iptables max addresses per command workaround.
This commit is contained in:
parent
7826601e01
commit
af57115d23
|
@ -92,7 +92,7 @@ struct Global G= {
|
||||||
.version= {
|
.version= {
|
||||||
.major= 0,
|
.major= 0,
|
||||||
.minor= 14,
|
.minor= 14,
|
||||||
.patch= 3
|
.patch= 4
|
||||||
},
|
},
|
||||||
|
|
||||||
.bitTuples.flags= GlobalFlagBitTuples
|
.bitTuples.flags= GlobalFlagBitTuples
|
||||||
|
|
115
iptables.c
115
iptables.c
|
@ -27,10 +27,17 @@
|
||||||
#include "ban2fail.h"
|
#include "ban2fail.h"
|
||||||
#include "ez_libc.h"
|
#include "ez_libc.h"
|
||||||
#include "iptables.h"
|
#include "iptables.h"
|
||||||
#include "offEntry.h"
|
#include "limits.h"
|
||||||
#include "map.h"
|
#include "map.h"
|
||||||
|
#include "offEntry.h"
|
||||||
#include "util.h"
|
#include "util.h"
|
||||||
|
|
||||||
|
/* JDR Fri 26 Feb 2021 09:37:59 AM EST
|
||||||
|
* it appears that iptables has a limit on how many
|
||||||
|
* addresses it will handle in a single command.
|
||||||
|
*/
|
||||||
|
#define IPTABLES_MAX_ADDR 9000
|
||||||
|
|
||||||
static struct {
|
static struct {
|
||||||
|
|
||||||
int is_init;
|
int is_init;
|
||||||
|
@ -255,36 +262,56 @@ _control_addresses(const char *cmdFlag, PTRVEC *h_vec)
|
||||||
argv[1]= cmdFlag;
|
argv[1]= cmdFlag;
|
||||||
argv[2]= "INPUT";
|
argv[2]= "INPUT";
|
||||||
argv[3]= "-s";
|
argv[3]= "-s";
|
||||||
|
/* argv[4] supplied below */
|
||||||
|
argv[5]= "-j";
|
||||||
|
argv[6]= "DROP";
|
||||||
|
|
||||||
const char *addr;
|
const char *addr= NULL;
|
||||||
|
|
||||||
/* Move any ipv6 addresses to the end */
|
/* Move any ipv6 addresses to the end */
|
||||||
PTRVEC_sort(h_vec, addrCmp_pvsort);
|
PTRVEC_sort(h_vec, addrCmp_pvsort);
|
||||||
|
|
||||||
{ /* Place comma separated address list into single string buffer */
|
{ /* Place comma separated address list into single string buffer */
|
||||||
unsigned i;
|
const char *colon=NULL;
|
||||||
for(i= 0;
|
unsigned naddr= 0;
|
||||||
(addr= PTRVEC_remHead(h_vec)) && !strchr(addr, ':');
|
|
||||||
++i)
|
|
||||||
{
|
|
||||||
/* Need comma after 1st address */
|
|
||||||
if(i)
|
|
||||||
STR_append(&addr_sb, ",", 1);
|
|
||||||
|
|
||||||
/* Put address in place */
|
do {
|
||||||
STR_append(&addr_sb, addr, -1);
|
|
||||||
|
|
||||||
}
|
addr= PTRVEC_remHead(h_vec);
|
||||||
// Place string buffer in argv
|
if(addr)
|
||||||
argv[4]= STR_str(&addr_sb);
|
colon= strchr(addr, ':');
|
||||||
argv[5]= "-j";
|
|
||||||
argv[6]= "DROP";
|
|
||||||
|
|
||||||
// Run iptables
|
/* We have an ipv4 address */
|
||||||
if(i && run_command(argv)) {
|
if(addr && !colon) {
|
||||||
eprintf("ERROR: run_command() failed.");
|
|
||||||
goto abort;
|
/* Need comma after 1st address */
|
||||||
}
|
if(naddr)
|
||||||
|
STR_append(&addr_sb, ",", 1);
|
||||||
|
|
||||||
|
/* Put address in buffer */
|
||||||
|
STR_append(&addr_sb, addr, -1);
|
||||||
|
|
||||||
|
/* Note we will use this address */
|
||||||
|
++naddr;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Keep adding addresses until we bump up against iptables maximum,
|
||||||
|
* or run out of ipv4 addresses
|
||||||
|
*/
|
||||||
|
if(!naddr || (naddr < IPTABLES_MAX_ADDR && !colon))
|
||||||
|
continue;
|
||||||
|
|
||||||
|
// Place string buffer in argv
|
||||||
|
argv[4]= STR_str(&addr_sb);
|
||||||
|
if(run_command(argv)) {
|
||||||
|
eprintf("ERROR: run_command() failed.");
|
||||||
|
goto abort;
|
||||||
|
}
|
||||||
|
/* Reset for next command */
|
||||||
|
naddr= 0;
|
||||||
|
STR_reset(&addr_sb);
|
||||||
|
|
||||||
|
} while(addr && !colon);
|
||||||
}
|
}
|
||||||
|
|
||||||
/**************************************************************************/
|
/**************************************************************************/
|
||||||
|
@ -295,28 +322,40 @@ _control_addresses(const char *cmdFlag, PTRVEC *h_vec)
|
||||||
argv[0]= IP6TABLES;
|
argv[0]= IP6TABLES;
|
||||||
// Load up ipv6 addresses in string buffer
|
// Load up ipv6 addresses in string buffer
|
||||||
STR_reset(&addr_sb);
|
STR_reset(&addr_sb);
|
||||||
|
|
||||||
|
unsigned naddr= 0;
|
||||||
|
|
||||||
/* Work through ipv6 addresses in the vector */
|
do { /* Work through ipv6 addresses in the vector */
|
||||||
unsigned i;
|
|
||||||
for(i= 0 ; addr; (addr= PTRVEC_remHead(h_vec)), ++i) {
|
|
||||||
|
|
||||||
/* Need comma after 1st address */
|
addr= PTRVEC_remHead(h_vec);
|
||||||
if(i)
|
|
||||||
STR_append(&addr_sb, ",", 1);
|
|
||||||
|
|
||||||
/* Put address in place */
|
if(addr) {
|
||||||
STR_append(&addr_sb, addr, -1);
|
/* Need comma after 1st address */
|
||||||
|
if(naddr)
|
||||||
|
STR_append(&addr_sb, ",", 1);
|
||||||
|
|
||||||
}
|
/* Put address in place */
|
||||||
|
STR_append(&addr_sb, addr, -1);
|
||||||
|
}
|
||||||
|
|
||||||
// Address list is the only thing that changed
|
/* Keep adding addresses until we bump up against iptables maximum,
|
||||||
argv[4]= STR_str(&addr_sb);
|
* or run out of ipv4 addresses
|
||||||
|
*/
|
||||||
|
if(!naddr || (naddr < IPTABLES_MAX_ADDR && addr))
|
||||||
|
continue;
|
||||||
|
|
||||||
// Run iptables
|
// Place string buffer in argv
|
||||||
if(i && run_command(argv)) {
|
argv[4]= STR_str(&addr_sb);
|
||||||
eprintf("ERROR: run_command() failed.");
|
if(run_command(argv)) {
|
||||||
goto abort;
|
eprintf("ERROR: run_command() failed.");
|
||||||
}
|
goto abort;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Reset for next command */
|
||||||
|
naddr= 0;
|
||||||
|
STR_reset(&addr_sb);
|
||||||
|
|
||||||
|
} while(addr);
|
||||||
}
|
}
|
||||||
|
|
||||||
rtn= 0;
|
rtn= 0;
|
||||||
|
|
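Review bot: In the ip6tables loop (third hunk) `naddr` is never incremented inside the `if(addr)` block, so `!naddr` stays true, the `continue` is always taken, and `run_command()` is never reached for ipv6 — the addresses are also appended without the comma separator. The loop additionally calls `PTRVEC_remHead()` before looking at `addr`, which on entry still appears to hold the ipv6 entry that terminated the ipv4 loop (the removed `for(i= 0 ; addr; ...)` consumed it first), so that first address would be silently dropped unless it is re-queued in the lines between the two hunks. One fix that keeps the do/while shape is to consume `addr` first, bump `naddr`, and fetch the next entry at the end of the block, as below; the `run_command()`/reset tail of the loop is unchanged and the enclosing function starts and ends outside the hunk. The copied comment `or run out of ipv4 addresses` in this loop should say ipv6.
```c
   do { /* Work through ipv6 addresses in the vector */

      /* addr still holds the first ipv6 entry pulled by the ipv4 loop
       * (NULL if there were none), so consume it before fetching more.
       */
      if(addr) {
         /* Need comma after 1st address */
         if(naddr)
            STR_append(&addr_sb, ",", 1);

         /* Put address in place */
         STR_append(&addr_sb, addr, -1);

         /* Note we will use this address */
         ++naddr;

         /* Fetch the next one so we know whether to flush now */
         addr= PTRVEC_remHead(h_vec);
      }

      /* Keep adding addresses until we bump up against iptables maximum,
       * or run out of ipv6 addresses; nothing to run if the buffer is empty.
       */
      if(!naddr || (naddr < IPTABLES_MAX_ADDR && addr))
         continue;

      // Place string buffer in argv
      argv[4]= STR_str(&addr_sb);
      /* … unchanged: run_command() call, error check, reset of naddr and addr_sb … */

   } while(addr);
```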