1nbdkit-ip-filter(1) NBDKIT nbdkit-ip-filter(1)
2
3
4
6 nbdkit-ip-filter - filter clients by IP address, process ID, user ID or
7 group ID
8
10 nbdkit --filter=ip PLUGIN [allow=addr[,addr...]]
11 [deny=addr[,addr...]]
12
14 "nbdkit-ip-filter" can allow or deny client connections by their IP
15 address. Usually it is better to control this outside nbdkit, for
16 example using TCP wrappers or a firewall, but this filter can be used
17 if these are not available.
18
19 nbdkit ≥ 1.24 added the ability to filter clients connecting over Unix
20 domain sockets by client process ID, user ID and group ID. Also this
21 version added support for filtering "AF_VSOCK" sockets by peer CID or
22 port.
23
25 Filter by IP address
26 nbdkit --filter=ip [...] allow=127.0.0.1,::1 deny=all
27
28 Allow clients to connect on the loopback IPv4 or loopback IPv6 address,
29 deny all other clients.
30
31 nbdkit --filter=ip [...] deny=8.0.0.0/8
32
33 Allow any client except connections from the IPv4 "8.0.0.0/8" network.
34
35 nbdkit --filter=ip [...] allow=anyipv6 deny=all
36
37 Allow IPv6 clients to connect from anywhere, deny all other sources.
38
39 Filter by Unix domain socket peer
40 nbdkit -U $tmpdir/sock --filter=ip [...] allow=uid:`id -u` deny=all
41
42 Only allow the current user ("id -u") to connect over the socket.
43
44 Layer extra security by creating the socket inside a temporary
45 directory only accessible by the user.
46
47 nbdkit -U $tmpdir/sock --filter=ip [...] allow=gid:`id -g` deny=all
48
49 Allow anyone in the same group as the current user to connect to the
50 Unix domain socket.
51
52 As in the previous example, layer extra security by creating the socket
53 inside a temporary directory only accessible by the group.
54
56 When a client connects, this filter checks its source address against
57 the allow and deny lists as follows:
58
59 1. If the address matches any in the allow list, permission is
60 granted.
61
62 2. If the address matches any in the deny list, permission is denied.
63
64 3. Otherwise permission is granted.
65
66 If either the "allow" or "deny" parameter is not present then it is
67 assumed to be an empty list. The order in which the parameters appear
68 on the command line does not matter; the allow list is always processed
69 first and the deny list second.
70
71 The "allow" and "deny" parameters each contain a comma-separated list
72 of any of the following:
73
74 all
75 any These keywords (which both have the same meaning) match any source.
76
77 allipv4
78 anyipv4
79 These keywords match any IPv4 address.
80
81 allipv6
82 anyipv6
83 These keywords match any IPv6 address.
84
85 allunix
86 anyunix
87 These keywords match any connection over a Unix domain socket.
88
89 allvsock
90 anyvsock
91 These keywords match any connection over an "AF_VSOCK" socket.
92
93 A.B.C.D
94 This matches the single IPv4 address "A.B.C.D", for example
95 127.0.0.1.
96
97 A.B.C.D/NN
98 This matches the range of IPv4 addresses "A.B.C.D/NN", for example
99 "192.168.2.0/24" or "10.0.0.0/8".
100
101 A:B:...
102 This matches the single IPv6 address "A:B:...". The usual IPv6
103 address representations can be used (see RFC 5952).
104
105 A:B:.../NN
106 This matches a range of IPv6 addresses "A:B:.../NN".
107
108 pid:PID
109 (nbdkit ≥ 1.24, Linux only)
110
111 This matches the process ID "PID", if the client connects over a
112 Unix domain socket.
113
114 Note that process IDs are recycled so this alone is not secure
115 enough to ensure that only a single desired process can connect.
116 However you could use it as an additional check.
117
118 uid:UID
119 (nbdkit ≥ 1.24)
120
121 This matches the numeric user ID "UID", if the client connects over
122 a Unix domain socket.
123
124 gid:GID
125 (nbdkit ≥ 1.24)
126
127 This matches the numeric group ID "GID", if the client connects
128 over a Unix domain socket.
129
130 vsock-cid:CID
131 vsock-port:PORT
132 (nbdkit ≥ 1.24)
133
134 These match the CID or port number for "AF_VSOCK" sockets.
135
136 Not filtered
137 If neither the "allow" nor the "deny" parameter is given the filter
138 does nothing.
139
140 Unix domain sockets and "AF_VSOCK" sockets were always unfiltered in
141 nbdkit ≤ 1.22. In nbdkit ≥ 1.24 the ability to filter them was added.
142
143 Common patterns of usage
144 Permit known good connections and deny everything else:
145
146 nbdkit --filter=ip ... allow=good1,good2,... deny=all
147
148 Block troublemakers but allow everything else:
149
150 nbdkit --filter=ip ... deny=bad1,bad2,...
151
153 allow=addr[,...]
154 Set list of allow rules. This parameter is optional, if omitted
155 the allow list is empty.
156
157 deny=addr[,...]
158 Set list of deny rules. This parameter is optional, if omitted the
159 deny list is empty.
160
162 $filterdir/nbdkit-ip-filter.so
163 The filter.
164
165 Use "nbdkit --dump-config" to find the location of $filterdir.
166
168 "nbdkit-ip-filter" first appeared in nbdkit 1.18.
169
171 nbdkit(1), nbdkit-exitlast-filter(1), nbdkit-exitwhen-filter(1),
172 nbdkit-limit-filter(1), nbdkit-filter(3).
173
175 Richard W.M. Jones
176
178 Copyright (C) 2019-2020 Red Hat Inc.
179
181 Redistribution and use in source and binary forms, with or without
182 modification, are permitted provided that the following conditions are
183 met:
184
185 • Redistributions of source code must retain the above copyright
186 notice, this list of conditions and the following disclaimer.
187
188 • Redistributions in binary form must reproduce the above copyright
189 notice, this list of conditions and the following disclaimer in the
190 documentation and/or other materials provided with the
191 distribution.
192
193 • Neither the name of Red Hat nor the names of its contributors may
194 be used to endorse or promote products derived from this software
195 without specific prior written permission.
196
197 THIS SOFTWARE IS PROVIDED BY RED HAT AND CONTRIBUTORS ''AS IS'' AND ANY
198 EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
199 IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
200 PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RED HAT OR CONTRIBUTORS BE
201 LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
202 CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
203 SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
204 BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
205 WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
206 OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
207 ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
208
209
210
211nbdkit-1.30.7 2022-07-10 nbdkit-ip-filter(1)