add ips in chunks to nftables

This commit is contained in:
Paul 2024-01-03 21:44:00 +01:00
parent a60ec90608
commit 1e2f047824


@ -21,7 +21,6 @@ pub fn fwglobalinit<'a>() -> ((Batch, Table), (Batch, Table)) {
macro_rules! initrules { macro_rules! initrules {
($batch:expr, $table:expr, $chain:ident) => { ($batch:expr, $table:expr, $chain:ident) => {
let mut $chain = Chain::new(&CString::new(PKG_NAME).unwrap(), &$table);
$chain.set_hook(nftnl::Hook::In, 1); $chain.set_hook(nftnl::Hook::In, 1);
$chain.set_policy(nftnl::Policy::Accept); $chain.set_policy(nftnl::Policy::Accept);
@ -29,13 +28,11 @@ macro_rules! initrules {
$batch.add(&Rule::new(&$chain), nftnl::MsgType::Del); $batch.add(&Rule::new(&$chain), nftnl::MsgType::Del);
let mut rule = Rule::new(&$chain); let mut rule = Rule::new(&$chain);
rule.add_expr(&nft_expr!(ct state)); rule.add_expr(&nft_expr!(ct state));
rule.add_expr(&nft_expr!(bitwise mask 4u32, xor 0u32)); rule.add_expr(&nft_expr!(bitwise mask 4u32, xor 0u32));
rule.add_expr(&nft_expr!(cmp != 0u32)); rule.add_expr(&nft_expr!(cmp != 0u32));
rule.add_expr(&nft_expr!(counter)); rule.add_expr(&nft_expr!(counter));
rule.add_expr(&nft_expr!(verdict accept)); rule.add_expr(&nft_expr!(verdict accept));
$batch.add(&rule, nftnl::MsgType::Add); $batch.add(&rule, nftnl::MsgType::Add);
}; };
} }
@ -86,25 +83,42 @@ fn fwinit(t: FwTableType) -> (Batch, Table) {
} }
pub fn fwblock( pub fn fwblock(
ips_add: &Vec<IpData>, ips_add_all: &Vec<IpData>,
ret: &mut Vec<String>, ret: &mut Vec<String>,
fwlen: &mut usize, fwlen: &mut usize,
) -> std::result::Result<(), Error> { ) -> std::result::Result<(), Error> {
let ((mut batch4, table4), (mut batch6, table6)) = fwglobalinit(); let ((mut batch4, table4), (mut batch6, table6)) = fwglobalinit();
let mut chain4 = Chain::new(&CString::new(PKG_NAME).unwrap(), &table4);
let mut chain6 = Chain::new(&CString::new(PKG_NAME).unwrap(), &table6);
initrules!(batch4, table4, chain4); initrules!(batch4, table4, chain4);
initrules!(batch6, table6, chain6); initrules!(batch6, table6, chain6);
let mut factor = 1;
if ips_add_all.len() > 100 {
factor = (ips_add_all.len() / 10) as usize
}
let ips_add_tmp: Vec<IpData> = ips_add_all.clone().iter().map(|x| x.clone()).collect();
let mut ips_add_iter = ips_add_tmp.chunks(factor);
let mut ips_add: Vec<&[IpData]> = vec![];
while let Some(x) = ips_add_iter.next() {
ips_add.push(x);
}
// build and add rules // build and add rules
for ipdata in ips_add.clone() { for ipdata_group in ips_add.clone() {
match ipdata.t { for ipdata in ipdata_group {
4 => { match ipdata.t {
createrules!(ipdata, chain4, batch4, Ipv4Addr, ipv4); 4 => {
createrules!(ipdata, chain4, batch4, Ipv4Addr, ipv4);
}
6 => {
createrules!(ipdata, chain6, batch6, Ipv6Addr, ipv6);
}
_ => {}
} }
6 => {
createrules!(ipdata, chain6, batch6, Ipv6Addr, ipv6);
}
_ => {}
} }
} }
@ -118,10 +132,13 @@ pub fn fwblock(
} }
}; };
} }
if fwlen != &mut ips_add.len() { if fwlen != &mut ips_add_all.len() {
ret.push(format!("{length} ip in firewall", length = ips_add.len())); ret.push(format!(
"{length} ip in firewall",
length = ips_add_all.len()
));
} }
*fwlen = ips_add.len(); *fwlen = ips_add_all.len();
Ok(()) Ok(())
} }
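Review bot: The chunk size in the fwblock hunk scales with the input (`ips_add_all.len() / 10` once the list exceeds 100 entries), so a chunk is never bounded — a list of 100 000 addresses yields chunks of 10 000 — which defeats the purpose if chunking is meant to cap how many rules land in one netlink batch; whether the batch is flushed per chunk happens in the part of fwblock that lies outside this hunk, so I cannot confirm either way, but a fixed maximum chunk size (or `min` against one) would make the bound explicit. The construction of `ips_add` also clones the whole `Vec<IpData>` twice and then re-collects slices through a manual `while let` loop; the same result is `let factor = if ips_add_all.len() > 100 { ips_add_all.len() / 10 } else { 1 };` followed by `let ips_add: Vec<&[IpData]> = ips_add_all.chunks(factor).collect();`, and the `as usize` cast on an already-`usize` value can go. The loop header `for ipdata_group in ips_add.clone()` clones the slice vector for no reason; `for ipdata_group in &ips_add` iterates it in place. Finally the renamed comparison `if fwlen != &mut ips_add_all.len()` compares through a fresh `&mut` to a temporary; `if *fwlen != ips_add_all.len()` states the intent directly. Note that fwblock's body continues between this hunk and the last one, so the batch-finalisation code is not visible here.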