syslog2iptables: src/syslog2iptables.cpp comparison

comparison src/syslog2iptables.cpp @ 36:6a2f26976898

shutdown removes iptables entries that we added

author	carl
date	Thu, 08 Nov 2007 10:52:56 -0800
parents	00bd0b0ef015
children	26c29da3fbdf

comparison

equal deleted inserted replaced

-:d2ceebcf6595
+:6a2f26976898
-/***************************************************************************
+/*
-*	 Copyright (C) 2005 by 510 Software Group							   *
-*																		   *
+Copyright (c) 2007 Carl Byington - 510 Software Group, released under
-*																		   *
+the GPL version 3 or any later version at your choice available at
-*	 This program is free software; you can redistribute it and/or modify  *
+http://www.gnu.org/licenses/gpl-3.0.txt
-*	 it under the terms of the GNU General Public License as published by  *
-*	 the Free Software Foundation; either version 2 of the License, or	   *
+*/
-*	 (at your option) any later version.								   *
-*																		   *
-*	 This program is distributed in the hope that it will be useful,	   *
-*	 but WITHOUT ANY WARRANTY; without even the implied warranty of 	   *
-*	 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the		   *
-*	 GNU General Public License for more details.						   *
-*																		   *
-*	 You should have received a copy of the GNU General Public License	   *
-*	 along with this program; if not, write to the						   *
-*	 Free Software Foundation, Inc.,									   *
-*	 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.			   *
-***************************************************************************/
 // debug levels:
 // 4 - show syslog lines that match regex
 // 3 - show addresses being dropped/released from the filter
 // 2 - show files open/close
 #include <cstdlib>
 #include <errno.h>
 #include <sysexits.h>
 #include <pthread.h>
 #include <syslog.h>
-#include <sys/wait.h>	/* header for waitpid() and various macros */
+#include <sys/wait.h>   /* header for waitpid() and various macros */
-#include <signal.h> 	/* header for signal functions */
+#include <signal.h>     /* header for signal functions */
 static char* syslog2iptables_version = "$Id$";
 extern "C" {
-	void sig_chld(int signo);
+void sigchld(int sig);
+void sigterm(int sig);
 }
 int  debug_syslog  = 0;
 bool syslog_opened = false;
-bool use_syslog    = true;	// false to printf
+bool use_syslog    = true;  // false to printf
-bool loader_run    = true;	// used to stop the config loader thread
+bool loader_run    = true;  // used to stop the config loader thread
-CONFIG	 *config = NULL;	// protected by the config_mutex
+CONFIG   *config = NULL;    // protected by the config_mutex
-int   generation = 0;		// protected by the config_mutex
+int   generation = 0;       // protected by the config_mutex
-const int maxlen = 1000;	// used for snprintf buffers
+const int maxlen = 1000;    // used for snprintf buffers
 pthread_mutex_t  config_mutex;
 pthread_mutex_t  syslog_mutex;
 ////////////////////////////////////////////////
 // syslog a message
 //
 void my_syslog(char *text) {
-	if (use_syslog) {
+if (use_syslog) {
-		pthread_mutex_lock(&syslog_mutex);
+pthread_mutex_lock(&syslog_mutex);
-			if (!syslog_opened) {
+if (!syslog_opened) {
-				openlog("syslog2iptables", LOG_PID, LOG_AUTHPRIV);
+openlog("syslog2iptables", LOG_PID, LOG_AUTHPRIV);
-				syslog_opened = true;
+syslog_opened = true;
-			}
+}
-			syslog(LOG_NOTICE, "%s", text);
+syslog(LOG_NOTICE, "%s", text);
-		pthread_mutex_unlock(&syslog_mutex);
+pthread_mutex_unlock(&syslog_mutex);
-	}
+}
-	else {
+else {
-		printf("%s\n", text);
+printf("%s\n", text);
-	}
+}
 }
 ////////////////////////////////////////////////
-//	reload the config
+//  reload the config
 //
 CONFIG* new_conf();
 CONFIG* new_conf() {
-	CONFIG *newc = new CONFIG;
+CONFIG *newc = new CONFIG;
-	pthread_mutex_lock(&config_mutex);
+pthread_mutex_lock(&config_mutex);
-		newc->generation = generation++;
+newc->generation = generation++;
-	pthread_mutex_unlock(&config_mutex);
+pthread_mutex_unlock(&config_mutex);
-	if (debug_syslog) {
+if (debug_syslog) {
-		char buf[maxlen];
+char buf[maxlen];
-		snprintf(buf, sizeof(buf), "loading configuration generation %d", newc->generation);
+snprintf(buf, sizeof(buf), "loading configuration generation %d", newc->generation);
-		my_syslog(buf);
+my_syslog(buf);
-	}
+}
-	if (load_conf(*newc, "syslog2iptables.conf")) {
+if (load_conf(*newc, "syslog2iptables.conf")) {
-		newc->load_time = time(NULL);
+newc->load_time = time(NULL);
-		return newc;
+return newc;
-	}
+}
-	delete newc;
+delete newc;
-	return NULL;
+return NULL;
 }
 ////////////////////////////////////////////////
-//	thread to watch the old config files for changes
+//  thread to watch the old config files for changes
-//	and reload when needed. we also cleanup old
+//  and reload when needed.
-//	configs whose reference count has gone to zero.
 //
 void* config_loader(void *arg);
 void* config_loader(void *arg) {
-	typedef set<CONFIG *> configp_set;
+typedef set<CONFIG *> configp_set;
-	configp_set old_configs;
+while (loader_run) {
-	while (loader_run) {
+sleep(180);  // look for modifications every 3 minutes
-		sleep(180);  // look for modifications every 3 minutes
+if (!loader_run) break;
-		if (!loader_run) break;
+CONFIG &dc = *config;
-		CONFIG &dc = *config;
+time_t then = dc.load_time;
-		time_t then = dc.load_time;
+struct stat st;
-		struct stat st;
+bool reload = false;
-		bool reload = false;
+for (string_set::iterator i=dc.config_files.begin(); i!=dc.config_files.end(); i++) {
-		for (string_set::iterator i=dc.config_files.begin(); i!=dc.config_files.end(); i++) {
+char *fn = *i;
-			char *fn = *i;
+if (stat(fn, &st))           reload = true; // file disappeared
-			if (stat(fn, &st))			 reload = true; // file disappeared
+else if (st.st_mtime > then) reload = true; // file modified
-			else if (st.st_mtime > then) reload = true; // file modified
+if (reload) break;
-			if (reload) break;
+}
-		}
+if (reload) {
-		if (reload) {
+CONFIG *newc = new_conf();
-			CONFIG *newc = new_conf();
+if (newc) {
-			if (newc) {
+// replace the global config pointer
-				// replace the global config pointer
+pthread_mutex_lock(&config_mutex);
-				pthread_mutex_lock(&config_mutex);
+config = newc;
-					CONFIG *old = config;
+pthread_mutex_unlock(&config_mutex);
-					config = newc;
+}
-				pthread_mutex_unlock(&config_mutex);
+else {
-				if (old) old_configs.insert(old);
+// failed to load new config
-			}
+my_syslog("failed to load new configuration");
-			else {
+system("echo 'failed to load new /etc/syslog2iptables.conf' | mail -s 'error in /etc/syslog2iptables.conf' root");
-				// failed to load new config
+// update the load time on the current config to prevent complaining every 3 minutes
-				my_syslog("failed to load new configuration");
+dc.load_time = time(NULL);
-				system("echo 'failed to load new /etc/syslog2iptables.conf' | mail -s 'error in /etc/syslog2iptables.conf' root");
+}
-				// update the load time on the current config to prevent complaining every 3 minutes
+}
-				dc.load_time = time(NULL);
+}
-			}
+return NULL;
-		}
+}
-		// now look for old configs with zero ref counts
-		for (configp_set::iterator i=old_configs.begin(); i!=old_configs.end(); ) {
-			CONFIG *old = *i;
+////////////////////////////////////////////////
-			if (!old->reference_count) {
+// The signal handler function for child process terminations,
-				if (debug_syslog) {
+// called when a child terminates.
-					char buf[maxlen];
+//
