3 nbdkit-ip-filter - filter clients by IP address, process ID, user ID
8 nbdkit --filter=ip PLUGIN [allow=addr[,addr...]]
13 C<nbdkit-ip-filter> can allow or deny client connections by their IP
14 address. Usually it is better to control this outside nbdkit, for
15 example using TCP wrappers or a firewall, but this filter can be used
16 if these are not available.
18 nbdkit E<ge> 1.24 added the ability to filter clients connecting over
19 Unix domain sockets by client process ID, user ID and group ID. Also
20 this version added support for filtering C<AF_VSOCK> sockets by peer
25 =head2 Filter by IP address
27 nbdkit --filter=ip [...] allow=127.0.0.1,::1 deny=all
29 Allow clients to connect on the loopback IPv4 or loopback IPv6
30 address, deny all other clients.
32 nbdkit --filter=ip [...] deny=8.0.0.0/8
34 Allow any client except connections from the IPv4 C<8.0.0.0/8>
37 nbdkit --filter=ip [...] allow=anyipv6 deny=all
39 Allow IPv6 clients to connect from anywhere, deny all other sources.
41 =head2 Filter by Unix domain socket peer
43 nbdkit -U $tmpdir/sock --filter=ip [...] allow=uid:`id -u` deny=all
45 Only allow the current user (S<C<id -u>>) to connect over the socket.
47 Layer extra security by creating the socket inside a temporary
48 directory only accessible by the user.
50 nbdkit -U $tmpdir/sock --filter=ip [...] allow=gid:`id -g` deny=all
52 Allow anyone in the same group as the current user to connect to the
55 As in the previous example, layer extra security by creating the
56 socket inside a temporary directory only accessible by the group.
60 When a client connects, this filter checks its source address against
61 the allow and deny lists as follows:
67 If the address matches any in the allow list, permission is granted.
71 If the address matches any in the deny list, permission is denied.
75 Otherwise permission is granted.
79 If either the C<allow> or C<deny> parameter is not present then it is
80 assumed to be an empty list. The order in which the parameters appear
81 on the command line does not matter; the allow list is always
82 processed first and the deny list second.
84 The C<allow> and C<deny> parameters each contain a comma-separated
85 list of any of the following:
93 These keywords (which both have the same meaning) match any source.
99 These keywords match any IPv4 address.
105 These keywords match any IPv6 address.
111 These keywords match any connection over a Unix domain socket.
117 These keywords match any connection over an C<AF_VSOCK> socket.
119 =item AB<.>BB<.>CB<.>D
121 This matches the single IPv4 address C<A.B.C.D>, for example
124 =item AB<.>BB<.>CB<.>DB</>NN
126 This matches the range of IPv4 addresses C<A.B.C.D/NN>, for example
127 C<192.168.2.0/24> or C<10.0.0.0/8>.
131 This matches the single IPv6 address C<A:B:...>. The usual IPv6
132 address representations can be used (see S<RFC 5952>).
134 =item AB<:>BB<:>...B</>NN
136 This matches a range of IPv6 addresses C<A:B:.../NN>.
140 (nbdkit E<ge> 1.24, Linux only)
142 This matches the process ID C<PID>, if the client connects over a Unix
145 Note that process IDs are recycled so this alone is not secure enough
146 to ensure that only a single desired process can connect. However you
147 could use it as an additional check.
153 This matches the numeric user ID C<UID>, if the client connects over a
160 This matches the numeric group ID C<GID>, if the client connects over
161 a Unix domain socket.
163 =item B<vsock-cid:>CID
165 =item B<vsock-port:>PORT
169 These match the CID or port number for C<AF_VSOCK> sockets.
175 If neither the C<allow> nor the C<deny> parameter is given the filter
178 Unix domain sockets and C<AF_VSOCK> sockets were always unfiltered in
179 S<nbdkit E<le> 1.22>. In S<nbdkit E<ge> 1.24> the ability to filter
182 =head2 Common patterns of usage
184 Permit known good connections and deny everything else:
186 nbdkit --filter=ip ... allow=good1,good2,... deny=all
188 Block troublemakers but allow everything else:
190 nbdkit --filter=ip ... deny=bad1,bad2,...
196 =item B<allow=>addr[B<,>...]
198 Set list of allow rules. This parameter is optional, if omitted the
201 =item B<deny=>addr[B<,>...]
203 Set list of deny rules. This parameter is optional, if omitted the
212 =item F<$filterdir/nbdkit-ip-filter.so>
216 Use C<nbdkit --dump-config> to find the location of C<$filterdir>.
222 C<nbdkit-ip-filter> first appeared in nbdkit 1.18.
227 L<nbdkit-exitlast-filter(1)>,
228 L<nbdkit-exitwhen-filter(1)>,
229 L<nbdkit-limit-filter(1)>,