changeset 36:6a2f26976898

shutdown removes iptables entries that we added
author carl
date Thu, 08 Nov 2007 10:52:56 -0800
parents d2ceebcf6595
children e4eb969dfc4a
files ChangeLog NEWS configure.in src/syslog2iptables.cpp src/syslog2iptables.h src/syslogconfig.cpp src/syslogconfig.h src/tokenizer.cpp src/tokenizer.h syslog2iptables.rc.in xml/syslog2iptables.in
diffstat 11 files changed, 721 insertions(+), 765 deletions(-) [+]
--- a/ChangeLog	Tue Sep 18 09:54:22 2007 -0700
+++ b/ChangeLog	Thu Nov 08 10:52:56 2007 -0800
@@ -1,5 +1,9 @@
     $Id$
 
+1.8 2007-11-08
+    Allow sigterm/sigint to properly shutdown by removing all
+    the iptables entries that we added.
+
 1.7 2007-09-18
     Add description in config file for each regular expression
     so the log is more readable.
--- a/NEWS	Tue Sep 18 09:54:22 2007 -0700
+++ b/NEWS	Thu Nov 08 10:52:56 2007 -0800
@@ -1,5 +1,6 @@
     $Id$
 
+1.8 2007-11-08 Allow shutdown to remove the iptables entries that we added.
 1.7 2007-09-18 Add description in config file for each regular expression.
 1.6 2007-09-09 GPL3.
 1.5 2007-08-30 Fix pre/post scripts in the rpm spec file.
--- a/configure.in	Tue Sep 18 09:54:22 2007 -0700
+++ b/configure.in	Thu Nov 08 10:52:56 2007 -0800
@@ -1,6 +1,6 @@
 
 AC_PREREQ(2.59)
-AC_INIT(syslog2iptables,1.7,carl@five-ten-sg.com)
+AC_INIT(syslog2iptables,1.8,carl@five-ten-sg.com)
 AC_CONFIG_SRCDIR([config.h.in])
 AC_CONFIG_HEADER([config.h])
 
--- a/src/syslog2iptables.cpp	Tue Sep 18 09:54:22 2007 -0700
+++ b/src/syslog2iptables.cpp	Thu Nov 08 10:52:56 2007 -0800
@@ -1,22 +1,11 @@
-/***************************************************************************
- *	 Copyright (C) 2005 by 510 Software Group							   *
- *																		   *
- *																		   *
- *	 This program is free software; you can redistribute it and/or modify  *
- *	 it under the terms of the GNU General Public License as published by  *
- *	 the Free Software Foundation; either version 2 of the License, or	   *
- *	 (at your option) any later version.								   *
- *																		   *
- *	 This program is distributed in the hope that it will be useful,	   *
- *	 but WITHOUT ANY WARRANTY; without even the implied warranty of 	   *
- *	 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the		   *
- *	 GNU General Public License for more details.						   *
- *																		   *
- *	 You should have received a copy of the GNU General Public License	   *
- *	 along with this program; if not, write to the						   *
- *	 Free Software Foundation, Inc.,									   *
- *	 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.			   *
- ***************************************************************************/
+/*
+
+Copyright (c) 2007 Carl Byington - 510 Software Group, released under
+the GPL version 3 or any later version at your choice available at
+http://www.gnu.org/licenses/gpl-3.0.txt
+
+*/
+
 
 // debug levels:
 // 4 - show syslog lines that match regex
@@ -37,7 +26,8 @@
 static char* syslog2iptables_version = "$Id$";
 
 extern "C" {
-	void sig_chld(int signo);
+    void sigchld(int sig);
+    void sigterm(int sig);
 }
 int  debug_syslog  = 0;
 bool syslog_opened = false;
@@ -94,13 +84,11 @@
 
 ////////////////////////////////////////////////
 //	thread to watch the old config files for changes
-//	and reload when needed. we also cleanup old
-//	configs whose reference count has gone to zero.
+//  and reload when needed.
 //
 void* config_loader(void *arg);
 void* config_loader(void *arg) {
 	typedef set<CONFIG *> configp_set;
-	configp_set old_configs;
 	while (loader_run) {
 		sleep(180);  // look for modifications every 3 minutes
 		if (!loader_run) break;
@@ -119,10 +107,8 @@
 			if (newc) {
 				// replace the global config pointer
 				pthread_mutex_lock(&config_mutex);
-					CONFIG *old = config;
 					config = newc;
 				pthread_mutex_unlock(&config_mutex);
-				if (old) old_configs.insert(old);
 			}
 			else {
 				// failed to load new config
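Review bot: After `config = newc;` the displaced CONFIG is no longer tracked anywhere; it is reclaimed only by a worker that was holding it when it notices the swap, and the worker polls on a two-second cycle. If `config` can be replaced again before a worker has switched to the intermediate one (whether that is possible depends on loop structure outside this hunk), that intermediate CONFIG has a zero reference count and nobody ever deletes it. The loader can cover that case itself by deciding under the lock and deleting after it: `CONFIG *old = config;    config = newc;`, `bool orphaned = old && !old->reference_count;` inside the locked region, then `if (orphaned) delete old;` after `pthread_mutex_unlock`. config_loader's body starts before this hunk.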
@@ -132,30 +118,16 @@
 				dc.load_time = time(NULL);
 			}
 		}
-		// now look for old configs with zero ref counts
-		for (configp_set::iterator i=old_configs.begin(); i!=old_configs.end(); ) {
-			CONFIG *old = *i;
-			if (!old->reference_count) {
-				if (debug_syslog) {
-					char buf[maxlen];
-					snprintf(buf, sizeof(buf), "freeing memory for old configuration generation %d", old->generation);
-					my_syslog(buf);
-				}
-				delete old; // destructor does all the work
-				old_configs.erase(i++);
-			}
-			else i++;
-		}
 	}
 	return NULL;
 }
 
 
 ////////////////////////////////////////////////
-// The signal handler function -- only gets called when a SIGCHLD
-// is received, ie when a child terminates
+// The signal handler function for child process terminations,
+// called when a child terminates.
 //
-void sig_chld(int signo)
+void sigchld(int sig)
 {
 	int status;
 	/* Wait for any child without blocking */
@@ -165,6 +137,17 @@
 }
 
 
+////////////////////////////////////////////////
+// The termination signal handler function, called to
+// request termination of this process.
+//
+void sigterm(int sig)
+{
+    loader_run = false;
+    signal(sig, SIG_DFL);   // quit on repeated signals
+}
+
+
 void usage(char *prog);
 void usage(char *prog)
 {
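Review bot: The assignment `loader_run = false;` in sigterm is only well-defined from a signal handler if `loader_run` is declared `volatile sig_atomic_t`; its declaration is outside this hunk, and if it is a plain `bool` the compiler may also keep the worker's and the loader's `while (loader_run)` tests in a register and never observe the store. I would change the declaration to `volatile sig_atomic_t loader_run` (and the matching extern in the header). Note also that config_loader sleeps 180 s between checks of the flag, so unless the signal happens to interrupt that particular thread's sleep, a shutdown that waits for the loader thread (whether main joins it is not visible here) can take up to three minutes; a `pthread_kill` to the loader thread or a shorter sleep interval would bound that.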
@@ -183,17 +166,26 @@
 		c = config;
 		c->reference_count++;
 	pthread_mutex_unlock(&config_mutex);
-	while (true) {
+    while (loader_run) {
 		if (c != config) {
 			pthread_mutex_lock(&config_mutex);
-				c->reference_count--;
-				c = config;
-				c->reference_count++;
+                CONFIG *old = c;    old->reference_count--;
+                c = config;         c->reference_count++;
 			pthread_mutex_unlock(&config_mutex);
+            if (!old->reference_count) {
+                if (debug_syslog) {
+                    char buf[maxlen];
+                    snprintf(buf, sizeof(buf), "freeing memory for old configuration generation %d", old->generation);
+                    my_syslog(buf);
+                }
+                delete old; // destructor does all the work
+            }
 		}
 		c->read();
 		c->sleep(2, t);
 	}
+    // worker shutting down, free all ip addresses
+    c->free_all();
 }
 
 
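Review bot: `old->reference_count` is read after `pthread_mutex_unlock`, so the decision to `delete old` is made outside the lock that protects the count. With a single worker that is harmless, but if more than one thread can hold a CONFIG (not visible in this hunk) two threads can decrement the same config and the one that did not reach zero can read it after the other has already deleted it. Capture the result inside the locked region instead: `CONFIG *old = c;    bool last = (--old->reference_count == 0);` and test `if (last) {` after the unlock. The enclosing worker function begins before this hunk; the final `c->free_all()` presumably issues the removals for the config the worker still holds, which is the behaviour the commit message describes.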
@@ -265,6 +257,11 @@
 		fclose(f);
 	}
 
+    // setup signal handler for termination signals
+    signal(SIGHUP, sigterm);
+    signal(SIGTERM, sigterm);
+    signal(SIGINT, sigterm);
+
 	// initialize the thread sync objects
 	pthread_mutex_init(&config_mutex, 0);
 	pthread_mutex_init(&syslog_mutex, 0);
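Review bot: The termination handlers are installed with `signal()` while the SIGCHLD handler a few lines below uses `sigaction()`, and `signal()`'s semantics (handler reset, syscall restart) differ between platforms. Installing all three through the same `sigaction` path with an explicit empty mask keeps the behaviour defined and consistent; the handler's own `signal(sig, SIG_DFL)` still provides the quit-on-repeat behaviour. These calls appear to run before the threads are created (the mutex initialisation follows), so the handlers are inherited by every thread, which is what the flag-based shutdown needs.
```cpp
    // setup signal handler for termination signals
    struct sigaction term;
    term.sa_handler = sigterm;
    sigemptyset(&term.sa_mask);
    term.sa_flags = 0;
    sigaction(SIGHUP,  &term, NULL);
    sigaction(SIGTERM, &term, NULL);
    sigaction(SIGINT,  &term, NULL);
```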
@@ -278,7 +275,7 @@
 
 	// setup sigchld handler to prevent zombies
 	struct sigaction act;
-	act.sa_handler = sig_chld;		// Assign sig_chld as our SIGCHLD handler
+    act.sa_handler = sigchld;       // Assign sig_chld as our SIGCHLD handler
 	sigemptyset(&act.sa_mask);		// We don't want to block any other signals in this example
 	act.sa_flags = SA_NOCLDSTOP;	// only want children that have terminated
 	if (sigaction(SIGCHLD, &act, NULL) < 0) {
--- a/src/syslog2iptables.h	Tue Sep 18 09:54:22 2007 -0700
+++ b/src/syslog2iptables.h	Thu Nov 08 10:52:56 2007 -0800
@@ -1,22 +1,10 @@
-/***************************************************************************
- *	 Copyright (C) 2005 by 510 Software Group							   *
- *																		   *
- *																		   *
- *	 This program is free software; you can redistribute it and/or modify  *
- *	 it under the terms of the GNU General Public License as published by  *
- *	 the Free Software Foundation; either version 2 of the License, or	   *
- *	 (at your option) any later version.								   *
- *																		   *
- *	 This program is distributed in the hope that it will be useful,	   *
- *	 but WITHOUT ANY WARRANTY; without even the implied warranty of 	   *
- *	 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the		   *
- *	 GNU General Public License for more details.						   *
- *																		   *
- *	 You should have received a copy of the GNU General Public License	   *
- *	 along with this program; if not, write to the						   *
- *	 Free Software Foundation, Inc.,									   *
- *	 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.			   *
- ***************************************************************************/
+/*
+
+Copyright (c) 2007 Carl Byington - 510 Software Group, released under
+the GPL version 3 or any later version at your choice available at
+http://www.gnu.org/licenses/gpl-3.0.txt
+
+*/
 
 void my_syslog(char *text);
 extern int debug_syslog;
--- a/src/syslogconfig.cpp	Tue Sep 18 09:54:22 2007 -0700
+++ b/src/syslogconfig.cpp	Thu Nov 08 10:52:56 2007 -0800
@@ -1,22 +1,10 @@
-/***************************************************************************
- *	 Copyright (C) 2005 by 510 Software Group							   *
- *																		   *
- *																		   *
- *	 This program is free software; you can redistribute it and/or modify  *
- *	 it under the terms of the GNU General Public License as published by  *
- *	 the Free Software Foundation; either version 2 of the License, or	   *
- *	 (at your option) any later version.								   *
- *																		   *
- *	 This program is distributed in the hope that it will be useful,	   *
- *	 but WITHOUT ANY WARRANTY; without even the implied warranty of 	   *
- *	 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the		   *
- *	 GNU General Public License for more details.						   *
- *																		   *
- *	 You should have received a copy of the GNU General Public License	   *
- *	 along with this program; if not, write to the						   *
- *	 Free Software Foundation, Inc.,									   *
- *	 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.			   *
- ***************************************************************************/
+/*
+
+Copyright (c) 2007 Carl Byington - 510 Software Group, released under
+the GPL version 3 or any later version at your choice available at
+http://www.gnu.org/licenses/gpl-3.0.txt
+
+*/
 
 #include "includes.h"
 #include <fcntl.h>
@@ -65,6 +53,7 @@
 public:
 	void add(int ip, int amount, CONFIG &con, char *file_name, int pattern_index, char *message);
 	void leak(int amount, CONFIG &con);
+    void free_all(CONFIG &con);
 	void update(int ip, bool added, char *file_name, int pattern_index, char *message);
 	void changed(CONFIG &con, int ip, bool added);
 };
@@ -123,6 +112,19 @@
 }
 
 
+void IPR::free_all(CONFIG &con) {
+    for (ip_buckets::iterator i=violations.begin(); i!=violations.end(); i++) {
+        int    ip = (*i).first;
+        bucket &b = (*i).second;
+        if (b.latch) {
+            update(ip, false, NULL, 0, NULL);
+            changed(con, ip, false);
+        }
+    }
+    violations.clear();
+}
+
+
 void IPR::update(int ip, bool added, char *file_name, int pattern_index, char *message) {
 	if (debug_syslog > 2) {
 		char buf[maxlen];
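Review bot: `update(ip, false, NULL, 0, NULL)` passes NULL for `file_name` and `message`, and `update` builds a debug line with `snprintf` when `debug_syslog > 2`; its body continues past this hunk, so I cannot see whether those pointers reach a `%s`, which would be undefined behaviour (glibc prints `(null)`, other libcs crash). Either guard against NULL inside `update` or pass empty strings from free_all: `update(ip, false, "", 0, "");`. Also, `update` and `changed(con, ip, false)` are called while iterating `violations`; if either callee erases from that map the iterator is invalidated — the trailing `violations.clear()` suggests they do not, but that is worth confirming.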
@@ -310,6 +312,10 @@
 }
 
 
+void CONFIG::free_all() {
+    recorder.free_all(*this);
+}
+
 bool CONFIG::looking(int ip) {
 	for (ippair_list::iterator i=ignore.begin(); i!=ignore.end(); i++) {
 		IPPAIR &p = *i;
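Review bot: `CONFIG::free_all` is added without a comment saying why it exists separately from the destructor, and a reader of syslogconfig.h sees only the bare declaration. I would put above the definition: `// shutdown path: ask the recorder to release every latched address so the entries we added are removed while the process can still run the commands.` That it is the iptables entries being removed comes from the commit message rather than from code visible here, so keep the wording to what `IPR::free_all` does (un-latch and report each address).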
--- a/src/syslogconfig.h	Tue Sep 18 09:54:22 2007 -0700
+++ b/src/syslogconfig.h	Thu Nov 08 10:52:56 2007 -0800
@@ -1,22 +1,10 @@
-/***************************************************************************
- *	 Copyright (C) 2005 by 510 Software Group							   *
- *																		   *
- *																		   *
- *	 This program is free software; you can redistribute it and/or modify  *
- *	 it under the terms of the GNU General Public License as published by  *
- *	 the Free Software Foundation; either version 2 of the License, or	   *
- *	 (at your option) any later version.								   *
- *																		   *
- *	 This program is distributed in the hope that it will be useful,	   *
- *	 but WITHOUT ANY WARRANTY; without even the implied warranty of 	   *
- *	 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the		   *
- *	 GNU General Public License for more details.						   *
- *																		   *
- *	 You should have received a copy of the GNU General Public License	   *
- *	 along with this program; if not, write to the						   *
- *	 Free Software Foundation, Inc.,									   *
- *	 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.			   *
- ***************************************************************************/
+/*
+
+Copyright (c) 2007 Carl Byington - 510 Software Group, released under
+the GPL version 3 or any later version at your choice available at
+http://www.gnu.org/licenses/gpl-3.0.txt
+
+*/
 
 
 class SYSLOGCONFIG;
@@ -93,6 +81,7 @@
 	void	dump();
 	void	read();
 	void	sleep(int duration, time_t &previous);
+    void    free_all();
 	bool	looking(int ip);
 };
 
--- a/src/tokenizer.cpp	Tue Sep 18 09:54:22 2007 -0700
+++ b/src/tokenizer.cpp	Thu Nov 08 10:52:56 2007 -0800
@@ -1,22 +1,10 @@
-/***************************************************************************
- *	 Copyright (C) 2005 by 510 Software Group							   *
- *																		   *
- *																		   *
- *	 This program is free software; you can redistribute it and/or modify  *
- *	 it under the terms of the GNU General Public License as published by  *
- *	 the Free Software Foundation; either version 2 of the License, or	   *
- *	 (at your option) any later version.								   *
- *																		   *
- *	 This program is distributed in the hope that it will be useful,	   *
- *	 but WITHOUT ANY WARRANTY; without even the implied warranty of 	   *
- *	 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the		   *
- *	 GNU General Public License for more details.						   *
- *																		   *
- *	 You should have received a copy of the GNU General Public License	   *
- *	 along with this program; if not, write to the						   *
- *	 Free Software Foundation, Inc.,									   *
- *	 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.			   *
- ***************************************************************************/
+/*
+
+Copyright (c) 2007 Carl Byington - 510 Software Group, released under
+the GPL version 3 or any later version at your choice available at
+http://www.gnu.org/licenses/gpl-3.0.txt
+
+*/
 
 #include "includes.h"
 
--- a/src/tokenizer.h	Tue Sep 18 09:54:22 2007 -0700
+++ b/src/tokenizer.h	Thu Nov 08 10:52:56 2007 -0800
@@ -1,23 +1,10 @@
-/***************************************************************************
- *	 Copyright (C) 2005 by 510 Software Group							   *
- *																		   *
- *																		   *
- *	 This program is free software; you can redistribute it and/or modify  *
- *	 it under the terms of the GNU General Public License as published by  *
- *	 the Free Software Foundation; either version 2 of the License, or	   *
- *	 (at your option) any later version.								   *
- *																		   *
- *	 This program is distributed in the hope that it will be useful,	   *
- *	 but WITHOUT ANY WARRANTY; without even the implied warranty of 	   *
- *	 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the		   *
- *	 GNU General Public License for more details.						   *
- *																		   *
- *	 You should have received a copy of the GNU General Public License	   *
- *	 along with this program; if not, write to the						   *
- *	 Free Software Foundation, Inc.,									   *
- *	 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.			   *
- ***************************************************************************/
+/*
 
+Copyright (c) 2007 Carl Byington - 510 Software Group, released under
+the GPL version 3 or any later version at your choice available at
+http://www.gnu.org/licenses/gpl-3.0.txt
+
+*/
 
 
 using namespace std;
--- a/syslog2iptables.rc.in	Tue Sep 18 09:54:22 2007 -0700
+++ b/syslog2iptables.rc.in	Thu Nov 08 10:52:56 2007 -0800
@@ -51,19 +51,15 @@
         ;;
     restart|reload)
         $0 stop
-        $0 flush
         $0 start
         RETVAL=$?
         ;;
-    flush)
-        /sbin/iptables -F INPUT
-        ;;
     status)
         status syslog2iptables
         RETVAL=$?
         ;;
     *)
-        echo "Usage: syslog2iptables {start|stop|restart|status|flush}"
+        echo "Usage: syslog2iptables {start|stop|restart|reload|status}"
         exit 1
 esac
 exit $RETVAL
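Review bot: `restart|reload` no longer flushes the INPUT chain and no operator command remains to clear entries the daemon added, so cleanup now depends entirely on the daemon receiving SIGTERM/SIGINT and finishing its removal before it exits; after a SIGKILL, a crash or a power loss the entries persist with no documented recovery step. Dropping the blanket `iptables -F INPUT` is the right direction, since it also deleted rules this daemon never added, but consider keeping a targeted cleanup subcommand or documenting the manual recovery in the man page. Also, `$0 stop` immediately followed by `$0 start` assumes the stop branch (outside this hunk) blocks until the old process has exited; if it returns as soon as the signal is sent, the new instance can start while the old one is still removing entries.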
--- a/xml/syslog2iptables.in	Tue Sep 18 09:54:22 2007 -0700
+++ b/xml/syslog2iptables.in	Thu Nov 08 10:52:56 2007 -0800
@@ -11,7 +11,7 @@
 
     <refentry id="@PACKAGE@.1">
         <refentryinfo>
-            <date>2007-09-09</date>
+            <date>2007-11-08</date>
         </refentryinfo>
 
         <refmeta>
@@ -151,7 +151,7 @@
 
     <refentry id="@PACKAGE@.conf.5">
         <refentryinfo>
-            <date>2007-09-09</date>
+            <date>2007-11-08</date>
         </refentryinfo>
 
         <refmeta>