inetd.conf(5)
- NetBSD Manual Pages
INETD(8) NetBSD System Manager's Manual INETD(8)
NAME
inetd, inetd.conf - internet ``super-server''
SYNOPSIS
inetd [-d] [-l] [configuration file]
DESCRIPTION
inetd should be run at boot time by /etc/rc (see rc(8)). It then listens
for connections on certain internet sockets. When a connection is found
on one of its sockets, it decides what service the socket corresponds to,
and invokes a program to service the request. After the program is fin-
ished, it continues to listen on the socket (except in some cases which
will be described below). Essentially, inetd allows running one daemon
to invoke several others, reducing load on the system.
The options available for inetd:
-d Turns on debugging.
-l Turns on libwrap connection logging.
Upon execution, inetd reads its configuration information from a configu-
ration file which, by default, is /etc/inetd.conf. There must be an en-
try for each field of the configuration file, with entries for each field
separated by a tab or a space. Comments are denoted by a ``#'' at the
beginning of a line. There must be an entry for each field (except for
one special case, described below). The fields of the configuration file
are as follows:
[addr:]service-name
socket-type
protocol[,sndbuf=size][,rcvbuf=size]
wait/nowait[:max]
user[:group]
server-program
server program arguments
To specify an Sun-RPC based service, the entry would contain these
fields.
service-name/version
socket-type
rpc/protocol[,sndbuf=size][,rcvbuf=size]
wait/nowait[:max]
user[:group]
server-program
server program arguments
For Internet services, the first field of the line may also have a host
address specifier prefixed to it, separated from the service name by a
colon. If this is done, the string before the colon in the first field
indicates what local address inetd should use when listening for that
service, or the single character ``*'' to indicate INADDR_ANY, meaning
`all local addresses'. To avoid repeating an address that occurs fre-
quently, a line with a host address specifier and colon, but no further
fields, causes the host address specifier to be remembered and used for
all further lines with no explicit host specifier (until another such
line or the end of the file). A line
*:
is implicitly provided at the top of the file; thus, traditional configu-
ration files (which have no host address specifiers) will be interpreted
in the traditional manner, with all services listened for on all local
addresses.
The service-name entry is the name of a valid service in the file
/etc/services. For ``internal'' services (discussed below), the service
name must be the official name of the service (that is, the first entry
in /etc/services). When used to specify a Sun-RPC based service, this
field is a valid RPC service name in the file /etc/rpc. The part on the
right of the ``/'' is the RPC version number. This can simply be a single
numeric argument or a range of versions. A range is bounded by the low
version to the high version - ``rusers/1-3''.
The socket-type should be one of ``stream'', ``dgram'', ``raw'', ``rdm'',
or ``seqpacket'', depending on whether the socket is a stream, datagram,
raw, reliably delivered message, or sequenced packet socket.
The protocol must be a valid protocol as given in /etc/protocols. Exam-
ples might be ``tcp'' and ``udp''. Rpc based services are specified with
the ``rpc/tcp'' or ``rpc/udp'' service type. ``tcp'' and ``udp'' will be
recognized as ``TCP or UDP over default IP version''. It is currently
IPv4, but in the future it will be IPv6. If you need to specify IPv4 or
IPv6 explicitly, use something like ``tcp4'' or ``udp6''.
In addition to the protocol, the configuration file may specify the send
and receive socket buffer sizes for the listening socket. This is espe-
cially useful for TCP as the window scale factor, which is based on the
receive socket buffer size, is advertised when the connection handshake
occurs, thus the socket buffer size for the server must be set on the
listen socket. By increasing the socket buffer sizes, better TCP perfor-
mance may be realized in some situations. The socket buffer sizes are
specified by appending their values to the protocol specification as fol-
lows:
tcp,rcvbuf=16384
tcp,sndbuf=64k
tcp,rcvbuf=64k,sndbuf=1m
A literal value may be specified, or modified using `k' to indicate kilo-
bytes or `m' to indicate megabytes. Socket buffer sizes may be specified
for all services and protocols except for tcpmux services.
The wait/nowait entry is used to tell inetd if it should wait for the
server program to return, or continue processing connections on the sock-
et. If a datagram server connects to its peer, freeing the socket so in-
etd can receive further messages on the socket, it is said to be a
``multi-threaded'' server, and should use the ``nowait'' entry. For
datagram servers which process all incoming datagrams on a socket and
eventually time out, the server is said to be ``single-threaded'' and
should use a ``wait'' entry. comsat(8) (biff(1)) and talkd(8) are both
examples of the latter type of datagram server. tftpd(8) is an excep-
tion; it is a datagram server that establishes pseudo-connections. It
must be listed as ``wait'' in order to avoid a race; the server reads the
first packet, creates a new socket, and then forks and exits to allow in-
etd to check for new service requests to spawn new servers. The optional
``max'' suffix (separated from ``wait'' or ``nowait'' by a dot or a
colon) specifies the maximum number of server instances that may be
spawned from inetd within an interval of 60 seconds. When omitted,
``max'' defaults to 40.
