RE: [Mimedefang] Including archetypal filters to include in release?

[Matthew.van.Eerde]

Matthew.van.Eerde wrote:
> Philip Prindeville wrote:
>> 
>> my %badnetworks = {
>>     '58.71.0.0/17'      => 'REJECT',
>>     '62.117.127.0/25'   => 'REJECT',
> ...
>>     '222.136.0.0/11'    => 'REJECT',
>>     # local mail
>>     '127.0.0.1/32'      => 'ACCEPT',
>>     '192.168.1.0/24'    => 'ACCEPT',
>>     # wildcard action
>>     '0.0.0.0/0'         => 'ACCEPT',
>> };
>> 
> ...
>>     while (my ($lhs, $action) = each %badnetworks) {
>>         my ($net, $length) = split('/', $lhs);
> 
> Umm... note that each %hash returns the key/value pairs in hash
> order.  This is NOT NECESSARILY THE SAME as the order you entered
> them into the hash.  If you happen to hit 0.0.0.0/0 => ACCEPT as the
> first entry none of your blacklists will take effect.   
> 
> You could fix this by using two arrays:
> 
> my @badnetworks = ( '58.71.0.0/17', ...);
> my @goodnetworks = ( '127.0.0.1/32', ... );
> 
> and iterating over each separately.

If you want to have a full-on layered permissions scheme (where the action 
applies to the smallest containing subnet) you could store a more complicated 
hash...

sub compile_subnet_policies();

my %subnet_policies =
(
        '0.0.0.0/0' => "ACCEPT",
        '127.0.0.1/32' => "ACCEPT",
        ...
        '58.71.0.0/17' => "REJECT",
        ...
)

my @compiled_subnet_policies;

compile_subnet_policies(); # run this once

sub compile_subnet_policy()
{
        my %temp = ();

        for my $subnet (keys %subnet_policies)
        {
                my ($neta, $length) = split("/", $subnet);
                my $net = inet_aton($neta);
                my $mask = (0xffffffff << (32 - $length)) & 0xffffffff;

                $temp{$subnet} = {
                        subnet => $subnet,
                        length => $length,
                        net => $net,
                        mask => $mask,
                        action => $subnet_policies{$subnet},
                };
        }

        # sort /32's first, /0's at the end
        @compiled_subnet_policies = @temp{ sort { $b{length} <=> $a{length} } 
keys %temp };
}

Then your hard work is done at slave startup and your filter can look like:

sub filter_relay($$) {
    my ($hostname, $hostip) = @_;

    $hostip = inet_aton($hostip);

    # note policies are applied in /32 to /0 order
    for my $policy (@compiled_subnet_policies) {

        if (($hostip & $policy{mask}) == $policy{net}) {
            my $msg = ($policy{action} eq 'ACCEPT') ? 'OK'
                       : "This network is blacklisted";

            return ($action, $msg);
        }
    }

    ...

-- 
Matthew.van.Eerde (at) hbinc.com               805.964.4554 x902
Hispanic Business Inc./HireDiversity.com       Software Engineer

_______________________________________________
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang