[rbldnsd] Problem with exclusion entries
Michael Tokarev
mjt at tls.msk.ru
Tue Dec 4 01:29:59 MSK 2012
On 03.12.2012 18:32, Oli Schacher wrote:
> Hi
> I have a daemon that writes lots of single IPs in a rbldnsd ip4set
> file. I want to whitelist some ranges, so I thought I just add
> exclusion entries for those networks to be sure they never get listed.
> However, these exclusion entries don't seem to work. I reduced this to
> a simple test case:
>
> cat test.rbldnsd:
> 192.168.10.10
> !192.168.10.0/24
>
> The doc states "if an entry starts with an exclamation sign (!), this
> is an exclusion entry, i.e. corresponding address range is excluded
> from being listed (and any value for this record is ignored).", so if I
> understand this correctly, the entry '192.168.10.10' should be ignored
> since 192.168.10.0/24 is excluded.
This is a common trap.
Smaller, i.e., more specific, entry wins.
In your case, more specific entry is "included".
With ip4set (not ip4trie), entries fall into 4 sizes:
/8, /16, /24 and /32, due to implementation details.
So, say, /25 and /32 are of the same "size" internally
(/25 is actually represented as 128 /32s), and there,
exclusion wins over "inclusion".
Hope this clears things a bit.
Thanks,
/mjt
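
Added example (not part of the original message and not rbldnsd's own code): a small Python model of the ip4set matching rules described in the reply, plus a helper that reports listing entries that are still served despite a wider exclusion. It assumes entries are plain single-address or CIDR lines; all function names are hypothetical.

```python
import ipaddress

BUCKETS = (32, 24, 16, 8)  # the four ip4set sizes named in the message, most specific first

def mask(bits):
    return (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF

def load(lines):
    """Parse CIDR / single-IP lines into {bucket: {block_start: is_exclusion}}."""
    table = {b: {} for b in BUCKETS}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        excluded = line.startswith("!")
        net = ipaddress.ip_network(line.lstrip("!").split()[0], strict=False)
        bucket = min(b for b in BUCKETS if b >= net.prefixlen)
        # A /25 becomes 128 /32 blocks, a /20 becomes 16 /24 blocks, and so on.
        for sub in net.subnets(new_prefix=bucket):
            key = int(sub.network_address)
            # Same size: exclusion wins over inclusion, whatever the file order.
            table[bucket][key] = table[bucket].get(key, False) or excluded
    return table

def is_listed(table, addr):
    ip = int(ipaddress.ip_address(addr))
    for b in BUCKETS:  # smaller (more specific) entry wins
        hit = table[b].get(ip & mask(b))
        if hit is not None:
            return not hit
    return False

def overridden_exclusions(table):
    """Listing entries that sit inside a wider exclusion and are still served."""
    found = []
    for i, b in enumerate(BUCKETS):
        for key, excluded in table[b].items():
            if not excluded and any(table[w].get(key & mask(w)) for w in BUCKETS[i + 1:]):
                found.append(f"{ipaddress.ip_address(key)}/{b}")
    return sorted(found)

# Constructed sample: the test case from the message, then a /25 variant.
CASE_24 = ["192.168.10.10", "!192.168.10.0/24"]
CASE_25 = ["192.168.10.10", "!192.168.10.0/25"]

if __name__ == "__main__":
    for name, case in (("/24", CASE_24), ("/25", CASE_25)):
        t = load(case)
        print(name, is_listed(t, "192.168.10.10"), overridden_exclusions(t))
```

Running `overridden_exclusions` over a generated file before reloading it shows which single-IP entries would bypass a /8, /16 or /24 whitelist range.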