBUG, "%s, %s", mod.name, dlerror());
+#endif
+			goto fin;
+		}
+		fn = (nss_module_register_fn)dlfunc(mod.handle,
+		    "nss_module_register");
+		if (fn == NULL) {
+			dlclose(mod.handle);
+			mod.handle = NULL;
+			nss_log(LOG_ERR, "%s, %s", mod.name, dlerror());
+			goto fin;
+		}
+	}
+	mod.mtab = fn(mod.name, &mod.mtabsize, &mod.unregister);
+	if (mod.mtab == NULL || mod.mtabsize == 0) {
+		if (mod.handle != nss_builtin_handle)
+			dlclose(mod.handle);
+		mod.handle = NULL;
+		nss_log(LOG_ERR, "%s, registration failed", mod.name);
+		goto fin;
+	}
+	if (mod.mtabsize > 1)
+		qsort(mod.mtab, mod.mtabsize, sizeof(mod.mtab[0]),
+		    mtab_compare);
+fin:
+	_nsmod = vector_append(&mod, _nsmod, &_nsmodsize, sizeof(*_nsmod));
+	vector_sort(_nsmod, _nsmodsize, sizeof(*_nsmod), string_compare);
+}
+
+
+
+static void
+ns_mod_free(ns_mod *mod)
+{
+
+	free(mod->name);
+	if (mod->handle == NULL)
+		return;
+	if (mod->unregister != NULL)
+		mod->unregister(mod->mtab, mod->mtabsize);
+	if (mod->handle != nss_builtin_handle)
+		dlclose(mod->handle);
+}
+
+
+
+/*
+ * Cleanup
+ */
+static void
+nss_atexit(void)
+{
+	int isthreaded;
+
+	isthreaded = __isthreaded;
+	if (isthreaded)
+		_pthread_rwlock_wrlock(&nss_lock);
+	VECTOR_FREE(_nsmap, &_nsmapsize, sizeof(*_nsmap),
+	    (vector_free_elem)ns_dbt_free);
+	VECTOR_FREE(_nsmod, &_nsmodsize, sizeof(*_nsmod),
+	    (vector_free_elem)ns_mod_free);
+	if (isthreaded)
+		_pthread_rwlock_unlock(&nss_lock);
+}
+
+
+
+/*
+ * Finally, the actual implementation.
+ */
+static nss_method
+nss_method_lookup(const char *source, const char *database,
+    const char *method, const ns_dtab disp_tab[], void **mdata)
+{
+	ns_mod	*mod;
+	ns_mtab	*match, key;
+	int	 i;
+
+	if (disp_tab != NULL)
+		for (i = 0; disp_tab[i].src != NULL; i++)
+			if (strcasecmp(source, disp_tab[i].src) == 0) {
+				*mdata = disp_tab[i].mdata;
+				return (disp_tab[i].method);
+			}
+	mod = vector_search(&source, _nsmod, _nsmodsize, sizeof(*_nsmod),
+	    string_compare);
+	if (mod != NULL && mod->handle != NULL) {
+		key.database = database;
+		key.name = method;
+		match = bsearch(&key, mod->mtab, mod->mtabsize,
+		    sizeof(mod->mtab[0]), mtab_compare);
+		if (match != NULL) {
+			*mdata = match->mdata;
+			return (match->method);
+		}
+	}
+
+	*mdata = NULL;
+	return (NULL);
+}
+
+
+__weak_reference(_nsdispatch, nsdispatch);
+
+int
+_nsdispatch(void *retval, const ns_dtab disp_tab[], const char *database,
+	    const char *method_name, const ns_src defaults[], ...)
+{
+	va_list		 ap;
+	const ns_dbt	*dbt;
+	const ns_src	*srclist;
+	nss_method	 method, fb_method;
+	void		*mdata;
+	int		 isthreaded, serrno, i, result, srclistsize;
+
+#ifdef NS_CACHING
+	nss_cache_data	 cache_data;
+	nss_cache_data	*cache_data_p;
+	int		 cache_flag;
+#endif
+
+	dbt = NULL;
+	fb_method = NULL;
+
+	isthreaded = __isthreaded;
+	serrno = errno;
+	if (isthreaded) {
+		result = _pthread_rwlock_rdlock(&nss_lock);
+		if (result != 0) {
+			result = NS_UNAVAIL;
+			goto fin;
+		}
+	}
+	result = nss_configure();
+	if (result != 0) {
+		result = NS_UNAVAIL;
+		goto fin;
+	}
+	if (fallback_dispatch == 0) {
+		dbt = vector_search(&database, _nsmap, _nsmapsize, sizeof(*_nsmap),
+		    string_compare);
+		fb_method = nss_method_lookup(NSSRC_FALLBACK, database,
+		    method_name, disp_tab, &mdata);
+	}
+
+	if (dbt != NULL) {
+		srclist = dbt->srclist;
+		srclistsize = dbt->srclistsize;
+	} else {
+		srclist = defaults;
+		srclistsize = 0;
+		while (srclist[srclistsize].name != NULL)
+			srclistsize++;
+	}
+
+#ifdef NS_CACHING
+	cache_data_p = NULL;
+	cache_flag = 0;
+#endif
+	for (i = 0; i < srclistsize; i++) {
+		result = NS_NOTFOUND;
+		method = nss_method_lookup(srclist[i].name, database,
+		    method_name, disp_tab, &mdata);
+
+		if (method != NULL) {
+#ifdef NS_CACHING
+			if (strcmp(srclist[i].name, NSSRC_CACHE) == 0 &&
+			    nss_cache_cycle_prevention_func == NULL) {
+#ifdef NS_STRICT_LIBC_EID_CHECKING
+				if (issetugid() != 0)
+					continue;
+#endif
+				cache_flag = 1;
+
+				memset(&cache_data, 0, sizeof(nss_cache_data));
+				cache_data.info = (nss_cache_info const *)mdata;
+				cache_data_p = &cache_data;
+
+				va_start(ap, defaults);
+				if (cache_data.info->id_func != NULL)
+					result = __nss_common_cache_read(retval,
+					    cache_data_p, ap);
+				else if (cache_data.info->marshal_func != NULL)
+					result = __nss_mp_cache_read(retval,
+					    cache_data_p, ap);
+				else
+					result = __nss_mp_cache_end(retval,
+					    cache_data_p, ap);
+				va_end(ap);
+			} else {
+				cache_flag = 0;
+				va_start(ap, defaults);
+				result = method(retval, mdata, ap);
+				va_end(ap);
+			}
+#else /* NS_CACHING */
+			va_start(ap, defaults);
+			result = method(retval, mdata, ap);
+			va_end(ap);
+#endif /* NS_CACHING */
+
+			if (result & (srclist[i].flags))
+				break;
+		} else {
+			if (fb_method != NULL) {
+				fallback_dispatch = 1;
+				va_start(ap, defaults);
+				result = fb_method(retval,
+				    (void *)srclist[i].name, ap);
+				va_end(ap);
+				fallback_dispatch = 0;
+			} else
+				nss_log(LOG_DEBUG, "%s, %s, %s, not found, "
+				    "and no fallback provided",
+				    srclist[i].name, database, method_name);
+		}
+	}
+
+#ifdef NS_CACHING
+	if (cache_data_p != NULL &&
+	    (result & (NS_NOTFOUND | NS_SUCCESS)) && cache_flag == 0) {
+		va_start(ap, defaults);
+		if (result == NS_SUCCESS) {
+			if (cache_data.info->id_func != NULL)
+				__nss_common_cache_write(retval, cache_data_p,
+				    ap);
+			else if (cache_data.info->marshal_func != NULL)
+				__nss_mp_cache_write(retval, cache_data_p, ap);
+		} else if (result == NS_NOTFOUND) {
+			if (cache_data.info->id_func == NULL) {
+				if (cache_data.info->marshal_func != NULL)
+					__nss_mp_cache_write_submit(retval,
+					    cache_data_p, ap);
+			} else
+				__nss_common_cache_write_negative(cache_data_p);
+		}
+		va_end(ap);
+	}
+#endif /* NS_CACHING */
+
+	if (isthreaded)
+		_pthread_rwlock_unlock(&nss_lock);
+fin:
+	errno = serrno;
+	return (result);
+}
diff --git a/lib/libc/net/nslexer.l b/lib/libc/net/nslexer.l
new file mode 100644
index 0000000000..e8211c1235
--- /dev/null
+++ b/lib/libc/net/nslexer.l
@@ -0,0 +1,115 @@
+%{
+/*	$NetBSD: nslexer.l,v 1.3 1999/01/25 00:16:17 lukem Exp $	*/
+
+/*-
+ * Copyright (c) 1997, 1998, 1999 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * This code is derived from software contributed to The NetBSD Foundation
+ * by Luke Mewburn.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *        This product includes software developed by the NetBSD
+ *        Foundation, Inc. and its contributors.
+ * 4. Neither the name of The NetBSD Foundation nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $FreeBSD: src/lib/libc/net/nslexer.l,v 1.5 2003/04/17 14:14:22 nectar Exp $
+ */
+
+
+#include "namespace.h"
+#include <ctype.h>
+#define _NS_PRIVATE
+#include <nsswitch.h>
+#include <string.h>
+#include <syslog.h>
+#include "un-namespace.h"
+
+#include "nsparser.h"
+
+#define YY_NO_UNPUT
+
+%}
+
+%option yylineno
+
+BLANK		[ \t]
+CR		\n
+STRING		[a-zA-Z][a-zA-Z0-9_]*
+
+%%
+
+{BLANK}+	;			/* skip whitespace */
+
+#.*		;			/* skip comments */
+
+\\{CR}		;			/* allow continuation */
+
+{CR}		return NL;
+
+[sS][uU][cC][cC][eE][sS][sS]		return SUCCESS;
+[uU][nN][aA][vV][aA][iI][lL]		return UNAVAIL;
+[nN][oO][tT][fF][oO][uU][nN][dD]	return NOTFOUND;
+[tT][rR][yY][aA][gG][aA][iI][nN]	return TRYAGAIN;
+
+[rR][eE][tT][uU][rR][nN]		return RETURN;
+[cC][oO][nN][tT][iI][nN][uU][eE]	return CONTINUE;
+
+{STRING}	{
+			char *p;
+			int i;
+
+			if ((p = strdup(yytext)) == NULL) {
+				syslog(LOG_ERR,
+			       "NSSWITCH(nslexer): memory allocation failure");
+				return ERRORTOKEN;
+			}
+			for (i = 0; i < strlen(p); i++) {
+				if (isupper((unsigned char)p[i]))
+					p[i] = tolower((unsigned char)p[i]);
+			}
+			_nsyylval.str = p;
+			return STRING;
+		}
+
+.		return yytext[0];
+
+%%
+
+#undef _nsyywrap
+int
+_nsyywrap(void)
+{
+	return 1;
+} /* _nsyywrap */
+
+void
+_nsyyerror(const char *msg)
+{
+
+	 syslog(LOG_ERR, "NSSWITCH(nslexer): %s line %d: %s at '%s'",
+	     _PATH_NS_CONF, yylineno, msg, yytext);
+} /* _nsyyerror */
diff --git a/lib/libc/net/nsparser.y b/lib/libc/net/nsparser.y
new file mode 100644
index 0000000000..2689efdb62
--- /dev/null
+++ b/lib/libc/net/nsparser.y
@@ -0,0 +1,182 @@
+%{
+/*	$NetBSD: nsparser.y,v 1.3 1999/01/25 00:16:18 lukem Exp $	*/
+
+/*-
+ * Copyright (c) 1997, 1998, 1999 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * This code is derived from software contributed to The NetBSD Foundation
+ * by Luke Mewburn.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *        This product includes software developed by the NetBSD
+ *        Foundation, Inc. and its contributors.
+ * 4. Neither the name of The NetBSD Foundation nor the names of its
+ *    contributors may be used to endorse or promote products derived
+ *    from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $FreeBSD: src/lib/libc/net/nsparser.y,v 1.6 2007/05/17 03:33:23 jon Exp $
+ */
+
+#include "namespace.h"
+#define _NS_PRIVATE
+#include <nsswitch.h>
+#include <stdio.h>
+#include <string.h>
+#include <syslog.h>
+#include "un-namespace.h"
+
+static	void	_nsaddsrctomap(const char *);
+
+static	ns_dbt		curdbt;
+static	ns_src		cursrc;
+%}
+
+%union {
+	char *str;
+	int   mapval;
+}
+
+%token	NL
+%token	SUCCESS UNAVAIL NOTFOUND TRYAGAIN
+%token	RETURN CONTINUE
+%token  ERRORTOKEN
+%token	<str> STRING
+
+%type	<mapval> Status Action
+
+%%
+
+File
+	:	/* empty */
+	| Lines
+	;
+
+Lines
+	: Entry
+	| Lines Entry
+	;
+
+Entry
+	: NL
+	| Database ':' NL
+		{
+			free((char*)curdbt.name);
+		}
+	| Database ':' Srclist NL
+		{
+			_nsdbtput(&curdbt);
+		}
+	| error NL
+		{
+			yyerrok;
+		}
+	;
+
+Database
+	: STRING
+		{
+			curdbt.name = yylval.str;
+			curdbt.srclist = NULL;
+			curdbt.srclistsize = 0;
+		}
+	;
+
+Srclist
+	: Item
+	| Srclist Item
+	;
+
+Item
+	: STRING
+		{
+			cursrc.flags = NS_TERMINATE;
+			_nsaddsrctomap($1);
+		}
+	| STRING '[' { cursrc.flags = NS_SUCCESS; } Criteria ']'
+		{
+			_nsaddsrctomap($1);
+		}
+	;
+
+Criteria
+	: Criterion
+	| Criteria Criterion
+	;
+
+Criterion
+	: Status '=' Action
+		{
+			if ($3)	     /* if action == RETURN set RETURN bit */
+				cursrc.flags |= $1;
+			else	     /* else unset it */
+				cursrc.flags &= ~$1;
+		}
+	;
+
+Status
+	: SUCCESS	{ $$ = NS_SUCCESS; }
+	| UNAVAIL	{ $$ = NS_UNAVAIL; }
+	| NOTFOUND	{ $$ = NS_NOTFOUND; }
+	| TRYAGAIN	{ $$ = NS_TRYAGAIN; }
+	;
+
+Action
+	: RETURN	{ $$ = NS_ACTION_RETURN; }
+	| CONTINUE	{ $$ = NS_ACTION_CONTINUE; }
+	;
+
+%%
+
+static void
+_nsaddsrctomap(const char *elem)
+{
+	int		i, lineno;
+	extern int	_nsyylineno;
+	extern char *	_nsyytext;
+
+	lineno = _nsyylineno - (*_nsyytext == '\n' ? 1 : 0);
+	if (curdbt.srclistsize > 0) {
+		if (((strcasecmp(elem, NSSRC_COMPAT) == 0) &&
+		    (strcasecmp(curdbt.srclist[0].name, NSSRC_CACHE) != 0)) ||
+		    (strcasecmp(curdbt.srclist[0].name, NSSRC_COMPAT) == 0)) {
+			syslog(LOG_ERR,
+	    "NSSWITCH(nsparser): %s line %d: 'compat' used with sources, other than 'cache'",
+			    _PATH_NS_CONF, lineno);
+			free((void*)elem);
+			return;
+		}
+	}
+	for (i = 0; i < curdbt.srclistsize; i++) {
+		if (strcasecmp(curdbt.srclist[i].name, elem) == 0) {
+			syslog(LOG_ERR,
+		       "NSSWITCH(nsparser): %s line %d: duplicate source '%s'",
+			    _PATH_NS_CONF, lineno, elem);
+			free((void*)elem);
+			return;
+		}
+	}
+	cursrc.name = elem;
+	_nsdbtaddsrc(&curdbt, &cursrc);
+}
diff --git a/lib/libc/net/getproto.c b/lib/libc/net/nss_backends.h
similarity index 54%
copy from lib/libc/net/getproto.c
copy to lib/libc/net/nss_backends.h
index e0a0085c50..e39a25a19f 100644
--- a/lib/libc/net/getproto.c
+++ b/lib/libc/net/nss_backends.h
@@ -1,6 +1,12 @@
-/*
- * Copyright (c) 1983, 1993
- *	The Regents of the University of California.  All rights reserved.
+/*-
+ * Copyright (c) 2003 Networks Associates Technology, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by
+ * Jacques A. Vidrine, Safeport Network Services, and Network
+ * Associates Laboratories, the Security Research Division of Network
+ * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
+ * ("CBOSS"), as part of the DARPA CHATS research program.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -10,14 +16,11 @@
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
@@ -26,24 +29,15 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * @(#)getproto.c	8.1 (Berkeley) 6/4/93
- * $DragonFly: src/lib/libc/net/getproto.c,v 1.5 2005/11/13 02:04:47 swildner Exp $
+ * $FreeBSD: src/lib/libc/net/nss_backends.h,v 1.1 2003/04/17 14:14:22 nectar Exp $
+ */
+/*
+ * Eventually, the implementations of existing built-in NSS functions
+ * may be moved into NSS modules and live here.
  */
-
-#include <netdb.h>
-
-extern int _proto_stayopen;
-
-struct protoent *
-getprotobynumber(int proto)
-{
-	struct protoent *p;
-
-	setprotoent(_proto_stayopen);
-	while ( (p = getprotoent()) )
-		if (p->p_proto == proto)
-			break;
-	if (!_proto_stayopen)
-		endprotoent();
-	return (p);
-}
+#if 0
+NSS_BACKEND(	files,	_files_nss_module_register	)
+NSS_BACKEND(	dns,	_dns_nss_module_register	)
+NSS_BACKEND(	nis,	_nis_nss_module_register	)
+NSS_BACKEND(	compat,	_compat_nss_module_register	)
+#endif
diff --git a/lib/libc/net/nss_compat.c b/lib/libc/net/nss_compat.c
new file mode 100644
index 0000000000..b5bfa87457
--- /dev/null
+++ b/lib/libc/net/nss_compat.c
@@ -0,0 +1,278 @@
+/*-
+ * Copyright (c) 2003 Networks Associates Technology, Inc.
+ * All rights reserved.
+ *
+ * This software was developed for the FreeBSD Project by
+ * Jacques A. Vidrine, Safeport Network Services, and Network
+ * Associates Laboratories, the Security Research Division of Network
+ * Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
+ * ("CBOSS"), as part of the DARPA CHATS research program.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * Compatibility shims for the GNU C Library-style nsswitch interface.
+ *
+ * $FreeBSD: src/lib/libc/net/nss_compat.c,v 1.3 2004/03/30 15:56:15 nectar Exp $
+ */
+
+#include "namespace.h"
+#include <sys/param.h>
+#include <errno.h>
+#include <nss.h>
+#include <pthread.h>
+#include <pthread_np.h>
+#include "un-namespace.h"
+#include "libc_private.h"
+
+
+struct group;
+struct passwd;
+
+static int	terminator;
+
+#define DECLARE_TERMINATOR(x)					\
+static pthread_key_t	 _term_key_##x;				\
+static void							\
+_term_create_##x(void)						\
+{								\
+	_pthread_key_create(&_term_key_##x, NULL);		\
+}								\
+static void		*_term_main_##x;			\
+static pthread_once_t	 _term_once_##x = PTHREAD_ONCE_INIT
+
+#define SET_TERMINATOR(x, y)						\
+do {									\
+	if (!__isthreaded || _pthread_main_np())			\
+		_term_main_##x = (y);					\
+	else {								\
+		_pthread_once(&_term_once_##x, _term_create_##x);	\
+		_pthread_setspecific(_term_key_##x, y);			\
+	}								\
+} while (0)
+
+#define CHECK_TERMINATOR(x)					\
+(!__isthreaded || _pthread_main_np() ?				\
+    (_term_main_##x) :						\
+    (_pthread_once(&_term_once_##x, _term_create_##x),		\
+    _pthread_getspecific(_term_key_##x)))
+
+
+
+DECLARE_TERMINATOR(group);
+
+
+int
+__nss_compat_getgrnam_r(void *retval, void *mdata, va_list ap)
+{
+	int (*fn)(const char *, struct group *, char *, size_t, int *);
+	const char	*name;
+	struct group	*grp;
+	char		*buffer;
+	int		*errnop;
+	size_t		 bufsize;
+	enum nss_status	 status;
+
+	fn = mdata;
+	name = va_arg(ap, const char *);
+	grp = va_arg(ap, struct group *);
+	buffer = va_arg(ap, char *);
+	bufsize = va_arg(ap, size_t);
+	errnop = va_arg(ap, int *);
+	status = fn(name, grp, buffer, bufsize, errnop);
+	status = __nss_compat_result(status, *errnop);
+	if (status == NS_SUCCESS)
+		*(struct group **)retval = grp;
+	return (status);
+}
+
+
+int
+__nss_compat_getgrgid_r(void *retval, void *mdata, va_list ap)
+{
+	int (*fn)(gid_t, struct group *, char *, size_t, int *);
+	gid_t		 gid;
+	struct group	*grp;
+	char		*buffer;
+	int		*errnop;
+	size_t		 bufsize;
+	enum nss_status	 status;
+
+	fn = mdata;
+	gid = va_arg(ap, gid_t);
+	grp = va_arg(ap, struct group *);
+	buffer = va_arg(ap, char *);
+	bufsize = va_arg(ap, size_t);
+	errnop = va_arg(ap, int *);
+	status = fn(gid, grp, buffer, bufsize, errnop);
+	status = __nss_compat_result(status, *errnop);
+	if (status == NS_SUCCESS)
+		*(struct group **)retval = grp;
+	return (status);
+}
+
+
+int
+__nss_compat_getgrent_r(void *retval, void *mdata, va_list ap)
+{
+	int (*fn)(struct group *, char *, size_t, int *);
+	struct group	*grp;
+	char		*buffer;
+	int		*errnop;
+	size_t		 bufsize;
+	enum nss_status	 status;
+
+	if (CHECK_TERMINATOR(group))
+		return (NS_NOTFOUND);
+	fn = mdata;
+	grp = va_arg(ap, struct group *);
+	buffer = va_arg(ap, char *);
+	bufsize = va_arg(ap, size_t);
+	errnop = va_arg(ap, int *);
+	status = fn(grp, buffer, bufsize, errnop);
+	status = __nss_compat_result(status, *errnop);
+	if (status == NS_SUCCESS)
+		*(struct group **)retval = grp;
+	else if (status != NS_RETURN)
+		SET_TERMINATOR(group, &terminator);
+	return (status);
+}
+
+
+int
+__nss_compat_setgrent(void *retval, void *mdata, va_list ap)
+{
+
+	SET_TERMINATOR(group, NULL);
+	((int (*)(void))mdata)();
+	return (NS_UNAVAIL);
+}
+
+
+int
+__nss_compat_endgrent(void *retval, void *mdata, va_list ap)
+{
+
+	SET_TERMINATOR(group, NULL);
+	((int (*)(void))mdata)();
+	return (NS_UNAVAIL);
+}
+
+
+
+DECLARE_TERMINATOR(passwd);
+
+
+int
+__nss_compat_getpwnam_r(void *retval, void *mdata, va_list ap)
+{
+	int (*fn)(const char *, struct passwd *, char *, size_t, int *);
+	const char	*name;
+	struct passwd	*pwd;
+	char		*buffer;
+	int		*errnop;
+	size_t		 bufsize;
+	enum nss_status	 status;
+
+	fn = mdata;
+	name = va_arg(ap, const char *);
+	pwd = va_arg(ap, struct passwd *);
+	buffer = va_arg(ap, char *);
+	bufsize = va_arg(ap, size_t);
+	errnop = va_arg(ap, int *);
+	status = fn(name, pwd, buffer, bufsize, errnop);
+	status = __nss_compat_result(status, *errnop);
+	if (status == NS_SUCCESS)
+		*(struct passwd **)retval = pwd;
+	return (status);
+}
+
+
+int
+__nss_compat_getpwuid_r(void *retval, void *mdata, va_list ap)
+{
+	int (*fn)(uid_t, struct passwd *, char *, size_t, int *);
+	uid_t		 uid;
+	struct passwd	*pwd;
+	char		*buffer;
+	int		*errnop;
+	size_t		 bufsize;
+	enum nss_status	 status;
+
+	fn = mdata;
+	uid = va_arg(ap, uid_t);
+	pwd = va_arg(ap, struct passwd *);
+	buffer = va_arg(ap, char *);
+	bufsize = va_arg(ap, size_t);
+	errnop = va_arg(ap, int *);
+	status = fn(uid, pwd, buffer, bufsize, errnop);
+	status = __nss_compat_result(status, *errnop);
+	if (status == NS_SUCCESS)
+		*(struct passwd **)retval = pwd;
+	return (status);
+}
+
+
+int
+__nss_compat_getpwent_r(void *retval, void *mdata, va_list ap)
+{
+	int (*fn)(struct passwd *, char *, size_t, int *);
+	struct passwd	*pwd;
+	char		*buffer;
+	int		*errnop;
+	size_t		 bufsize;
+	enum nss_status	 status;
+
+	if (CHECK_TERMINATOR(passwd))
+		return (NS_NOTFOUND);
+	fn = mdata;
+	pwd = va_arg(ap, struct passwd *);
+	buffer = va_arg(ap, char *);
+	bufsize = va_arg(ap, size_t);
+	errnop = va_arg(ap, int *);
+	status = fn(pwd, buffer, bufsize, errnop);
+	status = __nss_compat_result(status, *errnop);
+	if (status == NS_SUCCESS)
+		*(struct passwd **)retval = pwd;
+	else if (status != NS_RETURN)
+		SET_TERMINATOR(passwd, &terminator);
+	return (status);
+}
+
+
+int
+__nss_compat_setpwent(void *retval, void *mdata, va_list ap)
+{
+
+	SET_TERMINATOR(passwd, NULL);
+	((int (*)(void))mdata)();
+	return (NS_UNAVAIL);
+}
+
+
+int
+__nss_compat_endpwent(void *retval, void *mdata, va_list ap)
+{
+
+	SET_TERMINATOR(passwd, NULL);
+	((int (*)(void))mdata)();
+	return (NS_UNAVAIL);
+}
diff --git a/lib/libc/rpc/getrpcent.c b/lib/libc/rpc/getrpcent.c
index f5239d4d71..a5b8b55878 100644
--- a/lib/libc/rpc/getrpcent.c
+++ b/lib/libc/rpc/getrpcent.c
@@ -29,7 +29,7 @@
  *
  * @(#)getrpcent.c 1.14 91/03/11 Copyr 1984 Sun Micro
  * $NetBSD: getrpcent.c,v 1.17 2000/01/22 22:19:17 mycroft Exp $
- * $FreeBSD: src/lib/libc/rpc/getrpcent.c,v 1.14 2003/02/27 13:40:01 nectar Exp $
+ * $FreeBSD: src/lib/libc/rpc/getrpcent.c,v 1.16 2007/05/17 03:34:33 jon Exp $
  * $DragonFly: src/lib/libc/rpc/getrpcent.c,v 1.4 2005/11/13 12:27:04 swildner Exp $
  */
 
@@ -37,276 +37,1008 @@
  * Copyright (c) 1984 by Sun Microsystems, Inc.
  */
 
-#include "namespace.h"
+#include <sys/param.h>
 #include <sys/types.h>
-
-#include <netinet/in.h>
+#include <sys/socket.h>
 #include <arpa/inet.h>
-
 #include <assert.h>
-#include <netdb.h>
+#include <errno.h>
+#include <nsswitch.h>
+#include <netinet/in.h>
 #include <stdio.h>
-#include <stdlib.h>
 #include <string.h>
-
+#include <stdarg.h>
+#include <stdlib.h>
 #include <rpc/rpc.h>
 #ifdef YP
 #include <rpcsvc/yp_prot.h>
 #include <rpcsvc/ypclnt.h>
 #endif
+#include <unistd.h>
+#include "namespace.h"
+#include "reentrant.h"
 #include "un-namespace.h"
 #include "libc_private.h"
+#include "nss_tls.h"
+#ifdef NS_CACHING
+#include "nscache.h"
+#endif
 
-/*
- * Internet version.
- */
-static struct rpcdata {
-	FILE	*rpcf;
+#define	RPCDB	"/etc/rpc"
+
+/* nsswitch declarations */
+enum constants
+{
+	SETRPCENT = 1,
+	ENDRPCENT = 2,
+	RPCENT_STORAGE_INITIAL	= 1 << 10, /* 1 KByte */
+	RPCENT_STORAGE_MAX	= 1 << 20, /* 1 MByte */
+};
+
+static const ns_src defaultsrc[] = {
+	{ NSSRC_FILES, NS_SUCCESS },
+#ifdef YP
+	{ NSSRC_NIS, NS_SUCCESS },
+#endif
+	{ NULL, 0 }
+};
+
+/* files backend declarations */
+struct files_state {
+	FILE	*fp;
 	int	stayopen;
-#define	MAXALIASES	35
-	char	*rpc_aliases[MAXALIASES];
-	struct	rpcent rpc;
-	char	line[BUFSIZ+1];
-#ifdef	YP
-	char	*domain;
+};
+
+static	int	files_rpcent(void *, void *, va_list);
+static	int	files_setrpcent(void *, void *, va_list);
+
+static	void	files_endstate(void *);
+NSS_TLS_HANDLING(files);
+
+/* nis backend declarations */
+#ifdef YP
+struct nis_state {
+	char	domain[MAXHOSTNAMELEN];
 	char	*current;
 	int	currentlen;
+	int	stepping;
+	int	no_name_map;
+};
+
+static	int	nis_rpcent(void *, void *, va_list);
+static	int	nis_setrpcent(void *, void *, va_list);
+
+static	void	nis_endstate(void *);
+NSS_TLS_HANDLING(nis);
 #endif
-} *rpcdata;
 
-static	struct rpcent *interpret(char *val, size_t len);
+/* get** wrappers for get**_r functions declarations */
+struct rpcent_state {
+	struct rpcent	rpc;
+	char		*buffer;
+	size_t	bufsize;
+};
+static	void	rpcent_endstate(void *);
+NSS_TLS_HANDLING(rpcent);
 
-#ifdef	YP
-static int	__yp_nomap = 0;
-#endif	/* YP */
+union key {
+	const char	*name;
+	int		number;
+};
 
-#define	RPCDB	"/etc/rpc"
+static int wrap_getrpcbyname_r(union key, struct rpcent *, char *,
+			size_t, struct rpcent **);
+static int wrap_getrpcbynumber_r(union key, struct rpcent *, char *,
+			size_t, struct rpcent **);
+static int wrap_getrpcent_r(union key, struct rpcent *, char *,
+			size_t, struct rpcent **);
+static struct rpcent *getrpc(int (*fn)(union key, struct rpcent *, char *,
+			size_t, struct rpcent **), union key);
 
-static struct rpcdata *_rpcdata(void);
+#ifdef NS_CACHING
+static int rpc_id_func(char *, size_t *, va_list, void *);
+static int rpc_marshal_func(char *, size_t *, void *, va_list, void *);
+static int rpc_unmarshal_func(char *, size_t, void *, va_list, void *);
+#endif
 
-static struct rpcdata *
-_rpcdata(void)
+static int
+rpcent_unpack(char *p, struct rpcent *rpc, char **r_aliases,
+	size_t aliases_size, int *errnop)
 {
-	struct rpcdata *d = rpcdata;
+	char *cp, **q;
 
-	if (d == 0) {
-		d = (struct rpcdata *)calloc(1, sizeof (struct rpcdata));
-		rpcdata = d;
+	assert(p != NULL);
+
+	if (*p == '#')
+		return (-1);
+	cp = strpbrk(p, "#\n");
+	if (cp == NULL)
+		return (-1);
+	*cp = '\0';
+	cp = strpbrk(p, " \t");
+	if (cp == NULL)
+		return (-1);
+	*cp++ = '\0';
+	/* THIS STUFF IS INTERNET SPECIFIC */
+	rpc->r_name = p;
+	while (*cp == ' ' || *cp == '\t')
+		cp++;
+	rpc->r_number = atoi(cp);
+	q = rpc->r_aliases = r_aliases;
+	cp = strpbrk(cp, " \t");
+	if (cp != NULL)
+		*cp++ = '\0';
+	while (cp && *cp) {
+		if (*cp == ' ' || *cp == '\t') {
+			cp++;
+			continue;
+		}
+		if (q < &(r_aliases[aliases_size - 1]))
+			*q++ = cp;
+		else {
+			*errnop = ERANGE;
+			return -1;
+		}
+
+		cp = strpbrk(cp, " \t");
+		if (cp != NULL)
+			*cp++ = '\0';
 	}
-	return (d);
+	*q = NULL;
+	return 0;
 }
 
-struct rpcent *
-getrpcbynumber(int number)
+/* files backend implementation */
+static	void
+files_endstate(void *p)
 {
-#ifdef	YP
-	int reason;
-	char adrstr[16];
-#endif
-	struct rpcent *p;
-	struct rpcdata *d = _rpcdata();
+	FILE * f;
 
-	if (d == 0)
-		return (0);
-#ifdef	YP
-        if (!__yp_nomap && _yp_check(&d->domain)) {
-                sprintf(adrstr, "%d", number);
-                reason = yp_match(d->domain, "rpc.bynumber", adrstr, strlen(adrstr),
-                                  &d->current, &d->currentlen);
-                switch(reason) {
-                case 0:
-                        break;
-                case YPERR_MAP:
-                        __yp_nomap = 1;
-                        goto no_yp;
-                        break;
-                default:
-                        return(0);
-                        break;
-                }
-                d->current[d->currentlen] = '\0';
-                p = interpret(d->current, d->currentlen);
-                free(d->current);
-                return p;
-        }
-no_yp:
-#endif	/* YP */
-
-	setrpcent(0);
-	while ((p = getrpcent()) != NULL) {
-		if (p->r_number == number)
-			break;
-	}
-	endrpcent();
-	return (p);
+	if (p == NULL)
+		return;
+
+	f = ((struct files_state *)p)->fp;
+	if (f != NULL)
+		fclose(f);
+
+	free(p);
 }
 
-struct rpcent *
-getrpcbyname(char *name)
+static int
+files_rpcent(void *retval, void *mdata, va_list ap)
 {
-	struct rpcent *rpc = NULL;
+	char *name;
+	int number;
+	struct rpcent *rpc;
+	char *buffer;
+	size_t bufsize;
+	int *errnop;
+
+	char *line;
+	size_t linesize;
+	char **aliases;
+	int aliases_size;
 	char **rp;
 
-	assert(name != NULL);
+	struct files_state	*st;
+	int rv;
+	int stayopen;
+	enum nss_lookup_type how;
+
+	how = (enum nss_lookup_type)mdata;
+	switch (how)
+	{
+	case nss_lt_name:
+		name = va_arg(ap, char *);
+		break;
+	case nss_lt_id:
+		number = va_arg(ap, int);
+		break;
+	case nss_lt_all:
+		break;
+	default:
+		return (NS_NOTFOUND);
+	}
+
+	rpc = va_arg(ap, struct rpcent *);
+	buffer = va_arg(ap, char *);
+	bufsize = va_arg(ap, size_t);
+	errnop = va_arg(ap, int *);
+
+	*errnop = files_getstate(&st);
+	if (*errnop != 0)
+		return (NS_UNAVAIL);
+
+	if (st->fp == NULL && (st->fp = fopen(RPCDB, "r")) == NULL) {
+		*errnop = errno;
+		return (NS_UNAVAIL);
+	}
+
+	if (how == nss_lt_all)
+		stayopen = 1;
+	else {
+		rewind(st->fp);
+		stayopen = st->stayopen;
+	}
+
+	do {
+		if ((line = fgetln(st->fp, &linesize)) == NULL) {
+			*errnop = errno;
+			rv = NS_RETURN;
+			break;
+		}
+
+		if (bufsize <= linesize + _ALIGNBYTES + sizeof(char *)) {
+			*errnop = ERANGE;
+			rv = NS_RETURN;
+			break;
+		}
+
+		aliases = (char **)_ALIGN(&buffer[linesize+1]);
+		aliases_size = (buffer + bufsize -
+			(char *)aliases)/sizeof(char *);
+		if (aliases_size < 1) {
+			*errnop = ERANGE;
+			rv = NS_RETURN;
+			break;
+		}
+
+		memcpy(buffer, line, linesize);
+		buffer[linesize] = '\0';
 
-	setrpcent(0);
-	while ((rpc = getrpcent()) != NULL) {
-		if (strcmp(rpc->r_name, name) == 0)
-			goto done;
-		for (rp = rpc->r_aliases; *rp != NULL; rp++) {
-			if (strcmp(*rp, name) == 0)
+		rv = rpcent_unpack(buffer, rpc, aliases, aliases_size, errnop);
+		if (rv != 0) {
+			if (*errnop == 0) {
+				rv = NS_NOTFOUND;
+				continue;
+			}
+			else {
+				rv = NS_RETURN;
+				break;
+			}
+		}
+
+		switch (how)
+		{
+		case nss_lt_name:
+			if (strcmp(rpc->r_name, name) == 0)
 				goto done;
+			for (rp = rpc->r_aliases; *rp != NULL; rp++) {
+				if (strcmp(*rp, name) == 0)
+					goto done;
+			}
+			rv = NS_NOTFOUND;
+			continue;
+done:
+			rv = NS_SUCCESS;
+			break;
+		case nss_lt_id:
+			rv = (rpc->r_number == number) ? NS_SUCCESS :
+				NS_NOTFOUND;
+			break;
+		case nss_lt_all:
+			rv = NS_SUCCESS;
+			break;
 		}
+
+	} while (!(rv & NS_TERMINATE));
+
+	if (!stayopen && st->fp!=NULL) {
+		fclose(st->fp);
+		st->fp = NULL;
 	}
-done:
-	endrpcent();
-	return (rpc);
+
+	if ((rv == NS_SUCCESS) && (retval != NULL))
+		*((struct rpcent **)retval) = rpc;
+
+	return (rv);
 }
 
-void
-setrpcent(int f)
+static int
+files_setrpcent(void *retval, void *mdata, va_list ap)
 {
-	struct rpcdata *d = _rpcdata();
+	struct files_state	*st;
+	int	rv;
+	int	f;
+
+	rv = files_getstate(&st);
+	if (rv != 0)
+		return (NS_UNAVAIL);
+
+	switch ((enum constants)mdata)
+	{
+	case SETRPCENT:
+		f = va_arg(ap,int);
+		if (st->fp == NULL)
+			st->fp = fopen(RPCDB, "r");
+		else
+			rewind(st->fp);
+		st->stayopen |= f;
+		break;
+	case ENDRPCENT:
+		if (st->fp != NULL) {
+			fclose(st->fp);
+			st->fp = NULL;
+		}
+		st->stayopen = 0;
+		break;
+	default:
+		break;
+	}
 
-	if (d == 0)
+	return (NS_UNAVAIL);
+}
+
+/* nis backend implementation */
+#ifdef YP
+static 	void
+nis_endstate(void *p)
+{
+	if (p == NULL)
 		return;
-#ifdef	YP
-        if (!__yp_nomap && _yp_check(NULL)) {
-                if (d->current)
-                        free(d->current);
-                d->current = NULL;
-                d->currentlen = 0;
-                return;
-        }
-        __yp_nomap = 0;
-#endif	/* YP */
-	if (d->rpcf == NULL)
-		d->rpcf = fopen(RPCDB, "r");
-	else
-		rewind(d->rpcf);
-	d->stayopen |= f;
+
+	free(((struct nis_state *)p)->current);
+	free(p);
 }
 
-void
-endrpcent(void)
+static int
+nis_rpcent(void *retval, void *mdata, va_list ap)
 {
-	struct rpcdata *d = _rpcdata();
+	char		*name;
+	int		number;
+	struct rpcent	*rpc;
+	char		*buffer;
+	size_t	bufsize;
+	int		*errnop;
 
-	if (d == 0)
-		return;
-#ifdef	YP
-        if (!__yp_nomap && _yp_check(NULL)) {
-        	if (d->current && !d->stayopen)
-                        free(d->current);
-                d->current = NULL;
-                d->currentlen = 0;
-                return;
-        }
-        __yp_nomap = 0;
-#endif	/* YP */
-	if (d->rpcf && !d->stayopen) {
-		fclose(d->rpcf);
-		d->rpcf = NULL;
+	char		**rp;
+	char		**aliases;
+	int		aliases_size;
+
+	char	*lastkey;
+	char	*resultbuf;
+	int	resultbuflen;
+	char	buf[YPMAXRECORD + 2];
+
+	struct nis_state	*st;
+	int		rv;
+	enum nss_lookup_type	how;
+	int	no_name_active;
+
+	how = (enum nss_lookup_type)mdata;
+	switch (how)
+	{
+	case nss_lt_name:
+		name = va_arg(ap, char *);
+		break;
+	case nss_lt_id:
+		number = va_arg(ap, int);
+		break;
+	case nss_lt_all:
+		break;
+	default:
+		return (NS_NOTFOUND);
+	}
+
+	rpc = va_arg(ap, struct rpcent *);
+	buffer = va_arg(ap, char *);
+	bufsize = va_arg(ap, size_t);
+	errnop = va_arg(ap, int *);
+
+	*errnop = nis_getstate(&st);
+	if (*errnop != 0)
+		return (NS_UNAVAIL);
+
+	if (st->domain[0] == '\0') {
+		if (getdomainname(st->domain, sizeof(st->domain)) != 0) {
+			*errnop = errno;
+			return (NS_UNAVAIL);
+		}
 	}
+
+	no_name_active = 0;
+	do {
+		switch (how)
+		{
+		case nss_lt_name:
+			if (!st->no_name_map)
+			{
+				snprintf(buf, sizeof buf, "%s", name);
+				rv = yp_match(st->domain, "rpc.byname", buf,
+					strlen(buf), &resultbuf, &resultbuflen);
+
+				switch (rv) {
+				case 0:
+					break;
+				case YPERR_MAP:
+					st->stepping = 0;
+					no_name_active = 1;
+					how = nss_lt_all;
+
+					rv = NS_NOTFOUND;
+					continue;
+				default:
+					rv = NS_NOTFOUND;
+					goto fin;
+				}
+			} else {
+				st->stepping = 0;
+				no_name_active = 1;
+				how = nss_lt_all;
+
+				rv = NS_NOTFOUND;
+				continue;
+			}
+		break;
+		case nss_lt_id:
+			snprintf(buf, sizeof buf, "%d", number);
+			if (yp_match(st->domain, "rpc.bynumber", buf,
+				strlen(buf), &resultbuf, &resultbuflen)) {
+				rv = NS_NOTFOUND;
+				goto fin;
+			}
+			break;
+		case nss_lt_all:
+				if (!st->stepping) {
+					rv = yp_first(st->domain, "rpc.bynumber",
+						&st->current,
+						&st->currentlen, &resultbuf,
+						&resultbuflen);
+					if (rv) {
+						rv = NS_NOTFOUND;
+						goto fin;
+					}
+					st->stepping = 1;
+				} else {
+					lastkey = st->current;
+					rv = yp_next(st->domain, "rpc.bynumber",
+						st->current,
+						st->currentlen, &st->current,
+						&st->currentlen,
+						&resultbuf,	&resultbuflen);
+					free(lastkey);
+					if (rv) {
+						st->stepping = 0;
+						rv = NS_NOTFOUND;
+						goto fin;
+					}
+				}
+			break;
+		}
+
+		/* we need a room for additional \n symbol */
+		if (bufsize <= resultbuflen + 1 + _ALIGNBYTES +
+		    sizeof(char *)) {
+			*errnop = ERANGE;
+			rv = NS_RETURN;
+			break;
+		}
+
+		aliases=(char **)_ALIGN(&buffer[resultbuflen+2]);
+		aliases_size = (buffer + bufsize - (char *)aliases) /
+			sizeof(char *);
+		if (aliases_size < 1) {
+			*errnop = ERANGE;
+			rv = NS_RETURN;
+			break;
+		}
+
+		/*
+		 * rpcent_unpack expects lines terminated with \n -- make it happy
+		 */
+		memcpy(buffer, resultbuf, resultbuflen);
+		buffer[resultbuflen] = '\n';
+		buffer[resultbuflen+1] = '\0';
+		free(resultbuf);
+
+		if (rpcent_unpack(buffer, rpc, aliases, aliases_size,
+		    errnop) != 0) {
+			if (*errnop == 0)
+				rv = NS_NOTFOUND;
+			else
+				rv = NS_RETURN;
+		} else {
+			if ((how == nss_lt_all) && (no_name_active != 0)) {
+				if (strcmp(rpc->r_name, name) == 0)
+					goto done;
+				for (rp = rpc->r_aliases; *rp != NULL; rp++) {
+					if (strcmp(*rp, name) == 0)
+						goto done;
+				}
+				rv = NS_NOTFOUND;
+				continue;
+done:
+				rv = NS_SUCCESS;
+			} else
+				rv = NS_SUCCESS;
+		}
+
+	} while (!(rv & NS_TERMINATE) && (how == nss_lt_all));
+
+fin:
+	if ((rv == NS_SUCCESS) && (retval != NULL))
+		*((struct rpcent **)retval) = rpc;
+
+	return (rv);
 }
 
-struct rpcent *
-getrpcent(void)
+static int
+nis_setrpcent(void *retval, void *mdata, va_list ap)
 {
-	struct rpcdata *d = _rpcdata();
-#ifdef	YP
-	struct rpcent *hp;
-	int reason;
-	char *val = NULL;
-	int vallen;
+	struct nis_state	*st;
+	int	rv;
+
+	rv = nis_getstate(&st);
+	if (rv != 0)
+		return (NS_UNAVAIL);
+
+	switch ((enum constants)mdata)
+	{
+	case SETRPCENT:
+	case ENDRPCENT:
+		free(st->current);
+		st->current = NULL;
+		st->stepping = 0;
+		break;
+	default:
+		break;
+	}
+
+	return (NS_UNAVAIL);
+}
 #endif
 
-	if (d == 0)
-		return(NULL);
-#ifdef	YP
-        if (!__yp_nomap && _yp_check(&d->domain)) {
-                if (d->current == NULL && d->currentlen == 0) {
-                        reason = yp_first(d->domain, "rpc.bynumber",
-                                          &d->current, &d->currentlen,
-                                          &val, &vallen);
-                } else {
-                        reason = yp_next(d->domain, "rpc.bynumber",
-                                         d->current, d->currentlen,
-                                         &d->current, &d->currentlen,
-                                         &val, &vallen);
-                }
-                switch(reason) {
-                case 0:
-                        break;
-                case YPERR_MAP:
-                        __yp_nomap = 1;
-                        goto no_yp;
-                        break;
-                default:
-                        return(0);
-                        break;
-                }
-                val[vallen] = '\0';
-                hp = interpret(val, vallen);
-                free(val);
-                return hp;
-        }
-no_yp:
-#endif	/* YP */
-	if (d->rpcf == NULL && (d->rpcf = fopen(RPCDB, "r")) == NULL)
-		return (NULL);
-	/* -1 so there is room to append a \n below */
-        if (fgets(d->line, BUFSIZ - 1, d->rpcf) == NULL)
-		return (NULL);
-	return (interpret(d->line, strlen(d->line)));
+#ifdef NS_CACHING
+static int
+rpc_id_func(char *buffer, size_t *buffer_size, va_list ap, void *cache_mdata)
+{
+	char *name;
+	int rpc;
+
+	size_t desired_size, size;
+	enum nss_lookup_type lookup_type;
+	int res = NS_UNAVAIL;
+
+	lookup_type = (enum nss_lookup_type)cache_mdata;
+	switch (lookup_type) {
+	case nss_lt_name:
+		name = va_arg(ap, char *);
+
+		size = strlen(name);
+		desired_size = sizeof(enum nss_lookup_type) + size + 1;
+		if (desired_size > *buffer_size) {
+			res = NS_RETURN;
+			goto fin;
+		}
+
+		memcpy(buffer, &lookup_type, sizeof(enum nss_lookup_type));
+		memcpy(buffer + sizeof(enum nss_lookup_type), name, size + 1);
+
+		res = NS_SUCCESS;
+		break;
+	case nss_lt_id:
+		rpc = va_arg(ap, int);
+
+		desired_size = sizeof(enum nss_lookup_type) + sizeof(int);
+		if (desired_size > *buffer_size) {
+			res = NS_RETURN;
+			goto fin;
+		}
+
+		memcpy(buffer, &lookup_type, sizeof(enum nss_lookup_type));
+		memcpy(buffer + sizeof(enum nss_lookup_type), &rpc,
+		    sizeof(int));
+
+		res = NS_SUCCESS;
+		break;
+	default:
+		/* should be unreachable */
+		return (NS_UNAVAIL);
+	}
+
+fin:
+	*buffer_size = desired_size;
+	return (res);
 }
 
-static struct rpcent *
-interpret(char *val, size_t len)
+static int
+rpc_marshal_func(char *buffer, size_t *buffer_size, void *retval, va_list ap,
+    void *cache_mdata)
 {
-	struct rpcdata *d = _rpcdata();
+	char *name;
+	int num;
+	struct rpcent *rpc;
+	char *orig_buf;
+	size_t orig_buf_size;
+
+	struct rpcent new_rpc;
+	size_t desired_size, size, aliases_size;
 	char *p;
-	char *cp, **q;
+	char **alias;
 
-	assert(val != NULL);
+	switch ((enum nss_lookup_type)cache_mdata) {
+	case nss_lt_name:
+		name = va_arg(ap, char *);
+		break;
+	case nss_lt_id:
+		num = va_arg(ap, int);
+		break;
+	case nss_lt_all:
+		break;
+	default:
+		/* should be unreachable */
+		return (NS_UNAVAIL);
+	}
 
-	if (d == 0)
-		return (0);
-	strncpy(d->line, val, BUFSIZ);
-	d->line[BUFSIZ] = '\0';
-	p = d->line;
-	p[len] = '\n';
-	if (*p == '#')
-		return (getrpcent());
-	cp = strpbrk(p, "#\n");
-	if (cp == NULL)
-		return (getrpcent());
-	*cp = '\0';
-	cp = strpbrk(p, " \t");
-	if (cp == NULL)
-		return (getrpcent());
-	*cp++ = '\0';
-	/* THIS STUFF IS INTERNET SPECIFIC */
-	d->rpc.r_name = d->line;
-	while (*cp == ' ' || *cp == '\t')
-		cp++;
-	d->rpc.r_number = atoi(cp);
-	q = d->rpc.r_aliases = d->rpc_aliases;
-	cp = strpbrk(cp, " \t");
-	if (cp != NULL)
-		*cp++ = '\0';
-	while (cp && *cp) {
-		if (*cp == ' ' || *cp == '\t') {
-			cp++;
-			continue;
+	rpc = va_arg(ap, struct rpcent *);
+	orig_buf = va_arg(ap, char *);
+	orig_buf_size = va_arg(ap, size_t);
+
+	desired_size = _ALIGNBYTES + sizeof(struct rpcent) + sizeof(char *);
+	if (rpc->r_name != NULL)
+		desired_size += strlen(rpc->r_name) + 1;
+
+	if (rpc->r_aliases != NULL) {
+		aliases_size = 0;
+		for (alias = rpc->r_aliases; *alias; ++alias) {
+			desired_size += strlen(*alias) + 1;
+			++aliases_size;
 		}
-		if (q < &(d->rpc_aliases[MAXALIASES - 1]))
-			*q++ = cp;
-		cp = strpbrk(cp, " \t");
-		if (cp != NULL)
-			*cp++ = '\0';
+
+		desired_size += _ALIGNBYTES + (aliases_size + 1) *
+		    sizeof(char *);
 	}
-	*q = NULL;
-	return (&d->rpc);
+
+	if (*buffer_size < desired_size) {
+		/* this assignment is here for future use */
+		*buffer_size = desired_size;
+		return (NS_RETURN);
+	}
+
+	memcpy(&new_rpc, rpc, sizeof(struct rpcent));
+
+	*buffer_size = desired_size;
+	memset(buffer, 0, desired_size);
+	p = buffer + sizeof(struct rpcent) + sizeof(char *);
+	memcpy(buffer + sizeof(struct rpcent), &p, sizeof(char *));
+	p = (char *)_ALIGN(p);
+
+	if (new_rpc.r_name != NULL) {
+		size = strlen(new_rpc.r_name);
+		memcpy(p, new_rpc.r_name, size);
+		new_rpc.r_name = p;
+		p += size + 1;
+	}
+
+	if (new_rpc.r_aliases != NULL) {
+		p = (char *)_ALIGN(p);
+		memcpy(p, new_rpc.r_aliases, sizeof(char *) * aliases_size);
+		new_rpc.r_aliases = (char **)p;
+		p += sizeof(char *) * (aliases_size + 1);
+
+		for (alias = new_rpc.r_aliases; *alias; ++alias) {
+			size = strlen(*alias);
+			memcpy(p, *alias, size);
+			*alias = p;
+			p += size + 1;
+		}
+	}
+
+	memcpy(buffer, &new_rpc, sizeof(struct rpcent));
+	return (NS_SUCCESS);
+}
+
+static int
+rpc_unmarshal_func(char *buffer, size_t buffer_size, void *retval, va_list ap,
+    void *cache_mdata)
+{
+	char *name;
+	int num;
+	struct rpcent *rpc;
+	char *orig_buf;
+	size_t orig_buf_size;
+	int *ret_errno;
+
+	char *p;
+	char **alias;
+
+	switch ((enum nss_lookup_type)cache_mdata) {
+	case nss_lt_name:
+		name = va_arg(ap, char *);
+		break;
+	case nss_lt_id:
+		num = va_arg(ap, int);
+		break;
+	case nss_lt_all:
+		break;
+	default:
+		/* should be unreachable */
+		return (NS_UNAVAIL);
+	}
+
+	rpc = va_arg(ap, struct rpcent *);
+	orig_buf = va_arg(ap, char *);
+	orig_buf_size = va_arg(ap, size_t);
+	ret_errno = va_arg(ap, int *);
+
+	if (orig_buf_size <
+	    buffer_size - sizeof(struct rpcent) - sizeof(char *)) {
+		*ret_errno = ERANGE;
+		return (NS_RETURN);
+	}
+
+	memcpy(rpc, buffer, sizeof(struct rpcent));
+	memcpy(&p, buffer + sizeof(struct rpcent), sizeof(char *));
+
+	orig_buf = (char *)_ALIGN(orig_buf);
+	memcpy(orig_buf, buffer + sizeof(struct rpcent) + sizeof(char *) +
+	    _ALIGN(p) - (size_t)p,
+	    buffer_size - sizeof(struct rpcent) - sizeof(char *) -
+	    _ALIGN(p) + (size_t)p);
+	p = (char *)_ALIGN(p);
+
+	NS_APPLY_OFFSET(rpc->r_name, orig_buf, p, char *);
+	if (rpc->r_aliases != NULL) {
+		NS_APPLY_OFFSET(rpc->r_aliases, orig_buf, p, char **);
+
+		for (alias = rpc->r_aliases	; *alias; ++alias)
+			NS_APPLY_OFFSET(*alias, orig_buf, p, char *);
+	}
+
+	if (retval != NULL)
+		*((struct rpcent **)retval) = rpc;
+
+	return (NS_SUCCESS);
+}
+
+NSS_MP_CACHE_HANDLING(rpc);
+#endif /* NS_CACHING */
+
+
+/* get**_r functions implementation */
+static int
+getrpcbyname_r(const char *name, struct rpcent *rpc, char *buffer,
+	size_t bufsize, struct rpcent **result)
+{
+#ifdef NS_CACHING
+	static const nss_cache_info cache_info =
+		NS_COMMON_CACHE_INFO_INITIALIZER(
+		rpc, (void *)nss_lt_name,
+		rpc_id_func, rpc_marshal_func, rpc_unmarshal_func);
+#endif
+	static const ns_dtab dtab[] = {
+		{ NSSRC_FILES, files_rpcent, (void *)nss_lt_name },
+#ifdef YP
+		{ NSSRC_NIS, nis_rpcent, (void *)nss_lt_name },
+#endif
+#ifdef NS_CACHING
+		NS_CACHE_CB(&cache_info)
+#endif
+		{ NULL, NULL, NULL }
+	};
+	int rv, ret_errno;
+
+	ret_errno = 0;
+	*result = NULL;
+	rv = nsdispatch(result, dtab, NSDB_RPC, "getrpcbyname_r", defaultsrc,
+	    name, rpc, buffer, bufsize, &ret_errno);
+
+	if (rv == NS_SUCCESS)
+		return (0);
+	else
+		return (ret_errno);
+}
+
+static int
+getrpcbynumber_r(int number, struct rpcent *rpc, char *buffer,
+	size_t bufsize, struct rpcent **result)
+{
+#ifdef NS_CACHING
+	static const nss_cache_info cache_info =
+		NS_COMMON_CACHE_INFO_INITIALIZER(
+		rpc, (void *)nss_lt_id,
+		rpc_id_func, rpc_marshal_func, rpc_unmarshal_func);
+#endif
+	static const ns_dtab dtab[] = {
+		{ NSSRC_FILES, files_rpcent, (void *)nss_lt_id },
+#ifdef YP
+		{ NSSRC_NIS, nis_rpcent, (void *)nss_lt_id },
+#endif
+#ifdef NS_CACHING
+		NS_CACHE_CB(&cache_info)
+#endif
+		{ NULL, NULL, NULL }
+	};
+	int rv, ret_errno;
+
+	ret_errno = 0;
+	*result = NULL;
+	rv = nsdispatch(result, dtab, NSDB_RPC, "getrpcbynumber_r", defaultsrc,
+	    number, rpc, buffer, bufsize, &ret_errno);
+
+	if (rv == NS_SUCCESS)
+		return (0);
+	else
+		return (ret_errno);
+}
+
+static int
+getrpcent_r(struct rpcent *rpc, char *buffer, size_t bufsize,
+	struct rpcent **result)
+{
+#ifdef NS_CACHING
+	static const nss_cache_info cache_info = NS_MP_CACHE_INFO_INITIALIZER(
+		rpc, (void *)nss_lt_all,
+		rpc_marshal_func, rpc_unmarshal_func);
+#endif
+	static const ns_dtab dtab[] = {
+		{ NSSRC_FILES, files_rpcent, (void *)nss_lt_all },
+#ifdef YP
+		{ NSSRC_NIS, nis_rpcent, (void *)nss_lt_all },
+#endif
+#ifdef NS_CACHING
+		NS_CACHE_CB(&cache_info)
+#endif
+		{ NULL, NULL, NULL }
+	};
+	int rv, ret_errno;
+
+	ret_errno = 0;
+	*result = NULL;
+	rv = nsdispatch(result, dtab, NSDB_RPC, "getrpcent_r", defaultsrc,
+	    rpc, buffer, bufsize, &ret_errno);
+
+	if (rv == NS_SUCCESS)
+		return (0);
+	else
+		return (ret_errno);
+}
+
+/* get** wrappers for get**_r functions implementation */
+static 	void
+rpcent_endstate(void *p)
+{
+	if (p == NULL)
+		return;
+
+	free(((struct rpcent_state *)p)->buffer);
+	free(p);
+}
+
+static	int
+wrap_getrpcbyname_r(union key key, struct rpcent *rpc, char *buffer,
+    size_t bufsize, struct rpcent **res)
+{
+	return (getrpcbyname_r(key.name, rpc, buffer, bufsize, res));
+}
+
+static	int
+wrap_getrpcbynumber_r(union key key, struct rpcent *rpc, char *buffer,
+    size_t bufsize, struct rpcent **res)
+{
+	return (getrpcbynumber_r(key.number, rpc, buffer, bufsize, res));
+}
+
+static	int
+wrap_getrpcent_r(union key key __unused, struct rpcent *rpc, char *buffer,
+    size_t bufsize, struct rpcent **res)
+{
+	return (getrpcent_r(rpc, buffer, bufsize, res));
+}
+
+static struct rpcent *
+getrpc(int (*fn)(union key, struct rpcent *, char *, size_t, struct rpcent **),
+    union key key)
+{
+	int		 rv;
+	struct rpcent	*res;
+	struct rpcent_state * st;
+
+	rv=rpcent_getstate(&st);
+	if (rv != 0) {
+		errno = rv;
+		return NULL;
+	}
+
+	if (st->buffer == NULL) {
+		st->buffer = malloc(RPCENT_STORAGE_INITIAL);
+		if (st->buffer == NULL)
+			return (NULL);
+		st->bufsize = RPCENT_STORAGE_INITIAL;
+	}
+	do {
+		rv = fn(key, &st->rpc, st->buffer, st->bufsize, &res);
+		if (res == NULL && rv == ERANGE) {
+			free(st->buffer);
+			if ((st->bufsize << 1) > RPCENT_STORAGE_MAX) {
+				st->buffer = NULL;
+				errno = ERANGE;
+				return (NULL);
+			}
+			st->bufsize <<= 1;
+			st->buffer = malloc(st->bufsize);
+			if (st->buffer == NULL)
+				return (NULL);
+		}
+	} while (res == NULL && rv == ERANGE);
+	if (rv != 0)
+		errno = rv;
+
+	return (res);
 }
 
+struct rpcent *
+getrpcbyname(char *name)
+{
+	union key key;
+
+	key.name = name;
+
+	return (getrpc(wrap_getrpcbyname_r, key));
+}
+
+struct rpcent *
+getrpcbynumber(int number)
+{
+	union key key;
+
+	key.number = number;
+
+	return (getrpc(wrap_getrpcbynumber_r, key));
+}
+
+struct rpcent *
+getrpcent(void)
+{
+	union key key;
+
+	key.number = 0;	/* not used */
+
+	return (getrpc(wrap_getrpcent_r, key));
+}
+
+void
+setrpcent(int stayopen)
+{
+#ifdef NS_CACHING
+	static const nss_cache_info cache_info = NS_MP_CACHE_INFO_INITIALIZER(
+		rpc, (void *)nss_lt_all,
+		NULL, NULL);
+#endif
+
+	static const ns_dtab dtab[] = {
+		{ NSSRC_FILES, files_setrpcent, (void *)SETRPCENT },
+#ifdef YP
+		{ NSSRC_NIS, nis_setrpcent, (void *)SETRPCENT },
+#endif
+#ifdef NS_CACHING
+		NS_CACHE_CB(&cache_info)
+#endif
+		{ NULL, NULL, NULL }
+	};
+
+	nsdispatch(NULL, dtab, NSDB_RPC, "setrpcent", defaultsrc, stayopen);
+}
+
+void
+endrpcent(void)
+{
+#ifdef NS_CACHING
+	static const nss_cache_info cache_info = NS_MP_CACHE_INFO_INITIALIZER(
+		rpc, (void *)nss_lt_all,
+		NULL, NULL);
+#endif
+
+	static const ns_dtab dtab[] = {
+		{ NSSRC_FILES, files_setrpcent, (void *)ENDRPCENT },
+#ifdef YP
+		{ NSSRC_NIS, nis_setrpcent, (void *)ENDRPCENT },
+#endif
+#ifdef NS_CACHING
+		NS_CACHE_CB(&cache_info)
+#endif
+		{ NULL, NULL, NULL }
+	};
+
+	nsdispatch(NULL, dtab, NSDB_RPC, "endrpcent", defaultsrc);
+}
diff --git a/share/man/man5/Makefile b/share/man/man5/Makefile
index 5c7ddf1f86..9463f1322b 100644
--- a/share/man/man5/Makefile
+++ b/share/man/man5/Makefile
@@ -58,6 +58,10 @@ MAN=	acct.5 \
 	uuids.5 \
 	varsym.conf.5
 
