in client/blocky.py [0:0]
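def run_new_checks():
    """ Runs one pass of the blocky client against the modern UI server.

    In order:
      1. PUT the local iptables ban list to ``<apiurl>/myrules``, at most
         once every ten minutes (throttled via the module global LAST_UPLOAD).
      2. GET ``<apiurl>/whitelist`` and ``<apiurl>/bans``.
      3. Remove any local ban that matches a whitelist entry aimed at this
         host ('*' or our hostname).
      4. Add bans requested for this host, unless the address overlaps a
         whitelisted block.

    Server communication is best-effort: failures are logged to syslog and
    the pass continues with whatever was obtained. The one exception is the
    whitelist: when it could not be fetched no new bans are applied, since
    the overlap check in step 4 would otherwise be skipped for every entry.

    Reads CONFIG and LAST_UPLOAD and calls the module-level helpers
    getbans/inlist/ban/unban_line/note_ban/note_unban. Returns None.
    """
    global LAST_UPLOAD
    hostname = CONFIG['client']['hostname']
    apibase = CONFIG['server']['apiurl']
    mylist = getbans()

    # 1. Upload our rules, but only once every ten minutes.
    if LAST_UPLOAD < (time.time() - 600):
        _upload_rules(apibase, hostname, mylist)

    # 2. Fetch the actions the server wants us to apply.
    whitelist = _fetch_list("%s/whitelist" % apibase, 'whitelist', 'whitelist')
    banlist = _fetch_list("%s/bans" % apibase, 'bans', 'ban')

    # 3. Undo any local ban that the whitelist says should not exist.
    whiteblocks = []  # whitelist entries as IPNetwork objects, for step 4
    for entry in whitelist or []:
        if not isinstance(entry, dict):
            continue  # tolerate a malformed server entry instead of crashing
        ip = entry.get('ip')
        target = entry.get('target', '*')
        if not ip or target not in ('*', hostname):
            continue
        try:
            whiteblocks.append(_to_network(ip))
        except (netaddr.AddrFormatError, ValueError, TypeError):
            syslog.syslog(syslog.LOG_WARNING,
                          "Ignoring whitelist entry with unparseable address %r" % (ip,))
            continue
        found = inlist(mylist, ip)
        if not found:
            continue
        line = found[0]
        syslog.syslog(syslog.LOG_INFO,
                      "Removing %s from block list (found at line %s as %s)"
                      % (ip, line['linenumber'], line['source']))
        if not unban_line(ip, line['linenumber']):
            syslog.syslog(syslog.LOG_WARNING, "Could not remove ban for %s from iptables!" % ip)
        else:
            note_unban(hostname, line['linenumber'])
            mylist = getbans()  # Refresh after action succeeded

    # 4. Apply requested bans, skipping anything that overlaps the whitelist.
    if whitelist is None:
        syslog.syslog(syslog.LOG_WARNING,
                      "Whitelist unavailable, not applying new bans this pass")
        return
    for entry in banlist or []:
        if not isinstance(entry, dict):
            continue
        ip = entry.get('ip')
        target = entry.get('target', '*')
        if not ip or target not in ('*', hostname):
            continue
        try:
            block = _to_network(ip)
        except (netaddr.AddrFormatError, ValueError, TypeError):
            syslog.syslog(syslog.LOG_WARNING,
                          "Ignoring ban entry with unparseable address %r" % (ip,))
            continue
        # Either containment direction counts: a whitelisted host inside a
        # requested ban range, or a requested host inside a whitelisted range.
        overlaps = [wblock for wblock in whiteblocks if block in wblock or wblock in block]
        for wblock in overlaps:
            syslog.syslog(syslog.LOG_WARNING,
                          "%s was requested banned but %s is whitelisted, ignoring ban"
                          % (block, wblock))
        if overlaps:
            continue
        if inlist(mylist, ip):
            continue  # already banned locally, nothing to do
        reason = entry.get('reason', 'No reason specified')
        syslog.syslog(syslog.LOG_INFO, "Adding %s to block list; %s" % (ip, reason))
        if not ban(ip):
            syslog.syslog(syslog.LOG_WARNING, "Could not add ban for %s in iptables!" % ip)
            continue
        mylist = getbans()  # Refresh after action succeeded
        found = inlist(mylist, ip)
        if found:  # make sure we have it in iptables now before reporting it
            note_ban(hostname, found[0])


def _upload_rules(apibase, hostname, mylist, timeout=30):
    """ PUT our iptables list to ``<apibase>/myrules`` and stamp LAST_UPLOAD.

    LAST_UPLOAD is advanced only on a 2xx reply, so a failed upload is
    retried on the next pass. Connection errors and non-2xx replies are
    logged to syslog (the reply body too, when there is one).
    """
    global LAST_UPLOAD
    apiurl = "%s/myrules" % apibase
    rv = None
    try:
        js = {
            'hostname': hostname,
            'iptables': mylist,
        }
        # timeout: an unresponsive server must not hang the client forever.
        rv = requests.put(apiurl, json=js, timeout=timeout)
        # raise_for_status() raises requests.HTTPError, a RequestException,
        # so it is handled below. The bare assert it replaces escaped this
        # handler and is stripped under ``python -O``.
        rv.raise_for_status()
        LAST_UPLOAD = time.time()
    except requests.RequestException:
        # A Response is falsy for non-2xx statuses; test for None explicitly
        # or the error body would never be logged.
        if rv is not None:
            syslog.syslog(syslog.LOG_WARNING, rv.text)
        syslog.syslog(syslog.LOG_WARNING,
                      "Could not send my iptables list to server at %s - server down?" % apiurl)


def _fetch_list(url, key, label, timeout=30):
    """ GET ``url`` and return the list stored under ``key`` in its JSON body.

    ``label`` names the resource in log messages. Returns None when the
    request fails, the server answers non-2xx, or the body is not JSON
    carrying ``key``; each case is logged so the caller can tell "nothing
    to do" apart from "could not ask".
    """
    try:
        rv = requests.get(url, timeout=timeout)
        rv.raise_for_status()
        return rv.json()[key]
    except requests.RequestException:
        syslog.syslog(syslog.LOG_WARNING,
                      "Could not fetch %s entries at %s - server down?" % (label, url))
    except (ValueError, KeyError, TypeError):
        # .json() raises ValueError on a non-JSON body; KeyError/TypeError
        # cover a body without the expected key or of the wrong shape.
        syslog.syslog(syslog.LOG_WARNING,
                      "Unexpected reply from %s - not JSON with a '%s' list?" % (url, key))
    return None


def _to_network(ip):
    """ Return ``ip`` as a netaddr.IPNetwork.

    A value containing '/' is taken as CIDR; a bare address gets a host
    mask (/128 for IPv6, /32 for IPv4). Raises netaddr.AddrFormatError on
    input that is not an address, and TypeError if ``ip`` is not a string.
    """
    if '/' in ip:
        return netaddr.IPNetwork(ip)
    if ':' in ip:
        return netaddr.IPNetwork("%s/128" % ip)  # IPv6
    return netaddr.IPNetwork("%s/32" % ip)  # IPv4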