888 lines
24 KiB
Groff
888 lines
24 KiB
Groff
.\" $NetBSD: inetd.8,v 1.67 2021/10/12 22:47:18 rillig Exp $
|
|
.\"
|
|
.\" Copyright (c) 1998 The NetBSD Foundation, Inc.
|
|
.\" All rights reserved.
|
|
.\"
|
|
.\" This code is derived from software contributed to The NetBSD Foundation
|
|
.\" by Jason R. Thorpe of the Numerical Aerospace Simulation Facility,
|
|
.\" NASA Ames Research Center.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
|
|
.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
|
|
.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
|
|
.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
|
|
.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
|
.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
|
.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
|
.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
|
.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
.\" POSSIBILITY OF SUCH DAMAGE.
|
|
.\"
|
|
.\" Copyright (c) 1985, 1991 The Regents of the University of California.
|
|
.\" All rights reserved.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\" 3. Neither the name of the University nor the names of its contributors
|
|
.\" may be used to endorse or promote products derived from this software
|
|
.\" without specific prior written permission.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
|
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
|
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
.\" SUCH DAMAGE.
|
|
.\"
|
|
.\" from: @(#)inetd.8 8.4 (Berkeley) 6/1/94
|
|
.\"
|
|
.Dd October 12, 2021
|
|
.Dt INETD 8
|
|
.Os
|
|
.Sh NAME
|
|
.Nm inetd ,
|
|
.Nm inetd.conf
|
|
.Nd internet
|
|
.Dq super-server
|
|
.Sh SYNOPSIS
|
|
.Nm
|
|
.Op Fl d
|
|
.Op Fl l
|
|
.Op Ar configuration file
|
|
.Sh DESCRIPTION
|
|
.Nm
|
|
should be run at boot time by
|
|
.Pa /etc/rc
|
|
(see
|
|
.Xr rc 8 ) .
|
|
It then opens sockets according to its configuration and listens
|
|
for connections.
|
|
When a connection is found on one of its sockets, it decides what
|
|
service the socket corresponds to, and invokes a program to service
|
|
the request.
|
|
After the program is finished, it continues to listen on the socket
|
|
(except in some cases which will be described below).
|
|
Essentially,
|
|
.Nm
|
|
allows running one daemon to invoke several others,
|
|
reducing load on the system.
|
|
.Pp
|
|
The options available for
|
|
.Nm :
|
|
.Bl -tag -width Ds
|
|
.It Fl d
|
|
Turns on debugging and runs
|
|
.Nm
|
|
in the foreground.
|
|
.It Fl f
|
|
Runs
|
|
.Nm
|
|
in the foreground.
|
|
.It Fl l
|
|
Turns on libwrap connection logging.
|
|
.El
|
|
.Pp
|
|
Upon execution,
|
|
.Nm
|
|
reads its configuration information from a configuration
|
|
file which, by default, is
|
|
.Pa /etc/inetd.conf .
|
|
The path given for this configuration file must be absolute, unless
|
|
the
|
|
.Fl d
|
|
option is also given on the command line.
|
|
.Pp
|
|
Services can be specified using the legacy `positional' notation or the
|
|
`key-values' notation described in the sections
|
|
.Sx Positional Notation
|
|
and
|
|
.Sx Key-Values Notation
|
|
below.
|
|
.Ss Positional Notation
|
|
There must be an entry for each field of the configuration
|
|
file, with entries for each field separated by a tab or
|
|
a space.
|
|
Comments are denoted by a ``#'' at the beginning of a line (see subsection
|
|
.Sx Key-Values Notation
|
|
for defining comments in key-values definitions).
|
|
There must be an entry for each field (except for one
|
|
special case, described below).
|
|
A positional definition is terminated by a newline.