+.if defined(WANT_HESIOD)
+MAN+=	hesiod.conf.5
+.endif
+
 MLINKS=	dir.5 dirent.5
 MLINKS+=ffs.5 UFS.5
 MLINKS+=fs.5 inode.5
diff --git a/share/man/man5/group.5 b/share/man/man5/group.5
index fe386b25e9..8f77cbe3ce 100644
--- a/share/man/man5/group.5
+++ b/share/man/man5/group.5
@@ -30,7 +30,7 @@
 .\" SUCH DAMAGE.
 .\"
 .\"     From: @(#)group.5	8.3 (Berkeley) 4/19/94
-.\" $FreeBSD: src/share/man/man5/group.5,v 1.15.2.4 2002/02/01 15:51:18 ru Exp $
+.\" $FreeBSD: src/share/man/man5/group.5,v 1.29 2006/02/18 16:48:56 brueffer Exp $
 .\" $DragonFly: src/share/man/man5/group.5,v 1.6 2007/04/07 19:29:52 swildner Exp $
 .\"
 .Dd September 29, 1994
@@ -40,8 +40,16 @@
 .Nm group
 .Nd format of the group permissions file
 .Sh DESCRIPTION
+The
+.Nm
+file is the local source of group information.
+It can be used in conjunction with the Hesiod domain
+`group', and the NIS maps `group.byname' and `group.bygid',
+as controlled by
+.Xr nsswitch.conf 5 .
+.Pp
 The file
-.Aq Pa /etc/group
+.Nm
 consists of newline separated
 .Tn ASCII
 records, one per group, containing four colon
@@ -92,7 +100,7 @@ A user is automatically in a group if that group was specified
 in their
 .Pa /etc/passwd
 entry and does not need to be added to that group in the
-.Pa /etc/group
+.Nm
 file.
 .\" .Pp
 .\" When the system reads the file
@@ -109,28 +117,6 @@ file.
 .\"	char    **gr_mem;        /* group members */
 .\" };
 .\" .Ed
-.Sh YP/NIS INTERACTION
-The
-.Pa /etc/group
-file can be configured to enable the YP/NIS group database.
-An entry whose
-.Ar name
-field consists of a plus sign (`+') followed by a group name, will be
-replaced internally to the C library with the YP/NIS group entry for the
-named group.  An entry whose
-.Ar name
-field consists of a single plus sign with no group name following,
-will be replaced with the entire YP/NIS
-.Dq Li group.byname
-map.
-.Pp
-If the YP/NIS group database is enabled for any reason, all reverse
-lookups (i.e.,
-.Fn getgrgid )
-will use the entire database, even if only a few groups are enabled.
-Thus, the group name returned by
-.Fn getgrgid
-is not guaranteed to have a valid forward mapping.
 .Sh LIMITS
 There are various limitations which are explained in
 the function where they occur; see section
@@ -148,7 +134,7 @@ Older binaries that are statically linked, depend on old
 shared libraries, or
 .No non- Ns Dx
 binaries in compatibility mode
-may still have this limits.
+may still have this limit.
 .Sh FILES
 .Bl -tag -width /etc/group -compact
 .It Pa /etc/group
@@ -159,17 +145,16 @@ may still have this limits.
 .Xr crypt 3 ,
 .Xr getgrent 3 ,
 .Xr initgroups 3 ,
+.Xr nsswitch.conf 5 ,
 .Xr passwd 5 ,
+.Xr chkgrp 8 ,
+.Xr pw 8 ,
 .Xr yp 8
 .Sh HISTORY
 A
 .Nm
 file format appeared in
 .At v6 .
-The YP/NIS functionality is modeled after
-.Tn SunOS
-and first appeared in
-.Fx 1.1 .
 Support for comments first appeared in
 .Fx 3.0 .
 .Sh BUGS
diff --git a/share/man/man5/hesiod.conf.5 b/share/man/man5/hesiod.conf.5
new file mode 100644
index 0000000000..f437638c08
--- /dev/null
+++ b/share/man/man5/hesiod.conf.5
@@ -0,0 +1,80 @@
+.\"	$NetBSD: hesiod.conf.5,v 1.2 1999/01/25 22:37:06 lukem Exp $
+.\"
+.\" from: #Id: hesiod.conf.5,v 1.1 1996/12/08 21:36:38 ghudson Exp #
+.\"
+.\" Copyright 1996 by the Massachusetts Institute of Technology.
+.\"
+.\" Permission to use, copy, modify, and distribute this
+.\" software and its documentation for any purpose and without
+.\" fee is hereby granted, provided that the above copyright
+.\" notice appear in all copies and that both that copyright
+.\" notice and this permission notice appear in supporting
+.\" documentation, and that the name of M.I.T. not be used in
+.\" advertising or publicity pertaining to distribution of the
+.\" software without specific, written prior permission.
+.\" M.I.T. makes no representations about the suitability of
+.\" this software for any purpose.  It is provided "as is"
+.\" without express or implied warranty.
+.\"
+.\" $FreeBSD: src/share/man/man5/hesiod.conf.5,v 1.3 2005/02/09 18:07:16 ru Exp $
+.\"
+.Dd November 30, 1996
+.Dt HESIOD.CONF 5
+.Os
+.Sh NAME
+.Nm hesiod.conf
+.Nd "configuration file for the Hesiod library"
+.Sh DESCRIPTION
+The file
+.Nm
+determines the behavior of the Hesiod library.
+Blank lines and lines beginning with a
+.Ql #
+character are ignored.
+All
+other lines should be of the form
+.Ar variable
+=
+.Ar value ,
+where the
+.Ar value
+should be a single word.
+Possible
+.Ar variables
+and
+.Ar values
+are:
+.Bl -tag -width classes
+.It Ic lhs
+Specifies the domain prefix used for Hesiod queries.
+In almost all cases, you should specify
+.Dq Li lhs=.ns .
+The default value if you do
+not specify an lhs value is no domain prefix, which is not compatible
+with most Hesiod domains.
+.It Ic rhs
+Specifies the default Hesiod domain; this value may be overridden by
+the
+.Ev HES_DOMAIN
+environment variable.
+You must specify an rhs line for the Hesiod
+library to work properly.
+.It Ic classes
+Specifies which DNS classes Hesiod should do lookups in.
+Possible values are
+.Cm IN
+(the preferred class) and
+.Cm HS
+(the deprecated class, still used by some sites).
+You may specify both classes separated by
+a comma to try one class first and then the other if no entry is
+available in the first class.
+The default value of the classes variable is
+.Dq Li IN,HS .
+.El
+.Sh SEE ALSO
+.Xr hesiod 3
+.Sh BUGS
+The default value for
+.Ic lhs
+should probably be more reasonable.
diff --git a/share/man/man5/hosts.5 b/share/man/man5/hosts.5
index 4168840aba..a24bac43c4 100644
--- a/share/man/man5/hosts.5
+++ b/share/man/man5/hosts.5
@@ -30,7 +30,7 @@
 .\" SUCH DAMAGE.
 .\"
 .\"     @(#)hosts.5	8.2 (Berkeley) 12/11/93
-.\" $FreeBSD: src/share/man/man5/hosts.5,v 1.5.2.3 2001/08/17 13:08:47 ru Exp $
+.\" $FreeBSD: src/share/man/man5/hosts.5,v 1.10 2004/07/03 18:29:22 ru Exp $
 .\" $DragonFly: src/share/man/man5/hosts.5,v 1.2 2003/06/17 04:37:00 dillon Exp $
 .\"
 .Dd December 11, 1993
@@ -44,6 +44,9 @@ The
 .Nm
 file contains information regarding
 the known hosts on the network.
+It can be used in conjunction with DNS, and the NIS
+maps `hosts.byaddr' and `hosts.byname', as controlled by
+.Xr nsswitch.conf 5 .
 For each host a single line should be present
 with the following information:
 .Bd -unfilled -offset indent
@@ -53,7 +56,8 @@ aliases
 .Ed
 .Pp
 Items are separated by any number of blanks and/or
-tab characters.  A ``#'' indicates the beginning of
+tab characters.
+A ``#'' indicates the beginning of
 a comment; characters up to the end of the line are
 not interpreted by routines which search the file.
 .Pp
@@ -73,7 +77,8 @@ Center
 .Pq Tn NIC ,
 though local changes may be required
 to bring it up to date regarding unofficial aliases
-and/or unknown hosts.  As the data base maintained at
+and/or unknown hosts.
+As the data base maintained at
 .Tn NIC
 is incomplete, use of the name server is recommended for
 sites on the
@@ -99,6 +104,7 @@ file resides in
 .El
 .Sh SEE ALSO
 .Xr gethostbyname 3 ,
+.Xr nsswitch.conf 5 ,
 .Xr ifconfig 8 ,
 .Xr named 8
 .Rs
diff --git a/share/man/man5/make.conf.5 b/share/man/man5/make.conf.5
index aebd6cbcdb..0881427215 100644
--- a/share/man/man5/make.conf.5
+++ b/share/man/man5/make.conf.5
@@ -207,6 +207,17 @@ as the standard
 .Xr cpio 1 .
 The default is to use
 .Xr bsdcpio 1 .
+.It Va WANT_HESIOD
+.Pq Vt bool
+Set this to build
+.Xr hesiod 3
+support into libc.
+.It Va NO_NS_CACHING
+.Pq Vt bool
+Set this to disable name caching in the nsswitch subsystem.
+The generic caching daemon,
+.Xr nscd 8 ,
+will not be built either if this option is set.
 .El
 .Pp
 The following list provides a name and short description for variables
diff --git a/share/man/man5/nsswitch.conf.5 b/share/man/man5/nsswitch.conf.5
index 3230b4f093..bf828d0d24 100644
--- a/share/man/man5/nsswitch.conf.5
+++ b/share/man/man5/nsswitch.conf.5
@@ -1,39 +1,40 @@
 .\"	$NetBSD: nsswitch.conf.5,v 1.14 1999/03/17 20:19:47 garbled Exp $
-.\"	$FreeBSD: src/share/man/man5/nsswitch.conf.5,v 1.8 2002/12/12 22:22:51 trhodes Exp $
-.\"	$DragonFly: src/share/man/man5/nsswitch.conf.5,v 1.1 2003/08/01 04:11:23 rob Exp $
 .\"
-.\"  Copyright (c) 1997, 1998, 1999 The NetBSD Foundation, Inc.
-.\"  All rights reserved.
+.\" Copyright (c) 1997, 1998, 1999 The NetBSD Foundation, Inc.
+.\" All rights reserved.
 .\"
-.\"  This code is derived from software contributed to The NetBSD Foundation
-.\"  by Luke Mewburn.
+.\" This code is derived from software contributed to The NetBSD Foundation
+.\" by Luke Mewburn.
 .\"
-.\"  Redistribution and use in source and binary forms, with or without
-.\"  modification, are permitted provided that the following conditions
-.\"  are met:
-.\"  1. Redistributions of source code must retain the above copyright
-.\"     notice, this list of conditions and the following disclaimer.
-.\"  2. Redistributions in binary form must reproduce the above copyright
-.\"     notice, this list of conditions and the following disclaimer in the
-.\"     documentation and/or other materials provided with the distribution.
-.\"  3. All advertising materials mentioning features or use of this software
-.\"     must display the following acknowledgement:
-.\"  	This product includes software developed by Luke Mewburn.
-.\"  4. The name of the author may not be used to endorse or promote products
-.\"     derived from this software without specific prior written permission.
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\"    must display the following acknowledgement:
+.\" 	This product includes software developed by Luke Mewburn.
+.\" 4. The name of the author may not be used to endorse or promote products
+.\"    derived from this software without specific prior written permission.
 .\"
-.\"  THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-.\"  IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-.\"  OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-.\"  IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-.\"  INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
-.\"  BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
-.\"  OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
-.\"  ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
-.\"  TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
-.\"  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+.\" BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS
+.\" OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+.\" ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR
+.\" TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+.\" USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd January 22, 1998
+.\" $FreeBSD: src/share/man/man5/nsswitch.conf.5,v 1.18 2007/10/19 00:16:29 bushman Exp $
+.\" $DragonFly: src/share/man/man5/nsswitch.conf.5,v 1.1 2003/08/01 04:11:23 rob Exp $
+.\"
+.Dd January 22, 2007
 .Dt NSSWITCH.CONF 5
 .Os
 .Sh NAME
@@ -48,9 +49,9 @@ file specifies how the
 .Pp
 The configuration file controls how a process looks up various databases
 containing information regarding hosts, users (passwords), groups, etc.
-Each database comes from a source (such as local files, DNS, and
-.Tn NIS ) ,
-and the order to look up the sources is specified in
+Each database comes from a source (such as local files, DNS,
+.Tn NIS ,
+and cache), and the order to look up the sources is specified in
 .Nm .
 .Pp
 Each entry in
@@ -93,6 +94,10 @@ and
 .Dq group
 databases.
 If this is present, it must be the only source for that entry.
+.It cache
+makes use of the
+.Xr nscd 8
+daemon.
 .El
 .Ss Databases
 The following databases are used by the following C library functions:
@@ -101,15 +106,45 @@ The following databases are used by the following C library functions:
 .It Sy Database
 .Sy "Used by"
 .It group
-.Xr getgrent 3
+.Xr getgrent 3 ,
+.Xr getgrent_r 3 ,
+.Xr getgrgid_r 3 ,
+.Xr getgrnam_r 3 ,
+.Xr setgrent 3 ,
+.Xr endgrent 3
 .It hosts
-.Xr gethostbyname 3
+.Xr getaddrinfo 3 ,
+.Xr gethostbyaddr 3 ,
+.Xr gethostbyaddr_r 3 ,
+.Xr gethostbyname 3 ,
+.Xr gethostbyname2 3 ,
+.Xr gethostbyname_r 3 ,
+.Xr getipnodebyaddr 3 ,
+.Xr getipnodebyname 3
 .It networks
-.Xr getnetbyname 3
+.Xr getnetbyaddr 3 ,
+.Xr getnetbyaddr_r 3 ,
+.Xr getnetbyname 3 ,
+.Xr getnetbyname_r 3
 .It passwd
-.Xr getpwent 3
+.Xr getpwent 3 ,
+.Xr getpwent_r 3 ,
+.Xr getpwnam_r 3 ,
+.Xr getpwuid_r 3 ,
+.Xr setpwent 3 ,
+.Xr endpwent 3
 .It shells
 .Xr getusershell 3
+.It services
+.Xr getservent 3
+.It rpc
+.Xr getrpcbyname 3 ,
+.Xr getrpcbynumber 3 ,
+.Xr getrpcent 3
+.It proto
+.Xr getprotobyname 3
+.Xr getprotobynumber 3 ,
+.Xr getprotoent 3
 .El
 .Ss Status codes
 The following status codes are available:
@@ -177,6 +212,25 @@ The default criteria is to return on
 .Dq success ,
 and continue on anything else (i.e,
 .Li "[success=return notfound=continue unavail=continue tryagain=continue]" ) .
+.Ss Cache
+You can enable caching for the particular database by specifying
+.Dq cache
+as the first source in the
+.Xr nsswitch.conf 5
+file.
+You should also enable caching for this database in
+.Xr nscd.conf 5 .
+If for the particular query
+.Dq cache
+source returns success, no further sources are queried.
+On the other hand, if there are no previously cached data, the
+query result will be placed into the cache right after
+all other sources are processed.
+Note, that
+.Dq cache
+requires
+.Xr nscd 8
+daemon to be running.
 .Ss Compat mode: +/- syntax
 In historical multi-source implementations, the
 .Sq +
@@ -210,7 +264,7 @@ and
 Historically, many of the databases had enumeration functions, often of
 the form
 .Fn getXXXent .
-These made sense when the databases were in local files, but don't make
+These made sense when the databases were in local files, but do not make
 sense or have lesser relevance when there are possibly multiple sources,
 each of an unknown size.
 The interfaces are still provided for compatibility, but the source
@@ -224,14 +278,14 @@ source must appear alone for a given database.
 .Ss Default source lists
 If, for any reason,
 .Nm
-doesn't exist, or it has missing or corrupt entries,
+does not exist, or it has missing or corrupt entries,
 .Xr nsdispatch 3
 will default to an entry of
 .Dq files
 for the requested database.
 Exceptions are:
 .Pp
-.Bl -tag -width passwd_compat -compact
+.Bl -tag -width services_compat -compact
 .It Sy Database
 .Sy "Default source list"
 .It group
@@ -239,11 +293,15 @@ compat
 .It group_compat
 nis
 .It hosts
-dns files
+files dns
 .It passwd
 compat
 .It passwd_compat
 nis
+.It services
+compat
+.It services_compat
+nis
 .El
 .Sh FILES
 .Bl -tag -width /etc/nsswitch.conf -compact
@@ -254,7 +312,7 @@ resides in
 .Pa /etc .
 .El
 .Sh EXAMPLES
-To lookup hosts in
+To lookup hosts in cache, then in
 .Pa /etc/hosts
 and then from the DNS, and lookup user information from
 .Tn NIS
@@ -262,7 +320,7 @@ then files, use:
 .Pp
 .Bl -tag -width passwd: -compact
 .It hosts:
-files dns
+cache files dns
 .It passwd:
 nis [notfound=return] files
 .It group:
@@ -271,23 +329,45 @@ nis [notfound=return] files
 .Pp
 The criteria
 .Dq [notfound=return]
-sets a policy of "if the user is notfound in nis, don't try files."
+sets a policy of "if the user is notfound in nis, do not try files."
 This treats nis as the authoritative source of information, except
 when the server is down.
+.Sh NOTES
+If system got compiled with
+.Va WITHOUT_NIS
+you have to remove
+.Sq nis
+entries.
+.Pp
+.Dx Ns 's
+.Lb libc
+provides stubs for compatibility with NSS modules
+written for the
+.Tn GNU
+C Library
+.Nm nsswitch
+interface.
+However, these stubs only support the use of the
+.Dq Li passwd
+and
+.Dq Li group
+databases.
 .Sh SEE ALSO
 .Xr nsdispatch 3 ,
+.Xr nscd.conf 5 ,
 .Xr resolv.conf 5 ,
+.Xr nscd 8 ,
 .Xr named 8 ,
 .Xr ypbind 8
 .Sh HISTORY
 The
 .Nm
 file format first appeared in
-.Fx 5.0 .
+.Dx 2.1 .
 It was imported from the
-.Nx
+.Fx
 Project, where it appeared first in
-.Nx 1.4 .
+.Fx 5.0 .
 .Sh AUTHORS
 Luke Mewburn
 .Aq lukem@netbsd.org
diff --git a/share/man/man5/passwd.5 b/share/man/man5/passwd.5
index ca882b9aa7..6bac874ca4 100644
--- a/share/man/man5/passwd.5
+++ b/share/man/man5/passwd.5
@@ -1,5 +1,8 @@
+.\"	$NetBSD: passwd.5,v 1.12.2.2 1999/12/17 23:14:50 he Exp $
+.\"
 .\" Copyright (c) 1988, 1991, 1993
 .\"	The Regents of the University of California.  All rights reserved.
+.\" Portions Copyright (c) 1994, Jason Downs.  All rights reserved.
 .\"
 .\" Redistribution and use in source and binary forms, with or without
 .\" modification, are permitted provided that the following conditions
@@ -30,10 +33,10 @@
 .\" SUCH DAMAGE.
 .\"
 .\"     From: @(#)passwd.5	8.1 (Berkeley) 6/5/93
-.\" $FreeBSD: src/share/man/man5/passwd.5,v 1.26.2.5 2002/02/01 15:51:18 ru Exp $
+.\" $FreeBSD: src/share/man/man5/passwd.5,v 1.50 2007/05/08 11:00:07 yar Exp $
 .\" $DragonFly: src/share/man/man5/passwd.5,v 1.9 2008/05/02 02:05:06 swildner Exp $
 .\"
-.Dd September 29, 1994
+.Dd May 8, 2007
 .Dt PASSWD 5
 .Os
 .Sh NAME
@@ -43,108 +46,173 @@
 .Sh DESCRIPTION
 The
 .Nm
-files are files consisting of newline separated records, one per user,
-containing ten colon
+files are the local source of password information.
+They can be used in conjunction with the Hesiod domains
+.Sq Li passwd
+and
+.Sq Li uid ,
+and the
+.Tn NIS
+maps
+.Sq Li passwd.byname ,
+.Sq Li passwd.byuid ,
+.Sq Li master.passwd.byname ,
+and
+.Sq Li master.passwd.byuid ,
+as controlled by
+.Xr nsswitch.conf 5 .
+.Pp
+For consistency, none of these files should ever be modified
+manually.
+.Pp
+The
+.Nm master.passwd
+file is readable only by root, and consists of newline separated
+records, one per user, containing ten colon
 .Pq Ql \&:
-separated fields.  These fields are as
-follows:
-.Bl -tag -width password -offset indent
-.It name
+separated
+fields.
+These fields are as follows:
+.Bl -tag -width ".Ar password" -offset indent
+.It Ar name
 User's login name.
-.It password
+.It Ar password
 User's
 .Em encrypted
 password.
-.It uid
+.It Ar uid
 User's id.
-.It gid
+.It Ar gid
 User's login group id.
-.It class
+.It Ar class
 User's login class.
-.It change
+.It Ar change
 Password change time.
-.It expire
+.It Ar expire
 Account expiration time.
-.It gecos
+.It Ar gecos
 General information about the user.
-.It home_dir
+.It Ar home_dir
 User's home directory.
-.It shell
+.It Ar shell
 User's login shell.
 .El
 .Pp
-Lines whose first non-whitespace character is a pound-sign (#)
-are comments, and are ignored.  Blank lines which consist
-only of spaces, tabs or newlines are also ignored.
+The
+.Nm
+file is generated from the
+.Nm master.passwd
+file by
+.Xr pwd_mkdb 8 ,
+has the
+.Ar class ,
+.Ar change ,
+and
+.Ar expire
+fields removed, and the
+.Ar password
+field replaced by a
+.Ql *
+character.
 .Pp
 The
 .Ar name
 field is the login used to access the computer account, and the
 .Ar uid
-field is the number associated with it.  They should both be unique
+field is the number associated with it.
+They should both be unique
 across the system (and often across a group of systems) since they
 control file access.
 .Pp
 While it is possible to have multiple entries with identical login names
-and/or identical uids, it is usually a mistake to do so.  Routines
+and/or identical user id's, it is usually a mistake to do so.
+Routines
 that manipulate these files will often return only one of the multiple
 entries, and that one by random selection.
 .Pp
 The login name must never begin with a hyphen
-.Pq Ql \&- ;
+.Pq Ql - ;
 also, it is strongly
-suggested that neither upper-case characters nor dots
+suggested that neither upper-case characters or dots
 .Pq Ql \&.
 be part
 of the name, as this tends to confuse mailers.
+No field may contain a
+colon
+.Pq Ql \&:
+as this has been used historically to separate the fields
+in the user database.
 .Pp
-The password field is the
+In the
+.Nm master.passwd
+file,
+the
+.Ar password
+field is the
 .Em encrypted
-form of the password.
+form of the password, see
+.Xr crypt 3 .
 If the
 .Ar password
 field is empty, no password will be required to gain access to the
-machine.  This is almost invariably a mistake.
-Because these files contain the encrypted user passwords, they should
+machine.
+This is almost invariably a mistake, so authentication components
+such as PAM can forcibly disallow remote access to passwordless accounts.
+Because this file contains the encrypted user passwords, it should
 not be readable by anyone without appropriate privileges.
-Administrative accounts have a password field containing an asterisk
-.Ql \&*
-which disallows normal logins.
 .Pp
-The group field is the group that the user will be placed in upon login.
-Although this system supports multiple groups (see
+A password of
+.Ql *
+indicates that
+password authentication is disabled for that account
+(logins through other forms of
+authentication, e.g., using
+.Xr ssh 1
+keys, will still work).
+The field only contains encrypted passwords, and
+.Ql *
+can never be the result of encrypting a password.
+.Pp
+An encrypted password prefixed by
+.Ql *LOCKED*
+means that the account is temporarily locked out
+and no one can log into it using any authentication.
+For a convenient command-line interface to account locking, see
+.Xr pw 8 .
+.Pp
+The
+.Ar group
+field is the group that the user will be placed in upon login.
+Since this system supports multiple groups (see
 .Xr groups 1 )
-this field indicates the user's primary group.
-Secondary group memberships are selected in
-.Pa /etc/group .
+this field currently has little special meaning.
 .Pp
 The
 .Ar class
 field is a key for a user's login class.
-Login classes are defined in
+Login classes
+are defined in
 .Xr login.conf 5 ,
 which is a
 .Xr termcap 5
-style database of user attributes, accounting, resource and
-environment settings.
+style database of user attributes, accounting, resource,
+and environment settings.
 .Pp
 The
 .Ar change
-field is the number in seconds,
-.Dv GMT ,
-from the epoch, until the
+field is the number of seconds from the epoch,
+.Dv UTC ,
+until the
 password for the account must be changed.
-This field may be left empty or set to 0 to turn off the
-password aging feature.
+This field may be left empty to turn off the password aging feature.
 .Pp
 The
 .Ar expire
-field is the number in seconds,
-.Dv GMT ,
-from the epoch, until the
+field is the number of seconds from the epoch,
+.Dv UTC ,
+until the
 account expires.
-This field may be left empty or set to 0 to turn off the account
-aging feature.
+This field may be left empty to turn off the account aging feature.
 .Pp
 The
 .Ar gecos
@@ -152,584 +220,174 @@ field normally contains comma
 .Pq Ql \&,
 separated subfields as follows:
 .Pp
-.Bl -bullet -compact -offset indent
-.It
+.Bl -tag -width ".Ar office" -offset indent -compact
+.It Ar name
 user's full name
-.It
-user's office location
-.It
+.It Ar office
+user's office number
+.It Ar wphone
 user's work phone number
-.It
+.It Ar hphone
 user's home phone number
 .El
 .Pp
-This information is used by the
+The full
+.Ar name
+may contain a ampersand
+.Pq Ql &
+which will be replaced by
+the capitalized login
+.Ar name
+when the
+.Ar gecos
+field is displayed or used
+by various programs such as
+.Xr finger 1 ,
+.Xr sendmail 8 ,
+etc.
+.Pp
+The
+.Ar office
+and phone number subfields are used by the
 .Xr finger 1
-program, and the first field used by the system mailer.
-If an ampersand
-.Pq Ql \&&
-character appears within the fullname field, programs that
-use this field will substitute it with a capitalized version
-of the account's login name.
+program, and possibly other applications.
 .Pp
-The user's home directory is the full
+The user's home directory,
+.Ar home_dir ,
+is the full
 .Ux
 path name where the user
 will be placed on login.
 .Pp
-The shell field is the command interpreter the user prefers.
+The
+.Ar shell
+field is the command interpreter the user prefers.
 If there is nothing in the
 .Ar shell
 field, the Bourne shell
 .Pq Pa /bin/sh
 is assumed.
-For security reasons, if the shell is set to a script that disallows
-access to the system (the
-.Xr nologin 8
-script, for example), care should be taken not to import any environment
-variables.  With
-.Xr sh 1 ,
-this can be done by specifying the
-.Fl p
-flag.
-Check the specific shell documentation to determine how this is
-done with other shells.
-.Sh YP/NIS INTERACTION
-.Ss Enabling access to NIS passwd data
-The system administrator can configure
-.Dx
-to use NIS/YP for
-its password information by adding special records to the
-.Pa /etc/master.passwd
-file.
-These entries should be added with
-.Xr vipw 8
-so that the changes can be properly merged with the hashed
-password databases and the
-.Pa /etc/passwd
-file (
-.Pa /etc/passwd
-should never be edited manually). Alternatively, the administrator
-can modify
-.Pa /etc/master.passwd
-in some other way and then manually update the password databases with
-.Xr pwd_mkdb 8 .
-.Pp
-The simplest way to activate NIS is to add an empty record
-with only a plus sign
-.Pq Ql \&+
-in the name field, such as this:
-.Bd -literal -offset indent
-+:::::::::
-
-.Ed
-The
-.Ql \&+
-will tell the
-.Xr getpwent 3
-routines in
-.Dx Ap s
-standard C library to begin using the NIS passwd maps
-for lookups.
-.Pp
-Note that the entry shown above is known as a
-.Em wildcard
-entry, because it matches all users (the
-.Ql \&+
-without any other information
-matches everybody) and allows all NIS password data to be retrieved
-unaltered.
-However, by
-specifying a username or netgroup next to the
-.Ql \&+
-in the NIS
-entry, the administrator can affect what data are extracted from the
-NIS passwd maps and how it is interpreted.
-Here are a few example
-records that illustrate this feature (note that you can have several
-NIS entries in a single
-.Pa master.passwd
-file):
-.Bd -literal -offset indent
--mitnick:::::::::
-+@staff:::::::::
-+@permitted-users:::::::::
-+dennis:::::::::
-+ken:::::::::/bin/csh
-+@rejected-users::32767:32767::::::/bin/false
-
-.Ed
-Specific usernames are listed explicitly while netgroups are signified
-by a preceding
-.Ql \&@ .
-In the above example, users in the
-.Dq staff
-and
-.Dq permitted-users
-netgroups will have their password information
-read from NIS and used unaltered.
-In other words, they will be allowed
-normal access to the machine.
-Users
-.Dq ken
-and
-.Dq dennis ,
-who have
-been named explicitly rather than through a netgroup, will also have
-their password data read from NIS,
-.Em except
-that user
-.Dq ken
-will have his shell remapped to
-.Pa /bin/csh .
-This means that value for his shell specified in the NIS password map
-will be overridden by the value specified in the special NIS entry in
-the local
-.Pa master.passwd
-file.
-User
-.Dq ken
-may have been assigned the csh shell because his
-NIS password entry specified a different shell that may not be
-installed on the client machine for political or technical reasons.
-Meanwhile, users in the
-.Dq rejected-users
-netgroup are prevented
-from logging in because their UIDs, GIDs and shells have been overridden
-with invalid values.
-.Pp
-User
-.Dq mitnick
-will be be ignored entirely because his entry is
-specified with a
-.Ql \&-
-instead of a
-.Ql \&+ .
-A minus entry can be used
-to block out certain NIS password entries completely; users whose
-password data has been excluded in this way are not recognized by
-the system at all.
-(Any overrides specified with minus entries are
-also ignored since there is no point in processing override information
-for a user that the system isn't going to recognize in the first place.)
-In general, a minus entry is used to specifically exclude a user
-who might otherwise be granted access because he happens to be a
-member of an authorized netgroup.
-For example, if
-.Dq mitnick
-is
-a member of the
-.Dq permitted-users
-netgroup and must, for whatever
-the reason, be permitted to remain in that netgroup (possibly to
-retain access to other machines within the domain), the administrator
-can still deny him access to a particular system with a minus entry.
-Also, it is sometimes easier to explicitly list those users who are not
-allowed access rather than generate a possibly complicated list of
-users who are allowed access and omit the rest.
-.Pp
-Note that the plus and minus entries are evaluated in order from
-first to last with the first match taking precedence.
-This means
-the system will only use the first entry that matches a particular user.
-If, using the same example, there is a user
-.Dq foo
-who is a member of both the
-.Dq staff
-netgroup and the
-.Dq rejected-users
-netgroup, he will be admitted to
-the system because the above example lists the entry for
-.Dq staff
-before the entry for
-.Dq rejected-users .
-If the order were reversed,
-user
-.Dq foo
-would be flagged as a
-.Dq rejected-user
-instead and denied access.
-.Pp
-Lastly, any NIS password database records that do not match against
-at least one of the users or netgroups specified by the NIS access
-entries in the
-.Pa /etc/master.passwd
-file will be ignored (along with any users specified using minus
-entries). In our example shown above, we do not have a wildcard
-entry at the end of the list; therefore, the system will not recognize
-anyone except
-.Dq ken ,
-.Dq dennis ,
-the
-.Dq staff
-netgroup, and the
-.Dq permitted-users
-netgroup as authorized users.
-The
-.Dq rejected-users
-netgroup will
-be recognized but all members will have their shells remapped and
-therefore be denied access.
-All other NIS password records
-will be ignored.
-The administrator may add a wildcard entry to the
-end of the list such as:
-.Bd -literal -offset indent
-+:::::::::/sbin/nologin
-
-.Ed
-This entry acts as a catch-all for all users that don't match against
-any of the other entries.
-This technique is sometimes useful when it is
-desirable to have the system be able to recognize all users in a
-particular NIS domain without necessarily granting them login access.
-See the description of the shell field regarding security concerns when using
-a shell script as the login shell.
-.Pp
-The primary use of this
-.Pa override
-feature is to permit the administrator
-to enforce access restrictions on NIS client systems.
-Users can be
-granted access to one group of machines and denied access to other
-machines simply by adding or removing them from a particular netgroup.
-Since the netgroup database can also be accessed via NIS, this allows
-access restrictions to be administered from a single location, namely
-the NIS master server; once a host's access list has been set in
-.Pa /etc/master.passwd ,
-it need not be modified again unless new netgroups are created.
-.Sh NOTES
-.Ss Shadow passwords through NIS
-.Dx
-uses a shadow password scheme: users' encrypted passwords
-are stored only in
-.Pa /etc/master.passwd
-and
-.Pa /etc/spwd.db ,
-which are readable and writable only by the superuser.
-This is done
-to prevent users from running the encrypted passwords through
-password-guessing programs and gaining unauthorized access to
-other users' accounts.
-NIS does not support a standard means of
-password shadowing, which implies that placing your password data
-into the NIS passwd maps totally defeats the security of
-.Dx Ap s
-password shadowing system.
-.Pp
-.Dx
-provides a few special features to help get around this
-problem.
-It is possible to implement password shadowing between
-.Dx
-NIS clients and
-.Dx
-NIS servers.
-The
-.Xr getpwent 3
-routines will search for a
-.Pa master.passwd.byname
-and
-.Pa master.passwd.byuid
-maps which should contain the same data found in the
-.Pa /etc/master.passwd
-file.
-If the maps exist,
-.Dx
-will attempt to use them for user
-authentication instead of the standard
-.Pa passwd.byname
+The conventional way to disable logging into an account once and for all,
+as it is done for system accounts,
+is to set its
+.Ar shell
+to
+.Xr nologin 8 .
+.Sh HESIOD SUPPORT
+If
+.Sq Li dns
+is specified for the
+.Sq Li passwd
+database in
+.Xr nsswitch.conf 5 ,
+then
+.Nm
+lookups occur from the
+.Sq Li passwd
+Hesiod domain.
+.Sh NIS SUPPORT
+If
+.Sq Li nis
+is specified for the
+.Sq Li passwd
+database in
+.Xr nsswitch.conf 5 ,
+then
+.Nm
+lookups occur from the
+.Sq Li passwd.byname ,
+.Sq Li passwd.byuid ,
+.Sq Li master.passwd.byname ,
 and
-.Pa passwd.byuid
+.Sq Li master.passwd.byuid
+.Tn NIS
 maps.
-The
-.Dx
-.Xr ypserv 8
-will also check client requests to make sure they originate on a
-privileged port.
-Since only the superuser is allowed to bind to
-a privileged port, the server can tell if the requesting user
-is the superuser; all requests from non-privileged users to access
-the
-.Pa master.passwd
-maps will be refused.
-Since all user authentication programs run
-with superuser privilege, they should have the required access to
-users' encrypted password data while normal users will only
-be allowed access to the standard
-.Pa passwd
-maps which contain no password information.
-.Pp
-Note that this feature cannot be used in an environment with
-.No non- Ns Tn Dx
-systems.
-Note also that a truly determined user with
-unrestricted access to your network could still compromise the
-.Pa master.passwd
-maps.
-.Ss UID and GID remapping with NIS overrides
-Unlike
-.Tn SunOS
-and other operating systems that use Sun's NIS code,
-.Dx
-allows the user to override
-.Pa all
-of the fields in a user's NIS
-.Pa passwd
-entry.
-For example, consider the following
-.Pa /etc/master.passwd
-entry:
-.Bd -literal -offset indent
-+@foo-users:???:666:666:0:0:0:Bogus user:/home/bogus:/bin/bogus
-
-.Ed
-This entry will cause all users in the `foo-users' netgroup to
-have
-.Pa all
-of their password information overridden, including UIDs,
-GIDs and passwords.
-The result is that all `foo-users' will be
-locked out of the system, since their passwords will be remapped
-to invalid values.
-.Pp
-This is important to remember because most people are accustomed to
-using an NIS wildcard entry that looks like this:
-.Bd -literal -offset indent
-+:*:0:0:::
-
-.Ed
-This often leads to new
-.Dx
-administrators choosing NIS entries for their
-.Pa master.passwd
-files that look like this:
-.Bd -literal -offset indent
-+:*:0:0::::::
-
-.Ed
-Or worse, this
-.Bd -literal -offset indent
-+::0:0::::::
-
-.Ed
-.Sy DO _NOT_ PUT ENTRIES LIKE THIS IN YOUR
-.Pa master.passwd
-.Sy FILE!!
-The first tells
-.Dx
-to remap all passwords to
-.Ql \&*
-(which
-will prevent anybody from logging in) and to remap all UIDs and GIDs
-to 0 (which will make everybody appear to be the superuser). The
-second case just maps all UIDs and GIDs to 0, which means that
-all users will appear to be root!
-.Ss Compatibility of NIS override evaluation
-When Sun originally added NIS support to their
-.Xr getpwent 3
-routines, they took into account the fact that the
-.Tn SunOS
-password
-.Pa /etc/passwd
-file is in plain
-.Tn ASCII
-format.
-The
-.Tn SunOS
-documentation claims that
-adding a
-.Ql \&+
-entry to the password file causes the contents of
-the NIS password database to be
-.Dq inserted
-at the position in the file where the
-.Ql \&+
-entry appears.
-If, for example, the
-administrator places a
-.Ql \&+::::::
-entry in the middle of
-.Pa /etc/passwd ,
-then the entire contents of the NIS password map would appear
-as though it had been copied into the middle of the password
-file.
-If the administrator places
-.Ql \&+::::::
-entries at both the middle and the end of
-.Pa /etc/passwd ,
-then the NIS password map would appear twice: once in the middle
-of the file and once at the end.
-(By using override entries
-instead of simple wildcards, other combinations could be achieved.)
-.Pp
-By contrast,
-.Dx
-does not have a single
-.Tn ASCII
-password file: it
-has a hashed password database.
-This database does not have an
-easily-defined beginning, middle or end, which makes it very hard
-to design a scheme that is 100% compatible with
-.Tn SunOS .
-For example,
-the
-.Fn getpwnam
-and
-.Fn getpwuid
-functions in
-.Dx
-are designed to do direct queries to the
-hash database rather than a linear search.
-This approach is faster
-on systems where the password database is large.
-However, when
-using direct database queries, the system does not know or care
-about the order of the original password file, and therefore
-it cannot easily apply the same override logic used by
-.Tn SunOS .
+.Sh COMPAT SUPPORT
+If
+.Sq Li compat
+is specified for the
+.Sq Li passwd
+database, and either
+.Sq Li dns
+or
+.Sq Li nis
+is specified for the
+.Sq Li passwd_compat
+database in
+.Xr nsswitch.conf 5 ,
+then the
+.Nm
+file also supports standard
+.Sq Li + Ns / Ns Li -
+exclusions and inclusions, based on user names and netgroups.
 .Pp
-Instead,
-.Dx
-groups all the NIS override entries together
-and constructs a filter out of them.
-Each NIS password entry
-is compared against the override filter exactly once and
-treated accordingly: if the filter allows the entry through
-unaltered, it's treated unaltered; if the filter calls for remapping
-of fields, then fields are remapped; if the filter calls for
-explicit exclusion (i.e., the entry matches a
-.Ql \&-
-override), the entry is ignored; if the entry doesn't match against any
-of the filter specifications, it's discarded.
+Lines beginning with a
+.Ql -
+(minus sign) are entries marked as being excluded
+from any following inclusions, which are marked with a
+.Ql +
+(plus sign).
 .Pp
-Again, note that the NIS
-.Ql \&+
-and
-.Ql \&-
-entries themselves are handled in the order in which they were specified
-in the
-.Pa /etc/master.passwd
-file, since doing otherwise would lead to unpredictable behavior.
+If the second character of the line is a
+.Ql @
+(at sign), the operation
+involves the user fields of all entries in the netgroup specified by the
+remaining characters of the
+.Ar name
+field.
+Otherwise, the remainder of the
+.Ar name
+field is assumed to be a specific user name.
 .Pp
-The end result is that
-.Dx
-provides a very close approximation
-of
-.Tn SunOS Ns 's
-behavior while maintaining the database paradigm, though the
-.Xr getpwent 3
-functions do behave somewhat differently from their
-.Tn SunOS
-counterparts.
-The primary differences are:
-.Bl -bullet -offset indent
-.It
-Each NIS password map record can be mapped into the password
-local password space only once.
-.It
-The placement of the NIS
-.Ql \&+
+The
+.Ql +
+token may also be alone in the
+.Ar name
+field, which causes all users from either the Hesiod domain
+.Nm
+(with
+.Sq Li passwd_compat: dns )
+or
+.Sq Li passwd.byname
 and
-.Ql \&-
-entries does not necessarily
-affect where NIS password records will be mapped into
-the password space.
-.El
+.Sq Li passwd.byuid
+.Tn NIS
+maps (with
+.Sq Li passwd_compat: nis )
+to be included.
 .Pp
-In 99% of all
-.Dx
-configurations, NIS client behavior will be
-indistinguishable from that of
-.Tn SunOS
-or other similar systems.
-Even
-so, users should be aware of these architectural differences.
-.Ss Using groups instead of netgroups for NIS overrides
-.Dx
-offers the capability to do override matching based on
-user groups rather than netgroups.
-If, for example, an NIS entry
-is specified as:
-.Bd -literal -offset indent
-+@operator:::::::::
-
-.Ed
-the system will first try to match users against a netgroup called
-.Ql operator .
-If an
-.Ql operator
-netgroup doesn't exist, the system
-will try to match users against the normal
-.Ql operator
-group instead.
-.Ss Changes in behavior from old versions of FreeBSD
-There have been several bug fixes and improvements in
-.Fx Ap s
-NIS/YP handling, some of which have caused changes in behavior.
-While the behavior changes are generally positive, it is important
-that users and system administrators be aware of them:
-.Bl -enum -offset indent
-.It
-In
-.Fx
-versions prior to 2.0.5, reverse lookups (i.e. using
-.Fn getpwuid )
-would not have overrides applied, which is to say that it
-was possible for
-.Fn getpwuid
-to return a login name that
-.Fn getpwnam
-would not recognize.
-This has been fixed: overrides specified
-in
-.Pa /etc/master.passwd
-now apply to all
-.Xr getpwent 3
-functions.
-.It
-Prior to
-.Fx 2.0.5 ,
-netgroup overrides did not work at
-all, largely because
-.Fx
-did not have support for reading
-netgroups through NIS.
-Again, this has been fixed, and
-netgroups can be specified just as in
-.Tn SunOS
-and similar NIS-capable
-systems.
-.It
-.Fx
-now has NIS server capabilities and supports the use
-of
-.Pa master.passwd
-NIS maps in addition to the standard Sixth Edition format
-.Pa passwd
+If the entry contains non-empty
+.Ar uid
+or
+.Ar gid
+fields, the specified numbers will override the information retrieved
+from the Hesiod domain or the
+.Tn NIS
 maps.
-This means that you can specify change, expiration and class
-information through NIS, provided you use a
-.Dx
+As well, if the
+.Ar gecos ,
+.Ar dir
 or
-.Fx
-system as
-the NIS server.
-.El
+.Ar shell
+entries contain text, it will override the information included via
+Hesiod or
+.Tn NIS .
+On some systems, the
+.Ar passwd
+field may also be overridden.
 .Sh FILES
-.Bl -tag -width /etc/master.passwd -compact
+.Bl -tag -width ".Pa /etc/master.passwd" -compact
 .It Pa /etc/passwd
 .Tn ASCII
 password file, with passwords removed
 .It Pa /etc/pwd.db
-.Xr db 3 -format
+.Xr db 3 Ns -format
 password database, with passwords removed
 .It Pa /etc/master.passwd
 .Tn ASCII
 password file, with passwords intact
 .It Pa /etc/spwd.db
-.Xr db 3 -format
+.Xr db 3 Ns -format
 password database, with passwords intact
 .El
 .Sh COMPATIBILITY
@@ -738,15 +396,14 @@ The password file format has changed since
 The following awk script can be used to convert your old-style password
 file into a new style password file.
 The additional fields
-.Dq class ,
-.Dq change
+.Ar class ,
+.Ar change
 and
-.Dq expire
+.Ar expire
 are added, but are turned off by default.
-These fields can then be set using
-.Xr vipw 8
-or
-.Xr pw 8 .
+Class is currently not implemented, but change and expire are; to set them,
+use the current day in seconds from the epoch + whatever number of seconds
+of offset you want.
 .Bd -literal -offset indent
 BEGIN { FS = ":"}
 { print $1 ":" $2 ":" $3 ":" $4 "::0:0:" $5 ":" $6 ":" $7 }
@@ -755,52 +412,41 @@ BEGIN { FS = ":"}
 .Xr chpass 1 ,
 .Xr login 1 ,
 .Xr passwd 1 ,
+.Xr crypt 3 ,
 .Xr getpwent 3 ,
-.Xr login_getclass 3 ,
 .Xr login.conf 5 ,
+.Xr netgroup 5 ,
+.Xr nsswitch.conf 5 ,
 .Xr adduser 8 ,
+.Xr nologin 8 ,
 .Xr pw 8 ,
 .Xr pwd_mkdb 8 ,
 .Xr vipw 8 ,
 .Xr yp 8
+.Pp
+.%T "Managing NFS and NIS"
+(O'Reilly & Associates)
 .Sh HISTORY
 A
 .Nm
 file format appeared in
 .At v6 .
-The YP/NIS functionality is modeled after
-.Tn SunOS
-and first appeared in
-.Fx 1.1 .
-The override capability was new in
-.Fx 2.0 .
-The override capability was updated to properly support netgroups
-in
-.Fx 2.0.5 .
-Support for comments first appeared in
-.Fx 3.0 .
+.Pp
+The
+.Tn NIS
+.Nm
+file format first appeared in SunOS.
+.Pp
+The Hesiod support first appeared in
+.Fx 4.1 .
+It was imported from the
+.Nx
+Project, where it first appeared in
+.Nx 1.4 .
 .Sh BUGS
 User information should (and eventually will) be stored elsewhere.
 .Pp
-The YP/NIS password database makes encrypted passwords visible to
-ordinary users, thus making password cracking easier unless you use
-shadow passwords with the
-.Pa master.passwd
-maps and
-.Dx Ns 's
-.Xr ypserv 8
-server.
-.Pp
-Unless you're using
-.Dx Ns 's
-.Xr ypserv 8 ,
-which supports the use of
-.Pa master.passwd
-type maps,
-the YP/NIS password database will be in old-style (Sixth Edition) format,
-which means that site-wide values for user login class, password
-expiration date, and other fields present in the current format
-will not be available when a
-.Dx
-system is used as a client with
-a standard NIS server.
+Placing
+.Sq Li compat
+exclusions in the file after any inclusions will have
+unexpected results.
diff --git a/share/man/man8/yp.8 b/share/man/man8/yp.8
index 4613a349ea..57ad9bbafd 100644
--- a/share/man/man8/yp.8
+++ b/share/man/man8/yp.8
@@ -26,7 +26,7 @@
 .\" SUCH DAMAGE.
 .\"
 .\"     from: @(#)yp.8	1.0 (deraadt) 4/26/93
-.\" $FreeBSD: src/share/man/man8/yp.8,v 1.30.2.2 2002/09/30 08:19:41 max Exp $
+.\" $FreeBSD: src/share/man/man8/yp.8,v 1.36 2005/01/21 08:36:40 ru Exp $
 .\" $DragonFly: src/share/man/man8/yp.8,v 1.5 2006/02/17 19:37:10 swildner Exp $
 .\"
 .Dd April 5, 1993
@@ -58,16 +58,8 @@ daemon makes direct
 library calls since there are no
 functions in the standard C library for reading bootparams.
 .Tn NIS
-support for the hosts, services and rpc databases is enabled by
-uncommenting the
-.Dq Li nis
-line in
-.Pa /etc/host.conf .
-.Tn NIS
-support for the remaining services is
-activated by adding a special
-.Ql +
-entry to the appropriate file.
+support is enabled in
+.Xr nsswitch.conf 5 .
 .Pp
 The
 .Nm YP
@@ -214,8 +206,9 @@ to a particular
 server using the
 .Xr ypbind 8
 daemon.
-.Xr Ypbind 8
-checks the system's default domain (as set by the
+The
+.Xr ypbind 8
+utility checks the system's default domain (as set by the
 .Xr domainname 1
 command) and begins broadcasting
 .Tn RPC
@@ -236,8 +229,9 @@ From that point
 on, the client system will direct all of its
 .Tn NIS
 requests to that server.
-.Xr Ypbind 8
-will occasionally
+The
+.Xr ypbind 8
+utility will occasionally
 .Dq ping
 the server to make sure it is still up
 and running.
@@ -253,8 +247,9 @@ master and slave servers handle all
 requests with the
 .Xr ypserv 8
 daemon.
-.Xr Ypserv 8
-is responsible for receiving incoming requests from
+The
+.Xr ypserv 8
+utility is responsible for receiving incoming requests from
 .Tn NIS
 clients,
 translating the requested domain and map name to a path to the
@@ -294,7 +289,7 @@ retrieve the entire contents of a map
 .Pp
 There are a few other requests which
 .Xr ypserv 8
-is capable of handling (i.e. acknowledge whether or not you can handle
+is capable of handling (i.e., acknowledge whether or not you can handle
 a particular domain
 .Pq Dv YPPROC_DOMAIN ,
 or acknowledge only if you can handle the domain and be silent otherwise
@@ -375,7 +370,7 @@ placing a slave server on the local network.
 The
 .Dx
 .Xr ypserv 8
-is specially designed to provided enhanced security
+is specially designed to provide enhanced security
 .Po
 compared to other
 .Tn NIS
@@ -429,7 +424,7 @@ wrapper support enabled, the administrator can configure
 to respond only to selected client machines.
 .Pp
 While these enhancements provide better security than stock
-.Tn NIS Ns ,
+.Tn NIS ,
 they are by no means 100% effective.
 It is still possible for
 someone with access to your network to spoof the server into disclosing
diff --git a/usr.bin/Makefile b/usr.bin/Makefile
index 002fbd6ef7..86a074fa2a 100644
--- a/usr.bin/Makefile
+++ b/usr.bin/Makefile
@@ -241,6 +241,10 @@ SUBDIR+=dig \
 	host
 .endif
 
+.if defined(WANT_HESIOD)
+SUBDIR+=hesinfo
+.endif
+
 .if !defined(NO_OPENSSL)
 SUBDIR+=bc \
 	dc
diff --git a/usr.bin/chpass/chpass.c b/usr.bin/chpass/chpass.c
index e865771f0d..e861a857a9 100644
--- a/usr.bin/chpass/chpass.c
+++ b/usr.bin/chpass/chpass.c
@@ -203,7 +203,7 @@ main(int argc, char **argv)
 		if (uid)
 			baduser();
 		pw = &lpw;
-		if (!pw_scan(arg, pw))
+		if (!__pw_scan(arg, pw, _PWSCAN_WARN|_PWSCAN_MASTER))
 			exit(1);
 		if ((pold_pw = getpwnam(pw->pw_name)) != NULL) {
 			old_pw = *pold_pw;
diff --git a/usr.bin/chpass/edit.c b/usr.bin/chpass/edit.c
index 485bb1c591..44a59407bb 100644
--- a/usr.bin/chpass/edit.c
+++ b/usr.bin/chpass/edit.c
@@ -261,5 +261,5 @@ bad:					(void)fclose(fp);
 		return (0);
 	}
 	free(p);
-	return (pw_scan(buf, pw));
+	return (__pw_scan(buf, pw, _PWSCAN_WARN|_PWSCAN_MASTER));
 }
diff --git a/usr.bin/chpass/pw_copy.c b/usr.bin/chpass/pw_copy.c
index a79c60b993..392e038b68 100644
--- a/usr.bin/chpass/pw_copy.c
+++ b/usr.bin/chpass/pw_copy.c
@@ -64,7 +64,7 @@ pw_equal(char *buf, struct passwd *pw)
 	len = strlen (buf);
 	if (buf[len-1] == '\n')
 		buf[len-1] = '\0';
-	if (!pw_scan(buf, &buf_pw))
+	if (!__pw_scan(buf, &buf_pw, _PWSCAN_MASTER))
 		return 0;
 	return (strcmp(pw->pw_name, buf_pw.pw_name) == 0
 	    && pw->pw_uid == buf_pw.pw_uid
diff --git a/usr.bin/hesinfo/Makefile b/usr.bin/hesinfo/Makefile
new file mode 100644
index 0000000000..c4c46764ff
--- /dev/null
+++ b/usr.bin/hesinfo/Makefile
@@ -0,0 +1,5 @@
+#	$FreeBSD: src/usr.bin/hesinfo/Makefile,v 1.3 2002/02/08 22:31:40 markm Exp $
+
+PROG=	hesinfo
+
+.include <bsd.prog.mk>
diff --git a/usr.bin/hesinfo/hesinfo.1 b/usr.bin/hesinfo/hesinfo.1
new file mode 100644
index 0000000000..004b407029
--- /dev/null
+++ b/usr.bin/hesinfo/hesinfo.1
@@ -0,0 +1,198 @@
+.\"	$NetBSD: hesinfo.1,v 1.1 1999/01/25 22:45:55 lukem Exp $
+.\"
+.\" from: #Id: hesinfo.1,v 1.9 1996/11/07 01:57:12 ghudson Exp #
+.\"
+.\" Copyright 1987, 1996 by the Massachusetts Institute of Technology.
+.\"
+.\" Permission to use, copy, modify, and distribute this
+.\" software and its documentation for any purpose and without
+.\" fee is hereby granted, provided that the above copyright
+.\" notice appear in all copies and that both that copyright
+.\" notice and this permission notice appear in supporting
+.\" documentation, and that the name of M.I.T. not be used in
+.\" advertising or publicity pertaining to distribution of the
+.\" software without specific, written prior permission.
+.\" M.I.T. makes no representations about the suitability of
+.\" this software for any purpose.  It is provided "as is"
+.\" without express or implied warranty.
+.\"
+.\" $FreeBSD: src/usr.bin/hesinfo/hesinfo.1,v 1.6 2005/02/09 18:04:22 ru Exp $
+.\"
+.Dd October 27, 1996
+.Dt HESINFO 1
+.Os
+.Sh NAME
+.Nm hesinfo
+.Nd "find out what is stored in the Hesiod database"
+.Sh SYNOPSIS
+.Nm
+.Op Fl bl
+.Ar HesiodName HesiodNameType
+.Sh DESCRIPTION
+The
+.Nm
+utility takes two arguments, a name to be resolved and a string, known
+as a
+.Ar HesiodNameType .
+It then prints the information returned by
+the Hesiod nameserver.
+.Pp
+The value returned by
+.Nm
+is of the type
+.Ar HesiodNameType .
+.Pp
+The following options are available:
+.Bl -tag -width indent
+.It Fl l
+Selects long format.
+.It Fl b
+Prints the fully\-qualified string passed to the nameserver.
+.El
+.Ss VALID Hesiod_Names
+The following types of identifiers may be used in the
+.Ar HesiodName
+argument to
+.Nm .
+These values will be resolved by accessing the
+.Xr hesiod 3
+database.
+.Bl -tag -width indent
+.It Aq Ar username
+the 8\-character\-or\-less string used to identify users or classes
+(e.g.\& joeuser, root, 1.00, etc).
+Used with the
+.Ar Hesiod_Name_Types
+.Cm passwd ,
+.Cm pobox ,
+and
+.Cm filsys .
+.It Aq Ar uid
+the id number assigned to a user.
+.It Aq Ar groupid
+the id number assigned to a group.
+.It Aq Ar groupname
+a name identifying a unique group.
+.It Aq Ar file\-system\-name
+the name of an Athena file system.
+.It Xo
+.Ao Ar "rvd\-server" Ac : Ns Aq Ar pack
+.Xc
+the name of an rvd's server and pack separated by a colon.
+.It Xo
+.Ao Ar "nfs\-server" Ac : Ns Aq Ar partition
+.Xc
+the name of an
+.Tn NFS
+server and its partition separated by a colon.
+.It Aq Ar workstation\-name
+the machine name of an Athena workstation (e.g.\& E40\-343\-3).
+.It Aq Ar service\-name
+name of an Athena service (e.g.\& Zephyr).
+.It Aq Ar service\-type
+name of
+.Ux
+service (valid entries are defined in
+.Pa /etc/services ) .
+.It Aq Ar printer\-name
+name of a printer.
+.It Aq Ar printer\-cluster\-name
+name of an Athena print cluster.
+.It Aq Ar foo
+some
+.Nm
+calls (e.g.\&
+.Cm prclusterlist )
+do not require a specific
+.Ar HesiodName
+argument.
+However, you must include a dummy string (e.g.\&
+.Ql foo )
+for
+.Nm
+to work properly.
+.El
+.Ss VALID Hesiod_Name_Types
+The following symbols are valid substitutions for the
+.Ar HesiodNameType
+argument to
+.Nm .
+.Bl -tag -width indent
+.It Cm passwd
+returns string suitable for inclusion in
+.Pa /etc/passwd ,
+searching with
+.Aq Ar username .
+.It Cm pobox
+returns information on the pobox assigned to the user specified by
+.Ar HesiodName ,
+searching with
+.Aq Ar username .
+.It Cm uid
+returns string suitable for inclusion in
+.Pa /etc/passwd ,
+searching with
+.Aq Ar uid .
+.It Cm gid
+returns string suitable for inclusion in
+.Pa /etc/group ,
+searching with
+.Aq Ar groupid .
+.It Cm group
+returns string suitable for inclusion in
+.Pa /etc/group ,
+searching with
+.Aq Ar groupname .
+.It Cm grplist
+returns subgroups included in superset
+defined by
+.Aq Ar groupname .
+.It Cm filsys
+returns file system type, export point, server, mount mode, and import point
+for the following valid
+.Ar HesiodNames
+(see above) -
+.Aq Ar "file\-system\-name" ,
+.Aq Ar username ,
+.Ao Ar "rvd\-server" Ac : Ns Aq Ar pack ,
+and
+.Ao Ar "nfs\-server" Ac : Ns Aq Ar partition .
+.It Cm cluster
+returns information about the local cluster the workstation, specified by
+.Aq Ar "workstation\-name" .
+Included is information about the local file and print servers.
+This information is accesses by
+.Sy clusterinfo
+at boot time.
+.It Cm sloc
+returns network name of service host for
+.Aq Ar service\-name .
+.It Cm service
+returns Internet protocol type and protocol service port for
+.Aq Ar service\-type .
+.It Cm pcap
+returns a valid entry for
+.Pa /etc/printcap
+for
+.Aq Ar printer\-name .
+.It Cm prcluserlist
+returns a list of print clusters.
+.It Cm prcluster
+returns a list of printers in a cluster specified by
+.Aq Ar printer\-cluster\-name .
+.El
+.Sh FILES
+.Bl -tag -width /etc/hesiod.conf
+.It Pa /etc/hesiod.conf
+.El
+.Sh SEE ALSO
+.Xr hesiod 3 ,
+.Xr named 8
+.Rs
+.%T "Hesiod - Project Athena Technical Plan -- Name Service"
+.Re
+.Sh AUTHORS
+.An Steve Dyer ,
+IBM/Project Athena
+.Pp
+Copyright 1987, 1988, 1996 by the Massachusetts Institute of Technology.
diff --git a/usr.bin/hesinfo/hesinfo.c b/usr.bin/hesinfo/hesinfo.c
new file mode 100644
index 0000000000..c8e38d9e04
--- /dev/null
+++ b/usr.bin/hesinfo/hesinfo.c
@@ -0,0 +1,106 @@
+/*	$NetBSD: hesinfo.c,v 1.1 1999/01/25 22:45:55 lukem Exp $	*/
+
+/* Copyright 1988, 1996 by the Massachusetts Institute of Technology.
+ *
+ * Permission to use, copy, modify, and distribute this
+ * software and its documentation for any purpose and without
+ * fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright
+ * notice and this permission notice appear in supporting
+ * documentation, and that the name of M.I.T. not be used in
+ * advertising or publicity pertaining to distribution of the
+ * software without specific, written prior permission.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose.  It is provided "as is"
+ * without express or implied warranty.
+ *
+ * $FreeBSD: src/usr.bin/hesinfo/hesinfo.c,v 1.7 2002/09/04 23:29:01 dwmalone Exp $
+ */
+
+/* This file is a simple driver for the Hesiod library. */
+
+#include <err.h>
+#include <errno.h>
+#include <hesiod.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+int
+main(int argc, char **argv)
+{
+	char  **list, **p, *bindname, *name, *type;
+	int     lflag = 0, errflg = 0, bflag = 0, c;
+	void   *context;
+
+	while ((c = getopt(argc, argv, "lb")) != -1) {
+		switch (c) {
+		case 'l':
+			lflag = 1;
+			break;
+		case 'b':
+			bflag = 1;
+			break;
+		default:
+			errflg++;
+			break;
+		}
+	}
+	if (argc - optind != 2 || errflg) {
+		fprintf(stderr, "usage: hesinfo [-bl] name type\n");
+		fprintf(stderr, "\t-l selects long format\n");
+		fprintf(stderr, "\t-b also does hes_to_bind conversion\n");
+		exit(2);
+	}
+	name = argv[optind];
+	type = argv[optind + 1];
+
+	if (hesiod_init(&context) < 0) {
+		if (errno == ENOEXEC)
+			warnx(
+			    "hesiod_init: Invalid Hesiod configuration file.");
+		else
+			warn("hesiod_init");
+	}
+	/* Display bind name if requested. */
+	if (bflag) {
+		if (lflag)
+			printf("hes_to_bind(%s, %s) expands to\n", name, type);
+		bindname = hesiod_to_bind(context, name, type);
+		if (!bindname) {
+			if (lflag)
+				printf("nothing\n");
+			if (errno == ENOENT)
+				warnx("hesiod_to_bind: Unknown rhs-extension.");
+			else
+				warn("hesiod_to_bind");
+			exit(1);
+		}
+		printf("%s\n", bindname);
+		free(bindname);
+		if (lflag)
+			printf("which ");
+	}
+	if (lflag)
+		printf("resolves to\n");
+
+	/* Do the hesiod resolve and check for errors. */
+	list = hesiod_resolve(context, name, type);
+	if (!list) {
+		if (lflag)
+			printf("nothing\n");
+		if (errno == ENOENT)
+			warnx("hesiod_resolve: Hesiod name not found.");
+		else
+			warn("hesiod_resolve");
+		exit(1);
+	}
+	/* Display the results. */
+	for (p = list; *p; p++)
+		printf("%s\n", *p);
+
+	hesiod_free_list(context, list);
+	hesiod_end(context);
+	exit(0);
+}
diff --git a/usr.bin/passwd/Makefile b/usr.bin/passwd/Makefile
index 21b8059a24..51d4496ef7 100644
--- a/usr.bin/passwd/Makefile
+++ b/usr.bin/passwd/Makefile
@@ -7,7 +7,7 @@
 .if defined(NOPAM)
 
 PROG=	passwd
-SRCS=	local_passwd.c passwd.c pw_copy.c pw_scan.c pw_util.c 
+SRCS=	local_passwd.c passwd.c pw_copy.c pw_util.c
 
 GENSRCS=yp.h yp_clnt.c yppasswd.h yppasswd_clnt.c \
 	yppasswd_private.h yppasswd_private_clnt.c yppasswd_private_xdr.c
@@ -22,12 +22,13 @@ CFLAGS+= -DLOGIN_CAP -DCRYPT -I. -I${.CURDIR} \
 	-I${.CURDIR}/../../usr.sbin/vipw \
 	-I${.CURDIR}/../../usr.bin/chpass \
 	-I${.CURDIR}/../../usr.sbin/pwd_mkdb \
+	-I${.CURDIR}/../../lib/libc/gen \
 	-Dyp_error=warnx -DLOGGING
 
 .else
 
 PROG=	passwd
-SRCS=	local_passwd.c passwd.c pw_copy.c pw_scan.c pw_util.c pw_yp.c \
+SRCS=	local_passwd.c passwd.c pw_copy.c pw_util.c pw_yp.c \
 	yp_passwd.c ypxfr_misc.c ${GENSRCS}
 GENSRCS=yp.h yp_clnt.c yppasswd.h yppasswd_clnt.c \
 	yppasswd_private.h yppasswd_private_clnt.c yppasswd_private_xdr.c
@@ -45,6 +46,7 @@ CFLAGS+= -DLOGIN_CAP -DCRYPT -DYP -I. -I${.CURDIR} \
 	-I${.CURDIR}/../../libexec/ypxfr \
 	-I${.CURDIR}/../../usr.sbin/pwd_mkdb \
 	-I${.CURDIR}/../../usr.sbin/rpc.yppasswdd \
+	-I${.CURDIR}/../../lib/libc/gen \
 	-Dyp_error=warnx -DLOGGING
 
 .endif
diff --git a/usr.sbin/Makefile b/usr.sbin/Makefile
index 76082d89f2..ba80da7c0d 100644
--- a/usr.sbin/Makefile
+++ b/usr.sbin/Makefile
@@ -161,6 +161,11 @@ SUBDIR+=named \
 SUBDIR+=lpr
 .endif
 
