From: mdw Date: Tue, 25 Nov 2003 14:46:50 +0000 (+0000) Subject: Update docco for new options. X-Git-Tag: 1.3.0~29 X-Git-Url: https://git.distorted.org.uk/~mdw/fwd/commitdiff_plain/1c2054c7558f523dec9d7c1f243a2ceddd81c781 Update docco for new options.
---
diff --git a/debian/rules b/debian/rules
index d592b5b..3970631 100755
--- a/debian/rules
+++ b/debian/rules
@@ -23,7 +23,7 @@ binary-arch: install
 dh_testdir -a
 dh_testroot -a
 dh_compress -a
- dh_installdocs -a
+ dh_installdocs -a grammar
 dh_strip -a
 dh_shlibdeps -a
 dh_gencontrol -a
diff --git a/fw.1 b/fw.1
index 4419f14..251aa5a 100644
--- a/fw.1
+++ b/fw.1
@@ -1,6 +1,6 @@
 .\" -*-nroff-*-
 .\"
-.\" $Id: fw.1,v 1.15 2003/01/24 20:13:04 mdw Exp $
+.\" $Id: fw.1,v 1.16 2003/11/25 14:46:50 mdw Exp $
 .\"
 .\" Manual page for fw
 .\"
@@ -28,6 +28,9 @@
 .\" ---- Revision history ---------------------------------------------------
 .\"
 .\" $Log: fw.1,v $
+.\" Revision 1.16 2003/11/25 14:46:50 mdw
+.\" Update docco for new options.
+.\"
 .\" Revision 1.15 2003/01/24 20:13:04 mdw
 .\" Fix bogus examples. Explain quoting rules for `exec' endpoints.
 .\"
@@ -1077,11 +1080,23 @@ The
 .B inet
 source address accepts the following options:
 .OS "Socket options"
-.BR socket.inet. [ allow | deny ]
-.RB [ from ]
-.I address
+.B socket.inet.source.addr
+.RB [ = ]
+.RR any | \c
+.I addr
+.OD
+Specify the IP address on which to listen for incoming connections. The
+default is
+.BR any ,
+which means to listen on all addresses, though it may be useful to
+specify this explicitly, if the global setting is different.
+.OE
+.OS "Socket options"
+.BR socket.inet.source. [ allow | deny ]
+.RB [ host ]
+.I addr
 .RB [ /
-.IR address ]
+.IR addr ]
 .OD
 Adds an entry to the source's access control list. If only one
 .I address
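Review bot: `.RR any | \c` in the new socket.inet.source.addr entry is not a man(7) macro (the alternating-font requests are .BR, .RB, .IR, .RI, .BI and .IB), and an undefined request is typically ignored by the formatter, so the `any | ` text is likely to vanish from the rendered page rather than appear in bold as the synopsis later in this patch renders it with `.BR any | \c`. Change the line to `.BR any | \c`. The same `.RR` line recurs in the socket.inet.dest.addr entry of the next hunk (@@ -1094,6 +1109,26 @@) and needs the same fix. The enclosing option list continues outside the hunk.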
@@ -1094,6 +1109,26 @@ and mean the same), and the entry applies to any address which, when masked by the netmask, is equal to the masked network address.
 .OE
+.OS "Socket options"
+.BR socket.inet.source. [ allow | deny ]
+.B priv-port
+.OD
+Accept or reject connections from low-numbered `privileged' ports, in
+the range 0--1023.
+.OE
+.OS "Socket options"
+.B socket.inet.dest.addr
+.RB [ = ]
+.RR any | \c
+.I addr
+.OD
+Specify the IP address to bind the local socket to when making an
+outbound connection. The default is
+.BR any ,
+which means to use whichever address the kernel thinks is most
+convenient. This option is useful if the destination is doing
+host-based access control and your server is multi-homed.
+.OE
 .PP
 The access control rules are examined in the order: local entries first, then global ones, each in the order given in the configuration file.
@@ -1502,11 +1537,24 @@ exec
 .RB [ = ]
 .BR yes | no
 .PP
-.BR socket.inet. [ allow | deny ]
-.RB [ from ]
-.I address
+.BR socket.inet.source. [ allow | deny ]
+.RB [ host ]
+.I addr
 .RB [ /
-.IR address ]
+.IR addr ]
+.br
+.BR socket.inet.source. [ allow | deny ]
+.B priv-port
+.br
+.B socket.inet.source.addr
+.RB [ = ]
+.BR any | \c
+.I addr
+.br
+.B socket.inet.dest.addr
+.RB [ = ]
+.BR any | \c
+.I addr
 .PP
 .BR socket.unix.fattr. * .
diff --git a/fw.c b/fw.c
index b0eed70..5a5db0f 100644
--- a/fw.c
+++ b/fw.c
@@ -1,6 +1,6 @@
 /* -*-c-*-
  *
- * $Id: fw.c,v 1.14 2003/01/24 20:12:40 mdw Exp $
+ * $Id: fw.c,v 1.15 2003/11/25 14:46:50 mdw Exp $
  *
  * Port forwarding thingy
  *
@@ -29,6 +29,9 @@
 /*----- Revision history --------------------------------------------------*
  *
  * $Log: fw.c,v $
+ * Revision 1.15 2003/11/25 14:46:50 mdw
+ * Update docco for new options.
+ *
  * Revision 1.14 2003/01/24 20:12:40 mdw
  * Correctly cast uid and gid sentinel values.
  *
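Review bot: The new priv-port entry states the port range but not what the rule actually establishes, and that is the part an administrator writing an access list needs: the source port is picked by the connecting host, so a priv-port entry only carries weight where that host is itself trusted to reserve low ports, and it reads as a qualifier on a host entry rather than a credential on its own. I'd add after `the range 0--1023.` a sentence such as `This says nothing about which host is connecting; pair it with a host entry when a privileged source port is meant to identify a trusted peer.` The entry also does not say whether priv-port lines are matched in the same order as host lines; if the ordering paragraph that follows applies to them too, one clause saying so would settle it. The enclosing option list continues outside the hunk.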
@@ -515,53 +518,53 @@ static void grammar(FILE *fp)
 Grammar summary\n\
 \n\
 Basic syntax\n\
- file ::= empty | file stmt [`;']\n\
- stmt ::= option-stmt | fw-stmt\n\
- fw-stmt ::= `fw' source options [`to'|`->'] target options\n\
- options ::= `{' option-seq `}'\n\
- option-seq ::= empty | option-stmt [`;'] option-seq\n\
+ FILE ::= EMPTY | FILE STMT [`;']\n\
+ STMT ::= OPTION-STMT | FW-STMT\n\
+ FW-STMT ::= `fw' SOURCE OPTIONS [`to'|`->'] TARGET OPTIONS\n\
+ OPTIONS ::= `{' OPTION-SEQ `}'\n\
+ OPTION-SEQ ::= EMPTY | OPTION-STMT [`;'] OPTION-SEQ\n\
 \n\
 Option syntax\n\
- option-stmt ::= q-option\n\
- q-option ::= option\n\
- | prefix `.' q-option\n\
- | prefix `{' option-seq `}'\n\
- prefix ::= word\n\
+ OPTION-STMT ::= Q-OPTION\n\
+ Q-OPTION ::= OPTION\n\
+ | PREFIX `.' Q-OPTION\n\
+ | PREFIX `{' OPTION-SEQ `}'\n\
+ PREFIX ::= WORD\n\
 \n\
 File source and target\n\
- source ::= file\n\
- target ::= file\n\
- file ::= `file' [`.'] fspec [`,' fspec]\n\
- fspec ::= fd-spec | name-spec | null-spec\n\
- fd-spec ::= [[`:']`fd'[`:']] number|`stdin'|`stdout'\n\
- name-spec ::= [[`:']`file'[`:']] file-name\n\
- file-name ::= path-seq | [ path-seq ]\n\
- path-seq ::= path-elt | path-seq path-elt\n\
- path-elt ::= `/' | word\n\
- null-spec ::= [`:']`null'[`:']\n\
+ SOURCE ::= FILE\n\
+ TARGET ::= FILE\n\
+ FILE ::= `file' [`.'] FSPEC [`,' FSPEC]\n\
+ FSPEC ::= FD-SPEC | NAME-SPEC | NULL-SPEC\n\
+ FD-SPEC ::= [[`:']`fd'[`:']] NUMBER|`stdin'|`stdout'\n\
+ NAME-SPEC ::= [[`:']`file'[`:']] FILE-NAME\n\
+ FILE-NAME ::= PATH-SEQ | [ PATH-SEQ ]\n\
+ PATH-SEQ ::= PATH-ELT | PATH-SEQ PATH-ELT\n\
+ PATH-ELT ::= `/' | WORD\n\
+ NULL-SPEC ::= [`:']`null'[`:']\n\
 \n\
 Exec source and target\n\
- source ::= exec\n\
- target ::= exec\n\
- exec ::= `exec' [`.'] cmd-spec\n\
- cmd-spec ::= shell-cmd | [prog-name] `[' argv0 arg-seq `]'\n\
- arg-seq ::= word | arg-seq word\n\
- shell-cmd ::= word\n\
- argv0 ::= word\n\
+ SOURCE ::= EXEC\n\
+ TARGET ::= EXEC\n\
+ EXEC ::= `exec' [`.'] CMD-SPEC\n\
+ CMD-SPEC ::= SHELL-CMD | [PROG-NAME] `[' ARGV0 ARG-SEQ `]'\n\
+ ARG-SEQ ::= WORD | ARG-SEQ WORD\n\
+ SHELL-CMD ::= WORD\n\
+ ARGV0 ::= WORD\n\
 \n\
 Socket source and target\n\
- source ::= socket-source\n\
- target ::= socket-target\n\
- socket-source ::= [`socket'[`.']] [[`:']addr-type[`:']] source-addr\n\
- socket-target ::= [`socket'[`.']] [[`:']addr-type[`:']] target-addr\n\
+ SOURCE ::= SOCKET-SOURCE\n\
+ TARGET ::= SOCKET-TARGET\n\
+ SOCKET-SOURCE ::= [`socket'[`.']] [[`:']ADDR-TYPE[`:']] SOURCE-ADDR\n\
+ SOCKET-TARGET ::= [`socket'[`.']] [[`:']ADDR-TYPE[`:']] TARGET-ADDR\n\
 \n\
- inet-source-addr ::= [port] port\n\
- inet-target-addr ::= address [`:'] port\n\
- address ::= addr-elt | address addr-elt\n\
- addr-elt ::= `.' | word\n\
+ INET-SOURCE-ADDR ::= [`port'] PORT\n\
+ INET-TARGET-ADDR ::= ADDRESS [`:'] PORT\n\
+ ADDRESS ::= ADDR-ELT | ADDRESS ADDR-ELT\n\
+ ADDR-ELT ::= `.' | WORD\n\
 \n\
- unix-source-addr ::= file-name\n\
- unix-target-addr ::= file-name\n\
+ UNIX-SOURCE-ADDR ::= FILE-NAME\n\
+ UNIX-TARGET-ADDR ::= FILE-NAME\n\
 ");
 }
 
@@ -572,9 +575,9 @@ static void options(FILE *fp)
 Options summary\n\
 \n\
 File attributes (`fattr')\n\
- prefix.fattr.mode [=] mode\n\
- prefix.fattr.owner [=] user\n\
- prefix.fattr.group [=] group\n\
+ prefix.FATTR.MODE [=] MODE\n\
+ prefix.FATTR.OWNER [=] USER\n\
+ prefix.FATTR.GROUP [=] GROUP\n\
 \n\
 File options\n\
 file.create [=] yes|no\n\
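Review bot: `FILE-NAME ::= PATH-SEQ | [ PATH-SEQ ]` in the rewritten summary keeps bare brackets, which everywhere else in the same text mean "optional" (`[`;']`, `[`.']`, `[PROG-NAME]`), while literal brackets are quoted as in `CMD-SPEC ::= ... `[' ARGV0 ARG-SEQ `]'`; if the second alternative is a literally bracketed path, as the quoting convention suggests, it should read `FILE-NAME ::= PATH-SEQ | `[' PATH-SEQ `]'`. The rewrite also leaves `FILE` defined twice with unrelated meanings (`FILE ::= EMPTY | FILE STMT [`;']` under Basic syntax and `FILE ::= `file' [`.'] FSPEC ...` under File source and target), which the uppercasing makes more prominent; renaming one of them, say the first to `CONFIG`, would remove the ambiguity. The same two lines appear in the grammar file hunk of this patch and want the same treatment. grammar() begins above the hunk.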
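Review bot: `prefix.FATTR.MODE [=] MODE` (and the owner/group lines under it) puts the literal option words `fattr` and `mode` in the metavariable case while leaving `prefix`, the one part the user substitutes, in lower case; it is also the reverse of what the grammar file in this same patch writes for the same three lines. Make the options() copy match: `prefix.FATTR.MODE [=] MODE\n\` becomes `PREFIX.fattr.mode [=] MODE\n\`, and likewise `PREFIX.fattr.owner [=] USER\n\` and `PREFIX.fattr.group [=] GROUP\n\`. options() begins above the hunk and continues past it.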
@@ -583,21 +586,24 @@ File options\n\
 \n\
 Exec options\n\
 exec.logging [=] yes|no\n\
- exec.dir [=] file-name\n\
- exec.root [=] file-name\n\
- exec.user [=] user\n\
- exec.group [=] group\n\
- exec.rlimit.limit[.hard|.soft] [=] value\n\
+ exec.dir [=] FILE-NAME\n\
+ exec.root [=] FILE-NAME\n\
+ exec.user [=] USER\n\
+ exec.group [=] GROUP\n\
+ exec.rlimit.LIMIT[.hard|.soft] [=] VALUE\n\
 exec.env.clear\n\
- exec.env.unset var\n\
- exec.env.[set] var [=] value\n\
+ exec.env.unset VAR\n\
+ exec.env.[set] VAR [=] VALUE\n\
 \n\
 Socket options\n\
- socket.conn [=] number|unlimited|one-shot\n\
- socket.listen [=] number\n\
+ socket.conn [=] NUMBER|unlimited|one-shot\n\
+ socket.listen [=] NUMBER\n\
 socket.logging [=] yes|no\n\
 \n\
- socket.inet.[allow|deny] [from] address [/ address]\n\
+ socket.inet.source.[allow|deny] [host] ADDR [/ ADDR]\n\
+ socket.inet.source.[allow|deny] priv-port\n\
+ socket.inet.source.addr [=] any|ADDR\n\
+ socket.inet.dest.addr [=] any|ADDR\n\
 \n\
 socket.unix.fattr.*\n\
 ");
diff --git a/grammar b/grammar
index ae3ce1f..6c4fc02 100644
--- a/grammar
+++ b/grammar
@@ -1,56 +1,56 @@
 Basic syntax
- file ::= empty | file stmt [`;']
- stmt ::= option-stmt | fw-stmt
- fw-stmt ::= `fw' source options [`to'|`->'] target options
- options ::= `{' option-seq `}'
- option-seq ::= empty | option-stmt [`;'] option-seq
+ FILE ::= EMPTY | FILE STMT [`;']
+ STMT ::= OPTION-STMT | FW-STMT
+ FW-STMT ::= `fw' SOURCE OPTIONS [`to'|`->'] TARGET OPTIONS
+ OPTIONS ::= `{' OPTION-SEQ `}'
+ OPTION-SEQ ::= EMPTY | OPTION-STMT [`;'] OPTION-SEQ
 
 Option syntax
- option-stmt ::= q-option
- q-option ::= option
- | prefix `.' q-option
- | prefix `{' option-seq `}'
- prefix ::= word
+ OPTION-STMT ::= Q-OPTION
+ Q-OPTION ::= OPTION
+ | PREFIX `.' Q-OPTION
+ | PREFIX `{' OPTION-SEQ `}'
+ PREFIX ::= WORD
 
 File source and target
- source ::= file
- target ::= file
- file ::= `file' [`.'] fspec [`,' fspec]
- fspec ::= fd-spec | name-spec | null-spec
- fd-spec ::= [[`:']`fd'[`:']] number|`stdin'|`stdout'
- name-spec ::= [[`:']`file'[`:']] file-name
- file-name ::= path-seq | [ path-seq ]
- path-seq ::= path-elt | path-seq path-elt
- path-elt ::= `/' | word
- null-spec ::= [`:']`null'[`:']
+ SOURCE ::= FILE
+ TARGET ::= FILE
+ FILE ::= `file' [`.'] FSPEC [`,' FSPEC]
+ FSPEC ::= FD-SPEC | NAME-SPEC | NULL-SPEC
+ FD-SPEC ::= [[`:']`fd'[`:']] NUMBER|`stdin'|`stdout'
+ NAME-SPEC ::= [[`:']`file'[`:']] FILE-NAME
+ FILE-NAME ::= PATH-SEQ | [ PATH-SEQ ]
+ PATH-SEQ ::= PATH-ELT | PATH-SEQ PATH-ELT
+ PATH-ELT ::= `/' | WORD
+ NULL-SPEC ::= [`:']`null'[`:']
 
 Exec source and target
- source ::= exec
- target ::= exec
- exec ::= `exec' [`.'] cmd-spec
- cmd-spec ::= shell-cmd | [prog-name] `[' argv0 arg-seq `]'
- arg-seq ::= word | arg-seq word
- shell-cmd ::= word
- argv0 ::= word
+ SOURCE ::= EXEC
+ TARGET ::= EXEC
+ EXEC ::= `exec' [`.'] CMD-SPEC
+ CMD-SPEC ::= SHELL-CMD | [PROG-NAME] `[' ARGV0 ARG-SEQ `]'
+ ARG-SEQ ::= WORD | ARG-SEQ WORD
+ SHELL-CMD ::= WORD
+ ARGV0 ::= WORD
 
 Socket source and target
- source ::= socket-source
- target ::= socket-target
- socket-source ::= [`socket'[`.']] [[`:']addr-type[`:']] source-addr
- socket-target ::= [`socket'[`.']] [[`:']addr-type[`:']] target-addr
+ SOURCE ::= SOCKET-SOURCE
+ TARGET ::= SOCKET-TARGET
+ SOCKET-SOURCE ::= [`socket'[`.']] [[`:']ADDR-TYPE[`:']] SOURCE-ADDR
+ SOCKET-TARGET ::= [`socket'[`.']] [[`:']ADDR-TYPE[`:']] TARGET-ADDR
 
- inet-source-addr ::= [port] port
- inet-target-addr ::= address [`:'] port
- address ::= addr-elt | address addr-elt
- addr-elt ::= `.' | word
+ INET-SOURCE-ADDR ::= [`port'] PORT
+ INET-TARGET-ADDR ::= ADDRESS [`:'] PORT
+ ADDRESS ::= ADDR-ELT | ADDRESS ADDR-ELT
+ ADDR-ELT ::= `.' | WORD
 
- unix-source-addr ::= file-name
- unix-target-addr ::= file-name
+ UNIX-SOURCE-ADDR ::= FILE-NAME
+ UNIX-TARGET-ADDR ::= FILE-NAME
 
 File attributes (`fattr')
- prefix.fattr.mode [=] mode
- prefix.fattr.owner [=] user
- prefix.fattr.group [=] group
+ PREFIX.fattr.mode [=] MODE
+ PREFIX.fattr.owner [=] USER
+ PREFIX.fattr.group [=] GROUP
 
 File options
 file.create [=] yes|no
@@ -59,17 +59,22 @@ File options
 
 Exec options
 exec.logging [=] yes|no
- exec.dir [=] file-name
- exec.root [=] file-name
- exec.user [=] user
- exec.group [=] group
- exec.rlimit.limit[.hard|.soft] [=] value
+ exec.dir [=] FILE-NAME
+ exec.root [=] FILE-NAME
+ exec.user [=] USER
+ exec.group [=] GROUP
+ exec.rlimit.LIMIT[.hard|.soft] [=] VALUE
 exec.env.clear
- exec.env.unset var
- exec.env.[set] var [=] value
+ exec.env.unset VAR
+ exec.env.[set] VAR [=] VALUE
 
 Socket options
- socket.conn [=] number|unlimited|one-shot
+ socket.conn [=] NUMBER|unlimited|one-shot
 socket.logging [=] yes|no
- socket.inet.[allow|deny] [from] address [/ address]
- socket.unix.fattr.*
+
+ socket.inet.source.[allow|deny] priv-port
+ socket.inet.source.[allow|deny] [host] ADDR [/ ADDR]
+ socket.inet.source.addr [=] any|ADDR
+ socket.inet.dest.addr [=] any|ADDR
+
+ socket.unix.source.fattr.*
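Review bot: The new last line `socket.unix.source.fattr.*` contradicts the other two copies of this list that the same commit touches: fw.c's options() keeps `socket.unix.fattr.*\n\` and fw.1's synopsis keeps `.BR socket.unix.fattr. * .`, so a reader of the three documents cannot tell which spelling the parser accepts (I can't tell from the diff either). Whichever is right, use it in all three files. This file also still lacks the `socket.listen [=] NUMBER` line that fw.c's summary carries in the same hunk, and it lists the priv-port line before the host line where fw.c and fw.1 order them the other way round; since debian/rules now installs this file as documentation (`dh_installdocs -a grammar`), aligning the copies before it ships would avoid publishing a self-contradictory reference.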