X-Git-Url: http://git.madism.org/?a=blobdiff_plain;f=postlicyd%2Frbl.c;h=3177334f801a831ffd001e7a35fd11fb8b595e0f;hb=7d041574a564b98145fc2235bd3c8676a1689911;hp=3f8c6822f1345d034447a0c3577bbaa04d72366a;hpb=1b6ea933129c7a718fc81bedb282a13958a8ea68;p=apps%2Fpfixtools.git
diff --git a/postlicyd/rbl.c b/postlicyd/rbl.c
index 3f8c682..3177334 100644
--- a/postlicyd/rbl.c
+++ b/postlicyd/rbl.c
@@ -31,17 +31,18 @@
 /*
 * Copyright © 2007 Pierre Habouzit
+ * Copyright © 2008 Florent Bruneau
 */
 #include
-#include
 #include
 #include
-#include
 #include "common.h"
 #include "rbl.h"
 #include "str.h"
+#include "file.h"
+#include "array.h"
 #define IPv4_BITS 5
 #define IPv4_PREFIX(ip) ((uint32_t)(ip) >> IPv4_BITS)
@@ -51,6 +52,8 @@
 #define DEBUG(...)
 #endif
+/* Implementation */
+
 enum {
 BALANCED = 0,
 LEFT_HEAVY = 1,
@@ -58,10 +61,10 @@ enum {
 };
 struct rbldb_t {
- uint32_t len, size;
- uint32_t *ips;
- bool locked;
+ A(uint32_t) ips;
+ bool locked;
 };
+ARRAY(rbldb_t)
 static int get_o(const char *s, const char **out)
 {
@@ -118,35 +121,19 @@ static int parse_ipv4(const char *s, const char **out, uint32_t *ip)
 rbldb_t *rbldb_create(const char *file, bool lock)
 {
 rbldb_t *db;
- const char *map, *p, *end;
- struct stat st;
- int fd;
-
- fd = open(file, O_RDONLY, 0000);
- if (fd < 0) {
- UNIXERR("open");
- return NULL;
- }
-
- if (fstat(fd, &st) < 0) {
- UNIXERR("fstat");
- close(fd);
- return NULL;
- }
+ file_map_t map;
+ const char *p, *end;
- p = map = mmap(NULL, st.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
- if (map == MAP_FAILED) {
- UNIXERR("mmap");
- close(fd);
+ if (!file_map_open(&map, file, false)) {
 return NULL;
 }
- close(fd);
- end = map + st.st_size;
- while (end > map && end[-1] != '\n') {
+ p = map.map;
+ end = map.end;
+ while (end > p && end[-1] != '\n') {
 --end;
 }
- if (end != map + st.st_size) {
+ if (end != map.end) {
 syslog(LOG_WARNING, "file %s miss a final \\n, ignoring last line", file);
 }
@@ -161,61 +148,63 @@ rbldb_t *rbldb_create(const char *file, bool lock)
 if (parse_ipv4(p, &p, &ip) < 0) {
 p = (char *)memchr(p, '\n', end - p) + 1;
 } else {
- if (db->len >= db->size) {
- db->size += 64 * 1024;
- p_realloc(&db->ips, db->size);
- }
- db->ips[db->len++] = ip;
+ array_add(db->ips, ip);
 }
 }
- munmap((void*)map, st.st_size);
+ file_map_close(&map);
 /* Lookup may perform serveral I/O, so avoid swap. */
- db->locked = lock && mlock(db->ips, db->len * sizeof(*(db->ips))) == 0;
+ array_adjust(db->ips);
+ db->locked = lock && array_lock(db->ips);
 if (lock && !db->locked) {
 UNIXERR("mlock");
 }
- if (db->len) {
+ if (db->ips.len) {
 # define QSORT_TYPE uint32_t
-# define QSORT_BASE db->ips
-# define QSORT_NELT db->len
+# define QSORT_BASE db->ips.data
+# define QSORT_NELT db->ips.len
 # define QSORT_LT(a,b) *a < *b
 # include "qsort.c"
 }
- syslog(LOG_INFO, "rbl %s loaded, %d IPs", file, db->len);
+ syslog(LOG_INFO, "rbl %s loaded, %d IPs", file, db->ips.len);
 return db;
 }
+static void rbldb_wipe(rbldb_t *db)
+{
+ if (db->locked) {
+ array_unlock(db->ips);
+ }
+ array_wipe(db->ips);
+}
+
 void rbldb_delete(rbldb_t **db)
 {
 if (*db) {
- if ((*db)->locked) {
- (void)munlock((*db)->ips, (*db)->len * sizeof(*(*db)->ips));
- }
- p_delete(&(*db)->ips);
+ rbldb_wipe(*db);
 p_delete(&(*db));
 }
 }
-uint32_t rbldb_stats(rbldb_t *rbl)
+uint32_t rbldb_stats(const rbldb_t *rbl)
 {
- return rbl->len;
+ return rbl->ips.len;
 }
-bool rbldb_ipv4_lookup(rbldb_t *db, uint32_t ip)
+bool rbldb_ipv4_lookup(const rbldb_t *db, uint32_t ip)
 {
- int l = 0, r = db->len;
+ int l = 0, r = db->ips.len;
 while (l < r) {
 int i = (r + l) / 2;
- if (db->ips[i] == ip)
+ if (array_elt(db->ips, i) == ip)
 return true;
- if (ip < db->ips[i]) {
+ if (ip < array_elt(db->ips, i)) {
 r = i;
 } else {
 l = i + 1;
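Review bot: `syslog(LOG_INFO, "rbl %s loaded, %d IPs", file, db->ips.len);` formats the array count with `%d`; the field it replaces was declared `uint32_t len`, and if `A()` keeps the count unsigned the conversion and the argument disagree, which `-Wformat` reports. A cast is right whatever width the macro uses: `syslog(LOG_INFO, "rbl %s loaded, %u IPs", file, (unsigned)db->ips.len);`. The same narrowing appears in `rbldb_ipv4_lookup` at `int l = 0, r = db->ips.len;`, where the count is squeezed into a signed `int`; giving `l`, `r` and `i` the type of `db->ips.len` removes the implicit conversion. This hunk holds only the tail of `rbldb_create` and the head of `rbldb_ipv4_lookup`, both of which continue outside it.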
@@ -223,3 +212,187 @@ bool rbldb_ipv4_lookup(rbldb_t *db, uint32_t ip)
 }
 return false;
 }
+
+
+/* postlicyd filter declaration */
+
+#include "filter.h"
+
+typedef struct rbl_filter_t {
+ PA(rbldb_t) rbls;
+ A(int) weights;
+
+ int32_t hard_threshold;
+ int32_t soft_threshold;
+} rbl_filter_t;
+
+static rbl_filter_t *rbl_filter_new(void)
+{
+ return p_new(rbl_filter_t, 1);
+}
+
+static void rbl_filter_delete(rbl_filter_t **rbl)
+{
+ if (*rbl) {
+ array_deep_wipe((*rbl)->rbls, rbldb_delete);
+ array_wipe((*rbl)->weights);
+ p_delete(rbl);
+ }
+}
+
+
+static bool rbl_filter_constructor(filter_t *filter)
+{
+ rbl_filter_t *data = rbl_filter_new();
+
+#define PARSE_CHECK(Expr, Str, ...) \
+ if (!(Expr)) { \
+ syslog(LOG_ERR, Str, ##__VA_ARGS__); \
+ rbl_filter_delete(&data); \
+ return false; \
+ }
+
+ foreach (filter_param_t *param, filter->params) {
+ switch (param->type) {
+ /* file parameter is:
+ * [no]lock:weight:filename
+ * valid options are:
+ * - lock: memlock the database in memory.
+ * - nolock: don't memlock the database in memory [default].
+ * - \d+: a number describing the weight to give to the match
+ * the given list [mandatory]
+ * the file pointed by filename MUST be a valid ip list issued from
+ * the rsync (or equivalent) service of a (r)bl.
+ */
+ case ATK_FILE: {
+ bool lock = false;
+ int weight = 0;
+ rbldb_t *rbl = NULL;
+ const char *current = param->value;
+ const char *p = m_strchrnul(param->value, ':');
+ char *next = NULL;
+ for (int i = 0 ; i < 3 ; ++i) {
+ PARSE_CHECK(i == 2 || *p,
+ "file parameter must contains a locking state "
+ "and a weight option");
+ switch (i) {
+ case 0:
+ if ((p - current) == 4 && strncmp(current, "lock", 4) == 0) {
+ lock = true;
+ } else if ((p - current) == 6
+ && strncmp(current, "nolock", 6) == 0) {
+ lock = false;
+ } else {
+ PARSE_CHECK(false, "illegal locking state %.*s",
+ p - current, current);
+ }
+ break;
+
+ case 1:
+ weight = strtol(current, &next, 10);
+ PARSE_CHECK(next == p && weight >= 0 && weight <= 1024,
+ "illegal weight value %.*s",
+ (p - current), current);
+ break;
+
+ case 2:
+ rbl = rbldb_create(current, lock);
+ PARSE_CHECK(rbl != NULL,
+ "cannot load rbl db from %s", current);
+ array_add(data->rbls, rbl);
+ array_add(data->weights, weight);
+ break;
+ }
+ current = p + 1;
+ p = m_strchrnul(current, ':');
+ }
+ } break;
+
+ /* hard_threshold parameter is an integer.
+ * If the matching score is greater than this threshold,
+ * the hook "hard_match" is called.
+ * hard_threshold = 0 means, that all matches are hard matches.
+ * default is 0;
+ */
+ case ATK_HARD_THRESHOLD: {
+ char *next;
+ data->hard_threshold = strtol(param->value, &next, 10);
+ PARSE_CHECK(!*next, "invalid threshold value %s", param->value);
+ } break;
+
+ /* soft_threshold parameter is an integer.
+ * if the matching score is greater than this threshold
+ * and smaller or equal than the hard_threshold, the hook "soft_match"
+ * is called.
+ * default is 0;
+ */
+ case ATK_SOFT_THRESHOLD: {
+ char *next;
+ data->soft_threshold = strtol(param->value, &next, 10);
+ PARSE_CHECK(!*next, "invalid threshold value %s", param->value);
+ } break;
+
+ default: break;
+ }
+ }}
+
+ PARSE_CHECK(data->rbls.len,
+ "no file parameter in the filter %s", filter->name);
+ filter->data = data;
+ return true;
+}
+
+static void rbl_filter_destructor(filter_t *filter)
+{
+ rbl_filter_t *data = filter->data;
+ rbl_filter_delete(&data);
+ filter->data = data;
+}
+
+static filter_result_t rbl_filter(const filter_t *filter, const query_t *query)
+{
+ uint32_t ip;
+ int32_t sum = 0;
+ const char *end = NULL;
+ const rbl_filter_t *data = filter->data;
+
+ if (parse_ipv4(query->client_address, &end, &ip) != 0) {
+ syslog(LOG_WARNING, "invalid client address: %s, expected ipv4",
+ query->client_address);
+ return HTK_ERROR;
+ }
+ for (int i = 0 ; i < data->rbls.len ; ++i) {
+ const rbldb_t *rbl = array_elt(data->rbls, i);
+ int weight = array_elt(data->weights, i);
+ if (rbldb_ipv4_lookup(rbl, ip)) {
+ sum += weight;
+ }
+ }
+ if (sum > data->hard_threshold) {
+ return HTK_HARD_MATCH;
+ } else if (sum > data->soft_threshold) {
+ return HTK_SOFT_MATCH;
+ } else {
+ return HTK_FAIL;
+ }
+}
+
+static int rbl_init(void)
+{
+ filter_type_t type = filter_register("rbl", rbl_filter_constructor,
+ rbl_filter_destructor, rbl_filter);
+ /* Hooks.
+ */
+ (void)filter_hook_register(type, "error");
+ (void)filter_hook_register(type, "fail");
+ (void)filter_hook_register(type, "hard_match");
+ (void)filter_hook_register(type, "soft_match");
+
+ /* Parameters.
+ */
+ (void)filter_param_register(type, "file");
+ (void)filter_param_register(type, "hard_threshold");
+ (void)filter_param_register(type, "soft_threshold");
+ return 0;
+}
+module_init(rbl_init);
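Review bot: `PARSE_CHECK(false, "illegal locking state %.*s", p - current, current);` in case 0 and the `"illegal weight value %.*s"` check in case 1 of `rbl_filter_constructor` pass a `ptrdiff_t` where `%.*s` takes an `int` precision; on LP64 that hands a 64-bit argument to a 32-bit conversion, which is undefined behaviour and a `-Wformat` warning in new code. Cast at both call sites: `(int)(p - current), current);`. In the same case 1, `weight = strtol(current, &next, 10);` stores the `long` into `int weight` before the `weight >= 0 && weight <= 1024` range check runs, so a value that wraps on the narrowing can still pass; keep the result in a `long`, range-check that, then assign it to `weight`. The two threshold cases also accept an empty `param->value` silently (`strtol` yields 0 and `*next` is already NUL), which may be intended but is worth a comment if so.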