Add freebsd binary build

iptables: add reaction chain to FORWARD chain for docker
https://framagit.org/ppom/reaction/-/issues/84
2024-03-30 17:50:51 +01:00 · 2024-03-27 12:00:00 +01:00 · 2024-03-18 12:00:00 +01:00 · 2024-03-04 12:00:00 +01:00
19 changed files with 110 additions and 421 deletions
--- a/7
+++ b/7
@ -3,10 +3,10 @@ PREFIX ?= /usr/local
 BINDIR = $(PREFIX)/bin
 SYSTEMDDIR ?= /etc/systemd

-all: reaction ip46tables nft46
+all: reaction reaction.freebsd ip46tables nft46

 clean:
-	rm -f reaction ip46tables nft46 reaction.deb deb reaction.minisig ip46tables.minisig reaction.deb.minisig nft46.minisig
+	rm -f reaction reaction.freebsd ip46tables nft46 reaction.deb deb reaction.minisig ip46tables.minisig reaction.deb.minisig nft46.minisig

 ip46tables: helpers_c/ip46tables.c
 	$(CC) -s -static helpers_c/ip46tables.c -o ip46tables
@ -17,6 +17,9 @@ nft46: helpers_c/nft46.c
 reaction: app/* reaction.go go.mod go.sum
 	CGO_ENABLED=0 go build -buildvcs=false -ldflags "-s -X main.version=`git tag --sort=v:refname | tail -n1` -X main.commit=`git rev-parse --short HEAD`"

+reaction.freebsd: app/* reaction.go go.mod go.sum
+	GOOS=freebsd CGO_ENABLED=0 go build -buildvcs=false -ldflags "-s -X main.version=`git tag --sort=v:refname | tail -n1` -X main.commit=`git rev-parse --short HEAD`" -o reaction.freebsd
+
 reaction.deb: reaction ip46tables nft46
 	chmod +x reaction ip46tables nft46
 	mkdir -p deb/reaction/usr/bin/ deb/reaction/usr/sbin/ deb/reaction/lib/systemd/system/
--- a/README.md
+++ b/README.md
@ -208,3 +208,10 @@ To install the systemd file as well
 ```shell
 make install_systemd
 ```
+
+## Development
+
+Contributions are welcome. For any substantial feature, please file an issue first, to be assured that we agree on the feature, and to avoid unnecessary work.
+
+This is a free time project, so I'm not working on schedule.
+However, if you're willing to fund the project, I can priorise and plan paid work. This includes features, documentation and specific JSONnet configurations.
--- a/app/client.go
+++ b/app/client.go
@ -20,7 +20,7 @@ const (

 type Request struct {
 	Request int
-	Pattern []string
+	Pattern string
 }

 type Response struct {
@ -85,7 +85,7 @@ func usage(err string) {
 }

 func ClientShow(format, stream, filter string, regex *regexp.Regexp) {
-	response := SendAndRetrieve(Request{Show, []string{""}})
+	response := SendAndRetrieve(Request{Show, ""})
 	if response.Err != nil {
 		logger.Fatalln("Received error from daemon:", response.Err)
 	}
@ -166,7 +166,7 @@ func ClientShow(format, stream, filter string, regex *regexp.Regexp) {
 	os.Exit(0)
 }

-func ClientFlush(pattern []string, streamfilter, format string) {
+func ClientFlush(pattern, streamfilter, format string) {
 	response := SendAndRetrieve(Request{Flush, pattern})
 	if response.Err != nil {
 		logger.Fatalln("Received error from daemon:", response.Err)
--- a/app/daemon.go
+++ b/app/daemon.go
@ -2,8 +2,6 @@ package app

 import (
 	"bufio"
-	"bytes"
-	"fmt"
 	"os"
 	"os/exec"
 	"os/signal"
@ -15,71 +13,6 @@ import (
 	"framagit.org/ppom/reaction/logger"
 )

-// Compare content and ordering. Case sensitive.
-func IsStringArrayEqual(one, two []string) bool {
-	for i, a := range one {
-		if a != two[i] {
-			return false
-		}
-	}
-	return true
-}
-
-
-// Executes a command and write to its stdin via input channel until command, or reaction, dies
-func cmdStdin(commandline []string, input <-chan string) {
-	cmd := exec.Command(commandline[0], commandline[1:]...)
-	stdin, err := cmd.StdinPipe()
-	if err != nil {
-		logger.Fatalln("couldn't open stdin on command:", err)
-	}
-	stdout, err := cmd.StdoutPipe()
-	if err != nil {
-		logger.Fatalln("couldn't open stdout on command:", err)
-	}
-	if err := cmd.Start(); err != nil {
-		logger.Fatalln("couldn't start command:", err)
-	}
-	defer stdin.Close()
-
-	logger.Printf(logger.INFO, fmt.Sprintf("Output started with %v\n", commandline))
-
-	// stdout displaying thread
-	go func() {
-		// FIXME
-		tmp := make([]byte, 1024)
-		for {
-			_, err := stdout.Read(tmp)
-			if len(bytes.Trim(tmp, "\x00")) > 0 {
-				for _, line := range strings.Split(strings.ReplaceAll(string(bytes.Trim(tmp, "\x00")), "\r\n", "\n"), "\n") {
-					if len(line) > 0 {
-						logger.Printf(logger.INFO, fmt.Sprintf("Output returned %s", line))
-					}
-				}
-			}
-			if err != nil {
-				logger.Printf(logger.ERROR, fmt.Sprintf("Reading output error: %v\n", err))
-				break
-			}
-		}
-	}()
-
-	// Stdin writing thread
-	go func() {
-		for {
-			in := <-input
-			_, err := stdin.Write([]byte(in))
-			if err != nil {
-				logger.Printf(logger.ERROR, fmt.Sprintf("Writing to output error: %v\n", err))
-				break
-			}
-		}
-	}()
-
-	err = cmd.Wait()
-	logger.Fatalln("command %v stopped: %v", cmd, err)
-}
-
 // Executes a command and channel-send its stdout
 func cmdStdout(commandline []string) chan *string {
 	lines := make(chan *string)
@ -144,68 +77,44 @@ func (p *Pattern) notAnIgnore(match *string) bool {
 }

