X-Git-Url: http://git.madism.org/?a=blobdiff_plain;ds=sidebyside;f=postlicyd%2Fiplist.c;fp=postlicyd%2Fiplist.c;h=256c360d9c546923a44f6a30e7f2694d3d23af07;hb=d6f820ed2e86f48c23bc7dc4ee3f591a2d46fc5f;hp=0000000000000000000000000000000000000000;hpb=1b0d47e10359293dafc8937b8036168d7ec61a6a;p=apps%2Fpfixtools.git diff --git a/postlicyd/iplist.c b/postlicyd/iplist.c new file mode 100644 index 0000000..256c360 --- /dev/null +++ b/postlicyd/iplist.c @@ -0,0 +1,459 @@ +/******************************************************************************/ +/* pfixtools: a collection of postfix related tools */ +/* ~~~~~~~~~ */ +/* ________________________________________________________________________ */ +/* */ +/* Redistribution and use in source and binary forms, with or without */ +/* modification, are permitted provided that the following conditions */ +/* are met: */ +/* */ +/* 1. Redistributions of source code must retain the above copyright */ +/* notice, this list of conditions and the following disclaimer. */ +/* 2. Redistributions in binary form must reproduce the above copyright */ +/* notice, this list of conditions and the following disclaimer in the */ +/* documentation and/or other materials provided with the distribution. */ +/* 3. The names of its contributors may not be used to endorse or promote */ +/* products derived from this software without specific prior written */ +/* permission. */ +/* */ +/* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND */ +/* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE */ +/* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR */ +/* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS */ +/* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR */ +/* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF */ +/* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS */ +/* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN */ +/* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) */ +/* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF */ +/* THE POSSIBILITY OF SUCH DAMAGE. */ +/******************************************************************************/ + +/* + * Copyright © 2007 Pierre Habouzit + * Copyright © 2008 Florent Bruneau + */ + +#include +#include +#include + +#include "common.h" +#include "iplist.h" +#include "str.h" +#include "file.h" +#include "array.h" +#include "rbl.h" + +#define IPv4_BITS 5 +#define IPv4_PREFIX(ip) ((uint32_t)(ip) >> IPv4_BITS) +#define IPv4_SUFFIX(ip) ((uint32_t)(ip) & ((1 << IPv4_BITS) - 1)) +#define NODE(db, i) ((db)->tree + (i)) +#ifndef DEBUG +#define DEBUG(...) +#endif + +/* Implementation */ + +enum { + BALANCED = 0, + LEFT_HEAVY = 1, + RIGHT_HEAVY = 2, +}; + +struct rbldb_t { + A(uint32_t) ips; +}; +ARRAY(rbldb_t) + +static int get_o(const char *s, const char **out) +{ + int res = 0; + + if (*s < '0' || *s > '9') + return -1; + + res = *s++ - '0'; + if (*s < '0' || *s > '9') + goto ok; + + res = res * 10 + *s++ - '0'; + if (*s < '0' || *s > '9') + goto ok; + + res = res * 10 + *s++ - '0'; + if (!(*s < '0' || *s > '9') || res < 100) + return -1; + + ok: + *out = s; + return res; +} + +static int parse_ipv4(const char *s, const char **out, uint32_t *ip) +{ + int o; + + o = get_o(s, &s); + if ((o & ~0xff) || *s++ != '.') + return -1; + *ip = o << 24; + + o = get_o(s, &s); + if ((o & ~0xff) || *s++ != '.') + return -1; + *ip |= o << 16; + + o = get_o(s, &s); + if ((o & ~0xff) || *s++ != '.') + return -1; + *ip |= o << 8; + + o = get_o(s, &s); + if (o & ~0xff) + return -1; + *ip |= o; + + *out = s; + return 0; +} + +rbldb_t *rbldb_create(const char *file, bool lock) +{ + rbldb_t *db; + file_map_t map; + const char *p, *end; + + if (!file_map_open(&map, file, false)) { + return NULL; + } + + p = map.map; + end = map.end; + while (end > p && end[-1] != '\n') { + --end; + } + if (end != map.end) { + warn("file %s miss a final \\n, ignoring last line", + file); + } + + db = p_new(rbldb_t, 1); + while (p < end) { + uint32_t ip; + + while (*p == ' ' || *p == '\t' || *p == '\r') + p++; + + if (parse_ipv4(p, &p, &ip) < 0) { + p = (char *)memchr(p, '\n', end - p) + 1; + } else { + array_add(db->ips, ip); + } + } + file_map_close(&map); + + /* Lookup may perform serveral I/O, so avoid swap. + */ + array_adjust(db->ips); + if (lock && !array_lock(db->ips)) { + UNIXERR("mlock"); + } + + if (db->ips.len) { +# define QSORT_TYPE uint32_t +# define QSORT_BASE db->ips.data +# define QSORT_NELT db->ips.len +# define QSORT_LT(a,b) *a < *b +# include "qsort.c" + } + + info("rbl %s loaded, %d IPs", file, db->ips.len); + return db; +} + +static void rbldb_wipe(rbldb_t *db) +{ + array_wipe(db->ips); +} + +void rbldb_delete(rbldb_t **db) +{ + if (*db) { + rbldb_wipe(*db); + p_delete(&(*db)); + } +} + +uint32_t rbldb_stats(const rbldb_t *rbl) +{ + return rbl->ips.len; +} + +bool rbldb_ipv4_lookup(const rbldb_t *db, uint32_t ip) +{ + int l = 0, r = db->ips.len; + + while (l < r) { + int i = (r + l) / 2; + + if (array_elt(db->ips, i) == ip) + return true; + + if (ip < array_elt(db->ips, i)) { + r = i; + } else { + l = i + 1; + } + } + return false; +} + + +/* postlicyd filter declaration */ + +#include "filter.h" + +typedef struct rbl_filter_t { + PA(rbldb_t) rbls; + A(int) weights; + A(char) hosts; + A(int) host_offsets; + A(int) host_weights; + + int32_t hard_threshold; + int32_t soft_threshold; +} rbl_filter_t; + +static rbl_filter_t *rbl_filter_new(void) +{ + return p_new(rbl_filter_t, 1); +} + +static void rbl_filter_delete(rbl_filter_t **rbl) +{ + if (*rbl) { + array_deep_wipe((*rbl)->rbls, rbldb_delete); + array_wipe((*rbl)->weights); + array_wipe((*rbl)->hosts); + array_wipe((*rbl)->host_offsets); + array_wipe((*rbl)->host_weights); + p_delete(rbl); + } +} + + +static bool rbl_filter_constructor(filter_t *filter) +{ + rbl_filter_t *data = rbl_filter_new(); + +#define PARSE_CHECK(Expr, Str, ...) \ + if (!(Expr)) { \ + err(Str, ##__VA_ARGS__); \ + rbl_filter_delete(&data); \ + return false; \ + } + + data->hard_threshold = 1; + data->soft_threshold = 1; + foreach (filter_param_t *param, filter->params) { + switch (param->type) { + /* file parameter is: + * [no]lock:weight:filename + * valid options are: + * - lock: memlock the database in memory. + * - nolock: don't memlock the database in memory [default]. + * - \d+: a number describing the weight to give to the match + * the given list [mandatory] + * the file pointed by filename MUST be a valid ip list issued from + * the rsync (or equivalent) service of a (r)bl. + */ + case ATK_FILE: { + bool lock = false; + int weight = 0; + rbldb_t *rbl = NULL; + const char *current = param->value; + const char *p = m_strchrnul(param->value, ':'); + char *next = NULL; + for (int i = 0 ; i < 3 ; ++i) { + PARSE_CHECK(i == 2 || *p, + "file parameter must contains a locking state " + "and a weight option"); + switch (i) { + case 0: + if ((p - current) == 4 && strncmp(current, "lock", 4) == 0) { + lock = true; + } else if ((p - current) == 6 + && strncmp(current, "nolock", 6) == 0) { + lock = false; + } else { + PARSE_CHECK(false, "illegal locking state %.*s", + p - current, current); + } + break; + + case 1: + weight = strtol(current, &next, 10); + PARSE_CHECK(next == p && weight >= 0 && weight <= 1024, + "illegal weight value %.