dovecot-2.0: auth: Track penalty for IPv6 addresses with their /...

dovecot at dovecot.org dovecot at dovecot.org
Sat Feb 20 09:04:28 EET 2010


details:   http://hg.dovecot.org/dovecot-2.0/rev/77d990bee666
changeset: 10774:77d990bee666
user:      Timo Sirainen <tss at iki.fi>
date:      Sat Feb 20 09:04:25 2010 +0200
description:
auth: Track penalty for IPv6 addresses with their /48 mask.

diffstat:

 src/auth/auth-penalty.c |  24 ++++++++++++++++++++++--
 1 files changed, 22 insertions(+), 2 deletions(-)

diffs (55 lines):

diff -r 4cdb58bb0360 -r 77d990bee666 src/auth/auth-penalty.c
--- a/src/auth/auth-penalty.c	Sat Feb 20 08:48:54 2010 +0200
+++ b/src/auth/auth-penalty.c	Sat Feb 20 09:04:25 2010 +0200
@@ -10,6 +10,10 @@
 
 #include <stdio.h>
 
+/* We don't want IPv6 hosts being able to flood our penalty
+   tracking with tons of different IPs. */
+#define PENALTY_IPV6_MASK_BITS 48
+
 struct auth_penalty_request {
 	struct auth_request *auth_request;
 	auth_penalty_callback_t *callback;
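Review bot: The comment above `PENALTY_IPV6_MASK_BITS` does not say that the value must be a multiple of `CHAR_BIT`. The helper added later in this patch divides it by `CHAR_BIT` and zeroes whole bytes, so a value such as 52 would silently behave as 48. I would extend the comment with `The value must be a multiple of CHAR_BIT; the address is masked in whole bytes.` It is also worth noting there that every host inside one /48 now shares a single penalty entry, since that is the trade-off this constant encodes.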
@@ -86,6 +90,22 @@
 	request->callback(penalty, request->auth_request);
 }
 
+static const char *
+auth_penalty_get_ident(struct auth_request *auth_request)
+{
+	struct ip_addr ip;
+
+	ip = auth_request->remote_ip;
+#ifdef HAVE_IPV6
+	if (IPADDR_IS_V6(&ip)) {
+		memset(ip.u.ip6.s6_addr + PENALTY_IPV6_MASK_BITS/CHAR_BIT, 0,
+		       sizeof(ip.u.ip6.s6_addr) -
+		       PENALTY_IPV6_MASK_BITS/CHAR_BIT);
+	}
+#endif
+	return net_ip2addr(&ip);
+}
+
 void auth_penalty_lookup(struct auth_penalty *penalty,
 			 struct auth_request *auth_request,
 			 auth_penalty_callback_t *callback)
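Review bot: In `auth_penalty_get_ident()` the mask is applied to every address for which `IPADDR_IS_V6` is true, and that appears to include IPv4-mapped addresses (`::ffff:a.b.c.d`). Zeroing everything after byte 6 wipes both the `ffff` marker and the embedded IPv4 address, so all such clients would be tracked under the one identifier `::` and a penalty earned by one of them would delay the rest. Whether `remote_ip` can reach this point in mapped form is not visible in the hunk, so this should be confirmed against the code that fills it. If it can, leave mapped addresses unmasked with `if (IPADDR_IS_V6(&ip) && !IN6_IS_ADDR_V4MAPPED(&ip.u.ip6)) {`.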
@@ -93,7 +113,7 @@
 	struct auth_penalty_request *request;
 	const char *ident;
 
-	ident = net_ip2addr(&auth_request->remote_ip);
+	ident = auth_penalty_get_ident(auth_request);
 	if (penalty->disabled || ident == NULL) {
 		callback(0, auth_request);
 		return;
@@ -123,7 +143,7 @@
 {
 	const char *ident;
 
-	ident = net_ip2addr(&auth_request->remote_ip);
+	ident = auth_penalty_get_ident(auth_request);
 	if (penalty->disabled || ident == NULL)
 		return;
 

