Import NetBSD inetd(8)

Do not start it by default just yet.

Change-Id: Id8d2dd33eb67ae74b3ef3060638e20c781e8e37d

distrib/sets/lists/minix-base/mi

@@ -102,6 +102,7 @@
 ./etc/hostname.file                                     minix-base
 ./etc/hosts                                             minix-base
 ./etc/inet.conf                                         minix-base      obsolete
+./etc/inetd.conf                                        minix-base
 ./etc/kyua                                              minix-tests     kyua
 ./etc/man.conf                                          minix-base
 ./etc/master.passwd                                     minix-base
@@ -135,6 +136,7 @@
 ./etc/rc.d/bootconf.sh                                  minix-base
 ./etc/rc.d/fsck                                         minix-base
 ./etc/rc.d/ftpd                                         minix-base
+./etc/rc.d/inetd                                        minix-base
 ./etc/rc.d/ipfilter                                     minix-base
 ./etc/rc.d/ipsec                                        minix-base
 ./etc/rc.d/local                                        minix-base
@@ -1029,6 +1031,7 @@
 ./usr/sbin/groupinfo                                    minix-base
 ./usr/sbin/groupmod                                     minix-base
 ./usr/sbin/i2cscan                                      minix-base
+./usr/sbin/inetd                                        minix-base
 ./usr/sbin/installboot_nbsd                             minix-base
 ./usr/sbin/kernel                                       minix-base
 ./usr/sbin/link                                         minix-base

distrib/sets/lists/minix-debug/mi

@@ -601,6 +601,7 @@
 ./usr/libdata/debug/usr/sbin/diskctl.debug              minix-debug     debug
 ./usr/libdata/debug/usr/sbin/fbdctl.debug               minix-debug     debug
 ./usr/libdata/debug/usr/sbin/i2cscan.debug              minix-debug     debug
+./usr/libdata/debug/usr/sbin/inetd.debug                minix-debug     debug
 ./usr/libdata/debug/usr/sbin/installboot_nbsd.debug     minix-debug     debug
 ./usr/libdata/debug/usr/sbin/kernel.debug               minix-debug     debug
 ./usr/libdata/debug/usr/sbin/link.debug                 minix-debug     debug

distrib/sets/lists/minix-man/mi

@@ -3297,6 +3297,7 @@
 ./usr/man/man5/hosts_options.5                          minix-man
 ./usr/man/man5/http_status.5                            minix-man       obsolete
 ./usr/man/man5/httpd.conf.5                             minix-man       obsolete
+./usr/man/man5/inetd.conf.5                             minix-man
 ./usr/man/man5/info.5                                   minix-man
 ./usr/man/man5/keymap.5                                 minix-man
 ./usr/man/man5/kyua-tester-list.5                       minix-man       kyua
@@ -3415,6 +3416,7 @@
 ./usr/man/man8/ifconfig.8                               minix-man
 ./usr/man/man8/in.httpd.8                               minix-man       obsolete
 ./usr/man/man8/inet.8                                   minix-man       obsolete
+./usr/man/man8/inetd.8                                  minix-man
 ./usr/man/man8/init.8                                   minix-man
 ./usr/man/man8/installboot_nbsd.8                       minix-man
 ./usr/man/man8/intr.8                                   minix-man

etc/Makefile

@@ -321,6 +321,7 @@ install-etc-files: .PHONY .MAKE check_DESTDIR MAKEDEV
 		${BINOWN} ${BINGRP}	${BINMODE}	${NETBSDSRCDIR}/etc/ ${DESTDIR}/etc/ group \
 		${BINOWN} ${BINGRP}	${BINMODE}	${NETBSDSRCDIR}/etc/ ${DESTDIR}/etc/ hostname.file \
 		${BINOWN} ${BINGRP}	${BINMODE}	${NETBSDSRCDIR}/etc/ ${DESTDIR}/etc/ hosts \
+		${BINOWN} ${BINGRP}	${BINMODE}	${NETBSDSRCDIR}/etc/ ${DESTDIR}/etc/ inetd.conf \
 		${BINOWN} ${BINGRP}	${BINMODE}	${NETBSDSRCDIR}/etc/ ${DESTDIR}/etc/ mk.conf \
 		${BINOWN} ${BINGRP}	${BINMODE}	${NETBSDSRCDIR}/etc/ ${DESTDIR}/etc/ motd \
 		${BINOWN} ${BINGRP}	${BINMODE}	${NETBSDSRCDIR}/etc/ ${DESTDIR}/etc/ nsswitch.conf \

etc/defaults/minix.rc.conf

@@ -2,7 +2,7 @@
 
 # Override settings in NetBSD's default rc.conf with different default settings
 # for MINIX here, typically to disable scripts that NetBSD enables by default.
-#(nothing yet)
+inetd=NO
 