 // Whether one of the filter's regexes is matched on a line
-func (f *Filter) match(line *string) []string {
-	var result []string
+func (f *Filter) match(line *string) string {
 	for _, regex := range f.compiledRegex {

 		if matches := regex.FindStringSubmatch(*line); matches != nil {
-			var pnames []string
-			for _, p := range f.pattern {
-				pnames = append(pnames, p.name)
-			}

-			for _, p := range f.pattern {
-				match := matches[regex.SubexpIndex(p.name)]
-				if p.notAnIgnore(&match) {
+			if f.pattern != nil {
+				match := matches[regex.SubexpIndex(f.pattern.name)]
+
+				if f.pattern.notAnIgnore(&match) {
 					logger.Printf(logger.INFO, "%s.%s: match [%v]\n", f.stream.name, f.name, match)
-					result = append(result, match)
+					return match
 				}
-			}
-			if f.pattern == nil {
-				// No pattern, so this match will never actually be used
-				return nil
-			}
-		}
-	}
-	if len(result) == len(f.pattern) {
-		return result
 			} else {
-		// Incomplete match = no match.
-		return nil
+				logger.Printf(logger.INFO, "%s.%s: match [.]\n", f.stream.name, f.name)
+				// No pattern, so this match will never actually be used
+				return "."
 			}
+		}
+	}
+	return ""
 }

-func (f *Filter) sendActions(match []string, at time.Time) {
+func (f *Filter) sendActions(match string, at time.Time) {
 	for _, a := range f.Actions {
 		actionsC <- PAT{match, a, at.Add(a.afterDuration)}
 	}
 }

-func (a *Action) exec(match []string) {
+func (a *Action) exec(match string) {
 	defer wgActions.Done()

-	if len(a.Cmd) > 0 {
-		a.execCmd(match)
-	}
-
-	if a.Write != nil {
-		a.execWrite(match)
-	}
-}
-
-func (a *Action) execCmd(match []string) {
 	var computedCommand []string
-	var cmdItem string

 	if a.filter.pattern != nil {
 		computedCommand = make([]string, 0, len(a.Cmd))

 		for _, item := range a.Cmd {
-			cmdItem = strings.Clone(item)
-			for i, p := range a.filter.pattern {
-				cmdItem = strings.ReplaceAll(cmdItem, p.nameWithBraces, match[i])
-			}
-			computedCommand = append(computedCommand, cmdItem)
+			computedCommand = append(computedCommand, strings.ReplaceAll(item, a.filter.pattern.nameWithBraces, match))
 		}
 	} else {
 		computedCommand = a.Cmd
@ -220,29 +129,6 @@ func (a *Action) execCmd(match []string) {
 	}
 }

