changeset 36:6a2f26976898
shutdown removes iptables entries that we added
author | carl |
---|---|
date | Thu, 08 Nov 2007 10:52:56 -0800 |
parents | d2ceebcf6595 |
children | e4eb969dfc4a |
files | ChangeLog NEWS configure.in src/syslog2iptables.cpp src/syslog2iptables.h src/syslogconfig.cpp src/syslogconfig.h src/tokenizer.cpp src/tokenizer.h syslog2iptables.rc.in xml/syslog2iptables.in |
diffstat | 11 files changed, 721 insertions(+), 765 deletions(-) [+] |
--- a/ChangeLog Tue Sep 18 09:54:22 2007 -0700 +++ b/ChangeLog Thu Nov 08 10:52:56 2007 -0800 @@ -1,5 +1,9 @@ $Id$ +1.8 2007-11-08 + Allow sigterm/sigint to properly shutdown by removing all + the iptables entries that we added. + 1.7 2007-09-18 Add description in config file for each regular expression so the log is more readable.
--- a/NEWS Tue Sep 18 09:54:22 2007 -0700 +++ b/NEWS Thu Nov 08 10:52:56 2007 -0800 @@ -1,5 +1,6 @@ $Id$ +1.8 2007-11-08 Allow shutdown to remove the iptables entries that we added. 1.7 2007-09-18 Add description in config file for each regular expression. 1.6 2007-09-09 GPL3. 1.5 2007-08-30 Fix pre/post scripts in the rpm spec file.
--- a/configure.in Tue Sep 18 09:54:22 2007 -0700 +++ b/configure.in Thu Nov 08 10:52:56 2007 -0800 @@ -1,6 +1,6 @@ AC_PREREQ(2.59) -AC_INIT(syslog2iptables,1.7,carl@five-ten-sg.com) +AC_INIT(syslog2iptables,1.8,carl@five-ten-sg.com) AC_CONFIG_SRCDIR([config.h.in]) AC_CONFIG_HEADER([config.h])
--- a/src/syslog2iptables.cpp Tue Sep 18 09:54:22 2007 -0700 +++ b/src/syslog2iptables.cpp Thu Nov 08 10:52:56 2007 -0800 @@ -1,22 +1,11 @@ -/*************************************************************************** - * Copyright (C) 2005 by 510 Software Group * - * * - * * - * This program is free software; you can redistribute it and/or modify * - * it under the terms of the GNU General Public License as published by * - * the Free Software Foundation; either version 2 of the License, or * - * (at your option) any later version. * - * * - * This program is distributed in the hope that it will be useful, * - * but WITHOUT ANY WARRANTY; without even the implied warranty of * - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * - * GNU General Public License for more details. * - * * - * You should have received a copy of the GNU General Public License * - * along with this program; if not, write to the * - * Free Software Foundation, Inc., * - * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - ***************************************************************************/ +/* + +Copyright (c) 2007 Carl Byington - 510 Software Group, released under +the GPL version 3 or any later version at your choice available at +http://www.gnu.org/licenses/gpl-3.0.txt + +*/ + // debug levels: // 4 - show syslog lines that match regex @@ -37,7 +26,8 @@ static char* syslog2iptables_version = "$Id$"; extern "C" { - void sig_chld(int signo); + void sigchld(int sig); + void sigterm(int sig); } int debug_syslog = 0; bool syslog_opened = false; 
@@ -94,13 +84,11 @@ //////////////////////////////////////////////// // thread to watch the old config files for changes -// and reload when needed. we also cleanup old -// configs whose reference count has gone to zero. +// and reload when needed. // void* config_loader(void *arg); void* config_loader(void *arg) { typedef set<CONFIG *> configp_set; - configp_set old_configs; while (loader_run) { sleep(180); // look for modifications every 3 minutes if (!loader_run) break; @@ -119,10 +107,8 @@ if (newc) { // replace the global config pointer pthread_mutex_lock(&config_mutex); - CONFIG *old = config; config = newc; pthread_mutex_unlock(&config_mutex); - if (old) old_configs.insert(old); } else { // failed to load new config @@ -132,30 +118,16 @@ dc.load_time = time(NULL); } } - // now look for old configs with zero ref counts - for (configp_set::iterator i=old_configs.begin(); i!=old_configs.end(); ) { - CONFIG *old = *i; - if (!old->reference_count) { - if (debug_syslog) { - char buf[maxlen]; - snprintf(buf, sizeof(buf), "freeing memory for old configuration generation %d", old->generation); - my_syslog(buf); - } - delete old; // destructor does all the work - old_configs.erase(i++); - } - else i++; - } } return NULL; } //////////////////////////////////////////////// -// The signal handler function -- only gets called when a SIGCHLD -// is received, ie when a child terminates +// The signal handler function for child process terminations, +// called when a child terminates. // -void sig_chld(int signo) +void sigchld(int sig) { int status; /* Wait for any child without blocking */ @@ -165,6 +137,17 @@ } +//////////////////////////////////////////////// +// The termination signal handler function, called to +// request termination of this process. +// +void sigterm(int sig) +{ + loader_run = false; + signal(sig, SIG_DFL); // quit on repeated signals +} + + void usage(char *prog); void usage(char *prog) { 
@@ -183,17 +166,26 @@ c = config; c->reference_count++; pthread_mutex_unlock(&config_mutex); - while (true) { + while (loader_run) { if (c != config) { pthread_mutex_lock(&config_mutex); - c->reference_count--; - c = config; - c->reference_count++; + CONFIG *old = c; old->reference_count--; + c = config; c->reference_count++; pthread_mutex_unlock(&config_mutex); + if (!old->reference_count) { + if (debug_syslog) { + char buf[maxlen]; + snprintf(buf, sizeof(buf), "freeing memory for old configuration generation %d", old->generation); + my_syslog(buf); + } + delete old; // destructor does all the work + } } c->read(); c->sleep(2, t); } + // worker shutting down, free all ip addresses + c->free_all(); } @@ -265,6 +257,11 @@ fclose(f); } + // setup signal handler for termination signals + signal(SIGHUP, sigterm); + signal(SIGTERM, sigterm); + signal(SIGINT, sigterm); + // initialize the thread sync objects pthread_mutex_init(&config_mutex, 0); pthread_mutex_init(&syslog_mutex, 0); @@ -278,7 +275,7 @@ // setup sigchld handler to prevent zombies struct sigaction act; - act.sa_handler = sig_chld; // Assign sig_chld as our SIGCHLD handler + act.sa_handler = sigchld; // Assign sig_chld as our SIGCHLD handler sigemptyset(&act.sa_mask); // We don't want to block any other signals in this example act.sa_flags = SA_NOCLDSTOP; // only want children that have terminated if (sigaction(SIGCHLD, &act, NULL) < 0) {
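Review bot: The shutdown flag `loader_run` is written from the `sigterm` handler and polled by the worker loop `while (loader_run)` and by `config_loader`, but its declaration is outside these hunks; unless it is already `volatile sig_atomic_t` (or an atomic), the compiler is free to hoist the load out of the loop and the process never notices the signal. Declare it as `volatile sig_atomic_t loader_run;` (a `std::atomic<bool>` would also cover the cross-thread visibility). In the worker loop, whose enclosing function starts outside the hunk, `old->reference_count` is decremented under `config_mutex` but tested after the unlock; if more than one thread runs this loop, another worker can delete `old` between the unlock and the test, so capture the result inside the critical section, e.g. `bool last = (--old->reference_count == 0);` and delete only when `last`. The same caveat applies to `c->free_all()` after the loop, which walks and clears the shared CONFIG's violation map with no lock and is only safe if a single thread reaches it. The SIGCHLD hunk's comment still says `sig_chld` after the handler was renamed to `sigchld`.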
--- a/src/syslog2iptables.h Tue Sep 18 09:54:22 2007 -0700 +++ b/src/syslog2iptables.h Thu Nov 08 10:52:56 2007 -0800 @@ -1,22 +1,10 @@ -/*************************************************************************** - * Copyright (C) 2005 by 510 Software Group * - * * - * * - * This program is free software; you can redistribute it and/or modify * - * it under the terms of the GNU General Public License as published by * - * the Free Software Foundation; either version 2 of the License, or * - * (at your option) any later version. * - * * - * This program is distributed in the hope that it will be useful, * - * but WITHOUT ANY WARRANTY; without even the implied warranty of * - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * - * GNU General Public License for more details. * - * * - * You should have received a copy of the GNU General Public License * - * along with this program; if not, write to the * - * Free Software Foundation, Inc., * - * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - ***************************************************************************/ +/* + +Copyright (c) 2007 Carl Byington - 510 Software Group, released under +the GPL version 3 or any later version at your choice available at +http://www.gnu.org/licenses/gpl-3.0.txt + +*/ void my_syslog(char *text); extern int debug_syslog;
--- a/src/syslogconfig.cpp Tue Sep 18 09:54:22 2007 -0700 +++ b/src/syslogconfig.cpp Thu Nov 08 10:52:56 2007 -0800 @@ -1,22 +1,10 @@ -/*************************************************************************** - * Copyright (C) 2005 by 510 Software Group * - * * - * * - * This program is free software; you can redistribute it and/or modify * - * it under the terms of the GNU General Public License as published by * - * the Free Software Foundation; either version 2 of the License, or * - * (at your option) any later version. * - * * - * This program is distributed in the hope that it will be useful, * - * but WITHOUT ANY WARRANTY; without even the implied warranty of * - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * - * GNU General Public License for more details. * - * * - * You should have received a copy of the GNU General Public License * - * along with this program; if not, write to the * - * Free Software Foundation, Inc., * - * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - ***************************************************************************/ +/* + +Copyright (c) 2007 Carl Byington - 510 Software Group, released under +the GPL version 3 or any later version at your choice available at +http://www.gnu.org/licenses/gpl-3.0.txt + +*/ #include "includes.h" #include <fcntl.h> @@ -65,6 +53,7 @@ public: void add(int ip, int amount, CONFIG &con, char *file_name, int pattern_index, char *message); void leak(int amount, CONFIG &con); + void free_all(CONFIG &con); void update(int ip, bool added, char *file_name, int pattern_index, char *message); void changed(CONFIG &con, int ip, bool added); }; 
@@ -123,6 +112,19 @@ } +void IPR::free_all(CONFIG &con) { + for (ip_buckets::iterator i=violations.begin(); i!=violations.end(); i++) { + int ip = (*i).first; + bucket &b = (*i).second; + if (b.latch) { + update(ip, false, NULL, 0, NULL); + changed(con, ip, false); + } + } + violations.clear(); +} + + void IPR::update(int ip, bool added, char *file_name, int pattern_index, char *message) { if (debug_syslog > 2) { char buf[maxlen]; @@ -310,6 +312,10 @@ } +void CONFIG::free_all() { + recorder.free_all(*this); +} + bool CONFIG::looking(int ip) { for (ippair_list::iterator i=ignore.begin(); i!=ignore.end(); i++) { IPPAIR &p = *i;
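Review bot: `IPR::free_all` calls `update(ip, false, NULL, 0, NULL)` for every latched bucket, but `IPR::update` takes `file_name` and `message` as `char *` and its visible debug branch builds a message into `buf`; if that snprintf formats either pointer with `%s`, the NULL is undefined behaviour (glibc happens to print "(null)", other libcs crash), and `update`'s body continues outside the hunk so this cannot be confirmed here. Pass empty strings, `update(ip, false, "", 0, "");`, or have `update` substitute a placeholder whenever a pointer is null. A comment above `free_all` would also help, stating that it is a shutdown-only path: it calls `changed(con, ip, false)` for every latched address (presumably the iptables delete) and then discards all violation history via `violations.clear()`, so nothing is retained across a restart.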
--- a/src/syslogconfig.h Tue Sep 18 09:54:22 2007 -0700 +++ b/src/syslogconfig.h Thu Nov 08 10:52:56 2007 -0800 @@ -1,22 +1,10 @@ -/*************************************************************************** - * Copyright (C) 2005 by 510 Software Group * - * * - * * - * This program is free software; you can redistribute it and/or modify * - * it under the terms of the GNU General Public License as published by * - * the Free Software Foundation; either version 2 of the License, or * - * (at your option) any later version. * - * * - * This program is distributed in the hope that it will be useful, * - * but WITHOUT ANY WARRANTY; without even the implied warranty of * - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * - * GNU General Public License for more details. * - * * - * You should have received a copy of the GNU General Public License * - * along with this program; if not, write to the * - * Free Software Foundation, Inc., * - * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - ***************************************************************************/ +/* + +Copyright (c) 2007 Carl Byington - 510 Software Group, released under +the GPL version 3 or any later version at your choice available at +http://www.gnu.org/licenses/gpl-3.0.txt + +*/ class SYSLOGCONFIG; @@ -93,6 +81,7 @@ void dump(); void read(); void sleep(int duration, time_t &previous); + void free_all(); bool looking(int ip); };
--- a/src/tokenizer.cpp Tue Sep 18 09:54:22 2007 -0700 +++ b/src/tokenizer.cpp Thu Nov 08 10:52:56 2007 -0800 @@ -1,22 +1,10 @@ -/*************************************************************************** - * Copyright (C) 2005 by 510 Software Group * - * * - * * - * This program is free software; you can redistribute it and/or modify * - * it under the terms of the GNU General Public License as published by * - * the Free Software Foundation; either version 2 of the License, or * - * (at your option) any later version. * - * * - * This program is distributed in the hope that it will be useful, * - * but WITHOUT ANY WARRANTY; without even the implied warranty of * - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * - * GNU General Public License for more details. * - * * - * You should have received a copy of the GNU General Public License * - * along with this program; if not, write to the * - * Free Software Foundation, Inc., * - * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - ***************************************************************************/ +/* + +Copyright (c) 2007 Carl Byington - 510 Software Group, released under +the GPL version 3 or any later version at your choice available at +http://www.gnu.org/licenses/gpl-3.0.txt + +*/ #include "includes.h"
--- a/src/tokenizer.h Tue Sep 18 09:54:22 2007 -0700 +++ b/src/tokenizer.h Thu Nov 08 10:52:56 2007 -0800 @@ -1,23 +1,10 @@ -/*************************************************************************** - * Copyright (C) 2005 by 510 Software Group * - * * - * * - * This program is free software; you can redistribute it and/or modify * - * it under the terms of the GNU General Public License as published by * - * the Free Software Foundation; either version 2 of the License, or * - * (at your option) any later version. * - * * - * This program is distributed in the hope that it will be useful, * - * but WITHOUT ANY WARRANTY; without even the implied warranty of * - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * - * GNU General Public License for more details. * - * * - * You should have received a copy of the GNU General Public License * - * along with this program; if not, write to the * - * Free Software Foundation, Inc., * - * 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * - ***************************************************************************/ +/* +Copyright (c) 2007 Carl Byington - 510 Software Group, released under +the GPL version 3 or any later version at your choice available at +http://www.gnu.org/licenses/gpl-3.0.txt + +*/ using namespace std;
--- a/syslog2iptables.rc.in Tue Sep 18 09:54:22 2007 -0700 +++ b/syslog2iptables.rc.in Thu Nov 08 10:52:56 2007 -0800 @@ -51,19 +51,15 @@ ;; restart|reload) $0 stop - $0 flush $0 start RETVAL=$? ;; - flush) - /sbin/iptables -F INPUT - ;; status) status syslog2iptables RETVAL=$? ;; *) - echo "Usage: syslog2iptables {start|stop|restart|status|flush}" + echo "Usage: syslog2iptables {start|stop|restart|reload|status}" exit 1 esac exit $RETVAL
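Review bot: Removing the `flush` target leaves no way to clean up after an abnormal exit: `free_all` only runs on a caught SIGTERM/SIGINT/SIGHUP, so a SIGKILL, an OOM kill or a crash leaves the daemon's INPUT entries in place until someone removes them by hand. Rather than dropping the target outright, keep a cleanup action that removes only the rules this daemon added (the old `/sbin/iptables -F INPUT` also wiped every unrelated rule in the chain, which is presumably why it was removed), or document in the script that manual cleanup is required after an unclean stop. Also, `restart` now runs `$0 start` immediately after `$0 stop`; `stop` is outside the hunk, but if it returns before the old process has finished its free_all pass, the new daemon's rule additions and the old one's deletions can interleave.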
--- a/xml/syslog2iptables.in Tue Sep 18 09:54:22 2007 -0700 +++ b/xml/syslog2iptables.in Thu Nov 08 10:52:56 2007 -0800 @@ -11,7 +11,7 @@ <refentry id="@PACKAGE@.1"> <refentryinfo> - <date>2007-09-09</date> + <date>2007-11-08</date> </refentryinfo> <refmeta> @@ -151,7 +151,7 @@ <refentry id="@PACKAGE@.conf.5"> <refentryinfo> - <date>2007-09-09</date> + <date>2007-11-08</date> </refentryinfo> <refmeta>