
New nbdkit-ip-filter allows you to filter clients by IP address.

Using the new preconnect method we can filter clients early on against
IP address allow and deny lists.  As currently implemented this works
like tcp_wrappers.
rwmjones committed Nov 30, 2019
1 parent 33e1ed2 commit 427e271e8392ecb696855f5a7d8ff3b2dce2637b
Showing with 777 additions and 4 deletions.
  1. +10 −2 TODO
  2. +2 −0 configure.ac
  3. +3 −2 docs/nbdkit-plugin.pod
  4. +1 −0 docs/nbdkit-service.pod
  5. +67 −0 filters/ip/Makefile.am
  6. +477 −0 filters/ip/ip.c
  7. +156 −0 filters/ip/nbdkit-ip-filter.pod
  8. +4 −0 tests/Makefile.am
  9. +57 −0 tests/test-ip-filter.sh
12 TODO
@@ -4,7 +4,7 @@ To-do list for nbdkit
General ideas for improvements
------------------------------

* Listen on specific interfaces or protocols (eg. only IPv6).
* Listen on specific interfaces or protocols.

* Performance - measure and improve it. Chart it over various buffer
sizes and threads, as that should make it easier to identify
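Review bot: the first TODO hunk drops the "(eg. only IPv6)" example from the "Listen on specific interfaces or protocols" item, but nothing in this commit implements interface or protocol selection, so the item loses its only concrete illustration. Unless the removal is intentional, keep the example: `* Listen on specific interfaces or protocols (eg. only IPv6).`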
@@ -200,11 +200,19 @@ nbdkit-retry-filter:

* subsecond times

nbdkit-ip-filter:

* permit hostnames and hostname wildcards to be used in the
allow and deny lists

* the allow and deny lists should be updatable while nbdkit is
running, for example by storing them in a database file

Filters for security
--------------------

Things like blacklisting or whitelisting IP addresses can be done
using external wrappers (TCP wrappers, systemd).
using external wrappers (TCP wrappers, systemd), or nbdkit-ip-filter.

However it might be nice to have a configurable filter for preventing
valid but not sensible requests. The server already filters invalid
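Review bot: the new "permit hostnames and hostname wildcards" TODO item under nbdkit-ip-filter should record the cost of doing so, because matching a hostname requires a DNS or reverse-DNS lookup inside preconnect, and the nbdkit-plugin.pod change in this same commit says that callback must be as fast and use as few resources as possible to avoid denial of service. Suggest wording it as `* permit hostnames and hostname wildcards to be used in the allow and deny lists (note: name lookups in preconnect are slow and blocking)`. The "Filters for security" paragraph edit ("..., or nbdkit-ip-filter.") reads fine.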
@@ -897,6 +897,7 @@ filters="\
delay \
error \
fua \
ip \
log \
nocache \
noextents \
@@ -980,6 +981,7 @@ AC_CONFIG_FILES([Makefile
filters/delay/Makefile
filters/error/Makefile
filters/fua/Makefile
filters/ip/Makefile
filters/log/Makefile
filters/nocache/Makefile
filters/noextents/Makefile
@@ -456,8 +456,9 @@ For security reasons (to avoid denial of service attacks) this
callback should be written to be as fast and take as few resources as
possible. If you use this callback, only use it to do basic access
control, such as checking C<nbdkit_peer_name> against a whitelist (see
L</PEER NAME>). It may be better to do access control outside the
server, for example using TCP wrappers or a firewall.
L</PEER NAME> and L<nbdkit-ip-filter(1)>). It may be better to do
access control outside the server, for example using TCP wrappers or a
firewall.

The C<readonly> flag informs the plugin that the server was started
with the I<-r> flag on the command line.
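Review bot: the rewritten sentence in nbdkit-plugin.pod still says "checking C<nbdkit_peer_name> against a whitelist" while the TODO entries and the new filter added in this commit use "allow and deny lists"; use one term in both places so readers moving from this paragraph to L<nbdkit-ip-filter(1)> find matching vocabulary, e.g. `control, such as checking C<nbdkit_peer_name> against an allow list (see`. The re-wrap of the following lines is otherwise consistent with the surrounding paragraph.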
@@ -143,6 +143,7 @@ L</SOCKET ACTIVATION>.
=head1 SEE ALSO

L<nbdkit(1)>,
L<nbdkit-ip-filter(1)>,
L<systemd(1)>,
L<systemd.socket(5)>,
L<syslog(3)>,
@@ -0,0 +1,67 @@
# nbdkit
# Copyright (C) 2019 Red Hat Inc.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
#
# * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#
# * Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# * Neither the name of Red Hat nor the names of its contributors may be
# used to endorse or promote products derived from this software without
# specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY RED HAT AND CONTRIBUTORS ''AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
# PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RED HAT OR
# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
# USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
# OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.

include $(top_srcdir)/common-rules.mk

EXTRA_DIST = nbdkit-ip-filter.pod

filter_LTLIBRARIES = nbdkit-ip-filter.la

nbdkit_ip_filter_la_SOURCES = \
ip.c \
$(top_srcdir)/include/nbdkit-filter.h \
$(NULL)

nbdkit_ip_filter_la_CPPFLAGS = \
-I$(top_srcdir)/include \
-I$(top_srcdir)/common/include \
-I$(top_srcdir)/common/utils \
$(NULL)
nbdkit_ip_filter_la_CFLAGS = $(WARNINGS_CFLAGS)
nbdkit_ip_filter_la_LDFLAGS = \
-module -avoid-version -shared \
-Wl,--version-script=$(top_srcdir)/filters/filters.syms \
$(NULL)
nbdkit_ip_filter_la_LIBADD = \
$(top_builddir)/common/utils/libutils.la \
$(NULL)

if HAVE_POD

man_MANS = nbdkit-ip-filter.1
CLEANFILES += $(man_MANS)

nbdkit-ip-filter.1: nbdkit-ip-filter.pod
$(PODWRAPPER) --section=1 --man $@ \
--html $(top_builddir)/html/$@.html \
$<

endif HAVE_POD
