X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~mdw/git/preload-hacks/blobdiff_plain/e4976bb0731d14a7d8bfa53067ec1d99e94617cb..9111857cc67644ff89749d5919647b38033bb6fd:/noip.1 diff --git a/noip.1 b/noip.1 index fe56efd..f4598da 100644 --- a/noip.1 +++ b/noip.1 @@ -79,13 +79,15 @@ reads configuration from .B .noip in the calling user's home directory, as determined by the .B HOME -environment, or, failing that, looking up the -.I real -(not effective) user id in the password database. +environment, or, failing that, looking up the effective user id in the +password database. However, if the environment variable +.B NOIP_CONFIG +is set, then the file it names is read instead (assuming it exists; if +it doesn't, no configuration is read). .PP The configuration file has a simple line-based format. A line is -ignored if it consists only of whitespace, or if its first whitespace -character is +ignored if it consists only of whitespace, or if its first +non-whitespace character is .RB ` # '. Otherwise, the first whitespace-delimited word is a keyword and the remainder of the line is a value. The following keywords are @@ -106,23 +108,51 @@ can be used to control this. .BI "socketdir " directory Store the Unix-domain sockets in .IR directory -rather than the default. +rather than the default. The environment variable +.B NOIP_SOCKETDIR +can also be used to control which directory is used for sockets. +.TP +.BI "autoports " min "\-" max +Select which ports are used for implicit binding. Allocating ports can +be a bit slow, since checking whether a Unix domain socket is in use is +difficult. A wide range makes things easier, because +.B noip +starts by trying ports at random from the given range. The environment +variable +.B NOIP_AUTOPORTS +can also be used to control which ports are assigned automatically. .TP .BI "realbind " acl-entry -Add an entry to the +Add a comma-separated list of entries to the .B realbind -access control list (ACL). When a program attempts to +access control list (ACL). (See below for the format of an ACL entry.) +When a program attempts to .BR bind (2) a socket to an address, the .B realbind ACL is consulted. If the address is matched, then the program is allowed to bind a real Internet socket to that address; otherwise, the -socket is bound to a Unix-domain socket. +socket is bound to a Unix-domain socket. Three environment variables +are consulted too: +.BR NOIP_REALBIND_BEFORE , +.BR NOIP_REALBIND , +and +.BR NOIP_REALBIND_AFTER . +The +.B _BEFORE +rules are inserted at the front of the list; the +.B _AFTER +rules are appended on the end. Currently, the rules in +.B NOIP_REALBIND +are also put at the end (before the +.B _AFTER +rules), though this may change later. .TP -.BI "realbind " acl-entry -Add an entry to the +.BI "realconnect " acl-entry +Add a comma-separated list of entries to the .B realconnect -access control list (ACL). When a program attempts to +access control list (ACL). (See below for the format of an ACL entry.) +When a program attempts to .BR connect (2) a socket to an address, or to contact another socket using .BR sendto (2) @@ -132,8 +162,22 @@ the .B realconnect ACL is consulted. If the destination address is matched, then the program is allowed to contact the real Internet socket; otherwise, the -attempt is made to contact a Unix-domain socket. -.PP +attempt is made to contact a Unix-domain socket. Three environment variables +are consulted too: +.BR NOIP_REALCONNET_BEFORE , +.BR NOIP_REALCONNECT , +and +.BR NOIP_REALCONNECT_AFTER . +The +.B _BEFORE +rules are inserted at the front of the list; the +.B _AFTER +rules are appended on the end. Currently, the rules in +.B NOIP_REALCONNECT +are also put at the end (before the +.B _AFTER +rules), though this may change later. +.IP (Aside: An attempt to connect to a remote host may not be a hopeless failure, even if a real IP socket is denied: .B noip @@ -141,34 +185,68 @@ deliberately makes no attempt to check that addresses being bound to sockets correspond to locally available addresses; and besides, sockets can be introduced into the directory by other programs simulating remote servers.) +.TP +.BI "impbind " bind-rule +Add a comma-separated list of entries to the implicit-bind rule list. +When a program attempts to transmit from a socket \(en e.g., with +.BR connect (2), +.BR sendto (2), or +.BR sendmsg (2) +\(en without binding its local address first, +.B noip +consults this list to decide on the correct local address to assign. +Each entry in the list has the form +.RS +.IP +.I address-range +.IR address | \c +.B same +.PP +The rules are tried in order: if the remote address matches (in the same +way as in an ACL entry) the address range on the left side of the rule, +then the socket is bound to the address from the right side; if the +address on the right is +.B same +then the remote address is used. +.PP +Three environment variables +are consulted too: +.BR NOIP_IMPBIND_BEFORE , +.BR NOIP_IMPBIND , +and +.BR NOIP_IMPBIND_AFTER . +The +.B _BEFORE +rules are inserted at the front of the list; the +.B _AFTER +rules are appended on the end. Currently, the rules in +.B NOIP_IMPBIND +are also put at the end (before the +.B _AFTER +rules), though this may change later. +.RE .PP An .I acl-entry -has this format: +is a comma-separated list of entries of the form: .IP .BR + | \- -.IR address \c -.RB [ \- \c -.IR address | \c -.BR / \c -.IR mask ]| \c -.BR local | any +.I address-range .RB [ : \c -.IR port [ \c -.BI \- \c -.IR port ]] +.IR port-range ] .PP (The spaces in the above are optional.) .PP -The leading sign says whether -matching addresses should be +The leading sign says whether matching addresses should be .I accepted .RB (` + ') or .I denied .RB (` \- '). .PP -The IP-address portion may be any of the following +The +.I address-range +portion may be any of the following. .TP .B any Matches all addresses. @@ -177,20 +255,22 @@ Matches all addresses. Matches the address of one of the machine's network interfaces. .TP .I address -Matches just the given address +Matches just the given IPv4 or IPv6 address. An +.I address +may be enclosed in square brackets; IPv6 addresses must be so enclosed, +because colons are significant in the rest of the ACL syntax. .TP .IB address \- address Matches any address which falls in the given range. Addresses are compared lexicographically, with octets to the left given precedence over octets to the right. .TP -.IB address / mask -Matches an address in the given network. The -.I mask -may be a netmask in dotted-quad form, or a one-bit-count. +.IB address / prefix-length +Matches an address in the given network. .PP -The port portion may be omitted (which means `match any port'), or may -be a single +The +.I port-range +may be omitted (which means `match any port'), or may be a single .I port or a range .IB port \- port @@ -207,7 +287,7 @@ is empty, the default is to deny all addresses. For example, it may be useful to allow access at least to a DNS server. This can be accomplished by adding a line .VS -realconnect +1.2.3.4:52 +realconnect +1.2.3.4:53 .VE to the configuration file, where 1.2.3.4 is the IP address of one of your DNS server. @@ -238,9 +318,9 @@ port to himself or a small group. is implemented as an .B LD_PRELOAD hack. It won't work on setuid programs. Also, perhaps more -importantly, it can't do anything a +importantly, it can't do anything to prevent a .I malicious -program use of networking: a program could theoretically issue sockets +program's use of networking: a program could theoretically issue sockets system calls directly instead of using the C library calls that .B noip intercepts. It is intended only as a tool for enhancing the security of @@ -275,4 +355,4 @@ child processes will be unaffected. .PP This manual is surprisingly long and complicated for such a simple hack. .SH AUTHOR -Mark Wooding, +Mark Wooding,