INETD(8) | System Manager's Manual | INETD(8) |
inetd
, inetd.conf
—
inetd |
[-d ] [-l ]
[configuration file] |
inetd
should be run at boot time by
/etc/rc (see
rc(8)). It then opens sockets
according to its configuration and listens for connections. When a connection
is found on one of its sockets, it decides what service the socket corresponds
to, and invokes a program to service the request. After the program is
finished, it continues to listen on the socket (except in some cases which
will be described below). Essentially, inetd
allows
running one daemon to invoke several others, reducing load on the system.
The options available for inetd
:
-d
inetd
in the
foreground.-f
inetd
in the foreground.-l
Upon execution, inetd
reads its
configuration information from a configuration file which, by default, is
/etc/inetd.conf. The path given for this
configuration file must be absolute, unless the -d
option is also given on the command line.
Services can be specified using the legacy `positional' notation or the `key-values' notation described in the sections Positional Notation and Key-Values Notation below.
[listen-addr:]service-spec socket-type[:accept-filter] protocol[,sndbuf=size][,rcvbuf=size] wait/nowait[:max] user[:group] server-program server program arguments
The listen-addr parameter specifies the local
address inetd
should use when listening. The single
character “*” means INADDR_ANY
: all
local addresses. The listen-addr parameter may be a host
name, which will be resolved once, when the service definition is read from
the config file.
Note that restricted listen addresses are meaningless and ignored for UNIX-domain services, and are not supported for Sun-RPC services. All Sun-RPC services always listen on all interfaces.
The form of the service-spec parameter varies with the service type. For Internet services, the service-spec parameter can be either the name of a service from /etc/services or a decimal port number. For “internal” services (discussed below), the service name must be the official name of the service (that is, the first entry in /etc/services) and not an alias for it.
For Sun-RPC based services, the
service-spec parameter has the form
service-name/
version.
The service name must be a valid RPC service name from the file
/etc/rpc. The version on the right
of the “/” is the RPC version number. This can simply be a
single numeric argument or a range of versions. A range is bounded by the
low version to the high version, e.g. “rusers/1-3”.
For UNIX-domain (local) services, the service-spec parameter is the path name to listen on.
The service-spec parameter must not begin with a dot. See Directives.
The socket-type parameter should be one of “stream”, “dgram”, “raw”, “rdm”, or “seqpacket”, depending on whether the socket is a stream, datagram, raw, reliably delivered message, or sequenced packet socket.
Optionally, for Internet services, an accept filter (see
accept_filter(9)) can
be specified by appending a colon to socket-type, followed
by the name of the desired accept filter. In this case
inetd
will not see new connections for the specified
service until the accept filter decides they are ready to be handled.
The protocol parameter must be a valid protocol as given in /etc/protocols or (for UNIX-domain services) the string “unix”. The most common are “tcp” and “udp”. For TCP and UDP, the IP version (4 or 6) may be specified explicitly by appending 4 or 6 to the protocol name. Otherwise the default version (IPv4) is used. For Sun-RPC the string “rpc” and a slash should be prepended: “rpc/tcp” or “rpc/udp”. If you would like to enable special support for faithd(8), prepend the string “faith” and a slash: “faith/tcp6”.
In addition to the protocol, the configuration file may specify the send and receive socket buffer sizes for the listening socket. This is especially useful for TCP: the window scale factor, which is based on the receive socket buffer size, is advertised when the connection handshake occurs and thus the socket buffer size must be set on the listen socket. By increasing the socket buffer sizes, better TCP performance may be realized in some situations. The socket buffer sizes are specified by appending their values to the protocol specification as follows:
tcp,rcvbuf=16384 tcp,sndbuf=64k tcp,rcvbuf=64k,sndbuf=1m
A literal value may be specified, or modified using ‘k’ to indicate kibibytes or ‘m’ to indicate mebibytes. Socket buffer sizes may be specified for all services and protocols except for tcpmux services.
