1nbdkit-ip-filter(1)                 NBDKIT                 nbdkit-ip-filter(1)
2
3
4

NAME

6       nbdkit-ip-filter - filter clients by IP address
7

SYNOPSIS

9        nbdkit --filter=ip PLUGIN [allow=addr[,addr...]]
10                                  [deny=addr[,addr...]]
11

DESCRIPTION

13       "nbdkit-ip-filter" can whitelist or blacklist clients by their IP
14       address.  Usually it is better to control this outside nbdkit, for
15       example using TCP wrappers or a firewall, but this filter can be used
16       if these are not available.
17

EXAMPLES

19        nbdkit --filter=ip [...] allow=127.0.0.1,::1 deny=all
20
21       Allow clients to connect on the loopback IPv4 or loopback IPv6 address,
22       deny all other clients.
23
24        nbdkit --filter=ip [...] deny=8.0.0.0/8
25
26       Allow any client except connections from the IPv4 "8.0.0.0/8" network.
27
28        nbdkit --filter=ip [...] allow=anyipv6 deny=all
29
30       Allow IPv6 clients to connect from anywhere, deny all IPv4 connections.
31

RULES

33       When a client connects, this filter checks its IP address against the
34       allow and deny lists as follows:
35
36       1.  If the address matches any in the allow list, permission is
37           granted.
38
39       2.  If the address matches any in the deny list, permission is denied.
40
41       3.  Otherwise permission is granted.
42
43       If either the "allow" or "deny" parameter is not present then it is
44       assumed to be an empty list.  The order in which the parameters appear
45       on the command line does not matter; the allow list is always processed
46       first and the deny list second.
47
48       The "allow" and "deny" parameters each contain a comma-separated list
49       of any of the following:
50
51       all
52       any These keywords (which both have the same meaning) match any IP
53           address.
54
55       allipv4
56       anyipv4
57           These keywords match any IPv4 address.
58
59       allipv6
60       anyipv6
61           These keywords match any IPv6 address.
62
63       A.B.C.D
64           This matches the single IPv4 address "A.B.C.D", for example
65           127.0.0.1.
66
67       A.B.C.D/NN
68           This matches the range of IPv4 addresses "A.B.C.D/NN", for example
69           "192.168.2.0/24" or "10.0.0.0/8".
70
71       A:B:...
72           This matches the single IPv6 address "A:B:...".  The usual IPv6
73           address representations can be used (see RFC 5952).
74
75       A:B:.../NN
76           This matches a range of IPv6 addresses "A:B:.../NN".
77
78   Not filtered
79       If neither the "allow" nor the "deny" parameter is given the filter
80       does nothing.
81
82       The filter permits non-IP connections, such as Unix domain sockets or
83       AF_VSOCK.
84

PARAMETERS

86       allow=addr[,...]
87           Set list of allow rules.  This parameter is optional, if omitted
88           the allow list is empty.
89
90       deny=addr[,...]
91           Set list of deny rules.  This parameter is optional, if omitted the
92           deny list is empty.
93

FILES

95       $filterdir/nbdkit-ip-filter.so
96           The filter.
97
98           Use "nbdkit --dump-config" to find the location of $filterdir.
99

VERSION

101       "nbdkit-ip-filter" first appeared in nbdkit 1.18.
102

SEE ALSO

104       nbdkit(1), nbdkit-filter(3).
105

AUTHORS

107       Richard W.M. Jones
108

COPYRIGHT

110       Copyright (C) 2019 Red Hat Inc.
111

LICENSE

113       Redistribution and use in source and binary forms, with or without
114       modification, are permitted provided that the following conditions are
115       met:
116
117       ·   Redistributions of source code must retain the above copyright
118           notice, this list of conditions and the following disclaimer.
119
120       ·   Redistributions in binary form must reproduce the above copyright
121           notice, this list of conditions and the following disclaimer in the
122           documentation and/or other materials provided with the
123           distribution.
124
125       ·   Neither the name of Red Hat nor the names of its contributors may
126           be used to endorse or promote products derived from this software
127           without specific prior written permission.
128
129       THIS SOFTWARE IS PROVIDED BY RED HAT AND CONTRIBUTORS ''AS IS'' AND ANY
130       EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
131       IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
132       PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RED HAT OR CONTRIBUTORS BE
133       LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
134       CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
135       SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
136       BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
137       WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
138       OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
139       ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
140
141
142
143nbdkit-1.18.4                     2020-04-16               nbdkit-ip-filter(1)