

4 Commits

Author SHA1 Message Date
yo
2c03ac4cf5 Add freebsd binary build 2024-03-30 17:50:51 +01:00
ppom
8e1c67cead iptables: add reaction chain to FORWARD chain for docker
https://framagit.org/ppom/reaction/-/issues/84
2024-03-27 12:00:00 +01:00
ppom
3ee48fa08e README: add development section 2024-03-18 12:00:00 +01:00
ppom
86bd75b926 nft46: recognize ipv6-mapped ipv4
closes #81
2024-03-04 12:00:00 +01:00
7 changed files with 38 additions and 9 deletions


@ -3,10 +3,10 @@ PREFIX ?= /usr/local
BINDIR = $(PREFIX)/bin BINDIR = $(PREFIX)/bin
SYSTEMDDIR ?= /etc/systemd SYSTEMDDIR ?= /etc/systemd
all: reaction ip46tables nft46 all: reaction reaction.freebsd ip46tables nft46
clean: clean:
rm -f reaction ip46tables nft46 reaction.deb deb reaction.minisig ip46tables.minisig reaction.deb.minisig nft46.minisig rm -f reaction reaction.freebsd ip46tables nft46 reaction.deb deb reaction.minisig ip46tables.minisig reaction.deb.minisig nft46.minisig
ip46tables: helpers_c/ip46tables.c ip46tables: helpers_c/ip46tables.c
$(CC) -s -static helpers_c/ip46tables.c -o ip46tables $(CC) -s -static helpers_c/ip46tables.c -o ip46tables
@ -17,6 +17,9 @@ nft46: helpers_c/nft46.c
reaction: app/* reaction.go go.mod go.sum reaction: app/* reaction.go go.mod go.sum
CGO_ENABLED=0 go build -buildvcs=false -ldflags "-s -X main.version=`git tag --sort=v:refname | tail -n1` -X main.commit=`git rev-parse --short HEAD`" CGO_ENABLED=0 go build -buildvcs=false -ldflags "-s -X main.version=`git tag --sort=v:refname | tail -n1` -X main.commit=`git rev-parse --short HEAD`"
reaction.freebsd: app/* reaction.go go.mod go.sum
GOOS=freebsd CGO_ENABLED=0 go build -buildvcs=false -ldflags "-s -X main.version=`git tag --sort=v:refname | tail -n1` -X main.commit=`git rev-parse --short HEAD`" -o reaction.freebsd
reaction.deb: reaction ip46tables nft46 reaction.deb: reaction ip46tables nft46
chmod +x reaction ip46tables nft46 chmod +x reaction ip46tables nft46
mkdir -p deb/reaction/usr/bin/ deb/reaction/usr/sbin/ deb/reaction/lib/systemd/system/ mkdir -p deb/reaction/usr/bin/ deb/reaction/usr/sbin/ deb/reaction/lib/systemd/system/
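Review bot: The new `reaction.freebsd` target pins only `GOOS`, so the architecture of the published FreeBSD binary silently follows whichever host runs `make`; pin it too, e.g. `GOOS=freebsd GOARCH=amd64 CGO_ENABLED=0 go build -trimpath -buildvcs=false -ldflags "..." -o reaction.freebsd` (`-trimpath` also keeps build-host paths out of the artifact and would be worth adding to the Linux target for consistency). The `clean` target removes a `.minisig` for every other shipped artifact but there is no `reaction.freebsd.minisig`, which suggests the FreeBSD binary is not covered by whatever minisign step produces those files; if releases are signed, that step should cover the new binary as well, otherwise FreeBSD users have no way to verify the download. Note that `all` now builds `reaction.freebsd` on every Linux build, which is probably intended but doubles the Go build time.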


@ -208,3 +208,10 @@ To install the systemd file as well
```shell ```shell
make install_systemd make install_systemd
``` ```
## Development
Contributions are welcome. For any substantial feature, please file an issue first, to be assured that we agree on the feature, and to avoid unnecessary work.
This is a free time project, so I'm not working on schedule.
However, if you're willing to fund the project, I can priorise and plan paid work. This includes features, documentation and specific JSONnet configurations.


@ -1,4 +1,11 @@
--- ---
# This example configuration file is a good starting point, but you're
# strongly encouraged to take a look at the full documentation: https://reaction.ppom.me
#
# This file is using the well-established YAML configuration language.
# Note that the more powerful JSONnet configuration language is also supported
# and that the documentation uses JSONnet
# definitions are just a place to put chunks of conf you want to reuse in another place # definitions are just a place to put chunks of conf you want to reuse in another place
# using YAML anchors `&name` and pointers `*name` # using YAML anchors `&name` and pointers `*name`
# definitions are not readed by reaction # definitions are not readed by reaction
@ -31,10 +38,12 @@ patterns:
start: start:
- [ 'ip46tables', '-w', '-N', 'reaction' ] - [ 'ip46tables', '-w', '-N', 'reaction' ]
- [ 'ip46tables', '-w', '-I', 'INPUT', '-p', 'all', '-j', 'reaction' ] - [ 'ip46tables', '-w', '-I', 'INPUT', '-p', 'all', '-j', 'reaction' ]
- [ 'ip46tables', '-w', '-I', 'FORWARD', '-p', 'all', '-j', 'reaction' ]
# Those commands will be executed in order at stop, after everything else # Those commands will be executed in order at stop, after everything else
stop: stop:
- [ 'ip46tables', '-w,', '-D', 'INPUT', '-p', 'all', '-j', 'reaction' ] - [ 'ip46tables', '-w,', '-D', 'INPUT', '-p', 'all', '-j', 'reaction' ]
- [ 'ip46tables', '-w,', '-D', 'FORWARD', '-p', 'all', '-j', 'reaction' ]
- [ 'ip46tables', '-w', '-F', 'reaction' ] - [ 'ip46tables', '-w', '-F', 'reaction' ]
- [ 'ip46tables', '-w', '-X', 'reaction' ] - [ 'ip46tables', '-w', '-X', 'reaction' ]
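Review bot: The added `-D FORWARD` stop command copies the `'-w,'` token (with a trailing comma) from the pre-existing INPUT line, while every `start` command and the `-F`/`-X` lines use `'-w'`; it should read `- [ 'ip46tables', '-w', '-D', 'FORWARD', '-p', 'all', '-j', 'reaction' ]`. If iptables rejects `-w,` as an invalid wait value, the FORWARD (and INPUT) jump rules are never removed on stop, and the following `-X reaction` then fails because the chain is still referenced, leaving a stale chain behind. Fixing the older INPUT line at the same time would be cheap since this commit already touches the adjacent line.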


@ -1,11 +1,15 @@
// This file is using JSONNET, a complete configuration language based on JSON // This file is using JSONnet, a complete configuration language based on JSON
// See https://jsonnet.org // See https://jsonnet.org
// JSONNET is a superset of JSON, so one can write plain JSON files if wanted. // JSONnet is a superset of JSON, so one can write plain JSON files if wanted.
// Note that YAML is also supported, see ./example.yml // Note that YAML is also supported, see ./example.yml
// JSONNET functions // This example configuration file is a good starting point, but you're
// strongly encouraged to take a look at the full documentation: https://reaction.ppom.me
// JSONnet functions
local iptables(args) = ['ip46tables', '-w'] + args; local iptables(args) = ['ip46tables', '-w'] + args;
// ip46tables is a minimal C program (only POSIX dependencies) present in a subdirectory of this repo. // ip46tables is a minimal C program (only POSIX dependencies) present in a
// subdirectory of this repo.
// it permits to handle both ipv4/iptables and ipv6/ip6tables commands // it permits to handle both ipv4/iptables and ipv6/ip6tables commands
// See meaning and usage of this function around L106 // See meaning and usage of this function around L106
@ -43,14 +47,16 @@ local banFor(time) = {
start: [ start: [
// Create an iptables chain for reaction // Create an iptables chain for reaction
iptables(['-N', 'reaction']), iptables(['-N', 'reaction']),
// Insert this chain as the first item of the INPUT chain (for incoming connections) // Insert this chain as the first item of the INPUT & FORWARD chains (for incoming connections)
iptables(['-I', 'INPUT', '-p', 'all', '-j', 'reaction']), iptables(['-I', 'INPUT', '-p', 'all', '-j', 'reaction']),
iptables(['-I', 'FORWARD', '-p', 'all', '-j', 'reaction']),
], ],
// Those commands will be executed in order at stop, after everything else // Those commands will be executed in order at stop, after everything else
stop: [ stop: [
// Remove the chain from the INPUT chain // Remove the chain from the INPUT & FORWARD chains
iptables(['-D', 'INPUT', '-p', 'all', '-j', 'reaction']), iptables(['-D', 'INPUT', '-p', 'all', '-j', 'reaction']),
iptables(['-D', 'FORWARD', '-p', 'all', '-j', 'reaction']),
// Empty the chain // Empty the chain
iptables(['-F', 'reaction']), iptables(['-F', 'reaction']),
// Delete the chain // Delete the chain
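Review bot: The updated comment keeps "(for incoming connections)" for both chains, but FORWARD only sees traffic routed through the host, not traffic addressed to it; suggest `// Insert this chain first in INPUT (traffic to this host) and FORWARD (traffic routed through it, e.g. to Docker containers)`. Since Docker also inserts its own jump rules at the head of FORWARD, the position of reaction's rule relative to Docker's depends on which service started last, which this example cannot guarantee on its own; Docker reserves the `DOCKER-USER` chain for user rules that must run before its own, so `-I DOCKER-USER` may be a more robust target than `-I FORWARD` when Docker is present, and that caveat is worth a comment here. The `stop` list continues past the end of the hunk.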


@ -1,6 +1,8 @@
[Unit] [Unit]
Description=A daemon that scans program outputs for repeated patterns, and takes action. Description=A daemon that scans program outputs for repeated patterns, and takes action.
Documentation=https://framagit.org/ppom/reaction-wiki Documentation=https://framagit.org/ppom/reaction-wiki
# Ensure reaction will insert its chain after docker has inserted theirs. Only useful when iptables & docker are used
# After=docker.service
[Service] [Service]
ExecStart=/usr/bin/reaction start -c /etc/reaction.jsonnet ExecStart=/usr/bin/reaction start -c /etc/reaction.jsonnet
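Review bot: The new comment says when `After=docker.service` is useful but not why it matters, which is the security-relevant part: because the example config uses `-I`, reaction's jump rule only ends up ahead of Docker's FORWARD rules if reaction starts after Docker, otherwise bans are not applied to traffic forwarded to containers. Suggest `# If Docker is used with the iptables backend, uncomment so reaction's -I FORWARD rule lands above Docker's; otherwise banned hosts can still reach containers.` `After=` only orders startup; if docker.service is later restarted it may reinsert its rules ahead of reaction's, which is presumably why the option is left commented, and that limitation is worth a word too.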


@ -1,6 +1,8 @@
# vim: ft=systemd # vim: ft=systemd
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
# Ensure reaction will insert its chain after docker has inserted theirs. Only useful when iptables & docker are used
# After=docker.service
# See `man systemd.exec` and `man systemd.service` for most options below # See `man systemd.exec` and `man systemd.service` for most options below
[Service] [Service]
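Review bot: In this file the commented `# After=docker.service` is placed directly under `[Install]`, after `WantedBy=multi-user.target`; `After=` is a `[Unit]` directive, so a user who uncomments it as instructed gets an "Unknown key name 'After' in section 'Install'" warning and the ordering is silently ignored. Move the two comment lines into the `[Unit]` section of this file (it is outside the hunk, so I cannot confirm where that section sits), or add `[Unit]` above them, so that uncommenting actually takes effect. The sibling service file in this commit puts the same comment under `[Unit]`, which is the correct placement.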


@ -38,7 +38,7 @@ int isIPv6(char *tab, int len) {
} }
// Each char must be a digit, :, a-f, or A-F // Each char must be a digit, :, a-f, or A-F
for (i=0; i<len; i++) { for (i=0; i<len; i++) {
if (!isdigit(tab[i]) && tab[i] != ':' && !(tab[i] >= 'a' && tab[i] <= 'f') && !(tab[i] >= 'A' && tab[i] <= 'F')) { if (!isdigit(tab[i]) && tab[i] != ':' && tab[i] != '.' && !(tab[i] >= 'a' && tab[i] <= 'f') && !(tab[i] >= 'A' && tab[i] <= 'F')) {
return 0; return 0;
} }
} }
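Review bot: Allowing `.` anywhere in the string is broader than "IPv6-mapped IPv4": after this change `1.2.3.4` or `a.b:c` pass the per-character check, and whether they are still rejected depends on what `isIPv6` tests before this loop, which is outside the hunk. Restricting dots to the part after a colon keeps the embedded dotted-quad form while excluding a bare IPv4 literal from the IPv6 path; it also avoids passing a possibly negative `char` to `isdigit`, which is undefined behaviour for non-ASCII input. The function's opening checks and its return value are outside the hunk.

```c
int seen_colon = 0;
for (i=0; i<len; i++) {
    unsigned char c = (unsigned char)tab[i];
    if (c == ':') { seen_colon = 1; continue; }
    /* dots are only valid in the trailing embedded IPv4 part, e.g. ::ffff:1.2.3.4 */
    if (c == '.' && seen_colon) continue;
    if (!isdigit(c) && !(c >= 'a' && c <= 'f') && !(c >= 'A' && c <= 'F')) {
        return 0;
    }
}
```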