Add files via upload

Author: limithit

Makefile

@@ -13,7 +13,10 @@ endif
 
 .SUFFIXES: .c .so .xo .o
 
-all: iptablespush.so 
+all: iptablespush.so ttl_iptables
+
+ttl_iptables: ttl_iptables.c
+		$(CC) ttl_iptables.c -o $@ -I /usr/local/include/hiredis -lhiredis
 
 .c.xo:
 	$(CC) -I. $(CFLAGS) $(SHOBJ_CFLAGS) -fPIC -c $< -o $@
@@ -24,4 +27,4 @@ iptablespush.so: iptablespush.xo
 	$(LD) -o $@ $< $(SHOBJ_LDFLAGS) $(LIBS) -lc
 
 clean:
-	rm -rf *.xo *.so
+	rm -rf *.xo *.so ttl_iptables

iptablespush.c

@@ -155,6 +155,7 @@ int ACCEPT_Insert_RedisCommand(RedisModuleCtx *ctx, RedisModuleString **argv, in
 	close(fd);
 
 	RedisModule_StringSet(key, argv[1]);
+
 	size_t newlen = RedisModule_ValueLength(key);
 	RedisModule_CloseKey(key);
 	RedisModule_ReplyWithLongLong(ctx, newlen);
@@ -186,6 +187,82 @@ int ACCEPT_Delete_RedisCommand(RedisModuleCtx *ctx, RedisModuleString **argv, in
 	return REDISMODULE_OK;
 }
 
+int TTL_ACCEPT_Insert_RedisCommand(RedisModuleCtx *ctx, RedisModuleString **argv, int argc)
+{
+	if (argc != 3)
+			return RedisModule_WrongArity(ctx);
+		RedisModuleKey *key = RedisModule_OpenKey(ctx, argv[1],
+		REDISMODULE_READ | REDISMODULE_WRITE);
+		long long count;
+		    if ((RedisModule_StringToLongLong(argv[2],&count) != REDISMODULE_OK) ||
+		        (count < 0)) {
+		        return RedisModule_ReplyWithError(ctx,"ERR invalid count");
+		    }
+		pid_t pid;
+		int fd;
+		char tmp_buf[4096];
+
+		static char check_command[256], insert_command[256];
+		sprintf(check_command, "iptables -C INPUT -s %s -j ACCEPT",
+				RedisModule_StringPtrLen(argv[1], NULL));
+		sprintf(insert_command, "iptables -I INPUT -s %s -j ACCEPT",
+				RedisModule_StringPtrLen(argv[1], NULL));
+		printf("%s || %s\n", RedisModule_StringPtrLen(argv[0], NULL),
+				RedisModule_StringPtrLen(argv[1], NULL));
+		fd = execute_popen(&pid, check_command);
+		redis_waitpid(pid);
+		if (0 < read(fd, tmp_buf, sizeof(tmp_buf) - 1)) {
+			close(fd);
+			execute_popen(&pid, insert_command);
+			redis_waitpid(pid);
+		}
+		close(fd);
+		RedisModule_StringSet(key, argv[1]);
+		   RedisModule_SetExpire(key, count*1000);
+			size_t newlen = RedisModule_ValueLength(key);
+			RedisModule_CloseKey(key);
+			RedisModule_ReplyWithLongLong(ctx, newlen);
+		return REDISMODULE_OK;
+}
+
+int TTL_DROP_Insert_RedisCommand(RedisModuleCtx *ctx, RedisModuleString **argv, int argc)
+{
+	if (argc != 3)
+				return RedisModule_WrongArity(ctx);
+			RedisModuleKey *key = RedisModule_OpenKey(ctx, argv[1],
+			REDISMODULE_READ | REDISMODULE_WRITE);
+			long long count;
+			    if ((RedisModule_StringToLongLong(argv[2],&count) != REDISMODULE_OK) ||
+			        (count < 0)) {
+			        return RedisModule_ReplyWithError(ctx,"ERR invalid count");
+			    }
+			pid_t pid;
+			int fd;
+			char tmp_buf[4096];
+
+			static char check_command[256], insert_command[256];
+			sprintf(check_command, "iptables -C INPUT -s %s -j DROP",
+					RedisModule_StringPtrLen(argv[1], NULL));
+			sprintf(insert_command, "iptables -I INPUT -s %s -j DROP",
+					RedisModule_StringPtrLen(argv[1], NULL));
+			printf("%s || %s\n", RedisModule_StringPtrLen(argv[0], NULL),
+					RedisModule_StringPtrLen(argv[1], NULL));
+			fd = execute_popen(&pid, check_command);
+			redis_waitpid(pid);
+			if (0 < read(fd, tmp_buf, sizeof(tmp_buf) - 1)) {
+				close(fd);
+				execute_popen(&pid, insert_command);
+				redis_waitpid(pid);
+			}
+			close(fd);
+			RedisModule_StringSet(key, argv[1]);
+			   RedisModule_SetExpire(key, count*1000);
+				size_t newlen = RedisModule_ValueLength(key);
+				RedisModule_CloseKey(key);
+				RedisModule_ReplyWithLongLong(ctx, newlen);
+			return REDISMODULE_OK;
+}
+
 /* This function must be present on each Redis module. It is used in order to
  * register the commands into the Redis server. */
 int RedisModule_OnLoad(RedisModuleCtx *ctx, RedisModuleString **argv, int argc) {
@@ -210,7 +287,12 @@ int RedisModule_OnLoad(RedisModuleCtx *ctx, RedisModuleString **argv, int argc)
 	if (RedisModule_CreateCommand(ctx, "accept.delete",
 			ACCEPT_Delete_RedisCommand, "write deny-oom", 1, 1, 1) == REDISMODULE_ERR)
 		return REDISMODULE_ERR;
-
+	if (RedisModule_CreateCommand(ctx, "ttl.accept.insert",
+			TTL_ACCEPT_Insert_RedisCommand, "write deny-oom", 1, 1, 1) == REDISMODULE_ERR)
+			return REDISMODULE_ERR;
+	if (RedisModule_CreateCommand(ctx, "ttl.drop.insert",
+			TTL_DROP_Insert_RedisCommand, "write deny-oom", 1, 1, 1) == REDISMODULE_ERR)
+			return REDISMODULE_ERR;
 
