The change is to support the 'fail2ban' feature. Instead of
blocking IPs by the server itself, the server just adds malicious IPs
to specified sets of nftables, so the admin can configure rules
to deal with those IPs.
Note: the CAP_NET_ADMIN capability is required.
Example configuration:
# nft add table ip fail2ban
# nft add chain ip fail2ban input { type filter hook input priority 0 \; }
# nft add set ip fail2ban badips { type ipv4_addr \; flags dynamic, timeout \; timeout 1h \; }
# nft add rule ip fail2ban input ip saddr @badips drop
# ss-server -c config.json --nftables-sets badips
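As an added illustration (not part of the commit or of shadowsocks-libev itself): once ss-server feeds addresses into the dynamic, timeout-flagged set configured above, an admin will want to see what is currently banned and confirm that the set really ages entries out instead of growing without bound. The script below parses the JSON that `nft -j list set ip fail2ban badips` prints (the element shape, with `val`/`timeout`/`expires` wrapped in an `elem` object, is assumed from libnftables' JSON output; the embedded sample is constructed, not captured):

```python
import json

# Constructed sample shaped like `nft -j list set ip fail2ban badips` output.
# The exact JSON layout is an assumption about libnftables, not taken from the page.
SAMPLE_NFT_JSON = """
{"nftables": [
  {"metainfo": {"version": "1.0.2", "release_name": "Lester Gooch", "json_schema_version": 1}},
  {"set": {"family": "ip", "name": "badips", "table": "fail2ban", "type": "ipv4_addr",
           "handle": 3, "flags": ["dynamic", "timeout"], "timeout": 3600,
           "elem": [
             {"elem": {"val": "192.0.2.10", "timeout": 3600, "expires": 3412}},
             {"elem": {"val": "198.51.100.7", "timeout": 3600, "expires": 15}},
             "203.0.113.99"
           ]}}
]}
"""


def find_set(nft_json, table="fail2ban", name="badips"):
    """Locate the named set object in nft's JSON document; KeyError if absent."""
    for obj in json.loads(nft_json).get("nftables", []):
        s = obj.get("set")
        if s and s.get("table") == table and s.get("name") == name:
            return s
    raise KeyError(f"set {table}/{name} not found")


def parse_banned(nft_json, table="fail2ban", name="badips"):
    """Return {ip: seconds_until_expiry}; None means the entry never expires."""
    banned = {}
    for e in find_set(nft_json, table, name).get("elem", []):
        if isinstance(e, dict) and "elem" in e:      # element carrying timeout metadata
            banned[e["elem"]["val"]] = e["elem"].get("expires")
        else:                                        # bare address, no per-element timeout
            banned[e] = None
    return banned


def expiring_soon(banned, within=60):
    """Addresses whose ban ends within `within` seconds, sorted for stable output."""
    return sorted(ip for ip, left in banned.items() if left is not None and left <= within)


def set_ages_out(nft_json, table="fail2ban", name="badips"):
    """True only if the set is dynamic and has a timeout, as in the example configuration.
    Without both, every address ss-server adds stays banned until manually removed."""
    s = find_set(nft_json, table, name)
    return {"dynamic", "timeout"} <= set(s.get("flags", [])) and "timeout" in s


if __name__ == "__main__":
    banned = parse_banned(SAMPLE_NFT_JSON)
    print("banned:", banned)
    print("expiring within 60s:", expiring_soon(banned))
    print("set ages out entries:", set_ages_out(SAMPLE_NFT_JSON))
```

On a live host, replace the sample with `subprocess.check_output(["nft", "-j", "list", "set", "ip", "fail2ban", "badips"])`, which needs the same CAP_NET_ADMIN the server requires.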
Use pkg-config to retrieve the dependencies of netfilter_conntrack
and avoid the following build failure when building statically:
configure:13096: /data/buildroot-test/instance-1/output-1/host/bin/x86_64-linux-gcc -o conftest -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -Os -static -I/data/buildroot-test/instance-1/output-1/host/x86_64-buildroot-linux-uclibc/sysroot/usr/include -DPCRE_STATIC -pthread -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 -static -L/data/buildroot-test/instance-1/output-1/host/x86_64-buildroot-linux-uclibc/sysroot/usr/lib conftest.c -lnetfilter_conntrack -lnfnetlink -lev -lcares -lsodium -lmbedcrypto -lpcre >&5
/data/buildroot-test/instance-1/output-1/host/opt/ext-toolchain/bin/../lib/gcc/x86_64-buildroot-linux-uclibc/8.3.0/../../../../x86_64-buildroot-linux-uclibc/bin/ld: /data/buildroot-test/instance-1/output-1/host/x86_64-buildroot-linux-uclibc/sysroot/usr/lib/libnetfilter_conntrack.a(api.o): in function `nfct_fill_hdr.constprop.4':
api.c:(.text+0x3f): undefined reference to `mnl_nlmsg_put_header'
Fixes:
- http://autobuild.buildroot.org/results/6cad497a7ab941a0ee3fd7007defc81e30cdcbe0
Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
* Replace udns with c-ares
* Get IO loop work
* Clean up
* Avoid initializing nameservers each query
* Add ARES_OPT_SERVERS
* Refine resolv_cancel
* Fix a memory leak
* Replace udns.h with ares.h
* Fix all inet_* functions
* Clean up
* Enable servers_ports when VERSION_MINOR >= 11
* Avoid ares_inet_XtoX
* Handle multiple nameservers correctly
* Use ares_set_servers for IPv4 and IPv6 mixed list
* Refine c-ares for udprelay
* Refine ares_set_servers()
* Refine the timer based on ares_timeout
* Avoid resolv_cancel
* Fix an issue of null pointer
* Fix another null pointer issue
* Refine the order of resolv_shutdown
* Fix the corrupted ev io
* Add Ping-Pong bloom filter
* Refine bloom filter insertion
* Reduce the error rate to 0.00001
* Avoid alignment issue in murmurhash2
* Fix a memory leak
* Fix build on non-GPU targets
* Detect get_current_dir_name in configure
* Update README.md
* Remove redundant bfree()
* Reduce the memory usage for local client
* Fix #1275
* Refine #1275
* Use IP when bypassing SNI domains
* Also apply replay detector on UDP traffic
* Update deb build script
Now the build script is able to auto-detect the system and choose the libraries
necessary to build.
Also update the README accordingly.
* Update build script to enable jessie/stretch etc
Also include a few cleanups that simplify pkg installation from the
backports repository.