From ebfd0ba17e0d4b220725018d16e294e8e22a1745 Mon Sep 17 00:00:00 2001 From: Laurent Bercot Date: Thu, 15 Jan 2015 20:51:39 +0000 Subject: Move Unix domain socket and access control stuff to s6. Move seekablepipe to s6-portable-utils. Version: 2.0.1.0, release candidate --- doc/s6-tcpserver-access.html | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) (limited to 'doc/s6-tcpserver-access.html') diff --git a/doc/s6-tcpserver-access.html b/doc/s6-tcpserver-access.html index a89d9e3..435c92d 100644 --- a/doc/s6-tcpserver-access.html +++ b/doc/s6-tcpserver-access.html @@ -163,13 +163,13 @@ needed to perform searches in a CDB than in the filesystem.

The exact format of the ruleset is described on the -s6-accessrules-cdb-from-fs page. +s6-accessrules-cdb-from-fs page.

s6-tcpserver-access first gets the remote address ip of the client and converts it to canonical form. Then it checks it with the -s6net_accessrules_keycheck_ip46() +s6_accessrules_keycheck_ip46() function. In other words, it tries to match broader and broader network prefixes of ip, from ip4/ip_32 to ip4/0.0.0.0_0 if ip is v4, or from @@ -177,10 +177,10 @@ prefixes of ip, from ip4/ip_32 to is v6. If the result is:

-
  • S6NET_ACCESSRULES_ERROR: it immediately exits 111.
  • -
  • S6NET_ACCESSRULES_DENY: it immediately exits 1.
  • -
  • S6NET_ACCESSRULES_ALLOW: it grants access.
  • -
  • S6NET_ACCESSRULES_NOTFOUND: more information is needed.
  • +
  • S6_ACCESSRULES_ERROR: it immediately exits 111.
  • +
  • S6_ACCESSRULES_DENY: it immediately exits 1.
  • +
  • S6_ACCESSRULES_ALLOW: it grants access.
  • +
  • S6_ACCESSRULES_NOTFOUND: more information is needed.
  • @@ -188,12 +188,12 @@ is v6. If the result is: is denied. But if s6-tcpserver-access is authorized to perform DNS lookups, then it gets the remote name of the client, remotehost, and checks it with the -s6net_accessrules_keycheck_reversedns() +s6_accessrules_keycheck_reversedns() function. In other words, it tries to match shorter and shorter suffixes of remotehost, from reversedns/remotehost to reversedns/@. This time, the connection is denied is the result is anything else than -S6NET_ACCESSRULES_ALLOW. +S6_ACCESSRULES_ALLOW.

    @@ -208,7 +208,7 @@ query on remotehost does not match ip. s6-tcpserver-access interprets non-empty env subdirectories and exec files it finds in the matching rule of the ruleset, as explained -in the s6-accessrules-cdb-from-fs +in the s6-accessrules-cdb-from-fs page.

    -- cgit v1.2.3
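Review bot: In the hunk at @@ -163,13 +163,13 @@, the renamed s6_accessrules_keycheck_ip46() is mentioned without saying that it now comes from s6 rather than from this package, which is what the commit subject describes. Consider naming the s6 accessrules library in that sentence (and likewise for s6_accessrules_keycheck_reversedns() in the later hunk) so that a reader who knew the old s6net_ names can tell which package's documentation and headers to consult.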
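Review bot: In the hunk at @@ -188,12 +188,12 @@, the context line directly above the changed S6_ACCESSRULES_ALLOW line reads "the connection is denied is the result is anything else than", where the second "is" should be "if". Since this sentence is what states the default-deny behaviour of the reverse DNS check, it is worth fixing while the paragraph is being touched, for example "the connection is denied if the result is anything other than S6_ACCESSRULES_ALLOW."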