changes:
core:
- Master and childs reread configuration after MAINTENANCE_LEVEL
and if the config has changed. (daemon mode)
- "reload" action added (daemon mode)
- -d (ebug) didn't behave correct, it should now also be possible
to run as normal user a debug session
- cache_query: alarm on <$csock> didn't result in a break of
read() also the validation of returned strings from
cache has been improved/corrected.
- HELO names with not ASCII chars which were replaced by "?" by
postfix don't cause regexes and in consequence perl/policyd-weight
to fail/die anymore (reported by Gary V ages ago).
Note:
I've also ACL support for the inet socket on my schedule, allthough
it will be limited ACL support as Berkely TCP Sockets / OS implementations
do not provide any way to refuse (RST) a connection attempt in the
application (only FreeBSD has accept filters (accept_filter(9), other
unices may provide other ways which I'm not aware of).
Thus we have first to accept() it before we can ACL() and close() it,
which doesn't help in case of "attacks". Thus, firewalling and ACLing on
firewall-level is a must. Unless someone can report a way for a application
to extract the peer addr and port number _before_ we accepted it. Even then
it'd be questionable if we are allowed to send a RST and tell the kernel
to erase that one from syn-caches or Cookie caches and other queues.
--
Robert Felber (PGP: 896CF30B)
Munich, Germany
____________________________________________________________
Policyd-weight Mailinglist - http://www.policyd-weight.org/
