# A filter can returns different values. Each return value is given a name. The
# configuration associates an action to run to a return value name.
#
+# A hook action has the format: (counter:id:incr:)?(filter_name|postfix:ACTION)
+#
+# The action can contains the reference to a counter to update. This counters are "message"-wide
+# counters that stay valid until the end of the filtering of the message. This counters are useful
+# to trig different actions depending on the number of failures encountered during the processing
+# of a message. There are 64 counters (0..63), accessible from all the filters. By specifying
+# counter:id:incr as a prefix of the hook action, you tell postlicyd to add (incr) to counter
+# (id) when this hook is reached. The "counter" filter type allow you to run actions depending
+# on the value of a counter.
+#
# The action can be either a postfix access(5) value or a filter name. Postfix access
# parameters must be prefixed by 'postfix:'. The text argument given to a postfix reply
# may contain format strings to be replaced by the parameters of the query. This arguments
# eg:
# on_match = postfix:REJECT Blacklisted;
# on_fail = postfix:450 Greylisted, see http://www.example.org/${sender_domain}.html
+# on_error = counter:0:1:postfix:DUNNO
+# on_match = counter:63:10:whitelist
#
# Filter:
# Current defined filter types are:
# hook
on_match = postfix:OK;
- on_fail = greylist;
+ on_fail = counter:0:1:greylist;
}
+# - counter: trig actions depending on the value of a counter
+# Parameters:
+# - counter: the id of the counter to trig on (0 -> 63)
+# - hard_threshold: minimum counter value to trig the hard_match hook
+# - soft_threshold: minimum counter value to trig the soft_match hook
+# Return value:
+# - hard_match if the counter with the given id is greater or equal to hard_threshold
+# - soft_match if the counter value is between soft_threshold and hard_threshold
+# - fail if the counter value is below soft_match
+
+# match if the counter 0 value is greater than 8, or between 5 and 7
+counter {
+ type = counter;
+
+ # configuration
+ counter = 0;
+ hard_threshold = 8;
+ soft_threshold = 5;
+
+ # hook
+ on_hard_match = postfix:REJECT ${sender_domain};
+ on_soft_match = greylist;
+ on_fail = counter:1:10:match;
+}
+
# ENTRY POINTS
#
# Access policy daemon can be used at several protocol states. For each of this states,
$(RM) $@
$(AR) rcs $@ $(filter %.o,$^)
-$(PROGRAMS) $(TESTS): $$(patsubst %.c,.%.o,$$($$@_SOURCES)) Makefile ../common.ld
+$(PROGRAMS) $(TESTS): $$(patsubst %.c,.%.o,$$($$@_SOURCES)) Makefile
$(CC) -o $@ $(filter %.o,$^) $(LDFLAGS) $($@_LIBADD) $(filter %.a,$^)
-include $(foreach p,$(PROGRAMS) $(TESTS),$(patsubst %.c,.%.dep,$(filter %.c,$($p_SOURCES))))
UB_LIBS = -lunbound
-FILTERS = iplist.c greylist.c strlist.c match.c
+FILTERS = iplist.c greylist.c strlist.c match.c counters.c
postlicyd_SOURCES = main-postlicyd.c ../common/lib.a filter.c config.c query.c $(FILTERS) $(GENERATED)
postlicyd_LIBADD = $(UB_LIBS) $(TC_LIBS) -lev
--- /dev/null
+/******************************************************************************/
+/* pfixtools: a collection of postfix related tools */
+/* ~~~~~~~~~ */
+/* ________________________________________________________________________ */
+/* */
+/* Redistribution and use in source and binary forms, with or without */
+/* modification, are permitted provided that the following conditions */
+/* are met: */
+/* */
