Compare commits
15 Commits
Author | SHA1 | Date | |
---|---|---|---|
1998e6e77a | |||
f0cb50e797 | |||
3c4d6fb2cf | |||
bdf41fa605 | |||
ebb6e5ec6d | |||
46eaf6017f | |||
9b456d403f | |||
71d640f393 | |||
0a82d46bf1 | |||
29472b4d7f | |||
22214b8d55 | |||
9bae2248df | |||
ecd35fd37a | |||
129a7e9ada | |||
1e2f047824 |
663
Cargo.lock
generated
663
Cargo.lock
generated
File diff suppressed because it is too large
Load Diff
@ -1,6 +1,6 @@
|
|||||||
[package]
|
[package]
|
||||||
name = "ipblc"
|
name = "ipblc"
|
||||||
version = "1.6.7"
|
version = "1.7.0"
|
||||||
edition = "2021"
|
edition = "2021"
|
||||||
authors = ["PaulBSD <paul@paulbsd.com>"]
|
authors = ["PaulBSD <paul@paulbsd.com>"]
|
||||||
description = "ipblc is a tool that search and send attacking ip addresses to ipbl"
|
description = "ipblc is a tool that search and send attacking ip addresses to ipbl"
|
||||||
@ -21,6 +21,7 @@ regex = "1.10"
|
|||||||
reqwest = { version = "0.11", default-features = false, features = ["json", "rustls-tls"] }
|
reqwest = { version = "0.11", default-features = false, features = ["json", "rustls-tls"] }
|
||||||
serde = { version = "1.0", features = ["derive"] }
|
serde = { version = "1.0", features = ["derive"] }
|
||||||
serde_json = "1.0"
|
serde_json = "1.0"
|
||||||
|
sd-notify = { version = "0.4" }
|
||||||
tokio = { version = "1.35", features = ["full", "sync"] }
|
tokio = { version = "1.35", features = ["full", "sync"] }
|
||||||
tungstenite = { version = "0.21", features = ["handshake", "rustls-tls-native-roots"] }
|
tungstenite = { version = "0.21", features = ["handshake", "rustls-tls-native-roots"] }
|
||||||
|
|
||||||
|
@ -103,12 +103,12 @@ impl Context {
|
|||||||
.send()
|
.send()
|
||||||
.await;
|
.await;
|
||||||
let req = match resp {
|
let req = match resp {
|
||||||
Ok(re) => re,
|
Ok(o) => o,
|
||||||
Err(err) => return Err(err),
|
Err(e) => return Err(e),
|
||||||
};
|
};
|
||||||
let data: Discovery = match req.json().await {
|
let data: Discovery = match req.json().await {
|
||||||
Ok(res) => res,
|
Ok(o) => o,
|
||||||
Err(err) => return Err(err),
|
Err(e) => return Err(e),
|
||||||
};
|
};
|
||||||
Ok(data)
|
Ok(data)
|
||||||
}
|
}
|
||||||
@ -127,8 +127,8 @@ impl Context {
|
|||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
Err(err) => {
|
Err(e) => {
|
||||||
println!("error loading config: {err}, retrying in {CONFIG_RETRY_INTERVAL}s");
|
println!("error loading config: {e}, retrying in {CONFIG_RETRY_INTERVAL}s");
|
||||||
last_in_err = true;
|
last_in_err = true;
|
||||||
sleep_s(CONFIG_RETRY_INTERVAL).await;
|
sleep_s(CONFIG_RETRY_INTERVAL).await;
|
||||||
}
|
}
|
||||||
@ -365,12 +365,12 @@ impl Config {
|
|||||||
.send()
|
.send()
|
||||||
.await;
|
.await;
|
||||||
let req = match resp {
|
let req = match resp {
|
||||||
Ok(re) => re,
|
Ok(o) => o,
|
||||||
Err(err) => return Err(err),
|
Err(e) => return Err(e),
|
||||||
};
|
};
|
||||||
let data: GlobalConfigV2 = match req.json::<GlobalConfigV2>().await {
|
