Posted to dev@mina.apache.org by Niklas Gustavsson <ni...@protocol7.com> on 2008/03/12 16:31:17 UTC

Add IP range support to BlacklistFilter

Hi

I would like to replace our IpRestrictor implementation in FtpServer
with the BlacklistFilter available in MINA. However, for FtpServer we
would need support for ranges, i.e. 123.45.67.0-123.45.67.123 or
123.45.0.0-123.45.255.255. Support would be needed both for IP4 and
IP6. Would this be of interest to add in BlacklistFilter? If not, I'll
create a separate implementation for FtpServer.

/niklas

Re: Add IP range support to BlacklistFilter

Posted by Niklas Gustavsson <ni...@protocol7.com>.
On Thu, Mar 13, 2008 at 1:39 AM, Mark Webb <el...@gmail.com> wrote:
> Couple points to make:
>
>  1. Why make a blacklist range and a blacklist.  Why not just add the
>  range to the blacklist?

I wanted to keep them separate to be able to keep the check more
efficient. However, I don't have any strong feelings so feel free to
change anything.

>  2. Should there be more synchronizing of the adding/removing and the
>  check for blocked addresses?  What happens if an add and a check for a
>  blocked address happen at the same time?

Yes, we probably do. I'll await the discussion about using submasks
and make the required changes after that.

/niklas

Re: Add IP range support to BlacklistFilter

Posted by Niklas Gustavsson <ni...@protocol7.com>.
Subnet blocking support now added to BlacklistFilter. Only IPv4 is
supported for now, if anyone wants to have a go at IPv6 support, feel
free :-)

Have a look and see if it looks good.

/niklas

On Thu, Mar 13, 2008 at 4:54 PM, 이희승 (Trustin Lee) <tr...@gmail.com> wrote:
> Niklas, thanks for the information.  Wikipedia rocks! :)
>
>  I agree with your idea.  We could make it pretty generic so it can be used
>  anywhere in MINA.
>
>  On Thu, 13 Mar 2008 23:51:04 +0900, Niklas Gustavsson
>
>
> <ni...@protocol7.com> wrote:
>
>  > Seems like CIDR notation is available for IP6 as well:
>  > http://en.wikipedia.org/wiki/IPv6#Network_notation
>  >
>  > How about allowing for CIDR submasks as well as IP address directly?
>  > Thus replacing ranges with subnets. That would be a fine solution for
>  > me and I would be happy to implement it.
>  >
>  > /niklas
>  >
>  > On Thu, Mar 13, 2008 at 3:18 PM, 이희승 (Trustin Lee)
>  > <tr...@gmail.com> wrote:
>  >> I'm actually not sure if CIDR submasks can be used for IPv6 addresses.
>  >>  I am also not really used to IPv6 yet. :)
>  >>
>  >>  At least for IPv4 addresses, I believe CIDR submask is what users want.
>  >>
>  >>  2008-03-13 (Thu), 08:42 +0100, Niklas Gustavsson wrote:
>  >>
>  >>
>  >> > Now, this is certainly not my area of expertise so bear with me. Aren't
>  >>  > CIDR submasks only for IP4 addresses? Also, they can not represent
>  >> any
>  >>  > range in IP4 but blocking on subnets is probably what users need,
>  >>  > right?
>  >>  >
>  >>  > /niklas
>  >>  >
>  >>  >
>  >>  > On Thu, Mar 13, 2008 at 4:13 AM, 이희승 (Trustin Lee)
>  >> <tr...@gmail.com> wrote:
>  >>  > > By using submask, we can merge blacklist range and blacklist,
>  >> because a
>  >>  > >  single IP address can be represented with 32-bit submask (i.e.
>  >>  > >  192.168.10.25/32 = 192.168.10.25).
>  >>  > >
>  >>  > >  2008-03-12 (Wed), 20:39 -0400, Mark Webb wrote:
>  >>  > >
>  >>  > > > Couple points to make:
>  >>  > >  >
>  >>  > >  > 1. Why make a blacklist range and a blacklist.  Why not just
>  >> add the
>  >>  > >  > range to the blacklist?
>  >>  > >  > 2. Should there be more synchronizing of the adding/removing
>  >> and the
>  >>  > >  > check for blocked addresses?  What happens if an add and a
>  >> check for a
>  >>  > >  > blocked address happen at the same time?
>  >>  > >  >
>  >>  > >  > --Mark
>  >>  > >  >
>  >>  > >  > On Wed, Mar 12, 2008 at 6:20 PM, Niklas Gustavsson
>  >> <ni...@protocol7.com> wrote:
>  >>  > >  > > On Wed, Mar 12, 2008 at 10:37 PM, Niklas Gustavsson
>  >>  > >  > >  <ni...@protocol7.com> wrote:
>  >>  > >  > >  > Cool, so I'll add it and ask for a review when it's in SVN.
>  >>  > >  > >
>  >>  > >  > >  Alright, the code is in (rev 636538), have a go at it. I'm
>  >> particularly
>  >>  > >  > >  interested in a review of the IP comparison code, not sure I
>  >> got it
>  >>  > >  > >  correct.
>  >>  > >  > >
>  >>  > >  > >  /niklas
>  >>  > >  > >
>  >>  > >  >
>  >>  > >  >
>  >>  > >  >
>  >>  > >  --
>  >>  > >
>  >>  > >
>  >>  > > Trustin Lee - Principal Software Engineer, JBoss, Red Hat
>  >>  > >  --
>  >>  > >  what we call human nature is actually human habit
>  >>  > >  --
>  >>  > >  http://gleamynode.net/
>  >>  > >
>  >>  --
>  >>
>  >>
>  >> Trustin Lee - Principal Software Engineer, JBoss, Red Hat
>  >>  --
>  >>  what we call human nature is actually human habit
>  >>  --
>  >>  http://gleamynode.net/
>  >>
>
>
>
>  --
>  Trustin Lee - Principal Software Engineer, JBoss division, Red Hat
>
>
> --
>  what we call human nature is actually human habit
>  --
>  http://gleamynode.net/
>

Re: Add IP range support to BlacklistFilter

Posted by "이희승 (Trustin Lee)" <tr...@gmail.com>.
Niklas, thanks for the information.  Wikipedia rocks! :)

I agree with your idea.  We could make it pretty generic so it can be used  
anywhere in MINA.

On Thu, 13 Mar 2008 23:51:04 +0900, Niklas Gustavsson  
<ni...@protocol7.com> wrote:

> Seems like CIDR notation is available for IP6 as well:
> http://en.wikipedia.org/wiki/IPv6#Network_notation
>
> How about allowing for CIDR submasks as well as IP address directly?
> Thus replacing ranges with subnets. That would be a fine solution for
> me and I would be happy to implement it.
>
> /niklas
>
> On Thu, Mar 13, 2008 at 3:18 PM, 이희승 (Trustin Lee)  
> <tr...@gmail.com> wrote:
>> I'm actually not sure if CIDR submasks can be used for IPv6 addresses.
>>  I am also not really used to IPv6 yet. :)
>>
>>  At least for IPv4 addresses, I believe CIDR submask is what users want.
>>
>>  2008-03-13 (Thu), 08:42 +0100, Niklas Gustavsson wrote:
>>
>>
>> > Now, this is certainly not my area of expertise so bear with me. Aren't
>>  > CIDR submasks only for IP4 addresses? Also, they can not represent  
>> any
>>  > range in IP4 but blocking on subnets is probably what users need,
>>  > right?
>>  >
>>  > /niklas
>>  >
>>  >
>>  > On Thu, Mar 13, 2008 at 4:13 AM, 이희승 (Trustin Lee)  
>> <tr...@gmail.com> wrote:
>>  > > By using submask, we can merge blacklist range and blacklist,  
>> because a
>>  > >  single IP address can be represented with 32-bit submask (i.e.
>>  > >  192.168.10.25/32 = 192.168.10.25).
>>  > >
>>  > >  2008-03-12 (Wed), 20:39 -0400, Mark Webb wrote:
>>  > >
>>  > > > Couple points to make:
>>  > >  >
>>  > >  > 1. Why make a blacklist range and a blacklist.  Why not just  
>> add the
>>  > >  > range to the blacklist?
>>  > >  > 2. Should there be more synchronizing of the adding/removing  
>> and the
>>  > >  > check for blocked addresses?  What happens if an add and a  
>> check for a
>>  > >  > blocked address happen at the same time?
>>  > >  >
>>  > >  > --Mark
>>  > >  >
>>  > >  > On Wed, Mar 12, 2008 at 6:20 PM, Niklas Gustavsson  
>> <ni...@protocol7.com> wrote:
>>  > >  > > On Wed, Mar 12, 2008 at 10:37 PM, Niklas Gustavsson
>>  > >  > >  <ni...@protocol7.com> wrote:
>>  > >  > >  > Cool, so I'll add it and ask for a review when it's in SVN.
>>  > >  > >
>>  > >  > >  Alright, the code is in (rev 636538), have a go at it. I'm  
>> particularly
>>  > >  > >  interested in a review of the IP comparison code, not sure I  
>> got it
>>  > >  > >  correct.
>>  > >  > >
>>  > >  > >  /niklas
>>  > >  > >
>>  > >  >
>>  > >  >
>>  > >  >
>>  > >  --
>>  > >
>>  > >
>>  > > Trustin Lee - Principal Software Engineer, JBoss, Red Hat
>>  > >  --
>>  > >  what we call human nature is actually human habit
>>  > >  --
>>  > >  http://gleamynode.net/
>>  > >
>>  --
>>
>>
>> Trustin Lee - Principal Software Engineer, JBoss, Red Hat
>>  --
>>  what we call human nature is actually human habit
>>  --
>>  http://gleamynode.net/
>>



-- 
Trustin Lee - Principal Software Engineer, JBoss division, Red Hat
--
what we call human nature is actually human habit
--
http://gleamynode.net/

Re: Add IP range support to BlacklistFilter

Posted by Niklas Gustavsson <ni...@protocol7.com>.
Seems like CIDR notation is available for IP6 as well:
http://en.wikipedia.org/wiki/IPv6#Network_notation

How about allowing for CIDR submasks as well as IP address directly?
Thus replacing ranges with subnets. That would be a fine solution for
me and I would be happy to implement it.

/niklas

On Thu, Mar 13, 2008 at 3:18 PM, 이희승 (Trustin Lee) <tr...@gmail.com> wrote:
> I'm actually not sure if CIDR submasks can be used for IPv6 addresses.
>  I am also not really used to IPv6 yet. :)
>
>  At least for IPv4 addresses, I believe CIDR submask is what users want.
>
>  2008-03-13 (Thu), 08:42 +0100, Niklas Gustavsson wrote:
>
>
> > Now, this is certainly not my area of expertise so bear with me. Aren't
>  > CIDR submasks only for IP4 addresses? Also, they can not represent any
>  > range in IP4 but blocking on subnets is probably what users need,
>  > right?
>  >
>  > /niklas
>  >
>  >
>  > On Thu, Mar 13, 2008 at 4:13 AM, 이희승 (Trustin Lee) <tr...@gmail.com> wrote:
>  > > By using submask, we can merge blacklist range and blacklist, because a
>  > >  single IP address can be represented with 32-bit submask (i.e.
>  > >  192.168.10.25/32 = 192.168.10.25).
>  > >
>  > >  2008-03-12 (Wed), 20:39 -0400, Mark Webb wrote:
>  > >
>  > > > Couple points to make:
>  > >  >
>  > >  > 1. Why make a blacklist range and a blacklist.  Why not just add the
>  > >  > range to the blacklist?
>  > >  > 2. Should there be more synchronizing of the adding/removing and the
>  > >  > check for blocked addresses?  What happens if an add and a check for a
>  > >  > blocked address happen at the same time?
>  > >  >
>  > >  > --Mark
>  > >  >
>  > >  > On Wed, Mar 12, 2008 at 6:20 PM, Niklas Gustavsson <ni...@protocol7.com> wrote:
>  > >  > > On Wed, Mar 12, 2008 at 10:37 PM, Niklas Gustavsson
>  > >  > >  <ni...@protocol7.com> wrote:
>  > >  > >  > Cool, so I'll add it and ask for a review when it's in SVN.
>  > >  > >
>  > >  > >  Alright, the code is in (rev 636538), have a go at it. I'm particularly
>  > >  > >  interested in a review of the IP comparison code, not sure I got it
>  > >  > >  correct.
>  > >  > >
>  > >  > >  /niklas
>  > >  > >
>  > >  >
>  > >  >
>  > >  >
>  > >  --
>  > >
>  > >
>  > > Trustin Lee - Principal Software Engineer, JBoss, Red Hat
>  > >  --
>  > >  what we call human nature is actually human habit
>  > >  --
>  > >  http://gleamynode.net/
>  > >
>  --
>
>
> Trustin Lee - Principal Software Engineer, JBoss, Red Hat
>  --
>  what we call human nature is actually human habit
>  --
>  http://gleamynode.net/
>

Re: Add IP range support to BlacklistFilter

Posted by "이희승 (Trustin Lee)" <tr...@gmail.com>.
I'm actually not sure if CIDR submasks can be used for IPv6 addresses.
I am also not really used to IPv6 yet. :)

At least for IPv4 addresses, I believe CIDR submask is what users want.

2008-03-13 (Thu), 08:42 +0100, Niklas Gustavsson wrote:
> Now, this is certainly not my area of expertise so bear with me. Aren't
> CIDR submasks only for IP4 addresses? Also, they can not represent any
> range in IP4 but blocking on subnets is probably what users need,
> right?
> 
> /niklas
> 
> 
> On Thu, Mar 13, 2008 at 4:13 AM, 이희승 (Trustin Lee) <tr...@gmail.com> wrote:
> > By using submask, we can merge blacklist range and blacklist, because a
> >  single IP address can be represented with 32-bit submask (i.e.
> >  192.168.10.25/32 = 192.168.10.25).
> >
> >  2008-03-12 (Wed), 20:39 -0400, Mark Webb wrote:
> >
> > > Couple points to make:
> >  >
> >  > 1. Why make a blacklist range and a blacklist.  Why not just add the
> >  > range to the blacklist?
> >  > 2. Should there be more synchronizing of the adding/removing and the
> >  > check for blocked addresses?  What happens if an add and a check for a
> >  > blocked address happen at the same time?
> >  >
> >  > --Mark
> >  >
> >  > On Wed, Mar 12, 2008 at 6:20 PM, Niklas Gustavsson <ni...@protocol7.com> wrote:
> >  > > On Wed, Mar 12, 2008 at 10:37 PM, Niklas Gustavsson
> >  > >  <ni...@protocol7.com> wrote:
> >  > >  > Cool, so I'll add it and ask for a review when it's in SVN.
> >  > >
> >  > >  Alright, the code is in (rev 636538), have a go at it. I'm particularly
> >  > >  interested in a review of the IP comparison code, not sure I got it
> >  > >  correct.
> >  > >
> >  > >  /niklas
> >  > >
> >  >
> >  >
> >  >
> >  --
> >
> >
> > Trustin Lee - Principal Software Engineer, JBoss, Red Hat
> >  --
> >  what we call human nature is actually human habit
> >  --
> >  http://gleamynode.net/
> >
-- 
Trustin Lee - Principal Software Engineer, JBoss, Red Hat
--
what we call human nature is actually human habit
--
http://gleamynode.net/

Re: Add IP range support to BlacklistFilter

Posted by Niklas Gustavsson <ni...@protocol7.com>.
Now, this is certainly not my area of expertise so bear with me. Aren't
CIDR submasks only for IP4 addresses? Also, they can not represent any
range in IP4 but blocking on subnets is probably what users need,
right?

/niklas


On Thu, Mar 13, 2008 at 4:13 AM, 이희승 (Trustin Lee) <tr...@gmail.com> wrote:
> By using submask, we can merge blacklist range and blacklist, because a
>  single IP address can be represented with 32-bit submask (i.e.
>  192.168.10.25/32 = 192.168.10.25).
>
>  2008-03-12 (Wed), 20:39 -0400, Mark Webb wrote:
>
> > Couple points to make:
>  >
>  > 1. Why make a blacklist range and a blacklist.  Why not just add the
>  > range to the blacklist?
>  > 2. Should there be more synchronizing of the adding/removing and the
>  > check for blocked addresses?  What happens if an add and a check for a
>  > blocked address happen at the same time?
>  >
>  > --Mark
>  >
>  > On Wed, Mar 12, 2008 at 6:20 PM, Niklas Gustavsson <ni...@protocol7.com> wrote:
>  > > On Wed, Mar 12, 2008 at 10:37 PM, Niklas Gustavsson
>  > >  <ni...@protocol7.com> wrote:
>  > >  > Cool, so I'll add it and ask for a review when it's in SVN.
>  > >
>  > >  Alright, the code is in (rev 636538), have a go at it. I'm particularly
>  > >  interested in a review of the IP comparison code, not sure I got it
>  > >  correct.
>  > >
>  > >  /niklas
>  > >
>  >
>  >
>  >
>  --
>
>
> Trustin Lee - Principal Software Engineer, JBoss, Red Hat
>  --
>  what we call human nature is actually human habit
>  --
>  http://gleamynode.net/
>

Re: Add IP range support to BlacklistFilter

Posted by "이희승 (Trustin Lee)" <tr...@gmail.com>.
By using submask, we can merge blacklist range and blacklist, because a
single IP address can be represented with 32-bit submask (i.e.
192.168.10.25/32 = 192.168.10.25).

2008-03-12 (Wed), 20:39 -0400, Mark Webb wrote:
> Couple points to make:
> 
> 1. Why make a blacklist range and a blacklist.  Why not just add the
> range to the blacklist?
> 2. Should there be more synchronizing of the adding/removing and the
> check for blocked addresses?  What happens if an add and a check for a
> blocked address happen at the same time?
> 
> --Mark
> 
> On Wed, Mar 12, 2008 at 6:20 PM, Niklas Gustavsson <ni...@protocol7.com> wrote:
> > On Wed, Mar 12, 2008 at 10:37 PM, Niklas Gustavsson
> >  <ni...@protocol7.com> wrote:
> >  > Cool, so I'll add it and ask for a review when it's in SVN.
> >
> >  Alright, the code is in (rev 636538), have a go at it. I'm particularly
> >  interested in a review of the IP comparison code, not sure I got it
> >  correct.
> >
> >  /niklas
> >
> 
> 
> 
-- 
Trustin Lee - Principal Software Engineer, JBoss, Red Hat
--
what we call human nature is actually human habit
--
http://gleamynode.net/

Re: Add IP range support to BlacklistFilter

Posted by Mark Webb <el...@gmail.com>.
Couple points to make:

1. Why make a blacklist range and a blacklist.  Why not just add the
range to the blacklist?
2. Should there be more synchronizing of the adding/removing and the
check for blocked addresses?  What happens if an add and a check for a
blocked address happen at the same time?

--Mark

On Wed, Mar 12, 2008 at 6:20 PM, Niklas Gustavsson <ni...@protocol7.com> wrote:
> On Wed, Mar 12, 2008 at 10:37 PM, Niklas Gustavsson
>  <ni...@protocol7.com> wrote:
>  > Cool, so I'll add it and ask for a review when it's in SVN.
>
>  Alright, the code is in (rev 636538), have a go at it. I'm particularly
>  interested in a review of the IP comparison code, not sure I got it
>  correct.
>
>  /niklas
>



-- 
--------------------------------
Talent hits a target no one else can hit; Genius hits a target no one
else can see.

Re: Add IP range support to BlacklistFilter

Posted by Niklas Gustavsson <ni...@protocol7.com>.
On Wed, Mar 12, 2008 at 10:37 PM, Niklas Gustavsson
<ni...@protocol7.com> wrote:
> Cool, so I'll add it and ask for a review when it's in SVN.

Alright, the code is in (rev 636538), have a go at it. I'm particularly
interested in a review of the IP comparison code, not sure I got it
correct.

/niklas

Re: Add IP range support to BlacklistFilter

Posted by Niklas Gustavsson <ni...@protocol7.com>.
Cool, so I'll add it and ask for a review when it's in SVN.

Talking about that class, the following method seems a bit odd:
    public void block(InetAddress address, String error_string) {
        if (address == null) {
            throw new NullPointerException(error_string);
        }
        blacklist.add(address);
    }

Should that method really be public? It is used by some other methods
in the filter, but I fail to see any use for it in the public API.

/niklas

On Wed, Mar 12, 2008 at 5:53 PM, Alex Karasulu <ak...@apache.org> wrote:
> On Wed, Mar 12, 2008 at 11:36 AM, Mark Webb <el...@gmail.com> wrote:
>
>  > I would say that it is a valid addition to the BlacklistFilter.  No
>  > need for duplication.
>  >
>
>  +1 - we could have used this same feature for various ApacheDS protocols.
>
>  Alex
>
>
>
>
>  >
>  > On Wed, Mar 12, 2008 at 11:31 AM, Niklas Gustavsson
>  > <ni...@protocol7.com> wrote:
>  > > Hi
>  > >
>  > >  I would like to replace our IpRestrictor implementation in FtpServer
>  > >  with the BlacklistFilter available in MINA. However, for FtpServer we
>  > >  would need support for ranges, i.e. 123.45.67.0-123.45.67.123 or
>  > >  123.45.0.0-123.45.255.255. Support would be needed both for IP4 and
>  > >  IP6. Would this be of interest to add in BlacklistFilter? If not, I'll
>  > >  create a separate implementation for FtpServer.
>  > >
>  > >  /niklas
>  > >
>  >
>  >
>  >
>  > --
>  > --------------------------------
>  > Talent hits a target no one else can hit; Genius hits a target no one
>  > else can see.
>  >
>

Re: Add IP range support to BlacklistFilter

Posted by Alex Karasulu <ak...@apache.org>.
On Wed, Mar 12, 2008 at 11:36 AM, Mark Webb <el...@gmail.com> wrote:

> I would say that it is a valid addition to the BlacklistFilter.  No
> need for duplication.
>

+1 - we could have used this same feature for various ApacheDS protocols.

Alex


>
> On Wed, Mar 12, 2008 at 11:31 AM, Niklas Gustavsson
> <ni...@protocol7.com> wrote:
> > Hi
> >
> >  I would like to replace our IpRestrictor implementation in FtpServer
> >  with the BlacklistFilter available in MINA. However, for FtpServer we
> >  would need support for ranges, i.e. 123.45.67.0-123.45.67.123 or
> >  123.45.0.0-123.45.255.255. Support would be needed both for IP4 and
> >  IP6. Would this be of interest to add in BlacklistFilter? If not, I'll
> >  create a separate implementation for FtpServer.
> >
> >  /niklas
> >
>
>
>
> --
> --------------------------------
> Talent hits a target no one else can hit; Genius hits a target no one
> else can see.
>

Re: Add IP range support to BlacklistFilter

Posted by Mark Webb <el...@gmail.com>.
I would say that it is a valid addition to the BlacklistFilter.  No
need for duplication.

On Wed, Mar 12, 2008 at 11:31 AM, Niklas Gustavsson
<ni...@protocol7.com> wrote:
> Hi
>
>  I would like to replace our IpRestrictor implementation in FtpServer
>  with the BlacklistFilter available in MINA. However, for FtpServer we
>  would need support for ranges, i.e. 123.45.67.0-123.45.67.123 or
>  123.45.0.0-123.45.255.255. Support would be needed both for IP4 and
>  IP6. Would this be of interest to add in BlacklistFilter? If not, I'll
>  create a separate implementation for FtpServer.
>
>  /niklas
>



-- 
--------------------------------
Talent hits a target no one else can hit; Genius hits a target no one
else can see.

Re: Add IP range support to BlacklistFilter

Posted by "이희승 (Trustin Lee)" <tr...@gmail.com>.
I'd prefer to use a submask notation; 192.168.0.0/24 (i.e.
192.168.0.0-192.168.0.255).

2008-03-12 (Wed), 16:31 +0100, Niklas Gustavsson wrote:
> Hi
> 
> I would like to replace our IpRestrictor implementation in FtpServer
> with the BlacklistFilter available in MINA. However, for FtpServer we
> would need support for ranges, i.e. 123.45.67.0-123.45.67.123 or
> 123.45.0.0-123.45.255.255. Support would be needed both for IP4 and
> IP6. Would this be of interest to add in BlacklistFilter? If not, I'll
> create a separate implementation for FtpServer.
> 
> /niklas
-- 
Trustin Lee - Principal Software Engineer, JBoss, Red Hat
--
what we call human nature is actually human habit
--
http://gleamynode.net/
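
Added example, not part of the thread and not the code committed to MINA (rev 636538): the subnet matching discussed above, written so that one byte-wise prefix comparison covers both IPv4 and IPv6, with a copy-on-write list as one possible answer to the question about an add racing a check. The class name CidrBlacklist and its methods are hypothetical, and the addresses in main() are constructed samples apart from the ranges quoted in the thread.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.List;
import java.util.concurrent.CopyOnWriteArrayList;

/** Hypothetical helper for illustration; not MINA's BlacklistFilter. */
public class CidrBlacklist {
    /** One blocked network: address bytes plus prefix length in bits. */
    private static final class Subnet {
        final byte[] network;
        final int prefixLen;
        Subnet(String cidr) throws UnknownHostException {
            int slash = cidr.indexOf('/');
            String host = slash < 0 ? cidr : cidr.substring(0, slash);
            // Pass address literals only: for a literal, getByName does no DNS lookup.
            network = InetAddress.getByName(host).getAddress();
            int maxBits = network.length * 8; // 32 for IPv4, 128 for IPv6
            // A bare address is its own subnet: 192.168.10.25 == 192.168.10.25/32.
            prefixLen = slash < 0 ? maxBits : Integer.parseInt(cidr.substring(slash + 1));
            if (prefixLen < 0 || prefixLen > maxBits) {
                throw new IllegalArgumentException("bad prefix length: " + cidr);
            }
        }
        boolean contains(InetAddress addr) {
            byte[] a = addr.getAddress();
            if (a.length != network.length) return false; // IPv4 never matches IPv6
            int fullBytes = prefixLen / 8;
            for (int i = 0; i < fullBytes; i++) {
                if (a[i] != network[i]) return false;
            }
            int rem = prefixLen % 8;
            if (rem == 0) return true;
            int mask = (0xFF << (8 - rem)) & 0xFF; // top 'rem' bits of the next byte
            return (a[fullBytes] & mask) == (network[fullBytes] & mask);
        }
    }

    // Checks iterate over an immutable snapshot, so a concurrent block() cannot
    // corrupt a lookup; a new entry is visible to checks that start after the add.
    private final List<Subnet> blocked = new CopyOnWriteArrayList<>();

    public void block(String cidr) throws UnknownHostException {
        blocked.add(new Subnet(cidr));
    }

    public boolean isBlocked(InetAddress addr) {
        for (Subnet s : blocked) {
            if (s.contains(addr)) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        CidrBlacklist bl = new CidrBlacklist();
        // 123.45.67.0-123.45.67.123 is not one subnet; it takes five prefixes
        // (.0-.63, .64-.95, .96-.111, .112-.119, .120-.123).
        for (String c : new String[] {"192.168.0.0/24", "2001:db8::/32", "123.45.67.0/26",
                "123.45.67.64/27", "123.45.67.96/28", "123.45.67.112/29", "123.45.67.120/30"}) {
            bl.block(c);
        }
        for (String ip : new String[] {"192.168.0.255", "192.168.1.0", "123.45.67.123",
                "123.45.67.124", "2001:db8:ffff::1", "2001:db9::1"}) {
            System.out.println(ip + " blocked=" + bl.isBlocked(InetAddress.getByName(ip)));
        }
    }
}
```

The family check in contains() matters for a deny list: without it, the first four bytes of an IPv6 address would be compared against an IPv4 prefix and could match by accident.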