tcprules - compile rules for tcpserver and sslserver
tcprules cdb tmp
tcpserver and sslserver optionally follow rules to decide whether a TCP
connection is acceptable. A rule typically consists of the tokens
'address', 'instruction', and 'expression': the 'address' selects the
connections to which the 'instruction' applies, and the optional
expressions provide environment variables for that connection. The
'address' token can be given as an IPv4/IPv6 address in CIDR format, or,
if prefixed with an equal sign (=), as a hostname/FQDN that is subject to
DNS qualification. Environment variables given in a rule are promoted
into the environment of the matching connection; their values may
include ':'. Instructions are allow and deny.
IPv4 ADDRESSES BASED RULES
For example, the rule
prohibits connections from IP address 126.96.36.199. Ranges of IPv4
addresses can be defined in a class-dependent manner
or by means of a range of contiguous addresses
Alternatively, CIDR notation can be used. The rule
accepts any connections from the loopback net. The number of address
digits given should roughly match the length of the subnet prefix in
bits and must not be fewer.
The bit length of the given IP address must be at least the number of
net-prefix bits; otherwise, a syntax error is displayed.
Note: IP addresses with the longest matching prefix are always
IPv6 ADDRESSES BASED RULES
tcprules understands compressed IPv6 addresses in standard CIDR
notation. The rule
rejects any IPv6 packet from a single host, while
is the mapped IPv4 address.
tcprules reads rules from its standard input and writes them into cdb
in a binary format suited for quick access by tcpserver. Typically:
tcprules rules.cdb rules.tmp < rules.txt
tcprules can be used while tcpserver or sslserver is running. It
ensures that cdb is updated atomically. It does this by first writing
the rules to tmp and then moving tmp on top of cdb. If tmp already
exists, it is destroyed. The directories containing cdb and tmp must be
writable to tcprules; they must also be on the same filesystem.
If there is a problem with the input or with tmp, tcprules complains
and leaves cdb alone.
The binary cdb format is portable across machines.
A rule is one line. A file containing rules may also contain comments:
lines beginning with # are ignored.
Each rule contains an address, a question mark, an instruction, and
optionally a list of expressions, with no extra spaces. When tcpserver
receives a connection from that address, it follows the instruction and
evaluates the expressions.
tcpserver looks for rules with various addresses:
1. $TCPREMOTEINFO@$TCPREMOTEIP, if $TCPREMOTEINFO is set;
2. $TCPREMOTEINFO@=$TCPREMOTEHOST, if $TCPREMOTEINFO is set and
$TCPREMOTEHOST is set;
4. =$TCPREMOTEHOST, if $TCPREMOTEHOST is set;
5. shorter and shorter prefixes of $TCPREMOTEIP ending with a dot;
6. $TCPREMOTEIP/PREFIX considering in order the longest matching
7. shorter and shorter suffixes of $TCPREMOTEHOST starting with a
dot, preceded by =, if $TCPREMOTEHOST is set;
If $TCPREMOTEIP is 10.119.75.38, tcpserver will follow the third
If $TCPREMOTEIP is 188.8.131.52, tcpserver will follow the second
If $TCPREMOTEIP is 127.0.0.1 and $TCPREMOTEINFO is bill, tcpserver will
follow the fourth instruction.
If $TCPREMOTEIP is 127.0.0.1 and $TCPREMOTEINFO is joe, tcpserver will
follow the first instruction.
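The lookup order above, modelled in Python as an added illustration (this is not tcprules or tcpserver source). A dict stands in for the compiled cdb; the positions of the exact-address lookup and of an empty-address catch-all rule are assumptions, and every rule address and connection value below is constructed for the demo.

```python
import ipaddress

def ip_prefix_keys(ip):
    """Shorter and shorter prefixes of a dotted IPv4 address, each ending
    with a dot: '10.1.2.3' -> ['10.1.2.', '10.1.', '10.']"""
    parts = ip.split(".")
    return [".".join(parts[:n]) + "." for n in range(len(parts) - 1, 0, -1)]

def host_suffix_keys(host):
    """Shorter and shorter suffixes of the hostname starting with a dot,
    preceded by '=': 'mail.example.org' -> ['=.example.org', '=.org']"""
    labels = host.split(".")
    return ["=." + ".".join(labels[n:]) for n in range(1, len(labels))]

def longest_cidr_key(rules, ip):
    """Return the CIDR rule address containing ip with the longest prefix
    (longest matching prefix wins), or None if no CIDR rule matches."""
    addr = ipaddress.ip_address(ip)
    best = None
    for key in rules:
        if "/" not in key:
            continue
        try:
            net = ipaddress.ip_network(key, strict=False)
        except ValueError:
            continue  # not a CIDR address (e.g. a hostname rule)
        if addr in net and (best is None or net.prefixlen > best[1]):
            best = (key, net.prefixlen)
    return best[0] if best else None

def lookup(rules, ip, host=None, info=None):
    """Return (matched address, instruction) for one connection, trying
    candidate addresses in the order the man page lists them."""
    keys = []
    if info:
        keys.append(f"{info}@{ip}")                 # 1.
        if host:
            keys.append(f"{info}@={host}")          # 2.
    keys.append(ip)                # exact address rule (assumed position)
    if host:
        keys.append(f"={host}")                     # 4.
    keys.extend(ip_prefix_keys(ip))                 # 5. dotted prefixes
    cidr = longest_cidr_key(rules, ip)              # 6. longest CIDR prefix
    if cidr:
        keys.append(cidr)
    if host:
        keys.extend(host_suffix_keys(host))         # 7. hostname suffixes
    keys.append("")                # assumed catch-all, e.g. a final deny
    for key in keys:
        if key in rules:
            return key, rules[key]
    return None, None

# Constructed rule set standing in for the compiled cdb.
RULES = {"joe@127.0.0.1": "deny", "127.": "allow", "10.0.0.0/8": "deny",
         "10.1.2.0/24": "allow", "=.example.org": "allow", "": "deny"}
```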
You can use tcprulescheck to see how tcpserver will interpret rules in
The instructions in a rule must begin with either allow or deny. deny
tells tcpserver to drop the connection without running anything. For
example, the rule
tells tcpserver to drop all connections that aren't handled by more
The instructions may continue with further expressions that set
environment variables, in the form var="x". tcpserver and sslserver
add an environment variable $var with value x. For example,
adds an environment variable $RELAYCLIENT with value @fix.me. The
quotes may be replaced by any repeated character:
Any number of variables may be listed:
tcpserver(1), tcprulescheck(1), argv0(1), fixcrio(1), recordio(1),
rblsmtpd(1), tcpclient(1), who@(1), date@(1), finger@(1), http@(1),
tcpcat(1), mconnect(1), tcp-environ(5)