+2007-10-17 Christian Thaeter <ct@pipapo.org>
+
+ reserve and extend the list of forbidden filename characters
+
+2007-10-17 Christian Thaeter <ct@pipapo.org>
+
+ EXPIRE command
+
+2007-10-17 Christian Thaeter <ct@pipapo.org>
+
+ implemented atime handling, rules maintain a timestamp when they where last triggered
+
+2007-10-16 Christian Thaeter <ct@pipapo.org>
+
+ reorder init sequence, daemonize after all commandline processing
+
+2007-10-16 Christian Thaeter <ct@pipapo.org>
+
+ dont change the current dir when daemonize
+
+2007-10-16 Christian Thaeter <ct@pipapo.org>
+
+ HELP produces comment syntax (leading #)
+
+2007-10-16 Christian Thaeter <ct@pipapo.org>
+
+ extended the VERSION command
+
+2007-10-16 Christian Thaeter <ct@pipapo.org>
+
+ autoreconf needs this files for bootstraping D'oh
+
2007-10-16 Christian Thaeter <ct@pipapo.org>
HELP command
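Review bot: the new ChangeLog entries are too terse to be useful as a record of behaviour changes; the first one, "reserve and extend the list of forbidden filename characters", never says which characters were added or why they are forbidden, and "EXPIRE command" gives no hint of what EXPIRE does. Each entry should name what changed and its user-visible effect (the EXPIRE one could read "EXPIRE command: drop rules whose atime is older than N seconds"). The entry "dont change the current dir when daemonize" also deserves a sentence on the consequence, since a daemon that keeps its start directory as cwd keeps that filesystem busy and resolves relative list paths against wherever it was started; state that this is intentional so list paths given on the command line keep working. Minor: "where last triggered" should be "were last triggered", "bootstraping" should be "bootstrapping", and "this files" should be "these files".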
the daemon answers with "#OK:". This can be used to syncronize the
queries before sending new data.
* 'APPEND:list\n..rules..'
- + append the following lines to list
+ + append the following lines to list.
* 'PREPEND:list\n..rules..'
- + prepend the following lines to list
+ + prepend the following lines to list.
* 'REMOVE:list\n..rules..'
- + remove all matching lines from list
+ + remove all matching lines from list.
* 'REPLACE:list\nrule\n..replacements..'
+ find the position matching the first line, which can be a rule or a
comment and replaces it with the following rules. Updates are atomic
disk.
* 'SAVE:list\n'
+ save list to disk, saves new atime records.
+ * 'EXPIRE:list\nseconds'
+ + removes all rules from list which are subject of atime updates and
+ where not touched for some (much) seconds.
+ * 'SYNC:list\nremote'
+ + fetches a list from remote which has the form address/listname where
+ address is either 'ip:port' or a path to a unix domain socket. Then
+ updates 'list' atimes to newer ones from the remote list.
+
+ Idea: do we want 'SYNC:list\
+ nremote:policylist' which gives a local list filtering remote first?
+ * 'MERGE:list\nremote'
+ + fetches a list from remote which has the form address/listname where
+ address is either 'ip:port' or a path to a unix domain socket. Then
+ merges new rules from remote.
+
+ Idea: do we want 'SYNC:list\
+ nremote:policylist' which gives a local list filtering remote first?
* 'DUMP:list\n'
- + dump the content of list
+ + dump the content of list.
* 'LIST:\n'
- + list all loaded lists
+ + list all loaded lists.
+ * 'SHUTDOWN:\n'
+ + exits the daemon gracefully, pending connections will still be served
+ but no new connections are accepted.
+ * 'VERSION:\n'
+ + prints package and version information.
+ * 'HELP:\n'
+ + gives a short list of available commands.
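Review bot: the "Idea:" paragraph under SYNC is pasted verbatim again under MERGE (it mentions SYNC, not MERGE, in both places), and in both copies the command literal is broken across a line as 'SYNC:list\' followed by 'nremote:policylist', so the reader sees a backslash and a stray 'n' instead of the '\n' separator used everywhere else in this list; keep one copy, under the command it actually applies to, on a single line. The EXPIRE description "where not touched for some (much) seconds" should say what the argument means, e.g. "removes every atime-tracked rule from list that has not been triggered within the last 'seconds' seconds" ("where" is "were"). SYNC and MERGE import data from a network peer given as 'ip:port' or a socket path, so the doc should say that the remote is treated as trusted for the rules it returns and point at the access-policy list as the place to restrict who may issue SYNC, MERGE and SHUTDOWN; as written, a reader cannot tell whether any check of the remote exists. In the surrounding context, "Updates are atomic disk." reads as a truncated sentence (presumably "atomic on disk") and should be fixed while this block is being touched.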
Using the rxpd
<!> WIP
+Access Policies
+
+One list of rules can be used to define access policies for the rxpd itself (-p
+option). Each command will be extended with access protocol (one of tcp4, tcp6
+or unix) and the peer address and then checked against this policy list. When
+this check yields in an 'ACCEPT:..' rule, the command is allowed, for
+everything else will result in an error and drop the connection.
+
+For example if '-p policy' is used:
+
+# Syntax:
+# [atime]:rulename:command:list:proto:address
+#
+# Allow dumping of the 'policy' list itself
+:ACCEPT:DUMP:policy
+# Clients from local network are allowed to do anything
+:ACCEPT:.*:tcp.:10\..*$
+# Forbid all others to do anything else with the policy
+:REJECT:.*:policy
+# Finally allow anything else
+:ACCEPT:.*
+
+Example
+
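Review bot: the policy description should state the matching rule explicitly, because the example only works under first-match-wins semantics: the local-network rule ':ACCEPT:.*:tcp.:10\..*$' comes before ':REJECT:.*:policy', so local clients may rewrite the policy list itself, while the trailing ':ACCEPT:.*' grants every other peer every command, including APPEND, REMOVE, SHUTDOWN, SYNC and MERGE. The prose says "anything else" is rejected and the connection dropped, but the example ends with a catch-all ACCEPT, so say which default applies when no rule matches and recommend ordering rules so that remote peers only get the commands they need. The syntax comment '[atime]:rulename:command:list:proto:address' should also say that the pattern is a regular expression matched against the joined 'command:list:proto:address' string, whether it is anchored at the start, and that '.*' therefore spans field separators; otherwise a reader cannot judge whether '10\..*$' really restricts the address field (note that the other rules leave the trailing fields off entirely, which only works if matching is a prefix or unanchored search). Grammar: "When this check yields in an 'ACCEPT:..' rule" should be "When this check yields an 'ACCEPT:..' rule, the command is allowed; everything else results in an error and the connection is dropped."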
We want to protect a wiki or such against vandalism: blacklists are in
$blacklists.d/ lets say /etc/blacklists.d/
this is /etc/blacklist.d/hosts
# local access are always trusted, thats localhost any my local network
-allow:localhost;127.0.0.1
-allow:mydomain.org;10.10.
+:allow:localhost;127.0.0.1
+:allow:mydomain.org;10.10.
# some really bad guys are put on a blacklist which never ever shall get access
-deny:.*aol.com;
+:deny:.*aol.com;
# everyone else shall just get the content checked
-check:
+:check:
so printf("CHECK:hosts\n%s;%s\n", hostname, ipaddr) send to the blacklist
daemon will result in either 'allow', 'deny' or 'check' send back. The first
content'
#example .. see BadContent on this wiki
-deny:sex.com
-deny:warez
+:deny:sex.com
+:deny:warez
Demonstation
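Review bot: the rewritten rules now carry the leading ':' for the empty atime field, which matches the syntax introduced above, but the example still has the weaknesses it had before and this is the place to fix them. The rules are regular expressions, yet the dots in ':allow:localhost;127.0.0.1', ':allow:mydomain.org;10.10.', ':deny:.*aol.com;' and ':deny:sex.com' are unescaped, so they match any character; the policy example already writes '10\.', and these should do the same. Nothing anchors the patterns either, so ':allow:mydomain.org;10.10.' also matches a peer whose hostname merely ends in "mydomain.org" paired with any 10.10.x.x address, and ':deny:warez' matches anywhere in the content; use '^' where the rule is meant to match the whole 'hostname;ipaddr' string. Since the allow rules come first and the hostname half comes from whatever the client passes in printf("CHECK:hosts\n%s;%s\n", hostname, ipaddr), the text should say that the IP address is the field to trust and the hostname only a convenience. The context around the example is also damaged: "The first content'" is a cut-off sentence, the comment "thats localhost any my local network" should read "that's localhost and my local network", and the heading "Demonstation" is "Demonstration".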