[rbldnsd] Excluding a CIDR range
Matthew Sullivan
matthew at sorbs.net
Fri Dec 2 02:15:33 MSK 2005
Chris Gabe wrote:
> Matthew Sullivan wrote:
>
>> Chris Gabe wrote:
>>
>>> It seems that the ! directive works only on individual ip addresses,
>>> not address ranges.
>>> I need to exclude a long list of CIDRs, effectively something like this
>>> !1.2/16
>>> !3.4.5/24
>>> .... (many more entries)
>>> Short of expanding these all out, is there any way to effect this?
>>>
>> This one can be answered in the archives...
>>
>> exclusions will always work if the CIDR mask is smaller than 24 (ie
>> 25 -> 32). However because of the way rbldnsd stores each entry
>> internally if you have the following:
>>
>> 1.2.0.0/16
>> !1.2.3.0/24
>> 1.3.4.128/25
>> !1.3.4.0/24
>> 1.4.4.0/22
>> !1.4.5.0/24
>>
>> Then the range 1.2.3.0/24 *will* be excluded, but 1.3.4.128/25 *will
>> not* be excluded, and 1.4.5.0/24 *will* be excluded. The boundaries
>> for this behavior are /8, /16 and /24.
>>
>> Regards,
>>
>> Mat
>>
>> PS: I still think we should have some sort of 'super exclude' which
>> always overrides so people can whitelist their own ranges where the
>> MTA has no mechanism for this.
>
>
> So there's a problem implementing exclude within the normal include
> framework.
> To turn the problem around, since rbldnsd is so good at *includes*,
> why not have an agreed ip address like 0.255.9.9 (or even a special
> nonsensical A or TXT result) that means "clear any A records already
> encountered, return no A record". Then you could have
> :0.255.9.9
> 1.2/16
> etc
> meaning in effect, exclude 1.2/16 etc. Then the excludes don't need
> to worry about the way rbldnsd stores stuff, it just rewinds and kicks
> out when it encounters the ip.
>
> Or maybe
> :127.0.0.2:excludehereafter
>
IIRC it's based on how the structures are held within rbldnsd, and Michael
also asked previously what should happen if we see:
1.2/16
!1.2/16
or
!1.2/16
1.2/16
At this point remember that everyone has their own zone format, eg SORBS
will create the zones with includes first and excludes afterwards. Also
what do you do if you see:
1/8
!1.2/16
1.2.3/24
Personally I would expect to exclude 1.2/16 from 1/8 but include
1.2.3/24 specifically.... seems a reasonable request, but how about if
we do this:
1/8
1.2.3/24
!1.2/16
Would this be handled differently?
.... and that's not even touching on the technical reasons why this won't
work in the current version of rbldnsd. I am sure Michael will explain
the issue in detail when it is daylight in Russia ;-)
Regards,
Mat
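The thread asks what a zone like "1/8, !1.2/16, 1.2.3/24" should mean, and the answer Mat says he would expect is "most specific entry wins, regardless of order". The following is an added illustration of that longest-prefix-match semantics over the thread's own sample entries; it is not rbldnsd code and does not model how rbldnsd actually stores or evaluates entries (the thread says the then-current version does not behave this way). Assumptions: short dotted prefixes are expanded by zero-filling the missing octets (so "1.2/16" is 1.2.0.0/16 and "1.2.3" with no mask is /24), ":"-prefixed default-value lines are ignored, and when two entries have the same prefix length the later one wins, which is one possible answer to the "1.2/16 then !1.2/16" question raised above.

```python
import ipaddress

# Constructed zone fragment built from the examples in the thread.
ZONE = """
1/8
!1.2/16
1.2.3/24
1.3.4.128/25
!1.3.4.0/24
:0.255.9.9
"""


def expand(text):
    """Expand a short dotted prefix such as '1.2/16' into an ip_network.

    Assumption: missing octets are zero-filled; a bare '1.2.3' with no mask
    is taken as /24 (eight bits per octet given).
    """
    if "/" in text:
        addr, bits = text.split("/", 1)
    else:
        addr, bits = text, None
    octets = addr.split(".")
    if bits is None:
        bits = str(8 * len(octets))
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + bits, strict=False)


def parse_zone(text):
    """Return a list of (network, is_exclusion) in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        # Blank lines, comments and ':' default-value lines carry no prefix.
        if not line or line.startswith("#") or line.startswith(":"):
            continue
        excluded = line.startswith("!")
        entries.append((expand(line.lstrip("!")), excluded))
    return entries


def listed(entries, ip):
    """Longest-prefix match: the most specific entry covering ip decides.

    An '!' entry decides 'not listed'. On equal prefix length the later entry
    wins (assumption; the thread leaves this case open).
    """
    addr = ipaddress.ip_address(ip)
    best = None
    for net, excluded in entries:
        if addr in net and (best is None or net.prefixlen >= best[0].prefixlen):
            best = (net, excluded)
    return best is not None and not best[1]


ENTRIES = parse_zone(ZONE)

if __name__ == "__main__":
    for probe in ("1.5.0.1", "1.2.0.1", "1.2.3.4", "1.3.4.200", "1.3.4.1", "2.0.0.1"):
        print(probe, "listed" if listed(ENTRIES, probe) else "not listed")
```

With these rules 1.2.0.1 falls out of the /8 because of the /16 exclusion, 1.2.3.4 comes back in because the /24 include is more specific than the /16 exclusion, and 1.3.4.200 stays listed because the /25 include beats the /24 exclusion; reordering the lines does not change any of those answers, which is the property the thread is after.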