-func (a *Action) execWrite(match []string) {
-	var computedWrite string
-	var writeItem string
-
-	if a.filter.pattern != nil {
-		for _, item := range a.Write.Text {
-			writeItem = strings.Clone(item)
-			for i, p := range a.filter.pattern {
-				writeItem = strings.ReplaceAll(writeItem, p.nameWithBraces, match[i])
-			}
-			if len(computedWrite) > 0 {
-				computedWrite = computedWrite + " " + writeItem
-			} else {
-				computedWrite = writeItem
-			}
-		}
-	} else {
-		computedWrite = strings.Join(a.Write.Text, " ")
-	}
-
-	a.Write.Output.Stdin <- fmt.Sprintf("%s\n", computedWrite)
-}
-
 func ActionsManager(concurrency int) {
 	// concurrency init
 	execActionsC := make(chan PA)
@ -267,7 +153,7 @@ func ActionsManager(concurrency int) {
 			}
 		}()
 	}
-	execAction := func(a *Action, p []string) {
+	execAction := func(a *Action, p string) {
 		wgActions.Add(1)
 		execActionsC <- PA{p, a}
 	}
@ -285,10 +171,10 @@ func ActionsManager(concurrency int) {
 				execAction(action, pattern)
 			} else {
 				actionsLock.Lock()
-				if actions[&pa] == nil {
-					actions[&pa] = make(map[time.Time]struct{})
+				if actions[pa] == nil {
+					actions[pa] = make(map[time.Time]struct{})
 				}
-				actions[&pa][then] = struct{}{}
+				actions[pa][then] = struct{}{}
 				actionsLock.Unlock()
 				go func(insidePat PAT, insideNow time.Time) {
 					time.Sleep(insidePat.t.Sub(insideNow))
@ -299,8 +185,8 @@ func ActionsManager(concurrency int) {
 			pa := PA{pat.p, pat.a}
 			pattern, action, then := pat.p, pat.a, pat.t
 			actionsLock.Lock()
-			if actions[&pa] != nil {
-				delete(actions[&pa], then)
+			if actions[pa] != nil {
+				delete(actions[pa], then)
 			}
 			actionsLock.Unlock()
 			execAction(action, pattern)
@ -308,7 +194,7 @@ func ActionsManager(concurrency int) {
 			ret := make(ActionsMap)
 			actionsLock.Lock()
 			for pa := range actions {
-				if IsStringArrayEqual(pa.p, fo.p) {
+				if pa.p == fo.p {
 					for range actions[pa] {
 						execAction(pa.a, pa.p)
 					}
@ -371,7 +257,7 @@ func matchesManagerHandleFlush(fo FlushMatchOrder) {
 	ret := make(MatchesMap)
 	matchesLock.Lock()
 	for pf := range matches {
-		if IsStringArrayEqual(fo.p, pf.p) {
+		if fo.p == pf.p {
 			if fo.ret != nil {
 				ret[pf] = matches[pf]
 			}
@ -393,26 +279,26 @@ func matchesManagerHandleMatch(pft PFT) bool {

 	if filter.Retry > 1 {
 		// make sure map exists
-		if matches[&pf] == nil {
-			matches[&pf] = make(map[time.Time]struct{})
+		if matches[pf] == nil {
+			matches[pf] = make(map[time.Time]struct{})
 		}
 		// add new match
-		matches[&pf][then] = struct{}{}
+		matches[pf][then] = struct{}{}
 		// remove match when expired
 		go func(pf PF, then time.Time) {
 			time.Sleep(then.Sub(time.Now()) + filter.retryDuration)
 			matchesLock.Lock()
-			if matches[&pf] != nil {
+			if matches[pf] != nil {
 				// FIXME replace this and all similar occurences
 				// by clear() when switching to go 1.21
-				delete(matches[&pf], then)
+				delete(matches[pf], then)
 			}
 			matchesLock.Unlock()
 		}(pf, then)
 	}

-	if filter.Retry <= 1 || len(matches[&pf]) >= filter.Retry {
-		delete(matches, &pf)
+	if filter.Retry <= 1 || len(matches[pf]) >= filter.Retry {
+		delete(matches, pf)
 		filter.sendActions(pattern, then)
 		return true
 	}
@ -432,7 +318,7 @@ func StreamManager(s *Stream, endedSignal chan *Stream) {
 				return
 			}
 			for _, filter := range s.Filters {
-				if match := filter.match(line); len(match) > 0 {
+				if match := filter.match(line); match != "" {
 					matchesC <- PFT{match, filter, time.Now()}
 				}
 			}
@ -443,14 +329,6 @@ func StreamManager(s *Stream, endedSignal chan *Stream) {

 }

-func OutputsManager(c *Conf) {
-	for outputName := range c.Outputs {
-		output := c.Outputs[outputName]
-		output.Stdin = make(chan string)
-		cmdStdin(output.Start, output.Stdin)
-	}
-}
-
 var actions ActionsMap
 var matches MatchesMap
 var actionsLock sync.Mutex
@ -514,7 +392,6 @@ func Daemon(confFilename string) {
 	_ = runCommands(conf.Start, "start")

 	go DatabaseManager(conf)
-	go OutputsManager(conf)
 	go MatchesManager()
 	go ActionsManager(conf.Concurrency)

--- a/app/example.yml
+++ b/app/example.yml
@ -1,4 +1,11 @@
 ---
+# This example configuration file is a good starting point, but you're
+# strongly encouraged to take a look at the full documentation: https://reaction.ppom.me
+#
+# This file is using the well-established YAML configuration language.
+# Note that the more powerful JSONnet configuration language is also supported
+# and that the documentation uses JSONnet
+
 # definitions are just a place to put chunks of conf you want to reuse in another place
 # using YAML anchors `&name` and pointers `*name`
 # definitions are not readed by reaction
@ -31,10 +38,12 @@ patterns:
 start:
  - [ 'ip46tables', '-w', '-N', 'reaction' ]
  - [ 'ip46tables', '-w', '-I', 'INPUT', '-p', 'all', '-j', 'reaction' ]
+  - [ 'ip46tables', '-w', '-I', 'FORWARD', '-p', 'all', '-j', 'reaction' ]

 # Those commands will be executed in order at stop, after everything else
 stop:
  - [ 'ip46tables', '-w,', '-D', 'INPUT', '-p', 'all', '-j', 'reaction' ]
+  - [ 'ip46tables', '-w,', '-D', 'FORWARD', '-p', 'all', '-j', 'reaction' ]
  - [ 'ip46tables', '-w', '-F', 'reaction' ]
  - [ 'ip46tables', '-w', '-X', 'reaction' ]

