Update Red Hat Copyright Notices

[nbdkit.git] / filters / ip / nbdkit-ip-filter.pod

=head1 NAME

nbdkit-ip-filter - filter clients by IP address, process ID, user ID
or group ID

=head1 SYNOPSIS

 nbdkit --filter=ip PLUGIN [allow=addr[,addr...]]
                           [deny=addr[,addr...]]

=head1 DESCRIPTION

C<nbdkit-ip-filter> can allow or deny client connections by their IP
address.  Usually it is better to control this outside nbdkit, for
example using TCP wrappers or a firewall, but this filter can be used
if these are not available.

nbdkit E<ge> 1.24 added the ability to filter clients connecting over
Unix domain sockets by client process ID, user ID and group ID.  Also
this version added support for filtering C<AF_VSOCK> sockets by peer
CID or port.

=head1 EXAMPLES

=head2 Filter by IP address

 nbdkit --filter=ip [...] allow=127.0.0.1,::1 deny=all

Allow clients to connect on the loopback IPv4 or loopback IPv6
address, deny all other clients.

 nbdkit --filter=ip [...] deny=8.0.0.0/8

Allow any client except connections from the IPv4 C<8.0.0.0/8>
network.

 nbdkit --filter=ip [...] allow=anyipv6 deny=all

Allow IPv6 clients to connect from anywhere, deny all other sources.

=head2 Filter by Unix domain socket peer

 nbdkit -U $tmpdir/sock --filter=ip [...] allow=uid:`id -u` deny=all

Only allow the current user (S<C<id -u>>) to connect over the socket.

Layer extra security by creating the socket inside a temporary
directory only accessible by the user.

 nbdkit -U $tmpdir/sock --filter=ip [...] allow=gid:`id -g` deny=all

Allow anyone in the same group as the current user to connect to the
Unix domain socket.

As in the previous example, layer extra security by creating the
socket inside a temporary directory only accessible by the group.

=head1 RULES

When a client connects, this filter checks its source address against
the allow and deny lists as follows:

=over 4

=item 1

If the address matches any in the allow list, permission is granted.

=item 2

If the address matches any in the deny list, permission is denied.

=item 3

Otherwise permission is granted.

=back

If either the C<allow> or C<deny> parameter is not present then it is
assumed to be an empty list.  The order in which the parameters appear
on the command line does not matter; the allow list is always
processed first and the deny list second.

The C<allow> and C<deny> parameters each contain a comma-separated
list of any of the following:

=over 4

=item B<all>

=item B<any>

These keywords (which both have the same meaning) match any source.

=item B<allipv4>

=item B<anyipv4>

These keywords match any IPv4 address.

=item B<allipv6>

=item B<anyipv6>

These keywords match any IPv6 address.

=item B<allunix>

=item B<anyunix>

These keywords match any connection over a Unix domain socket.

=item B<allvsock>

=item B<anyvsock>

These keywords match any connection over an C<AF_VSOCK> socket.

=item AB<.>BB<.>CB<.>D

This matches the single IPv4 address C<A.B.C.D>, for example
C<127.0.0.1>.

=item AB<.>BB<.>CB<.>DB</>NN

This matches the range of IPv4 addresses C<A.B.C.D/NN>, for example
C<192.168.2.0/24> or C<10.0.0.0/8>.

=item AB<:>BB<:>...

This matches the single IPv6 address C<A:B:...>.  The usual IPv6
address representations can be used (see S<RFC 5952>).

=item AB<:>BB<:>...B</>NN

This matches a range of IPv6 addresses C<A:B:.../NN>.

=item B<pid:>PID

(nbdkit E<ge> 1.24, Linux only)

This matches the process ID C<PID>, if the client connects over a Unix
domain socket.

Note that process IDs are recycled so this alone is not secure enough
to ensure that only a single desired process can connect.  However you
could use it as an additional check.

=item B<uid:>UID

(nbdkit E<ge> 1.24)

This matches the numeric user ID C<UID>, if the client connects over a
Unix domain socket.

=item B<gid:>GID

(nbdkit E<ge> 1.24)

This matches the numeric group ID C<GID>, if the client connects over
a Unix domain socket.

=item B<vsock-cid:>CID

=item B<vsock-port:>PORT

(nbdkit E<ge> 1.24)

These match the CID or port number for C<AF_VSOCK> sockets.

=back

=head2 Not filtered

If neither the C<allow> nor the C<deny> parameter is given the filter
does nothing.

Unix domain sockets and C<AF_VSOCK> sockets were always unfiltered in
S<nbdkit E<le> 1.22>.  In S<nbdkit E<ge> 1.24> the ability to filter
them was added.

=head2 Common patterns of usage

Permit known good connections and deny everything else:

 nbdkit --filter=ip ... allow=good1,good2,... deny=all

Block troublemakers but allow everything else:

 nbdkit --filter=ip ... deny=bad1,bad2,...

=head1 PARAMETERS

=over 4

=item B<allow=>addr[B<,>...]

Set list of allow rules.  This parameter is optional, if omitted the
allow list is empty.

=item B<deny=>addr[B<,>...]

Set list of deny rules.  This parameter is optional, if omitted the
deny list is empty.

=back

=head1 FILES

=over 4

=item F<$filterdir/nbdkit-ip-filter.so>

The filter.

Use C<nbdkit --dump-config> to find the location of C<$filterdir>.

=back

=head1 VERSION

C<nbdkit-ip-filter> first appeared in nbdkit 1.18.

=head1 SEE ALSO

L<nbdkit(1)>,
L<nbdkit-exitlast-filter(1)>,
L<nbdkit-exitwhen-filter(1)>,
L<nbdkit-limit-filter(1)>,
L<nbdkit-filter(3)>.

=head1 AUTHORS

Richard W.M. Jones

=head1 COPYRIGHT

Copyright Red Hat