Refine auto block mechanism

8 years ago · a5c9bcfb58
4 changed files with 42 additions and 11 deletions
--- a/src/acl.c
+++ b/src/acl.c
@ -25,6 +25,7 @@

 #include "rule.h"
 #include "utils.h"
+#include "cache.h"
 #include "acl.h"

 static struct ip_set white_list_ipv4;
@ -38,6 +39,34 @@ static struct cork_dllist white_list_rules;

 static int acl_mode = BLACK_LIST;

+static struct cache *block_list;
+
+void init_block_list()
+{
+    // Initialize cache
+    cache_create(&block_list, 256, NULL);
+}
+
+int check_block_list(char* addr, int max_tries)
+{
+    size_t addr_len = strlen(addr);
+
+    if (cache_key_exist(block_list, addr, addr_len)) {
+        int *count = NULL;
+        cache_lookup(block_list, addr, addr_len, &count);
+        if (count != NULL) {
+            if (*count > max_tries) return 1;
+            (*count)++;
+        }
+    } else {
+        int *count = (int*)ss_malloc(sizeof(int));
+        *count = 1;
+        cache_insert(block_list, addr, addr_len, count);
+    }
+
+    return 0;
+}
+
 static void
 parse_addr_cidr(const char *str, char *host, int *cidr)
 {
--- a/src/acl.h
+++ b/src/acl.h
@ -35,4 +35,7 @@ int acl_remove_ip(const char *ip);

 int get_acl_mode(void);

+void init_block_list();
+int check_block_list(char* addr, int max_tries);
+
 #endif // _ACL_H
--- a/src/cache.c
+++ b/src/cache.c
@ -93,6 +93,8 @@ cache_delete(struct cache *cache, int keep_data)
            if (entry->data != NULL) {
                if (cache->free_cb) {
                    cache->free_cb(entry->data);
+                } else {
+                    ss_free(tmp->data);
                }
            }
            ss_free(entry->key);
--- a/src/server.c
+++ b/src/server.c
@ -306,6 +306,10 @@ report_addr(int fd)
    if (peer_name != NULL) {
        LOGE("failed to handshake with %s", peer_name);
    }
+    // Block all requests from this IP, if the err# exceeds 128.
+    if (check_block_list(peer_name, 128)) {
+        LOGE("block all requests from %s", peer_name);
+    }
 }

 int
@ -735,17 +739,7 @@ server_recv_cb(EV_P_ ev_io *w, int revents)

            server->buf->len = offset + header_len + ONETIMEAUTH_BYTES;
            if (ss_onetimeauth_verify(server->buf, server->d_ctx->evp.iv)) {
-                char *peer_name = get_peer_name(server->fd);
-                if (peer_name) {
-                    LOGE("authentication error from %s", peer_name);
-                    if (acl) {
-                        if (get_acl_mode() == BLACK_LIST) {
-                            // Auto ban enabled only in black list mode
-                            acl_add_ip(peer_name);
-                            LOGE("add %s to the black list", peer_name);
-                        }
-                    }
-                }
+                report_addr(server->fd);
                close_and_free_server(EV_A_ server);
                return;
            }
@ -1715,6 +1709,9 @@ main(int argc, char **argv)
    LOGI("initializing ciphers... %s", method);
    int m = enc_init(password, method);

+    // init block list
+    init_block_list();
+
    // initialize ev loop
    struct ev_loop *loop = EV_DEFAULT;