+# This isn't ready yet.
+#.if !defined(NO_NS_CACHING)
+#SUBDIR+=nscd
+#.endif
+
 .if !defined(NO_SENDMAIL)
 SUBDIR+=editmap \
 	mailstats \
diff --git a/usr.sbin/nscd/Makefile b/usr.sbin/nscd/Makefile
new file mode 100644
index 0000000000..d1e1da0d5a
--- /dev/null
+++ b/usr.sbin/nscd/Makefile
@@ -0,0 +1,17 @@
+# $FreeBSD: src/usr.sbin/nscd/Makefile,v 1.5 2007/11/20 02:07:29 jb Exp $
+
+PROG=	nscd
+MAN=	nscd.conf.5 nscd.8
+
+WARNS?=	2
+CFLAGS+=-fno-strict-aliasing
+SRCS=	agent.c nscd.c nscdcli.c cachelib.c cacheplcs.c debug.c log.c \
+	config.c query.c mp_ws_query.c mp_rs_query.c singletons.c protocol.c \
+	parser.c
+CFLAGS+= -DCONFIG_PATH="\"${PREFIX}/etc/nscd.conf\""
+DPADD=	${LIBM} ${LIBPTHREAD} ${LIBUTIL}
+LDADD=	-lm -lpthread -lutil
+
+.PATH: ${.CURDIR}/agents
+.include "${.CURDIR}/agents/Makefile.inc"
+.include <bsd.prog.mk>
diff --git a/usr.sbin/nscd/agent.c b/usr.sbin/nscd/agent.c
new file mode 100644
index 0000000000..59f552268a
--- /dev/null
+++ b/usr.sbin/nscd/agent.c
@@ -0,0 +1,124 @@
+/*-
+ * Copyright (c) 2005 Michael Bushkov <bushman@rsu.ru>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD: src/usr.sbin/nscd/agent.c,v 1.3 2008/10/12 00:44:27 delphij Exp $
+ */
+
+#include <assert.h>
+#include <string.h>
+#include <stdlib.h>
+#include "agent.h"
+#include "debug.h"
+
+static int
+agent_cmp_func(const void *a1, const void *a2)
+{
+	struct agent const *ap1 = *((struct agent const **)a1);
+	struct agent const *ap2 = *((struct agent const **)a2);
+	int res;
+
+	res = strcmp(ap1->name, ap2->name);
+	if (res == 0) {
+		if (ap1->type == ap2->type)
+			res = 0;
+		else if (ap1->type < ap2->type)
+			res = -1;
+		else
+			res = 1;
+	}
+
+	return (res);
+}
+
+struct agent_table *
+init_agent_table(void)
+{
+	struct agent_table	*retval;
+
+	TRACE_IN(init_agent_table);
+	retval = (struct agent_table *)calloc(1, sizeof(struct agent_table));
+	assert(retval != NULL);
+
+	TRACE_OUT(init_agent_table);
+	return (retval);
+}
+
+void
+register_agent(struct agent_table *at, struct agent *a)
+{
+	struct agent **new_agents;
+	size_t new_agents_num;
+
+	TRACE_IN(register_agent);
+	assert(at != NULL);
+	assert(a != NULL);
+	new_agents_num = at->agents_num + 1;
+	new_agents = (struct agent **)malloc(sizeof(struct agent *) *
+		new_agents_num);
+	assert(new_agents != NULL);
+	memcpy(new_agents, at->agents, at->agents_num * sizeof(struct agent *));
+	new_agents[new_agents_num - 1] = a;
+	qsort(new_agents, new_agents_num, sizeof(struct agent *),
+		agent_cmp_func);
+
+	free(at->agents);
+	at->agents = new_agents;
+	at->agents_num = new_agents_num;
+	TRACE_OUT(register_agent);
+}
+
+struct agent *
+find_agent(struct agent_table *at, const char *name, enum agent_type type)
+{
+	struct agent **res;
+	struct agent model, *model_p;
+
+	TRACE_IN(find_agent);
+	model.name = (char *)name;
+	model.type = type;
+	model_p = &model;
+	res = bsearch(&model_p, at->agents, at->agents_num,
+		sizeof(struct agent *), agent_cmp_func);
+
+	TRACE_OUT(find_agent);
+	return ( res == NULL ? NULL : *res);
+}
+
+void
+destroy_agent_table(struct agent_table *at)
+{
+	size_t i;
+
+	TRACE_IN(destroy_agent_table);
+	assert(at != NULL);
+	for (i = 0; i < at->agents_num; ++i) {
+		free(at->agents[i]->name);
+		free(at->agents[i]);
+	}
+
+	free(at->agents);
+	free(at);
+	TRACE_OUT(destroy_agent_table);
+}
diff --git a/usr.sbin/nscd/agent.h b/usr.sbin/nscd/agent.h
new file mode 100644
index 0000000000..1ea540efb2
--- /dev/null
+++ b/usr.sbin/nscd/agent.h
@@ -0,0 +1,72 @@
+/*-
+ * Copyright (c) 2005 Michael Bushkov <bushman@rsu.ru>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD: src/usr.sbin/nscd/agent.h,v 1.3 2007/09/27 12:30:11 bushman Exp $
+ */
+
+#ifndef __NSCD_AGENT_H__
+#define __NSCD_AGENT_H__
+
+/*
+ * Agents are used to perform the actual lookups from the caching daemon.
+ * There are two types of daemons: for common requests and for multipart
+ * requests.
+ * All agents are stored in the agents table, which is the singleton.
+ */
+
+enum agent_type {
+    COMMON_AGENT = 0,
+    MULTIPART_AGENT = 1
+};
+
+struct agent {
+	char	*name;
+	enum agent_type type;
+};
+
+struct common_agent {
+	struct agent	parent;
+	int (*lookup_func)(const char *, size_t, char **, size_t *);
+};
+
+struct multipart_agent {
+	struct agent	parent;
+	void *(*mp_init_func)(void);
+	int (*mp_lookup_func)(char **, size_t *, void *);
+	void (*mp_destroy_func)(void *);
+};
+
+struct agent_table {
+	struct agent	**agents;
+	size_t		agents_num;
+};
+
+extern struct agent_table *init_agent_table(void);
+extern void register_agent(struct agent_table *, struct agent *);
+extern struct agent *find_agent(struct agent_table *, const char *,
+	enum agent_type);
+extern void destroy_agent_table(struct agent_table *);
+
+#endif
diff --git a/usr.sbin/nscd/agents/Makefile.inc b/usr.sbin/nscd/agents/Makefile.inc
new file mode 100644
index 0000000000..4f2c88dae4
--- /dev/null
+++ b/usr.sbin/nscd/agents/Makefile.inc
@@ -0,0 +1,3 @@
+# $FreeBSD: src/usr.sbin/nscd/agents/Makefile.inc,v 1.2 2007/09/27 12:30:10 bushman Exp $
+
+SRCS+=	group.c passwd.c services.c
diff --git a/usr.sbin/nscd/agents/group.c b/usr.sbin/nscd/agents/group.c
new file mode 100644
index 0000000000..43f9356658
--- /dev/null
+++ b/usr.sbin/nscd/agents/group.c
@@ -0,0 +1,257 @@
+/*-
+ * Copyright (c) 2005 Michael Bushkov <bushman@rsu.ru>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD: src/usr.sbin/nscd/agents/group.c,v 1.3 2008/10/23 00:15:00 delphij Exp $
+ */
+
+#include <sys/param.h>
+#include <sys/types.h>
+#include <assert.h>
+#include <nsswitch.h>
+#include <grp.h>
+#include <string.h>
+#include <stdlib.h>
+#include "../debug.h"
+#include "passwd.h"
+
+static int group_marshal_func(struct group *, char *, size_t *);
+static int group_lookup_func(const char *, size_t, char **, size_t *);
+static void *group_mp_init_func(void);
+static int group_mp_lookup_func(char **, size_t *, void *);
+static void group_mp_destroy_func(void *);
+
+static int
+group_marshal_func(struct group *grp, char *buffer, size_t *buffer_size)
+{
+	struct group new_grp;
+	size_t desired_size, size, mem_size;
+	char *p, **mem;
+
+	TRACE_IN(group_marshal_func);
+	desired_size = ALIGNBYTES + sizeof(struct group) + sizeof(char *);
+
+	if (grp->gr_name != NULL)
+		desired_size += strlen(grp->gr_name) + 1;
+	if (grp->gr_passwd != NULL)
+		desired_size += strlen(grp->gr_passwd) + 1;
+
+	if (grp->gr_mem != NULL) {
+		mem_size = 0;
+		for (mem = grp->gr_mem; *mem; ++mem) {
+			desired_size += strlen(*mem) + 1;
+			++mem_size;
+		}
+
+		desired_size += ALIGNBYTES + (mem_size + 1) * sizeof(char *);
+	}
+
+	if ((desired_size > *buffer_size) || (buffer == NULL)) {
+		*buffer_size = desired_size;
+		TRACE_OUT(group_marshal_func);
+		return (NS_RETURN);
+	}
+
+	memcpy(&new_grp, grp, sizeof(struct group));
+	memset(buffer, 0, desired_size);
+
+	*buffer_size = desired_size;
+	p = buffer + sizeof(struct group) + sizeof(char *);
+	memcpy(buffer + sizeof(struct group), &p, sizeof(char *));
+	p = (char *)ALIGN(p);
+
+	if (new_grp.gr_name != NULL) {
+		size = strlen(new_grp.gr_name);
+		memcpy(p, new_grp.gr_name, size);
+		new_grp.gr_name = p;
+		p += size + 1;
+	}
+
+	if (new_grp.gr_passwd != NULL) {
+		size = strlen(new_grp.gr_passwd);
+		memcpy(p, new_grp.gr_passwd, size);
+		new_grp.gr_passwd = p;
+		p += size + 1;
+	}
+
+	if (new_grp.gr_mem != NULL) {
+		p = (char *)ALIGN(p);
+		memcpy(p, new_grp.gr_mem, sizeof(char *) * mem_size);
+		new_grp.gr_mem = (char **)p;
+		p += sizeof(char *) * (mem_size + 1);
+
+		for (mem = new_grp.gr_mem; *mem; ++mem) {
+			size = strlen(*mem);
+			memcpy(p, *mem, size);
+			*mem = p;
+			p += size + 1;
+		}
+	}
+
+	memcpy(buffer, &new_grp, sizeof(struct group));
+	TRACE_OUT(group_marshal_func);
+	return (NS_SUCCESS);
+}
+
+static int
+group_lookup_func(const char *key, size_t key_size, char **buffer,
+	size_t *buffer_size)
+{
+	enum nss_lookup_type lookup_type;
+	char	*name;
+	size_t	size;
+	gid_t	gid;
+
+	struct group *result;
+
+	TRACE_IN(group_lookup_func);
+	assert(buffer != NULL);
+	assert(buffer_size != NULL);
+
+	if (key_size < sizeof(enum nss_lookup_type)) {
+		TRACE_OUT(group_lookup_func);
+		return (NS_UNAVAIL);
+	}
+	memcpy(&lookup_type, key, sizeof(enum nss_lookup_type));
+
+	switch (lookup_type) {
+	case nss_lt_name:
+		size = key_size - sizeof(enum nss_lookup_type)	+ 1;
+		name = (char *)calloc(1, size);
+		assert(name != NULL);
+		memcpy(name, key + sizeof(enum nss_lookup_type), size - 1);
+		break;
+	case nss_lt_id:
+		if (key_size < sizeof(enum nss_lookup_type) +
+			sizeof(gid_t)) {
+			TRACE_OUT(passwd_lookup_func);
+			return (NS_UNAVAIL);
+		}
+
+		memcpy(&gid, key + sizeof(enum nss_lookup_type), sizeof(gid_t));
+		break;
+	default:
+		TRACE_OUT(group_lookup_func);
+		return (NS_UNAVAIL);
+	}
+
+	switch (lookup_type) {
+	case nss_lt_name:
+		TRACE_STR(name);
+		result = getgrnam(name);
+		free(name);
+		break;
+	case nss_lt_id:
+		result = getgrgid(gid);
+		break;
+	default:
+		/* SHOULD NOT BE REACHED */
+		break;
+	}
+
+	if (result != NULL) {
+		group_marshal_func(result, NULL, buffer_size);
+		*buffer = (char *)malloc(*buffer_size);
+		assert(*buffer != NULL);
+		group_marshal_func(result, *buffer, buffer_size);
+	}
+
+	TRACE_OUT(group_lookup_func);
+	return (result == NULL ? NS_NOTFOUND : NS_SUCCESS);
+}
+
+static void *
+group_mp_init_func(void)
+{
+	TRACE_IN(group_mp_init_func);
+	setgrent();
+	TRACE_OUT(group_mp_init_func);
+
+	return (NULL);
+}
+
+static int
+group_mp_lookup_func(char **buffer, size_t *buffer_size, void *mdata)
+{
+	struct group *result;
+
+	TRACE_IN(group_mp_lookup_func);
+	result = getgrent();
+	if (result != NULL) {
+		group_marshal_func(result, NULL, buffer_size);
+		*buffer = (char *)malloc(*buffer_size);
+		assert(*buffer != NULL);
+		group_marshal_func(result, *buffer, buffer_size);
+	}
+
+	TRACE_OUT(group_mp_lookup_func);
+	return (result == NULL ? NS_NOTFOUND : NS_SUCCESS);
+}
+
+static void
+group_mp_destroy_func(void *mdata)
+{
+	TRACE_IN(group_mp_destroy_func);
+	TRACE_OUT(group_mp_destroy_func);
+}
+
+struct agent *
+init_group_agent(void)
+{
+	struct common_agent	*retval;
+
+	TRACE_IN(init_group_agent);
+	retval = (struct common_agent *)calloc(1, sizeof(struct common_agent));
+	assert(retval != NULL);
+
+	retval->parent.name = strdup("group");
+	assert(retval->parent.name != NULL);
+
+	retval->parent.type = COMMON_AGENT;
+	retval->lookup_func = group_lookup_func;
+
+	TRACE_OUT(init_group_agent);
+	return ((struct agent *)retval);
+}
+
+struct agent *
+init_group_mp_agent(void)
+{
+	struct multipart_agent	*retval;
+
+	TRACE_IN(init_group_mp_agent);
+	retval = (struct multipart_agent *)calloc(1,
+		sizeof(struct multipart_agent));
+	assert(retval != NULL);
+
+	retval->parent.name = strdup("group");
+	retval->parent.type = MULTIPART_AGENT;
+	retval->mp_init_func = group_mp_init_func;
+	retval->mp_lookup_func = group_mp_lookup_func;
+	retval->mp_destroy_func = group_mp_destroy_func;
+	assert(retval->parent.name != NULL);
+
+	TRACE_OUT(init_group_mp_agent);
+	return ((struct agent *)retval);
+}
diff --git a/lib/libc/net/getproto.c b/usr.sbin/nscd/agents/group.h
similarity index 57%
copy from lib/libc/net/getproto.c
copy to usr.sbin/nscd/agents/group.h
index e0a0085c50..2759bbd99e 100644
--- a/lib/libc/net/getproto.c
+++ b/usr.sbin/nscd/agents/group.h
@@ -1,6 +1,6 @@
-/*
- * Copyright (c) 1983, 1993
- *	The Regents of the University of California.  All rights reserved.
+/*-
+ * Copyright (c) 2005 Michael Bushkov <bushman@rsu.ru>
+ * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -10,14 +10,11 @@
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
@@ -26,24 +23,10 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * @(#)getproto.c	8.1 (Berkeley) 6/4/93
- * $DragonFly: src/lib/libc/net/getproto.c,v 1.5 2005/11/13 02:04:47 swildner Exp $
+ * $FreeBSD: src/usr.sbin/nscd/agents/group.h,v 1.2 2007/09/27 12:30:10 bushman Exp $
  */
 
-#include <netdb.h>
+#include "../agent.h"
 
-extern int _proto_stayopen;
-
-struct protoent *
-getprotobynumber(int proto)
-{
-	struct protoent *p;
-
-	setprotoent(_proto_stayopen);
-	while ( (p = getprotoent()) )
-		if (p->p_proto == proto)
-			break;
-	if (!_proto_stayopen)
-		endprotoent();
-	return (p);
-}
+extern struct agent *init_group_agent(void);
+extern struct agent *init_group_mp_agent(void);
diff --git a/usr.sbin/nscd/agents/passwd.c b/usr.sbin/nscd/agents/passwd.c
new file mode 100644
index 0000000000..631f655e06
--- /dev/null
+++ b/usr.sbin/nscd/agents/passwd.c
@@ -0,0 +1,264 @@
+/*-
+ * Copyright (c) 2005 Michael Bushkov <bushman@rsu.ru>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD: src/usr.sbin/nscd/agents/passwd.c,v 1.3 2008/10/23 00:15:00 delphij Exp $
+ */
+
+#include <sys/types.h>
+#include <assert.h>
+#include <nsswitch.h>
+#include <pwd.h>
+#include <string.h>
+#include <stdlib.h>
+#include "../debug.h"
+#include "passwd.h"
+
+static int passwd_marshal_func(struct passwd *, char *, size_t *);
+static int passwd_lookup_func(const char *, size_t, char **, size_t *);
+static void *passwd_mp_init_func(void);
+static int passwd_mp_lookup_func(char **, size_t *, void *);
+static void passwd_mp_destroy_func(void *mdata);
+
+static int
+passwd_marshal_func(struct passwd *pwd, char *buffer, size_t *buffer_size)
+{
+	char		*p;
+	struct passwd	new_pwd;
+	size_t		desired_size, size;
+
+	TRACE_IN(passwd_marshal_func);
+	desired_size = sizeof(struct passwd) + sizeof(char *) +
+		strlen(pwd->pw_name) + 1;
+	if (pwd->pw_passwd != NULL)
+		desired_size += strlen(pwd->pw_passwd) + 1;
+	if (pwd->pw_class != NULL)
+		desired_size += strlen(pwd->pw_class) + 1;
+	if (pwd->pw_gecos != NULL)
+		desired_size += strlen(pwd->pw_gecos) + 1;
+	if (pwd->pw_dir != NULL)
+		desired_size += strlen(pwd->pw_dir) + 1;
+	if (pwd->pw_shell != NULL)
+		desired_size += strlen(pwd->pw_shell) + 1;
+
+	if ((*buffer_size < desired_size) || (buffer == NULL)) {
+		*buffer_size = desired_size;
+		TRACE_OUT(passwd_marshal_func);
+		return (NS_RETURN);
+	}
+
+	memcpy(&new_pwd, pwd, sizeof(struct passwd));
+	memset(buffer, 0, desired_size);
+
+	*buffer_size = desired_size;
+	p = buffer + sizeof(struct passwd) + sizeof(char *);
+	memcpy(buffer + sizeof(struct passwd), &p, sizeof(char *));
+
+	if (new_pwd.pw_name != NULL) {
+		size = strlen(new_pwd.pw_name);
+		memcpy(p, new_pwd.pw_name, size);
+		new_pwd.pw_name = p;
+		p += size + 1;
+	}
+
+	if (new_pwd.pw_passwd != NULL) {
+		size = strlen(new_pwd.pw_passwd);
+		memcpy(p, new_pwd.pw_passwd, size);
+		new_pwd.pw_passwd = p;
+		p += size + 1;
+	}
+
+	if (new_pwd.pw_class != NULL) {
+		size = strlen(new_pwd.pw_class);
+		memcpy(p, new_pwd.pw_class, size);
+		new_pwd.pw_class = p;
+		p += size + 1;
+	}
+
+	if (new_pwd.pw_gecos != NULL) {
+		size = strlen(new_pwd.pw_gecos);
+		memcpy(p, new_pwd.pw_gecos, size);
+		new_pwd.pw_gecos = p;
+		p += size + 1;
+	}
+
+	if (new_pwd.pw_dir != NULL) {
+		size = strlen(new_pwd.pw_dir);
+		memcpy(p, new_pwd.pw_dir, size);
+		new_pwd.pw_dir = p;
+		p += size + 1;
+	}
+
+	if (new_pwd.pw_shell != NULL) {
+		size = strlen(new_pwd.pw_shell);
+		memcpy(p, new_pwd.pw_shell, size);
+		new_pwd.pw_shell = p;
+		p += size + 1;
+	}
+
+	memcpy(buffer, &new_pwd, sizeof(struct passwd));
+	TRACE_OUT(passwd_marshal_func);
+	return (NS_SUCCESS);
+}
+
+static int
+passwd_lookup_func(const char *key, size_t key_size, char **buffer,
+	size_t *buffer_size)
+{
+	enum nss_lookup_type lookup_type;
+	char	*login;
+	size_t	size;
+	uid_t	uid;
+
+	struct passwd *result;
+
+	TRACE_IN(passwd_lookup_func);
+	assert(buffer != NULL);
+	assert(buffer_size != NULL);
+
+	if (key_size < sizeof(enum nss_lookup_type)) {
+		TRACE_OUT(passwd_lookup_func);
+		return (NS_UNAVAIL);
+	}
+	memcpy(&lookup_type, key, sizeof(enum nss_lookup_type));
+
+	switch (lookup_type) {
+	case nss_lt_name:
+		size = key_size - sizeof(enum nss_lookup_type)	+ 1;
+		login = (char *)calloc(1, size);
+		assert(login != NULL);
+		memcpy(login, key + sizeof(enum nss_lookup_type), size - 1);
+		break;
+	case nss_lt_id:
+		if (key_size < sizeof(enum nss_lookup_type) +
+			sizeof(uid_t)) {
+			TRACE_OUT(passwd_lookup_func);
+			return (NS_UNAVAIL);
+		}
+
+		memcpy(&uid, key + sizeof(enum nss_lookup_type), sizeof(uid_t));
+		break;
+	default:
+		TRACE_OUT(passwd_lookup_func);
+		return (NS_UNAVAIL);
+	}
+
+	switch (lookup_type) {
+	case nss_lt_name:
+		result = getpwnam(login);
+		free(login);
+		break;
+	case nss_lt_id:
+		result = getpwuid(uid);
+		break;
+	default:
+		/* SHOULD NOT BE REACHED */
+		break;
+	}
+
+	if (result != NULL) {
+		passwd_marshal_func(result, NULL, buffer_size);
+		*buffer = (char *)malloc(*buffer_size);
+		assert(*buffer != NULL);
+		passwd_marshal_func(result, *buffer, buffer_size);
+	}
+
+	TRACE_OUT(passwd_lookup_func);
+	return (result == NULL ? NS_NOTFOUND : NS_SUCCESS);
+}
+
+static void *
+passwd_mp_init_func(void)
+{
+	TRACE_IN(passwd_mp_init_func);
+	setpwent();
+	TRACE_OUT(passwd_mp_init_func);
+
+	return (NULL);
+}
+
+static int
+passwd_mp_lookup_func(char **buffer, size_t *buffer_size, void *mdata)
+{
+	struct passwd	*result;
+
+	TRACE_IN(passwd_mp_lookup_func);
+	result = getpwent();
+	if (result != NULL) {
+		passwd_marshal_func(result, NULL, buffer_size);
+		*buffer = (char *)malloc(*buffer_size);
+		assert(*buffer != NULL);
+		passwd_marshal_func(result, *buffer, buffer_size);
+	}
+
+	TRACE_OUT(passwd_mp_lookup_func);
+	return (result == NULL ? NS_NOTFOUND : NS_SUCCESS);
+}
+
+static void
+passwd_mp_destroy_func(void *mdata)
+{
+	TRACE_IN(passwd_mp_destroy_func);
+	TRACE_OUT(passwd_mp_destroy_func);
+}
+
+struct agent *
+init_passwd_agent(void)
+{
+	struct common_agent	*retval;
+
+	TRACE_IN(init_passwd_agent);
+	retval = (struct common_agent *)calloc(1, sizeof(struct common_agent));
+	assert(retval != NULL);
+
+	retval->parent.name = strdup("passwd");
+	assert(retval->parent.name != NULL);
+
+	retval->parent.type = COMMON_AGENT;
+	retval->lookup_func = passwd_lookup_func;
+
+	TRACE_OUT(init_passwd_agent);
+	return ((struct agent *)retval);
+}
+
+struct agent *
+init_passwd_mp_agent(void)
+{
+	struct multipart_agent	*retval;
+
+	TRACE_IN(init_passwd_mp_agent);
+	retval = (struct multipart_agent *)calloc(1,
+		sizeof(struct multipart_agent));
+	assert(retval != NULL);
+
+	retval->parent.name = strdup("passwd");
+	retval->parent.type = MULTIPART_AGENT;
+	retval->mp_init_func = passwd_mp_init_func;
+	retval->mp_lookup_func = passwd_mp_lookup_func;
+	retval->mp_destroy_func = passwd_mp_destroy_func;
+	assert(retval->parent.name != NULL);
+
+	TRACE_OUT(init_passwd_mp_agent);
+	return ((struct agent *)retval);
+}
diff --git a/lib/libc/net/getproto.c b/usr.sbin/nscd/agents/passwd.h
similarity index 57%
copy from lib/libc/net/getproto.c
copy to usr.sbin/nscd/agents/passwd.h
index e0a0085c50..ae7db896d2 100644
--- a/lib/libc/net/getproto.c
+++ b/usr.sbin/nscd/agents/passwd.h
@@ -1,6 +1,6 @@
-/*
- * Copyright (c) 1983, 1993
- *	The Regents of the University of California.  All rights reserved.
+/*-
+ * Copyright (c) 2005 Michael Bushkov <bushman@rsu.ru>
+ * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -10,14 +10,11 @@
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
@@ -26,24 +23,10 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * @(#)getproto.c	8.1 (Berkeley) 6/4/93
- * $DragonFly: src/lib/libc/net/getproto.c,v 1.5 2005/11/13 02:04:47 swildner Exp $
+ * $FreeBSD: src/usr.sbin/nscd/agents/passwd.h,v 1.2 2007/09/27 12:30:10 bushman Exp $
  */
 
-#include <netdb.h>
+#include "../agent.h"
 
-extern int _proto_stayopen;
-
-struct protoent *
-getprotobynumber(int proto)
-{
-	struct protoent *p;
-
-	setprotoent(_proto_stayopen);
-	while ( (p = getprotoent()) )
-		if (p->p_proto == proto)
-			break;
-	if (!_proto_stayopen)
-		endprotoent();
-	return (p);
-}
+extern struct agent *init_passwd_agent(void);
+extern struct agent *init_passwd_mp_agent(void);
diff --git a/usr.sbin/nscd/agents/services.c b/usr.sbin/nscd/agents/services.c
new file mode 100644
index 0000000000..726cc8d7ff
--- /dev/null
+++ b/usr.sbin/nscd/agents/services.c
@@ -0,0 +1,278 @@
+/*-
+ * Copyright (c) 2005 Michael Bushkov <bushman@rsu.ru>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD: src/usr.sbin/nscd/agents/services.c,v 1.4 2008/10/23 00:15:00 delphij Exp $
+ */
+
+#include <sys/param.h>
+#include <sys/types.h>
+#include <assert.h>
+#include <nsswitch.h>
+#include <netdb.h>
+#include <string.h>
+#include <stdlib.h>
+#include "../debug.h"
+#include "services.h"
+
+static int services_marshal_func(struct servent *, char *, size_t *);
+static int services_lookup_func(const char *, size_t, char **, size_t *);
+static void *services_mp_init_func(void);
+static int services_mp_lookup_func(char **, size_t *, void *);
+static void services_mp_destroy_func(void *);
+
+static int
+services_marshal_func(struct servent *serv, char *buffer, size_t *buffer_size)
+{
+	struct servent	new_serv;
+	size_t	desired_size;
+	char	**alias;
+	char	*p;
+	size_t	size;
+	size_t	aliases_size;
+
+	TRACE_IN(services_marshal_func);
+	desired_size = ALIGNBYTES + sizeof(struct servent) + sizeof(char *);
+	if (serv->s_name != NULL)
+		desired_size += strlen(serv->s_name) + 1;
+	if (serv->s_proto != NULL)
+		desired_size += strlen(serv->s_proto) + 1;
+
+	aliases_size = 0;
+	if (serv->s_aliases != NULL) {
+		for (alias = serv->s_aliases; *alias; ++alias) {
+			desired_size += strlen(*alias) + 1;
+			++aliases_size;
+		}
+
+		desired_size += ALIGNBYTES + sizeof(char *) *
+		    (aliases_size + 1);
+	}
+
+	if ((*buffer_size < desired_size) || (buffer == NULL)) {
+		*buffer_size = desired_size;
+		TRACE_OUT(services_marshal_func);
+		return (NS_RETURN);
+	}
+
+	memcpy(&new_serv, serv, sizeof(struct servent));
+	memset(buffer, 0, desired_size);
+
+	*buffer_size = desired_size;
+	p = buffer + sizeof(struct servent) + sizeof(char *);
+	memcpy(buffer + sizeof(struct servent), &p, sizeof(char *));
+	p = (char *)ALIGN(p);
+
+	if (new_serv.s_name != NULL) {
+		size = strlen(new_serv.s_name);
+		memcpy(p, new_serv.s_name, size);
+		new_serv.s_name = p;
+		p += size + 1;
+	}
+
+	if (new_serv.s_proto != NULL) {
+		size = strlen(new_serv.s_proto);
+		memcpy(p, new_serv.s_proto, size);
+		new_serv.s_proto = p;
+		p += size + 1;
+	}
+
+	if (new_serv.s_aliases != NULL) {
+		p = (char *)ALIGN(p);
+		memcpy(p, new_serv.s_aliases, sizeof(char *) * aliases_size);
+		new_serv.s_aliases = (char **)p;
+		p += sizeof(char *) * (aliases_size + 1);
+
+		for (alias = new_serv.s_aliases; *alias; ++alias) {
+			size = strlen(*alias);
+			memcpy(p, *alias, size);
+			*alias = p;
+			p += size + 1;
+		}
+	}
+
+	memcpy(buffer, &new_serv, sizeof(struct servent));
+	TRACE_OUT(services_marshal_func);
+	return (NS_SUCCESS);
+}
+
+static int
+services_lookup_func(const char *key, size_t key_size, char **buffer,
+	size_t *buffer_size)
+{
+	enum nss_lookup_type lookup_type;
+	char	*name = NULL;
+	char	*proto = NULL;
+	size_t	size, size2;
+	int	port;
+
+	struct servent *result;
+
+	TRACE_IN(services_lookup_func);
+
+	assert(buffer != NULL);
+	assert(buffer_size != NULL);
+
+	if (key_size < sizeof(enum nss_lookup_type)) {
+		TRACE_OUT(passwd_lookup_func);
+		return (NS_UNAVAIL);
+	}
+	memcpy(&lookup_type, key, sizeof(enum nss_lookup_type));
+
+	switch (lookup_type) {
+	case nss_lt_name:
+		size = key_size - sizeof(enum nss_lookup_type);
+		name = (char *)calloc(1, size + 1);
+		assert(name != NULL);
+		memcpy(name, key + sizeof(enum nss_lookup_type), size);
+
+		size2 = strlen(name) + 1;
+
+		if (size2 < size)
+			proto = name + size2;
+		else
+			proto = NULL;
+		break;
+	case nss_lt_id:
+		if (key_size < sizeof(enum nss_lookup_type) +
+			sizeof(int)) {
+			TRACE_OUT(passwd_lookup_func);
+			return (NS_UNAVAIL);
+		}
+
+		memcpy(&port, key + sizeof(enum nss_lookup_type),
+			sizeof(int));
+
+		size = key_size - sizeof(enum nss_lookup_type) - sizeof(int);
+		if (size > 0) {
+			proto = (char *)calloc(1, size + 1);
+			assert(proto != NULL);
+			memcpy(proto, key + sizeof(enum nss_lookup_type) +
+				sizeof(int), size);
+		}
+		break;
+	default:
+		TRACE_OUT(passwd_lookup_func);
+		return (NS_UNAVAIL);
+	}
+
+	switch (lookup_type) {
+	case nss_lt_name:
+		result = getservbyname(name, proto);
+		free(name);
+		break;
+	case nss_lt_id:
+		result = getservbyport(port, proto);
+		free(proto);
+		break;
+	default:
+		/* SHOULD NOT BE REACHED */
+		break;
+	}
+
+	if (result != NULL) {
+		services_marshal_func(result, NULL, buffer_size);
+		*buffer = (char *)malloc(*buffer_size);
+		assert(*buffer != NULL);
+		services_marshal_func(result, *buffer, buffer_size);
+	}
+
+	TRACE_OUT(services_lookup_func);
+	return (result == NULL ? NS_NOTFOUND : NS_SUCCESS);
+}
+
+static void *
+services_mp_init_func(void)
+{
+	TRACE_IN(services_mp_init_func);
+	setservent(0);
+	TRACE_OUT(services_mp_init_func);
+
+	return (NULL);
+}
+
+static int
+services_mp_lookup_func(char **buffer, size_t *buffer_size, void *mdata)
+{
+	struct servent *result;
+
+	TRACE_IN(services_mp_lookup_func);
+	result = getservent();
+	if (result != NULL) {
+		services_marshal_func(result, NULL, buffer_size);
+		*buffer = (char *)malloc(*buffer_size);
+		assert(*buffer != NULL);
+		services_marshal_func(result, *buffer, buffer_size);
+	}
+
+	TRACE_OUT(services_mp_lookup_func);
+	return (result == NULL ? NS_NOTFOUND : NS_SUCCESS);
+}
+
+static void
+services_mp_destroy_func(void *mdata)
+{
+	TRACE_IN(services_mp_destroy_func);
+	TRACE_OUT(services_mp_destroy_func);
+}
+
+struct agent *
+init_services_agent(void)
+{
+	struct common_agent	*retval;
+	TRACE_IN(init_services_agent);
+
+	retval = (struct common_agent *)calloc(1, sizeof(struct common_agent));
+	assert(retval != NULL);
+
+	retval->parent.name = strdup("services");
+	assert(retval->parent.name != NULL);
+
+	retval->parent.type = COMMON_AGENT;
+	retval->lookup_func = services_lookup_func;
+
+	TRACE_OUT(init_services_agent);
+	return ((struct agent *)retval);
+}
+
+struct agent *
+init_services_mp_agent(void)
+{
+	struct multipart_agent	*retval;
+
+	TRACE_IN(init_services_mp_agent);
+	retval = (struct multipart_agent *)calloc(1,
+		sizeof(struct multipart_agent));
+	assert(retval != NULL);
+
+	retval->parent.name = strdup("services");
+	retval->parent.type = MULTIPART_AGENT;
+	retval->mp_init_func = services_mp_init_func;
+	retval->mp_lookup_func = services_mp_lookup_func;
+	retval->mp_destroy_func = services_mp_destroy_func;
+	assert(retval->parent.name != NULL);
+
+	TRACE_OUT(init_services_mp_agent);
+	return ((struct agent *)retval);
+}
diff --git a/lib/libc/net/getproto.c b/usr.sbin/nscd/agents/services.h
similarity index 57%
copy from lib/libc/net/getproto.c
copy to usr.sbin/nscd/agents/services.h
index e0a0085c50..51a659e344 100644
--- a/lib/libc/net/getproto.c
+++ b/usr.sbin/nscd/agents/services.h
@@ -1,6 +1,6 @@
-/*
- * Copyright (c) 1983, 1993
- *	The Regents of the University of California.  All rights reserved.
+/*-
+ * Copyright (c) 2005 Michael Bushkov <bushman@rsu.ru>
+ * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -10,14 +10,11 @@
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
@@ -26,24 +23,10 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * @(#)getproto.c	8.1 (Berkeley) 6/4/93
- * $DragonFly: src/lib/libc/net/getproto.c,v 1.5 2005/11/13 02:04:47 swildner Exp $
+ * $FreeBSD: src/usr.sbin/nscd/agents/services.h,v 1.2 2007/09/27 12:30:10 bushman Exp $
  */
 
-#include <netdb.h>
+#include "../agent.h"
 
