remade handling of missing chains or other errors from IPTables

19 years ago · da0bb74180
parent 03e7d722de
commit da0bb74180
3 changed files with 174 additions and 146 deletions
--- a/31
+++ b/31
@ -26,7 +26,7 @@ __date__ = "$Date: 2005/08/04 20:51:14 $"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
 __license__ = "GPL"

-import sys, traceback, logging, time
+import sys, traceback, logging

 # Appends our own modules path.
 sys.path.append("/usr/share/fail2ban")
@ -34,16 +34,6 @@ sys.path.append("/usr/share/fail2ban")
 # Now we can import our modules.
 import fail2ban
 from utils.pidlock import PIDLock
-from utils.process import ExternalError
-
-# Start the application. Handle all the unhandled exceptions
-# yoh: I don't think that this parameters need to be configured
-#      and probably maxRestarts should be removed
-legitRestartTime = 10				 # legitimate minimal restart time
-maxRestarts = 100			  # max number of times to perform restart
-
-lastRestartTime = time.time()
-restarts = 0

 # Get the instance of the logger.
 logSys = logging.getLogger("fail2ban")
@ -51,21 +41,9 @@ logSys = logging.getLogger("fail2ban")
 # Get PID lock file instance
 pidLock = PIDLock()

+# Start the application. Handle all the unhandled exceptions
 try:
-	while True:
-		restarts += 1
-		try:
-			fail2ban.main(restarts>1)
-		except ExternalError, e:
-			# There went something wrong while dealing with Iptables. May be chain got
-			# removed?
-			logSys.error("Fail2Ban got a problem: " + e.__str__())
-			if (time.time() - lastRestartTime > legitRestartTime) and (restarts < maxRestarts):
-				logSys.error("Restarting for the %d time "%restarts)
-				lastRestartTime = time.time()
-			else:
-				logSys.error("Exiting: restarts follow too often, or too many restart attempts")
-				sys.exit(0)
+	fail2ban.main()
 except SystemExit:
 	# We called sys.exit(). Nothing wrong so just pass
 	pass
@ -77,9 +55,6 @@ except Exception, e:
 	logSys.error("Type: " + `type.__name__` + "\n" +
 				 "Value: " + `e.args` + "\n" +
 				 "TB: " + `tbStack`)
-
 	# Remove the PID lock file. Should close #1239562
 	pidLock.remove()
-logSys.info("Exiting...")
 	logging.shutdown()
-	
--- a/fail2ban.py
+++ b/fail2ban.py
@ -25,7 +25,7 @@ __date__ = "$Date: 2005/09/13 20:42:33 $"
 __copyright__ = "Copyright (c) 2004 Cyril Jaquier"
 __license__ = "GPL"

-import time, sys, getopt, os, string, signal, logging, logging.handlers
+import time, sys, getopt, os, string, signal, logging, logging.handlers, copy
 from ConfigParser import *

 from version import version
@ -92,12 +92,34 @@ def sigTERMhandler(signum, frame):
 	logSys.debug("Signal handler called with sig "+`signum`)
 	killApp()

+def initializeFwRules():
+	""" Initializes firewalls by running cmdstart and then
+	    fwstart for each section
+	"""
+	# Execute global start command
+	executeCmd(conf["cmdstart"], conf["debug"])
+	# Execute start command of each section
+	for element in logFwList:
+		l = element[4]
+		executeCmd(l["fwstart"], conf["debug"])
+
+
+def reBan():
+	""" For each section asks the Firewall to reban known IPs
+	"""
+	for element in logFwList:
+		element[2].reBan(conf["debug"])
+
 def restoreFwRules():
 	""" Flush the ban list
 	"""
 	logSys.warn("Restoring firewall rules...")
 	for element in logFwList:
+		try:
 			element[2].flushBanList(conf["debug"])
+		except ExternalError, e:
+			# nothing bad really - we can survive :-)
+			pass
 	# Execute end command of each section
 	for element in logFwList:
 		l = element[4]
@ -106,11 +128,15 @@ def restoreFwRules():
 	executeCmd(conf["cmdend"], conf["debug"])

 def killApp():
-	""" Flush the ban list, remove and exit
+	""" Flush the ban list, remove the PID lock file and exit
 		nicely.
 	"""
 	# Restore Fw rules
 	restoreFwRules()
+	# Remove the PID lock
+	pidLock.remove()
+	logSys.info("Exiting...")
+	logging.shutdown()
 	sys.exit(0)

 def getCmdLineOptions(optList):
@ -138,12 +164,9 @@ def getCmdLineOptions(optList):
 		if opt[0] == "-k":
 			conf["kill"] = True