|
|
The fields of the configuration file are as follows:
|
|
.Pp
|
|
.Bd -unfilled -offset indent -compact
|
|
[listen-addr:]service-spec
|
|
socket-type[:accept-filter]
|
|
protocol[,sndbuf=size][,rcvbuf=size]
|
|
wait/nowait[:max]
|
|
user[:group]
|
|
server-program
|
|
server program arguments
|
|
.Ed
|
|
.Pp
|
|
The
|
|
.Em listen-addr
|
|
parameter specifies the local address
|
|
.Nm
|
|
should use when listening.
|
|
The single character
|
|
.Dq \&*
|
|
means
|
|
.Dv INADDR_ANY :
|
|
all local addresses.
|
|
The
|
|
.Em listen-addr
|
|
parameter may be a host name, which will be resolved once, when the service
|
|
definition is read from the config file.
|
|
.Pp
|
|
Note that restricted listen addresses are meaningless and ignored for
|
|
UNIX-domain services, and are not supported for
|
|
.Em Sun-RPC
|
|
services.
|
|
All
|
|
.Em Sun-RPC
|
|
services always listen on all interfaces.
|
|
.Pp
|
|
The form of the
|
|
.Em service-spec
|
|
parameter varies with the service type.
|
|
For Internet services, the
|
|
.Em service-spec
|
|
parameter can be either the name of a service from
|
|
.Pa /etc/services
|
|
or a decimal port number.
|
|
For
|
|
.Dq internal
|
|
services (discussed below), the service name
|
|
.Em must
|
|
be the official name of the service (that is, the first entry in
|
|
.Pa /etc/services )
|
|
and not an alias for it.
|
|
.Pp
|
|
For
|
|
.Em Sun-RPC
|
|
based services, the
|
|
.Em service-spec
|
|
parameter has the form
|
|
.Em service-name Ns Li / Ns Em version .
|
|
The service name must be a valid RPC service name from
|
|
the file
|
|
.Pa /etc/rpc .
|
|
The
|
|
.Em version
|
|
on the right of the
|
|
.Dq /
|
|
is the RPC version number.
|
|
This can simply be a single numeric argument or a range of versions.
|
|
A range is bounded by the low version to the high version, e.g.
|
|
.Dq rusers/1-3 .
|
|
.Pp
|
|
For UNIX-domain (local) services, the
|
|
.Em service-spec
|
|
parameter is the path name to listen on.
|
|
.Pp
|
|
The
|
|
.Em service-spec
|
|
parameter must not begin with a dot.
|
|
See
|
|
.Sx Directives .
|
|
.Pp
|
|
The
|
|
.Em socket-type
|
|
parameter should be one of
|
|
.Dq stream ,
|
|
.Dq dgram ,
|
|
.Dq raw ,
|
|
.Dq rdm ,
|
|
or
|
|
.Dq seqpacket ,
|
|
depending on whether the socket is a stream, datagram, raw,
|
|
reliably delivered message, or sequenced packet socket.
|
|
.Pp
|
|
Optionally, for Internet services, an accept filter
|
|
(see
|
|
.Xr accept_filter 9 )
|
|
can be specified by appending a colon to
|
|
.Em socket-type ,
|
|
followed by the name of the desired accept filter.
|
|
In this case
|
|
.Nm
|
|
will not see new connections for the specified service until the accept
|
|
filter decides they are ready to be handled.
|
|
.\" XXX: do accept filters work for AF_UNIX sockets? nobody probably
|
|
.\" cares, but...
|
|
.Pp
|
|
The
|
|
.Em protocol
|
|
parameter must be a valid protocol as given in
|
|
.Pa /etc/protocols
|
|
or (for UNIX-domain services) the string
|
|
.Dq unix .
|
|
The most common are
|
|
.Dq tcp
|
|
and
|
|
.Dq udp .
|
|
For TCP and UDP, the IP version (4 or 6) may be specified explicitly
|
|
by appending 4 or 6 to the protocol name.
|
|
Otherwise the default version (IPv4) is used.