The wait/nowait entry is used to tell
inetd
if it should wait for the server program to
return, or continue processing connections on the socket. If a datagram
server reads a single datagram and connects to its peer through a different
socket, freeing the service's socket so inetd
can
receive further messages on the socket, it is said to be a
“multi-threaded” server, and should use the
“nowait” entry. For datagram servers which process all
incoming datagrams on a socket and eventually time out, the server is said
to be “single-threaded” and should use a “wait”
entry. comsat(8)
(biff(1)) and
ntalkd(8) are both examples of
the latter type of datagram server.
tftpd(8) is an exception; it is
a datagram server that establishes pseudo-connections. It must be listed as
“wait” in order to avoid a race; the server reads the first
packet, creates a new socket, and then forks and exits to allow
inetd
to check for new service requests to spawn new
servers. The optional “max” suffix (separated from
“wait” or “nowait” by a dot or a colon)
specifies the maximum number of server instances that may be spawned from
inetd
within an interval of 60 seconds. When
omitted, “max” defaults to 40. If it reaches this maximum
spawn rate, inetd
will log the problem (via the
syslogger using the LOG_DAEMON
facility and
LOG_ERR
level) and stop handling the specific
service for ten minutes.
Stream servers are usually marked as “nowait” but if
a single server process is to handle multiple connections, it may be marked
as “wait”. The master socket will then be passed as fd 0 to
the server, which will then need to accept the incoming connection. The
server should eventually time out and exit when no more connections are
active. inetd
will continue to listen on the master
socket for connections, so the server should not close it when it exits.
identd(8) is usually the only
stream server marked as wait.
The user entry should contain the user name of the user as whom the server should run. This allows for servers to be given less permission than root. Optionally, a group can be specified by appending a colon to the user name, followed by the group name (it is possible to use a dot (``.'') in lieu of a colon, however this feature is provided only for backward compatibility). This allows for servers to run with a different (primary) group id than specified in the password file. If a group is specified and user is not root, the supplementary groups associated with that user will still be set.
The server-program entry should contain the
pathname of the program which is to be executed by
inetd
when a request is found on its socket. If
inetd
provides this service internally, this entry
should be “internal”.
The server program arguments should be just as arguments normally are, starting with argv[0], which is the name of the program. If the service is provided internally, the word “internal” should take the place of this entry. It is possible to quote an argument using either single or double quotes. This allows you to have, e.g., spaces in paths and parameters.
Values may be in quotes, and support the following escape sequences.
[listen-addr:]service-spec has the same form as in positional notation. If service-spec is followed by on then the service definition is active by default. If service-spec is followed by off then the service definition is parsed and errors are output to the system log, but the service is not active and no sockets are created.
Comments that exist between the initial on/off directive and the closing semicolon may begin in any column and may exist on the same line as non-comment text. Note: editor syntax highlighting may be misleading!
Syntax and semantic error detection is performed on a best-effort basis. If an error with a service definition is easily detectable, it will log the error using syslog(3) and continue reading the configuration file if possible, skipping the erroneous definition or file. Otherwise, it is up to the user to write definitions that conform to the documentation. Errors may be worded differently depending on the ordering of options in the service definition.
The following are the available values for <option>:
udp{4,6}
or
tcp{4,6}
.SO_ACCEPTFITLER
in
setsockopt(2)).tcp
or udp
with no version specifier, the associated hostname or
bind value is used to determine the IP version. If the
version is not specified and the hostname string or bind
value is not an IPv4 or IPv6 address, the service definition is
invalid.yes
or no
.
Equivalent to wait/nowait in positional notation. This
option is automatically determined for internal services, and is mandatory
for all others.inetd
within an interval of 60 seconds for a given
IP address. Other address types may also work if supported by
getnameinfo(3), test
thoroughly using -d
. For example, connections from
unnamed Unix sockets do not work, but connections from named Unix sockets
may work. However, there is no way to only accept named Unix sockets.To avoid the need to repeat listen addresses over and over again, listen addresses are inherited from line to line, and the listen address can be changed without defining a service by including a line containing just a listen-addr followed by a colon. The default (compatible with historical configuration files) is *. To return to this behavior after configuring some services with specific listen addresses, give * explicitly.
#@
[<IPsec policy>] [; [<IPsec
policy>]] ...
The implementation includes a tiny hack to support IPsec policy
settings for each socket. A special form of the comment line, starting with
“#@
”, is used as a policy specifier.
The content of the above comment line will be treated as a IPsec policy
string, as described in
ipsec_set_policy(3).