-extern int _proto_stayopen;
-
-struct protoent *
-getprotobynumber(int proto)
-{
-	struct protoent *p;
-
-	setprotoent(_proto_stayopen);
-	while ( (p = getprotoent()) )
-		if (p->p_proto == proto)
-			break;
-	if (!_proto_stayopen)
-		endprotoent();
-	return (p);
-}
+extern struct agent *init_services_agent(void);
+extern struct agent *init_services_mp_agent(void);
diff --git a/usr.sbin/nscd/cachelib.c b/usr.sbin/nscd/cachelib.c
new file mode 100644
index 0000000000..4abd1f87dd
--- /dev/null
+++ b/usr.sbin/nscd/cachelib.c
@@ -0,0 +1,1216 @@
+/*-
+ * Copyright (c) 2005 Michael Bushkov <bushman@rsu.ru>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD: src/usr.sbin/nscd/cachelib.c,v 1.4 2008/10/23 00:31:15 delphij Exp $
+ */
+
+#include <sys/time.h>
+#include <assert.h>
+#include <stdlib.h>
+#include <string.h>
+#include "cachelib.h"
+#include "debug.h"
+
+#define INITIAL_ENTRIES_CAPACITY 32
+#define ENTRIES_CAPACITY_STEP 32
+
+#define STRING_SIMPLE_HASH_BODY(in_var, var, a, M)		\
+	for ((var) = 0; *(in_var) != '\0'; ++(in_var))		\
+		(var) = ((a)*(var) + *(in_var)) % (M)
+
+#define STRING_SIMPLE_MP2_HASH_BODY(in_var, var, a, M)		\
+	for ((var) = 0; *(in_var) != 0; ++(in_var))		\
+		(var) = ((a)*(var) + *(in_var)) & (M - 1)
+
+static int cache_elemsize_common_continue_func(struct cache_common_entry_ *,
+	struct cache_policy_item_ *);
+static int cache_lifetime_common_continue_func(struct cache_common_entry_ *,
+	struct cache_policy_item_ *);
+static void clear_cache_entry(struct cache_entry_ *);
+static void destroy_cache_entry(struct cache_entry_ *);
+static void destroy_cache_mp_read_session(struct cache_mp_read_session_ *);
+static void destroy_cache_mp_write_session(struct cache_mp_write_session_ *);
+static int entries_bsearch_cmp_func(const void *, const void *);
+static int entries_qsort_cmp_func(const void *, const void *);
+static struct cache_entry_ ** find_cache_entry_p(struct cache_ *,
+	const char *);
+static void flush_cache_entry(struct cache_entry_ *);
+static void flush_cache_policy(struct cache_common_entry_ *,
+	struct cache_policy_ *, struct cache_policy_ *,
+		int (*)(struct cache_common_entry_ *,
+		struct cache_policy_item_ *));
+static int ht_items_cmp_func(const void *, const void *);
+static int ht_items_fixed_size_left_cmp_func(const void *, const void *);
+static hashtable_index_t ht_item_hash_func(const void *, size_t);
+
+/*
+ * Hashing and comparing routines, that are used with the hash tables
+ */
+static int
+ht_items_cmp_func(const void *p1, const void *p2)
+{
+	struct cache_ht_item_data_ *hp1, *hp2;
+	size_t min_size;
+	int result;
+
+	hp1 = (struct cache_ht_item_data_ *)p1;
+	hp2 = (struct cache_ht_item_data_ *)p2;
+
+	assert(hp1->key != NULL);
+	assert(hp2->key != NULL);
+
+	if (hp1->key_size != hp2->key_size) {
+		min_size = (hp1->key_size < hp2->key_size) ? hp1->key_size :
+			hp2->key_size;
+		result = memcmp(hp1->key, hp2->key, min_size);
+
+		if (result == 0)
+			return ((hp1->key_size < hp2->key_size) ? -1 : 1);
+		else
+			return (result);
+	} else
+		return (memcmp(hp1->key, hp2->key, hp1->key_size));
+}
+
+static int
+ht_items_fixed_size_left_cmp_func(const void *p1, const void *p2)
+{
+	struct cache_ht_item_data_ *hp1, *hp2;
+	size_t min_size;
+	int result;
+
+	hp1 = (struct cache_ht_item_data_ *)p1;
+	hp2 = (struct cache_ht_item_data_ *)p2;
+
+	assert(hp1->key != NULL);
+	assert(hp2->key != NULL);
+
+	if (hp1->key_size != hp2->key_size) {
+		min_size = (hp1->key_size < hp2->key_size) ? hp1->key_size :
+			hp2->key_size;
+		result = memcmp(hp1->key, hp2->key, min_size);
+
+		if (result == 0)
+			if (min_size == hp1->key_size)
+			    return (0);
+			else
+			    return ((hp1->key_size < hp2->key_size) ? -1 : 1);
+		else
+			return (result);
+	} else
+		return (memcmp(hp1->key, hp2->key, hp1->key_size));
+}
+
+static hashtable_index_t
+ht_item_hash_func(const void *p, size_t cache_entries_size)
+{
+	struct cache_ht_item_data_ *hp;
+	size_t i;
+
+	hashtable_index_t retval;
+
+	hp = (struct cache_ht_item_data_ *)p;
+	assert(hp->key != NULL);
+
+	retval = 0;
+	for (i = 0; i < hp->key_size; ++i)
+	    retval = (127 * retval + (unsigned char)hp->key[i]) %
+		cache_entries_size;
+
+	return retval;
+}
+
+HASHTABLE_GENERATE(cache_ht_, cache_ht_item_, struct cache_ht_item_data_, data,
+	ht_item_hash_func, ht_items_cmp_func);
+
+/*
+ * Routines to sort and search the entries by name
+ */
+static int
+entries_bsearch_cmp_func(const void *key, const void *ent)
+{
+
+	assert(key != NULL);
+	assert(ent != NULL);
+
+	return (strcmp((char const *)key,
+		(*(struct cache_entry_ const **)ent)->name));
+}
+
+static int
+entries_qsort_cmp_func(const void *e1, const void *e2)
+{
+
+	assert(e1 != NULL);
+	assert(e2 != NULL);
+
+	return (strcmp((*(struct cache_entry_ const **)e1)->name,
+		(*(struct cache_entry_ const **)e2)->name));
+}
+
+static struct cache_entry_ **
+find_cache_entry_p(struct cache_ *the_cache, const char *entry_name)
+{
+
+	return ((struct cache_entry_ **)(bsearch(entry_name, the_cache->entries,
+		the_cache->entries_size, sizeof(struct cache_entry_ *),
+		entries_bsearch_cmp_func)));
+}
+
+static void
+destroy_cache_mp_write_session(struct cache_mp_write_session_ *ws)
+{
+
+	struct cache_mp_data_item_	*data_item;
+
+	TRACE_IN(destroy_cache_mp_write_session);
+	assert(ws != NULL);
+	while (!TAILQ_EMPTY(&ws->items)) {
+		data_item = TAILQ_FIRST(&ws->items);
+		TAILQ_REMOVE(&ws->items, data_item, entries);
+		free(data_item->value);
+		free(data_item);
+	}
+
+	free(ws);
+	TRACE_OUT(destroy_cache_mp_write_session);
+}
+
+static void
+destroy_cache_mp_read_session(struct cache_mp_read_session_ *rs)
+{
+
+	TRACE_IN(destroy_cache_mp_read_session);
+	assert(rs != NULL);
+	free(rs);
+	TRACE_OUT(destroy_cache_mp_read_session);
+}
+
+static void
+destroy_cache_entry(struct cache_entry_ *entry)
+{
+	struct cache_common_entry_	*common_entry;
+	struct cache_mp_entry_		*mp_entry;
+	struct cache_mp_read_session_	*rs;
+	struct cache_mp_write_session_	*ws;
+	struct cache_ht_item_ *ht_item;
+	struct cache_ht_item_data_ *ht_item_data;
+
+	TRACE_IN(destroy_cache_entry);
+	assert(entry != NULL);
+
+	if (entry->params->entry_type == CET_COMMON) {
+		common_entry = (struct cache_common_entry_ *)entry;
+
+		HASHTABLE_FOREACH(&(common_entry->items), ht_item) {
+			HASHTABLE_ENTRY_FOREACH(ht_item, data, ht_item_data)
+			{
+				free(ht_item_data->key);
+				free(ht_item_data->value);
+			}
+			HASHTABLE_ENTRY_CLEAR(ht_item, data);
+		}
+
+		HASHTABLE_DESTROY(&(common_entry->items), data);
+
+		/* FIFO policy is always first */
+		destroy_cache_fifo_policy(common_entry->policies[0]);
+		switch (common_entry->common_params.policy) {
+		case CPT_LRU:
+			destroy_cache_lru_policy(common_entry->policies[1]);
+			break;
+		case CPT_LFU:
+			destroy_cache_lfu_policy(common_entry->policies[1]);
+			break;
+		default:
+		break;
+		}
+		free(common_entry->policies);
+	} else {
+		mp_entry = (struct cache_mp_entry_ *)entry;
+
+		while (!TAILQ_EMPTY(&mp_entry->ws_head)) {
+			ws = TAILQ_FIRST(&mp_entry->ws_head);
+			TAILQ_REMOVE(&mp_entry->ws_head, ws, entries);
+			destroy_cache_mp_write_session(ws);
+		}
+
+		while (!TAILQ_EMPTY(&mp_entry->rs_head)) {
+			rs = TAILQ_FIRST(&mp_entry->rs_head);
+			TAILQ_REMOVE(&mp_entry->rs_head, rs, entries);
+			destroy_cache_mp_read_session(rs);
+		}
+
+		if (mp_entry->completed_write_session != NULL)
+			destroy_cache_mp_write_session(
+				mp_entry->completed_write_session);
+
+		if (mp_entry->pending_write_session != NULL)
+			destroy_cache_mp_write_session(
+				mp_entry->pending_write_session);
+	}
+
+	free(entry->name);
+	free(entry);
+	TRACE_OUT(destroy_cache_entry);
+}
+
+static void
+clear_cache_entry(struct cache_entry_ *entry)
+{
+	struct cache_mp_entry_		*mp_entry;
+	struct cache_common_entry_	*common_entry;
+	struct cache_ht_item_ *ht_item;
+	struct cache_ht_item_data_ *ht_item_data;
+	struct cache_policy_ *policy;
+	struct cache_policy_item_ *item, *next_item;
+	size_t entry_size;
+	int i;
+
+	if (entry->params->entry_type == CET_COMMON) {
+		common_entry = (struct cache_common_entry_ *)entry;
+
+		entry_size = 0;
+		HASHTABLE_FOREACH(&(common_entry->items), ht_item) {
+			HASHTABLE_ENTRY_FOREACH(ht_item, data, ht_item_data)
+			{
+				free(ht_item_data->key);
+				free(ht_item_data->value);
+			}
+			entry_size += HASHTABLE_ENTRY_SIZE(ht_item, data);
+			HASHTABLE_ENTRY_CLEAR(ht_item, data);
+		}
+
+		common_entry->items_size -= entry_size;
+		for (i = 0; i < common_entry->policies_size; ++i) {
+			policy = common_entry->policies[i];
+
+			next_item = NULL;
+			item = policy->get_first_item_func(policy);
+			while (item != NULL) {
+				next_item = policy->get_next_item_func(policy,
+					item);
+				policy->remove_item_func(policy, item);
+				policy->destroy_item_func(item);
+				item = next_item;
+			}
+		}
+	} else {
+		mp_entry = (struct cache_mp_entry_ *)entry;
+
+		if (mp_entry->rs_size == 0) {
+			if (mp_entry->completed_write_session != NULL) {
+				destroy_cache_mp_write_session(
+					mp_entry->completed_write_session);
+				mp_entry->completed_write_session = NULL;
+			}
+
+			memset(&mp_entry->creation_time, 0,
+				sizeof(struct timeval));
+			memset(&mp_entry->last_request_time, 0,
+				sizeof(struct timeval));
+		}
+	}
+}
+
+/*
+ * When passed to the flush_cache_policy, ensures that all old elements are
+ * deleted.
+ */
+static int
+cache_lifetime_common_continue_func(struct cache_common_entry_ *entry,
+	struct cache_policy_item_ *item)
+{
+
+	return ((item->last_request_time.tv_sec - item->creation_time.tv_sec >
+		entry->common_params.max_lifetime.tv_sec) ? 1: 0);
+}
+
+/*
+ * When passed to the flush_cache_policy, ensures that all elements, that
+ * exceed the size limit, are deleted.
+ */
+static int
+cache_elemsize_common_continue_func(struct cache_common_entry_ *entry,
+	struct cache_policy_item_ *item)
+{
+
+	return ((entry->items_size > entry->common_params.satisf_elemsize) ? 1
+		: 0);
+}
+
+/*
+ * Removes the elements from the cache entry, while the continue_func returns 1.
+ */
+static void
+flush_cache_policy(struct cache_common_entry_ *entry,
+	struct cache_policy_ *policy,
+	struct cache_policy_ *connected_policy,
+	int (*continue_func)(struct cache_common_entry_ *,
+		struct cache_policy_item_ *))
+{
+	struct cache_policy_item_ *item, *next_item, *connected_item;
+	struct cache_ht_item_ *ht_item;
+	struct cache_ht_item_data_ *ht_item_data, ht_key;
+	hashtable_index_t hash;
+
+	assert(policy != NULL);
+
+	next_item = NULL;
+	item = policy->get_first_item_func(policy);
+	while ((item != NULL) && (continue_func(entry, item) == 1)) {
+		next_item = policy->get_next_item_func(policy, item);
+
+		connected_item = item->connected_item;
+		policy->remove_item_func(policy, item);
+
+		memset(&ht_key, 0, sizeof(struct cache_ht_item_data_));
+		ht_key.key = item->key;
+		ht_key.key_size = item->key_size;
+
+		hash = HASHTABLE_CALCULATE_HASH(cache_ht_, &entry->items,
+			&ht_key);
+		assert(hash >= 0);
+		assert(hash < HASHTABLE_ENTRIES_COUNT(&entry->items));
+
+		ht_item = HASHTABLE_GET_ENTRY(&(entry->items), hash);
+		ht_item_data = HASHTABLE_ENTRY_FIND(cache_ht_, ht_item,
+			&ht_key);
+		assert(ht_item_data != NULL);
+		free(ht_item_data->key);
+		free(ht_item_data->value);
+		HASHTABLE_ENTRY_REMOVE(cache_ht_, ht_item, ht_item_data);
+		--entry->items_size;
+
+		policy->destroy_item_func(item);
+
+		if (connected_item != NULL) {
+			connected_policy->remove_item_func(connected_policy,
+				connected_item);
+			connected_policy->destroy_item_func(connected_item);
+		}
+
+		item = next_item;
+	}
+}
+
+static void
+flush_cache_entry(struct cache_entry_ *entry)
+{
+	struct cache_mp_entry_		*mp_entry;
+	struct cache_common_entry_	*common_entry;
+	struct cache_policy_ *policy, *connected_policy;
+
+	connected_policy = NULL;
+	if (entry->params->entry_type == CET_COMMON) {
+		common_entry = (struct cache_common_entry_ *)entry;
+		if ((common_entry->common_params.max_lifetime.tv_sec != 0) ||
+		    (common_entry->common_params.max_lifetime.tv_usec != 0)) {
+
+			policy = common_entry->policies[0];
+			if (common_entry->policies_size > 1)
+				connected_policy = common_entry->policies[1];
+
+			flush_cache_policy(common_entry, policy,
+				connected_policy,
+				cache_lifetime_common_continue_func);
+		}
+
+
+		if ((common_entry->common_params.max_elemsize != 0) &&
+			common_entry->items_size >
+			common_entry->common_params.max_elemsize) {
+
+			if (common_entry->policies_size > 1) {
+				policy = common_entry->policies[1];
+				connected_policy = common_entry->policies[0];
+			} else {
+				policy = common_entry->policies[0];
+				connected_policy = NULL;
+			}
+
+			flush_cache_policy(common_entry, policy,
+				connected_policy,
+				cache_elemsize_common_continue_func);
+		}
+	} else {
+		mp_entry = (struct cache_mp_entry_ *)entry;
+
+		if ((mp_entry->mp_params.max_lifetime.tv_sec != 0)
+			|| (mp_entry->mp_params.max_lifetime.tv_usec != 0)) {
+
+			if (mp_entry->last_request_time.tv_sec -
+				mp_entry->last_request_time.tv_sec >
+				mp_entry->mp_params.max_lifetime.tv_sec)
+				clear_cache_entry(entry);
+		}
+	}
+}
+
+struct cache_ *
+init_cache(struct cache_params const *params)
+{
+	struct cache_ *retval;
+
+	TRACE_IN(init_cache);
+	assert(params != NULL);
+
+	retval = (struct cache_ *)calloc(1, sizeof(struct cache_));
+	assert(retval != NULL);
+
+	assert(params != NULL);
+	memcpy(&retval->params, params, sizeof(struct cache_params));
+
+	retval->entries = (struct cache_entry_ **)calloc(1,
+		sizeof(struct cache_entry_ *) * INITIAL_ENTRIES_CAPACITY);
+	assert(retval->entries != NULL);
+
+	retval->entries_capacity = INITIAL_ENTRIES_CAPACITY;
+	retval->entries_size = 0;
+
+	TRACE_OUT(init_cache);
+	return (retval);
+}
+
+void
+destroy_cache(struct cache_ *the_cache)
+{
+
+	TRACE_IN(destroy_cache);
+	assert(the_cache != NULL);
+
+	if (the_cache->entries != NULL) {
+		size_t i;
+		for (i = 0; i < the_cache->entries_size; ++i)
+			destroy_cache_entry(the_cache->entries[i]);
+
+		free(the_cache->entries);
+	}
+
+	free(the_cache);
+	TRACE_OUT(destroy_cache);
+}
+
+int
+register_cache_entry(struct cache_ *the_cache,
+	struct cache_entry_params const *params)
+{
+	int policies_size;
+	size_t entry_name_size;
+	struct cache_common_entry_	*new_common_entry;
+	struct cache_mp_entry_		*new_mp_entry;
+
+	TRACE_IN(register_cache_entry);
+	assert(the_cache != NULL);
+
+	if (find_cache_entry(the_cache, params->entry_name) != NULL) {
+		TRACE_OUT(register_cache_entry);
+		return (-1);
+	}
+
+	if (the_cache->entries_size == the_cache->entries_capacity) {
+		struct cache_entry_ **new_entries;
+		size_t	new_capacity;
+
+		new_capacity = the_cache->entries_capacity +
+			ENTRIES_CAPACITY_STEP;
+		new_entries = (struct cache_entry_ **)calloc(1,
+			sizeof(struct cache_entry_ *) * new_capacity);
+		assert(new_entries != NULL);
+
+		memcpy(new_entries, the_cache->entries,
+			sizeof(struct cache_entry_ *)
+			* the_cache->entries_size);
+
+		free(the_cache->entries);
+		the_cache->entries = new_entries;
+	}
+
+	entry_name_size = strlen(params->entry_name) + 1;
+	switch (params->entry_type)
+	{
+	case CET_COMMON:
+		new_common_entry = (struct cache_common_entry_ *)calloc(1,
+			sizeof(struct cache_common_entry_));
+		assert(new_common_entry != NULL);
+
+		memcpy(&new_common_entry->common_params, params,
+			sizeof(struct common_cache_entry_params));
+		new_common_entry->params =
+		  (struct cache_entry_params *)&new_common_entry->common_params;
+
+		new_common_entry->common_params.entry_name = (char *)calloc(1,
+			entry_name_size);
+		assert(new_common_entry->common_params.entry_name != NULL);
+		strlcpy(new_common_entry->common_params.entry_name,
+			params->entry_name, entry_name_size);
+		new_common_entry->name =
+			new_common_entry->common_params.entry_name;
+
+		HASHTABLE_INIT(&(new_common_entry->items),
+			struct cache_ht_item_data_, data,
+			new_common_entry->common_params.cache_entries_size);
+
+		if (new_common_entry->common_params.policy == CPT_FIFO)
+			policies_size = 1;
+		else
+			policies_size = 2;
+
+		new_common_entry->policies = (struct cache_policy_ **)calloc(1,
+			sizeof(struct cache_policy_ *) * policies_size);
+		assert(new_common_entry->policies != NULL);
+
+		new_common_entry->policies_size = policies_size;
+		new_common_entry->policies[0] = init_cache_fifo_policy();
+
+		if (policies_size > 1) {
+			switch (new_common_entry->common_params.policy) {
+			case CPT_LRU:
+				new_common_entry->policies[1] =
+					init_cache_lru_policy();
+			break;
+			case CPT_LFU:
+				new_common_entry->policies[1] =
+					init_cache_lfu_policy();
+			break;
+			default:
+			break;
+			}
+		}
+
+		new_common_entry->get_time_func =
+			the_cache->params.get_time_func;
+		the_cache->entries[the_cache->entries_size++] =
+			(struct cache_entry_ *)new_common_entry;
+		break;
+	case CET_MULTIPART:
+		new_mp_entry = (struct cache_mp_entry_ *)calloc(1,
+			sizeof(struct cache_mp_entry_));
+		assert(new_mp_entry != NULL);
+
+		memcpy(&new_mp_entry->mp_params, params,
+			sizeof(struct mp_cache_entry_params));
+		new_mp_entry->params =
+			(struct cache_entry_params *)&new_mp_entry->mp_params;
+
+		new_mp_entry->mp_params.entry_name = (char *)calloc(1,
+			entry_name_size);
+		assert(new_mp_entry->mp_params.entry_name != NULL);
+		strlcpy(new_mp_entry->mp_params.entry_name, params->entry_name,
+			entry_name_size);
+		new_mp_entry->name = new_mp_entry->mp_params.entry_name;
+
+		TAILQ_INIT(&new_mp_entry->ws_head);
+		TAILQ_INIT(&new_mp_entry->rs_head);
+
+		new_mp_entry->get_time_func = the_cache->params.get_time_func;
+		the_cache->entries[the_cache->entries_size++] =
+			(struct cache_entry_ *)new_mp_entry;
+		break;
+	}
+
+
+	qsort(the_cache->entries, the_cache->entries_size,
+		sizeof(struct cache_entry_ *), entries_qsort_cmp_func);
+
+	TRACE_OUT(register_cache_entry);
+	return (0);
+}
+
+int
+unregister_cache_entry(struct cache_ *the_cache, const char *entry_name)
+{
+	struct cache_entry_ **del_ent;
+
+	TRACE_IN(unregister_cache_entry);
+	assert(the_cache != NULL);
+
+	del_ent = find_cache_entry_p(the_cache, entry_name);
+	if (del_ent != NULL) {
+		destroy_cache_entry(*del_ent);
+		--the_cache->entries_size;
+
+		memmove(del_ent, del_ent + 1,
+			(&(the_cache->entries[--the_cache->entries_size]) -
+			del_ent) * sizeof(struct cache_entry_ *));
+
+		TRACE_OUT(unregister_cache_entry);
+		return (0);
+	} else {
+		TRACE_OUT(unregister_cache_entry);
+		return (-1);
+	}
+}
+
+struct cache_entry_ *
+find_cache_entry(struct cache_ *the_cache, const char *entry_name)
+{
+	struct cache_entry_ **result;
+
+	TRACE_IN(find_cache_entry);
+	result = find_cache_entry_p(the_cache, entry_name);
+
+	if (result == NULL) {
+		TRACE_OUT(find_cache_entry);
+		return (NULL);
+	} else {
+		TRACE_OUT(find_cache_entry);
+		return (*result);
+	}
+}
+
+/*
+ * Tries to read the element with the specified key from the cache. If the
+ * value_size is too small, it will be filled with the proper number, and
+ * the user will need to call cache_read again with the value buffer, that
+ * is large enough.
+ * Function returns 0 on success, -1 on error, and -2 if the value_size is too
+ * small.
+ */
+int
+cache_read(struct cache_entry_ *entry, const char *key, size_t key_size,
+	char *value, size_t *value_size)
+{
+	struct cache_common_entry_	*common_entry;
+	struct cache_ht_item_data_	item_data, *find_res;
+	struct cache_ht_item_		*item;
+	hashtable_index_t	hash;
+	struct cache_policy_item_ *connected_item;
+
+	TRACE_IN(cache_read);
+	assert(entry != NULL);
+	assert(key != NULL);
+	assert(value_size != NULL);
+	assert(entry->params->entry_type == CET_COMMON);
+
+	common_entry = (struct cache_common_entry_ *)entry;
+
+	memset(&item_data, 0, sizeof(struct cache_ht_item_data_));
+	/* can't avoid the cast here */
+	item_data.key = (char *)key;
+	item_data.key_size = key_size;
+
+	hash = HASHTABLE_CALCULATE_HASH(cache_ht_, &common_entry->items,
+		&item_data);
+	assert(hash >= 0);
+	assert(hash < HASHTABLE_ENTRIES_COUNT(&common_entry->items));
+
+	item = HASHTABLE_GET_ENTRY(&(common_entry->items), hash);
+	find_res = HASHTABLE_ENTRY_FIND(cache_ht_, item, &item_data);
+	if (find_res == NULL) {
+		TRACE_OUT(cache_read);
+		return (-1);
+	}
+
+	if ((common_entry->common_params.max_lifetime.tv_sec != 0) ||
+		(common_entry->common_params.max_lifetime.tv_usec != 0)) {
+
+		if (find_res->fifo_policy_item->last_request_time.tv_sec -
+			find_res->fifo_policy_item->creation_time.tv_sec >
+			common_entry->common_params.max_lifetime.tv_sec) {
+
+			free(find_res->key);
+			free(find_res->value);
+
+			connected_item =
+			    find_res->fifo_policy_item->connected_item;
+			if (connected_item != NULL) {
+				common_entry->policies[1]->remove_item_func(
+					common_entry->policies[1],
+					connected_item);
+				common_entry->policies[1]->destroy_item_func(
+					connected_item);
+			}
+
+			common_entry->policies[0]->remove_item_func(
+				common_entry->policies[0],
+					find_res->fifo_policy_item);
+			common_entry->policies[0]->destroy_item_func(
+				find_res->fifo_policy_item);
+
+			HASHTABLE_ENTRY_REMOVE(cache_ht_, item, find_res);
+			--common_entry->items_size;
+		}
+	}
+
+	if ((*value_size < find_res->value_size) || (value == NULL)) {
+		*value_size = find_res->value_size;
+		TRACE_OUT(cache_read);
+		return (-2);
+	}
+
+	*value_size = find_res->value_size;
+	memcpy(value, find_res->value, find_res->value_size);
+
+	++find_res->fifo_policy_item->request_count;
+	common_entry->get_time_func(
+		&find_res->fifo_policy_item->last_request_time);
+	common_entry->policies[0]->update_item_func(common_entry->policies[0],
+		find_res->fifo_policy_item);
+
+	if (find_res->fifo_policy_item->connected_item != NULL) {
+		connected_item = find_res->fifo_policy_item->connected_item;
+		memcpy(&connected_item->last_request_time,
+			&find_res->fifo_policy_item->last_request_time,
+			sizeof(struct timeval));
+		connected_item->request_count =
+			find_res->fifo_policy_item->request_count;
+
+		common_entry->policies[1]->update_item_func(
+			common_entry->policies[1], connected_item);
+	}
+
+	TRACE_OUT(cache_read);
+	return (0);
+}
+
+/*
+ * Writes the value with the specified key into the cache entry.
+ * Functions returns 0 on success, and -1 on error.
+ */
+int
+cache_write(struct cache_entry_ *entry, const char *key, size_t key_size,
+	char const *value, size_t value_size)
+{
+	struct cache_common_entry_	*common_entry;
+	struct cache_ht_item_data_	item_data, *find_res;
+	struct cache_ht_item_		*item;
+	hashtable_index_t	hash;
+
+	struct cache_policy_		*policy, *connected_policy;
+	struct cache_policy_item_	*policy_item;
+	struct cache_policy_item_	*connected_policy_item;
+
+	TRACE_IN(cache_write);
+	assert(entry != NULL);
+	assert(key != NULL);
+	assert(value != NULL);
+	assert(entry->params->entry_type == CET_COMMON);
+
+	common_entry = (struct cache_common_entry_ *)entry;
+
+	memset(&item_data, 0, sizeof(struct cache_ht_item_data_));
+	/* can't avoid the cast here */
+	item_data.key = (char *)key;
+	item_data.key_size = key_size;
+
+	hash = HASHTABLE_CALCULATE_HASH(cache_ht_, &common_entry->items,
+		&item_data);
+	assert(hash >= 0);
+	assert(hash < HASHTABLE_ENTRIES_COUNT(&common_entry->items));
+
+	item = HASHTABLE_GET_ENTRY(&(common_entry->items), hash);
+	find_res = HASHTABLE_ENTRY_FIND(cache_ht_, item, &item_data);
+	if (find_res != NULL) {
+		TRACE_OUT(cache_write);
+		return (-1);
+	}
+
+	item_data.key = (char *)malloc(key_size);
+	memcpy(item_data.key, key, key_size);
+
+	item_data.value = (char *)malloc(value_size);
+	assert(item_data.value != NULL);
+
+	memcpy(item_data.value, value, value_size);
+	item_data.value_size = value_size;
+
+	policy_item = common_entry->policies[0]->create_item_func();
+	policy_item->key = item_data.key;
+	policy_item->key_size = item_data.key_size;
+	common_entry->get_time_func(&policy_item->creation_time);
+
+	if (common_entry->policies_size > 1) {
+		connected_policy_item =
+			common_entry->policies[1]->create_item_func();
+		memcpy(&connected_policy_item->creation_time,
+			&policy_item->creation_time,
+			sizeof(struct timeval));
+		connected_policy_item->key = policy_item->key;
+		connected_policy_item->key_size = policy_item->key_size;
+
+		connected_policy_item->connected_item = policy_item;
+		policy_item->connected_item = connected_policy_item;
+	}
+
+	item_data.fifo_policy_item = policy_item;
+
+	common_entry->policies[0]->add_item_func(common_entry->policies[0],
+		policy_item);
+	if (common_entry->policies_size > 1)
+		common_entry->policies[1]->add_item_func(
+			common_entry->policies[1], connected_policy_item);
+
+	HASHTABLE_ENTRY_STORE(cache_ht_, item, &item_data);
+	++common_entry->items_size;
+
+	if ((common_entry->common_params.max_elemsize != 0) &&
+		(common_entry->items_size >
+		common_entry->common_params.max_elemsize)) {
+		if (common_entry->policies_size > 1) {
+			policy = common_entry->policies[1];
+			connected_policy = common_entry->policies[0];
+		} else {
+			policy = common_entry->policies[0];
+			connected_policy = NULL;
+		}
+
+		flush_cache_policy(common_entry, policy, connected_policy,
+			cache_elemsize_common_continue_func);
+	}
+
+	TRACE_OUT(cache_write);
+	return (0);
+}
+
+/*
+ * Initializes the write session for the specified multipart entry. This
+ * session then should be filled with data either committed or abandoned by
+ * using close_cache_mp_write_session or abandon_cache_mp_write_session
+ * respectively.
+ * Returns NULL on errors (when there are too many opened write sessions for
+ * the entry).
+ */
+struct cache_mp_write_session_ *
+open_cache_mp_write_session(struct cache_entry_ *entry)
+{
+	struct cache_mp_entry_	*mp_entry;
+	struct cache_mp_write_session_	*retval;
+
+	TRACE_IN(open_cache_mp_write_session);
+	assert(entry != NULL);
+	assert(entry->params->entry_type == CET_MULTIPART);
+	mp_entry = (struct cache_mp_entry_ *)entry;
+
+	if ((mp_entry->mp_params.max_sessions > 0) &&
+		(mp_entry->ws_size == mp_entry->mp_params.max_sessions)) {
+		TRACE_OUT(open_cache_mp_write_session);
+		return (NULL);
+	}
+
+	retval = (struct cache_mp_write_session_ *)calloc(1,
+		sizeof(struct cache_mp_write_session_));
+	assert(retval != NULL);
+
+	TAILQ_INIT(&retval->items);
+	retval->parent_entry = mp_entry;
+
+	TAILQ_INSERT_HEAD(&mp_entry->ws_head, retval, entries);
+	++mp_entry->ws_size;
+
+	TRACE_OUT(open_cache_mp_write_session);
+	return (retval);
+}
+
+/*
+ * Writes data to the specified session. Return 0 on success and -1 on errors
+ * (when write session size limit is exceeded).
+ */
+int
+cache_mp_write(struct cache_mp_write_session_ *ws, char *data,
+	size_t data_size)
+{
+	struct cache_mp_data_item_	*new_item;
+
+	TRACE_IN(cache_mp_write);
+	assert(ws != NULL);
+	assert(ws->parent_entry != NULL);
+	assert(ws->parent_entry->params->entry_type == CET_MULTIPART);
+
+	if ((ws->parent_entry->mp_params.max_elemsize > 0) &&
+		(ws->parent_entry->mp_params.max_elemsize == ws->items_size)) {
+		TRACE_OUT(cache_mp_write);
+		return (-1);
+	}
+
+	new_item = (struct cache_mp_data_item_ *)calloc(1,
+		sizeof(struct cache_mp_data_item_));
+	assert(new_item != NULL);
+
+	new_item->value = (char *)malloc(data_size);
+	assert(new_item->value != NULL);
+	memcpy(new_item->value, data, data_size);
+	new_item->value_size = data_size;
+
+	TAILQ_INSERT_TAIL(&ws->items, new_item, entries);
+	++ws->items_size;
+
+	TRACE_OUT(cache_mp_write);
+	return (0);
+}
+
+/*
+ * Abandons the write session and frees all the connected resources.
+ */
+void
+abandon_cache_mp_write_session(struct cache_mp_write_session_ *ws)
+{
+
+	TRACE_IN(abandon_cache_mp_write_session);
+	assert(ws != NULL);
+	assert(ws->parent_entry != NULL);
+	assert(ws->parent_entry->params->entry_type == CET_MULTIPART);
+
+	TAILQ_REMOVE(&ws->parent_entry->ws_head, ws, entries);
+	--ws->parent_entry->ws_size;
+
+	destroy_cache_mp_write_session(ws);
+	TRACE_OUT(abandon_cache_mp_write_session);
+}
+
+/*
+ * Commits the session to the entry, for which it was created.
+ */
+void
+close_cache_mp_write_session(struct cache_mp_write_session_ *ws)
+{
+
+	TRACE_IN(close_cache_mp_write_session);
+	assert(ws != NULL);
+	assert(ws->parent_entry != NULL);
+	assert(ws->parent_entry->params->entry_type == CET_MULTIPART);
+
+	TAILQ_REMOVE(&ws->parent_entry->ws_head, ws, entries);
+	--ws->parent_entry->ws_size;
+
+	if (ws->parent_entry->completed_write_session == NULL) {
+		/*
+		 * If there is no completed session yet, this will be the one
+		 */
+		ws->parent_entry->get_time_func(
+			&ws->parent_entry->creation_time);
+		ws->parent_entry->completed_write_session = ws;
+	} else {
+		/*
+		 * If there is a completed session, then we'll save our session
+		 * as a pending session. If there is already a pending session,
+		 * it would be destroyed.
+		 */
+		if (ws->parent_entry->pending_write_session != NULL)
+			destroy_cache_mp_write_session(
+				ws->parent_entry->pending_write_session);
+
+		ws->parent_entry->pending_write_session = ws;
+	}
+	TRACE_OUT(close_cache_mp_write_session);
+}
+
+/*
+ * Opens read session for the specified entry. Returns NULL on errors (when
+ * there are no data in the entry, or the data are obsolete).
+ */
+struct cache_mp_read_session_ *
+open_cache_mp_read_session(struct cache_entry_ *entry)
+{
+	struct cache_mp_entry_			*mp_entry;
+	struct cache_mp_read_session_	*retval;
+
+	TRACE_IN(open_cache_mp_read_session);
+	assert(entry != NULL);
+	assert(entry->params->entry_type == CET_MULTIPART);
+	mp_entry = (struct cache_mp_entry_ *)entry;
+
+	if (mp_entry->completed_write_session == NULL) {
+		TRACE_OUT(open_cache_mp_read_session);
+		return (NULL);
+	}
+
+	if ((mp_entry->mp_params.max_lifetime.tv_sec != 0)
+		|| (mp_entry->mp_params.max_lifetime.tv_usec != 0)) {
+		if (mp_entry->last_request_time.tv_sec -
+			mp_entry->last_request_time.tv_sec >
+			mp_entry->mp_params.max_lifetime.tv_sec) {
+			flush_cache_entry(entry);
+			TRACE_OUT(open_cache_mp_read_session);
+			return (NULL);
+		}
+	}
+
+	retval = (struct cache_mp_read_session_ *)calloc(1,
+		sizeof(struct cache_mp_read_session_));
+	assert(retval != NULL);
+
+	retval->parent_entry = mp_entry;
+	retval->current_item = TAILQ_FIRST(
+		&mp_entry->completed_write_session->items);
+
+	TAILQ_INSERT_HEAD(&mp_entry->rs_head, retval, entries);
+	++mp_entry->rs_size;
+
+	mp_entry->get_time_func(&mp_entry->last_request_time);
+	TRACE_OUT(open_cache_mp_read_session);
+	return (retval);
+}
+
+/*
+ * Reads the data from the read session - step by step.
+ * Returns 0 on success, -1 on error (when there are no more data), and -2 if
+ * the data_size is too small.  In the last case, data_size would be filled
+ * the proper value.
+ */
+int
+cache_mp_read(struct cache_mp_read_session_ *rs, char *data, size_t *data_size)
+{
+
+	TRACE_IN(cache_mp_read);
+	assert(rs != NULL);
+
+	if (rs->current_item == NULL) {
+		TRACE_OUT(cache_mp_read);
+		return (-1);
+	}
+
+	if (rs->current_item->value_size > *data_size) {
+		*data_size = rs->current_item->value_size;
+		if (data == NULL) {
+			TRACE_OUT(cache_mp_read);
+			return (0);
+		}
+
+		TRACE_OUT(cache_mp_read);
+		return (-2);
+	}
+
+	*data_size = rs->current_item->value_size;
+	memcpy(data, rs->current_item->value, rs->current_item->value_size);
+	rs->current_item = TAILQ_NEXT(rs->current_item, entries);
+
+	TRACE_OUT(cache_mp_read);
+	return (0);
+}
+
+/*
+ * Closes the read session. If there are no more read sessions and there is
+ * a pending write session, it will be committed and old
+ * completed_write_session will be destroyed.
+ */
+void
+close_cache_mp_read_session(struct cache_mp_read_session_ *rs)
+{
+
+	TRACE_IN(close_cache_mp_read_session);
+	assert(rs != NULL);
+	assert(rs->parent_entry != NULL);
+
+	TAILQ_REMOVE(&rs->parent_entry->rs_head, rs, entries);
+	--rs->parent_entry->rs_size;
+
+	if ((rs->parent_entry->rs_size == 0) &&
+		(rs->parent_entry->pending_write_session != NULL)) {
+		destroy_cache_mp_write_session(
+			rs->parent_entry->completed_write_session);
+		rs->parent_entry->completed_write_session =
+			rs->parent_entry->pending_write_session;
+		rs->parent_entry->pending_write_session = NULL;
+	}
+
+	destroy_cache_mp_read_session(rs);
+	TRACE_OUT(close_cache_mp_read_session);
+}
+
+int
+transform_cache_entry(struct cache_entry_ *entry,
+	enum cache_transformation_t transformation)
+{
+
+	TRACE_IN(transform_cache_entry);
+	switch (transformation) {
+	case CTT_CLEAR:
+		clear_cache_entry(entry);
+		TRACE_OUT(transform_cache_entry);
+		return (0);
+	case CTT_FLUSH:
+		flush_cache_entry(entry);
+		TRACE_OUT(transform_cache_entry);
+		return (0);
+	default:
+		TRACE_OUT(transform_cache_entry);
+		return (-1);
+	}
+}
+
+int
+transform_cache_entry_part(struct cache_entry_ *entry,
+	enum cache_transformation_t transformation, const char *key_part,
+	size_t key_part_size, enum part_position_t part_position)
+{
+	struct cache_common_entry_ *common_entry;
+	struct cache_ht_item_ *ht_item;
+	struct cache_ht_item_data_ *ht_item_data, ht_key;
+
+	struct cache_policy_item_ *item, *connected_item;
+
+	TRACE_IN(transform_cache_entry_part);
+	if (entry->params->entry_type != CET_COMMON) {
+		TRACE_OUT(transform_cache_entry_part);
+		return (-1);
+	}
+
+	if (transformation != CTT_CLEAR) {
+		TRACE_OUT(transform_cache_entry_part);
+		return (-1);
+	}
+
+	memset(&ht_key, 0, sizeof(struct cache_ht_item_data_));
+	ht_key.key = (char *)key_part;	/* can't avoid casting here */
+	ht_key.key_size = key_part_size;
+
+	common_entry = (struct cache_common_entry_ *)entry;
+	HASHTABLE_FOREACH(&(common_entry->items), ht_item) {
+		do {
+			ht_item_data = HASHTABLE_ENTRY_FIND_SPECIAL(cache_ht_,
+				ht_item, &ht_key,
+				ht_items_fixed_size_left_cmp_func);
+
+			if (ht_item_data != NULL) {
+			    item = ht_item_data->fifo_policy_item;
+			    connected_item = item->connected_item;
+
+			    common_entry->policies[0]->remove_item_func(
+				common_entry->policies[0],
+				item);
+
+			    free(ht_item_data->key);
+			    free(ht_item_data->value);
+			    HASHTABLE_ENTRY_REMOVE(cache_ht_, ht_item,
+				ht_item_data);
+			    --common_entry->items_size;
+
+			    common_entry->policies[0]->destroy_item_func(
+				item);
+			    if (common_entry->policies_size == 2) {
+				common_entry->policies[1]->remove_item_func(
+				    common_entry->policies[1],
+				    connected_item);
+				common_entry->policies[1]->destroy_item_func(
+				    connected_item);
+			    }
+			}
+		} while (ht_item_data != NULL);
+	}
+
+	TRACE_OUT(transform_cache_entry_part);
+	return (0);
+}
diff --git a/usr.sbin/nscd/cachelib.h b/usr.sbin/nscd/cachelib.h
new file mode 100644
index 0000000000..5671b13e6d
--- /dev/null
+++ b/usr.sbin/nscd/cachelib.h
@@ -0,0 +1,281 @@
+/*-
+ * Copyright (c) 2005 Michael Bushkov <bushman@rsu.ru>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD: src/usr.sbin/nscd/cachelib.h,v 1.3 2007/09/27 12:30:11 bushman Exp $
+ */
+
+#ifndef __NSCD_CACHELIB_H__
+#define __NSCD_CACHELIB_H__
+
+#include <sys/queue.h>
+#include <sys/time.h>
+#include <stdlib.h>
+#include "hashtable.h"
+#include "cacheplcs.h"
+
+enum cache_entry_t	{
+	CET_COMMON = 0,	/* cache item is atomic */
+	CET_MULTIPART	/* cache item is formed part by part */
+};
+
+enum cache_transformation_t {
+	CTT_FLUSH = 0,	/* flush the cache - delete all obsolete items */
+	CTT_CLEAR = 1	/* delete all items in the cache */
+};
+
+/* cache deletion policy type enum */
+enum cache_policy_t {
+	CPT_FIFO = 0, 	/* first-in first-out */
+	CPT_LRU = 1,	/* least recently used */
+	CPT_LFU = 2 	/* least frequently used */
+};
+
+/* multipart sessions can be used for reading and writing */
+enum cache_mp_session_t {
+	CMPT_READ_SESSION,
+	CMPT_WRITE_SESSION
+};
+
+/*
+ * When doing partial transformations of entries (which are applied for
+ * elements with keys, that contain specified buffer in its left or
+ * right part), this enum will show the needed position of the key part.
+ */
+enum part_position_t {
+	KPPT_LEFT,
+	KPPT_RIGHT
+};
+
+/* num_levels attribute is obsolete, i think - user can always emulate it
+ * by using one entry.
+ * get_time_func is needed to have the clocks-independent counter
+ */
+struct cache_params
+{
+	void	(*get_time_func)(struct timeval *);
+};
+
+/*
+ * base structure - normal_cache_entry_params and multipart_cache_entry_params
+ * are "inherited" from it
+ */
+struct cache_entry_params
+{
+	enum cache_entry_t entry_type;
+	char	*entry_name;
+};
+
+/* params, used for most entries */
+struct common_cache_entry_params
+{
+	/* inherited fields */
+	enum cache_entry_t	entry_type;
+
+	/* unique fields */
+	char	*entry_name;
+	size_t	cache_entries_size;
+
+	size_t	max_elemsize;		/* if 0 then no check is made */
+	size_t	satisf_elemsize;	/* if entry size is exceeded,
+					 * this number of elements will be left,
+					 * others will be deleted */
+	struct timeval	max_lifetime;	/* if 0 then no check is made */
+	enum cache_policy_t policy;	/* policy used for transformations */
+};
+
+/* params, used for multipart entries */
+struct	mp_cache_entry_params
+{
+	/* inherited fields */
+	enum cache_entry_t entry_type;
+	char	*entry_name;
+
+	/* unique fields */
+	size_t	max_elemsize;	/* if 0 then no check is made */
+	size_t	max_sessions;	/* maximum number of active sessions */
+
+	struct timeval	max_lifetime;	/* maximum elements lifetime */
+};
+
+struct cache_ht_item_data_
+{
+	/* key is the bytes sequence only - not the null-terminated string */
+	char	*key;
+	size_t	key_size;
+
+	char	*value;
+	size_t	value_size;
+
+	struct cache_policy_item_ *fifo_policy_item;
+};
+
+struct cache_ht_item_
+{
+	HASHTABLE_ENTRY_HEAD(ht_item_, struct cache_ht_item_data_) data;
+};
+
+struct cache_entry_
+{
+	char	*name;
+	struct cache_entry_params *params;
+};
+
+struct cache_common_entry_
+{
+	char	*name;
+	struct cache_entry_params *params;
+
+	struct common_cache_entry_params common_params;
+
+	HASHTABLE_HEAD(cache_ht_, cache_ht_item_) items;
+	size_t items_size;
+
+	/*
+	 * Entry always has the FIFO policy, that is used to eliminate old
+	 * elements (the ones, with lifetime more than max_lifetime). Besides,
+	 * user can specify another policy to be applied, when there are too
+	 * many elements in the entry. So policies_size can be 1 or 2.
+	 */
+	struct cache_policy_ **policies;
+	size_t policies_size;
+
+	void	(*get_time_func)(struct timeval *);
+};
+
+struct cache_mp_data_item_ {
+	char	*value;
+	size_t	value_size;
+
+	TAILQ_ENTRY(cache_mp_data_item_) entries;
+};
+
+struct cache_mp_write_session_
+{
+	struct cache_mp_entry_	*parent_entry;
+
+	/*
+	 * All items are accumulated in this queue. When the session is
+	 * committed, they all will be copied to the multipart entry.
+	 */
+	TAILQ_HEAD(cache_mp_data_item_head, cache_mp_data_item_) items;
+	size_t	items_size;
+
+	TAILQ_ENTRY(cache_mp_write_session_) entries;
+};
+
+struct cache_mp_read_session_
+{
+	struct cache_mp_entry_ *parent_entry;
+	struct cache_mp_data_item_ *current_item;
+
+	TAILQ_ENTRY(cache_mp_read_session_) entries;
+};
+
+struct cache_mp_entry_
+{
+	char	*name;
+	struct cache_entry_params *params;
+
+	struct mp_cache_entry_params mp_params;
+
+	/* All opened write sessions */
+	TAILQ_HEAD(write_sessions_head, cache_mp_write_session_) ws_head;
+	size_t	ws_size;
+
+	/* All opened read sessions */
+	TAILQ_HEAD(read_sessions_head, cache_mp_read_session_) rs_head;
+	size_t	rs_size;
+
+	/*
+	 * completed_write_session is the committed write sessions. All read
+	 * sessions use data from it. If the completed_write_session is out of
+	 * date, but still in use by some of the read sessions, the newly
+	 * committed write session is stored in the pending_write_session.
+	 * In such a case, completed_write_session will be substituted with
+	 * pending_write_session as soon as it won't be used by any of
+	 * the read sessions.
+	 */
+	struct cache_mp_write_session_	*completed_write_session;
+	struct cache_mp_write_session_	*pending_write_session;
+	struct timeval	creation_time;
+	struct timeval	last_request_time;
+
+	void	(*get_time_func)(struct timeval *);
+};
+
+struct cache_
+{
+	struct cache_params params;
+
+	struct cache_entry_ **entries;
+	size_t	entries_capacity;
+	size_t	entries_size;
+};
+
+/* simple abstractions - for not to write "struct" every time */
+typedef struct cache_		*cache;
+typedef struct cache_entry_	*cache_entry;
+typedef struct cache_mp_write_session_	*cache_mp_write_session;
+typedef struct cache_mp_read_session_	*cache_mp_read_session;
+
+#define INVALID_CACHE		(NULL)
+#define INVALID_CACHE_ENTRY	(NULL)
+#define INVALID_CACHE_MP_WRITE_SESSION	(NULL)
+#define INVALID_CACHE_MP_READ_SESSION	(NULL)
+
+/*
+ * NOTE: all cache operations are thread-unsafe. You must ensure thread-safety
+ * externally, by yourself.
+ */
+
+/* cache initialization/destruction routines */
+extern cache init_cache(struct cache_params const *);
+extern void destroy_cache(cache);
+
+/* cache entries manipulation routines */
+extern int register_cache_entry(cache, struct cache_entry_params const *);
+extern int unregister_cache_entry(cache, const char *);
+extern cache_entry find_cache_entry(cache, const char *);
+
+/* read/write operations used on common entries */
+extern int cache_read(cache_entry, const char *, size_t, char *, size_t *);
+extern int cache_write(cache_entry, const char *, size_t, char const *, size_t);
+
+/* read/write operations used on multipart entries */
+extern cache_mp_write_session open_cache_mp_write_session(cache_entry);
+extern int cache_mp_write(cache_mp_write_session, char *, size_t);
+extern void abandon_cache_mp_write_session(cache_mp_write_session);
+extern void close_cache_mp_write_session(cache_mp_write_session);
+
+extern cache_mp_read_session open_cache_mp_read_session(cache_entry);
+extern int cache_mp_read(cache_mp_read_session, char *, size_t *);
+extern void close_cache_mp_read_session(cache_mp_read_session);
+
+/* transformation routines */
+extern int transform_cache_entry(cache_entry, enum cache_transformation_t);
+extern int transform_cache_entry_part(cache_entry, enum cache_transformation_t,
+	const char *, size_t, enum part_position_t);
+
+#endif
diff --git a/usr.sbin/nscd/cacheplcs.c b/usr.sbin/nscd/cacheplcs.c
new file mode 100644
index 0000000000..259a8bb66a
--- /dev/null
+++ b/usr.sbin/nscd/cacheplcs.c
@@ -0,0 +1,584 @@
+/*-
+ * Copyright (c) 2005 Michael Bushkov <bushman@rsu.ru>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD: src/usr.sbin/nscd/cacheplcs.c,v 1.3 2008/10/12 00:44:27 delphij Exp $
+ */
+
+#include <assert.h>
+#include <string.h>
+#include "cacheplcs.h"
+#include "debug.h"
+
+static void cache_fifo_policy_update_item(struct cache_policy_ *,
+	struct cache_policy_item_ *);
+static void cache_lfu_policy_add_item(struct cache_policy_ *,
+	struct cache_policy_item_ *);
+static struct cache_policy_item_ * cache_lfu_policy_create_item(void);
+static void cache_lfu_policy_destroy_item(struct cache_policy_item_ *);
+static struct cache_policy_item_ *cache_lfu_policy_get_first_item(
+	struct cache_policy_ *);
+static struct cache_policy_item_ *cache_lfu_policy_get_last_item(
+	struct cache_policy_ *);
+static struct cache_policy_item_ *cache_lfu_policy_get_next_item(
+	struct cache_policy_ *, struct cache_policy_item_ *);
+static struct cache_policy_item_ *cache_lfu_policy_get_prev_item(
+	struct cache_policy_ *, struct cache_policy_item_ *);
+static void cache_lfu_policy_remove_item(struct cache_policy_ *,
+	struct cache_policy_item_ *);
+static void cache_lfu_policy_update_item(struct cache_policy_ *,
+	struct cache_policy_item_ *);
+static void cache_lru_policy_update_item(struct cache_policy_ *,
+	struct cache_policy_item_ *);
+static void cache_queue_policy_add_item(struct cache_policy_ *,
+	struct cache_policy_item_ *);
+static struct cache_policy_item_ * cache_queue_policy_create_item();
+static void cache_queue_policy_destroy_item(struct cache_policy_item_ *);
+static struct cache_policy_item_ *cache_queue_policy_get_first_item(
+	struct cache_policy_ *);
+static struct cache_policy_item_ *cache_queue_policy_get_last_item(
+	struct cache_policy_ *);
+static struct cache_policy_item_ *cache_queue_policy_get_next_item(
+	struct cache_policy_ *, struct cache_policy_item_ *);
+static struct cache_policy_item_ *cache_queue_policy_get_prev_item(
+	struct cache_policy_ *, struct cache_policy_item_ *);
+static void cache_queue_policy_remove_item(struct cache_policy_ *,
+	struct cache_policy_item_ *);
+static void destroy_cache_queue_policy(struct cache_queue_policy_ *);
+static struct cache_queue_policy_ *init_cache_queue_policy(void);
+
+/*
+ * All cache_queue_policy_XXX functions below will be used to fill
+ * the cache_queue_policy structure. They implement the most functionality of
+ * LRU and FIFO policies. LRU and FIFO policies are actually the
+ * cache_queue_policy_ with cache_update_item function changed.
+ */
+static struct cache_policy_item_ *
+cache_queue_policy_create_item(void)
+{
+	struct cache_queue_policy_item_ *retval;
+
+	TRACE_IN(cache_queue_policy_create_item);
+	retval = (struct cache_queue_policy_item_ *)calloc(1,
+		sizeof(struct cache_queue_policy_item_));
+	assert(retval != NULL);
+
+	TRACE_OUT(cache_queue_policy_create_item);
+	return ((struct cache_policy_item_ *)retval);
+}
+
+static void
+cache_queue_policy_destroy_item(struct cache_policy_item_ *item)
+{
+
+	TRACE_IN(cache_queue_policy_destroy_item);
+	assert(item != NULL);
+	free(item);
+	TRACE_OUT(cache_queue_policy_destroy_item);
+}
+
+static void
+cache_queue_policy_add_item(struct cache_policy_ *policy,
+	struct cache_policy_item_ *item)
+{
+	struct cache_queue_policy_ *queue_policy;
+	struct cache_queue_policy_item_ *queue_item;
+
+	TRACE_IN(cache_queue_policy_add_item);
+	queue_policy = (struct cache_queue_policy_ *)policy;
+	queue_item = (struct cache_queue_policy_item_ *)item;
+	TAILQ_INSERT_TAIL(&queue_policy->head, queue_item, entries);
+	TRACE_OUT(cache_queue_policy_add_item);
+}
+
+static void
+cache_queue_policy_remove_item(struct cache_policy_ *policy,
+	struct cache_policy_item_ *item)
+{
+	struct cache_queue_policy_ *queue_policy;
+	struct cache_queue_policy_item_	*queue_item;
+
+	TRACE_IN(cache_queue_policy_remove_item);
+	queue_policy = (struct cache_queue_policy_ *)policy;
+	queue_item = (struct cache_queue_policy_item_ *)item;
+	TAILQ_REMOVE(&queue_policy->head, queue_item, entries);
+	TRACE_OUT(cache_queue_policy_remove_item);
+}
+
+static struct cache_policy_item_ *
+cache_queue_policy_get_first_item(struct cache_policy_ *policy)
+{
+	struct cache_queue_policy_ *queue_policy;
+
+	TRACE_IN(cache_queue_policy_get_first_item);
+	queue_policy = (struct cache_queue_policy_ *)policy;
+	TRACE_OUT(cache_queue_policy_get_first_item);
+	return ((struct cache_policy_item_ *)TAILQ_FIRST(&queue_policy->head));
+}
+
+static struct cache_policy_item_ *
+cache_queue_policy_get_last_item(struct cache_policy_ *policy)
+{
+	struct cache_queue_policy_ *queue_policy;
+
+	TRACE_IN(cache_queue_policy_get_last_item);
+	queue_policy = (struct cache_queue_policy_ *)policy;
+	TRACE_OUT(cache_queue_policy_get_last_item);
+	return ((struct cache_policy_item_ *)TAILQ_LAST(&queue_policy->head,
+		cache_queue_policy_head_));
+}
+
+static struct cache_policy_item_ *
+cache_queue_policy_get_next_item(struct cache_policy_ *policy,
+	struct cache_policy_item_ *item)
+{
+	struct cache_queue_policy_ *queue_policy;
+	struct cache_queue_policy_item_	*queue_item;
+
+	TRACE_IN(cache_queue_policy_get_next_item);
+	queue_policy = (struct cache_queue_policy_ *)policy;
+	queue_item = (struct cache_queue_policy_item_ *)item;
+
+	TRACE_OUT(cache_queue_policy_get_next_item);
+	return ((struct cache_policy_item_ *)TAILQ_NEXT(queue_item, entries));
+}
+
+static struct cache_policy_item_ *
+cache_queue_policy_get_prev_item(struct cache_policy_ *policy,
+	struct cache_policy_item_ *item)
+{
+	struct cache_queue_policy_ *queue_policy;
+	struct cache_queue_policy_item_	*queue_item;
+
+	TRACE_IN(cache_queue_policy_get_prev_item);
+	queue_policy = (struct cache_queue_policy_ *)policy;
+	queue_item = (struct cache_queue_policy_item_ *)item;
+
+	TRACE_OUT(cache_queue_policy_get_prev_item);
+	return ((struct cache_policy_item_ *)TAILQ_PREV(queue_item,
+		cache_queue_policy_head_, entries));
+}
+
+/*
+ * Initializes cache_queue_policy_ by filling the structure with the functions
+ * pointers, defined above
+ */
+static struct cache_queue_policy_ *
+init_cache_queue_policy(void)
+{
+	struct cache_queue_policy_	*retval;
+
+	TRACE_IN(init_cache_queue_policy);
+	retval = (struct cache_queue_policy_ *)calloc(1,
+		sizeof(struct cache_queue_policy_));
+	assert(retval != NULL);
+
+	retval->parent_data.create_item_func = cache_queue_policy_create_item;
+	retval->parent_data.destroy_item_func = cache_queue_policy_destroy_item;
+
+	retval->parent_data.add_item_func = cache_queue_policy_add_item;
+	retval->parent_data.remove_item_func = cache_queue_policy_remove_item;
+
+	retval->parent_data.get_first_item_func =
+		cache_queue_policy_get_first_item;
+	retval->parent_data.get_last_item_func =
+		cache_queue_policy_get_last_item;
+	retval->parent_data.get_next_item_func =
+		cache_queue_policy_get_next_item;
+	retval->parent_data.get_prev_item_func =
+		cache_queue_policy_get_prev_item;
+
+	TAILQ_INIT(&retval->head);
+	TRACE_OUT(init_cache_queue_policy);
+	return (retval);
+}
+
+static void
+destroy_cache_queue_policy(struct cache_queue_policy_ *queue_policy)
+{
+	struct cache_queue_policy_item_	*queue_item;
+
+	TRACE_IN(destroy_cache_queue_policy);
+	while (!TAILQ_EMPTY(&queue_policy->head)) {
+		queue_item = TAILQ_FIRST(&queue_policy->head);
+		TAILQ_REMOVE(&queue_policy->head, queue_item, entries);
+		cache_queue_policy_destroy_item(
+			(struct cache_policy_item_ *)queue_item);
+	}
+	free(queue_policy);
+	TRACE_OUT(destroy_cache_queue_policy);
+}
+
+/*
+ * Makes cache_queue_policy_ behave like FIFO policy - we don't do anything,
+ * when the cache element is updated. So it always stays in its initial
+ * position in the queue - that is exactly the FIFO functionality.
+ */
+static void
+cache_fifo_policy_update_item(struct cache_policy_ *policy,
+	struct cache_policy_item_ *item)
+{
+
+	TRACE_IN(cache_fifo_policy_update_item);
+	/* policy and item arguments are ignored */
+	TRACE_OUT(cache_fifo_policy_update_item);
+}
+
+struct cache_policy_ *
+init_cache_fifo_policy(void)
+{
+	struct cache_queue_policy_ *retval;
+
+	TRACE_IN(init_cache_fifo_policy);
+	retval = init_cache_queue_policy();
+	retval->parent_data.update_item_func = cache_fifo_policy_update_item;
+
+	TRACE_OUT(init_cache_fifo_policy);
+	return ((struct cache_policy_ *)retval);
+}
+
+void
+destroy_cache_fifo_policy(struct cache_policy_ *policy)
+{
+	struct cache_queue_policy_	*queue_policy;
+
+	TRACE_IN(destroy_cache_fifo_policy);
+	queue_policy = (struct cache_queue_policy_ *)policy;
+	destroy_cache_queue_policy(queue_policy);
+	TRACE_OUT(destroy_cache_fifo_policy);
+}
+
+/*
+ * Makes cache_queue_policy_ behave like LRU policy. On each update, cache
+ * element is moved to the end of the queue - so it would be deleted in last
+ * turn. That is exactly the LRU policy functionality.
+ */
+static void
+cache_lru_policy_update_item(struct cache_policy_ *policy,
+	struct cache_policy_item_ *item)
+{
+	struct cache_queue_policy_ *queue_policy;
+	struct cache_queue_policy_item_ *queue_item;
+
+	TRACE_IN(cache_lru_policy_update_item);
+	queue_policy = (struct cache_queue_policy_ *)policy;
+	queue_item = (struct cache_queue_policy_item_ *)item;
+
+	TAILQ_REMOVE(&queue_policy->head, queue_item, entries);
+	TAILQ_INSERT_TAIL(&queue_policy->head, queue_item, entries);
+	TRACE_OUT(cache_lru_policy_update_item);
+}
+
+struct cache_policy_ *
+init_cache_lru_policy(void)
+{
+	struct cache_queue_policy_ *retval;
+
+	TRACE_IN(init_cache_lru_policy);
+	retval = init_cache_queue_policy();
+	retval->parent_data.update_item_func = cache_lru_policy_update_item;
+
+	TRACE_OUT(init_cache_lru_policy);
+	return ((struct cache_policy_ *)retval);
+}
+
+void
+destroy_cache_lru_policy(struct cache_policy_ *policy)
+{
+	struct cache_queue_policy_	*queue_policy;
+
+	TRACE_IN(destroy_cache_lru_policy);
+	queue_policy = (struct cache_queue_policy_ *)policy;
+	destroy_cache_queue_policy(queue_policy);
+	TRACE_OUT(destroy_cache_lru_policy);
+}
+
+/*
+ * LFU (least frequently used) policy implementation differs much from the
+ * LRU and FIFO (both based on cache_queue_policy_). Almost all cache_policy_
+ * functions are implemented specifically for this policy. The idea of this
+ * policy is to represent frequency (real number) as the integer number and
+ * use it as the index in the array. Each array's element is
+ * the list of elements. For example, if we have the 100-elements
+ * array for this policy, the elements with frequency 0.1 (calls per-second)
+ * would be in 10th element of the array.
+ */
+static struct cache_policy_item_ *
+cache_lfu_policy_create_item(void)
+{
+	struct cache_lfu_policy_item_ *retval;
+
+	TRACE_IN(cache_lfu_policy_create_item);
+	retval = (struct cache_lfu_policy_item_ *)calloc(1,
+		sizeof(struct cache_lfu_policy_item_));
+	assert(retval != NULL);
+
+	TRACE_OUT(cache_lfu_policy_create_item);
+	return ((struct cache_policy_item_ *)retval);
+}
+
+static void
+cache_lfu_policy_destroy_item(struct cache_policy_item_ *item)
+{
+
+	TRACE_IN(cache_lfu_policy_destroy_item);
+	assert(item != NULL);
+	free(item);
+	TRACE_OUT(cache_lfu_policy_destroy_item);
+}
+
+/*
+ * When placed in the LFU policy queue for the first time, the maximum
+ * frequency is assigned to the element
+ */
+static void
+cache_lfu_policy_add_item(struct cache_policy_ *policy,
+	struct cache_policy_item_ *item)
+{
+	struct cache_lfu_policy_ *lfu_policy;
+	struct cache_lfu_policy_item_ *lfu_item;
+
+	TRACE_IN(cache_lfu_policy_add_item);
+	lfu_policy = (struct cache_lfu_policy_ *)policy;
+	lfu_item = (struct cache_lfu_policy_item_ *)item;
+
+	lfu_item->frequency = CACHELIB_MAX_FREQUENCY - 1;
+	TAILQ_INSERT_HEAD(&(lfu_policy->groups[CACHELIB_MAX_FREQUENCY - 1]),
+		lfu_item, entries);
+	TRACE_OUT(cache_lfu_policy_add_item);
+}
+
+/*
+ * On each update the frequency of the element is recalculated and, if it
+ * changed, the element would be moved to the another place in the array.
+ */
+static void
+cache_lfu_policy_update_item(struct cache_policy_ *policy,
+	struct cache_policy_item_ *item)
+{
+	struct cache_lfu_policy_ *lfu_policy;
+	struct cache_lfu_policy_item_ *lfu_item;
+	int index;
+
+	TRACE_IN(cache_lfu_policy_update_item);
+	lfu_policy = (struct cache_lfu_policy_ *)policy;
+	lfu_item = (struct cache_lfu_policy_item_ *)item;
+
+	/*
+	 * We calculate the square of the request_count to avoid grouping of
+	 * all elements at the start of the array (for example, if array size is
+	 * 100 and most of its elements has frequency below the 0.01, they
+	 * all would be grouped in the first array's position). Other
+	 * techniques should be used here later to ensure, that elements are
+	 * equally distributed  in the array and not grouped in its beginning.
+	 */
+	if (lfu_item->parent_data.last_request_time.tv_sec !=
+		lfu_item->parent_data.creation_time.tv_sec) {
+		index = ((double)lfu_item->parent_data.request_count *
+			(double)lfu_item->parent_data.request_count /
+			(lfu_item->parent_data.last_request_time.tv_sec -
+			    lfu_item->parent_data.creation_time.tv_sec + 1)) *
+			    CACHELIB_MAX_FREQUENCY;
+		if (index >= CACHELIB_MAX_FREQUENCY)
+			index = CACHELIB_MAX_FREQUENCY - 1;
+	} else
+		index = CACHELIB_MAX_FREQUENCY - 1;
+
+	TAILQ_REMOVE(&(lfu_policy->groups[lfu_item->frequency]), lfu_item,
+		entries);
+	lfu_item->frequency = index;
+	TAILQ_INSERT_HEAD(&(lfu_policy->groups[index]), lfu_item, entries);
+
+	TRACE_OUT(cache_lfu_policy_update_item);
+}
+
+static void
+cache_lfu_policy_remove_item(struct cache_policy_ *policy,
+	struct cache_policy_item_ *item)
+{
+	struct cache_lfu_policy_ *lfu_policy;
+	struct cache_lfu_policy_item_ *lfu_item;
+
+	TRACE_IN(cache_lfu_policy_remove_item);
+	lfu_policy = (struct cache_lfu_policy_ *)policy;
+	lfu_item = (struct cache_lfu_policy_item_ *)item;
+
+	TAILQ_REMOVE(&(lfu_policy->groups[lfu_item->frequency]), lfu_item,
+		entries);
+	TRACE_OUT(cache_lfu_policy_remove_item);
+}
+
+static struct cache_policy_item_ *
+cache_lfu_policy_get_first_item(struct cache_policy_ *policy)
+{
+	struct cache_lfu_policy_ *lfu_policy;
+	struct cache_lfu_policy_item_ *lfu_item;
+	int i;
+
+	TRACE_IN(cache_lfu_policy_get_first_item);
+	lfu_item = NULL;
+	lfu_policy = (struct cache_lfu_policy_ *)policy;
+	for (i = 0; i < CACHELIB_MAX_FREQUENCY; ++i)
+		if (!TAILQ_EMPTY(&(lfu_policy->groups[i]))) {
+			lfu_item = TAILQ_FIRST(&(lfu_policy->groups[i]));
+			break;
+		}
+
+	TRACE_OUT(cache_lfu_policy_get_first_item);
+	return ((struct cache_policy_item_ *)lfu_item);
+}
+
+static struct cache_policy_item_ *
+cache_lfu_policy_get_last_item(struct cache_policy_ *policy)
+{
+	struct cache_lfu_policy_ *lfu_policy;
+	struct cache_lfu_policy_item_ *lfu_item;
+	int i;
+
+	TRACE_IN(cache_lfu_policy_get_last_item);
+	lfu_item = NULL;
+	lfu_policy = (struct cache_lfu_policy_ *)policy;
+	for (i = CACHELIB_MAX_FREQUENCY - 1; i >= 0; --i)
+		if (!TAILQ_EMPTY(&(lfu_policy->groups[i]))) {
+			lfu_item = TAILQ_LAST(&(lfu_policy->groups[i]),
+				cache_lfu_policy_group_);
+			break;
+		}
+
+	TRACE_OUT(cache_lfu_policy_get_last_item);
+	return ((struct cache_policy_item_ *)lfu_item);
+}
+
+static struct cache_policy_item_ *
+cache_lfu_policy_get_next_item(struct cache_policy_ *policy,
+	struct cache_policy_item_ *item)
+{
+	struct cache_lfu_policy_ *lfu_policy;
+	struct cache_lfu_policy_item_ *lfu_item;
+	int i;
+
+	TRACE_IN(cache_lfu_policy_get_next_item);
+	lfu_policy = (struct cache_lfu_policy_ *)policy;
+	lfu_item = TAILQ_NEXT((struct cache_lfu_policy_item_ *)item, entries);
+	if (lfu_item == NULL)
+	{
+		for (i = ((struct cache_lfu_policy_item_ *)item)->frequency + 1;
+			i < CACHELIB_MAX_FREQUENCY; ++i) {
+			if (!TAILQ_EMPTY(&(lfu_policy->groups[i]))) {
+			    lfu_item = TAILQ_FIRST(&(lfu_policy->groups[i]));
+			    break;
+			}
+		}
+	}
+
+	TRACE_OUT(cache_lfu_policy_get_next_item);
+	return ((struct cache_policy_item_ *)lfu_item);
+}
+
+static struct cache_policy_item_ *
+cache_lfu_policy_get_prev_item(struct cache_policy_ *policy,
+	struct cache_policy_item_ *item)
+{
+	struct cache_lfu_policy_ *lfu_policy;
+	struct cache_lfu_policy_item_ *lfu_item;
+	int i;
+
+	TRACE_IN(cache_lfu_policy_get_prev_item);
+	lfu_policy = (struct cache_lfu_policy_ *)policy;
+	lfu_item = TAILQ_PREV((struct cache_lfu_policy_item_ *)item,
+		cache_lfu_policy_group_, entries);
+	if (lfu_item == NULL)
+	{
+		for (i = ((struct cache_lfu_policy_item_ *)item)->frequency - 1;
+			i >= 0; --i)
+			if (!TAILQ_EMPTY(&(lfu_policy->groups[i]))) {
+				lfu_item = TAILQ_LAST(&(lfu_policy->groups[i]),
+					cache_lfu_policy_group_);
+				break;
+		}
+	}
+
+	TRACE_OUT(cache_lfu_policy_get_prev_item);
+	return ((struct cache_policy_item_ *)lfu_item);
+}
+
+/*
+ * Initializes the cache_policy_ structure by filling it with appropriate
+ * functions pointers
+ */
+struct cache_policy_ *
+init_cache_lfu_policy(void)
+{
+	int i;
+	struct cache_lfu_policy_ *retval;
+
+	TRACE_IN(init_cache_lfu_policy);
+	retval = (struct cache_lfu_policy_ *)calloc(1,
+		sizeof(struct cache_lfu_policy_));
+	assert(retval != NULL);
+
+	retval->parent_data.create_item_func = cache_lfu_policy_create_item;
+	retval->parent_data.destroy_item_func = cache_lfu_policy_destroy_item;
+
+	retval->parent_data.add_item_func = cache_lfu_policy_add_item;
+	retval->parent_data.update_item_func = cache_lfu_policy_update_item;
+	retval->parent_data.remove_item_func = cache_lfu_policy_remove_item;
+
+	retval->parent_data.get_first_item_func =
+		cache_lfu_policy_get_first_item;
+	retval->parent_data.get_last_item_func =
+		cache_lfu_policy_get_last_item;
+	retval->parent_data.get_next_item_func =
+		cache_lfu_policy_get_next_item;
+	retval->parent_data.get_prev_item_func =
+		cache_lfu_policy_get_prev_item;
+
+	for (i = 0; i < CACHELIB_MAX_FREQUENCY; ++i)
+		TAILQ_INIT(&(retval->groups[i]));
+
+	TRACE_OUT(init_cache_lfu_policy);
+	return ((struct cache_policy_ *)retval);
+}
+
+void
+destroy_cache_lfu_policy(struct cache_policy_ *policy)
+{
+	int i;
+	struct cache_lfu_policy_ *lfu_policy;
+	struct cache_lfu_policy_item_ *lfu_item;
+
+	TRACE_IN(destroy_cache_lfu_policy);
+	lfu_policy = (struct cache_lfu_policy_ *)policy;
+	for (i = 0; i < CACHELIB_MAX_FREQUENCY; ++i) {
+		while (!TAILQ_EMPTY(&(lfu_policy->groups[i]))) {
+			lfu_item = TAILQ_FIRST(&(lfu_policy->groups[i]));
+			TAILQ_REMOVE(&(lfu_policy->groups[i]), lfu_item,
+				entries);
+			cache_lfu_policy_destroy_item(
+				(struct cache_policy_item_ *)lfu_item);
+		}
+	}
+	free(policy);
+	TRACE_OUT(destroy_cache_lfu_policy);
+}
diff --git a/usr.sbin/nscd/cacheplcs.h b/usr.sbin/nscd/cacheplcs.h
new file mode 100644
index 0000000000..11583e8480
--- /dev/null
+++ b/usr.sbin/nscd/cacheplcs.h
@@ -0,0 +1,137 @@
+/*-
+ * Copyright (c) 2005 Michael Bushkov <bushman@rsu.ru>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD: src/usr.sbin/nscd/cacheplcs.h,v 1.3 2007/09/27 12:30:11 bushman Exp $
+ */
+
+#ifndef __NSCD_CACHEPLCS_H__
+#define __NSCD_CACHEPLCS_H__
+
+#include <sys/queue.h>
+#include <sys/time.h>
+#include <stdlib.h>
+
+/* common policy definitions */
+#define CACHELIB_MAX_FREQUENCY 100
+
+/*
+ * cache_policy_item_ represents some abstract cache element in the policy
+ * queue. connected_item pointers to the corresponding cache_policy_item_ in
+ * another policy queue.
+ */
+struct cache_policy_item_
+{
+	char	*key;
+	size_t	key_size;
+
+	size_t	request_count;
+	struct timeval last_request_time;
+	struct timeval creation_time;
+
+	struct cache_policy_item_ *connected_item;
+};
+
+/*
+ * cache_policy_ represents an abstract policy queue. It can be customized by
+ * setting appropriate function pointers
+ */
+struct cache_policy_
+{
+	struct cache_policy_item_* (*create_item_func)(void);
+	void (*destroy_item_func)(struct cache_policy_item_ *);
+
+	void (*add_item_func)(struct cache_policy_ *,
+		struct cache_policy_item_ *);
+	void (*remove_item_func)(struct cache_policy_ *,
+		struct cache_policy_item_ *);
+	void (*update_item_func)(struct cache_policy_ *,
+		struct cache_policy_item_ *);
+
+	struct cache_policy_item_ *(*get_first_item_func)(
+		struct cache_policy_ *);
+	struct cache_policy_item_ *(*get_last_item_func)(
+		struct cache_policy_ *);
+	struct cache_policy_item_ *(*get_next_item_func)(
+		struct cache_policy_ *, struct cache_policy_item_ *);
+	struct cache_policy_item_ *(*get_prev_item_func)(
+		struct cache_policy_ *, struct cache_policy_item_ *);
+};
+
+/*
+ * LFU cache policy item "inherited" from cache_policy_item_ structure
+ */
+struct cache_lfu_policy_item_
+{
+	struct cache_policy_item_ parent_data;
+	int	frequency;
+
+	TAILQ_ENTRY(cache_lfu_policy_item_) entries;
+};
+
+TAILQ_HEAD(cache_lfu_policy_group_, cache_lfu_policy_item_);
+
+/*
+ * LFU policy queue "inherited" from cache_policy_.
+ */
+struct cache_lfu_policy_
+{
+	struct cache_policy_ parent_data;
+	struct cache_lfu_policy_group_ groups[CACHELIB_MAX_FREQUENCY];
+};
+
+/*
+ * LRU and FIFO policies item "inherited" from cache_policy_item_
+ */
+struct cache_queue_policy_item_
+{
+	struct cache_policy_item_ parent_data;
+	TAILQ_ENTRY(cache_queue_policy_item_) entries;
+};
+
+/*
+ * LRU and FIFO policies "inherited" from cache_policy_
+ */
+struct cache_queue_policy_
+{
+	struct cache_policy_ parent_data;
+	TAILQ_HEAD(cache_queue_policy_head_, cache_queue_policy_item_) head;
+};
+
+typedef struct cache_queue_policy_ cache_fifo_policy_;
+typedef struct cache_queue_policy_ cache_lru_policy_;
+
+/* fifo policy routines */
+extern struct cache_policy_ *init_cache_fifo_policy(void);
+extern void destroy_cache_fifo_policy(struct cache_policy_ *);
+
+/* lru policy routines */
+extern struct cache_policy_ *init_cache_lru_policy(void);
+extern void destroy_cache_lru_policy(struct cache_policy_ *);
+
+/* lfu policy routines */
+extern struct cache_policy_ *init_cache_lfu_policy(void);
+extern void destroy_cache_lfu_policy(struct cache_policy_ *);
+
+#endif
diff --git a/usr.sbin/nscd/config.c b/usr.sbin/nscd/config.c
new file mode 100644
index 0000000000..2ee648aeb7
--- /dev/null
+++ b/usr.sbin/nscd/config.c
@@ -0,0 +1,577 @@
+/*-
+ * Copyright (c) 2005 Michael Bushkov <bushman@rsu.ru>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD: src/usr.sbin/nscd/config.c,v 1.3 2008/10/12 00:44:27 delphij Exp $
+ */
+
+#include <assert.h>
+#include <math.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "config.h"
+#include "debug.h"
+#include "log.h"
+
+/*
+ * Default entries, which always exist in the configuration
+ */
+const char *c_default_entries[6] = {
+	NSDB_PASSWD,
+	NSDB_GROUP,
+	NSDB_HOSTS,
+	NSDB_SERVICES,
+	NSDB_PROTOCOLS,
+	NSDB_RPC
+	};
+
+static int configuration_entry_cmp(const void *, const void *);
+static int configuration_entry_sort_cmp(const void *, const void *);
+static int configuration_entry_cache_mp_sort_cmp(const void *, const void *);
+static int configuration_entry_cache_mp_cmp(const void *, const void *);
+static int configuration_entry_cache_mp_part_cmp(const void *, const void *);
+static struct configuration_entry *create_configuration_entry(const char *,
+	struct timeval const *, struct timeval const *,
+	struct common_cache_entry_params const *,
+	struct common_cache_entry_params const *,
+	struct mp_cache_entry_params const *);
+
+static int
+configuration_entry_sort_cmp(const void *e1, const void *e2)
+{
+	return (strcmp((*((struct configuration_entry **)e1))->name,
+		(*((struct configuration_entry **)e2))->name
+		));
+}
+
+static int
+configuration_entry_cmp(const void *e1, const void *e2)
+{
+	return (strcmp((const char *)e1,
+		(*((struct configuration_entry **)e2))->name
+		));
+}
+
+static int
+configuration_entry_cache_mp_sort_cmp(const void *e1, const void *e2)
+{
+	return (strcmp((*((cache_entry *)e1))->params->entry_name,
+		(*((cache_entry *)e2))->params->entry_name
+		));
+}
+
+static int
+configuration_entry_cache_mp_cmp(const void *e1, const void *e2)
+{
+	return (strcmp((const char *)e1,
+		(*((cache_entry *)e2))->params->entry_name
+		));
+}
+
+static int
+configuration_entry_cache_mp_part_cmp(const void *e1, const void *e2)
+{
+	return (strncmp((const char *)e1,
+		(*((cache_entry *)e2))->params->entry_name,
+		strlen((const char *)e1)
+		));
+}
+
+static struct configuration_entry *
+create_configuration_entry(const char *name,
+	struct timeval const *common_timeout,
+	struct timeval const *mp_timeout,
+	struct common_cache_entry_params const *positive_params,
+	struct common_cache_entry_params const *negative_params,
+	struct mp_cache_entry_params const *mp_params)
+{
+	struct configuration_entry *retval;
+	size_t	size;
+	int res;
+
+	TRACE_IN(create_configuration_entry);
+	assert(name != NULL);
+	assert(positive_params != NULL);
+	assert(negative_params != NULL);
+	assert(mp_params != NULL);
+
+	retval = (struct configuration_entry *)calloc(1,
+		sizeof(struct configuration_entry));
+	assert(retval != NULL);
+
+	res = pthread_mutex_init(&retval->positive_cache_lock, NULL);
+	if (res != 0) {
+		free(retval);
+		LOG_ERR_2("create_configuration_entry",
+			"can't create positive cache lock");
+		TRACE_OUT(create_configuration_entry);
+		return (NULL);
+	}
+
+	res = pthread_mutex_init(&retval->negative_cache_lock, NULL);
+	if (res != 0) {
+		pthread_mutex_destroy(&retval->positive_cache_lock);
+		free(retval);
+		LOG_ERR_2("create_configuration_entry",
+			"can't create negative cache lock");
+		TRACE_OUT(create_configuration_entry);
+		return (NULL);
+	}
+
+	res = pthread_mutex_init(&retval->mp_cache_lock, NULL);
+	if (res != 0) {
+		pthread_mutex_destroy(&retval->positive_cache_lock);
+		pthread_mutex_destroy(&retval->negative_cache_lock);
+		free(retval);
+		LOG_ERR_2("create_configuration_entry",
+			"can't create negative cache lock");
+		TRACE_OUT(create_configuration_entry);
+		return (NULL);
+	}
+
+	memcpy(&retval->positive_cache_params, positive_params,
+		sizeof(struct common_cache_entry_params));
+	memcpy(&retval->negative_cache_params, negative_params,
+		sizeof(struct common_cache_entry_params));
+	memcpy(&retval->mp_cache_params, mp_params,
+		sizeof(struct mp_cache_entry_params));
+
+	size = strlen(name);
+	retval->name = (char *)calloc(1, size + 1);
+	assert(retval->name != NULL);
+	memcpy(retval->name, name, size);
+
+	memcpy(&retval->common_query_timeout, common_timeout,
+		sizeof(struct timeval));
+	memcpy(&retval->mp_query_timeout, mp_timeout,
+		sizeof(struct timeval));
+
+	asprintf(&retval->positive_cache_params.entry_name, "%s+", name);
+	assert(retval->positive_cache_params.entry_name != NULL);
+
+	asprintf(&retval->negative_cache_params.entry_name, "%s-", name);
+	assert(retval->negative_cache_params.entry_name != NULL);
+
+	asprintf(&retval->mp_cache_params.entry_name, "%s*", name);
+	assert(retval->mp_cache_params.entry_name != NULL);
+
+	TRACE_OUT(create_configuration_entry);
+	return (retval);
+}
+
+/*
+ * Creates configuration entry and fills it with default values
+ */
+struct configuration_entry *
+create_def_configuration_entry(const char *name)
+{
+	struct common_cache_entry_params positive_params, negative_params;
+	struct mp_cache_entry_params mp_params;
+	struct timeval default_common_timeout, default_mp_timeout;
+
+	struct configuration_entry *res = NULL;
+
+	TRACE_IN(create_def_configuration_entry);
+	memset(&positive_params, 0,
+		sizeof(struct common_cache_entry_params));
+	positive_params.entry_type = CET_COMMON;
+	positive_params.cache_entries_size = DEFAULT_CACHE_HT_SIZE;
+	positive_params.max_elemsize = DEFAULT_POSITIVE_ELEMENTS_SIZE;
+	positive_params.satisf_elemsize = DEFAULT_POSITIVE_ELEMENTS_SIZE / 2;
+	positive_params.max_lifetime.tv_sec = DEFAULT_POSITIVE_LIFETIME;
+	positive_params.policy = CPT_LRU;
+
+	memcpy(&negative_params, &positive_params,
+		sizeof(struct common_cache_entry_params));
+	negative_params.max_elemsize = DEFAULT_NEGATIVE_ELEMENTS_SIZE;
+	negative_params.satisf_elemsize = DEFAULT_NEGATIVE_ELEMENTS_SIZE / 2;
+	negative_params.max_lifetime.tv_sec = DEFAULT_NEGATIVE_LIFETIME;
+	negative_params.policy = CPT_FIFO;
+
+	memset(&default_common_timeout, 0, sizeof(struct timeval));
+	default_common_timeout.tv_sec = DEFAULT_COMMON_ENTRY_TIMEOUT;
+
+	memset(&default_mp_timeout, 0, sizeof(struct timeval));
+	default_mp_timeout.tv_sec = DEFAULT_MP_ENTRY_TIMEOUT;
+
+	memset(&mp_params, 0,
+		sizeof(struct mp_cache_entry_params));
+	mp_params.entry_type = CET_MULTIPART;
+	mp_params.max_elemsize = DEFAULT_MULTIPART_ELEMENTS_SIZE;
+	mp_params.max_sessions = DEFAULT_MULITPART_SESSIONS_SIZE;
+	mp_params.max_lifetime.tv_sec = DEFAULT_MULITPART_LIFETIME;
+
+	res = create_configuration_entry(name, &default_common_timeout,
+		&default_mp_timeout, &positive_params, &negative_params,
+		&mp_params);
+
+	TRACE_OUT(create_def_configuration_entry);
+	return (res);
+}
+
+void
+destroy_configuration_entry(struct configuration_entry *entry)
+{
+	TRACE_IN(destroy_configuration_entry);
+	assert(entry != NULL);
+	pthread_mutex_destroy(&entry->positive_cache_lock);
+	pthread_mutex_destroy(&entry->negative_cache_lock);
+	pthread_mutex_destroy(&entry->mp_cache_lock);
+	free(entry->name);
+	free(entry->positive_cache_params.entry_name);
+	free(entry->negative_cache_params.entry_name);
+	free(entry->mp_cache_params.entry_name);
+	free(entry->mp_cache_entries);
+	free(entry);
+	TRACE_OUT(destroy_configuration_entry);
+}
+
+int
+add_configuration_entry(struct configuration *config,
+	struct configuration_entry *entry)
+{
+	TRACE_IN(add_configuration_entry);
+	assert(entry != NULL);
+	assert(entry->name != NULL);
+	if (configuration_find_entry(config, entry->name) != NULL) {
+		TRACE_OUT(add_configuration_entry);
+		return (-1);
+	}
+
+	if (config->entries_size == config->entries_capacity) {
+		struct configuration_entry **new_entries;
+
+		config->entries_capacity *= 2;
+		new_entries = (struct configuration_entry **)calloc(1,
+			sizeof(struct configuration_entry *) *
+			config->entries_capacity);
+		assert(new_entries != NULL);
+		memcpy(new_entries, config->entries,
+			sizeof(struct configuration_entry *) *
+		        config->entries_size);
+
+		free(config->entries);
+		config->entries = new_entries;
+	}
+
+	config->entries[config->entries_size++] = entry;
+	qsort(config->entries, config->entries_size,
+		sizeof(struct configuration_entry *),
+		configuration_entry_sort_cmp);
+
+	TRACE_OUT(add_configuration_entry);
+	return (0);
+}
+
+size_t
+configuration_get_entries_size(struct configuration *config)
+{
+	TRACE_IN(configuration_get_entries_size);
+	assert(config != NULL);
+	TRACE_OUT(configuration_get_entries_size);
+	return (config->entries_size);
+}
+
+struct configuration_entry *
+configuration_get_entry(struct configuration *config, size_t index)
+{
+	TRACE_IN(configuration_get_entry);
+	assert(config != NULL);
+	assert(index < config->entries_size);
+	TRACE_OUT(configuration_get_entry);
+	return (config->entries[index]);
+}
+
+struct configuration_entry *
+configuration_find_entry(struct configuration *config,
+	const char *name)
+{
+	struct configuration_entry	**retval;
+
+	TRACE_IN(configuration_find_entry);
+
+	retval = bsearch(name, config->entries, config->entries_size,
+		sizeof(struct configuration_entry *), configuration_entry_cmp);
+	TRACE_OUT(configuration_find_entry);
+
+	return ((retval != NULL) ? *retval : NULL);
+}
+
+/*
+ * All multipart cache entries are stored in the configuration_entry in the
+ * sorted array (sorted by names). The 3 functions below manage this array.
+ */
+
+int
+configuration_entry_add_mp_cache_entry(struct configuration_entry *config_entry,
+	cache_entry c_entry)
+{
+	cache_entry *new_mp_entries, *old_mp_entries;
+
+	TRACE_IN(configuration_entry_add_mp_cache_entry);
+	++config_entry->mp_cache_entries_size;
+	new_mp_entries = (cache_entry *)malloc(sizeof(cache_entry) *
+		config_entry->mp_cache_entries_size);
+	assert(new_mp_entries != NULL);
+	new_mp_entries[0] = c_entry;
+
+	if (config_entry->mp_cache_entries_size - 1 > 0) {
+		memcpy(new_mp_entries + 1,
+		    config_entry->mp_cache_entries,
+		    (config_entry->mp_cache_entries_size - 1) *
+		    sizeof(cache_entry));
+	}
+
+	old_mp_entries = config_entry->mp_cache_entries;
+	config_entry->mp_cache_entries = new_mp_entries;
+	free(old_mp_entries);
+
+	qsort(config_entry->mp_cache_entries,
+		config_entry->mp_cache_entries_size,
+		sizeof(cache_entry),
+		configuration_entry_cache_mp_sort_cmp);
+
+	TRACE_OUT(configuration_entry_add_mp_cache_entry);
+	return (0);
+}
+
+cache_entry
+configuration_entry_find_mp_cache_entry(
+	struct configuration_entry *config_entry, const char *mp_name)
+{
+	cache_entry *result;
+
+	TRACE_IN(configuration_entry_find_mp_cache_entry);
+	result = bsearch(mp_name, config_entry->mp_cache_entries,
+		config_entry->mp_cache_entries_size,
+		sizeof(cache_entry), configuration_entry_cache_mp_cmp);
+
+	if (result == NULL) {
+		TRACE_OUT(configuration_entry_find_mp_cache_entry);
+		return (NULL);
+	} else {
+		TRACE_OUT(configuration_entry_find_mp_cache_entry);
+		return (*result);
+	}
+}
+
+/*
+ * Searches for all multipart entries with names starting with mp_name.
+ * Needed for cache flushing.
+ */
+int
+configuration_entry_find_mp_cache_entries(
+	struct configuration_entry *config_entry, const char *mp_name,
+	cache_entry **start, cache_entry **finish)
+{
+	cache_entry *result;
+
+	TRACE_IN(configuration_entry_find_mp_cache_entries);
+	result = bsearch(mp_name, config_entry->mp_cache_entries,
+		config_entry->mp_cache_entries_size,
+		sizeof(cache_entry), configuration_entry_cache_mp_part_cmp);
+
+	if (result == NULL) {
+		TRACE_OUT(configuration_entry_find_mp_cache_entries);
+		return (-1);
+	}
+
+	*start = result;
+	*finish = result + 1;
+
+	while (*start != config_entry->mp_cache_entries) {
+	    if (configuration_entry_cache_mp_part_cmp(mp_name, *start - 1) == 0)
+		*start = *start - 1;
+	    else
+		break;
+	}
+
+	while (*finish != config_entry->mp_cache_entries +
+		config_entry->mp_cache_entries_size) {
+
+	    if (configuration_entry_cache_mp_part_cmp(
+		mp_name, *finish) == 0)
+		*finish = *finish + 1;
+	    else
+		break;
+	}
+
+	TRACE_OUT(configuration_entry_find_mp_cache_entries);
+	return (0);
+}
+
+/*
+ * Configuration entry uses rwlock to handle access to its fields.
+ */
+void
+configuration_lock_rdlock(struct configuration *config)
+{
+    TRACE_IN(configuration_lock_rdlock);
+    pthread_rwlock_rdlock(&config->rwlock);
+    TRACE_OUT(configuration_lock_rdlock);
+}
+
+void
+configuration_lock_wrlock(struct configuration *config)
+{
+    TRACE_IN(configuration_lock_wrlock);
+    pthread_rwlock_wrlock(&config->rwlock);
+    TRACE_OUT(configuration_lock_wrlock);
+}
+
+void
+configuration_unlock(struct configuration *config)
+{
+    TRACE_IN(configuration_unlock);
+    pthread_rwlock_unlock(&config->rwlock);
+    TRACE_OUT(configuration_unlock);
+}
+
+/*
+ * Configuration entry uses 3 mutexes to handle cache operations. They are
+ * acquired by configuration_lock_entry and configuration_unlock_entry
+ * functions.
+ */
+void
+configuration_lock_entry(struct configuration_entry *entry,
+	enum config_entry_lock_type lock_type)
+{
+	TRACE_IN(configuration_lock_entry);
+	assert(entry != NULL);
+
+	switch (lock_type) {
+	case CELT_POSITIVE:
+		pthread_mutex_lock(&entry->positive_cache_lock);
+		break;
+	case CELT_NEGATIVE:
+		pthread_mutex_lock(&entry->negative_cache_lock);
+		break;
+	case CELT_MULTIPART:
+		pthread_mutex_lock(&entry->mp_cache_lock);
+		break;
+	default:
+		/* should be unreachable */
+		break;
+	}
+	TRACE_OUT(configuration_lock_entry);
+}
+
+void
+configuration_unlock_entry(struct configuration_entry *entry,
+	enum config_entry_lock_type lock_type)
+{
+	TRACE_IN(configuration_unlock_entry);
+	assert(entry != NULL);
+
+	switch (lock_type) {
+	case CELT_POSITIVE:
+		pthread_mutex_unlock(&entry->positive_cache_lock);
+		break;
+	case CELT_NEGATIVE:
+		pthread_mutex_unlock(&entry->negative_cache_lock);
+		break;
+	case CELT_MULTIPART:
+		pthread_mutex_unlock(&entry->mp_cache_lock);
+		break;
+	default:
+		/* should be unreachable */
+		break;
+	}
+	TRACE_OUT(configuration_unlock_entry);
+}
+
+struct configuration *
+init_configuration(void)
+{
+	struct configuration	*retval;
+
+	TRACE_IN(init_configuration);
+	retval = (struct configuration *)calloc(1, sizeof(struct configuration));
+	assert(retval != NULL);
+
+	retval->entries_capacity = INITIAL_ENTRIES_CAPACITY;
+	retval->entries = (struct configuration_entry **)calloc(1,
+		sizeof(struct configuration_entry *) *
+		retval->entries_capacity);
+	assert(retval->entries != NULL);
+
+	pthread_rwlock_init(&retval->rwlock, NULL);
+
+	TRACE_OUT(init_configuration);
+	return (retval);
+}
+
+void
+fill_configuration_defaults(struct configuration *config)
+{
+	size_t	len, i;
+
+	TRACE_IN(fill_configuration_defaults);
+	assert(config != NULL);
+
+	if (config->socket_path != NULL)
+		free(config->socket_path);
+
+	len = strlen(DEFAULT_SOCKET_PATH);
+	config->socket_path = (char *)calloc(1, len + 1);
+	assert(config->socket_path != NULL);
+	memcpy(config->socket_path, DEFAULT_SOCKET_PATH, len);
+
+	len = strlen(DEFAULT_PIDFILE_PATH);
+	config->pidfile_path = (char *)calloc(1, len + 1);
+	assert(config->pidfile_path != NULL);
+	memcpy(config->pidfile_path, DEFAULT_PIDFILE_PATH, len);
+
+	config->socket_mode =  S_IFSOCK | S_IRUSR | S_IWUSR |
+		S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH;
+	config->force_unlink = 1;
+
+	config->query_timeout = DEFAULT_QUERY_TIMEOUT;
+	config->threads_num = DEFAULT_THREADS_NUM;
+
+	for (i = 0; i < config->entries_size; ++i)
+		destroy_configuration_entry(config->entries[i]);
+	config->entries_size = 0;
+
+	TRACE_OUT(fill_configuration_defaults);
+}
+
+void
+destroy_configuration(struct configuration *config)
+{
+	int	i;
+	TRACE_IN(destroy_configuration);
+	assert(config != NULL);
+	free(config->pidfile_path);
+	free(config->socket_path);
+
+	for (i = 0; i < config->entries_size; ++i)
+		destroy_configuration_entry(config->entries[i]);
+	free(config->entries);
+
+	pthread_rwlock_destroy(&config->rwlock);
+	free(config);
+	TRACE_OUT(destroy_configuration);
+}
diff --git a/usr.sbin/nscd/config.h b/usr.sbin/nscd/config.h
new file mode 100644
index 0000000000..0e02f1f879
--- /dev/null
+++ b/usr.sbin/nscd/config.h
@@ -0,0 +1,156 @@
+/*-
+ * Copyright (c) 2005 Michael Bushkov <bushman@rsu.ru>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD: src/usr.sbin/nscd/config.h,v 1.3 2007/09/27 12:30:11 bushman Exp $
+ */
+
+#ifndef __NSCD_CONFIG_H__
+#define __NSCD_CONFIG_H__
+
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <pthread.h>
+#include <nsswitch.h>
+#include <unistd.h>
+#include "cachelib.h"
+
+#define DEFAULT_QUERY_TIMEOUT		8
+#define DEFAULT_THREADS_NUM		8
+
+#define DEFAULT_COMMON_ENTRY_TIMEOUT	10
+#define DEFAULT_MP_ENTRY_TIMEOUT	60
+#define DEFAULT_CACHE_HT_SIZE		257
+
+#define INITIAL_ENTRIES_CAPACITY	8
+#define DEFAULT_SOCKET_PATH		"/var/run/nscd"
+#define DEFAULT_PIDFILE_PATH		"/var/run/nscd.pid"
+
+#define DEFAULT_POSITIVE_ELEMENTS_SIZE	(2048)
+#define DEFAULT_POSITIVE_LIFETIME 	(3600)
+
+#define DEFAULT_NEGATIVE_ELEMENTS_SIZE	(2048)
+#define DEFAULT_NEGATIVE_LIFETIME	(60)
+
+#define DEFAULT_MULTIPART_ELEMENTS_SIZE	(1024 * 8)
+#define DEFAULT_MULITPART_SESSIONS_SIZE	(1024)
+#define DEFAULT_MULITPART_LIFETIME	(3600)
+
+extern const char *c_default_entries[6];
+
+/*
+ * Configuration entry represents the details of each cache entry in the
+ * config file (i.e. passwd or group). Its purpose also is to acquire locks
+ * of three different types (for usual read/write caching, for multipart
+ * caching and for caching of the negative results) for that cache entry.
+ */
+struct configuration_entry {
+	struct common_cache_entry_params positive_cache_params;
+	struct common_cache_entry_params negative_cache_params;
+	struct mp_cache_entry_params mp_cache_params;
+
+	/*
+	 * configuration_entry holds pointers for all actual cache_entries,
+	 * which are used for it. There is one for positive caching, one for
+	 * for negative caching, and several (one per each euid/egid) for
+	 * multipart caching.
+	 */
+	cache_entry positive_cache_entry;
+	cache_entry negative_cache_entry;
+
+	cache_entry *mp_cache_entries;
+	size_t mp_cache_entries_size;
+
+	struct timeval common_query_timeout;
+	struct timeval mp_query_timeout;
+
+	char	*name;
+	pthread_mutex_t positive_cache_lock;
+	pthread_mutex_t negative_cache_lock;
+	pthread_mutex_t mp_cache_lock;
+
+	int	perform_actual_lookups;
+	int	enabled;
+};
+
+/*
+ * Contains global configuration options and array of all configuration entries
+ */
+struct configuration {
+	char	*pidfile_path;
+	char	*socket_path;
+
+	struct configuration_entry **entries;
+	size_t	entries_capacity;
+	size_t	entries_size;
+
+	pthread_rwlock_t rwlock;
+
+	mode_t	socket_mode;
+	int	force_unlink;
+	int	query_timeout;
+
+	int	threads_num;
+};
+
+enum config_entry_lock_type {
+	CELT_POSITIVE,
+	CELT_NEGATIVE,
+	CELT_MULTIPART
+};
+
+extern struct configuration *init_configuration(void);
+extern void destroy_configuration(struct configuration *);
+extern void fill_configuration_defaults(struct configuration *);
+
+extern int add_configuration_entry(struct configuration *,
+	struct configuration_entry *);
+extern struct configuration_entry *create_def_configuration_entry(
+	const char *);
+extern void destroy_configuration_entry(struct configuration_entry *);
+extern size_t configuration_get_entries_size(struct configuration *);
+extern struct configuration_entry *configuration_get_entry(
+	struct configuration *, size_t);
+extern struct configuration_entry *configuration_find_entry(
+	struct configuration *, const char *);
+
+extern int configuration_entry_add_mp_cache_entry(struct configuration_entry *,
+	cache_entry);
+extern cache_entry configuration_entry_find_mp_cache_entry(
+	struct configuration_entry *,
+	const char *);
+extern int configuration_entry_find_mp_cache_entries(
+	struct configuration_entry *, const char *, cache_entry **,
+	cache_entry **);
+
+extern void configuration_lock_rdlock(struct configuration *config);
+extern void configuration_lock_wrlock(struct configuration *config);
+extern void configuration_unlock(struct configuration *config);
+
+extern void configuration_lock_entry(struct configuration_entry *,
+	enum config_entry_lock_type);
+extern void configuration_unlock_entry(struct configuration_entry *,
+	enum config_entry_lock_type);
+
+#endif
diff --git a/usr.sbin/nscd/debug.c b/usr.sbin/nscd/debug.c
new file mode 100644
index 0000000000..ccb7bede70
--- /dev/null
+++ b/usr.sbin/nscd/debug.c
@@ -0,0 +1,147 @@
+/*-
+ * Copyright (c) 2004 Michael Bushkov <bushman@rsu.ru>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD: src/usr.sbin/nscd/debug.c,v 1.2 2007/09/27 12:30:11 bushman Exp $
+ */
+
+#include <stdio.h>
+#include "debug.h"
+
+static	int	trace_level = 0;
+static	int	trace_level_bk = 0;
+
+void
+__trace_in(const char *s, const char *f, int l)
+{
+	int i;
+	if (trace_level < TRACE_WANTED)
+	{
+		for (i = 0; i < trace_level; ++i)
+			printf("\t");
+
+		printf("=> %s\n", s);
+	}
+
+	++trace_level;
+}
+
+void
+__trace_point(const char *f, int l)
+{
+	int i;
+
+	if (trace_level < TRACE_WANTED)
+	{
+		for (i = 0; i < trace_level - 1; ++i)
+			printf("\t");
+
+		printf("= %s: %d\n", f, l);
+	}
+}
+
+void
+__trace_msg(const char *msg, const char *f, int l)
+{
+	int i;
+
+	if (trace_level < TRACE_WANTED)
+	{
+		for (i = 0; i < trace_level - 1; ++i)
+			printf("\t");
+
+		printf("= MSG %s, %s: %d\n", msg, f, l);
+	}
+}
+
+void
+__trace_ptr(const char *desc, const void *p, const char *f, int l)
+{
+	int i;
+
+	if (trace_level < TRACE_WANTED)
+	{
+		for (i = 0; i < trace_level - 1; ++i)
+			printf("\t");
+
+		printf("= PTR %s: %p, %s: %d\n", desc, p, f, l);
+	}
+}
+
+void
+__trace_int(const char *desc, int i, const char *f, int l)
+{
+	int j;
+
+	if (trace_level < TRACE_WANTED)
+	{
+		for (j = 0; j < trace_level - 1; ++j)
+			printf("\t");
+
+		printf("= INT %s: %i, %s: %d\n",desc, i, f, l);
+	}
+}
+
+void
+__trace_str(const char *desc, const char *s, const char *f, int l)
+{
+	int i;
+
+	if (trace_level < TRACE_WANTED)
+	{
+		for (i = 0; i < trace_level - 1; ++i)
+			printf("\t");
+
+		printf("= STR %s: '%s', %s: %d\n", desc, s, f, l);
+	}
+}
+
+void
+__trace_out(const char *s, const char *f, int l)
+{
+	int i;
+
+	--trace_level;
+	if (trace_level < TRACE_WANTED)
+	{
+		for (i = 0; i < trace_level; ++i)
+			printf("\t");
+
+		printf("<= %s\n", s);
+	}
+}
+
+void
+__trace_on(void)
+{
+	trace_level = trace_level_bk;
+	trace_level_bk = 0;
+}
+
+void
+__trace_off(void)
+{
+	trace_level_bk = trace_level;
+	trace_level = 1024;
+}
diff --git a/usr.sbin/nscd/debug.h b/usr.sbin/nscd/debug.h
new file mode 100644
index 0000000000..d2399fd9a0
--- /dev/null
+++ b/usr.sbin/nscd/debug.h
@@ -0,0 +1,67 @@
+/*-
+ * Copyright (c) 2004 Michael Bushkov <bushman@rsu.ru>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD: src/usr.sbin/nscd/debug.h,v 1.2 2007/08/09 13:06:11 bushman Exp $
+ */
+
+#ifndef __NSCD_DEBUG_H__
+#define __NSCD_DEBUG_H__
+
+#define TRACE_WANTED 32
+
+/* #ifndef NDEBUG */
+#if 0
+#define TRACE_IN(x)	__trace_in(#x, __FILE__, __LINE__)
+#define TRACE_POINT()	__trace_point(__FILE__, __LINE__)
+#define TRACE_MSG(x)	__trace_msg(x, __FILE__, __LINE__)
+#define TRACE_PTR(p)	__trace_ptr(#p, p, __FILE__, __LINE__)
+#define TRACE_INT(i)	__trace_int(#i, i, __FILE__, __LINE__)
+#define TRACE_STR(s)	__trace_str(#s, s, __FILE__, __LINE__)
+#define TRACE_OUT(x)	__trace_out(#x, __FILE__, __LINE__)
+#define TRACE_ON()	__trace_on()
+#define TRACE_OFF()	__trace_off()
+#else
+#define TRACE_IN(x)
+#define TRACE_POINT()
+#define TRACE_MSG(x)
+#define TRACE_PTR(p)
+#define TRACE_INT(i)
+#define TRACE_STR(s)
+#define TRACE_OUT(x)
+#define TRACE_ON()
+#define TRACE_OFF()
+#endif
+
+extern void __trace_in(const char *, const char *, int);
+extern void __trace_point(const char *, int);
+extern void __trace_msg(const char *, const char *, int);
+extern void __trace_ptr(const char *, const void *, const char *, int);
+extern void __trace_int(const char *, int, const char *, int);
+extern void __trace_str(const char *, const char *, const char *, int);
+extern void __trace_out(const char *, const char *, int);
+extern void __trace_on();
+extern void __trace_off();
+
+#endif
diff --git a/usr.sbin/nscd/hashtable.h b/usr.sbin/nscd/hashtable.h
new file mode 100644
index 0000000000..ad2df80260
--- /dev/null
+++ b/usr.sbin/nscd/hashtable.h
@@ -0,0 +1,216 @@
+/*-
+ * Copyright (c) 2005 Michael Bushkov <bushman@rsu.ru>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD: src/usr.sbin/nscd/hashtable.h,v 1.3 2008/10/12 00:44:27 delphij Exp $
+ */
+
+#ifndef __CACHELIB_HASHTABLE_H__
+#define __CACHELIB_HASHTABLE_H__
+
+#include <search.h>
+#include <string.h>
+
+#define HASHTABLE_INITIAL_ENTRIES_CAPACITY 8
+typedef int hashtable_index_t;
+
+/*
+ * This file contains queue.h-like macro definitions for hash tables.
+ * Hash table is organized as an array of the specified size of the user
+ * defined (with HASTABLE_ENTRY_HEAD) structures. Each hash table
+ * entry (user defined structure) stores its elements in the sorted array.
+ * You can place elements into the hash table, retrieve elements with
+ * specified key, traverse through all elements, and delete them.
+ * New elements are placed into the hash table by using the compare and
+ * hashing functions, provided by the user.
+ */
+
+/*
+ * Defines the hash table entry structure, that uses specified type of
+ * elements.
+ */
+#define HASHTABLE_ENTRY_HEAD(name, type) struct name {			\
+	type	*values;						\
+	size_t capacity;						\
+	size_t size;							\
+}
+
+/*
+ * Defines the hash table structure, which uses the specified type of entries.
+ * The only restriction for entries is that is that they should have the field,
+ * defined with HASHTABLE_ENTRY_HEAD macro.
+ */
+#define HASHTABLE_HEAD(name, entry) struct name {			\
+	struct entry	*entries;					\
+	size_t		entries_size;					\
+}
+
+#define HASHTABLE_ENTRIES_COUNT(table) ((table)->entries_size)
+
+/*
+ * Unlike most of queue.h data types, hash tables can not be initialized
+ * statically - so there is no HASHTABLE_HEAD_INITIALIZED macro.
+ */
+#define HASHTABLE_INIT(table, type, field, _entries_size)		\
+	do {								\
+		hashtable_index_t var;					\
+		(table)->entries = (void *)calloc(1,			\
+			sizeof(*(table)->entries) * (_entries_size));	\
+		(table)->entries_size = (_entries_size);		\
+		for (var = 0; var < HASHTABLE_ENTRIES_COUNT(table); ++var) {\
+			(table)->entries[var].field.capacity = 		\
+				HASHTABLE_INITIAL_ENTRIES_CAPACITY;	\
+			(table)->entries[var].field.size = 0;		\
+			(table)->entries[var].field.values = (type *)malloc(\
+				sizeof(type) * 				\
+				HASHTABLE_INITIAL_ENTRIES_CAPACITY);	\
+			assert((table)->entries[var].field.values != NULL);\
+		}							\
+	} while (0)
+
+/*
+ * All initialized hashtables should be destroyed with this macro.
+ */
+#define HASHTABLE_DESTROY(table, field)					\
+	do {								\
+		hashtable_index_t var;					\
+		for (var = 0; var < HASHTABLE_ENTRIES_COUNT(table); ++var) {\
+			free((table)->entries[var].field.values);	\
+		}							\
+	} while (0)
+
+#define HASHTABLE_GET_ENTRY(table, hash)	(&((table)->entries[hash]))
+
+/*
+ * Traverses through all hash table entries
+ */
+#define HASHTABLE_FOREACH(table, var)					\
+	for ((var) = &((table)->entries[0]);				\
+		(var) < &((table)->entries[HASHTABLE_ENTRIES_COUNT(table)]);\
+		++(var))
+
+/*
+ * Traverses through all elements of the specified hash table entry
+ */
+#define HASHTABLE_ENTRY_FOREACH(entry, field, var)			\
+	for ((var) = &((entry)->field.values[0]);			\
+		(var) < &((entry)->field.values[(entry)->field.size]);	\
+		++(var))
+
+#define HASHTABLE_ENTRY_CLEAR(entry, field)				\
+	((entry)->field.size = 0)
+
+#define HASHTABLE_ENTRY_SIZE(entry, field)				\
+	((entry)->field.size)
+
+#define HASHTABLE_ENTRY_CAPACITY(entry, field)				\
+	((entry)->field.capacity)
+
+#define HASHTABLE_ENTRY_CAPACITY_INCREASE(entry, field, type)		\
+	(entry)->field.capacity *= 2;					\
+	(entry)->field.values = (type *)realloc((entry)->field.values, 	\
+		(entry)->field.capacity * sizeof(type));
+
+#define HASHTABLE_ENTRY_CAPACITY_DECREASE(entry, field, type)		\
+	(entry)->field.capacity /= 2;					\
+	(entry)->field.values = (type *)realloc((entry)->field.values, 	\
+		(entry)->field.capacity * sizeof(type));
+
+/*
+ * Generates prototypes for the hash table functions
+ */
+#define HASHTABLE_PROTOTYPE(name, entry_, type)				\
+hashtable_index_t name##_CALCULATE_HASH(struct name *, type *);		\
+void name##_ENTRY_STORE(struct entry_*, type *);			\
+type *name##_ENTRY_FIND(struct entry_*, type *);			\
+type *name##_ENTRY_FIND_SPECIAL(struct entry_ *, type *,		\
+	int (*) (const void *, const void *));				\
+void name##_ENTRY_REMOVE(struct entry_*, type *);
+
+/*
+ * Generates implementations of the hash table functions
+ */
+#define HASHTABLE_GENERATE(name, entry_, type, field, HASH, CMP)	\
+hashtable_index_t name##_CALCULATE_HASH(struct name *table, type *data)	\
+{									\
+									\
+	return HASH(data, table->entries_size);				\
+}									\
+									\
+void name##_ENTRY_STORE(struct entry_ *the_entry, type *data)		\
+{									\
+									\
+	if (the_entry->field.size == the_entry->field.capacity)		\
+		HASHTABLE_ENTRY_CAPACITY_INCREASE(the_entry, field, type);\
+									\
+	memcpy(&(the_entry->field.values[the_entry->field.size++]),	\
+		data,							\
+		sizeof(type));						\
+	qsort(the_entry->field.values, the_entry->field.size, 		\
+		sizeof(type), CMP);					\
+}									\
+									\
+type *name##_ENTRY_FIND(struct entry_ *the_entry, type *key)		\
+{									\
+									\
+	return ((type *)bsearch(key, the_entry->field.values,	 	\
+		the_entry->field.size, sizeof(type), CMP));		\
+}									\
+									\
+type *name##_ENTRY_FIND_SPECIAL(struct entry_ *the_entry, type *key,	\
+	int (*compar) (const void *, const void *))			\
+{									\
+	return ((type *)bsearch(key, the_entry->field.values,	 	\
+		the_entry->field.size, sizeof(type), compar));		\
+}									\
+									\
+void name##_ENTRY_REMOVE(struct entry_ *the_entry, type *del_elm)	\
+{									\
+									\
+	memmove(del_elm, del_elm + 1, 					\
+		(&the_entry->field.values[--the_entry->field.size] - del_elm) *\
+		sizeof(type));						\
+}
+
+/*
+ * Macro definitions below wrap the functions, generaed with
+ * HASHTABLE_GENERATE macro. You should use them and avoid using generated
+ * functions directly.
+ */
+#define HASHTABLE_CALCULATE_HASH(name, table, data)			\
+	(name##_CALCULATE_HASH((table), data))
+
+#define HASHTABLE_ENTRY_STORE(name, entry, data)			\
+	name##_ENTRY_STORE((entry), data)
+
+#define HASHTABLE_ENTRY_FIND(name, entry, key)				\
+	(name##_ENTRY_FIND((entry), (key)))
+
+#define HASHTABLE_ENTRY_FIND_SPECIAL(name, entry, key, cmp)		\
+	(name##_ENTRY_FIND_SPECIAL((entry), (key), (cmp)))
+
+#define HASHTABLE_ENTRY_REMOVE(name, entry, del_elm)			\
+	name##_ENTRY_REMOVE((entry), (del_elm))
+
+#endif
diff --git a/usr.sbin/nscd/log.c b/usr.sbin/nscd/log.c
new file mode 100644
index 0000000000..d0fe8eb5a6
--- /dev/null
+++ b/usr.sbin/nscd/log.c
@@ -0,0 +1,76 @@
+/*-
+ * Copyright (c) 2005 Michael Bushkov <bushman@rsu.ru>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD: src/usr.sbin/nscd/log.c,v 1.3 2007/09/27 12:30:11 bushman Exp $
+ */
+
+#include <assert.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <syslog.h>
+#include "log.h"
+
+void
+__log_msg(int level, const char *sender, const char *message, ...)
+{
+	va_list ap;
+	char	*fmessage;
+
+	fmessage = NULL;
+	va_start(ap, message);
+	vasprintf(&fmessage, message, ap);
+	va_end(ap);
+	assert(fmessage != NULL);
+
+	printf("M%d from %s: %s\n", level, sender, fmessage);
+#ifndef NO_SYSLOG
+	if (level == 0)
+		syslog(LOG_INFO, "nscd message (from %s): %s", sender,
+		fmessage);
+#endif
+	free(fmessage);
+}
+
+void
+__log_err(int level, const char *sender, const char *error, ...)
+{
+	va_list ap;
+	char	*ferror;
+
+	ferror = NULL;
+	va_start(ap, error);
+	vasprintf(&ferror, error, ap);
+	va_end(ap);
+	assert(ferror != NULL);
+
+	printf("E%d from %s: %s\n", level, sender, ferror);
+
+#ifndef NO_SYSLOG
+	if (level == 0)
+		syslog(LOG_ERR, "nscd error (from %s): %s", sender, ferror);
+#endif
+	free(ferror);
+}
diff --git a/lib/libc/net/getproto.c b/usr.sbin/nscd/log.h
similarity index 54%
copy from lib/libc/net/getproto.c
copy to usr.sbin/nscd/log.h
index e0a0085c50..484d7a3726 100644
--- a/lib/libc/net/getproto.c
+++ b/usr.sbin/nscd/log.h
@@ -1,6 +1,6 @@
-/*
- * Copyright (c) 1983, 1993
- *	The Regents of the University of California.  All rights reserved.
+/*-
+ * Copyright (c) 2005 Michael Bushkov <bushman@rsu.ru>
+ * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -10,14 +10,11 @@
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
@@ -26,24 +23,21 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * @(#)getproto.c	8.1 (Berkeley) 6/4/93
- * $DragonFly: src/lib/libc/net/getproto.c,v 1.5 2005/11/13 02:04:47 swildner Exp $
+ * $FreeBSD: src/usr.sbin/nscd/log.h,v 1.3 2007/09/27 12:30:11 bushman Exp $
  */
 
