Fixed bug not accounting for unjustly blocked addr

2019-11-26 06:42:23 -05:00 · 2019-11-26 06:42:23 -05:00 · c478c48d66
parent dd7575aee5
commit c478c48d66
4 changed files with 64 additions and 9 deletions
--- a/ban2fail.c
+++ b/ban2fail.c
@ -86,7 +86,7 @@ struct Global G= {
   .version= {
      .major= 0,
      .minor= 10,
-      .patch= 1
+      .patch= 2
   }
 };

@ -336,6 +336,11 @@ main(int argc, char **argv)

      /* List by address. Make a addr_map of LOGENTRY objects with composite counts */
      MAP_visitAllEntries(&G.logType_map, (int(*)(void*,void*))LOGTYPE_map_addr, &S.addr_map);
+
+      /* Augment list of all blocked IP's by those which currently have not match in the log files */
+      IPTABLES_fill_in_missing(&S.addr_map);
+
+      /* Count up total */
      unsigned nItems= MAP_numItems(&S.addr_map);

      {
@ -357,15 +362,16 @@ main(int argc, char **argv)
             if(-1 == nAllowed)
                flags |= WHITELIST_FLG;

-             if((-1 == nAllowed || e->count <= nAllowed) &&
-                (flags & BLOCKED_FLG)) {
+             if((flags & WHITELIST_FLG || e->count <= nAllowed) &&
+                (flags & BLOCKED_FLG))
+             {

                  flags |= UNJUST_BLOCK_FLG;
                  PTRVEC_addTail(&S.toUnblock_vec, e->addr);
             }

             if(!(flags & BLOCKED_FLG) &&
-                -1 != nAllowed &&
+                !(flags & WHITELIST_FLG) &&
                e->count > nAllowed)
             {

--- a/ban2fail.h
+++ b/ban2fail.h
@ -33,7 +33,7 @@
 * work with a much larger number.  The command line maximum
 * is something like 200K characters.
 */
-#define IPTABLES_BATCH_SZ 10
+#define IPTABLES_BATCH_SZ 100

 /* Where to find stuff */
 #define CONFIGFILE "/etc/ban2fail/ban2fail.cfg"
--- a/iptables.c
+++ b/iptables.c
@ -17,6 +17,7 @@
 *   59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.             *
 ***************************************************************************/
 #include <assert.h>
+#include <stdlib.h>
 #include <string.h>
 #include <sys/types.h>
 #include <unistd.h>
@ -24,6 +25,7 @@
 #include "ban2fail.h"
 #include "ez_stdio.h"
 #include "iptables.h"
+#include "logEntry.h"
 #include "map.h"
 #include "util.h"

@ -47,18 +49,20 @@ initialize (void)
   static char lbuf[1024];
   static char addr[64];
   FILE *fh= ez_popen(IPTABLES " -nL INPUT 2>/dev/null", "r");
-   for(unsigned i= 0; ez_fgets(lbuf, sizeof(lbuf)-1, fh); ++i) {
+
+   unsigned i;
+   for(i= 0; ez_fgets(lbuf, sizeof(lbuf)-1, fh); ++i) {
      if(0 == i || 1 == i) continue;
      if(1 != sscanf(lbuf, "DROP all -- %63s 0.0.0.0/0", addr)) {
         eprintf("ERROR: scanning pattern");
         continue;
      }
-      MAP_addStrKey(&S.addr_map, addr, (void*)-1);
+      MAP_addStrKey(&S.addr_map, addr, strdup(addr));
   }
   ez_pclose(fh);

   fh= ez_popen(IP6TABLES " -nL INPUT 2>/dev/null", "r");
-   for(unsigned i= 0; ez_fgets(lbuf, sizeof(lbuf)-1, fh); ++i) {
+   for(i= 0; ez_fgets(lbuf, sizeof(lbuf)-1, fh); ++i) {
      if(0 == i || 1 == i) continue;

 // DROP       all      2607:5300:60:653b::  ::/0
@ -66,7 +70,7 @@ initialize (void)
         eprintf("ERROR: scanning pattern");
         continue;
      }
-      MAP_addStrKey(&S.addr_map, addr, (void*)-1);
+      MAP_addStrKey(&S.addr_map, addr, strdup(addr));
   }
   ez_pclose(fh);

@ -233,3 +237,43 @@ IPTABLES_unblock_addresses(PTRVEC *h_vec, unsigned batch_sz)
   return _control_addresses('D', h_vec, batch_sz);

 }
+
+static int
+fill_in_missing(char *blocked_addr, MAP *h_rtn_map)
+/**************************************************************
+ * If blocked_addr is not in h_rtn_map, create an object and
+ * place it their.
+ */
+{
+   if( MAP_findStrItem(h_rtn_map, blocked_addr)) return 0;
+
+   /* Create a new faux logentry object */
+   LOGENTRY *e;
+   LOGENTRY_addr_create(e, blocked_addr);
+   assert(e);
+
+   /* Place in the return map */
+   MAP_addStrKey(h_rtn_map, blocked_addr, e);
+
+   return 0;
+}
+
+int
+IPTABLES_fill_in_missing(MAP *h_rtn_map)
+/**************************************************************
+ * Fill in all blocked IP's which are not already in *h_map.
+ */
+{
+   if(!S.is_init)
+      initialize();
+
+   int rtn= -1;
+
+   MAP_visitAllEntries(&S.addr_map, (int(*)(void*,void*))fill_in_missing, h_rtn_map);
+
+
+
+   rtn= 0;
+abort:
+   return rtn;
+}
--- a/iptables.h
+++ b/iptables.h
@ -48,6 +48,11 @@ IPTABLES_unblock_addresses(PTRVEC *h_vec, unsigned batch_sz);
 * Unblock addresses in batches of batch_sz.
 */

+int
+IPTABLES_fill_in_missing(MAP *h_rtn_map);
+/**************************************************************
+ * Fill in all blocked IP's which are not already in *h_map.
+ */

 #ifdef __cplusplus
 }