On Mon, Mar 15, 2010 at 11:57 PM, Sai Pullabhotla <[email protected]> wrote:
> I've been trying to implement white/black lists in FTP server and
> thought of running my findings/ideas with you guys.
>
> Currently, each listener can have a black list. There is NO white
> listing capability.

Is this IoListener or something specific to FtpServer? AFAIK, our filters are part of a chain and get applied at session level.

>
> I've been thinking, instead of having the black list IPs/Subnets,
> simply have an interface called IPFilter. Each listener can have at
> most one IPFilter. The IPFilter requires an implementation for a
> method named accept(), which tells if the client's connection should
> be accepted or rejected based on the IP address. This gives us the
> flexibility of having a black or white list, whichever is preferred by
> the server administrator. By default, we can ship a default
> implementation for IPFilter which can be a black or white filter. For
> example, in the spring configuration, instead of having a blacklist
> element, we would have an <ipFilter> element as shown below:
>
> <ipFilter type="whitelist|blacklist">
> 192.168.1.200/32, 192.168.1.201/32
> </ipFilter>
>
> The type attribute in the ipFilter element tells us if it should be a
> white or black list. The value for this attribute could be "whitelist"
> or "blacklist" or something similar such as BLOCK/PASS.
>
> I could not think of any good usage scenarios where one might want to
> have both white and black lists for a given listener. So, one IP
> Filter per listener should be good enough, unless you guys think
> otherwise.

me neither :)

>
> The above should work for users who want to run the FTP server
> out-of-the-box. People who want to override the default IP filter
> implementation could create a new class that implements the IPFilter
> interface and specify the class name(?) in the spring config or
> programmatically call the ListenerFactory.setIPFilter(IPFilter) method.
>
> Let me know what you guys think and we can decide on how best it
> should be implemented. I do have some time this week to work on this if
> we finalize on something.

One suggestion is to make the implementation more efficient.
The current MINA blacklist filter uses a List for storing IPs, and iterating through the list for each call is not efficient. So maybe ConcurrentHashMap would be a good idea for storing. However, this works fine for IPs. Need to think about Subnet and other stuff ;)

--
thanks
ashish
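As an added illustration (not FtpServer or MINA code, and not something either poster wrote), the following Java sketch shows the shape the thread proposes: a single accept() interface per listener, one implementation that is switched between whitelist and blacklist behaviour by a type string, and entries in the same "192.168.1.200/32, 192.168.1.201/32" form as the proposed <ipFilter> element. It also takes up the efficiency point: exact hosts (/32 or /128) go into a hash set for O(1) lookup, and only real subnets are kept in a list and matched by masking. The names IpFilter, CidrIpFilter and mask() are assumptions for this example.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/** Hypothetical interface in the shape the thread proposes: one filter per listener. */
interface IpFilter {
    boolean accept(InetAddress client);
}

/**
 * Hypothetical CIDR-based filter (example only, not the project's code).
 * type="whitelist" accepts only listed addresses; type="blacklist" rejects
 * listed addresses and accepts everything else. Entries are IP literals,
 * optionally with a /prefix, separated by commas.
 */
final class CidrIpFilter implements IpFilter {
    private final boolean whitelist;
    private final Set<String> hosts = new HashSet<>();     // exact addresses, O(1) lookup
    private final List<byte[]> nets = new ArrayList<>();   // network bytes, already masked
    private final List<Integer> prefixes = new ArrayList<>();

    CidrIpFilter(String type, String entries) throws UnknownHostException {
        if ("whitelist".equalsIgnoreCase(type)) {
            whitelist = true;
        } else if ("blacklist".equalsIgnoreCase(type)) {
            whitelist = false;
        } else {
            throw new IllegalArgumentException("type must be whitelist or blacklist: " + type);
        }
        for (String raw : entries.split(",")) {
            String e = raw.trim();
            if (e.isEmpty()) continue;
            int slash = e.indexOf('/');
            InetAddress addr = InetAddress.getByName(slash < 0 ? e : e.substring(0, slash));
            byte[] b = addr.getAddress();                  // 4 bytes for IPv4, 16 for IPv6
            int bits = slash < 0 ? b.length * 8 : Integer.parseInt(e.substring(slash + 1));
            if (bits < 0 || bits > b.length * 8) {
                throw new IllegalArgumentException("bad prefix length: " + e);
            }
            if (bits == b.length * 8) {                    // single host: hash it
                hosts.add(addr.getHostAddress());
                continue;
            }
            nets.add(mask(b, bits));                       // subnet: store masked network
            prefixes.add(bits);
        }
    }

    @Override
    public boolean accept(InetAddress client) {
        boolean listed = hosts.contains(client.getHostAddress()) || inSubnet(client.getAddress());
        // whitelist: accept iff listed; blacklist: accept iff NOT listed
        return whitelist == listed;
    }

    private boolean inSubnet(byte[] ip) {
        for (int i = 0; i < nets.size(); i++) {
            byte[] net = nets.get(i);
            if (net.length == ip.length && Arrays.equals(net, mask(ip, prefixes.get(i)))) {
                return true;
            }
        }
        return false;
    }

    /** Zero every bit beyond the first {@code bits} bits; works for IPv4 and IPv6. */
    static byte[] mask(byte[] addr, int bits) {
        byte[] out = addr.clone();
        for (int i = 0; i < out.length; i++) {
            int keep = Math.max(0, Math.min(8, bits - i * 8));  // bits to keep in this byte
            out[i] &= (byte) (0xFF << (8 - keep));
        }
        return out;
    }

    public static void main(String[] args) throws UnknownHostException {
        // Constructed sample configuration, mirroring the proposed <ipFilter> element.
        IpFilter deny = new CidrIpFilter("blacklist", "192.168.1.200/32, 10.0.0.0/8");
        IpFilter allow = new CidrIpFilter("whitelist", "192.168.1.0/24");
        System.out.println("blacklist 10.20.30.40    -> " + deny.accept(InetAddress.getByName("10.20.30.40")));
        System.out.println("blacklist 192.168.1.201  -> " + deny.accept(InetAddress.getByName("192.168.1.201")));
        System.out.println("whitelist 192.168.1.77   -> " + allow.accept(InetAddress.getByName("192.168.1.77")));
        System.out.println("whitelist 192.168.2.1    -> " + allow.accept(InetAddress.getByName("192.168.2.1")));
    }
}
```

The filter is immutable after construction, so a single instance can be shared across sessions without the ConcurrentHashMap the thread mentions; that map becomes relevant only if the list is to be edited at runtime. Subnets are still a linear scan, which is the part of the problem the reply flags as needing more thought; for a handful of subnet entries that scan is cheap, but a listener with hundreds of entries would want a prefix trie instead.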