-#include <netdb.h>
+#ifndef __NSCD_LOG_H__
+#define __NSCD_LOG_H__
 
-extern int _proto_stayopen;
+#define LOG_MSG_1(sender, msg, ...) __log_msg(1, sender, msg, ##__VA_ARGS__)
+#define LOG_MSG_2(sender, msg, ...) __log_msg(2, sender, msg, ##__VA_ARGS__)
+#define LOG_MSG_3(sender, msg, ...) __log_msg(3, sedner, msg, ##__VA_ARGS__)
 
-struct protoent *
-getprotobynumber(int proto)
-{
-	struct protoent *p;
+#define LOG_ERR_1(sender, err, ...) __log_err(1, sender, err, ##__VA_ARGS__)
+#define LOG_ERR_2(sender, err, ...) __log_err(2, sender, err, ##__VA_ARGS__)
+#define LOG_ERR_3(sender, err, ...) __log_err(3, sender, err, ##__VA_ARGS__)
 
-	setprotoent(_proto_stayopen);
-	while ( (p = getprotoent()) )
-		if (p->p_proto == proto)
-			break;
-	if (!_proto_stayopen)
-		endprotoent();
-	return (p);
-}
+extern void __log_msg(int, const char *, const char *, ...);
+extern void __log_err(int, const char *, const char *, ...);
+
+#endif
diff --git a/usr.sbin/nscd/mp_rs_query.c b/usr.sbin/nscd/mp_rs_query.c
new file mode 100644
index 0000000000..0ac1b68372
--- /dev/null
+++ b/usr.sbin/nscd/mp_rs_query.c
@@ -0,0 +1,533 @@
+/*-
+ * Copyright (c) 2005 Michael Bushkov <bushman@rsu.ru>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD: src/usr.sbin/nscd/mp_rs_query.c,v 1.4 2008/10/12 00:44:27 delphij Exp $
+ */
+
+#include <sys/socket.h>
+#include <sys/time.h>
+#include <sys/types.h>
+#include <sys/event.h>
+#include <assert.h>
+#include <errno.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdio.h>
+
+#include "cachelib.h"
+#include "config.h"
+#include "debug.h"
+#include "log.h"
+#include "query.h"
+#include "mp_rs_query.h"
+#include "mp_ws_query.h"
+#include "singletons.h"
+
+static int on_mp_read_session_close_notification(struct query_state *);
+static void on_mp_read_session_destroy(struct query_state *);
+static int on_mp_read_session_mapper(struct query_state *);
+/* int on_mp_read_session_request_read1(struct query_state *); */
+static int on_mp_read_session_request_read2(struct query_state *);
+static int on_mp_read_session_request_process(struct query_state *);
+static int on_mp_read_session_response_write1(struct query_state *);
+static int on_mp_read_session_read_request_process(struct query_state *);
+static int on_mp_read_session_read_response_write1(struct query_state *);
+static int on_mp_read_session_read_response_write2(struct query_state *);
+
+/*
+ * This function is used as the query_state's destroy_func to make the
+ * proper cleanup in case of errors.
+ */
+static void
+on_mp_read_session_destroy(struct query_state *qstate)
+{
+	TRACE_IN(on_mp_read_session_destroy);
+	finalize_comm_element(&qstate->request);
+	finalize_comm_element(&qstate->response);
+
+	if (qstate->mdata != NULL) {
+		configuration_lock_entry(qstate->config_entry, CELT_MULTIPART);
+		close_cache_mp_read_session(
+			(cache_mp_read_session)qstate->mdata);
+		configuration_unlock_entry(qstate->config_entry,
+			CELT_MULTIPART);
+	}
+	TRACE_OUT(on_mp_read_session_destroy);
+}
+
+/*
+ * The functions below are used to process multipart read session initiation
+ * requests.
+ * - on_mp_read_session_request_read1 and on_mp_read_session_request_read2 read
+ *   the request itself
+ * - on_mp_read_session_request_process processes it
+ * - on_mp_read_session_response_write1 sends the response
+ */
+int
+on_mp_read_session_request_read1(struct query_state *qstate)
+{
+	struct cache_mp_read_session_request	*c_mp_rs_request;
+	ssize_t	result;
+
+	TRACE_IN(on_mp_read_session_request_read1);
+	if (qstate->kevent_watermark == 0)
+		qstate->kevent_watermark = sizeof(size_t);
+	else {
+		init_comm_element(&qstate->request,
+			CET_MP_READ_SESSION_REQUEST);
+		c_mp_rs_request = get_cache_mp_read_session_request(
+			&qstate->request);
+
+		result = qstate->read_func(qstate,
+			&c_mp_rs_request->entry_length, sizeof(size_t));
+
+		if (result != sizeof(size_t)) {
+			TRACE_OUT(on_mp_read_session_request_read1);
+			return (-1);
+		}
+
+		if (BUFSIZE_INVALID(c_mp_rs_request->entry_length)) {
+			TRACE_OUT(on_mp_read_session_request_read1);
+			return (-1);
+		}
+
+		c_mp_rs_request->entry = (char *)calloc(1,
+			c_mp_rs_request->entry_length + 1);
+		assert(c_mp_rs_request->entry != NULL);
+
+		qstate->kevent_watermark = c_mp_rs_request->entry_length;
+		qstate->process_func = on_mp_read_session_request_read2;
+	}
+	TRACE_OUT(on_mp_read_session_request_read1);
+	return (0);
+}
+
+static int
+on_mp_read_session_request_read2(struct query_state *qstate)
+{
+	struct cache_mp_read_session_request	*c_mp_rs_request;
+	ssize_t	result;
+
+	TRACE_IN(on_mp_read_session_request_read2);
+	c_mp_rs_request = get_cache_mp_read_session_request(&qstate->request);
+
+	result = qstate->read_func(qstate, c_mp_rs_request->entry,
+		c_mp_rs_request->entry_length);
+
+	if (result != qstate->kevent_watermark) {
+		LOG_ERR_3("on_mp_read_session_request_read2",
+			"read failed");
+		TRACE_OUT(on_mp_read_session_request_read2);
+		return (-1);
+	}
+
+	qstate->kevent_watermark = 0;
+	qstate->process_func = on_mp_read_session_request_process;
+	TRACE_OUT(on_mp_read_session_request_read2);
+	return (0);
+}
+
+static int
+on_mp_read_session_request_process(struct query_state *qstate)
+{
+	struct cache_mp_read_session_request	*c_mp_rs_request;
+	struct cache_mp_read_session_response	*c_mp_rs_response;
+	cache_mp_read_session	rs;
+	cache_entry	c_entry;
+	char	*dec_cache_entry_name;
+
+	char *buffer;
+	size_t buffer_size;
+	cache_mp_write_session ws;
+	struct agent	*lookup_agent;
+	struct multipart_agent *mp_agent;
+	void *mdata;
+	int res;
+
+	TRACE_IN(on_mp_read_session_request_process);
+	init_comm_element(&qstate->response, CET_MP_READ_SESSION_RESPONSE);
+	c_mp_rs_response = get_cache_mp_read_session_response(
+		&qstate->response);
+	c_mp_rs_request = get_cache_mp_read_session_request(&qstate->request);
+
+	qstate->config_entry = configuration_find_entry(
+		s_configuration, c_mp_rs_request->entry);
+	if (qstate->config_entry == NULL) {
+		c_mp_rs_response->error_code = ENOENT;
+
+		LOG_ERR_2("read_session_request",
+			"can't find configuration entry '%s'."
+			" aborting request", c_mp_rs_request->entry);
+		goto fin;
+	}
+
+	if (qstate->config_entry->enabled == 0) {
+		c_mp_rs_response->error_code = EACCES;
+
+		LOG_ERR_2("read_session_request",
+			"configuration entry '%s' is disabled",
+			c_mp_rs_request->entry);
+		goto fin;
+	}
+
+	if (qstate->config_entry->perform_actual_lookups != 0)
+		dec_cache_entry_name = strdup(
+			qstate->config_entry->mp_cache_params.entry_name);
+	else {
+#ifdef NS_NSCD_EID_CHECKING
+		if (check_query_eids(qstate) != 0) {
+			c_mp_rs_response->error_code = EPERM;
+			goto fin;
+		}
+#endif
+
+		asprintf(&dec_cache_entry_name, "%s%s", qstate->eid_str,
+			qstate->config_entry->mp_cache_params.entry_name);
+	}
+
+	assert(dec_cache_entry_name != NULL);
+
+	configuration_lock_rdlock(s_configuration);
+	c_entry = find_cache_entry(s_cache, dec_cache_entry_name);
+	configuration_unlock(s_configuration);
+
+	if ((c_entry == INVALID_CACHE) &&
+	   (qstate->config_entry->perform_actual_lookups != 0))
+		c_entry = register_new_mp_cache_entry(qstate,
+			dec_cache_entry_name);
+
+	free(dec_cache_entry_name);
+
+	if (c_entry != INVALID_CACHE_ENTRY) {
+		configuration_lock_entry(qstate->config_entry, CELT_MULTIPART);
+		rs = open_cache_mp_read_session(c_entry);
+		configuration_unlock_entry(qstate->config_entry,
+			CELT_MULTIPART);
+
+		if ((rs == INVALID_CACHE_MP_READ_SESSION) &&
+		   (qstate->config_entry->perform_actual_lookups != 0)) {
+			lookup_agent = find_agent(s_agent_table,
+				c_mp_rs_request->entry, MULTIPART_AGENT);
+
+			if ((lookup_agent != NULL) &&
+			(lookup_agent->type == MULTIPART_AGENT)) {
+				mp_agent = (struct multipart_agent *)
+					lookup_agent;
+				mdata = mp_agent->mp_init_func();
+
+				/*
+				 * Multipart agents read the whole snapshot
+				 * of the data at one time.
+				 */
+				configuration_lock_entry(qstate->config_entry,
+					CELT_MULTIPART);
+				ws = open_cache_mp_write_session(c_entry);
+				configuration_unlock_entry(qstate->config_entry,
+					CELT_MULTIPART);
+				if (ws != NULL) {
+				    do {
+					buffer = NULL;
+					res = mp_agent->mp_lookup_func(&buffer,
+						&buffer_size,
+						mdata);
+
+					if ((res & NS_TERMINATE) &&
+					   (buffer != NULL)) {
+						configuration_lock_entry(
+							qstate->config_entry,
+							CELT_MULTIPART);
+						if (cache_mp_write(ws, buffer,
+						    buffer_size) != 0) {
+							abandon_cache_mp_write_session(ws);
+							ws = NULL;
+						}
+						configuration_unlock_entry(
+							qstate->config_entry,
+							CELT_MULTIPART);
+
+						free(buffer);
+						buffer = NULL;
+					} else {
+						configuration_lock_entry(
+							qstate->config_entry,
+							CELT_MULTIPART);
+						close_cache_mp_write_session(ws);
+						configuration_unlock_entry(
+							qstate->config_entry,
+							CELT_MULTIPART);
+
+						free(buffer);
+						buffer = NULL;
+					}
+				    } while ((res & NS_TERMINATE) &&
+					    (ws != NULL));
+				}
+
+				configuration_lock_entry(qstate->config_entry,
+					CELT_MULTIPART);
+				rs = open_cache_mp_read_session(c_entry);
+				configuration_unlock_entry(qstate->config_entry,
+					CELT_MULTIPART);
+			}
+		}
+
+		if (rs == INVALID_CACHE_MP_READ_SESSION)
+			c_mp_rs_response->error_code = -1;
+		else {
+		    qstate->mdata = rs;
+		    qstate->destroy_func = on_mp_read_session_destroy;
+
+		    configuration_lock_entry(qstate->config_entry,
+			CELT_MULTIPART);
+		    if ((qstate->config_entry->mp_query_timeout.tv_sec != 0) ||
+		    (qstate->config_entry->mp_query_timeout.tv_usec != 0))
+			memcpy(&qstate->timeout,
+			    &qstate->config_entry->mp_query_timeout,
+			    sizeof(struct timeval));
+		    configuration_unlock_entry(qstate->config_entry,
+			CELT_MULTIPART);
+		}
+	} else
+		c_mp_rs_response->error_code = -1;
+
+fin:
+	qstate->process_func = on_mp_read_session_response_write1;
+	qstate->kevent_watermark = sizeof(int);
+	qstate->kevent_filter = EVFILT_WRITE;
+
+	TRACE_OUT(on_mp_read_session_request_process);
+	return (0);
+}
+
+static int
+on_mp_read_session_response_write1(struct query_state *qstate)
+{
+	struct cache_mp_read_session_response	*c_mp_rs_response;
+	ssize_t	result;
+
+	TRACE_IN(on_mp_read_session_response_write1);
+	c_mp_rs_response = get_cache_mp_read_session_response(
+		&qstate->response);
+	result = qstate->write_func(qstate, &c_mp_rs_response->error_code,
+		sizeof(int));
+
+	if (result != sizeof(int)) {
+		LOG_ERR_3("on_mp_read_session_response_write1",
+			"write failed");
+		TRACE_OUT(on_mp_read_session_response_write1);
+		return (-1);
+	}
+
+	if (c_mp_rs_response->error_code == 0) {
+		qstate->kevent_watermark = sizeof(int);
+		qstate->process_func = on_mp_read_session_mapper;
+		qstate->kevent_filter = EVFILT_READ;
+	} else {
+		qstate->kevent_watermark = 0;
+		qstate->process_func = NULL;
+	}
+	TRACE_OUT(on_mp_read_session_response_write1);
+	return (0);
+}
+
+/*
+ * Mapper function is used to avoid multiple connections for each session
+ * write or read requests. After processing the request, it does not close
+ * the connection, but waits for the next request.
+ */
+static int
+on_mp_read_session_mapper(struct query_state *qstate)
+{
+	ssize_t	result;
+	int elem_type;
+
+	TRACE_IN(on_mp_read_session_mapper);
+	if (qstate->kevent_watermark == 0) {
+		qstate->kevent_watermark = sizeof(int);
+	} else {
+		result = qstate->read_func(qstate, &elem_type, sizeof(int));
+		if (result != sizeof(int)) {
+			LOG_ERR_3("on_mp_read_session_mapper",
+				"read failed");
+			TRACE_OUT(on_mp_read_session_mapper);
+			return (-1);
+		}
+
+		switch (elem_type) {
+		case CET_MP_READ_SESSION_READ_REQUEST:
+			qstate->kevent_watermark = 0;
+			qstate->process_func =
+				on_mp_read_session_read_request_process;
+			break;
+		case CET_MP_READ_SESSION_CLOSE_NOTIFICATION:
+			qstate->kevent_watermark = 0;
+			qstate->process_func =
+				on_mp_read_session_close_notification;
+			break;
+		default:
+			qstate->kevent_watermark = 0;
+			qstate->process_func = NULL;
+			LOG_ERR_3("on_mp_read_session_mapper",
+				"unknown element type");
+			TRACE_OUT(on_mp_read_session_mapper);
+			return (-1);
+		}
+	}
+	TRACE_OUT(on_mp_read_session_mapper);
+	return (0);
+}
+
+/*
+ * The functions below are used to process multipart read sessions read
+ * requests. User doesn't have to pass any kind of data, besides the
+ * request identificator itself. So we don't need any XXX_read functions and
+ * start with the XXX_process function.
+ * - on_mp_read_session_read_request_process processes it
+ * - on_mp_read_session_read_response_write1 and
+ *   on_mp_read_session_read_response_write2 sends the response
+ */
+static int
+on_mp_read_session_read_request_process(struct query_state *qstate)
+{
+	struct cache_mp_read_session_read_response	*read_response;
+
+	TRACE_IN(on_mp_read_session_response_process);
+	init_comm_element(&qstate->response, CET_MP_READ_SESSION_READ_RESPONSE);
+	read_response = get_cache_mp_read_session_read_response(
+		&qstate->response);
+
+	configuration_lock_entry(qstate->config_entry, CELT_MULTIPART);
+	read_response->error_code = cache_mp_read(
+		(cache_mp_read_session)qstate->mdata, NULL,
+		&read_response->data_size);
+
+	if (read_response->error_code == 0) {
+		read_response->data = (char *)malloc(read_response->data_size);
+		assert(read_response != NULL);
+		read_response->error_code = cache_mp_read(
+			(cache_mp_read_session)qstate->mdata,
+			read_response->data,
+			&read_response->data_size);
+	}
+	configuration_unlock_entry(qstate->config_entry, CELT_MULTIPART);
+
+	if (read_response->error_code == 0)
+		qstate->kevent_watermark = sizeof(size_t) + sizeof(int);
+	else
+		qstate->kevent_watermark = sizeof(int);
+	qstate->process_func = on_mp_read_session_read_response_write1;
+	qstate->kevent_filter = EVFILT_WRITE;
+
+	TRACE_OUT(on_mp_read_session_response_process);
+	return (0);
+}
+
+static int
+on_mp_read_session_read_response_write1(struct query_state *qstate)
+{
+	struct cache_mp_read_session_read_response	*read_response;
+	ssize_t	result;
+
+	TRACE_IN(on_mp_read_session_read_response_write1);
+	read_response = get_cache_mp_read_session_read_response(
+		&qstate->response);
+
+	result = qstate->write_func(qstate, &read_response->error_code,
+		sizeof(int));
+	if (read_response->error_code == 0) {
+		result += qstate->write_func(qstate, &read_response->data_size,
+			sizeof(size_t));
+		if (result != qstate->kevent_watermark) {
+			TRACE_OUT(on_mp_read_session_read_response_write1);
+			LOG_ERR_3("on_mp_read_session_read_response_write1",
+				"write failed");
+			return (-1);
+		}
+
+		qstate->kevent_watermark = read_response->data_size;
+		qstate->process_func = on_mp_read_session_read_response_write2;
+	} else {
+		if (result != qstate->kevent_watermark) {
+			LOG_ERR_3("on_mp_read_session_read_response_write1",
+				"write failed");
+			TRACE_OUT(on_mp_read_session_read_response_write1);
+			return (-1);
+		}
+
+		qstate->kevent_watermark = 0;
+		qstate->process_func = NULL;
+	}
+
+	TRACE_OUT(on_mp_read_session_read_response_write1);
+	return (0);
+}
+
+static int
+on_mp_read_session_read_response_write2(struct query_state *qstate)
+{
+	struct cache_mp_read_session_read_response *read_response;
+	ssize_t	result;
+
+	TRACE_IN(on_mp_read_session_read_response_write2);
+	read_response = get_cache_mp_read_session_read_response(
+		&qstate->response);
+	result = qstate->write_func(qstate, read_response->data,
+		read_response->data_size);
+	if (result != qstate->kevent_watermark) {
+		LOG_ERR_3("on_mp_read_session_read_response_write2",
+			"write failed");
+		TRACE_OUT(on_mp_read_session_read_response_write2);
+		return (-1);
+	}
+
+	finalize_comm_element(&qstate->request);
+	finalize_comm_element(&qstate->response);
+
+	qstate->kevent_watermark = sizeof(int);
+	qstate->process_func = on_mp_read_session_mapper;
+	qstate->kevent_filter = EVFILT_READ;
+
+	TRACE_OUT(on_mp_read_session_read_response_write2);
+	return (0);
+}
+
+/*
+ * Handles session close notification by calling close_cache_mp_read_session
+ * function.
+ */
+static int
+on_mp_read_session_close_notification(struct query_state *qstate)
+{
+
+	TRACE_IN(on_mp_read_session_close_notification);
+	configuration_lock_entry(qstate->config_entry, CELT_MULTIPART);
+	close_cache_mp_read_session((cache_mp_read_session)qstate->mdata);
+	configuration_unlock_entry(qstate->config_entry, CELT_MULTIPART);
+	qstate->mdata = NULL;
+	qstate->kevent_watermark = 0;
+	qstate->process_func = NULL;
+	TRACE_OUT(on_mp_read_session_close_notification);
+	return (0);
+}
diff --git a/lib/libc/net/getproto.c b/usr.sbin/nscd/mp_rs_query.h
similarity index 57%
copy from lib/libc/net/getproto.c
copy to usr.sbin/nscd/mp_rs_query.h
index e0a0085c50..76f2b65b2f 100644
--- a/lib/libc/net/getproto.c
+++ b/usr.sbin/nscd/mp_rs_query.h
@@ -1,6 +1,6 @@
-/*
- * Copyright (c) 1983, 1993
- *	The Regents of the University of California.  All rights reserved.
+/*-
+ * Copyright (c) 2005 Michael Bushkov <bushman@rsu.ru>
+ * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -10,14 +10,11 @@
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
@@ -26,24 +23,12 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * @(#)getproto.c	8.1 (Berkeley) 6/4/93
- * $DragonFly: src/lib/libc/net/getproto.c,v 1.5 2005/11/13 02:04:47 swildner Exp $
+ * $FreeBSD: src/usr.sbin/nscd/mp_rs_query.h,v 1.3 2007/09/27 12:30:11 bushman Exp $
  */
 
-#include <netdb.h>
+#ifndef __NSCD_MP_RS_QUERY_H__
+#define __NSCD_MP_RS_QUERY_H__
 
-extern int _proto_stayopen;
+extern int on_mp_read_session_request_read1(struct query_state *);
 
-struct protoent *
-getprotobynumber(int proto)
-{
-	struct protoent *p;
-
-	setprotoent(_proto_stayopen);
-	while ( (p = getprotoent()) )
-		if (p->p_proto == proto)
-			break;
-	if (!_proto_stayopen)
-		endprotoent();
-	return (p);
-}
+#endif
diff --git a/usr.sbin/nscd/mp_ws_query.c b/usr.sbin/nscd/mp_ws_query.c
new file mode 100644
index 0000000000..522763364c
--- /dev/null
+++ b/usr.sbin/nscd/mp_ws_query.c
@@ -0,0 +1,543 @@
+/*-
+ * Copyright (c) 2005 Michael Bushkov <bushman@rsu.ru>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD: src/usr.sbin/nscd/mp_ws_query.c,v 1.4 2008/10/12 00:44:27 delphij Exp $
+ */
+
+#include <sys/socket.h>
+#include <sys/time.h>
+#include <sys/types.h>
+#include <sys/event.h>
+#include <assert.h>
+#include <errno.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdio.h>
+
+#include "cachelib.h"
+#include "config.h"
+#include "debug.h"
+#include "log.h"
+#include "query.h"
+#include "mp_ws_query.h"
+#include "singletons.h"
+
+static int on_mp_write_session_abandon_notification(struct query_state *);
+static int on_mp_write_session_close_notification(struct query_state *);
+static void on_mp_write_session_destroy(struct query_state *);
+static int on_mp_write_session_mapper(struct query_state *);
+/* int on_mp_write_session_request_read1(struct query_state *); */
+static int on_mp_write_session_request_read2(struct query_state *);
+static int on_mp_write_session_request_process(struct query_state *);
+static int on_mp_write_session_response_write1(struct query_state *);
+static int on_mp_write_session_write_request_read1(struct query_state *);
+static int on_mp_write_session_write_request_read2(struct query_state *);
+static int on_mp_write_session_write_request_process(struct query_state *);
+static int on_mp_write_session_write_response_write1(struct query_state *);
+
+/*
+ * This function is used as the query_state's destroy_func to make the
+ * proper cleanup in case of errors.
+ */
+static void
+on_mp_write_session_destroy(struct query_state *qstate)
+{
+
+	TRACE_IN(on_mp_write_session_destroy);
+	finalize_comm_element(&qstate->request);
+	finalize_comm_element(&qstate->response);
+
+	if (qstate->mdata != NULL) {
+		configuration_lock_entry(qstate->config_entry, CELT_MULTIPART);
+		abandon_cache_mp_write_session(
+			(cache_mp_write_session)qstate->mdata);
+		configuration_unlock_entry(qstate->config_entry,
+			CELT_MULTIPART);
+	}
+	TRACE_OUT(on_mp_write_session_destroy);
+}
+
+/*
+ * The functions below are used to process multipart write session initiation
+ * requests.
+ * - on_mp_write_session_request_read1 and on_mp_write_session_request_read2
+ *   read the request itself
+ * - on_mp_write_session_request_process processes it
+ * - on_mp_write_session_response_write1 sends the response
+ */
+int
+on_mp_write_session_request_read1(struct query_state *qstate)
+{
+	struct cache_mp_write_session_request	*c_mp_ws_request;
+	ssize_t	result;
+
+	TRACE_IN(on_mp_write_session_request_read1);
+	if (qstate->kevent_watermark == 0)
+		qstate->kevent_watermark = sizeof(size_t);
+	else {
+		init_comm_element(&qstate->request,
+			CET_MP_WRITE_SESSION_REQUEST);
+		c_mp_ws_request = get_cache_mp_write_session_request(
+			&qstate->request);
+
+		result = qstate->read_func(qstate,
+			&c_mp_ws_request->entry_length, sizeof(size_t));
+
+		if (result != sizeof(size_t)) {
+			LOG_ERR_3("on_mp_write_session_request_read1",
+				"read failed");
+			TRACE_OUT(on_mp_write_session_request_read1);
+			return (-1);
+		}
+
+		if (BUFSIZE_INVALID(c_mp_ws_request->entry_length)) {
+			LOG_ERR_3("on_mp_write_session_request_read1",
+				"invalid entry_length value");
+			TRACE_OUT(on_mp_write_session_request_read1);
+			return (-1);
+		}
+
+		c_mp_ws_request->entry = (char *)calloc(1,
+			c_mp_ws_request->entry_length + 1);
+		assert(c_mp_ws_request->entry != NULL);
+
+		qstate->kevent_watermark = c_mp_ws_request->entry_length;
+		qstate->process_func = on_mp_write_session_request_read2;
+	}
+	TRACE_OUT(on_mp_write_session_request_read1);
+	return (0);
+}
+
+static int
+on_mp_write_session_request_read2(struct query_state *qstate)
+{
+	struct cache_mp_write_session_request	*c_mp_ws_request;
+	ssize_t	result;
+
+	TRACE_IN(on_mp_write_session_request_read2);
+	c_mp_ws_request = get_cache_mp_write_session_request(&qstate->request);
+
+	result = qstate->read_func(qstate, c_mp_ws_request->entry,
+		c_mp_ws_request->entry_length);
+
+	if (result != qstate->kevent_watermark) {
+		LOG_ERR_3("on_mp_write_session_request_read2",
+			"read failed");
+		TRACE_OUT(on_mp_write_session_request_read2);
+		return (-1);
+	}
+
+	qstate->kevent_watermark = 0;
+	qstate->process_func = on_mp_write_session_request_process;
+
+	TRACE_OUT(on_mp_write_session_request_read2);
+	return (0);
+}
+
+static int
+on_mp_write_session_request_process(struct query_state *qstate)
+{
+	struct cache_mp_write_session_request	*c_mp_ws_request;
+	struct cache_mp_write_session_response	*c_mp_ws_response;
+	cache_mp_write_session	ws;
+	cache_entry	c_entry;
+	char	*dec_cache_entry_name;
+
+	TRACE_IN(on_mp_write_session_request_process);
+	init_comm_element(&qstate->response, CET_MP_WRITE_SESSION_RESPONSE);
+	c_mp_ws_response = get_cache_mp_write_session_response(
+		&qstate->response);
+	c_mp_ws_request = get_cache_mp_write_session_request(&qstate->request);
+
+	qstate->config_entry = configuration_find_entry(
+		s_configuration, c_mp_ws_request->entry);
+	if (qstate->config_entry == NULL) {
+		c_mp_ws_response->error_code = ENOENT;
+
+		LOG_ERR_2("write_session_request",
+			"can't find configuration entry '%s'. "
+			"aborting request", c_mp_ws_request->entry);
+		goto fin;
+	}
+
+	if (qstate->config_entry->enabled == 0) {
+		c_mp_ws_response->error_code = EACCES;
+
+		LOG_ERR_2("write_session_request",
+			"configuration entry '%s' is disabled",
+			c_mp_ws_request->entry);
+		goto fin;
+	}
+
+	if (qstate->config_entry->perform_actual_lookups != 0) {
+		c_mp_ws_response->error_code = EOPNOTSUPP;
+
+		LOG_ERR_2("write_session_request",
+			"entry '%s' performs lookups by itself: "
+			"can't write to it", c_mp_ws_request->entry);
+		goto fin;
+	} else {
+#ifdef NS_NSCD_EID_CHECKING
+		if (check_query_eids(qstate) != 0) {
+			c_mp_ws_response->error_code = EPERM;
+			goto fin;
+		}
+#endif
+	}
+
+	/*
+	 * All multipart entries are separated by their name decorations.
+	 * For one configuration entry there will be a lot of multipart
+	 * cache entries - each with its own decorated name.
+	 */
+	asprintf(&dec_cache_entry_name, "%s%s", qstate->eid_str,
+		qstate->config_entry->mp_cache_params.entry_name);
+	assert(dec_cache_entry_name != NULL);
+
+	configuration_lock_rdlock(s_configuration);
+	c_entry = find_cache_entry(s_cache,
+		dec_cache_entry_name);
+	configuration_unlock(s_configuration);
+
+	if (c_entry == INVALID_CACHE_ENTRY)
+		c_entry = register_new_mp_cache_entry(qstate,
+			dec_cache_entry_name);
+
+	free(dec_cache_entry_name);
+
+	assert(c_entry != NULL);
+	configuration_lock_entry(qstate->config_entry, CELT_MULTIPART);
+	ws = open_cache_mp_write_session(c_entry);
+	if (ws == INVALID_CACHE_MP_WRITE_SESSION)
+		c_mp_ws_response->error_code = -1;
+	else {
+		qstate->mdata = ws;
+		qstate->destroy_func = on_mp_write_session_destroy;
+
+		if ((qstate->config_entry->mp_query_timeout.tv_sec != 0) ||
+		    (qstate->config_entry->mp_query_timeout.tv_usec != 0))
+			memcpy(&qstate->timeout,
+				&qstate->config_entry->mp_query_timeout,
+				sizeof(struct timeval));
+	}
+	configuration_unlock_entry(qstate->config_entry, CELT_MULTIPART);
+
+fin:
+	qstate->process_func = on_mp_write_session_response_write1;
+	qstate->kevent_watermark = sizeof(int);
+	qstate->kevent_filter = EVFILT_WRITE;
+
+	TRACE_OUT(on_mp_write_session_request_process);
+	return (0);
+}
+
+static int
+on_mp_write_session_response_write1(struct query_state *qstate)
+{
+	struct cache_mp_write_session_response	*c_mp_ws_response;
+	ssize_t	result;
+
+	TRACE_IN(on_mp_write_session_response_write1);
+	c_mp_ws_response = get_cache_mp_write_session_response(
+		&qstate->response);
+	result = qstate->write_func(qstate, &c_mp_ws_response->error_code,
+		sizeof(int));
+	if (result != sizeof(int)) {
+		LOG_ERR_3("on_mp_write_session_response_write1",
+			"write failed");
+		TRACE_OUT(on_mp_write_session_response_write1);
+		return (-1);
+	}
+
+	if (c_mp_ws_response->error_code == 0) {
+		qstate->kevent_watermark = sizeof(int);
+		qstate->process_func = on_mp_write_session_mapper;
+		qstate->kevent_filter = EVFILT_READ;
+	} else {
+		qstate->kevent_watermark = 0;
+		qstate->process_func = NULL;
+	}
+	TRACE_OUT(on_mp_write_session_response_write1);
+	return (0);
+}
+
+/*
+ * Mapper function is used to avoid multiple connections for each session
+ * write or read requests. After processing the request, it does not close
+ * the connection, but waits for the next request.
+ */
+static int
+on_mp_write_session_mapper(struct query_state *qstate)
+{
+	ssize_t	result;
+	int		elem_type;
+
+	TRACE_IN(on_mp_write_session_mapper);
+	if (qstate->kevent_watermark == 0) {
+		qstate->kevent_watermark = sizeof(int);
+	} else {
+		result = qstate->read_func(qstate, &elem_type, sizeof(int));
+		if (result != sizeof(int)) {
+			LOG_ERR_3("on_mp_write_session_mapper",
+				"read failed");
+			TRACE_OUT(on_mp_write_session_mapper);
+			return (-1);
+		}
+
+		switch (elem_type) {
+		case CET_MP_WRITE_SESSION_WRITE_REQUEST:
+			qstate->kevent_watermark = sizeof(size_t);
+			qstate->process_func =
+				on_mp_write_session_write_request_read1;
+			break;
+		case CET_MP_WRITE_SESSION_ABANDON_NOTIFICATION:
+			qstate->kevent_watermark = 0;
+			qstate->process_func =
+				on_mp_write_session_abandon_notification;
+			break;
+		case CET_MP_WRITE_SESSION_CLOSE_NOTIFICATION:
+			qstate->kevent_watermark = 0;
+			qstate->process_func =
+				on_mp_write_session_close_notification;
+			break;
+		default:
+			qstate->kevent_watermark = 0;
+			qstate->process_func = NULL;
+			LOG_ERR_2("on_mp_write_session_mapper",
+				"unknown element type");
+			TRACE_OUT(on_mp_write_session_mapper);
+			return (-1);
+		}
+	}
+	TRACE_OUT(on_mp_write_session_mapper);
+	return (0);
+}
+
+/*
+ * The functions below are used to process multipart write sessions write
+ * requests.
+ * - on_mp_write_session_write_request_read1 and
+ *   on_mp_write_session_write_request_read2 read the request itself
+ * - on_mp_write_session_write_request_process processes it
+ * - on_mp_write_session_write_response_write1 sends the response
+ */
+static int
+on_mp_write_session_write_request_read1(struct query_state *qstate)
+{
+	struct cache_mp_write_session_write_request	*write_request;
+	ssize_t	result;
+
+	TRACE_IN(on_mp_write_session_write_request_read1);
+	init_comm_element(&qstate->request,
+		CET_MP_WRITE_SESSION_WRITE_REQUEST);
+	write_request = get_cache_mp_write_session_write_request(
+		&qstate->request);
+
+	result = qstate->read_func(qstate, &write_request->data_size,
+		sizeof(size_t));
+
+	if (result != sizeof(size_t)) {
+		LOG_ERR_3("on_mp_write_session_write_request_read1",
+			"read failed");
+		TRACE_OUT(on_mp_write_session_write_request_read1);
+		return (-1);
+	}
+
+	if (BUFSIZE_INVALID(write_request->data_size)) {
+		LOG_ERR_3("on_mp_write_session_write_request_read1",
+			"invalid data_size value");
+		TRACE_OUT(on_mp_write_session_write_request_read1);
+		return (-1);
+	}
+
+	write_request->data = (char *)calloc(1, write_request->data_size);
+	assert(write_request->data != NULL);
+
+	qstate->kevent_watermark = write_request->data_size;
+	qstate->process_func = on_mp_write_session_write_request_read2;
+	TRACE_OUT(on_mp_write_session_write_request_read1);
+	return (0);
+}
+
+static int
+on_mp_write_session_write_request_read2(struct query_state *qstate)
+{
+	struct cache_mp_write_session_write_request	*write_request;
+	ssize_t	result;
+
+	TRACE_IN(on_mp_write_session_write_request_read2);
+	write_request = get_cache_mp_write_session_write_request(
+		&qstate->request);
+
+	result = qstate->read_func(qstate, write_request->data,
+		write_request->data_size);
+
+	if (result != qstate->kevent_watermark) {
+		LOG_ERR_3("on_mp_write_session_write_request_read2",
+			"read failed");
+		TRACE_OUT(on_mp_write_session_write_request_read2);
+		return (-1);
+	}
+
+	qstate->kevent_watermark = 0;
+	qstate->process_func = on_mp_write_session_write_request_process;
+	TRACE_OUT(on_mp_write_session_write_request_read2);
+	return (0);
+}
+
+static int
+on_mp_write_session_write_request_process(struct query_state *qstate)
+{
+	struct cache_mp_write_session_write_request	*write_request;
+	struct cache_mp_write_session_write_response	*write_response;
+
+	TRACE_IN(on_mp_write_session_write_request_process);
+	init_comm_element(&qstate->response,
+		CET_MP_WRITE_SESSION_WRITE_RESPONSE);
+	write_response = get_cache_mp_write_session_write_response(
+		&qstate->response);
+	write_request = get_cache_mp_write_session_write_request(
+		&qstate->request);
+
+	configuration_lock_entry(qstate->config_entry, CELT_MULTIPART);
+	write_response->error_code = cache_mp_write(
+		(cache_mp_write_session)qstate->mdata,
+		write_request->data,
+		write_request->data_size);
+	configuration_unlock_entry(qstate->config_entry, CELT_MULTIPART);
+
+	qstate->kevent_watermark = sizeof(int);
+	qstate->process_func = on_mp_write_session_write_response_write1;
+	qstate->kevent_filter = EVFILT_WRITE;
+
+	TRACE_OUT(on_mp_write_session_write_request_process);
+	return (0);
+}
+
+static int
+on_mp_write_session_write_response_write1(struct query_state *qstate)
+{
+	struct cache_mp_write_session_write_response	*write_response;
+	ssize_t	result;
+
+	TRACE_IN(on_mp_write_session_write_response_write1);
+	write_response = get_cache_mp_write_session_write_response(
+		&qstate->response);
+	result = qstate->write_func(qstate, &write_response->error_code,
+		sizeof(int));
+	if (result != sizeof(int)) {
+		LOG_ERR_3("on_mp_write_session_write_response_write1",
+			"write failed");
+		TRACE_OUT(on_mp_write_session_write_response_write1);
+		return (-1);
+	}
+
+	if (write_response->error_code == 0) {
+		finalize_comm_element(&qstate->request);
+		finalize_comm_element(&qstate->response);
+
+		qstate->kevent_watermark = sizeof(int);
+		qstate->process_func = on_mp_write_session_mapper;
+		qstate->kevent_filter = EVFILT_READ;
+	} else {
+		qstate->kevent_watermark = 0;
+		qstate->process_func = 0;
+	}
+
+	TRACE_OUT(on_mp_write_session_write_response_write1);
+	return (0);
+}
+
+/*
+ * Handles abandon notifications. Destroys the session by calling the
+ * abandon_cache_mp_write_session.
+ */
+static int
+on_mp_write_session_abandon_notification(struct query_state *qstate)
+{
+	TRACE_IN(on_mp_write_session_abandon_notification);
+	configuration_lock_entry(qstate->config_entry, CELT_MULTIPART);
+	abandon_cache_mp_write_session((cache_mp_write_session)qstate->mdata);
+	configuration_unlock_entry(qstate->config_entry, CELT_MULTIPART);
+	qstate->mdata = INVALID_CACHE_MP_WRITE_SESSION;
+
+	qstate->kevent_watermark = 0;
+	qstate->process_func = NULL;
+	TRACE_OUT(on_mp_write_session_abandon_notification);
+	return (0);
+}
+
+/*
+ * Handles close notifications. Commits the session by calling
+ * the close_cache_mp_write_session.
+ */
+static int
+on_mp_write_session_close_notification(struct query_state *qstate)
+{
+	TRACE_IN(on_mp_write_session_close_notification);
+	configuration_lock_entry(qstate->config_entry, CELT_MULTIPART);
+	close_cache_mp_write_session((cache_mp_write_session)qstate->mdata);
+	configuration_unlock_entry(qstate->config_entry, CELT_MULTIPART);
+	qstate->mdata = INVALID_CACHE_MP_WRITE_SESSION;
+
+	qstate->kevent_watermark = 0;
+	qstate->process_func = NULL;
+	TRACE_OUT(on_mp_write_session_close_notification);
+	return (0);
+}
+
+cache_entry register_new_mp_cache_entry(struct query_state *qstate,
+	const char *dec_cache_entry_name)
+{
+	cache_entry c_entry;
+	char *en_bkp;
+
+	TRACE_IN(register_new_mp_cache_entry);
+	c_entry = INVALID_CACHE_ENTRY;
+	configuration_lock_entry(qstate->config_entry, CELT_MULTIPART);
+
+	configuration_lock_wrlock(s_configuration);
+	en_bkp = qstate->config_entry->mp_cache_params.entry_name;
+	qstate->config_entry->mp_cache_params.entry_name =
+		(char *)dec_cache_entry_name;
+	register_cache_entry(s_cache, (struct cache_entry_params *)
+		&qstate->config_entry->mp_cache_params);
+	qstate->config_entry->mp_cache_params.entry_name = en_bkp;
+	configuration_unlock(s_configuration);
+
+	configuration_lock_rdlock(s_configuration);
+	c_entry = find_cache_entry(s_cache,
+		dec_cache_entry_name);
+	configuration_unlock(s_configuration);
+
+	configuration_entry_add_mp_cache_entry(qstate->config_entry,
+		c_entry);
+
+	configuration_unlock_entry(qstate->config_entry,
+		CELT_MULTIPART);
+
+	TRACE_OUT(register_new_mp_cache_entry);
+	return (c_entry);
+}
diff --git a/lib/libc/net/getproto.c b/usr.sbin/nscd/mp_ws_query.h
similarity index 57%
copy from lib/libc/net/getproto.c
copy to usr.sbin/nscd/mp_ws_query.h
index e0a0085c50..b36d5c0feb 100644
--- a/lib/libc/net/getproto.c
+++ b/usr.sbin/nscd/mp_ws_query.h
@@ -1,6 +1,6 @@
-/*
- * Copyright (c) 1983, 1993
- *	The Regents of the University of California.  All rights reserved.
+/*-
+ * Copyright (c) 2005 Michael Bushkov <bushman@rsu.ru>
+ * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -10,14 +10,11 @@
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
@@ -26,24 +23,14 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * @(#)getproto.c	8.1 (Berkeley) 6/4/93
- * $DragonFly: src/lib/libc/net/getproto.c,v 1.5 2005/11/13 02:04:47 swildner Exp $
+ * $FreeBSD: src/usr.sbin/nscd/mp_ws_query.h,v 1.3 2007/09/27 12:30:11 bushman Exp $
  */
 
