Patterns
The access control language implements the following patterns:
- A string that begins with a '.' character. A host name is matched if the last components of its name match the specified pattern. For example, the pattern '.tue.nl' matches the host name 'wzv.win.tue.nl'.
- A string that ends with a '.' character. A host address is matched if its first numeric fields match the given string. For example, the pattern '131.155.' matches the address of (almost) every host on the Eindhoven University network (131.155.x.x).
- A string that begins with an '@' character is treated as an NIS (formerly YP) netgroup name. A host name is matched if it is a host member of the specified netgroup. Netgroup matches are not supported for daemon process names or for client user names.
- An expression of the form 'n.n.n.n/m.m.m.m' is interpreted as a 'net/mask' pair. An IPv4 host address is matched if 'net' is equal to the bitwise AND of the address and the 'mask'. For example, the net/mask pattern '131.155.72.0/255.255.254.0' matches every address in the range '131.155.72.0' through '131.155.73.255'.
- An expression of the form '[n:n:n:n:n:n:n:n]/m' is interpreted as a '[net]/prefixlen' pair. An IPv6 host address is matched if the first 'prefixlen' bits of 'net' are equal to the first 'prefixlen' bits of the address. For example, the [net]/prefixlen pattern '[3ffe:505:2:1::]/64' matches every address in the range '3ffe:505:2:1::' through '3ffe:505:2:1:ffff:ffff:ffff:ffff'.
- A string that begins with a '/' character is treated as a file name. A host name or address is matched if it matches any host name or address pattern listed in the named file. The file format is zero or more lines with zero or more host name or address patterns separated by whitespace. A file name pattern can be used anywhere a host name or address pattern can be used.
- Wildcards '*' and '?' can be used to match hostnames or IP addresses. This method of matching cannot be used in conjunction with 'net/mask' matching, hostname matching beginning with '.' or IP address matching ending with '.'.
Wildcards
The access control language supports explicit wildcards:
ALL | The universal wildcard, always matches. |
LOCAL | Matches any host whose name does not contain a dot character. |
UNKNOWN | Matches any user whose name is unknown, and matches any host whose name or address are unknown. This pattern should be used with care: host names may be unavailable due to temporary name server problems. A network address will be unavailable when the software cannot figure out what type of network it is talking to. |
KNOWN | Matches any user whose name is known, and matches any host whose name and address are known. This pattern should be used with care: host names may be unavailable due to temporary name server problems. A network address will be unavailable when the software cannot figure out what type of network it is talking to. |
PARANOID | Matches any host whose name does not match its address. When tcpd is built with -DPARANOID (default mode), it drops requests from such clients even before looking at the access control tables. Build without -DPARANOID when you want more control over such requests. |
Operators
EXCEPT | Intended use is of the form 'list_1 EXCEPT list_2'; this construct matches anything that matches list_1 unless it matches list_2. The EXCEPT operator can be used in daemon_lists and in client_lists. The EXCEPT operator can be nested: if the control language would permit the use of parentheses, 'a EXCEPT b EXCEPT c' would parse as '(a EXCEPT (b EXCEPT c))'. |
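The pattern forms from the Patterns section, the explicit wildcards and the EXCEPT operator above, as an added example that is not tcp_wrappers' own code: a small Python matcher that evaluates a client_list token, a whole list (with nested EXCEPT) and a 'daemon_list : client_list' rule against a constructed Client record. The Client type, its 'forward' field (the addresses the client name resolves back to, used for PARANOID) and the sample addresses are assumptions of the example; '@netgroup' and '/file' patterns are not modelled.

```python
"""Added example, not part of tcp_wrappers: evaluate hosts_access
client patterns, explicit wildcards and EXCEPT lists in Python."""
import fnmatch
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Client:
    """What the server learned about the peer (constructed, not a real lookup)."""
    name: Optional[str]             # None when the reverse lookup failed
    address: str
    forward: Tuple[str, ...] = ()   # addresses the name resolves back to


def match_pattern(pat: str, c: Client) -> bool:
    """One client_list token against one client, following the rules above."""
    if pat == "ALL":
        return True
    if pat == "LOCAL":
        return c.name is not None and "." not in c.name
    if pat == "KNOWN":
        return c.name is not None
    if pat == "UNKNOWN":
        return c.name is None
    if pat == "PARANOID":               # name does not map back to the address
        return c.name is not None and c.address not in c.forward
    if pat.startswith("@") or pat.startswith("/"):
        raise NotImplementedError("netgroup and file patterns are not modelled here")
    if pat.startswith("[") and "]/" in pat:            # [net]/prefixlen (IPv6)
        net, plen = pat[1:].split("]/", 1)
        try:
            n = int(ipaddress.IPv6Address(net))
            a = int(ipaddress.IPv6Address(c.address))
            plen = int(plen)
        except ValueError:                             # non-IPv6 client or bad pattern
            return False
        if not 0 <= plen <= 128:
            return False
        shift = 128 - plen
        return (n >> shift) == (a >> shift)
    if "/" in pat:                                     # net/mask (IPv4)
        net, mask = pat.split("/", 1)
        try:
            n, m, a = (int(ipaddress.IPv4Address(x)) for x in (net, mask, c.address))
        except ValueError:                             # non-IPv4 client or bad pattern
            return False
        return (a & m) == n                            # 'net' equals address AND mask
    if pat.startswith("."):                            # trailing components of the name
        return c.name is not None and c.name.lower().endswith(pat.lower())
    if pat.endswith("."):                              # leading numeric fields
        return c.address.startswith(pat)
    if "*" in pat or "?" in pat:                       # shell-style wildcards
        return fnmatch.fnmatchcase(c.address, pat) or (
            c.name is not None and fnmatch.fnmatchcase(c.name.lower(), pat.lower()))
    return pat.lower() in (c.address.lower(), (c.name or "").lower())


def match_list(tokens: List[str], match_fn: Callable[[str], bool]) -> bool:
    """'a EXCEPT b EXCEPT c' parses as '(a EXCEPT (b EXCEPT c))'."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return match_list(tokens[:i], match_fn) and not match_list(tokens[i + 1:], match_fn)
    return any(match_fn(t) for t in tokens)


def split_rule(rule: str) -> List[str]:
    """Split 'daemon_list : client_list [: option]' on ':' outside [ ],
    so that bracketed IPv6 patterns survive."""
    fields, cur, depth = [], [], 0
    for ch in rule:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == ":" and depth == 0:
            fields.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    fields.append("".join(cur).strip())
    return fields


def rule_matches(rule: str, daemon: str, c: Client) -> bool:
    """True when both the daemon_list and the client_list of one rule match."""
    fields = split_rule(rule)
    if len(fields) < 2:
        raise ValueError("rule needs 'daemon_list : client_list'")
    daemon_ok = match_list(fields[0].split(),
                           lambda t: t == "ALL" or t.lower() == daemon.lower())
    return daemon_ok and match_list(fields[1].split(), lambda t: match_pattern(t, c))


if __name__ == "__main__":
    peer = Client("wzv.win.tue.nl", "131.155.72.10", ("131.155.72.10",))
    print(rule_matches("sshd : 131.155.72.0/255.255.254.0 EXCEPT 131.155.73.", "sshd", peer))
    print(match_list("ALL EXCEPT .tue.nl EXCEPT wzv.win.tue.nl".split(),
                     lambda t: match_pattern(t, peer)))
```

Note that the net/mask branch compares 'net' with the masked address exactly as the text states, so a pattern whose 'net' part has host bits set never matches anything; the prefixlen branch likewise compares only the leading bits and does not accept a prefix length outside 0..128.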
Shell Commands
If the first-matched access control rule contains a shell command, that command is subjected to % substitutions (see next section). The result is executed by a /bin/sh child process with standard input, output and error connected to /dev/null. Specify an '&' at the end of the command if you do not want to wait until it has completed.
Shell commands should not rely on the PATH setting of the inetd. Instead, they should use absolute path names, or they should begin with an explicit PATH=whatever statement.
% Expansions
The following expansions are available within shell commands:
%a (%A) | The client (server) host address. |
%c | Client information: user@host, user@address, a host name, or just an address, depending on how much information is available. |
%d | The daemon process name (argv[0] value). |
%h (%H) | The client (server) host name or address, if the host name is unavailable. |
%n (%N) | The client (server) host name (or "unknown" or "paranoid"). |
%p | The daemon process id. |
%s | Server information: daemon@host, daemon@address, or just a daemon name, depending on how much information is available. |
%u | The client user name (or "unknown"). |
%% | Expands to a single '%' character. |
Characters in % expansions that may confuse the shell are replaced by underscores.
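The % expansions listed above and the underscore replacement, together with the '&' handling from the Shell Commands section, as an added example that is not tcp_wrappers' own code: a Python expander that fills a command template from a constructed request record and sanitises every substituted value before it could reach /bin/sh. The request dictionary and its field names are assumptions of the example, as is the allowlist of characters kept (the page says shell-confusing characters are replaced but does not list them), and the "paranoid" value of %n is not modelled.

```python
"""Added example, not tcp_wrappers' own code: the % expansions above
applied to a shell command, with each expanded value sanitised."""
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# Constructed request data; the real server fills this in from the
# connection and its lookups. None means "unavailable".
SAMPLE_REQUEST: Dict[str, Optional[str]] = {
    "client_addr": "131.155.72.10", "client_name": "wzv.win.tue.nl",
    "server_addr": "131.155.1.1",   "server_name": "mail.tue.nl",
    "client_user": None,            # user name lookup failed or was not done
    "daemon": "in.telnetd",         "pid": "4242",
}

# Only these characters survive into the command; everything else becomes
# '_'. The page does not list tcp_wrappers' exact set, so this allowlist
# is an assumption of the example.
_UNSAFE = re.compile(r"[^A-Za-z0-9._@:-]")


def sanitize(value: str) -> str:
    """Replace characters that may confuse the shell by underscores."""
    return _UNSAFE.sub("_", value)


def expansions(req: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Table of % code -> raw (unsanitised) value for one request."""
    chost = req["client_name"] or req["client_addr"]   # %h: name, else address
    shost = req["server_name"] or req["server_addr"]   # %H
    user = req["client_user"]
    # %c: user@host, user@address, host name or just address, by availability
    cinfo = f"{user}@{chost}" if user else (chost or "unknown")
    # %s: daemon@host, daemon@address, or just the daemon name
    sinfo = f"{req['daemon']}@{shost}" if shost else req["daemon"]
    return {
        "a": req["client_addr"] or "unknown", "A": req["server_addr"] or "unknown",
        "c": cinfo, "d": req["daemon"],
        "h": chost or "unknown", "H": shost or "unknown",
        "n": req["client_name"] or "unknown", "N": req["server_name"] or "unknown",
        "p": req["pid"], "s": sinfo, "u": user or "unknown",
    }


def expand(template: str, req: Dict[str, Optional[str]]) -> str:
    """Perform % substitution. Only the substituted values are sanitised;
    the fixed text written by the rule author passes through unchanged."""
    table = expansions(req)
    out: List[str] = []
    i = 0
    while i < len(template):
        ch = template[i]
        if ch != "%":
            out.append(ch)
            i += 1
            continue
        code = template[i + 1] if i + 1 < len(template) else ""
        i += 2
        if code == "%":
            out.append("%")
        elif code in table:
            out.append(sanitize(table[code]))
        else:
            raise ValueError(f"unrecognised % sequence: %{code}")
    return "".join(out)


def build_invocation(command: str) -> Tuple[List[str], bool]:
    """argv for the /bin/sh child and whether to wait for it. A trailing '&'
    is modelled here as 'do not wait'; the real tool just hands it to sh."""
    cmd = command.rstrip()
    wait = True
    if cmd.endswith("&"):
        wait = False
        cmd = cmd[:-1].rstrip()
    return ["/bin/sh", "-c", cmd], wait


def run_command(expanded: str) -> None:
    """Run the expanded command with stdin/stdout/stderr on /dev/null."""
    argv, wait = build_invocation(expanded)
    proc = subprocess.Popen(argv, stdin=subprocess.DEVNULL,
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    if wait:
        proc.wait()


if __name__ == "__main__":
    hostile = dict(SAMPLE_REQUEST, client_name="evil;x`id`.example")  # constructed
    print(expand("/usr/bin/logger -t tcpd %c from %h (%a)", SAMPLE_REQUEST))
    print(expand("/usr/bin/logger -t tcpd %h", hostile))
```

The point of sanitising per expansion rather than the whole command is visible in the hostile sample: a reverse-DNS name chosen by the peer cannot change the command's structure, because the ';' and backquotes in it become underscores while the operator's own command text is left intact.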