Merge pull request #4 from limithit/limithit-for-BSD

Added pfctl firewall
limithit · Apr 9, 2019 · f20fbad · f20fbad
2 parents 08c55e7 + 61cc30e
commit f20fbad
Show file tree

Hide file tree

Showing 3 changed files with 89 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -128,6 +128,7 @@ DROP       all  --  192.168.188.8        0.0.0.0/0
 ACCEPT       all  --  192.168.188.8        0.0.0.0/0 
 ```
 ## Installation
+#### Installing Packages on Linux
 
 ```
   #1: Compile hiredis
@@ -151,6 +152,36 @@ If you need to enable ipset, you must configure the following settings
 ```
 The `timeout` parameter and  `ttl.drop.insert` parameter has the same effect. If the `timeout` parameter is configured, ipset is used to implement periodic deletion. If the `timeout` parameter is not configured, it is periodic deletion used `ttl.drop.insert`.
 
+#### Installing Packages on BSD and MacOS
+```
+  #1: Compile hiredis
+    cd redis-4.0**version**/deps/hiredis
+    make 
+    make install 
+    
+  #2: git clone  https://github.com/limithit/RedisPushIptables.git
+    cd RedisPushIptables
+    make CFLAGS=-DBSD        
+    make install
+ ```
+
+First edit the /etc/pf.conf file and add the code as follows:
+```
+table <block_ip> persist file "/etc/pf.block_ip.conf"
+table <allow_ip> persist file "/etc/pf.allow_ip.conf"
+block in log proto tcp from <block_ip> to any
+block in log proto udp from <block_ip> to any
+pass in proto tcp from <allow_ip> to any
+pass in proto udp from <allow_ip> to any
+```
+```
+touch /etc/pf.block_ip.conf
+touch /etc/pf.allow_ip.conf
+pfctl -F all -f /etc/pf.conf 
+pfctl -e
+```
+BSD system does not provide a startup script
+
 ## HOWTOs
 In theory, except for the C language native support API call, the corresponding library before the other language API calls must be re-encapsulated because the third-party modules are not supported by other languages. Only C, Python, Bash, Lua are shown here, and the principles of other languages are the same.
 

diff --git a/iptablespush.c b/iptablespush.c
@@ -73,6 +73,10 @@ int DROP_Insert_RedisCommand(RedisModuleCtx *ctx, RedisModuleString **argv, int
 	static char insert_command[256];
 	sprintf(insert_command, "ipset add block_ip %s",
 			RedisModule_StringPtrLen(argv[1], NULL));
+#elif BSD
+	static char insert_command[256];
+	sprintf(insert_command, " pfctl -t block_ip -T add %s",
+			RedisModule_StringPtrLen(argv[1], NULL));
 #else
 	static char check_command[256], insert_command[256];
 	char tmp_buf[4096];
@@ -87,6 +91,10 @@ int DROP_Insert_RedisCommand(RedisModuleCtx *ctx, RedisModuleString **argv, int
 	fd = execute_popen(&pid, insert_command);
 	redis_waitpid(pid);
 	close(fd);
+#elif BSD
+	fd = execute_popen(&pid, insert_command);
+	redis_waitpid(pid);
+	close(fd);
 #else
 	fd = execute_popen(&pid, check_command);
 	redis_waitpid(pid);
@@ -116,6 +124,9 @@ int DROP_Delete_RedisCommand(RedisModuleCtx *ctx, RedisModuleString **argv, int
 #ifdef WITH_IPSET
 	sprintf(insert_command, "ipset del block_ip %s",
 			RedisModule_StringPtrLen(argv[1], NULL));
+#elif BSD
+	sprintf(insert_command, " pfctl -t block_ip -T del %s",
+			RedisModule_StringPtrLen(argv[1], NULL));
 #else
 	sprintf(insert_command, "iptables -D INPUT -s %s -j DROP",
 			RedisModule_StringPtrLen(argv[1], NULL));
@@ -146,6 +157,10 @@ int ACCEPT_Insert_RedisCommand(RedisModuleCtx *ctx, RedisModuleString **argv, in
 	static char insert_command[256];
 	sprintf(insert_command, "ipset add allow_ip %s",
 			RedisModule_StringPtrLen(argv[1], NULL));
+#elif BSD
+	static char insert_command[256];
+	sprintf(insert_command, " pfctl -t allow_ip -T add %s",
+			RedisModule_StringPtrLen(argv[1], NULL));
 #else
 	char tmp_buf[4096];
 	static char check_command[256], insert_command[256];
@@ -160,6 +175,10 @@ int ACCEPT_Insert_RedisCommand(RedisModuleCtx *ctx, RedisModuleString **argv, in
 	fd = execute_popen(&pid, insert_command);
 	redis_waitpid(pid);
 	close(fd);
+#elif BSD
+	fd = execute_popen(&pid, insert_command);
+	redis_waitpid(pid);
+	close(fd);
 #else
 	fd = execute_popen(&pid, check_command);
 	redis_waitpid(pid);
@@ -189,6 +208,9 @@ int ACCEPT_Delete_RedisCommand(RedisModuleCtx *ctx, RedisModuleString **argv, in
 #ifdef WITH_IPSET
 	sprintf(insert_command, "ipset del allow_ip %s",
 			RedisModule_StringPtrLen(argv[1], NULL));
+#elif BSD
+	sprintf(insert_command, " pfctl -t allow_ip -T del %s",
+			RedisModule_StringPtrLen(argv[1], NULL));
 #else
 	sprintf(insert_command, "iptables -D INPUT -s %s -j ACCEPT",
 			RedisModule_StringPtrLen(argv[1], NULL));
@@ -223,6 +245,10 @@ int TTL_DROP_Insert_RedisCommand(RedisModuleCtx *ctx, RedisModuleString **argv,
 	static char insert_command[256];
 	sprintf(insert_command, "ipset add block_ip %s",
 			RedisModule_StringPtrLen(argv[1], NULL));
+#elif BSD
+	static char insert_command[256];
+	sprintf(insert_command, " pfctl -t block_ip -T add %s",
+			RedisModule_StringPtrLen(argv[1], NULL));
 #else
 	static char check_command[256], insert_command[256];
 	char tmp_buf[4096];
@@ -237,6 +263,10 @@ int TTL_DROP_Insert_RedisCommand(RedisModuleCtx *ctx, RedisModuleString **argv,
 	fd = execute_popen(&pid, insert_command);
 	redis_waitpid(pid);
 	close(fd);
+#elif BSD
+	fd = execute_popen(&pid, insert_command);
+	redis_waitpid(pid);
+	close(fd);
 #else
 	fd = execute_popen(&pid, check_command);
 	redis_waitpid(pid);

