base repository: limithit/RedisPushIptables
base: 6.0
head repository: limithit/RedisPushIptables
compare: master

Commits on Apr 9, 2019

  1. Update README.md

    limithit authored Apr 9, 2019
    837c215 View commit details
  2. Update README.md

    limithit authored Apr 9, 2019
    8587d4f View commit details
  3. Update README.md

    limithit authored Apr 9, 2019
    48afdf2 View commit details

Commits on Apr 10, 2019

  1. Update iptablespush.c

    limithit authored Apr 10, 2019
    ca28872 View commit details
  2. Update Makefile

    limithit authored Apr 10, 2019
    2602bf7 View commit details
  3. Update Makefile

    limithit authored Apr 10, 2019
    728e521 View commit details
  4. Merge pull request #6 from limithit/limithit-patch-1

    Limithit patch 1
    limithit authored Apr 10, 2019
    5bb362b View commit details
  5. Update ttl_iptables.c

    limithit authored Apr 10, 2019
    da58e80 View commit details

Commits on Apr 11, 2019

  1. Update iptablespush.c

    Some languages do not support the '.' character, so switch to the '_' character
    limithit authored Apr 11, 2019
    550eaf0 View commit details
  2. Update README.md

    Some languages do not support the '.' character, so switch to the '_' character
    limithit authored Apr 11, 2019
    b82c193 View commit details
  3. Update README.md

    limithit authored Apr 11, 2019
    b13a7dc View commit details
  4. Update README.md

    limithit authored Apr 11, 2019
    6ab9e76 View commit details
  5. Update README.md

    limithit authored Apr 11, 2019
    44ff933 View commit details
  6. Update iptablespush.c

    limithit authored Apr 11, 2019
    7fb318f View commit details
  7. Added nftables support

    limithit authored Apr 11, 2019
    0ac86a5 View commit details
  8. Update README.md

    limithit authored Apr 11, 2019
    3b43195 View commit details
  9. Merge pull request #7 from limithit/limithit-patch-nftables

    Limithit patch nftables
    limithit authored Apr 11, 2019
    addc719 View commit details

Commits on Apr 12, 2019

  1. Update README.md

    limithit authored Apr 12, 2019
    c70bbed View commit details
  2. Update README.md

    limithit authored Apr 12, 2019
    1fc6eea View commit details
  3. Update README.md

    limithit authored Apr 12, 2019
    7808aba View commit details
  4. Update README.md

    limithit authored Apr 12, 2019
    55b3aed View commit details
  5. Update README.md

    limithit authored Apr 12, 2019
    999cc95 View commit details

Commits on Apr 13, 2019

  1. Update Makefile

    limithit authored Apr 13, 2019
    4beccef View commit details
  2. Update README.md

    limithit authored Apr 13, 2019
    affd7fc View commit details

Commits on Apr 14, 2019

  1. Update Makefile

    limithit authored Apr 14, 2019
    7abbbbc View commit details

Commits on Apr 26, 2019

  1. Update README.md

    limithit authored Apr 26, 2019
    2252be2 View commit details
Showing with 104 additions and 67 deletions.
  1. +8 −2 Makefile
  2. +48 −41 README.md
  3. +30 −24 iptablespush.c
  4. +18 −0 ttl_iptables.c
10 changes: 8 additions & 2 deletions Makefile
@@ -4,7 +4,13 @@ uname_S := $(shell sh -c 'uname -s 2>/dev/null || echo not')
ifeq ($(uname_S),Linux)
SHOBJ_CFLAGS ?= -W -Wall -fno-common -g -ggdb -std=c99 -O2
SHOBJ_LDFLAGS ?= -shared
else ifeq ($(uname_S),Darwin)
CFLAGS+=-DBSD
mac_S := $(shell sh -c 'sw_vers|grep ProductVersion|cut -f 2')
SHOBJ_CFLAGS ?= -W -Wall -fno-common -g -ggdb -std=c99 -O2
SHOBJ_LDFLAGS ?= -bundle -undefined dynamic_lookup -macosx_version_min $(mac_S)
else
CFLAGS+=-DBSD
SHOBJ_CFLAGS ?= -W -Wall -dynamic -fno-common -g -ggdb -std=c99 -O2
SHOBJ_LDFLAGS ?= -bundle -undefined dynamic_lookup
endif
@@ -14,7 +20,7 @@ endif
all: iptablespush.so ttl_iptables

ttl_iptables: ttl_iptables.c
$(CC) ttl_iptables.c -o $@ -I/usr/local/include/hiredis -lhiredis $(CFLAGS)
$(CC) ttl_iptables.c -o $@ -I/usr/local/include/hiredis -L/usr/local/lib -lhiredis $(CFLAGS)

.c.xo:
$(CC) -I. $(CFLAGS) $(SHOBJ_CFLAGS) -fPIC -c $< -o $@
@@ -29,6 +35,6 @@ clean:

install:
cp ttl_iptables /usr/sbin/
cp init.d/ttl_iptables /etc/init.d
test ! -d '/etc/init.d/' || cp init.d/ttl_iptables /etc/init.d/
test -d '/etc/redis/modules' || mkdir -p '/etc/redis/modules'
cp iptablespush.so /etc/redis/modules
89 changes: 48 additions & 41 deletions README.md
@@ -11,11 +11,11 @@ content
* [Command](#Command)
* [HOWTOs](#HOWTOs)
* [Installation](#Installation)

* [Point](#Point)
## Requirements

1. Redis4.0+
2. iptables
2. iptables `or pf or nftables`
3. gcc
4. make

@@ -87,7 +87,7 @@ root@debian:~/RedisPushIptables# /etc/init.d/ttl_iptables start

Logs are viewed in /var/log/ttl_iptables.log
```
root@debian:~# redis-cli TTL.DROP.INSERT 192.168.18.5 60
root@debian:~# redis-cli TTL_DROP_INSERT 192.168.18.5 60
(integer) 12
root@debian:~# date
Fri Mar 15 09:38:49 CST 2019
@@ -103,21 +103,21 @@ target prot opt source destination
```

## Command
* [accept.insert](#Core) - Filter table INPUT ADD ACCEPT
* [accept.delete](#Core) - Filter table INPUT DEL ACCEPT
* [drop.insert](#Core) - Filter table INPUT ADD DROP
* [drop.delete](#Core) - Filter table INPUT DEL DROP
* [ttl.drop.insert](#Core) - Dynamic delete filter table INPUT ADD DROP
* [accept_insert](#Core) - Filter table INPUT ADD ACCEPT
* [accept_delete](#Core) - Filter table INPUT DEL ACCEPT
* [drop_insert](#Core) - Filter table INPUT ADD DROP
* [drop_delete](#Core) - Filter table INPUT DEL DROP
* [ttl_drop_insert](#Core) - Dynamic delete filter table INPUT ADD DROP
```
127.0.0.1:6379>accept.insert 192.168.188.8
127.0.0.1:6379>accept_insert 192.168.188.8
(integer) 13
127.0.0.1:6379>accept.delete 192.168.188.8
127.0.0.1:6379>accept_delete 192.168.188.8
(integer) 13
127.0.0.1:6379>drop.delete 192.168.188.8
127.0.0.1:6379>drop_delete 192.168.188.8
(integer) 13
127.0.0.1:6379>drop.insert 192.168.188.8
127.0.0.1:6379>drop_insert 192.168.188.8
(integer) 13
127.0.0.1:6379> TTL.DROP.INSERT 192.168.1.6 600 #600 seconds
127.0.0.1:6379>ttl_drop_insert 192.168.1.6 600 #600 seconds
(integer) 11
```
```
@@ -140,18 +140,23 @@ ACCEPT all -- 192.168.188.8 0.0.0.0/0
#2: git clone https://github.com/limithit/RedisPushIptables.git
cd RedisPushIptables
make #OR make CFLAGS=-DWITH_IPSET
make #OR make CFLAGS=-DWITH_IPSET #OR make CFLAGS=-DWITH_NFTABLES
make install
```
If you need to enable ipset, you must configure the following settings
* If you need to enable ipset, you must configure the following settings
```
#ipset create block_ip hash:ip timeout 60 hashsize 4096 maxelem 10000000
#iptables -I INPUT -m set --match-set block_ip src -j DROP
#ipset create allow_ip hash:ip hashsize 4096 maxelem 10000000
#iptables -I INPUT -m set --match-set allow_ip src -j ACCEPT
```
The `timeout` parameter and `ttl.drop.insert` parameter has the same effect. If the `timeout` parameter is configured, ipset is used to implement periodic deletion. If the `timeout` parameter is not configured, it is periodic deletion used `ttl.drop.insert`.
The `timeout` parameter and `ttl_drop_insert` parameter has the same effect. If the `timeout` parameter is configured, ipset is used to implement periodic deletion. If the `timeout` parameter is not configured, it is periodic deletion used `ttl_drop_insert`.

* If you need to enable nftables, you must configure the following settings
```
#nft add table redis
#nft add chain redis INPUT \{ type filter hook input priority 0\; policy accept\; \}
```
#### Installing Packages on BSD and MacOS
```
#1: Compile hiredis
@@ -161,19 +166,18 @@ The `timeout` parameter and `ttl.drop.insert` parameter has the same effect. If
#2: git clone https://github.com/limithit/RedisPushIptables.git
cd RedisPushIptables
make CFLAGS=-DBSD
make
make install
```

First edit the /etc/pf.conf file and add the code as follows:
```
table <block_ip> persist file "/etc/pf.block_ip.conf"
table <allow_ip> persist file "/etc/pf.allow_ip.conf"
block in log proto tcp from <block_ip> to any
block in log proto udp from <block_ip> to any
pass in proto tcp from <allow_ip> to any
pass in proto udp from <allow_ip> to any
block in log proto {tcp,udp,sctp,icmp} from <block_ip> to any
pass in proto {tcp,udp,sctp,icmp} from <allow_ip> to any
```
then
```
touch /etc/pf.block_ip.conf
touch /etc/pf.allow_ip.conf
@@ -216,22 +220,22 @@ int main(int argc, char **argv) {
exit(1);
}

reply = redisCommand(c,"drop.insert 192.168.18.3");
reply = redisCommand(c,"drop_insert 192.168.18.3");
printf("%d\n", reply->integer);
freeReplyObject(reply);
reply = redisCommand(c,"accept.insert 192.168.18.4");
reply = redisCommand(c,"accept_insert 192.168.18.4");
printf("%d\n", reply->integer);
freeReplyObject(reply);

reply = redisCommand(c,"drop.delete 192.168.18.3");
reply = redisCommand(c,"drop_delete 192.168.18.3");
printf("%d\n", reply->integer);
freeReplyObject(reply);

reply = redisCommand(c,"accept.delete 192.168.18.5");
reply = redisCommand(c,"accept_delete 192.168.18.5");
printf("%d\n", reply->integer);
freeReplyObject(reply);

reply = redisCommand(c,"ttl.drop.insert 192.168.18.5 600");
reply = redisCommand(c,"ttl_drop_insert 192.168.18.5 600");
printf("%d\n", reply->integer);
freeReplyObject(reply);
redisFree(c);
@@ -259,31 +263,31 @@ After downloading, don't rush to compile and install. First edit the redis-py/re
"""
Return the value at key ``name``, or None if the key doesn't exist
"""
return self.execute_command('drop.insert', name)
return self.execute_command('drop_insert', name)
def accept_insert(self, name):
"""
Return the value at key ``name``, or None if the key doesn't exist
"""
return self.execute_command('accept.insert', name)
return self.execute_command('accept_insert', name)
def drop_delete(self, name):
"""
Return the value at key ``name``, or None if the key doesn't exist
"""
return self.execute_command('drop.delete', name)
return self.execute_command('drop_delete', name)
def accept_delete(self, name):
"""
Return the value at key ``name``, or None if the key doesn't exist
"""
return self.execute_command('accept.delete', name)
return self.execute_command('accept_delete', name)
def ttl_drop_insert(self, name, blocktime):
"""
Return the value at key ``name``, or None if the key doesn't exist
"""
return self.execute_command('ttl.drop.insert', name, blocktime)
return self.execute_command('ttl_drop_insert', name, blocktime)
```
```
root@debian:~/bookscode/redis-py# python setup.py build
@@ -312,12 +316,12 @@ Type "help", "copyright", "credits" or "license" for more information.
set -x
for ((i=1; i<=254; i++))
do
redis-cli TTL.DROP.INSERT 192.168.17.$i 60
redis-cli TTL_DROP_INSERT 192.168.17.$i 60
done
redis-cli DROP.INSERT 192.168.18.5
redis-cli DROP.DELETE 192.168.18.5
redis-cli ACCEPT.DELETE 192.168.18.5
redis-cli ACCEPT.INSERT 192.168.18.5
redis-cli DROP_INSERT 192.168.18.5
redis-cli DROP_DELETE 192.168.18.5
redis-cli ACCEPT_INSERT 192.168.18.5
redis-cli ACCEPT_DELETE 192.168.18.5
```
### Lua
```
@@ -328,11 +332,11 @@ First edit the redis-lua/src/redis.lua file and add the code as follows:
redis.commands = {
.....
ttl = command('TTL'),
drop_insert = command('drop.insert'),
drop_delete = command('drop.delete'),
accept_insert = command('accept.insert'),
accept_delete = command('accept.delete'),
ttl_drop_insert = command('ttl.drop.insert'),
drop_insert = command('drop_insert'),
drop_delete = command('drop_delete'),
accept_insert = command('accept_insert'),
accept_delete = command('accept_delete'),
ttl_drop_insert = command('ttl_drop_insert'),
pttl = command('PTTL'), -- >= 2.6
.....
```
@@ -360,6 +364,9 @@ local value = client:get('192.168.1.2')

print(value)
```
## Point

The master repository does not provide nftables repeat rule detection, but provides duplicate rule detection in the branch limithit-patch-1. Because this affects the execution speed of nftables, you need to make your own choices.

Lauchpad Pump Demo
=========================
54 changes: 30 additions & 24 deletions iptablespush.c
@@ -77,6 +77,10 @@ int DROP_Insert_RedisCommand(RedisModuleCtx *ctx, RedisModuleString **argv, int
static char insert_command[256];
sprintf(insert_command, " pfctl -t block_ip -T add %s",
RedisModule_StringPtrLen(argv[1], NULL));
#elif WITH_NFTABLES
static char insert_command[256];
sprintf(insert_command, "nft insert rule ip redis INPUT ip saddr %s drop",
RedisModule_StringPtrLen(argv[1], NULL));
#else
static char check_command[256], insert_command[256];
char tmp_buf[4096];
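Review bot: The new `#elif WITH_NFTABLES` branch writes `argv[1]`, which comes straight from the Redis client, into the 256-byte `insert_command` with an unbounded `sprintf` and then hands the string to `execute_popen`, so an argument that is not a plain address can overflow the buffer or change the command that is run with the Redis process's privileges (the backtick-and-pipe form of the nftables delete commands in the later hunks implies the string is executed by a shell); the same shape appears in the hunks for DROP_Delete, ACCEPT_Insert, ACCEPT_Delete and TTL_DROP_Insert. Unless the part of DROP_Insert_RedisCommand outside this hunk already validates the argument, the branch should accept only a value that `inet_pton` parses and format with `snprintf` plus a length check, replying with an error otherwise (this needs `<arpa/inet.h>` in the include block). The delete variants would additionally benefit from refusing to run when the `grep` subshell yields no handle, because `nft delete rule redis INPUT ` is otherwise executed with an empty handle. The function's body begins before this hunk and continues after it.
```c
#elif WITH_NFTABLES
    static char insert_command[256];
    struct in_addr probe;
    const char *ip = RedisModule_StringPtrLen(argv[1], NULL);
    /* argv[1] reaches a shell via execute_popen: accept only a dotted-quad that inet_pton parses */
    if (inet_pton(AF_INET, ip, &probe) != 1)
        return RedisModule_ReplyWithError(ctx, "ERR invalid IPv4 address");
    if (snprintf(insert_command, sizeof insert_command,
                 "nft insert rule ip redis INPUT ip saddr %s drop", ip) >= (int)sizeof insert_command)
        return RedisModule_ReplyWithError(ctx, "ERR command too long");
    /* … unchanged: #else iptables branch, printf, execute_popen … */
```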
@@ -87,11 +91,7 @@ int DROP_Insert_RedisCommand(RedisModuleCtx *ctx, RedisModuleString **argv, int
#endif
printf("%s || %s\n", RedisModule_StringPtrLen(argv[0], NULL),
RedisModule_StringPtrLen(argv[1], NULL));
#ifdef WITH_IPSET
fd = execute_popen(&pid, insert_command);
redis_waitpid(pid);
close(fd);
#elif BSD
#if defined (WITH_IPSET) || defined (BSD) || defined (WITH_NFTABLES)
fd = execute_popen(&pid, insert_command);
redis_waitpid(pid);
close(fd);
@@ -125,7 +125,10 @@ int DROP_Delete_RedisCommand(RedisModuleCtx *ctx, RedisModuleString **argv, int
sprintf(insert_command, "ipset del block_ip %s",
RedisModule_StringPtrLen(argv[1], NULL));
#elif BSD
sprintf(insert_command, " pfctl -t block_ip -T del %s",
sprintf(insert_command, "pfctl -t block_ip -T delete %s",
RedisModule_StringPtrLen(argv[1], NULL));
#elif WITH_NFTABLES
sprintf(insert_command, "nft delete rule redis INPUT `nft list table ip redis --handle --numeric |grep -m1 \"ip saddr %s drop\"|grep -oe \"handle [0-9]*\"`",
RedisModule_StringPtrLen(argv[1], NULL));
#else
sprintf(insert_command, "iptables -D INPUT -s %s -j DROP",
@@ -159,7 +162,11 @@ int ACCEPT_Insert_RedisCommand(RedisModuleCtx *ctx, RedisModuleString **argv, in
RedisModule_StringPtrLen(argv[1], NULL));
#elif BSD
static char insert_command[256];
sprintf(insert_command, " pfctl -t allow_ip -T add %s",
sprintf(insert_command, "pfctl -t allow_ip -T add %s",
RedisModule_StringPtrLen(argv[1], NULL));
#elif WITH_NFTABLES
static char insert_command[256];
sprintf(insert_command, "nft insert rule ip redis INPUT ip saddr %s accept",
RedisModule_StringPtrLen(argv[1], NULL));
#else
char tmp_buf[4096];
@@ -171,11 +178,7 @@ int ACCEPT_Insert_RedisCommand(RedisModuleCtx *ctx, RedisModuleString **argv, in
#endif
printf("%s || %s\n", RedisModule_StringPtrLen(argv[0], NULL),
RedisModule_StringPtrLen(argv[1], NULL));
#ifdef WITH_IPSET
fd = execute_popen(&pid, insert_command);
redis_waitpid(pid);
close(fd);
#elif BSD
#if defined (WITH_IPSET) || defined (BSD) || defined (WITH_NFTABLES)
fd = execute_popen(&pid, insert_command);
redis_waitpid(pid);
close(fd);
@@ -209,7 +212,10 @@ int ACCEPT_Delete_RedisCommand(RedisModuleCtx *ctx, RedisModuleString **argv, in
sprintf(insert_command, "ipset del allow_ip %s",
RedisModule_StringPtrLen(argv[1], NULL));
#elif BSD
sprintf(insert_command, " pfctl -t allow_ip -T del %s",
sprintf(insert_command, "pfctl -t allow_ip -T delete %s",
RedisModule_StringPtrLen(argv[1], NULL));
#elif WITH_NFTABLES
sprintf(insert_command, "nft delete rule redis INPUT `nft list table ip redis --handle --numeric |grep -m1 \"ip saddr %s accept\"|grep -oe \"handle [0-9]*\"`",
RedisModule_StringPtrLen(argv[1], NULL));
#else
sprintf(insert_command, "iptables -D INPUT -s %s -j ACCEPT",
@@ -247,7 +253,11 @@ int TTL_DROP_Insert_RedisCommand(RedisModuleCtx *ctx, RedisModuleString **argv,
RedisModule_StringPtrLen(argv[1], NULL));
#elif BSD
static char insert_command[256];
sprintf(insert_command, " pfctl -t block_ip -T add %s",
sprintf(insert_command, "pfctl -t block_ip -T add %s",
RedisModule_StringPtrLen(argv[1], NULL));
#elif WITH_NFTABLES
static char insert_command[256];
sprintf(insert_command, "nft insert rule ip redis INPUT ip saddr %s drop",
RedisModule_StringPtrLen(argv[1], NULL));
#else
static char check_command[256], insert_command[256];
@@ -259,11 +269,7 @@ int TTL_DROP_Insert_RedisCommand(RedisModuleCtx *ctx, RedisModuleString **argv,
#endif
printf("%s || %s\n", RedisModule_StringPtrLen(argv[0], NULL),
RedisModule_StringPtrLen(argv[1], NULL));
#ifdef WITH_IPSET
fd = execute_popen(&pid, insert_command);
redis_waitpid(pid);
close(fd);
#elif BSD
#if defined (WITH_IPSET) || defined (BSD) || defined (WITH_NFTABLES)
fd = execute_popen(&pid, insert_command);
redis_waitpid(pid);
close(fd);
@@ -298,19 +304,19 @@ int RedisModule_OnLoad(RedisModuleCtx *ctx, RedisModuleString **argv, int argc)
printf("Module loaded with ARGV[%d] = %s\n", j, s);
}

if (RedisModule_CreateCommand(ctx, "drop.insert", DROP_Insert_RedisCommand,
if (RedisModule_CreateCommand(ctx, "drop_insert", DROP_Insert_RedisCommand,
"write deny-oom", 1, 1, 1) == REDISMODULE_ERR)
return REDISMODULE_ERR;
if (RedisModule_CreateCommand(ctx, "drop.delete", DROP_Delete_RedisCommand,
if (RedisModule_CreateCommand(ctx, "drop_delete", DROP_Delete_RedisCommand,
"write deny-oom", 1, 1, 1) == REDISMODULE_ERR)
return REDISMODULE_ERR;
if (RedisModule_CreateCommand(ctx, "accept.insert", ACCEPT_Insert_RedisCommand,
if (RedisModule_CreateCommand(ctx, "accept_insert", ACCEPT_Insert_RedisCommand,
"write deny-oom", 1, 1, 1) == REDISMODULE_ERR)
return REDISMODULE_ERR;
if (RedisModule_CreateCommand(ctx, "accept.delete", ACCEPT_Delete_RedisCommand,
if (RedisModule_CreateCommand(ctx, "accept_delete", ACCEPT_Delete_RedisCommand,
"write deny-oom", 1, 1, 1) == REDISMODULE_ERR)
return REDISMODULE_ERR;
if (RedisModule_CreateCommand(ctx, "ttl.drop.insert", TTL_DROP_Insert_RedisCommand,
if (RedisModule_CreateCommand(ctx, "ttl_drop_insert", TTL_DROP_Insert_RedisCommand,
"write deny-oom", 1, 1, 1) == REDISMODULE_ERR)
return REDISMODULE_ERR;
