tcprules(1)
NAME
tcprules - compile rules for tcpserver
SYNOPSIS
tcprules rules.cdb rules.tmp
OVERVIEW
tcpserver optionally follows rules to decide whether a TCP connection
is acceptable. For example, a rule of
18.23.0.32:deny
prohibits connections from IP address 18.23.0.32.
tcprules reads rules from its standard input and writes them into
rules.cdb in a binary format suited for quick access by tcpserver.
tcprules can be used while tcpserver is running: it ensures that
rules.cdb is updated atomically. It does this by first writing the
rules to rules.tmp and then moving rules.tmp on top of rules.cdb. If
rules.tmp already exists, it is destroyed. The directories containing
rules.cdb and rules.tmp must be writable to tcprules; they must also be
on the same filesystem.
If there is a problem with the input, tcprules complains and leaves
rules.cdb alone.
The binary rules.cdb format is portable across machines.
RULE FORMAT
A rule takes up one line. A file containing rules may also contain
comments: lines beginning with # are ignored.
Each rule contains an address, a colon, and a list of instructions,
with no extra spaces. When tcpserver receives a connection from that
address, it follows the instructions.
ADDRESSES
tcpserver starts by looking for a rule with address
TCPREMOTEINFO@TCPREMOTEIP. If it doesn't find one, or if TCPREMOTEINFO is not
set, it tries the address TCPREMOTEIP. If that doesn't work, it tries
shorter and shorter prefixes of TCPREMOTEIP ending with a dot. If none
of them work, it tries the empty string.
For example, here are some rules:
joe@127.0.0.1:first
18.23.0.32:second
127.:third
:fourth
::1:fifth
If TCPREMOTEIP is 10.119.75.38, tcpserver will follow the fourth
instructions.
If TCPREMOTEIP is ::1, tcpserver will follow the fifth instructions.
Note that you cannot detect IPv4 mapped addresses by matching "::ffff",
as those addresses will be converted to IPv4 before looking at the
rules.
If TCPREMOTEIP is 18.23.0.32, tcpserver will follow the second
instructions.
If TCPREMOTEINFO is bill and TCPREMOTEIP is 127.0.0.1, tcpserver will
follow the third instructions.
If TCPREMOTEINFO is joe and TCPREMOTEIP is 127.0.0.1, tcpserver will
follow the first instructions.
ADDRESS RANGES
tcprules treats 1.2.3.37-53:ins as an abbreviation for the rules
1.2.3.37:ins, 1.2.3.38:ins, and so on up through 1.2.3.53:ins.
Similarly, 10.2-3.:ins is an abbreviation for 10.2.:ins and 10.3.:ins.
INSTRUCTIONS
The instructions in a rule must begin with either allow or deny. deny
tells tcpserver to drop the connection without running anything. For
example, the rule
:deny
tells tcpserver to drop all connections that aren't handled by more
specific rules.
The instructions may continue with some environment variables, in the
format ,VAR="VALUE". tcpserver adds VAR=VALUE to the current
environment. For example,
10.0.:allow,RELAYCLIENT="@fix.me"
adds RELAYCLIENT=@fix.me to the environment. The quotes here may be
replaced by any repeated character:
10.0.:allow,RELAYCLIENT=/@fix.me/
Any number of variables may be listed:
127.0.0.1:allow,RELAYCLIENT="",TCPLOCALHOST="movie.edu"
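The lookup order described under ADDRESSES, the range abbreviations under ADDRESS RANGES and the ,VAR="VALUE" instruction syntax above, modelled together in one added Python example. This is not ucspi-tcp code: rules.cdb is replaced by a dict, how an IPv6 address such as ::1 is separated from the rule's own colon is an assumption (split at the last colon before the first comma), and range expansion is only applied to dotted IPv4 addresses, since the page shows no IPv6 range syntax. The sample rule set is the one the ADDRESSES section walks through, so running the block reproduces its five lookups; a malformed line raises before any table is returned, which is the property the OVERVIEW relies on when tcprules leaves rules.cdb alone.

```python
"""Model of the rule semantics in tcprules(1) (added example, not ucspi-tcp
code): rules live in a dict instead of rules.cdb; lookup order and range
expansion follow the ADDRESSES and ADDRESS RANGES sections."""
import re

# Assumption: NN-MM ranges are only expanded in dotted IPv4 addresses; the
# page shows no IPv6 range syntax, so addresses containing ':' are kept as-is.
_RANGE = re.compile(r'(\d+)-(\d+)')


def expand_ranges(addr):
    """1.2.3.37-53 -> 1.2.3.37 .. 1.2.3.53 ; 10.2-3. -> 10.2., 10.3."""
    m = None if ':' in addr else _RANGE.search(addr)
    if not m:
        return [addr]
    lo, hi = int(m.group(1)), int(m.group(2))
    if lo > hi:
        raise ValueError('bad range in %r' % addr)
    out = []
    for n in range(lo, hi + 1):  # recurse so a second range is expanded too
        out.extend(expand_ranges(addr[:m.start()] + str(n) + addr[m.end():]))
    return out


def compile_rules(text):
    """What tcprules does: rule text in, lookup table out (dict, not cdb).
    Raises on the first bad line, so a caller can keep its old table the
    way tcprules leaves rules.cdb alone on bad input."""
    table = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith('#'):   # comments are ignored
            continue
        # Assumption: the page does not say how an IPv6 address like ::1 is
        # told from the rule's own colon; split at the last colon before the
        # first comma (allow/deny contain no colon, env values follow a comma).
        idx = line.split(',', 1)[0].rfind(':')
        if idx < 0:
            raise ValueError('line %d: no colon in %r' % (lineno, line))
        for a in expand_ranges(line[:idx]):
            table[a] = line[idx + 1:]
    return table


def lookup(table, remote_ip, remote_info=None):
    """Return (matched_key, instructions) in tcpserver's search order."""
    # IPv4-mapped addresses are converted to IPv4 before the rules are read.
    if remote_ip.lower().startswith('::ffff:') and '.' in remote_ip:
        remote_ip = remote_ip[len('::ffff:'):]
    candidates = []
    if remote_info is not None:                # TCPREMOTEINFO@TCPREMOTEIP
        candidates.append(remote_info + '@' + remote_ip)
    candidates.append(remote_ip)               # TCPREMOTEIP
    i = remote_ip.rfind('.')
    while i >= 0:                              # shorter prefixes ending in '.'
        candidates.append(remote_ip[:i + 1])
        i = remote_ip.rfind('.', 0, i)
    candidates.append('')                      # the empty-string catch-all
    for key in candidates:
        if key in table:
            return key, table[key]
    return None, None


def parse_instructions(ins):
    """'allow,VAR="VALUE",...' -> ('allow', {'VAR': 'VALUE'}); the quote
    may be any repeated character, e.g. RELAYCLIENT=/@fix.me/."""
    verdict = next((v for v in ('allow', 'deny') if ins.startswith(v)), None)
    if verdict is None:
        raise ValueError('instructions must begin with allow or deny: %r' % ins)
    env, pos = {}, len(verdict)
    while pos < len(ins):
        eq = ins.find('=', pos + 1)
        if ins[pos] != ',' or eq <= pos + 1 or eq + 1 >= len(ins):
            raise ValueError('expected ,VAR=<q>VALUE<q> at %d in %r' % (pos, ins))
        name, delim = ins[pos + 1:eq], ins[eq + 1]
        end = ins.find(delim, eq + 2)          # value runs to the same char
        if end < 0:
            raise ValueError('unterminated value for %s in %r' % (name, ins))
        env[name] = ins[eq + 2:end]
        pos = end + 1
    return verdict, env


# Constructed input: the rule set from the manpage's ADDRESSES section.
SAMPLE_RULES = """# constructed sample
joe@127.0.0.1:first
18.23.0.32:second
127.:third
:fourth
::1:fifth
"""

if __name__ == '__main__':
    t = compile_rules(SAMPLE_RULES)
    for info, ip in [(None, '10.119.75.38'), (None, '::1'), (None, '18.23.0.32'),
                     ('bill', '127.0.0.1'), ('joe', '127.0.0.1')]:
        print(info, ip, '->', lookup(t, ip, info))
```

The lookup returns the key that matched as well as the instructions, which is the piece of information you want when a rule set does not behave as expected: it tells you which of the prefix, user@address or catch-all entries actually won for a given TCPREMOTEIP.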
SEE ALSO
tcprulescheck(1), tcpserver(1), tcp-environ(5)