|
@@ -18,7 +18,12 @@ import dns.exception
|
|
|
|
|
|
|
|
while True:
|
|
while True:
|
|
|
try:
|
|
try:
|
|
|
- r = redis.StrictRedis(host=os.getenv('IPV4_NETWORK', '172.22.1') + '.249', decode_responses=True, port=6379, db=0)
|
|
|
|
|
|
|
+ redis_slaveof_ip = os.getenv('REDIS_SLAVEOF_IP', '')
|
|
|
|
|
+ redis_slaveof_port = os.getenv('REDIS_SLAVEOF_PORT', '')
|
|
|
|
|
+ if "".__eq__(redis_slaveof_ip):
|
|
|
|
|
+ r = redis.StrictRedis(host=os.getenv('IPV4_NETWORK', '172.22.1') + '.249', decode_responses=True, port=6379, db=0)
|
|
|
|
|
+ else:
|
|
|
|
|
+ r = redis.StrictRedis(host=redis_slaveof_ip, decode_responses=True, port=redis_slaveof_port, db=0)
|
|
|
r.ping()
|
|
r.ping()
|
|
|
except Exception as ex:
|
|
except Exception as ex:
|
|
|
print('%s - trying again in 3 seconds' % (ex))
|
|
print('%s - trying again in 3 seconds' % (ex))
|
|
@@ -53,16 +58,16 @@ def log(priority, message):
|
|
|
tolog['message'] = message
|
|
tolog['message'] = message
|
|
|
r.lpush('NETFILTER_LOG', json.dumps(tolog, ensure_ascii=False))
|
|
r.lpush('NETFILTER_LOG', json.dumps(tolog, ensure_ascii=False))
|
|
|
print(message)
|
|
print(message)
|
|
|
-
|
|
|
|
|
|
|
+
|
|
|
def logWarn(message):
|
|
def logWarn(message):
|
|
|
log('warn', message)
|
|
log('warn', message)
|
|
|
-
|
|
|
|
|
|
|
+
|
|
|
def logCrit(message):
|
|
def logCrit(message):
|
|
|
log('crit', message)
|
|
log('crit', message)
|
|
|
-
|
|
|
|
|
|
|
+
|
|
|
def logInfo(message):
|
|
def logInfo(message):
|
|
|
log('info', message)
|
|
log('info', message)
|
|
|
-
|
|
|
|
|
|
|
+
|
|
|
def refreshF2boptions():
|
|
def refreshF2boptions():
|
|
|
global f2boptions
|
|
global f2boptions
|
|
|
global quit_now
|
|
global quit_now
|
|
@@ -132,14 +137,13 @@ def ban(address):
|
|
|
return
|
|
return
|
|
|
|
|
|
|
|
self_network = ipaddress.ip_network(address)
|
|
self_network = ipaddress.ip_network(address)
|
|
|
-
|
|
|
|
|
|
|
+
|
|
|
with lock:
|
|
with lock:
|
|
|
temp_whitelist = set(WHITELIST)
|
|
temp_whitelist = set(WHITELIST)
|
|
|
|
|
|
|
|
if temp_whitelist:
|
|
if temp_whitelist:
|
|
|
for wl_key in temp_whitelist:
|
|
for wl_key in temp_whitelist:
|
|
|
wl_net = ipaddress.ip_network(wl_key, False)
|
|
wl_net = ipaddress.ip_network(wl_key, False)
|
|
|
-
|
|
|
|
|
if wl_net.overlaps(self_network):
|
|
if wl_net.overlaps(self_network):
|
|
|
logInfo('Address %s is whitelisted by rule %s' % (self_network, wl_net))
|
|
logInfo('Address %s is whitelisted by rule %s' % (self_network, wl_net))
|
|
|
return
|
|
return
|
|
@@ -215,7 +219,6 @@ def unban(net):
|
|
|
|
|
|
|
|
def permBan(net, unban=False):
|
|
def permBan(net, unban=False):
|
|
|
global lock
|
|
global lock
|
|
|
-
|
|
|
|
|
if type(ipaddress.ip_network(net, strict=False)) is ipaddress.IPv4Network:
|
|
if type(ipaddress.ip_network(net, strict=False)) is ipaddress.IPv4Network:
|
|
|
with lock:
|
|
with lock:
|
|
|
chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), 'MAILCOW')
|
|
chain = iptc.Chain(iptc.Table(iptc.Table.FILTER), 'MAILCOW')
|
|
@@ -246,7 +249,7 @@ def permBan(net, unban=False):
|
|
|
logCrit('Remove host/network %s from blacklist' % net)
|
|
logCrit('Remove host/network %s from blacklist' % net)
|
|
|
chain.delete_rule(rule)
|
|
chain.delete_rule(rule)
|
|
|
r.hdel('F2B_PERM_BANS', '%s' % net)
|
|
r.hdel('F2B_PERM_BANS', '%s' % net)
|
|
|
-
|
|
|
|
|
|
|
+
|
|
|
def quit(signum, frame):
|
|
def quit(signum, frame):
|
|
|
global quit_now
|
|
global quit_now
|
|
|
quit_now = True
|
|
quit_now = True
|
|
@@ -388,18 +391,16 @@ def isIpNetwork(address):
|
|
|
return False
|
|
return False
|
|
|
return True
|
|
return True
|
|
|
|
|
|
|
|
-
|
|
|
|
|
|
|
+
|
|
|
def genNetworkList(list):
|
|
def genNetworkList(list):
|
|
|
resolver = dns.resolver.Resolver()
|
|
resolver = dns.resolver.Resolver()
|
|
|
hostnames = []
|
|
hostnames = []
|
|
|
networks = []
|
|
networks = []
|
|
|
-
|
|
|
|
|
for key in list:
|
|
for key in list:
|
|
|
if isIpNetwork(key):
|
|
if isIpNetwork(key):
|
|
|
networks.append(key)
|
|
networks.append(key)
|
|
|
else:
|
|
else:
|
|
|
hostnames.append(key)
|
|
hostnames.append(key)
|
|
|
-
|
|
|
|
|
for hostname in hostnames:
|
|
for hostname in hostnames:
|
|
|
hostname_ips = []
|
|
hostname_ips = []
|
|
|
for rdtype in ['A', 'AAAA']:
|
|
for rdtype in ['A', 'AAAA']:
|
|
@@ -413,66 +414,49 @@ def genNetworkList(list):
|
|
|
except dns.exception.DNSException as dnsexception:
|
|
except dns.exception.DNSException as dnsexception:
|
|
|
logInfo('%s' % dnsexception)
|
|
logInfo('%s' % dnsexception)
|
|
|
continue
|
|
continue
|
|
|
-
|
|
|
|
|
for rdata in answer:
|
|
for rdata in answer:
|
|
|
hostname_ips.append(rdata.to_text())
|
|
hostname_ips.append(rdata.to_text())
|
|
|
-
|
|
|
|
|
networks.extend(hostname_ips)
|
|
networks.extend(hostname_ips)
|
|
|
-
|
|
|
|
|
return set(networks)
|
|
return set(networks)
|
|
|
|
|
|
|
|
def whitelistUpdate():
|
|
def whitelistUpdate():
|
|
|
global lock
|
|
global lock
|
|
|
global quit_now
|
|
global quit_now
|
|
|
global WHITELIST
|
|
global WHITELIST
|
|
|
-
|
|
|
|
|
while not quit_now:
|
|
while not quit_now:
|
|
|
start_time = time.time()
|
|
start_time = time.time()
|
|
|
list = r.hgetall('F2B_WHITELIST')
|
|
list = r.hgetall('F2B_WHITELIST')
|
|
|
-
|
|
|
|
|
new_whitelist = []
|
|
new_whitelist = []
|
|
|
-
|
|
|
|
|
if list:
|
|
if list:
|
|
|
new_whitelist = genNetworkList(list)
|
|
new_whitelist = genNetworkList(list)
|
|
|
-
|
|
|
|
|
with lock:
|
|
with lock:
|
|
|
if Counter(new_whitelist) != Counter(WHITELIST):
|
|
if Counter(new_whitelist) != Counter(WHITELIST):
|
|
|
WHITELIST = new_whitelist
|
|
WHITELIST = new_whitelist
|
|
|
logInfo('Whitelist was changed, it has %s entries' % len(WHITELIST))
|
|
logInfo('Whitelist was changed, it has %s entries' % len(WHITELIST))
|
|
|
-
|
|
|
|
|
