Vincent Lefevre put forth on 11/4/2010 7:49 PM:
> On 2010-11-04 20:33:11 -0400, Wietse Venema wrote:
>> check_client_access searches the address and domain with ALL lookup
>> table types. It just doesn't do the substring lookups with PCRE,
>> REGEXP and CIDR.
>
> If I understand correctly, there's another difference: in the default
> table format, the string to be checked depends on the pattern form
> (e.g. hostname for domain.tld, IP address for net.work.addr.ess), but
> for pcre, both strings are checked against all patterns?
>
> So, with pcre, if I want to check whether the IP address starts with
> 1.2.3, I need something like:
>
> /^1\.2\.3\.[0-9]+$/
>
> because /^1\.2\.3\./ could also match hostnames (I've noticed in my
> mail archives that hostnames of this form occur in practice).

This is why you need to use "fully qualified" patterns when matching
forward/reverse hostnames. For example:

/^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.dyn\.isp\.net$/ REJECT

In practice, most ISPs don't have a /8 worth of dynamically assigned
addresses, usually a /16 or less. So for a specific ISP dynamic range
it would look more like this:

/^201\.33\.[0-9]{1,3}\.[0-9]{1,3}\.dyn\.isp\.net$/ REJECT

That will match a /16 of rDNS patterns only at the ISP "isp.net"

--
Stan
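
The pitfall discussed in this thread, as an added example that is not part of the original messages: a small checker that runs the thread's three patterns against both lookup keys (client hostname and client address) and shows which kind of key each pattern can hit. The sample clients, the action text after REJECT, the helper names and the hostname-then-address lookup order are assumptions, and Python's `re` stands in for PCRE.

```python
import re

# Constructed sample table in pcre_table syntax: /pattern/ action
TABLE = r"""
/^1\.2\.3\./                                        REJECT loose prefix
/^1\.2\.3\.[0-9]+$/                                 REJECT anchored address
/^201\.33\.[0-9]{1,3}\.[0-9]{1,3}\.dyn\.isp\.net$/  REJECT dynamic rDNS
"""

# Constructed clients: (reverse hostname, IP address)
CLIENTS = [
    ("1.2.3.4.static.example.org", "198.51.100.7"),
    ("mail.example.com", "1.2.3.99"),
    ("201.33.10.20.dyn.isp.net", "201.33.10.20"),
]

def parse_table(text):
    """Return [(source, compiled_regex, action)] for each /pattern/ action line."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"\s*/(.+)/\s+(.+?)\s*$", line)
        if m:  # blank lines and comments do not match
            # pcre tables match case-insensitively by default
            rules.append((m.group(1), re.compile(m.group(1), re.I), m.group(2)))
    return rules

def lookup(rules, hostname, address):
    """Simplified model (assumption): hostname first, then address, first match wins."""
    for kind, key in (("hostname", hostname), ("address", address)):
        for source, rx, action in rules:
            if rx.search(key):
                return kind, source, action
    return None

def key_kinds(rx, clients):
    """Which kinds of lookup key does this pattern match across the samples?"""
    kinds = set()
    for hostname, address in clients:
        if rx.search(hostname):
            kinds.add("hostname")
        if rx.search(address):
            kinds.add("address")
    return kinds

if __name__ == "__main__":
    rules = parse_table(TABLE)
    for source, rx, action in rules:
        print(f"{source:55} matches {sorted(key_kinds(rx, CLIENTS))}")
    for client in CLIENTS:
        print(client, "->", lookup(rules, *client))
```

A pattern that reports both key kinds is the one to tighten: anchor it with `$` for an address match, or qualify it with the ISP's domain suffix for an rDNS match.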