In case you're not familiar with it, tcpd is a wrapper for TCP servers, written by Wietse Venema, which performs access control checks based on the client's IP address, and other information. tcpd can be used by services started from inetd by making inetd start the wrapper first, which does the access checks, and then executes the real server program if the client is allowed to connect. Access control is defined via two files, /etc/hosts.allow and /etc/hosts.deny.
Sometimes, it's handy to use this kind of access control in network servers that are not TCP, or not started via inetd. For instance, it is useful to restrict access to your portmapper to trusted hosts only.
To support cases like this, Wietse's tcp_wrapper package comes with a library called libwrap that contains functions for tcpd style access control. The one you most likely want to use is hosts_ctl, which takes as its arguments the service name, the client's hostname, the client's address (in string representation), and the client's user name. If any of these are unknown, you should use STRING_UNKNOWN:
    int hosts_ctl(const char *daemon,
                  const char *client_name,
                  const char *client_addr,
                  const char *client_user);
The function returns zero if access should be denied.
The benefit of using this library is that you have one common interface, rather than having to code a new one for each application. However, there are also several problems you should be aware of.
The first is that the current implementation is somewhat slow. Every time you check a client, it loads and parses both configuration files. Implementing a small cache of, say, the N most recently checked clients helps, with N depending on the load you expect for your server.
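The cache suggested above, as an added example (not code from the tcp_wrapper package): it keeps verdicts for the N most recently checked addresses and expires them after a TTL, so edits to /etc/hosts.allow and /etc/hosts.deny still take effect. CACHE_N, CACHE_TTL, UNKNOWN, cached_check and fake_hosts_ctl are hypothetical names; fake_hosts_ctl is a constructed stand-in so the block builds without libwrap, and a real server would pass hosts_ctl instead. It assumes one service name per process, so the cache is keyed on the address only.

```c
#include <string.h>
#include <time.h>

#define CACHE_N   8          /* N most recently checked clients */
#define CACHE_TTL 60         /* seconds before a verdict is re-checked */
#define UNKNOWN   "unknown"  /* stand-in for tcpd.h's STRING_UNKNOWN */
/* Same signature as hosts_ctl(), so a real server can pass hosts_ctl. */
typedef int (*check_fn)(const char *, const char *, const char *, const char *);

struct entry { char addr[64]; int allow; time_t checked, used; };
static struct entry cache[CACHE_N];

/* Returns nonzero to allow, zero to deny, like hosts_ctl(). */
int cached_check(check_fn check, const char *daemon, const char *addr, time_t now)
{
    struct entry *victim = &cache[0];
    if (!addr || strlen(addr) >= sizeof victim->addr)
        return 0;                    /* fail closed on bad input */
    for (int i = 0; i < CACHE_N; i++) {
        struct entry *e = &cache[i];
        if (e->addr[0] && strcmp(e->addr, addr) == 0) {
            if (now - e->checked < CACHE_TTL) {
                e->used = now;
                return e->allow;     /* fresh hit: files are not re-parsed */
            }
            victim = e;              /* stale: re-check and refresh in place */
            break;
        }
        if (e->used < victim->used)
            victim = e;              /* otherwise evict least recently used */
    }
    victim->allow = check(daemon, UNKNOWN, addr, UNKNOWN) != 0;
    strcpy(victim->addr, addr);      /* length was checked above */
    victim->checked = victim->used = now;
    return victim->allow;
}

/* Constructed stand-in for hosts_ctl(): denies one sample address. */
static int calls;
static int fake_hosts_ctl(const char *d, const char *n, const char *a, const char *u)
{
    (void)d; (void)n; (void)u;
    calls++;
    return strcmp(a, "192.0.2.66") != 0;
}

int main(void)
{
    cached_check(fake_hosts_ctl, "portmap", "192.0.2.10", 1000);
    return cached_check(fake_hosts_ctl, "portmap", "192.0.2.10", 1001) ? 0 : 1;
}
```

Denials are cached as well as approvals, so a rejected client that keeps retrying does not force a re-parse of both files on every attempt.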
The second is that sometimes the sender's IP address cannot be relied upon. Similarly, you cannot always trust DNS information. This problem is not specific to Wietse's code; it's a general one. Address-based access control works only in environments where you can trust that nobody is doing IP or DNS spoofing. As a rule of thumb, you should therefore use this type of access control to turn away unwanted clients, not as a substitute for authentication.