1nbdkit-ip-filter(1) NBDKIT nbdkit-ip-filter(1)
2
3
4
6 nbdkit-ip-filter - filter clients by IP address
7
9 nbdkit --filter=ip PLUGIN [allow=addr[,addr...]]
10 [deny=addr[,addr...]]
11
13 "nbdkit-ip-filter" can whitelist or blacklist clients by their IP
14 address. Usually it is better to control this outside nbdkit, for
15 example using TCP wrappers or a firewall, but this filter can be used
16 if these are not available.
17
19 nbdkit --filter=ip [...] allow=127.0.0.1,::1 deny=all
20
21 Allow clients to connect on the loopback IPv4 or loopback IPv6 address,
22 deny all other clients.
23
24 nbdkit --filter=ip [...] deny=8.0.0.0/8
25
26 Allow any client except connections from the IPv4 "8.0.0.0/8" network.
27
28 nbdkit --filter=ip [...] allow=anyipv6 deny=all
29
30 Allow IPv6 clients to connect from anywhere, deny all IPv4 connections.
31
33 When a client connects, this filter checks its IP address against the
34 allow and deny lists as follows:
35
36 1. If the address matches any in the allow list, permission is
37 granted.
38
39 2. If the address matches any in the deny list, permission is denied.
40
41 3. Otherwise permission is granted.
42
43 If either the "allow" or "deny" parameter is not present then it is
44 assumed to be an empty list. The order in which the parameters appear
45 on the command line does not matter; the allow list is always processed
46 first and the deny list second.
47
48 The "allow" and "deny" parameters each contain a comma-separated list
49 of any of the following:
50
51 all
52 any These keywords (which both have the same meaning) match any IP
53 address.
54
55 allipv4
56 anyipv4
57 These keywords match any IPv4 address.
58
59 allipv6
60 anyipv6
61 These keywords match any IPv6 address.
62
63 A.B.C.D
64 This matches the single IPv4 address "A.B.C.D", for example
65 127.0.0.1.
66
67 A.B.C.D/NN
68 This matches the range of IPv4 addresses "A.B.C.D/NN", for example
69 "192.168.2.0/24" or "10.0.0.0/8".
70
71 A:B:...
72 This matches the single IPv6 address "A:B:...". The usual IPv6
73 address representations can be used (see RFC 5952).
74
75 A:B:.../NN
76 This matches a range of IPv6 addresses "A:B:.../NN".
77
78 Not filtered
79 If neither the "allow" nor the "deny" parameter is given the filter
80 does nothing.
81
82 The filter permits non-IP connections, such as Unix domain sockets or
83 AF_VSOCK.
84
86 allow=addr[,...]
87 Set list of allow rules. This parameter is optional, if omitted
88 the allow list is empty.
89
90 deny=addr[,...]
91 Set list of deny rules. This parameter is optional, if omitted the
92 deny list is empty.
93
95 $filterdir/nbdkit-ip-filter.so
96 The filter.
97
98 Use "nbdkit --dump-config" to find the location of $filterdir.
99
101 "nbdkit-ip-filter" first appeared in nbdkit 1.18.
102
104 nbdkit(1), nbdkit-filter(3).
105
107 Richard W.M. Jones
108
110 Copyright (C) 2019 Red Hat Inc.
111
113 Redistribution and use in source and binary forms, with or without
114 modification, are permitted provided that the following conditions are
115 met:
116
117 · Redistributions of source code must retain the above copyright
118 notice, this list of conditions and the following disclaimer.
119
120 · Redistributions in binary form must reproduce the above copyright
121 notice, this list of conditions and the following disclaimer in the
122 documentation and/or other materials provided with the
123 distribution.
124
125 · Neither the name of Red Hat nor the names of its contributors may
126 be used to endorse or promote products derived from this software
127 without specific prior written permission.
128
129 THIS SOFTWARE IS PROVIDED BY RED HAT AND CONTRIBUTORS ''AS IS'' AND ANY
130 EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
131 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
132 PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RED HAT OR CONTRIBUTORS BE
133 LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
134 CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
135 SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
136 BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
137 WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
138 OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
139 ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
140
141
142
143nbdkit-1.18.4 2020-04-16 nbdkit-ip-filter(1)