Merge pull request #7 from limithit/limithit-patch-nftables
Limithit patch nftables
limithit authored Apr 11, 2019
2 parents 7fb318f + 3b43195 commit addc719
Showing 3 changed files with 42 additions and 10 deletions.
11 changes: 8 additions & 3 deletions README.md
Expand Up @@ -15,7 +15,7 @@ content
## Requirements

1. Redis4.0+
2. iptables or pfctl
2. iptables `or pf or nftables`
3. gcc
4. make

Expand Down Expand Up @@ -140,10 +140,10 @@ ACCEPT all -- 192.168.188.8 0.0.0.0/0
#2: git clone https://github.com/limithit/RedisPushIptables.git
cd RedisPushIptables
make #OR make CFLAGS=-DWITH_IPSET
make #OR make CFLAGS=-DWITH_IPSET #OR make CFLAGS=-DWITH_NFTABLES
make install
```
If you need to enable ipset, you must configure the following settings
* If you need to enable ipset, you must configure the following settings
```
#ipset create block_ip hash:ip timeout 60 hashsize 4096 maxelem 10000000
#iptables -I INPUT -m set --match-set block_ip src -j DROP
Expand All @@ -152,6 +152,11 @@ If you need to enable ipset, you must configure the following settings
```
The `timeout` parameter and `ttl_drop_insert` parameter has the same effect. If the `timeout` parameter is configured, ipset is used to implement periodic deletion. If the `timeout` parameter is not configured, it is periodic deletion used `ttl_drop_insert`.

* If you need to enable nftables, you must configure the following settings
```
#nft add table redis
#nft add chain redis INPUT \{ type filter hook input priority 0\; policy accept\; \}
```
#### Installing Packages on BSD and MacOS
```
#1: Compile hiredis
32 changes: 25 additions & 7 deletions iptablespush.c
Expand Up @@ -77,6 +77,10 @@ int DROP_Insert_RedisCommand(RedisModuleCtx *ctx, RedisModuleString **argv, int
static char insert_command[256];
sprintf(insert_command, " pfctl -t block_ip -T add %s",
RedisModule_StringPtrLen(argv[1], NULL));
#elif WITH_NFTABLES
static char insert_command[256];
sprintf(insert_command, "nft insert rule ip redis INPUT ip saddr %s drop",
RedisModule_StringPtrLen(argv[1], NULL));
#else
static char check_command[256], insert_command[256];
char tmp_buf[4096];
Expand All @@ -87,7 +91,7 @@ int DROP_Insert_RedisCommand(RedisModuleCtx *ctx, RedisModuleString **argv, int
#endif
printf("%s || %s\n", RedisModule_StringPtrLen(argv[0], NULL),
RedisModule_StringPtrLen(argv[1], NULL));
#if defined (WITH_IPSET) || defined (BSD)
#if defined (WITH_IPSET) || defined (BSD) || defined (WITH_NFTABLES)
fd = execute_popen(&pid, insert_command);
redis_waitpid(pid);
close(fd);
Expand Down Expand Up @@ -121,7 +125,10 @@ int DROP_Delete_RedisCommand(RedisModuleCtx *ctx, RedisModuleString **argv, int
sprintf(insert_command, "ipset del block_ip %s",
RedisModule_StringPtrLen(argv[1], NULL));
#elif BSD
sprintf(insert_command, " pfctl -t block_ip -T delete %s",
sprintf(insert_command, "pfctl -t block_ip -T delete %s",
RedisModule_StringPtrLen(argv[1], NULL));
#elif WITH_NFTABLES
sprintf(insert_command, "nft delete rule redis INPUT `nft list table ip redis --handle --numeric |grep -m1 \"ip saddr %s drop\"|grep -oe \"handle [0-9]*\"`",
RedisModule_StringPtrLen(argv[1], NULL));
#else
sprintf(insert_command, "iptables -D INPUT -s %s -j DROP",
Expand Down Expand Up @@ -155,7 +162,11 @@ int ACCEPT_Insert_RedisCommand(RedisModuleCtx *ctx, RedisModuleString **argv, in
RedisModule_StringPtrLen(argv[1], NULL));
#elif BSD
static char insert_command[256];
sprintf(insert_command, " pfctl -t allow_ip -T add %s",
sprintf(insert_command, "pfctl -t allow_ip -T add %s",
RedisModule_StringPtrLen(argv[1], NULL));
#elif WITH_NFTABLES
static char insert_command[256];
sprintf(insert_command, "nft insert rule ip redis INPUT ip saddr %s accept",
RedisModule_StringPtrLen(argv[1], NULL));
#else
char tmp_buf[4096];
Expand All @@ -167,7 +178,7 @@ int ACCEPT_Insert_RedisCommand(RedisModuleCtx *ctx, RedisModuleString **argv, in
#endif
printf("%s || %s\n", RedisModule_StringPtrLen(argv[0], NULL),
RedisModule_StringPtrLen(argv[1], NULL));
#if defined (WITH_IPSET) || defined (BSD)
#if defined (WITH_IPSET) || defined (BSD) || defined (WITH_NFTABLES)
fd = execute_popen(&pid, insert_command);
redis_waitpid(pid);
close(fd);
Expand Down Expand Up @@ -201,7 +212,10 @@ int ACCEPT_Delete_RedisCommand(RedisModuleCtx *ctx, RedisModuleString **argv, in
sprintf(insert_command, "ipset del allow_ip %s",
RedisModule_StringPtrLen(argv[1], NULL));
#elif BSD
sprintf(insert_command, " pfctl -t allow_ip -T delete %s",
sprintf(insert_command, "pfctl -t allow_ip -T delete %s",
RedisModule_StringPtrLen(argv[1], NULL));
#elif WITH_NFTABLES
sprintf(insert_command, "nft delete rule redis INPUT `nft list table ip redis --handle --numeric |grep -m1 \"ip saddr %s accept\"|grep -oe \"handle [0-9]*\"`",
RedisModule_StringPtrLen(argv[1], NULL));
#else
sprintf(insert_command, "iptables -D INPUT -s %s -j ACCEPT",
Expand Down Expand Up @@ -239,7 +253,11 @@ int TTL_DROP_Insert_RedisCommand(RedisModuleCtx *ctx, RedisModuleString **argv,
RedisModule_StringPtrLen(argv[1], NULL));
#elif BSD
static char insert_command[256];
sprintf(insert_command, " pfctl -t block_ip -T add %s",
sprintf(insert_command, "pfctl -t block_ip -T add %s",
RedisModule_StringPtrLen(argv[1], NULL));
#elif WITH_NFTABLES
static char insert_command[256];
sprintf(insert_command, "nft insert rule ip redis INPUT ip saddr %s drop",
RedisModule_StringPtrLen(argv[1], NULL));
#else
static char check_command[256], insert_command[256];
Expand All @@ -251,7 +269,7 @@ int TTL_DROP_Insert_RedisCommand(RedisModuleCtx *ctx, RedisModuleString **argv,
#endif
printf("%s || %s\n", RedisModule_StringPtrLen(argv[0], NULL),
RedisModule_StringPtrLen(argv[1], NULL));
#if defined (WITH_IPSET) || defined (BSD)
#if defined (WITH_IPSET) || defined (BSD) || defined (WITH_NFTABLES)
fd = execute_popen(&pid, insert_command);
redis_waitpid(pid);
close(fd);
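Review bot: The new `#elif WITH_NFTABLES` branch of DROP_Delete_RedisCommand (hunk at -121,7 +125,10) passes argv[1] straight from the client into a backtick command substitution through an unbounded `sprintf` into the 256-byte static `insert_command`; the nft/grep pipeline's fixed text is roughly 125 bytes, so an argument longer than the remaining headroom overruns the buffer before the string ever reaches the shell that the backticks require. The same construction appears in ACCEPT_Delete_RedisCommand in this file and in both `#elif WITH_NFTABLES` branches of ttl_iptables.c. Validate the argument as an address before it is spliced into any command — e.g. `struct in_addr a; if (inet_pton(AF_INET, ip, &a) != 1) return RedisModule_ReplyWithError(ctx, "ERR invalid address");` — and use `snprintf(insert_command, sizeof insert_command, ...)` with a truncation check (`n < 0 || (size_t)n >= sizeof insert_command`). Whether a check earlier in the function already constrains argv[1] is not visible in the hunk; if one exists, a one-line comment naming it at the `#elif WITH_NFTABLES` line would spare the next reader the search. Minor: the insert commands name the family (`nft insert rule ip redis INPUT`) while the delete commands omit it (`nft delete rule redis INPUT`); spelling `ip` in both keeps the two paths consistent.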
9 changes: 9 additions & 0 deletions ttl_iptables.c
Expand Up @@ -250,6 +250,9 @@ int main(int argc, char **argv) {
#elif BSD
sprintf(insert_command, "pfctl -t block_ip -T del %s",
reply->element[3]->str);
#elif WITH_NFTABLES
sprintf(insert_command, "nft delete rule redis INPUT `nft list table ip redis --handle --numeric |grep -m1 \"ip saddr %s drop\"|grep -oe \"handle [0-9]*\"`",
reply->element[3]->str);
#else
sprintf(insert_command, "iptables -D INPUT -s %s -j DROP",
reply->element[3]->str);
Expand All @@ -268,6 +271,12 @@ int main(int argc, char **argv) {
loc_time->tm_year + 1900, loc_time->tm_mon + 1, loc_time->tm_mday, loc_time->tm_hour,
loc_time->tm_min, loc_time->tm_sec, __progname, getpid(),
reply->element[3]->str);
#elif WITH_NFTABLES
sprintf(msg,
"%04d/%02d/%02d %02d:%02d:%02d %s pid=%d nft delete rule redis INPUT `nft list table ip redis --handle --numeric |grep -m1 \"ip saddr %s drop\"|grep -oe \"handle [0-9]*\"`\n",
loc_time->tm_year + 1900, loc_time->tm_mon + 1, loc_time->tm_mday, loc_time->tm_hour,
loc_time->tm_min, loc_time->tm_sec, __progname, getpid(),
reply->element[3]->str);
#else
sprintf(msg,
"%04d/%02d/%02d %02d:%02d:%02d %s pid=%d iptables -D INPUT -s %s -j DROP\n",
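Review bot: The `WITH_NFTABLES` log line in the second hunk (-268,6 +271,12) repeats the entire nft/grep pipeline verbatim inside a second `sprintf` into `msg`, so the executed command and the logged command are two hand-maintained copies that can silently drift, and `msg`'s size is not visible here to confirm the much longer format still fits. Since `insert_command` is built a few lines earlier in the same `main` (its start is outside the hunk), log that buffer instead: `"%04d/%02d/%02d %02d:%02d:%02d %s pid=%d %s\n", ..., __progname, getpid(), insert_command` — then the log always shows exactly what ran and the per-backend `#elif` for the log message disappears. Both `sprintf` calls in this file should also become `snprintf` with `sizeof` bounds, for the same reason noted on iptablespush.c.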
