Updated: 2022/Sep/29
Please read Privacy Policy. It's for your privacy.
INETD(8) System Manager's Manual INETD(8)
NAME
inetd, inetd.conf - internet "super-server"
SYNOPSIS
inetd [-d] [-l] [configuration file]
DESCRIPTION
inetd should be run at boot time by /etc/rc (see rc(8)). It then opens
sockets according to its configuration and listens for connections. When
a connection is found on one of its sockets, it decides what service the
socket corresponds to, and invokes a program to service the request.
After the program is finished, it continues to listen on the socket
(except in some cases which will be described below). Essentially, inetd
allows running one daemon to invoke several others, reducing load on the
system.
The options available for inetd:
-d Turns on debugging and runs inetd in the foreground.
-f Runs inetd in the foreground.
-l Turns on libwrap connection logging.
Upon execution, inetd reads its configuration information from a
configuration file which, by default, is /etc/inetd.conf. The path given
for this configuration file must be absolute, unless the -d option is
also given on the command line.
Services can be specified using the legacy `positional' notation or the
`key-values' notation described in the sections Positional Notation and
Key-Values Notation below.
Positional Notation
There must be an entry for each field of the configuration file, with
entries for each field separated by a tab or a space. Comments are
denoted by a ``#'' at the beginning of a line (see subsection Key-Values
Notation for defining comments in key-values definitions). There must be
an entry for each field (except for one special case, described below).
A positional definition is terminated by a newline. The fields of the
configuration file are as follows:
[listen-addr:]service-spec
socket-type[:accept-filter]
protocol[,sndbuf=size][,rcvbuf=size]
wait/nowait[:max]
user[:group]
server-program
server program arguments
The listen-addr parameter specifies the local address inetd should use
when listening. The single character "*" means INADDR_ANY: all local
addresses. The listen-addr parameter may be a host name, which will be
resolved once, when the service definition is read from the config file.
Note that restricted listen addresses are meaningless and ignored for
UNIX-domain services, and are not supported for Sun-RPC services. All
Sun-RPC services always listen on all interfaces.
The form of the service-spec parameter varies with the service type. For
Internet services, the service-spec parameter can be either the name of a
service from /etc/services or a decimal port number. For "internal"
services (discussed below), the service name must be the official name of
the service (that is, the first entry in /etc/services) and not an alias
for it.
For Sun-RPC based services, the service-spec parameter has the form
service-name/version. The service name must be a valid RPC service name
from the file /etc/rpc. The version on the right of the "/" is the RPC
version number. This can simply be a single numeric argument or a range
of versions. A range is bounded by the low version to the high version,
e.g. "rusers/1-3".
For UNIX-domain (local) services, the service-spec parameter is the path
name to listen on.
The service-spec parameter must not begin with a dot. See Directives.
The socket-type parameter should be one of "stream", "dgram", "raw",
"rdm", or "seqpacket", depending on whether the socket is a stream,
datagram, raw, reliably delivered message, or sequenced packet socket.
Optionally, for Internet services, an accept filter (see
accept_filter(9)) can be specified by appending a colon to socket-type,
followed by the name of the desired accept filter. In this case inetd
will not see new connections for the specified service until the accept
filter decides they are ready to be handled.
The protocol parameter must be a valid protocol as given in
/etc/protocols or (for UNIX-domain services) the string "unix". The most
common are "tcp" and "udp". For TCP and UDP, the IP version (4 or 6) may
be specified explicitly by appending 4 or 6 to the protocol name.
Otherwise the default version (IPv4) is used. For Sun-RPC the string
"rpc" and a slash should be prepended: "rpc/tcp" or "rpc/udp". If you
would like to enable special support for faithd(8), prepend the string
"faith" and a slash: "faith/tcp6".
In addition to the protocol, the configuration file may specify the send
and receive socket buffer sizes for the listening socket. This is
especially useful for TCP: the window scale factor, which is based on the
receive socket buffer size, is advertised when the connection handshake
occurs and thus the socket buffer size must be set on the listen socket.
By increasing the socket buffer sizes, better TCP performance may be
realized in some situations. The socket buffer sizes are specified by
appending their values to the protocol specification as follows:
tcp,rcvbuf=16384
tcp,sndbuf=64k
tcp,rcvbuf=64k,sndbuf=1m
A literal value may be specified, or modified using `k' to indicate
kibibytes or `m' to indicate mebibytes. Socket buffer sizes may be
specified for all services and protocols except for tcpmux services.
