commit bf244d01e4bfd0aac0fc4a2260aeac631b75322d from: mischa date: Mon May 08 07:49:51 2023 UTC add protect function, and check if IP is in the protected pf table commit - 04eb7c9266684569d1952994f81055ac3d33a4ac commit + bf244d01e4bfd0aac0fc4a2260aeac631b75322d blob - b6e64ac0d60e6a413aac75609759c47d49f28874 blob + 516d006f0c17e3adcb0ce727b3ae4d97033eb629 --- ptrd.pl +++ ptrd.pl @@ -126,10 +126,11 @@ sub http_child { my ($first, $token, $hostname) = split(/\//, $r->uri->as_string); my $tld = (defined($hostname) ? substr($hostname, rindex($hostname, '.')+1) : ''); $hostname = (!defined($hostname) ? $token : lc($hostname)); + my $protected = system("pfctl -qt protected -T test $client_ip 2> /dev/null"); if ($ip->overlaps($ipv4_range) or $ip->overlaps($ipv6_range)) { - if ($token eq 'token') { + if ($token eq 'token' and $protected) { my $token = sha1_hex(int(rand(32))); open my $fh_token, '>', "${workdir}/tokens/${token}"; print $fh_token "$client_ip\n"; @@ -138,8 +139,15 @@ sub http_child { _log("$client_ip $token"); _http_response($c, {content_type => 'text/plain'}, "$token"); - } elsif (-e "${workdir}/tokens/$token" and grep(/^${tld}$/i, @tlds) and ($hostname =~ /(?=^.{4,253}$)(^((?!-)[a-zA-Z0-9-]{1,63}(?&1); + chomp $protect; + _log("$client_ip $token $protect"); + _http_response($c, {content_type => 'text/plain'}, "Received [$client_ip -> protect] $protect"); + + } elsif (-e "${workdir}/tokens/$token" and grep(/^${tld}$/i, @tlds) and ($hostname =~ /(?=^.{4,253}$)(^((?!-)[a-zA-Z0-9-]{1,63}(?', "${workdir}/records/${client_ip}"; if ($ip->overlaps($ipv4_range)) { my $ptr = substr($client_ip, rindex($client_ip, '.')+1); @@ -170,7 +178,7 @@ sub http_child { _http_error($c, RC_REQUEST_TIMEOUT); } else { - _log("$client_ip RC_BAD_REQUEST $hostname"); + _log("$client_ip RC_BAD_REQUEST $hostname ($protected)"); _http_error($c, RC_BAD_REQUEST); }
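Review bot: The added `system("pfctl -qt protected -T test $client_ip 2> /dev/null")` keeps the raw wait status, so `$protected` is true when the address is not in the table and also when pfctl cannot be run (system returns -1) or the table is missing. That makes `$token eq 'token' and $protected` fail open, and the variable name reads backwards. List form with an explicit exit-code test, e.g. `my $in_table = system('pfctl', '-qt', 'protected', '-T', 'test', $client_ip) == 0;`, keeps the shell out of the path (stderr then has to be silenced another way) and lets an error be handled separately from "not in table"; where `$client_ip` comes from is outside the hunk. The call also runs on every request before the range check, and the last hunk logs the same raw status as `($protected)`. Separately, the context line `sha1_hex(int(rand(32)))` can only produce 32 distinct tokens, so the token gating these requests is guessable and should come from a CSPRNG such as a read from `/dev/urandom`.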
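Review bot: Command output appears to be returned to the requester in the new protect branch, through `"Received [$client_ip -> protect] $protect"`. The assignment of `$protect` is truncated in this rendering of the page (the text between the hostname regex and `chomp $protect` is missing), but the `chomp` suggests it holds pfctl output, including any error text. Keep that detail in `_log` and answer with a fixed string such as `"Received [$client_ip -> protect]"`. The `-e "${workdir}/tokens/$token"` test, which presumably gates the new branch as well, is true for any existing path under tokens/ and `$token` comes straight from the request URI, so it should be format-checked first, e.g. `$token =~ /\A[0-9a-f]{40}\z/ and -f "${workdir}/tokens/$token"`. http_child starts and ends outside the hunk.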