1 /******************************************************************************/
2 /* pfixtools: a collection of postfix related tools */
4 /* ________________________________________________________________________ */
6 /* Redistribution and use in source and binary forms, with or without */
7 /* modification, are permitted provided that the following conditions */
10 /* 1. Redistributions of source code must retain the above copyright */
11 /* notice, this list of conditions and the following disclaimer. */
12 /* 2. Redistributions in binary form must reproduce the above copyright */
13 /* notice, this list of conditions and the following disclaimer in the */
14 /* documentation and/or other materials provided with the distribution. */
15 /* 3. The names of its contributors may not be used to endorse or promote */
16 /* products derived from this software without specific prior written */
19 /* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND */
20 /* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE */
21 /* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR */
22 /* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS */
23 /* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR */
24 /* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF */
25 /* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS */
26 /* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN */
27 /* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) */
28 /* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF */
29 /* THE POSSIBILITY OF SUCH DAMAGE. */
30 /******************************************************************************/
33 * Copyright © 2007 Pierre Habouzit
34 * Copyright © 2008 Florent Bruneau
37 #include <arpa/inet.h>
38 #include <netinet/in.h>
/* Address-splitting helpers.  IPv4_BITS is defined outside this listing:
 * IPv4_PREFIX() keeps the high (32 - IPv4_BITS) bits of a 32-bit address and
 * IPv4_SUFFIX() the low IPv4_BITS bits.  NOTE(review): `1 << IPv4_BITS` is an
 * int shift, so IPv4_BITS must be smaller than the width of int (and 1 << 31
 * already overflows a signed int) -- confirm the value where it is defined.
 * NODE() indexes (db)->tree; no function visible in this listing uses it. */
48 #define IPv4_PREFIX(ip) ((uint32_t)(ip) >> IPv4_BITS)
49 #define IPv4_SUFFIX(ip) ((uint32_t)(ip) & ((1 << IPv4_BITS) - 1))
50 #define NODE(db, i) ((db)->tree + (i))
/* Read one decimal octet (1 to 3 digits) starting at s.
 * Visible checks: the first character must be a digit; after the third digit
 * a fourth digit is rejected, and so is a three-digit value below 100 (e.g.
 * "010"), which keeps leading-zero / octal-looking forms out of the address.
 * The error-return lines and the store through *out are not in this listing;
 * presumably the octet value is returned on success and a negative value on
 * failure -- the caller parse_ipv4() additionally rejects anything above 255
 * via `o & ~0xff`, so values such as 999 are caught there. */
68 static int get_o(const char *s, const char **out)
72 if (*s < '0' || *s > '9')
76 if (*s < '0' || *s > '9')
79 res = res * 10 + *s++ - '0';
80 if (*s < '0' || *s > '9')
83 res = res * 10 + *s++ - '0';
84 if (!(*s < '0' || *s > '9') || res < 100)
/* Parse a dotted-quad IPv4 address from s into *ip and advance *out.
 * Each octet comes from get_o(); `o & ~0xff` rejects values above 255 and the
 * first three octets must each be followed by '.'.  Only those three checks
 * are in this listing: the fourth octet, the byte order of *ip (TODO confirm
 * whether it is host order) and the return values are not.  NOTE(review): the
 * two callers test the result differently -- rbldb_create() uses `< 0`,
 * rbl_filter() uses `!= 0` -- so the success value must be exactly 0. */
92 static int parse_ipv4(const char *s, const char **out, uint32_t *ip)
97 if ((o & ~0xff) || *s++ != '.')
102 if ((o & ~0xff) || *s++ != '.')
107 if ((o & ~0xff) || *s++ != '.')
