Not all DN interfaces exposed to clients from the NN should be used, an interface may not be routable by the client, or a user may want to restrict off-cluster clients from using cluster-private interfaces. Therefore the user should be able to make sure clients may be given only a subset of the addresses reported by workers. This can be accomplished by having masters filter the set of interfaces provided to clients, and/or having clients filter the interfaces they're given. The former is preferable because the configuration resides in a single place (the master instead of clients) and client configuration is less portable (the configuration from an off-cluster client might end up getting used on-cluser if passed as part of a job). In order to specify what interfaces clients receive the master is configured with a table with rules that map a given source address range (of the incoming connection) to a list of address ranges to used to filtering interfaces. An interface is given to the client only if it matches one of the address ranges (for the given source address it came in on). The rule has form: Range -> list <Range> where a range is specified in CIDR notation. If a source address matches multiple entries in the table only the first rule that matches is applied. If the table is empty or there are no matches then all interfaces are given to the client.