 # Where to find servers/drivers binaries
 PKG_SERVICE_DIR=/usr/pkg/service

etc/inetd.conf

@@ -0,0 +1,86 @@
+#	$NetBSD: inetd.conf,v 1.58 2007/10/16 02:47:14 tls Exp $
+#
+# Internet server configuration database
+#
+#	@(#)inetd.conf	8.2 (Berkeley) 3/18/94
+#
+#http		stream	tcp	nowait:600	_httpd	/usr/libexec/httpd	httpd /var/www
+#http		stream	tcp6	nowait:600	_httpd	/usr/libexec/httpd	httpd /var/www
+#ftp		stream	tcp	nowait	root	/usr/libexec/ftpd	ftpd -ll
+#ftp		stream	tcp6	nowait	root	/usr/libexec/ftpd	ftpd -ll
+#telnet		stream	tcp	nowait	root	/usr/libexec/telnetd	telnetd -a valid
+#telnet		stream	tcp6	nowait	root	/usr/libexec/telnetd	telnetd -a valid
+#shell		stream	tcp	nowait	root	/usr/libexec/rshd	rshd -L
+#shell		stream	tcp6	nowait	root	/usr/libexec/rshd	rshd -L
+#login		stream	tcp	nowait	root	/usr/libexec/rlogind	rlogind -L
+#login		stream	tcp6	nowait	root	/usr/libexec/rlogind	rlogind -L
+#exec		stream	tcp	nowait	root	/usr/libexec/rexecd	rexecd
+#exec		stream	tcp6	nowait	root	/usr/libexec/rexecd	rexecd
+#finger		stream	tcp	nowait	nobody	/usr/libexec/fingerd	fingerd -lsmu
+#finger		stream	tcp6	nowait	nobody	/usr/libexec/fingerd	fingerd -lsmu
+#ident		stream	tcp	nowait	nobody	/usr/libexec/identd	identd -l -o OTHER -e -N
+#ident		stream	tcp6	nowait	nobody	/usr/libexec/identd	identd -l -o OTHER -e -N
+#tftp		dgram	udp	wait	root	/usr/libexec/tftpd	tftpd -l -s /tftpboot
+#tftp		dgram	udp6	wait	root	/usr/libexec/tftpd	tftpd -l -s /tftpboot
+#comsat		dgram	udp	wait	root	/usr/libexec/comsat	comsat
+#comsat		dgram	udp6	wait	root	/usr/libexec/comsat	comsat
+#ntalk		dgram	udp	wait	nobody:tty	/usr/libexec/ntalkd	ntalkd
+#bootps		dgram	udp	wait	root	/usr/sbin/bootpd	bootpd
+#
+#	Games
+#
+#hunt		dgram	udp	wait	nobody	/usr/games/huntd	huntd
+#
+#	Internal services
+#
+#tcpmux		stream	tcp	nowait	root	internal
+#echo		stream	tcp	nowait	nobody	internal
+#echo		stream	tcp6	nowait	nobody	internal
+#discard	stream	tcp	nowait	nobody	internal
+#discard	stream	tcp6	nowait	nobody	internal
+#chargen	stream	tcp	nowait	nobody	internal
+#chargen	stream	tcp6	nowait	nobody	internal
+#daytime	stream	tcp	nowait	nobody	internal
+#daytime	stream	tcp6	nowait	nobody	internal
+#time		stream	tcp	nowait	nobody	internal
+#time		stream	tcp6	nowait	nobody	internal
+#echo		dgram	udp	wait	nobody	internal
+#echo		dgram	udp6	wait	nobody	internal
+#discard	dgram	udp	wait	nobody	internal
+#discard	dgram	udp6	wait	nobody	internal
+#chargen	dgram	udp	wait	nobody	internal
+#chargen	dgram	udp6	wait	nobody	internal
+#daytime	dgram	udp	wait	nobody	internal
+#daytime	dgram	udp6	wait	nobody	internal
+#time		dgram	udp	wait	nobody	internal
+#time		dgram	udp6	wait	nobody	internal
+#qotd		stream	tcp	nowait	nobody	/usr/games/fortune	fortune
+#qotd		stream	tcp6	nowait	nobody	/usr/games/fortune	fortune
+#
+#	Kerberos authenticated services
+#
+#klogin		stream	tcp	nowait	root	/usr/libexec/rlogind	rlogind -k
+#eklogin	stream	tcp	nowait	root	/usr/libexec/rlogind	rlogind -k -x
+#kshell		stream	tcp	nowait	root	/usr/libexec/rshd 	rshd -k
+#
+#	Services run ONLY on the Kerberos server
+#
+#kerberos-adm	stream	tcp	nowait	root	/usr/libexec/kadmind	kadmind
+#kerberos-adm	stream	tcp6	nowait	root	/usr/libexec/kadmind	kadmind
+#kpasswd	dgram	udp	wait	root	/usr/libexec/kpasswdd	kpasswdd
+#kpasswd	dgram	udp6	wait	root	/usr/libexec/kpasswdd	kpasswdd
+#
+# The hprop service is run on slave KDCs to receive the database from
+# the master KDC.
+#hprop		stream	tcp	nowait	root	/usr/libexec/hpropd	hpropd
+#hprop		stream	tcp6	nowait	root	/usr/libexec/hpropd	hpropd
+#
+#	RPC based services
+#
+#rstatd/1-3	dgram	rpc/udp	wait:100 nobody:kmem /usr/libexec/rpc.rstatd rpc.rstatd
+#rstatd/1-3	dgram	rpc/udp6 wait:100 nobody:kmem /usr/libexec/rpc.rstatd rpc.rstatd
+#rusersd/2-3	dgram	rpc/udp	wait:100 nobody	/usr/libexec/rpc.rusersd rpc.rusersd
+#rusersd/2-3	dgram	rpc/udp6 wait:100 nobody /usr/libexec/rpc.rusersd rpc.rusersd
+#walld/1	dgram	rpc/udp	wait	nobody:tty /usr/libexec/rpc.rwalld rpc.rwalld
+#sprayd/1	dgram	rpc/udp	wait	nobody	/usr/libexec/rpc.sprayd	rpc.sprayd
+#rquotad/1-2	dgram	rpc/udp	wait	root	/usr/libexec/rpc.rquotad rpc.rquotad

