I've been trying to implement white/black lists in FTP server and
thought of running my findings/ideas with you guys.

Currently, each listener can have a black list. There is NO white
listing capability.

I've been thinking, instead of having the black list IPs/Subnets,
simply have an interface called IPFilter. Each listener can have at
most one IPFilter. The IPFilter requires an implementation for a
method named accept(), which tells if the client's connection should
be accepted or rejected based on the IP address. This gives us the
flexibility of having a black or white list, whichever is preferred by
the server administrator. By default, we can ship default
implementation for IPFilter which can be a black or white filter. For
example, in the spring configuration, instead of having a blacklist
element, we would have a <ipFilter> element as shown below:

<ipFilter type="whitelist|blacklist">
     192.168.1.200/32, 192.168.1.201/32
</ipFilter>

The type attribute in the ipFilter element tells us if it should be a
white or black list. The value for this attribute could be "whitelist"
or "blacklist" or something similar such as BLOCK/PASS.

I could not think of any good usage scenarios where one might want to
have both white and black lists for a given listener. So, one IP
Filter per listener should be good enough, unless you guys think
otherwise.

The above should work for users who want to run the FTP server
out-of-the-box. For people who want to override the default IP filter
implementation, they could create a new class that implements the IPFilter
interface and specify the class name(?) in the spring config or
programmatically call ListenerFactory.setIPFilter(IPFilter) method.

Let me know what you guys think and we can decide on how best it
should be implemented. I do have some time this week to work on this if
we finalize on something.

Thanks & Regards,
Sai Pullabhotla

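As an added example, not part of the original message or of the FtpServer code base: a Java sketch of the proposed IPFilter interface (single accept() method, one filter per listener) with one CIDR-backed implementation that can act as either a whitelist or a blacklist, parsing the same comma-separated "192.168.1.200/32, 192.168.1.201/32" list shown in the <ipFilter> element above. Everything except the IPFilter name and its accept() method (the CidrIPFilter class, its Type enum, the demo class) is an assumption made for illustration. Note the security-relevant default: a whitelist with no entries rejects every connection, which is the safe outcome when a config value is mistyped.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.List;

/** Proposed listener hook: decide from the peer address alone whether to accept a connection. */
interface IPFilter {
    boolean accept(InetAddress address);
}

/**
 * Hypothetical CIDR-based filter. WHITELIST passes only listed networks;
 * BLACKLIST passes everything except listed networks.
 */
final class CidrIPFilter implements IPFilter {
    enum Type { WHITELIST, BLACKLIST }

    /** One network/prefix entry, compared byte-wise so IPv4 and IPv6 both work. */
    private static final class Cidr {
        final byte[] network;
        final int prefix;
        Cidr(byte[] network, int prefix) { this.network = network; this.prefix = prefix; }

        boolean contains(byte[] addr) {
            if (addr.length != network.length) return false; // v4 entry never matches v6 peer and vice versa
            int fullBytes = prefix / 8;
            for (int i = 0; i < fullBytes; i++) {
                if (addr[i] != network[i]) return false;
            }
            int rem = prefix % 8;
            if (rem == 0) return true;
            int mask = (0xFF << (8 - rem)) & 0xFF;
            return (addr[fullBytes] & mask) == (network[fullBytes] & mask);
        }
    }

    private final Type type;
    private final List<Cidr> entries = new ArrayList<>();

    /**
     * Parses the comma-separated CIDR list as it would appear in the config element.
     * Entries are expected to be literal addresses; InetAddress.getByName() on a literal
     * does no DNS lookup, and Java normalises IPv4-mapped IPv6 literals to Inet4Address.
     */
    CidrIPFilter(Type type, String cidrList) throws UnknownHostException {
        this.type = type;
        for (String raw : cidrList.split(",")) {
            String item = raw.trim();
            if (item.isEmpty()) continue;
            String[] parts = item.split("/", 2);
            byte[] net = InetAddress.getByName(parts[0]).getAddress();
            int prefix = parts.length == 2 ? Integer.parseInt(parts[1]) : net.length * 8;
            if (prefix < 0 || prefix > net.length * 8) {
                throw new IllegalArgumentException("bad prefix length in " + item);
            }
            entries.add(new Cidr(net, prefix));
        }
    }

    @Override
    public boolean accept(InetAddress address) {
        byte[] addr = address.getAddress();
        boolean listed = false;
        for (Cidr c : entries) {
            if (c.contains(addr)) { listed = true; break; }
        }
        // Whitelist: pass only when listed (an empty whitelist rejects everyone).
        // Blacklist: pass unless listed (an empty blacklist accepts everyone).
        return type == Type.WHITELIST ? listed : !listed;
    }
}

public class IPFilterDemo {
    public static void main(String[] args) throws UnknownHostException {
        // Constructed sample configuration values, mirroring the proposed <ipFilter> element.
        IPFilter white = new CidrIPFilter(CidrIPFilter.Type.WHITELIST, "192.168.1.200/32, 192.168.1.201/32");
        IPFilter black = new CidrIPFilter(CidrIPFilter.Type.BLACKLIST, "10.0.0.0/8, 2001:db8::/32");
        IPFilter emptyWhite = new CidrIPFilter(CidrIPFilter.Type.WHITELIST, "");

        String[] peers = { "192.168.1.200", "192.168.1.202", "10.42.0.7", "2001:db8::1", "203.0.113.9" };
        for (String p : peers) {
            InetAddress a = InetAddress.getByName(p);
            System.out.printf("%-14s whitelist=%-5b blacklist=%-5b emptyWhitelist=%b%n",
                    p, white.accept(a), black.accept(a), emptyWhite.accept(a));
        }
    }
}
```

Running the demo shows 192.168.1.200 passing the whitelist and 192.168.1.202 failing it, 10.42.0.7 and 2001:db8::1 failing the blacklist, and every peer failing the empty whitelist. If the filter is wired in via a Spring `class` attribute as the message suggests, the server should treat a failure to construct the filter as fatal rather than falling back to "no filter", since a listener that silently starts unfiltered is the failure mode an administrator is least likely to notice.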