[isf-wifidog] Gateway development
David Young
dyoung at pobox.com
Mon 14 Nov 21:35:01 EST 2011
On Mon, Nov 14, 2011 at 06:01:16PM -0500, acv wrote:
> On Mon, Nov 14, 2011 at 02:52:14PM -0700, Andrew Niemantsverdriet wrote:
> >
> > I can confirm that the use of DNS works in iptables. For example:
> > iptables -t nat -I WalledGarden -m state --state
> > NEW,ESTABLISHED,RELATED,INVALID -d "www.google.com" -j ACCEPT -p tcp
> > --dport 80
> >
> > Allows everything on tcp port 80 to www.google.com which is more than
> > 1 ip address.
>
> I know that works.
I'm curious whether that evaluates www.google.com once to a set of IP
addresses, or whether it re-evaluates when the TTL of the original
evaluation changes? I ask because I would not expect www.google.com to
constantly evaluate to a single set of IP addresses, or for the same IP
addresses to stay continuously in service.
I have a suggestion about your parser code:
> I'm more worried about the configuration parser in the
> gateway expecting numeric IPs only... I could totally have coded that:
>
> 	for (i = 0; *(mask + i) != '\0'; i++)
> 		if (!isdigit((unsigned char)*(mask + i)) && (*(mask + i) != '.')
> 		    && (*(mask + i) != '/'))
> 			all_nums = 0; /*< No longer only digits */
> 	if (!all_nums) {
> 		debug(LOG_ERR, "Invalid mask %s", mask);
> 		return -3; /*< Fail */
> 	}
I think that you can write that more simply as the following:
	for (i = 0; mask[i] != '\0'; i++)
		if (!isdigit((unsigned char)mask[i]) && mask[i] != '.'
		    && mask[i] != '/')
			all_nums = 0; /*< No longer only digits */
	if (!all_nums) {
		debug(LOG_ERR, "Invalid mask %s", mask);
		return -3; /*< Fail */
	}
Or more simply still:
	if (strspn(mask, "./0123456789") != strlen(mask)) {
		debug(LOG_ERR, "Invalid mask %s", mask);
		return -3; /*< Fail */
	}
Dave
--
David Young
dyoung at pobox.com Urbana, IL (217) 721-9981
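Added example, not from the thread or from the WiFiDog code base: the character-class checks discussed above (the loop and the strspn form) only confirm that a mask is made of digits, dots and slashes, so strings such as "..../", "1.2.3" or "300.1.1.1" pass them and reach the rule builder. The function below keeps the strspn test as a pre-filter and then parses the field strictly as an IPv4 address with an optional /prefix. The struct, function names and the sample inputs are assumptions made for the example; the -3 failure code mirrors the convention in the quoted snippet.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical parsed form of a WalledGarden "address[/prefix]" field. */
struct ipv4_mask {
	uint32_t addr;   /* host byte order */
	int prefix;      /* 0..32, 32 when no "/prefix" was given */
};

/* The strspn character-class test from the thread, as a standalone
 * predicate. Returns 1 when every character is a digit, '.' or '/'. */
int chars_look_numeric(const char *mask)
{
	return strspn(mask, "./0123456789") == strlen(mask);
}

/* Strict parser: 0 on success, -3 on invalid input (same code as the
 * quoted snippet). Unlike the character-class test it enforces exactly
 * four octets in 0..255 and a prefix length in 0..32. */
int parse_ipv4_mask(const char *mask, struct ipv4_mask *out)
{
	char buf[32];
	char *slash;
	struct in_addr in;
	long prefix = 32;

	/* Pre-filter only: "..../" and "1.2.3.4.5" still get through here. */
	if (mask == NULL || *mask == '\0' || !chars_look_numeric(mask))
		return -3;
	if (strlen(mask) >= sizeof buf)
		return -3;
	strcpy(buf, mask);

	slash = strchr(buf, '/');
	if (slash != NULL) {
		char *end;
		*slash = '\0';
		/* Reject an empty prefix ("1.2.3.4/") and a second slash. */
		if (slash[1] == '\0' || strchr(slash + 1, '/') != NULL)
			return -3;
		prefix = strtol(slash + 1, &end, 10);
		if (*end != '\0' || prefix < 0 || prefix > 32)
			return -3;
	}
	/* inet_pton(AF_INET) is strict: four decimal octets, each 0..255.
	 * inet_aton/inet_addr would also accept "1.2.3" or "0x7f.1". */
	if (inet_pton(AF_INET, buf, &in) != 1)
		return -3;

	out->addr = ntohl(in.s_addr);
	out->prefix = (int)prefix;
	return 0;
}

/* Small wrappers so callers (and tests) can inspect results directly:
 * prefix length on success or -1 on rejection; address or 0 on rejection. */
int mask_prefix(const char *mask)
{
	struct ipv4_mask m;
	return parse_ipv4_mask(mask, &m) == 0 ? m.prefix : -1;
}

uint32_t mask_addr(const char *mask)
{
	struct ipv4_mask m;
	return parse_ipv4_mask(mask, &m) == 0 ? m.addr : 0;
}

int main(void)
{
	/* Constructed sample inputs; the last one is the hostname case. */
	const char *samples[] = { "192.168.1.0/24", "10.0.0.1", "1.2.3.4/33",
				  "1.2.3", "..../", "300.1.1.1", "www.google.com" };
	size_t n;

	for (n = 0; n < sizeof samples / sizeof samples[0]; n++)
		printf("%-16s charclass=%d strict_prefix=%d\n", samples[n],
		       chars_look_numeric(samples[n]), mask_prefix(samples[n]));
	return 0;
}
```

The hostname case is rejected by both checks, which is the gateway-side limitation acv describes. Passing the hostname straight to iptables instead does not give dynamic tracking either: iptables resolves a name given to -d once, when the rule is inserted, and installs one rule per address returned at that moment, so later changes to the DNS answer are not picked up.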
More information about the WiFiDog mailing list