--- a/app/main.go
+++ b/app/main.go
@ -103,8 +103,6 @@ func basicUsage() {
  # remove currently active matches and run currently pending actions for the specified TARGET
  # (then show flushed matches and actions)
  # e.g. reaction flush 192.168.1.1
-  # Concatenate patterns with " / " if several patterns in TARGET
-  # e.g. reaction flush "192.168.1.1 / root"

  # options:
    -s/--socket SOCKET               # path to the client-daemon communication socket
@ -211,7 +209,7 @@ func Main(version, commit string) {
 			logger.Fatalln("for now, -l/--limit is not supported")
 			os.Exit(1)
 		}
-		ClientFlush(strings.Split(f.Arg(0), " / "), *limit, *queryFormat)
+		ClientFlush(f.Arg(0), *limit, *queryFormat)

 	case "test-regex":
 		// socket not needed, no interaction with the daemon
--- a/app/persist.go
+++ b/app/persist.go
@ -134,7 +134,7 @@ func rotateDB(c *Conf, logDec *gob.Decoder, flushDec *gob.Decoder, logEnc *gob.E
 	}()

 	// pattern, stream, fitler → last flush
-	flushes := make(map[*PSF]time.Time)
+	flushes := make(map[PSF]time.Time)
 	for {
 		var entry LogEntry
 		var filter *Filter
@ -160,7 +160,7 @@ func rotateDB(c *Conf, logDec *gob.Decoder, flushDec *gob.Decoder, logEnc *gob.E
 		}

 		// store
-		flushes[&PSF{entry.Pattern, entry.Stream, entry.Filter}] = entry.T
+		flushes[PSF{entry.Pattern, entry.Stream, entry.Filter}] = entry.T
 	}

 	lastTimeCpt := int64(0)
@ -201,8 +201,8 @@ func rotateDB(c *Conf, logDec *gob.Decoder, flushDec *gob.Decoder, logEnc *gob.E
 		}

 		// check if it hasn't been flushed
-		lastGlobalFlush := flushes[&PSF{entry.Pattern, "", ""}].Unix()
-		lastLocalFlush := flushes[&PSF{entry.Pattern, entry.Stream, entry.Filter}].Unix()
+		lastGlobalFlush := flushes[PSF{entry.Pattern, "", ""}].Unix()
+		lastLocalFlush := flushes[PSF{entry.Pattern, entry.Stream, entry.Filter}].Unix()
 		entryTime := entry.T.Unix()
 		if lastLocalFlush > entryTime || lastGlobalFlush > entryTime {
 			continue
--- a/app/pipe.go
+++ b/app/pipe.go
@ -7,7 +7,6 @@ import (
 	"path"
 	"sync"
 	"time"
-	"strings"

 	"framagit.org/ppom/reaction/logger"
 )
@ -25,7 +24,7 @@ func genClientStatus(local_actions ActionsMap, local_matches MatchesMap, local_a
 		if cs[filter.stream.name][filter.name] == nil {
 			cs[filter.stream.name][filter.name] = make(MapPatternStatus)
 		}
-		cs[filter.stream.name][filter.name][strings.Join(pattern, " / ")] = &PatternStatus{len(times), nil}
+		cs[filter.stream.name][filter.name][pattern] = &PatternStatus{len(times), nil}
 	}

 	local_matchesLock.Unlock()
@ -40,10 +39,10 @@ func genClientStatus(local_actions ActionsMap, local_matches MatchesMap, local_a
 		if cs[action.filter.stream.name][action.filter.name] == nil {
 			cs[action.filter.stream.name][action.filter.name] = make(MapPatternStatus)
 		}
-		if cs[action.filter.stream.name][action.filter.name][strings.Join(pattern, " / ")] == nil {
-			cs[action.filter.stream.name][action.filter.name][strings.Join(pattern, " / ")] = new(PatternStatus)
+		if cs[action.filter.stream.name][action.filter.name][pattern] == nil {
+			cs[action.filter.stream.name][action.filter.name][pattern] = new(PatternStatus)
 		}
-		ps := cs[action.filter.stream.name][action.filter.name][strings.Join(pattern, " / ")]
+		ps := cs[action.filter.stream.name][action.filter.name][pattern]
 		if ps.Actions == nil {
 			ps.Actions = make(map[string][]string)
 		}
--- a/app/startup.go
+++ b/app/startup.go
@ -13,7 +13,6 @@ import (
 	"framagit.org/ppom/reaction/logger"

 	"github.com/google/go-jsonnet"
-	"golang.org/x/exp/slices"
 )

 func (c *Conf) setup() {
@ -21,15 +20,6 @@ func (c *Conf) setup() {
 		c.Concurrency = runtime.NumCPU()
 	}

