From e0fc82203d677a6f1e808e9a1a46176c109d89be Mon Sep 17 00:00:00 2001 From: Laurent Bercot Date: Mon, 15 Dec 2014 23:08:59 +0000 Subject: Initial commit --- doc/s6-tcpserver-access.html | 239 +++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 239 insertions(+) create mode 100644 doc/s6-tcpserver-access.html (limited to 'doc/s6-tcpserver-access.html') diff --git a/doc/s6-tcpserver-access.html b/doc/s6-tcpserver-access.html new file mode 100644 index 0000000..7bf15a0 --- /dev/null +++ b/doc/s6-tcpserver-access.html @@ -0,0 +1,239 @@ + + + + + s6-networking: the s6-tcpserver-access program + + + + + + +

+s6-networking
+Software
+skarnet.org +

+ +

The s6-tcpserver-access program

+ +

+s6-tcpserver-access is a command-line TCP access +control tool, and additionally performs some fine-tuning on a +TCP socket. It is meant to be run after +s6-tcpserver and before +the application program on the s6-tcpserver command line, +just like tcpwrappers' tcpd program. +

+ +

Interface

+ +
+     s6-tcpserver-access [ -v verbosity ] [ -W | -w ] [ -D | -d ] [ -H | -h ] [ -R | -r ] [ -P | -p ] [ -l localname ] [ -B banner ] [ -t timeout ] [ -i rulesdir | -x rulesfile ] prog...
+
+ + + +

Environment variables

+ +

+s6-tcpserver-access expects to inherit some environment variables from +its parent: +

+ + + +

+ Additionally, it exports the following variables before executing into +prog...: +

+ + + +

+ Also, the access rules database can instruct s6-tcpserver-access to set +up, or unset, more environment variables, depending on the client address. +

+ +

Options

+ + + +

Access rule checking

+ +

+ s6-tcpserver-access checks its client connection against +a ruleset. This ruleset can be implemented: +

+ + + +

+ The exact format of the ruleset is described on the +s6-accessrules-cdb-from-fs page. +

+ +

+s6-tcpserver-access first gets the remote address ip of the +client and converts it to canonical form. Then it checks it with the +s6net_accessrules_keycheck_ip46() +function. In other words, it tries to match broader and broader network +prefixes of ip, from ip4/ip_32 to +ip4/0.0.0.0_0 if ip is v4, or from +ip6/ip/128 to ip6/::_0 if ip +is v6. If the result is: +

+ +
  • S6NET_ACCESSRULES_ERROR: it immediately exits 111.
  • +
  • S6NET_ACCESSRULES_DENY: it immediately exits 1.
  • +
  • S6NET_ACCESSRULES_ALLOW: it grants access.
  • +
  • S6NET_ACCESSRULES_NOTFOUND: more information is needed.
  • + + +

    + In the last case, if DNS lookups have been deactivated (-H) then access +is denied. But if s6-tcpserver-access is authorized to perform DNS lookups, +then it gets the remote name of the client, remotehost, and +checks it with the +s6net_accessrules_keycheck_reversedns() +function. In other words, it tries to match shorter and shorter suffixes +of remotehost, from reversedns/remotehost to +reversedns/@. +This time, the connection is denied is the result is anything else than +S6NET_ACCESSRULES_ALLOW. +

    + +

    + Note that even if the access check succeeds, the connection can still be +denied if paranoid mode has been required (-p) and a forward DNS query +on remotehost does not match ip. +

    + +

    Environment and executable modifications

    + +

    + s6-tcpserver-access interprets non-empty env subdirectories +and exec files +it finds in the matching rule of the ruleset, as explained +in the s6-accessrules-cdb-from-fs +page. +

    + + + +

    Notes

    + + + + + -- cgit v1.3.1