v4

This reverts commit dc8f37e41f.

This message can print on a normal and legitimate user when they
disconnect, and therefore would be a false positive. We should
100% never get close to blocking legitimate users, ever.

configure.ac

@@ -2,7 +2,7 @@
 # Process this file with autoconf to produce a configure script.
 
 AC_PREREQ([2.64])
-AC_INIT([tallow], [3], [auke-jan.h.kok@intel.com])
+AC_INIT([tallow], [4], [auke-jan.h.kok@intel.com])
 AM_INIT_AUTOMAKE([])
 AC_CONFIG_FILES([Makefile])
 

tallow.c

@@ -15,6 +15,7 @@
 #include <stdio.h>
 #include <string.h>
 #include <stdarg.h>
+#include <stdbool.h>
 #include <signal.h>
 #include <unistd.h>
 #include <limits.h>
@@ -69,11 +70,47 @@ static void ext_ignore(char *fmt, ...)
 	__attribute__((unused)) int ret = system(cmd);
 }
 
+static void setup(void)
+{
+	static bool done = false;
+	if (done)
+		return;
+	done = true;
+
+	/* init ipset and iptables */
+	/* delete iptables ref to set before the ipset! */
+	ext_ignore("%s/iptables -t filter -D INPUT -m set --match-set tallow src -j DROP 2> /dev/null", ipt_path);
+	ext_ignore("%s/ipset destroy tallow 2> /dev/null", ipt_path);
+	if (ext("%s/ipset create tallow hash:ip family inet timeout %d", ipt_path, expires)) {
+		fprintf(stderr, "Unable to create ipv4 ipset.\n");
+		exit(EXIT_FAILURE);
+	}
+	if (ext("%s/iptables -t filter -A INPUT -m set --match-set tallow src -j DROP", ipt_path)) {
+		fprintf(stderr, "Unable to create iptables rule.\n");
+		exit(EXIT_FAILURE);
+	}
+
+	if (has_ipv6) {
+		ext_ignore("%s/ip6tables -t filter -D INPUT -m set --match-set tallow6 src -j DROP 2> /dev/null", ipt_path);
+		ext_ignore("%s/ipset destroy tallow6 2> /dev/null", ipt_path);
+		if (ext("%s/ipset create tallow6 hash:ip family inet6 timeout %d", ipt_path, expires)) {
+			fprintf(stderr, "Unable to create ipv6 ipset.\n");
+			exit(EXIT_FAILURE);
+		}
+		if (ext("%s/ip6tables -t filter -A INPUT -m set --match-set tallow6 src -j DROP", ipt_path)) {
+			fprintf(stderr, "Unable to create ipt6ables rule.\n");
+			exit(EXIT_FAILURE);
+		}
+	}
+}
+
 static void block(struct tallow_struct *s)
 {
 	if (s->count != threshold)
 		return;
 
+	setup();
+
 	if (strchr(s->ip, ':')) {
 		if (has_ipv6)
 			(void) ext("%s/ipset -A tallow6 %s", ipt_path, s->ip);
@@ -82,18 +119,6 @@ static void block(struct tallow_struct *s)
 	}
 
 	fprintf(stderr, "Blocked %s\n", s->ip);
-
-	/* remove entry from the list */
-	if (head == s) {
-		head = s->next;
-		free(s->ip);
-		free(s);
-	} else {
-		struct tallow_struct *p = s;
-		s = s->next;
-		free(p->ip);
-		free(p);
-	}
 }
 
 static void whitelist_add(char *ip)
@@ -107,7 +132,7 @@ static void whitelist_add(char *ip)
 	n = malloc(sizeof(struct tallow_struct));
 	if (!n) {
 		fprintf(stderr, "Out of memory.\n");
-		exit(1);
+		exit(EXIT_FAILURE);
 	}
 	memset(n, 0, sizeof(struct tallow_struct));
 	n->ip = strdup(ip);
@@ -163,7 +188,7 @@ static void find(char *ip)
 	n = malloc(sizeof(struct tallow_struct));
 	if (!n) {
 		fprintf(stderr, "Out of memory.\n");
-		exit(1);
+		exit(EXIT_FAILURE);
 	}
 	memset(n, 0, sizeof(struct tallow_struct));
 
