Merge pull request #1 from ajhoughton/master

A few improvements to fail2ban-iptables
2012-11-08 13:23:38 -08:00 · 2012-11-08 13:23:38 -08:00 · 485753afc9
parent bad7e1428d af2a312222
commit 485753afc9
1 changed files with 30 additions and 30 deletions
--- a/60
+++ b/60
@ -21,39 +21,39 @@

 import sys, re, subprocess

-# Try to avoid any shell injections
-def noinject(str):
-	for banned_chr in "`&;|":
-		if banned_chr in str: 
-			print "I don't like some chars in your iptables syntax"
-			sys.exit(2)                  
-	return True
+IPTABLES='/sbin/iptables'
+IP6TABLES='/sbin/ip6tables'

 # Main procedure
 def main(argv):
- regv4 = re.compile('([0-9]{1,3}\.){3}[0-9]{1,3}')
- if regv4.search(argv):   
-    # we are facing to a ipv4
-    ret = subprocess.call(["iptables", argv])
-    sys.exit(ret)                  
- else:
-    # if not, maybe it's a ipv6
-    regv6 = re.compile('::[A-Fa-f0-9]{1,4}|(:[A-Fa-f0-9]{1,4}){2,}')
-    if regv6.search(argv):
-       ret6 = subprocess.call(["ip6tables", argv])
-       sys.exit(ret6)                  
+    pline = " ".join(argv)
+    regv4 = re.compile('([0-9]{1,3}\.){3}[0-9]{1,3}')
+    if regv4.search(pline):   
+        # we are facing to a ipv4
+        ret = subprocess.call([IPTABLES] + argv)
+        sys.exit(ret)                  
    else:
-       # if it's not a ipv6 either, we call both iptables
-       ret = subprocess.call(["iptables", argv])
-       ret6 = subprocess.call(["ip6tables", argv])
-       # return worst error code  
-       if ret > ret6:
-	  sys.exit(ret)
-       else:
-          sys.exit(ret6)
-	
+        # if not, maybe it's a ipv6
+        regv6 = re.compile('::[A-Fa-f0-9]{1,4}|(:[A-Fa-f0-9]{1,4}){2,}')
+        if regv6.search(pline):
+            ret6 = subprocess.call([IP6TABLES] + argv)
+            sys.exit(ret6)
+        else:
+            # if it's not a ipv6 either, we call both iptables
+            proc = subprocess.Popen([IPTABLES] + argv)
+            proc6 = subprocess.Popen([IP6TABLES] + argv)
+
+            # Splitting the Popen and wait() calls lets us run them in
+            # parallel, rather than one after the other
+            ret = proc.wait()
+            ret6 = proc6.wait()
+            
+            # return worst error code
+            if ret > ret6:
+                sys.exit(ret)
+            else:
+                sys.exit(ret6)
+
 # Main call, pass all variables
 if __name__ == "__main__":
-	pline = " ".join(sys.argv[1:])
-	if noinject(pline):
-		main(pline)
+    main(sys.argv[1:])