The wait/nowait entry is used to tell inetd if it should wait for the
server program to return, or continue processing connections on the
socket. If a datagram server reads a single datagram and connects to its
peer through a different socket, freeing the service's socket so inetd
can receive further messages on the socket, it is said to be a
"multi-threaded" server, and should use the "nowait" entry. For datagram
servers which process all incoming datagrams on a socket and eventually
time out, the server is said to be "single-threaded" and should use a
"wait" entry. comsat(8) (biff(1)) and ntalkd(8) are both examples of the
latter type of datagram server. tftpd(8) is an exception; it is a
datagram server that establishes pseudo-connections. It must be listed
as "wait" in order to avoid a race; the server reads the first packet,
creates a new socket, and then forks and exits to allow inetd to check
for new service requests to spawn new servers. The optional "max" suffix
(separated from "wait" or "nowait" by a dot or a colon) specifies the
maximum number of server instances that may be spawned from inetd within
an interval of 60 seconds. When omitted, "max" defaults to 40. If it
reaches this maximum spawn rate, inetd will log the problem (via the
syslogger using the LOG_DAEMON facility and LOG_ERR level) and stop
handling the specific service for ten minutes.
Stream servers are usually marked as "nowait" but if a single server
process is to handle multiple connections, it may be marked as "wait".
The master socket will then be passed as fd 0 to the server, which will
then need to accept the incoming connection. The server should
eventually time out and exit when no more connections are active. inetd
will continue to listen on the master socket for connections, so the
server should not close it when it exits. identd(8) is usually the only
stream server marked as wait.
The user entry should contain the user name of the user as whom the
server should run. This allows for servers to be given less permission
than root. Optionally, a group can be specified by appending a colon to
the user name, followed by the group name (it is possible to use a dot
(``.'') in lieu of a colon, however this feature is provided only for
backward compatibility). This allows for servers to run with a different
(primary) group id than specified in the password file. If a group is
specified and user is not root, the supplementary groups associated with
that user will still be set.
The server-program entry should contain the pathname of the program which
is to be executed by inetd when a request is found on its socket. If
inetd provides this service internally, this entry should be "internal".
The server program arguments should be just as arguments normally are,
starting with argv[0], which is the name of the program. If the service
is provided internally, the word "internal" should take the place of this
entry. It is possible to quote an argument using either single or double
quotes. This allows you to have, e.g., spaces in paths and parameters.
Key-Values Notation
In key-values notation, keys are separated from their associated values
by `=', values are separated by whitespace, and key-values options are
separated by commas. A service definition is terminated by a semicolon.
Multiple definitions may exist on a single line (and a line may end with
a positional definition. A key-values definition has the following form:
[listen-addr:]service-spec {on|off} <option> = [value1], <option> =
[value1] [value2] ..., <option> =, ...;
Values may be in quotes, and support the following escape sequences.
\\ Backslash.
\n Line feed.
\t Tab.
\r Carriage return.
\' Single quote.
\" Double quote.
\xXX Hexadecimal byte value, replace XX.
[listen-addr:]service-spec has the same form as in positional notation.
If service-spec is followed by on then the service definition is active
by default. If service-spec is followed by off then the service
definition is parsed and errors are output to the system log, but the
service is not active and no sockets are created.
Comments that exist between the initial on/off directive and the closing
semicolon may begin in any column and may exist on the same line as non-
comment text. Note: editor syntax highlighting may be misleading!
Syntax and semantic error detection is performed on a best-effort basis.
If an error with a service definition is easily detectable, it will log
the error using syslog(3) and continue reading the configuration file if
possible, skipping the erroneous definition or file. Otherwise, it is up
to the user to write definitions that conform to the documentation.
Errors may be worded differently depending on the ordering of options in
the service definition.
