author | David Sommerseth <dazo@users.sourceforge.net> | 2008-11-05 16:35:33 +0100 |
---|---|---|
committer | David Sommerseth <dazo@users.sourceforge.net> | 2008-11-05 16:35:33 +0100 |
commit | cf5d35553be9269587261866e8b21904d2840857 (patch) | |
tree | 37e1f306d3fedaaeb165c40fc4b0618e0df5722b /plugin | |
parent | e1d6d2f011b0a3b95517597a1e37f32445506251 (diff) | |
FEATURE: Enhanced firewall blacklisting to make it more flexible
It will now support the config option 'firewall_blacklist_send_to'. If set,
it will send all blacklisted IP addresses to this chain (iptables -j).
If this option is not set, it will default to DROP.
Diffstat (limited to 'plugin')
-rw-r--r-- | plugin/eurephia_struct.h | 1 | ||||
-rw-r--r-- | plugin/firewall/eurephiafw.c | 14 | ||||
-rw-r--r-- | plugin/firewall/iptables/efw_iptables.c | 16 |
3 files changed, 28 insertions, 3 deletions
diff --git a/plugin/eurephia_struct.h b/plugin/eurephia_struct.h
index 9fea9ca..3a23459 100644
--- a/plugin/eurephia_struct.h
+++ b/plugin/eurephia_struct.h
@@ -80,6 +80,7 @@ typedef struct {
 // Where to update firewall if we block blackisted
 // IP addr in firewall too
 char *fwblacklist;
+ char *fwblacklist_sendto;
 eurephiaVALUES *blacklisted; // Contains all IP addresses we have blacklisted
 } eurephiaFWINTF;
diff --git a/plugin/firewall/eurephiafw.c b/plugin/firewall/eurephiafw.c
index fd3aa5e..1aba1c7 100644
--- a/plugin/firewall/eurephiafw.c
+++ b/plugin/firewall/eurephiafw.c
@@ -142,6 +142,16 @@ void eFW_StartFirewall(eurephiaCTX *ctx) {
 // Create value space for blacklisted IP addresses
 ctx->fwcfg->blacklisted = eCreate_value_space(ctx, 20);
+
+ // Setup where to send the blacklisted IP addresses - default is to drop them.
+ ctx->fwcfg->fwblacklist_sendto = eGet_value(ctx->dbc->config, "firewall_blacklist_send_to");
+ if( ctx->fwcfg->fwblacklist_sendto == NULL ) {
+ ctx->fwcfg->fwblacklist_sendto = strdup("DROP\0");
+ eurephia_log(ctx, LOG_INFO, 2,"Blacklisted IP addresses will be dropped immediately");
+ } else {
+ eurephia_log(ctx, LOG_INFO, 2,"Blacklisted IP addresses will be sent to '%s'",
+ ctx->fwcfg->fwblacklist_sendto);
+ }
 }
 eurephia_log(ctx, LOG_INFO, 3, "Starting eurephia firewall interface");
@@ -297,6 +307,8 @@ void eFW_StopFirewall(eurephiaCTX *ctx) {
 // Send acknowledge back
 sem_post(ctx->fwcfg->thrdata.semp_master);
+ // Clean up and exit
+ free_nullsafe(ctx->fwcfg->fwblacklist_sendto);
 eFree_values(ctx, ctx->fwcfg->blacklisted);
 free_nullsafe((*ctx->fwcfg).thrdata.fw_command);
 free_nullsafe(ctx->fwcfg);
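Review bot: Ownership of fwblacklist_sendto is inconsistent between the two branches added to eFW_StartFirewall: the NULL branch stores a strdup'ed string, the configured branch stores the pointer returned by eGet_value(ctx->dbc->config, ...), and the eFW_StopFirewall hunk then free_nullsafe()s it unconditionally. Unless eGet_value returns a heap copy the caller owns (not visible here), that free releases memory belonging to the config value space whenever the option is set, which becomes an invalid or double free when the config is torn down. Making both branches own their string removes the ambiguity, e.g. `const char *sendto = eGet_value(ctx->dbc->config, "firewall_blacklist_send_to");` followed by `ctx->fwcfg->fwblacklist_sendto = strdup(sendto ? sendto : "DROP");`, or, if eGet_value hands out borrowed pointers, free only in the strdup case. Since the value is later embedded as a space-delimited field in the "B ..." queue message and handed to iptables as an argv entry, it should also be rejected at load time if it contains whitespace or exceeds the length iptables accepts for a chain name. The block enclosing the new code (closed by the `}` before the "Starting eurephia firewall interface" log) opens outside the hunk, so fwblacklist_sendto stays NULL whenever that block is skipped.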
@@ -337,7 +349,7 @@ int eFW_UpdateFirewall(eurephiaCTX *ctx, int mode,
 // Check if IP address is already registered as blacklisted
 if( (blchk = eGet_value(ctx->fwcfg->blacklisted, addr)) == NULL ) {
- snprintf(buf, 1024, "B %s %s", addr, fwdest);
+ snprintf(buf, 1024, "B %s %s %s", addr, fwdest, ctx->fwcfg->fwblacklist_sendto);
 mq_send((*ctx->fwcfg).thrdata.msgq, buf, strlen(buf)+1, 1);
 eAdd_value(ctx, ctx->fwcfg->blacklisted, addr, fwdest);
 } else {
diff --git a/plugin/firewall/iptables/efw_iptables.c b/plugin/firewall/iptables/efw_iptables.c
index f238222..a0807f9 100644
--- a/plugin/firewall/iptables/efw_iptables.c
+++ b/plugin/firewall/iptables/efw_iptables.c
@@ -201,16 +201,28 @@ int process_input(eurephiaCTX *ctx, const char *fwcmd, const char *input) {
 *destchain = 0; // end of string for IP address
 destchain++; // start of string for destchain
+ // Search for end of destchain and NULL terminate it
+ jump = destchain+1;
+ while( (*jump != 0x20) || (*jump == 0) ) {
+ jump++;
+ }
+ *jump = 0; // end of string for destchain
+ jump++; // start of string for jump
+ if( *jump == 0 ) {
+ return 0;
+ }
+
 iptables_args[1] = "-A\0";
 iptables_args[2] = destchain;
 iptables_args[3] = "-s\0";
 iptables_args[4] = addr;
 iptables_args[5] = "-j\0";
- iptables_args[6] = "DROP\0";
+ iptables_args[6] = jump;
 iptables_args[7] = NULL;
 eurephia_log(ctx, LOG_INFO, 3, "eFW_RunFirewall - updating iptables rules "
- "==> mode: BLACKLIST destchain: '%s' IP address: %s", destchain, addr);
+ "==> mode: BLACKLIST destchain: '%s' IP address: %s Send to: '%s'",
+ destchain, addr, jump);
 ret = call_iptables(ctx, fwcmd, iptables_args);
 break;
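Review bot: The new third `%s` argument, ctx->fwcfg->fwblacklist_sendto, reaches snprintf without a NULL check; it is only assigned inside a block of eFW_StartFirewall whose condition is outside that hunk, so if this path can run with that block skipped the format call is undefined behaviour. A local guard such as `const char *sendto = ctx->fwcfg->fwblacklist_sendto ? ctx->fwcfg->fwblacklist_sendto : "DROP";` used in place of the raw field keeps the message well-formed. The snprintf return value is still not compared against the 1024-byte buffer, and because the receiver splits the message on spaces, a configured chain name containing one would be silently cut at the consuming end. eFW_UpdateFirewall begins and ends outside the hunk.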
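Review bot: The loop condition `while( (*jump != 0x20) || (*jump == 0) )` in process_input never stops at the NUL terminator: `*jump == 0` already satisfies `*jump != 0x20`, so the loop exits only on a space and runs past the end of the message whenever no fourth field is present (for example a message from an older sender or a truncated one), after which `*jump = 0` writes out of bounds. The scan should stop on either space or NUL and return before writing if it reached NUL; `jump = destchain+1` also skips the first character of destchain, which mis-parses a one-character chain name, so the scan should start at destchain itself. The argv and log changes are fine once `jump` is guaranteed to be a non-empty, terminated string. process_input begins and ends outside the hunk.
```c
        // Search for end of destchain and NULL terminate it
        jump = destchain;
        while( (*jump != 0x20) && (*jump != 0) ) {
                jump++;
        }
        if( *jump == 0 ) {
                return 0;   // message carries no "send to" field
        }
        *jump = 0;  // end of string for destchain
        jump++;     // start of string for jump
        if( *jump == 0 ) {
                return 0;
        }
        // … unchanged: iptables_args setup, eurephia_log, call_iptables …
```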