|
|
For
|
|
.Em Sun-RPC
|
|
the string
|
|
.Dq rpc
|
|
and a slash should be prepended:
|
|
.Dq rpc/tcp
|
|
or
|
|
.Dq rpc/udp .
|
|
If you would like to enable special support for
|
|
.Xr faithd 8 ,
|
|
prepend the string
|
|
.Dq faith
|
|
and a slash:
|
|
.Dq faith/tcp6 .
|
|
.Pp
|
|
In addition to the protocol, the configuration file may specify the
|
|
send and receive socket buffer sizes for the listening socket.
|
|
This is especially useful for
|
|
.Tn TCP :
|
|
the window scale factor, which is based on the receive socket
|
|
buffer size, is advertised when the connection handshake occurs
|
|
and thus the socket buffer size must be set on the listen socket.
|
|
By increasing the socket buffer sizes, better
|
|
.Tn TCP
|
|
performance may be realized in some situations.
|
|
The socket buffer sizes are specified by appending their values to
|
|
the protocol specification as follows:
|
|
.Bd -literal -offset indent
|
|
tcp,rcvbuf=16384
|
|
tcp,sndbuf=64k
|
|
tcp,rcvbuf=64k,sndbuf=1m
|
|
.Ed
|
|
.Pp
|
|
A literal value may be specified, or modified using
|
|
.Sq k
|
|
to indicate kibibytes or
|
|
.Sq m
|
|
to indicate mebibytes.
|
|
Socket buffer sizes may be specified for all
|
|
services and protocols except for tcpmux services.
|
|
.Pp
|
|
The
|
|
.Em wait/nowait
|
|
entry is used to tell
|
|
.Nm
|
|
if it should wait for the server program to return,
|
|
or continue processing connections on the socket.
|
|
If a datagram server reads a single datagram and connects
|
|
to its peer through a different socket, freeing the service's socket so
|
|
.Nm
|
|
can receive further messages on the socket, it is said to be
|
|
a
|
|
.Dq multi-threaded
|
|
server, and should use the
|
|
.Dq nowait
|
|
entry.
|
|
For datagram servers which process all incoming datagrams
|
|
on a socket and eventually time out, the server is said to be
|
|
.Dq single-threaded
|
|
and should use a
|
|
.Dq wait
|
|
entry.
|
|
.Xr comsat 8
|
|
.Pq Xr biff 1
|
|
and
|
|
.Xr ntalkd 8
|
|
are both examples of the latter type of
|
|
datagram server.
|
|
.Xr tftpd 8
|
|
is an exception; it is a datagram server that establishes pseudo-connections.
|
|
It must be listed as
|
|
.Dq wait
|
|
in order to avoid a race;
|
|
the server reads the first packet, creates a new socket,
|
|
and then forks and exits to allow
|
|
.Nm
|
|
to check for new service requests to spawn new servers.
|
|
The optional
|
|
.Dq max
|
|
suffix (separated from
|
|
.Dq wait
|
|
or
|
|
.Dq nowait
|
|
by a dot or a colon) specifies the maximum number of server instances that may
|
|
be spawned from
|
|
.Nm
|
|
within an interval of 60 seconds.
|
|
When omitted,
|
|
.Dq max
|
|
defaults to 40.
|
|
If it reaches this maximum spawn rate,
|
|
.Nm
|
|
will log the problem (via the syslogger using the
|
|
.Dv LOG_DAEMON
|
|
facility and
|
|
.Dv LOG_ERR
|
|
level)
|
|
and stop handling the specific service for ten minutes.
|
|
.Pp
|
|
Stream servers are usually marked as
|
|
.Dq nowait
|
|
but if a single server process is to handle multiple connections, it may be
|
|
marked as
|
|
.Dq wait .
|
|
The master socket will then be passed as fd 0 to the server, which will then
|
|
need to accept the incoming connection.
|
|
The server should eventually time
|
|
out and exit when no more connections are active.
