tcprules - compiles rules for tcpserver


tcpserver optionally follows rules to decide whether a TCP connection is acceptable.

IPv4 Addresses

For example, the rule

prohibits connections from IP address Ranges of IPv4 addresses can defined in a class-dependend manner


or by means of a range of contiguous addresses

In addition, a CIDR notation can be used instead. The rule


accepts any connections from the loopback net.

The bit-length of the given IP address (after expansion) has at least to match number of net-prefix bits. Otherwise, a syntax error is displayed.

Note: Always IP addresses with the longest matching prefix are considered.

IPv6 Addresses

tcprules understands compactified IPv6 addresses in standard CIDR notation. The rule


rejects any IPv6 packet from a single host while


can be used to block an entire IPv6 (sub-)net, in case the net-prefix (here: /48) is provided.

Note: Since the IPv6 address on input is evaluated in it's compactified format, simply include the final '::' for convenience. The resulting address is truncated to the number of provided prefix bits.


tcprules reads rules from its standard input and writes them into cdb in a binary format suited for quick access by tcpserver. Typically

tcprules rules.cdb rules.tmp < rules.txt

tcprules can be used while tcpserver is running. It ensures that cdb is updated atomically. It does this by first writing the rules to tmp and then moving tmp on top of cdb. If tmp already exists, it is destroyed. The directories containing cdb and tmp # must be writable to tcprules; they must also be on the same filesystem.

If there is a problem with the input or with tmp, tcprules complains and leaves cdb alone.

The binary cdb format is portable across machines.

Rule Format

A rule is one line. A file containing rules may also contain comments: lines beginning with # are ignored.

Each rule contains an address, a colon, and a list of instructions, with no extra spaces. When receives a connection from that address, it follows the instructions.


tcpserver looks for rules with various addresses:

  5. shorter and shorter prefixes of $TCPREMOTEIP ending with a dot;
  6. $TCPREMOTEIP/PREFIX where $TCPREMOTEIP considering in order the longest matching provided PREFIX;
  7. shorter and shorter suffixes of $TCPREMOTEHOST starting with a dot, preceded by =, if $TCPREMOTEHOST is set;
  8. =, if $TCPREMOTEHOST is set; and finally
  9. the empty string.

tcpserver uses the first rule it finds. You should use the -p option to tcpserver if you rely on $TCPREMOTEHOST here.

For example, here are some rules:


If $TCPREMOTEIP is, tcpserver will follow the third instructions.

If $TCPREMOTEIP is, tcpserver will follow the second instructions.

If $TCPREMOTEIP is and $TCPREMOTEINFO is bill, tcpserver will follow the fourth instructions.

If $TCPREMOTEIP is and $TCPREMOTEINFO is joe, tcpserver will follow the first instructions.

You can use tcprulescheck to see how tcpserver will interpret rules in cdb.


The instructions in a rule must begin with either allow or deny. deny tells to drop the connection without running anything. For example, the rule


tells tcpserver to drop all connections that aren't handled by more specific rules.

The instructions may continue with some environment variables, in the form var="x". tcpserver adds an environment variable $varx. For example,


adds an environment variable $RELAYCLIENT with value The quotes may be replaced by any repeated character:


Any number of variables may be listed:,RELAYCLIENT="",TCPLOCALHOST=""

See Also

tcpserver(1), tcprulescheck(1), argv0(1), fixcrio(1), recordio(1), rblsmtpd(1), tcpclient(1), who@(1), date@(1), finger@(1), http@(1), tcpcat(1), mconnect(1), tcp-environ(5)