+/* 1. Redistributions of source code must retain the above copyright */
+/* notice, this list of conditions and the following disclaimer. */
+/* 2. Redistributions in binary form must reproduce the above copyright */
+/* notice, this list of conditions and the following disclaimer in the */
+/* documentation and/or other materials provided with the distribution. */
+/* 3. The names of its contributors may not be used to endorse or promote */
+/* products derived from this software without specific prior written */
+/* permission. */
+/* */
+/* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND */
+/* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE */
+/* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR */
+/* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS */
+/* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR */
+/* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF */
+/* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS */
+/* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN */
+/* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) */
+/* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF */
+/* THE POSSIBILITY OF SUCH DAMAGE. */
+/******************************************************************************/
+
+/*
+ * Copyright © 2008 Florent Bruneau
+ */
+
+#include "filter.h"
+#include "config.h"
+#include "query.h"
+
+typedef struct counter_config_t {
+ int counter;
+ uint32_t hard_threshold;
+ uint32_t soft_threshold;
+} counter_config_t;
+
+
+static counter_config_t *counter_config_new(void)
+{
+ return p_new(counter_config_t, 1);
+}
+
+static void counter_config_delete(counter_config_t **config)
+{
+ if (*config) {
+ p_delete(config);
+ }
+}
+
+static bool counter_filter_constructor(filter_t *filter)
+{
+ counter_config_t *config = counter_config_new();
+ config->counter = -1;
+
+#define PARSE_CHECK(Expr, Str, ...) \
+ if (!(Expr)) { \
+ err(Str, ##__VA_ARGS__); \
+ counter_config_delete(&config); \
+ return false; \
+ }
+
+ config->hard_threshold = 1;
+ config->soft_threshold = 1;
+ foreach (filter_param_t *param, filter->params) {
+ switch (param->type) {
+ FILTER_PARAM_PARSE_INT(COUNTER, config->counter);
+ FILTER_PARAM_PARSE_INT(HARD_THRESHOLD, config->hard_threshold);
+ FILTER_PARAM_PARSE_INT(SOFT_THRESHOLD, config->soft_threshold);
+ default: break;
+ }
+ }}
+
+ PARSE_CHECK(config->counter >= 0 && config->counter < MAX_COUNTERS,
+ "invalid counter number: %d", config->counter);
+ filter->data = config;
+ return true;
+}
+
+static void counter_filter_destructor(filter_t *filter)
+{
+ counter_config_t *config = filter->data;
+ counter_config_delete(&config);
+ filter->data = config;
+}
+
+static filter_result_t counter_filter(const filter_t *filter, const query_t *query,
+ filter_context_t *context)
+{
+ const counter_config_t *counter = filter->data;
+ const uint32_t val = context->counters[counter->counter];
+
+ if (val >= counter->hard_threshold) {
+ return HTK_HARD_MATCH;
+ } else if (val >= counter->soft_threshold) {
+ return HTK_SOFT_MATCH;
+ } else {
+ return HTK_FAIL;
+ }
+}
+
+static int counter_init(void)
+{
+ filter_type_t type = filter_register("counter", counter_filter_constructor,
+ counter_filter_destructor, counter_filter,
+ NULL, NULL);
+ /* Hooks.
+ */
+ (void)filter_hook_register(type, "fail");
+ (void)filter_hook_register(type, "hard_match");
+ (void)filter_hook_register(type, "soft_match");
+
+ /* Parameters.