*s", + (p - current), current); + break; + + case 2: + rbl = rbldb_create(current, lock); + PARSE_CHECK(rbl != NULL, + "cannot load rbl db from %s", current); + array_add(data->rbls, rbl); + array_add(data->weights, weight); + break; + } + if (i != 2) { + current = p + 1; + p = m_strchrnul(current, ':'); + } + } + } break; + + /* host parameter. + * weight:hostname. + * define a RBL to use through DNS resolution. + */ + case ATK_HOST: { + int weight = 0; + const char *current = param->value; + const char *p = m_strchrnul(param->value, ':'); + char *next = NULL; + for (int i = 0 ; i < 2 ; ++i) { + PARSE_CHECK(i == 1 || *p, + "host parameter must contains a weight option"); + switch (i) { + case 0: + weight = strtol(current, &next, 10); + PARSE_CHECK(next == p && weight >= 0 && weight <= 1024, + "illegal weight value %.*s", + (p - current), current); + break; + + case 1: + array_add(data->host_offsets, array_len(data->hosts)); + array_append(data->hosts, current, strlen(current) + 1); + array_add(data->host_weights, weight); + break; + } + if (i != 1) { + current = p + 1; + p = m_strchrnul(current, ':'); + } + } + } break; + + /* hard_threshold parameter is an integer. + * If the matching score is greater or equal than this threshold, + * the hook "hard_match" is called. + * hard_threshold = 1 means, that all matches are hard matches. + * default is 1; + */ + FILTER_PARAM_PARSE_INT(HARD_THRESHOLD, data->hard_threshold); + + /* soft_threshold parameter is an integer. + * if the matching score is greater or equal than this threshold + * and smaller or equal than the hard_threshold, the hook "soft_match" + * is called. + * default is 1; + */ + FILTER_PARAM_PARSE_INT(SOFT_THRESHOLD, data->soft_threshold); + + default: break; + } + }} + + PARSE_CHECK(data->rbls.len, + "no file parameter in the filter %s", filter->name); + filter->data = data; + return true; +} + +static void rbl_filter_destructor(filter_t *filter) +{ + rbl_filter_t *data = filter->data; + rbl_filter_delete(&data); + filter->data = data; +} + +static filter_result_t rbl_filter(const filter_t *filter, const query_t *query) +{ + uint32_t ip; + int32_t sum = 0; + const char *end = NULL; + const rbl_filter_t *data = filter->data; + bool error = true; + + if (parse_ipv4(query->client_address, &end, &ip) != 0) { + warn("invalid client address: %s, expected ipv4", + query->client_address); + return HTK_ERROR; + } + for (uint32_t i = 0 ; i < data->rbls.len ; ++i) { + const rbldb_t *rbl = array_elt(data->rbls, i); + int weight = array_elt(data->weights, i); + if (rbldb_ipv4_lookup(rbl, ip)) { + sum += weight; + if (sum >= data->hard_threshold) { + return HTK_HARD_MATCH; + } + } + error = false; + } + for (uint32_t i = 0 ; i < data->host_offsets.len ; ++i) { + const char *rbl = array_ptr(data->hosts, array_elt(data->host_offsets, i)); + int weight = array_elt(data->host_weights, i); + switch (rbl_check(rbl, ip)) { + case RBL_FOUND: + error = false; + sum += weight; + if (sum >= data->hard_threshold) { + return HTK_HARD_MATCH; + } + break; + case RBL_NOTFOUND: + error = false; + break; + case RBL_ERROR: + warn("rbl %s unavailable", rbl); + break; + } + } + if (error) { + err("filter %s: all the rbl returned an error", filter->name); + return HTK_ERROR; + } + if (sum >= data->hard_threshold) { + return HTK_HARD_MATCH; + } else if (sum >= data->soft_threshold) { + return HTK_SOFT_MATCH; + } else { + return HTK_FAIL; + } +} + +static int rbl_init(void) +{ + filter_type_t type = filter_register("iplist", rbl_filter_constructor, + rbl_filter_destructor, rbl_filter); + /* Hooks. + */ + (void)filter_hook_register(type, "abort"); + (void)filter_hook_register(type, "error"); + (void)filter_hook_register(type, "fail"); + (void)filter_hook_register(type, "hard_match"); + (void)filter_hook_register(type, "soft_match"); + + /* Parameters. + */ + (void)filter_param_register(type, "file"); + (void)filter_param_register(type, "host"); + (void)filter_param_register(type, "hard_threshold"); + (void)filter_param_register(type, "soft_threshold"); + return 0; +} +module_init(rbl_init);