From 6e29272b847536a1a6eaf1cab1acc0c0207702c1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20K=C3=A1cha?= <ph@cesnet.cz>
Date: Fri, 12 Apr 2013 18:37:53 +0200
Subject: [PATCH] Pridan modul IPset (ipset - rychly lookup adres pro iptables)
---
src/contrib/warden-app/Modules/IPset.pm | 40 +++++++++++++++++++++++++
src/contrib/warden-app/doc/WApp.README | 2 ++
src/contrib/warden-app/etc/factory.conf | 18 +++++++++++
3 files changed, 60 insertions(+)
create mode 100644 src/contrib/warden-app/Modules/IPset.pm
diff --git a/src/contrib/warden-app/Modules/IPset.pm b/src/contrib/warden-app/Modules/IPset.pm
new file mode 100644
index 0000000..0d06504
--- /dev/null
+++ b/src/contrib/warden-app/Modules/IPset.pm
@@ -0,0 +1,40 @@
+package IPset;
+use strict;
+use warnings;
+use Data::Dumper;
+
+my %CONSTANTS = (
+ enabled => "no",
+ outputfile => "tmp/ipset.txt",
+ threshold => 250,
+ excludedip => [],
+ eventtype => [],
+ setname => "BLOCK",
+ maxage => "1D",
+ );
+
+my %FORMAT = ( maxage => qr/\d+[hdmHDM]/, logging => qr/enable|disable/,);
+
+sub run {
+ my (undef, $modprefix, $cfg, $dbh, $db_engine) = @_;
+
+ my $v = Constants::mergeConfigs($cfg, $modprefix, \%CONSTANTS, \%FORMAT);
+
+ my $eventtype_query = DB::joinIN("type", \@{$v->{'eventtype'}});
+ my $excluded_query = DB::joinNotIN("source", \@{$v->{'excludedip'}});
+
+ my $condition = substr($excluded_query . $eventtype_query, 0, -5);
+ my @columns= ("source");
+ my @params = ($condition, DB::getOldDataDB($db_engine, "NEWER", $v->{'maxage'}));
+ my $query = DB::getQueryCondThreshold($db_engine, "events", \@columns, \@params, $v->{'threshold'});
+
+ my @rows = Utils::fetchall_array_hashref($dbh, $query);
+
+ sub header { my $v = shift; return "create $v->{'setname'}_tmp hash:ip\n"; };
+ sub record { my ($r, $v) = @_; return "add $v->{'setname'}_tmp $r->{'source'}\n" if ($r->{'source'}=~/\d+\.\d+\.\d+\.\d+/); };
+ sub footer { my ($v) = @_; return "swap $v->{'setname'}_tmp $v->{'setname'}\ndestroy $v->{'setname'}_tmp\nquit\n"; };
+
+ my $ret = Utils::generateOutput($v->{'outputfile'}, \@rows, \&header, \&record, \&footer, $v);
+ return $ret;
+}
+1;
diff --git a/src/contrib/warden-app/doc/WApp.README b/src/contrib/warden-app/doc/WApp.README
index 5b3e0b2..6a12fbd 100644
--- a/src/contrib/warden-app/doc/WApp.README
+++ b/src/contrib/warden-app/doc/WApp.README
@@ -50,6 +50,7 @@ A. Overall Information
| |-- DNSblacklist.pm
| |-- IPblacklist.pm
| |-- IPtables.pm
+ | |-- IPset.pm
| `-- MailReport.pm
|-- sh
| |-- create_tables_mysql.sh
@@ -145,6 +146,7 @@ F. Modules
DNSblacklist - generates zone file for the most widely used DNS software on the Internet.
IPblacklist - generates traditional CSV file with IP addresses.
IPtables - generates iptables rules.
+ IPset - generates ipset rules (use on big sets of addresses rather than iptables).
MailReport - generates reports which are sent to specific recipients.
Section XX. describes how to write own module.
diff --git a/src/contrib/warden-app/etc/factory.conf b/src/contrib/warden-app/etc/factory.conf
index f0c23d0..426859e 100644
--- a/src/contrib/warden-app/etc/factory.conf
+++ b/src/contrib/warden-app/etc/factory.conf
@@ -40,6 +40,24 @@ destchain="DROP"
# Time interval for generating data [D - Days, M - Months, H - Hours];
maxage="4M"
+[MOD_IPSET_1]
+# Enabling module [yes, no]
+enabled="yes"
+# Type of module; see 'moddir' directory
+module="IPset"
+# Where will be result stored
+outputfile="/opt/warden-app/var/ipset.txt"
+# Threshold for SQL query (events grouped by source IP) [number]
+threshold="10"
+# Which source IP we want to exclude from result [ip1, ip2, ipN]
+excludedip="1.1.1.1"
+# Which type of events we want to process [ see Warden manual ]
+eventtype=
+# Chain in which will be iptables rules inserted
+setname="BLOCK"
+# Time interval for generating data [D - Days, M - Months, H - Hours];
+maxage="4M"
+
[MOD_DNSBL_1]
# Enabling module [yes, no]
enabled="yes"
--
GitLab