/* Load an IP list (one IPv4 address per line) from `file` into a sorted
 * rbldb_t.  Returns NULL when the file cannot be mapped (the constructor
 * treats NULL as "cannot load rbl db").  With `lock`, the array is pinned in
 * memory via array_lock(); what happens when that fails is on a line not in
 * this listing.  Ownership of the result passes to the caller, who releases
 * it with rbldb_delete(). */
120 rbldb_t *rbldb_create(const char *file, bool lock)
126 if (!file_map_open(&map, file, false)) {
/* Back `end` up to just past the last '\n': a trailing partial line is
 * dropped (warned about below) rather than parsed. */
132 while (end > p && end[-1] != '\n') {
135 if (end != map.end) {
136 warn("file %s miss a final \\n, ignoring last line",
140 db = p_new(rbldb_t, 1);
/* Leading blanks (and a stray '\r') are skipped before each address. */
144 while (*p == ' ' || *p == '\t' || *p == '\r')
/* Unparseable lines are skipped, not fatal.  memchr() cannot return NULL here
 * as long as the loop runs only while p < end, because `end` was trimmed to
 * a position right after a '\n' -- the loop condition itself is on a line not
 * in this listing, so confirm it before touching this. */
147 if (parse_ipv4(p, &p, &ip) < 0) {
148 p = (char *)memchr(p, '\n', end - p) + 1;
150 array_add(db->ips, ip);
153 file_map_close(&map);
155 /* Lookup may perform several I/O, so avoid swap.
157 array_adjust(db->ips);
158 if (lock && !array_lock(db->ips)) {
/* Ascending sort; rbldb_ipv4_lookup() relies on this order for its
 * binary search. */
163 # define QSORT_TYPE uint32_t
164 # define QSORT_BASE db->ips.data
165 # define QSORT_NELT db->ips.len
166 # define QSORT_LT(a,b) *a < *b
/* NOTE(review): %d assumes db->ips.len is int; its declared type is not
 * visible here -- check it against the array definition. */
170 info("rbl %s loaded, %d IPs", file, db->ips.len);
/* Release the contents of *db (presumably the ips array allocated by
 * rbldb_create()); the body is not in this listing. */
174 static void rbldb_wipe(rbldb_t *db)
/* Destroy *db and clear the caller's pointer.  Used as the per-element
 * callback of array_deep_wipe() in rbl_filter_delete(); the body is not in
 * this listing. */
179 void rbldb_delete(rbldb_t **db)
/* Statistics accessor for a database; the body is not in this listing and no
 * caller appears in it. */
187 uint32_t rbldb_stats(const rbldb_t *rbl)
/* Binary search for `ip` in db->ips, which rbldb_create() sorted ascending.
 * Returns true when found.  NOTE(review): l and r are int while the length
 * comes from db->ips.len (type not visible here); keep them in a type that
 * cannot narrow the length. */
192 bool rbldb_ipv4_lookup(const rbldb_t *db, uint32_t ip)
194 int l = 0, r = db->ips.len;
199 if (array_elt(db->ips, i) == ip)
202 if (ip < array_elt(db->ips, i)) {
212 /* postlicyd filter declaration */
/* Per-filter state built by rbl_filter_constructor().  The array members
 * (rbls, weights, hosts, host_offsets, host_weights -- seen through their
 * uses below) are on lines not in this listing. */
216 typedef struct rbl_filter_t {
/* A query whose summed weight reaches hard_threshold is a hard match; one
 * that reaches soft_threshold but not hard_threshold is a soft match.  Both
 * default to 1 (see the constructor). */
223 int32_t hard_threshold;
224 int32_t soft_threshold;
/* Allocate a zeroed rbl_filter_t (assuming p_new zero-fills -- its
 * definition is not in this listing).  Caller owns the result and releases
 * it with rbl_filter_delete(). */
227 static rbl_filter_t *rbl_filter_new(void)
229 return p_new(rbl_filter_t, 1);
/* Free *rbl and everything it owns.  The rbl databases are destroyed one by
 * one through rbldb_delete(); the remaining arrays hold plain values or bytes
 * and are simply wiped.  The lines freeing the struct itself and clearing
 * *rbl are not in this listing. */
232 static void rbl_filter_delete(rbl_filter_t **rbl)
235 array_deep_wipe((*rbl)->rbls, rbldb_delete);
236 array_wipe((*rbl)->weights);
237 array_wipe((*rbl)->hosts);
238 array_wipe((*rbl)->host_offsets);
239 array_wipe((*rbl)->host_weights);
/* Build the filter's rbl_filter_t from its configured parameters.