time.sleep(60.0 - ((time.time() - start_time) % 60.0))
|
|
time.sleep(60.0 - ((time.time() - start_time) % 60.0))
|
|
|
-
|
|
|
|
|
|
|
+
|
|
|
def blacklistUpdate():
|
|
def blacklistUpdate():
|
|
|
global quit_now
|
|
global quit_now
|
|
|
global BLACKLIST
|
|
global BLACKLIST
|
|
|
-
|
|
|
|
|
while not quit_now:
|
|
while not quit_now:
|
|
|
start_time = time.time()
|
|
start_time = time.time()
|
|
|
list = r.hgetall('F2B_BLACKLIST')
|
|
list = r.hgetall('F2B_BLACKLIST')
|
|
|
-
|
|
|
|
|
new_blacklist = []
|
|
new_blacklist = []
|
|
|
-
|
|
|
|
|
if list:
|
|
if list:
|
|
|
new_blacklist = genNetworkList(list)
|
|
new_blacklist = genNetworkList(list)
|
|
|
-
|
|
|
|
|
if Counter(new_blacklist) != Counter(BLACKLIST):
|
|
if Counter(new_blacklist) != Counter(BLACKLIST):
|
|
|
addban = set(new_blacklist).difference(BLACKLIST)
|
|
addban = set(new_blacklist).difference(BLACKLIST)
|
|
|
delban = set(BLACKLIST).difference(new_blacklist)
|
|
delban = set(BLACKLIST).difference(new_blacklist)
|
|
|
-
|
|
|
|
|
BLACKLIST = new_blacklist
|
|
BLACKLIST = new_blacklist
|
|
|
logInfo('Blacklist was changed, it has %s entries' % len(BLACKLIST))
|
|
logInfo('Blacklist was changed, it has %s entries' % len(BLACKLIST))
|
|
|
-
|
|
|
|
|
if addban:
|
|
if addban:
|
|
|
for net in addban:
|
|
for net in addban:
|
|
|
permBan(net=net)
|
|
permBan(net=net)
|
|
|
-
|
|
|
|
|
if delban:
|
|
if delban:
|
|
|
for net in delban:
|
|
for net in delban:
|
|
|
permBan(net=net, unban=True)
|
|
permBan(net=net, unban=True)
|
|
|
-
|
|
|
|
|
-
|
|
|
|
|
time.sleep(60.0 - ((time.time() - start_time) % 60.0))
|
|
time.sleep(60.0 - ((time.time() - start_time) % 60.0))
|
|
|
-
|
|
|
|
|
|
|
+
|
|
|
def initChain():
|
|
def initChain():
|
|
|
# Is called before threads start, no locking
|
|
# Is called before threads start, no locking
|
|
|
print("Initializing mailcow netfilter chain")
|
|
print("Initializing mailcow netfilter chain")
|
|
@@ -500,7 +484,6 @@ def initChain():
|
|
|
rule.target = target
|
|
rule.target = target
|
|
|
if rule not in chain.rules:
|
|
if rule not in chain.rules:
|
|
|
chain.insert_rule(rule)
|
|
chain.insert_rule(rule)
|
|
|
-
|
|
|
|
|
|
|
|
|
|
if __name__ == '__main__':
|
|
if __name__ == '__main__':
|
|
|
|
|
|
|
@@ -542,7 +525,7 @@ if __name__ == '__main__':
|
|
|
mailcowchainwatch_thread = Thread(target=mailcowChainOrder)
|
|
mailcowchainwatch_thread = Thread(target=mailcowChainOrder)
|
|
|
mailcowchainwatch_thread.daemon = True
|
|
mailcowchainwatch_thread.daemon = True
|
|
|
mailcowchainwatch_thread.start()
|
|
mailcowchainwatch_thread.start()
|
|
|
-
|
|
|
|
|
|
|
+
|
|
|
blacklistupdate_thread = Thread(target=blacklistUpdate)
|
|
blacklistupdate_thread = Thread(target=blacklistUpdate)
|
|
|
blacklistupdate_thread.daemon = True
|
|
blacklistupdate_thread.daemon = True
|
|
|
blacklistupdate_thread.start()
|
|
blacklistupdate_thread.start()
|
andryyy