commit - 178ebd8a074bdc2986f2cc10ddf3c69fe4058d33
commit + eb7b9c0cd148ddc6bdbebeb7f5984d1245b33156
blob - de09fcea1171a044591f0bdc0a08e28675aa389b
blob + d80a0b87e95845194e8b13b40c12c2d1056b55a0
--- ard.pl
+++ ard.pl
@@ -124,10 +124,11 @@ sub http_child {
 		my ($first, $token, $hostname) = split(/\//, $r->uri->as_string);
 		$hostname = (!defined($hostname) ? $token : lc($hostname));
 		my $fqdn = "${hostname}.${domain}";
+		my $protected = system("pfctl -qt protected -T test $client_ip 2> /dev/null");
 
 		if ($ip->overlaps($ipv4_range) or $ip->overlaps($ipv6_range)) {
 
-			if ($token eq 'token') {
+			if ($token eq 'token' and $protected) {
 				my $token = sha1_hex(int(rand(32)));
 				open my $fh_token, '>', "${workdir}/tokens/${token}";
 				print $fh_token "$client_ip\n";
@@ -136,8 +137,15 @@ sub http_child {
 				_log("$client_ip $token");
 				_http_response($c, {content_type => 'text/plain'}, "$token");
 
-			} elsif (-e  "${workdir}/tokens/$token" and ($hostname =~ /^[a-zA-Z0-9-]{1,20}$/)) {
+			} elsif ($token eq 'protect') {
+				my $protect = qx(pfctl -t protected -T add $client_ip 2>&1);
+				chomp $protect;
 
+				_log("$client_ip $token $protect");
+				_http_response($c, {content_type => 'text/plain'}, "Received [$client_ip -> protect] $protect");
+
+			} elsif (-e  "${workdir}/tokens/$token" and ($hostname =~ /^[a-zA-Z0-9-]{1,20}$/) and $protected) {
+
 				open my $fh, '>', "${workdir}/records/${client_ip}";
 				if ($ip->overlaps($ipv4_range)) {
 					print $fh sprintf("%s\t\tIN\tA\t%s\n", $hostname, $client_ip);
@@ -155,7 +163,7 @@ sub http_child {
 				_http_error($c, RC_REQUEST_TIMEOUT);
 
 			} else {
-				_log("$client_ip RC_BAD_REQUEST $hostname");
+				_log("$client_ip RC_BAD_REQUEST $hostname ($protected)");
 				_http_error($c, RC_BAD_REQUEST);
 			}