Provided by: ucspi-tcp-ipv6_0.88-3_amd64

NAME

       tcprules - compile rules for tcpserver

SYNOPSIS

       tcprules rules.cdb rules.tmp

OVERVIEW

       tcpserver  optionally follows rules to decide whether a TCP connection is acceptable.  For
       example, a rule of

          18.23.0.32:deny

       prohibits connections from IP address 18.23.0.32.

       tcprules reads rules from its standard input and writes them into rules.cdb  in  a  binary
       format suited for quick access by tcpserver.

       tcprules  can  be  used  while  tcpserver is running: it ensures that rules.cdb is updated
       atomically.  It does this by  first  writing  the  rules  to  rules.tmp  and  then  moving
       rules.tmp  on  top  of  rules.cdb.   If  rules.tmp  already  exists, it is destroyed.  The
       directories containing rules.cdb and rules.tmp must be writable  by  tcprules;  they  must
       also be on the same filesystem.

       If there is a problem with the input, tcprules complains and leaves rules.cdb alone.

       The binary rules.cdb format is portable across machines.

RULE FORMAT

       A  rule  takes  up  one  line.   A  file containing rules may also contain comments: lines
       beginning with # are ignored.

       Each rule contains an address, a colon, and a list of instructions, with no extra  spaces.
       When tcpserver receives a connection from that address, it follows the instructions.

ADDRESSES

       tcpserver  starts  by  looking  for  a rule with address TCPREMOTEINFO@TCPREMOTEIP.  If it
       doesn't find one, or if TCPREMOTEINFO is not set, it tries the  address  TCPREMOTEIP.   If
       that doesn't work, it tries shorter and shorter prefixes of TCPREMOTEIP ending with a dot.
       If none of them work, it tries the empty string.

       For example, here are some rules:

          joe@127.0.0.1:first
          18.23.0.32:second
          127.:third
          :fourth
          ::1:fifth

       If TCPREMOTEIP is 10.119.75.38, tcpserver will follow the fourth instructions.

       If TCPREMOTEIP is ::1, tcpserver will follow the fifth instructions.  Note that you cannot
       detect IPv4 mapped addresses by matching "::ffff", as those addresses will be converted to
       IPv4 before looking at the rules.

       If TCPREMOTEIP is 18.23.0.32, tcpserver will follow the second instructions.

       If TCPREMOTEINFO is bill and TCPREMOTEIP is 127.0.0.1, tcpserver  will  follow  the  third
       instructions.

       If  TCPREMOTEINFO  is  joe  and  TCPREMOTEIP is 127.0.0.1, tcpserver will follow the first
       instructions.

ADDRESS RANGES

       tcprules  treats  1.2.3.37-53:ins  as  an  abbreviation  for   the   rules   1.2.3.37:ins,
       1.2.3.38:ins,   and   so  on  up  through  1.2.3.53:ins.   Similarly,  10.2-3.:ins  is  an
       abbreviation for 10.2.:ins and 10.3.:ins.
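
       The lookup order and range expansion described above, modeled in Python as an added
       example (not part of ucspi-tcp or of this manual page).  The function names and the
       sample rules are constructed for illustration, and the model covers only what this page
       describes.  It shows that the most specific address wins, whatever the order of the
       lines in the rules file.

```python
import ipaddress
import re

# Constructed sample rules in the format described above (not from a real host).
RULES = """\
joe@127.0.0.1:allow,RELAYCLIENT=""
127.:allow
10.2-3.:allow,RELAYCLIENT=""
10.2.7.40-42:deny
::1:allow
:deny
"""

def compile_rules(text):
    """Model of the rule table: address -> instructions, with ranges expanded."""
    table = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):      # comments are ignored
            continue
        m = re.match(r"^(.*?):((?:allow|deny).*)$", line)
        if m is None:                             # instructions must begin with allow or deny
            raise ValueError(f"bad rule: {line!r}")
        addr, ins = m.groups()
        r = re.match(r"^(.*?)(\d+)-(\d+)(.*)$", addr)
        if r:                                     # 1.2.3.37-53 -> 1.2.3.37 ... 1.2.3.53
            pre, lo, hi, post = r.groups()
            for n in range(int(lo), int(hi) + 1):
                table[f"{pre}{n}{post}"] = ins
        else:
            table[addr] = ins
    return table

def lookup_order(remote_ip, remote_info=None):
    """Addresses tried, most specific first, per the ADDRESSES section."""
    ip = ipaddress.ip_address(remote_ip)
    if ip.version == 6 and ip.ipv4_mapped:
        remote_ip = str(ip.ipv4_mapped)           # ::ffff:a.b.c.d is looked up as IPv4
    keys = [f"{remote_info}@{remote_ip}"] if remote_info else []
    keys.append(remote_ip)
    parts = remote_ip.split(".")                  # prefixes ending with a dot
    keys += [".".join(parts[:n]) + "." for n in range(len(parts) - 1, 0, -1)]
    return keys + [""]                            # the empty address is tried last

def match(table, remote_ip, remote_info=None):
    """Return (matched address, instructions), or None if nothing matches."""
    for key in lookup_order(remote_ip, remote_info):
        if key in table:
            return key, table[key]
    return None
```

       Here match(compile_rules(RULES), "10.2.7.41") returns the deny rule for 10.2.7.41 even
       though the broader 10.2. allow rule appears earlier in the file.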

INSTRUCTIONS

       The instructions in a rule must begin with either allow or deny.  deny tells tcpserver  to
       drop the connection without running anything.  For example, the rule

          :deny

       tells tcpserver to drop all connections that aren't handled by more specific rules.

       The instructions may continue with some environment variables, in the format ,VAR="VALUE".
       tcpserver adds VAR=VALUE to the current environment.  For example,

          10.0.:allow,RELAYCLIENT="@fix.me"

       adds RELAYCLIENT=@fix.me to the environment.  The quotes  here  may  be  replaced  by  any
       repeated character:

          10.0.:allow,RELAYCLIENT=/@fix.me/

       Any number of variables may be listed:

          127.0.0.1:allow,RELAYCLIENT="",TCPLOCALHOST="movie.edu"

SEE ALSO

       tcprulescheck(1), tcpserver(1), tcp-environ(5)

                                                                                      tcprules(1)