authorDavid Sommerseth <dazo@users.sourceforge.net>2008-11-05 16:35:33 +0100
committerDavid Sommerseth <dazo@users.sourceforge.net>2008-11-05 16:35:33 +0100
commitcf5d35553be9269587261866e8b21904d2840857 (patch)
tree37e1f306d3fedaaeb165c40fc4b0618e0df5722b /plugin
parente1d6d2f011b0a3b95517597a1e37f32445506251 (diff)
FEATURE: Enhanced firewall blacklisting to make it more flexible
It now supports the config option 'firewall_blacklist_send_to'. If set, all blacklisted IP addresses will be sent to this chain (iptables -j). If this option is not set, it defaults to DROP.
Diffstat (limited to 'plugin')
-rw-r--r--plugin/eurephia_struct.h1
-rw-r--r--plugin/firewall/eurephiafw.c14
-rw-r--r--plugin/firewall/iptables/efw_iptables.c16
3 files changed, 28 insertions, 3 deletions
diff --git a/plugin/eurephia_struct.h b/plugin/eurephia_struct.h
index 9fea9ca..3a23459 100644
--- a/plugin/eurephia_struct.h
+++ b/plugin/eurephia_struct.h
@@ -80,6 +80,7 @@ typedef struct {
// Where to update firewall if we block blackisted
// IP addr in firewall too
char *fwblacklist;
+ char *fwblacklist_sendto;
eurephiaVALUES *blacklisted; // Contains all IP addresses we have blacklisted
} eurephiaFWINTF;
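Review bot: The new `fwblacklist_sendto` member is the only one in this part of the struct without a comment, while `fwblacklist` and `blacklisted` both have one. Since it carries an iptables target name taken from configuration, a reader of the header cannot tell what it holds or who frees it; suggest `char *fwblacklist_sendto;  // iptables target (-j) for blacklisted addresses; "DROP" if firewall_blacklist_send_to is unset`.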
diff --git a/plugin/firewall/eurephiafw.c b/plugin/firewall/eurephiafw.c
index fd3aa5e..1aba1c7 100644
--- a/plugin/firewall/eurephiafw.c
+++ b/plugin/firewall/eurephiafw.c
@@ -142,6 +142,16 @@ void eFW_StartFirewall(eurephiaCTX *ctx) {
// Create value space for blacklisted IP addresses
ctx->fwcfg->blacklisted = eCreate_value_space(ctx, 20);
+
+ // Setup where to send the blacklisted IP addresses - default is to drop them.
+ ctx->fwcfg->fwblacklist_sendto = eGet_value(ctx->dbc->config, "firewall_blacklist_send_to");
+ if( ctx->fwcfg->fwblacklist_sendto == NULL ) {
+ ctx->fwcfg->fwblacklist_sendto = strdup("DROP\0");
+ eurephia_log(ctx, LOG_INFO, 2,"Blacklisted IP addresses will be dropped immediately");
+ } else {
+ eurephia_log(ctx, LOG_INFO, 2,"Blacklisted IP addresses will be sent to '%s'",
+ ctx->fwcfg->fwblacklist_sendto);
+ }
}
eurephia_log(ctx, LOG_INFO, 3, "Starting eurephia firewall interface");
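Review bot: The assignment from `eGet_value(ctx->dbc->config, ...)` and the later `free_nullsafe(ctx->fwcfg->fwblacklist_sendto)` in the eFW_StopFirewall hunk give the pointer two different owners depending on the branch taken: the configured value is used as returned, the default is a fresh `strdup`. If `eGet_value` returns a pointer into the value space rather than a copy (its use as a presence test on `ctx->fwcfg->blacklisted` in eFW_UpdateFirewall suggests it does), StopFirewall frees memory owned by `ctx->dbc->config` whenever the option is set. Copying in both cases makes ownership uniform: `const char *sendto = eGet_value(ctx->dbc->config, "firewall_blacklist_send_to");` followed by `ctx->fwcfg->fwblacklist_sendto = strdup(sendto ? sendto : "DROP");`, keeping the two log calls as they are; the `\0` inside `"DROP\0"` is redundant since a string literal is already NUL-terminated. The `strdup` result is also not checked, and a NULL here reaches the `%s` in the eFW_UpdateFirewall `snprintf`. eFW_StartFirewall continues outside the hunk.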
@@ -297,6 +307,8 @@ void eFW_StopFirewall(eurephiaCTX *ctx) {
// Send acknowledge back
sem_post(ctx->fwcfg->thrdata.semp_master);
+ // Clean up and exit
+ free_nullsafe(ctx->fwcfg->fwblacklist_sendto);
eFree_values(ctx, ctx->fwcfg->blacklisted);
free_nullsafe((*ctx->fwcfg).thrdata.fw_command);
free_nullsafe(ctx->fwcfg);
@@ -337,7 +349,7 @@ int eFW_UpdateFirewall(eurephiaCTX *ctx, int mode,
// Check if IP address is already registered as blacklisted
if( (blchk = eGet_value(ctx->fwcfg->blacklisted, addr)) == NULL ) {
- snprintf(buf, 1024, "B %s %s", addr, fwdest);
+ snprintf(buf, 1024, "B %s %s %s", addr, fwdest, ctx->fwcfg->fwblacklist_sendto);
mq_send((*ctx->fwcfg).thrdata.msgq, buf, strlen(buf)+1, 1);
eAdd_value(ctx, ctx->fwcfg->blacklisted, addr, fwdest);
} else {
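Review bot: The configured target is appended to the `"B %s %s %s"` message without any check that it is a single whitespace-free token, yet the consumer in process_input (efw_iptables.c hunk of this commit) recovers it by scanning for the next space, so a value such as `"LOG --log-prefix x"` would be split and a truncated chain name passed to `-j`. Validating once at load time, e.g. rejecting a value for which `strpbrk(sendto, " \t\n") != NULL`, keeps the message format and the parser in agreement. The scan loop in that consumer hunk also appears to never stop at the string terminator, since its condition ORs the `*jump == 0` test instead of ANDing it, so any message with a missing third field would be read past its end; that should be `while (*jump != 0x20 && *jump != 0)`. Checking the `snprintf` return value against the buffer size before `mq_send` would likewise avoid sending a silently truncated message. eFW_UpdateFirewall begins outside the hunk.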
diff --git a/plugin/firewall/iptables/efw_iptables.c b/plugin/firewall/iptables/efw_iptables.c
index f238222..a0807f9 100644
--- a/plugin/firewall/iptables/efw_iptables.c
+++ b/plugin/firewall/iptables/efw_iptables.c
@@ -201,16 +201,28 @@ int process_input(eurephiaCTX *ctx, const char *fwcmd, const char *input) {
*destchain = 0; // end of string for IP address
destchain++; // start of string for destchain
+ // Search for end of destchain and NULL terminate it
+ jump = destchain+1;
+ while( (*jump != 0x20) || (*jump == 0) ) {
+ jump++;
+ }
+ *jump = 0; // end of string for destchain
+ jump++; // start of string for jump
+ if( *jump == 0 ) {
+ return 0;
+ }
+
iptables_args[1] = "-A\0";
iptables_args[2] = destchain;
iptables_args[3] = "-s\0";
iptables_args[4] = addr;
iptables_args[5] = "-j\0";
- iptables_args[6] = "DROP\0";
+ iptables_args[6] = jump;
iptables_args[7] = NULL;
eurephia_log(ctx, LOG_INFO, 3, "eFW_RunFirewall - updating iptables rules "
- "==> mode: BLACKLIST destchain: '%s' IP address: %s", destchain, addr);
+ "==> mode: BLACKLIST destchain: '%s' IP address: %s Send to: '%s'",
+ destchain, addr, jump);
ret = call_iptables(ctx, fwcmd, iptables_args);
break;