Improved iptables output parsing

ban2fail-cron.sh

@@ -12,9 +12,13 @@ TRIES=
 
 for (( TRIES= 0; TRIES < 10; ++TRIES )); do
 
+# cron generates an entry in auth.log when it runs, which means
+# ban2fail.sh will launch ban2fail because of the new log entry.
+# Solution is to pause for a second before running ban2fail here.
+   sleep 1
+
    $BAN2FAIL -s && break
 
-   sleep 1
 
 done
 

ban2fail.c

@@ -95,7 +95,7 @@ struct Global G= {
    .version= {
       .major= 0,
       .minor= 11,
-      .patch= 3
+      .patch= 5
    },
 
    .bitTuples.flags= GlobalFlagBitTuples
@@ -290,7 +290,7 @@ main(int argc, char **argv)
 
    /* Default sending listing to stdout */
    G.listing_fh= stdout;
-
+#ifndef DEBUG
    /* if stdout is a tty, and listing is likely
     * to be long, then use $PAGER.
     */
@@ -298,7 +298,7 @@ main(int argc, char **argv)
       S.flags |= PAGER_RUNNING_FLG;
       G.listing_fh= pager_open();
    }
-
+#endif
    assert(G.listing_fh);
 
 

ban2fail.sh

@@ -4,6 +4,9 @@
 # The purpose of this script is to be run from a systemd service
 # file, or sysvinit script.
 #
+# BE CAREFUL not to monitor the log file to which output from this
+# script gets written - you will have a feedback loop!
+#
 
 BAN2FAIL=/usr/local/bin/ban2fail
 BAN2FAIL_CFG=/etc/ban2fail/ban2fail.cfg

iptables.c

@@ -46,34 +46,55 @@ initialize (void)
 
    MAP_constructor(&S.addr_map, 1000, 200);
 
+   const static struct ipv {
+      const char *cmd,
+                 *pattern;
+   } Ipv[] = {
+      { .cmd= IPTABLES " -nL INPUT 2>/dev/null",
+        .pattern= "DROP[[:space:]]+all[[:space:]]+--[[:space:]]+([0-9.]+)[[:space:]]+0\\.0\\.0\\.0/0"
+      },
+      { .cmd= IP6TABLES " -nL INPUT 2>/dev/null",
+        .pattern= "DROP[[:space:]]+all[[:space:]]+([0-9a-f:]+)[[:space:]]+::/0"
+      },
+      { /* Terminating member */ }
+   };
+
+   for(const struct ipv *ipv= Ipv; ipv->cmd; ++ipv) {
+
       static char lbuf[1024];
-   static char addr[64];
+      static char addr[43];
-   FILE *fh= ez_popen(IPTABLES " -nL INPUT 2>/dev/null", "r");
+      regex_t re;
+      regmatch_t matchArr[2];
+      size_t len;
+      FILE *fh= NULL;
 
-   unsigned i;
+      if(regex_compile(&re, ipv->pattern, REG_EXTENDED)) {   
-   for(i= 0; ez_fgets(lbuf, sizeof(lbuf)-1, fh); ++i) {
+         eprintf("ERROR: regex_compile(\"%s\") failed.", ipv->pattern);
-      if(0 == i || 1 == i) continue;
+         exit(1);
-      if(1 != sscanf(lbuf, "DROP all -- %63s 0.0.0.0/0", addr)) {
-         eprintf("ERROR: scanning pattern");
-         continue;
       }   
+         
+      fh= ez_popen(ipv->cmd, "r");
+
+      while(ez_fgets(lbuf, sizeof(lbuf)-1, fh)) {
+
+         /* Filter all that looks uninteresting */
+         if(regexec(&re, lbuf, 2, matchArr, 0)) continue;
+
+         /* Compute the length needed for the address string */
+         len= matchArr[1].rm_eo -  matchArr[1].rm_so;
+
+         /* Copy address into a null terminated static buffer */
+         strncpy(addr, lbuf + matchArr[1].rm_so, sizeof(addr)-1);
+         addr[len]= '\0';
+
+         if(MAP_findStrItem(&S.addr_map, addr))
+            eprintf("WARNING: duplicate iptable entry for %s", addr);
+         else
             MAP_addStrKey(&S.addr_map, addr, strdup(addr));
       }
       ez_pclose(fh);
-
+      regfree(&re);
-   fh= ez_popen(IP6TABLES " -nL INPUT 2>/dev/null", "r");
-   for(i= 0; ez_fgets(lbuf, sizeof(lbuf)-1, fh); ++i) {
-      if(0 == i || 1 == i) continue;
-
-// DROP       all      2607:5300:60:653b::  ::/0
-      if(1 != sscanf(lbuf, "DROP all %63s ::/0", addr)) {
-         eprintf("ERROR: scanning pattern");
-         continue;
    }
-      MAP_addStrKey(&S.addr_map, addr, strdup(addr));
-   }
-   ez_pclose(fh);
-
 }
 
 int