Re: [exim] does "net-lsearch" support mask-ed IP ranges, or …

Author: OpenMacNews
Date:
To: exim-users
Subject: Re: [exim] does "net-lsearch" support mask-ed IP ranges, or just indiv IPs?
hi fred,

thx 4 the reply =)

>| % cat /path/to/ipnets.blacklist
>|     A.B.C.D/17        # TESTING ONLY
>| ...
>| iiuc, per the spec & google, net-lsearch is the right choice for IP lookups.

>
> Plain IP lookups, but not masked.
>
>| is there an additional syntax requirement for IP masks?
>
> Yes, look a bit further down in section 10.12. net17-lsearch would
> have matched, in your example above. But keep reading...


re-rtfm-ing ...

aha. i think.

changing:

    ---    drop     hosts           = net-lsearch;/path/to/ipnets.blacklist
    +++    drop     hosts           = /path/to/ipnets.blacklist



_seems_ to do it ... on telnet FROM A.B.C.XX, logs -->

    24395 using ACL "acl_check_connect"
    24395 processing "drop"
    24395 check hosts = /path/to/ipnets.blacklist
    24395 host in "/path/to/ipnets.blacklist"? yes (matched "A.B.C.D/17" in /path/to/ipnets.blacklist)
    24395 drop: condition test succeeded
    24395 SMTP>> 550 Administrative prohibition
    24395 LOG: MAIN REJECT
    24395   H=some.other.domain.com [A.B.C.XX] rejected connection in "connect" ACL
    24395 LOG: smtp_connection MAIN
    24395   SMTP connection from some.other.domain.com [A.B.C.XX] closed by DROP in ACL
    24395 search_tidyup called
    24393 child 24395 ended: status=0x0
    24393 0 SMTP accept processes now running
    24393 Listening...


cool. assuming this *is* what you *intended* me to find by 'reading further',
thx!

>| also, can my
>| 'ipnets.blacklist' have a MIX of masked ranges and single IPs?
>
> Not with netNN-lsearch. All the entries must have the same mask
> (/NN).
>
> What you are really wanting is the iplsearch lookup type:
>
>   drop     hosts           = net-iplsearch;/path/to/ipnets.blacklist


net-iplsearch? hmmm .... aha. Ch9.

    "iplsearch: The given file is a text file containing keys and data. A key
    is terminated by a colon or white space or the end of the line. The keys in
    the file must be IP addresses, or IP addresses with CIDR masks. ... "


ok, now, so ...

    drop     hosts           = /path/to/ipnets.blacklist


works as expected/hoped for a mixed list of masked (*.*.*.*/NN) and single
(*.*.*.*) IPs. and, so does

    drop     hosts           = net-iplsearch;/path/to/ipnets.blacklist


so what is, if any, the advantage of using "net-iplsearch;/blah" in this action?

Ch's 9 & 10, at 1st ... er ... 3rd ... read seem to address the WHAT & HOW, but
not the WHY.

i have a suspicion that the WHY is less obvious in my particular example, but
gotta dig/play a little more ...

cheers,

richard
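The three lookup flavours the thread contrasts (net-lsearch, netNN-lsearch and net-iplsearch) differ only in how the client address is turned into a key and how that key is compared against the file. The following Python model, added here as an illustration and not Exim's own code, makes that difference visible on a constructed blocklist that mixes a /17 network, a bare host and a /24 network (the addresses and the file contents are made up; the parser is a simplified reading of the key/data file format, where the text after a key, such as "# TESTING ONLY", is treated as the entry's data). Each function returns the matching key, mirroring the `matched "A.B.C.D/17"` debug line in the log above, or None when the list does not match.

```python
import ipaddress
import re

# Constructed sample blocklist, not the poster's real file. It mixes a /17
# network, a single host and a /24 network, with data text after each key.
BLACKLIST = """\
# comment lines and blank lines are ignored
10.128.0.0/17        # TESTING ONLY
192.0.2.44           single host, no mask
203.0.113.0/24: data after a colon
"""

# A key runs up to the first colon or whitespace; the remainder is its data.
KEY_RE = re.compile(r"([^\s:]+)[\s:]*(.*)")


def parse_lookup_file(text):
    """Return (key, data) pairs from an lsearch/iplsearch-style text file.

    Blank lines and lines starting with '#' are skipped; everything after the
    key (past any colon or whitespace) is kept as that key's data.
    """
    entries = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = KEY_RE.match(stripped)
        entries.append((match.group(1), match.group(2).strip()))
    return entries


def net_lsearch(ip, entries):
    """net-lsearch: the client address itself is the key, compared literally,
    so a key written with a /NN mask can never match a bare address."""
    for key, _ in entries:
        if key == ip:
            return key
    return None


def netnn_lsearch(ip, nn, entries):
    """netNN-lsearch: mask the address to /NN and look up "network/NN" literally.
    Only keys written with exactly that mask can match, which is why every
    entry in the file has to use the same /NN."""
    network = ipaddress.ip_network(f"{ip}/{nn}", strict=False)
    wanted = f"{network.network_address}/{nn}"
    for key, _ in entries:
        if key == wanted:
            return key
    return None


def net_iplsearch(ip, entries):
    """net-iplsearch: each key is an address or address/CIDR, and the client
    address matches when it lies inside that key's network. Mixed masks and
    bare hosts therefore coexist in one file."""
    addr = ipaddress.ip_address(ip)
    for key, _ in entries:
        if addr in ipaddress.ip_network(key, strict=False):
            return key
    return None


def compare_lookups(ip, nn=17, text=BLACKLIST):
    """Run all three lookups for one client address and return the matched key
    (or None) under each scheme."""
    entries = parse_lookup_file(text)
    return {
        "net-lsearch": net_lsearch(ip, entries),
        f"net{nn}-lsearch": netnn_lsearch(ip, nn, entries),
        "net-iplsearch": net_iplsearch(ip, entries),
    }


if __name__ == "__main__":
    # 10.128.77.9 sits inside the /17, 192.0.2.44 is the bare host,
    # 203.0.113.200 is inside the /24, and 10.128.200.1 is in none of them.
    for client in ("10.128.77.9", "192.0.2.44", "203.0.113.200", "10.128.200.1"):
        print(client, compare_lookups(client))
```

Running the block shows the point of the thread: net-lsearch only ever finds the bare host, net17-lsearch finds the /17 entry but is blind to the /24 and to the bare host because their keys do not carry a /17 mask, and net-iplsearch finds all three. The fourth address, just outside the /17, matches nothing under any scheme.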