current/SOURCES/squidGuard-1.4-dnsbl.patch

diff -Naurb squidGuard-1.4/doc/configuration.html squidGuard-1.4-dnsbl/doc/configuration.html
--- squidGuard-1.4/doc/configuration.html       2007-11-16 17:58:32.000000000 +0100
+++ squidGuard-1.4-dnsbl/doc/configuration.html 2009-03-04 18:07:15.000000000 +0100
@@ -1630,6 +1630,15 @@
      "<B><TT>^[^:/]+://[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}($|[:/])</TT></B>".
     </DD>
     <DT>
+     <B>dnsbl</B>
+    </DT>
+    <DD>
+     <B>!dnsbl</B> can be used to dynamically check domain names against
+     DNS-based blacklists, such as black.uribl.com, which is the default.
+     The DNS blacklist can be set to another domain by setting
+     !dnsbl:your.blacklist.domain.com
+    </DD>
+    <DT>
      <B>any</B>
     </DT>
     <DD>
@@ -2419,6 +2428,9 @@
    even if they would match a blocking regex:
    <BR>
    &nbsp;<TT><B>+</B></TT> limiting the usage of IP-address URLs:
+   <BR>
+   &nbsp;<TT><B>+</B></TT> blocking sites known to be part of the
+   black.uribl.com DNS blacklist.
   </P>

   <TT>
@@ -2442,7 +2454,7 @@

      acl {
         default {
-            pass local good !in-addr !porn all
+            pass local good !in-addr !porn !dnsbl:black.uribl.com all
             redirect http://localhost/cgi/blocked?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&url=%u
         }
      }
diff -Naurb squidGuard-1.4/doc/configuration.txt squidGuard-1.4-dnsbl/doc/configuration.txt
--- squidGuard-1.4/doc/configuration.txt        2007-11-16 17:58:32.000000000 +0100
+++ squidGuard-1.4-dnsbl/doc/configuration.txt  2009-03-04 18:09:39.000000000 +0100
@@ -637,6 +637,12 @@
                 "^[^:/]+://[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9
                 ]\{1,3\}($|[:/])".

+        dnsbl
+                !dnsbl can be used to dynamically check domain names against
+                DNS-based blacklists, such as black.uribl.com, which is the default.
+                The DNS blacklist can be set to another domain by setting
+                !dnsbl:your.blacklist.domain.com
+
         any
                 matches any URL and is a fast equivalent to the
                 expression ".*".
@@ -1052,6 +1058,7 @@
     + ensuring local and good sites are passed even if they would match a
    blocking regex:
     + limiting the usage of IP-address URLs:
+    + blocking sites known to be part of the black.uribl.com DNS blacklist:
      logdir /usr/local/squidGuard/log
      dbhome /usr/local/squidGuard/db

@@ -1071,7 +1078,7 @@

      acl {
          default {
-             pass local good !in-addr !porn all
+             pass local good !in-addr !porn !dnsbl:black.uribl.com all
              redirect http://localhost/cgi/blocked?clientaddr=%a&clientname=%n&
 clientuser=%i&clientgroup=%s&url=%u
          }
diff -Naurb squidGuard-1.4/doc/extended.html squidGuard-1.4-dnsbl/doc/extended.html
--- squidGuard-1.4/doc/extended.html    2007-11-16 17:58:37.000000000 +0100
+++ squidGuard-1.4-dnsbl/doc/extended.html      2009-03-04 18:15:59.000000000 +0100
@@ -168,6 +168,34 @@
 </pre>
 </td></tr></table>
 <br><br>
+
+<li> <a name=notIP> <b>Using online DNS blacklists</b></a><br><br>
+Several DNS based databases can be used to block domain names referrenced in
+blacklists. First choose which database you would like to trust (some well known
+are : http://www.uribl.com/, or http://www.surbl.org/).
+Be aware that this will raise several DNS requests every time squidGuard
+receives a request to filter. SquidGuard will not cache any DNS result, so make
+sure your DNS server does, and mesure the performance impact before using on
+production.
+To get squidGuard to request DNS dynamically and block listed domain names, just use :
+<br><br>
+<table width="75%" cellpadding="0" cellspacing="0" style="background-color: #f2fff0; border: solid 1px #2299bf;">
+<tr>
+<td style="background-color: #77afaf; border-bottom: 1px solid #888;"> <font size="-1" color=white>Blocking domain names referenced in a DNS blacklist</font>
+</td></tr>
+<tr>
+<td>
+<pre> acl {
+        default {
+                pass !dnsbl:black.uribl.com all
+                redirect http://localhost/block.html
+        }
+ }
+</pre>
+</td></tr>
+</table>
+<br><br>
+
 <li><a name=blocklog><b>Logging blocked access tries</b></a>
 <br><br>
 It may be of interest who is accessing blocked sites. To track that
diff -Naurb squidGuard-1.4/doc/extended.txt squidGuard-1.4-dnsbl/doc/extended.txt
--- squidGuard-1.4/doc/extended.txt     2007-11-16 17:58:32.000000000 +0100
+++ squidGuard-1.4-dnsbl/doc/extended.txt       2009-03-04 18:18:01.000000000 +0100
@@ -100,6 +100,29 @@
 172.16.12.0/255.255.255.0
 10.5.3.1/28

+     Using online DNS blacklists
+   Several DNS based databases can be used to block domain names referrenced in
+   blacklists. First choose which database you would like to trust (some well known
+   are : http://www.uribl.com/, or http://www.surbl.org/).
+   Be aware that this will raise several DNS requests every time squidGuard
+   receives a request to filter. SquidGuard will not cache any DNS result, so make
+   sure your DNS server does, and mesure the performance impact before using on
+   production.
+   To get squidGuard to request DNS dynamically and block listed domain names, just use :
+acl {
+        default {
+                pass !dnsbl:black.uribl.com all
+                redirect http://localhost/block.html
+        }
+}
+
+
+
+
+
+
+
+
      Logging blocked access tries
    It may be of interest who is accessing blocked sites. To track that
    down you can add a log directive to your src or dest definitions in
diff -Naurb squidGuard-1.4/src/sg.h.in squidGuard-1.4-dnsbl/src/sg.h.in
--- squidGuard-1.4/src/sg.h.in  2007-11-16 17:58:32.000000000 +0100
+++ squidGuard-1.4-dnsbl/src/sg.h.in    2009-03-04 17:38:32.000000000 +0100
@@ -68,6 +68,7 @@
 #define ACL_TYPE_DEFAULT    1
 #define ACL_TYPE_TERMINATOR 2
 #define ACL_TYPE_INADDR     3
+#define ACL_TYPE_DNSBL      4

 #define REQUEST_TYPE_REWRITE    1
 #define REQUEST_TYPE_REDIRECT   2
@@ -301,6 +302,7 @@

 struct AclDest {
   char *name;
+  char *dns_suffix;
   struct Destination *dest;
   int    access;
   int    type;
diff -Naurb squidGuard-1.4/src/sg.y.in squidGuard-1.4-dnsbl/src/sg.y.in
--- squidGuard-1.4/src/sg.y.in  2008-05-17 20:25:18.000000000 +0200
+++ squidGuard-1.4-dnsbl/src/sg.y.in    2009-03-22 21:43:08.000000000 +0100
@@ -2253,6 +2274,7 @@
      int allowed;
 #endif
 {
+  char *subval = NULL;
   struct Destination *dest = NULL;
   struct sgRewrite *rewrite = NULL;
   struct AclDest *acldest;
@@ -2264,6 +2286,9 @@
       allowed=0;
     else if(!strcmp(value,"in-addr")){
       type = ACL_TYPE_INADDR;
+    } else if (!strncmp(value,"dnsbl",5)) {
+      subval = strstr(value,":");
+      type = ACL_TYPE_DNSBL;
     } else {
       if((dest = sgDestFindName(value)) == NULL){
