Re: PROXY protocol v2 support
Amazing. Thank you! On 1/2/20 1:41 AM, Wietse Venema wrote: >>>> Maybe you can try to implement v2 support ? Parsing v2 when v1 is already >>>> supported is quite easy, especially at the same level of support (i.e. no >>>> TLV field support for TLS or whatever). You can have a look at >>>> conn_recv_proxy() in haproxy:src/connection.c which supports the two >>>> versions. Feel free to steal any code I wrote there, if that helps :-) >>> I'm looking into this, and a Postfix-quality implementation including >>> tests(!) is going to take more than a few hours. Primarily, because >>> v2 uses a binary protocol, which complicates everything. I'll put a >>> few hours in today. >> I found that I first have to refactor the existing Postfix >> implementation, because of a change in the haproxy message format. >> The "diff -u" output is about 750 lines -- and that is refactoring >> before adding v2 support. >> >> The existing Postfix code completely separates the haproxy message >> reader from the haproxy message parser. The v1 haproxy message has >> a unique message terminator, and the haproxy message reader can >> pull the entire message from the input queue before handing it off >> to the haproxy message parser. > The refactor is done (postfix-3.5-20200101-nonprod), and I verified > that version 1 protocol still support works as before. > > It took a littie over 200 lines to add version 2 protocol support. > That code will need some testing before I can share it. > > Wietse
Re: PROXY protocol v2 support
> > > Maybe you can try to implement v2 support ? Parsing v2 when v1 is already > > > supported is quite easy, especially at the same level of support (i.e. no > > > TLV field support for TLS or whatever). You can have a look at > > > conn_recv_proxy() in haproxy:src/connection.c which supports the two > > > versions. Feel free to steal any code I wrote there, if that helps :-) > > > > I'm looking into this, and a Postfix-quality implementation including > > tests(!) is going to take more than a few hours. Primarily, because > > v2 uses a binary protocol, which complicates everything. I'll put a > > few hours in today. > > I found that I first have to refactor the existing Postfix > implementation, because of a change in the haproxy message format. > The "diff -u" output is about 750 lines -- and that is refactoring > before adding v2 support. > > The existing Postfix code completely separates the haproxy message > reader from the haproxy message parser. The v1 haproxy message has > a unique message terminator, and the haproxy message reader can > pull the entire message from the input queue before handing it off > to the haproxy message parser. The refactor is done (postfix-3.5-20200101-nonprod), and I verified that version 1 protocol still support works as before. It took a littie over 200 lines to add version 2 protocol support. That code will need some testing before I can share it. Wietse
Re: What are these types trying to do?
On 30/12/2019 23:12, Benny Pedersen wrote: > Viktor Dukhovni skrev den 2019-12-30 23:46: > >>> Dec 30 23:26:09 mail postfix/postscreen[16020]: CONNECT from >>> [182.99.42.88]:49546 to [192.168.2.66]:25 >>> Dec 30 23:26:10 mail postfix/postscreen[16020]: PREGREET 14 after >>> 0.26 from [182.99.42.88]:49546: EHLO ylmf-pc\r\n > > https://blog.sys4.de/abwehr-des-botnets-pushdo-cutwail-ehlo-ylmf-pc-mit-iptables-string-recent-smtp-de.html > > > to remove noice in log files > > # cat shorewall-rules > ?SECTION ESTABLISHED > DROP net $FW tcp 25;;-m string --algo bm --string "EHLO ylmf-pc" Thank you. signature.asc Description: OpenPGP digital signature