-def main(secondaryStart):
+def main():
 	""" Fail2Ban main function
 	"""
-	# (re)Initialize global variables
-	logFwList.__init__()
-	conf.clear()
 	
 	# Add the default logging handler
 	stdout = logging.StreamHandler(sys.stdout)
@ -218,12 +241,8 @@ def main(secondaryStart):
 	except KeyError:
 		pass

-	# If it is not a hot restart
-	#   fork, setup logging, create pid, check for root
-	if not secondaryStart:
 	# Start Fail2Ban in daemon mode
 	if conf["background"]:
-			logSys.debug("Daemonizing")
 		retCode = createDaemon()
 		signal.signal(signal.SIGTERM, sigTERMhandler)
 		if not retCode:
@ -301,6 +320,9 @@ def main(secondaryStart):
 		logSys.warn("DEBUG MODE: FIREWALL COMMANDS ARE _NOT_ EXECUTED BUT " +
 					"ONLY DISPLAYED IN THE LOG MESSAGES")

+	# Ignores IP list
+	ignoreIPList = conf["ignoreip"].split(' ')
+
 	# Checks for root user. This is necessary because log files
 	# are owned by root and firewall needs root access.
 	if not checkForRoot():
@ -319,9 +341,6 @@ def main(secondaryStart):
 			# Unable to create PID lock. Exit
 			sys.exit(-1)
 	
-	# Ignores IP list
-	ignoreIPList = conf["ignoreip"].split(' ')
-
 	logSys.debug("ConfFile is " + conf["conffile"])
 	logSys.debug("BanTime is " + `conf["bantime"]`)
 	logSys.debug("FindTime is " + `conf["findtime"]`)
@ -394,12 +413,15 @@ def main(secondaryStart):
 		else:
 			logSys.warn(ip + " is not a valid IP address")
 	
-	# Execute global start command
-	executeCmd(conf["cmdstart"], conf["debug"])
-	# Execute start command of each section
-	for element in logFwList:
-		l = element[4]
-		executeCmd(l["fwstart"], conf["debug"])
+	initializeFwRules()
+	
+	# yoh: I don't think that this parameters need to be configured
+	#      and probably maxRestarts should be removed
+	legitRestartTime = 10				 # legitimate minimal restart time
+	maxRestarts = 100			  # max number of times to perform restart
+
+	lastRestartTime = time.time()
+	restarts = 0
 	# Main loop
 	while True:
 		try:
@ -459,10 +481,27 @@ def main(secondaryStart):
 							mail.sendmail(mailConf["subject"],
 										  mailConf["message"], aInfo)
 						del element[3][attempt]
-		except ExternalError:
-			# restore as much as possible before restart
+		except ExternalError, e:
+			# Something wrong while dealing with Iptables.
+			# May be chain got removed?
+			logSys.error("Fail2Ban got a problem: " + e.__str__())
+			if (unixTime - lastRestartTime > legitRestartTime) and (restarts < maxRestarts):
+				logSys.error("Reinitializing firewalls for the %dst time "%restarts)
+				lastRestartTime = time.time()
+			else:
+				logSys.error("Exiting: restarts follow too often, or too many restart attempts")
+				killApp()
+
+			# save firewalls to keep a list of IPs for rebanning
+			logFwListCopy = copy.deepcopy(logFwList)
+			# restore as much as possible
 			restoreFwRules()
-			raise
+			# reinitialize all the chains
+			initializeFwRules()
+			# restore the lists of baned IPs
+			logFwList = logFwListCopy
+			# reBan known IPs
+			reBan()
 		except KeyboardInterrupt:
 			# When the user press <ctrl>+<c> we exit nicely.
 			killApp()
--- a/firewall/firewall.py
+++ b/firewall/firewall.py
@ -73,6 +73,20 @@ class Firewall:
 		else:
 			logSys.error(ip+" not in ban list")

+	def reBan(self, debug):
+		""" Re-Bans known IPs.
+		"""
+		for ip in self.banList:
+			aInfo = {"ip": ip,
+					 "bantime":self.banList[ip]}
+			logSys.warn("ReBan "+ip)
+			# next piece is similar to the on in addBanIp
+			# so might be one more function will not hurt
+			self.runCheck("pre-fw-reban", debug)
+			cmd = self.banIP(aInfo)
+			if executeCmd(cmd, debug):
+				raise ExternalError("Firewall: execution of fwban command '%s' failed"%cmd)
+	
 	def inBanList(self, ip):
 		""" Checks if IP is in ban list.
 		"""