Add tls mode now routeros api understands about ECDHE certs since v6.47

You can add `usetls = true` to make the connection encrypted. Handy for
remote Mikrotiks which you can only reach over the wild west called Internet.

README.md

@@ -51,6 +51,7 @@ extractions, we use named capturing groups. `(?P<IP>...)`.
   Mikrotik to do it for us. Default is true.
 * `--verbose`: Be more verbose in our logging. Default is false.
 * `--debug`: Be absolutely staggering in our logging. Default is false.
+* `-version`: output version information and exit.
 
 ## Installation
 
@@ -109,4 +110,4 @@ and start this daemon at startup.
 Mikrotik-fwban uses
 [go-gcfg](https://github.com/go-gcfg/gcfg/tree/v1),
 [syslogparser](github.com/jeromer/syslogparser),
-[routeros](https://github.com/go-routeros/routeros/tree/v2)
+[routeros](https://github.com/go-routeros/routeros/tree/master)

config.go

@@ -16,6 +16,7 @@ import (
 // Note that missing elements are inititalized to a sensible default.
 type ConfigMikrotik struct {
 	Disabled  bool
+	UseTLS    bool
 	Address   string
 	User      string
 	Passwd    string
@@ -35,8 +36,8 @@ type Config struct {
 		Port       uint16
 	}
 	RegExps struct {
-		RE     []string `json:",omitempty"`
-		TestRE []string `json:",omitempty"`
+		RE      []string `json:",omitempty"`
+		Test_RE []string `json:",omitempty"`
 	}
 	re       []regexps
 	Mikrotik map[string]*ConfigMikrotik `json:",omitempty"`
@@ -86,14 +87,18 @@ func (c *Config) setupDefaults() error {
 		if v.Passwd == "" {
 			return fmt.Errorf("%s: passwd is a required field", k)
 		}
-		// Add port 8728 if it was not included
+		// Add port 8728/8729 if it was not included
 		_, _, err := net.SplitHostPort(v.Address)
 		if err != nil {
 			// For anything else than missing port, bail.
 			if !strings.Contains(err.Error(), "missing port in address") {
 				return fmt.Errorf("%s: malformed address: %v", k, err)
 			}
-			v.Address = net.JoinHostPort(v.Address, "8728")
+			if v.UseTLS {
+				v.Address = net.JoinHostPort(v.Address, "8729")
+			} else {
+				v.Address = net.JoinHostPort(v.Address, "8728")
+			}
 		}
 		// set default managed addresslist name
 		if v.BanList == "" {
@@ -126,7 +131,7 @@ func (c *Config) setupREs() error {
 		}
 	}
 
-	for _, v := range c.RegExps.TestRE {
+	for _, v := range c.RegExps.Test_RE {
 		found := false
 		for _, re := range c.re {
 			if res := re.RE.FindStringSubmatch(v); len(res) > 0 {

go.mod

@@ -3,12 +3,12 @@ module github.com/middelink/mikrotik-fwban
 go 1.15
 
 require (
+	github.com/go-routeros/routeros v0.0.0-20190727190637-9419d2537732
 	github.com/google/gops v0.3.5
 	github.com/howeyc/fsnotify v0.9.0
 	github.com/jeromer/syslogparser v0.0.0-20180622150051-323c7ad120db
 	github.com/kardianos/osext v0.0.0-20170510131534-ae77be60afb1 // indirect
 	gopkg.in/gcfg.v1 v1.2.3
-	gopkg.in/routeros.v2 v2.0.0-20171228113335-2dc19c12445c
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.2.2
 	launchpad.net/gocheck v0.0.0-20140225173054-000000000087 // indirect

go.sum

@@ -1,3 +1,5 @@
+github.com/go-routeros/routeros v0.0.0-20190727190637-9419d2537732 h1:NPTa6THAsbxnkCvjHcdiylqTeWgZ/qg04Tct+O/Bbsk=
+github.com/go-routeros/routeros v0.0.0-20190727190637-9419d2537732/go.mod h1:em1mEqFKnoeQuQP9Sg7i26yaW8o05WwcNj7yLhrXxSQ=
 github.com/google/gops v0.3.5 h1:SIWvPLiYvy5vMwjxB3rVFTE4QBhUFj2KKWr3Xm7CKhw=
 github.com/google/gops v0.3.5/go.mod h1:pMQgrscwEK/aUSW1IFSaBPbJX82FPHWaSoJw1axQfD0=
 github.com/howeyc/fsnotify v0.9.0 h1:0gtV5JmOKH4A8SsFxG2BczSeXWWPvcMT0euZt5gDAxY=
@@ -10,8 +12,6 @@ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/gcfg.v1 v1.2.3 h1:m8OOJ4ccYHnx2f4gQwpno8nAX5OGOh7RLaaz0pj3Ogs=
 gopkg.in/gcfg.v1 v1.2.3/go.mod h1:yesOnuUOFQAhST5vPY4nbZsb/huCgGGXlipJsBn0b3o=
-gopkg.in/routeros.v2 v2.0.0-20171228113335-2dc19c12445c h1:MdF0YWpo+DT+2UE5Is7xEW4Qm0jdcfDY3fQA7c7Jf38=
-gopkg.in/routeros.v2 v2.0.0-20171228113335-2dc19c12445c/go.mod h1:dXYL5YdVb9GEWLoWK8VHdwL/SuFrNyb/hj2/CXZVT7E=
 gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME=
 gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI=
 gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=

mikrotik-fwban.cfg

@@ -30,6 +30,7 @@
 [Mikrotik "remote"]
 # disabled = true
  address = 192.168.88.ww
+ usetls = true
  user = blacklister
  passwd = yyyyyyy
  whitelist = @admins

mikrotik.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	"crypto/tls"
 	"fmt"
 	"log"
 	"net"
@@ -11,7 +12,7 @@ import (
 	"sync"
 	"time"
 