-#include <netdb.h>
+#ifndef __NSCD_MP_WS_QUERY_H__
+#define __NSCD_MP_WS_QUERY_H__
 
-extern int _proto_stayopen;
+extern int on_mp_write_session_request_read1(struct query_state *);
+extern cache_entry register_new_mp_cache_entry(struct query_state *,
+	const char *);
 
-struct protoent *
-getprotobynumber(int proto)
-{
-	struct protoent *p;
-
-	setprotoent(_proto_stayopen);
-	while ( (p = getprotoent()) )
-		if (p->p_proto == proto)
-			break;
-	if (!_proto_stayopen)
-		endprotoent();
-	return (p);
-}
+#endif
diff --git a/usr.sbin/nscd/nscd.8 b/usr.sbin/nscd/nscd.8
new file mode 100644
index 0000000000..176c09b997
--- /dev/null
+++ b/usr.sbin/nscd/nscd.8
@@ -0,0 +1,165 @@
+.\" Copyright (c) 2005 Michael Bushkov <bushman@rsu.ru>
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD: src/usr.sbin/nscd/nscd.8,v 1.10 2007/09/27 12:30:11 bushman Exp $
+.\"
+.Dd October 20, 2005
+.Dt NSCD 8
+.Os
+.Sh NAME
+.Nm nscd
+.Nd "name service caching daemon"
+.Sh SYNOPSIS
+.Nm
+.Op Fl dnst
+.Op Fl i Ar cachename
+.Op Fl I Ar cachename
+.Sh DESCRIPTION
+The
+.Nm
+utility
+is the system caching daemon.
+It can cache almost all types of data and is basically intended to be used
+with the
+.Nm nsswitch
+subsystem.
+The cache is actually per-user.
+This means that each user can work only with the
+cached data that were cached by themselves, and cannot poison the
+cache of other users.
+The
+.Nm
+utility supports two types of caching:
+.Bl -tag -width ".Sy Type"
+.It Sy Type
+.Sy Description
+.It Common caching
+Each cached element is the key+value pair.
+This type of caching supports policies which are applied when maximum
+number of cached elements is exceeded.
+Three policies are available:
+.Cm FIFO
+(first in - first out),
+.Cm LRU
+(least recently used) and
+.Cm LFU
+(least frequently used).
+This type of caching is used with the
+.Fn getXXXbyname
+family of functions.
+.It Multipart caching
+Each cached element is the part of the elements sequence.
+This type of caching is intended to be used with the
+.Fn getXXXent
+family of functions.
+.El
+.Pp
+The
+.Nm
+utility is able not only to cache elements, but to perform the actual nsswitch
+lookups by itself.
+To enable this feature, use the
+.Va perform-actual-lookups
+parameter in
+.Xr nscd.conf 5 .
+.Pp
+The
+.Nm
+utility recognizes the following runtime options:
+.Bl -tag -width indent
+.\" .It Fl d
+.\" XXX Document me!
+.It Fl n
+Do not daemonize;
+.Nm
+will not fork or disconnect itself from the terminal.
+.It Fl s
+Single-threaded mode.
+Forces using only one thread for all processing purposes (it overrides
+the
+.Va threads
+parameter in the
+.Xr nscd.conf 5
+file).
+.It Fl t
+Trace mode.
+All trace messages will be written to stdout.
+This mode is usually used with
+.Fl n
+and
+.Fl s
+flags are used for debugging purposes.
+.It Fl i Ar cachename
+Invalidates personal cache.
+When specified,
+.Nm
+acts as the administration tool.
+It asks the already running
+.Nm
+to invalidate the specified part of the cache of the
+calling user.
+For example, sometimes you may want to invalidate your
+.Dq Li hosts
+cache.
+You can specify
+.Dq Li all
+as the
+.Ar cachename
+to invalidate your personal cache as a whole.
+You cannot use this option for the
+.Ar cachename
+for which the
+.Va perform-actual-lookups
+option is enabled.
+.It Fl I Ar cachename
+Invalidates the cache for every user.
+When specified,
+.Nm
+acts as the administration tool.
+It asks the already
+running
+.Nm
+to invalidate the specified part of the cache for
+every user.
+You can specify
+.Dq Li all
+as the
+.Ar cachename
+to invalidate the whole cache.
+Only the root can use this option.
+.El
+.Sh FILES
+.Bl -tag -width ".Pa /etc/nscd.conf" -compact
+.It Pa /etc/nscd.conf
+The default configuration file.
+.El
+.Sh SEE ALSO
+.Xr nsdispatch 3 ,
+.Xr nscd.conf 5 ,
+.Xr nsswitch.conf 5
+.Sh AUTHORS
+.An Michael Bushkov Aq bushman@freebsd.org
+.Sh BUGS
+Please send bug reports and suggestions to
+.Aq bushman@freebsd.org .
diff --git a/usr.sbin/nscd/nscd.c b/usr.sbin/nscd/nscd.c
new file mode 100644
index 0000000000..ec18f23bbb
--- /dev/null
+++ b/usr.sbin/nscd/nscd.c
@@ -0,0 +1,867 @@
+/*-
+ * Copyright (c) 2005 Michael Bushkov <bushman@rsu.ru>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in thereg
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD: src/usr.sbin/nscd/nscd.c,v 1.7 2008/10/23 00:27:35 delphij Exp $
+ */
+
+#include <sys/types.h>
+#include <sys/event.h>
+#include <sys/socket.h>
+#include <sys/time.h>
+#include <sys/param.h>
+#include <sys/un.h>
+#include <assert.h>
+#include <err.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <libutil.h>
+#include <pthread.h>
+#include <signal.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "agents/passwd.h"
+#include "agents/group.h"
+#include "agents/services.h"
+#include "cachelib.h"
+#include "config.h"
+#include "debug.h"
+#include "log.h"
+#include "nscdcli.h"
+#include "parser.h"
+#include "query.h"
+#include "singletons.h"
+
+#ifndef CONFIG_PATH
+#define CONFIG_PATH "/etc/nscd.conf"
+#endif
+#define DEFAULT_CONFIG_PATH	"nscd.conf"
+
+#define MAX_SOCKET_IO_SIZE	4096
+
+struct processing_thread_args {
+	cache	the_cache;
+	struct configuration	*the_configuration;
+	struct runtime_env		*the_runtime_env;
+};
+
+static void accept_connection(struct kevent *, struct runtime_env *,
+	struct configuration *);
+static void destroy_cache_(cache);
+static void destroy_runtime_env(struct runtime_env *);
+static cache init_cache_(struct configuration *);
+static struct runtime_env *init_runtime_env(struct configuration *);
+static void processing_loop(cache, struct runtime_env *,
+	struct configuration *);
+static void process_socket_event(struct kevent *, struct runtime_env *,
+	struct configuration *);
+static void process_timer_event(struct kevent *, struct runtime_env *,
+	struct configuration *);
+static void *processing_thread(void *);
+static void usage(void);
+
+void get_time_func(struct timeval *);
+
+static void
+usage(void)
+{
+	fprintf(stderr,
+	    "usage: nscd [-dnst] [-i cachename] [-I cachename]\n");
+	exit(1);
+}
+
+static cache
+init_cache_(struct configuration *config)
+{
+	struct cache_params params;
+	cache retval;
+
+	struct configuration_entry *config_entry;
+	size_t	size, i;
+	int res;
+
+	TRACE_IN(init_cache_);
+
+	memset(&params, 0, sizeof(struct cache_params));
+	params.get_time_func = get_time_func;
+	retval = init_cache(&params);
+
+	size = configuration_get_entries_size(config);
+	for (i = 0; i < size; ++i) {
+		config_entry = configuration_get_entry(config, i);
+		/*
+		 * We should register common entries now - multipart entries
+		 * would be registered automatically during the queries.
+		 */
+		res = register_cache_entry(retval, (struct cache_entry_params *)
+			&config_entry->positive_cache_params);
+		config_entry->positive_cache_entry = find_cache_entry(retval,
+			config_entry->positive_cache_params.entry_name);
+		assert(config_entry->positive_cache_entry !=
+			INVALID_CACHE_ENTRY);
+
+		res = register_cache_entry(retval, (struct cache_entry_params *)
+			&config_entry->negative_cache_params);
+		config_entry->negative_cache_entry = find_cache_entry(retval,
+			config_entry->negative_cache_params.entry_name);
+		assert(config_entry->negative_cache_entry !=
+			INVALID_CACHE_ENTRY);
+	}
+
+	LOG_MSG_2("cache", "cache was successfully initialized");
+	TRACE_OUT(init_cache_);
+	return (retval);
+}
+
+static void
+destroy_cache_(cache the_cache)
+{
+	TRACE_IN(destroy_cache_);
+	destroy_cache(the_cache);
+	TRACE_OUT(destroy_cache_);
+}
+
+/*
+ * Socket and kqueues are prepared here. We have one global queue for both
+ * socket and timers events.
+ */
+static struct runtime_env *
+init_runtime_env(struct configuration *config)
+{
+	int serv_addr_len;
+	struct sockaddr_un serv_addr;
+
+	struct kevent eventlist;
+	struct timespec timeout;
+
+	struct runtime_env *retval;
+
+	TRACE_IN(init_runtime_env);
+	retval = (struct runtime_env *)calloc(1, sizeof(struct runtime_env));
+	assert(retval != NULL);
+
+	retval->sockfd = socket(PF_LOCAL, SOCK_STREAM, 0);
+
+	if (config->force_unlink == 1)
+		unlink(config->socket_path);
+
+	memset(&serv_addr, 0, sizeof(struct sockaddr_un));
+	serv_addr.sun_family = PF_LOCAL;
+	strlcpy(serv_addr.sun_path, config->socket_path,
+		sizeof(serv_addr.sun_path));
+	serv_addr_len = sizeof(serv_addr.sun_family) +
+		strlen(serv_addr.sun_path) + 1;
+
+	if (bind(retval->sockfd, (struct sockaddr *)&serv_addr,
+		serv_addr_len) == -1) {
+		close(retval->sockfd);
+		free(retval);
+
+		LOG_ERR_2("runtime environment", "can't bind socket to path: "
+			"%s", config->socket_path);
+		TRACE_OUT(init_runtime_env);
+		return (NULL);
+	}
+	LOG_MSG_2("runtime environment", "using socket %s",
+		config->socket_path);
+
+	/*
+	 * Here we're marking socket as non-blocking and setting its backlog
+	 * to the maximum value
+	 */
+	chmod(config->socket_path, config->socket_mode);
+	listen(retval->sockfd, -1);
+	fcntl(retval->sockfd, F_SETFL, O_NONBLOCK);
+
+	retval->queue = kqueue();
+	assert(retval->queue != -1);
+
+	EV_SET(&eventlist, retval->sockfd, EVFILT_READ, EV_ADD | EV_ONESHOT,
+		0, 0, 0);
+	memset(&timeout, 0, sizeof(struct timespec));
+	kevent(retval->queue, &eventlist, 1, NULL, 0, &timeout);
+
+	LOG_MSG_2("runtime environment", "successfully initialized");
+	TRACE_OUT(init_runtime_env);
+	return (retval);
+}
+
+static void
+destroy_runtime_env(struct runtime_env *env)
+{
+	TRACE_IN(destroy_runtime_env);
+	close(env->queue);
+	close(env->sockfd);
+	free(env);
+	TRACE_OUT(destroy_runtime_env);
+}
+
+static void
+accept_connection(struct kevent *event_data, struct runtime_env *env,
+	struct configuration *config)
+{
+	struct kevent	eventlist[2];
+	struct timespec	timeout;
+	struct query_state	*qstate;
+
+	int	fd;
+	int	res;
+
+	uid_t	euid;
+	gid_t	egid;
+
+	TRACE_IN(accept_connection);
+	fd = accept(event_data->ident, NULL, NULL);
+	if (fd == -1) {
+		LOG_ERR_2("accept_connection", "error %d during accept()",
+		    errno);
+		TRACE_OUT(accept_connection);
+		return;
+	}
+
+	if (getpeereid(fd, &euid, &egid) != 0) {
+		LOG_ERR_2("accept_connection", "error %d during getpeereid()",
+			errno);
+		TRACE_OUT(accept_connection);
+		return;
+	}
+
+	qstate = init_query_state(fd, sizeof(int), euid, egid);
+	if (qstate == NULL) {
+		LOG_ERR_2("accept_connection", "can't init query_state");
+		TRACE_OUT(accept_connection);
+		return;
+	}
+
+	memset(&timeout, 0, sizeof(struct timespec));
+	EV_SET(&eventlist[0], fd, EVFILT_TIMER, EV_ADD | EV_ONESHOT,
+		0, qstate->timeout.tv_sec * 1000, qstate);
+	EV_SET(&eventlist[1], fd, EVFILT_READ, EV_ADD | EV_ONESHOT,
+		NOTE_LOWAT, qstate->kevent_watermark, qstate);
+	res = kevent(env->queue, eventlist, 2, NULL, 0, &timeout);
+	if (res < 0)
+		LOG_ERR_2("accept_connection", "kevent error");
+
+	TRACE_OUT(accept_connection);
+}
+
+static void
+process_socket_event(struct kevent *event_data, struct runtime_env *env,
+	struct configuration *config)
+{
+	struct kevent	eventlist[2];
+	struct timeval	query_timeout;
+	struct timespec	kevent_timeout;
+	int	nevents;
+	int	eof_res, res;
+	ssize_t	io_res;
+	struct query_state *qstate;
+
+	TRACE_IN(process_socket_event);
+	eof_res = event_data->flags & EV_EOF ? 1 : 0;
+	res = 0;
+
+	memset(&kevent_timeout, 0, sizeof(struct timespec));
+	EV_SET(&eventlist[0], event_data->ident, EVFILT_TIMER, EV_DELETE,
+		0, 0, NULL);
+	nevents = kevent(env->queue, eventlist, 1, NULL, 0, &kevent_timeout);
+	if (nevents == -1) {
+		if (errno == ENOENT) {
+			/* the timer is already handling this event */
+			TRACE_OUT(process_socket_event);
+			return;
+		} else {
+			/* some other error happened */
+			LOG_ERR_2("process_socket_event", "kevent error, errno"
+				" is %d", errno);
+			TRACE_OUT(process_socket_event);
+			return;
+		}
+	}
+	qstate = (struct query_state *)event_data->udata;
+
+	/*
+	 * If the buffer that is to be send/received is too large,
+	 * we send it implicitly, by using query_io_buffer_read and
+	 * query_io_buffer_write functions in the query_state. These functions
+	 * use the temporary buffer, which is later send/received in parts.
+	 * The code below implements buffer splitting/mergind for send/receive
+	 * operations. It also does the actual socket IO operations.
+	 */
+	if (((qstate->use_alternate_io == 0) &&
+		(qstate->kevent_watermark <= event_data->data)) ||
+		((qstate->use_alternate_io != 0) &&
+		(qstate->io_buffer_watermark <= event_data->data))) {
+		if (qstate->use_alternate_io != 0) {
+			switch (qstate->io_buffer_filter) {
+			case EVFILT_READ:
+				io_res = query_socket_read(qstate,
+					qstate->io_buffer_p,
+					qstate->io_buffer_watermark);
+				if (io_res < 0) {
+					qstate->use_alternate_io = 0;
+					qstate->process_func = NULL;
+				} else {
+					qstate->io_buffer_p += io_res;
+					if (qstate->io_buffer_p ==
+						qstate->io_buffer +
+						qstate->io_buffer_size) {
+						qstate->io_buffer_p =
+						    qstate->io_buffer;
+						qstate->use_alternate_io = 0;
+					}
+				}
+			break;
+			default:
+			break;
+			}
+		}
+
+		if (qstate->use_alternate_io == 0) {
+			do {
+				res = qstate->process_func(qstate);
+			} while ((qstate->kevent_watermark == 0) &&
+					(qstate->process_func != NULL) &&
+					(res == 0));
+
+			if (res != 0)
+				qstate->process_func = NULL;
+		}
+
+		if ((qstate->use_alternate_io != 0) &&
+			(qstate->io_buffer_filter == EVFILT_WRITE)) {
+			io_res = query_socket_write(qstate, qstate->io_buffer_p,
+				qstate->io_buffer_watermark);
+			if (io_res < 0) {
+				qstate->use_alternate_io = 0;
+				qstate->process_func = NULL;
+			} else
+				qstate->io_buffer_p += io_res;
+		}
+	} else {
+		/* assuming that socket was closed */
+		qstate->process_func = NULL;
+		qstate->use_alternate_io = 0;
+	}
+
+	if (((qstate->process_func == NULL) &&
+		(qstate->use_alternate_io == 0)) ||
+		(eof_res != 0) || (res != 0)) {
+		destroy_query_state(qstate);
+		close(event_data->ident);
+		TRACE_OUT(process_socket_event);
+		return;
+	}
+
+	/* updating the query_state lifetime variable */
+	get_time_func(&query_timeout);
+	query_timeout.tv_usec = 0;
+	query_timeout.tv_sec -= qstate->creation_time.tv_sec;
+	if (query_timeout.tv_sec > qstate->timeout.tv_sec)
+		query_timeout.tv_sec = 0;
+	else
+		query_timeout.tv_sec = qstate->timeout.tv_sec -
+			query_timeout.tv_sec;
+
+	if ((qstate->use_alternate_io != 0) && (qstate->io_buffer_p ==
+		qstate->io_buffer + qstate->io_buffer_size))
+		qstate->use_alternate_io = 0;
+
+	if (qstate->use_alternate_io == 0) {
+		/*
+		 * If we must send/receive the large block of data,
+		 * we should prepare the query_state's io_XXX fields.
+		 * We should also substitute its write_func and read_func
+		 * with the query_io_buffer_write and query_io_buffer_read,
+		 * which will allow us to implicitly send/receive this large
+		 * buffer later (in the subsequent calls to the
+		 * process_socket_event).
+		 */
+		if (qstate->kevent_watermark > MAX_SOCKET_IO_SIZE) {
+			if (qstate->io_buffer != NULL)
+				free(qstate->io_buffer);
+
+			qstate->io_buffer = (char *)calloc(1,
+				qstate->kevent_watermark);
+			assert(qstate->io_buffer != NULL);
+
+			qstate->io_buffer_p = qstate->io_buffer;
+			qstate->io_buffer_size = qstate->kevent_watermark;
+			qstate->io_buffer_filter = qstate->kevent_filter;
+
+			qstate->write_func = query_io_buffer_write;
+			qstate->read_func = query_io_buffer_read;
+
+			if (qstate->kevent_filter == EVFILT_READ)
+				qstate->use_alternate_io = 1;
+
+			qstate->io_buffer_watermark = MAX_SOCKET_IO_SIZE;
+			EV_SET(&eventlist[1], event_data->ident,
+				qstate->kevent_filter, EV_ADD | EV_ONESHOT,
+				NOTE_LOWAT, MAX_SOCKET_IO_SIZE, qstate);
+		} else {
+			EV_SET(&eventlist[1], event_data->ident,
+				qstate->kevent_filter, EV_ADD | EV_ONESHOT,
+				NOTE_LOWAT, qstate->kevent_watermark, qstate);
+		}
+	} else {
+		if (qstate->io_buffer + qstate->io_buffer_size -
+			qstate->io_buffer_p <
+			MAX_SOCKET_IO_SIZE) {
+			qstate->io_buffer_watermark = qstate->io_buffer +
+				qstate->io_buffer_size - qstate->io_buffer_p;
+			EV_SET(&eventlist[1], event_data->ident,
+				qstate->io_buffer_filter,
+				EV_ADD | EV_ONESHOT, NOTE_LOWAT,
+				qstate->io_buffer_watermark,
+				qstate);
+		} else {
+			qstate->io_buffer_watermark = MAX_SOCKET_IO_SIZE;
+			EV_SET(&eventlist[1], event_data->ident,
+				qstate->io_buffer_filter, EV_ADD | EV_ONESHOT,
+				NOTE_LOWAT, MAX_SOCKET_IO_SIZE, qstate);
+		}
+	}
+	EV_SET(&eventlist[0], event_data->ident, EVFILT_TIMER,
+		EV_ADD | EV_ONESHOT, 0, query_timeout.tv_sec * 1000, qstate);
+	kevent(env->queue, eventlist, 2, NULL, 0, &kevent_timeout);
+
+	TRACE_OUT(process_socket_event);
+}
+
+/*
+ * This routine is called if timer event has been signaled in the kqueue. It
+ * just closes the socket and destroys the query_state.
+ */
+static void
+process_timer_event(struct kevent *event_data, struct runtime_env *env,
+	struct configuration *config)
+{
+	struct query_state	*qstate;
+
+	TRACE_IN(process_timer_event);
+	qstate = (struct query_state *)event_data->udata;
+	destroy_query_state(qstate);
+	close(event_data->ident);
+	TRACE_OUT(process_timer_event);
+}
+
+/*
+ * Processing loop is the basic processing routine, that forms a body of each
+ * procssing thread
+ */
+static void
+processing_loop(cache the_cache, struct runtime_env *env,
+	struct configuration *config)
+{
+	struct timespec timeout;
+	const int eventlist_size = 1;
+	struct kevent eventlist[eventlist_size];
+	int nevents, i;
+
+	TRACE_MSG("=> processing_loop");
+	memset(&timeout, 0, sizeof(struct timespec));
+	memset(&eventlist, 0, sizeof(struct kevent) * eventlist_size);
+
+	for (;;) {
+		nevents = kevent(env->queue, NULL, 0, eventlist,
+			eventlist_size, NULL);
+		/*
+		 * we can only receive 1 event on success
+		 */
+		if (nevents == 1) {
+			struct kevent *event_data;
+			event_data = &eventlist[0];
+
+			if (event_data->ident == env->sockfd) {
+				for (i = 0; i < event_data->data; ++i)
+				    accept_connection(event_data, env, config);
+
+				EV_SET(eventlist, s_runtime_env->sockfd,
+				    EVFILT_READ, EV_ADD | EV_ONESHOT,
+				    0, 0, 0);
+				memset(&timeout, 0,
+				    sizeof(struct timespec));
+				kevent(s_runtime_env->queue, eventlist,
+				    1, NULL, 0, &timeout);
+
+			} else {
+				switch (event_data->filter) {
+				case EVFILT_READ:
+				case EVFILT_WRITE:
+					process_socket_event(event_data,
+						env, config);
+					break;
+				case EVFILT_TIMER:
+					process_timer_event(event_data,
+						env, config);
+					break;
+				default:
+					break;
+				}
+			}
+		} else {
+			/* this branch shouldn't be currently executed */
+		}
+	}
+
+	TRACE_MSG("<= processing_loop");
+}
+
+/*
+ * Wrapper above the processing loop function. It sets the thread signal mask
+ * to avoid SIGPIPE signals (which can happen if the client works incorrectly).
+ */
+static void *
+processing_thread(void *data)
+{
+	struct processing_thread_args	*args;
+	sigset_t new;
+
+	TRACE_MSG("=> processing_thread");
+	args = (struct processing_thread_args *)data;
+
+	sigemptyset(&new);
+	sigaddset(&new, SIGPIPE);
+	if (pthread_sigmask(SIG_BLOCK, &new, NULL) != 0)
+		LOG_ERR_1("processing thread",
+			"thread can't block the SIGPIPE signal");
+
+	processing_loop(args->the_cache, args->the_runtime_env,
+		args->the_configuration);
+	free(args);
+	TRACE_MSG("<= processing_thread");
+
+	return (NULL);
+}
+
+void
+get_time_func(struct timeval *time)
+{
+	struct timespec res;
+	memset(&res, 0, sizeof(struct timespec));
+	clock_gettime(CLOCK_MONOTONIC, &res);
+
+	time->tv_sec = res.tv_sec;
+	time->tv_usec = 0;
+}
+
+/*
+ * The idea of _nss_cache_cycle_prevention_function is that nsdispatch will
+ * search for this symbol in the executable. This symbol is the attribute of
+ * the caching daemon. So, if it exists, nsdispatch won't try to connect to
+ * the caching daemon and will just ignore the 'cache' source in the
+ * nsswitch.conf. This method helps to avoid cycles and organize
+ * self-performing requests.
+ */
+void
+_nss_cache_cycle_prevention_function(void)
+{
+}
+
+int
+main(int argc, char *argv[])
+{
+	struct processing_thread_args *thread_args;
+	pthread_t *threads;
+
+	struct pidfh *pidfile;
+	pid_t pid;
+
+	char const *config_file;
+	char const *error_str;
+	int error_line;
+	int i, res;
+
+	int trace_mode_enabled;
+	int force_single_threaded;
+	int do_not_daemonize;
+	int clear_user_cache_entries, clear_all_cache_entries;
+	char *user_config_entry_name, *global_config_entry_name;
+	int show_statistics;
+	int daemon_mode, interactive_mode;
+
+
+	/* by default all debug messages are omitted */
+	TRACE_OFF();
+
+	/* parsing command line arguments */
+	trace_mode_enabled = 0;
+	force_single_threaded = 0;
+	do_not_daemonize = 0;
+	clear_user_cache_entries = 0;
+	clear_all_cache_entries = 0;
+	show_statistics = 0;
+	user_config_entry_name = NULL;
+	global_config_entry_name = NULL;
+	while ((res = getopt(argc, argv, "nstdi:I:")) != -1) {
+		switch (res) {
+		case 'n':
+			do_not_daemonize = 1;
+			break;
+		case 's':
+			force_single_threaded = 1;
+			break;
+		case 't':
+			trace_mode_enabled = 1;
+			break;
+		case 'i':
+			clear_user_cache_entries = 1;
+			if (optarg != NULL)
+				if (strcmp(optarg, "all") != 0)
+					user_config_entry_name = strdup(optarg);
+			break;
+		case 'I':
+			clear_all_cache_entries = 1;
+			if (optarg != NULL)
+				if (strcmp(optarg, "all") != 0)
+					global_config_entry_name =
+						strdup(optarg);
+			break;
+		case 'd':
+			show_statistics = 1;
+			break;
+		case '?':
+		default:
+			usage();
+			/* NOT REACHED */
+		}
+	}
+
+	daemon_mode = do_not_daemonize | force_single_threaded |
+		trace_mode_enabled;
+	interactive_mode = clear_user_cache_entries | clear_all_cache_entries |
+		show_statistics;
+
+	if ((daemon_mode != 0) && (interactive_mode != 0)) {
+		LOG_ERR_1("main", "daemon mode and interactive_mode arguments "
+			"can't be used together");
+		usage();
+	}
+
+	if (interactive_mode != 0) {
+		FILE *pidfin = fopen(DEFAULT_PIDFILE_PATH, "r");
+		char pidbuf[256];
+
+		struct nscd_connection_params connection_params;
+		nscd_connection connection;
+
+		int result;
+
+		if (pidfin == NULL)
+			errx(EXIT_FAILURE, "There is no daemon running.");
+
+		memset(pidbuf, 0, sizeof(pidbuf));
+		fread(pidbuf, sizeof(pidbuf) - 1, 1, pidfin);
+		fclose(pidfin);
+
+		if (ferror(pidfin) != 0)
+			errx(EXIT_FAILURE, "Can't read from pidfile.");
+
+		if (sscanf(pidbuf, "%d", &pid) != 1)
+			errx(EXIT_FAILURE, "Invalid pidfile.");
+		LOG_MSG_1("main", "daemon PID is %d", pid);
+
+
+		memset(&connection_params, 0,
+			sizeof(struct nscd_connection_params));
+		connection_params.socket_path = DEFAULT_SOCKET_PATH;
+		connection = open_nscd_connection__(&connection_params);
+		if (connection == INVALID_NSCD_CONNECTION)
+			errx(EXIT_FAILURE, "Can't connect to the daemon.");
+
+		if (clear_user_cache_entries != 0) {
+			result = nscd_transform__(connection,
+				user_config_entry_name, TT_USER);
+			if (result != 0)
+				LOG_MSG_1("main",
+					"user cache transformation failed");
+			else
+				LOG_MSG_1("main",
+					"user cache_transformation "
+					"succeeded");
+		}
+
+		if (clear_all_cache_entries != 0) {
+			if (geteuid() != 0)
+				errx(EXIT_FAILURE, "Only root can initiate "
+					"global cache transformation.");
+
+			result = nscd_transform__(connection,
+				global_config_entry_name, TT_ALL);
+			if (result != 0)
+				LOG_MSG_1("main",
+					"global cache transformation "
+					"failed");
+			else
+				LOG_MSG_1("main",
+					"global cache transformation "
+					"succeeded");
+		}
+
+		close_nscd_connection__(connection);
+
+		free(user_config_entry_name);
+		free(global_config_entry_name);
+		return (EXIT_SUCCESS);
+	}
+
+	pidfile = pidfile_open(DEFAULT_PIDFILE_PATH, 0644, &pid);
+	if (pidfile == NULL) {
+		if (errno == EEXIST)
+			errx(EXIT_FAILURE, "Daemon already running, pid: %d.",
+				pid);
+		warn("Cannot open or create pidfile");
+	}
+
+	if (trace_mode_enabled == 1)
+		TRACE_ON();
+
+	/* blocking the main thread from receiving SIGPIPE signal */
+	sigblock(sigmask(SIGPIPE));
+
+	/* daemonization */
+	if (do_not_daemonize == 0) {
+		res = daemon(0, trace_mode_enabled == 0 ? 0 : 1);
+		if (res != 0) {
+			LOG_ERR_1("main", "can't daemonize myself: %s",
+				strerror(errno));
+			pidfile_remove(pidfile);
+			goto fin;
+		} else
+			LOG_MSG_1("main", "successfully daemonized");
+	}
+
+	pidfile_write(pidfile);
+
+	s_agent_table = init_agent_table();
+	register_agent(s_agent_table, init_passwd_agent());
+	register_agent(s_agent_table, init_passwd_mp_agent());
+	register_agent(s_agent_table, init_group_agent());
+	register_agent(s_agent_table, init_group_mp_agent());
+	register_agent(s_agent_table, init_services_agent());
+	register_agent(s_agent_table, init_services_mp_agent());
+	LOG_MSG_1("main", "request agents registered successfully");
+
+	/*
+	 * Hosts agent can't work properly until we have access to the
+	 * appropriate dtab structures, which are used in nsdispatch
+	 * calls
+	 *
+	 register_agent(s_agent_table, init_hosts_agent());
+	*/
+
+	/* configuration initialization */
+	s_configuration = init_configuration();
+	fill_configuration_defaults(s_configuration);
+
+	error_str = NULL;
+	error_line = 0;
+	config_file = CONFIG_PATH;
+
+	res = parse_config_file(s_configuration, config_file, &error_str,
+		&error_line);
+	if ((res != 0) && (error_str == NULL)) {
+		config_file = DEFAULT_CONFIG_PATH;
+		res = parse_config_file(s_configuration, config_file,
+			&error_str, &error_line);
+	}
+
+	if (res != 0) {
+		if (error_str != NULL) {
+		LOG_ERR_1("main", "error in configuration file(%s, %d): %s\n",
+			config_file, error_line, error_str);
+		} else {
+		LOG_ERR_1("main", "no configuration file found "
+			"- was looking for %s and %s",
+			CONFIG_PATH, DEFAULT_CONFIG_PATH);
+		}
+		destroy_configuration(s_configuration);
+		return (-1);
+	}
+
+	if (force_single_threaded == 1)
+		s_configuration->threads_num = 1;
+
+	/* cache initialization */
+	s_cache = init_cache_(s_configuration);
+	if (s_cache == NULL) {
+		LOG_ERR_1("main", "can't initialize the cache");
+		destroy_configuration(s_configuration);
+		return (-1);
+	}
+
+	/* runtime environment initialization */
+	s_runtime_env = init_runtime_env(s_configuration);
+	if (s_runtime_env == NULL) {
+		LOG_ERR_1("main", "can't initialize the runtime environment");
+		destroy_configuration(s_configuration);
+		destroy_cache_(s_cache);
+		return (-1);
+	}
+
+	if (s_configuration->threads_num > 1) {
+		threads = (pthread_t *)calloc(1, sizeof(pthread_t) *
+			s_configuration->threads_num);
+		for (i = 0; i < s_configuration->threads_num; ++i) {
+			thread_args = (struct processing_thread_args *)malloc(
+				sizeof(struct processing_thread_args));
+			thread_args->the_cache = s_cache;
+			thread_args->the_runtime_env = s_runtime_env;
+			thread_args->the_configuration = s_configuration;
+
+			LOG_MSG_1("main", "thread #%d was successfully created",
+				i);
+			pthread_create(&threads[i], NULL, processing_thread,
+				thread_args);
+
+			thread_args = NULL;
+		}
+
+		for (i = 0; i < s_configuration->threads_num; ++i)
+			pthread_join(threads[i], NULL);
+	} else {
+		LOG_MSG_1("main", "working in single-threaded mode");
+		processing_loop(s_cache, s_runtime_env, s_configuration);
+	}
+
+fin:
+	/* runtime environment destruction */
+	destroy_runtime_env(s_runtime_env);
+
+	/* cache destruction */
+	destroy_cache_(s_cache);
+
+	/* configuration destruction */
+	destroy_configuration(s_configuration);
+
+	/* agents table destruction */
+	destroy_agent_table(s_agent_table);
+
+	pidfile_remove(pidfile);
+	return (EXIT_SUCCESS);
+}
diff --git a/usr.sbin/nscd/nscd.conf.5 b/usr.sbin/nscd/nscd.conf.5
new file mode 100644
index 0000000000..f58ceca1ea
--- /dev/null
+++ b/usr.sbin/nscd/nscd.conf.5
@@ -0,0 +1,148 @@
+.\" Copyright (c) 2005 Michael Bushkov <bushman@rsu.ru>
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD: src/usr.sbin/nscd/nscd.conf.5,v 1.6 2007/09/27 12:30:11 bushman Exp $
+.\"
+.Dd April 30, 2006
+.Dt NSCD.CONF 5
+.Os
+.Sh NAME
+.Nm nscd.conf
+.Nd "nscd configuration file"
+.Sh DESCRIPTION
+The
+.Nm
+file
+is used by the
+.Xr nscd 8
+daemon and is read on its startup.
+Its syntax is mostly similar to the
+.Pa nscd.conf
+syntax in
+.Tn Linux
+and
+.Tn Solaris .
+It has some differences, though \[em] see them below.
+.Pp
+Each line specifies either an attribute and a
+.Ar value ,
+or an attribute, a
+.Ar cachename
+and a
+.Ar value .
+Usual cachenames are
+.Dq Li passwd ,
+.Dq Li groups ,
+.Dq Li hosts ,
+.Dq Li services ,
+.Dq Li protocols
+and
+.Dq Li rpc .
+You can also use any other
+.Ar cachename
+(for example, if some third-party
+application uses nsswitch).
+.Bl -tag -width indent
+.It Va threads Op Ar value
+Number of threads, which would listen for connections and process requests.
+The minimum is 1.
+The default value is 8.
+.It Va enable-cache Oo Ar cachename Oc Op Cm yes | no
+Enables or disables the cache for specified
+.Ar cachename .
+.It Va positive-time-to-live Oo Ar cachename Oc Op Ar value
+Sets the TTL (time-to-live) for the specified cache in seconds.
+Larger values can increase system's performance, but they also can affect
+the cache coherence.
+The default value is 3600.
+.It Va positive-policy Oo Ar cachename Oc Op Cm fifo | lru | lfu
+The policy that is applied to erase some of the cache elements, when the
+size limit of the given
+.Ar cachename
+is exceeded.
+Possible policies are:
+.Cm fifo
+(first-in-first-out),
+.Cm lru
+(least-recently-used), and
+.Cm lfu
+(least-frequently-used).
+The default policy is
+.Cm lru .
+.It Va negative-time-to-live Oo Ar cachename Oc Op Ar value
+The TTL of the negative cached elements in seconds.
+The larger values can significantly increase system performance in some
+environments (when dealing with files with UIDs, which are not in system
+databases, for example).
+This number should be kept low to avoid the cache coherence problems.
+The default value is 60.
+.It Va negative-policy Oo Ar cachename Oc Op Cm fifo | lru | lfu
+The same as the positive-policy, but this one is applied to the negative
+elements of the given
+.Ar cachename .
+The default policy is fifo.
+.It Va suggested-size Oo Ar cachename Oc Op Ar value
+This is the internal hash table size.
+The value should be a prime number for optimum performance.
+You should only change this value when the number of cached elements is
+significantly (in 5-10 times) greater then the default hash table size (255).
+.It Va keep-hot-count Oo Ar cachename Oc Op Ar value
+The size limit of the cache with the given
+.Ar cachename .
+When it is exceeded, the policy will be applied.
+The default value is 2048.
+.It Va perform-actual-lookups Oo Ar cachename Oc Op Cm yes | no
+If enabled, the
+.Xr nscd 8
+does not simply receive and cache the NSS-requests results, but performs
+all the lookups by itself and only returns the responses.
+If this feature is enabled, then for the given
+.Ar cachename
+.Xr nscd 8
+will act similarly to the NSCD.
+.Pp
+.Sy NOTE :
+this feature is currently experimental \[em] it supports only
+.Dq Li passwd ,
+.Dq Li groups
+and
+.Dq Li services
+cachenames.
+.El
+.Sh NOTES
+You can use the
+.Ql #
+symbol at the beginning of the line for comments.
+.Sh FILES
+.Bl -tag -width ".Pa /etc/nscd.conf" -compact
+.It Pa /etc/nscd.conf
+.El
+.Sh SEE ALSO
+.Xr nscd 8
+.Sh AUTHORS
+.An Michael Bushkov
+.Aq bushman@freebsd.org
+.Sh BUGS
+Please send bug reports and suggestions to
+.Aq bushman@freebsd.org .
diff --git a/usr.sbin/nscd/nscdcli.c b/usr.sbin/nscd/nscdcli.c
new file mode 100644
index 0000000000..b04389f618
--- /dev/null
+++ b/usr.sbin/nscd/nscdcli.c
@@ -0,0 +1,281 @@
+/*-
+ * Copyright (c) 2005 Michael Bushkov <bushman@rsu.ru>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD: src/usr.sbin/nscd/nscdcli.c,v 1.5 2008/10/23 00:28:21 delphij Exp $
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/event.h>
+#include <sys/uio.h>
+#include <sys/un.h>
+#include <assert.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "debug.h"
+#include "nscdcli.h"
+#include "protocol.h"
+
+#define DEFAULT_NSCD_IO_TIMEOUT	4
+
+static int safe_write(struct nscd_connection_ *, const void *, size_t);
+static int safe_read(struct nscd_connection_ *, void *, size_t);
+static int send_credentials(struct nscd_connection_ *, int);
+
+static int
+safe_write(struct nscd_connection_ *connection, const void *data,
+	size_t data_size)
+{
+	struct kevent eventlist;
+	int	nevents;
+	size_t result;
+	ssize_t s_result;
+	struct timespec	timeout;
+
+	if (data_size == 0)
+		return (0);
+
+	timeout.tv_sec = DEFAULT_NSCD_IO_TIMEOUT;
+	timeout.tv_nsec = 0;
+	result = 0;
+	do {
+		nevents = kevent(connection->write_queue, NULL, 0, &eventlist,
+			1, &timeout);
+		if ((nevents == 1) && (eventlist.filter == EVFILT_WRITE)) {
+			s_result = write(connection->sockfd, data + result,
+				eventlist.data < data_size - result ?
+				eventlist.data : data_size - result);
+			if (s_result == -1)
+				return (-1);
+			else
+				result += s_result;
+
+			if (eventlist.flags & EV_EOF)
+				return (result < data_size ? -1 : 0);
+		} else
+			return (-1);
+	} while (result < data_size);
+
+	return (0);
+}
+
+static int
+safe_read(struct nscd_connection_ *connection, void *data, size_t data_size)
+{
+	struct kevent eventlist;
+	size_t result;
+	ssize_t s_result;
+	struct timespec timeout;
+	int nevents;
+
+	if (data_size == 0)
+		return (0);
+
+	timeout.tv_sec = DEFAULT_NSCD_IO_TIMEOUT;
+	timeout.tv_nsec = 0;
+	result = 0;
+	do {
+		nevents = kevent(connection->read_queue, NULL, 0, &eventlist, 1,
+			&timeout);
+		if ((nevents == 1) && (eventlist.filter == EVFILT_READ)) {
+			s_result = read(connection->sockfd, data + result,
+			eventlist.data <= data_size - result ? eventlist.data :
+				data_size - result);
+			if (s_result == -1)
+				return (-1);
+			else
+				result += s_result;
+
+			if (eventlist.flags & EV_EOF)
+				return (result < data_size ? -1 : 0);
+		} else
+			return (-1);
+	} while (result < data_size);
+
+	return (0);
+}
+
+static int
+send_credentials(struct nscd_connection_ *connection, int type)
+{
+	struct kevent eventlist;
+	int nevents;
+	ssize_t result;
+	int res;
+
+	struct msghdr	cred_hdr;
+	struct iovec	iov;
+
+	struct {
+		struct cmsghdr	hdr;
+		struct cmsgcred	creds;
+	} cmsg;
+
+	TRACE_IN(send_credentials);
+	memset(&cmsg, 0, sizeof(cmsg));
+	cmsg.hdr.cmsg_len = sizeof(cmsg);
+	cmsg.hdr.cmsg_level = SOL_SOCKET;
+	cmsg.hdr.cmsg_type = SCM_CREDS;
+
+	memset(&cred_hdr, 0, sizeof(struct msghdr));
+	cred_hdr.msg_iov = &iov;
+	cred_hdr.msg_iovlen = 1;
+	cred_hdr.msg_control = &cmsg;
+	cred_hdr.msg_controllen = sizeof(cmsg);
+
+	iov.iov_base = &type;
+	iov.iov_len = sizeof(int);
+
+	EV_SET(&eventlist, connection->sockfd, EVFILT_WRITE, EV_ADD,
+		NOTE_LOWAT, sizeof(int), NULL);
+	res = kevent(connection->write_queue, &eventlist, 1, NULL, 0, NULL);
+
+	nevents = kevent(connection->write_queue, NULL, 0, &eventlist, 1, NULL);
+	if ((nevents == 1) && (eventlist.filter == EVFILT_WRITE)) {
+		result = (sendmsg(connection->sockfd, &cred_hdr, 0) == -1) ? -1
+			: 0;
+		EV_SET(&eventlist, connection->sockfd, EVFILT_WRITE, EV_ADD,
+			0, 0, NULL);
+		kevent(connection->write_queue, &eventlist, 1, NULL, 0, NULL);
+		TRACE_OUT(send_credentials);
+		return (result);
+	} else {
+		TRACE_OUT(send_credentials);
+		return (-1);
+	}
+}
+
+struct nscd_connection_ *
+open_nscd_connection__(struct nscd_connection_params const *params)
+{
+	struct nscd_connection_ *retval;
+	struct kevent eventlist;
+	struct sockaddr_un	client_address;
+	int client_address_len, client_socket;
+	int res;
+
+	TRACE_IN(open_nscd_connection);
+	assert(params != NULL);
+
+	client_socket = socket(PF_LOCAL, SOCK_STREAM, 0);
+	client_address.sun_family = PF_LOCAL;
+	strlcpy(client_address.sun_path, params->socket_path,
+		sizeof(client_address.sun_path));
+	client_address_len = sizeof(client_address.sun_family) +
+		strlen(client_address.sun_path) + 1;
+
+	res = connect(client_socket, (struct sockaddr *)&client_address,
+		client_address_len);
+	if (res == -1) {
+		close(client_socket);
+		TRACE_OUT(open_nscd_connection);
+		return (NULL);
+	}
+	fcntl(client_socket, F_SETFL, O_NONBLOCK);
+
+	retval = calloc(1, sizeof(struct nscd_connection_));
+	assert(retval != NULL);
+
+	retval->sockfd = client_socket;
+
+	retval->write_queue = kqueue();
+	assert(retval->write_queue != -1);
+
+	EV_SET(&eventlist, retval->sockfd, EVFILT_WRITE, EV_ADD,
+		0, 0, NULL);
+	res = kevent(retval->write_queue, &eventlist, 1, NULL, 0, NULL);
+
+	retval->read_queue = kqueue();
+	assert(retval->read_queue != -1);
+
+	EV_SET(&eventlist, retval->sockfd, EVFILT_READ, EV_ADD,
+		0, 0, NULL);
+	res = kevent(retval->read_queue, &eventlist, 1, NULL, 0, NULL);
+
+	TRACE_OUT(open_nscd_connection);
+	return (retval);
+}
+
+void
+close_nscd_connection__(struct nscd_connection_ *connection)
+{
+
+	TRACE_IN(close_nscd_connection);
+	assert(connection != NULL);
+
+	close(connection->sockfd);
+	close(connection->read_queue);
+	close(connection->write_queue);
+	free(connection);
+	TRACE_OUT(close_nscd_connection);
+}
+
+int
+nscd_transform__(struct nscd_connection_ *connection,
+	const char *entry_name, int transformation_type)
+{
+	size_t name_size;
+	int error_code;
+	int result;
+
+	TRACE_IN(nscd_transform);
+
+	error_code = -1;
+	result = 0;
+	result = send_credentials(connection, CET_TRANSFORM_REQUEST);
+	if (result != 0)
+		goto fin;
+
+	if (entry_name != NULL)
+		name_size = strlen(entry_name);
+	else
+		name_size = 0;
+
+	result = safe_write(connection, &name_size, sizeof(size_t));
+	if (result != 0)
+		goto fin;
+
+	result = safe_write(connection, &transformation_type, sizeof(int));
+	if (result != 0)
+		goto fin;
+
+	if (entry_name != NULL) {
+		result = safe_write(connection, entry_name, name_size);
+		if (result != 0)
+			goto fin;
+	}
+
+	result = safe_read(connection, &error_code, sizeof(int));
+	if (result != 0)
+		error_code = -1;
+
+fin:
+	TRACE_OUT(nscd_transform);
+	return (error_code);
+}
diff --git a/usr.sbin/pwd_mkdb/pw_scan.h b/usr.sbin/nscd/nscdcli.h
similarity index 52%
rename from usr.sbin/pwd_mkdb/pw_scan.h
rename to usr.sbin/nscd/nscdcli.h
index 8c2374f065..448baa82f2 100644
--- a/usr.sbin/pwd_mkdb/pw_scan.h
+++ b/usr.sbin/nscd/nscdcli.h
@@ -1,6 +1,6 @@
 /*-
- * Copyright (c) 1994
- *	The Regents of the University of California.  All rights reserved.
+ * Copyright (c) 2004 Michael Bushkov <bushman@rsu.ru>
+ * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -10,18 +10,11 @@
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
@@ -30,12 +23,35 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- *	@(#)pw_scan.h	8.1 (Berkeley) 4/1/94
- *
- *	$FreeBSD: src/usr.sbin/pwd_mkdb/pw_scan.h,v 1.2 1999/11/15 16:45:37 sheldonh Exp $
- *	$DragonFly: src/usr.sbin/pwd_mkdb/pw_scan.h,v 1.3 2003/11/03 19:31:41 eirikn Exp $
+ * $FreeBSD: src/usr.sbin/nscd/nscdcli.h,v 1.3 2007/09/27 12:30:11 bushman Exp $
  */
 
-extern int	pw_big_ids_warning;
+#ifndef __NSCD_NSCDCLI_H__
+#define __NSCD_NSCDCLI_H__
+
+struct nscd_connection_params {
+	char	*socket_path;
+	struct	timeval	timeout;
+};
+
+struct nscd_connection_ {
+	int	sockfd;
+	int read_queue;
+	int write_queue;
+};
+
+/* simple abstractions for not to write "struct" every time */
+typedef struct nscd_connection_		*nscd_connection;
+typedef struct nscd_connection_		*nscd_mp_write_session;
+typedef struct nscd_connection_		*nscd_mp_read_session;
+
+#define	INVALID_NSCD_CONNECTION	(NULL)
+
+/* initialization/destruction routines */
+extern	nscd_connection	open_nscd_connection__(
+	struct nscd_connection_params const *);
+extern	void	close_nscd_connection__(nscd_connection);
+
+extern	int nscd_transform__(nscd_connection, const char *, int);
 
-extern int	pw_scan(char *, struct passwd *);
+#endif
diff --git a/usr.sbin/nscd/parser.c b/usr.sbin/nscd/parser.c
new file mode 100644
index 0000000000..2134303cf4
--- /dev/null
+++ b/usr.sbin/nscd/parser.c
@@ -0,0 +1,472 @@
+/*-
+ * Copyright (c) 2005 Michael Bushkov <bushman@rsu.ru>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD: src/usr.sbin/nscd/parser.c,v 1.2 2007/09/27 12:30:11 bushman Exp $
+ */
+
+#include <assert.h>
+#include <stdio.h>
+#include <string.h>
+#include "config.h"
+#include "debug.h"
+#include "log.h"
+#include "parser.h"
+
+static void enable_cache(struct configuration *,const char *, int);
+static struct configuration_entry *find_create_entry(struct configuration *,
+	const char *);
+static int get_number(const char *, int, int);
+static enum cache_policy_t get_policy(const char *);
+static int get_yesno(const char *);
+static int check_cachename(const char *);
+static void check_files(struct configuration *, const char *, int);
+static void set_keep_hot_count(struct configuration *, const char *, int);
+static void set_negative_policy(struct configuration *, const char *,
+	enum cache_policy_t);
+static void set_negative_time_to_live(struct configuration *,
+	const char *, int);
+static void set_positive_policy(struct configuration *, const char *,
+	enum cache_policy_t);
+static void set_perform_actual_lookups(struct configuration *, const char *,
+	int);
+static void set_positive_time_to_live(struct configuration *,
+	const char *, int);
+static void set_suggested_size(struct configuration *, const char *,
+	int size);
+static void set_threads_num(struct configuration *, int);
+static int strbreak(char *, char **, int);
+
+static int
+strbreak(char *str, char **fields, int fields_size)
+{
+	char	*c = str;
+	int	i, num;
+
+	TRACE_IN(strbreak);
+	num = 0;
+	for (i = 0;
+	     ((*fields =
+		strsep(i < fields_size ? &c : NULL, "\n\t ")) != NULL);
+	     ++i)
+		if ((*(*fields)) != '\0') {
+			++fields;
+			++num;
+		}
+
+	TRACE_OUT(strbreak);
+	return (num);
+}
+
+/*
+ * Tries to find the configuration entry with the specified name. If search
+ * fails, the new entry with the default parameters will be created.
+ */
+static struct configuration_entry *
+find_create_entry(struct configuration *config,
+	const char *entry_name)
+{
+	struct configuration_entry *entry = NULL;
+	int res;
+
+	TRACE_IN(find_create_entry);
+	entry = configuration_find_entry(config, entry_name);
+	if (entry == NULL) {
+		entry = create_def_configuration_entry(entry_name);
+		assert( entry != NULL);
+		res = add_configuration_entry(config, entry);
+		assert(res == 0);
+	}
+
+	TRACE_OUT(find_create_entry);
+	return (entry);
+}
+
+/*
+ * The vast majority of the functions below corresponds to the particular
+ * keywords in the configuration file.
+ */
+static void
+enable_cache(struct configuration *config, const char *entry_name, int flag)
+{
+	struct configuration_entry	*entry;
+
+	TRACE_IN(enable_cache);
+	entry = find_create_entry(config, entry_name);
+	entry->enabled = flag;
+	TRACE_OUT(enable_cache);
+}
+
+static void
+set_positive_time_to_live(struct configuration *config,
+	const char *entry_name, int ttl)
+{
+	struct configuration_entry *entry;
+	struct timeval lifetime;
+
+	TRACE_IN(set_positive_time_to_live);
+	assert(ttl >= 0);
+	assert(entry_name != NULL);
+	memset(&lifetime, 0, sizeof(struct timeval));
+	lifetime.tv_sec = ttl;
+
+	entry = find_create_entry(config, entry_name);
+	memcpy(&entry->positive_cache_params.max_lifetime,
+		&lifetime, sizeof(struct timeval));
+	memcpy(&entry->mp_cache_params.max_lifetime,
+		&lifetime, sizeof(struct timeval));
+
+	TRACE_OUT(set_positive_time_to_live);
+}
+
+static void
+set_negative_time_to_live(struct configuration *config,
+	const char *entry_name, int nttl)
+{
+	struct configuration_entry *entry;
+	struct timeval lifetime;
+
+	TRACE_IN(set_negative_time_to_live);
+	assert(nttl > 0);
+	assert(entry_name != NULL);
+	memset(&lifetime, 0, sizeof(struct timeval));
+	lifetime.tv_sec = nttl;
+
+	entry = find_create_entry(config, entry_name);
+	assert(entry != NULL);
+	memcpy(&entry->negative_cache_params.max_lifetime,
+		&lifetime, sizeof(struct timeval));
+
+	TRACE_OUT(set_negative_time_to_live);
+}
+
+/*
+ * Hot count is actually the elements size limit.
+ */
+static void
+set_keep_hot_count(struct configuration *config,
+	const char *entry_name, int count)
+{
+	struct configuration_entry *entry;
+
+	TRACE_IN(set_keep_hot_count);
+	assert(count >= 0);
+	assert(entry_name != NULL);
+
+	entry = find_create_entry(config, entry_name);
+	assert(entry != NULL);
+	entry->positive_cache_params.max_elemsize = count;
+
+	entry = find_create_entry(config, entry_name);
+	assert(entry != NULL);
+	entry->negative_cache_params.max_elemsize = count;
+
+	TRACE_OUT(set_keep_hot_count);
+}
+
+static void
+set_positive_policy(struct configuration *config,
+	const char *entry_name, enum cache_policy_t policy)
+{
+	struct configuration_entry *entry;
+
+	TRACE_IN(set_positive_policy);
+	assert(entry_name != NULL);
+
+	entry = find_create_entry(config, entry_name);
+	assert(entry != NULL);
+	entry->positive_cache_params.policy = policy;
+
+	TRACE_OUT(set_positive_policy);
+}
+
+static void
+set_negative_policy(struct configuration *config,
+	const char *entry_name, enum cache_policy_t policy)
+{
+	struct configuration_entry *entry;
+
+	TRACE_IN(set_negative_policy);
+	assert(entry_name != NULL);
+
+	entry = find_create_entry(config, entry_name);
+	assert(entry != NULL);
+	entry->negative_cache_params.policy = policy;
+
+	TRACE_OUT(set_negative_policy);
+}
+
+static void
+set_perform_actual_lookups(struct configuration *config,
+	const char *entry_name, int flag)
+{
+	struct configuration_entry *entry;
+
+	TRACE_IN(set_perform_actual_lookups);
+	assert(entry_name != NULL);
+
+	entry = find_create_entry(config, entry_name);
+	assert(entry != NULL);
+	entry->perform_actual_lookups = flag;
+
+	TRACE_OUT(set_perform_actual_lookups);
+}
+
+static void
+set_suggested_size(struct configuration *config,
+	const char *entry_name, int size)
+{
+	struct configuration_entry	*entry;
+
+	TRACE_IN(set_suggested_size);
+	assert(config != NULL);
+	assert(entry_name != NULL);
+	assert(size > 0);
+
+	entry = find_create_entry(config, entry_name);
+	assert(entry != NULL);
+	entry->positive_cache_params.cache_entries_size = size;
+	entry->negative_cache_params.cache_entries_size = size;
+
+	TRACE_OUT(set_suggested_size);
+}
+
+static void
+check_files(struct configuration *config, const char *entry_name, int flag)
+{
+
+	TRACE_IN(check_files);
+	assert(entry_name != NULL);
+	TRACE_OUT(check_files);
+}
+
+static int
+get_yesno(const char *str)
+{
+
+	if (strcmp(str, "yes") == 0)
+		return (1);
+	else if (strcmp(str, "no") == 0)
+		return (0);
+	else
+		return (-1);
+}
+
+static int
+get_number(const char *str, int low, int max)
+{
+
+	char *end = NULL;
+	int res = 0;
+
+	if (str[0] == '\0')
+		return (-1);
+
+	res = strtol(str, &end, 10);
+	if (*end != '\0')
+		return (-1);
+	else
+		if (((res >= low) || (low == -1)) &&
+			((res <= max) || (max == -1)))
+			return (res);
+		else
+			return (-2);
+}
+
+static enum cache_policy_t
+get_policy(const char *str)
+{
+
+	if (strcmp(str, "fifo") == 0)
+		return (CPT_FIFO);
+	else if (strcmp(str, "lru") == 0)
+		return (CPT_LRU);
+	else if (strcmp(str, "lfu") == 0)
+		return (CPT_LFU);
+
+	return (-1);
+}
+
+static int
+check_cachename(const char *str)
+{
+
+	assert(str != NULL);
+	return ((strlen(str) > 0) ? 0 : -1);
+}
+
+static void
+set_threads_num(struct configuration *config, int value)
+{
+
+	assert(config != NULL);
+	config->threads_num = value;
+}
+
+/*
+ * The main configuration routine. Its implementation is hugely inspired by the
+ * the same routine implementation in Solaris NSCD.
+ */
+int
+parse_config_file(struct configuration *config,
+	const char *fname, char const **error_str, int *error_line)
+{
+	FILE	*fin;
+	char	buffer[255];
+	char	*fields[128];
+	int	field_count, line_num, value;
+	int	res;
+
+	TRACE_IN(parse_config_file);
+	assert(config != NULL);
+	assert(fname != NULL);
+
+	fin = fopen(fname, "r");
+	if (fin == NULL) {
+		TRACE_OUT(parse_config_file);
+		return (-1);
+	}
+
+	res = 0;
+	line_num = 0;
+	memset(buffer, 0, sizeof(buffer));
+	while ((res == 0) && (fgets(buffer, sizeof(buffer) - 1, fin) != NULL)) {
+		field_count = strbreak(buffer, fields, sizeof(fields));
+		++line_num;
+
+		if (field_count == 0)
+			continue;
+
+		switch (fields[0][0]) {
+		case '#':
+		case '\0':
+			continue;
+		case 'e':
+			if ((field_count == 3) &&
+			(strcmp(fields[0], "enable-cache") == 0) &&
+			(check_cachename(fields[1]) == 0) &&
+			((value = get_yesno(fields[2])) != -1)) {
+				enable_cache(config, fields[1], value);
+				continue;
+			}
+			break;
+		case 'd':
+			if ((field_count == 2) &&
+			(strcmp(fields[0], "debug-level") == 0) &&
+			((value = get_number(fields[1], 0, 10)) != -1)) {
+				continue;
+			}
+			break;
+		case 'p':
+			if ((field_count == 3) &&
+			(strcmp(fields[0], "positive-time-to-live") == 0) &&
+			(check_cachename(fields[1]) == 0) &&
+			((value = get_number(fields[2], 0, -1)) != -1)) {
+				set_positive_time_to_live(config,
+					fields[1], value);
+				continue;
+			} else if ((field_count == 3) &&
+			(strcmp(fields[0], "positive-policy") == 0) &&
+			(check_cachename(fields[1]) == 0) &&
+			((value = get_policy(fields[2])) != -1)) {
+				set_positive_policy(config, fields[1], value);
+				continue;
+			} else if ((field_count == 3) &&
+			(strcmp(fields[0], "perform-actual-lookups") == 0) &&
+			(check_cachename(fields[1]) == 0) &&
+			((value = get_yesno(fields[2])) != -1)) {
+				set_perform_actual_lookups(config, fields[1],
+					value);
+				continue;
+			}
+			break;
+		case 'n':
+			if ((field_count == 3) &&
+			(strcmp(fields[0], "negative-time-to-live") == 0) &&
+			(check_cachename(fields[1]) == 0) &&
+			((value = get_number(fields[2], 0, -1)) != -1)) {
+				set_negative_time_to_live(config,
+					fields[1], value);
+				continue;
+			} else if ((field_count == 3) &&
+			(strcmp(fields[0], "negative-policy") == 0) &&
+			(check_cachename(fields[1]) == 0) &&
+			((value = get_policy(fields[2])) != -1)) {
+				set_negative_policy(config,
+					fields[1], value);
+				continue;
+			}
+			break;
+		case 's':
+			if ((field_count == 3) &&
+			(strcmp(fields[0], "suggested-size") == 0) &&
+			(check_cachename(fields[1]) == 0) &&
+			((value = get_number(fields[2], 1, -1)) != -1)) {
+				set_suggested_size(config, fields[1], value);
+				continue;
+			}
+			break;
+		case 't':
+			if ((field_count == 2) &&
+			(strcmp(fields[0], "threads") == 0) &&
+			((value = get_number(fields[1], 1, -1)) != -1)) {
+				set_threads_num(config, value);
+				continue;
+			}
+			break;
+		case 'k':
+			if ((field_count == 3) &&
+			(strcmp(fields[0], "keep-hot-count") == 0) &&
+			(check_cachename(fields[1]) == 0) &&
+			((value = get_number(fields[2], 0, -1)) != -1)) {
+				set_keep_hot_count(config,
+					fields[1], value);
+				continue;
+			}
+			break;
+		case 'c':
+			if ((field_count == 3) &&
+			(strcmp(fields[0], "check-files") == 0) &&
+			(check_cachename(fields[1]) == 0) &&
+			((value = get_yesno(fields[2])) != -1)) {
+				check_files(config,
+					fields[1], value);
+				continue;
+			}
+			break;
+		default:
+			break;
+		}
+
+		LOG_ERR_2("config file parser", "error in file "
+			"%s on line %d", fname, line_num);
+		*error_str = "syntax error";
+		*error_line = line_num;
+		res = -1;
+	}
+	fclose(fin);
+
+	TRACE_OUT(parse_config_file);
+	return (res);
+}
diff --git a/lib/libc/net/getservbyport.c b/usr.sbin/nscd/parser.h
similarity index 50%
rename from lib/libc/net/getservbyport.c
rename to usr.sbin/nscd/parser.h
index a580702d58..b607219dff 100644
--- a/lib/libc/net/getservbyport.c
+++ b/usr.sbin/nscd/parser.h
@@ -1,6 +1,6 @@
-/*
- * Copyright (c) 1983, 1993
- *	The Regents of the University of California.  All rights reserved.
+/*-
+ * Copyright (c) 2005 Michael Bushkov <bushman@rsu.ru>
+ * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -10,14 +10,11 @@
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
@@ -26,42 +23,13 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * @(#)getservbyport.c	8.1 (Berkeley) 6/4/93
- * $DragonFly: src/lib/libc/net/getservbyport.c,v 1.5 2005/11/13 02:04:47 swildner Exp $
+ * $FreeBSD: src/usr.sbin/nscd/parser.h,v 1.3 2007/09/27 12:30:11 bushman Exp $
  */
 
-#include <netdb.h>
-#include <string.h>
+#ifndef __NSCD_PARSER_H__
+#define __NSCD_PARSER_H__
 
-extern int _serv_stayopen;
+extern int parse_config_file(struct configuration *,
+	const char *, char const **, int *);
 