etc/rc.d/Makefile

@@ -34,7 +34,7 @@ CONFIGFILES=\
 		fsck ftpd \
 		\
 		\
-		ipfilter ipsec \
+		inetd ipfilter ipsec \
 		\
 		\
 		local \

etc/rc.d/inetd

@@ -0,0 +1,20 @@
+#!/bin/sh
+#
+# $NetBSD: inetd,v 1.7 2004/08/13 18:08:03 mycroft Exp $
+#
+
+# PROVIDE: inetd
+# REQUIRE: DAEMON LOGIN
+# KEYWORD: shutdown
+
+$_rc_subr_loaded . /etc/rc.subr
+
+name="inetd"
+rcvar=$name
+command="/usr/sbin/${name}"
+pidfile="/var/run/${name}.pid"
+required_files="/etc/${name}.conf"
+extra_commands="reload"
+
+load_rc_config $name
+run_rc_command "$1"

usr.sbin/Makefile

@@ -11,7 +11,7 @@ SUBDIR= arp \
 	\
 	\
 	\
-	i2cscan installboot \
+	i2cscan inetd installboot \
 	\
 	\
 	link \

usr.sbin/inetd/Makefile

@@ -0,0 +1,32 @@
+#	from: @(#)Makefile	8.1 (Berkeley) 6/6/93
+#	$NetBSD: Makefile,v 1.23 2009/10/22 22:50:35 tsarna Exp $
+
+.include <bsd.own.mk>
+
+USE_FORT?= yes	# network server
+
+PROG=	inetd
+SRCS=	inetd.c
+MAN=	inetd.8
+MLINKS=	inetd.8 inetd.conf.5
+
+CPPFLAGS+=-DLIBWRAP
+# Use LIBWRAP_INTERNAL for libwrap checking of inetd's `internal' services.
+#CPPFLAGS+=-DLIBWRAP_INTERNAL
+LDADD+= -lwrap -lutil
+DPADD+= ${LIBWRAP} ${LIBUTIL}
+
+.if (${USE_INET6} != "no")
+CPPFLAGS+=-DINET6
+.endif
+
+.if !defined(__MINIX)
+CPPFLAGS+=-DIPSEC
+SRCS+=	ipsec.c
+LDADD+= -lipsec
+DPADD+=	${LIBIPSEC}
+.else # defined(__MINIX)
+CPPFLAGS+=-DNO_RPC
+.endif # defined(__MINIX)
+
+.include <bsd.prog.mk>

