guardianctrl: Fix function call to get process-id.
[people/stevee/guardian.git] / modules / Events.pm
CommitLineData
df6ec59f
SS
1package Guardian::Events;
2use strict;
3use warnings;
4
5use Exporter qw(import);
6
7c8f0696 7our @EXPORT_OK = qw(Init CheckAction GenerateIgnoreList Update);
df6ec59f
SS
8
9# Hash which stores all supported commands from the queue.
10my %commands = (
11 'count' => \&Counter,
12 'block' => \&CallBlock,
13 'unblock' => \&CallUnblock,
14 'flush' => \&CallFlush,
7121d8cd 15 'reload' => \&main::Reload,
ab7c10eb 16 'reload-ignore-list' => \&main::ReloadIgnoreList,
648ca493 17 'logrotate' => \&main::Logrotate,
df6ec59f
SS
18);
19
20# Hash to store addresses and their current count.
21my %counthash = ();
22
23# Hash to store all currentyl blocked addresses and a timestamp
24# when the block for this address can be released.
25my %blockhash = ();
26
66e1ad0a 27# Hash to store user-defined IP addresses and/or subnets which should be
0d218038 28# ignored in case any events should be repored for them.
66e1ad0a
SS
29my %ignorehash = ();
30
0d218038
SS
31# Array to store localhost related IP addresses.
32# They are always white-listed to prevent guardian from blocking
33# any local traffic.
34my @localhost_addresses = ("127.0.0.1", "::1");
35
df6ec59f
SS
36# This object will contain the reference to the logger object after calling Init.
37my $logger;
38
39#
40## The "Init" (Block) function.
41#
42## This function is responsible to initialize Block as a class based object.
43## It has to be called once before any blocking event can be processed.
44#
45## The following arguments must be passed, during initialization:
46## "BlockCount" and "BlockTime" which both have to be natural numbers.
47#
48sub Init (%) {
49 my ( $class, %args ) = @_;
50 my $self = \%args;
51
52 # Fail, if some critical arguments are missing.
53 unless ((exists($self->{BlockCount})) && (exists($self->{BlockTime}))) {
54 die "Could not initialize Block: Too less arguments are given.\n";
55 }
56
57 # Use bless to make "$self" to an object of class "$class".
58 bless($self, $class);
59
60 # Assign logger object.
61 $logger = $self->{Logger};
62
63 # Log used firewall engine.
64 $logger->Log("debug", "Using firewall engine: $self->{FirewallEngine}");
65
66 # Try to load the specified firewall engine or die.
67 my $module_name = "Guardian::" . $self->{FirewallEngine};
68 eval "use $module_name; 1" or die "Could not load a module for firewall engine: $self->{FirewallEngine}!";
69
66e1ad0a
SS
70 # Check if an IgnoreFile has been configured.
71 if (exists($self->{IgnoreFile})) {
72 # Call function to handle the ignore mechanism.
73 &GenerateIgnoreList($self->{IgnoreFile});
0d218038
SS
74 } else {
75 # Whitelist local addresses.
76 %ignorehash = &_whitelist_localhost();
66e1ad0a
SS
77 }
78
df6ec59f
SS
79 # Return the class object.
80 return $self;
81}
82
83#
84## The main "CheckAction" function.
85#
86## This function is used to handle each recived event from the main event queue of guardian.
87#
88## It will check if the given command is valid and will pass it to the responsible function.
89#
90sub CheckAction ($$) {
91 my $self = shift;
92 my @event = split(/ /, $_[0], 4);
93 my ($command, $address, $module, $message) = @event;
94
95 # Check if we got an invalid command.
96 unless(exists($commands{$command})) {
97 $logger->Log("err", "The CheckAction function has been called with an unsupported command ($command)!");
98 return;
99 }
100
e1ff25ce
SS
101 # Check if the given event contains an address.
102 if ($address) {
103 # Convert and validate the given address.
104 my $bin_address = &Guardian::Base::IPOrNet2Int($address);
105
106 # Abort if the given address could not be converted because it is not valid.
107 unless ($bin_address) {
108 $logger->Log("err", "Invalid IP address: $address");
109 return;
110 }
111
112 # Check if address should be ignored.
113 if(&_IsOnIgnoreList($bin_address)) {
114 # Log message.
