Strange behavior of “Allow IF(eth0)” directives in cupsd.conf

When configuring access controls for <Location> sections in the CUPS daemon configuration file cupsd.conf, one might notice the following in the man page cupsd.conf(5):

DIRECTIVES VALID WITHIN LOCATION AND LIMIT SECTIONS
       The following directives may be placed inside Location and Limit sections in the cupsd.conf file:
       [..]
       Allow @IF(name)
       [..]
            Allows access from the named hosts, domains, addresses, or interfaces.  The Order directive controls whether Allow lines are evaluated before or after Deny lines.

On a multi-homed box, one might then be tempted to use this Allow @IF(name) directive as e.g. Allow @IF(eth0), assuming that any request received on that interface will be allowed in the context of the associated Location section.

Unfortunately, that is not how it works. How it actually works: each incoming request is checked to determine whether the client address is on the same IP subnet as the interface named in the @IF directive, not whether the request arrived on that interface. This means that requests routed in from another network, or even requests from directly attached hosts configured for a different subnet, will be mysteriously rejected by this directive, and with no useful message in the log to tell you that it was this rule that failed.

So don’t use this directive unless you know exactly what you’re doing. It’s misleading and practically undocumented.
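To make the difference concrete, here is a small model of the check as described above (added here for illustration; it is not CUPS code and the interface table, addresses and request list are constructed). It assumes @IF(name) means "client address inside the named interface's subnet" and shows that a request routed in from another network is refused even though it arrives on eth0, while an explicit CIDR Allow line admits it.

```python
# Model of the cupsd.conf "Allow @IF(name)" check described in the post.
# Assumption (not CUPS source): @IF(name) matches when the client address lies in
# the subnet of one of the interface's addresses, whatever interface the packet
# arrived on. The interface table and requests below are constructed.
import ipaddress

# Constructed interface table for a hypothetical multi-homed host.
INTERFACES = {"eth0": ["192.0.2.10/24"], "eth1": ["198.51.100.1/28"]}

def if_rule_matches(ifname, client_ip):
    """Observed behaviour: the client must be in the interface's subnet."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_interface(a).network
               for a in INTERFACES.get(ifname, []))

def naive_expectation(ifname, ingress_iface):
    """What the man page wording suggests: the request arrived on that interface."""
    return ingress_iface == ifname

def allow_matches(rule, client_ip):
    """Match one Allow argument: '@IF(name)', an address, a CIDR block or 'all'."""
    if rule.lower() == "all":
        return True
    if rule.startswith("@IF(") and rule.endswith(")"):
        return if_rule_matches(rule[4:-1], client_ip)
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(rule, strict=False)

def explain(allow_rules, client_ip, ingress_iface):
    """Deny unless some Allow line matches; return (allowed, trace) naming the rule."""
    trace = []
    for rule in allow_rules:
        hit = allow_matches(rule, client_ip)
        trace.append(f"Allow {rule}: {'match' if hit else 'no match'} for "
                     f"{client_ip} arriving via {ingress_iface}")
        if hit:
            return True, trace
    trace.append("no Allow line matched: request denied")
    return False, trace

if __name__ == "__main__":
    # Constructed requests: (client address, interface the packet arrived on).
    for client, via in [("192.0.2.55", "eth0"),   # eth0 subnet: allowed
                        ("203.0.113.9", "eth0"),  # routed in via eth0: denied
                        ("10.0.0.5", "eth0")]:    # same wire, other subnet: denied
        allowed, trace = explain(["@IF(eth0)"], client, via)
        print("\n".join(trace))
        print("  expected from the man page wording:", naive_expectation("eth0", via))
    # The intended policy, spelled out explicitly instead of via @IF:
    print(explain(["192.0.2.0/24", "203.0.113.0/24"], "203.0.113.9", "eth0")[0])
```

The trace returned by explain is the kind of per-rule message cupsd does not give you; when a Location mysteriously refuses clients, listing the subnets you actually expect with explicit Allow lines is the predictable alternative.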
