Return-Path: Delivered-To: apmail-httpd-dev-archive@www.apache.org Received: (qmail 7184 invoked from network); 3 Aug 2005 21:04:01 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199) by minotaur.apache.org with SMTP; 3 Aug 2005 21:04:01 -0000 Received: (qmail 68582 invoked by uid 500); 3 Aug 2005 21:03:56 -0000 Delivered-To: apmail-httpd-dev-archive@httpd.apache.org Received: (qmail 68540 invoked by uid 500); 3 Aug 2005 21:03:55 -0000 Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list dev@httpd.apache.org Received: (qmail 68527 invoked by uid 99); 3 Aug 2005 21:03:55 -0000 Received: from asf.osuosl.org (HELO asf.osuosl.org) (140.211.166.49) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 03 Aug 2005 14:03:55 -0700 X-ASF-Spam-Status: No, hits=0.2 required=10.0 tests=DATE_IN_PAST_06_12 X-Spam-Check-By: apache.org Received-SPF: pass (asf.osuosl.org: local policy) Received: from [69.55.224.148] (HELO mail.pc9.org) (69.55.224.148) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 03 Aug 2005 14:03:45 -0700 Received: by mail.pc9.org (Postfix, from userid 82) id 9236D15051; Wed, 3 Aug 2005 14:03:53 -0700 (PDT) Received: from localhost (mail [69.55.224.148]) by mail.pc9.org (Postfix) with SMTP id 6530C14FDE for ; Wed, 3 Aug 2005 14:03:53 -0700 (PDT) From: "Jem Berkes" To: dev@httpd.apache.org Subject: Re: mod_dnsbl_lookup 0.90 Date: Wed, 03 Aug 2005 14:03:53 +0000 Message-ID: <1123103033349.jb-httpd@pc9.org> Content-Type: text/plain; charset=iso-8859-1 X-Mailer: Null Webmail / 0.8.4 X-SenderIP: 130.179.133.240 X-Filtered-With: renattach 1.2.3 X-RenAttach-Info: mode=badlist action=rename count=0 X-Virus-Checked: Checked by ClamAV on apache.org X-Spam-Rating: minotaur.apache.org 1.6.2 0/1000/N Sorry for the slow replies, our phone landline +internet is dead and the telco [TSX: MBT] won't fix it for a week. Terrible for getting work done. > Cool. I'd split dnsbl_zones into ipv4_dnsbl_zones and ipv6_dnsbl_zones > and have the DnsblZones directive work like; > > DnsblIPv4Zones > DnsblIPv6Zones That's a good idea, I suspected IPv6 RBLs might exist :) I'll add the IPv6 support. > dnsbl_lookup_query() takes an IP address argument as a string, but it > would probably be a lot better to take it as an apr_sockaddr_t, since > that's an IP version agnostic format, and is generally the way an Apache > module would have the address available to it. The problem this introduces is when looking up RHSBLs, which operate on host names or domain names instead of IP address. Would you recommend different functions for DNSBL (pass an IP) and RHSBL (pass a hostname or domain name)? > Passing it around in binary format also helps you avoid using sscanf and > the associated reentrancy problems on many platforms. I did not know there were reentrancy problems with sscanf. strtok I know. > The implementation is neat, but it could also do with efficiency being > in mind, IME (I help run a very large RBL) rbl lookups tend to be a big > source of latency during request/mail handling and it's worth making the > effort to go a bit further :) Yes, I am going to add some caching for recent queries. I thought at first that the resolver already does this but as far as I can tell, it does not do any caching. > Although the dnsbl_lookup_query() function's output is comprehensive, > perhaps more useful and efficient would be to supply a framework for > allowing modules to check DNSBL's in a boolean manner. As-is the code > scans every registered RBL, even if one flags an address as listed. > That's super in-efficient for the majority case, and there's no > application level caching, which tends to be a must for most > implementations (even if it is only per-request, like Exim's or > sendmail's implementations for example). I agree. What I've started can probably be taken much further but I want to put the basic layers there first. I'll split up the code so it will be easier to modify later to not query all at once. > Part of the lack of boolean-checking reveals another problem, how are > other modules supposed to know what constitutes a positive for a > particular RBL? What constitutes a positive depends entirely on the particular RBL's policy. Some RBLs are whitelists themselves, so if an IP or domain matches then it should NOT be blocked.