|
|
.Nm
|
|
will continue to
|
|
listen on the master socket for connections, so the server should not close
|
|
it when it exits.
|
|
.Xr identd 8
|
|
is usually the only stream server marked as wait.
|
|
.Pp
|
|
The
|
|
.Em user
|
|
entry should contain the user name of the user as whom the server should run.
|
|
This allows for servers to be given less permission than root.
|
|
Optionally, a group can be specified by appending a colon to the user name,
|
|
followed by the group name (it is possible to use a dot (``.'') in lieu of a
|
|
colon, however this feature is provided only for backward compatibility).
|
|
This allows for servers to run with a different (primary) group id than
|
|
specified in the password file.
|
|
If a group is specified and
|
|
.Em user
|
|
is not root, the supplementary groups associated with that user will still be
|
|
set.
|
|
.Pp
|
|
The
|
|
.Em server-program
|
|
entry should contain the pathname of the program which is to be
|
|
executed by
|
|
.Nm
|
|
when a request is found on its socket.
|
|
If
|
|
.Nm
|
|
provides this service internally, this entry should
|
|
be
|
|
.Dq internal .
|
|
.Pp
|
|
The
|
|
.Em server program arguments
|
|
should be just as arguments
|
|
normally are, starting with argv[0], which is the name of
|
|
the program.
|
|
If the service is provided internally, the
|
|
word
|
|
.Dq internal
|
|
should take the place of this entry.
|
|
It is possible to quote an argument using either single or double quotes.
|
|
This allows you to have, e.g., spaces in paths and parameters.
|
|
.Ss Key-Values Notation
|
|
In key-values notation, keys are separated from their associated values by `=',
|
|
values are separated by whitespace, and key-values options are separated by
|
|
commas.
|
|
A service definition is terminated by a semicolon.
|
|
Multiple definitions may exist on a single line (and a line may
|
|
end with a positional definition.
|
|
A key-values definition has the following form:
|
|
.Bd -filled -offset indent
|
|
[listen-addr:]service-spec {on|off} <option> = [value1],
|
|
<option> = [value1] [value2] ..., <option> =, ...;
|
|
.Ed
|
|
.Pp
|
|
Values may be in quotes, and support the following escape sequences.
|
|
.Bl -hang -width "\xXX" -offset indent
|
|
.It Sy \e\e
|
|
Backslash.
|
|
.It Sy \en
|
|
Line feed.
|
|
.It Sy \et
|
|
Tab.
|
|
.It Sy \er
|
|
Carriage return.
|
|
.It Sy \e'
|
|
Single quote.
|
|
.It Sy \e"
|
|
Double quote.
|
|
.It Sy \exXX
|
|
Hexadecimal byte value, replace XX.
|
|
.El
|
|
.Pp
|
|
.Em [listen-addr:]service-spec
|
|
has the same form as in positional notation. If
|
|
.Em service-spec
|
|
is followed by
|
|
.Em on
|
|
then the service definition is active by default.
|
|
If
|
|
.Em service-spec
|
|
is followed by
|
|
.Em off
|
|
then the service definition is parsed and errors are output to
|
|
the system log, but the service is not active and no sockets are created.
|
|
.Pp
|
|
Comments that exist between the initial on/off directive
|
|
and the closing semicolon may begin in any column and may exist on the same line
|
|
as non-comment text.
|
|
Note: editor syntax highlighting may be misleading!
|
|
.Pp
|
|
Syntax and semantic error detection is performed on a best-effort basis.
|
|
If an error with a service definition is easily detectable, it will
|
|
log the error using
|
|
.Xr syslog 3
|
|
and continue reading the configuration file if possible, skipping the erroneous
|
|
definition or file.
|
|
Otherwise, it is up to the user to write definitions that conform to the
|
|
documentation.
|
|
Errors may be worded differently depending on the ordering of
|
|
options in the service definition.
