authorVsevolod Stakhov <vsevolod@highsecure.ru>2015-02-15 20:53:21 +0000
committerVsevolod Stakhov <vsevolod@highsecure.ru>2015-02-15 20:53:21 +0000
commite031df40789c5175b3dea9fa65c453cb50cf4721 (patch)
tree537fdc07e44c7ec76162689ace8a5ab69849de36
parent1878a26bcb216b06cbf6154954ba12285a888cab (diff)
parent3fd3a8e6b708401ca14204f0ab71501c08f16d78 (diff)
downloadrspamd-e031df40789c5175b3dea9fa65c453cb50cf4721.tar.gz
rspamd-e031df40789c5175b3dea9fa65c453cb50cf4721.zip
Merge pull request #172 from fatalbanana/master
rbl.lua: Support site-local IP address / subnet exclusions
-rw-r--r--doc/markdown/modules/rbl.md6
-rw-r--r--src/plugins/lua/ip_score.lua6
-rw-r--r--src/plugins/lua/multimap.lua2
-rw-r--r--src/plugins/lua/rbl.lua18
4 files changed, 25 insertions, 7 deletions
diff --git a/doc/markdown/modules/rbl.md b/doc/markdown/modules/rbl.md
index 2c654c808..8748f4617 100644
--- a/doc/markdown/modules/rbl.md
+++ b/doc/markdown/modules/rbl.md
@@ -57,6 +57,12 @@ If set to true, do not use this RBL if the message sender is authenticated.
If set to true, from/received RBL checks will ignore private IP address space.
+Other parameters which can be set here are:
+
+- local_exclude_ip_map
+
+Can be set to a URL of a list of IPv4/IPv6 addresses & subnets not to be processed by from/received RBL checks.
+
RBL-specific subsection is structured as follows:
~~~nginx
diff --git a/src/plugins/lua/ip_score.lua b/src/plugins/lua/ip_score.lua
index 1ba267dce..6da59c3ed 100644
--- a/src/plugins/lua/ip_score.lua
+++ b/src/plugins/lua/ip_score.lua
@@ -68,8 +68,7 @@ local ip_score_set = function(task)
if action then
-- Check whitelist
if whitelist then
- local ipnum = task:get_from_ip():to_number()
- if task:get_from_ip():is_valid() and whitelist:get_key(ipnum) then
+ if task:get_from_ip():is_valid() and whitelist:get_key(task:get_from_ip()) then
-- Address is whitelisted
return
end
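Review bot: The new whitelist condition in ip_score_set calls `task:get_from_ip()` twice, once for `is_valid()` and once as the map key. Bind it once with `local ip = task:get_from_ip()` and test `ip:is_valid() and whitelist:get_key(ip)`, so the validity check and the lookup use the same object. The ip_score_check hunk below already has `local ip` in scope and can use `whitelist:get_key(ip)` directly. How `whitelist` is created is not visible in these hunks; confirm it is a radix map that accepts an IP object, because a key-type mismatch would make the whitelist silently stop matching. Both function bodies extend beyond the hunks.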
@@ -131,8 +130,7 @@ local ip_score_check = function(task)
local ip = task:get_from_ip()
if ip:is_valid() then
if whitelist then
- local ipnum = task:get_from_ip():to_number()
- if whitelist:get_key(ipnum) then
+ if whitelist:get_key(task:get_from_ip()) then
-- Address is whitelisted
return
end
diff --git a/src/plugins/lua/multimap.lua b/src/plugins/lua/multimap.lua
index 0a809ca52..6af38a40c 100644
--- a/src/plugins/lua/multimap.lua
+++ b/src/plugins/lua/multimap.lua
@@ -57,7 +57,7 @@ local function check_multimap(task)
end
else
local ip = task:get_from_ip()
- if ip:is_valid() and rule['ips'] and rule['ips']:get_key(ip:to_number()) then
+ if ip:is_valid() and rule['ips'] and rule['ips']:get_key(ip) then
task:insert_result(rule['symbol'], 1)
end
end
diff --git a/src/plugins/lua/rbl.lua b/src/plugins/lua/rbl.lua
index 05b7312ef..6fa7d25cc 100644
--- a/src/plugins/lua/rbl.lua
+++ b/src/plugins/lua/rbl.lua
@@ -30,6 +30,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-- https://rspamd.com/doc/modules/rbl.html
local rbls = {}
+local local_exclusions = nil
local rspamd_logger = require "rspamd_logger"
local rspamd_ip = require "rspamd_ip"
@@ -84,6 +85,13 @@ local function is_private_ip(rip)
return false
end
+local function is_excluded_ip(rip)
+ if local_exclusions and local_exclusions:get_key(rip) then
+ return true
+ end
+ return false
+end
+
local function ip_to_rbl(ip, rbl)
return table.concat(ip:inversed_str_octets(), ".") .. '.' .. rbl
end
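Review bot: The new `is_excluded_ip` has no comment explaining its contract, in particular that it returns false whenever `local_exclusions` is nil. Since this helper decides which addresses bypass RBL lookups, a header such as `-- Returns true if rip matches the site-local exclusion map; false when no map is configured (all addresses are then checked)` would make the default explicit. It could also state that callers are expected to pass an address that has already passed `is_valid()`, which is what the from branch in rbl_cb appears to rely on.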
@@ -200,7 +208,8 @@ local function rbl_cb (task)
if not havegot['from'] then
havegot['from'] = task:get_from_ip()
if not havegot['from']:is_valid() or
- (rbl['exclude_private_ips'] and is_private_ip(havegot['from'])) then
+ (rbl['exclude_private_ips'] and is_private_ip(havegot['from']))
+ or is_excluded_ip(havegot['from']) then
notgot['from'] = true
return
end
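Review bot: An address skipped because of `is_excluded_ip(havegot['from'])` leaves no trace in the log, so an operator cannot tell afterwards why a message received no from-RBL lookup. The same applies to the `not is_excluded_ip(rh['real_ip'])` condition in the received hunk below. Consider testing the exclusion on its own line and logging the hit, for example `if is_excluded_ip(havegot['from']) then rspamd_logger.info('rbl: from IP skipped by local_exclude_ip_map') end` before `notgot['from'] = true`. That makes an unexpectedly broad or tampered exclusion list visible in normal log review. rbl_cb starts and ends outside this hunk.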
@@ -230,7 +239,7 @@ local function rbl_cb (task)
if ((rh['real_ip']:get_version() == 6 and rbl['ipv6']) or
(rh['real_ip']:get_version() == 4 and rbl['ipv4'])) and
((rbl['exclude_private_ips'] and not is_private_ip(rh['real_ip'])) or
- not rbl['exclude_private_ips']) then
+ not rbl['exclude_private_ips']) and not is_excluded_ip(rh['real_ip']) then
task:get_resolver():resolve_a(task:get_session(), task:get_mempool(),
ip_to_rbl(rh['real_ip'], rbl['rbl']), rbl_dns_cb, k)
end
@@ -255,6 +264,7 @@ if type(rspamd_config.get_api_version) ~= 'nil' then
rspamd_config:register_module_option('rbl', 'default_unknown', 'string')
rspamd_config:register_module_option('rbl', 'default_exclude_users', 'string')
rspamd_config:register_module_option('rbl', 'default_exclude_private_ips', 'string')
+ rspamd_config:register_module_option('rbl', 'local_exclude_ip_map', 'string')
end
end
@@ -291,6 +301,10 @@ if(opts['default_exclude_private_ips'] == nil) then
opts['default_exclude_private_ips'] = false
end
+if(opts['local_exclude_ip_map'] ~= nil) then
+ local_exclusions = rspamd_config:add_radix_map(opts['local_exclude_ip_map'])
+end
+
for key,rbl in pairs(opts['rbls']) do
local o = { "ipv4", "ipv6", "from", "received", "unknown", "rdns", "helo", "exclude_users", "exclude_private_ips" }
for i=1,table.maxn(o) do
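Review bot: The result of `rspamd_config:add_radix_map(opts['local_exclude_ip_map'])` is stored without any check. If the map cannot be created and the call returns a falsy value (its failure behaviour is not visible here), `is_excluded_ip` returns false for every address and nothing tells the operator that the exclusion list is inactive. A guard such as `if not local_exclusions then rspamd_logger.err('rbl: cannot load local_exclude_ip_map') end` would surface that. Because the map's contents decide which senders bypass from/received RBL checks, the rbl.md entry should also say that the URL must point to a source only the administrator can modify. The `for` loop that follows continues outside the hunk.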