/* 
Copyright (c) 2007 Carl Byington  510 Software Group, released under  
the GPL version 3 or any later version at your choice available at  
http://www.gnu.org/licenses/gpl3.0.txt  
*/  
class SYSLOGCONFIG;  
class CONTEXT; 
class CONFIG; 
// One entry of a context's ignore list (the element type of ippair_list).
// NOTE(review): the field meanings below are inferred from the names only;
// confirm them against the config parser before relying on them.
struct IPPAIR
{
    int first;  // presumably the lowest address of the range
    int last;   // presumably the highest address of the range
    int cidr;   // presumably the prefix length the range was written with
};
class PATTERN {  
const char * pattern; // owned by the string table 
regex_t re; 
int index; // zero based substring of the regex match that contains the ip address or hostname 
int amount; // count to add to the ip address leaky bucket 
const char * message; // for logging, owned by the string table 
~PATTERN(); 
PATTERN(TOKEN &tok, const char *pattern_, int index_, int amount_, const char *msg_); 
bool process(char *buf, CONTEXT &con, const char *file_name, int pattern_index); 
void dump(int level); 
// Ordering functor used as the comparator of ip_buckets.
// Both keys are reinterpreted as unsigned before comparing, so an int with
// the top bit set sorts after every non-negative int instead of before it.
struct ltint
{
    bool operator()(const int s1, const int s2) const
    {
        const unsigned lhs = static_cast<unsigned>(s1);
        const unsigned rhs = static_cast<unsigned>(s2);
        return lhs < rhs;
    }
};
// Per-address state stored as the mapped value of ip_buckets.
struct bucket
{
    int  count;  // current bucket level for this address
    bool latch;  // true iff count has ever exceeded the threshold
};
// Bucket state per address. ltint orders the int keys by their unsigned
// value, so addresses with the top bit set do not sort as negative numbers.
typedef map<int, bucket, ltint> ip_buckets;
// Violation recorder: one bucket per address plus a count of the contexts
// that use this recorder.
// NOTE(review): nothing in this declaration synchronises reference_count or
// violations; confirm that every caller holds a suitable lock.
class IPR
{
    int        reference_count;  // number of contexts using this recorder
    ip_buckets violations;       // bucket state keyed by address

public:
    IPR();

    // Adjust the use count by delta and return the updated count.
    int reference(int delta)
    {
        return reference_count += delta;
    }

    // Declared here, defined elsewhere.
    void add(int ip, int amount, CONTEXT &con, const char *file_name, int pattern_index, const char *message);
    void leak(int amount, CONTEXT &con);
    void free_all(CONTEXT &con);
    void update(int ip, bool added, const char *file_name, int pattern_index, const char *message);
    void changed(CONTEXT &con, int ip, bool added);

    // Look up / drop a recorder by name.
    // NOTE(review): if these are backed by a recorder_map, that map is keyed
    // by pointer value, so name must be the same pointer that was used when
    // the recorder was registered. Confirm at the call sites.
    static IPR *find(const char *name);
    static void release(const char *name);
};
// Pointer aliases for the configuration objects.
typedef SYSLOGCONFIG * SYSLOGCONFIGP;
typedef PATTERN      * PATTERNP;
typedef CONTEXT      * CONTEXTP;

// Recorders by name. The key is a bare const char *, so the map's default
// comparison orders and matches keys by pointer value, not string contents.
// NOTE(review): this is only correct if every name used as a key is the one
// canonical pointer for that string (presumably what register_string()
// returns); confirm that no caller passes an un-registered copy.
typedef map<const char *, IPR*> recorder_map;

// Containers of raw pointers / values; the member comments in CONTEXT and
// SYSLOGCONFIG say which object owns the elements.
typedef list<CONTEXTP>      context_list;
typedef list<SYSLOGCONFIGP> syslogconfig_list;
typedef list<IPPAIR>        ippair_list;
typedef list<PATTERNP>      pattern_list;
// Size in bytes of SYSLOGCONFIG::buf, the fixed buffer each syslog file reads into.
// NOTE(review): the handling of log lines longer than this is in
// SYSLOGCONFIG::read(), which is not shown here. Confirm that reads are
// bounded by buflen and that an over-long line cannot be split so that its
// tail is matched as if it were a fresh line.
const int buflen = 1024; 
class SYSLOGCONFIG {  
TOKEN * tokp; 
const char * file_name; // name of the syslog file 
pattern_list patterns; // owns the patterns 
int fd; 
struct stat openfdstat; 
int len; // bytes in the buffer 
char buf[buflen]; 
83 SYSLOGCONFIG(TOKEN &tok, const char *file_name_); 
84 ~SYSLOGCONFIG(); 
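// True when no syslog file descriptor is open.
// The comparison is against -1, the value open(2) returns on failure. The
// previous test against 1 matched the descriptor number of standard output,
// so a failed open was reported as success and later reads would use an
// invalid descriptor.
// NOTE(review): assumes fd is set to -1 while the file is closed; confirm in
// the constructor, open() and close().
bool failed() { return (fd == -1); };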
86 void open(bool msg); 
87 bool read(CONTEXT &con); 
88 void close(); 
89 void add_pattern(PATTERNP pat); 
90 void process(CONTEXT &con); 
91 void dump(int level); 
// One named context from the configuration: a threshold, an ignore list, the
// add/remove commands, a violation recorder and the syslog files it watches.
class CONTEXT
{
public:
    const char *      name;            // name of this context
    int               threshold;
    ippair_list       ignore;          // owns all the ippairs
    // NOTE(review): both command strings are stored exactly as supplied. If
    // they are later expanded with an address and handed to a shell, confirm
    // that only a numerically formatted address is ever substituted and that
    // the configuration file is writable by the administrator only.
    const char *      add_command;     // owned by the string table
    const char *      remove_command;  // owned by the string table
    IPR *             recorder;        // used to record violations
    syslogconfig_list syslogconfigs;   // owns all the syslogconfigs

    CONTEXT(const char *nam);
    ~CONTEXT();

    // Setters store the pointer as given; no copy of the string is made.
    void set_add(const char *add)
    {
        add_command = add;
    }
    void set_remove(const char *remove)
    {
        remove_command = remove;
    }

    void set_threshold(int threshold_)
    {
        threshold = threshold_;
    }
    int get_threshold()
    {
        return threshold;
    }

    // Declared here, defined elsewhere.
    void add_syslogconfig(SYSLOGCONFIGP con);
    void add_pair(IPPAIR pair);
    void dump();
    void read(CONFIG &con);
    void free_all();
    void leak(int delta);
    bool looking(int ip);
};
123 // the only mutable stuff once it has been loaded from the config file 
124 int reference_count; // protected by the global config_mutex 
125 // all the rest is constant after loading from the config file 
126 int generation; 
127 time_t load_time; 
128 string_set config_files; 
129 context_list contexts; 
131 CONFIG(); 
132 ~CONFIG(); 
// Append con to this configuration's context list. Only the pointer is
// stored. NOTE(review): which object deletes con is not visible here.
void add_context(CONTEXTP con)
{
    contexts.push_back(con);
}
134 void dump(); 
135 void read(); 
136 void sleep(int duration, time_t &previous); 
36  137 void free_all(); 
// String handling; presumably the "string table" that the member comments in
// this header refer to. Confirm in the implementation file.
void        discard(string_set &s);
const char *register_string(string_set &s, const char *name);
const char *register_string(const char *name);
void        clear_strings();

// NOTE(review): the PATTERN comment says the matched substring may be an ip
// address or a hostname. If this function resolves hostnames, the address it
// returns depends on DNS data for a name taken from log text. Confirm that
// the ignore list is applied to the resolved address and that a failed
// lookup cannot be mistaken for a valid address in the int return value.
int         ip_address(const char *have);

bool        load_conf(CONFIG &dc, const char *fn);
void        token_init();
// Token strings for the configuration grammar; defined in another file.
// NOTE(review): presumably assigned by token_init(), so they may be unset
// before it runs. Confirm the call order.
extern const char *token_add;
extern const char *token_bucket;
extern const char *token_context;
extern const char *token_file;
extern const char *token_ignore;
extern const char *token_include;
extern const char *token_index;
extern const char *token_lbrace;
extern const char *token_pattern;
extern const char *token_rbrace;
extern const char *token_remove;
extern const char *token_semi;
extern const char *token_slash;
extern const char *token_threshold;
