dh_testdir -a
dh_testroot -a
dh_compress -a
- dh_installdocs -a
+ dh_installdocs -a grammar
dh_strip -a
dh_shlibdeps -a
dh_gencontrol -a
.\" -*-nroff-*-
.\"
-.\" $Id: fw.1,v 1.15 2003/01/24 20:13:04 mdw Exp $
+.\" $Id: fw.1,v 1.16 2003/11/25 14:46:50 mdw Exp $
.\"
.\" Manual page for fw
.\"
.\" ---- Revision history ---------------------------------------------------
.\"
.\" $Log: fw.1,v $
+.\" Revision 1.16 2003/11/25 14:46:50 mdw
+.\" Update docco for new options.
+.\"
.\" Revision 1.15 2003/01/24 20:13:04 mdw
.\" Fix bogus examples. Explain quoting rules for `exec' endpoints.
.\"
.B inet
source address accepts the following options:
.OS "Socket options"
-.BR socket.inet. [ allow | deny ]
-.RB [ from ]
-.I address
+.B socket.inet.source.addr
+.RB [ = ]
+.RR any | \c
+.I addr
+.OD
+Specify the IP address on which to listen for incoming connections. The
+default is
+.BR any ,
+which means to listen on all addresses, though it may be useful to
+specify this explicitly, if the global setting is different.
+.OE
+.OS "Socket options"
+.BR socket.inet.source. [ allow | deny ]
+.RB [ host ]
+.I addr
.RB [ /
-.IR address ]
+.IR addr ]
.OD
Adds an entry to the source's access control list. If only one
.I address
mean the same), and the entry applies to any address which, when masked
by the netmask, is equal to the masked network address.
.OE
+.OS "Socket options"
+.BR socket.inet.source. [ allow | deny ]
+.B priv-port
+.OD
+Accept or reject connections from low-numbered `privileged' ports, in
+the range 0--1023.
+.OE
+.OS "Socket options"
+.B socket.inet.dest.addr
+.RB [ = ]
+.RR any | \c
+.I addr
+.OD
+Specify the IP address to bind the local socket to when making an
+outbound connection. The default is
+.BR any ,
+which means to use whichever address the kernel thinks is most
+convenient. This option is useful if the destination is doing
+host-based access control and your server is multi-homed.
+.OE
.PP
The access control rules are examined in the order: local entries first,
then global ones, each in the order given in the configuration file.
.RB [ = ]
.BR yes | no
.PP
-.BR socket.inet. [ allow | deny ]
-.RB [ from ]
-.I address
+.BR socket.inet.source. [ allow | deny ]
+.RB [ host ]
+.I addr
.RB [ /
-.IR address ]
+.IR addr ]
+.br
+.BR socket.inet.source. [ allow | deny ]
+.B priv-port
+.br
+.B socket.inet.source.addr
+.RB [ = ]
+.BR any | \c
+.I addr
+.br
+.B socket.inet.dest.addr
+.RB [ = ]
+.BR any | \c
+.I addr
.PP
.BR socket.unix.fattr. *
.
/* -*-c-*-
*
- * $Id: fw.c,v 1.14 2003/01/24 20:12:40 mdw Exp $
+ * $Id: fw.c,v 1.15 2003/11/25 14:46:50 mdw Exp $
*
* Port forwarding thingy
*
/*----- Revision history --------------------------------------------------*
*
* $Log: fw.c,v $
+ * Revision 1.15 2003/11/25 14:46:50 mdw
+ * Update docco for new options.
+ *
* Revision 1.14 2003/01/24 20:12:40 mdw
* Correctly cast uid and gid sentinel values.
*
Grammar summary\n\
\n\
Basic syntax\n\
- file ::= empty | file stmt [`;']\n\
- stmt ::= option-stmt | fw-stmt\n\
- fw-stmt ::= `fw' source options [`to'|`->'] target options\n\
- options ::= `{' option-seq `}'\n\
- option-seq ::= empty | option-stmt [`;'] option-seq\n\
+ FILE ::= EMPTY | FILE STMT [`;']\n\
+ STMT ::= OPTION-STMT | FW-STMT\n\
+ FW-STMT ::= `fw' SOURCE OPTIONS [`to'|`->'] TARGET OPTIONS\n\
+ OPTIONS ::= `{' OPTION-SEQ `}'\n\
+ OPTION-SEQ ::= EMPTY | OPTION-STMT [`;'] OPTION-SEQ\n\
\n\
Option syntax\n\
- option-stmt ::= q-option\n\
- q-option ::= option\n\
- | prefix `.' q-option\n\
- | prefix `{' option-seq `}'\n\
- prefix ::= word\n\
+ OPTION-STMT ::= Q-OPTION\n\
+ Q-OPTION ::= OPTION\n\
+ | PREFIX `.' Q-OPTION\n\
+ | PREFIX `{' OPTION-SEQ `}'\n\
+ PREFIX ::= WORD\n\
\n\
File source and target\n\
- source ::= file\n\
- target ::= file\n\
- file ::= `file' [`.'] fspec [`,' fspec]\n\
- fspec ::= fd-spec | name-spec | null-spec\n\
- fd-spec ::= [[`:']`fd'[`:']] number|`stdin'|`stdout'\n\
- name-spec ::= [[`:']`file'[`:']] file-name\n\
- file-name ::= path-seq | [ path-seq ]\n\
- path-seq ::= path-elt | path-seq path-elt\n\
- path-elt ::= `/' | word\n\
- null-spec ::= [`:']`null'[`:']\n\
+ SOURCE ::= FILE\n\
+ TARGET ::= FILE\n\
+ FILE ::= `file' [`.'] FSPEC [`,' FSPEC]\n\
+ FSPEC ::= FD-SPEC | NAME-SPEC | NULL-SPEC\n\
+ FD-SPEC ::= [[`:']`fd'[`:']] NUMBER|`stdin'|`stdout'\n\
+ NAME-SPEC ::= [[`:']`file'[`:']] FILE-NAME\n\
+ FILE-NAME ::= PATH-SEQ | [ PATH-SEQ ]\n\
+ PATH-SEQ ::= PATH-ELT | PATH-SEQ PATH-ELT\n\
+ PATH-ELT ::= `/' | WORD\n\
+ NULL-SPEC ::= [`:']`null'[`:']\n\
\n\
Exec source and target\n\
- source ::= exec\n\
- target ::= exec\n\
- exec ::= `exec' [`.'] cmd-spec\n\
- cmd-spec ::= shell-cmd | [prog-name] `[' argv0 arg-seq `]'\n\
- arg-seq ::= word | arg-seq word\n\
- shell-cmd ::= word\n\
- argv0 ::= word\n\
+ SOURCE ::= EXEC\n\
+ TARGET ::= EXEC\n\
+ EXEC ::= `exec' [`.'] CMD-SPEC\n\
+ CMD-SPEC ::= SHELL-CMD | [PROG-NAME] `[' ARGV0 ARG-SEQ `]'\n\
+ ARG-SEQ ::= WORD | ARG-SEQ WORD\n\
+ SHELL-CMD ::= WORD\n\
+ ARGV0 ::= WORD\n\
\n\
Socket source and target\n\
- source ::= socket-source\n\
- target ::= socket-target\n\
- socket-source ::= [`socket'[`.']] [[`:']addr-type[`:']] source-addr\n\
- socket-target ::= [`socket'[`.']] [[`:']addr-type[`:']] target-addr\n\
+ SOURCE ::= SOCKET-SOURCE\n\
+ TARGET ::= SOCKET-TARGET\n\
+ SOCKET-SOURCE ::= [`socket'[`.']] [[`:']ADDR-TYPE[`:']] SOURCE-ADDR\n\
+ SOCKET-TARGET ::= [`socket'[`.']] [[`:']ADDR-TYPE[`:']] TARGET-ADDR\n\
\n\
- inet-source-addr ::= [port] port\n\
- inet-target-addr ::= address [`:'] port\n\
- address ::= addr-elt | address addr-elt\n\
- addr-elt ::= `.' | word\n\
+ INET-SOURCE-ADDR ::= [`port'] PORT\n\
+ INET-TARGET-ADDR ::= ADDRESS [`:'] PORT\n\
+ ADDRESS ::= ADDR-ELT | ADDRESS ADDR-ELT\n\
+ ADDR-ELT ::= `.' | WORD\n\
\n\
- unix-source-addr ::= file-name\n\
- unix-target-addr ::= file-name\n\
+ UNIX-SOURCE-ADDR ::= FILE-NAME\n\
+ UNIX-TARGET-ADDR ::= FILE-NAME\n\
");
}
Options summary\n\
\n\
File attributes (`fattr')\n\
- prefix.fattr.mode [=] mode\n\
- prefix.fattr.owner [=] user\n\
- prefix.fattr.group [=] group\n\
+ prefix.FATTR.MODE [=] MODE\n\
+ prefix.FATTR.OWNER [=] USER\n\
+ prefix.FATTR.GROUP [=] GROUP\n\
\n\
File options\n\
file.create [=] yes|no\n\
\n\
Exec options\n\
exec.logging [=] yes|no\n\
- exec.dir [=] file-name\n\
- exec.root [=] file-name\n\
- exec.user [=] user\n\
- exec.group [=] group\n\
- exec.rlimit.limit[.hard|.soft] [=] value\n\
+ exec.dir [=] FILE-NAME\n\
+ exec.root [=] FILE-NAME\n\
+ exec.user [=] USER\n\
+ exec.group [=] GROUP\n\
+ exec.rlimit.LIMIT[.hard|.soft] [=] VALUE\n\
exec.env.clear\n\
- exec.env.unset var\n\
- exec.env.[set] var [=] value\n\
+ exec.env.unset VAR\n\
+ exec.env.[set] VAR [=] VALUE\n\
\n\
Socket options\n\
- socket.conn [=] number|unlimited|one-shot\n\
- socket.listen [=] number\n\
+ socket.conn [=] NUMBER|unlimited|one-shot\n\
+ socket.listen [=] NUMBER\n\
socket.logging [=] yes|no\n\
\n\
- socket.inet.[allow|deny] [from] address [/ address]\n\
+ socket.inet.source.[allow|deny] [host] ADDR [/ ADDR]\n\
+ socket.inet.source.[allow|deny] priv-port\n\
+ socket.inet.source.addr [=] any|ADDR\n\
+ socket.inet.dest.addr [=] any|ADDR\n\
\n\
socket.unix.fattr.*\n\
");
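Review bot: The three fattr lines in the options summary have the new upper-case convention inverted: `prefix.FATTR.MODE [=] MODE` capitalises the literal keywords and leaves the placeholder in lower case, whereas everywhere else in this change upper case marks a placeholder, and the copy in the grammar file reads `PREFIX.fattr.mode [=] MODE`. I would write `PREFIX.fattr.mode [=] MODE`, `PREFIX.fattr.owner [=] USER` and `PREFIX.fattr.group [=] GROUP` here as well. The last line also disagrees with the grammar file, which has `socket.unix.source.fattr.*` where this text keeps `socket.unix.fattr.*`, so one of the two is presumably stale. Because the access-control options moved from `socket.inet.[allow|deny]` to `socket.inet.source.[allow|deny]`, the summary should also say whether the old spelling is still accepted, since an operator with an existing ACL cannot tell from this text and the parser is not visible in this diff. The enclosing function starts outside the hunk.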
Basic syntax
- file ::= empty | file stmt [`;']
- stmt ::= option-stmt | fw-stmt
- fw-stmt ::= `fw' source options [`to'|`->'] target options
- options ::= `{' option-seq `}'
- option-seq ::= empty | option-stmt [`;'] option-seq
+ FILE ::= EMPTY | FILE STMT [`;']
+ STMT ::= OPTION-STMT | FW-STMT
+ FW-STMT ::= `fw' SOURCE OPTIONS [`to'|`->'] TARGET OPTIONS
+ OPTIONS ::= `{' OPTION-SEQ `}'
+ OPTION-SEQ ::= EMPTY | OPTION-STMT [`;'] OPTION-SEQ
Option syntax
- option-stmt ::= q-option
- q-option ::= option
- | prefix `.' q-option
- | prefix `{' option-seq `}'
- prefix ::= word
+ OPTION-STMT ::= Q-OPTION
+ Q-OPTION ::= OPTION
+ | PREFIX `.' Q-OPTION
+ | PREFIX `{' OPTION-SEQ `}'
+ PREFIX ::= WORD
File source and target
- source ::= file
- target ::= file
- file ::= `file' [`.'] fspec [`,' fspec]
- fspec ::= fd-spec | name-spec | null-spec
- fd-spec ::= [[`:']`fd'[`:']] number|`stdin'|`stdout'
- name-spec ::= [[`:']`file'[`:']] file-name
- file-name ::= path-seq | [ path-seq ]
- path-seq ::= path-elt | path-seq path-elt
- path-elt ::= `/' | word
- null-spec ::= [`:']`null'[`:']
+ SOURCE ::= FILE
+ TARGET ::= FILE
+ FILE ::= `file' [`.'] FSPEC [`,' FSPEC]
+ FSPEC ::= FD-SPEC | NAME-SPEC | NULL-SPEC
+ FD-SPEC ::= [[`:']`fd'[`:']] NUMBER|`stdin'|`stdout'
+ NAME-SPEC ::= [[`:']`file'[`:']] FILE-NAME
+ FILE-NAME ::= PATH-SEQ | [ PATH-SEQ ]
+ PATH-SEQ ::= PATH-ELT | PATH-SEQ PATH-ELT
+ PATH-ELT ::= `/' | WORD
+ NULL-SPEC ::= [`:']`null'[`:']
Exec source and target
- source ::= exec
- target ::= exec
- exec ::= `exec' [`.'] cmd-spec
- cmd-spec ::= shell-cmd | [prog-name] `[' argv0 arg-seq `]'
- arg-seq ::= word | arg-seq word
- shell-cmd ::= word
- argv0 ::= word
+ SOURCE ::= EXEC
+ TARGET ::= EXEC
+ EXEC ::= `exec' [`.'] CMD-SPEC
+ CMD-SPEC ::= SHELL-CMD | [PROG-NAME] `[' ARGV0 ARG-SEQ `]'
+ ARG-SEQ ::= WORD | ARG-SEQ WORD
+ SHELL-CMD ::= WORD
+ ARGV0 ::= WORD
Socket source and target
- source ::= socket-source
- target ::= socket-target
- socket-source ::= [`socket'[`.']] [[`:']addr-type[`:']] source-addr
- socket-target ::= [`socket'[`.']] [[`:']addr-type[`:']] target-addr
+ SOURCE ::= SOCKET-SOURCE
+ TARGET ::= SOCKET-TARGET
+ SOCKET-SOURCE ::= [`socket'[`.']] [[`:']ADDR-TYPE[`:']] SOURCE-ADDR
+ SOCKET-TARGET ::= [`socket'[`.']] [[`:']ADDR-TYPE[`:']] TARGET-ADDR
- inet-source-addr ::= [port] port
- inet-target-addr ::= address [`:'] port
- address ::= addr-elt | address addr-elt
- addr-elt ::= `.' | word
+ INET-SOURCE-ADDR ::= [`port'] PORT
+ INET-TARGET-ADDR ::= ADDRESS [`:'] PORT
+ ADDRESS ::= ADDR-ELT | ADDRESS ADDR-ELT
+ ADDR-ELT ::= `.' | WORD
- unix-source-addr ::= file-name
- unix-target-addr ::= file-name
+ UNIX-SOURCE-ADDR ::= FILE-NAME
+ UNIX-TARGET-ADDR ::= FILE-NAME
File attributes (`fattr')
- prefix.fattr.mode [=] mode
- prefix.fattr.owner [=] user
- prefix.fattr.group [=] group
+ PREFIX.fattr.mode [=] MODE
+ PREFIX.fattr.owner [=] USER
+ PREFIX.fattr.group [=] GROUP
File options
file.create [=] yes|no
Exec options
exec.logging [=] yes|no
- exec.dir [=] file-name
- exec.root [=] file-name
- exec.user [=] user
- exec.group [=] group
- exec.rlimit.limit[.hard|.soft] [=] value
+ exec.dir [=] FILE-NAME
+ exec.root [=] FILE-NAME
+ exec.user [=] USER
+ exec.group [=] GROUP
+ exec.rlimit.LIMIT[.hard|.soft] [=] VALUE
exec.env.clear
- exec.env.unset var
- exec.env.[set] var [=] value
+ exec.env.unset VAR
+ exec.env.[set] VAR [=] VALUE
Socket options
- socket.conn [=] number|unlimited|one-shot
+ socket.conn [=] NUMBER|unlimited|one-shot
socket.logging [=] yes|no
- socket.inet.[allow|deny] [from] address [/ address]
- socket.unix.fattr.*
+
+ socket.inet.source.[allow|deny] priv-port
+ socket.inet.source.[allow|deny] [host] ADDR [/ ADDR]
+ socket.inet.source.addr [=] any|ADDR
+ socket.inet.dest.addr [=] any|ADDR
+
+ socket.unix.source.fattr.*