        sgLogFatalError("%s: ACL destination %s is not defined in configfile %s",
@@ -2278,6 +2303,25 @@
     acldest->dest = dest;
     acldest->access = allowed;
     acldest->type = type;
+    if (type == ACL_TYPE_DNSBL)
+    {
+      if ((subval==NULL) || (subval[1])=='\0')//Config does not define which dns domain to use
+      {
+       acldest->dns_suffix = (char *) sgCalloc(1,strlen(".black.uribl.com")+1);
+       strcpy(acldest->dns_suffix, ".black.uribl.com");
+      }else{
+       subval=subval+1;
+       if (strspn(subval,".-abcdefghijklmnopqrstuvwxyz0123456789") !=
+                                                    strlen(subval)  )
+         {
+           sgLogFatalError("%s: provided dnsbl \"%s\" doesn't look like a valid domain suffix",
+                           progname,subval);
+         }
+       acldest->dns_suffix = (char *) sgCalloc(1,strlen(subval)+1);
+       strcpy(acldest->dns_suffix, ".");
+       strcat(acldest->dns_suffix,subval);
+      }
+    }
     acldest->next = NULL;
     if(lastAcl->pass == NULL){
       lastAcl->pass = acldest;
@@ -2365,6 +2409,56 @@
   return acl;
 }

+char *strip_fqdn(char *domain)
+{
+  char *result;
+  result=strstr(domain,".");
+  if (result == NULL)
+    return NULL;
+  return (result+1);
+}
+
+int is_blacklisted(char *domain, char *suffix)
+{
+  char target[MAX_BUF];
+  struct addrinfo *res;
+  int result;
+  //Copying domain to target
+  if (strlen(domain)+strlen(suffix)+1>MAX_BUF)
+  {
+    //Buffer overflow risk - just return and accept
+@NOLOG1@
+    if( globalDebug == 1 ) { sgLogError("dnsbl : too long domain name - accepting without actual check"); }
+@NOLOG2@
+    return(0);
+  }
+  strncpy(target,domain,strlen(domain)+1);
+  strcat(target,suffix);
+
+  result = getaddrinfo(target,NULL,NULL,&res);
+  if (result == 0) //Result is defined
+  {
+    freeaddrinfo(res);
+    return 1;
+  }
+  //If anything fails (DNS server not reachable, any problem in the resolution,
+  //let's not block anything.
+  return 0;
+}
+
+int blocked_by_dnsbl(char *domain, char *suffix)
+{
+  char *dn=domain;
+  while ((dn !=NULL) && (strchr(dn,'.')!=NULL)) //No need to lookup "com.black.uribl.com"
+  {
+    if (is_blacklisted(dn,suffix))
+      return(1);
+    dn=strip_fqdn(dn);
+  }
+  return 0;
+}
+
+
 #if __STDC__
 char *sgAclAccess(struct Source *src, struct Acl *acl, struct SquidInfo *req)
 #else
@@ -2397,6 +2491,16 @@
        }
        continue;
       }
+      // http://www.yahoo.fr/ 172.16.2.32 - GET
+      if(aclpass->type == ACL_TYPE_DNSBL){
+       if (req->dot)
+         continue;
+       if (blocked_by_dnsbl(req->domain, aclpass->dns_suffix)){
+         access=0;
+         break;
+       }
+       continue;
+      }
       if(aclpass->dest->domainlistDb != NULL){
        result = defined(aclpass->dest->domainlistDb, req->domain, &dbdata);
        if(result != DB_NOTFOUND) {
1	diff -Naurb squidGuard-1.4/doc/configuration.html squidGuard-1.4-dnsbl/doc/configuration.html
2	--- squidGuard-1.4/doc/configuration.html 2007-11-16 17:58:32.000000000 +0100
3	+++ squidGuard-1.4-dnsbl/doc/configuration.html 2009-03-04 18:07:15.000000000 +0100
4	@@ -1630,6 +1630,15 @@
5	"<B><TT>^[^:/]+://[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}($\|[:/])</TT></B>".
