Fixed bug not accounting for unjustly blocked addr
This commit is contained in:
parent
dd7575aee5
commit
c478c48d66
14
ban2fail.c
14
ban2fail.c
@ -86,7 +86,7 @@ struct Global G= {
|
|||||||
.version= {
|
.version= {
|
||||||
.major= 0,
|
.major= 0,
|
||||||
.minor= 10,
|
.minor= 10,
|
||||||
.patch= 1
|
.patch= 2
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -336,6 +336,11 @@ main(int argc, char **argv)
|
|||||||
|
|
||||||
/* List by address. Make a addr_map of LOGENTRY objects with composite counts */
|
/* List by address. Make a addr_map of LOGENTRY objects with composite counts */
|
||||||
MAP_visitAllEntries(&G.logType_map, (int(*)(void*,void*))LOGTYPE_map_addr, &S.addr_map);
|
MAP_visitAllEntries(&G.logType_map, (int(*)(void*,void*))LOGTYPE_map_addr, &S.addr_map);
|
||||||
|
|
||||||
|
/* Augment list of all blocked IP's by those which currently have not match in the log files */
|
||||||
|
IPTABLES_fill_in_missing(&S.addr_map);
|
||||||
|
|
||||||
|
/* Count up total */
|
||||||
unsigned nItems= MAP_numItems(&S.addr_map);
|
unsigned nItems= MAP_numItems(&S.addr_map);
|
||||||
|
|
||||||
{
|
{
|
||||||
@ -357,15 +362,16 @@ main(int argc, char **argv)
|
|||||||
if(-1 == nAllowed)
|
if(-1 == nAllowed)
|
||||||
flags |= WHITELIST_FLG;
|
flags |= WHITELIST_FLG;
|
||||||
|
|
||||||
if((-1 == nAllowed || e->count <= nAllowed) &&
|
if((flags & WHITELIST_FLG || e->count <= nAllowed) &&
|
||||||
(flags & BLOCKED_FLG)) {
|
(flags & BLOCKED_FLG))
|
||||||
|
{
|
||||||
|
|
||||||
flags |= UNJUST_BLOCK_FLG;
|
flags |= UNJUST_BLOCK_FLG;
|
||||||
PTRVEC_addTail(&S.toUnblock_vec, e->addr);
|
PTRVEC_addTail(&S.toUnblock_vec, e->addr);
|
||||||
}
|
}
|
||||||
|
|
||||||
if(!(flags & BLOCKED_FLG) &&
|
if(!(flags & BLOCKED_FLG) &&
|
||||||
-1 != nAllowed &&
|
!(flags & WHITELIST_FLG) &&
|
||||||
e->count > nAllowed)
|
e->count > nAllowed)
|
||||||
{
|
{
|
||||||
|
|
||||||
|
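Review bot: The call `IPTABLES_fill_in_missing(&S.addr_map);` added in the second hunk discards the function's int result, even though the new iptables.c implementation declares `int rtn= -1;` and an `abort:` exit for a failure path, so an error there would go unnoticed and the per-address loop below would run on a partial map. Checking it, e.g. `if(IPTABLES_fill_in_missing(&S.addr_map)) eprintf("ERROR: IPTABLES_fill_in_missing()");` (assuming eprintf is in scope here as it is in iptables.c), keeps main() honest about the error contract. Separately, the relaxed test `(flags & WHITELIST_FLG || e->count <= nAllowed)` in the third hunk now reaches every address that initialize() scraped from the INPUT chain's DROP rules, including any that this tool did not create; if the faux entries from fill_in_missing start with a zero count, all of those would be queued for unblocking, which deserves a comment stating that policy or an explicit check. A pair of parentheses around `flags & WHITELIST_FLG` would also make the precedence obvious at a glance. main() starts and ends outside these hunks.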
@ -33,7 +33,7 @@
|
|||||||
* work with a much larger number. The command line maximum
|
* work with a much larger number. The command line maximum
|
||||||
* is something like 200K characters.
|
* is something like 200K characters.
|
||||||
*/
|
*/
|
||||||
#define IPTABLES_BATCH_SZ 10
|
#define IPTABLES_BATCH_SZ 100
|
||||||
|
|
||||||
/* Where to find stuff */
|
/* Where to find stuff */
|
||||||
#define CONFIGFILE "/etc/ban2fail/ban2fail.cfg"
|
#define CONFIGFILE "/etc/ban2fail/ban2fail.cfg"
|
||||||
|
52
iptables.c
52
iptables.c
@ -17,6 +17,7 @@
|
|||||||
* 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. *
|
* 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. *
|
||||||
***************************************************************************/
|
***************************************************************************/
|
||||||
#include <assert.h>
|
#include <assert.h>
|
||||||
|
#include <stdlib.h>
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
#include <sys/types.h>
|
#include <sys/types.h>
|
||||||
#include <unistd.h>
|
#include <unistd.h>
|
||||||
@ -24,6 +25,7 @@
|
|||||||
#include "ban2fail.h"
|
#include "ban2fail.h"
|
||||||
#include "ez_stdio.h"
|
#include "ez_stdio.h"
|
||||||
#include "iptables.h"
|
#include "iptables.h"
|
||||||
|
#include "logEntry.h"
|
||||||
#include "map.h"
|
#include "map.h"
|
||||||
#include "util.h"
|
#include "util.h"
|
||||||
|
|
||||||
@ -47,18 +49,20 @@ initialize (void)
|
|||||||
static char lbuf[1024];
|
static char lbuf[1024];
|
||||||
static char addr[64];
|
static char addr[64];
|
||||||
FILE *fh= ez_popen(IPTABLES " -nL INPUT 2>/dev/null", "r");
|
FILE *fh= ez_popen(IPTABLES " -nL INPUT 2>/dev/null", "r");
|
||||||
for(unsigned i= 0; ez_fgets(lbuf, sizeof(lbuf)-1, fh); ++i) {
|
|
||||||
|
unsigned i;
|
||||||
|
for(i= 0; ez_fgets(lbuf, sizeof(lbuf)-1, fh); ++i) {
|
||||||
if(0 == i || 1 == i) continue;
|
if(0 == i || 1 == i) continue;
|
||||||
if(1 != sscanf(lbuf, "DROP all -- %63s 0.0.0.0/0", addr)) {
|
if(1 != sscanf(lbuf, "DROP all -- %63s 0.0.0.0/0", addr)) {
|
||||||
eprintf("ERROR: scanning pattern");
|
eprintf("ERROR: scanning pattern");
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
MAP_addStrKey(&S.addr_map, addr, (void*)-1);
|
MAP_addStrKey(&S.addr_map, addr, strdup(addr));
|
||||||
}
|
}
|
||||||
ez_pclose(fh);
|
ez_pclose(fh);
|
||||||
|
|
||||||
fh= ez_popen(IP6TABLES " -nL INPUT 2>/dev/null", "r");
|
fh= ez_popen(IP6TABLES " -nL INPUT 2>/dev/null", "r");
|
||||||
for(unsigned i= 0; ez_fgets(lbuf, sizeof(lbuf)-1, fh); ++i) {
|
for(i= 0; ez_fgets(lbuf, sizeof(lbuf)-1, fh); ++i) {
|
||||||
if(0 == i || 1 == i) continue;
|
if(0 == i || 1 == i) continue;
|
||||||
|
|
||||||
// DROP all 2607:5300:60:653b:: ::/0
|
// DROP all 2607:5300:60:653b:: ::/0
|
||||||
@ -66,7 +70,7 @@ initialize (void)
|
|||||||
eprintf("ERROR: scanning pattern");
|
eprintf("ERROR: scanning pattern");
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
MAP_addStrKey(&S.addr_map, addr, (void*)-1);
|
MAP_addStrKey(&S.addr_map, addr, strdup(addr));
|
||||||
}
|
}
|
||||||
ez_pclose(fh);
|
ez_pclose(fh);
|
||||||
|
|
||||||
@ -233,3 +237,43 @@ IPTABLES_unblock_addresses(PTRVEC *h_vec, unsigned batch_sz)
|
|||||||
return _control_addresses('D', h_vec, batch_sz);
|
return _control_addresses('D', h_vec, batch_sz);
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static int
|
||||||
|
fill_in_missing(char *blocked_addr, MAP *h_rtn_map)
|
||||||
|
/**************************************************************
|
||||||
|
* If blocked_addr is not in h_rtn_map, create an object and
|
||||||
|
* place it their.
|
||||||
|
*/
|
||||||
|
{
|
||||||
|
if( MAP_findStrItem(h_rtn_map, blocked_addr)) return 0;
|
||||||
|
|
||||||
|
/* Create a new faux logentry object */
|
||||||
|
LOGENTRY *e;
|
||||||
|
LOGENTRY_addr_create(e, blocked_addr);
|
||||||
|
assert(e);
|
||||||
|
|
||||||
|
/* Place in the return map */
|
||||||
|
MAP_addStrKey(h_rtn_map, blocked_addr, e);
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
int
|
||||||
|
IPTABLES_fill_in_missing(MAP *h_rtn_map)
|
||||||
|
/**************************************************************
|
||||||
|
* Fill in all blocked IP's which are not already in *h_map.
|
||||||
|
*/
|
||||||
|
{
|
||||||
|
if(!S.is_init)
|
||||||
|
initialize();
|
||||||
|
|
||||||
|
int rtn= -1;
|
||||||
|
|
||||||
|
MAP_visitAllEntries(&S.addr_map, (int(*)(void*,void*))fill_in_missing, h_rtn_map);
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
rtn= 0;
|
||||||
|
abort:
|
||||||
|
return rtn;
|
||||||
|
}
|
||||||
|
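Review bot: In IPTABLES_fill_in_missing in the last hunk the `abort:` label is never targeted and `rtn` is set to -1 only to be unconditionally overwritten with 0, so the result of `MAP_visitAllEntries(...)` is dropped and the function can never report the failure its -1 initialisation implies; either route that result through the label, `if(MAP_visitAllEntries(&S.addr_map, (int(*)(void*,void*))fill_in_missing, h_rtn_map)) goto abort;` (assuming a non-zero return signals an aborted visit, as the callback's int return suggests), or delete `int rtn= -1;` and the label and simply `return 0;`. Naming a label `abort` in the same change that adds `<stdlib.h>` is legal but confusing; `fail:` would read better. In fill_in_missing, `assert(e)` is the only guard on what LOGENTRY_addr_create produces, and it vanishes under NDEBUG, so a failed allocation would be stored in h_rtn_map as a NULL entry. In initialize() (the third hunk) the two `strdup(addr)` results are likewise stored unchecked, so a NULL value could later be handed to fill_in_missing as blocked_addr; an `if(!dup) { eprintf("ERROR: strdup()"); continue; }` style guard would match the surrounding error handling. The comment `* place it their.` should read `* place it there.`, and both copies of `* Fill in all blocked IP's which are not already in *h_map.` (here and in the iptables.h hunk) should name the actual parameter, `*h_rtn_map`.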
@ -48,6 +48,11 @@ IPTABLES_unblock_addresses(PTRVEC *h_vec, unsigned batch_sz);
|
|||||||
* Unblock addresses in batches of batch_sz.
|
* Unblock addresses in batches of batch_sz.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
int
|
||||||
|
IPTABLES_fill_in_missing(MAP *h_rtn_map);
|
||||||
|
/**************************************************************
|
||||||
|
* Fill in all blocked IP's which are not already in *h_map.
|
||||||
|
*/
|
||||||
|
|
||||||
#ifdef __cplusplus
|
#ifdef __cplusplus
|
||||||
}
|
}
|
||||||
|