Hi,
>>>>> On Fri, 28 Jul 2006 15:39:38 +0000
>>>>> Emmanuel Dreyfus <manu@...> said:
manu> Checked in, with a few additional changes so that it builds...
It seems my patch was incomplete. Sorry for the mess.
manu> I'll roll out 2.1.9 so that everyone can test with your patches easily.
Thank you. It seems to be running well here.
When blacklisted holds an IPv6 address, we need to query the AAAA RR
instead of the A RR. Here is a patch with some cleanup.
Index: dnsrbl.c
diff -u -p dnsrbl.c.orig dnsrbl.c
--- dnsrbl.c.orig Sat Jul 29 00:41:51 2006
+++ dnsrbl.c Sat Jul 29 03:42:14 2006
@@ -103,10 +103,12 @@ dnsrbl_check_source(sa, salen, source)
int anslen;
ns_msg handle;
ns_rr rr;
- int i;
+ int qtype, i;
char *dnsrbl = source->d_domain;
struct sockaddr *blacklisted;
int retval = 0;
+ char *addr;
+ size_t len;
blacklisted = SA(&source->d_blacklisted);
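Review bot: `addr`, `len` and `qtype` are now function-scope and declared without initializers, unlike `retval = 0` just above them. Their assignment moves away from the `memcmp(addr, rr.rdata, len)` that consumes them, so initialise them at declaration (`addr = NULL`, `len = 0`) so that a later change which adds a path around the assignment fails visibly instead of comparing indeterminate bytes. `addr` is only read, so a `const` pointer would also fit.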
@@ -123,7 +125,27 @@ dnsrbl_check_source(sa, salen, source)
(void)strncat(req, ".", NS_MAXDNAME);
(void)strncat(req, dnsrbl, NS_MAXDNAME);
- anslen = res_nquery(&res, req, C_IN, T_A, ans, sizeof(ans));
+ switch (blacklisted->sa_family) {
+ case AF_INET:
+ qtype = T_A;
+ addr = (char *)SADDR4(blacklisted);
+ len = sizeof(*SADDR4(blacklisted));
+ break;
+#ifdef AF_INET6
+ case AF_INET6:
+ qtype = T_AAAA;
+ addr = (char *)SADDR6(blacklisted);
+ len = sizeof(*SADDR6(blacklisted));
+ break;
+#endif
+ default:
+ syslog(LOG_ERR, "unexpected address family %d",
+ blacklisted->sa_family);
+ exit(EX_SOFTWARE);
+ break;
+ }
+
+ anslen = res_nquery(&res, req, C_IN, qtype, ans, sizeof(ans));
if (anslen == -1)
goto end;
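Review bot: the `default:` branch calls `exit(EX_SOFTWARE)`, which takes the whole process down from inside a lookup routine because of one unexpected `sa_family` value; logging and then `goto end`, as the `anslen == -1` path just below does, would keep the process running, and the `break` after `exit` is unreachable. Separately, the context line `(void)strncat(req, dnsrbl, NS_MAXDNAME);` passes a fixed maximum as the third argument, but `strncat` treats that as the number of bytes to append, not as the size of `req`, so it does not bound the total length; the bound should be the space remaining in `req`.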
@@ -134,9 +156,6 @@ dnsrbl_check_source(sa, salen, source)
}
for (i = 0; i < ns_msg_count(handle, ns_s_an); i++) {
- char *addr;
- size_t len;
-
if ((ns_parserr(&handle, ns_s_an, i, &rr)) != 0) {
syslog(LOG_ERR, "ns_parserr failed: %s",
strerror(errno));
@@ -145,35 +164,16 @@ dnsrbl_check_source(sa, salen, source)
}
switch (blacklisted->sa_family) {
- case AF_INET: {
- struct sockaddr_in *sin;
-
+ case AF_INET:
if (rr.type != T_A)
continue;
-
- sin = SA4(blacklisted);
- addr = (char *)&sin->sin_addr;
- len = sizeof(sin->sin_addr);
break;
- }
#ifdef AF_INET6
- case AF_INET6: {
- struct sockaddr_in6 *sin6;
-
+ case AF_INET6:
if (rr.type != T_AAAA)
continue;
-
- sin6 = SA6(blacklisted);
- addr = (char *)&sin6->sin6_addr;
- len = sizeof(sin6->sin6_addr);
break;
- }
#endif
- default:
- syslog(LOG_ERR, "unexpected address family %d",
- blacklisted->sa_family);
- exit(EX_SOFTWARE);
- break;
}
if (memcmp(addr, rr.rdata, len) == 0) {
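Review bot: after this change the `switch` inside the loop only repeats the decision already stored in `qtype` and no longer has a `default:`, so it can be replaced by `if (rr.type != qtype) continue;`. The `memcmp(addr, rr.rdata, len)` that follows is reached after checking only `rr.type`; also comparing the record's data length (`ns_rr_rdlen(rr)`) against `len` before the `memcmp` would keep a short record from being compared over `len` bytes.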
> BTW, in the current implementation, an IPv6 address is also handled in
> the same manner as an IPv4 address. Perhaps it is wrong. But I have no
> idea how it should be handled. Are there any specifications around here
> for IPv6?
manu> I'm not aware of any IPv6 DNSRBL...
Okay. Then, I think we have two choices:
1) disable the DNSRBL query against an IPv6 address
2) make our own format for an IPv6 address
If we choose 2), I offer to use a format similar to the IPv6 PTR RR, like:
0.1.2.3.4.5.6.7.8.9.a.b.c.d.e.f.0.1.2.3.4.5.6.7.8.9.a.b.c.d.e.f.example.com.
If you like it, I'll implement it.
Sincerely,
--
Hajimu UMEMOTO @ Internet Mutual Aid Society Yokohama, Japan
ume@... ume@{,jp.}FreeBSD.org
http://www.imasy.org/~ume/
Re: [milter-greylist] milter-greylist 2.1.8 is available
2006-07-28 by Hajimu UMEMOTO
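The name format proposed under choice 2), as an added example in C that is not part of the original message or of milter-greylist: `rbl_query_name` is a hypothetical helper that builds the query name for either address family and bounds every write by the space left in the buffer. The sample address in `main` is constructed so that it yields the name shown in the message.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Added example: rbl_query_name() is a hypothetical helper, not milter-greylist
 * code. It writes "<reversed address>.<zone>" into out: reversed octets for
 * IPv4, reversed nibbles (as in an IPv6 PTR name) for IPv6.
 * Returns the name length, or -1 on a bad address or a too-small buffer. */
int rbl_query_name(const char *ip, const char *zone, char *out, size_t outlen)
{
	static const char hex[] = "0123456789abcdef";
	struct in_addr a4;
	struct in6_addr a6;
	size_t pos = 0;
	int i, n;
	if (inet_pton(AF_INET, ip, &a4) == 1) {
		const unsigned char *b = (const unsigned char *)&a4;
		n = snprintf(out, outlen, "%d.%d.%d.%d.", b[3], b[2], b[1], b[0]);
		if (n < 0 || (size_t)n >= outlen)
			return -1;
		pos = (size_t)n;
	} else if (inet_pton(AF_INET6, ip, &a6) == 1) {
		if (outlen < 64 + 1)	/* 32 nibbles, each followed by a dot */
			return -1;
		for (i = 15; i >= 0; i--) {	/* last byte first, low nibble first */
			out[pos++] = hex[a6.s6_addr[i] & 0x0f];
			out[pos++] = '.';
			out[pos++] = hex[a6.s6_addr[i] >> 4];
			out[pos++] = '.';
		}
	} else {
		return -1;
	}
	/* Bound the append by the space left, not by a fixed maximum. */
	n = snprintf(out + pos, outlen - pos, "%s", zone);
	if (n < 0 || (size_t)n >= outlen - pos)
		return -1;
	return (int)(pos + (size_t)n);
}

int main(void)
{
	char name[256];
	/* Constructed input: yields the example name given in the message. */
	if (rbl_query_name("fedc:ba98:7654:3210:fedc:ba98:7654:3210",
	    "example.com.", name, sizeof(name)) > 0)
		puts(name);
	return 0;
}
```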