+ */
+ (void)filter_param_register(type, "counter");
+ (void)filter_param_register(type, "hard_threshold");
+ (void)filter_param_register(type, "soft_threshold");
+ return 0;
+}
+module_init(counter_init);
static const filter_hook_t default_hook = {
.type = 0,
.value = (char*)"DUNNO",
+ .counter = -1,
+ .cost = 0,
.postfix = true,
.async = false,
.filter_id = 0
static const filter_hook_t async_hook = {
.type = 0,
.value = NULL,
+ .counter = -1,
+ .cost = 0,
.postfix = false,
.async = true,
.filter_id = 0
const char *value, int value_len)
{
filter_hook_t hook;
+ hook.filter_id = -1;
hook.type = hook_tokenize(name, name_len);
if (hook.type == HTK_UNKNOWN) {
err("unknown hook type %.*s", name_len, name);
htokens[hook.type], ftokens[filter->type]);
return false;
}
- hook.async = false;
- hook.filter_id = -1;
- hook.value = NULL;
+ hook.async = false;
+
+ /* Value format is (counter:id:incr)?(postfix:reply|filter_name)
+ */
+ hook.value = NULL;
+ if (strncmp(value, "counter:", 8) == 0) {
+ char *end = NULL;
+ value += 8;
+ hook.counter = strtol(value, &end, 10);
+ if (end == value || *end != ':') {
+ err("hook %s, cannot read counter id", htokens[hook.type]);
+ return false;
+ } else if (hook.counter < 0 || hook.counter >= MAX_COUNTERS) {
+ err("hook %s, invalid counter id %d", htokens[hook.type], hook.counter);
+ return false;
+ }
+ value = end + 1;
+ hook.cost = strtol(value, &end, 10);
+ if (end == value || *end != ':') {
+ err("hook %s, cannot read counter increment", htokens[hook.type]);
+ return false;
+ } else if (hook.cost < 0) {
+ err("hook %s, invalid counter increment value %d", htokens[hook.type],
+ hook.cost);
+ return false;
+ }
+ value = end + 1;
+ } else {
+ hook.counter = -1;
+ hook.cost = 0;
+ }
hook.postfix = (strncmp(value, "postfix:", 8) == 0);
if (hook.postfix && query_format(NULL, 0, value + 8, NULL) == -1) {
err("invalid formatted text \"%s\"", value + 8);
}
}
+void filter_context_clean(filter_context_t *context)
+{
+ p_clear(&context->counters, 1);
+ context->instance[0] = '\0';
+}
+
void filter_post_async_result(filter_context_t *context, filter_result_t result)
{
const filter_t *filter = context->current_filter;
filter_result_t type;
char *value;
+ int counter;
+ int cost;
+
unsigned postfix:1;
unsigned async:1;
int filter_id;
+
} filter_hook_t;
ARRAY(filter_hook_t)
} filter_t;
ARRAY(filter_t)
+#define MAX_COUNTERS (64)
+
/** Context of the query. To be filled with data to use when
* performing asynchronous filtering.
*/
typedef struct filter_context_t {
+ /* filter context
+ */
const filter_t *current_filter;
void *contexts[FTK_count];
+ /* message context
+ */
+ char instance[64];
+ uint32_t counters[MAX_COUNTERS];
+
+ /* connection context
+ */
void *data;
} filter_context_t;
__attribute__((nonnull))
void filter_context_wipe(filter_context_t *context);
+__attribute__((nonnull))
+void filter_context_clean(filter_context_t *context);
+
__attribute__((nonnull))
void filter_post_async_result(filter_context_t *context, filter_result_t result);
static const filter_t *next_filter(server_t *pcy, const filter_t *filter,
const query_t *query, const filter_hook_t *hook, bool *ok) {
+ if (hook != NULL) {
+ query_context_t *context = pcy->data;
+ if (hook->counter >= 0 && hook->counter < MAX_COUNTERS && hook->cost > 0) {
+ context->context.counters[hook->counter] += hook->cost;
+ debug("request client=%s, from=<%s>, to=<%s>: added %d to counter %d (now %u)",
+ query->client_name,
+ query->sender == NULL ? "undefined" : query->sender,
+ query->recipient == NULL ? "undefined" : query->recipient,
+ hook->cost, hook->counter, context->context.counters[hook->counter]);
+ }
+ }
if (hook == NULL) {
warn("request client=%s, from=<%s>, to=<%s>: aborted",
query->client_name,
if (!query_parse(pcy->data, pcy->ibuf.data))
return -1;
query->eoq = eoq + strlen("\n\n");
+ if (query->instance == NULL || strcmp(context->context.instance, query->instance) != 0) {
+ filter_context_clean(&context->context);
+ m_strcat(context->context.instance, 64, query->instance);
+ }
server_none(pcy);
return policy_process(pcy, mconfig) ? 0 : -1;
}