Instructions are allow and deny.
Note: The IP address with the longest matching prefix is always the one considered.
Note: Since the IPv6 address on input is evaluated in its compact form, simply include the final '::' for convenience. The resulting address is truncated to the specified number of prefix bits. tcprules currently does not understand IPv6-mapped IPv4 addresses.
tcprules can be used while tcpserver or sslserver is running. It ensures that cdb is updated atomically. It does this by first writing the rules to tmp and then moving tmp on top of cdb. If tmp already exists, it is destroyed. The directories containing cdb and tmp must be writable to tcprules; they must also be on the same filesystem.
If there is a problem with the input or with tmp, tcprules complains and leaves cdb alone.
The binary cdb format is portable across machines.
Each rule contains an address, a colon, an instruction, and optionally a comma-separated list of expressions, with no extra spaces. When tcpserver receives a connection from that address, it follows the instruction and evaluates the expressions.
For example, here are some rules:
joe@127.0.0.1:first
18.23.0.32:second
:third
127.:fourth
If $TCPREMOTEIP is 10.119.75.38, tcpserver will follow the third instruction.
If $TCPREMOTEIP is 18.23.0.32, tcpserver will follow the second instruction.
If $TCPREMOTEIP is 127.0.0.1 and $TCPREMOTEINFO is bill, tcpserver will follow the fourth instruction.
If $TCPREMOTEIP is 127.0.0.1 and $TCPREMOTEINFO is joe, tcpserver will follow the first instruction.
You can use tcprulescheck to see how tcpserver will interpret rules in cdb.
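The four outcomes above can be reproduced with a short model of the lookup, which also shows which connections end up at the catch-all rule. This is an added example, not tcpserver's or tcprulescheck's code: it handles IPv4 addresses only, the names parse_rules, candidates and match are hypothetical, and the search order (info@ip, then ip, then shorter dotted prefixes, then the empty address) is an assumption consistent with the outcomes listed.

```python
# Added illustration: simplified IPv4-only model of rule lookup.
# Not tcpserver's implementation; the search order below is an assumption.

# The example rules from the text, embedded as sample input.
RULES_TEXT = """\
joe@127.0.0.1:first
18.23.0.32:second
:third
127.:fourth
"""

def parse_rules(text):
    """Map each rule address to its instruction (text after the first colon)."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # IPv4 only: IPv6 rule addresses contain colons and need a real parser.
        address, _, instruction = line.partition(":")
        rules[address] = instruction
    return rules

def candidates(remote_ip, remote_info=None):
    """Yield lookup keys from most specific to least specific."""
    if remote_info:
        yield f"{remote_info}@{remote_ip}"
    yield remote_ip
    octets = remote_ip.split(".")
    # Shorter and shorter prefixes, each ending in a dot: 127.0.0. / 127.0. / 127.
    for n in range(len(octets) - 1, 0, -1):
        yield ".".join(octets[:n]) + "."
    yield ""  # the empty address is the catch-all rule

def match(rules, remote_ip, remote_info=None):
    """Return (matched address, instruction), or (None, None) if nothing matches."""
    for key in candidates(remote_ip, remote_info):
        if key in rules:
            return key, rules[key]
    return None, None

if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    for ip, info in [("10.119.75.38", None), ("18.23.0.32", None),
                     ("127.0.0.1", "bill"), ("127.0.0.1", "joe")]:
        print(ip, info, "->", match(rules, ip, info))
```

Any address that reaches the empty key is decided by the catch-all rule, so that rule's instruction is the effective default for every client not listed more specifically.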
The rule may continue with further expressions used as environment variables, in the form var=x. tcpserver and sslserver add an environment variable $var with value x. For example,