Home Explore Help
Sign In
mirrors
/
mailcow-dockerized
mirror of https://github.com/mailcow/mailcow-dockerized
2
0
Fork 0
Files Issues 0 Wiki
Browse Source

Merge pull request #5679 from Habetdin/staging

[Netfilter] respect ban time limits
Patrick Schult 1 year ago
parent
7d3f9fa407 1787c53d98
commit
d8baadb991
1 changed files with 15 additions and 8 deletions
Split View Show Diff Stats
  1. 15 8
      data/Dockerfiles/netfilter/main.py

+ 15 - 8
data/Dockerfiles/netfilter/main.py
View File 

@@ -114,8 +114,6 @@ def ban(address):
 
   global lock

 

   refreshF2boptions()

-  BAN_TIME = int(f2boptions['ban_time'])

-  BAN_TIME_INCREMENT = bool(f2boptions['ban_time_increment'])

   MAX_ATTEMPTS = int(f2boptions['max_attempts'])

   RETRY_WINDOW = int(f2boptions['retry_window'])

   NETBAN_IPV4 = '/' + str(f2boptions['netban_ipv4'])

@@ -150,7 +148,7 @@ def ban(address):
 
 

   if bans[net]['attempts'] >= MAX_ATTEMPTS:

     cur_time = int(round(time.time()))

-    NET_BAN_TIME = BAN_TIME if not BAN_TIME_INCREMENT else BAN_TIME * 2 ** bans[net]['ban_counter']

+    NET_BAN_TIME = calcNetBanTime(bans[net]['ban_counter'])

     logger.logCrit('Banning %s for %d minutes' % (net, NET_BAN_TIME / 60 ))

     if type(ip) is ipaddress.IPv4Address and int(f2boptions['manage_external']) != 1:

       with lock:

@@ -277,12 +275,11 @@ def snat6(snat_target):
 
       tables.snat6(snat_target, os.getenv('IPV6_NETWORK', 'fd4d:6169:6c63:6f77::/64'))

 

 def autopurge():

+  global f2boptions

+

   while not quit_now:

     time.sleep(10)

     refreshF2boptions()

-    BAN_TIME = int(f2boptions['ban_time'])

-    MAX_BAN_TIME = int(f2boptions['max_ban_time'])

-    BAN_TIME_INCREMENT = bool(f2boptions['ban_time_increment'])

     MAX_ATTEMPTS = int(f2boptions['max_attempts'])

     QUEUE_UNBAN = r.hgetall('F2B_QUEUE_UNBAN')

     if QUEUE_UNBAN:

@@ -290,9 +287,9 @@ def autopurge():
 
         unban(str(net))

     for net in bans.copy():

       if bans[net]['attempts'] >= MAX_ATTEMPTS:

-        NET_BAN_TIME = BAN_TIME if not BAN_TIME_INCREMENT else BAN_TIME * 2 ** bans[net]['ban_counter']

+        NET_BAN_TIME = calcNetBanTime(bans[net]['ban_counter'])

         TIME_SINCE_LAST_ATTEMPT = time.time() - bans[net]['last_attempt']

-        if TIME_SINCE_LAST_ATTEMPT > NET_BAN_TIME or TIME_SINCE_LAST_ATTEMPT > MAX_BAN_TIME:

+        if TIME_SINCE_LAST_ATTEMPT > NET_BAN_TIME:

           unban(net)

 

 def mailcowChainOrder():

@@ -306,6 +303,16 @@ def mailcowChainOrder():
 
       if quit_now: return

       quit_now, exit_code = tables.checkIPv6ChainOrder()

 

+def calcNetBanTime(ban_counter):

+  global f2boptions

+

+  BAN_TIME = int(f2boptions['ban_time'])

+  MAX_BAN_TIME = int(f2boptions['max_ban_time'])

+  BAN_TIME_INCREMENT = bool(f2boptions['ban_time_increment'])

+  NET_BAN_TIME = BAN_TIME if not BAN_TIME_INCREMENT else BAN_TIME * 2 ** ban_counter

+  NET_BAN_TIME = max([BAN_TIME, min([NET_BAN_TIME, MAX_BAN_TIME])])

+  return NET_BAN_TIME

+

 def isIpNetwork(address):

   try:

     ipaddress.ip_network(address, False)