6	</DD>
7	<DT>
8	+ <B>dnsbl</B>
9	+ </DT>
10	+ <DD>
11	+ <B>!dnsbl</B> can be used to dynamically check domain names against
12	+ DNS-based blacklists, such as black.uribl.com, which is the default.
13	+ The DNS blacklist can be set to another domain by setting
14	+ !dnsbl:your.blacklist.domain.com
15	+ </DD>
16	+ <DT>
17	<B>any</B>
18	</DT>
19	<DD>
20	@@ -2419,6 +2428,9 @@
21	even if they would match a blocking regex:
22	<BR>
23	<TT><B>+</B></TT> limiting the usage of IP-address URLs:
24	+ <BR>
25	+  <TT><B>+</B></TT> blocking sites known to be part of the
26	+ black.uribl.com DNS blacklist.
27	</P>
28
29	<TT>
30	@@ -2442,7 +2454,7 @@
31
32	acl {
33	default {
34	- pass local good !in-addr !porn all
35	+ pass local good !in-addr !porn !dnsbl:black.uribl.com all
36	redirect http://localhost/cgi/blocked?clientaddr=%a&clientname=%n&clientuser=%i&clientgroup=%s&url=%u
37	}
38	}
39	diff -Naurb squidGuard-1.4/doc/configuration.txt squidGuard-1.4-dnsbl/doc/configuration.txt
40	--- squidGuard-1.4/doc/configuration.txt 2007-11-16 17:58:32.000000000 +0100
41	+++ squidGuard-1.4-dnsbl/doc/configuration.txt 2009-03-04 18:09:39.000000000 +0100
42	@@ -637,6 +637,12 @@
43	"^[^:/]+://[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9
44	]\{1,3\}($\|[:/])".
45
46	+ dnsbl
47	+ !dnsbl can be used to dynamically check domain names against
48	+ DNS-based blacklists, such as black.uribl.com, which is the default.
49	+ The DNS blacklist can be set to another domain by setting
50	+ !dnsbl:your.blacklist.domain.com
51	+
52	any
53	matches any URL and is a fast equivalent to the
54	expression ".*".
55	@@ -1052,6 +1058,7 @@
56	+ ensuring local and good sites are passed even if they would match a
57	blocking regex:
58	+ limiting the usage of IP-address URLs:
59	+ + blocking sites known to be part of the black.uribl.com DNS blacklist:
60	logdir /usr/local/squidGuard/log
61	dbhome /usr/local/squidGuard/db
62
63	@@ -1071,7 +1078,7 @@
64
65	acl {
66	default {
67	- pass local good !in-addr !porn all
68	+ pass local good !in-addr !porn !dnsbl:black.uribl.com all
69	redirect http://localhost/cgi/blocked?clientaddr=%a&clientname=%n&
70	clientuser=%i&clientgroup=%s&url=%u
71	}
72	diff -Naurb squidGuard-1.4/doc/extended.html squidGuard-1.4-dnsbl/doc/extended.html
73	--- squidGuard-1.4/doc/extended.html 2007-11-16 17:58:37.000000000 +0100
74	+++ squidGuard-1.4-dnsbl/doc/extended.html 2009-03-04 18:15:59.000000000 +0100
75	@@ -168,6 +168,34 @@
76	</pre>
77	</td></tr></table>
78	<br><br>
79	+
80	+<li> <a name=notIP> <b>Using online DNS blacklists</b></a><br><br>
81	+Several DNS based databases can be used to block domain names referrenced in
82	+blacklists. First choose which database you would like to trust (some well known
83	+are : http://www.uribl.com/, or http://www.surbl.org/).
84	+Be aware that this will raise several DNS requests every time squidGuard
85	+receives a request to filter. SquidGuard will not cache any DNS result, so make
86	+sure your DNS server does, and mesure the performance impact before using on
87	+production.