-	for outputName := range c.Outputs {
-		output := c.Outputs[outputName]
-		output.name = outputName
-
-		if len(output.Start) == 0 {
-			logger.Fatalf("Bad configuration: output's start %v is empty!", outputName)
-		}
-	}
-
 	for patternName := range c.Patterns {
 		pattern := c.Patterns[patternName]
 		pattern.name = patternName
@ -84,17 +74,17 @@ func (c *Conf) setup() {
 			filter.name = filterName

 			if strings.Contains(filter.name, ".") {
-				logger.Fatalf(fmt.Sprintf("Bad configuration: character '.' is not allowed in filter names: '%v'", filter.name))
+				logger.Fatalf("Bad configuration: character '.' is not allowed in filter names: '%v'", filter.name)
 			}
 			// Parse Duration
 			if filter.RetryPeriod == "" {
 				if filter.Retry > 1 {
-					logger.Fatalf(fmt.Sprintf("Bad configuration: retry but no retryperiod in %v.%v", stream.name, filter.name))
+					logger.Fatalf("Bad configuration: retry but no retryperiod in %v.%v", stream.name, filter.name)
 				}
 			} else {
 				retryDuration, err := time.ParseDuration(filter.RetryPeriod)
 				if err != nil {
-					logger.Fatalf(fmt.Sprintf("Bad configuration: Failed to parse retry time in %v.%v: %v", stream.name, filter.name, err))
+					logger.Fatalf("Bad configuration: Failed to parse retry time in %v.%v: %v", stream.name, filter.name, err)
 				}
 				filter.retryDuration = retryDuration
 			}
@ -105,17 +95,27 @@ func (c *Conf) setup() {
 			// Compute Regexes
 			// Look for Patterns inside Regexes
 			for _, regex := range filter.Regex {
-				for _, pattern := range c.Patterns {
+				for patternName, pattern := range c.Patterns {
 					if strings.Contains(regex, pattern.nameWithBraces) {
-						if !slices.Contains(filter.pattern, pattern) {
-							filter.pattern = append(filter.pattern, pattern)
+
+						if filter.pattern == nil {
+							filter.pattern = pattern
+						} else if filter.pattern == pattern {
+							// no op
+						} else {
+							logger.Fatalf(
+								"Bad configuration: Can't mix different patterns (%s, %s) in same filter (%s.%s)\n",
+								filter.pattern.name, patternName, streamName, filterName,
+							)
 						}
+
+						// FIXME should go in the `if filter.pattern == nil`?
 						regex = strings.Replace(regex, pattern.nameWithBraces, pattern.Regex, 1)
 					}
 				}
 				compiledRegex, err := regexp.Compile(regex)
 				if err != nil {
-					log.Fatal(fmt.Sprintf("Bad configuration: regex of filter %s.%s: %v", stream.name, filter.name, err))
+					log.Fatalf("%vBad configuration: regex of filter %s.%s: %v", logger.FATAL, stream.name, filter.name, err)
 				}
 				filter.compiledRegex = append(filter.compiledRegex, *compiledRegex)
 			}
@ -145,20 +145,6 @@ func (c *Conf) setup() {
 				if filter.longuestActionDuration == nil || filter.longuestActionDuration.Milliseconds() < action.afterDuration.Milliseconds() {
 					filter.longuestActionDuration = &action.afterDuration
 				}
-
-				if action.Write != nil {
-					found := false
-					for oname := range c.Outputs {
-						if strings.EqualFold(oname, action.Write.OutputName) {
-							action.Write.Output = c.Outputs[oname]
-							found = true
-						}
-					}
-					if !found {
-						logger.Fatalln(fmt.Sprintf("Bad configuration: action %s.%s.%s refers to undeclared output %s",
-									   stream.name, filter.name, action.name, action.Write.OutputName))
-					}
-				}
 			}
 		}
 	}
--- a/app/types.go
+++ b/app/types.go
@ -9,24 +9,12 @@ import (

 type Conf struct {
 	Concurrency int                 `json:"concurrency"`
-	Outputs     map[string]*Output  `json:"outputs"`
 	Patterns    map[string]*Pattern `json:"patterns"`
 	Streams     map[string]*Stream  `json:"streams"`
 	Start       [][]string          `json:"start"`
 	Stop        [][]string          `json:"stop"`
 }

-type Output struct {
-	Start   []string `json:"start"`
-	Stop    []string `json:"stop"`
-	// TODO: Restart when lost communication with output
-	//Restart string   `json:"restart"`
-
-	name   string   `json:"-"`
-
-	Stdin  chan string
-}
-
 type Pattern struct {
 	Regex  string   `json:"regex"`
 	Ignore []string `json:"ignore"`
@ -54,7 +42,7 @@ type Filter struct {

 	Regex         []string        `json:"regex"`
 	compiledRegex []regexp.Regexp `json:"-"`
-	pattern       []*Pattern        `json:"-"`
+	pattern       *Pattern        `json:"-"`

 	Retry         int           `json:"retry"`
 	RetryPeriod   string        `json:"retryperiod"`
@ -64,19 +52,11 @@ type Filter struct {
 	longuestActionDuration *time.Duration
 }

-type OutputWrite struct {
-	OutputName string   `json:"output"`
-	Text       []string `json:"text"`
-
-	Output *Output
-}
-
 type Action struct {
 	filter *Filter `json:"-"`
 	name   string  `json:"-"`