diff --git a/ttl_iptables.c b/ttl_iptables.c
@@ -197,7 +197,11 @@ int main(int argc, char **argv) {
 	redisReply *reply;
 	const char *hostname = (argc > 1) ? argv[1] : "127.0.0.1";
 	int port = (argc > 2) ? atoi(argv[2]) : 6379;
+#ifdef BSD
+	__progname = argv[0];
+#else
 	__progname = get_progname(argv[0]);
+#endif
 	int logfd;
 	if ((logfd = open("/var/log/ttl_iptables.log", O_RDWR | O_CREAT | O_APPEND,
 	S_IRUSR | S_IWUSR)) == -1) {
@@ -215,7 +219,21 @@ int main(int argc, char **argv) {
 		}
 		exit(1);
 	}
-	daemon(0, 0);
+#ifdef BSD
+        pid_t pidt = fork();
+
+        if (pidt != 0) {
+                exit(0);
+        }
+
+        setsid();
+        chdir("/");
+     close(0); /* close stdin */
+     close(1); /* close stdout */
+     close(2); /* close stderr */
+#else
+        daemon(0, 0);
+#endif
 	acquire_daemonlock(0);
 	static char insert_command[256];
 	static char msg[1024];
@@ -229,6 +247,9 @@ int main(int argc, char **argv) {
 #ifdef WITH_IPSET
 			sprintf(insert_command, "ipset del block_ip %s",
 					reply->element[3]->str);
+#elif BSD
+			sprintf(insert_command, "pfctl -t block_ip -T del %s",
+					reply->element[3]->str);
 #else
 			sprintf(insert_command, "iptables -D INPUT -s %s -j DROP",
 					reply->element[3]->str);
@@ -241,6 +262,12 @@ int main(int argc, char **argv) {
 					loc_time->tm_year + 1900, loc_time->tm_mon + 1, loc_time->tm_mday, loc_time->tm_hour,
 					loc_time->tm_min, loc_time->tm_sec, __progname, getpid(),
 					reply->element[3]->str);
+#elif BSD
+			sprintf(msg,
+					"%04d/%02d/%02d %02d:%02d:%02d %s pid=%d pfctl -t block_ip -T del %s\n",
+					loc_time->tm_year + 1900, loc_time->tm_mon + 1, loc_time->tm_mday, loc_time->tm_hour,
+					loc_time->tm_min, loc_time->tm_sec, __progname, getpid(),
+					reply->element[3]->str);
 #else
 			sprintf(msg,
 					"%04d/%02d/%02d %02d:%02d:%02d %s pid=%d iptables -D INPUT -s %s -j DROP\n",