let data: GlobalConfigV2 = match req.json::<GlobalConfigV2>().await {
|
||||||
Ok(res) => res,
|
Ok(o) => o,
|
||||||
Err(err) => return Err(err),
|
Err(e) => return Err(e),
|
||||||
};
|
};
|
||||||
|
|
||||||
for d in data.sets {
|
for d in data.sets {
|
||||||
@ -400,13 +400,13 @@ impl Config {
|
|||||||
.await;
|
.await;
|
||||||
|
|
||||||
let req = match resp {
|
let req = match resp {
|
||||||
Ok(re) => re,
|
Ok(o) => o,
|
||||||
Err(err) => return Err(err),
|
Err(e) => return Err(e),
|
||||||
};
|
};
|
||||||
|
|
||||||
let data: Vec<IpData> = match req.json::<Vec<IpData>>().await {
|
let data: Vec<IpData> = match req.json::<Vec<IpData>>().await {
|
||||||
Ok(res) => res,
|
Ok(o) => o,
|
||||||
Err(err) => return Err(err),
|
Err(e) => return Err(e),
|
||||||
};
|
};
|
||||||
|
|
||||||
Ok(data)
|
Ok(data)
|
||||||
@ -417,8 +417,8 @@ impl Config {
|
|||||||
for trustnet in &self.trustnets {
|
for trustnet in &self.trustnets {
|
||||||
match trustnet.parse() {
|
match trustnet.parse() {
|
||||||
Ok(net) => trustnets.push(net),
|
Ok(net) => trustnets.push(net),
|
||||||
Err(err) => {
|
Err(e) => {
|
||||||
println!("error parsing {trustnet}, error: {err}");
|
println!("error parsing {trustnet}, error: {e}");
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
33
src/fw.rs
33
src/fw.rs
@ -21,7 +21,6 @@ pub fn fwglobalinit<'a>() -> ((Batch, Table), (Batch, Table)) {
|
|||||||
|
|
||||||
macro_rules! initrules {
|
macro_rules! initrules {
|
||||||
($batch:expr, $table:expr, $chain:ident) => {
|
($batch:expr, $table:expr, $chain:ident) => {
|
||||||
let mut $chain = Chain::new(&CString::new(PKG_NAME).unwrap(), &$table);
|
|
||||||
$chain.set_hook(nftnl::Hook::In, 1);
|
$chain.set_hook(nftnl::Hook::In, 1);
|
||||||
$chain.set_policy(nftnl::Policy::Accept);
|
$chain.set_policy(nftnl::Policy::Accept);
|
||||||
|
|
||||||
@ -29,13 +28,11 @@ macro_rules! initrules {
|
|||||||
$batch.add(&Rule::new(&$chain), nftnl::MsgType::Del);
|
$batch.add(&Rule::new(&$chain), nftnl::MsgType::Del);
|
||||||
|
|
||||||
let mut rule = Rule::new(&$chain);
|
let mut rule = Rule::new(&$chain);
|
||||||
|
|
||||||
rule.add_expr(&nft_expr!(ct state));
|
rule.add_expr(&nft_expr!(ct state));
|
||||||
rule.add_expr(&nft_expr!(bitwise mask 4u32, xor 0u32));
|
rule.add_expr(&nft_expr!(bitwise mask 4u32, xor 0u32));
|
||||||
rule.add_expr(&nft_expr!(cmp != 0u32));
|
rule.add_expr(&nft_expr!(cmp != 0u32));
|
||||||
rule.add_expr(&nft_expr!(counter));
|
rule.add_expr(&nft_expr!(counter));
|
||||||
rule.add_expr(&nft_expr!(verdict accept));
|
rule.add_expr(&nft_expr!(verdict accept));
|
||||||
|
|
||||||
$batch.add(&rule, nftnl::MsgType::Add);
|
$batch.add(&rule, nftnl::MsgType::Add);
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
@ -86,17 +83,33 @@ fn fwinit(t: FwTableType) -> (Batch, Table) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
pub fn fwblock(
|
pub fn fwblock(
|
||||||
ips_add: &Vec<IpData>,
|
ips_add_all: &Vec<IpData>,
|
||||||
ret: &mut Vec<String>,
|
ret: &mut Vec<String>,