 * Returns true on success (the line is not in this listing); every parse
 * failure goes through PARSE_CHECK, which logs the reason, releases `data`
 * and presumably returns false.  At least one "file" parameter is required.
 * Several lines of each branch are missing from this listing. */
245 static bool rbl_filter_constructor(filter_t *filter)
247 rbl_filter_t *data = rbl_filter_new();
/* Fail-fast helper: on a false Expr, log Str and abandon the half-built
 * filter so no partially loaded database is left behind.  ##__VA_ARGS__ is a
 * GNU extension (allows an empty argument list). */
249 #define PARSE_CHECK(Expr, Str, ...) \
251 err(Str, ##__VA_ARGS__); \
252 rbl_filter_delete(&data); \
256 data->hard_threshold = 1;
257 data->soft_threshold = 1;
258 foreach (filter_param_t *param, filter->params) {
259 switch (param->type) {
260 /* file parameter is:
261 * [no]lock:weight:filename
263 * - lock: memlock the database in memory.
264 * - nolock: don't memlock the database in memory [default].
265 * - \d+: a number describing the weight to give to the match
266 * the given list [mandatory]
267 * the file pointed by filename MUST be a valid ip list issued from
268 * the rsync (or equivalent) service of a (r)bl.
274 const char *current = param->value;
275 const char *p = m_strchrnul(param->value, ':');
/* Three ':'-separated fields; only the last one (the file name) may run to
 * the end of the string, hence `i == 2 || *p`. */
277 for (int i = 0 ; i < 3 ; ++i) {
278 PARSE_CHECK(i == 2 || *p,
279 "file parameter must contains a locking state "
280 "and a weight option");
/* Length check plus strncmp() together require an exact token match. */
283 if ((p - current) == 4 && strncmp(current, "lock", 4) == 0) {
285 } else if ((p - current) == 6
286 && strncmp(current, "nolock", 6) == 0) {
/* NOTE(review): %.*s takes an int precision but `p - current` is ptrdiff_t;
 * pass `(int)(p - current)` here and in the two weight messages below to
 * keep the varargs well-defined. */
289 PARSE_CHECK(false, "illegal locking state %.*s",
290 p - current, current);
/* strtol without an errno reset: an out-of-range ERANGE result is still
 * rejected by the 0..1024 bound, and `next == p` requires the whole field
 * to be numeric. */
295 weight = strtol(current, &next, 10);
296 PARSE_CHECK(next == p && weight >= 0 && weight <= 1024,
297 "illegal weight value %.*s",
298 (p - current), current);
/* The file name is used as given in the configuration; a NULL database
 * (unreadable or unmappable file) aborts the whole constructor. */
302 rbl = rbldb_create(current, lock);
303 PARSE_CHECK(rbl != NULL,
304 "cannot load rbl db from %s", current);
305 array_add(data->rbls, rbl);
306 array_add(data->weights, weight);
311 p = m_strchrnul(current, ':');
318 * define a RBL to use through DNS resolution.
322 const char *current = param->value;
323 const char *p = m_strchrnul(param->value, ':');
/* Two fields: weight, then the host name which may run to the end. */
325 for (int i = 0 ; i < 2 ; ++i) {
326 PARSE_CHECK(i == 1 || *p,
327 "host parameter must contains a weight option");
330 weight = strtol(current, &next, 10);
331 PARSE_CHECK(next == p && weight >= 0 && weight <= 1024,
332 "illegal weight value %.*s",
333 (p - current), current);
/* Host names are packed NUL-terminated into `hosts`; host_offsets records
 * where each one starts.  NOTE(review): nothing in this listing reads
 * hosts/host_weights (rbl_filter() only walks rbls) -- the DNS path, if any,
 * lives elsewhere. */
337 array_add(data->host_offsets, array_len(data->hosts));
338 array_append(data->hosts, current, strlen(current) + 1);
339 array_add(data->host_weights, weight);
344 p = m_strchrnul(current, ':');
349 /* hard_threshold parameter is an integer.
