tcprules — compiles rules for tcpserver(1)
tcprules cdb tmp
tcpserver(1) optionally follows rules to decide whether a TCP connection is acceptable.
For example, the rule
18.23.0.32:deny
prohibits connections from IP address 18.23.0.32.
tcprules reads rules from its standard input and writes them into cdb in a binary format suited for quick access by tcpserver(1).
tcprules can be used while tcpserver(1) is running. It ensures that cdb is updated atomically. It does this by first writing the rules to tmp and then moving tmp on top of cdb. If tmp already exists, it is destroyed. The directories containing tmp and cdb must be writable to tcprules; they must also be on the same filesystem.
If there is a problem with the input or with tmp, tcprules complains and leaves cdb alone.
The binary cdb format is portable across machines.
A rule is one line. A file containing rules may also contain comments: lines beginning with # are ignored.
Each rule contains an address, a colon, and a list of instructions, with no extra spaces. When tcpserver(1) receives a connection from that address, it follows the instructions.
tcpserver(1) looks for rules with various addresses:
  TCPREMOTEINFO@TCPREMOTEIP, if TCPREMOTEINFO is set;
  TCPREMOTEINFO@=TCPREMOTEHOST, if TCPREMOTEINFO is set and TCPREMOTEHOST is set;
  TCPREMOTEIP;
  =TCPREMOTEHOST, if TCPREMOTEHOST is set;
  shorter and shorter prefixes of TCPREMOTEIP ending with a dot;
  shorter and shorter suffixes of TCPREMOTEHOST starting with a dot, preceded by =, if TCPREMOTEHOST is set;
  =, if TCPREMOTEHOST is set; and finally
  the empty string.
tcpserver(1) uses the first rule it finds. You should use the -p option to tcpserver(1) if you rely on TCPREMOTEHOST here.
For example, here are some rules:
joe@127.0.0.1:first
18.23.0.32:second
:third
127.:fourth
If TCPREMOTEIP is 10.119.75.38, tcpserver(1) will follow the third instructions.
If TCPREMOTEIP is 18.23.0.32, tcpserver(1) will follow the second instructions.
If TCPREMOTEIP is 127.0.0.1 and TCPREMOTEINFO is bill, tcpserver(1) will follow the fourth instructions.
If TCPREMOTEIP is 127.0.0.1 and TCPREMOTEINFO is joe, tcpserver(1) will follow the first instructions.
You can use tcprulescheck(1) to see how tcpserver(1) will interpret the rules in cdb.
tcprules treats 1.2.3.37-53:ins as an abbreviation for the rules 1.2.3.37:ins, 1.2.3.38:ins, and so on up through 1.2.3.53:ins. Similarly, 10.2-3.:ins is an abbreviation for 10.2.:ins and 10.3.:ins.
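The lookup order and the range abbreviations above, modelled in Python as an added example (not ucspi-tcp's own code, which reads the compiled cdb): it expands ranges, parses rule lines, and returns the first rule tcpserver(1) would find for a given TCPREMOTEIP, TCPREMOTEHOST and TCPREMOTEINFO. The rule text is constructed from the man page's example; the function and variable names are this example's own.

```python
import re
# Constructed sample input: the man page's example rules plus one range abbreviation.
EXAMPLE_RULES = "joe@127.0.0.1:first\n18.23.0.32:second\n:third\n127.:fourth\n10.2-3.:fifth\n"

def expand_address(addr):
    """Expand one range abbreviation (1.2.3.37-53, 10.2-3.) into its addresses."""
    m = re.search(r'(\d+)-(\d+)', addr)
    if not m: return [addr]
    return [addr[:m.start()] + str(n) + addr[m.end():]
            for n in range(int(m.group(1)), int(m.group(2)) + 1)]

def parse_rules(text):
    """Parse 'address:instructions' lines; '#' lines are comments, first rule wins."""
    rules = {}
    for line in text.splitlines():
        if not line or line.startswith('#'):
            continue
        addr, sep, instr = line.partition(':')
        if not sep:
            raise ValueError(f"no colon in rule {line!r}")  # tcprules would complain
        for a in expand_address(addr):
            rules.setdefault(a, instr)  # the cdb returns the first entry for a key
    return rules

def candidate_keys(ip, host=None, info=None):
    """Addresses tcpserver looks up, in the order the man page lists them."""
    keys = []
    if info is not None:
        keys.append(f"{info}@{ip}")
        if host is not None:
            keys.append(f"{info}@={host}")
    keys.append(ip)
    if host is not None:
        keys.append(f"={host}")
    octets = ip.split('.')
    for n in range(len(octets) - 1, 0, -1):      # 10.119.75.  10.119.  10.
        keys.append('.'.join(octets[:n]) + '.')
    if host is not None:
        labels = host.split('.')
        for n in range(1, len(labels)):          # =.movie.edu  =.edu
            keys.append('=.' + '.'.join(labels[n:]))
        keys.append('=')
    keys.append('')
    return keys

def lookup(rules, ip, host=None, info=None):
    for key in candidate_keys(ip, host, info):   # first rule found wins
        if key in rules:
            return key, rules[key]
    return None
```

Note that TCPREMOTEHOST keys are only consulted when a host name is supplied, which is why the man page recommends the -p option to tcpserver(1) when rules depend on it.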
The instructions in a rule must begin with either allow or deny. deny tells tcpserver(1) to drop the connection without running anything. For example, the rule
:deny
tells tcpserver(1) to drop all connections that aren't handled by more specific rules.
The instructions may continue with some environment variables, in the form var="x". tcpserver(1) adds an environment variable var with value x. For example,
10.0.:allow,RELAYCLIENT="@fix.me"
adds an environment variable RELAYCLIENT with value @fix.me. The quotes may be replaced by any repeated character:
10.0.:allow,RELAYCLIENT=/@fix.me/
Any number of variables may be listed:
127.0.0.1:allow,RELAYCLIENT="",TCPLOCALHOST="movie.edu"