usr.sbin/inetd/inetd.8

@@ -0,0 +1,650 @@
+.\"	$NetBSD: inetd.8,v 1.57 2011/04/25 22:12:05 wiz Exp $
+.\"
+.\" Copyright (c) 1998 The NetBSD Foundation, Inc.
+.\" All rights reserved.
+.\"
+.\" This code is derived from software contributed to The NetBSD Foundation
+.\" by Jason R. Thorpe of the Numerical Aerospace Simulation Facility,
+.\" NASA Ames Research Center.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+.\" POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" Copyright (c) 1985, 1991 The Regents of the University of California.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. Neither the name of the University nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\"     from: @(#)inetd.8       8.4 (Berkeley) 6/1/94
+.\"
+.Dd August 27, 2008
+.Dt INETD 8
+.Os
+.Sh NAME
+.Nm inetd ,
+.Nm inetd.conf
+.Nd internet
+.Dq super-server
+.Sh SYNOPSIS
+.Nm
+.Op Fl d
+.Op Fl l
+.Op Ar configuration file
+.Sh DESCRIPTION
+.Nm
+should be run at boot time by
+.Pa /etc/rc
+(see
+.Xr rc 8 ) .
+It then opens sockets according to its configuration and listens
+for connections.
+When a connection is found on one of its sockets, it decides what
+service the socket corresponds to, and invokes a program to service
+the request.
+After the program is finished, it continues to listen on the socket
+(except in some cases which will be described below).
+Essentially,
+.Nm
+allows running one daemon to invoke several others,
+reducing load on the system.
+.Pp
+The options available for
+.Nm :
+.Bl -tag -width Ds
+.It Fl d
+Turns on debugging.
+.It Fl l
+Turns on libwrap connection logging.
+.El
+.Pp
+Upon execution,
+.Nm
+reads its configuration information from a configuration
+file which, by default, is
+.Pa /etc/inetd.conf .
+The path given for this configuration file must be absolute, unless
+the
+.Fl d
+option is also given on the command line.
+There must be an entry for each field of the configuration
+file, with entries for each field separated by a tab or
+a space.
+Comments are denoted by a ``#'' at the beginning of a line.
+There must be an entry for each field (except for one
+special case, described below).
+The fields of the configuration file are as follows:
+.Pp
+.Bd -unfilled -offset indent -compact
+[addr:]service-name
+socket-type[:accept_filter]
+protocol[,sndbuf=size][,rcvbuf=size]
+wait/nowait[:max]
+user[:group]
+server-program
+server program arguments
+.Ed
+.Pp
+To specify an
+.Em Sun-RPC
+based service, the entry would contain these fields:
+.Pp
+.Bd -unfilled -offset indent -compact
+service-name/version
+socket-type
+rpc/protocol[,sndbuf=size][,rcvbuf=size]
+wait/nowait[:max]
+user[:group]
+server-program
+server program arguments
+.Ed
+.Pp
+To specify a UNIX-domain (local) socket, the entry would contain
+these fields:
+.Pp
+.Bd -unfilled -offset indent -compact
+path
+socket-type
+unix[,sndbuf=size][,rcvbuf=size]
+wait/nowait[:max]
+user[:group]
+server-program
+server program arguments
+.Ed
+.Pp
+For Internet services, the first field of the line may also have a host
+address specifier prefixed to it, separated from the service name by a colon.
+If this is done, the string before the colon in the first field
+indicates what local address
+.Nm
+should use when listening for that service, or the single character
+.Dq \&*
+to indicate
+.Dv INADDR_ANY ,
+meaning
+.Sq all local addresses .
+To avoid repeating an address that occurs frequently, a line with a
+host address specifier and colon, but no further fields, causes the
+host address specifier to be remembered and used for all further lines
+with no explicit host specifier (until another such line or the end of
+the file).
+A line
+.Dl *:
+is implicitly provided at the top of the file; thus, traditional
+configuration files (which have no host address specifiers) will be
+interpreted in the traditional manner, with all services listened for
+on all local addresses.
+.Pp
+The
+.Em service-name
+entry is the name of a valid service in
+the file
+.Pa /etc/services .
+For
+.Dq internal
+services (discussed below), the service