88	+To get squidGuard to request DNS dynamically and block listed domain names, just use :
89	+<br><br>
90	+<table width="75%" cellpadding="0" cellspacing="0" style="background-color: #f2fff0; border: solid 1px #2299bf;">
91	+<tr>
92	+<td style="background-color: #77afaf; border-bottom: 1px solid #888;"> <font size="-1" color=white>Blocking domain names referenced in a DNS blacklist</font>
93	+</td></tr>
94	+<tr>
95	+<td>
96	+<pre> acl {
97	+ default {
98	+ pass !dnsbl:black.uribl.com all
99	+ redirect http://localhost/block.html
100	+ }
101	+ }
102	+</pre>
103	+</td></tr>
104	+</table>
105	+<br><br>
106	+
107	<li><a name=blocklog><b>Logging blocked access tries</b></a>
108	<br><br>
109	It may be of interest who is accessing blocked sites. To track that
110	diff -Naurb squidGuard-1.4/doc/extended.txt squidGuard-1.4-dnsbl/doc/extended.txt
111	--- squidGuard-1.4/doc/extended.txt 2007-11-16 17:58:32.000000000 +0100
112	+++ squidGuard-1.4-dnsbl/doc/extended.txt 2009-03-04 18:18:01.000000000 +0100
113	@@ -100,6 +100,29 @@
114	172.16.12.0/255.255.255.0
115	10.5.3.1/28
116
117	+ Using online DNS blacklists
118	+ Several DNS based databases can be used to block domain names referrenced in
119	+ blacklists. First choose which database you would like to trust (some well known
120	+ are : http://www.uribl.com/, or http://www.surbl.org/).
121	+ Be aware that this will raise several DNS requests every time squidGuard
122	+ receives a request to filter. SquidGuard will not cache any DNS result, so make
123	+ sure your DNS server does, and mesure the performance impact before using on
124	+ production.
125	+ To get squidGuard to request DNS dynamically and block listed domain names, just use :
126	+acl {
127	+ default {
128	+ pass !dnsbl:black.uribl.com all
129	+ redirect http://localhost/block.html
130	+ }
131	+}
132	+
133	+
134	+
135	+
136	+
137	+
138	+
139	+
140	Logging blocked access tries
141	It may be of interest who is accessing blocked sites. To track that
142	down you can add a log directive to your src or dest definitions in
143	diff -Naurb squidGuard-1.4/src/sg.h.in squidGuard-1.4-dnsbl/src/sg.h.in
144	--- squidGuard-1.4/src/sg.h.in 2007-11-16 17:58:32.000000000 +0100
145	+++ squidGuard-1.4-dnsbl/src/sg.h.in 2009-03-04 17:38:32.000000000 +0100
146	@@ -68,6 +68,7 @@
147	#define ACL_TYPE_DEFAULT 1
148	#define ACL_TYPE_TERMINATOR 2
149	#define ACL_TYPE_INADDR 3
150	+#define ACL_TYPE_DNSBL 4
151
152	#define REQUEST_TYPE_REWRITE 1
153	#define REQUEST_TYPE_REDIRECT 2
154	@@ -301,6 +302,7 @@
155
156	struct AclDest {
157	char *name;
158	+ char *dns_suffix;
159	struct Destination *dest;
160	int access;
161	int type;
162	diff -Naurb squidGuard-1.4/src/sg.y.in squidGuard-1.4-dnsbl/src/sg.y.in
163	--- squidGuard-1.4/src/sg.y.in 2008-05-17 20:25:18.000000000 +0200
164	+++ squidGuard-1.4-dnsbl/src/sg.y.in 2009-03-22 21:43:08.000000000 +0100
165	@@ -2253,6 +2274,7 @@
166	int allowed;
167	#endif
168	{
169	+ char *subval = NULL;
170	struct Destination *dest = NULL;
171	struct sgRewrite *rewrite = NULL;
172	struct AclDest *acldest;
173	@@ -2264,6 +2286,9 @@
174	allowed=0;