Stream servers are usually marked as ``nowait'' but if a single server
process is to handle multiple connections, it may be marked as ``wait''.
The master socket will then be passed as fd 0 to the server, which will
then need to accept the incoming connection. The server should eventual-
ly time out and exit when no more connections are active. inetd will
continue to listen on the master socket for connections, so the server
should not close it when it exits. identd(8) is usually the only stream
server marked as wait.
The user entry should contain the user name of the user as whom the serv-
er should run. This allows for servers to be given less permission than
root. An optional group name can be specified by appending a colon to the
user name followed by the group name (it is possible to use a dot in lieu
of a colon, however this feature is provided only for backward compati-
bility). This allows for servers to run with a different (primary) group
id than specified in the password file. If a group is specified and user
is not root, the supplementary groups associated with that user will
still be set.
The server-program entry should contain the pathname of the program which
is to be executed by inetd when a request is found on its socket. If in-
etd provides this service internally, this entry should be ``internal''.
The server program arguments should be just as arguments normally are,
starting with argv[0], which is the name of the program. If the service
is provided internally, the word ``internal'' should take the place of
this entry.
inetd provides several ``trivial'' services internally by use of routines
within itself. These services are ``echo'', ``discard'', ``chargen''
(character generator), ``daytime'' (human readable time), and ``time''
(machine readable time, in the form of the number of seconds since mid-
night, January 1, 1900). For details of these services, consult the ap-
propriate RFC from the Network Information Center.
inetd rereads its configuration file when it receives a hangup signal,
SIGHUP. Services may be added, deleted or modified when the configura-
tion file is reread. inetd creates a file /var/run/inetd.pid that con-
tains its process identifier.
IPsec
The implementation includes tiny hack to support IPsec policy setting for
each of the socket. A special form of comment line, starting with
``#@'', will work as policy specifier. The content of the above comment
line will be treated as IPsec policy string, as described in
ipsec_set_policy(3). You can specify multiple IPsec policy string by us-
ing semicolon as separator. If conflicting strings are found in a single
line, the last string will take effect. A #@ line will affect all the
following lines in inetd.conf, so you may want to reset IPsec policy by
using a comment line with #@ only (with no policy string).
If invalid IPsec policy string appears on inetd.conf, inetd will leave
error message using syslog(3), and terminates itself.
IPv6 TCP/UDP behavior
If you wish to run a server for IPv4 and IPv6 traffic, you'll need to run
two separate process for the same server program, specified as two sepa-
rate lines on inetd.conf, for ``tcp4'' and ``tcp6''.
Under various combination of IPv4/v6 daemon settings, inetd will behave
as follows:
+ If you have only one server on ``tcp4'', IPv4 traffic will be routed
to the server. IPv6 traffic will not be accepted.
+ If you have two servers on ``tcp4'' and ``tcp6'', IPv4 traffic will
be routed to the server on ``tcp4'', and IPv6 traffic will go to
server on ``tcp6''.
+ If you have only one server on ``tcp6'', only IPv6 traffic will be
routed to the server. The kernel may route to the server IPv4 traf-
fic as well, under certain configuration. See ip6(4) for details.
BUGS
Host address specifiers, while they make conceptual sense for RPC ser-
vices, do not work entirely correctly. This is largely because the
portmapper interface does not provide a way to register different ports
for the same service on different local addresses. Provided you never
have more than one entry for a given RPC service, everything should work
correctly. (Note that default host address specifiers do apply to RPC
lines with no explicit specifier.)
``tcpmux'' on IPv6 is not tested enough.
SEE ALSO
comsat(8), fingerd(8), ftpd(8), rexecd(8), rlogind(8), rshd(8),
telnetd(8), tftpd(8), hosts_access(5), hosts_options(5)
HISTORY
The inetd command appeared in 4.3BSD. Support for Sun-RPC based services
is modeled after that provided by SunOS 4.1. Support for specifying the
socket buffer sizes was added in NetBSD 1.4. IPv6 support and IPsec hack
was made by KAME project, in 1999.
SECURITY CONSIDERATIONS
Enabling the ``echo'', ``discard'', and ``chargen'' built-in trivial ser-
vices is not recommended because remote users may abuse these to cause a
denial of network service to or from the local host.
NetBSD 1.5 March 16, 1991 4
Powered by man-cgi (2024-03-20).
Maintained for NetBSD
by Kimmo Suominen.
Based on man-cgi by Panagiotis Christias.