Mercurial > syslog2iptables
comparison src/syslogconfig.cpp @ 24:ec051169fdfd
don't flush input chain, use -D option instead
| author | carl |
|---|---|
| date | Wed, 01 Feb 2006 10:33:58 -0800 |
| parents | 0d65c3de34fd |
| children | 28fec0c67646 |
comparison
equal
deleted
inserted
replaced
| 23:048cd6e642bc | 24:ec051169fdfd |
|---|---|
| 101 } | 101 } |
| 102 } | 102 } |
| 103 | 103 |
| 104 | 104 |
| 105 void IPR::leak(int amount, CONFIG &con) { | 105 void IPR::leak(int amount, CONFIG &con) { |
| 106 bool ch = false; | |
| 107 for (ip_buckets::iterator i=violations.begin(); i!=violations.end(); ) { | 106 for (ip_buckets::iterator i=violations.begin(); i!=violations.end(); ) { |
| 108 int ip = (*i).first; | 107 int ip = (*i).first; |
| 109 bucket &b = (*i).second; | 108 bucket &b = (*i).second; |
| 110 if (b.count <= amount) { | 109 if (b.count <= amount) { |
| 111 if (b.latch) { | 110 if (b.latch) { |
| 112 update(ip, false, NULL, 0); | 111 update(ip, false, NULL, 0); |
| 113 ch = true; | 112 changed(con, ip, false); |
| 114 } | 113 } |
| 115 violations.erase(i++); | 114 violations.erase(i++); |
| 116 } | 115 } |
| 117 else { | 116 else { |
| 118 b.count -= amount; | 117 b.count -= amount; |
| 119 i++; | 118 i++; |
| 120 } | 119 } |
| 121 } | 120 } |
| 122 if (ch) changed(con, 0, false); | |
| 123 } | 121 } |
| 124 | 122 |
| 125 | 123 |
| 126 void IPR::update(int ip, bool added, char *file_name, int pattern_index) { | 124 void IPR::update(int ip, bool added, char *file_name, int pattern_index) { |
| 127 if (debug_syslog > 2) { | 125 if (debug_syslog > 2) { |
| 146 snprintf(buf, maxlen, "count=%d %s -A INPUT --src %s --jump DROP", b.count, iptables, inet_ntoa(ad)); | 144 snprintf(buf, maxlen, "count=%d %s -A INPUT --src %s --jump DROP", b.count, iptables, inet_ntoa(ad)); |
| 147 system(buf); | 145 system(buf); |
| 148 } | 146 } |
| 149 } | 147 } |
| 150 else { | 148 else { |
| 151 // releasing some ip, redo the table | 149 in_addr ad; |
| 152 snprintf(buf, maxlen, "%s -F INPUT", iptables); | 150 ad.s_addr = htonl(ip); |
| 151 snprintf(buf, maxlen, "%s -D INPUT --src %s --jump DROP", iptables, inet_ntoa(ad)); | |
| 153 system(buf); | 152 system(buf); |
| 154 for (ip_buckets::iterator i=violations.begin(); i!=violations.end(); i++) { | |
| 155 int ip = (*i).first; | |
| 156 bucket &b = (*i).second; | |
| 157 if (con.looking(ip) && (b.count > t)) { | |
| 158 in_addr ad; | |
| 159 ad.s_addr = htonl(ip); | |
| 160 snprintf(buf, maxlen, "count=%d %s -A INPUT --src %s --jump DROP", b.count, iptables, inet_ntoa(ad)); | |
| 161 system(buf); | |
| 162 } | |
| 163 } | |
| 164 } | 153 } |
| 165 } | 154 } |
| 166 | 155 |
| 167 | 156 |
| 168 //////////////////////////////////////////////// | 157 //////////////////////////////////////////////// |