From 709655fd55ea787f3aafdb10d991c0a0f9c52890 Mon Sep 17 00:00:00 2001 From: Vsevolod Stakhov Date: Tue, 14 Aug 2018 17:19:58 +0100 Subject: [Feature] Allow to get dkim signing data directly from HTTP headers --- src/plugins/lua/arc.lua | 24 +++++++++++++++--------- src/plugins/lua/dkim_signing.lua | 30 ++++++++++++++++++------------ 2 files changed, 33 insertions(+), 21 deletions(-) (limited to 'src') diff --git a/src/plugins/lua/arc.lua b/src/plugins/lua/arc.lua index ef6a11e71..30ae0cd19 100644 --- a/src/plugins/lua/arc.lua +++ b/src/plugins/lua/arc.lua @@ -549,16 +549,22 @@ local function arc_signing_cb(task) try_redis_key(p.selector) end else - if (p.key and p.selector) then - p.key = lua_util.template(p.key, {domain = p.domain, selector = p.selector}) - local exists,err = rspamd_util.file_exists(p.key) - if not exists then - if err and err == 'No such file or directory' then - lua_util.debugm(N, task, 'cannot read key from %s: %s', p.key, err) - else - rspamd_logger.warnx(N, task, 'cannot read key from %s: %s', p.key, err) + if ((p.key or p.rawkey) and p.selector) then + if p.key then + p.key = lua_util.template(p.key, { + domain = p.domain, + selector = p.selector + }) + + local exists,err = rspamd_util.file_exists(p.key) + if not exists then + if err and err == 'No such file or directory' then + lua_util.debugm(N, task, 'cannot read key from %s: %s', p.key, err) + else + rspamd_logger.warnx(N, task, 'cannot read key from %s: %s', p.key, err) + end + return false end - return false end local dret, hdr = dkim_sign(task, p) diff --git a/src/plugins/lua/dkim_signing.lua b/src/plugins/lua/dkim_signing.lua index 343fb8a84..99e1fca68 100644 --- a/src/plugins/lua/dkim_signing.lua +++ b/src/plugins/lua/dkim_signing.lua 
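Review bot: In the new `if p.key then` block a missing key file still ends with `return false` even when `p.rawkey` is also set, so a request that carries both never falls back to the raw key; the dkim_signing.lua hunk repeats the same shape. If file-over-raw precedence is intended, say so above the outer test, e.g. `-- p.key (file path) wins over p.rawkey; rawkey is only used when no path is set`. The raw-key path reaches `dkim_sign(task, p)` with no check at all in this hunk, and going by the commit subject that value arrives in HTTP headers, so it is worth confirming that the code which fills `p.rawkey` (not visible here) only accepts it from trusted clients. `arc_signing_cb` starts and continues outside the hunk.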
@@ -152,20 +152,26 @@ local function dkim_signing_cb(task) try_redis_key(p.selector) end else - if (p.key and p.selector) then - p.key = lua_util.template(p.key, { domain = p.domain, selector = p.selector}) - local exists,err = rspamd_util.file_exists(p.key) - if not exists then - if err and err == 'No such file or directory' then - lua_util.debugm(N, task, 'cannot read key from "%s": %s', p.key, err) - else - rspamd_logger.warnx(N, task, 'cannot read key from "%s": %s', p.key, err) + if ((p.key or p.rawkey) and p.selector) then + if p.key then + -- templates + p.key = lua_util.template(p.key, { + domain = p.domain, + selector = p.selector + }) + local exists,err = rspamd_util.file_exists(p.key) + if not exists then + if err and err == 'No such file or directory' then + lua_util.debugm(N, task, 'cannot read key from "%s": %s', p.key, err) + else + rspamd_logger.warnx(N, task, 'cannot read key from "%s": %s', p.key, err) + end + return false end - return false - end - lua_util.debugm(N, task, 'key found at "%s", use selector "%s" for domain "%s"', - p.key, p.selector, p.domain) + lua_util.debugm(N, task, 'key found at "%s", use selector "%s" for domain "%s"', + p.key, p.selector, p.domain) + end do_sign() else -- cgit v1.2.3 From c5da4b573a5348dbc5aaa68c0629021d38794d35 Mon Sep 17 00:00:00 2001 From: Vsevolod Stakhov Date: Wed, 15 Aug 2018 11:25:49 +0100 Subject: [Fix] Fix dynamic buckets in ratelimits --- src/plugins/lua/ratelimit.lua | 54 +++++++++++++++++++++++++------------------ 1 file changed, 31 insertions(+), 23 deletions(-) (limited to 'src') diff --git a/src/plugins/lua/ratelimit.lua b/src/plugins/lua/ratelimit.lua index acf5b9a8e..c6caf6d41 100644 --- a/src/plugins/lua/ratelimit.lua +++ b/src/plugins/lua/ratelimit.lua 
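Review bot: The raw-key branch signs without leaving any trace, because the `key found at ...` debug line now sits inside `if p.key then`. A matching line for the other case would keep signing decisions auditable, provided it names only the selector and domain and never the key material: `lua_util.debugm(N, task, 'use raw key, selector "%s" for domain "%s"', p.selector, p.domain)` in an `else` of `if p.key then`. `dkim_signing_cb` starts and ends outside the hunk.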
@@ -65,7 +65,7 @@ local settings = { local bucket_check_script = [[ local last = redis.call('HGET', KEYS[1], 'l') local now = tonumber(KEYS[2]) - local dynr, dynb = 0, 0 + local dynr, dynb, leaked = 0, 0, 0 if not last then -- New bucket redis.call('HSET', KEYS[1], 'l', KEYS[2]) @@ -73,7 +73,7 @@ local bucket_check_script = [[ redis.call('HSET', KEYS[1], 'dr', '10000') redis.call('HSET', KEYS[1], 'db', '10000') redis.call('EXPIRE', KEYS[1], KEYS[5]) - return {0, 0, 1, 1} + return {0, '0', '1', '1', '0'} end last = tonumber(last) @@ -84,9 +84,10 @@ local bucket_check_script = [[ local rate = tonumber(KEYS[3]) dynr = tonumber(redis.call('HGET', KEYS[1], 'dr')) / 10000.0 rate = rate * dynr - local leaked = ((now - last) * rate) + leaked = ((now - last) * rate) burst = burst - leaked redis.call('HINCRBYFLOAT', KEYS[1], 'b', -(leaked)) + redis.call('HSET', KEYS[1], 'l', KEYS[2]) end else burst = 0 @@ -95,11 +96,11 @@ local bucket_check_script = [[ dynb = tonumber(redis.call('HGET', KEYS[1], 'db')) / 10000.0 - if (burst + 1) * dynb > tonumber(KEYS[4]) then - return {1, tostring(burst), tostring(dynr), tostring(dynb)} + if (burst + 1) > tonumber(KEYS[4]) * dynb then + return {1, tostring(burst), tostring(dynr), tostring(dynb), tostring(leaked)} end - return {0, tostring(burst), tostring(dynr), tostring(dynb)} + return {0, tostring(burst), tostring(dynr), tostring(dynb), tostring(leaked)} ]] local bucket_check_id 
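Review bot: The new-bucket return `{0, '0', '1', '1', '0'}` and the two returns at the end of the script mix an integer status with stringified numbers, and nothing in the script says why. Redis truncates Lua numbers to integers when it converts a script reply, which is presumably the reason for `tostring`; a comment at the first return would stop someone tidying the quotes away later, for example `-- reply: {exceeded, burst, dynr, dynb, leaked}; floats go out as strings because Redis truncates Lua numbers`. The caller reads these positions by index (`data[2]` to `data[5]` in `ratelimit_cb`), so the field order deserves to be written down in one place.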
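Review bot: Moving `dynb` to the right-hand side in `if (burst + 1) > tonumber(KEYS[4]) * dynb then` reverses what a small multiplier does: a `db` value near zero used to mean the limit was never exceeded and now means every message exceeds it. Whether `db` can get that low depends on the script that updates it, which is not in this hunk, so either bound it where it is written or clamp it here before the comparison, e.g. `if dynb < 0.01 then dynb = 0.01 end` (the floor is a placeholder to be chosen). A one-line comment stating that `dynb` scales the bucket capacity rather than the current burst would also help.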
@@ -461,28 +462,35 @@ local function ratelimit_cb(task) return function(err, data) if err then rspamd_logger.errx('cannot check limit %s: %s %s', prefix, err, data) - elseif type(data) == 'table' and data[1] and data[1] == 1 then - -- set symbol only and do NOT soft reject - if settings.symbol then - task:insert_result(settings.symbol, 0.0, lim_name .. "(" .. prefix .. ")") + elseif type(data) == 'table' and data[1] then + lua_util.debugm(N, task, + "got reply for limit %s (%s / %s); %s burst, %s:%s dyn, %s leaked", + prefix, bucket.burst, bucket.rate, + data[2], data[3], data[4], data[5]) + + if data[1] == 1 then + -- set symbol only and do NOT soft reject + if settings.symbol then + task:insert_result(settings.symbol, 0.0, lim_name .. "(" .. prefix .. ")") + rspamd_logger.infox(task, + 'set_symbol_only: ratelimit "%s(%s)" exceeded, (%s / %s): %s (%s:%s dyn)', + lim_name, prefix, + bucket.burst, bucket.rate, + data[2], data[3], data[4]) + return + -- set INFO symbol and soft reject + elseif settings.info_symbol then + task:insert_result(settings.info_symbol, 1.0, + lim_name .. "(" .. prefix .. ")") + end rspamd_logger.infox(task, - 'set_symbol_only: ratelimit "%s(%s)" exceeded, (%s / %s): %s (%s:%s dyn)', + 'ratelimit "%s(%s)" exceeded, (%s / %s): %s (%s:%s dyn)', lim_name, prefix, bucket.burst, bucket.rate, data[2], data[3], data[4]) - return - -- set INFO symbol and soft reject - elseif settings.info_symbol then - task:insert_result(settings.info_symbol, 1.0, - lim_name .. "(" .. prefix .. ")") + task:set_pre_result('soft reject', + message_func(task, lim_name, prefix, bucket)) end - rspamd_logger.infox(task, - 'ratelimit "%s(%s)" exceeded, (%s / %s): %s (%s:%s dyn)', - lim_name, prefix, - bucket.burst, bucket.rate, - data[2], data[3], data[4]) - task:set_pre_result('soft reject', - message_func(task, lim_name, prefix, bucket)) end end end -- cgit v1.2.3 From 729f6d3df5c1fb31c5e6801ab30474d8e16004f1 Mon Sep 17 00:00:00 2001 
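Review bot: The comment `-- set INFO symbol and soft reject` sits at the end of the `if settings.symbol then` branch, directly after its `return`, so it reads as part of the symbol-only path; it belongs under the `elseif settings.info_symbol then` line. That `return` is also the only thing keeping the symbol-only case from falling through to `task:set_pre_result('soft reject', ...)`, which is easy to lose in a later edit and deserves its own comment such as `-- symbol-only mode: stop here, no pre-result`. Separately, the `if err then` branch only logs, so a Redis failure lets the message through unlimited; if that fail-open choice is deliberate, a comment saying so would help whoever triages the `cannot check limit` errors. The callback's enclosing function starts outside the hunk.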
From: Vsevolod Stakhov Date: Wed, 15 Aug 2018 12:17:15 +0100 Subject: [Feature] Add more ratelimits: by digest, by attachments data, by filenames --- src/plugins/lua/ratelimit.lua | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) (limited to 'src') diff --git a/src/plugins/lua/ratelimit.lua b/src/plugins/lua/ratelimit.lua index c6caf6d41..59f3c0522 100644 --- a/src/plugins/lua/ratelimit.lua +++ b/src/plugins/lua/ratelimit.lua @@ -335,6 +335,48 @@ local keywords = { return task:get_principal_recipient() end, }, + ['digest'] = { + ['get_value'] = function(task) + return task:get_digest() + end, + }, + ['attachments'] = { + ['get_value'] = function(task) + local parts = task:get_parts() or E + local digests = {} + + for _,p in ipairs(parts) do + if p:get_filename() then + table.insert(digests, p:get_digest()) + end + end + + if #digests > 0 then + return table.concat(digests, '') + end + + return nil + end, + }, + ['files'] = { + ['get_value'] = function(task) + local parts = task:get_parts() or E + local files = {} + + for _,p in ipairs(parts) do + local fname = p:get_filename() + if fname then + table.insert(files, fname) + end + end + + if #files > 0 then + return table.concat(files, ':') + end + + return nil + end, + }, } local function gen_rate_key(task, rtype, bucket) -- cgit v1.2.3 From 65ebfc1f05358ed000e33c8a09c4df1fc0138255 Mon Sep 17 00:00:00 2001 From: Mikhail Galanin Date: Wed, 15 Aug 2018 15:09:36 +0100 Subject: [Minor] kh_foreach should not be used with hash sets, it couses segfault on -O0 -fno-omit-frame-pointer. See kh_val() description --- src/libserver/events.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) (limited to 'src') diff --git a/src/libserver/events.c b/src/libserver/events.c index f62005b96..bff35351f 100644 --- a/src/libserver/events.c +++ b/src/libserver/events.c 
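Review bot: The `files` and `attachments` values are built in part order (`table.concat(files, ':')`, `table.concat(digests, '')`), so the same set of attachments arriving in a different order gets a different bucket and the limit does not aggregate across them; a `table.sort(files)` / `table.sort(digests)` before the concat makes the value order-independent. The `files` value is also made of raw sender-supplied filenames of unbounded length, and a ':' inside a name makes the joined string ambiguous. If this value ends up in the Redis key and in the `lim_name .. "(" .. prefix .. ")"` symbol option and log lines seen in `ratelimit_cb` (the path from `get_value` to `prefix` is not visible here), hashing the joined string to a fixed-length digest would be safer than using it verbatim.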
@@ -309,14 +309,17 @@ void rspamd_session_cleanup (struct rspamd_async_session *session) { struct rspamd_async_event *ev; - gchar t; + int i; if (session == NULL) { msg_err ("session is NULL"); return; } - kh_foreach (session->events, ev, t, { + for (i = kh_begin (session->events); i != kh_end (session->events); i ++) { + if (!kh_exist (session->events, i)) continue; + ev = kh_key (session->events, i); + /* Call event's finalizer */ msg_debug_session ("removed event on destroy: %p, subsystem: %s", ev->user_data, @@ -325,9 +328,7 @@ rspamd_session_cleanup (struct rspamd_async_session *session) if (ev->fin != NULL) { ev->fin (ev->user_data); } - }); - - (void)t; + } kh_clear (rspamd_events_hash, session->events); } -- cgit v1.2.3
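Review bot: `int i` is compared against `kh_end (session->events)`, which is an unsigned `khint_t`, so the loop mixes signed and unsigned values; khash provides `khiter_t` for exactly this and the declaration should be `khiter_t i;`. The loop also calls `ev->fin (ev->user_data)` while walking the table, which is only cleared afterwards by `kh_clear`. If a finalizer can add or remove events on the same session (not visible in this hunk), a resize during the walk would leave `i` indexing freed buckets, so that assumption is worth a comment above the loop. The end of the loop and the rest of `rspamd_session_cleanup` are in the following hunk.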