github
/
fail2ban
mirror of https://github.com/fail2ban/fail2ban
1
0
Fork 0
Code Issues Releases Wiki Activity

performance: optimize simplest case whether the ignoreip is a single IP (not subnet/dns) - uses a set instead of list (holds single IPs and subnets/dns in different lists); 

decrease log level for ignored duplicates (warning is too heavy here)
pull/2689/head
sebres 2020-04-06 12:10:32 +02:00
parent 22a04dae05
commit fc175fa78a
2 changed files with 24 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
fail2ban/server/filter.py
View File

@ -80,6 +80,7 @@ class Filter(JailThread):
## Ignore own IPs flag: ## Ignore own IPs flag:
self.__ignoreSelf = True self.__ignoreSelf = True
## The ignore IP list. ## The ignore IP list.
self.__ignoreIpSet = set()
self.__ignoreIpList = [] self.__ignoreIpList = []
## External command ## External command
self.__ignoreCommand = False self.__ignoreCommand = False
@ -489,28 +490,36 @@ class Filter(JailThread):
# Create IP address object # Create IP address object
ip = IPAddr(ipstr) ip = IPAddr(ipstr)
# Avoid exact duplicates # Avoid exact duplicates
if ip in self.__ignoreIpList: if ip in self.__ignoreIpSet or ip in self.__ignoreIpList:
logSys.warn(" Ignore duplicate %r (%r), already in ignore list", ip, ipstr) logSys.log(logging.MSG, " Ignore duplicate %r (%r), already in ignore list", ip, ipstr)
return return
# log and append to ignore list # log and append to ignore list
logSys.debug(" Add %r to ignore list (%r)", ip, ipstr) logSys.debug(" Add %r to ignore list (%r)", ip, ipstr)
self.__ignoreIpList.append(ip) # if single IP (not DNS or a subnet) add to set, otherwise to list:
if ip.isSingle:
self.__ignoreIpSet.add(ip)
else:
self.__ignoreIpList.append(ip)
def delIgnoreIP(self, ip=None): def delIgnoreIP(self, ip=None):
# clear all: # clear all:
if ip is None: if ip is None:
self.__ignoreIpSet.clear()
del self.__ignoreIpList[:] del self.__ignoreIpList[:]
return return
# delete by ip: # delete by ip:
logSys.debug(" Remove %r from ignore list", ip) logSys.debug(" Remove %r from ignore list", ip)
self.__ignoreIpList.remove(ip) if ip in self.__ignoreIpSet:
self.__ignoreIpSet.remove(ip)
else:
self.__ignoreIpList.remove(ip)
def logIgnoreIp(self, ip, log_ignore, ignore_source="unknown source"): def logIgnoreIp(self, ip, log_ignore, ignore_source="unknown source"):
if log_ignore: if log_ignore:
logSys.info("[%s] Ignore %s by %s", self.jailName, ip, ignore_source) logSys.info("[%s] Ignore %s by %s", self.jailName, ip, ignore_source)
def getIgnoreIP(self): def getIgnoreIP(self):
return self.__ignoreIpList return self.__ignoreIpList + list(self.__ignoreIpSet)
## ##
# Check if IP address/DNS is in the ignore list. # Check if IP address/DNS is in the ignore list.
@ -550,8 +559,11 @@ class Filter(JailThread):
if self.__ignoreCache: c.set(key, True) if self.__ignoreCache: c.set(key, True)
return True return True
# check if the IP is covered by ignore IP (in set or in subnet/dns):
if ip in self.__ignoreIpSet:
self.logIgnoreIp(ip, log_ignore, ignore_source="ip")
return True
for net in self.__ignoreIpList: for net in self.__ignoreIpList:
# check if the IP is covered by ignore IP
if ip.isInNet(net): if ip.isInNet(net):
self.logIgnoreIp(ip, log_ignore, ignore_source=("ip" if net.isValid else "dns")) self.logIgnoreIp(ip, log_ignore, ignore_source=("ip" if net.isValid else "dns"))
if self.__ignoreCache: c.set(key, True) if self.__ignoreCache: c.set(key, True)

6
fail2ban/server/ipdns.py
View File

@ -379,6 +379,12 @@ class IPAddr(object):
""" """
return self._family != socket.AF_UNSPEC return self._family != socket.AF_UNSPEC
@property
def isSingle(self):
"""Returns whether the object is a single IP address (not DNS and subnet)
"""
return self._plen == {socket.AF_INET: 32, socket.AF_INET6: 128}.get(self._family, -1000)
def __eq__(self, other): def __eq__(self, other):
if self._family == IPAddr.CIDR_RAW and not isinstance(other, IPAddr): if self._family == IPAddr.CIDR_RAW and not isinstance(other, IPAddr):
return self._raw == other return self._raw == other