350 * If the matching score is greater or equal than this threshold,
351 * the hook "hard_match" is called.
352 * hard_threshold = 1 means, that all matches are hard matches.
355 FILTER_PARAM_PARSE_INT(HARD_THRESHOLD, data->hard_threshold);
357 /* soft_threshold parameter is an integer.
358 * if the matching score is greater or equal than this threshold
359 * and smaller or equal than the hard_threshold, the hook "soft_match"
363 FILTER_PARAM_PARSE_INT(SOFT_THRESHOLD, data->soft_threshold);
/* A filter with no list to consult is a configuration error. */
369 PARSE_CHECK(data->rbls.len,
370 "no file parameter in the filter %s", filter->name);
/* Release the rbl_filter_t attached to `filter` by the constructor; the line
 * clearing filter->data afterwards, if any, is not in this listing. */
375 static void rbl_filter_destructor(filter_t *filter)
377 rbl_filter_t *data = filter->data;
378 rbl_filter_delete(&data);
/* Score the query's client address against every loaded list.
 * The weights of the lists containing the address are summed; reaching
 * hard_threshold yields HTK_HARD_MATCH (returned as soon as it is reached),
 * reaching soft_threshold yields HTK_SOFT_MATCH.  The no-match result and the
 * result after an address parse failure are on lines not in this listing.
 * `sum` is declared on a missing line; with each weight bounded to 0..1024
 * by the constructor, the sum cannot realistically overflow. */
382 static filter_result_t rbl_filter(const filter_t *filter, const query_t *query)
386 const char *end = NULL;
387 const rbl_filter_t *data = filter->data;
/* client_address comes from the policy request, so it is validated before
 * use; anything that is not a well-formed IPv4 dotted quad is logged. */
389 if (parse_ipv4(query->client_address, &end, &ip) != 0) {
390 warn("invalid client address: %s, expected ipv4",
391 query->client_address);
394 for (uint32_t i = 0 ; i < data->rbls.len ; ++i) {
395 const rbldb_t *rbl = array_elt(data->rbls, i);
/* weights were stored from a strtol() result; the array's element type is
 * not visible here -- TODO confirm it is int. */
396 int weight = array_elt(data->weights, i);
397 if (rbldb_ipv4_lookup(rbl, ip)) {
399 if (sum >= data->hard_threshold) {
400 return HTK_HARD_MATCH;
404 if (sum >= data->hard_threshold) {
405 return HTK_HARD_MATCH;
406 } else if (sum >= data->soft_threshold) {
407 return HTK_SOFT_MATCH;
/* Register the "iplist" filter type with its callbacks, then the hooks a
 * configuration may bind and the parameters the constructor understands.
 * "hard_match"/"soft_match" correspond to the HTK_HARD_MATCH/HTK_SOFT_MATCH
 * results of rbl_filter(); where "abort", "error" and "fail" are produced is
 * not in this listing.  The return value line is not in this listing. */
413 static int rbl_init(void)
415 filter_type_t type = filter_register("iplist", rbl_filter_constructor,
416 rbl_filter_destructor, rbl_filter);
419 (void)filter_hook_register(type, "abort");
420 (void)filter_hook_register(type, "error");
421 (void)filter_hook_register(type, "fail");
422 (void)filter_hook_register(type, "hard_match");
423 (void)filter_hook_register(type, "soft_match");
/* Parameter names match the switch cases in rbl_filter_constructor(). */
427 (void)filter_param_register(type, "file");
428 (void)filter_param_register(type, "host");
429 (void)filter_param_register(type, "hard_threshold");
430 (void)filter_param_register(type, "soft_threshold");
/* Run rbl_init() at module load so the "iplist" filter type exists before
 * any configuration referring to it is parsed. */
433 module_init(rbl_init);