+name
+.Em must
+be the official name of the service (that is, the first entry in
+.Pa /etc/services ) .
+When used to specify a
+.Em Sun-RPC
+based service, this field is a valid RPC service name in
+the file
+.Pa /etc/rpc .
+The part on the right of the
+.Dq /
+is the RPC version number.
+This can simply be a single numeric argument or a range of versions.
+A range is bounded by the low version to the high version \-
+.Dq rusers/1-3 .
+.Pp
+The
+.Em socket-type
+should be one of
+.Dq stream ,
+.Dq dgram ,
+.Dq raw ,
+.Dq rdm ,
+or
+.Dq seqpacket ,
+depending on whether the socket is a stream, datagram, raw,
+reliably delivered message, or sequenced packet socket.
+.Pp
+Optionally, an
+.Xr accept_filter 9
+can be specified by appending a colon to the socket-type, followed by
+the name of the desired accept filter.
+In this case
+.Nm
+will not see new connections for the specified service until the accept
+filter decides they are ready to be handled.
+.Pp
+The
+.Em protocol
+must be a valid protocol as given in
+.Pa /etc/protocols
+or the string
+.Dq unix .
+Examples might be
+.Dq tcp
+and
+.Dq udp .
+Rpc based services are specified with the
+.Dq rpc/tcp
+or
+.Dq rpc/udp
+service type.
+.Dq tcp
+and
+.Dq udp
+will be recognized as
+.Dq TCP or UDP over default IP version .
+It is currently IPv4, but in the future it will be IPv6.
+If you need to specify IPv4 or IPv6 explicitly, use something like
+.Dq tcp4
+or
+.Dq udp6 .
+If you would like to enable special support for
+.Xr faithd 8 ,
+prepend a keyword
+.Dq faith
+into
+.Em protocol ,
+like
+.Dq faith/tcp6 .
+.Pp
+In addition to the protocol, the configuration file may specify the
+send and receive socket buffer sizes for the listening socket.
+This is especially useful for
+.Tn TCP
+as the window scale factor, which is based on the receive socket
+buffer size, is advertised when the connection handshake occurs,
+thus the socket buffer size for the server must be set on the listen socket.
+By increasing the socket buffer sizes, better
+.Tn TCP
+performance may be realized in some situations.
+The socket buffer sizes are specified by appending their values to
+the protocol specification as follows:
+.Bd -literal -offset indent
+tcp,rcvbuf=16384
+tcp,sndbuf=64k
+tcp,rcvbuf=64k,sndbuf=1m
+.Ed
+.Pp
+A literal value may be specified, or modified using
+.Sq k
+to indicate kilobytes or
+.Sq m
+to indicate megabytes.
+Socket buffer sizes may be specified for all
+services and protocols except for tcpmux services.
+.Pp
+The
+.Em wait/nowait
+entry is used to tell
+.Nm
+if it should wait for the server program to return,
+or continue processing connections on the socket.
+If a datagram server connects
+to its peer, freeing the socket so
+.Nm
+can receive further messages on the socket, it is said to be
+a
+.Dq multi-threaded
+server, and should use the
+.Dq nowait
+entry.
+For datagram servers which process all incoming datagrams
+on a socket and eventually time out, the server is said to be
+.Dq single-threaded
+and should use a
+.Dq wait
+entry.
+.Xr comsat 8
+.Pq Xr biff 1
+and
+.Xr ntalkd 8
+are both examples of the latter type of
+datagram server.
+.Xr tftpd 8
+is an exception; it is a datagram server that establishes pseudo-connections.
+It must be listed as
+.Dq wait
+in order to avoid a race;
+the server reads the first packet, creates a new socket,
+and then forks and exits to allow
+.Nm
+to check for new service requests to spawn new servers.
+The optional
+.Dq max
+suffix (separated from
+.Dq wait
+or
+.Dq nowait
+by a dot or a colon) specifies the maximum number of server instances that may
+be spawned from
+.Nm
+within an interval of 60 seconds.
+When omitted,
+.Dq max
+defaults to 40.
+If it reaches this maximum spawn rate,
+.Nm
+will log the problem (via the syslogger using the
+.Dv LOG_DAEMON
+facility and
+.Dv LOG_ERR
+level)
+and stop handling the specific service for ten minutes.
+.Pp
+Stream servers are usually marked as
+.Dq nowait
+but if a single server process is to handle multiple connections, it may be
+marked as
