On Mon, Mar 29, 2010 at 05:17:22PM +0200, Louis-David Mitterrand wrote:
> On Mon, Mar 29, 2010 at 04:55:19PM +0200, Steve wrote:
> > > Your if/endif suggestion for the prefix is interesting.
> > >
> > > For added safety, the individual rules should be anchored with ^ and the
> > > bracketed atom plussed, no?
> > >
> > > /^[^:]+:.+
> > >
> > Yes. You are right. But to be honest this should be enough (just an
> > example):
> > 001) if
> > /^Received|X\-((Origin(ating)?|Client|MDRemote|Sender)\-?IP|(Client|Remote_)Addr|PHP\-Script):/
> > 002) /\b(127\.0.\d+\.\d+)\b/ REJECT aviso.ci junk 2
> > 003) endif
> >
> >
> > * Rule 001 will match a specific header.
> > * Rule 002 will match 127.0.xxx.xxx
> > * 127.0.xxx.xxx could be anchored with ^ but the rule/if-condition in
> > 001 is already taking care of that 127.0.xxx.xxx is not part of the
> > header name. So you can shorten the regexp to just "/\b(<ip you
> > check/rule>)/b REJECT blah-blah-blah"
>
> Indeed, on second thought the anchoring is useless in individual rules,
> making it much more readable/manageable.
>
> Thanks for taking the time to de-parse my giga-rule into its component
> parts!
In theory that's quite inefficient. Given your traffic it might not make a difference. A better approach would be to keep all the IPs etc. in a file and generate the rule using, for example, Perl + Regexp::Assemble.
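As an added example (my own code, not from this thread), here is the approach just described: a Perl script that reads addresses from a file and lets Regexp::Assemble merge them into one compact pattern, wrapped in the same if/endif block as the 001/003 rules above. The file name, the dotted-quad check and the REJECT text are assumptions; the header list in the if-condition is the one from rule 001, regrouped with non-capturing parentheses.

```perl
#!/usr/bin/perl
# Added example (not from the thread): build a Postfix header_checks snippet
# from a file of IP addresses, using Regexp::Assemble to merge them into one
# alternation instead of one rule per address.
use strict;
use warnings;
use Regexp::Assemble;

# File of addresses, one per line ("#" comments and blank lines ignored).
# The file name is an assumption for this example.
my $list = shift @ARGV // 'bad-ips.txt';

my $ra = Regexp::Assemble->new;
open my $fh, '<', $list or die "cannot open $list: $!";
while ( my $line = <$fh> ) {
    chomp $line;
    $line =~ s/#.*//;           # strip trailing comments
    $line =~ s/^\s+|\s+$//g;    # trim whitespace
    next unless length $line;
    die "not a dotted quad: $line\n"
        unless $line =~ /^\d{1,3}(?:\.\d{1,3}){3}$/;
    # quotemeta escapes the dots, so 127.0.0.1 cannot match 127a0b0c1
    $ra->add( quotemeta $line );
}
close $fh;

my $ips = $ra->as_string;    # e.g. 127\.0\.(?:0\.1|1\.5)

# Same structure as rules 001-003: the if-condition restricts the match to
# headers that carry a client address, so the address rule itself needs
# no anchoring beyond \b.
print <<"EOF";
if /^(?:Received|X-(?:(?:Origin(?:ating)?|Client|MDRemote|Sender)-?IP|(?:Client|Remote_)Addr|PHP-Script)):/
/\\b(?:$ips)\\b/ REJECT listed address
endif
EOF
```

Regenerate the table whenever the list changes (for example `perl gen-ips.pl bad-ips.txt > /etc/postfix/header_checks_ips`) and reference it from main.cf with `header_checks = pcre:/etc/postfix/header_checks_ips`.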