author Wayne Davison <wayne@opencoder.net> 2020-05-17 21:29:11 -0700
committer Wayne Davison <wayne@opencoder.net> 2020-05-17 21:29:11 -0700
commit b3a1a0ca9dc4af481a934ba65b5cedb4f54731ca
tree 26edf65efd142190dc226e852e2e43926d19bc7b /rsyncd.conf.yo
parent e448d31d6386ddb7686a83cbc85457e5f78cdb34
Add the ability to negate matches for the daemon's "refuse options".
Diffstat (limited to 'rsyncd.conf.yo')
-rw-r--r-- rsyncd.conf.yo 69
1 files changed, 57 insertions, 12 deletions
diff --git a/rsyncd.conf.yo b/rsyncd.conf.yo
index 8f004ae6..c3bc3dd1 100644
--- a/rsyncd.conf.yo
+++ b/rsyncd.conf.yo
@@ -735,28 +735,73 @@ is specified in seconds. A value of zero means no timeout and is the
default. A good choice for anonymous rsync daemons may be 600 (giving
a 10 minute timeout).
-dit(bf(refuse options)) This parameter allows you to
-specify a space-separated list of rsync command line options that will
-be refused by your rsync daemon.
+dit(bf(refuse options)) This parameter allows you to specify a space-separated
+list of rsync command line options that will be refused by your rsync daemon.
You may specify the full option name, its one-letter abbreviation, or a
-wild-card string that matches multiple options.
+wild-card string that matches multiple options. Beginning in 3.2.0, you can
+also negate a match term by starting it with a "!".
+
+When an option is refused, the daemon prints an error message and exits.
+
For example, this would refuse bf(--checksum) (bf(-c)) and all the various
delete options:
-quote(tt( refuse options = c delete))
+verb( refuse options = c delete)
The reason the above refuses all delete options is that the options imply
bf(--delete), and implied options are refused just like explicit options.
+
+The use of a negated match allows you to fine-tune your refusals after a
+wild-card, such as this:
+
+verb( refuse options = delete-* !delete-during)
+
+Negated matching can also turn your list of refused options into a list of
+accepted options. To do this, begin the list with a "*" (to refuse all options)
+and then specify one or more negated matches to allow. For example:
+
+verb( refuse options = * !a !v !compress*)
+
+Don't worry that the "*" will refuse certain vital options such as
+bf(--server), bf(--no-iconv), bf(--protect-args), etc. These important options
+are not matched by a wild-card, so they must be overridden by their exact name.
+For instance, if you're forcing iconv transfers you could use something like
+this:
+
+verb( refuse options = * no-iconv !a !v)
+
+As an additional aid (beginning in 3.2.0), refusing (or "!refusing") the "a" or
+"archive" option also affects all the options that the bf(--archive) option
+implies (bf(-rdlptgoD)), but only if the option is matched explicitly (not
+using a wildcard). If you want to do something tricky, you can use "archive*"
+to avoid this side-effect, but keep in mind that no normal rsync client ever
+sends the actual archive option to the server.
+
As an additional safety feature, the refusal of "delete" also refuses
bf(remove-source-files) when the daemon is the sender; if you want the latter
-without the former, instead refuse "delete-*" -- that refuses all the
-delete modes without affecting bf(--remove-source-files).
+without the former, instead refuse "delete-*" as that refuses all the delete
+modes without affecting bf(--remove-source-files). (Keep in mind that the
+client's bf(--delete) option typically enables bf(--delete-during).)
-When an option is refused, the daemon prints an error message and exits.
-To prevent all compression when serving files,
-you can use "dont compress = *" (see below)
-instead of "refuse options = compress" to avoid returning an error to a
-client that requests compression.
+When un-refusing delete options, you should either specify "!delete*" (to
+accept all delete options) or specify a limited set that includes "delete",
+such as:
+
+verb( refuse options = * !a !delete !delete-during)
+
+... whereas this accepts any delete option except bf(--delete-after):
+
+verb( refuse options = * !a !delete* delete-after)
+
+A note on refusing "compress" -- it is better to set the "dont compress" daemon
+option to "*" because that disables compression silently instead of returning
+an error that forces the client to remove the bf(-z) option.
+
+If you are un-refusing the compress option, you probably want to match
+"!compress*" so that you also allow the bf(--compress-level) option.
+
+Finally, the "write-devices" option is refused by default, but can be
+explicitly enabled with "!write-devices".
dit(bf(dont compress)) This parameter allows you to select
filenames based on wildcard patterns that should not be compressed
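
Review bot: The new "refuse options" text never states how the terms in the list are evaluated, although every allow-list example in this hunk depends on it. "refuse options = * !a !delete* delete-after" only reads as "any delete option except --delete-after" if a later term overrides an earlier one, and an admin who writes the same terms in a different order cannot tell from the manpage what the daemon will end up accepting. Please add a sentence right after 'you can also negate a match term by starting it with a "!"' that spells out the ordering rule. Two smaller wording points in the same hunk: "so they must be overridden by their exact name" is followed by an example that refuses no-iconv, so "refused by their exact name" would be clearer; and the write-devices paragraph should say whether a wild-card negation also enables that option or only the exact "!write-devices" does.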