175	else if(!strcmp(value,"in-addr")){
176	type = ACL_TYPE_INADDR;
177	+ } else if (!strncmp(value,"dnsbl",5)) {
178	+ subval = strstr(value,":");
179	+ type = ACL_TYPE_DNSBL;
180	} else {
181	if((dest = sgDestFindName(value)) == NULL){
182	sgLogFatalError("%s: ACL destination %s is not defined in configfile %s",
183	@@ -2278,6 +2303,25 @@
184	acldest->dest = dest;
185	acldest->access = allowed;
186	acldest->type = type;
187	+ if (type == ACL_TYPE_DNSBL)
188	+ {
189	+ if ((subval==NULL) \|\| (subval[1])=='\0')//Config does not define which dns domain to use
190	+ {
191	+ acldest->dns_suffix = (char *) sgCalloc(1,strlen(".black.uribl.com")+1);
192	+ strcpy(acldest->dns_suffix, ".black.uribl.com");
193	+ }else{
194	+ subval=subval+1;
195	+ if (strspn(subval,".-abcdefghijklmnopqrstuvwxyz0123456789") !=
196	+ strlen(subval) )
197	+ {
198	+ sgLogFatalError("%s: provided dnsbl \"%s\" doesn't look like a valid domain suffix",
199	+ progname,subval);
200	+ }
201	+ acldest->dns_suffix = (char *) sgCalloc(1,strlen(subval)+1);
202	+ strcpy(acldest->dns_suffix, ".");
203	+ strcat(acldest->dns_suffix,subval);
204	+ }
205	+ }
206	acldest->next = NULL;
207	if(lastAcl->pass == NULL){
208	lastAcl->pass = acldest;
209	@@ -2365,6 +2409,56 @@
210	return acl;
211	}
212
213	+char strip_fqdn(char domain)
214	+{
215	+ char *result;
216	+ result=strstr(domain,".");
217	+ if (result == NULL)
218	+ return NULL;
219	+ return (result+1);
220	+}
221	+
222	+int is_blacklisted(char domain, char suffix)
223	+{
224	+ char target[MAX_BUF];
225	+ struct addrinfo *res;
226	+ int result;
227	+ //Copying domain to target
228	+ if (strlen(domain)+strlen(suffix)+1>MAX_BUF)
229	+ {
230	+ //Buffer overflow risk - just return and accept
231	+@NOLOG1@
232	+ if( globalDebug == 1 ) { sgLogError("dnsbl : too long domain name - accepting without actual check"); }
233	+@NOLOG2@
234	+ return(0);
235	+ }
236	+ strncpy(target,domain,strlen(domain)+1);
237	+ strcat(target,suffix);
238	+
239	+ result = getaddrinfo(target,NULL,NULL,&res);
240	+ if (result == 0) //Result is defined
241	+ {
242	+ freeaddrinfo(res);
243	+ return 1;
244	+ }
245	+ //If anything fails (DNS server not reachable, any problem in the resolution,
246	+ //let's not block anything.
247	+ return 0;
248	+}
249	+
250	+int blocked_by_dnsbl(char domain, char suffix)
251	+{
252	+ char *dn=domain;
253	+ while ((dn !=NULL) && (strchr(dn,'.')!=NULL)) //No need to lookup "com.black.uribl.com"
254	+ {
255	+ if (is_blacklisted(dn,suffix))
256	+ return(1);
257	+ dn=strip_fqdn(dn);
258	+ }
259	+ return 0;
260	+}
261	+
262	+
263	#if __STDC__
264	char sgAclAccess(struct Source src, struct Acl acl, struct SquidInfo req)
265	#else
266	@@ -2397,6 +2491,16 @@
267	}
268	continue;
269	}
270	+ // http://www.yahoo.fr/ 172.16.2.32 - GET
271	+ if(aclpass->type == ACL_TYPE_DNSBL){
272	+ if (req->dot)
273	+ continue;
274	+ if (blocked_by_dnsbl(req->domain, aclpass->dns_suffix)){
275	+ access=0;
276	+ break;
277	+ }
278	+ continue;
279	+ }
280	if(aclpass->dest->domainlistDb != NULL){
281	result = defined(aclpass->dest->domainlistDb, req->domain, &dbdata);
282	if(result != DB_NOTFOUND) {