From 0ac86a5b267c3e049eb6370bd62a61359f151dfd Mon Sep 17 00:00:00 2001
From: Gandalf
Date: Fri, 12 Apr 2019 00:54:43 +0800
Subject: [PATCH] Added nftables support
---
 iptablespush.c | 32 +++++++++++++++++++++++++-------
 ttl_iptables.c | 9 +++++++++
 2 files changed, 34 insertions(+), 7 deletions(-)
diff --git a/iptablespush.c b/iptablespush.c
index a77a1b1..88a87d9 100644
--- a/iptablespush.c
+++ b/iptablespush.c
@@ -77,6 +77,10 @@ int DROP_Insert_RedisCommand(RedisModuleCtx *ctx, RedisModuleString **argv, int
 static char insert_command[256];
 sprintf(insert_command, " pfctl -t block_ip -T add %s",
 RedisModule_StringPtrLen(argv[1], NULL));
+#elif WITH_NFTABLES
+ static char insert_command[256];
+ sprintf(insert_command, "nft insert rule ip redis INPUT ip saddr %s drop",
+ RedisModule_StringPtrLen(argv[1], NULL));
 #else
 static char check_command[256], insert_command[256];
 char tmp_buf[4096];
@@ -87,7 +91,7 @@ int DROP_Insert_RedisCommand(RedisModuleCtx *ctx, RedisModuleString **argv, int
 #endif
 printf("%s || %s\n", RedisModule_StringPtrLen(argv[0], NULL),
 RedisModule_StringPtrLen(argv[1], NULL));
-#if defined (WITH_IPSET) || defined (BSD)
+#if defined (WITH_IPSET) || defined (BSD) || defined (WITH_NFTABLES)
 fd = execute_popen(&pid, insert_command);
 redis_waitpid(pid);
 close(fd);
@@ -121,7 +125,10 @@ int DROP_Delete_RedisCommand(RedisModuleCtx *ctx, RedisModuleString **argv, int
 sprintf(insert_command, "ipset del block_ip %s",
 RedisModule_StringPtrLen(argv[1], NULL));
 #elif BSD
- sprintf(insert_command, " pfctl -t block_ip -T delete %s",
+ sprintf(insert_command, "pfctl -t block_ip -T delete %s",
+ RedisModule_StringPtrLen(argv[1], NULL));
+#elif WITH_NFTABLES
+ sprintf(insert_command, "nft delete rule redis INPUT `nft list table ip redis --handle --numeric |grep -m1 \"ip saddr %s drop\"|grep -oe \"handle [0-9]*\"`",
 RedisModule_StringPtrLen(argv[1], NULL));
 #else
 sprintf(insert_command, "iptables -D INPUT -s %s -j DROP",
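Review bot: The new WITH_NFTABLES branch formats `argv[1]` straight into the 256-byte static `insert_command` with `sprintf`, so an argument longer than about 200 bytes overflows the buffer, and a value containing shell metacharacters changes the command `execute_popen` runs if, as the backtick substitution in the delete branches requires, it goes through a shell; the same holds for the nft branches in the -121, -155, -201 and -239 hunks and in ttl_iptables.c. The rule only makes sense for an IPv4 address (`ip saddr`), so reject anything `inet_pton(AF_INET, …)` does not accept before formatting, and use `snprintf` with a truncation check (this needs `<arpa/inet.h>` in the file's include block). Replying with an error on bad input presumes this command answers the client the way the other module commands do; confirm that against the rest of the file. Nothing in the patch creates the `redis` table or its `INPUT` chain, so the README or a comment above the branch should state that the operator must create them before the module is loaded. DROP_Insert_RedisCommand starts before and ends after this hunk.
```c
#elif WITH_NFTABLES
    static char insert_command[256];
    const char *addr = RedisModule_StringPtrLen(argv[1], NULL);
    struct in_addr probe;
    /* the rule matches "ip saddr", so only a well-formed IPv4 literal may reach the shell */
    if (inet_pton(AF_INET, addr, &probe) != 1)
        return RedisModule_ReplyWithError(ctx, "ERR invalid IPv4 address");
    int written = snprintf(insert_command, sizeof insert_command,
                           "nft insert rule ip redis INPUT ip saddr %s drop", addr);
    if (written < 0 || (size_t)written >= sizeof insert_command)
        return RedisModule_ReplyWithError(ctx, "ERR address too long");
    // … unchanged: #else branch, printf and the execute_popen call …
```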
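Review bot: The guard on the changed `#if` line tests `defined (WITH_NFTABLES)`, while the branch selector added in the -77 hunk tests the macro's value with `#elif WITH_NFTABLES`; the two agree only when the macro is defined to a non-zero value (`-DWITH_NFTABLES` gives 1), and a bare `#define WITH_NFTABLES` makes the `#elif` a preprocessing error while this guard still passes. Write `#elif defined(WITH_NFTABLES)` in every new branch (the -77, -121, -155, -201 and -239 hunks and both ttl_iptables.c hunks) so the selector and the guards in this hunk, -167 and -251 cannot drift apart. The existing `#elif BSD` has the same fragility, which is presumably why the new code copied it. The enclosing function continues outside the hunk.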
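Review bot: The delete command on the added `sprintf` line relies on backtick substitution and a `grep` pipeline, which only works if `execute_popen` hands the string to a shell; nothing in this patch shows that, so confirm it, or look the handle up in C from the output of `nft list table ip redis --handle --numeric` and pass only the handle to nft. Two smaller points on the same line: the insert in the -77 hunk names the family (`ip redis`) while the delete does not, and the dots in the substituted address are regex metacharacters to `grep`, so make it `nft delete rule ip redis INPUT` and `grep -m1 -F "ip saddr %s drop"`. When no rule matches, the substitution is empty and nft fails with a usage error, which is harmless but worth surfacing through the exit status instead of being discarded. The same applies to the -201 hunk and the ttl_iptables.c hunk at -250; DROP_Delete_RedisCommand continues outside the hunk.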
@@ -155,7 +162,11 @@ int ACCEPT_Insert_RedisCommand(RedisModuleCtx *ctx, RedisModuleString **argv, in
 RedisModule_StringPtrLen(argv[1], NULL));
 #elif BSD
 static char insert_command[256];
- sprintf(insert_command, " pfctl -t allow_ip -T add %s",
+ sprintf(insert_command, "pfctl -t allow_ip -T add %s",
+ RedisModule_StringPtrLen(argv[1], NULL));
+#elif WITH_NFTABLES
+ static char insert_command[256];
+ sprintf(insert_command, "nft insert rule ip redis INPUT ip saddr %s accept",
 RedisModule_StringPtrLen(argv[1], NULL));
 #else
 char tmp_buf[4096];
@@ -167,7 +178,7 @@ int ACCEPT_Insert_RedisCommand(RedisModuleCtx *ctx, RedisModuleString **argv, in
 #endif
 printf("%s || %s\n", RedisModule_StringPtrLen(argv[0], NULL),
 RedisModule_StringPtrLen(argv[1], NULL));
-#if defined (WITH_IPSET) || defined (BSD)
+#if defined (WITH_IPSET) || defined (BSD) || defined (WITH_NFTABLES)
 fd = execute_popen(&pid, insert_command);
 redis_waitpid(pid);
 close(fd);
@@ -201,7 +212,10 @@ int ACCEPT_Delete_RedisCommand(RedisModuleCtx *ctx, RedisModuleString **argv, in
 sprintf(insert_command, "ipset del allow_ip %s",
 RedisModule_StringPtrLen(argv[1], NULL));
 #elif BSD
- sprintf(insert_command, " pfctl -t allow_ip -T delete %s",
+ sprintf(insert_command, "pfctl -t allow_ip -T delete %s",
+ RedisModule_StringPtrLen(argv[1], NULL));
+#elif WITH_NFTABLES
+ sprintf(insert_command, "nft delete rule redis INPUT `nft list table ip redis --handle --numeric |grep -m1 \"ip saddr %s accept\"|grep -oe \"handle [0-9]*\"`",
 RedisModule_StringPtrLen(argv[1], NULL));
 #else
 sprintf(insert_command, "iptables -D INPUT -s %s -j ACCEPT",
@@ -239,7 +253,11 @@ int TTL_DROP_Insert_RedisCommand(RedisModuleCtx *ctx, RedisModuleString **argv,
 RedisModule_StringPtrLen(argv[1], NULL));
 #elif BSD
 static char insert_command[256];
- sprintf(insert_command, " pfctl -t block_ip -T add %s",
+ sprintf(insert_command, "pfctl -t block_ip -T add %s",
+ RedisModule_StringPtrLen(argv[1], NULL));
+#elif WITH_NFTABLES
+ static char insert_command[256];
+ sprintf(insert_command, "nft insert rule ip redis INPUT ip saddr %s drop",
 RedisModule_StringPtrLen(argv[1], NULL));
 #else
 static char check_command[256], insert_command[256];
@@ -251,7 +269,7 @@ int TTL_DROP_Insert_RedisCommand(RedisModuleCtx *ctx, RedisModuleString **argv,
 #endif
 printf("%s || %s\n", RedisModule_StringPtrLen(argv[0], NULL),
 RedisModule_StringPtrLen(argv[1], NULL));
-#if defined (WITH_IPSET) || defined (BSD)
+#if defined (WITH_IPSET) || defined (BSD) || defined (WITH_NFTABLES)
 fd = execute_popen(&pid, insert_command);
 redis_waitpid(pid);
 close(fd);
diff --git a/ttl_iptables.c b/ttl_iptables.c
index 009e5d5..e51d957 100644
--- a/ttl_iptables.c
+++ b/ttl_iptables.c
@@ -250,6 +250,9 @@ int main(int argc, char **argv) {
 #elif BSD
 sprintf(insert_command, "pfctl -t block_ip -T del %s",
 reply->element[3]->str);
+#elif WITH_NFTABLES
+ sprintf(insert_command, "nft delete rule redis INPUT `nft list table ip redis --handle --numeric |grep -m1 \"ip saddr %s drop\"|grep -oe \"handle [0-9]*\"`",
+ reply->element[3]->str);
 #else
 sprintf(insert_command, "iptables -D INPUT -s %s -j DROP",
 reply->element[3]->str);
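Review bot: The nft delete command literal added in the ttl_iptables.c hunk at -250 is a byte-for-byte copy of the one in iptablespush.c (hunks -121 and -201), so any correction to the family name, the grep pattern or the handle lookup has to be repeated in three places. Put the format string in a header both files include, or add a small shared helper that builds the nft delete command from an address, so the command the TTL reaper executes cannot diverge from the module's. `reply->element[3]->str` presumably holds the address stored at insert time, but its origin and the declared size of `insert_command` are outside the hunk; note that assumption in a comment above the branch. main() starts before and ends after this hunk.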
@@ -268,6 +271,12 @@ int main(int argc, char **argv) {
 loc_time->tm_year + 1900, loc_time->tm_mon + 1, loc_time->tm_mday, loc_time->tm_hour, loc_time->tm_min, loc_time->tm_sec, __progname, getpid(), reply->element[3]->str);
+#elif WITH_NFTABLES
+ sprintf(msg,
+ "%04d/%02d/%02d %02d:%02d:%02d %s pid=%d nft delete rule redis INPUT `nft list table ip redis --handle --numeric |grep -m1 \"ip saddr %s drop\"|grep -oe \"handle [0-9]*\"`\n",
+ loc_time->tm_year + 1900, loc_time->tm_mon + 1, loc_time->tm_mday, loc_time->tm_hour,
+ loc_time->tm_min, loc_time->tm_sec, __progname, getpid(),
+ reply->element[3]->str);
 #else
 sprintf(msg, "%04d/%02d/%02d %02d:%02d:%02d %s pid=%d iptables -D INPUT -s %s -j DROP\n",
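Review bot: The added log line rebuilds the nft delete command text a second time instead of printing the `insert_command` the -250 hunk already built, so the logged command and the executed command can silently diverge. Replace the long literal with `"%04d/%02d/%02d %02d:%02d:%02d %s pid=%d %s\n"` and pass `insert_command` as the last argument; the BSD and iptables branches would simplify the same way, and the whole `#if` ladder around the log line could then go. `msg` is filled with unbounded `sprintf` and its size is outside the hunk; with a literal of roughly 190 bytes plus timestamp, program name and address, confirm the buffer is large enough or switch to `snprintf(msg, sizeof msg, …)` if it is an array. main() starts before and ends after this hunk.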