+.Dq wait .
+The master socket will then be passed as fd 0 to the server, which will then
+need to accept the incoming connection.
+The server should eventually time
+out and exit when no more connections are active.
+.Nm
+will continue to
+listen on the master socket for connections, so the server should not close
+it when it exits.
+.Xr identd 8
+is usually the only stream server marked as wait.
+.Pp
+The
+.Em user
+entry should contain the user name of the user as whom the server should run.
+This allows for servers to be given less permission than root.
+Optionally, a group can be specified by appending a colon to the user name,
+followed by the group name (it is possible to use a dot (``.'') in lieu of a
+colon, however this feature is provided only for backward compatibility).
+This allows for servers to run with a different (primary) group id than
+specified in the password file.
+If a group is specified and
+.Em user
+is not root, the supplementary groups associated with that user will still be
+set.
+.Pp
+The
+.Em server-program
+entry should contain the pathname of the program which is to be
+executed by
+.Nm
+when a request is found on its socket.
+If
+.Nm
+provides this service internally, this entry should
+be
+.Dq internal .
+.Pp
+The
+.Em server program arguments
+should be just as arguments
+normally are, starting with argv[0], which is the name of
+the program.
+If the service is provided internally, the
+word
+.Dq internal
+should take the place of this entry.
+It is possible to quote an argument using either single or double quotes.
+This allows you to have, e.g., spaces in paths and parameters.
+.Ss Internal Services
+.Nm
+provides several
+.Qq trivial
+services internally by use of routines within itself.
+These services are
+.Qq echo ,
+.Qq discard ,
+.Qq chargen
+(character generator),
+.Qq daytime
+(human readable time), and
+.Qq time
+(machine readable time,
+in the form of the number of seconds since midnight, January 1, 1900 GMT).
+For details of these services, consult the appropriate
+.Tn RFC .
+.Pp
+TCP services without official port numbers can be handled with the
+RFC1078-based tcpmux internal service.
+TCPmux listens on port 1 for requests.
+When a connection is made from a foreign host, the service name
+requested is passed to TCPmux, which performs a lookup in the
+service name table provided by
+.Pa /etc/inetd.conf
+and returns the proper entry for the service.
+TCPmux returns a negative reply if the service doesn't exist,
+otherwise the invoked server is expected to return the positive
+reply if the service type in
+.Pa /etc/inetd.conf
+file has the prefix
+.Qq tcpmux/ .
+If the service type has the
+prefix
+.Qq tcpmux/+ ,
+TCPmux will return the positive reply for the
+process; this is for compatibility with older server code, and also
+allows you to invoke programs that use stdin/stdout without putting any
+special server code in them.
+Services that use TCPmux are
+.Qq nowait
+because they do not have a well-known port number and hence cannot listen
+for new requests.
+.Pp
+.Nm
+rereads its configuration file when it receives a hangup signal,
+.Dv SIGHUP .
+Services may be added, deleted or modified when the configuration file
+is reread.
+.Nm
+creates a file
+.Em /var/run/inetd.pid
+that contains its process identifier.
+.Ss libwrap
+Support for
+.Tn TCP
+wrappers is included with
+.Nm
+to provide internal tcpd-like access control functionality.
+An external tcpd program is not needed.
+You do not need to change the
+.Pa /etc/inetd.conf
+server-program entry to enable this capability.
+.Nm
+uses
+.Pa /etc/hosts.allow
+and
+.Pa /etc/hosts.deny
+for access control facility configurations, as described in
+.Xr hosts_access 5 .
+.Pp
+.Em Nota Bene :
+.Tn TCP
+wrappers do not affect/restrict
+.Tn UDP
+or internal services.
+.Ss IPsec
+The implementation includes a tiny hack to support IPsec policy settings for
+each socket.
+A special form of the comment line, starting with
+.Dq Li "#@" ,
+is used as a policy specifier.
