On Sun, 21 Oct 2007, Tobias J. Kreidl wrote:
> Sorry if this is trivial, but I searched all over to try to find an
> answer to this and didn't see one in the documentation, the list archives
> or via Google searches, or in the source code...
>
> If one has a subnet defined in the whitelist table, such as:
>
> 192.168.100.%
>
> but you want to except specifically an address or two within that subnet,
> like 192.168.100.24, can this be done? I don't want to blacklist that
> address, either, I just want it to be examined like any other address
> that's not specifically listed anywhere. Note that Postfix' anvil will
> take the first match in the smtpd_client_event_limit_exceptions list, and
> recognizes the syntax "!192.168.100.24" as being an exception as long as
> it's put before the global one (in other words, the decision is made on
> the first match). Will policyd do the same? If not, could this please be
> considered for incorporation as a feature in a future release?
>
> Thanks,
> --Tobias
>
I believe this would be quite easy to implement. Assuming one only wants
to create exceptions from IP address octets, as mentioned before, the
whitelist table simply needs entries, for example, of the form:

    !192.168.100.24 in reference to 192.168.100.%
or
    !192.168.100.% in reference to 192.168.%.%

and the change in whitelist.c would simply have to be in one line, from:

    /* build up & execute query */
    snprintf(mysqlquery_array[fd], 512,
      "SELECT COUNT(*) FROM whitelist WHERE _whitelist='%s' OR _whitelist='%s' OR _whitelist='%s' OR _whitelist='%s'",
      host_array[fd][2], host_array[fd][3], host_array[fd][4], host_array[fd][5]);

to:

    /* build up & execute query */
    snprintf(mysqlquery_array[fd], 512,
      "SELECT COUNT(*) FROM whitelist WHERE _whitelist='%s' OR _whitelist='%s' OR _whitelist='%s' OR _whitelist='%s' AND _whitelist!='!%s'",
      host_array[fd][2], host_array[fd][3], host_array[fd][4], host_array[fd][5]);

I did some experiments with putting in exceptions into the whitelist table
and doing queries on them, and this seems to work. I imagine it could also
work with whitelisted dnsnames in a similar way.

Is there anyone else who has run into this situation and is interested in
this sort of adaptation?

--Tobias
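An added check, not code from policyd or from the post above: the modified WHERE clause and a lookup that honours "!" entries, run against a constructed table. Python's in-memory SQLite stands in for the MySQL whitelist table; the four lookup forms, the value bound to the fifth placeholder, and the rule that the most specific matching entry decides are assumptions of this example.

```python
import sqlite3

def forms(ip):
    # Assumed lookup keys: the full address plus the three '%' forms from the thread.
    o = ip.split(".")
    return [ip, f"{o[0]}.{o[1]}.{o[2]}.%", f"{o[0]}.{o[1]}.%.%", f"{o[0]}.%.%.%"]

def proposed_count(db, ip):
    # The thread's modified WHERE clause. Its fifth placeholder has no argument
    # in the post; the full client address is assumed here.
    sql = ("SELECT COUNT(*) FROM whitelist WHERE _whitelist=? OR _whitelist=? "
           "OR _whitelist=? OR _whitelist=? AND _whitelist!=?")
    return db.execute(sql, forms(ip) + ["!" + ip]).fetchone()[0]

def is_whitelisted(db, ip):
    # One query fetches plain and '!' rows for every form; the most specific
    # form present decides, and at equal specificity the exception wins.
    keys = forms(ip)
    marks = ",".join("?" * (2 * len(keys)))
    sql = f"SELECT _whitelist FROM whitelist WHERE _whitelist IN ({marks})"
    found = {r[0] for r in db.execute(sql, keys + ["!" + k for k in keys])}
    for key in keys:                      # most specific first
        if "!" + key in found:
            return False                  # excepted: handled like an unlisted client
        if key in found:
            return True
    return False

def sample_db():
    # Constructed sample table, not data from the thread.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE whitelist (_whitelist TEXT)")
    db.executemany("INSERT INTO whitelist VALUES (?)",
                   [("192.168.100.%",), ("!192.168.100.24",),
                    ("10.1.%.%",), ("!10.1.2.%",), ("10.1.2.9",)])
    return db

if __name__ == "__main__":
    db = sample_db()
    for ip in ("192.168.100.7", "192.168.100.24", "10.1.2.3", "10.1.2.9", "172.16.0.1"):
        print(ip, proposed_count(db, ip), is_whitelisted(db, ip))
```

On this table proposed_count still returns 1 for 192.168.100.24: the != test is evaluated against each row on its own, and the 192.168.100.% row passes it, so a COUNT(*) over a single WHERE clause cannot see the exception row.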