| home | updates | download | manual | documents | feedback | search | ITS more |
|
HOSTLIST
HostList == [!][-iType]hostSpec[,HostList]
iType == {h|a|c|*}/[iType]
hostSpec == [{userList}@]hostSpec[/netMask]
userList == userNamePattern[,userNamePattern]*
hostSpec == hostNamePattern | hostAddrPattern
userNamePattern == [*]uname[*]
hostNamePattern == [*]hname[*]
hostAddrPattern == IPaddressPattern | IPrange
netMask == IPaddress | maskLength
-
A HostList is a list of hosts (by name or address)
to be used for matching to examine whether a certain host is included
in the list or not.
Each host (hostSpec)
is optionally prefixed with a list of users (userList),
and optionally followed by a netMask.
- TYPE OF IDENTITY
-
A hostSpec "person@place" represents following identities:
- [-h/] [Ident@]peerHost -- peer host's identity (client, server or proxy)
- The name or address of the host matches with peerHost, and if Ident@ part is specified, the name of the owner of the connection, detected automatically by the Identification protocol, matches with Ident.
- [-a/] authUser@authHost -- authenticated identity
- The user of the client is authenticated as authUser (showing the name with an appropriate password) by an authentication server authHost (specified as AUTHORIZER=authHost)
- [-c/] person@domain -- certificated identity
- The E-mail address of the client's user is given as /Email=person@domain/ in a client's certificate (which is passed over SSL).
-
user@host
-- matches if at least one of identities is "user@host"
-h/user@host -- matches if peer host's identity is "user@host"
host -- matches if peer host's identity is "host"
-*/host -- matches if at least one of identities is "*@host"
-a/host -- matches if authenticated identity is "*@host"
-a/c/host -- matches if authenticated or certificated identity is "*@host"
-a/* -- matches if authenticated successfully
- WILDCARD ( * )
- A set of hosts belonging to a domain or a network can be represented as a single hostSpec with wild-card notation. You can prefix or postfix wild-card character "*" to a hostname like "*.com" or "*.delegate.org" or "www.*". As a special case, hostSpec which begins with "*." like "*.domain" matches with "domain" as a hostname as well as ordinary hostnames like "xx.domain" or "yy.xx.domain" (since DeleGate/6.1.18). IP-address range, which may represent a network, can be specified like 192.168.[0-255], 192.168.1.[32-63]. These range can be written as 192.168.0.0/16 and 192.168.1.32/27. In IP-address notation, wild-card character "*" means [0-255], thus "192.168.*" is equals to 192.168.[0-255].
- NEGATION ( ! )
-
If "!" is prefixed to a host,
it means that the host is excluded from the list.
All of elements in the list are scanned from the first one to the last one.
Thus once included (excluded) name may be excluded (included)
in succeeding list.
For example, for a HostList like follows:
-
"*.dom,!*.xx.dom,*.yy.xx.dom"
a host named "host.yy.xx.dom" matches with the first hostSpec, but excluded by the second one, but included again by the third one. If the first host in a HostList is with "!", it means exclusion from the universe ("*", that is any host), that is, "!host, ..." is regarded as "*,!host, ..."
- NETMASK ( host/mask )
-
Specifying a netMask, you can check only a part of address,
the network address part typically.
The netMask can be specified in one of following formats;
- /24, /28, ... length of mask bits
- /FFFFFF00, /FFFFFFF0, ... hexadecimal notation
- /255.255.255.0, /255.255.240.0, ... dot notation
- /@A, /@B or /@C ... address class mask.
- /FFFFFF00, /FFFFFFF0, ... hexadecimal notation
- @A, @B and @C represent /8, /16 and /24 respectively. This notation can be followed by the number of bits for subnets; for example /@B4 means class B network divided into sixteen subnets.
- @ ... the default network mask
- represents one of /@A, /@B or /@C depending on the class of IP-address of the host to be masked
- . ... narrower default network mask
- similar to "@" but represents "/24" when it is applied to class-A IP-addresses. For an IPv6 address, the default mask is "ffff_ffff_ffff_ffff__" which represents a mask of 64bits "FFFF:FFFF:FFFF:FFFF::".