+The content of the above comment line will be treated as a IPsec policy string,
+as described in
+.Xr ipsec_set_policy 3 .
+Multiple IPsec policy strings may be specified by using a semicolon
+as a separator.
+If conflicting policy strings are found in a single line,
+the last string will take effect.
+A
+.Li "#@"
+line affects all of the following lines in
+.Pa /etc/inetd.conf ,
+so you may want to reset the IPsec policy by using a comment line containing
+only
+.Li "#@"
+.Pq with no policy string .
+.Pp
+If an invalid IPsec policy string appears in
+.Pa /etc/inetd.conf ,
+.Nm
+logs an error message using
+.Xr syslog 3
+and terminates itself.
+.Ss IPv6 TCP/UDP behavior
+If you wish to run a server for both IPv4 and IPv6 traffic,
+you will need to run two separate processes for the same server program,
+specified as two separate lines in
+.Pa /etc/inetd.conf
+using
+.Dq tcp4
+and
+.Dq tcp6
+respectively.
+Plain
+.Dq tcp
+means TCP on top of the current default IP version,
+which is, at this moment, IPv4.
+.Pp
+Under various combination of IPv4/v6 daemon settings,
+.Nm
+will behave as follows:
+.Bl -bullet -compact
+.It
+If you have only one server on
+.Dq tcp4 ,
+IPv4 traffic will be routed to the server.
+IPv6 traffic will not be accepted.
+.It
+If you have two servers on
+.Dq tcp4
+and
+.Dq tcp6 ,
+IPv4 traffic will be routed to the server on
+.Dq tcp4 ,
+and IPv6 traffic will go to server on
+.Dq tcp6 .
+.It
+If you have only one server on
+.Dq tcp6 ,
+only IPv6 traffic will be routed to the server.
+The kernel may route to the server IPv4 traffic as well,
+under certain configuration.
+See
+.Xr ip6 4
+for details.
+.El
+.Sh FILES
+.Bl -tag -width /etc/hosts.allow -compact
+.It Pa /etc/inetd.conf
+configuration file for all
+.Nm
+provided services
+.It Pa /etc/services
+service name to protocol and port number mappings.
+.It Pa /etc/protocols
+protocol name to protocol number mappings
+.It Pa /etc/rpc
+.Tn Sun-RPC
+service name to service number mappings.
+.It Pa /etc/hosts.allow
+explicit remote host access list.
+.It Pa /etc/hosts.deny
+explicit remote host denial of service list.
+.El
+.Sh SEE ALSO
+.Xr hosts_access 5 ,
+.Xr hosts_options 5 ,
+.Xr protocols 5 ,
+.Xr rpc 5 ,
+.Xr services 5 ,
+.Xr comsat 8 ,
+.Xr fingerd 8 ,
+.Xr ftpd 8 ,
+.Xr rexecd 8 ,
+.Xr rlogind 8 ,
+.Xr rshd 8 ,
+.Xr telnetd 8 ,
+.Xr tftpd 8
+.Rs
+.%A J. Postel
+.%R RFC
+.%N 862
+.%D May 1983
+.%T "Echo Protocol"
+.Re
+.Rs
+.%A J. Postel
+.%R RFC
+.%N 863
+.%D May 1983
+.%T "Discard Protocol"
+.Re
+.Rs
+.%A J. Postel
+.%R RFC
+.%N 864
+.%D May 1983
+.%T "Character Generator Protocol"
+.Re
+.Rs
+.%A J. Postel
+.%R RFC
+.%N 867
+.%D May 1983
+.%T "Daytime Protocol"
+.Re
+.Rs
+.%A J. Postel
+.%A K. Harrenstien
+.%R RFC
+.%N 868
+.%D May 1983
+.%T "Time Protocol"
+.Re
+.Rs
+.%A M. Lottor
+.%R RFC
+.%N 1078
+.%D November 1988
+.%T "TCP port service Multiplexer (TCPMUX)"
+.Re
+.Sh HISTORY
+The
+.Nm
+command appeared in
+.Bx 4.3 .
+Support for
+.Em Sun-RPC
+based services is modeled after that
+provided by SunOS 4.1.
+Support for specifying the socket buffer sizes was added in
+.Nx 1.4 .
+In November 1996, libwrap support was added to provide
+internal tcpd-like access control functionality;
+libwrap is based on Wietse Venema's tcp_wrappers.
+IPv6 support and IPsec hack was made by KAME project, in 1999.
+.Sh BUGS
+Host address specifiers, while they make conceptual sense for RPC
+services, do not work entirely correctly.
+This is largely because the portmapper interface does not provide
+a way to register different ports for the same service on different
+local addresses.
+Provided you never have more than one entry for a given RPC service,
+everything should work correctly (Note that default host address
+specifiers do apply to RPC lines with no explicit specifier.)
+.Pp
+.Dq tcpmux
+on IPv6 is not tested enough.
+.Sh SECURITY CONSIDERATIONS
+Enabling the
+.Dq echo ,
+.Dq discard ,
+and
+.Dq chargen
+built-in trivial services is not recommended because remote
+users may abuse these to cause a denial of network service to
+or from the local host.