The following are the available values for <option>:
bind Set the listen address for this service. This can be an
IPv4 or IPv6 address or a hostname.
socktype Equivalent to socket-type in positional notation. socktype
is optional if protocol is specified and is udp{4,6} or
tcp{4,6}.
acceptfilter An accept filter, equivalent to accept in positional
notation (see accept_filter(9) and SO_ACCEPTFITLER in
setsockopt(2)).
protocol Equivalent to protocol in positional notation. If
specified as tcp or udp with no version specifier, the
associated hostname or bind value is used to determine the
IP version. If the version is not specified and the
hostname string or bind value is not an IPv4 or IPv6
address, the service definition is invalid.
sndbuf Equivalent to sndbuf in positional notation.
recvbuf Equivalent to recvbuf in positional notation.
wait The value yes or no. Equivalent to wait/nowait in
positional notation. This option is automatically
determined for internal services, and is mandatory for all
others.
service_max Equivalent to max in positional notation. Defaults to 40
if not specified.
ip_max Specifies the maximum number of server instances that may
be spawned from inetd within an interval of 60 seconds for
a given IP address. Other address types may also work if
supported by getnameinfo(3), test thoroughly using -d. For
example, connections from unnamed Unix sockets do not work,
but connections from named Unix sockets may work. However,
there is no way to only accept named Unix sockets.
user The user to run the program as. Equivalent to user in
positional notation.
group The primary group to run the program as. Equivalent to
group in positional notation.
exec The path to the program's executable or "internal" for a
built-in service. If not specified, this will be assumed
to be "internal" (and will fail if socktype is not
specified).
args The program arguments. By convention, the first argument
should be the name of the program.
ipsec An IPsec policy string. Defaults to the global default
setting. If specified without a value (i.e., "ipsec=,"),
IPsec will be disabled for this service. See the
Directives section for details. Currently only one value
is allowed, so all IPsec policies should be in a quoted
string, separated by semicolons.
Directives
<listen-addr>:
To avoid the need to repeat listen addresses over and over again, listen
addresses are inherited from line to line, and the listen address can be
changed without defining a service by including a line containing just a
listen-addr followed by a colon. The default (compatible with historical
configuration files) is *. To return to this behavior after configuring
some services with specific listen addresses, give * explicitly.
#@ [<IPsec policy>] [; [<IPsec policy>]] ...
The implementation includes a tiny hack to support IPsec policy settings
for each socket. A special form of the comment line, starting with "#@",
is used as a policy specifier. The content of the above comment line
will be treated as a IPsec policy string, as described in
ipsec_set_policy(3). Multiple IPsec policy strings may be specified by
using a semicolon as a separator. If conflicting policy strings are
found in a single line, the last string will take effect. IPsec policy
strings are not parsed in comments within a key-values service
definition. A #@ line affects all of the subsequent lines in the same
config file, so you may want to reset the IPsec policy by using a comment
line containing only #@ (with no policy string).
If an invalid IPsec policy string appears in a config file, inetd logs an
error message using syslog(3) and stops reading the current config file,
but may continue reading from other files not affected by the IPsec
directive.
.include <glob-path>
Other files can be read by inetd by specifying an include directive in an
inetd config file. glob-path is an absolute path or a path relative
(including parent directories) to the directory containing the current
config file, and may contain glob patterns as specified by glob(7).
To include a specific file, include the relative or absolute path of the
file. To include all files in a directory, glob-path should be the
directory of the files to include followed by "/*".
The listening address and IPsec configuration strings of the current
config file are inherited by files included by this directive.
Files included by this directive using a glob path match are not read in
a specific order. If a specific order is desired, files or directories
should be included individually without the use of glob patterns.
Behavior is undefined if multiple include directives include the same
file and this should be avoided. Circular references are caught by
inetd. Anything after glob-path on the same line is ignored. glob-path
may be in quotes.
Internal Services
inetd provides several "trivial" services internally by use of routines
within itself. These services are "echo", "discard", "chargen"
(character generator), "daytime" (human readable time), and "time"
(machine readable time, in the form of the number of seconds since
midnight, January 1, 1900 GMT). For details of these services, consult
the appropriate RFC.