-struct servent *
-getservbyport(int port, const char *proto)
-{
-	struct servent *p;
-
-#ifdef YP
-	extern int ___getservbyport_yp;
-	extern char *___getservbyproto_yp;
-
-	___getservbyport_yp = port;
-	___getservbyproto_yp = (char *)proto;
-#endif
-
-	setservent(_serv_stayopen);
-	while ( (p = getservent()) ) {
-		if (p->s_port != port)
-			continue;
-		if (proto == 0 || strcmp(p->s_proto, proto) == 0)
-			break;
-	}
-	if (!_serv_stayopen)
-		endservent();
-
-#ifdef YP
-	___getservbyport_yp = 0;
-	___getservbyproto_yp = NULL;
 #endif
-
-	return (p);
-}
diff --git a/usr.sbin/nscd/protocol.c b/usr.sbin/nscd/protocol.c
new file mode 100644
index 0000000000..2cb8c661c4
--- /dev/null
+++ b/usr.sbin/nscd/protocol.c
@@ -0,0 +1,548 @@
+/*-
+ * Copyright (c) 2005 Michael Bushkov <bushman@rsu.ru>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD: src/usr.sbin/nscd/protocol.c,v 1.2 2007/09/27 12:30:11 bushman Exp $
+ */
+
+#include <assert.h>
+#include <stdlib.h>
+#include <string.h>
+#include "debug.h"
+#include "log.h"
+#include "protocol.h"
+
+/*
+ * Initializes the comm_element with any given type of data
+ */
+void
+init_comm_element(struct comm_element *element, enum comm_element_t type)
+{
+
+	TRACE_IN(init_comm_element);
+	memset(element, 0, sizeof(struct comm_element));
+
+	switch (type) {
+	case CET_WRITE_REQUEST:
+		init_cache_write_request(&element->c_write_request);
+		break;
+	case CET_WRITE_RESPONSE:
+		init_cache_write_response(&element->c_write_response);
+		break;
+	case CET_READ_REQUEST:
+		init_cache_read_request(&element->c_read_request);
+		break;
+	case CET_READ_RESPONSE:
+		init_cache_read_response(&element->c_read_response);
+		break;
+	case CET_TRANSFORM_REQUEST:
+		init_cache_transform_request(&element->c_transform_request);
+		break;
+	case CET_TRANSFORM_RESPONSE:
+		init_cache_transform_response(&element->c_transform_response);
+		break;
+	case CET_MP_WRITE_SESSION_REQUEST:
+		init_cache_mp_write_session_request(&element->c_mp_ws_request);
+		break;
+	case CET_MP_WRITE_SESSION_RESPONSE:
+		init_cache_mp_write_session_response(&element->c_mp_ws_response);
+		break;
+	case CET_MP_WRITE_SESSION_WRITE_REQUEST:
+		init_cache_mp_write_session_write_request(
+			&element->c_mp_ws_write_request);
+		break;
+	case CET_MP_WRITE_SESSION_WRITE_RESPONSE:
+		init_cache_mp_write_session_write_response(
+			&element->c_mp_ws_write_response);
+		break;
+	case CET_MP_READ_SESSION_REQUEST:
+		init_cache_mp_read_session_request(&element->c_mp_rs_request);
+		break;
+	case CET_MP_READ_SESSION_RESPONSE:
+		init_cache_mp_read_session_response(&element->c_mp_rs_response);
+		break;
+	case CET_MP_READ_SESSION_READ_RESPONSE:
+		init_cache_mp_read_session_read_response(
+			&element->c_mp_rs_read_response);
+		break;
+	case CET_UNDEFINED:
+		break;
+	default:
+		LOG_ERR_2("init_comm_element", "invalid communication element");
+		TRACE_OUT(init_comm_element);
+	return;
+	}
+
+	element->type = type;
+	TRACE_OUT(init_comm_element);
+}
+
+void
+finalize_comm_element(struct comm_element *element)
+{
+
+	TRACE_IN(finalize_comm_element);
+	switch (element->type) {
+	case CET_WRITE_REQUEST:
+		finalize_cache_write_request(&element->c_write_request);
+		break;
+	case CET_WRITE_RESPONSE:
+		finalize_cache_write_response(&element->c_write_response);
+		break;
+	case CET_READ_REQUEST:
+		finalize_cache_read_request(&element->c_read_request);
+		break;
+	case CET_READ_RESPONSE:
+		finalize_cache_read_response(&element->c_read_response);
+		break;
+	case CET_TRANSFORM_REQUEST:
+		finalize_cache_transform_request(&element->c_transform_request);
+		break;
+	case CET_TRANSFORM_RESPONSE:
+		finalize_cache_transform_response(
+			&element->c_transform_response);
+		break;
+	case CET_MP_WRITE_SESSION_REQUEST:
+		finalize_cache_mp_write_session_request(
+			&element->c_mp_ws_request);
+		break;
+	case CET_MP_WRITE_SESSION_RESPONSE:
+		finalize_cache_mp_write_session_response(
+			&element->c_mp_ws_response);
+		break;
+	case CET_MP_WRITE_SESSION_WRITE_REQUEST:
+		finalize_cache_mp_write_session_write_request(
+			&element->c_mp_ws_write_request);
+		break;
+	case CET_MP_WRITE_SESSION_WRITE_RESPONSE:
+		finalize_cache_mp_write_session_write_response(
+			&element->c_mp_ws_write_response);
+		break;
+	case CET_MP_READ_SESSION_REQUEST:
+		finalize_cache_mp_read_session_request(
+			&element->c_mp_rs_request);
+		break;
+	case CET_MP_READ_SESSION_RESPONSE:
+		finalize_cache_mp_read_session_response(
+			&element->c_mp_rs_response);
+		break;
+	case CET_MP_READ_SESSION_READ_RESPONSE:
+		finalize_cache_mp_read_session_read_response(
+			&element->c_mp_rs_read_response);
+		break;
+	case CET_UNDEFINED:
+		break;
+	default:
+	break;
+	}
+
+	element->type = CET_UNDEFINED;
+	TRACE_OUT(finalize_comm_element);
+}
+
+void
+init_cache_write_request(struct cache_write_request *write_request)
+{
+
+	TRACE_IN(init_cache_write_request);
+	memset(write_request, 0, sizeof(struct cache_write_request));
+	TRACE_OUT(init_cache_write_request);
+}
+
+void
+finalize_cache_write_request(struct cache_write_request *write_request)
+{
+
+	TRACE_IN(finalize_cache_write_request);
+	free(write_request->entry);
+	free(write_request->cache_key);
+	free(write_request->data);
+	TRACE_OUT(finalize_cache_write_request);
+}
+
+struct cache_write_request *
+get_cache_write_request(struct comm_element *element)
+{
+
+	TRACE_IN(get_cache_write_request);
+	assert(element->type == CET_WRITE_REQUEST);
+	TRACE_OUT(get_cache_write_request);
+	return (&element->c_write_request);
+}
+
+void
+init_cache_write_response(struct cache_write_response *write_response)
+{
+
+	TRACE_IN(init_cache_write_response);
+	memset(write_response, 0, sizeof(struct cache_write_response));
+	TRACE_OUT(init_cache_write_response);
+}
+
+void
+finalize_cache_write_response(struct cache_write_response *write_response)
+{
+
+	TRACE_IN(finalize_cache_write_response);
+	TRACE_OUT(finalize_cache_write_response);
+}
+
+struct cache_write_response *
+get_cache_write_response(struct comm_element *element)
+{
+
+	TRACE_IN(get_cache_write_response);
+	assert(element->type == CET_WRITE_RESPONSE);
+	TRACE_OUT(get_cache_write_response);
+	return (&element->c_write_response);
+}
+
+void
+init_cache_read_request(struct cache_read_request *read_request)
+{
+
+	TRACE_IN(init_cache_read_request);
+	memset(read_request, 0, sizeof(struct cache_read_request));
+	TRACE_OUT(init_cache_read_request);
+}
+
+void
+finalize_cache_read_request(struct cache_read_request *read_request)
+{
+
+	TRACE_IN(finalize_cache_read_request);
+	free(read_request->entry);
+	free(read_request->cache_key);
+	TRACE_OUT(finalize_cache_read_request);
+}
+
+struct cache_read_request *
+get_cache_read_request(struct comm_element *element)
+{
+
+	TRACE_IN(get_cache_read_request);
+	assert(element->type == CET_READ_REQUEST);
+	TRACE_OUT(get_cache_read_request);
+	return (&element->c_read_request);
+}
+
+void
+init_cache_read_response(struct cache_read_response *read_response)
+{
+
+	TRACE_IN(init_cache_read_response);
+	memset(read_response, 0, sizeof(struct cache_read_response));
+	TRACE_OUT(init_cache_read_response);
+}
+
+void
+finalize_cache_read_response(struct cache_read_response *read_response)
+{
+
+	TRACE_IN(finalize_cache_read_response);
+	free(read_response->data);
+	TRACE_OUT(finalize_cache_read_response);
+}
+
+struct cache_read_response *
+get_cache_read_response(struct comm_element *element)
+{
+
+	TRACE_IN(get_cache_read_response);
+	assert(element->type == CET_READ_RESPONSE);
+	TRACE_OUT(get_cache_read_response);
+	return (&element->c_read_response);
+}
+
+void
+init_cache_transform_request(struct cache_transform_request *transform_request)
+{
+
+	TRACE_IN(init_cache_transform_request);
+	memset(transform_request, 0, sizeof(struct cache_transform_request));
+	TRACE_OUT(init_cache_transform_request);
+}
+
+void
+finalize_cache_transform_request(
+	struct cache_transform_request *transform_request)
+{
+
+	TRACE_IN(finalize_cache_transform_request);
+	free(transform_request->entry);
+	TRACE_OUT(finalize_cache_transform_request);
+}
+
+struct cache_transform_request *
+get_cache_transform_request(struct comm_element *element)
+{
+
+	TRACE_IN(get_cache_transform_request);
+	assert(element->type == CET_TRANSFORM_REQUEST);
+	TRACE_OUT(get_cache_transform_request);
+	return (&element->c_transform_request);
+}
+
+void
+init_cache_transform_response(
+	struct cache_transform_response *transform_response)
+{
+
+	TRACE_IN(init_cache_transform_request);
+	memset(transform_response, 0, sizeof(struct cache_transform_response));
+	TRACE_OUT(init_cache_transform_request);
+}
+
+void
+finalize_cache_transform_response(
+	struct cache_transform_response *transform_response)
+{
+
+	TRACE_IN(finalize_cache_transform_response);
+	TRACE_OUT(finalize_cache_transform_response);
+}
+
+struct cache_transform_response *
+get_cache_transform_response(struct comm_element *element)
+{
+
+	TRACE_IN(get_cache_transform_response);
+	assert(element->type == CET_TRANSFORM_RESPONSE);
+	TRACE_OUT(get_cache_transform_response);
+	return (&element->c_transform_response);
+}
+
+
+void
+init_cache_mp_write_session_request(
+	struct cache_mp_write_session_request *mp_ws_request)
+{
+
+	TRACE_IN(init_cache_mp_write_session_request);
+	memset(mp_ws_request, 0,
+		sizeof(struct cache_mp_write_session_request));
+	TRACE_OUT(init_cache_mp_write_session_request);
+}
+
+void
+finalize_cache_mp_write_session_request(
+	struct cache_mp_write_session_request *mp_ws_request)
+{
+
+	TRACE_IN(finalize_cache_mp_write_session_request);
+	free(mp_ws_request->entry);
+	TRACE_OUT(finalize_cache_mp_write_session_request);
+}
+
+struct cache_mp_write_session_request *
+get_cache_mp_write_session_request(struct comm_element *element)
+{
+
+	TRACE_IN(get_cache_mp_write_session_request);
+	assert(element->type == CET_MP_WRITE_SESSION_REQUEST);
+	TRACE_OUT(get_cache_mp_write_session_request);
+	return (&element->c_mp_ws_request);
+}
+
+void
+init_cache_mp_write_session_response(
+	struct cache_mp_write_session_response *mp_ws_response)
+{
+
+	TRACE_IN(init_cache_mp_write_session_response);
+	memset(mp_ws_response, 0,
+		sizeof(struct cache_mp_write_session_response));
+	TRACE_OUT(init_cache_mp_write_session_response);
+}
+
+void
+finalize_cache_mp_write_session_response(
+	struct cache_mp_write_session_response *mp_ws_response)
+{
+
+	TRACE_IN(finalize_cache_mp_write_session_response);
+	TRACE_OUT(finalize_cache_mp_write_session_response);
+}
+
+struct cache_mp_write_session_response *
+get_cache_mp_write_session_response(struct comm_element *element)
+{
+
+	TRACE_IN(get_cache_mp_write_session_response);
+	assert(element->type == CET_MP_WRITE_SESSION_RESPONSE);
+	TRACE_OUT(get_cache_mp_write_session_response);
+	return (&element->c_mp_ws_response);
+}
+
+void
+init_cache_mp_write_session_write_request(
+	struct cache_mp_write_session_write_request *mp_ws_write_request)
+{
+
+	TRACE_IN(init_cache_mp_write_session_write_request);
+	memset(mp_ws_write_request, 0,
+		sizeof(struct cache_mp_write_session_write_request));
+	TRACE_OUT(init_cache_mp_write_session_write_response);
+}
+
+void
+finalize_cache_mp_write_session_write_request(
+	struct cache_mp_write_session_write_request *mp_ws_write_request)
+{
+
+	TRACE_IN(finalize_cache_mp_write_session_write_request);
+	free(mp_ws_write_request->data);
+	TRACE_OUT(finalize_cache_mp_write_session_write_request);
+}
+
+struct cache_mp_write_session_write_request *
+get_cache_mp_write_session_write_request(struct comm_element *element)
+{
+
+	TRACE_IN(get_cache_mp_write_session_write_request);
+	assert(element->type == CET_MP_WRITE_SESSION_WRITE_REQUEST);
+	TRACE_OUT(get_cache_mp_write_session_write_request);
+	return (&element->c_mp_ws_write_request);
+}
+
+void
+init_cache_mp_write_session_write_response(
+	struct cache_mp_write_session_write_response *mp_ws_write_response)
+{
+
+	TRACE_IN(init_cache_mp_write_session_write_response);
+	memset(mp_ws_write_response, 0,
+		sizeof(struct cache_mp_write_session_write_response));
+	TRACE_OUT(init_cache_mp_write_session_write_response);
+}
+
+void
+finalize_cache_mp_write_session_write_response(
+	struct cache_mp_write_session_write_response *mp_ws_write_response)
+{
+
+	TRACE_IN(finalize_cache_mp_write_session_write_response);
+	TRACE_OUT(finalize_cache_mp_write_session_write_response);
+}
+
+struct cache_mp_write_session_write_response *
+get_cache_mp_write_session_write_response(struct comm_element *element)
+{
+
+	TRACE_IN(get_cache_mp_write_session_write_response);
+	assert(element->type == CET_MP_WRITE_SESSION_WRITE_RESPONSE);
+	TRACE_OUT(get_cache_mp_write_session_write_response);
+	return (&element->c_mp_ws_write_response);
+}
+
+void
+init_cache_mp_read_session_request(
+	struct cache_mp_read_session_request *mp_rs_request)
+{
+
+	TRACE_IN(init_cache_mp_read_session_request);
+	memset(mp_rs_request, 0, sizeof(struct cache_mp_read_session_request));
+	TRACE_OUT(init_cache_mp_read_session_request);
+}
+
+void
+finalize_cache_mp_read_session_request(
+	struct cache_mp_read_session_request *mp_rs_request)
+{
+
+	TRACE_IN(finalize_cache_mp_read_session_request);
+	free(mp_rs_request->entry);
+	TRACE_OUT(finalize_cache_mp_read_session_request);
+}
+
+struct cache_mp_read_session_request *
+get_cache_mp_read_session_request(struct comm_element *element)
+{
+
+	TRACE_IN(get_cache_mp_read_session_request);
+	assert(element->type == CET_MP_READ_SESSION_REQUEST);
+	TRACE_OUT(get_cache_mp_read_session_request);
+	return (&element->c_mp_rs_request);
+}
+
+void
+init_cache_mp_read_session_response(
+	struct cache_mp_read_session_response *mp_rs_response)
+{
+
+	TRACE_IN(init_cache_mp_read_session_response);
+	memset(mp_rs_response, 0,
+		sizeof(struct cache_mp_read_session_response));
+	TRACE_OUT(init_cache_mp_read_session_response);
+}
+
+void
+finalize_cache_mp_read_session_response(
+	struct cache_mp_read_session_response *mp_rs_response)
+{
+
+	TRACE_IN(finalize_cache_mp_read_session_response);
+	TRACE_OUT(finalize_cache_mp_read_session_response);
+}
+
+struct cache_mp_read_session_response *
+get_cache_mp_read_session_response(struct comm_element *element)
+{
+
+	TRACE_IN(get_cache_mp_read_session_response);
+	assert(element->type == CET_MP_READ_SESSION_RESPONSE);
+	TRACE_OUT(get_cache_mp_read_session_response);
+	return (&element->c_mp_rs_response);
+}
+
+void
+init_cache_mp_read_session_read_response(
+	struct cache_mp_read_session_read_response *mp_ws_read_response)
+{
+
+	TRACE_IN(init_cache_mp_read_session_read_response);
+	memset(mp_ws_read_response, 0,
+		sizeof(struct cache_mp_read_session_read_response));
+	TRACE_OUT(init_cache_mp_read_session_read_response);
+}
+
+void
+finalize_cache_mp_read_session_read_response(
+	struct cache_mp_read_session_read_response *mp_rs_read_response)
+{
+
+	TRACE_IN(finalize_cache_mp_read_session_read_response);
+	free(mp_rs_read_response->data);
+	TRACE_OUT(finalize_cache_mp_read_session_read_response);
+}
+
+struct cache_mp_read_session_read_response *
+get_cache_mp_read_session_read_response(struct comm_element *element)
+{
+
+	TRACE_IN(get_cache_mp_read_session_read_response);
+	assert(element->type == CET_MP_READ_SESSION_READ_RESPONSE);
+	TRACE_OUT(get_cache_mp_read_session_read_response);
+	return (&element->c_mp_rs_read_response);
+}
diff --git a/usr.sbin/nscd/protocol.h b/usr.sbin/nscd/protocol.h
new file mode 100644
index 0000000000..3d6760fa8d
--- /dev/null
+++ b/usr.sbin/nscd/protocol.h
@@ -0,0 +1,265 @@
+/*-
+ * Copyright (c) 2005 Michael Bushkov <bushman@rsu.ru>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD: src/usr.sbin/nscd/protocol.h,v 1.3 2007/09/27 12:30:11 bushman Exp $
+ */
+
+#ifndef __NSCD_PROTOCOL_H__
+#define __NSCD_PROTOCOL_H__
+
+#include <stdlib.h>
+
+/* maximum buffer size to receive - larger buffers are not allowed */
+#define MAX_BUFFER_SIZE (1 << 20)
+
+/* buffer size correctness checking routine */
+#define BUFSIZE_CORRECT(x) (((x) > 0) && ((x) < MAX_BUFFER_SIZE))
+#define BUFSIZE_INVALID(x) (!BUFSIZE_CORRECT(x))
+
+/* structures below represent the data that are sent/received by the daemon */
+struct cache_write_request
+{
+	char	*entry;
+	char	*cache_key;
+	char	*data;
+
+	size_t	entry_length;
+	size_t	cache_key_size;
+	size_t	data_size;
+};
+
+struct cache_write_response
+{
+	int	error_code;
+};
+
+struct cache_read_request
+{
+	char	*entry;
+	char	*cache_key;
+
+	size_t	entry_length;
+	size_t	cache_key_size;
+};
+
+struct cache_read_response
+{
+	char	*data;			// ignored if error_code is not 0
+	size_t	data_size;		// ignored if error_code is not 0
+
+	int	error_code;
+};
+
+enum transformation_type {
+	TT_USER = 0,	// tranform only the entries of the caller
+	TT_ALL = 1	// transform all entries
+};
+
+struct cache_transform_request
+{
+	char	*entry;			// ignored if entry_length is 0
+	size_t	entry_length;
+
+	int	transformation_type;
+};
+
+struct cache_transform_response
+{
+	int	error_code;
+};
+
+struct cache_mp_write_session_request {
+	char	*entry;
+	size_t	entry_length;
+};
+
+struct cache_mp_write_session_response {
+	int	error_code;
+};
+
+struct cache_mp_write_session_write_request {
+	char	*data;
+	size_t	data_size;
+};
+
+struct cache_mp_write_session_write_response {
+	int	error_code;
+};
+
+struct cache_mp_read_session_request {
+	char	*entry;
+	size_t	entry_length;
+};
+
+struct cache_mp_read_session_response {
+	int	error_code;
+};
+
+struct cache_mp_read_session_read_response {
+	char	*data;
+	size_t	data_size;
+
+	int	error_code;
+};
+
+
+enum comm_element_t {
+	CET_UNDEFINED	= 0,
+	CET_WRITE_REQUEST = 1,
+	CET_WRITE_RESPONSE = 2,
+	CET_READ_REQUEST = 3,
+	CET_READ_RESPONSE = 4,
+	CET_TRANSFORM_REQUEST = 5,
+	CET_TRANSFORM_RESPONSE = 6,
+	CET_MP_WRITE_SESSION_REQUEST = 7,
+	CET_MP_WRITE_SESSION_RESPONSE = 8,
+	CET_MP_WRITE_SESSION_WRITE_REQUEST = 9,
+	CET_MP_WRITE_SESSION_WRITE_RESPONSE = 10,
+	CET_MP_WRITE_SESSION_CLOSE_NOTIFICATION = 11,
+	CET_MP_WRITE_SESSION_ABANDON_NOTIFICATION = 12,
+	CET_MP_READ_SESSION_REQUEST = 13,
+	CET_MP_READ_SESSION_RESPONSE = 14,
+	CET_MP_READ_SESSION_READ_REQUEST = 15,
+	CET_MP_READ_SESSION_READ_RESPONSE = 16,
+	CET_MP_READ_SESSION_CLOSE_NOTIFICATION = 17,
+	CET_MAX = 18
+};
+
+/*
+ * The comm_element is used as the holder of any known (defined above) data
+ * type that is to be sent/received.
+ */
+struct comm_element
+{
+	union {
+	struct cache_write_request c_write_request;
+	struct cache_write_response c_write_response;
+	struct cache_read_request c_read_request;
+	struct cache_read_response c_read_response;
+	struct cache_transform_request c_transform_request;
+	struct cache_transform_response c_transform_response;
+
+	struct cache_mp_write_session_request c_mp_ws_request;
+	struct cache_mp_write_session_response c_mp_ws_response;
+	struct cache_mp_write_session_write_request c_mp_ws_write_request;
+	struct cache_mp_write_session_write_response c_mp_ws_write_response;
+
+	struct cache_mp_read_session_request c_mp_rs_request;
+	struct cache_mp_read_session_response c_mp_rs_response;
+	struct cache_mp_read_session_read_response c_mp_rs_read_response;
+	};
+	enum comm_element_t type;
+};
+
+extern void init_comm_element(struct comm_element *, enum comm_element_t type);
+extern void finalize_comm_element(struct comm_element *);
+
+/*
+ * For each type of data, there is three functions (init/finalize/get), that
+ * used with comm_element structure
+ */
+extern void init_cache_write_request(struct cache_write_request *);
+extern void finalize_cache_write_request(struct cache_write_request *);
+extern struct cache_write_request *get_cache_write_request(
+	struct comm_element *);
+
+extern void init_cache_write_response(struct cache_write_response *);
+extern void finalize_cache_write_response(struct cache_write_response *);
+extern struct cache_write_response *get_cache_write_response(
+	struct comm_element *);
+
+extern void init_cache_read_request(struct cache_read_request *);
+extern void finalize_cache_read_request(struct cache_read_request *);
+extern struct cache_read_request *get_cache_read_request(
+	struct comm_element *);
+
+extern void init_cache_read_response(struct cache_read_response *);
+extern void finalize_cache_read_response(struct cache_read_response *);
+extern struct cache_read_response *get_cache_read_response(
+	struct comm_element *);
+
+extern void init_cache_transform_request(struct cache_transform_request *);
+extern void finalize_cache_transform_request(struct cache_transform_request *);
+extern struct cache_transform_request *get_cache_transform_request(
+	struct comm_element *);
+
+extern void init_cache_transform_response(struct cache_transform_response *);
+extern void finalize_cache_transform_response(
+	struct cache_transform_response *);
+extern struct cache_transform_response *get_cache_transform_response(
+	struct comm_element *);
+
+extern void init_cache_mp_write_session_request(
+	struct cache_mp_write_session_request *);
+extern void finalize_cache_mp_write_session_request(
+	struct cache_mp_write_session_request *);
+extern struct cache_mp_write_session_request *
+	get_cache_mp_write_session_request(
+	struct comm_element *);
+
+extern void init_cache_mp_write_session_response(
+	struct cache_mp_write_session_response *);
+extern void finalize_cache_mp_write_session_response(
+	struct cache_mp_write_session_response *);
+extern struct cache_mp_write_session_response *
+	get_cache_mp_write_session_response(struct comm_element *);
+
+extern void init_cache_mp_write_session_write_request(
+	struct cache_mp_write_session_write_request *);
+extern void finalize_cache_mp_write_session_write_request(
+	struct cache_mp_write_session_write_request *);
+extern struct cache_mp_write_session_write_request *
+	get_cache_mp_write_session_write_request(struct comm_element *);
+
+extern void init_cache_mp_write_session_write_response(
+	struct cache_mp_write_session_write_response *);
+extern void finalize_cache_mp_write_session_write_response(
+	struct cache_mp_write_session_write_response *);
+extern struct cache_mp_write_session_write_response *
+	get_cache_mp_write_session_write_response(struct comm_element *);
+
+extern void init_cache_mp_read_session_request(
+	struct cache_mp_read_session_request *);
+extern void finalize_cache_mp_read_session_request(
+	struct cache_mp_read_session_request *);
+extern struct cache_mp_read_session_request *get_cache_mp_read_session_request(
+	struct comm_element *);
+
+extern void init_cache_mp_read_session_response(
+	struct cache_mp_read_session_response *);
+extern void finalize_cache_mp_read_session_response(
+	struct cache_mp_read_session_response *);
+extern struct cache_mp_read_session_response *
+	get_cache_mp_read_session_response(
+	struct comm_element *);
+
+extern void init_cache_mp_read_session_read_response(
+	struct cache_mp_read_session_read_response *);
+extern void finalize_cache_mp_read_session_read_response(
+	struct cache_mp_read_session_read_response *);
+extern struct cache_mp_read_session_read_response *
+	get_cache_mp_read_session_read_response(struct comm_element *);
+
+#endif
diff --git a/usr.sbin/nscd/query.c b/usr.sbin/nscd/query.c
new file mode 100644
index 0000000000..ed9a2cb901
--- /dev/null
+++ b/usr.sbin/nscd/query.c
@@ -0,0 +1,1266 @@
+/*-
+ * Copyright (c) 2005 Michael Bushkov <bushman@rsu.ru>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD: src/usr.sbin/nscd/query.c,v 1.5 2008/10/12 00:44:27 delphij Exp $
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/time.h>
+#include <sys/event.h>
+#include <assert.h>
+#include <errno.h>
+#include <nsswitch.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "config.h"
+#include "debug.h"
+#include "query.h"
+#include "log.h"
+#include "mp_ws_query.h"
+#include "mp_rs_query.h"
+#include "singletons.h"
+
+static const char negative_data[1] = { 0 };
+
+extern	void get_time_func(struct timeval *);
+
+static	void clear_config_entry(struct configuration_entry *);
+static	void clear_config_entry_part(struct configuration_entry *,
+	const char *, size_t);
+
+static	int on_query_startup(struct query_state *);
+static	void on_query_destroy(struct query_state *);
+
+static	int on_read_request_read1(struct query_state *);
+static	int on_read_request_read2(struct query_state *);
+static	int on_read_request_process(struct query_state *);
+static	int on_read_response_write1(struct query_state *);
+static	int on_read_response_write2(struct query_state *);
+
+static	int on_rw_mapper(struct query_state *);
+
+static	int on_transform_request_read1(struct query_state *);
+static	int on_transform_request_read2(struct query_state *);
+static	int on_transform_request_process(struct query_state *);
+static	int on_transform_response_write1(struct query_state *);
+
+static	int on_write_request_read1(struct query_state *);
+static	int on_write_request_read2(struct query_state *);
+static	int on_negative_write_request_process(struct query_state *);
+static	int on_write_request_process(struct query_state *);
+static	int on_write_response_write1(struct query_state *);
+
+/*
+ * Clears the specified configuration entry (clears the cache for positive and
+ * and negative entries) and also for all multipart entries.
+ */
+static void
+clear_config_entry(struct configuration_entry *config_entry)
+{
+	size_t i;
+
+	TRACE_IN(clear_config_entry);
+	configuration_lock_entry(config_entry, CELT_POSITIVE);
+	if (config_entry->positive_cache_entry != NULL)
+		transform_cache_entry(
+			config_entry->positive_cache_entry,
+			CTT_CLEAR);
+	configuration_unlock_entry(config_entry, CELT_POSITIVE);
+
+	configuration_lock_entry(config_entry, CELT_NEGATIVE);
+	if (config_entry->negative_cache_entry != NULL)
+		transform_cache_entry(
+			config_entry->negative_cache_entry,
+			CTT_CLEAR);
+	configuration_unlock_entry(config_entry, CELT_NEGATIVE);
+
+	configuration_lock_entry(config_entry, CELT_MULTIPART);
+	for (i = 0; i < config_entry->mp_cache_entries_size; ++i)
+		transform_cache_entry(
+			config_entry->mp_cache_entries[i],
+			CTT_CLEAR);
+	configuration_unlock_entry(config_entry, CELT_MULTIPART);
+
+	TRACE_OUT(clear_config_entry);
+}
+
+/*
+ * Clears the specified configuration entry by deleting only the elements,
+ * that are owned by the user with specified eid_str.
+ */
+static void
+clear_config_entry_part(struct configuration_entry *config_entry,
+	const char *eid_str, size_t eid_str_length)
+{
+	cache_entry *start, *finish, *mp_entry;
+	TRACE_IN(clear_config_entry_part);
+	configuration_lock_entry(config_entry, CELT_POSITIVE);
+	if (config_entry->positive_cache_entry != NULL)
+		transform_cache_entry_part(
+			config_entry->positive_cache_entry,
+			CTT_CLEAR, eid_str, eid_str_length, KPPT_LEFT);
+	configuration_unlock_entry(config_entry, CELT_POSITIVE);
+
+	configuration_lock_entry(config_entry, CELT_NEGATIVE);
+	if (config_entry->negative_cache_entry != NULL)
+		transform_cache_entry_part(
+			config_entry->negative_cache_entry,
+			CTT_CLEAR, eid_str, eid_str_length, KPPT_LEFT);
+	configuration_unlock_entry(config_entry, CELT_NEGATIVE);
+
+	configuration_lock_entry(config_entry, CELT_MULTIPART);
+	if (configuration_entry_find_mp_cache_entries(config_entry,
+		eid_str, &start, &finish) == 0) {
+		for (mp_entry = start; mp_entry != finish; ++mp_entry)
+			transform_cache_entry(*mp_entry, CTT_CLEAR);
+	}
+	configuration_unlock_entry(config_entry, CELT_MULTIPART);
+
+	TRACE_OUT(clear_config_entry_part);
+}
+
+/*
+ * This function is assigned to the query_state structue on its creation.
+ * It's main purpose is to receive credentials from the client.
+ */
+static int
+on_query_startup(struct query_state *qstate)
+{
+	struct msghdr	cred_hdr;
+	struct iovec	iov;
+	struct cmsgcred *cred;
+	int elem_type;
+
+	struct {
+		struct cmsghdr	hdr;
+		char cred[CMSG_SPACE(sizeof(struct cmsgcred))];
+	} cmsg;
+
+	TRACE_IN(on_query_startup);
+	assert(qstate != NULL);
+
+	memset(&cred_hdr, 0, sizeof(struct msghdr));
+	cred_hdr.msg_iov = &iov;
+	cred_hdr.msg_iovlen = 1;
+	cred_hdr.msg_control = (caddr_t)&cmsg;
+	cred_hdr.msg_controllen = CMSG_LEN(sizeof(struct cmsgcred));
+
+	memset(&iov, 0, sizeof(struct iovec));
+	iov.iov_base = &elem_type;
+	iov.iov_len = sizeof(int);
+
+	if (recvmsg(qstate->sockfd, &cred_hdr, 0) == -1) {
+		TRACE_OUT(on_query_startup);
+		return (-1);
+	}
+
+	if (cmsg.hdr.cmsg_len < CMSG_LEN(sizeof(struct cmsgcred))
+		|| cmsg.hdr.cmsg_level != SOL_SOCKET
+		|| cmsg.hdr.cmsg_type != SCM_CREDS) {
+		TRACE_OUT(on_query_startup);
+		return (-1);
+	}
+
+	cred = (struct cmsgcred *)CMSG_DATA(&cmsg);
+	qstate->uid = cred->cmcred_uid;
+	qstate->gid = cred->cmcred_gid;
+
+#if defined(NS_NSCD_EID_CHECKING) || defined(NS_STRICT_NSCD_EID_CHECKING)
+/*
+ * This check is probably a bit redundant - per-user cache is always separated
+ * by the euid/egid pair
+ */
+	if (check_query_eids(qstate) != 0) {
+#ifdef NS_STRICT_NSCD_EID_CHECKING
+		TRACE_OUT(on_query_startup);
+		return (-1);
+#else
+		if ((elem_type != CET_READ_REQUEST) &&
+			(elem_type != CET_MP_READ_SESSION_REQUEST) &&
+			(elem_type != CET_WRITE_REQUEST) &&
+			(elem_type != CET_MP_WRITE_SESSION_REQUEST)) {
+			TRACE_OUT(on_query_startup);
+			return (-1);
+		}
+#endif
+	}
+#endif
+
+	switch (elem_type) {
+	case CET_WRITE_REQUEST:
+		qstate->process_func = on_write_request_read1;
+		break;
+	case CET_READ_REQUEST:
+		qstate->process_func = on_read_request_read1;
+		break;
+	case CET_TRANSFORM_REQUEST:
+		qstate->process_func = on_transform_request_read1;
+		break;
+	case CET_MP_WRITE_SESSION_REQUEST:
+		qstate->process_func = on_mp_write_session_request_read1;
+		break;
+	case CET_MP_READ_SESSION_REQUEST:
+		qstate->process_func = on_mp_read_session_request_read1;
+		break;
+	default:
+		TRACE_OUT(on_query_startup);
+		return (-1);
+	}
+
+	qstate->kevent_watermark = 0;
+	TRACE_OUT(on_query_startup);
+	return (0);
+}
+
+/*
+ * on_rw_mapper is used to process multiple read/write requests during
+ * one connection session. It's never called in the beginning (on query_state
+ * creation) as it does not process the multipart requests and does not
+ * receive credentials
+ */
+static int
+on_rw_mapper(struct query_state *qstate)
+{
+	ssize_t	result;
+	int	elem_type;
+
+	TRACE_IN(on_rw_mapper);
+	if (qstate->kevent_watermark == 0) {
+		qstate->kevent_watermark = sizeof(int);
+	} else {
+		result = qstate->read_func(qstate, &elem_type, sizeof(int));
+		if (result != sizeof(int)) {
+			TRACE_OUT(on_rw_mapper);
+			return (-1);
+		}
+
+		switch (elem_type) {
+		case CET_WRITE_REQUEST:
+			qstate->kevent_watermark = sizeof(size_t);
+			qstate->process_func = on_write_request_read1;
+		break;
+		case CET_READ_REQUEST:
+			qstate->kevent_watermark = sizeof(size_t);
+			qstate->process_func = on_read_request_read1;
+		break;
+		default:
+			TRACE_OUT(on_rw_mapper);
+			return (-1);
+		break;
+		}
+	}
+	TRACE_OUT(on_rw_mapper);
+	return (0);
+}
+
+/*
+ * The default query_destroy function
+ */
+static void
+on_query_destroy(struct query_state *qstate)
+{
+
+	TRACE_IN(on_query_destroy);
+	finalize_comm_element(&qstate->response);
+	finalize_comm_element(&qstate->request);
+	TRACE_OUT(on_query_destroy);
+}
+
+/*
+ * The functions below are used to process write requests.
+ * - on_write_request_read1 and on_write_request_read2 read the request itself
+ * - on_write_request_process processes it (if the client requests to
+ *    cache the negative result, the on_negative_write_request_process is used)
+ * - on_write_response_write1 sends the response
+ */
+static int
+on_write_request_read1(struct query_state *qstate)
+{
+	struct cache_write_request	*write_request;
+	ssize_t	result;
+
+	TRACE_IN(on_write_request_read1);
+	if (qstate->kevent_watermark == 0)
+		qstate->kevent_watermark = sizeof(size_t) * 3;
+	else {
+		init_comm_element(&qstate->request, CET_WRITE_REQUEST);
+		write_request = get_cache_write_request(&qstate->request);
+
+		result = qstate->read_func(qstate, &write_request->entry_length,
+			sizeof(size_t));
+		result += qstate->read_func(qstate,
+			&write_request->cache_key_size, sizeof(size_t));
+		result += qstate->read_func(qstate,
+			&write_request->data_size, sizeof(size_t));
+
+		if (result != sizeof(size_t) * 3) {
+			TRACE_OUT(on_write_request_read1);
+			return (-1);
+		}
+
+		if (BUFSIZE_INVALID(write_request->entry_length) ||
+			BUFSIZE_INVALID(write_request->cache_key_size) ||
+			(BUFSIZE_INVALID(write_request->data_size) &&
+			(write_request->data_size != 0))) {
+			TRACE_OUT(on_write_request_read1);
+			return (-1);
+		}
+
+		write_request->entry = (char *)calloc(1,
+			write_request->entry_length + 1);
+		assert(write_request->entry != NULL);
+
+		write_request->cache_key = (char *)calloc(1,
+			write_request->cache_key_size +
+			qstate->eid_str_length);
+		assert(write_request->cache_key != NULL);
+		memcpy(write_request->cache_key, qstate->eid_str,
+			qstate->eid_str_length);
+
+		if (write_request->data_size != 0) {
+			write_request->data = (char *)calloc(1,
+				write_request->data_size);
+			assert(write_request->data != NULL);
+		}
+
+		qstate->kevent_watermark = write_request->entry_length +
+			write_request->cache_key_size +
+			write_request->data_size;
+		qstate->process_func = on_write_request_read2;
+	}
+
+	TRACE_OUT(on_write_request_read1);
+	return (0);
+}
+
+static int
+on_write_request_read2(struct query_state *qstate)
+{
+	struct cache_write_request	*write_request;
+	ssize_t	result;
+
+	TRACE_IN(on_write_request_read2);
+	write_request = get_cache_write_request(&qstate->request);
+
+	result = qstate->read_func(qstate, write_request->entry,
+		write_request->entry_length);
+	result += qstate->read_func(qstate, write_request->cache_key +
+		qstate->eid_str_length, write_request->cache_key_size);
+	if (write_request->data_size != 0)
+		result += qstate->read_func(qstate, write_request->data,
+			write_request->data_size);
+
+	if (result != qstate->kevent_watermark) {
+		TRACE_OUT(on_write_request_read2);
+		return (-1);
+	}
+	write_request->cache_key_size += qstate->eid_str_length;
+
+	qstate->kevent_watermark = 0;
+	if (write_request->data_size != 0)
+		qstate->process_func = on_write_request_process;
+	else
+		qstate->process_func = on_negative_write_request_process;
+	TRACE_OUT(on_write_request_read2);
+	return (0);
+}
+
+static int
+on_write_request_process(struct query_state *qstate)
+{
+	struct cache_write_request	*write_request;
+	struct cache_write_response	*write_response;
+	cache_entry c_entry;
+
+	TRACE_IN(on_write_request_process);
+	init_comm_element(&qstate->response, CET_WRITE_RESPONSE);
+	write_response = get_cache_write_response(&qstate->response);
+	write_request = get_cache_write_request(&qstate->request);
+
+	qstate->config_entry = configuration_find_entry(
+		s_configuration, write_request->entry);
+
+	if (qstate->config_entry == NULL) {
+		write_response->error_code = ENOENT;
+
+		LOG_ERR_2("write_request", "can't find configuration"
+		    " entry '%s'. aborting request", write_request->entry);
+		goto fin;
+	}
+
+	if (qstate->config_entry->enabled == 0) {
+		write_response->error_code = EACCES;
+
+		LOG_ERR_2("write_request",
+			"configuration entry '%s' is disabled",
+			write_request->entry);
+		goto fin;
+	}
+
+	if (qstate->config_entry->perform_actual_lookups != 0) {
+		write_response->error_code = EOPNOTSUPP;
+
+		LOG_ERR_2("write_request",
+			"entry '%s' performs lookups by itself: "
+			"can't write to it", write_request->entry);
+		goto fin;
+	}
+
+	configuration_lock_rdlock(s_configuration);
+	c_entry = find_cache_entry(s_cache,
+		qstate->config_entry->positive_cache_params.entry_name);
+	configuration_unlock(s_configuration);
+	if (c_entry != NULL) {
+		configuration_lock_entry(qstate->config_entry, CELT_POSITIVE);
+		qstate->config_entry->positive_cache_entry = c_entry;
+		write_response->error_code = cache_write(c_entry,
+			write_request->cache_key,
+			write_request->cache_key_size,
+			write_request->data,
+			write_request->data_size);
+		configuration_unlock_entry(qstate->config_entry, CELT_POSITIVE);
+
+		if ((qstate->config_entry->common_query_timeout.tv_sec != 0) ||
+		    (qstate->config_entry->common_query_timeout.tv_usec != 0))
+			memcpy(&qstate->timeout,
+				&qstate->config_entry->common_query_timeout,
+				sizeof(struct timeval));
+
+	} else
+		write_response->error_code = -1;
+
+fin:
+	qstate->kevent_filter = EVFILT_WRITE;
+	qstate->kevent_watermark = sizeof(int);
+	qstate->process_func = on_write_response_write1;
+
+	TRACE_OUT(on_write_request_process);
+	return (0);
+}
+
+static int
+on_negative_write_request_process(struct query_state *qstate)
+{
+	struct cache_write_request	*write_request;
+	struct cache_write_response	*write_response;
+	cache_entry c_entry;
+
+	TRACE_IN(on_negative_write_request_process);
+	init_comm_element(&qstate->response, CET_WRITE_RESPONSE);
+	write_response = get_cache_write_response(&qstate->response);
+	write_request = get_cache_write_request(&qstate->request);
+
+	qstate->config_entry = configuration_find_entry(
+		s_configuration, write_request->entry);
+
+	if (qstate->config_entry == NULL) {
+		write_response->error_code = ENOENT;
+
+		LOG_ERR_2("negative_write_request",
+			"can't find configuration"
+			" entry '%s'. aborting request", write_request->entry);
+		goto fin;
+	}
+
+	if (qstate->config_entry->enabled == 0) {
+		write_response->error_code = EACCES;
+
+		LOG_ERR_2("negative_write_request",
+			"configuration entry '%s' is disabled",
+			write_request->entry);
+		goto fin;
+	}
+
+	if (qstate->config_entry->perform_actual_lookups != 0) {
+		write_response->error_code = EOPNOTSUPP;
+
+		LOG_ERR_2("negative_write_request",
+			"entry '%s' performs lookups by itself: "
+			"can't write to it", write_request->entry);
+		goto fin;
+	} else {
+#ifdef NS_NSCD_EID_CHECKING
+		if (check_query_eids(qstate) != 0) {
+			write_response->error_code = EPERM;
+			goto fin;
+		}
+#endif
+	}
+
+	configuration_lock_rdlock(s_configuration);
+	c_entry = find_cache_entry(s_cache,
+		qstate->config_entry->negative_cache_params.entry_name);
+	configuration_unlock(s_configuration);
+	if (c_entry != NULL) {
+		configuration_lock_entry(qstate->config_entry, CELT_NEGATIVE);
+		qstate->config_entry->negative_cache_entry = c_entry;
+		write_response->error_code = cache_write(c_entry,
+			write_request->cache_key,
+			write_request->cache_key_size,
+			negative_data,
+			sizeof(negative_data));
+		configuration_unlock_entry(qstate->config_entry, CELT_NEGATIVE);
+
+		if ((qstate->config_entry->common_query_timeout.tv_sec != 0) ||
+		    (qstate->config_entry->common_query_timeout.tv_usec != 0))
+			memcpy(&qstate->timeout,
+				&qstate->config_entry->common_query_timeout,
+				sizeof(struct timeval));
+	} else
+		write_response->error_code = -1;
+
+fin:
+	qstate->kevent_filter = EVFILT_WRITE;
+	qstate->kevent_watermark = sizeof(int);
+	qstate->process_func = on_write_response_write1;
+
+	TRACE_OUT(on_negative_write_request_process);
+	return (0);
+}
+
+static int
+on_write_response_write1(struct query_state *qstate)
+{
+	struct cache_write_response	*write_response;
+	ssize_t	result;
+
+	TRACE_IN(on_write_response_write1);
+	write_response = get_cache_write_response(&qstate->response);
+	result = qstate->write_func(qstate, &write_response->error_code,
+		sizeof(int));
+	if (result != sizeof(int)) {
+		TRACE_OUT(on_write_response_write1);
+		return (-1);
+	}
+
+	finalize_comm_element(&qstate->request);
+	finalize_comm_element(&qstate->response);
+
+	qstate->kevent_watermark = sizeof(int);
+	qstate->kevent_filter = EVFILT_READ;
+	qstate->process_func = on_rw_mapper;
+
+	TRACE_OUT(on_write_response_write1);
+	return (0);
+}
+
+/*
+ * The functions below are used to process read requests.
+ * - on_read_request_read1 and on_read_request_read2 read the request itself
+ * - on_read_request_process processes it
+ * - on_read_response_write1 and on_read_response_write2 send the response
+ */
+static int
+on_read_request_read1(struct query_state *qstate)
+{
+	struct cache_read_request *read_request;
+	ssize_t	result;
+
+	TRACE_IN(on_read_request_read1);
+	if (qstate->kevent_watermark == 0)
+		qstate->kevent_watermark = sizeof(size_t) * 2;
+	else {
+		init_comm_element(&qstate->request, CET_READ_REQUEST);
+		read_request = get_cache_read_request(&qstate->request);
+
+		result = qstate->read_func(qstate,
+			&read_request->entry_length, sizeof(size_t));
+		result += qstate->read_func(qstate,
+			&read_request->cache_key_size, sizeof(size_t));
+
+		if (result != sizeof(size_t) * 2) {
+			TRACE_OUT(on_read_request_read1);
+			return (-1);
+		}
+
+		if (BUFSIZE_INVALID(read_request->entry_length) ||
+			BUFSIZE_INVALID(read_request->cache_key_size)) {
+			TRACE_OUT(on_read_request_read1);
+			return (-1);
+		}
+
+		read_request->entry = (char *)calloc(1,
+			read_request->entry_length + 1);
+		assert(read_request->entry != NULL);
+
+		read_request->cache_key = (char *)calloc(1,
+			read_request->cache_key_size +
+			qstate->eid_str_length);
+		assert(read_request->cache_key != NULL);
+		memcpy(read_request->cache_key, qstate->eid_str,
+			qstate->eid_str_length);
+
+		qstate->kevent_watermark = read_request->entry_length +
+			read_request->cache_key_size;
+		qstate->process_func = on_read_request_read2;
+	}
+
+	TRACE_OUT(on_read_request_read1);
+	return (0);
+}
+
+static int
+on_read_request_read2(struct query_state *qstate)
+{
+	struct cache_read_request	*read_request;
+	ssize_t	result;
+
+	TRACE_IN(on_read_request_read2);
+	read_request = get_cache_read_request(&qstate->request);
+
+	result = qstate->read_func(qstate, read_request->entry,
+		read_request->entry_length);
+	result += qstate->read_func(qstate,
+		read_request->cache_key + qstate->eid_str_length,
+		read_request->cache_key_size);
+
+	if (result != qstate->kevent_watermark) {
+		TRACE_OUT(on_read_request_read2);
+		return (-1);
+	}
+	read_request->cache_key_size += qstate->eid_str_length;
+
+	qstate->kevent_watermark = 0;
+	qstate->process_func = on_read_request_process;
+
+	TRACE_OUT(on_read_request_read2);
+	return (0);
+}
+
+static int
+on_read_request_process(struct query_state *qstate)
+{
+	struct cache_read_request *read_request;
+	struct cache_read_response *read_response;
+	cache_entry	c_entry, neg_c_entry;
+
+	struct agent	*lookup_agent;
+	struct common_agent *c_agent;
+	int res;
+
+	TRACE_IN(on_read_request_process);
+	init_comm_element(&qstate->response, CET_READ_RESPONSE);
+	read_response = get_cache_read_response(&qstate->response);
+	read_request = get_cache_read_request(&qstate->request);
+
+	qstate->config_entry = configuration_find_entry(
+		s_configuration, read_request->entry);
+	if (qstate->config_entry == NULL) {
+		read_response->error_code = ENOENT;
+
+		LOG_ERR_2("read_request",
+			"can't find configuration "
+			"entry '%s'. aborting request", read_request->entry);
+		goto fin;
+	}
+
+	if (qstate->config_entry->enabled == 0) {
+		read_response->error_code = EACCES;
+
+		LOG_ERR_2("read_request",
+			"configuration entry '%s' is disabled",
+			read_request->entry);
+		goto fin;
+	}
+
+	/*
+	 * if we perform lookups by ourselves, then we don't need to separate
+	 * cache entries by euid and egid
+	 */
+	if (qstate->config_entry->perform_actual_lookups != 0)
+		memset(read_request->cache_key, 0, qstate->eid_str_length);
+	else {
+#ifdef NS_NSCD_EID_CHECKING
+		if (check_query_eids(qstate) != 0) {
+		/* if the lookup is not self-performing, we check for clients euid/egid */
+			read_response->error_code = EPERM;
+			goto fin;
+		}
+#endif
+	}
+
+	configuration_lock_rdlock(s_configuration);
+	c_entry = find_cache_entry(s_cache,
+		qstate->config_entry->positive_cache_params.entry_name);
+	neg_c_entry = find_cache_entry(s_cache,
+		qstate->config_entry->negative_cache_params.entry_name);
+	configuration_unlock(s_configuration);
+	if ((c_entry != NULL) && (neg_c_entry != NULL)) {
+		configuration_lock_entry(qstate->config_entry, CELT_POSITIVE);
+		qstate->config_entry->positive_cache_entry = c_entry;
+		read_response->error_code = cache_read(c_entry,
+			read_request->cache_key,
+			read_request->cache_key_size, NULL,
+			&read_response->data_size);
+
+		if (read_response->error_code == -2) {
+			read_response->data = (char *)malloc(
+				read_response->data_size);
+			assert(read_response != NULL);
+			read_response->error_code = cache_read(c_entry,
+				read_request->cache_key,
+				read_request->cache_key_size,
+				read_response->data,
+				&read_response->data_size);
+		}
+		configuration_unlock_entry(qstate->config_entry, CELT_POSITIVE);
+
+		configuration_lock_entry(qstate->config_entry, CELT_NEGATIVE);
+		qstate->config_entry->negative_cache_entry = neg_c_entry;
+		if (read_response->error_code == -1) {
+			read_response->error_code = cache_read(neg_c_entry,
+				read_request->cache_key,
+				read_request->cache_key_size, NULL,
+				&read_response->data_size);
+
+			if (read_response->error_code == -2) {
+				read_response->error_code = 0;
+				read_response->data = NULL;
+				read_response->data_size = 0;
+			}
+		}
+		configuration_unlock_entry(qstate->config_entry, CELT_NEGATIVE);
+
+		if ((read_response->error_code == -1) &&
+			(qstate->config_entry->perform_actual_lookups != 0)) {
+			free(read_response->data);
+			read_response->data = NULL;
+			read_response->data_size = 0;
+
+			lookup_agent = find_agent(s_agent_table,
+				read_request->entry, COMMON_AGENT);
+
+			if ((lookup_agent != NULL) &&
+			(lookup_agent->type == COMMON_AGENT)) {
+				c_agent = (struct common_agent *)lookup_agent;
+				res = c_agent->lookup_func(
+					read_request->cache_key +
+						qstate->eid_str_length,
+					read_request->cache_key_size -
+						qstate->eid_str_length,
+					&read_response->data,
+					&read_response->data_size);
+
+				if (res == NS_SUCCESS) {
+					read_response->error_code = 0;
+					configuration_lock_entry(
+						qstate->config_entry,
+						CELT_POSITIVE);
+					cache_write(c_entry,
+						read_request->cache_key,
+						read_request->cache_key_size,
+						read_response->data,
+						read_response->data_size);
+					configuration_unlock_entry(
+						qstate->config_entry,
+						CELT_POSITIVE);
+				} else if ((res == NS_NOTFOUND) ||
+					  (res == NS_RETURN)) {
+					configuration_lock_entry(
+						  qstate->config_entry,
+						  CELT_NEGATIVE);
+					cache_write(neg_c_entry,
+						read_request->cache_key,
+						read_request->cache_key_size,
+						negative_data,
+						sizeof(negative_data));
+					configuration_unlock_entry(
+						  qstate->config_entry,
+						  CELT_NEGATIVE);
+
+					read_response->error_code = 0;
+					read_response->data = NULL;
+					read_response->data_size = 0;
+				}
+			}
+		}
+
+		if ((qstate->config_entry->common_query_timeout.tv_sec != 0) ||
+		    (qstate->config_entry->common_query_timeout.tv_usec != 0))
+			memcpy(&qstate->timeout,
+				&qstate->config_entry->common_query_timeout,
+				sizeof(struct timeval));
+	} else
+		read_response->error_code = -1;
+
+fin:
+	qstate->kevent_filter = EVFILT_WRITE;
+	if (read_response->error_code == 0)
+		qstate->kevent_watermark = sizeof(int) + sizeof(size_t);
+	else
+		qstate->kevent_watermark = sizeof(int);
+	qstate->process_func = on_read_response_write1;
+
+	TRACE_OUT(on_read_request_process);
+	return (0);
+}
+
+static int
+on_read_response_write1(struct query_state *qstate)
+{
+	struct cache_read_response	*read_response;
+	ssize_t	result;
+
+	TRACE_IN(on_read_response_write1);
+	read_response = get_cache_read_response(&qstate->response);
+
+	result = qstate->write_func(qstate, &read_response->error_code,
+		sizeof(int));
+
+	if (read_response->error_code == 0) {
+		result += qstate->write_func(qstate, &read_response->data_size,
+			sizeof(size_t));
+		if (result != qstate->kevent_watermark) {
+			TRACE_OUT(on_read_response_write1);
+			return (-1);
+		}
+
+		qstate->kevent_watermark = read_response->data_size;
+		qstate->process_func = on_read_response_write2;
+	} else {
+		if (result != qstate->kevent_watermark) {
+			TRACE_OUT(on_read_response_write1);
+			return (-1);
+		}
+
+		qstate->kevent_watermark = 0;
+		qstate->process_func = NULL;
+	}
+
+	TRACE_OUT(on_read_response_write1);
+	return (0);
+}
+
+static int
+on_read_response_write2(struct query_state *qstate)
+{
+	struct cache_read_response	*read_response;
+	ssize_t	result;
+
+	TRACE_IN(on_read_response_write2);
+	read_response = get_cache_read_response(&qstate->response);
+	if (read_response->data_size > 0) {
+		result = qstate->write_func(qstate, read_response->data,
+			read_response->data_size);
+		if (result != qstate->kevent_watermark) {
+			TRACE_OUT(on_read_response_write2);
+			return (-1);
+		}
+	}
+
+	finalize_comm_element(&qstate->request);
+	finalize_comm_element(&qstate->response);
+
+	qstate->kevent_watermark = sizeof(int);
+	qstate->kevent_filter = EVFILT_READ;
+	qstate->process_func = on_rw_mapper;
+	TRACE_OUT(on_read_response_write2);
+	return (0);
+}
+
+/*
+ * The functions below are used to process write requests.
+ * - on_transform_request_read1 and on_transform_request_read2 read the
+ *   request itself
+ * - on_transform_request_process processes it
+ * - on_transform_response_write1 sends the response
+ */
+static int
+on_transform_request_read1(struct query_state *qstate)
+{
+	struct cache_transform_request *transform_request;
+	ssize_t	result;
+
+	TRACE_IN(on_transform_request_read1);
+	if (qstate->kevent_watermark == 0)
+		qstate->kevent_watermark = sizeof(size_t) + sizeof(int);
+	else {
+		init_comm_element(&qstate->request, CET_TRANSFORM_REQUEST);
+		transform_request =
+			get_cache_transform_request(&qstate->request);
+
+		result = qstate->read_func(qstate,
+			&transform_request->entry_length, sizeof(size_t));
+		result += qstate->read_func(qstate,
+			&transform_request->transformation_type, sizeof(int));
+
+		if (result != sizeof(size_t) + sizeof(int)) {
+			TRACE_OUT(on_transform_request_read1);
+			return (-1);
+		}
+
+		if ((transform_request->transformation_type != TT_USER) &&
+		    (transform_request->transformation_type != TT_ALL)) {
+			TRACE_OUT(on_transform_request_read1);
+			return (-1);
+		}
+
+		if (transform_request->entry_length != 0) {
+			if (BUFSIZE_INVALID(transform_request->entry_length)) {
+				TRACE_OUT(on_transform_request_read1);
+				return (-1);
+			}
+
+			transform_request->entry = (char *)calloc(1,
+				transform_request->entry_length + 1);
+			assert(transform_request->entry != NULL);
+
+			qstate->process_func = on_transform_request_read2;
+		} else
+			qstate->process_func = on_transform_request_process;
+
+		qstate->kevent_watermark = transform_request->entry_length;
+	}
+
+	TRACE_OUT(on_transform_request_read1);
+	return (0);
+}
+
+static int
+on_transform_request_read2(struct query_state *qstate)
+{
+	struct cache_transform_request	*transform_request;
+	ssize_t	result;
+
+	TRACE_IN(on_transform_request_read2);
+	transform_request = get_cache_transform_request(&qstate->request);
+
+	result = qstate->read_func(qstate, transform_request->entry,
+		transform_request->entry_length);
+
+	if (result != qstate->kevent_watermark) {
+		TRACE_OUT(on_transform_request_read2);
+		return (-1);
+	}
+
+	qstate->kevent_watermark = 0;
+	qstate->process_func = on_transform_request_process;
+
+	TRACE_OUT(on_transform_request_read2);
+	return (0);
+}
+
+static int
+on_transform_request_process(struct query_state *qstate)
+{
+	struct cache_transform_request *transform_request;
+	struct cache_transform_response *transform_response;
+	struct configuration_entry *config_entry;
+	size_t	i, size;
+
+	TRACE_IN(on_transform_request_process);
+	init_comm_element(&qstate->response, CET_TRANSFORM_RESPONSE);
+	transform_response = get_cache_transform_response(&qstate->response);
+	transform_request = get_cache_transform_request(&qstate->request);
+
+	switch (transform_request->transformation_type) {
+	case TT_USER:
+		if (transform_request->entry == NULL) {
+			size = configuration_get_entries_size(s_configuration);
+			for (i = 0; i < size; ++i) {
+			    config_entry = configuration_get_entry(
+				s_configuration, i);
+
+			    if (config_entry->perform_actual_lookups == 0)
+				clear_config_entry_part(config_entry,
+				    qstate->eid_str, qstate->eid_str_length);
+			}
+		} else {
+			qstate->config_entry = configuration_find_entry(
+				s_configuration, transform_request->entry);
+
+			if (qstate->config_entry == NULL) {
+				LOG_ERR_2("transform_request",
+					"can't find configuration"
+					" entry '%s'. aborting request",
+					transform_request->entry);
+				transform_response->error_code = -1;
+				goto fin;
+			}
+
+			if (qstate->config_entry->perform_actual_lookups != 0) {
+				LOG_ERR_2("transform_request",
+					"can't transform the cache entry %s"
+					", because it ised for actual lookups",
+					transform_request->entry);
+				transform_response->error_code = -1;
+				goto fin;
+			}
+
+			clear_config_entry_part(qstate->config_entry,
+				qstate->eid_str, qstate->eid_str_length);
+		}
+		break;
+	case TT_ALL:
+		if (qstate->euid != 0)
+			transform_response->error_code = -1;
+		else {
+			if (transform_request->entry == NULL) {
+				size = configuration_get_entries_size(
+					s_configuration);
+				for (i = 0; i < size; ++i) {
+				    clear_config_entry(
+					configuration_get_entry(
+						s_configuration, i));
+				}
+			} else {
+				qstate->config_entry = configuration_find_entry(
+					s_configuration,
+					transform_request->entry);
+
+				if (qstate->config_entry == NULL) {
+					LOG_ERR_2("transform_request",
+						"can't find configuration"
+						" entry '%s'. aborting request",
+						transform_request->entry);
+					transform_response->error_code = -1;
+					goto fin;
+				}
+
+				clear_config_entry(qstate->config_entry);
+			}
+		}
+		break;
+	default:
+		transform_response->error_code = -1;
+	}
+
+fin:
+	qstate->kevent_watermark = 0;
+	qstate->process_func = on_transform_response_write1;
+	TRACE_OUT(on_transform_request_process);
+	return (0);
+}
+
+static int
+on_transform_response_write1(struct query_state *qstate)
+{
+	struct cache_transform_response	*transform_response;
+	ssize_t	result;
+
+	TRACE_IN(on_transform_response_write1);
+	transform_response = get_cache_transform_response(&qstate->response);
+	result = qstate->write_func(qstate, &transform_response->error_code,
+		sizeof(int));
+	if (result != sizeof(int)) {
+		TRACE_OUT(on_transform_response_write1);
+		return (-1);
+	}
+
+	finalize_comm_element(&qstate->request);
+	finalize_comm_element(&qstate->response);
+
+	qstate->kevent_watermark = 0;
+	qstate->process_func = NULL;
+	TRACE_OUT(on_transform_response_write1);
+	return (0);
+}
+
+/*
+ * Checks if the client's euid and egid do not differ from its uid and gid.
+ * Returns 0 on success.
+ */
+int
+check_query_eids(struct query_state *qstate)
+{
+
+	return ((qstate->uid != qstate->euid) || (qstate->gid != qstate->egid) ? -1 : 0);
+}
+
+/*
+ * Uses the qstate fields to process an "alternate" read - when the buffer is
+ * too large to be received during one socket read operation
+ */
+ssize_t
+query_io_buffer_read(struct query_state *qstate, void *buf, size_t nbytes)
+{
+	ssize_t	result;
+
+	TRACE_IN(query_io_buffer_read);
+	if ((qstate->io_buffer_size == 0) || (qstate->io_buffer == NULL))
+		return (-1);
+
+	if (nbytes < qstate->io_buffer + qstate->io_buffer_size -
+			qstate->io_buffer_p)
+		result = nbytes;
+	else
+		result = qstate->io_buffer + qstate->io_buffer_size -
+			qstate->io_buffer_p;
+
+	memcpy(buf, qstate->io_buffer_p, result);
+	qstate->io_buffer_p += result;
+
+	if (qstate->io_buffer_p == qstate->io_buffer + qstate->io_buffer_size) {
+		free(qstate->io_buffer);
+		qstate->io_buffer = NULL;
+
+		qstate->write_func = query_socket_write;
+		qstate->read_func = query_socket_read;
+	}
+
+	TRACE_OUT(query_io_buffer_read);
+	return (result);
+}
+
+/*
+ * Uses the qstate fields to process an "alternate" write - when the buffer is
+ * too large to be sent during one socket write operation
+ */
+ssize_t
+query_io_buffer_write(struct query_state *qstate, const void *buf,
+	size_t nbytes)
+{
+	ssize_t	result;
+
+	TRACE_IN(query_io_buffer_write);
+	if ((qstate->io_buffer_size == 0) || (qstate->io_buffer == NULL))
+		return (-1);
+
+	if (nbytes < qstate->io_buffer + qstate->io_buffer_size -
+			qstate->io_buffer_p)
+		result = nbytes;
+	else
+		result = qstate->io_buffer + qstate->io_buffer_size -
+		qstate->io_buffer_p;
+
+	memcpy(qstate->io_buffer_p, buf, result);
+	qstate->io_buffer_p += result;
+
+	if (qstate->io_buffer_p == qstate->io_buffer + qstate->io_buffer_size) {
+		qstate->use_alternate_io = 1;
+		qstate->io_buffer_p = qstate->io_buffer;
+
+		qstate->write_func = query_socket_write;
+		qstate->read_func = query_socket_read;
+	}
+
+	TRACE_OUT(query_io_buffer_write);
+	return (result);
+}
+
+/*
+ * The default "read" function, which reads data directly from socket
+ */
+ssize_t
+query_socket_read(struct query_state *qstate, void *buf, size_t nbytes)
+{
+	ssize_t	result;
+
+	TRACE_IN(query_socket_read);
+	if (qstate->socket_failed != 0) {
+		TRACE_OUT(query_socket_read);
+		return (-1);
+	}
+
+	result = read(qstate->sockfd, buf, nbytes);
+	if ((result == -1) || (result < nbytes))
+		qstate->socket_failed = 1;
+
+	TRACE_OUT(query_socket_read);
+	return (result);
+}
+
+/*
+ * The default "write" function, which writes data directly to socket
+ */
+ssize_t
+query_socket_write(struct query_state *qstate, const void *buf, size_t nbytes)
+{
+	ssize_t	result;
+
+	TRACE_IN(query_socket_write);
+	if (qstate->socket_failed != 0) {
+		TRACE_OUT(query_socket_write);
+		return (-1);
+	}
+
+	result = write(qstate->sockfd, buf, nbytes);
+	if ((result == -1) || (result < nbytes))
+		qstate->socket_failed = 1;
+
+	TRACE_OUT(query_socket_write);
+	return (result);
+}
+
+/*
+ * Initializes the query_state structure by filling it with the default values.
+ */
+struct query_state *
+init_query_state(int sockfd, size_t kevent_watermark, uid_t euid, gid_t egid)
+{
+	struct query_state	*retval;
+
+	TRACE_IN(init_query_state);
+	retval = (struct query_state *)calloc(1, sizeof(struct query_state));
+	assert(retval != NULL);
+
+	retval->sockfd = sockfd;
+	retval->kevent_filter = EVFILT_READ;
+	retval->kevent_watermark = kevent_watermark;
+
+	retval->euid = euid;
+	retval->egid = egid;
+	retval->uid = retval->gid = -1;
+
+	if (asprintf(&retval->eid_str, "%d_%d_", retval->euid,
+		retval->egid) == -1) {
+		free(retval);
+		return (NULL);
+	}
+	retval->eid_str_length = strlen(retval->eid_str);
+
+	init_comm_element(&retval->request, CET_UNDEFINED);
+	init_comm_element(&retval->response, CET_UNDEFINED);
+	retval->process_func = on_query_startup;
+	retval->destroy_func = on_query_destroy;
+
+	retval->write_func = query_socket_write;
+	retval->read_func = query_socket_read;
+
+	get_time_func(&retval->creation_time);
+	memcpy(&retval->timeout, &s_configuration->query_timeout,
+		sizeof(struct timeval));
+
+	TRACE_OUT(init_query_state);
+	return (retval);
+}
+
+void
+destroy_query_state(struct query_state *qstate)
+{
+
+	TRACE_IN(destroy_query_state);
+	if (qstate->eid_str != NULL)
+	    free(qstate->eid_str);
+
+	if (qstate->io_buffer != NULL)
+		free(qstate->io_buffer);
+
+	qstate->destroy_func(qstate);
+	free(qstate);
+	TRACE_OUT(destroy_query_state);
+}
diff --git a/usr.sbin/nscd/query.h b/usr.sbin/nscd/query.h
new file mode 100644
index 0000000000..69bea7083e
--- /dev/null
+++ b/usr.sbin/nscd/query.h
@@ -0,0 +1,108 @@
+/*-
+ * Copyright (c) 2005 Michael Bushkov <bushman@rsu.ru>
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD: src/usr.sbin/nscd/query.h,v 1.3 2007/09/27 12:30:11 bushman Exp $
+ */
+
+#ifndef __NSCD_QUERY_H__
+#define __NSCD_QUERY_H__
+
+#include <sys/types.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include "cachelib.h"
+#include "config.h"
+#include "protocol.h"
+
+struct query_state;
+struct configuration;
+struct configuration_entry;
+
+typedef	int (*query_process_func)(struct query_state *);
+typedef void (*query_destroy_func)(struct query_state *);
+typedef ssize_t (*query_read_func)(struct query_state *, void *, size_t);
+typedef ssize_t (*query_write_func)(struct query_state *, const void *, size_t);
+
+/*
+ * The query state structure contains the information to process all types of
+ * requests and to send all types of responses.
+ */
+struct query_state {
+	struct timeval creation_time;
+	struct timeval timeout;
+
+	struct comm_element request;
+	struct comm_element response;
+	struct configuration_entry *config_entry;
+	void	*mdata;
+
+	query_process_func process_func;	/* called on each event */
+	query_destroy_func destroy_func;	/* called on destroy */
+
+	/*
+	 * By substituting these functions we can opaquely send and received
+	 * very large buffers
+	 */
+	query_write_func write_func;		/* data write function */
+	query_read_func read_func;		/* data read function */
+
+	char	*eid_str;	/* the user-identifying string (euid_egid_) */
+	size_t	eid_str_length;
+
+	uid_t	euid;	/* euid of the caller, received via getpeereid */
+	uid_t	uid;	/* uid of the caller, received via credentials */
+	gid_t	egid;	/* egid of the caller, received via getpeereid */
+	gid_t	gid;	/* gid of the caller received via credentials */
+
+	size_t	io_buffer_size;
+	size_t	io_buffer_watermark;
+	size_t	kevent_watermark;	/* bytes to be sent/received */
+	int	sockfd;			/* the unix socket to read/write */
+	int	kevent_filter;	/* EVFILT_READ or EVFILT_WRITE */
+	int socket_failed; /* set to 1 if the socket doesn't work correctly */
+
+	/*
+	 * These fields are used to opaquely proceed sending/receiving of
+	 * the large buffers
+	 */
+	char	*io_buffer;
+	char	*io_buffer_p;
+	int	io_buffer_filter;
+	int	use_alternate_io;
+};
+
+extern int check_query_eids(struct query_state *);
+
+extern ssize_t query_io_buffer_read(struct query_state *, void *, size_t);
+extern ssize_t query_io_buffer_write(struct query_state *, const void *,
+	size_t);
+
+extern ssize_t query_socket_read(struct query_state *, void *, size_t);
+extern ssize_t query_socket_write(struct query_state *, const void *, size_t);
+
+extern struct query_state *init_query_state(int, size_t, uid_t, gid_t);
+extern void destroy_query_state(struct query_state *);
+
+#endif
diff --git a/lib/libc/net/getproto.c b/usr.sbin/nscd/singletons.c
similarity index 57%
copy from lib/libc/net/getproto.c
copy to usr.sbin/nscd/singletons.c
index e0a0085c50..65d313f593 100644
--- a/lib/libc/net/getproto.c
+++ b/usr.sbin/nscd/singletons.c
@@ -1,6 +1,6 @@
-/*
- * Copyright (c) 1983, 1993
- *	The Regents of the University of California.  All rights reserved.
+/*-
+ * Copyright (c) 2005 Michael Bushkov <bushman@rsu.ru>
+ * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -10,14 +10,11 @@
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
@@ -26,24 +23,12 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * @(#)getproto.c	8.1 (Berkeley) 6/4/93
- * $DragonFly: src/lib/libc/net/getproto.c,v 1.5 2005/11/13 02:04:47 swildner Exp $
+ * $FreeBSD: src/usr.sbin/nscd/singletons.c,v 1.2 2007/09/27 12:30:11 bushman Exp $
  */
 
