Checkgroups handling

Julien ÉLIE julien at trigofacile.com
Sat Mar 7 21:45:06 UTC 2009 

Hi Russ,

> 1. Build a list of applicable rules by suppressing earlier rules that are
>    overridden by later ones.  I think we can do this by saying that if the
>    first three components of the rule are the same, the later rule is
>    taken to be an override of the earlier rule and the earlier rule is
>    deleted.  (However, see below.)
>
> 2. For an incoming checkgroups, find all checkgroups rules that match that
>    from address.  If any of them have verify actions, ensure that the
>    checkgroups is signed by that key and discard all rules where that
>    validation fails.
>
> 3. For each rule remaining, apply the pattern as a filter and act on the
>    checkgroups after non-matching lines have been filtered out.

[...]

> We can't just make drop special since the user may use mail or some other
> action in the override.

Why not something like that:

  foo.bar1
  foo.bar2.first
  foo.bar2.second
  foo.bar3.first
  foo.bar3.second
  foo.bar4
  foo.bar5

checkgroups:from:foo.*:verify-key-foo
checkgroups:from:foo.bar2.*:doit
checkgroups:from:foo.bar3.*:mail
checkgroups:from:foo.bar5:drop

(4) => exclusion-list=foo.bar5
(3) => We check for foo.bar3.first and foo.bar3.second in foo.bar3.*
       (minus the exclusion-list) and mail the result.
       exclusion-list=foo.bar5,foo.bar3.*
(2) => We check for foo.bar2.first and foo.bar2.second in foo.bar2.*
       (minus the exclusion-list) and do the necessary changes.
       exclusion-list=foo.bar5,foo.bar3.*,foo.bar2.*
(1) => We check for foo.bar1 and foo.bar4 in foo.* (minus the
       exclusion-list) and do the necessary changes if the checkgroups
       is verified.


> This gets rather complicated, and in thinking
> about it for five minutes or so, I'm having a hard time coming up with the
> right mental model for it.

Then why not just add to your step 3 the fact that after processing each rule,
an exclusion list is updated (and also passed as the second argument to
docheckgroups).


>>  Do you see other control.ctl issues?
>
> Well, there's the basic syntactical problem that the current syntax
> unfortunately conflates verification (verify-key) and action.   The key
> should really be a separate field.

Hopefully we can handle everything with the current syntax (verify-*=file,
verify-*=mail and verify-*).


> There's also the problem that the
> syntax doesn't distinguish between additive rules that should also be
> processed and overrides of existing rules.
> Also, it would be nice to use wildmats instead of the weird | thing so
> that you can say something like comp.*,!*binaries*.

Sure.  Maybe we do not need to make a change there, especially if control.ctl
is converted one day so that it can be parsed by the configuration parser
you wrote.

-- 
Julien ÉLIE

« Mon âme a son secret, ma vie a son mystère. » (Félix Arvers)

More information about the inn-workers mailing list