gdouble sync_timeout;
radix_compressed_t *update_ips;
radix_compressed_t *master_ips;
+ radix_compressed_t *blocked_ips;
+
struct rspamd_cryptobox_keypair *sync_keypair;
struct rspamd_cryptobox_pubkey *master_key;
struct timeval master_io_tv;
GPtrArray *mirrors;
const ucl_object_t *update_map;
const ucl_object_t *masters_map;
+ const ucl_object_t *blocked_map;
+
GHashTable *master_flags;
guint keypair_cache_size;
gint peer_fd;
static void rspamd_fuzzy_write_reply (struct fuzzy_session *session);
static gboolean
-rspamd_fuzzy_check_client (struct fuzzy_session *session)
+rspamd_fuzzy_check_client (struct fuzzy_session *session, gboolean is_write)
{
- if (session->ctx->update_ips != NULL) {
+ if (session->ctx->blocked_ips != NULL) {
if (radix_find_compressed_addr (session->ctx->update_ips,
- session->addr) == RADIX_NO_VALUE) {
+ session->addr) != RADIX_NO_VALUE) {
return FALSE;
}
- else {
- return TRUE;
+ }
+
+ if (is_write) {
+ if (session->ctx->update_ips != NULL) {
+ if (radix_find_compressed_addr (session->ctx->update_ips,
+ session->addr) == RADIX_NO_VALUE) {
+ return FALSE;
+ } else {
+ return TRUE;
+ }
}
+
+ return FALSE;
}
- return FALSE;
+ /* Non write */
+ return TRUE;
}
static void
}
if (cmd->cmd == FUZZY_CHECK) {
- if (G_UNLIKELY (session->ctx->collection_mode)) {
- result.v1.prob = 0;
- result.v1.value = 500;
- result.v1.flag = 0;
- rspamd_fuzzy_make_reply (cmd, &result, session, encrypted, is_shingle);
+ if (rspamd_fuzzy_check_client (session, FALSE)) {
+ if (G_UNLIKELY (session->ctx->collection_mode)) {
+ result.v1.prob = 0;
+ result.v1.value = 500;
+ result.v1.flag = 0;
+ rspamd_fuzzy_make_reply (cmd, &result, session, encrypted,
+ is_shingle);
+ } else {
+ REF_RETAIN (session);
+ rspamd_fuzzy_backend_check (session->ctx->backend, cmd,
+ rspamd_fuzzy_check_callback, session);
+ }
}
else {
- REF_RETAIN (session);
- rspamd_fuzzy_backend_check (session->ctx->backend, cmd,
- rspamd_fuzzy_check_callback, session);
+ result.v1.value = 403;
+ result.v1.prob = 0.0;
}
}
else if (cmd->cmd == FUZZY_STAT) {
}
}
else {
- if (rspamd_fuzzy_check_client (session)) {
+ if (rspamd_fuzzy_check_client (session, TRUE)) {
/* Check whitelist */
if (session->ctx->skip_hashes && cmd->cmd == FUZZY_WRITE) {
rspamd_encode_hex_buf (cmd->digest, sizeof (cmd->digest),
0,
"Allow master/slave updates from the following IP addresses");
+ rspamd_rcl_register_worker_option (cfg,
+ type,
+ "blocked",
+ rspamd_rcl_parse_struct_ucl,
+ ctx,
+ G_STRUCT_OFFSET (struct rspamd_fuzzy_storage_ctx, blocked_map),
+ 0,
+ "Block requests from specific networks");
+
rspamd_rcl_register_worker_option (cfg,
type,
"master_key",
"Allow fuzzy updates from specified addresses",
&ctx->update_ips, NULL);
}
+
if (ctx->masters_map != NULL) {
rspamd_config_radix_from_ucl (worker->srv->cfg, ctx->masters_map,
"Allow fuzzy master/slave updates from specified addresses",
&ctx->master_ips, NULL);
}
+
if (ctx->skip_map != NULL) {
struct rspamd_map *m;
}
}
+ if (ctx->blocked_map != NULL) {
+ rspamd_config_radix_from_ucl (worker->srv->cfg, ctx->blocked_map,
+ "Block fuzzy requests from the specific IPs",
+ &ctx->blocked_ips, NULL);
+ }
+
/* Maps events */
ctx->resolver = dns_resolver_init (worker->srv->logger,
ctx->ev_base,
projects / rspamd.git / commitdiff