usr.sbin/inetd/ipsec.c

@@ -0,0 +1,159 @@
+/*	$NetBSD: ipsec.c,v 1.4 2012/01/04 16:09:43 drochner Exp $	*/
+
+/*
+ * Copyright (C) 1999 WIDE Project.
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <sys/param.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <ctype.h>
+
+#ifdef IPSEC
+#include <netipsec/ipsec.h>
+#ifndef IPSEC_POLICY_IPSEC	/* no ipsec support on old ipsec */
+#undef IPSEC
+#endif
+#endif
+
+#include "ipsec.h"
+
+#ifdef IPSEC
+int
+ipsecsetup(int af, int fd, const char *policy)
+{
+	char *p0, *p;
+	int error;
+
+	if (!policy || policy == '\0')
+		p0 = p = strdup("in entrust; out entrust");
+	else
+		p0 = p = strdup(policy);
+
+	error = 0;
+	for (;;) {
+		p = strtok(p, ";");
+		if (p == NULL)
+			break;
+		while (*p && isspace((unsigned char)*p))
+			p++;
+		if (!*p) {
+			p = NULL;
+			continue;
+		}
+		error = ipsecsetup0(af, fd, p, 1);
+		if (error < 0)
+			break;
+		p = NULL;
+	}
+
+	free(p0);
+	return error;
+}
+
+int
+ipsecsetup_test(const char *policy)
+{
+	char *p0, *p;
+	char *buf;
+	int error;
+
+	if (!policy)
+		return -1;
+	p0 = p = strdup(policy);
+	if (p == NULL)
+		return -1;
+
+	error = 0;
+	for (;;) {
+		p = strtok(p, ";");
+		if (p == NULL)
+			break;
+		while (*p && isspace((unsigned char)*p))
+			p++;
+		if (!*p) {
+			p = NULL;
+			continue;
+		}
+		buf = ipsec_set_policy(p, (int)strlen(p));
+		if (buf == NULL) {
+			error = -1;
+			break;
+		}
+		free(buf);
+		p = NULL;
+	}
+
+	free(p0);
+	return error;
+}
+
+int
+ipsecsetup0(int af, int fd, const char *policy, int commit)
+{
+	int level;
+	int opt;
+	char *buf;
+	int error;
+
+	switch (af) {
+	case AF_INET:
+		level = IPPROTO_IP;
+		opt = IP_IPSEC_POLICY;
+		break;
+#ifdef INET6
+	case AF_INET6:
+		level = IPPROTO_IPV6;
+		opt = IPV6_IPSEC_POLICY;
+		break;
+#endif
+	default:
+		return -1;
+	}
+
+	buf = ipsec_set_policy(policy, (int)strlen(policy));
+	if (buf != NULL) {
+		error = 0;
+		if (commit && setsockopt(fd, level, opt,
+		    buf, (socklen_t)ipsec_get_policylen(buf)) < 0) {
+			error = -1;
+		}
+		free(buf);
+	} else
+		error = -1;
+	return error;
+}
+#endif

usr.sbin/inetd/ipsec.h

@@ -0,0 +1,34 @@
+/*	$NetBSD: ipsec.h,v 1.1 2000/01/31 14:28:20 itojun Exp $	*/
+
+/*
+ * Copyright (C) 1999 WIDE Project.
+ * All rights reserved.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ * 
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+extern int ipsecsetup __P((int, int, const char *));
+extern int ipsecsetup_test __P((const char *));
+extern int ipsecsetup0 __P((int, int, const char *, int));

usr.sbin/inetd/pathnames.h

@@ -0,0 +1,36 @@
+/*	$NetBSD: pathnames.h,v 1.7 2003/08/07 11:25:22 agc Exp $	*/
+
+/*
+ * Copyright (c) 1989 The Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	from: @(#)pathnames.h	8.1 (Berkeley) 6/6/93
+ */
+
+#include <paths.h>
+
+#define	_PATH_INETDCONF	"/etc/inetd.conf"