NAME

nbdkit-ip-filter - filter clients by IP address

SYNOPSIS

 nbdkit --filter=ip PLUGIN [allow=addr[,addr...]]
                           [deny=addr[,addr...]]

DESCRIPTION

"nbdkit-ip-filter" can whitelist or blacklist clients by their IP address. Usually it is better to control this outside nbdkit, for example using TCP wrappers or a firewall, but this filter can be used if these are not available.

EXAMPLES

 nbdkit --filter=ip [...] allow=127.0.0.1,::1 deny=all

Allow clients to connect on the loopback IPv4 or loopback IPv6 address, deny all other clients.

 nbdkit --filter=ip [...] deny=8.0.0.0/8

Allow any client except connections from the IPv4 "8.0.0.0/8" network.

 nbdkit --filter=ip [...] allow=anyipv6 deny=all

Allow IPv6 clients to connect from anywhere, deny all IPv4 connections.

RULES

When a client connects, this filter checks its IP address against the allow and deny lists as follows:

1.: If the address matches any in the allow list, permission is granted.
2.: If the address matches any in the deny list, permission is denied.
3.: Otherwise permission is granted.

If either the "allow" or "deny" parameter is not present then it is assumed to be an empty list. The order in which the parameters appear on the command line does not matter; the allow list is always processed first and the deny list second.

The "allow" and "deny" parameters each contain a comma-separated list of any of the following:

all
any: These keywords (which both have the same meaning) match any IP address.
allipv4
anyipv4: These keywords match any IPv4 address.
allipv6
anyipv6: These keywords match any IPv6 address.
A.B.C.D: This matches the single IPv4 address "A.B.C.D", for example 127.0.0.1.
A.B.C.D/NN: This matches the range of IPv4 addresses "A.B.C.D/NN", for example "192.168.2.0/24" or "10.0.0.0/8".
A:B:...: This matches the single IPv6 address "A:B:...". The usual IPv6 address representations can be used (see RFC 5952).
A:B:.../NN: This matches a range of IPv6 addresses "A:B:.../NN".

Not filtered

If neither the "allow" nor the "deny" parameter is given the filter does nothing.

The filter permits non-IP connections, such as Unix domain sockets or AF_VSOCK.

PARAMETERS

allow=addr[,...]: Set list of allow rules. This parameter is optional, if omitted the allow list is empty.
deny=addr[,...]: Set list of deny rules. This parameter is optional, if omitted the deny list is empty.

FILES

$filterdir/nbdkit-ip-filter.so: The filter.
Use "nbdkit --dump-config" to find the location of $filterdir.

VERSION

"nbdkit-ip-filter" first appeared in nbdkit 1.18.

AUTHORS

Richard W.M. Jones

COPYRIGHT

LICENSE

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
Neither the name of Red Hat nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY RED HAT AND CONTRIBUTORS ''AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RED HAT OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.