 	return REDISMODULE_OK;
 }

ttl_iptables.c

@@ -0,0 +1,111 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <ctype.h>
+#include <string.h>
+#include <unistd.h>
+#include <signal.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <hiredis.h>
+#include <syslog.h>
+#include <fcntl.h>
+#include <time.h>
+
+int redis_waitpid(pid_t pid) {
+	int rc, status;
+	do {
+		if (-1 == (rc = waitpid(pid, &status, WUNTRACED))) {
+			goto exit;
+		}
+	} while (!WIFEXITED(status) && !WIFSIGNALED(status));
+	exit:
+
+	return rc;
+}
+
+int execute_fork() {
+	fflush(stdout);
+	fflush(stderr);
+	return fork();
+}
+
+int execute_popen(pid_t *pid, const char *command) {
+	int fd[2];
+
+	if (-1 == pipe(fd))
+		return -1;
+
+	if (-1 == (*pid = execute_fork())) {
+		close(fd[0]);
+		close(fd[1]);
+		return -1;
+	}
+
+	if (0 != *pid) /* parent process */
+	{
+		close(fd[1]);
+		return fd[0];
+	}
+
+	close(fd[0]);
+	dup2(fd[1], STDOUT_FILENO);
+	dup2(fd[1], STDERR_FILENO);
+	close(fd[1]);
+	if (-1 == setpgid(0, 0)) {
+		exit(EXIT_SUCCESS);
+	}
+
+	execl("/bin/sh", "sh", "-c", command, NULL);
+	exit(EXIT_SUCCESS);
+}
+
+int main(int argc, char **argv) {
+	unsigned int j;
+	redisContext *c;
+	redisReply *reply;
+	const char *hostname = (argc > 1) ? argv[1] : "127.0.0.1";
+	int port = (argc > 2) ? atoi(argv[2]) : 6379;
+
+	int logfd;
+	if ((logfd = open("/var/log/ttl_iptables.log", O_RDWR | O_CREAT | O_APPEND,
+	S_IRUSR | S_IWUSR)) == -1) {
+		fprintf(stderr, "can not open file:logfile\n");
+	}
+
+	struct timeval timeout = { 1, 500000 }; // 1.5 seconds
+	c = redisConnectWithTimeout(hostname, port, timeout);
+	if (c == NULL || c->err) {
+		if (c) {
+			fprintf(stderr, "Redis connection error: %s\n", c->errstr);
+			redisFree(c);
+		} else {
+			fprintf(stderr, "Connection error: can't allocate redis context\n");
+		}
+		exit(1);
+	}
+	daemon(0, 0);
+	static char insert_command[256];
+	static char msg[1024];
+	pid_t pid;
+	int fd;
+
+    //reply = redisCommand(c,"psubscribe __key*__:*");
+	reply = redisCommand(c, "psubscribe __key*__:expired");
+	while (redisGetReply(c, (void *) &reply) == REDIS_OK) {
+		printf("%s\n", reply->element[3]->str);
+		sprintf(insert_command, "iptables -D INPUT -s %s -j DROP",
+				reply->element[3]->str);
+		time_t t = time(NULL);
+		struct tm *loc_time = localtime(&t);
+		sprintf(msg, "pid=%d %d:%d:%d iptables -D INPUT -s %s -j DROP\n",
+				getpid(), loc_time->tm_hour, loc_time->tm_min, loc_time->tm_sec,
+				reply->element[3]->str);
+		write(logfd, msg, strlen(msg));
+		fd = execute_popen(&pid, insert_command);
+		close(fd);
+		freeReplyObject(reply);
+	}
+	redisFree(c);
+	close(logfd);
+	return 0;
+}