fix #2129: allow (some) filters for dnsbl-entry

currently we only handle dnsbl-sites with optional <WEIGHT>, but postfix also
allows for an optional <FILTER> (which dns-answers to interpret as hit) [0].

The regex is extended to also allow for a filter with singular answers, as
well as ranges ([0..255])for each octet. Filters relying on 'lists' of numbers
split by ';' break the use of JSONSchema's '-list' format matching (it
uses split_list, which splits on ';') and were thus excluded.

[0] http://www.postfix.org/postconf.5.html#postscreen_dnsbl_sites

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>

diff --git a/PMG/Config.pm b/PMG/Config.pm
index 21bc204ff9b277162eb14b5318bc70621b998fab..b2e1c6c9a428ae9bcca3cd5cf3e381a5ba14370b 100755 (executable)
--- a/PMG/Config.pm
+++ b/PMG/Config.pm
@@ -715,10 +715,15 @@ PVE::JSONSchema::register_format(
 sub pmg_verify_dnsbl_entry {
     my ($name, $noerr) = @_;
 
-    # like dns-name, but can contain trailing weight: 'domain*<WEIGHT>'
+    # like dns-name, but can contain trailing filter and weight: 'domain=<FILTER>*<WEIGHT>'
+    # see http://www.postfix.org/postconf.5.html#postscreen_dnsbl_sites
+    # we don't implement the ';' separated numbers in pattern, because this
+    # breaks at PVE::JSONSchema::split_list
     my $namere = "([a-zA-Z0-9]([a-zA-Z0-9\-]*[a-zA-Z0-9])?)";
 
-    if ($name !~ /^(${namere}\.)*${namere}(\*\-?\d+)?$/) {
+    my $dnsbloctet = qr/[0-9]+|\[(?:[0-9]+\.\.[0-9]+)\]/;
+    my $filterre = qr/=$dnsbloctet(:?\.$dnsbloctet){3}/;
+    if ($name !~ /^(${namere}\.)*${namere}(:?${filterre})?(?:\*\-?\d+)?$/) {
           return undef if $noerr;
           die "value '$name' does not look like a valid dnsbl entry\n";
     }