From 0ac86a5b267c3e049eb6370bd62a61359f151dfd Mon Sep 17 00:00:00 2001
From: Gandalf
Date: Fri, 12 Apr 2019 00:54:43 +0800
Subject: [PATCH 1/2] Added nftables support
---
 iptablespush.c | 32 +++++++++++++++++++++++++-------
 ttl_iptables.c | 9 +++++++++
 2 files changed, 34 insertions(+), 7 deletions(-)
diff --git a/iptablespush.c b/iptablespush.c
index a77a1b1..88a87d9 100644
--- a/iptablespush.c
+++ b/iptablespush.c
@@ -77,6 +77,10 @@ int DROP_Insert_RedisCommand(RedisModuleCtx *ctx, RedisModuleString **argv, int
 static char insert_command[256];
 sprintf(insert_command, " pfctl -t block_ip -T add %s",
 RedisModule_StringPtrLen(argv[1], NULL));
+#elif WITH_NFTABLES
+ static char insert_command[256];
+ sprintf(insert_command, "nft insert rule ip redis INPUT ip saddr %s drop",
+ RedisModule_StringPtrLen(argv[1], NULL));
 #else
 static char check_command[256], insert_command[256];
 char tmp_buf[4096];
@@ -87,7 +91,7 @@ int DROP_Insert_RedisCommand(RedisModuleCtx *ctx, RedisModuleString **argv, int
 #endif
 printf("%s || %s\n", RedisModule_StringPtrLen(argv[0], NULL),
 RedisModule_StringPtrLen(argv[1], NULL));
-#if defined (WITH_IPSET) || defined (BSD)
+#if defined (WITH_IPSET) || defined (BSD) || defined (WITH_NFTABLES)
 fd = execute_popen(&pid, insert_command);
 redis_waitpid(pid);
 close(fd);
@@ -121,7 +125,10 @@ int DROP_Delete_RedisCommand(RedisModuleCtx *ctx, RedisModuleString **argv, int
 sprintf(insert_command, "ipset del block_ip %s",
 RedisModule_StringPtrLen(argv[1], NULL));
 #elif BSD
- sprintf(insert_command, " pfctl -t block_ip -T delete %s",
+ sprintf(insert_command, "pfctl -t block_ip -T delete %s",
+ RedisModule_StringPtrLen(argv[1], NULL));
+#elif WITH_NFTABLES
+ sprintf(insert_command, "nft delete rule redis INPUT `nft list table ip redis --handle --numeric |grep -m1 \"ip saddr %s drop\"|grep -oe \"handle [0-9]*\"`",
 RedisModule_StringPtrLen(argv[1], NULL));
 #else
 sprintf(insert_command, "iptables -D INPUT -s %s -j DROP",
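Review bot: The nftables insert at @@ -77 copies argv[1] straight from the Redis client into the command string that execute_popen later runs, with no check that it is an address, and the sprintf into the 256-byte insert_command is unbounded, so an over-long or shell-significant argument reaches the shell unchecked; the ipset and pf branches share this, but the hunk extends it to a third backend. Before the sprintf I would do `const char *ip = RedisModule_StringPtrLen(argv[1], NULL); struct in_addr a; if (inet_pton(AF_INET, ip, &a) != 1) { /* reply with an error and return */ }` (needs <arpa/inet.h>) and switch to snprintf with its return checked against sizeof insert_command. Unlike the iptables #else branch, which declares a check_command presumably used to detect an already-present rule, the nft branch inserts unconditionally, so repeated calls for one address pile up duplicate rules that the delete path's grep -m1 removes only one at a time. The same applies to ACCEPT_Insert at @@ -155 and TTL_DROP_Insert at @@ -239. DROP_Insert_RedisCommand begins and ends outside the hunk.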
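Review bot: The nftables delete at @@ -121 relies on the shell performing backtick command substitution around a second nft call and two greps, so the argv[1] text is parsed by the shell inside a double-quoted grep pattern, and when grep matches nothing the substitution is empty and `nft delete rule redis INPUT` runs with no handle; the hunk only waits on the child, so that failure is never reported to the caller. Since the template is already roughly 120 bytes and insert_command is declared outside this hunk, the unbounded sprintf also leaves little headroom for the argument; validating the address with inet_pton and using snprintf with a checked return, as in the insert path, closes both, and a cleaner shape is to run `nft --handle --numeric list chain ip redis INPUT` through execute_popen, parse the handle in C, and issue the delete with only the parsed number so no client-supplied text is interpreted by a shell. The same construct appears in ACCEPT_Delete at @@ -201 and in ttl_iptables.c main() at @@ -250. The delete also names the table without the `ip` family that the insert uses; nft defaults to ip, but `nft delete rule ip redis INPUT ...` keeps the two paths symmetric. DROP_Delete_RedisCommand begins and ends outside the hunk.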
@@ -155,7 +162,11 @@ int ACCEPT_Insert_RedisCommand(RedisModuleCtx *ctx, RedisModuleString **argv, in
 RedisModule_StringPtrLen(argv[1], NULL));
 #elif BSD
 static char insert_command[256];
- sprintf(insert_command, " pfctl -t allow_ip -T add %s",
+ sprintf(insert_command, "pfctl -t allow_ip -T add %s",
+ RedisModule_StringPtrLen(argv[1], NULL));
+#elif WITH_NFTABLES
+ static char insert_command[256];
+ sprintf(insert_command, "nft insert rule ip redis INPUT ip saddr %s accept",
 RedisModule_StringPtrLen(argv[1], NULL));
 #else
 char tmp_buf[4096];
@@ -167,7 +178,7 @@ int ACCEPT_Insert_RedisCommand(RedisModuleCtx *ctx, RedisModuleString **argv, in
 #endif
 printf("%s || %s\n", RedisModule_StringPtrLen(argv[0], NULL),
 RedisModule_StringPtrLen(argv[1], NULL));
-#if defined (WITH_IPSET) || defined (BSD)
+#if defined (WITH_IPSET) || defined (BSD) || defined (WITH_NFTABLES)
 fd = execute_popen(&pid, insert_command);
 redis_waitpid(pid);
 close(fd);
@@ -201,7 +212,10 @@ int ACCEPT_Delete_RedisCommand(RedisModuleCtx *ctx, RedisModuleString **argv, in
 sprintf(insert_command, "ipset del allow_ip %s",
 RedisModule_StringPtrLen(argv[1], NULL));
 #elif BSD
- sprintf(insert_command, " pfctl -t allow_ip -T delete %s",
+ sprintf(insert_command, "pfctl -t allow_ip -T delete %s",
+ RedisModule_StringPtrLen(argv[1], NULL));
+#elif WITH_NFTABLES
+ sprintf(insert_command, "nft delete rule redis INPUT `nft list table ip redis --handle --numeric |grep -m1 \"ip saddr %s accept\"|grep -oe \"handle [0-9]*\"`",
 RedisModule_StringPtrLen(argv[1], NULL));
 #else
 sprintf(insert_command, "iptables -D INPUT -s %s -j ACCEPT",
@@ -239,7 +253,11 @@ int TTL_DROP_Insert_RedisCommand(RedisModuleCtx *ctx, RedisModuleString **argv,
 RedisModule_StringPtrLen(argv[1], NULL));
 #elif BSD
 static char insert_command[256];
- sprintf(insert_command, " pfctl -t block_ip -T add %s",
+ sprintf(insert_command, "pfctl -t block_ip -T add %s",
+ RedisModule_StringPtrLen(argv[1], NULL));
+#elif WITH_NFTABLES
+ static char insert_command[256];
+ sprintf(insert_command, "nft insert rule ip redis INPUT ip saddr %s drop",
 RedisModule_StringPtrLen(argv[1], NULL));
 #else
 static char check_command[256], insert_command[256];
@@ -251,7 +269,7 @@ int TTL_DROP_Insert_RedisCommand(RedisModuleCtx *ctx, RedisModuleString **argv,
 #endif
 printf("%s || %s\n", RedisModule_StringPtrLen(argv[0], NULL),
 RedisModule_StringPtrLen(argv[1], NULL));
-#if defined (WITH_IPSET) || defined (BSD)
+#if defined (WITH_IPSET) || defined (BSD) || defined (WITH_NFTABLES)
 fd = execute_popen(&pid, insert_command);
 redis_waitpid(pid);
 close(fd);
diff --git a/ttl_iptables.c b/ttl_iptables.c
index 009e5d5..e51d957 100644
--- a/ttl_iptables.c
+++ b/ttl_iptables.c
@@ -250,6 +250,9 @@ int main(int argc, char **argv) {
 #elif BSD
 sprintf(insert_command, "pfctl -t block_ip -T del %s",
 reply->element[3]->str);
+#elif WITH_NFTABLES
+ sprintf(insert_command, "nft delete rule redis INPUT `nft list table ip redis --handle --numeric |grep -m1 \"ip saddr %s drop\"|grep -oe \"handle [0-9]*\"`",
+ reply->element[3]->str);
 #else
 sprintf(insert_command, "iptables -D INPUT -s %s -j DROP",
 reply->element[3]->str);
@@ -268,6 +271,12 @@ int main(int argc, char **argv) {
 loc_time->tm_year + 1900, loc_time->tm_mon + 1, loc_time->tm_mday, loc_time->tm_hour,
 loc_time->tm_min, loc_time->tm_sec, __progname, getpid(),
 reply->element[3]->str);
+#elif WITH_NFTABLES
+ sprintf(msg,
+ "%04d/%02d/%02d %02d:%02d:%02d %s pid=%d nft delete rule redis INPUT `nft list table ip redis --handle --numeric |grep -m1 \"ip saddr %s drop\"|grep -oe \"handle [0-9]*\"`\n",
+ loc_time->tm_year + 1900, loc_time->tm_mon + 1, loc_time->tm_mday, loc_time->tm_hour,
+ loc_time->tm_min, loc_time->tm_sec, __progname, getpid(),
+ reply->element[3]->str);
 #else
 sprintf(msg,
 "%04d/%02d/%02d %02d:%02d:%02d %s pid=%d iptables -D INPUT -s %s -j DROP\n",
From 3b43195cfb90ad67ac517efbe34847391eba5ed1 Mon Sep 17 00:00:00 2001
From: Gandalf
Date: Fri, 12 Apr 2019 01:10:28 +0800
Subject: [PATCH 2/2] Update README.md
---
 README.md | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index cc50dda..8035f7e 100644
--- a/README.md
+++ b/README.md
@@ -15,7 +15,7 @@ content
 ## Requirements
 1. Redis4.0+
-2. iptables or pfctl
+2. iptables `or pf or nftables`
 3. gcc
 4. make
@@ -140,10 +140,10 @@ ACCEPT all -- 192.168.188.8 0.0.0.0/0
 #2:
 git clone https://github.com/limithit/RedisPushIptables.git
 cd RedisPushIptables
- make #OR make CFLAGS=-DWITH_IPSET
+ make #OR make CFLAGS=-DWITH_IPSET #OR make CFLAGS=-DWITH_NFTABLES
 make install
 ```
-If you need to enable ipset, you must configure the following settings
+* If you need to enable ipset, you must configure the following settings
 ```
 #ipset create block_ip hash:ip timeout 60 hashsize 4096 maxelem 10000000
 #iptables -I INPUT -m set --match-set block_ip src -j DROP
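Review bot: The nftables log line at @@ -268 is produced by an unbounded sprintf into msg, which is declared outside this hunk, and its template is roughly 90 bytes longer than the iptables message it mirrors, so a buffer that was sized for the old line plus reply->element[3]->str may now be too small in this branch alone. `snprintf(msg, sizeof msg, ...)` with the result compared against sizeof msg is the minimal fix; if msg is not an array, pass its known length instead. Since reply->element[3]->str is also what the @@ -250 hunk hands to execute_popen, a single address validation (inet_pton) before both uses covers the log and the command together. main() begins and ends outside the hunk.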
@@ -152,6 +152,11 @@ If you need to enable ipset, you must configure the following settings ``` The `timeout` parameter and `ttl_drop_insert` parameter has the same effect. If the `timeout` parameter is configured, ipset is used to implement periodic deletion. If the `timeout` parameter is not configured, it is periodic deletion used `ttl_drop_insert`. +* If you need to enable nftables, you must configure the following settings +``` +#nft add table redis +#nft add chain redis INPUT \{ type filter hook input priority 0\; policy accept\; \} +``` #### Installing Packages on BSD and MacOS ``` #1: Compile hiredis