|
|
.Pp
|
|
The following are the available values for
|
|
.Em <option>:
|
|
.Bl -hang -width "acceptfilter"
|
|
.It Sy bind
|
|
Set the listen address for this service.
|
|
This can be an IPv4 or IPv6 address or a hostname.
|
|
.It Sy socktype
|
|
Equivalent to
|
|
.Em socket-type
|
|
in positional notation.
|
|
.Em socktype
|
|
is optional if
|
|
.Em protocol
|
|
is specified and is
|
|
.Li udp{4,6}
|
|
or
|
|
.Li tcp{4,6} .
|
|
.It Sy acceptfilter
|
|
An accept filter, equivalent to
|
|
.Em accept
|
|
in positional notation (see
|
|
.Xr accept_filter 9
|
|
and
|
|
.Dv SO_ACCEPTFITLER
|
|
in
|
|
.Xr setsockopt 2 ) .
|
|
.It Sy protocol
|
|
Equivalent to
|
|
.Em protocol
|
|
in positional notation.
|
|
If specified as
|
|
.Li tcp
|
|
or
|
|
.Li udp
|
|
with no version specifier, the associated hostname or
|
|
.Em bind
|
|
value is used to determine the IP version.
|
|
If the version is not specified and the hostname string or
|
|
.Em bind
|
|
value is not an IPv4 or IPv6 address, the service definition is
|
|
invalid.
|
|
.It Sy sndbuf
|
|
Equivalent to
|
|
.Em sndbuf
|
|
in positional notation.
|
|
.It Sy recvbuf
|
|
Equivalent to
|
|
.Em recvbuf
|
|
in positional notation.
|
|
.It Sy wait
|
|
The value
|
|
.Li yes
|
|
or
|
|
.Li no .
|
|
Equivalent to
|
|
.Em wait/nowait
|
|
in positional notation.
|
|
This option is automatically determined for internal
|
|
services, and is mandatory for all others.
|
|
.It Sy service_max
|
|
Equivalent to
|
|
.Em max
|
|
in positional notation.
|
|
Defaults to 40 if not specified.
|
|
.It Sy ip_max
|
|
Specifies the maximum number of server instances that may be spawned from
|
|
.Nm
|
|
within an interval of 60 seconds for a given IP address.
|
|
Other address types may also work if supported by
|
|
.Xr getnameinfo 3 ,
|
|
test thoroughly using
|
|
.Fl d .
|
|
For example, connections from unnamed Unix sockets
|
|
do not work, but connections from named Unix sockets may work.
|
|
However, there is no way to only accept named Unix sockets.
|
|
.It Sy user
|
|
The user to run the program as.
|
|
Equivalent to
|
|
.Em user
|
|
in positional notation.
|
|
.It Sy group
|
|
The primary group to run the program as.
|
|
Equivalent to
|
|
.Em group
|
|
in positional notation.
|
|
.It Sy exec
|
|
The path to the program's executable or
|
|
.Dq internal
|
|
for a built-in service.
|
|
If not specified, this will be assumed to be
|
|
.Dq internal
|
|
(and will fail if
|
|
.Em socktype
|
|
is not specified).
|
|
.It Sy args
|
|
The program arguments.
|
|
By convention, the first argument should be the name of the program.
|
|
.It Sy ipsec
|
|
An IPsec policy string.
|
|
Defaults to the global default setting.
|
|
If specified without a value (i.e.,
|
|
.Dq ipsec=, ) ,
|
|
IPsec will be disabled for this service.
|
|
See the
|
|
.Sx Directives
|
|
section for details.
|
|
Currently only one value is allowed, so all IPsec policies
|
|
should be in a quoted string, separated by semicolons.
|
|
.El
|
|
.Ss Directives
|
|
<listen-addr>:
|
|
.Pp
|
|
To avoid the need to repeat listen addresses over and over again,
|
|
listen addresses are inherited from line to line, and the listen
|
|
address can be changed without defining a service by including a line
|
|
containing just a
|
|
.Em listen-addr
|
|
followed by a colon.
