changeset 93:55670dabda5a maltfilter-0.19.2

Add support for FILTER_CHAIN and FILTER_TABLE settings.
author Matti Hamalainen <ccr@tnsp.org>
date Sun, 30 Aug 2009 23:06:58 +0300
parents 6e47a5c97538
children 02e3479a055c
files maltfilter
diffstat 1 files changed, 22 insertions(+), 7 deletions(-) [+]
--- a/maltfilter	Sun Aug 30 22:39:31 2009 +0300
+++ b/maltfilter	Sun Aug 30 23:06:58 2009 +0300
@@ -13,7 +13,7 @@
 use LWP::UserAgent;
 use IO::Seekable;
 
-my $progversion = "0.19.1";
+my $progversion = "0.19.2";
 my $progbanner =
 "Malicious Attack Livid Termination Filter daemon (maltfilter) v$progversion\n".
 "Programmed by Matti 'ccr' Hamalainen <ccr\@tnsp.org>\n".
@@ -37,6 +37,8 @@
   "FILTER_THRESHOLD"    => 3,
   "FILTER_MAX_AGE"      => 168,  # in hours
   "FILTER_TARGET"       => "DROP",
+  "FILTER_CHAIN"        => "INPUT",
+  "FILTER_TABLE"        => "filter",
   "IPTABLES"            => "/sbin/iptables",
 
   "FULL_TIME"           => 1,
@@ -73,6 +75,9 @@
   "192.168.0.0/16"
 );
 
+# Valid target tables for FILTER_TABLE
+my %filter_valid_tables = ("filter", "nat", "mangle", "raw");
+
 my %systemacct = ();
 sub check_add_hit($$$$$$);
 
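Review bot: `my %filter_valid_tables = ("filter", "nat", "mangle", "raw");` initialises a hash from a flat four-element list, so it contains only the keys `filter` and `mangle` (with values `nat` and `raw`), not a set of four table names. The `defined($filter_valid_tables{$mtable})` check this changeset adds in the settings validation will therefore reject `nat` and `raw`, and its error message built from `keys %filter_valid_tables` will list only two tables. Build an explicit set instead: `my %filter_valid_tables = map { $_ => 1 } qw(filter nat mangle raw);`. With that form the `keys` list in the error message names all four tables (in unspecified hash order).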
@@ -800,15 +805,15 @@
   }
 }
 
-### Get current Netfilter INPUT table entries that match
-### entry types we manage, e.g. filterlist
+### Get current Netfilter table entries that match entry types we
+### manage, e.g. filterlist
 sub update_filterlist($)
 {
   my $first = $_[0];
   return unless ($settings{"FILTER"} > 0);
 
   $ENV{"PATH"} = "";
-  open(STATUS, $settings{"IPTABLES"}." -v -n -L INPUT |") or
+  open(STATUS, $settings{"IPTABLES"}." -v -n -t ".$settings{"FILTER_TABLE"}." -L ".$settings{"FILTER_CHAIN"}." |") or
     mdie("Could not execute ".$settings{"IPTABLES"}."\n");
   my %newlist = ();
   undef(%newlist);
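Review bot: The rebuilt `open(STATUS, ... " |")` on the `-L` line is still a two-argument pipe open, so the command string is run through a shell, and FILTER_TABLE and FILTER_CHAIN are now interpolated into it; FILTER_TABLE is checked against an allowlist elsewhere in this changeset, but FILTER_CHAIN is only required to be non-empty, so a chain name containing shell metacharacters or starting with `-` alters the command rather than failing. Clearing `$ENV{"PATH"}` on the line above does not prevent that, since the shell still parses the string. The list form bypasses the shell and passes each value as its own argv entry: `open(STATUS, "-|", $settings{"IPTABLES"}, "-v", "-n", "-t", $settings{"FILTER_TABLE"}, "-L", $settings{"FILTER_CHAIN"}) or`. The body of update_filterlist continues past the end of this hunk.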
@@ -856,7 +861,7 @@
 {
   my $mtime = $filterlist{$_[0]};
   mlog(2, "* Weeding $_[0] (".get_time_str($mtime).")\n");
-  exec_iptables("-D", "INPUT", "-s", $_[0], "-d", "0.0.0.0/0", "-j", $settings{"FILTER_TARGET"});
+  exec_iptables("-t", $settings{"FILTER_TABLE"}, "-D", $settings{"FILTER_CHAIN"}, "-s", $_[0], "-d", "0.0.0.0/0", "-j", $settings{"FILTER_TARGET"});
   delete($filterlist{$_[0]});
   delete($statlist{$_[0]});
   delete($ignorelist{$_[0]});
@@ -981,7 +986,7 @@
     # Add to filterlist, unless already there.
     if (!defined($filterlist{$mip})) {
       mlog(1, "* Adding $mip \@ ".get_time_str($mdate).": [$mclass] $mreason\n");
-      exec_iptables("-I", "INPUT", "1", "-s", $mip, "-j", $settings{"FILTER_TARGET"});
+      exec_iptables("-t", $settings{"FILTER_TABLE"}, "-I", $settings{"FILTER_CHAIN"}, "1", "-s", $mip, "-j", $settings{"FILTER_TARGET"});
     }
     # Update date of last hit
     $filterlist{$mip} = $mdate;
@@ -1238,7 +1243,17 @@
     mdie("Invalid FILTER_THRESHOLD value $val, must be >= 0.\n") unless ($val >= 0);
   
     $val = $settings{"IPTABLES"};
-    mdie("iptables binary does not exist or is not executable: $val\n") unless (-e $val && -x $val);
+    mdie("Iptables binary does not exist or is not executable: $val\n") unless (-e $val && -x $val);
+
+    $val = $settings{"FILTER_TARGET"};
+    mdie("Value of FILTER_TARGET must not be empty!\n") unless ($val ne "");
+
+    my $mtable = $settings{"FILTER_TABLE"};
+    mdie("Value of FILTER_TABLE should be one of ".join(", ", keys %filter_valid_tables).".\n")
+      unless defined($filter_valid_tables{$mtable});
+
+    $val = $settings{"FILTER_CHAIN"};
+    mdie("Value of FILTER_CHAIN must not be empty!\n") unless ($val ne "");
   } else {
     mlog(1, "Netfilter handling disabled.\n");
   }
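Review bot: The new FILTER_CHAIN check rejects only the empty string, yet the value is later spliced unescaped into the iptables `-L` pipeline in update_filterlist and passed to `-I`/`-D` through exec_iptables, so a chain name such as `INPUT; true` or `-L` passes validation and is only caught, if at all, when iptables runs. Netfilter chain names use a small character set in practice, so an anchored allowlist is cheap here: `mdie("Value of FILTER_CHAIN contains invalid characters: $val\n") unless ($val =~ /^[A-Za-z0-9_][A-Za-z0-9_.-]*$/);`. The same consideration applies to FILTER_TARGET, which is handed to `-j` with no check beyond non-emptiness. The enclosing `if` of this settings-check block begins before the hunk.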