 	Cmd []string `json:"cmd"`
-	Write       *OutputWrite `json:"write"`

 	After         string        `json:"after"`
 	afterDuration time.Duration `json:"-"`
@ -87,7 +67,7 @@ type Action struct {
 type LogEntry struct {
 	T              time.Time
 	S              int64
-	Pattern        []string
+	Pattern        string
 	Stream, Filter string
 	SF             int
 	Exec           bool
@ -102,43 +82,37 @@ type WriteDB struct {
 	file *os.File
 	enc  *gob.Encoder
 }
-// https://stackoverflow.com/a/69691894
-type MatchesMap map[*PF]map[time.Time]struct{}
-type ActionsMap map[*PA]map[time.Time]struct{}
+
+type MatchesMap map[PF]map[time.Time]struct{}
+type ActionsMap map[PA]map[time.Time]struct{}

 // Helper structs made to carry information
-// Stream, Filter
 type SF struct{ s, f string }
-// Pattern, Stream, Filter
-type PSF struct{
-	p []string
-	s string
-	f string
-}
+type PSF struct{ p, s, f string }
 type PF struct {
-	p []string
+	p string
 	f *Filter
 }
 type PFT struct {
-	p []string
+	p string
 	f *Filter
 	t time.Time
 }
 type PA struct {
-	p []string
+	p string
 	a *Action
 }
 type PAT struct {
-	p []string
+	p string
 	a *Action
 	t time.Time
 }

 type FlushMatchOrder struct {
-	p   []string
+	p   string
 	ret chan MatchesMap
 }
 type FlushActionOrder struct {
-	p   []string
+	p   string
 	ret chan ActionsMap
 }
--- a/config/example.jsonnet
+++ b/config/example.jsonnet
@ -1,11 +1,15 @@
-// This file is using JSONNET, a complete configuration language based on JSON
+// This file is using JSONnet, a complete configuration language based on JSON
 // See https://jsonnet.org
-// JSONNET is a superset of JSON, so one can write plain JSON files if wanted.
+// JSONnet is a superset of JSON, so one can write plain JSON files if wanted.
 // Note that YAML is also supported, see ./example.yml

-// JSONNET functions
+// This example configuration file is a good starting point, but you're
+// strongly encouraged to take a look at the full documentation: https://reaction.ppom.me
+
+// JSONnet functions
 local iptables(args) = ['ip46tables', '-w'] + args;
-// ip46tables is a minimal C program (only POSIX dependencies) present in a subdirectory of this repo.
+// ip46tables is a minimal C program (only POSIX dependencies) present in a
+// subdirectory of this repo.
 // it permits to handle both ipv4/iptables and ipv6/ip6tables commands

 // See meaning and usage of this function around L106
@ -43,14 +47,16 @@ local banFor(time) = {
  start: [
    // Create an iptables chain for reaction
    iptables(['-N', 'reaction']),
-    // Insert this chain as the first item of the INPUT chain (for incoming connections)
+    // Insert this chain as the first item of the INPUT & FORWARD chains (for incoming connections)
    iptables(['-I', 'INPUT', '-p', 'all', '-j', 'reaction']),
+    iptables(['-I', 'FORWARD', '-p', 'all', '-j', 'reaction']),
  ],