Multiple IPsec policy strings may be specified by using a semicolon as a
separator. If conflicting policy strings are found in a single line, the
last string will take effect. IPsec policy strings are not parsed in
comments within a key-values service definition. A
#@
line affects all of the subsequent lines in the
same config file, so you may want to reset the IPsec policy by using a
comment line containing only #@
(with no policy
string).
If an invalid IPsec policy string appears in a config file,
inetd
logs an error message using
syslog(3) and stops reading
the current config file, but may continue reading from other files not
affected by the IPsec directive.
.include <glob-path>
Other files can be read by inetd by specifying an include directive in an inetd config file. glob-path is an absolute path or a path relative (including parent directories) to the directory containing the current config file, and may contain glob patterns as specified by glob(7).
To include a specific file, include the relative or absolute path of the file. To include all files in a directory, glob-path should be the directory of the files to include followed by "/*".
The listening address and IPsec configuration strings of the current config file are inherited by files included by this directive.
Files included by this directive using a glob path match are not
read in a specific order. If a specific order is desired, files or
directories should be included individually without the use of glob
patterns. Behavior is undefined if multiple include directives include the
same file and this should be avoided. Circular references are caught by
inetd
. Anything after glob-path on
the same line is ignored. glob-path may be in quotes.
inetd
provides several “trivial” services
internally by use of routines within itself. These services are
“echo”, “discard”, “chargen”
(character generator), “daytime” (human readable time), and
“time” (machine readable time, in the form of the number of
seconds since midnight, January 1, 1900 GMT). For details of these services,
consult the appropriate RFC.
TCP services without official port numbers can be handled with the RFC1078-based tcpmux internal service. TCPmux listens on port 1 for requests. When a connection is made from a foreign host, the service name requested is passed to TCPmux, which performs a lookup in the service name table provided by /etc/inetd.conf and returns the proper entry for the service. TCPmux returns a negative reply if the service doesn't exist, otherwise the invoked server is expected to return the positive reply if the service type in /etc/inetd.conf file has the prefix “tcpmux/”. If the service type has the prefix “tcpmux/+”, TCPmux will return the positive reply for the process; this is for compatibility with older server code, and also allows you to invoke programs that use stdin/stdout without putting any special server code in them. Services that use TCPmux are “nowait” because they do not have a well-known port number and hence cannot listen for new requests.
inetd
rereads its configuration file when
it receives a hangup signal, SIGHUP
. Services may be
added, deleted or modified when the configuration file is reread.
inetd
creates a file
/var/run/inetd.pid that contains its process
identifier.
inetd
to
provide internal tcpd-like access control functionality. An external tcpd
program is not needed. You do not need to change the
/etc/inetd.conf server-program entry to enable this
capability. inetd
uses
/etc/hosts.allow and
/etc/hosts.deny for access control facility
configurations, as described in
hosts_access(5).
Nota Bene: TCP wrappers do not affect/restrict UDP or internal services.
Under various combination of IPv4/v6 daemon settings,
inetd
will behave as follows:
inetd
provided
servicesJ. Postel, Echo Protocol, RFC, 862, May 1983.
J. Postel, Discard Protocol, RFC, 863, May 1983.
J. Postel, Character Generator Protocol, RFC, 864, May 1983.
J. Postel, Daytime Protocol, RFC, 867, May 1983.
J. Postel and K. Harrenstien, Time Protocol, RFC, 868, May 1983.
M. Lottor, TCP port service Multiplexer (TCPMUX), RFC, 1078, November 1988.
inetd
command appeared in
4.3BSD. Support for Sun-RPC based
services is modeled after that provided by SunOS 4.1. Support for specifying
the socket buffer sizes was added in NetBSD 1.4. In
November 1996, libwrap support was added to provide internal tcpd-like access
control functionality; libwrap is based on Wietse Venema's tcp_wrappers. IPv6
support and IPsec hack was made by KAME project, in 1999.
tcpmux on IPv6 is not tested enough.
For automatic IP version detection in key-values syntax (see the protocol key), addresses with an interface specifier in the form <address>%<iface> are not currently supported, as addresses of that form are not parsed by inet_pton(3).
If a positional service definition has an invalid parameter and extends across multiple lines using tab characters, the subsequent lines after the error are treated as new service definitions.
October 12, 2021 | NetBSD 10.1 |