atmos/ban2fail
1
1
Fork 0
mirror of https://github.com/jrbrtsn/ban2fail synced 2024-06-16 11:58:01 +00:00
Code Issues Releases Wiki Activity

Fixes for ipv6/iptables issues

Browse Source
This commit is contained in:
john 2019-11-24 17:12:21 -05:00
parent 0dbb96cc78
commit 2702259c8c
3 changed files with 84 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
ban2fail.c
View File

@ -85,8 +85,8 @@ struct Global G= {
.version= { .version= {
.major= 0, .major= 0,
.minor= 9, .minor= 10,
.patch= 7 .patch= 0
} }
}; };
@ -376,7 +376,7 @@ main(int argc, char **argv)
/* Print out only for list option */ /* Print out only for list option */
if(G.flags & GLB_LIST_ADDR_FLG) { if(G.flags & GLB_LIST_ADDR_FLG) {
ez_fprintf(stdout, "%-15s: %5u / %u\t offenses %s (%s)\n" ez_fprintf(stdout, "%-15s\t%5u/%-4u offenses %s (%s)\n"
, e->addr , e->addr
, e->count , e->count
, nAllowed , nAllowed

1
ban2fail.h
View File

@ -40,6 +40,7 @@
#define LOCKPATH "/run/lock/ban2fail" #define LOCKPATH "/run/lock/ban2fail"
#define CACHEDIR "/var/cache/ban2fail" #define CACHEDIR "/var/cache/ban2fail"
#define IPTABLES "/usr/sbin/iptables" #define IPTABLES "/usr/sbin/iptables"
#define IP6TABLES "/usr/sbin/ip6tables"
#define GEOIP_DB "/usr/share/GeoIP/GeoIP.dat" #define GEOIP_DB "/usr/share/GeoIP/GeoIP.dat"
#define GEOIP6_DB "/usr/share/GeoIP/GeoIPv6.dat" #define GEOIP6_DB "/usr/share/GeoIP/GeoIPv6.dat"

84
iptables.c
View File

@ -49,7 +49,23 @@ initialize (void)
FILE *fh= ez_popen(IPTABLES " -nL INPUT 2>/dev/null", "r"); FILE *fh= ez_popen(IPTABLES " -nL INPUT 2>/dev/null", "r");
for(unsigned i= 0; ez_fgets(lbuf, sizeof(lbuf)-1, fh); ++i) { for(unsigned i= 0; ez_fgets(lbuf, sizeof(lbuf)-1, fh); ++i) {
if(0 == i || 1 == i) continue; if(0 == i || 1 == i) continue;
if(1 != sscanf(lbuf, "DROP all -- %63s 0.0.0.0/0", addr)) continue; if(1 != sscanf(lbuf, "DROP all -- %63s 0.0.0.0/0", addr)) {
eprintf("ERROR: scanning pattern");
continue;
}
MAP_addStrKey(&S.addr_map, addr, (void*)-1);
}
ez_pclose(fh);
fh= ez_popen(IP6TABLES " -nL INPUT 2>/dev/null", "r");
for(unsigned i= 0; ez_fgets(lbuf, sizeof(lbuf)-1, fh); ++i) {
if(0 == i || 1 == i) continue;
// DROP all 2607:5300:60:653b:: ::/0
if(1 != sscanf(lbuf, "DROP all %63s ::/0", addr)) {
eprintf("ERROR: scanning pattern");
continue;
}
MAP_addStrKey(&S.addr_map, addr, (void*)-1); MAP_addStrKey(&S.addr_map, addr, (void*)-1);
} }
ez_pclose(fh); ez_pclose(fh);
@ -75,6 +91,25 @@ IPTABLES_is_currently_blocked(const char *addr)
return 0; return 0;
} }
static int
addrCmp_pvsort(const void *const* pp1, const void *const* pp2)
/**************************************************************
* PTRVEC_sort() comparison function for addresses, puts
* ipv6 at the bottom.
*/
{
const char *addr1= *((const char*const*)pp1),
*addr2= *((const char*const*)pp2);
if(strchr(addr2, ':')) {
if(!strchr(addr1, ':')) return -1;
} else {
if(strchr(addr1, ':')) return 1;
}
return 0;
}
static int static int
_control_addresses(int cmdFlag, PTRVEC *h_vec, unsigned batch_sz) _control_addresses(int cmdFlag, PTRVEC *h_vec, unsigned batch_sz)
/************************************************************** /**************************************************************
@ -94,15 +129,56 @@ _control_addresses(int cmdFlag, PTRVEC *h_vec, unsigned batch_sz)
const char *addr; const char *addr;
/* Work through addresses in the vector */ /* Put any ipv6 addresses at end */
while((addr= PTRVEC_remHead(h_vec))) { PTRVEC_sort(h_vec, addrCmp_pvsort);
/* Work through ipv4 addresses in the vector */
while((addr= PTRVEC_remHead(h_vec)) &&
!strchr(addr, ':'))
{
/* Initialize / reset string buffer */ /* Initialize / reset string buffer */
STR_sinit(&cmd_sb, 256+batch_sz*42); STR_sinit(&cmd_sb, 256+batch_sz*42);
/* Beginning of command string, with first source address */ /* Beginning of command string, with first source address */
STR_sprintf(&cmd_sb, IPTABLES " 2>&1 -%c INPUT -s %s", cmdFlag, addr); STR_sprintf(&cmd_sb, IPTABLES " 2>&1 -%c INPUT -s %s", cmdFlag, addr);
/* Append additional source addresses */
unsigned i= 1;
while(i < batch_sz &&
(addr= PTRVEC_remHead(h_vec)) &&
!strchr(addr, ':'))
{
/* employ multiple source addresses for batching */
STR_sprintf(&cmd_sb, ",%s", addr);
++i;
}
/* Put the end of the command in place */
STR_sprintf(&cmd_sb, " -j DROP");
/* Run iptables */
FILE *fh= ez_popen(STR_str(&cmd_sb), "r");
/* Display any output from iptables */
static char lbuf[1024];
while(ez_fgets(lbuf, sizeof(lbuf), fh))
ez_fprintf(stderr, "NOTE: iptables output: %s", lbuf);
/* All done */
ez_pclose(fh);
/* If the last address pulled was ipv6, move on */
if(addr && strchr(addr, ':')) break;
}
/* Work through ipv6 addresses in the vector */
for( ; addr; (addr= PTRVEC_remHead(h_vec))) {
/* Initialize / reset string buffer */
STR_sinit(&cmd_sb, 256+batch_sz*42);
/* Beginning of command string, with first source address */
STR_sprintf(&cmd_sb, IP6TABLES " 2>&1 -%c INPUT -s %s", cmdFlag, addr);
/* Append additional source addresses */ /* Append additional source addresses */
unsigned i= 1; unsigned i= 1;
while(i < batch_sz && (addr= PTRVEC_remHead(h_vec))) { while(i < batch_sz && (addr= PTRVEC_remHead(h_vec))) {
@ -120,7 +196,7 @@ _control_addresses(int cmdFlag, PTRVEC *h_vec, unsigned batch_sz)
/* Display any output from iptables */ /* Display any output from iptables */
static char lbuf[1024]; static char lbuf[1024];
while(ez_fgets(lbuf, sizeof(lbuf), fh)) while(ez_fgets(lbuf, sizeof(lbuf), fh))
ez_fprintf(stderr, "NOTE: iptables output: %s", lbuf); ez_fprintf(stderr, "NOTE: ip6tables output: %s", lbuf);
/* All done */ /* All done */
ez_pclose(fh); ez_pclose(fh);