Merge pull request #456 from jarrodb/pike_rm

Added pike mi command for unblocking IP addresses
OpenSIPS · Apr 9, 2015 · 0fed048 · 0fed048
2 parents 7e1bded + 3a37fa4
commit 0fed048
Show file tree

Hide file tree

Showing 4 changed files with 110 additions and 21 deletions.
diff --git a/modules/pike/doc/pike_admin.xml b/modules/pike/doc/pike_admin.xml
@@ -1,15 +1,15 @@
 <!-- Module User's Guide -->
 
 <chapter>
-	
+
 	<title>&adminguide;</title>
-	
+
 	<section>
 	<title>Overview</title>
 	<para>
 		The module provides a simple mechanism for DOS protection - DOS based
-		on floods at network level. The module keeps trace of all (or selected 
-		ones) IPs of incoming SIP traffic (as source IP) and blocks the ones 
+		on floods at network level. The module keeps trace of all (or selected
+		ones) IPs of incoming SIP traffic (as source IP) and blocks the ones
 		that exceeded some limit.
 		Works simultaneous for IPv4 and IPv6 addresses.
 	</para>
@@ -38,13 +38,13 @@
 		</listitem>
 		<listitem>
 			<para>
-				<emphasis>automatic</emphasis> - the module will install 
+				<emphasis>automatic</emphasis> - the module will install
 				internal hooks to catch all incoming requests and replies (even
 				if not well formed from SIP point of view) - more or less the
 				module will monitor all incoming packages (from the network) on
-				the SIP sockets. Each time the source IP of a package needs to 
+				the SIP sockets. Each time the source IP of a package needs to
 				be analyse (to see if trusted or not), the module will run a
-				script route - see "check_route" module parameter -, where, 
+				script route - see "check_route" module parameter -, where,
 				based on custom logic, you can decide if that IP needs to be
 				monitored for flooding or not. As action, when flood is
 				detected, the module will automatically drop the packages.
@@ -72,7 +72,7 @@
 	<section>
 		<title>External Libraries or Applications</title>
 		<para>
-		The following libraries or applications must be installed before 
+		The following libraries or applications must be installed before
 		running &osips; with this module loaded:
 			<itemizedlist>
 			<listitem>
@@ -89,14 +89,14 @@
 	<section>
 		<title><varname>sampling_time_unit</varname> (integer)</title>
 		<para>
-		Time period used for sampling (or the sampling accuracy ;-) ). The 
-		smaller the better, but slower. If you want to detect peaks, use a 
-		small one. To limit the access (like total number of requests on a 
-		long period of time) to a proxy resource (a gateway for ex), use 
+		Time period used for sampling (or the sampling accuracy ;-) ). The
+		smaller the better, but slower. If you want to detect peaks, use a
+		small one. To limit the access (like total number of requests on a
+		long period of time) to a proxy resource (a gateway for ex), use
 		a bigger value of this parameter.
 		</para>
 		<para>
-		IMPORTANT: a too small value may lead to performance penalties due 
+		IMPORTANT: a too small value may lead to performance penalties due
 		timer process overloading.
 		</para>
 		<para>
@@ -116,9 +116,9 @@ modparam("pike", "sampling_time_unit", 10)
 	<section>
 		<title><varname>reqs_density_per_unit</varname> (integer)</title>
 		<para>
-		How many requests should be allowed per sampling_time_unit before 
-		blocking all the incoming request from that IP. Practically, the 
-		blocking limit is between ( let's have x=reqs_density_per_unit) x 
+		How many requests should be allowed per sampling_time_unit before
+		blocking all the incoming request from that IP. Practically, the
+		blocking limit is between ( let's have x=reqs_density_per_unit) x
 		and 3*x for IPv4 addresses and between x and 8*x for ipv6 addresses.
 		</para>
 		<para>
@@ -138,7 +138,7 @@ modparam("pike", "reqs_density_per_unit", 30)
 	<section>
 		<title><varname>remove_latency</varname> (integer)</title>
 		<para>
-		For how long the IP address will be kept in memory after the last 
+		For how long the IP address will be kept in memory after the last
 		request from that IP address. It's a sort of timeout value.
 		</para>
 		<para>
@@ -219,15 +219,15 @@ modparam("pike", "pike_log_level", -1)
 		<function moreinfo="none">pike_check_req()</function>
 		</title>
 		<para>
-		Process the source IP of the current request and returns false if 
+		Process the source IP of the current request and returns false if
 		the IP was exceeding the blocking limit.
 		</para>
 		<para>
 		Return codes:
 		<itemizedlist>
 			<listitem>
 			<para>
-				<emphasis>1 (true)</emphasis> - IP is not to be blocked or 
+				<emphasis>1 (true)</emphasis> - IP is not to be blocked or
 				internal error occured.
 			</para>
 			<warning>
@@ -243,7 +243,7 @@ modparam("pike", "pike_log_level", -1)
 			</listitem>
 			<listitem>
 			<para>
-				<emphasis>-2 (false)</emphasis> - IP is detected as a new 
+				<emphasis>-2 (false)</emphasis> - IP is detected as a new
 				source of flooding - first time detection
 			</para>
 			</listitem>
@@ -275,6 +275,30 @@ if (!pike_check_req()) { exit; };
 		<para>
 		Name: <emphasis>pike_list</emphasis>
 		</para>
+		<para>Parameters: </para>
+                <itemizedlist>
+                        <listitem><para>
+                                <emphasis>IP</emphasis> - IP address currently blocked.
+                        </para></listitem>
+                </itemizedlist>
+ 		<para>
+		MI FIFO Command Format:
+		</para>
+		<programlisting  format="linespecific">
+		:pike_list:_reply_fifo_file_
+		_empty_line_
+		</programlisting>
+	</section>
+	<section>
+		<title>
+		<function moreinfo="none">pike_rm</function>
+		</title>
+		<para>
+                Remove a node from the pike tree by IP address.
+		</para>
+		<para>
+		Name: <emphasis>pike_rm</emphasis>
+		</para>
 		<para>Parameters: <emphasis>none</emphasis></para>
  		<para>
 		MI FIFO Command Format:

