The s6-tcpserver-access program

s6-tcpserver-access is a command-line TCP access control tool, and additionally performs some fine-tuning on a TCP socket. It is meant to be run after s6-tcpserver and before the application program on the s6-tcpserver command line, just like tcpwrappers' tcpd program.


     s6-tcpserver-access [ -v verbosity ] [ -W | -w ] [ -D | -d ] [ -H | -h ] [ -R | -r ] [ -P | -p ] [ -l localname ] [ -B banner ] [ -t timeout ] [ -i rulesdir | -x rulesfile ] prog...

Environment variables

s6-tcpserver-access expects to inherit some environment variables from its parent:

Additionally, it exports the following variables before executing into prog...:

Also, the access rules database can instruct s6-tcpserver-access to set up, or unset, more environment variables, depending on the client address.


Access rule checking

s6-tcpserver-access checks its client connection against a ruleset. This ruleset can be implemented:

The exact format of the ruleset is described on the s6-accessrules-cdb-from-fs page.

s6-tcpserver-access first gets the remote address ip of the client and converts it to canonical form. Then it checks it with the s6_accessrules_keycheck_ip46() function. In other words, it tries to match broader and broader network prefixes of ip, from ip4/ip_32 to ip4/ if ip is v4, or from ip6/ip_128 to ip6/::_0 if ip is v6. If the result is:

  • S6_ACCESSRULES_ERROR: it immediately exits 111.
  • S6_ACCESSRULES_DENY: it immediately exits 1.
  • S6_ACCESSRULES_ALLOW: it grants access.
  • S6_ACCESSRULES_NOTFOUND: more information is needed.
  • In the last case, if DNS lookups have been deactivated (-H) then access is denied. But if s6-tcpserver-access is authorized to perform DNS lookups, then it gets the remote name of the client, remotehost, and checks it with the s6_accessrules_keycheck_reversedns() function. In other words, it tries to match shorter and shorter suffixes of remotehost, from reversedns/remotehost to reversedns/@. This time, the connection is denied is the result is anything else than S6_ACCESSRULES_ALLOW.

    Note that even if the access check succeeds, the connection can still be denied if paranoid mode has been requested (-p) and a forward DNS query on remotehost does not match ip.

    Environment and executable modifications

    s6-tcpserver-access interprets non-empty env subdirectories and exec files it finds in the matching rule of the ruleset, as explained in the s6-accessrules-cdb-from-fs page.