Re: [Exim] host_reject_recipients leaking a few subnets

Author: Philip Hazel
Date:  
To: Dave C.
CC: Bill Duncan, exim-users
Subject: Re: [Exim] host_reject_recipients leaking a few subnets
On Tue, 25 Sep 2001, Dave C. wrote:

> I'm not sure if this has been discussed before or not, but, in exim 4
> will there be a way to have a file containing network specifications
> with varying bitmask lengths in it (possibly some negated), that one
> will be able to do a lookup in with a single IP address as the key?

Exim lookups are either

(a) "Please find the data that corresponds to this key"
or
(b) "Please find the data that this query returns"

and the former type uses existing standard lookup methods: DBM, cdb,
NIS, together with lsearch, which is implemented to be compatible with
them. In the case of addresses, the key is either the textual
representation of the address, e.g. "192.168.23.24", or one with a mask
appended, e.g. "192.168.34.56/27".

The lookup methods handle text strings. They do not have any knowledge
of IP addresses or bit masks.

If you have network data with varying bitmask lengths, and negation,
there is normally some kind of precedence that you want (e.g. look for
the negated /16 networks before the non-negated /8 networks). I do not
understand how one could invent a lookup method that does this
automatically. (And by "lookup method" I mean some kind of key probing
method like the ones Exim uses.) [*]

With negation in particular, the order of testing is vitally important.
Therefore, I cannot see any way of doing this other than by a simple
included file, in which Exim processes each line as if it were an
in-line item.

If you want to use DBM for some of the lookups, for speed, there is no
reason why you couldn't write


    !net16-dbm;/some/file : net8-dbm;/some/file : ...


where _the same file_ is used in both cases. Exim would do two probes,
first with a /16 mask, and then with a /8 mask.

You could even include items like this as lines in an included file.

---------
[*] To speed up a linear search, I could conceive of some entirely new
idea, in which the data is preprocessed in some special way that
understands negation and masks. It would have to be very clever and
create some kind of partial ordering of the data and some fast way of
searching it. This would be a major project, and if anybody implemented
it, they should do it as a new free-standing library, because it could
be used outside Exim.


-- 
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.
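The following is an added illustration, not part of Philip Hazel's message and not Exim's own code: a small Python model of how a host list of the kind discussed above is walked item by item, so the precedence and negation points (and the "same file probed with /16 and then /8" trick) can be tried on concrete addresses. The list syntax it accepts and the DBM file it probes are my own assumptions, and the DBM file is stood in for by a dict: an item "net<N>-dbm;<file>" masks the client address to N bits and probes <file> with the key "<masked-address>/<N>"; any other item is a plain CIDR network; a leading "!" negates an item. A positive item that matches makes the whole list match, a negated item that matches makes it fail, and if the end is reached the list matches only when its last item was negated. This sketch handles IPv4 only, since it splits items on ":".

```python
"""Added example: an Exim-style host list evaluated in order, with negation
and masked DBM probes. Assumptions are stated in the lead-in and comments;
this is not Exim's implementation."""
import ipaddress

# Constructed stand-in for the DBM file /some/file mentioned in the message.
# Keys are the masked network with the mask length appended, which is the
# form a net16- or net8- probe generates, so a /16 probe can never hit the
# /8 entry and vice versa.
DBM_FILES = {
    "/some/file": {
        "10.0.0.0/8": "reject the whole corporate range",
        "10.99.0.0/16": "...except the guest /16",
    }
}


def probe_key(addr, bits):
    """Key used by a net<bits>- lookup: address masked to <bits>, then '/<bits>'."""
    net = ipaddress.ip_network(f"{addr}/{bits}", strict=False)
    return f"{net.network_address}/{bits}"


def item_matches(item, ip, files):
    """True if one (already un-negated) list item matches ip."""
    if item.startswith("net") and ";" in item:
        spec, path = item.split(";", 1)          # "net16-dbm", "/some/file"
        bits = int(spec.split("-", 1)[0][3:])    # "net16" -> 16
        return probe_key(ip, bits) in files[path]
    # Plain in-line item such as "192.168.34.56/27": a CIDR network.
    return ip in ipaddress.ip_network(item, strict=False)


def host_list_matches(host_list, addr, files=DBM_FILES):
    """Walk the colon-separated list in order; first matching item decides.

    Assumed Exim rule: a matching positive item -> list matches; a matching
    negated item -> list does not match; nothing matched -> the result is
    'match' only if the final item was negated.  IPv4-only sketch.
    """
    ip = ipaddress.ip_address(addr)
    last_negated = False
    for raw in host_list.split(":"):
        item = raw.strip()
        if not item:
            continue
        negated = item.startswith("!")
        if negated:
            item = item[1:].strip()
        if item_matches(item, ip, files):
            return not negated
        last_negated = negated
    return last_negated


if __name__ == "__main__":
    # Two probes of the same file: /16 exemption first, then the /8 block.
    ordered = "!net16-dbm;/some/file : net8-dbm;/some/file"
    # The same items reversed: the /8 block now shadows the /16 exemption.
    reversed_list = "net8-dbm;/some/file : !net16-dbm;/some/file"
    for addr in ("10.99.1.2", "10.1.2.3", "172.16.1.1"):
        print(addr, "ordered:", host_list_matches(ordered, addr),
              "reversed:", host_list_matches(reversed_list, addr))
```

Running it shows why the message insists on ordering: with the negated /16 probe first, 10.99.1.2 is exempted and 10.1.2.3 is rejected, but with the items swapped the /8 probe matches 10.99.1.2 before the exemption is ever consulted. An included file whose lines are processed as in-line items behaves exactly like the string passed to host_list_matches here.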