Re: [Libguestfs] [PATCH nbdkit v2 2/3] ip: Add filtering by process ID, user ID and group ID.

--- filters/ip/nbdkit-ip-filter.pod | 64 +++++++++++++++++++++++++----- tests/Makefile.am | 14 ++++++- filters/ip/ip.c | 69 +++++++++++++++++++++++++++++--- tests/test-ip-filter-gid.sh | 51 ++++++++++++++++++++++++ tests/test-ip-filter-pid.sh | 70 +++++++++++++++++++++++++++++++++ tests/test-ip-filter-uid.sh | 51 ++++++++++++++++++++++++ 6 files changed, 301 insertions(+), 18 deletions(-) diff --git a/filters/ip/nbdkit-ip-filter.pod b/filters/ip/nbdkit-ip-filter.pod index 17108617..aa91cff2 100644 --- a/filters/ip/nbdkit-ip-filter.pod +++ b/filters/ip/nbdkit-ip-filter.pod @@ -1,6 +1,7 @@ =head1 NAME -nbdkit-ip-filter - filter clients by IP address +nbdkit-ip-filter - filter clients by IP address, process ID, user ID +or group ID =head1 SYNOPSIS @@ -14,6 +15,10 @@ address. Usually it is better to control this outside nbdkit, for example using TCP wrappers or a firewall, but this filter can be used if these are not available. +nbdkit E<ge> 1.24 added the ability to filter clients connecting over +local Unix domain sockets by client process ID, user ID and group ID. +This currently only works on Linux. + =head1 EXAMPLES nbdkit --filter=ip [...] allow=127.0.0.1,::1 deny=all @@ -28,13 +33,29 @@ network. nbdkit --filter=ip [...] allow=anyipv6 deny=all -Allow IPv6 clients to connect from anywhere, deny all IPv4 -connections. +Allow IPv6 clients to connect from anywhere, deny all other sources. + + nbdkit -U sock --filter=ip [...] allow=pid:1234 deny=all + +Only process ID 1234 can connect to the server over the local Unix +domain socket.