Robert Lopez wrote:
> Man for CIDR_TABLE(5) says:
> 
> " /etc/postfix/client.cidr:
>            # Rule order matters. Put more specific whitelist entries
>            # before more general blacklist entries.
>            192.168.1.1             OK
>            192.168.0.0/16          REJECT
> "
> 
> I have been google-ing for information on order in a CIDR table to
> help me understand exactly just what the above says.
> 
> "Rule order matters." states this is important to understand.
> 
> The point that whitelist (OK) should occur before blacklist (REJECT) is clear.
> 
> Is there any more about order that is important to understand?
> 

No, there's no more "about order ..." than this:
        first match wins

> It seems to me DUNNO is a sort of whitelist action so is there an
> order for OK and DUNNO?

You are confusing the search part with the result part.

When searching a map, it's a "go get it": it doesn't matter what the dog
gets. What matters is the search key. In short, it is a "find an entry
that matches this key". Once a match is found, return the result.


> Is there any order for DISCARD and REJECT?

Postfix uses maps for many things (virtual_alias_maps, relay_domains,
...). You don't think it relies on REJECT or DISCARD in such maps, do
you? Map lookup is independent of the lookup result. (Search order
depends on the map type, but not on the result.)

> Are there any other "more specific" issues with the
> actions OK, REJECT, DISCARD, DUNNO, etc.?
> 
> I think the order of the entries should be in increasing numeric
> order. Is that reasonable?
> 
> The man page example above could be stating that an entry in
> the form of a complete IP (192.168.1.1) is more specific than a CIDR
> (192.168.0.0/16) address.
> Is that true?
> 
> Am I safe to create a CIDR table which has two parts: first a
> whitelist part and then a blacklist part, where each of those two
> parts would first list all the exact IPs and then list all the CIDR
> patterns?

If you want general client policies, create a list ordered by the client
IP. Something like:

192.168.1.2     OK
192.168.1.0/24  DUNNO
192.168.2.3     REJECT blah
192.168.2.0/24  DUNNO
192.168.0.0/16  FILTER somefilter


In short, create client-based policies, not result-based policies.

> Or is it sufficient to have first the whitelist then the blacklist
> with no further concern for the order within each part?
> 

In most cases, you want a whitelist first and a blacklist later. This
is easier to manage (and less error-prone than a general per-client policy).
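
To make "first match wins" concrete, here is an added example (not code from this thread or from Postfix) that simulates cidr_table(5) lookups in Python: the man page's two rules in the documented order and reversed, plus the per-client table from the reply above. The table text is constructed for the example; the parser is a simplification that ignores the `!` negation and `if`/`endif` syntax of newer Postfix releases and masks off any host bits in a pattern. The `shadowed_rules` linter is the check you would want before deploying such a table: it reports entries that can never match because an earlier, broader entry already covers them.

```python
"""Simulate Postfix cidr_table(5) lookups to see why rule order matters.

Added example, not code from the thread or from Postfix. It models the
documented lookup rule ("first match wins") with the Python standard
library and adds a small linter for entries that can never match.
"""
import ipaddress

# Constructed tables. The first two are the man page example from the
# thread, once in the documented order and once reversed.
GOOD_ORDER = """
# Rule order matters. Put more specific whitelist entries
# before more general blacklist entries.
192.168.1.1             OK
192.168.0.0/16          REJECT
"""

BAD_ORDER = """
192.168.0.0/16          REJECT
192.168.1.1             OK
"""

# The per-client policy table posted in the reply.
CLIENT_POLICY = """
192.168.1.2     OK
192.168.1.0/24  DUNNO
192.168.2.3     REJECT blah
192.168.2.0/24  DUNNO
192.168.0.0/16  FILTER somefilter
"""


def parse_cidr_table(text):
    """Return an ordered list of (network, result, line_number).

    A pattern without a prefix length is a single host (/32 or /128).
    Blank lines and '#' comments are skipped. The result is everything
    after the pattern, so 'REJECT blah' keeps its text. Host bits in a
    pattern are masked off (a simplification chosen for this example).
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'pattern result', got {line!r}")
        net = ipaddress.ip_network(parts[0], strict=False)
        rules.append((net, parts[1].strip(), lineno))
    return rules


def lookup(rules, client_ip):
    """First match wins: return the result of the first rule whose network
    contains client_ip, or None when no rule matches."""
    addr = ipaddress.ip_address(client_ip)
    for net, result, _ in rules:
        if addr.version == net.version and addr in net:
            return result
    return None


def shadowed_rules(rules):
    """Report rules that can never match because an earlier rule already
    covers their whole network. Returns (shadowed_line, shadowing_line)."""
    found = []
    for i, (net, _, lineno) in enumerate(rules):
        for earlier_net, _, earlier_lineno in rules[:i]:
            if net.version == earlier_net.version and net.subnet_of(earlier_net):
                found.append((lineno, earlier_lineno))
                break
    return found


if __name__ == "__main__":
    for name, table in (("good order", GOOD_ORDER), ("bad order", BAD_ORDER)):
        rules = parse_cidr_table(table)
        print(f"{name}: 192.168.1.1 -> {lookup(rules, '192.168.1.1')}, "
              f"shadowed: {shadowed_rules(rules)}")
    policy = parse_cidr_table(CLIENT_POLICY)
    for ip in ("192.168.1.2", "192.168.1.9", "192.168.2.3", "192.168.5.5", "10.0.0.1"):
        print(f"policy: {ip} -> {lookup(policy, ip)}")
```

In the reversed table the host entry is reported as shadowed and 192.168.1.1 is rejected, which is exactly the mistake the man page comment warns about. A client that matches no entry gets None here; in Postfix a lookup with no match has the same effect as DUNNO, and evaluation continues with the next restriction. Against a real Postfix installation the equivalent check is `postmap -q 192.168.1.1 cidr:/etc/postfix/client.cidr`, which prints the result of the first matching rule.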
