Re: [Exim] host_reject_recipients leaking a few subnets

Author: Dave C.
Date:  
To: Philip Hazel
CC: Bill Duncan, exim-users
Subject: Re: [Exim] host_reject_recipients leaking a few subnets
On Wed, 26 Sep 2001, Philip Hazel wrote:

> On Tue, 25 Sep 2001, Dave C. wrote:
>
> > I'm not sure if this has been discussed before or not, but, in exim 4
> > will there be a way to have a file containing network specifications
> > with varying bitmask lengths in it (possibly some negated), that one
> > will be able to do a lookup in with a single IP address as the key?
>
> Exim lookups are either
>
> (a) "Please find the data that corresponds to this key"
> or
> (b) "Please find the data that this query returns"

Hrm. The concept needed here is more:

"Is this item included "

> and the former type uses existing standard lookup methods: DBM, cdb,
> NIS, together with lsearch, which is implemented to be compatible with
> them. In the case of addresses, the key is either the textual
> representation of the address, e.g. "192.168.23.24", or one with a mask
> appended, e.g. "192.168.34.56/27".
>
> The lookup methods handle text strings. They do not have any knowledge
> of IP addresses or bit masks.
>
> If you have network data with varying bitmask lengths, and negation,
> there is normally some kind of precedence that you want (e.g. look for
> the negated /16 networks before the non-negated /8 networks). I do not
> understand how one could invent a lookup method that does this
> automatically. (And by "lookup method" I mean some kind of key probing
> method like the ones Exim uses.) [*]
>
> With negation in particular, the order of testing is vitally important.
> Therefore, I cannot see any way of doing this other than by a simple
> included file, in which Exim processes each line as if it were an
> in-line item.

Yes, these would definitely be specific.

Basically, I want to reverse the current net lookup: for each item in
the list, does it match the given IP? If it does, and it's not negated,
break out and the lookup succeeds; if it matches and it's negated, break
out and the lookup fails.

Let's say:

I want to allow anyone in the 10.0.0.0/8 to relay, but not 10.1.2.0/24,
but I do want to make an exception for 10.1.2.7

If I could put:

10.1.2.7 : ! 10.1.2.0/24 : 10.0.0.0/8

and 10.1.2.7 would be permitted, anything else in 10.1.2 would fail, but
then 10.9.9.9 would pass, and anything else would fail: either use the
same 'fall off the end' logic as with a host list, or, if not, an
explicit global negation could be added:

10.1.2.7 : ! 10.1.2.0/24 : 10.0.0.0/8 : ! 0.0.0.0/0

>
> If you want to use DBM for some of the lookups, for speed, there is no
> reason why you couldn't write
>
>
>     !net16-dbm;/some/file : net8-dbm;/some/file : ...
>
> where _the same file_ is used in both cases. Exim would do two probes,
> first with a /16 mask, and then with a /8 mask.
>
> You could even include items like this as lines in an included file.
>
> ---------
> [*] To speed up a linear search, I could conceive of some entirely new
> idea, in which the data is preprocessed in some special way that
> understands negation and masks. It would have to be very clever and
> create some kind of partial ordering of the data and some fast way of
> searching it. This would be a major project, and if anybody implemented
> it, they should do it as a new free-standing library, because it could
> be used outside Exim.
--
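The first-match-wins semantics described in the message above (a plain item accepts, a negated item rejects, and an address matching nothing falls off the end), as an added example that is not part of the thread and not Exim code; the function names and the ':'-separated parsing are assumptions.

```python
import ipaddress

# Hypothetical matcher for the ordered, negatable network list discussed in
# the thread (not Exim code). Items are separated by ':' as in an Exim host
# list; a leading '!' negates the item. The first item containing the
# address decides: a plain item accepts, a negated item rejects. An address
# that matches nothing "falls off the end" and is rejected.

def parse_net_list(spec):
    """Parse 'a : ! b/24 : c/8' into a list of (negated, network) tuples."""
    items = []
    for raw in spec.split(":"):
        item = raw.strip()
        if not item:
            continue
        negated = item.startswith("!")
        if negated:
            item = item[1:].strip()
        # A bare address becomes a /32 (or /128) network; strict=False
        # tolerates host bits set below the mask, e.g. 10.1.2.7/24.
        items.append((negated, ipaddress.ip_network(item, strict=False)))
    return items

def match_net_list(spec, addr):
    """Return (accepted, deciding_item) for addr against the ordered list.

    deciding_item is the text of the item that decided the outcome, or None
    when the address fell off the end of the list (rejected).
    """
    ip = ipaddress.ip_address(addr)
    for negated, net in parse_net_list(spec):
        if ip in net:  # an IPv4/IPv6 version mismatch simply does not match
            item = ("!" if negated else "") + str(net)
            return (not negated, item)
    return (False, None)

# The relay list from the message: allow 10/8, except 10.1.2/24, except 10.1.2.7.
RELAY_LIST = "10.1.2.7 : ! 10.1.2.0/24 : 10.0.0.0/8"

if __name__ == "__main__":
    for host in ("10.1.2.7", "10.1.2.8", "10.9.9.9", "192.0.2.1"):
        ok, why = match_net_list(RELAY_LIST, host)
        print(f"{host:<12} {'accept' if ok else 'reject':<7} via {why}")
```

Reordering the list changes the outcome, which is why the deciding item is returned: it lets a log line show which entry allowed or refused a relay.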