diff options
| author | Andrew Lewis <nerf@judo.za.org> | 2015-02-13 23:52:53 +0200 |
|---|---|---|
| committer | Andrew Lewis <nerf@judo.za.org> | 2015-02-14 00:02:41 +0200 |
| commit | ec25baf156342780326fefc7950e00dde45d0a3d (patch) | |
| tree | 55483248103a8877ac2d4e16635021fa8859e1a4 /src/plugins | |
| parent | b0ed876d0a85dd676b005185fba895c2db616b20 (diff) | |
| download | rspamd-ec25baf156342780326fefc7950e00dde45d0a3d.tar.gz rspamd-ec25baf156342780326fefc7950e00dde45d0a3d.zip | |
rbl.lua: Ignore private IP space
Diffstat (limited to 'src/plugins')
| -rw-r--r-- | src/plugins/lua/rbl.lua | 45 |
1 files changed, 42 insertions, 3 deletions
diff --git a/src/plugins/lua/rbl.lua b/src/plugins/lua/rbl.lua index 12b42f186..ef48428b3 100644 --- a/src/plugins/lua/rbl.lua +++ b/src/plugins/lua/rbl.lua @@ -32,6 +32,7 @@ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. local rbls = {} local rspamd_logger = require "rspamd_logger" +local rspamd_ip = require "rspamd_ip" local function validate_dns(lstr, rstr) if (lstr:len() + rstr:len()) > 252 then @@ -46,6 +47,43 @@ local function validate_dns(lstr, rstr) return true end +local private_ranges_v4 = { + {[1] = rspamd_ip.from_string("127.0.0.0"), [2] = 8}, + {[1] = rspamd_ip.from_string("10.0.0.0"), [2] = 8}, + {[1] = rspamd_ip.from_string("192.168.0.0"), [2] = 16}, + {[1] = rspamd_ip.from_string("169.254.0.0"), [2] = 16}, + {[1] = rspamd_ip.from_string("172.16.0.0"), [2] = 12}, + {[1] = rspamd_ip.from_string("100.64.0.0"), [2] = 10}, +} + +local private_ranges_v6 = { + {[1] = rspamd_ip.from_string("fc00::"), [2] = 7}, + {[1] = rspamd_ip.from_string("fe80::"), [2] = 10}, + {[1] = rspamd_ip.from_string("fec0::"), [2] = 10}, +} + +local ipv6_loopback = rspamd_ip.from_string("::1") + +local function is_private_ip(rip) + if rip:get_version() == 4 then + for _, r in pairs(private_ranges_v4) do + if r[1] == rip:apply_mask(r[2]) then + return true + end + end + else + if rip == ipv6_loopback then + return true + end + for _r in pairs(private_ranges_v6) do + if r[1] == rip:apply_mask(r[2]) then + return true + end + end + end + return false +end + local function ip_to_rbl(ip, rbl) return table.concat(ip:inversed_str_octets(), ".") .. '.' .. rbl end @@ -161,7 +199,7 @@ local function rbl_cb (task) end if not havegot['from'] then havegot['from'] = task:get_from_ip() - if not havegot['from']:is_valid() then + if not havegot['from']:is_valid() or is_private_ip(havegot['from']) then notgot['from'] = true return end @@ -188,8 +226,9 @@ local function rbl_cb (task) end for _,rh in ipairs(havegot['received']) do if rh['real_ip'] and rh['real_ip']:is_valid() then - if (rh['real_ip']:get_version() == 6 and rbl['ipv6']) or - (rh['real_ip']:get_version() == 4 and rbl['ipv4']) then + if ((rh['real_ip']:get_version() == 6 and rbl['ipv6']) or + (rh['real_ip']:get_version() == 4 and rbl['ipv4'])) + and not is_private_ip(rh['real_ip']) then task:get_resolver():resolve_a(task:get_session(), task:get_mempool(), ip_to_rbl(rh['real_ip'], rbl['rbl']), rbl_dns_cb, k) end |