
Commit d3fb394

basic nftables support
This is not perfect yet, but the new -n flag triggers a switch from ipset to nftables. For example, if dom is started with: ./dom -f /var/log/suricata/eve.json -n nat -s libssh -vvv -i -m OpenSSH it will add the IP to a set named 'libssh' which exists in the table 'nat'. A working 'nat' table could then look like: table ip nat { set libssh { type ipv4_addr } chain prerouting { type nat hook prerouting priority -150; ip saddr @libssh ip protocol tcp counter dnat 192.168.0.1:2200 } }
1 parent 15e46cd commit d3fb394


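--- a/dom
+++ b/dom
@@ -25,6 +25,7 @@ import simplejson as json
 from subprocess import call
 
 IPSET = 'ipset'
+NFT = 'nft'
 
 have_daemon = True
 try:
@@ -38,6 +39,7 @@ ips_list = []
 parser = argparse.ArgumentParser(description='Deny On Monitoring')
 parser.add_argument('-f', '--file', default='/var/log/suricata/eve.json', help='JSON file to monitor')
 parser.add_argument('-s', '--ipset', default='Sofitel', help='Set IPSET for blacklist')
+parser.add_argument('-n', '--nftables', default=None, help='Table where set used as blacklist is')
 parser.add_argument('-v', '--verbose', default=False, action="count", help="Show verbose output, use multiple times increase verbosity")
 parser.add_argument('-l', '--log', default=None, help='File to log output to (default to stdout)')
 parser.add_argument('-m', '--motif', default='libssh', help='String to look for in event')
@@ -64,6 +66,14 @@ def setup_logging(args):
     else:
         logging.basicConfig(level=loglevel)
 
+def call_nft(args, src_ip, value = None):
+    if not src_ip in ips_list:
+        # TODO add test like in ipset
+        ret = call([NFT, 'add', 'element', args.nftables, args.ipset, '{', src_ip, '}'])
+        ips_list.append(src_ip)
+        if ret == 0:
+            logging.info("Added %s which use %s" % (src_ip, value))
+
 def call_ipset(args, src_ip, value = None):
     if not src_ip in ips_list:
         ret = call([IPSET, 'test', args.ipset, src_ip, '-q'])
@@ -78,6 +88,10 @@ def call_ipset(args, src_ip, value = None):
 def main_task(args):
     setup_logging(args)
     file = open(args.file, 'r')
+    if args.nftables:
+        call_add = call_nft
+    else:
+        call_add = call_ipset
     while 1:
         where = file.tell()
         line = file.readline()
@@ -95,11 +109,11 @@ def main_task(args):
                 if args.motif in event['ssh']['client']['software_version']:
                     if not args.invert:
                         # Vas-y Francis, c'est bon bon bon
-                        call_ipset(args, event['src_ip'],
+                        call_add(args, event['src_ip'],
                                    value = event['ssh']['client']['software_version'])
                 else:
                     if args.invert:
-                        call_ipset(args, event['src_ip'],
+                        call_add(args, event['src_ip'],
                                    value = event['ssh']['client']['software_version'])
 
 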
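Review bot: `call_nft` appends `src_ip` to `ips_list` before it knows whether `nft add element` succeeded (new line 73 in the third hunk), so an address whose insertion fails — wrong table or set name, `nft` returning non-zero because the process lacks CAP_NET_ADMIN — is never retried and stays unblocked while the tool believes it is handled, a fail-open path that also logs nothing. Move the append under the success check and report the failure: `if ret == 0:` / `    ips_list.append(src_ip)` (keeping the existing `logging.info` there) / `else: logging.error("nft add element returned %d for %s", ret, src_ip)`. Separately, `subprocess.call` raises `OSError` when the `nft` binary is missing, which would take the whole `main_task` monitor loop down rather than being logged; wrapping the call in `try`/`except OSError` with a `logging.error` keeps the daemon alive, though the existing `call_ipset` path (whose body ends outside the hunk) appears to share that behaviour. The `# TODO add test like in ipset` may be unnecessary for a plain set: `nft add element` on an already-present element succeeds silently (unlike `create element`), so the pre-check only matters if the set carries flags such as `timeout` — worth confirming against the nft version in use before adding a second `nft` invocation per event.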