[Mimedefang] Including archetypal filters to include in release?
Matthew.van.Eerde at hbinc.com
Mon Jan 9 19:26:45 EST 2006
Matthew.van.Eerde wrote:
> Philip Prindeville wrote:
>>
>> my %badnetworks = {
>> '58.71.0.0/17' => 'REJECT',
>> '62.117.127.0/25' => 'REJECT',
> ...
>> '222.136.0.0/11' => 'REJECT',
>> # local mail
>> '127.0.0.1/32' => 'ACCEPT',
>> '192.168.1.0/24' => 'ACCEPT',
>> # wildcard action
>> '0.0.0.0/0' => 'ACCEPT',
>> };
>>
> ...
>> while (my ($lhs, $action) = each %badnetworks) {
>> my ($net, $length) = split('/', $lhs);
>
> Umm... note that each %hash returns the key/value pairs in hash
> order. This is NOT NECESSARILY THE SAME as the order you entered
> them into the hash. If you happen to hit 0.0.0.0/0 => ACCEPT as the
> first entry none of your blacklists will take effect.
>
> You could fix this by using two arrays:
>
> my @badnetworks = ( '58.71.0.0/17', ...);
> my @goodnetworks = ( '127.0.0.1/32', ... );
>
> and iterating over each separately.
If you want to have a full-on layered permissions scheme (where the action applies to the smallest containing subnet) you could store a more complicated hash...
use Socket qw(inet_aton);

my %subnet_policies =
(
    '0.0.0.0/0'    => "ACCEPT",   # wildcard, least specific entry
    '127.0.0.1/32' => "ACCEPT",
    # ... more networks ...
    '58.71.0.0/17' => "REJECT",
    # ... more networks ...
);

my @compiled_subnet_policies;
compile_subnet_policies(); # run this once

sub compile_subnet_policies
{
    my %temp = ();
    for my $subnet (keys %subnet_policies)
    {
        my ($neta, $length) = split("/", $subnet);
        # unpack the packed address into a 32-bit integer so & and == work numerically
        my $net  = unpack("N", inet_aton($neta));
        # a /0 mask is 0; avoid shifting by 32, which is undefined on 32-bit perls
        my $mask = $length ? (0xffffffff << (32 - $length)) & 0xffffffff : 0;
        $temp{$subnet} = {
            subnet => $subnet,
            length => $length,
            net    => $net & $mask,   # normalise in case host bits were set
            mask   => $mask,
            action => $subnet_policies{$subnet},
        };
    }
    # sort /32's first, /0's at the end
    @compiled_subnet_policies =
        @temp{ sort { $temp{$b}{length} <=> $temp{$a}{length} } keys %temp };
}
Then your hard work is done at slave startup and your filter can look like:
sub filter_relay($$) {
    my ($hostname, $hostip) = @_;
    my $ip = inet_aton($hostip);
    # an unparseable relay address matches nothing; fail closed
    return ('TEMPFAIL', "Cannot parse relay address $hostip") unless defined $ip;
    $ip = unpack("N", $ip);
    # note policies are applied in /32 to /0 order
    for my $policy (@compiled_subnet_policies) {
        if (($ip & $policy->{mask}) == $policy->{net}) {
            # MIMEDefang expects CONTINUE (keep filtering) or REJECT from filter_relay
            my $action = ($policy->{action} eq 'ACCEPT') ? 'CONTINUE' : 'REJECT';
            my $msg    = ($action eq 'CONTINUE') ? 'OK'
                       : "This network is blacklisted";
            return ($action, $msg);
        }
    }
    # ... (only reached if there is no 0.0.0.0/0 wildcard entry)
    return ('CONTINUE', 'OK');
}
--
Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
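The longest-prefix resolution described in the post, re-implemented stand-alone in Python as an added check that is not part of the original message or of MIMEDefang; the policy table is constructed for this example and mirrors the shape of the post's %subnet_policies hash, and the point it verifies is that once entries are sorted by prefix length, the order the table was written in (or any hash order) no longer matters.

```python
import ipaddress

# Constructed policy table in the same shape as the post's %subnet_policies:
# the most specific matching subnet wins, so the /0 wildcard is only a fallback.
SUBNET_POLICIES = {
    "0.0.0.0/0": "ACCEPT",       # wildcard, least specific
    "127.0.0.1/32": "ACCEPT",    # local mail
    "192.168.1.0/24": "ACCEPT",  # one LAN carved out of a rejected range
    "192.168.0.0/16": "REJECT",  # the rest of the private range
    "58.71.0.0/17": "REJECT",
}


def compile_subnet_policies(policies):
    """Parse every CIDR once and order entries /32 first, /0 last."""
    compiled = [(ipaddress.ip_network(cidr, strict=True), action)
                for cidr, action in policies.items()]
    compiled.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return compiled


def filter_relay(hostip, compiled):
    """Return (action, message) for the first, i.e. most specific, matching subnet."""
    try:
        addr = ipaddress.ip_address(hostip)
    except ValueError:
        # fail closed on junk input rather than falling through to the wildcard
        return ("TEMPFAIL", "unparseable relay address")
    for net, action in compiled:
        if addr in net:
            msg = "OK" if action == "ACCEPT" else "This network is blacklisted"
            return (action, msg)
    return ("REJECT", "no policy matched")  # only reached without a /0 entry
```

Reversing the table before compiling it gives identical answers, which is the property the post's sort step is there to guarantee.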