-#include <netdb.h>
+#include "singletons.h"
 
-extern int _proto_stayopen;
-
-struct protoent *
-getprotobynumber(int proto)
-{
-	struct protoent *p;
-
-	setprotoent(_proto_stayopen);
-	while ( (p = getprotoent()) )
-		if (p->p_proto == proto)
-			break;
-	if (!_proto_stayopen)
-		endprotoent();
-	return (p);
-}
+struct configuration *s_configuration = NULL;
+cache s_cache = INVALID_CACHE;
+struct runtime_env *s_runtime_env = NULL;
+struct agent_table *s_agent_table = NULL;
diff --git a/lib/libc/net/getproto.c b/usr.sbin/nscd/singletons.h
similarity index 57%
copy from lib/libc/net/getproto.c
copy to usr.sbin/nscd/singletons.h
index e0a0085c50..9cbe66e111 100644
--- a/lib/libc/net/getproto.c
+++ b/usr.sbin/nscd/singletons.h
@@ -1,6 +1,6 @@
-/*
- * Copyright (c) 1983, 1993
- *	The Regents of the University of California.  All rights reserved.
+/*-
+ * Copyright (c) 2005 Michael Bushkov <bushman@rsu.ru>
+ * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -10,14 +10,11 @@
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. Neither the name of the University nor the names of its contributors
- *    may be used to endorse or promote products derived from this software
- *    without specific prior written permission.
  *
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
@@ -26,24 +23,25 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- * @(#)getproto.c	8.1 (Berkeley) 6/4/93
- * $DragonFly: src/lib/libc/net/getproto.c,v 1.5 2005/11/13 02:04:47 swildner Exp $
+ * $FreeBSD: src/usr.sbin/nscd/singletons.h,v 1.3 2007/09/27 12:30:11 bushman Exp $
  */
 
-#include <netdb.h>
+#ifndef __NSCD_SINGLETONS_H__
+#define __NSCD_SINGLETONS_H__
 
-extern int _proto_stayopen;
+#include "cachelib.h"
+#include "config.h"
+#include "agent.h"
 
-struct protoent *
-getprotobynumber(int proto)
-{
-	struct protoent *p;
+struct runtime_env {
+	int	queue;
+	int	sockfd;
+	int	finished;	/* for future use */
+};
 
-	setprotoent(_proto_stayopen);
-	while ( (p = getprotoent()) )
-		if (p->p_proto == proto)
-			break;
-	if (!_proto_stayopen)
-		endprotoent();
-	return (p);
-}
+extern struct configuration *s_configuration;
+extern cache s_cache;
+extern struct runtime_env *s_runtime_env;
+extern struct agent_table *s_agent_table;
+
+#endif
diff --git a/usr.sbin/pwd_mkdb/Makefile b/usr.sbin/pwd_mkdb/Makefile
index 30483f8fd7..9944ad2967 100644
--- a/usr.sbin/pwd_mkdb/Makefile
+++ b/usr.sbin/pwd_mkdb/Makefile
@@ -1,9 +1,14 @@
-#	$FreeBSD: src/usr.sbin/pwd_mkdb/Makefile,v 1.4.2.1 2001/04/25 12:10:40 ru Exp $
-#	$DragonFly: src/usr.sbin/pwd_mkdb/Makefile,v 1.2 2003/06/17 04:30:02 dillon Exp $
 #	@(#)Makefile	8.1 (Berkeley) 6/6/93
+# $FreeBSD: src/usr.sbin/pwd_mkdb/Makefile,v 1.10 2003/04/04 17:49:17 obrien Exp $
+# $DragonFly: src/usr.sbin/pwd_mkdb/Makefile,v 1.2 2003/06/17 04:30:02 dillon Exp $
+
+.PATH: ${.CURDIR}/../../lib/libc/gen		# for pw_scan.c
 
 PROG=	pwd_mkdb
-SRCS=	pw_scan.c pwd_mkdb.c
 MAN=	pwd_mkdb.8
+SRCS=	pw_scan.c pwd_mkdb.c
+
+WARNS?=	4
+CFLAGS+= -I${.CURDIR}/../../lib/libc/gen		# for pw_scan.h
 
 .include <bsd.prog.mk>
diff --git a/usr.sbin/pwd_mkdb/pwd_mkdb.8 b/usr.sbin/pwd_mkdb/pwd_mkdb.8
index 153c93000e..c0e53824fd 100644
--- a/usr.sbin/pwd_mkdb/pwd_mkdb.8
+++ b/usr.sbin/pwd_mkdb/pwd_mkdb.8
@@ -9,10 +9,6 @@
 .\" 2. Redistributions in binary form must reproduce the above copyright
 .\"    notice, this list of conditions and the following disclaimer in the
 .\"    documentation and/or other materials provided with the distribution.
-.\" 3. All advertising materials mentioning features or use of this software
-.\"    must display the following acknowledgement:
-.\"	This product includes software developed by the University of
-.\"	California, Berkeley and its contributors.
 .\" 4. Neither the name of the University nor the names of its contributors
 .\"    may be used to endorse or promote products derived from this software
 .\"    without specific prior written permission.
@@ -30,10 +26,10 @@
 .\" SUCH DAMAGE.
 .\"
 .\"	@(#)pwd_mkdb.8	8.1 (Berkeley) 6/6/93
-.\" $FreeBSD: src/usr.sbin/pwd_mkdb/pwd_mkdb.8,v 1.15.2.4 2003/03/11 22:31:31 trhodes Exp $
+.\" $FreeBSD: src/usr.sbin/pwd_mkdb/pwd_mkdb.8,v 1.26 2005/02/28 21:05:30 ru Exp $
 .\" $DragonFly: src/usr.sbin/pwd_mkdb/pwd_mkdb.8,v 1.3 2006/02/17 19:40:22 swildner Exp $
 .\"
-.Dd June 6, 1993
+.Dd February 28, 2005
 .Dt PWD_MKDB 8
 .Os
 .Sh NAME
@@ -41,9 +37,7 @@
 .Nd "generate the password databases"
 .Sh SYNOPSIS
 .Nm
-.Op Fl C
-.Op Fl N
-.Op Fl p
+.Op Fl BCiLNp
 .Op Fl d Ar directory
 .Op Fl s Ar cachesize
 .Op Fl u Ar username
@@ -68,34 +62,53 @@ different from the historic Version 7 style format.
 .Pp
 The options are as follows:
 .Bl -tag -width flag
+.It Fl B
+Store data in big-endian format.
 .It Fl C
 Check if the password file is in the correct format.
 Do not
 change, add, or remove any files.
+.It Fl L
+Store data in little-endian format.
 .It Fl N
 Tell
 .Nm
-to exit with an error if it cannot obtain a lock on the file.  By default,
-we block waiting for a lock on the source file.  The lock is held through
+to exit with an error if it cannot obtain a lock on the file.
+By default,
+we block waiting for a lock on the source file.
+The lock is held through
 the rebuilding of the database.
 .It Fl p
 Create a Version 7 style password file and install it into
 .Pa /etc/passwd .
+.It Fl i
+Ignore locking failure of the
+.Pa master.passwd
+file.
+This option is intended to be used to build password files in
+the release process over NFS where no contention can happen.
+A non-default directory must also be specified with the
+.Fl d
+option for locking to be ignored.
+Other use of this option is strongly discouraged.
 .It Fl d Ar directory
 Store databases into specified destination directory instead of
 .Pa /etc .
 .It Fl u Ar username
-Only update the record for the specified user.  Utilities that
+Only update the record for the specified user.
+Utilities that
 operate on a single user can use this option to avoid the
 overhead of rebuilding the entire database.
 .It Fl s Ar cachesize
 Specify in megabytes the size of the memory cache used by the
-hashing library.  On systems with a large user base, a small cache
+hashing library.
+On systems with a large user base, a small cache
 size can lead to prohibitively long database file rebuild times.
 As a rough guide, the memory usage of
 .Nm
 in megabytes will be a little bit more than twice the figure
-specified here.  The default is 2 megabytes.
+specified here.
+The default is 2 megabytes.
 .El
 .Pp
 The two databases differ in that the secure version contains the user's
diff --git a/usr.sbin/pwd_mkdb/pwd_mkdb.c b/usr.sbin/pwd_mkdb/pwd_mkdb.c
index 30881afa04..8e0bdfa76c 100644
--- a/usr.sbin/pwd_mkdb/pwd_mkdb.c
+++ b/usr.sbin/pwd_mkdb/pwd_mkdb.c
@@ -10,10 +10,6 @@
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
  *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *	This product includes software developed by the University of
- *	California, Berkeley and its contributors.
  * 4. Neither the name of the University nor the names of its contributors
  *    may be used to endorse or promote products derived from this software
  *    without specific prior written permission.
@@ -32,12 +28,14 @@
  *
  * @(#) Copyright (c) 1991, 1993, 1994 The Regents of the University of California.  All rights reserved.
  * @(#)pwd_mkdb.c	8.5 (Berkeley) 4/20/94
- * $FreeBSD: src/usr.sbin/pwd_mkdb/pwd_mkdb.c,v 1.35 2000/03/09 18:11:16 paul Exp $
+ * $FreeBSD: src/usr.sbin/pwd_mkdb/pwd_mkdb.c,v 1.51 2005/06/15 10:13:04 dd Exp $
  * $DragonFly: src/usr.sbin/pwd_mkdb/pwd_mkdb.c,v 1.5 2005/12/05 02:40:27 swildner Exp $
  */
 
 #include <sys/param.h>
+#include <sys/endian.h>
 #include <sys/stat.h>
+#include <arpa/inet.h>
 
 #include <db.h>
 #include <err.h>
@@ -57,6 +55,8 @@
 #define	SECURE		2
 #define	PERM_INSECURE	(S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH)
 #define	PERM_SECURE	(S_IRUSR|S_IWUSR)
+#define LEGACY_VERSION(x)  _PW_VERSIONED(x, 3)
+#define CURRENT_VERSION(x) _PW_VERSIONED(x, 4)
 
 HASHINFO openinfo = {
 	4096,		/* bsize */
@@ -64,7 +64,7 @@ HASHINFO openinfo = {
 	256,		/* nelem */
 	2048 * 1024,	/* cachesize */
 	NULL,		/* hash() */
-	0		/* lorder */
+	BYTE_ORDER	/* lorder */
 };
 
 static enum state { FILE_INSECURE, FILE_SECURE, FILE_ORIG } clean;
@@ -76,7 +76,7 @@ static int is_comment;	/* flag for comments */
 static char line[LINE_MAX];
 
 void	cleanup(void);
-void	error(char *);
+void	error(const char *);
 void	cp(char *, char *, mode_t mode);
 void	mv(char *, char *);
 int	scan(FILE *, struct passwd *);
@@ -85,32 +85,51 @@ static void	usage(void);
 int
 main(int argc, char *argv[])
 {
+	static char verskey[] = _PWD_VERSION_KEY;
+	char version = _PWD_CURRENT_VERSION;
 	DB *dp, *sdp, *pw_db;
 	DBT data, sdata, key;
 	FILE *fp, *oldfp;
 	sigset_t set;
-	int ch, cnt, ypcnt, len, makeold, tfd, yp_enabled = 0;
-	char *p, *t;
+	int ch, cnt, ypcnt, makeold, tfd, yp_enabled = 0;
+	unsigned int len;
+	uint32_t store;
+	const char *t;
+	char *p;
 	char buf[MAX(MAXPATHLEN, LINE_MAX * 2)], tbuf[1024];
 	char sbuf[MAX(MAXPATHLEN, LINE_MAX * 2)];
 	char buf2[MAXPATHLEN];
 	char sbuf2[MAXPATHLEN];
 	char *username;
 	u_int method, methoduid;
-	int Cflag;
+	int Cflag, dflag, iflag;
 	int nblock = 0;
 
-	Cflag = 0;
+	iflag = dflag = Cflag = 0;
 	strcpy(prefix, _PATH_PWD);
 	makeold = 0;
 	username = NULL;
-	while ((ch = getopt(argc, argv, "Cd:ps:u:vN")) != -1)
+	oldfp = NULL;
+	while ((ch = getopt(argc, argv, "BCLNd:ips:u:v")) != -1)
 		switch(ch) {
+		case 'B':			/* big-endian output */
+			openinfo.lorder = BIG_ENDIAN;
+			break;
 		case 'C':                       /* verify only */
 			Cflag = 1;
 			break;
+		case 'L':			/* little-endian output */
+			openinfo.lorder = LITTLE_ENDIAN;
+			break;
+		case 'N':			/* do not wait for lock	*/
+			nblock = LOCK_NB;	/* will fail if locked */
+			break;
 		case 'd':
-			strncpy(prefix, optarg, sizeof prefix - 1);
+			dflag++;
+			strlcpy(prefix, optarg, sizeof(prefix));
+			break;
+		case 'i':
+			iflag++;
 			break;
 		case 'p':			/* create V7 "file.orig" */
 			makeold = 1;
@@ -123,9 +142,6 @@ main(int argc, char *argv[])
 			break;
 		case 'v':                       /* backward compatible */
 			break;
-		case 'N':			/* do not wait for lock	*/
-			nblock = LOCK_NB;
-			break;
 		default:
 			usage();
 		}
@@ -159,14 +175,14 @@ main(int argc, char *argv[])
 	 *
 	 * This lock is necessary when someone runs pwd_mkdb manually, directly
 	 * on master.passwd, to handle the case where a user might try to
-	 * change his password while pwd_mkdb is running. 
+	 * change his password while pwd_mkdb is running.
 	 */
 	for (;;) {
 		struct stat st;
 
 		if (!(fp = fopen(pname, "r")))
 			error(pname);
-		if (flock(fileno(fp), LOCK_EX|nblock) < 0)
+		if (flock(fileno(fp), LOCK_EX|nblock) < 0 && !(dflag && iflag))
 			error("flock");
 		if (fstat(fileno(fp), &st) < 0)
 			error(pname);
@@ -186,6 +202,8 @@ main(int argc, char *argv[])
 	snprintf(buf, sizeof(buf), "%s/%s.tmp", prefix, _MP_DB);
 	snprintf(sbuf, sizeof(sbuf), "%s/%s.tmp", prefix, _SMP_DB);
 	if (username) {
+		int use_version;
+
 		snprintf(buf2, sizeof(buf2), "%s/%s", prefix, _MP_DB);
 		snprintf(sbuf2, sizeof(sbuf2), "%s/%s", prefix, _SMP_DB);
 
@@ -204,14 +222,21 @@ main(int argc, char *argv[])
 			error(sbuf);
 
 		/*
-		 * Do some trouble to check if we should store this users 
-		 * uid. Don't use getpwnam/getpwuid as that interferes 
+		 * Do some trouble to check if we should store this users
+		 * uid. Don't use getpwnam/getpwuid as that interferes
 		 * with NIS.
 		 */
 		pw_db = dbopen(_PATH_MP_DB, O_RDONLY, 0, DB_HASH, NULL);
 		if (!pw_db)
 			error(_MP_DB);
-		buf[0] = _PW_KEYBYNAME;
+
+		key.data = verskey;
+		key.size = sizeof(verskey)-1;
+		if ((pw_db->get)(pw_db, &key, &data, 0) == 0)
+			use_version = *(unsigned char *)data.data;
+		else
+			use_version = 3;
+		buf[0] = _PW_VERSIONED(_PW_KEYBYNAME, use_version);
 		len = strlen(username);
 
 		/* Only check that username fits in buffer */
@@ -227,10 +252,10 @@ main(int argc, char *argv[])
 			while (*p++)
 				;
 
-			buf[0] = _PW_KEYBYUID;
-			memmove(buf + 1, p, sizeof(int));
+			buf[0] = _PW_VERSIONED(_PW_KEYBYUID, use_version);
+			memmove(buf + 1, p, sizeof(store));
 			key.data = (u_char *)buf;
-			key.size = sizeof(int) + 1;
+			key.size = sizeof(store) + 1;
 
 			if ((pw_db->get)(pw_db, &key, &data, 0) == 0) {
 				/* First field of data.data holds pw_pwname */
@@ -292,6 +317,26 @@ main(int argc, char *argv[])
 	 * original file prepended by the _PW_KEYBYNUM character.  (The special
 	 * characters are prepended to ensure that the keys do not collide.)
 	 */
+	/* In order to transition this file into a machine-independent
+	 * form, we have to change the format of entries.  However, since
+	 * older binaries will still expect the old MD format entries, we
+	 * create those as usual and use versioned tags for the new entries.
+	 */
+	if (username == NULL) {
+		/* Do not add the VERSION tag when updating a single
+		 * user.  When operating on `old format' databases, this
+		 * would result in applications `seeing' only the updated
+		 * entries.
+		 */
+		key.data = verskey;
+		key.size = sizeof(verskey)-1;
+		data.data = &version;
+		data.size = 1;
+		if ((dp->put)(dp, &key, &data, 0) == -1)
+			error("put");
+		if ((dp->put)(sdp, &key, &data, 0) == -1)
+			error("put");
+	}
 	ypcnt = 1;
 	data.data = (u_char *)buf;
 	sdata.data = (u_char *)sbuf;
@@ -303,50 +348,140 @@ main(int argc, char *argv[])
 		if (is_comment)
 			--cnt;
 #define	COMPACT(e)	t = e; while ((*p++ = *t++));
+#define SCALAR(e)	store = htonl((uint32_t)(e));      \
+			memmove(p, &store, sizeof(store)); \
+			p += sizeof(store);
+#define	LSCALAR(e)	store = HTOL((uint32_t)(e));       \
+			memmove(p, &store, sizeof(store)); \
+			p += sizeof(store);
+#define	HTOL(e)		(openinfo.lorder == BYTE_ORDER ? \
+			(uint32_t)(e) : \
+			bswap32((uint32_t)(e)))
 		if (!is_comment && 
 		    (!username || (strcmp(username, pwd.pw_name) == 0))) {
 			/* Create insecure data. */
 			p = buf;
 			COMPACT(pwd.pw_name);
 			COMPACT("*");
-			memmove(p, &pwd.pw_uid, sizeof(pwd.pw_uid));
-			p += sizeof(int);
-			memmove(p, &pwd.pw_gid, sizeof(pwd.pw_gid));
-			p += sizeof(int);
-			memmove(p, &pwd.pw_change, sizeof(time_t));
-			p += sizeof(time_t);
+			SCALAR(pwd.pw_uid);
+			SCALAR(pwd.pw_gid);
+			SCALAR(pwd.pw_change);
 			COMPACT(pwd.pw_class);
 			COMPACT(pwd.pw_gecos);
 			COMPACT(pwd.pw_dir);
 			COMPACT(pwd.pw_shell);
-			memmove(p, &pwd.pw_expire, sizeof(time_t));
-			p += sizeof(time_t);
-			memmove(p, &pwd.pw_fields, sizeof pwd.pw_fields);
-			p += sizeof pwd.pw_fields;
+			SCALAR(pwd.pw_expire);
+			SCALAR(pwd.pw_fields);
 			data.size = p - buf;
 
 			/* Create secure data. */
 			p = sbuf;
 			COMPACT(pwd.pw_name);
 			COMPACT(pwd.pw_passwd);
-			memmove(p, &pwd.pw_uid, sizeof(pwd.pw_uid));
-			p += sizeof(int);
-			memmove(p, &pwd.pw_gid, sizeof(pwd.pw_gid));
-			p += sizeof(int);
-			memmove(p, &pwd.pw_change, sizeof(time_t));
-			p += sizeof(time_t);
+			SCALAR(pwd.pw_uid);
+			SCALAR(pwd.pw_gid);
+			SCALAR(pwd.pw_change);
+			COMPACT(pwd.pw_class);
+			COMPACT(pwd.pw_gecos);
+			COMPACT(pwd.pw_dir);
+			COMPACT(pwd.pw_shell);
+			SCALAR(pwd.pw_expire);
+			SCALAR(pwd.pw_fields);
+			sdata.size = p - sbuf;
+
+			/* Store insecure by name. */
+			tbuf[0] = CURRENT_VERSION(_PW_KEYBYNAME);
+			len = strlen(pwd.pw_name);
+			memmove(tbuf + 1, pwd.pw_name, len);
+			key.size = len + 1;
+			if ((dp->put)(dp, &key, &data, method) == -1)
+				error("put");
+
+			/* Store insecure by number. */
+			tbuf[0] = CURRENT_VERSION(_PW_KEYBYNUM);
+			store = htonl(cnt);
+			memmove(tbuf + 1, &store, sizeof(store));
+			key.size = sizeof(store) + 1;
+			if ((dp->put)(dp, &key, &data, method) == -1)
+				error("put");
+
+			/* Store insecure by uid. */
+			tbuf[0] = CURRENT_VERSION(_PW_KEYBYUID);
+			store = htonl(pwd.pw_uid);
+			memmove(tbuf + 1, &store, sizeof(store));
+			key.size = sizeof(store) + 1;
+			if ((dp->put)(dp, &key, &data, methoduid) == -1)
+				error("put");
+
+			/* Store secure by name. */
+			tbuf[0] = CURRENT_VERSION(_PW_KEYBYNAME);
+			len = strlen(pwd.pw_name);
+			memmove(tbuf + 1, pwd.pw_name, len);
+			key.size = len + 1;
+			if ((sdp->put)(sdp, &key, &sdata, method) == -1)
+				error("put");
+
+			/* Store secure by number. */
+			tbuf[0] = CURRENT_VERSION(_PW_KEYBYNUM);
+			store = htonl(cnt);
+			memmove(tbuf + 1, &store, sizeof(store));
+			key.size = sizeof(store) + 1;
+			if ((sdp->put)(sdp, &key, &sdata, method) == -1)
+				error("put");
+
+			/* Store secure by uid. */
+			tbuf[0] = CURRENT_VERSION(_PW_KEYBYUID);
+			store = htonl(pwd.pw_uid);
+			memmove(tbuf + 1, &store, sizeof(store));
+			key.size = sizeof(store) + 1;
+			if ((sdp->put)(sdp, &key, &sdata, methoduid) == -1)
+				error("put");
+
+			/* Store insecure and secure special plus and special minus */
+			if (pwd.pw_name[0] == '+' || pwd.pw_name[0] == '-') {
+				tbuf[0] = CURRENT_VERSION(_PW_KEYYPBYNUM);
+				store = htonl(ypcnt);
+				memmove(tbuf + 1, &store, sizeof(store));
+				ypcnt++;
+				key.size = sizeof(store) + 1;
+				if ((dp->put)(dp, &key, &data, method) == -1)
+					error("put");
+				if ((sdp->put)(sdp, &key, &sdata, method) == -1)
+					error("put");
+			}
+
+			/* Create insecure data. (legacy version) */
+			p = buf;
+			COMPACT(pwd.pw_name);
+			COMPACT("*");
+			LSCALAR(pwd.pw_uid);
+			LSCALAR(pwd.pw_gid);
+			LSCALAR(pwd.pw_change);
+			COMPACT(pwd.pw_class);
+			COMPACT(pwd.pw_gecos);
+			COMPACT(pwd.pw_dir);
+			COMPACT(pwd.pw_shell);
+			LSCALAR(pwd.pw_expire);
+			LSCALAR(pwd.pw_fields);
+			data.size = p - buf;
+
+			/* Create secure data. (legacy version) */
+			p = sbuf;
+			COMPACT(pwd.pw_name);
+			COMPACT(pwd.pw_passwd);
+			LSCALAR(pwd.pw_uid);
+			LSCALAR(pwd.pw_gid);
+			LSCALAR(pwd.pw_change);
 			COMPACT(pwd.pw_class);
 			COMPACT(pwd.pw_gecos);
 			COMPACT(pwd.pw_dir);
 			COMPACT(pwd.pw_shell);
-			memmove(p, &pwd.pw_expire, sizeof(time_t));
-			p += sizeof(time_t);
-			memmove(p, &pwd.pw_fields, sizeof pwd.pw_fields);
-			p += sizeof pwd.pw_fields;
+			LSCALAR(pwd.pw_expire);
+			LSCALAR(pwd.pw_fields);
 			sdata.size = p - sbuf;
 
 			/* Store insecure by name. */
-			tbuf[0] = _PW_KEYBYNAME;
+			tbuf[0] = LEGACY_VERSION(_PW_KEYBYNAME);
 			len = strlen(pwd.pw_name);
 			memmove(tbuf + 1, pwd.pw_name, len);
 			key.size = len + 1;
@@ -354,21 +489,23 @@ main(int argc, char *argv[])
 				error("put");
 
 			/* Store insecure by number. */
-			tbuf[0] = _PW_KEYBYNUM;
-			memmove(tbuf + 1, &cnt, sizeof(cnt));
-			key.size = sizeof(cnt) + 1;
+			tbuf[0] = LEGACY_VERSION(_PW_KEYBYNUM);
+			store = HTOL(cnt);
+			memmove(tbuf + 1, &store, sizeof(store));
+			key.size = sizeof(store) + 1;
 			if ((dp->put)(dp, &key, &data, method) == -1)
 				error("put");
 
 			/* Store insecure by uid. */
-			tbuf[0] = _PW_KEYBYUID;
-			memmove(tbuf + 1, &pwd.pw_uid, sizeof(pwd.pw_uid));
-			key.size = sizeof(pwd.pw_uid) + 1;
+			tbuf[0] = LEGACY_VERSION(_PW_KEYBYUID);
+			store = HTOL(pwd.pw_uid);
+			memmove(tbuf + 1, &store, sizeof(store));
+			key.size = sizeof(store) + 1;
 			if ((dp->put)(dp, &key, &data, methoduid) == -1)
 				error("put");
 
 			/* Store secure by name. */
-			tbuf[0] = _PW_KEYBYNAME;
+			tbuf[0] = LEGACY_VERSION(_PW_KEYBYNAME);
 			len = strlen(pwd.pw_name);
 			memmove(tbuf + 1, pwd.pw_name, len);
 			key.size = len + 1;
@@ -376,25 +513,28 @@ main(int argc, char *argv[])
 				error("put");
 
 			/* Store secure by number. */
-			tbuf[0] = _PW_KEYBYNUM;
-			memmove(tbuf + 1, &cnt, sizeof(cnt));
-			key.size = sizeof(cnt) + 1;
+			tbuf[0] = LEGACY_VERSION(_PW_KEYBYNUM);
+			store = HTOL(cnt);
+			memmove(tbuf + 1, &store, sizeof(store));
+			key.size = sizeof(store) + 1;
 			if ((sdp->put)(sdp, &key, &sdata, method) == -1)
 				error("put");
 
 			/* Store secure by uid. */
-			tbuf[0] = _PW_KEYBYUID;
-			memmove(tbuf + 1, &pwd.pw_uid, sizeof(pwd.pw_uid));
-			key.size = sizeof(pwd.pw_uid) + 1;
+			tbuf[0] = LEGACY_VERSION(_PW_KEYBYUID);
+			store = HTOL(pwd.pw_uid);
+			memmove(tbuf + 1, &store, sizeof(store));
+			key.size = sizeof(store) + 1;
 			if ((sdp->put)(sdp, &key, &sdata, methoduid) == -1)
 				error("put");
 
 			/* Store insecure and secure special plus and special minus */
 			if (pwd.pw_name[0] == '+' || pwd.pw_name[0] == '-') {
-				tbuf[0] = _PW_KEYYPBYNUM;
-				memmove(tbuf + 1, &ypcnt, sizeof(cnt));
+				tbuf[0] = LEGACY_VERSION(_PW_KEYYPBYNUM);
+				store = HTOL(ypcnt);
+				memmove(tbuf + 1, &store, sizeof(store));
 				ypcnt++;
-				key.size = sizeof(cnt) + 1;
+				key.size = sizeof(store) + 1;
 				if ((dp->put)(dp, &key, &data, method) == -1)
 					error("put");
 				if ((sdp->put)(sdp, &key, &sdata, method) == -1)
@@ -423,7 +563,13 @@ main(int argc, char *argv[])
 	if (yp_enabled) {
 		buf[0] = yp_enabled + 2;
 		data.size = 1;
-		tbuf[0] = _PW_KEYYPENABLED;
+		key.size = 1;
+		tbuf[0] = CURRENT_VERSION(_PW_KEYYPENABLED);
+		if ((dp->put)(dp, &key, &data, method) == -1)
+			error("put");
+		if ((sdp->put)(sdp, &key, &data, method) == -1)
+			error("put");
+		tbuf[0] = LEGACY_VERSION(_PW_KEYYPENABLED);
 		key.size = 1;
 		if ((dp->put)(dp, &key, &data, method) == -1)
 			error("put");
@@ -478,9 +624,11 @@ int
 scan(FILE *fp, struct passwd *pw)
 {
 	static int lcnt;
+	size_t len;
 	char *p;
 
-	if (!fgets(line, sizeof(line), fp))
+	p = fgetln(fp, &len);
+	if (p == NULL)
 		return (0);
 	++lcnt;
 	/*
@@ -488,12 +636,14 @@ scan(FILE *fp, struct passwd *pw)
 	 * throat...''
 	 *	-- The Who
 	 */
-	if (!(p = strchr(line, '\n'))) {
-		warnx("line too long");
+	if (len > 0 && p[len - 1] == '\n')
+		len--;
+	if (len >= sizeof(line) - 1) {
+		warnx("line #%d too long", lcnt);
 		goto fmt;
-
 	}
-	*p = '\0';
+	memcpy(line, p, len);
+	line[len] = '\0';
 
 	/* 
 	 * Ignore comments: ^[ \t]*#
@@ -507,7 +657,7 @@ scan(FILE *fp, struct passwd *pw)
 	} else
 		is_comment = 0;
 
-	if (!pw_scan(line, pw)) {
+	if (!__pw_scan(line, pw, _PWSCAN_WARN|_PWSCAN_MASTER)) {
 		warnx("at line #%d", lcnt);
 fmt:		errno = EFTYPE;	/* XXX */
 		error(pname);
@@ -516,9 +666,9 @@ fmt:		errno = EFTYPE;	/* XXX */
 	return (1);
 }
 
-void                    
-cp(char *from, char *to, mode_t mode)              
-{               
+void
+cp(char *from, char *to, mode_t mode)
+{
 	static char buf[MAXBSIZE];
 	int from_fd, rcount, to_fd, wcount;
 
@@ -560,8 +710,9 @@ mv(char *from, char *to)
 }
 
 void
-error(char *name)
+error(const char *name)
 {
+
 	warn("%s", name);
 	cleanup();
 	exit(1);
@@ -592,6 +743,6 @@ usage(void)
 {
 
 	fprintf(stderr,
-"usage: pwd_mkdb [-C] [-N] [-p] [-d <dest dir>] [-s <cachesize>] [-u <local username>] file\n");
+"usage: pwd_mkdb [-BCiLNp] [-d directory] [-s cachesize] [-u username] file\n");
 	exit(1);
 }
diff --git a/usr.sbin/rarpd/Makefile b/usr.sbin/rarpd/Makefile
index 706d4169d3..7198e92a46 100644
--- a/usr.sbin/rarpd/Makefile
+++ b/usr.sbin/rarpd/Makefile
@@ -5,6 +5,4 @@
 PROG=	rarpd
 MAN=	rarpd.8
 
-CFLAGS+= -DTFTP_DIR=\"/tftpboot\"
-
 .include <bsd.prog.mk>
diff --git a/usr.sbin/rarpd/rarpd.8 b/usr.sbin/rarpd/rarpd.8
index 895c8ba807..9ea3ab0337 100644
--- a/usr.sbin/rarpd/rarpd.8
+++ b/usr.sbin/rarpd/rarpd.8
@@ -1,6 +1,3 @@
-.\" @(#) $FreeBSD: src/usr.sbin/rarpd/rarpd.8,v 1.9.2.5 2002/12/01 19:19:34 dwmalone Exp $ (LBL)
-.\" @(#) $DragonFly: src/usr.sbin/rarpd/rarpd.8,v 1.2 2003/06/17 04:30:02 dillon Exp $ (LBL)
-.\"
 .\" Copyright (c) 1990, 1991, 1993 The Regents of the University of
 .\" California. All rights reserved.
 .\"
@@ -9,10 +6,7 @@
 .\" retain the above copyright notice and this paragraph in its entirety, (2)
 .\" distributions including binary code include the above copyright notice and
 .\" this paragraph in its entirety in the documentation or other materials
-.\" provided with the distribution, and (3) all advertising materials mentioning
-.\" features or use of this software display the following acknowledgement:
-.\" ``This product includes software developed by the University of California,
-.\" Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
+.\" provided with the distribution.  Neither the name of
 .\" the University nor the names of its contributors may be used to endorse
 .\" or promote products derived from this software without specific prior
 .\" written permission.
@@ -20,6 +14,9 @@
 .\" WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
 .\" MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
 .\"
+.\" $FreeBSD: src/usr.sbin/rarpd/rarpd.8,v 1.22 2005/02/09 18:04:41 ru Exp $
+.\" $DragonFly: src/usr.sbin/rarpd/rarpd.8,v 1.2 2003/06/17 04:30:02 dillon Exp $
+.\"
 .Dd November 16, 2001
 .Dt RARPD 8
 .Os
@@ -28,9 +25,13 @@
 .Nd reverse ARP daemon
 .Sh SYNOPSIS
 .Nm
-.Op Fl adfsv
+.Fl a
+.Op Fl dfsv
+.Op Fl t Ar directory
+.Nm
+.Op Fl dfsv
 .Op Fl t Ar directory
-.Op Ar interface
+.Ar interface
 .Sh DESCRIPTION
 The
 .Nm
@@ -142,7 +143,7 @@ If this name is not in the DNS but is in
 .Pa /etc/hosts ,
 the DNS lookup can cause a delayed RARP response, so in this situation
 it is recommended to configure
-.Pa /etc/host.conf
+.Xr nsswitch.conf 5
 to read
 .Pa /etc/hosts
 first.
diff --git a/usr.sbin/rarpd/rarpd.c b/usr.sbin/rarpd/rarpd.c
index 5eb8971753..b52f410b54 100644
--- a/usr.sbin/rarpd/rarpd.c
+++ b/usr.sbin/rarpd/rarpd.c
@@ -7,27 +7,22 @@
  * retain the above copyright notice and this paragraph in its entirety, (2)
  * distributions including binary code include the above copyright notice and
  * this paragraph in its entirety in the documentation or other materials
- * provided with the distribution, and (3) all advertising materials mentioning
- * features or use of this software display the following acknowledgement:
- * ``This product includes software developed by the University of California,
- * Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
- * the University nor the names of its contributors may be used to endorse
- * or promote products derived from this software without specific prior
- * written permission.
+ * provided with the distribution
+ *
  * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
  * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
  *
  * @(#) Copyright (c) 1990, 1991, 1992, 1993, 1996 The Regents of the University of California.  All rights reserved.
- * $FreeBSD: src/usr.sbin/rarpd/rarpd.c,v 1.23.2.4 2002/12/01 19:19:34 dwmalone Exp $
+ * $FreeBSD: src/usr.sbin/rarpd/rarpd.c,v 1.41 2004/08/07 04:28:54 imp Exp $
  * $DragonFly: src/usr.sbin/rarpd/rarpd.c,v 1.4 2004/12/18 22:48:05 swildner Exp $
  */
 
 /*
  * rarpd - Reverse ARP Daemon
  *
- * Usage:	rarpd -a [ -dfsv ] [-t directory] [ hostname ]
- *		rarpd [ -dfsv ] [-t directory] interface [ hostname ]
+ * Usage:	rarpd -a [-dfsv] [-t directory] [hostname]
+ *		rarpd [-dfsv] [-t directory] interface [hostname]
  *
  * 'hostname' is optional solely for backwards compatibility with Sun's rarpd.
  * Currently, the argument is ignored.
@@ -50,7 +45,9 @@
 
 #include <arpa/inet.h>
 
+#include <dirent.h>
 #include <errno.h>
+#include <ifaddrs.h>
 #include <netdb.h>
 #include <stdarg.h>
 #include <stdio.h>
@@ -59,59 +56,27 @@
 #include <stdlib.h>
 #include <unistd.h>
 
-#if defined(SUNOS4) || defined(__DragonFly__) /* XXX */
-#define HAVE_DIRENT_H
-#endif
-
-#ifdef HAVE_DIRENT_H
-#include <dirent.h>
-#else
-#include <sys/dir.h>
-#endif
-
-/* Cast a struct sockaddr to a structaddr_in */
+/* Cast a struct sockaddr to a struct sockaddr_in */
 #define SATOSIN(sa) ((struct sockaddr_in *)(sa))
 
 #ifndef TFTP_DIR
 #define TFTP_DIR "/tftpboot"
 #endif
 
-#if BSD >= 199200
 #define ARPSECS (20 * 60)		/* as per code in netinet/if_ether.c */
 #define REVARP_REQUEST ARPOP_REVREQUEST
 #define REVARP_REPLY ARPOP_REVREPLY
-#endif
-
-#ifndef ETHERTYPE_REVARP
-#define ETHERTYPE_REVARP 0x8035
-#define REVARP_REQUEST 3
-#define REVARP_REPLY 4
-#endif
-
-/*
- * Map field names in ether_arp struct.  What a pain in the neck.
- */
-#ifdef SUNOS3
-#undef arp_sha
-#undef arp_spa
-#undef arp_tha
-#undef arp_tpa
-#define arp_sha arp_xsha
-#define arp_spa arp_xspa
-#define arp_tha arp_xtha
-#define arp_tpa arp_xtpa
-#endif
 
 /*
  * The structure for each interface.
  */
 struct if_info {
-	struct	if_info *ii_next;
-	int	ii_fd;		/* BPF file descriptor */
-	u_long	ii_ipaddr;	/* IP address of this interface */
-	u_long	ii_netmask;	/* subnet or net mask */
-	u_char	ii_eaddr[6];	/* Ethernet address of this interface */
-	char ii_ifname[sizeof(((struct ifreq *)0)->ifr_name) + 1];
+	struct if_info	*ii_next;
+	int		ii_fd;			/* BPF file descriptor */
+	in_addr_t	ii_ipaddr;		/* IP address */
+	in_addr_t	ii_netmask;		/* subnet or net mask */
+	u_char		ii_eaddr[ETHER_ADDR_LEN];	/* ethernet address */
+	char		ii_ifname[IF_NAMESIZE];
 };
 
 /*
@@ -121,7 +86,6 @@ struct if_info {
 struct if_info *iflist;
 
 int verbose;			/* verbose messages */
-int s;				/* inet datagram socket */
 const char *tftp_dir = TFTP_DIR;	/* tftp directory */
 
 int dflag;			/* messages to stdout/stderr, not syslog(3) */
@@ -130,22 +94,22 @@ int sflag;			/* ignore /tftpboot */
 static	u_char zero[6];
 
 static int	bpf_open(void);
-static u_long	choose_ipaddr(u_long **, u_long, u_long);
+static in_addr_t	choose_ipaddr(in_addr_t **, in_addr_t, in_addr_t);
 static char	*eatoa(u_char *);
 static int	expand_syslog_m(const char *fmt, char **newfmt);
 static void	init(char *);
-static void	init_one(struct ifreq *, char *);
-static char	*intoa(u_long);
-static u_long	ipaddrtonetmask(u_long);
+static void	init_one(struct ifaddrs *, char *, int);
+static char	*intoa(in_addr_t);
+static in_addr_t	ipaddrtonetmask(in_addr_t);
 static void	logmsg(int, const char *, ...) __printflike(2, 3);
-static int	rarp_bootable(u_long);
+static int	rarp_bootable(in_addr_t);
 static int	rarp_check(u_char *, u_int);
 static void	rarp_loop(void);
 static int	rarp_open(char *);
 static void	rarp_process(struct if_info *, u_char *, u_int);
 static void	rarp_reply(struct if_info *, struct ether_header *,
-		u_long, u_int);
-static void	update_arptab(u_char *, u_long);
+		in_addr_t, u_int);
+static void	update_arptab(u_char *, in_addr_t);
 static void	usage(void);
 
 int
@@ -170,7 +134,7 @@ main(int argc, char *argv[])
 	openlog(name, LOG_PID | LOG_CONS, LOG_DAEMON);
 
 	opterr = 0;
-	while ((op = getopt(argc, argv, "adfst:v")) != -1) {
+	while ((op = getopt(argc, argv, "adfst:v")) != -1)
 		switch (op) {
 		case 'a':
 			++aflag;
@@ -200,16 +164,16 @@ main(int argc, char *argv[])
 			usage();
 			/* NOTREACHED */
 		}
-	}
-	ifname = argv[optind++];
-	hostname =  ifname ? argv[optind] : NULL;
+	argc -= optind;
+	argv += optind;
+
+	ifname = (aflag == 0) ? argv[0] : NULL;
+	hostname = ifname ? argv[1] : argv[0];
+
 	if ((aflag && ifname) || (!aflag && ifname == NULL))
 		usage();
 
-	if (aflag)
-		init(NULL);
-	else
-		init(ifname);
+	init(ifname);
 
 	if (!fflag) {
 		if (daemon(0,0)) {
@@ -224,49 +188,42 @@ main(int argc, char *argv[])
 /*
  * Add to the interface list.
  */
-void
-init_one(struct ifreq *ifrp, char *target)
+static void
+init_one(struct ifaddrs *ifa, char *target, int pass1)
 {
-	struct if_info *ii;
+	struct if_info *ii, *ii2;
 	struct sockaddr_dl *ll;
 	int family;
-	struct ifreq ifr;
 
-	family = ifrp->ifr_addr.sa_family;
+	family = ifa->ifa_addr->sa_family;
 	switch (family) {
-
 	case AF_INET:
-#if BSD >= 199100
+		if (pass1)
+			/* Consider only AF_LINK during pass1. */
+			return;
+		/* FALLTHROUGH */
 	case AF_LINK:
-#endif
-		strncpy(ifr.ifr_name, ifrp->ifr_name, sizeof(ifrp->ifr_name));
-		if (ioctl(s, SIOCGIFFLAGS, (char *)&ifr) == -1) {
-			logmsg(LOG_ERR,
-			    "SIOCGIFFLAGS: %.*s: %m",
-				(int)sizeof(ifrp->ifr_name), ifrp->ifr_name);
-			exit(1);
-		}
-		if ((ifr.ifr_flags & IFF_UP) == 0 ||
-		    (ifr.ifr_flags & (IFF_LOOPBACK | IFF_POINTOPOINT)) != 0)
+		if (!(ifa->ifa_flags & IFF_UP) ||
+		    (ifa->ifa_flags & (IFF_LOOPBACK | IFF_POINTOPOINT)))
 			return;
 		break;
-
-
 	default:
 		return;
 	}
 
 	/* Don't bother going any further if not the target interface */
-	if (target != NULL &&
-	    strncmp(ifrp->ifr_name, target, sizeof(ifrp->ifr_name)) != 0)
+	if (target != NULL && strcmp(ifa->ifa_name, target) != 0)
 		return;
 
 	/* Look for interface in list */
 	for (ii = iflist; ii != NULL; ii = ii->ii_next)
-		if (strncmp(ifrp->ifr_name, ii->ii_ifname,
-		    sizeof(ifrp->ifr_name)) == 0)
+		if (strcmp(ifa->ifa_name, ii->ii_ifname) == 0)
 			break;
 
+	if (pass1 && ii != NULL)
+		/* We've already seen that interface once. */
+		return;
+
 	/* Allocate a new one if not found */
 	if (ii == NULL) {
 		ii = (struct if_info *)malloc(sizeof(*ii));
@@ -276,90 +233,76 @@ init_one(struct ifreq *ifrp, char *target)
 		}
 		bzero(ii, sizeof(*ii));
 		ii->ii_fd = -1;
-		strncpy(ii->ii_ifname, ifrp->ifr_name, sizeof(ifrp->ifr_name));
-		ii->ii_ifname[sizeof(ii->ii_ifname) - 1] = '\0';
+		strlcpy(ii->ii_ifname, ifa->ifa_name, sizeof(ii->ii_ifname));
 		ii->ii_next = iflist;
 		iflist = ii;
+	} else if (!pass1 && ii->ii_ipaddr != 0) {
+		/*
+		 * Second AF_INET definition for that interface: clone
+		 * the existing one, and work on that cloned one.
+		 * This must be another IP address for this interface,
+		 * so avoid killing the previous configuration.
+		 */
+		ii2 = (struct if_info *)malloc(sizeof(*ii2));
+		if (ii2 == NULL) {
+			logmsg(LOG_ERR, "malloc: %m");
+			exit(1);
+		}
+		memcpy(ii2, ii, sizeof(*ii2));
+		ii2->ii_fd = -1;
+		ii2->ii_next = iflist;
+		iflist = ii2;
+
+		ii = ii2;
 	}
 
 	switch (family) {
-
 	case AF_INET:
-		if (ioctl(s, SIOCGIFADDR, (char *)&ifr) == -1) {
-			logmsg(LOG_ERR, "ipaddr SIOCGIFADDR: %s: %m",
-			    ii->ii_ifname);
-			exit(1);
-		}
-		ii->ii_ipaddr = SATOSIN(&ifr.ifr_addr)->sin_addr.s_addr;
-		if (ioctl(s, SIOCGIFNETMASK, (char *)&ifr) == -1) {
-			logmsg(LOG_ERR, "SIOCGIFNETMASK: %m");
-			exit(1);
-		}
-		ii->ii_netmask = SATOSIN(&ifr.ifr_addr)->sin_addr.s_addr;
+		ii->ii_ipaddr = SATOSIN(ifa->ifa_addr)->sin_addr.s_addr;
+		ii->ii_netmask = SATOSIN(ifa->ifa_netmask)->sin_addr.s_addr;
 		if (ii->ii_netmask == 0)
 			ii->ii_netmask = ipaddrtonetmask(ii->ii_ipaddr);
-		if (ii->ii_fd < 0) {
+		if (ii->ii_fd < 0)
 			ii->ii_fd = rarp_open(ii->ii_ifname);
-#if BSD < 199100
-			/* Use BPF descriptor to get ethernet address. */
-			if (ioctl(ii->ii_fd, SIOCGIFADDR, (char *)&ifr) == -1) {
-				logmsg(LOG_ERR, "eaddr SIOCGIFADDR: %s: %m",
-				    ii->ii_ifname);
-				exit(1);
-			}
-			bcopy(&ifr.ifr_addr.sa_data[0], ii->ii_eaddr, 6);
-#endif
-		}
 		break;
 
-#if BSD >= 199100
-		case AF_LINK:
-			ll = (struct sockaddr_dl *)&ifrp->ifr_addr;
-			if (ll->sdl_type == IFT_ETHER)
-				bcopy(LLADDR(ll), ii->ii_eaddr, 6);
-			break;
-#endif
-		}
+	case AF_LINK:
+		ll = (struct sockaddr_dl *)ifa->ifa_addr;
+		if (ll->sdl_type == IFT_ETHER)
+			bcopy(LLADDR(ll), ii->ii_eaddr, 6);
+		break;
+	}
 }
 /*
  * Initialize all "candidate" interfaces that are in the system
  * configuration list.  A "candidate" is up, not loopback and not
  * point to point.
  */
-void
+static void
 init(char *target)
 {
-	u_int n;
-	struct ifreq *ifrp, *ifend;
 	struct if_info *ii, *nii, *lii;
-	struct ifconf ifc;
-	struct ifreq ibuf[16];
+	struct ifaddrs *ifhead, *ifa;
+	int error;
 
-	if ((s = socket(AF_INET, SOCK_DGRAM, 0)) == -1) {
-		logmsg(LOG_ERR, "socket: %m");
-		exit(1);
-	}
-	ifc.ifc_len = sizeof ibuf;
-	ifc.ifc_buf = (caddr_t)ibuf;
-	if ((ioctl(s, SIOCGIFCONF, (char *)&ifc) == -1) ||
-	    ((u_int)ifc.ifc_len < sizeof(struct ifreq))) {
-		logmsg(LOG_ERR, "SIOCGIFCONF: %m");
+	error = getifaddrs(&ifhead);
+	if (error) {
+		logmsg(LOG_ERR, "getifaddrs: %m");
 		exit(1);
 	}
-	ifrp = ibuf;
-	ifend = (struct ifreq *)((char *)ibuf + ifc.ifc_len);
-	while (ifrp < ifend) {
-		init_one(ifrp, target);
-
-#if BSD >= 199100
-		n = ifrp->ifr_addr.sa_len + sizeof(ifrp->ifr_name);
-		if (n < sizeof(*ifrp))
-			n = sizeof(*ifrp);
-		ifrp = (struct ifreq *)((char *)ifrp + n);
-#else
-		++ifrp;
-#endif
-	}
+	/*
+	 * We make two passes over the list we have got.  In the first
+	 * one, we only collect AF_LINK interfaces, and initialize our
+	 * list of interfaces from them.  In the second pass, we
+	 * collect the actual IP addresses from the AF_INET
+	 * interfaces, and allow for the same interface name to appear
+	 * multiple times (in case of more than one IP address).
+	 */
+	for (ifa = ifhead; ifa != NULL; ifa = ifa->ifa_next)
+		init_one(ifa, target, 1);
+	for (ifa = ifhead; ifa != NULL; ifa = ifa->ifa_next)
+		init_one(ifa, target, 0);
+	freeifaddrs(ifhead);
 
 	/* Throw away incomplete interfaces */
 	lii = NULL;
@@ -382,19 +325,21 @@ init(char *target)
 	/* Verbose stuff */
 	if (verbose)
 		for (ii = iflist; ii != NULL; ii = ii->ii_next)
-			logmsg(LOG_DEBUG, "%s %s 0x%08lx %s",
+			logmsg(LOG_DEBUG, "%s %s 0x%08x %s",
 			    ii->ii_ifname, intoa(ntohl(ii->ii_ipaddr)),
-			    (u_long)ntohl(ii->ii_netmask), eatoa(ii->ii_eaddr));
+			    (in_addr_t)ntohl(ii->ii_netmask), eatoa(ii->ii_eaddr));
 }
 
-void
+static void
 usage(void)
 {
-	fprintf(stderr, "usage: rarpd [-adfsv] [-t directory] [interface]\n");
+	fprintf(stderr, "%s\n%s\n",
+	    "usage: rarpd -a [-dfsv] [-t directory]",
+	    "       rarpd [-dfsv] [-t directory] interface");
 	exit(1);
 }
 
-int
+static int
 bpf_open(void)
 {
 	int fd;
@@ -420,7 +365,7 @@ bpf_open(void)
  * Open a BPF file and attach it to the interface named 'device'.
  * Set immediate mode, and set a filter that accepts only RARP requests.
  */
-int
+static int
 rarp_open(char *device)
 {
 	int fd;
@@ -451,7 +396,7 @@ rarp_open(char *device)
 		logmsg(LOG_ERR, "BIOCIMMEDIATE: %m");
 		exit(1);
 	}
-	strncpy(ifr.ifr_name, device, sizeof ifr.ifr_name);
+	strlcpy(ifr.ifr_name, device, sizeof(ifr.ifr_name));
 	if (ioctl(fd, BIOCSETIF, (caddr_t)&ifr) == -1) {
 		logmsg(LOG_ERR, "BIOCSETIF: %m");
 		exit(1);
@@ -482,7 +427,7 @@ rarp_open(char *device)
  * Perform various sanity checks on the RARP request packet.  Return
  * false on failure and log the reason.
  */
-int
+static int
 rarp_check(u_char *p, u_int len)
 {
 	struct ether_header *ep = (struct ether_header *)p;
@@ -515,17 +460,11 @@ rarp_check(u_char *p, u_int len)
 	return 1;
 }
 
-#ifndef FD_SETSIZE
-#define FD_SET(n, fdp) ((fdp)->fds_bits[0] |= (1 << (n)))
-#define FD_ISSET(n, fdp) ((fdp)->fds_bits[0] & (1 << (n)))
-#define FD_ZERO(fdp) ((fdp)->fds_bits[0] = 0)
-#endif
-
 /*
  * Loop indefinitely listening for RARP requests on the
  * interfaces in 'iflist'.
  */
-void
+static void
 rarp_loop(void)
 {
 	u_char *buf, *bp, *ep;
@@ -576,22 +515,6 @@ rarp_loop(void)
 			/* Don't choke when we get ptraced */
 			if ((cc == -1) && (errno == EINTR))
 				goto again;
-#if defined(SUNOS3) || defined(SUNOS4)
-			/*
-			 * Due to a SunOS bug, after 2^31 bytes, the
-			 * file offset overflows and read fails with
-			 * EINVAL.  The lseek() to 0 will fix things.
-			 */
-			if (cc == -1) {
-				if (errno == EINVAL &&
-				    (long)(tell(fd) + bufsize) < 0) {
-					lseek(fd, 0, 0);
-					goto again;
-				}
-				logmsg(LOG_ERR, "read: %m");
-				exit(1);
-			}
-#endif
 
 			/* Loop through the packet(s) */
 #define bhp ((struct bpf_hdr *)bp)
@@ -616,19 +539,15 @@ rarp_loop(void)
  * This check is made by looking in the tftp directory for the
  * configuration file.
  */
-int
-rarp_bootable(u_long addr)
+static int
+rarp_bootable(in_addr_t addr)
 {
-#ifdef HAVE_DIRENT_H
 	struct dirent *dent;
-#else
-	struct direct *dent;
-#endif
 	DIR *d;
 	char ipname[9];
 	static DIR *dd = NULL;
 
-	sprintf(ipname, "%08lX", (u_long)ntohl(addr));
+	sprintf(ipname, "%08X", (in_addr_t)ntohl(addr));
 
 	/*
 	 * If directory is already open, rewind it.  Otherwise, open it.
@@ -658,8 +577,8 @@ rarp_bootable(u_long addr)
  * is on network 'net'; 'netmask' is a mask indicating the network portion
  * of the address.
  */
-u_long
-choose_ipaddr(u_long **alist, u_long net, u_long netmask)
+static in_addr_t
+choose_ipaddr(in_addr_t **alist, in_addr_t net, in_addr_t netmask)
 {
 	for (; *alist; ++alist)
 		if ((**alist & netmask) == net)
@@ -671,12 +590,12 @@ choose_ipaddr(u_long **alist, u_long net, u_long netmask)
  * Answer the RARP request in 'pkt', on the interface 'ii'.  'pkt' has
  * already been checked for validity.  The reply is overlaid on the request.
  */
-void
+static void
 rarp_process(struct if_info *ii, u_char *pkt, u_int len)
 {
 	struct ether_header *ep;
 	struct hostent *hp;
-	u_long target_ipaddr;
+	in_addr_t target_ipaddr;
 	char ename[256];
 
 	ep = (struct ether_header *)pkt;
@@ -700,7 +619,7 @@ rarp_process(struct if_info *ii, u_char *pkt, u_int len)
 								ename);
 		return;
 	}
-	target_ipaddr = choose_ipaddr((u_long **)hp->h_addr_list,
+	target_ipaddr = choose_ipaddr((in_addr_t **)hp->h_addr_list,
 				      ii->ii_ipaddr & ii->ii_netmask,
 				      ii->ii_netmask);
 	if (target_ipaddr == 0) {
@@ -723,7 +642,6 @@ rarp_process(struct if_info *ii, u_char *pkt, u_int len)
  * host (i.e. the guy running rarpd), won't try to ARP for the hardware
  * address of the guy being booted (he cannot answer the ARP).
  */
-#if BSD >= 199200
 struct sockaddr_inarp sin_inarp = {
 	sizeof(struct sockaddr_inarp), AF_INET, 0,
 	{0},
@@ -739,8 +657,8 @@ struct {
 	char rtspace[512];
 } rtmsg;
 
-void
-update_arptab(u_char *ep, u_long ipaddr)
+static void
+update_arptab(u_char *ep, in_addr_t ipaddr)
 {
 	int cc;
 	struct sockaddr_inarp *ar, *ar2;
@@ -794,7 +712,7 @@ update_arptab(u_char *ep, u_long ipaddr)
 		 * directly connected network (the family is AF_INET in
 		 * this case).
 		 */
-		logmsg(LOG_ERR, "bogus link family (%d) wrong net for %08lX?\n",
+		logmsg(LOG_ERR, "bogus link family (%d) wrong net for %08X?\n",
 		    ll2->sdl_family, ipaddr);
 		close(r);
 		return;
@@ -835,24 +753,6 @@ update_arptab(u_char *ep, u_long ipaddr)
 		return;
 	}
 }
-#else
-void
-update_arptab(u_char *ep, u_long ipaddr)
-{
-	struct arpreq request;
-	struct sockaddr_in *sin;
-
-	request.arp_flags = 0;
-	sin = (struct sockaddr_in *)&request.arp_pa;
-	sin->sin_family = AF_INET;
-	sin->sin_addr.s_addr = ipaddr;
-	request.arp_ha.sa_family = AF_UNSPEC;
-	bcopy((char *)ep, (char *)request.arp_ha.sa_data, 6);
-
-	if (ioctl(s, SIOCSARP, (caddr_t)&request) == -1)
-		logmsg(LOG_ERR, "SIOCSARP: %m");
-}
-#endif
 
 /*
  * Build a reverse ARP packet and sent it out on the interface.
@@ -887,8 +787,8 @@ update_arptab(u_char *ep, u_long ipaddr)
  * address pair (arp_spa, arp_sha) may eliminate the need for a subsequent
  * ARP request.
  */
-void
-rarp_reply(struct if_info *ii, struct ether_header *ep, u_long ipaddr,
+static void
+rarp_reply(struct if_info *ii, struct ether_header *ep, in_addr_t ipaddr,
 		u_int len)
 {
 	u_int n;
@@ -928,8 +828,8 @@ rarp_reply(struct if_info *ii, struct ether_header *ep, u_long ipaddr,
  * Get the netmask of an IP address.  This routine is used if
  * SIOCGIFNETMASK doesn't work.
  */
-u_long
-ipaddrtonetmask(u_long addr)
+static in_addr_t
+ipaddrtonetmask(in_addr_t addr)
 {
 	addr = ntohl(addr);
 	if (IN_CLASSA(addr))
@@ -938,15 +838,15 @@ ipaddrtonetmask(u_long addr)
 		return htonl(IN_CLASSB_NET);
 	if (IN_CLASSC(addr))
 		return htonl(IN_CLASSC_NET);
-	logmsg(LOG_DEBUG, "unknown IP address class: %08lX", addr);
+	logmsg(LOG_DEBUG, "unknown IP address class: %08X", addr);
 	return htonl(0xffffffff);
 }
 
 /*
  * A faster replacement for inet_ntoa().
  */
-char *
-intoa(u_long addr)
+static char *
+intoa(in_addr_t addr)
 {
 	char *cp;
 	u_int byte;
@@ -974,7 +874,7 @@ intoa(u_long addr)
 	return cp + 1;
 }
 
-char *
+static char *
 eatoa(u_char *ea)
 {
 	static char buf[sizeof("xx:xx:xx:xx:xx:xx")];
@@ -984,7 +884,7 @@ eatoa(u_char *ea)
 	return (buf);
 }
 
-void
+static void
 logmsg(int pri, const char *fmt, ...)
 {
 	va_list v;
@@ -1011,8 +911,9 @@ logmsg(int pri, const char *fmt, ...)
 	va_end(v);
 }
 
-int
-expand_syslog_m(const char *fmt, char **newfmt) {
+static int
+expand_syslog_m(const char *fmt, char **newfmt)
+{
 	const char *str, *m;
 	char *p, *np;
 
diff --git a/usr.sbin/ypserv/ypserv.8 b/usr.sbin/ypserv/ypserv.8
index 2bd476dae2..e8c3beaf3c 100644
--- a/usr.sbin/ypserv/ypserv.8
+++ b/usr.sbin/ypserv/ypserv.8
@@ -430,8 +430,8 @@ within the file system.
 the
 .Tn NIS
 maps
-.It Pa /etc/host.conf
-resolver configuration file
+.It Pa /etc/nsswitch.conf
+name switch configuration file
 .It Pa /var/yp/securenets
 host access control file
 .El
-- 
2.41.0