-	ros "gopkg.in/routeros.v2"
+	ros "github.com/go-routeros/routeros"
 )
 
 var (
@@ -38,7 +39,7 @@ type BlackIP struct {
 }
 
 func (b BlackIP) String() string {
-	return fmt.Sprintf("{%s, %q, %q}", b.Net.String(), b.Dead, b.ID)
+	return fmt.Sprintf("{%s, %q, %q}", b.Net.String(), b.Dead.Format(time.RFC3339), b.ID)
 }
 
 // Mikrotik contains the internal state of a Mikrotik object, configuration
@@ -88,7 +89,13 @@ func NewMikrotik(name string, c *ConfigMikrotik) (*Mikrotik, error) {
 	// Open the connection, use our own code for this, as we need
 	// access to it for setting deadlines.
 	var err error
-	mt.conn, err = net.DialTimeout("tcp", mt.Address, time.Minute)
+	dialer := new(net.Dialer)
+	dialer.Timeout = time.Minute
+	if c.UseTLS {
+		mt.conn, err = tls.DialWithDialer(dialer, "tcp", mt.Address, nil)
+	} else {
+		mt.conn, err = dialer.Dial("tcp", mt.Address)
+	}
 	if err != nil {
 		return nil, err
 	}
@@ -339,12 +346,15 @@ func (mt *Mikrotik) getAddresslist(mapname string) []BlackIP {
 // DelIP removed an ip address from the Mikrotik.
 func (mt *Mikrotik) DelIP(ip BlackIP) error {
 	if *debug || cfg.Settings.Verbose {
-		defer log.Printf("%s: DelIP(%s)", mt.Name, ip.String())
+		defer log.Printf("%s: DelIP(%s) finished", mt.Name, ip.String())
 	}
 	// Protect against racing DelIP/AddIPs.
 	mt.lock.Lock()
 	defer mt.lock.Unlock()
 
+	if *debug || cfg.Settings.Verbose {
+		log.Printf("%s: DelIP(%s) started", mt.Name, ip.String())
+	}
 	selector := fmt.Sprintf("=.id=%s", ip.ID)
 	var err error
 	cancel := mt.startDeadline(5 * time.Second)
@@ -374,13 +384,16 @@ func (mt *Mikrotik) DelIP(ip BlackIP) error {
 // connection is stored, together with the IP itself, in the dynlist entry.
 func (mt *Mikrotik) AddIP(ip net.IPNet, duration Duration, comment string) error {
 	if *debug || cfg.Settings.Verbose {
-		defer log.Printf("%s: AddIP(%s/%v)", mt.Name, ip.String(), duration)
+		defer log.Printf("%s: AddIP(%s/%v) finished", mt.Name, ip.String(), duration)
 	}
 	// Protect against racing DelIP/AddIPs.
 	mt.lock.Lock()
 	defer mt.lock.Unlock()
 
-	// For permanent members skip the built-in white/blacklist checking
+	if *debug || cfg.Settings.Verbose {
+		log.Printf("%s: AddIP(%s/%v) started", mt.Name, ip.String(), duration)
+	}
+	// For permanent members skip the built-in white/blacklist checking.
 	if duration != 0 {
 		// Check if it is on the whitelist
 		for _, v := range mt.whitelist {

testdata/config_test_bad_testre.yml

@@ -3,7 +3,7 @@ in: |
 
         [regexps]
         re = "Dummy regexp for (?P<IP>\\S+)"
-        testre = "Something not matched"
+        test-re = "Something not matched"
 
         [Mikrotik "MT-1"]
         address = 1.2.3.4

testdata/config_test_minimal.yml

@@ -10,6 +10,7 @@ in: |-
         
         [Mikrotik "MT-1"]
           address = 1.2.3.4
+          usetls = true
           user = user
           passwd = passwd
 
@@ -29,7 +30,8 @@ out: |+
          "Mikrotik": {
              "MT-1": {
                  "Disabled": false,
-                 "Address": "1.2.3.4:8728",
+                 "UseTLS": true,
+                 "Address": "1.2.3.4:8729",
                  "User": "user",
                  "Passwd": "passwd",
                  "BanList": "blacklist"

vendor/modules.txt

@@ -1,3 +1,7 @@
+# github.com/go-routeros/routeros v0.0.0-20190727190637-9419d2537732
+## explicit
+github.com/go-routeros/routeros
+github.com/go-routeros/routeros/proto
 # github.com/google/gops v0.3.5
 ## explicit
 github.com/google/gops/agent
@@ -20,10 +24,6 @@ gopkg.in/gcfg.v1
 gopkg.in/gcfg.v1/scanner
 gopkg.in/gcfg.v1/token
 gopkg.in/gcfg.v1/types
-# gopkg.in/routeros.v2 v2.0.0-20171228113335-2dc19c12445c
-## explicit
-gopkg.in/routeros.v2
-gopkg.in/routeros.v2/proto
 # gopkg.in/warnings.v0 v0.1.2
 ## explicit
 gopkg.in/warnings.v0