TCP services without official port numbers can be handled with the
RFC1078-based tcpmux internal service. TCPmux listens on port 1 for
requests. When a connection is made from a foreign host, the service
name requested is passed to TCPmux, which performs a lookup in the
service name table provided by /etc/inetd.conf and returns the proper
entry for the service. TCPmux returns a negative reply if the service
doesn't exist, otherwise the invoked server is expected to return the
positive reply if the service type in /etc/inetd.conf file has the prefix
"tcpmux/". If the service type has the prefix "tcpmux/+", TCPmux will
return the positive reply for the process; this is for compatibility with
older server code, and also allows you to invoke programs that use
stdin/stdout without putting any special server code in them. Services
that use TCPmux are "nowait" because they do not have a well-known port
number and hence cannot listen for new requests.
inetd rereads its configuration file when it receives a hangup signal,
SIGHUP. Services may be added, deleted or modified when the
configuration file is reread. inetd creates a file /var/run/inetd.pid
that contains its process identifier.
libwrap
Support for TCP wrappers is included with inetd to provide internal tcpd-
like access control functionality. An external tcpd program is not
needed. You do not need to change the /etc/inetd.conf server-program
entry to enable this capability. inetd uses /etc/hosts.allow and
/etc/hosts.deny for access control facility configurations, as described
in hosts_access(5).
Nota Bene: TCP wrappers do not affect/restrict UDP or internal services.
IPv6 TCP/UDP behavior
If you wish to run a server for both IPv4 and IPv6 traffic, you will need
to run two separate processes for the same server program, specified as
two separate lines in /etc/inetd.conf using "tcp4" and "tcp6"
respectively. In positional syntax, plain "tcp" means TCP on top of the
current default IP version, which is, at this moment, IPv4.
Under various combination of IPv4/v6 daemon settings, inetd will behave
as follows:
⊕ If you have only one server on "tcp4", IPv4 traffic will be routed to
the server. IPv6 traffic will not be accepted.
⊕ If you have two servers on "tcp4" and "tcp6", IPv4 traffic will be
routed to the server on "tcp4", and IPv6 traffic will go to server on
"tcp6".
⊕ If you have only one server on "tcp6", only IPv6 traffic will be
routed to the server. The kernel may route to the server IPv4
traffic as well, under certain configuration. See ip6(4) for
details.
FILES
/etc/inetd.conf configuration file for all inetd provided services
/etc/services service name to protocol and port number mappings.
/etc/protocols protocol name to protocol number mappings
/etc/rpc Sun-RPC service name to service number mappings.
/etc/hosts.allow explicit remote host access list.
/etc/hosts.deny explicit remote host denial of service list.
SEE ALSO
hosts_access(5), hosts_options(5), protocols(5), rpc(5), services(5),
comsat(8), fingerd(8), ftpd(8), rexecd(8), rlogind(8), rshd(8),
telnetd(8), tftpd(8)
J. Postel, Echo Protocol, RFC, 862, May 1983.
J. Postel, Discard Protocol, RFC, 863, May 1983.
J. Postel, Character Generator Protocol, RFC, 864, May 1983.
J. Postel, Daytime Protocol, RFC, 867, May 1983.
J. Postel and K. Harrenstien, Time Protocol, RFC, 868, May 1983.
M. Lottor, TCP port service Multiplexer (TCPMUX), RFC, 1078, November
1988.
HISTORY
The inetd command appeared in 4.3BSD. Support for Sun-RPC based services
is modeled after that provided by SunOS 4.1. Support for specifying the
socket buffer sizes was added in NetBSD 1.4. In November 1996, libwrap
support was added to provide internal tcpd-like access control
functionality; libwrap is based on Wietse Venema's tcp_wrappers. IPv6
support and IPsec hack was made by KAME project, in 1999.
BUGS
Host address specifiers, while they make conceptual sense for RPC
services, do not work entirely correctly. This is largely because the
portmapper interface does not provide a way to register different ports
for the same service on different local addresses. Provided you never
have more than one entry for a given RPC service, everything should work
correctly (Note that default host address specifiers do apply to RPC
lines with no explicit specifier.)
tcpmux on IPv6 is not tested enough.
For automatic IP version detection in key-values syntax (see the protocol
key), addresses with an interface specifier in the form <address>%<iface>
are not currently supported, as addresses of that form are not parsed by
inet_pton(3).
If a positional service definition has an invalid parameter and extends
across multiple lines using tab characters, the subsequent lines after
the error are treated as new service definitions.
SECURITY CONSIDERATIONS
Enabling the "echo", "discard", and "chargen" built-in trivial services
is not recommended because remote users may abuse these to cause a denial
of network service to or from the local host.
NetBSD 10.99 October 12, 2021 NetBSD 10.99