[Mimedefang] Including archetypal filters to include in release?

Matthew.van.Eerde at hbinc.com Matthew.van.Eerde at hbinc.com
Mon Jan 9 19:26:45 EST 2006


Matthew.van.Eerde wrote:
> Philip Prindeville wrote:
>> 
>> my %badnetworks = {
>>     '58.71.0.0/17'      => 'REJECT',
>>     '62.117.127.0/25'   => 'REJECT',
> ...
>>     '222.136.0.0/11'    => 'REJECT',
>>     # local mail
>>     '127.0.0.1/32'      => 'ACCEPT',
>>     '192.168.1.0/24'    => 'ACCEPT',
>>     # wildcard action
>>     '0.0.0.0/0'         => 'ACCEPT',
>> };
>> 
> ...
>>     while (my ($lhs, $action) = each %badnetworks) {
>>         my ($net, $length) = split('/', $lhs);
> 
> Umm... note that each %hash returns the key/value pairs in hash
> order.  This is NOT NECESSARILY THE SAME as the order you entered
> them into the hash.  If you happen to hit 0.0.0.0/0 => ACCEPT as the
> first entry none of your blacklists will take effect.   
> 
> You could fix this by using two arrays:
> 
> my @badnetworks = ( '58.71.0.0/17', ...);
> my @goodnetworks = ( '127.0.0.1/32', ... );
> 
> and iterating over each separately.

If you want to have a full-on layered permissions scheme (where the action applies to the smallest containing subnet) you could store a more complicated hash...

use Socket qw(inet_aton);   # inet_aton is used below

sub compile_subnet_policies();

my %subnet_policies =
(
	'0.0.0.0/0' => "ACCEPT",
	'127.0.0.1/32' => "ACCEPT",
	# ...
	'58.71.0.0/17' => "REJECT",
	# ...
);

my @compiled_subnet_policies;

compile_subnet_policies(); # run this once

sub compile_subnet_policies()
{
	my %temp = ();

	for my $subnet (keys %subnet_policies)
	{
		my ($neta, $length) = split("/", $subnet);
		# a /0 must give an all-zero mask rather than a 32-bit shift
		my $mask = $length ? (0xffffffff << (32 - $length)) & 0xffffffff : 0;
		# inet_aton returns packed bytes; unpack to an integer so the
		# bitwise compare in filter_relay works, and clear any host bits
		my $net = unpack("N", inet_aton($neta)) & $mask;

		$temp{$subnet} = {
			subnet => $subnet,
			length => $length,
			net => $net,
			mask => $mask,
			action => $subnet_policies{$subnet},
		};
	}

	# sort /32's first, /0's at the end; hash order no longer matters
	@compiled_subnet_policies =
		@temp{ sort { $temp{$b}{length} <=> $temp{$a}{length} } keys %temp };
}

Then your hard work is done at slave startup and your filter can look like:

sub filter_relay ($$) {
    # MIMEDefang passes the relay's IP address first, then its hostname
    my ($hostip, $hostname) = @_;

    # integer form, matching how the compiled policies store 'net'
    $hostip = unpack("N", inet_aton($hostip));

    # note policies are applied in /32 to /0 order
    for my $policy (@compiled_subnet_policies) {

        if (($hostip & $policy->{mask}) == $policy->{net}) {
            my $msg = ($policy->{action} eq 'ACCEPT') ? 'OK'
                       : "This network is blacklisted";

            return ($policy->{action}, $msg);
        }
    }

    ...
}

-- 
Matthew.van.Eerde (at) hbinc.com               805.964.4554 x902
Hispanic Business Inc./HireDiversity.com       Software Engineer