@@ -181,36 +206,21 @@ static void find(char *ip)
 	return;
 }
 
-static void dump(void)
+static void sig(int u __attribute__ ((unused)))
 {
+	fprintf(stderr, "Exiting on request.\n");
+	sd_journal_close(j);
+
 	struct tallow_struct *s = head;
-	fprintf(stderr, "Received SIGUSR1 - dumping address table: address: count, time\n");
-
 	while (s) {
-		fprintf(stderr, "%s: %d, %lu.%lu\n", s->ip, s->count, s->time.tv_sec, s->time.tv_usec);
+		struct tallow_struct *n = NULL;
+
+		free(s->ip);
+		n = s;
 		s = s->next;
+		free(n);
 	}
-}
-
-static void sig(int s)
-{
-	if (s == SIGUSR1) {
-		dump();
-	} else {
-		fprintf(stderr, "Exiting on request.\n");
-		sd_journal_close(j);
-
-		struct tallow_struct *s = head;
-		while (s) {
-			struct tallow_struct *n = NULL;
-
-			free(s->ip);
-			n = s;
-			s = s->next;
-			free(n);
-		}
-		exit(0);
-	}
+	exit(EXIT_SUCCESS);
 }
 
 static void prune(void)
@@ -255,7 +265,6 @@ int main(void)
 
 	memset(&s, 0, sizeof(struct sigaction));
 	s.sa_handler = sig;
-	sigaction(SIGUSR1, &s, NULL);
 	sigaction(SIGHUP, &s, NULL);
 	sigaction(SIGTERM, &s, NULL);
 	sigaction(SIGINT, &s, NULL);
@@ -310,34 +319,9 @@ int main(void)
 	r = sd_journal_open(&j, SD_JOURNAL_LOCAL_ONLY);
 	if (r < 0) {
 		fprintf(stderr, "Failed to open journal: %s\n", strerror(-r));
-		exit(1);
+		exit(EXIT_FAILURE);
 	}
 
-	/* init ipset and iptables */
-	/* delete iptables ref to set before the ipset! */
-	ext_ignore("%s/iptables -t filter -D INPUT -m set --match-set tallow src -j DROP 2> /dev/null", ipt_path);
-	ext_ignore("%s/ipset destroy tallow 2> /dev/null", ipt_path);
-	if (ext("%s/ipset create tallow hash:ip family inet timeout %d", ipt_path, expires)) {
-		fprintf(stderr, "Unable to create ipv4 ipset.\n");
-		exit(1);
-	}
-	if (ext("%s/iptables -t filter -A INPUT -m set --match-set tallow src -j DROP", ipt_path)) {
-		fprintf(stderr, "Unable to create iptables rule.\n");
-		exit(1);
-	}
-
-	if (has_ipv6) {
-		ext_ignore("%s/ip6tables -t filter -D INPUT -m set --match-set tallow6 src -j DROP 2> /dev/null", ipt_path);
-		ext_ignore("%s/ipset destroy tallow6 2> /dev/null", ipt_path);
-		if (ext("%s/ipset create tallow6 hash:ip family inet6 timeout %d", ipt_path, expires)) {
-			fprintf(stderr, "Unable to create ipv6 ipset.\n");
-			exit(1);
-		}
-		if (ext("%s/ip6tables -t filter -A INPUT -m set --match-set tallow6 src -j DROP", ipt_path)) {
-			fprintf(stderr, "Unable to create ipt6ables rule.\n");
-			exit(1);
-		}
-	}
 
 	/* ffwd journal */
 	sd_journal_add_match(j, FILTER_STRING, 0);
@@ -387,14 +371,6 @@ int main(void)
 				find(t);
 			}
 
-
-			if (strstr(m, "MESSAGE=Received disconnect from ")) {
-				t = strtok(m, " ");
-				for (i = 0; i < 4; i++)
-					t = strtok(NULL, " ");
-				find(t);
-			}
-
 			free(m);
 		}
 
@@ -403,5 +379,5 @@ int main(void)
 
 	sd_journal_close(j);
 
-	exit(0);
+	exit(EXIT_SUCCESS);
 }