|
||||||
fwlen: &mut usize,
|
fwlen: &mut usize,
|
||||||
) -> std::result::Result<(), Error> {
|
) -> std::result::Result<(), Error> {
|
||||||
let ((mut batch4, table4), (mut batch6, table6)) = fwglobalinit();
|
let ((mut batch4, table4), (mut batch6, table6)) = fwglobalinit();
|
||||||
|
|
||||||
|
let mut chain4 = Chain::new(&CString::new(PKG_NAME).unwrap(), &table4);
|
||||||
|
let mut chain6 = Chain::new(&CString::new(PKG_NAME).unwrap(), &table6);
|
||||||
|
|
||||||
initrules!(batch4, table4, chain4);
|
initrules!(batch4, table4, chain4);
|
||||||
initrules!(batch6, table6, chain6);
|
initrules!(batch6, table6, chain6);
|
||||||
|
|
||||||
|
let mut factor = 1;
|
||||||
|
if ips_add_all.len() > 100 {
|
||||||
|
factor = (ips_add_all.len() / 10) as usize
|
||||||
|
}
|
||||||
|
|
||||||
|
let ips_add_tmp: Vec<IpData> = ips_add_all.clone().iter().map(|x| x.clone()).collect();
|
||||||
|
let mut ips_add_iter = ips_add_tmp.chunks(factor);
|
||||||
|
let mut ips_add: Vec<&[IpData]> = vec![];
|
||||||
|
while let Some(x) = ips_add_iter.next() {
|
||||||
|
ips_add.push(x);
|
||||||
|
}
|
||||||
|
|
||||||
// build and add rules
|
// build and add rules
|
||||||
for ipdata in ips_add.clone() {
|
for ipdata_group in ips_add.clone() {
|
||||||
|
for ipdata in ipdata_group {
|
||||||
match ipdata.t {
|
match ipdata.t {
|
||||||
4 => {
|
4 => {
|
||||||
createrules!(ipdata, chain4, batch4, Ipv4Addr, ipv4);
|
createrules!(ipdata, chain4, batch4, Ipv4Addr, ipv4);
|
||||||
@ -107,6 +120,7 @@ pub fn fwblock(
|
|||||||
_ => {}
|
_ => {}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// validate and send batch
|
// validate and send batch
|
||||||
for b in [batch4, batch6] {
|
for b in [batch4, batch6] {
|
||||||
@ -118,10 +132,13 @@ pub fn fwblock(
|
|||||||
}
|
}
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
if fwlen != &mut ips_add.len() {
|
if fwlen != &mut ips_add_all.len() {
|
||||||
ret.push(format!("{length} ip in firewall", length = ips_add.len()));
|
ret.push(format!(
|
||||||
|
"{length} ip in firewall",
|
||||||
|
length = ips_add_all.len()
|
||||||
|
));
|
||||||
}
|
}
|
||||||
*fwlen = ips_add.len();
|
*fwlen = ips_add_all.len();
|
||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
|
|
||||||
|
21
src/ipblc.rs
21
src/ipblc.rs
@ -11,6 +11,7 @@ use chrono::prelude::*;
|
|||||||
use chrono::prelude::{DateTime, Local};
|
use chrono::prelude::{DateTime, Local};
|
||||||
use chrono::Duration;
|
use chrono::Duration;
|
||||||
use nix::sys::inotify::{InitFlags, Inotify, InotifyEvent};
|
use nix::sys::inotify::{InitFlags, Inotify, InotifyEvent};
|
||||||
|
use sd_notify::*;
|
||||||
use std::collections::HashMap;
|
use std::collections::HashMap;
|
||||||
use std::sync::Arc;
|
use std::sync::Arc;
|
||||||
use tokio::sync::mpsc::{channel, Receiver, Sender};
|
use tokio::sync::mpsc::{channel, Receiver, Sender};
|
||||||
@ -21,6 +22,13 @@ const BL_CHAN_SIZE: usize = 32;
|
|||||||
const WS_CHAN_SIZE: usize = 64;
|
const WS_CHAN_SIZE: usize = 64;