  // Those commands will be executed in order at stop, after everything else
  stop: [
-    // Remove the chain from the INPUT chain
+    // Remove the chain from the INPUT & FORWARD chains
    iptables(['-D', 'INPUT', '-p', 'all', '-j', 'reaction']),
+    iptables(['-D', 'FORWARD', '-p', 'all', '-j', 'reaction']),
    // Empty the chain
    iptables(['-F', 'reaction']),
    // Delete the chain
--- a/config/example_streamed_output.yml
+++ b/config/example_streamed_output.yml
@ -1,59 +0,0 @@
---
-concurrency: 0
-
-# patterns are substitued in regexes.
-# when a filter performs an action, it replaces the found pattern
-patterns:
-  ip:
-    # reaction regex syntax is defined here: https://github.com/google/re2/wiki/Syntax
-    # simple version: regex: '(?:(?:[0-9]{1,3}\.){3}[0-9]{1,3})|(?:[0-9a-fA-F:]{2,90})'
-    regex: '(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?:\.(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)){3}|(?:(?:[0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,7}:|(?:[0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|(?:[0-9a-fA-F]{1,4}:){1,5}(?::[0-9a-fA-F]{1,4}){1,2}|(?:[0-9a-fA-F]{1,4}:){1,4}(?::[0-9a-fA-F]{1,4}){1,3}|(?:[0-9a-fA-F]{1,4}:){1,3}(?::[0-9a-fA-F]{1,4}){1,4}|(?:[0-9a-fA-F]{1,4}:){1,2}(?::[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:(?:(?::[0-9a-fA-F]{1,4}){1,6})|:(?:(?::[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(?::[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(?:ffff(?::0{1,4}){0,1}:){0,1}(?:(?:25[0-5]|(?:2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(?:25[0-5]|(?:2[0-4]|1{0,1}[0-9]){0,1}[0-9])|(?:[0-9a-fA-F]{1,4}:){1,4}:(?:(?:25[0-5]|(?:2[0-4]|1{0,1}[0-9]){0,1}[0-9])\.){3,3}(?:25[0-5]|(?:2[0-4]|1{0,1}[0-9]){0,1}[0-9]))'
-    ignore:
-      - 127.0.0.1
-      - ::1
-    # Patterns can be ignored based on regexes, it will try to match the whole string detected by the pattern
-    # ignoreregex:
-    #   - '10\.0\.[0-9]{1,3}\.[0-9]{1,3}'
-  login:
-    regex: '[a-zA-Z0-9_\-\.]*'
-    
-  method:
-    regex: '.*'
-    
-  port:
-    regex: '[0-9]{1,5}'
-
-# Outputs are commands returning stdin you can use in write actions.
-# This can ben used to get a persistent connection to p.e. a KV database you will write into,
-#  eliminating the overhead of executing a process each time action is trigged.
-outputs:
-  redis:
-    start: ['redis-cli', '-h', 'redis.example.org', '-a', 'mypasswordoncmdlinedontdothis']
-#  tee:
-#    start: ['tee', 'output.log']
-
-    
-# streams are commands
-# they are run and their ouptut is captured
-# *example:* `tail -f /var/log/nginx/access.log`
-# their output will be used by one or more filters
-streams:
-  # streams have a user-defined name
-  ssh:
-    # note that if the command is not in environment's `PATH`
-    # its full path must be given.
-    cmd: ['tail', '-f', '/var/log/auth.log']
-    # filters run actions when they match regexes on a stream
-    filters:
-      # filters have a user-defined name
-      acceptedlogin:
-        # reaction's regex syntax is defined here: https://github.com/google/re2/wiki/Syntax
-        regex:
-          - 'Accepted <method> for <login> from <ip> port <port>'
-        # actions are run by the filter when regexes are matched
-        actions:
-          # actions have a user-defined name
-          store2redis:
-            write:
-              output: redis
-              text: ['XADD', 'logins', '*', 'username', '<login>', 'method', '<method>', 'ip', '<ip>', 'port', '<port>']
--- a/config/heavy-load_cmd_to_redis.yml
+++ b/config/heavy-load_cmd_to_redis.yml
@ -1,50 +0,0 @@
---
-patterns:
-  num:
-    regex: '[0-9]+'
-  idx:
-    regex: '[0-9]+'
-  ip:
-    regex: '(?:(?:[0-9]{1,3}\.){3}[0-9]{1,3})|(?:[0-9a-fA-F:]{2,90})'
-    ignore:
-      - 1.0.0.1
-
-concurrency: 0
-
-streams:
-  tailDown1:
-    cmd: [ 'sh', '-c', 'sleep 2; seq 100010 | while read i; do echo found $(($i % 100)) for test 1; done' ]
-    filters:
-      findIP:
-        regex:
-          - '^found <num> for test <idx>$'
-        actions:
-          store2redis:
-            cmd: ['redis-cli', '-h', 'redis.example.org', '-a', 'mypasswordoncmdlinedontdothis', 'XADD', 'teststream', '*', 'found', '<num>', 'test', '<idx>']
-  tailDown2:
-    cmd: [ 'sh', '-c', 'sleep 2; seq 100010 | while read i; do echo prout $(($i % 100)) for test 2; done' ]
-    filters:
-      findIP:
-        regex:
-          - '^prout <num> for test <idx>$'
-        actions:
-          store2redis:
-            cmd: ['redis-cli', '-h', 'redis.example.org', '-a', 'mypasswordoncmdlinedontdothis', 'XADD', 'teststream', '*', 'found', '<num>', 'test', '<idx>']
-  tailDown3:
-    cmd: [ 'sh', '-c', 'sleep 2; seq 100010 | while read i; do echo nanana $(($i % 100)) for test 3; done' ]
-    filters:
-      findIP:
-        regex:
-          - '^nanana <num> for test <idx>$'
-        actions:
-          store2redis:
-            cmd: ['redis-cli', '-h', 'redis.example.org', '-a', 'mypasswordoncmdlinedontdothis', 'XADD', 'teststream', '*', 'found', '<num>', 'test', '<idx>']
-  tailDown4:
-    cmd: [ 'sh', '-c', 'sleep 2; seq 100010 | while read i; do echo nanana $(($i % 100)) for test 4; done' ]
-    filters:
-      findIP:
-        regex:
-          - '^nomatch <num> for test <idx>$'
-        actions:
-          store2redis:
-            cmd: ['redis-cli', '-h', 'redis.example.org', '-a', 'mypasswordoncmdlinedontdothis', 'XADD', 'teststream', '*', 'found', '<num>', 'test', '<idx>']
--- a/config/heavy-load_write_to_redis.yml
+++ b/config/heavy-load_write_to_redis.yml
@ -1,62 +0,0 @@
---
-patterns:
-  num:
-    regex: '[0-9]+'
-  idx:
-    regex: '[0-9]+'
-  ip:
-    regex: '(?:(?:[0-9]{1,3}\.){3}[0-9]{1,3})|(?:[0-9a-fA-F:]{2,90})'
-    ignore:
-      - 1.0.0.1
-
-concurrency: 0
-
-outputs:
-  redis:
-    start: ['redis-cli', '-h', 'redis.example.org', '-a', 'mypasswordoncmdlinedontdothis']
-
-streams:
-  tailDown1:
-    cmd: [ 'sh', '-c', 'seq 100010 | while read i; do echo found $(($i % 100)) for test 1; done' ]
-    filters:
-      findIP:
-        regex:
-          - '^found <num> for test <idx>$'
-        actions:
-          store2redis:
-            write:
-              output: redis
-              text: ['XADD', 'teststream', '*', 'found', '<num>', 'test', '<idx>']
-  tailDown2:
-    cmd: [ 'sh', '-c', 'seq 100010 | while read i; do echo prout $(($i % 100)) for test 2; done' ]
-    filters:
-      findIP:
-        regex:
-          - '^prout <num> for test <idx>$'
-        actions:
-          store2redis:
-            write:
-              output: redis
-              text: ['XADD', 'teststream', '*', 'prout', '<num>', 'test', '<idx>']
-  tailDown3:
-    cmd: [ 'sh', '-c', 'seq 100010 | while read i; do echo nanana $(($i % 100)) for test 3; done' ]
-    filters:
-      findIP:
-        regex:
-          - '^nanana <num> for test <idx>$'
-        actions:
-          store2redis:
-            write:
-              output: redis
-              text: ['XADD', 'teststream', '*', 'nanana', '<num>', 'test', '<idx>']
-  tailDown4:
-    cmd: [ 'sh', '-c', 'seq 100010 | while read i; do echo nanana $(($i % 100)) for test 4; done' ]
-    filters:
-      findIP:
-        regex:
-          - '^nomatch <num> for test <idx>$'
-        actions:
-          store2redis:
-            write:
-              output: redis
-              text: ['XADD', 'teststream', '*', 'nomatch', '<num>', 'test', '<idx>']
--- a/config/reaction.debian.service
+++ b/config/reaction.debian.service
@ -1,6 +1,8 @@
 [Unit]
 Description=A daemon that scans program outputs for repeated patterns, and takes action.
 Documentation=https://framagit.org/ppom/reaction-wiki
+# Ensure reaction will insert its chain after docker has inserted theirs. Only useful when iptables & docker are used
+# After=docker.service