|
|
The default (compatible with historical configuration files) is \&*.
|
|
To return to this behavior after configuring some services with
|
|
specific listen addresses, give \&* explicitly.
|
|
.Pp
|
|
.Li "#@"
|
|
[<IPsec policy>] [; [<IPsec policy>]] ...
|
|
.Pp
|
|
The implementation includes a tiny hack to support IPsec policy settings for
|
|
each socket.
|
|
A special form of the comment line, starting with
|
|
.Dq Li "#@" ,
|
|
is used as a policy specifier.
|
|
The content of the above comment line will be treated as a IPsec policy string,
|
|
as described in
|
|
.Xr ipsec_set_policy 3 .
|
|
Multiple IPsec policy strings may be specified by using a semicolon
|
|
as a separator.
|
|
If conflicting policy strings are found in a single line,
|
|
the last string will take effect.
|
|
IPsec policy strings are not parsed in
|
|
comments within a key-values service definition.
|
|
A
|
|
.Li "#@"
|
|
line affects all of the subsequent lines in the same config file,
|
|
so you may want to reset the IPsec policy by using a comment line containing
|
|
only
|
|
.Li "#@"
|
|
.Pq with no policy string .
|
|
.Pp
|
|
If an invalid IPsec policy string appears in a config file,
|
|
.Nm
|
|
logs an error message using
|
|
.Xr syslog 3
|
|
and stops reading the current config file, but may continue reading
|
|
from other files not affected by the IPsec directive.
|
|
.Pp
|
|
\&.include <glob-path>
|
|
.Pp
|
|
Other files can be read by inetd by specifying an include directive in an inetd
|
|
config file.
|
|
.Em glob-path
|
|
is an
|
|
absolute path or a path relative (including parent directories) to the directory
|
|
containing the current config
|
|
file, and may contain glob patterns as specified by
|
|
.Xr glob 7 .
|
|
.Pp
|
|
To include a specific file, include the relative or absolute path of the file.
|
|
To include all files in a directory,
|
|
.Em glob-path
|
|
should be the directory of the files to include followed by "/*".
|
|
.Pp
|
|
The listening address and IPsec configuration strings of the current config file
|
|
are inherited by files included by this directive.
|
|
.Pp
|
|
Files included by this directive using a glob path match are not read in a
|
|
specific order.
|
|
If a specific order is desired, files or directories should be
|
|
included individually without the use of glob patterns.
|
|
Behavior is undefined if
|
|
multiple include directives include the same file and
|
|
this should be avoided.
|
|
Circular references are caught by
|
|
.Nm .
|
|
Anything after
|
|
.Em glob-path
|
|
on the same line is ignored.
|
|
.Em glob-path
|
|
may be in quotes.
|
|
.Ss Internal Services
|
|
.Nm
|
|
provides several
|
|
.Qq trivial
|
|
services internally by use of routines within itself.
|
|
These services are
|
|
.Qq echo ,
|
|
.Qq discard ,
|
|
.Qq chargen
|
|
(character generator),
|
|
.Qq daytime
|
|
(human readable time), and
|
|
.Qq time
|
|
(machine readable time,
|
|
in the form of the number of seconds since midnight, January 1, 1900 GMT).
|
|
For details of these services, consult the appropriate
|
|
.Tn RFC .
|
|
.Pp
|
|
TCP services without official port numbers can be handled with the
|
|
RFC1078-based tcpmux internal service.
|
|
TCPmux listens on port 1 for requests.
|
|
When a connection is made from a foreign host, the service name
|
|
requested is passed to TCPmux, which performs a lookup in the
|
|
service name table provided by
|
|
.Pa /etc/inetd.conf
|
|
and returns the proper entry for the service.
|
|
TCPmux returns a negative reply if the service doesn't exist,
|
|
otherwise the invoked server is expected to return the positive
|
|
reply if the service type in
|
|
.Pa /etc/inetd.conf
|
|
file has the prefix
|
|
.Qq tcpmux/ .