|
||||||
const LOOP_MAX_WAIT: u64 = 5;
|
const LOOP_MAX_WAIT: u64 = 5;
|
||||||
|
|
||||||
|
macro_rules! log_with_systemd {
|
||||||
|
($msg:expr) => {
|
||||||
|
println!("{}", $msg);
|
||||||
|
notify(false, &[NotifyState::Status(format!("{}", $msg).as_str())]).unwrap();
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
pub async fn run() {
|
pub async fn run() {
|
||||||
let inotify = Inotify::init(InitFlags::empty()).unwrap();
|
let inotify = Inotify::init(InitFlags::empty()).unwrap();
|
||||||
let globalctx = Context::new(&inotify).await;
|
let globalctx = Context::new(&inotify).await;
|
||||||
@ -31,7 +39,7 @@ pub async fn run() {
|
|||||||
let pkgversion = format!("{}@{}", env!("CARGO_PKG_VERSION"), GIT_VERSION);
|
let pkgversion = format!("{}@{}", env!("CARGO_PKG_VERSION"), GIT_VERSION);
|
||||||
|
|
||||||
let mut last_cfg_reload: DateTime<Local> = Local::now().trunc_subsecs(0);
|
let mut last_cfg_reload: DateTime<Local> = Local::now().trunc_subsecs(0);
|
||||||
println!("Launching {}, version {}", PKG_NAME, pkgversion);
|
log_with_systemd!(format!("Launching {}, version {}", PKG_NAME, pkgversion));
|
||||||
fwglobalinit();
|
fwglobalinit();
|
||||||
|
|
||||||
let ctxapi = Arc::clone(&ctxarc);
|
let ctxapi = Arc::clone(&ctxarc);
|
||||||
@ -60,6 +68,8 @@ pub async fn run() {
|
|||||||
compare_files_changes(&ctxclone, &mut blrx, &ipeventclone).await;
|
compare_files_changes(&ctxclone, &mut blrx, &ipeventclone).await;
|
||||||
});
|
});
|
||||||
|
|
||||||
|
notify(false, &[NotifyState::Ready]).unwrap();
|
||||||
|
|
||||||
loop {
|
loop {
|
||||||
let mut ret: Vec<String> = Vec::new();
|
let mut ret: Vec<String> = Vec::new();
|
||||||
|
|
||||||
@ -94,7 +104,7 @@ pub async fn run() {
|
|||||||
// send ip list to api and ws sockets
|
// send ip list to api and ws sockets
|
||||||
if let Some(ipevent) = filtered_ipevent {
|
if let Some(ipevent) = filtered_ipevent {
|
||||||
if received_ip.msgtype != "init" {
|
if received_ip.msgtype != "init" {
|
||||||
println!("sending {} to api and ws", ipevent.ipdata.clone().unwrap().ip);
|
log_with_systemd!(format!("sending {} to api and ws", ipevent.ipdata.clone().unwrap().ip));
|
||||||
let ipe = ipevent!("add","ws",gethostname(true),ipevent.ipdata);
|
let ipe = ipevent!("add","ws",gethostname(true),ipevent.ipdata);
|
||||||
send_to_ipbl_api(&server.clone(), &ipe).await;
|
send_to_ipbl_api(&server.clone(), &ipe).await;
|
||||||
if !send_to_ipbl_websocket(&mut wssocketrr, &ipe).await {
|
if !send_to_ipbl_websocket(&mut wssocketrr, &ipe).await {
|
||||||
@ -119,7 +129,8 @@ pub async fn run() {
|
|||||||
|
|
||||||
// log lines
|
// log lines
|
||||||
if ret.len() > 0 {
|
if ret.len() > 0 {
|
||||||
println!("{ret}", ret = ret.join(", "));
|
let result = ret.join(", ");
|
||||||
|
log_with_systemd!(format!("{result}"));
|
||||||
}
|
}
|
||||||
|
|
||||||
let ctxclone = Arc::clone(&ctxarc);
|
let ctxclone = Arc::clone(&ctxarc);
|
||||||
@ -178,8 +189,8 @@ async fn handle_fwblock(ctxclone: Arc<RwLock<Context>>, ret: &mut Vec<String>, f