 [Service]
 ExecStart=/usr/bin/reaction start -c /etc/reaction.jsonnet
--- a/config/reaction.example.service
+++ b/config/reaction.example.service
@ -1,6 +1,8 @@
 # vim: ft=systemd
 [Install]
 WantedBy=multi-user.target
+# Ensure reaction will insert its chain after docker has inserted theirs. Only useful when iptables & docker are used
+# After=docker.service

 # See `man systemd.exec` and `man systemd.service` for most options below
 [Service]
--- a/go.mod
+++ b/go.mod
@ -4,7 +4,6 @@ go 1.20

 require (
 	github.com/google/go-jsonnet v0.20.0
-	golang.org/x/exp v0.0.0-20240213143201-ec583247a57a
 	sigs.k8s.io/yaml v1.1.0
 )

--- a/go.sum
+++ b/go.sum
@ -1,8 +1,6 @@
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/google/go-jsonnet v0.20.0 h1:WG4TTSARuV7bSm4PMB4ohjxe33IHT5WVTrJSU33uT4g=
 github.com/google/go-jsonnet v0.20.0/go.mod h1:VbgWF9JX7ztlv770x/TolZNGGFfiHEVx9G6ca2eUmeA=
-golang.org/x/exp v0.0.0-20240213143201-ec583247a57a h1:HinSgX1tJRX3KsL//Gxynpw5CTOAIPhgL4W8PNiIpVE=
-golang.org/x/exp v0.0.0-20240213143201-ec583247a57a/go.mod h1:CxmFvTBINI24O/j8iY7H1xHzx2i4OsyguNBmN/uPtqc=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v2 v2.2.7 h1:VUgggvou5XRW9mHwD/yXxIYSMtY0zoKQf/v226p2nyo=
 gopkg.in/yaml.v2 v2.2.7/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
--- a/helpers_c/nft46.c
+++ b/helpers_c/nft46.c
@ -38,7 +38,7 @@ int isIPv6(char *tab, int len) {
 	}
 	// Each char must be a digit, :, a-f, or A-F
 	for (i=0; i<len; i++) {
-		if (!isdigit(tab[i]) && tab[i] != ':' && !(tab[i] >= 'a' && tab[i] <= 'f') && !(tab[i] >= 'A' && tab[i] <= 'F')) {
+		if (!isdigit(tab[i]) && tab[i] != ':' && tab[i] != '.' && !(tab[i] >= 'a' && tab[i] <= 'f') && !(tab[i] >= 'A' && tab[i] <= 'F')) {
 			return 0;
 		}
 	}
Author	SHA1	Message	Date
yo	2c03ac4cf5	Add freebsd binary build	2024-03-30 17:50:51 +01:00
ppom	8e1c67cead	iptables: add reaction chain to FORWARD chain for docker https://framagit.org/ppom/reaction/-/issues/84	2024-03-27 12:00:00 +01:00
ppom	3ee48fa08e	README: add development section	2024-03-18 12:00:00 +01:00
ppom	86bd75b926	nft46: recognize ipv6-mapped ipv4 closes #81	2024-03-04 12:00:00 +01:00