diff --git a/modules/pike/pike.c b/modules/pike/pike.c
@@ -93,6 +93,8 @@ static param_export_t params[]={
 static mi_export_t mi_cmds [] = {
 	{MI_PIKE_LIST, "lists the nodes in the pike tree",
 		mi_pike_list,   MI_NO_INPUT_FLAG,  0,  0 },
+	{MI_PIKE_RM, "remove a node from the tree",
+		mi_pike_rm,     0,                 0,  0 },
 	{0,0,0,0,0,0}
 };
 

diff --git a/modules/pike/pike_mi.c b/modules/pike/pike_mi.c
@@ -24,6 +24,10 @@
  *  2006-12-05  created (bogdan)
  */
 
+#include <assert.h>
+
+#include "../../resolve.h"
+
 #include "ip_tree.h"
 #include "pike_mi.h"
 
@@ -32,7 +36,8 @@
 #define MAX_IP_LEN IPv6_LEN
 
 
-static struct ip_node *ip_stack[MAX_IP_LEN];
+static struct 		 ip_node *ip_stack[MAX_IP_LEN];
+extern int    		 pike_log_level;
 
 
 static inline void print_ip_stack( int level, struct mi_node *node)
@@ -86,6 +91,62 @@ static void print_red_ips( struct ip_node *ip, int level, struct mi_node *node)
 
 }
 
+struct mi_root* mi_pike_rm(struct mi_root *cmd, void *param)
+{
+    struct mi_node   *mn;
+    struct ip_node   *node;
+    struct ip_node   *kid;
+    struct ip_addr   *ip;
+    int byte_pos;
+
+    mn = cmd->node.kids;
+    if (mn==NULL)
+	return init_mi_tree( 400, MI_MISSING_PARM_S, MI_MISSING_PARM_LEN);
+
+    ip = str2ip(&mn->value);
+    if (ip==0)
+	return init_mi_tree( 500, "Bad IP", 6);
+
+    node = 0;
+    byte_pos = 0;
+
+    kid = get_tree_branch((unsigned char)ip->u.addr[byte_pos]);
+
+    /* pilfered from ip_tree.c:mark_node(..) */
+    while (kid && byte_pos < ip->len) {
+	while (kid && kid->byte!=(unsigned char)ip->u.addr[byte_pos]) {
+	    kid = kid->next;
+	}
+	if (kid) {
+	    node = kid;
+	    kid = kid->kids;
+	    byte_pos++;
+	}
+    }
+
+    /* If all octets weren't matched, 404 */
+    if (byte_pos!=ip->len) {
+	return init_mi_tree( 404, "Match not found", 15);
+    }
+
+    /* If the node exists, check to see if it's really blocked */
+    if (!(node->flags&NODE_ISRED_FLAG)) {
+	return init_mi_tree( 400, "IP not blocked", 14);
+    }
+
+    /* reset the node block flag and counters */
+    node->flags &= ~(NODE_ISRED_FLAG);
+
+    node->hits[PREV_POS] = 0;
+    node->hits[CURR_POS] = 0;
+    node->leaf_hits[PREV_POS] = 0;
+    node->leaf_hits[CURR_POS] = 0;
+
+    LM_GEN1(pike_log_level,
+	    "PIKE - UNBLOCKing ip %s, node=%p\n",ip_addr2a(ip),node);
+
+    return init_mi_tree( 200, MI_OK_S, MI_OK_LEN);
+}
 
 
 /*

diff --git a/modules/pike/pike_mi.h b/modules/pike/pike_mi.h
@@ -31,8 +31,10 @@
 #include "../../mi/mi.h"
 
 #define MI_PIKE_LIST      "pike_list"
+#define MI_PIKE_RM        "pike_rm"
 
 struct mi_root* mi_pike_list(struct mi_root* cmd_tree, void* param);
+struct mi_root* mi_pike_rm(struct mi_root *cmd, void *param);
 
 #endif