|
|||||||
// apply firewall blocking
|
// apply firewall blocking
|
||||||
match fwblock(&toblock, ret, fwlen) {
|
match fwblock(&toblock, ret, fwlen) {
|
||||||
Ok(_) => {}
|
Ok(_) => {}
|
||||||
Err(err) => {
|
Err(e) => {
|
||||||
println!("Err: {err}, unable to push firewall rules, use super user")
|
println!("err: {e}, unable to push firewall rules, use super user")
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
@ -11,9 +11,9 @@ pub async fn apiserver(ctxarc: &Arc<RwLock<Context>>) -> io::Result<()> {
|
|||||||
let ctxarc = ctxarc.clone();
|
let ctxarc = ctxarc.clone();
|
||||||
let addr: String = { ctxarc.read().await.cfg.api.parse().unwrap() };
|
let addr: String = { ctxarc.read().await.cfg.api.parse().unwrap() };
|
||||||
let listener = match TcpListener::bind(addr).await {
|
let listener = match TcpListener::bind(addr).await {
|
||||||
Ok(l) => l,
|
Ok(o) => o,
|
||||||
Err(err) => {
|
Err(e) => {
|
||||||
println!("Error: {err}");
|
println!("error: {e}");
|
||||||
std::process::exit(1);
|
std::process::exit(1);
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
@ -29,13 +29,13 @@ pub async fn apiserver(ctxarc: &Arc<RwLock<Context>>) -> io::Result<()> {
|
|||||||
match socket.try_read(&mut buf) {
|
match socket.try_read(&mut buf) {
|
||||||
Ok(_) => {}
|
Ok(_) => {}
|
||||||
Err(e) => {
|
Err(e) => {
|
||||||
println!("{e}");
|
println!("error: {e}");
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
Err(e) => {
|
Err(e) => {
|
||||||
println!("{e}");
|
println!("error: {e}");
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -49,8 +49,8 @@ pub async fn apiserver(ctxarc: &Arc<RwLock<Context>>) -> io::Result<()> {
|
|||||||
|
|
||||||
match socket.write_all(res.as_bytes()).await {
|
match socket.write_all(res.as_bytes()).await {
|
||||||
Ok(_) => {}
|
Ok(_) => {}
|
||||||
Err(err) => {
|
Err(e) => {
|
||||||
println!("ee {err}");
|
println!("error: {e}");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -6,9 +6,9 @@ use tokio::time::{sleep, Duration};
|
|||||||
|
|
||||||
pub fn read_lines(filename: &String, offset: u64) -> Option<Box<dyn Read>> {
|
pub fn read_lines(filename: &String, offset: u64) -> Option<Box<dyn Read>> {
|
||||||
let mut file = match File::open(filename) {
|
let mut file = match File::open(filename) {
|
||||||
Ok(f) => f,
|
Ok(o) => o,
|
||||||
Err(err) => {
|
Err(e) => {
|
||||||
println!("{err}");
|
println!("error: {e}");
|
||||||
return None;
|
return None;
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
@ -15,8 +15,8 @@ pub async fn send_to_ipbl_api(server: &str, ip: &IpEvent) {
|
|||||||
Ok(_) => {
|
Ok(_) => {
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
Err(err) => {
|
Err(e) => {
|
||||||
println!("{err}");
|
println!("error: {e}");
|
||||||
sleep_s(1).await;
|
sleep_s(1).await;
|
||||||
if try_req == MAX_FAILED_API_RATE {
|
if try_req == MAX_FAILED_API_RATE {
|
||||||
break;
|
break;
|
||||||
|
Loading…
Reference in New Issue
Block a user