# HG changeset patch # User Matti Hamalainen # Date 1251662818 -10800 # Node ID 55670dabda5a4dddf4d7c02ca025f72037dd754d # Parent 6e47a5c97538839073cf4bf2def8efcdd0988bc9 Add support for FILTER_CHAIN and FILTER_TABLE settings. diff -r 6e47a5c97538 -r 55670dabda5a maltfilter --- a/maltfilter Sun Aug 30 22:39:31 2009 +0300 +++ b/maltfilter Sun Aug 30 23:06:58 2009 +0300 @@ -13,7 +13,7 @@ use LWP::UserAgent; use IO::Seekable; -my $progversion = "0.19.1"; +my $progversion = "0.19.2"; my $progbanner = "Malicious Attack Livid Termination Filter daemon (maltfilter) v$progversion\n". "Programmed by Matti 'ccr' Hamalainen \n". @@ -37,6 +37,8 @@ "FILTER_THRESHOLD" => 3, "FILTER_MAX_AGE" => 168, # in hours "FILTER_TARGET" => "DROP", + "FILTER_CHAIN" => "INPUT", + "FILTER_TABLE" => "filter", "IPTABLES" => "/sbin/iptables", "FULL_TIME" => 1, @@ -73,6 +75,9 @@ "192.168.0.0/16" ); +# Valid target tables for FILTER_TABLE +my %filter_valid_tables = ("filter", "nat", "mangle", "raw"); + my %systemacct = (); sub check_add_hit($$$$$$); @@ -800,15 +805,15 @@ } } -### Get current Netfilter INPUT table entries that match -### entry types we manage, e.g. filterlist +### Get current Netfilter table entries that match entry types we +### manage, e.g. filterlist sub update_filterlist($) { my $first = $_[0]; return unless ($settings{"FILTER"} > 0); $ENV{"PATH"} = ""; - open(STATUS, $settings{"IPTABLES"}." -v -n -L INPUT |") or + open(STATUS, $settings{"IPTABLES"}." -v -n -t ".$settings{"FILTER_TABLE"}." -L ".$settings{"FILTER_CHAIN"}." |") or mdie("Could not execute ".$settings{"IPTABLES"}."\n"); my %newlist = (); undef(%newlist); 
@@ -856,7 +861,7 @@ { my $mtime = $filterlist{$_[0]}; mlog(2, "* Weeding $_[0] (".get_time_str($mtime).")\n"); - exec_iptables("-D", "INPUT", "-s", $_[0], "-d", "0.0.0.0/0", "-j", $settings{"FILTER_TARGET"}); + exec_iptables("-t", $settings{"FILTER_TABLE"}, "-D", $settings{"FILTER_CHAIN"}, "-s", $_[0], "-d", "0.0.0.0/0", "-j", $settings{"FILTER_TARGET"}); delete($filterlist{$_[0]}); delete($statlist{$_[0]}); delete($ignorelist{$_[0]}); @@ -981,7 +986,7 @@ # Add to filterlist, unless already there. if (!defined($filterlist{$mip})) { mlog(1, "* Adding $mip \@ ".get_time_str($mdate).": [$mclass] $mreason\n"); - exec_iptables("-I", "INPUT", "1", "-s", $mip, "-j", $settings{"FILTER_TARGET"}); + exec_iptables("-t", $settings{"FILTER_TABLE"}, "-I", $settings{"FILTER_CHAIN"}, "1", "-s", $mip, "-j", $settings{"FILTER_TARGET"}); } # Update date of last hit $filterlist{$mip} = $mdate; @@ -1238,7 +1243,17 @@ mdie("Invalid FILTER_THRESHOLD value $val, must be >= 0.\n") unless ($val >= 0); $val = $settings{"IPTABLES"}; - mdie("iptables binary does not exist or is not executable: $val\n") unless (-e $val && -x $val); + mdie("Iptables binary does not exist or is not executable: $val\n") unless (-e $val && -x $val); + + $val = $settings{"FILTER_TARGET"}; + mdie("Value of FILTER_TARGET must not be empty!\n") unless ($val ne ""); + + my $mtable = $settings{"FILTER_TABLE"}; + mdie("Value of FILTER_TABLE should be one of ".join(", ", keys %filter_valid_tables).".\n") + unless defined($filter_valid_tables{$mtable}); + + $val = $settings{"FILTER_CHAIN"}; + mdie("Value of FILTER_CHAIN must not be empty!\n") unless ($val ne ""); } else { mlog(1, "Netfilter handling disabled.\n"); }
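Review bot: In the hunk at @@ -73,6 +75,9 @@, `my %filter_valid_tables = ("filter", "nat", "mangle", "raw");` does not build a set of four table names. A list assigned to a hash is consumed as key/value pairs, so the resulting hash is `("filter" => "nat", "mangle" => "raw")`: only "filter" and "mangle" are keys, and the later `defined($filter_valid_tables{$mtable})` check rejects FILTER_TABLE values of "nat" and "raw" even though they are the intended valid tables. Build the set as `my %filter_valid_tables = map { $_ => 1 } qw(filter nat mangle raw);` and test membership with `exists $filter_valid_tables{$mtable}`.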
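Review bot: In the hunk at @@ -800,15 +805,15 @@, the new `open(STATUS, $settings{"IPTABLES"}." -v -n -t ".$settings{"FILTER_TABLE"}." -L ".$settings{"FILTER_CHAIN"}." |")` interpolates two configuration values into a two-argument piped open, which hands the whole string to the shell. FILTER_TABLE is constrained by the validation hunk, but FILTER_CHAIN is only checked for being non-empty, so a chain name containing shell metacharacters (spaces, `;`, `|`) would be interpreted by the shell rather than passed to iptables, and the `-D`/`-I` calls would then operate on a different chain name than the listing. The list form `open(STATUS, "-|", $settings{"IPTABLES"}, "-v", "-n", "-t", $settings{"FILTER_TABLE"}, "-L", $settings{"FILTER_CHAIN"})` avoids the shell entirely and keeps the three iptables invocations consistent in how they receive the chain and table arguments.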
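Review bot: In the hunk at @@ -1238,7 +1243,17 @@, the FILTER_CHAIN check `mdie("Value of FILTER_CHAIN must not be empty!\n") unless ($val ne "");` accepts any non-empty string, but the value is later spliced into a shell command line and passed to iptables as a chain name. Restricting it to the characters iptables itself accepts for chain names, for example `unless ($val =~ /^[A-Za-z0-9_.-]+$/)`, would reject misconfigured values at startup instead of at the first iptables call. The FILTER_TABLE error message also uses `join(", ", keys %filter_valid_tables)`; hash key order is not stable across runs, so `sort keys %filter_valid_tables` gives a deterministic message, and with the hash declared as it is in the earlier hunk the message would currently list only two of the four tables.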