-					snprintf(buf, sizeof(buf), "freeing memory for old configuration generation %d", old->generation);
+void sigchld(int sig)
-					my_syslog(buf);
+{
-				}
+int status;
-				delete old; // destructor does all the work
+/* Wait for any child without blocking */
-				old_configs.erase(i++);
+while (waitpid(-1, &status, WNOHANG) > 0) {
-			}
+// ignore child exit status, we only do this to cleanup zombies
-			else i++;
+}
-		}
+}
-	}
-	return NULL;
-}
+////////////////////////////////////////////////
+// The termination signal handler function, called to
+// request termination of this process.
-////////////////////////////////////////////////
+//
-// The signal handler function -- only gets called when a SIGCHLD
+void sigterm(int sig)
-// is received, ie when a child terminates
+{
-//
+loader_run = false;
-void sig_chld(int signo)
+signal(sig, SIG_DFL);   // quit on repeated signals
-{
-	int status;
-	/* Wait for any child without blocking */
-	while (waitpid(-1, &status, WNOHANG) > 0) {
-		// ignore child exit status, we only do this to cleanup zombies
-	}
 }
 void usage(char *prog);
 void usage(char *prog)
 {
-	fprintf(stderr, "Usage: %s  [-d [level]] [-c]\n", prog);
+fprintf(stderr, "Usage: %s  [-d [level]] [-c]\n", prog);
-	fprintf(stderr, "-c will load and dump the config to stdout\n");
+fprintf(stderr, "-c will load and dump the config to stdout\n");
-	fprintf(stderr, "-d will set the syslog message level, currently 0 to 3\n");
+fprintf(stderr, "-d will set the syslog message level, currently 0 to 3\n");
 }
 void worker();
 void worker()
 {
-	time_t t = time(NULL);
+time_t t = time(NULL);
-	CONFIG *c;
+CONFIG *c;
-	pthread_mutex_lock(&config_mutex);
+pthread_mutex_lock(&config_mutex);
-		c = config;
+c = config;
-		c->reference_count++;
+c->reference_count++;
-	pthread_mutex_unlock(&config_mutex);
+pthread_mutex_unlock(&config_mutex);
-	while (true) {
+while (loader_run) {
-		if (c != config) {
+if (c != config) {
-			pthread_mutex_lock(&config_mutex);
+pthread_mutex_lock(&config_mutex);
-				c->reference_count--;
+CONFIG *old = c;    old->reference_count--;
-				c = config;
+c = config;         c->reference_count++;
-				c->reference_count++;
+pthread_mutex_unlock(&config_mutex);
-			pthread_mutex_unlock(&config_mutex);
+if (!old->reference_count) {
-		}
+if (debug_syslog) {
-		c->read();
+char buf[maxlen];
-		c->sleep(2, t);
+snprintf(buf, sizeof(buf), "freeing memory for old configuration generation %d", old->generation);
-	}
+my_syslog(buf);
+}
+delete old; // destructor does all the work
+}
+}
+c->read();
+c->sleep(2, t);
+}
+// worker shutting down, free all ip addresses
+c->free_all();
 }
 int main(int argc, char *argv[])
 {
-	token_init();
+token_init();
-	bool check = false;
+bool check = false;
-	int c;
+int c;
-	const char *args = "d:ch";
+const char *args = "d:ch";
-	extern char *optarg;
+extern char *optarg;
-	// Process command line options
+// Process command line options
-	while ((c = getopt(argc, argv, args)) != -1) {
+while ((c = getopt(argc, argv, args)) != -1) {
-		switch (c) {
+switch (c) {
-			case 'c':
+case 'c':
-				check = true;
+check = true;
-				break;
+break;
-			case 'd':
+case 'd':
-				if (optarg == NULL || *optarg == '\0') debug_syslog = 1;
+if (optarg == NULL || *optarg == '\0') debug_syslog = 1;
-				else								   debug_syslog = atoi(optarg);
+else                                   debug_syslog = atoi(optarg);
-				break;
+break;
-			case 'h':
+case 'h':
-			default:
+default:
-				usage(argv[0]);
+usage(argv[0]);
-				exit(EX_USAGE);
+exit(EX_USAGE);
-		}
+}
-	}
+}
-	if (check) {
+if (check) {
-		use_syslog	 = false;
+use_syslog   = false;
-		debug_syslog = 10;
+debug_syslog = 10;
-		config = new_conf();
+config = new_conf();
-		if (config) {
+if (config) {
-			config->dump();
+config->dump();
-			delete config;
+delete config;
