author | 2018-12-09 18:05:20 +0000 | |
committer | 2018-12-09 18:05:20 +0000 | |
commit | 15c39be5550e5b1f2a200fee47d33fb8de045f67 (patch) | |
tree | 2d394c818239f1463967524e8ddfe5b3dc8b90af | |
parent | no longer pass rdns in all filtering requests, they can be retrieved from (diff) | |
add check-fcrdns builtin filter
ok eric@
-rw-r--r-- | usr.sbin/smtpd/lka_filter.c | 17 | ||||
-rw-r--r-- | usr.sbin/smtpd/parse.y | 14 | ||||
-rw-r--r-- | usr.sbin/smtpd/smtpd.h | 5 |
3 files changed, 30 insertions, 6 deletions
diff --git a/usr.sbin/smtpd/lka_filter.c b/usr.sbin/smtpd/lka_filter.c
index 2015265a80b..a17b75c977c 100644
--- a/usr.sbin/smtpd/lka_filter.c
+++ b/usr.sbin/smtpd/lka_filter.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: lka_filter.c,v 1.10 2018/12/09 17:37:15 gilles Exp $ */
+/* $OpenBSD: lka_filter.c,v 1.11 2018/12/09 18:05:20 gilles Exp $ */
 /*
  * Copyright (c) 2018 Gilles Chehade <gilles@poolp.org>
@@ -434,6 +434,18 @@ filter_check_regex(struct filter_rule *rule, const char *key)
 }
 
 static int
+filter_check_fcrdns_connected(struct filter_rule *rule, int fcrdns)
+{
+	int ret = 0;
+
+	if (rule->fcrdns) {
+		ret = fcrdns == 0;
+		ret = rule->not_fcrdns < 0 ? !ret : ret;
+	}
+	return ret;
+}
+
+static int
 filter_check_rdns_connected(struct filter_rule *rule, const char *hostname)
 {
 	int ret = 0;
@@ -478,7 +490,8 @@ filter_exec_connected(uint64_t reqid, struct filter_rule *rule, const char *para
 	fs = tree_xget(&sessions, reqid);
 	if (filter_check_table(rule, K_NETADDR, param) ||
 	    filter_check_regex(rule, param) ||
-	    filter_check_rdns_connected(rule, fs->rdns))
+	    filter_check_rdns_connected(rule, fs->rdns) ||
+	    filter_check_fcrdns_connected(rule, fs->fcrdns))
 		return 1;
 	return 0;
 }
diff --git a/usr.sbin/smtpd/parse.y b/usr.sbin/smtpd/parse.y
index 6a3d1ae182e..1d1268f2658 100644
--- a/usr.sbin/smtpd/parse.y
+++ b/usr.sbin/smtpd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.233 2018/12/06 13:57:06 gilles Exp $ */
+/* $OpenBSD: parse.y,v 1.234 2018/12/09 18:05:20 gilles Exp $ */
 /*
  * Copyright (c) 2008 Gilles Chehade <gilles@poolp.org>
@@ -174,7 +174,7 @@ typedef struct {
 %token ACTION ALIAS ANY ARROW AUTH AUTH_OPTIONAL
 %token BACKUP BOUNCE
 %token CA CERT CHROOT CIPHERS COMMIT COMPRESSION CONNECT
-%token CHECK_RDNS CHECK_REGEX CHECK_TABLE
+%token CHECK_FCRDNS CHECK_RDNS CHECK_REGEX CHECK_TABLE
 %token DATA DATA_LINE DHE DISCONNECT DOMAIN
 %token EHLO ENABLE ENCRYPTION ERROR EXPAND_ONLY
 %token FILTER FOR FORWARD_ONLY FROM
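Review bot: `filter_check_fcrdns_connected` carries no comment and its polarity is easy to misread: `ret = fcrdns == 0` makes a plain `check-fcrdns` rule match when the session's `fcrdns` value is exactly zero, i.e. the rule fires when forward-confirmed reverse DNS did not validate, and a `!` rule inverts that. Because only an exact 0 matches, any other value is treated as "validated"; if `fs->fcrdns` can hold a third state such as a negative value for "lookup not performed or not finished" (how the session field is populated is not visible here), those sessions would slip past a non-negated rule, so either confirm the field is strictly 0/1 or test `fcrdns != 1`. I would add `/* match when FCrDNS did not validate (fcrdns == 0); a negated rule inverts the result */` above the body, and the two assignments can be written as the single line `ret = (fcrdns == 0) ^ (rule->not_fcrdns < 0);`. The call site in the third hunk evaluates this check last, after the table, regex and rdns checks; `filter_exec_connected` begins before that hunk.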
@@ -1179,6 +1179,13 @@ negation CHECK_REGEX tables {
 }
 ;
 
+filter_phase_check_fcrdns:
+negation CHECK_FCRDNS {
+	filter_rule->not_fcrdns = $1 ? -1 : 1;
+	filter_rule->fcrdns = 1;
+}
+;
+
 filter_phase_check_rdns:
 negation CHECK_RDNS {
 	filter_rule->not_rdns = $1 ? -1 : 1;
@@ -1187,7 +1194,7 @@ negation CHECK_RDNS {
 ;
 
 filter_phase_connect_options:
-filter_phase_check_table | filter_phase_check_regex | filter_phase_check_rdns;
+filter_phase_check_table | filter_phase_check_regex | filter_phase_check_fcrdns | filter_phase_check_rdns;
 
 filter_phase_connect:
 CONNECT {
@@ -1872,6 +1879,7 @@ lookup(char *s)
 		{ "bounce",		BOUNCE },
 		{ "ca",			CA },
 		{ "cert",		CERT },
+		{ "check-fcrdns",	CHECK_FCRDNS },
 		{ "check-rdns",		CHECK_RDNS },
 		{ "check-regex",	CHECK_REGEX },
 		{ "check-table",	CHECK_TABLE },
diff --git a/usr.sbin/smtpd/smtpd.h b/usr.sbin/smtpd/smtpd.h
index 38475ffb290..a3cdcb4952a 100644
--- a/usr.sbin/smtpd/smtpd.h
+++ b/usr.sbin/smtpd/smtpd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: smtpd.h,v 1.584 2018/12/09 17:37:15 gilles Exp $ */
+/* $OpenBSD: smtpd.h,v 1.585 2018/12/09 18:05:20 gilles Exp $ */
 /*
  * Copyright (c) 2008 Gilles Chehade <gilles@poolp.org>
@@ -1061,6 +1061,9 @@ struct filter_rule {
 
 	int8_t			not_rdns;
 	int8_t			rdns;
+
+	int8_t			not_fcrdns;
+	int8_t			fcrdns;
 };
 
 enum filter_status {
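Review bot: The new `check-fcrdns` keyword is user-facing configuration syntax, yet the diffstat lists only lka_filter.c, parse.y and smtpd.h, so smtpd.conf(5) is not updated by this commit; the keyword is only admitted in `filter_phase_connect_options` (next hunk) and, per the lka_filter.c hunk, matches when forward-confirmed rDNS did not validate, both of which an operator needs to know before relying on it to reject connections. A short comment on the grammar action would also help readers of the parser, e.g. `/* not_fcrdns: -1 when the rule is negated with '!', 1 otherwise */` above `negation CHECK_FCRDNS {`. The surrounding grammar rules continue outside the hunk.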
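Review bot: The new `not_fcrdns`/`fcrdns` fields in `struct filter_rule` use an undocumented encoding that lka_filter.c depends on: from the parse.y hunk `not_fcrdns` is -1 for a negated rule and 1 otherwise, with 0 meaning unset, and `fcrdns` is 1 when the rule carries the check at all. Documenting that on the fields, e.g. `int8_t not_fcrdns; /* -1 negated, 1 plain, 0 unset */` and `int8_t fcrdns; /* 1 if the rule carries check-fcrdns */`, keeps the encoding from drifting away from the `rule->not_fcrdns < 0` test. `struct filter_rule` begins before the hunk.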