- /24, /28, ... length of mask bits
- USER LIST ( {userList}@host )
- For a srcHostList (i.e. HostList concerning client hosts),
list of user names (userList) can be prefixed to a host name
like {user1,user2,...}@host.
The negate symbol "!" have the same meaning with that in a HostList.
Note that !user@host is different from {!user}@host;
the former excludes user@host,
but the latter means {*,!user}@host thus includes *@host except user@host.
The special user name "?" matches with users whos names are not
IDENTified with identd.
Example: inhibit access from unknown hosts or from unknown users
-
RELIABLE="{!?,!?@*}"
- PORT LIST ( host:{portList} )
-
For a dstHostList (i.e. HostList concerning server hosts), a list of
port numbers (postList) can be postfixed to a host,
to make matching by port number as well as host name/address.
Example: conditional filtering using CMAP
- SPECIAL HOST NAMES
-
There are special host names which are substituted with real host
names at runtime.
- "."
- the host where the DeleGate is running.
- "-"
- identical to "." if the host has unique IP address (network interface), but if it have multiple IP addresses, it will be the IP address from which the client connected to this DeleGate.
- ".o"
- identical to "." if the host has unique IP address, but if it have multiple network interface, outgoing network interface
- ".localnet"
- represents "localhost,./.,-/.,.o/." by default. It can be redefined by the HOSTLIST parameter as HOSTLIST=.localnet:HostList.
- ".C" or "-C"
- the client host which may be useful to restrict access from a client only to the client (network).
- "?"
- matches any "unknown hosts" of which name or address is not known by resolvers (listed in RESOLV).
- DISABLING NAME RESOLUTION ( -host )
- If a hostname (or a IP-address) is prefixed with "-" like "-hostname" ("-192.168.1.1"), then no name resolution (reverse resolution) will be tried for the hostname (IP-address). This will avoid wasting time in resolution trial for a never resolvable hostname (IP-address).
- ADDRESS TYPE ( _4. | _6. )
- "_4.*" matches any IPv4 addresses while "_6.*" matches any IPv6 addresses. These can be used for routing or access control based on address types.
- AGENT CONDITION ( -A/agentNamePattern )
-
A pseudo host name pattern with prefix "-A/" at the top of it is used to
specify the User Agent of the client.
Example:
- TIME CONDITION ( -T.period )
- A pseudo host name pattern with prefix "-T." at the top of it is used to specify a time period in a day.
- "-T.period" matches if the current time is in the specified time period, where period is represented as "hour1-hour2" which means "from hour1:00:00 to hour2:59:59".
Example:
-
PERMIT="*:-T.9-16:hostList1" PERMIT="*:-T.17-8:hostList2"
// hostList1 is permitted during office hours whereas
// hostList2 is permitted non-office hours.The complete format of period is like this: [wW]HH[MM][-HH[MM]]. A time period in a week is represented with "wW" where W expresses a day in a week ranging from "0" to "6" according to Sunday through Saturday. Sunday can be expressed as "7" too for convenience.
Example:
-
-T.w5-0 // Friday through Sunday
-T.w5-7 // Friday through Sunday
-T.w51730-10830 // from 5:30pm on Friday to 8:30am on Monday- COMPOSITE OPERATORS ( &, |, ! )
- As explained above, the meaning of a comma (,) in HostList like "A,B" is not AND nor OR. Operators like AND, OR and NOT operators are provided as a special member of a list.
- "&"
- AND operator used as "hostList=A,&,B" where when A turn to be false, the hostList as a whole turns to be false without evaluating B. Otherwise B must be true to be true as a whole.
- "|"
- OR operator used as "hostList=A,|,B" where when A turns to be true, the hostList as a whole turns to be true without evaluating B. Otherwise B must be true to be true as a whole.
- "!"
- NOT operator used as "A,!,B" where the result of A is negated, and succeed evaluation of B if it exists.
Example: