root/src/modules/ip_acl.xml

Revision c446502a4ee40c22d4500431adfafa754be78122, 1.2 kB (checked in by Theo Schlossnagle <jesus@omniti.com>, 2 years ago)

An ip_acl module allowing for the restriction of check execution
against specified IP addresses (both IPv4 and IPv6).

There is an ordering problem with inherited ACL rulesets
(ordering is non-deterministic if multiple ACLs are
applied). With a default allow, this means that ACLs should
only use deny rules (until ordering issues are fixed) to
ensure expected behavior.

  • Property mode set to 100644
1 <module>
2     <name>ip_acl</name>
3     <description>
4         <para>
5           This module hooks into the pre-flight execution of
6           checks and applies user-specified ACLs to possibly
7           prevent the execution of the check.
8         </para></description>
9     <loader>C</loader>
10     <image>ip_acl.so</image>
11     <moduleconfig>
12     </moduleconfig>
13     <checkconfig />
14     <examples>
15         <example>
16             <title>Loading the ip_acl module.</title>
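17             <para>This example loads the ip_acl module and creates a "global" ACL that denies
18              any check running against the host 4.2.2.1 and the entire 10.0.0.0/8 (RFC 1918) space.
19              It uses only deny rules because checks are allowed by default and rule ordering is non-deterministic when multiple ACLs are applied.</para>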
20             <programlisting><![CDATA[
21       <noit>
22         <modules>
23           <generic image="ip_acl" name="ip_acl" />
24         </modules>
25         <checks>
26           <config xmlns:ip_acl="noit://module/ip_acl">
27             <ip_acl:global/>
28           </config>
29         </checks>
30         <acls>
31           <acl name="global">
32             <rule type="deny">4.2.2.1/32</rule>
33             <rule type="deny">10.0.0.0/8</rule>
34           </acl>
35         </acls>
36       </noit>
37     ]]></programlisting>
38         </example>
39     </examples>
40 </module>