From 0bc8c311aa6ffbdc6aed2dc7d101186542d3e194 Mon Sep 17 00:00:00 2001 From: Vsevolod Stakhov Date: Thu, 5 Sep 2024 13:35:12 +0100 Subject: [Rework] Change fuzzy error symbols FUZZY_BLOCKED -> FUZZY_RATELIMITED FUZZY_BLOCKED - new symbol for permanent bans --- src/plugins/fuzzy_check.c | 34 +++++++++++++++++++++++++++++++++- 1 file changed, 33 insertions(+), 1 deletion(-) diff --git a/src/plugins/fuzzy_check.c b/src/plugins/fuzzy_check.c index 91b77c702..0af9248e5 100644 --- a/src/plugins/fuzzy_check.c +++ b/src/plugins/fuzzy_check.c @@ -49,6 +49,8 @@ #include "libutil/libev_helper.h" #define DEFAULT_SYMBOL "R_FUZZY_HASH" +#define RSPAMD_FUZZY_SYMBOL_BLOCKED "FUZZY_BLOCKED" +#define RSPAMD_FUZZY_SYMBOL_RATELIMITED "FUZZY_RATELIMITED" #define DEFAULT_IO_TIMEOUT 1.0 #define DEFAULT_RETRANSMITS 3 @@ -1153,6 +1155,32 @@ int fuzzy_check_module_config(struct rspamd_config *cfg, bool validate) 1, 1); + /* Register meta symbols (blocked, ratelimited, etc) */ + rspamd_symcache_add_symbol(cfg->cache, + RSPAMD_FUZZY_SYMBOL_BLOCKED, 0, NULL, NULL, + SYMBOL_TYPE_VIRTUAL, + cb_id); + rspamd_config_add_symbol(cfg, + RSPAMD_FUZZY_SYMBOL_BLOCKED, + 0.0, + "Fuzzy access denied", + "fuzzy", + 0, + 1, + 1); + rspamd_symcache_add_symbol(cfg->cache, + RSPAMD_FUZZY_SYMBOL_RATELIMITED, 0, NULL, NULL, + SYMBOL_TYPE_VIRTUAL, + cb_id); + rspamd_config_add_symbol(cfg, + RSPAMD_FUZZY_SYMBOL_RATELIMITED, + 0.0, + "Fuzzy rate limit is reached", + "fuzzy", + 0, + 1, + 1); + /* * Here we can have 2 possibilities: * @@ -2486,7 +2514,11 @@ fuzzy_check_try_read(struct fuzzy_client_session *session) } } else if (rep->v1.value == 403) { - rspamd_task_insert_result(task, "FUZZY_BLOCKED", 0.0, + rspamd_task_insert_result(task, RSPAMD_FUZZY_SYMBOL_RATELIMITED, 1.0, + session->rule->name); + } + else if (rep->v1.value == 503) { + rspamd_task_insert_result(task, RSPAMD_FUZZY_SYMBOL_BLOCKED, 1.0, session->rule->name); } else if (rep->v1.value == 401) { -- cgit v1.2.3 
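Review bot: The comment over the new registrations in fuzzy_check_module_config, `/* Register meta symbols (blocked, ratelimited, etc) */`, does not say which storage reply drives each symbol, or that they are diagnostics rather than spam evidence. Both are registered with score 0.0 and, in the fuzzy_check_try_read hunk of this commit, inserted purely on `rep->v1.value`. If an operator later gives them a score, the message score would follow whatever the storage endpoint answers; whether that reply is authenticated is not visible here. I would expand the comment to something like `/* Diagnostic symbols set from the storage reply code (403 -> FUZZY_RATELIMITED, 503 -> FUZZY_BLOCKED); keep them at score 0.0 */`, and do the same for the FUZZY_ENCRYPTION_REQUIRED registration added later in this series. The function body starts and ends outside the hunk.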
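Review bot: In fuzzy_check_try_read the `rep->v1.value == 403` branch now always reports FUZZY_RATELIMITED, but on storages that predate this series 403 is not only a rate-limit answer. The removed lines in the fuzzy_storage.c commit further down this page show the same value being sent for unencrypted commands and in one more refusal branch. Against such a storage, an encryption or permission refusal will be presented to the operator as rate limiting. A comment would make that explicit, e.g. `/* 403 from older storages may also mean "unencrypted command refused"; only newer ones send 415/503 */`. The weight argument also changes from 0.0 to 1.0 here without a word in the commit message, and the function continues outside the hunk.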
From 7d355135c9aba53676e974b5a91a06f2da327de8 Mon Sep 17 00:00:00 2001 From: Vsevolod Stakhov Date: Thu, 5 Sep 2024 13:36:40 +0100 Subject: [Minor] s/BLOCKED/FORBIDDEN/ We want it to be more informative and to distinguish from FUZZY_DENIED --- src/plugins/fuzzy_check.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/plugins/fuzzy_check.c b/src/plugins/fuzzy_check.c index 0af9248e5..dd2347f19 100644 --- a/src/plugins/fuzzy_check.c +++ b/src/plugins/fuzzy_check.c @@ -49,7 +49,7 @@ #include "libutil/libev_helper.h" #define DEFAULT_SYMBOL "R_FUZZY_HASH" -#define RSPAMD_FUZZY_SYMBOL_BLOCKED "FUZZY_BLOCKED" +#define RSPAMD_FUZZY_SYMBOL_FORBIDDEN "FUZZY_FORBIDDEN" #define RSPAMD_FUZZY_SYMBOL_RATELIMITED "FUZZY_RATELIMITED" #define DEFAULT_IO_TIMEOUT 1.0 @@ -1157,11 +1157,11 @@ int fuzzy_check_module_config(struct rspamd_config *cfg, bool validate) /* Register meta symbols (blocked, ratelimited, etc) */ rspamd_symcache_add_symbol(cfg->cache, - RSPAMD_FUZZY_SYMBOL_BLOCKED, 0, NULL, NULL, + RSPAMD_FUZZY_SYMBOL_FORBIDDEN, 0, NULL, NULL, SYMBOL_TYPE_VIRTUAL, cb_id); rspamd_config_add_symbol(cfg, - RSPAMD_FUZZY_SYMBOL_BLOCKED, + RSPAMD_FUZZY_SYMBOL_FORBIDDEN, 0.0, "Fuzzy access denied", "fuzzy", @@ -2518,7 +2518,7 @@ fuzzy_check_try_read(struct fuzzy_client_session *session) session->rule->name); } else if (rep->v1.value == 503) { - rspamd_task_insert_result(task, RSPAMD_FUZZY_SYMBOL_BLOCKED, 1.0, + rspamd_task_insert_result(task, RSPAMD_FUZZY_SYMBOL_FORBIDDEN, 1.0, session->rule->name); } else if (rep->v1.value == 401) { -- cgit v1.2.3 From 4375176d87c8da705dd40cef763c75e6fa716242 Mon Sep 17 00:00:00 2001 From: Vsevolod Stakhov Date: Thu, 5 Sep 2024 13:42:08 +0100 Subject: [Minor] Add `encryption_required` symbol --- src/plugins/fuzzy_check.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/src/plugins/fuzzy_check.c b/src/plugins/fuzzy_check.c index dd2347f19..6ca6f3459 100644 --- a/src/plugins/fuzzy_check.c 
+++ b/src/plugins/fuzzy_check.c @@ -51,6 +51,7 @@ #define DEFAULT_SYMBOL "R_FUZZY_HASH" #define RSPAMD_FUZZY_SYMBOL_FORBIDDEN "FUZZY_FORBIDDEN" #define RSPAMD_FUZZY_SYMBOL_RATELIMITED "FUZZY_RATELIMITED" +#define RSPAMD_FUZZY_SYMBOL_ENCRYPTION_REQUIRED "FUZZY_ENCRYPTION_REQUIRED" #define DEFAULT_IO_TIMEOUT 1.0 #define DEFAULT_RETRANSMITS 3 @@ -1180,6 +1181,18 @@ int fuzzy_check_module_config(struct rspamd_config *cfg, bool validate) 0, 1, 1); + rspamd_symcache_add_symbol(cfg->cache, + RSPAMD_FUZZY_SYMBOL_ENCRYPTION_REQUIRED, 0, NULL, NULL, + SYMBOL_TYPE_VIRTUAL, + cb_id); + rspamd_config_add_symbol(cfg, + RSPAMD_FUZZY_SYMBOL_ENCRYPTION_REQUIRED, + 0.0, + "Fuzzy encryption is required by a server", + "fuzzy", + 0, + 1, + 1); /* * Here we can have 2 possibilities: @@ -2514,6 +2527,7 @@ fuzzy_check_try_read(struct fuzzy_client_session *session) } } else if (rep->v1.value == 403) { + /* In fact, it should be 429, but we preserve compatibility */ rspamd_task_insert_result(task, RSPAMD_FUZZY_SYMBOL_RATELIMITED, 1.0, session->rule->name); } @@ -2521,6 +2535,10 @@ fuzzy_check_try_read(struct fuzzy_client_session *session) rspamd_task_insert_result(task, RSPAMD_FUZZY_SYMBOL_FORBIDDEN, 1.0, session->rule->name); } + else if (rep->v1.value == 415) { + rspamd_task_insert_result(task, RSPAMD_FUZZY_SYMBOL_ENCRYPTION_REQUIRED, 1.0, + session->rule->name); + } else if (rep->v1.value == 401) { if (cmd->cmd != FUZZY_CHECK) { msg_info_task( -- cgit v1.2.3 From fa45b8e629a26114deaade89fa4825e500691473 Mon Sep 17 00:00:00 2001 From: Vsevolod Stakhov Date: Thu, 5 Sep 2024 13:46:12 +0100 Subject: [Rework] Implement new replies logic on the server's side --- src/fuzzy_storage.c | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/src/fuzzy_storage.c b/src/fuzzy_storage.c index 5fd3303dc..e65fbb31a 100644 --- a/src/fuzzy_storage.c +++ b/src/fuzzy_storage.c 
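Review bot: The new `rep->v1.value == 415` branch in fuzzy_check_try_read only inserts a zero-score symbol, so a rule that talks to an encryption-only storage without encrypting will presumably keep sending cleartext commands with nothing in the log. The storage-side commit on this page returns 415 exactly when `encrypted_only` is set and the command was not encrypted, so this is a client misconfiguration worth surfacing. I would log it next to the symbol, the way the 401 branch just below uses `msg_info_task`, for example `msg_info_task("fuzzy storage for rule %s requires encrypted requests", session->rule->name);`. The enclosing function starts and ends outside the hunk.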
@@ -1464,7 +1464,14 @@ rspamd_fuzzy_process_command(struct fuzzy_session *session) if (session->ctx->encrypted_only && !encrypted) { /* Do not accept unencrypted commands */ - result.v1.value = 403; + result.v1.value = 415; + result.v1.prob = 0.0f; + rspamd_fuzzy_make_reply(cmd, &result, session, send_flags); + return; + } + + if (!rspamd_fuzzy_check_client(session->ctx, session->addr)) { + result.v1.value = 503; result.v1.prob = 0.0f; rspamd_fuzzy_make_reply(cmd, &result, session, send_flags); return; @@ -1487,23 +1494,24 @@ rspamd_fuzzy_process_command(struct fuzzy_session *session) } if (cmd->cmd == FUZZY_CHECK) { - bool can_continue = true; + bool is_rate_allowed = true; if (session->ctx->ratelimit_buckets) { if (session->ctx->ratelimit_log_only) { (void) rspamd_fuzzy_check_ratelimit(session); /* Check but ignore */ } else { - can_continue = rspamd_fuzzy_check_ratelimit(session); + is_rate_allowed = rspamd_fuzzy_check_ratelimit(session); } } - if (can_continue) { + if (is_rate_allowed) { REF_RETAIN(session); rspamd_fuzzy_backend_check(session->ctx->backend, cmd, rspamd_fuzzy_check_callback, session); } else { + /* Should be 429 but we keep compatibility */ result.v1.value = 403; result.v1.prob = 0.0f; result.v1.flag = 0; @@ -1574,7 +1582,7 @@ rspamd_fuzzy_process_command(struct fuzzy_session *session) result.v1.prob = 1.0f; } else { - result.v1.value = 403; + result.v1.value = 503; result.v1.prob = 0.0f; } reply: @@ -2041,11 +2049,6 @@ accept_fuzzy_socket(EV_P_ ev_io *w, int revents) if (MSG_FIELD(msg[i], msg_namelen) >= sizeof(struct sockaddr)) { client_addr = rspamd_inet_address_from_sa(MSG_FIELD(msg[i], msg_name), MSG_FIELD(msg[i], msg_namelen)); - if (!rspamd_fuzzy_check_client(worker->ctx, client_addr)) { - /* Disallow forbidden clients silently */ - rspamd_inet_address_free(client_addr); - continue; - } } else { client_addr = NULL; -- cgit v1.2.3
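Review bot: The new `rspamd_fuzzy_check_client` test in rspamd_fuzzy_process_command sits after the `encrypted_only` test and sends a reply, whereas the check removed from accept_fuzzy_socket in the last hunk dropped forbidden clients silently before any session work. Two consequences follow: a forbidden client sending an unencrypted command is told 415 rather than 503, and every datagram from a forbidden (or spoofed) source now costs a session plus an outgoing reply; whatever parsing or decryption happens before this point is outside the hunk. I would place `if (!rspamd_fuzzy_check_client(session->ctx, session->addr)) {` ahead of the `encrypted_only` block and consider whether replies to forbidden sources need their own limit. Also confirm the check tolerates a NULL address, since accept_fuzzy_socket still sets `client_addr = NULL` for a short `msg_namelen`; how that value reaches `session->addr` is not visible here.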
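Review bot: The `result.v1.value = 503;` in the `else` branch just before `reply:` reuses the value that the new forbidden-client check returns, so a client receiving 503 cannot tell an address ban from whatever refusal this branch represents (its condition is outside the hunk). The client side of this series maps 503 to FUZZY_FORBIDDEN only in fuzzy_check_try_read; if this branch serves other commands, check that their reply handler was moved off 403 as well. The literals 403, 415 and 503 are now spelled out independently in fuzzy_storage.c and fuzzy_check.c. Named constants in a header both files include would keep the two ends in step, e.g. `#define FUZZY_REPLY_FORBIDDEN 503` (name constructed for illustration).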