|
|
If the service type has the
|
|
prefix
|
|
.Qq tcpmux/+ ,
|
|
TCPmux will return the positive reply for the
|
|
process; this is for compatibility with older server code, and also
|
|
allows you to invoke programs that use stdin/stdout without putting any
|
|
special server code in them.
|
|
Services that use TCPmux are
|
|
.Qq nowait
|
|
because they do not have a well-known port number and hence cannot listen
|
|
for new requests.
|
|
.Pp
|
|
.Nm
|
|
rereads its configuration file when it receives a hangup signal,
|
|
.Dv SIGHUP .
|
|
Services may be added, deleted or modified when the configuration file
|
|
is reread.
|
|
.Nm
|
|
creates a file
|
|
.Em /var/run/inetd.pid
|
|
that contains its process identifier.
|
|
.Ss libwrap
|
|
Support for
|
|
.Tn TCP
|
|
wrappers is included with
|
|
.Nm
|
|
to provide internal tcpd-like access control functionality.
|
|
An external tcpd program is not needed.
|
|
You do not need to change the
|
|
.Pa /etc/inetd.conf
|
|
server-program entry to enable this capability.
|
|
.Nm
|
|
uses
|
|
.Pa /etc/hosts.allow
|
|
and
|
|
.Pa /etc/hosts.deny
|
|
for access control facility configurations, as described in
|
|
.Xr hosts_access 5 .
|
|
.Pp
|
|
.Em Nota Bene :
|
|
.Tn TCP
|
|
wrappers do not affect/restrict
|
|
.Tn UDP
|
|
or internal services.
|
|
.Ss IPv6 TCP/UDP behavior
|
|
If you wish to run a server for both IPv4 and IPv6 traffic,
|
|
you will need to run two separate processes for the same server program,
|
|
specified as two separate lines in
|
|
.Pa /etc/inetd.conf
|
|
using
|
|
.Dq tcp4
|
|
and
|
|
.Dq tcp6
|
|
respectively.
|
|
In positional syntax, plain
|
|
.Dq tcp
|
|
means TCP on top of the current default IP version,
|
|
which is, at this moment, IPv4.
|
|
.Pp
|
|
Under various combination of IPv4/v6 daemon settings,
|
|
.Nm
|
|
will behave as follows:
|
|
.Bl -bullet -compact
|
|
.It
|
|
If you have only one server on
|
|
.Dq tcp4 ,
|
|
IPv4 traffic will be routed to the server.
|
|
IPv6 traffic will not be accepted.
|
|
.It
|
|
If you have two servers on
|
|
.Dq tcp4
|
|
and
|
|
.Dq tcp6 ,
|
|
IPv4 traffic will be routed to the server on
|
|
.Dq tcp4 ,
|
|
and IPv6 traffic will go to server on
|
|
.Dq tcp6 .
|
|
.It
|
|
If you have only one server on
|
|
.Dq tcp6 ,
|
|
only IPv6 traffic will be routed to the server.
|
|
The kernel may route to the server IPv4 traffic as well,
|
|
under certain configuration.
|
|
See
|
|
.Xr ip6 4
|
|
for details.
|
|
.El
|
|
.Sh FILES
|
|
.Bl -tag -width /etc/hosts.allow -compact
|
|
.It Pa /etc/inetd.conf
|
|
configuration file for all
|
|
.Nm
|
|
provided services
|
|
.It Pa /etc/services
|
|
service name to protocol and port number mappings.
|
|
.It Pa /etc/protocols
|
|
protocol name to protocol number mappings
|
|
.It Pa /etc/rpc
|
|
.Tn Sun-RPC
|
|
service name to service number mappings.
|
|
.It Pa /etc/hosts.allow
|
|
explicit remote host access list.
|
|
.It Pa /etc/hosts.deny
|
|
explicit remote host denial of service list.
