# HG changeset patch
# User Matti Hamalainen
# Date 1250366729 -10800
# Node ID cb0a4b747cf0f24c8674519b002384f667288ac4
# Parent 6b2ed125a3e4fc9c5f22520d813d5436c9385835
Handle importing of current netfilter entries differently.

diff -r 6b2ed125a3e4 -r cb0a4b747cf0 README
--- a/README Sat Aug 15 21:17:32 2009 +0300
+++ b/README Sat Aug 15 23:05:29 2009 +0300
@@ -1,4 +1,4 @@
-Malicious Attack Livid Termination Filter daemon (maltfilter) v0.9.1
+Malicious Attack Livid Termination Filter daemon (maltfilter) v0.9.2
 ====================================================================
 Programmed by Matti 'ccr' Hämäläinen
 (C) Copyright 2009 Tecnic Software productions (TNSP)
diff -r 6b2ed125a3e4 -r cb0a4b747cf0 maltfilter
--- a/maltfilter Sat Aug 15 21:17:32 2009 +0300
+++ b/maltfilter Sat Aug 15 23:05:29 2009 +0300
@@ -10,7 +10,7 @@
 use Date::Parse;
 use Net::IP;
-my $progversion = "0.9.1";
+my $progversion = "0.9.2";
 my $progbanner = "Malicious Attack Livid Termination Filter daemon (maltfilter) v$progversion\n".
 "Programmed by Matti 'ccr' Hamalainen \n".
@@ -451,8 +451,8 @@
 $ENV{"PATH"} = "";
 open(STATUS, $settings{"IPTABLES"}." -v -n -L INPUT |") or die("Could not execute ".$settings{"IPTABLES"}."\n");
- %blocklist = ();
- undef(%blocklist);
+ my %newlist = ();
+ undef(%newlist);
 while () {
 chomp;
 if (/^\s*(\d+)\s+\d+\s+$settings{"ACTION"}\s+all\s+--\s+\*\s+\*\s+(\d+\.\d+\.\d+\.\d+)\s+0\.0\.0\.0\/0\s*$/) {
@@ -462,10 +462,18 @@
 mlog(2, "* $mip appeared in iptables.\n");
 $blocklist{$2} = $mdate;
 }
+ $newlist{$2} = $mdate;
 update_entry(\%statlist, $mip, $mdate, "IPTABLES", "");
 }
 }
 close(STATUS);
+
+ foreach my $mip (keys %blocklist) {
+ if (!defined($newlist{$mip})) {
+ mlog(2, "* $mip removed from iptables.\n");
+ delete($blocklist{$mip});
+ }
+ }
 }
 ### Check if given timestamp is _newer_ than weedperiod threshold.
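Review bot: `my %newlist = ();` immediately followed by `undef(%newlist);` is redundant — a freshly declared lexical hash is already empty, so `my %newlist;` alone expresses the intent. The adjacent context line still lists the rules through a two-argument pipe open that interpolates `$settings{"IPTABLES"}` into a shell command string; the list form `open(my $status, '-|', $settings{"IPTABLES"}, qw(-v -n -L INPUT))` runs the binary without a shell, makes the handle lexical, and removes the reliance on the emptied `PATH` for safety. The `while () {` header appears to have lost its read expression in rendering, so that line cannot be reviewed as shown. The enclosing sub (presumably `update_blocklist`) starts outside the hunk.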
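Review bot: The pruning loop after `close(STATUS);` treats an empty `%newlist` as "every rule has gone", but a pipe open only fails when the fork fails — if iptables itself exits non-zero and prints nothing, `%newlist` stays empty and every tracked address is dropped from `%blocklist` while the netfilter rules are still installed. Checking the child's status before pruning avoids that, e.g. `close(STATUS) or do { mlog(0, "iptables listing failed ($?), keeping blocklist.\n"); return; };` in place of the bare `close(STATUS);`. Whether later code would re-add or leak such orphaned rules cannot be seen from the hunk; the enclosing sub starts outside it.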
@@ -576,7 +584,7 @@
 {
 my $level = shift;
 my $msg = shift;
- if (defined($LOGFILE)) {
+ if ($LOGFILE) {
 print $LOGFILE "[".scalar localtime()."] ".$msg if ($settings{"VERBOSITY"} > $level);
 } elsif ($settings{"DRY_RUN"}) {
 print STDERR $msg if ($settings{"VERBOSITY"} > $level);
@@ -584,7 +592,8 @@
 }
 ### Initialize
-sub malt_init {
+sub malt_init
+{
 mlog(0, "Updating initial blocklist from netfilter.\n");
 update_blocklist();
@@ -604,13 +613,15 @@
 }
 ### Quick cleanup (not complete shutdown)
-sub malt_cleanup {
+sub malt_cleanup
+{
 foreach my $filename (keys %filehandles) {
 close($filehandles{$filename});
 }
 }
-sub malt_finish {
+sub malt_finish
+{
 # Unlink pid-file
 if ($pid_file ne "" && -e $pid_file) {
 unlink $pid_file;
@@ -621,21 +632,24 @@
 }
 ### Signal handlers
-sub malt_int {
+sub malt_int
+{
 mlog(-1, "\nCaught Interrupt (^C), aborting.\n");
 malt_cleanup();
 malt_finish();
 exit(1);
 }
-sub malt_term {
+sub malt_term
+{
 mlog(-1, "Received TERM, quitting.\n");
 malt_cleanup();
 malt_finish();
 exit(1);
 }
-sub malt_hup {
+sub malt_hup
+{
 mlog(-1, "Received HUP, reinitializing.\n");
 malt_cleanup();
 malt_init();
@@ -643,7 +657,8 @@
 }
 ### Main scanning function
-sub malt_scan {
+sub malt_scan
+{
 mlog(1, "Entering main scanning loop.\n");
 my $counter = -1;
 while (1) {
@@ -759,7 +774,7 @@
 # Force dry run mode if we are reporting only
 if ($reportmode) {
 $settings{"DRY_RUN"} = 1;
- $settings{"VERBOSITY"} = 1;
+# $settings{"VERBOSITY"} = 1;
 }
 # Clean up certain arrays duplicate entries
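Review bot: Replacing `defined($LOGFILE)` with a plain truthiness test changes which states fall through to the `DRY_RUN`/STDERR branches (a handle variable holding `""` or `0` now counts as "no log file"), and nothing in the hunk records why; a comment on the new line such as `# false (never opened or cleared) $LOGFILE means log to stderr/stdout instead` would preserve that intent. If the handle is reset with an empty string somewhere rather than undef, this is the line that makes it work, but that cannot be confirmed from the hunk. On the context line, `print {$LOGFILE} ...` is the conventional way to write a handle held in a scalar and reads less ambiguously than `print $LOGFILE ...`. The start of `mlog` is outside the hunk.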
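Review bot: Commenting out `$settings{"VERBOSITY"} = 1;` leaves dead code under the `# Force dry run mode if we are reporting only` comment, and that comment no longer says what report mode does to verbosity. Either delete the line outright or replace it with a note such as `# Report mode no longer overrides VERBOSITY; the configured value applies`, so the next reader does not wonder whether it was disabled deliberately. The `DRY_RUN` override is still forced, which is the part that keeps report mode from touching netfilter.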