NAME
ThreatNet::Filter::Network - Filter events within a set of IP ranges
SYNOPSIS
    # Filter for IPs in our broadband customers' range
    my $Broadband = ThreatNet::Filter::Network->new( keep => '123.123.0.0/16' );

    # Create a filter for "local" and other things we want to discard
    # (including our own personal broadband IP in the above network)
    my $NotLocal = ThreatNet::Filter::Network->new( discard => qw{
        123.123.123.123
        LOCAL
        111.245.76.248/29
        222.234.52.192/29
    } );

    sub boot_zombies {
        my $Msg = shift;
        if ( $Broadband->keep($Msg) and $NotLocal->keep($Msg) ) {
            my $account = $RadiusServer->ip_to_account($Msg->ip);
            $account->disable();
            $account->disconnect();
            $account->add_support_note("You are infected with a virus");
        }
    }
DESCRIPTION
ThreatNet::Filter::Network is a filter class for creating network filters: that is, for filtering an event stream down to just those events that did (or did not) occur within a particular network.

A filter checks in one of two modes. The keep keyword as first argument indicates that events should be kept if they match any of the networks. The discard keyword as first argument indicates that events should be kept only if they match none of the networks.

For more complex network masks, see the ThreatNet::Filter::Chain class for chaining groups of keep and discard filters together.
Specifying the Networks
The actual matching is done using the Net::IP::Match::XS module. Any range specification accepted by Net::IP::Match::XS can therefore also be used with ThreatNet::Filter::Network.
Keyword Expansion
In addition to the normal IP specifications above, ThreatNet::Filter::Network also supports keyword expansion for a number of standard sets of network masks. When specified by name, a keyword is expanded into a list of IP ranges. Thus you can do something like the following.

    my $Remove = ThreatNet::Filter::Network->new(
        discard => 'RFC1918', '123.123.123.0/24'
    );

This will filter out the three standard "local" IP blocks specified by RFC1918, plus the additional range 123.123.123.0 - 123.123.123.255.
All keywords are case-insensitive.
RFC1918
The RFC1918 keyword is expanded to the three network blocks reserved for local intranets. This specifically does NOT include the localhost address space.
RFC3330
The RFC3330 keyword is expanded to a larger set of network blocks restricted for various purposes, as identified in RFC3330. This includes those from RFC1918, the localhost block, and several additional blocks reserved for benchmarking, IP 6to4 identifiers and various other purposes that should not appear in threat messages.
Where correctness is a factor, such as posting to a non-tolerant channel, this filter should be applied before issuing messages, as events from these blocks are highly likely to be fraudulent or technically nonsensical.
LOCAL
The LOCAL keyword is expanded to the most common interpretation of a "local" address: the RFC1918 addresses plus the 127.0.0.0/8 localhost block.
Message Compatibility
Please note that because the module on which this filter is based only supports IPv4 ranges, this filter class is only capable of processing ThreatNet::Message::IPv4 (or subclass) objects. Any other message type passed to keep will return undef, and the filter will thus act as a null filter in most configurations.
METHODS
new ('keep' | 'discard'), $network, ...
The new constructor takes a first parameter of either keep or discard, followed by a list of one or more values, each of which is either an expandable keyword or an IP range compatible with Net::IP::Match::XS. A ThreatNet filter is created which limits a message stream to events either inside or outside of the resulting network.
Returns a new ThreatNet::Filter::Network object, or undef if given invalid params.
type
The type accessor returns the type of the network filter. Returns either 'keep' or 'discard'.
network
The network accessor returns the list of IP ranges as provided to the constructor.
keep $Message
The keep method takes a ThreatNet::Message::IPv4 message as per the ThreatNet::Filter specification, and checks it against the network specification and the keep|discard type.
Returns true if the message should be kept, false if not, or undef on error.
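The keep/discard semantics, the case-insensitive keyword expansion, the undef-on-invalid-params behaviour of new and the IPv4-only behaviour of keep, modelled in Python as an added example. This is not the module's own code (the module is Perl and delegates matching to Net::IP::Match::XS); it uses only the standard library ipaddress module. The KEYWORDS table follows the documentation for RFC1918 and LOCAL, while the RFC3330 entry is an assumed, illustrative subset rather than the module's exact table. The IPv4Message class, the new() factory and the should_boot() function are constructed stand-ins for the Perl objects and the boot_zombies subroutine in the SYNOPSIS.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Keyword tables modelled on the documentation. RFC1918 and LOCAL follow the
# text exactly; the RFC3330 entry is an illustrative subset (assumption: the
# module's own table is larger than this).
KEYWORDS = {
    "RFC1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
}
KEYWORDS["LOCAL"] = KEYWORDS["RFC1918"] + ["127.0.0.0/8"]
KEYWORDS["RFC3330"] = KEYWORDS["RFC1918"] + [
    "0.0.0.0/8",        # "this" network
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "192.0.2.0/24",     # TEST-NET
    "192.88.99.0/24",   # 6to4 relay anycast
    "198.18.0.0/15",    # benchmarking
    "224.0.0.0/4",      # multicast
    "240.0.0.0/4",      # reserved
]


def expand(specs):
    """Expand keywords (case-insensitive) into CIDR strings; other values pass through."""
    out = []
    for spec in specs:
        out.extend(KEYWORDS.get(spec.upper(), [spec]))
    return out


@dataclass
class IPv4Message:
    """Constructed stand-in for ThreatNet::Message::IPv4: only the ip attribute matters here."""
    ip: str


class NetworkFilter:
    def __init__(self, mode, nets, specs):
        self.type = mode            # 'keep' or 'discard', as the type accessor returns
        self.network = list(specs)  # ranges exactly as given, as the network accessor returns
        self._nets = nets           # parsed IPv4Network objects used for matching

    def keep(self, msg) -> Optional[bool]:
        """True to keep, False to drop, None (undef) for anything that is not an IPv4 message."""
        try:
            addr = ipaddress.IPv4Address(getattr(msg, "ip", None))
        except ValueError:
            return None
        matched = any(addr in net for net in self._nets)
        return matched if self.type == "keep" else not matched


def new(mode, *specs) -> Optional[NetworkFilter]:
    """Factory mirroring the constructor contract: None (undef) on invalid params."""
    if mode not in ("keep", "discard") or not specs:
        return None
    try:
        nets = [ipaddress.ip_network(s, strict=False) for s in expand(specs)]
    except ValueError:
        return None
    if any(net.version != 4 for net in nets):
        return None  # the underlying matcher only supports IPv4 ranges
    return NetworkFilter(mode, nets, specs)


# The two filters from the SYNOPSIS (constructed sample ranges).
BROADBAND = new("keep", "123.123.0.0/16")
NOT_LOCAL = new("discard", "123.123.123.123", "LOCAL",
                "111.245.76.248/29", "222.234.52.192/29")


def should_boot(msg) -> bool:
    """Mirror of the boot_zombies condition: both filters must keep the message."""
    return bool(BROADBAND.keep(msg) and NOT_LOCAL.keep(msg))


if __name__ == "__main__":
    for ip in ("123.123.1.1", "123.123.123.123", "10.1.1.1", "2001:db8::1"):
        print(ip, should_boot(IPv4Message(ip)))
```

Because keep returns None for a non-IPv4 message, the `and` in should_boot short-circuits to a false value, which is the "null filter" behaviour the Message Compatibility section describes when the filter sits in a conjunction like the SYNOPSIS one.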
SUPPORT
All bugs should be filed via the bug tracker at
http://rt.cpan.org/NoAuth/ReportBug.html?Queue=ThreatNet-Filter
For other issues, or commercial enhancement and support, contact the author.
AUTHORS
Adam Kennedy <adamk@cpan.org>
SEE ALSO
http://ali.as/devel/threatnetwork.html, ThreatNet::Filter, ThreatNet::Message::IPv4.
COPYRIGHT
Copyright (c) 2005 Adam Kennedy. All rights reserved. This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.
The full text of the license can be found in the LICENSE file included with this module.