UCSPI-TCP6

tcpserver - accept incoming IPv4/IPv6 TCP connections and invoke application

Purpose

tcpserver allows applications to accept TCP connections in a chroot environment. Unlike inetd or xinetd it is not a `super daemon` but works for individual connections in the user space.

tcpserver can listen to any IPv4/IPv6 address and any port. It also supports binding to all local IPv4 and IPv6 addresses (simultaneously).

Reversely, incoming IP/TCP connections are usually under control of tcprules allowing filtering on IP addresses and DNS informations. Remote clients thus can be qualified prior of accepting a TCP session which could be understood as user-level firewall.

Application support

Applications are enabled by means of tcpserver to communication with the network via the standard file descriptors

FD 0: Reading from the network.
FD 1: Writing to the network.

Application may be supplied with any arguments on call.

While typically tcpserver is invoked by root, the application is executed in a chroot enviroment with restricted permissons only. Therefore, one sets

-u uid and
-g gid

upon calling tcpserver.

tcpserver spawns and instantiates a new copy of application whose concurrent number can be limited providing -c limit.

The application may be fed with several connection relevant informations pushed in its environment for further usage.

Local binding

tcpserver usually uses the host's primary IP address, but can otherwise bind to any IPv4 and/or IPv6 address of the system and to any port (given the required permissions) as defined by

host (or the IPv4, the IPv6 address; or 0, ::, :0);
port (if port equals '0', a free port is chosen),
-I ifname

Here,

0 are all available IPv4 addresses (upon invocation),
:: are all available IPv6 addresses (upon invocation), or
:0 providing IPv4/IPv6 dual-stack binding.

tcpserver will allow to bind to IPv6 LLU addresses, in case additionally the interface name is provided. Beware, that LLU address are in particular subject of SLAAC changes.

Name resolution

tcpserver reads the environment variable DNSCACHEIP which can be used to specify the recursive DNS Resolver.

If not given, tcpserver uses the nameserver entries provided in /etc/resolv.conf.

Network settings and connections from the remote client

Prior to spawning the application and forking new instance of tcpserver the parent can be advised to evaluate several IP and DNS connection conditions which are subject of the client's IP and potentially the evaluated DNS and IDENT informations:

IP-based:

A TCP session given by its undoubtful IPv4/IPv6 address can be accepted or denied.
The IP addresses (given in CIDR notation) can be whiteliested (IP:accecpt) or blacklisted (IP:deny according to the information in a Constant Data Base (CDB) which is consulted on the fly and of course prior to accept the TCP session.
The IP address for accepted session is visible by the applicated and may be given in the environment variable TCP(6)REMOTEIP and TCP(6)REMOTEPORT.

DNS-based:

-h
Query the inverse IP-name via i6.arpa or in-addr.arpa and the authoritative Name Server followed by a query of the remotehost name via a PTR lookup (default).
-p
Require that the incoming IP address matches those from the A/AAAA DNS lookup of the authoritative Name Server (paranoid) .
>Now, TCP(6)REMOTEHOST is correctly populated and available by the invoked application.

User-based:

-r
IDENT/TAP lookup applying a -t timeout (default: 26 secs).
-R
IDENT/TAP lookup disabled (default).

IDENT/TP lookup are disabled by default; in the current Internet they are mostly obsolete.

Apart from those possibilities, some unusual settings are available:

-B banner
Send 'banner' as greeting string to the remote client.
-b backlog
Allow backlog simultaneous SYNs received.
-o
Allow source routing of IP packets (default: no).
-d
Delay sending of data for a fraction of a second (default: no).

Controlling remote connection behavior via tcprules

tcpserver can be advised to read one or more cdb's prior to accepting a TCP connection including additional policy informations how to handle a connection and which environment variables to be exported to the application:

-y iprules.cdb
Early evaluation of the IP information according to iprules.cdb happening prior of the DNS lookup.
-x tcprules.cdb
Require a file tcprules.cdb, read and follow its instructions.
-X Don't reqiure neither iprules.cdb nor tcprules.cdb to exist, but read its content if given.
iprules.cdb and tcprules.cdb can be identical.

In order to operate successfully, tcpserver supplies tcprules with the following data to be compared against a database (cdb):

The IP address of the remote client (always),
the hostname (given a DNS lookup),
the identity of the remote caller (given a IDENT lookup).

tcprules allows to include (line-by-line) IP addresses:

Single IPv4 addresses: 127.0.0.1.
IPv4 addresses ranges: 127.0.0.1-14.
IPv4 nets: 127.0.0. Default IP net masks are irrelevant here.
IPv4 addresses in CDIR notation: 127./8. Here, the given values (before the slash '/'), has to have a bit length matching at least the length of the network prefix.
IPv6 addresses are given in ther compactified format: 2001:470:1f0a:58c::2.
IPv6 CIDR addresses are respected as well: 2001:470/28.

tcprules supports DNS names as well, which are distinguished from IP adresses by a leading equal sign ('='):

The full FQDN of a host: =host.example.com.
A network address: =.outlook.com.
All hosts with a DNS name successfully looked up: =.

These keys are evaluated in 'best matching order': More precise matches have precedence over weaker matches. The key is followed by a colon ':' to enable ...

Binary rules can be set up:

deny a connection,
allow a connection and provide additional environment variables for the application.

Additional parameters given:

Given a allow additional parameters can be given to the called application:

The parameter list introduced and separated by a comma: PARM1,PARM2,PARM3, ....
The parameters are typically given in upper case and provided a (unset) environment variables.
The parmeters can be enhanced by values following the equal signe ('=') and the values are typically enclosed in single or double apostrophes: PARM1="undefied",PARM2='10',PARM3="no particular value" and those values are now present in the environment.

TCP connection management and spawning

Upon invocation from an accepted TCP client tcpserver spawns a new instance while setting up the environment and invoking the application.

TCP connections can be restricted by

(global) -c n, where n is the number of active concurrent tcpserver instances and thus called applications. The default is 40.
(gobal) $MAXCONIP is the number of maximum TCP connections from one single IPv4/IPv6 source given as environment variable resulting to limit the number of children for each uniqe IP address.
(restricted) $MAXCONIP to be provided within a cdb to define a (typically small) value for a given network range or single IP address to be used now as limit to accepted TCP connections from that range for each unique IP address.

In the last case, tcpserver can limit the number of concurrent connections from a single source (or a network range) to 'n' instances prior of calling application and thus preventing a denial of service (DoS) attack. In order to work and trigger the MACONIP feature, an initial (global) value of $MAXCONIP is required. These may be overruled by the settings given according to tcprules which don't require a new start of tcpserver.

Environment variables set

tcpserver sets up several environment variables available for the application, as described in tcp-environ:

PROTO is either TCP or TCP6.
The interface name for IPv6 connections: TCP6INTERFACE.
The local information: TCPLOCALIP, TCP6LOCALIP, TCPLOCALPORT, TCP6LOCALPORT, TCPLOCALHOST, TCP6LOCALHOST.
The remote IP/TCP data for the connection: TCPREMOTEIP, TCP6REMOTEIP together with TCPREMOTEPORT and TCP6REMOTEPORT.

DNS (TCPREMOTEHOST, TCP6REMOTEHOST) and the IDENT (TCPREMOTEINFO) informations are optional and depending on the arguments supplied.

Logging

Invoking tcpserver with the options

-v and optionally
-l localname

will provide a logging of the session on FD=2 including (if possible) the hostname, as well as the used IP addresses and ports of the peers. A DNS lookup for the localhost can be avoided and substitued by a generic name. The displayed IP addresses are shown either as generic IPv4 or as compactified IPv6 addresses.