Commit b7e59198 authored by Robert Anderson

Better peer type detection



- Store peer type unix/tcp
- Check whether peer type is tcp or unix before running certain checks

Change-Id: I2c61d3db936aac8093862df487572955d18110fd
Signed-off-by: Robert Anderson <randerson@lbsd.net>
parent 6665dda6
......@@ -396,9 +396,14 @@ sub policySourceItemMatches
$server->log(LOG_WARN,"[POLICIES] $debugTxt: - Resolved source '$item' to a PEER IP/CIDR specification, but its INVALID: ".awitpt::netip::Error());
next;
}
# Check if IP is within the range
$res = $sessionData->{'_PeerAddress'}->is_within($matchRange);
$server->log(LOG_DEBUG,"[POLICIES] $debugTxt: - Resolved source '$item' to a PEER IP/CIDR specification, match = $res") if ($log);
if ($server->{'server'}->{'peer_type'} eq "TCP") {
# Check if IP is within the range
$res = $sessionData->{'_PeerAddress'}->is_within($matchRange);
$server->log(LOG_DEBUG,"[POLICIES] $debugTxt: - Resolved source '$item' to a PEER IP/CIDR specification, match = $res") if ($log);
} else {
$server->log(LOG_WARN,"[POLICIES] $debugTxt: - Trying to match source '$item' to a PEER IP/CIDR specification when peer type is '".$server->{'server'}->{'peer_type'}."'") if ($log);
next;
}
# Match SASL user, must be above email addy to match SASL usernames in the same format as email addies
......
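Review bot: The LOG_WARN added in the new else-branch (`Trying to match source '$item' to a PEER IP/CIDR specification when peer type is ...`) is gated on the same `if ($log)` switch as the LOG_DEBUG line above it, so a policy source that can never match because the daemon is serving a UNIX socket stays silent unless module debug logging is enabled. A rule/listener mismatch is a configuration error and deserves an unconditional warning: drop the trailing `if ($log)` from that line and leave the debug line gated as it is. The `next` that follows is the right fail-closed outcome, since the item simply does not match. policySourceItemMatches begins and ends outside this hunk.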
......@@ -121,6 +121,16 @@ sub getSessionDataFromRequest
my $sessionData;
# Requesting server address, we need this before the policy call. Only do this for TCP
if ($server->{'server'}->{'peer_type'} eq "TCP") {
$sessionData->{'PeerAddress'} = $request->{'_peer_address'};
$sessionData->{'_PeerAddress'} = new awitpt::netip($sessionData->{'PeerAddress'});
if (!defined($sessionData->{'_PeerAddress'})) {
$server->log(LOG_ERR,"[TRACKING] Failed to understand PeerAddress: ".awitpt::netip::Error());
return -1;
}
}
# Check protocol
if ($request->{'_protocol_transport'} eq "Postfix") {
my $initSessionData = 0;
......@@ -224,14 +234,7 @@ sub getSessionDataFromRequest
$sessionData->{'RecipientData'} = "";
}
# Requesting server address, we need this before the policy call
$sessionData->{'PeerAddress'} = $request->{'_peer_address'};
$sessionData->{'_PeerAddress'} = new awitpt::netip($sessionData->{'PeerAddress'});
if (!defined($sessionData->{'_PeerAddress'})) {
$server->log(LOG_ERR,"[TRACKING] Failed to understand PeerAddress: ".awitpt::netip::Error());
return -1;
}
# and client address...
# Set client address..
$sessionData->{'_ClientAddress'} = new awitpt::netip($sessionData->{'ClientAddress'});
if (!defined($sessionData->{'_ClientAddress'})) {
$server->log(LOG_ERR,"[TRACKING] Failed to understand ClientAddress: ".awitpt::netip::Error());
......@@ -272,14 +275,8 @@ sub getSessionDataFromRequest
# Check for HTTP protocol transport
} elsif ($request->{'_protocol_transport'} eq "HTTP") {
# Requesting server address, we need this before the policy call
$sessionData->{'PeerAddress'} = $request->{'_peer_address'};
$sessionData->{'_PeerAddress'} = new awitpt::netip($sessionData->{'PeerAddress'});
if (!defined($sessionData->{'_PeerAddress'})) {
$server->log(LOG_ERR,"[TRACKING] Failed to understand PeerAddress: ".awitpt::netip::Error());
return -1;
}
# and client address...
# Set client address..
$sessionData->{'ClientAddress'} = $request->{'client_address'};
$sessionData->{'_ClientAddress'} = new awitpt::netip($sessionData->{'ClientAddress'});
if (!defined($sessionData->{'_ClientAddress'})) {
......
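Review bot: After this change `$sessionData->{'PeerAddress'}` and `$sessionData->{'_PeerAddress'}` are populated only when `$server->{'server'}->{'peer_type'}` is "TCP" (the new block at the top of the first hunk), but nothing in getSessionDataFromRequest records that contract, and the Postfix and HTTP branches that used to set them unconditionally now rely on it silently. A comment above the new block would spare the next reader a trip through every consumer: `# PeerAddress/_PeerAddress are set only for TCP peers; requests over a UNIX socket leave both undef, so callers must check peer_type before using them.` Since the block is being rewritten anyway, `awitpt::netip->new(...)` is preferable to the indirect-object form `new awitpt::netip(...)` on the new lines. getSessionDataFromRequest continues outside these hunks.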
......@@ -388,6 +388,22 @@ sub process_request {
my $server = $self->{'server'};
my $log = defined($self->{'config'}{'logging'}{'modules'});
# Check for unix/tcp peer and set peer_type
my $sock = $self->{'server'}->{'client'};
if ($sock->NS_proto eq 'UNIX') {
$server->{'peer_type'} = "UNIX";
# Some defaults for debugging, these are undef if UNIX
$server->{'peeraddr'} = "";
$server->{'peerport'} = $sock->NS_unix_path;
$server->{'sockaddr'} = "";
$server->{'sockport'} = "";
} elsif ($sock->NS_proto eq 'TCP') {
$server->{'peer_type'} = "TCP";
} else {
$self->log(LOG_WARN,"[CBPOLICYD] Unknown peer type, expected UNIX / TCP. Rejecting.");
return;
}
# How many times did we pipeline...
my $policyRequests = 0;
......@@ -492,8 +508,12 @@ CONN_READ:
$request->{'sasl_username'} = lc($request->{'sasl_username'}) if (defined($request->{'sasl_username'}));
# Internal data
$request->{'_peer_address'} = $server->{'peeraddr'};
$request->{'_timestamp'} = time();
# If this is a TCP peer type then it has a peer address
if ($server->{'peer_type'} eq "TCP") {
$request->{'_peer_address'} = $server->{'peeraddr'};
}
# Check if we got connected, if not ... bypass
......
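Review bot: The comment `# Some defaults for debugging, these are undef if UNIX` in the UNIX branch of process_request does not describe the assignments under it, which set `peeraddr`, `sockaddr` and `sockport` to "" and store the socket path in `peerport`, a field whose name suggests a number. Rewording it to `# These are undef for UNIX peers; use "" so later logging does not warn, and keep the socket path in peerport for diagnostics` (assuming that is the intent) makes the choice look deliberate rather than accidental. The `eq 'TCP'` test also means a TLS-wrapped listener, whose `NS_proto` reports 'SSL' rather than 'TCP' in Net::Server if I read it right, would land in the "Unknown peer type" branch and be rejected; if TLS listeners are ever configured the TCP branch should accept both, otherwise a short comment noting the restriction is worthwhile. The reject path logging and returning without a response is a sound fail-closed default. The rest of process_request is outside these hunks.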