yrutschle / sslh

Applicative Protocol Multiplexer (e.g. share SSH and HTTPS on the same port)

Home Page:https://www.rutschle.net/tech/sslh/README.html

Feature suggestion: check source IP address

shalance opened this issue

Would it be possible to add a field in "protocols" to check the source IP of the connection, so that the probe is only run if the source address matches?

The field could be an array of IP addresses in CIDR notation.

It would be very useful to filter certain protocols (SSH for example, but also others) so that they are only accessible from certain source IPs or subnets.

I know it's possible to configure transparent proxying and filter after redirection, but it would be very useful to be able to do it in sslh directly.

Actually, if you compile with libwrap, sslh should use /etc/hosts.allow and /etc/hosts.deny on a per-protocol basis, meaning:

  • sslh accepts the connection
  • sslh runs the probe and determines what protocol matches
  • sslh runs the libwrap check on that service
  • if the check is ok, sslh connects to the target service

This is just slightly different to what you suggest (libwrap matching is done after probing), but the result should be the same.

If this is indeed what you are requesting, the enhancement is actually "just" documentation, as libwrap support is kind of unobviously buried in the example.cfg file.
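The per-protocol check described in the reply above (probe first, then the libwrap lookup on the chosen service), as an added illustration that is not part of this issue or of the sslh code: a small Python model of the hosts_access(5) decision order, with constructed hosts.allow/hosts.deny contents. The daemon names `ssh` and `ssl` are assumed to match what sslh hands to libwrap for each protocol, and the network patterns use the netmask form documented in hosts_access(5).

```python
import ipaddress

# Constructed sample access-control files (not from the sslh project).
# Daemon names are assumed to match the per-protocol names sslh passes to libwrap.
HOSTS_ALLOW = """
# sslh's "ssh" protocol: only the office subnet and one admin host
ssh: 192.168.10.0/255.255.255.0, 203.0.113.7
# TLS traffic is open to everyone
ssl: ALL
"""

HOSTS_DENY = """
# Anything not explicitly allowed above is refused
ALL: ALL
"""


def parse_rules(text):
    """Parse 'daemon: client, client' lines into (daemon, [patterns]) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemon, clients = (part.strip() for part in line.split(":", 1))
        rules.append((daemon, [c.strip() for c in clients.split(",")]))
    return rules


def client_matches(pattern, addr):
    """ALL matches anything; otherwise compare a host or a network (prefix or netmask form)."""
    if pattern == "ALL":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)


def rule_matches(rules, service, addr):
    """True if any (daemon, client) pair in the rule list covers this service and address."""
    return any(
        daemon in ("ALL", service) and any(client_matches(p, addr) for p in patterns)
        for daemon, patterns in rules
    )


def libwrap_allows(service, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts_access(5) order: a hosts.allow match grants, then a hosts.deny match refuses,
    otherwise access is granted. sslh runs this after the probe has selected `service`."""
    if rule_matches(parse_rules(allow), service, addr):
        return True
    if rule_matches(parse_rules(deny), service, addr):
        return False
    return True
```

Note the final default: without a catch-all entry in hosts.deny, a protocol that has no hosts.allow line stays reachable from everywhere.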