|
|
.El
|
|
.Sh SEE ALSO
|
|
.Xr hosts_access 5 ,
|
|
.Xr hosts_options 5 ,
|
|
.Xr protocols 5 ,
|
|
.Xr rpc 5 ,
|
|
.Xr services 5 ,
|
|
.Xr comsat 8 ,
|
|
.Xr fingerd 8 ,
|
|
.Xr ftpd 8 ,
|
|
.Xr rexecd 8 ,
|
|
.Xr rlogind 8 ,
|
|
.Xr rshd 8 ,
|
|
.Xr telnetd 8 ,
|
|
.Xr tftpd 8
|
|
.Rs
|
|
.%A J. Postel
|
|
.%R RFC
|
|
.%N 862
|
|
.%D May 1983
|
|
.%T "Echo Protocol"
|
|
.Re
|
|
.Rs
|
|
.%A J. Postel
|
|
.%R RFC
|
|
.%N 863
|
|
.%D May 1983
|
|
.%T "Discard Protocol"
|
|
.Re
|
|
.Rs
|
|
.%A J. Postel
|
|
.%R RFC
|
|
.%N 864
|
|
.%D May 1983
|
|
.%T "Character Generator Protocol"
|
|
.Re
|
|
.Rs
|
|
.%A J. Postel
|
|
.%R RFC
|
|
.%N 867
|
|
.%D May 1983
|
|
.%T "Daytime Protocol"
|
|
.Re
|
|
.Rs
|
|
.%A J. Postel
|
|
.%A K. Harrenstien
|
|
.%R RFC
|
|
.%N 868
|
|
.%D May 1983
|
|
.%T "Time Protocol"
|
|
.Re
|
|
.Rs
|
|
.%A M. Lottor
|
|
.%R RFC
|
|
.%N 1078
|
|
.%D November 1988
|
|
.%T "TCP port service Multiplexer (TCPMUX)"
|
|
.Re
|
|
.Sh HISTORY
|
|
The
|
|
.Nm
|
|
command appeared in
|
|
.Bx 4.3 .
|
|
Support for
|
|
.Em Sun-RPC
|
|
based services is modeled after that
|
|
provided by SunOS 4.1.
|
|
Support for specifying the socket buffer sizes was added in
|
|
.Nx 1.4 .
|
|
In November 1996, libwrap support was added to provide
|
|
internal tcpd-like access control functionality;
|
|
libwrap is based on Wietse Venema's tcp_wrappers.
|
|
IPv6 support and IPsec hack was made by KAME project, in 1999.
|
|
.Sh BUGS
|
|
Host address specifiers, while they make conceptual sense for RPC
|
|
services, do not work entirely correctly.
|
|
This is largely because the portmapper interface does not provide
|
|
a way to register different ports for the same service on different
|
|
local addresses.
|
|
Provided you never have more than one entry for a given RPC service,
|
|
everything should work correctly (Note that default host address
|
|
specifiers do apply to RPC lines with no explicit specifier.)
|
|
.Pp
|
|
.Em tcpmux
|
|
on IPv6 is not tested enough.
|
|
.Pp
|
|
For automatic IP version detection in key-values syntax (see the
|
|
.Em protocol
|
|
key), addresses with an interface specifier in the form <address>%<iface>
|
|
are not currently supported, as addresses of that form are not parsed by
|
|
.Xr inet_pton 3 .
|
|
.Pp
|
|
If a positional service definition has an invalid parameter and extends
|
|
across multiple lines using tab characters, the subsequent lines after the
|
|
error are treated as new service definitions.
|
|
.Sh SECURITY CONSIDERATIONS
|
|
Enabling the
|
|
.Dq echo ,
|
|
.Dq discard ,
|
|
and
|
|
.Dq chargen
|
|
built-in trivial services is not recommended because remote
|
|
users may abuse these to cause a denial of network service to
|
|
or from the local host.
|