-			return 0;
+return 0;
-		}
+}
-		else {
+else {
-			return 1;	// config failed to load
+return 1;   // config failed to load
-		}
+}
-	}
+}
-	// switch to background mode
+// switch to background mode
-	if (daemon(1,0) < 0) {
+if (daemon(1,0) < 0) {
-		fprintf(stderr, "daemon() call failed\n");
+fprintf(stderr, "daemon() call failed\n");
-		exit(EX_UNAVAILABLE);
+exit(EX_UNAVAILABLE);
-	}
+}
-	// write the pid
+// write the pid
-	const char *pidpath = "/var/run/syslog2iptables.pid";
+const char *pidpath = "/var/run/syslog2iptables.pid";
-	unlink(pidpath);
+unlink(pidpath);
-	FILE *f = fopen(pidpath, "w");
+FILE *f = fopen(pidpath, "w");
-	if (f) {
+if (f) {
 #ifdef linux
-		// from a comment in the DCC source code:
+// from a comment in the DCC source code:
-		// Linux threads are broken.  Signals given the
+// Linux threads are broken.  Signals given the
-		// original process are delivered to only the
+// original process are delivered to only the
-		// thread that happens to have that PID.  The
+// thread that happens to have that PID.  The
-		// sendmail libmilter thread that needs to hear
+// sendmail libmilter thread that needs to hear
-		// SIGINT and other signals does not, and that breaks
+// SIGINT and other signals does not, and that breaks
-		// scripts that need to stop milters.
+// scripts that need to stop milters.
-		// However, signaling the process group works.
+// However, signaling the process group works.
-		fprintf(f, "-%d\n", (u_int)getpgrp());
+fprintf(f, "-%d\n", (u_int)getpgrp());
 #else
-		fprintf(f, "%d\n", (u_int)getpid());
+fprintf(f, "%d\n", (u_int)getpid());
 #endif
-		fclose(f);
+fclose(f);
-	}
+}
-	// initialize the thread sync objects
+// setup signal handler for termination signals
-	pthread_mutex_init(&config_mutex, 0);
+signal(SIGHUP, sigterm);
-	pthread_mutex_init(&syslog_mutex, 0);
+signal(SIGTERM, sigterm);
+signal(SIGINT, sigterm);
-	// load the initial config
-	config = new_conf();
+// initialize the thread sync objects
-	if (!config) {
+pthread_mutex_init(&config_mutex, 0);
-		my_syslog("failed to load initial configuration, quitting");
+pthread_mutex_init(&syslog_mutex, 0);
-		exit(1);
-	}
+// load the initial config
+config = new_conf();
-	// setup sigchld handler to prevent zombies
+if (!config) {
-	struct sigaction act;
+my_syslog("failed to load initial configuration, quitting");
-	act.sa_handler = sig_chld;		// Assign sig_chld as our SIGCHLD handler
+exit(1);
-	sigemptyset(&act.sa_mask);		// We don't want to block any other signals in this example
+}
-	act.sa_flags = SA_NOCLDSTOP;	// only want children that have terminated
-	if (sigaction(SIGCHLD, &act, NULL) < 0) {
+// setup sigchld handler to prevent zombies
-		my_syslog("failed to setup SIGCHLD handler");
+struct sigaction act;
-		exit(1);
+act.sa_handler = sigchld;       // Assign sig_chld as our SIGCHLD handler
-	}
+sigemptyset(&act.sa_mask);      // We don't want to block any other signals in this example
+act.sa_flags = SA_NOCLDSTOP;    // only want children that have terminated
-	// only create threads after the fork() in daemon
+if (sigaction(SIGCHLD, &act, NULL) < 0) {
-	pthread_t tid;
+my_syslog("failed to setup SIGCHLD handler");
-	if (pthread_create(&tid, 0, config_loader, 0))
+exit(1);
-		my_syslog("failed to create config loader thread");
+}
-	if (pthread_detach(tid))
-		my_syslog("failed to detach config loader thread");
+// only create threads after the fork() in daemon
+pthread_t tid;
-	worker();
+if (pthread_create(&tid, 0, config_loader, 0))
+my_syslog("failed to create config loader thread");
-	return EXIT_SUCCESS;
+if (pthread_detach(tid))
-}
+my_syslog("failed to detach config loader thread");
+worker();
+return EXIT_SUCCESS;
+}

Mercurial > syslog2iptables

comparison src/syslog2iptables.cpp @ 36:6a2f26976898