115 $logger->Log("info", "Ignoring event for $address, because it is part of the ignore list.");
116 return;
117 }
66e1ad0a
SS
118 }
119
df6ec59f
SS
120 # Call required handler.
121 my $error = $commands{$command}->($self, $address, $module, $message);
122
123 # If we got any return code, something went wrong and should be logged.
124 if ($error) {
125 $logger->Log("err", "Got error: $error");
126 return;
127 }
128}
129
130#
131## The main "Counter" function.
132#
133## This function is used to handle each count message + address, which has been sent by the main event
134## loop of guardian.
135#
136## It stores the address and the current count into the counthash and increase the count each time when
137## the same address should be counted again. When the current count reaches the configured BlockCount,
138## the responsible function will be called to block the address.
139#
140sub Counter ($@) {
141 my $self = shift;
142 my ($address, $module, $message) = @_;
143
144 # Log event.
145 $logger->Log("debug", "$module reported $message for address: $address");
146
147 # Increase existing count or start counting for new source addresses.
148 if (exists($counthash{$address})) {
149 # Skip already blocked addresses.
150 if (exists($blockhash{$address})) {
151 return undef;
152 }
153
154 # Increase count of the existing entry.
155 $counthash{$address} = $counthash{$address} + 1;
156
157 # Log altered count of the address.
158 $logger->Log("debug", "Source $address now has count $counthash{$address}/$self->{BlockCount}...");
159 } else {
160 # Log that counting for the address has been started.
161 $logger->Log("debug", "Start counting for $address...");
162
163 # Set count to "1".
164 $counthash{$address} = 1;
165 }
166
167 # Check if the address has reached the configured count limit.
168 if ($counthash{$address} >= $self->{BlockCount}) {
169 # Write out log message.
170 $logger->Log("info", "Blocking $address for $self->{BlockTime} seconds...");
171
172 # Call block subroutine to block the address.
173 my $error = &CallBlock($self, $address, $module, $message);
174
175 # Return the message if an error occurs.
176 return $error;
177 }
178
179 # Everything worked well, return nothing.
180 return undef;
181}
182
183#
184## The RemoveBlocks function.
185#
186## This function periodly will be called and is responsible for releasing the block if the Blocktime
187## on an address has expired.
188#
189## To do this, the code will loop through all entries of the blockhash and check
190## if the estimiated BlockTime of each address has reached and so the block can be released.
191#
192sub RemoveBlocks () {
193 my $self = shift;
194
195 # Get the current time.
196 my $time = time();
197
198 # Loop through the blockhash.
199 foreach my $address (keys %blockhash) {
200 # Check if the blocktime for the address has expired.
201 if ($blockhash{$address} <= $time) {
202 # Call unblock subroutine.
203 my $error = &CallUnblock($self, $address, "BlockTime", "has expired for $address");
204
205 # Log error messages if returned.
206 if ($error) {
207 $logger->Log("err", "$error");
208 }
209 }
210 }
211
212 # Everything okay, return nothing.
213 return undef;
214}
215
216#
217## The CallBlock function.
218#
219## This function is called, if the BlockCount for an address is reached or a direct
220## request for blocking an address has been recieved.
221#
222sub CallBlock ($@) {
223 my $self = shift;
224 my ($address, $module, $message) = @_;
225
226 # Log the call for blocking an address.
227 $logger->Log("info", "$module - $message");
228
229 # Check if an entry for this address exists
230 # in the blockhash. If not, the address has
231 # not been blocked yet, call the responisible
232 # function to do this now.
233 unless (exists($blockhash{$address})) {
e9c558fe
SS
234 # Obtain the configured FirewallAction.
235 my $action = $self->{FirewallAction};
df6ec59f
SS
236
237 # Block the given address.
238 my $error = &DoBlock($address, $action);
239
240 # If we got back an error message something went wrong.
241 if ($error) {
f842727a
SS
242 # Exit function and return the used FirewallEngine and the error message.
243 return "$self->{FirewallEngine} - $error";
df6ec59f
SS
244 } else {
245 # Address has been successfully blocked, print a log message.
246 $logger->Log("debug", "Address $address successfully has been blocked...");
247 }
248 }
249
250 # Generate time when the block will expire.
251 my $expire = time() + $self->{BlockTime};
252
253 # Store the blocked address and the expire time
254 # in the blockhash.
255 $blockhash{$address} = $expire;
256
257 # Return nothing "undef" if everything is okay.
258 return undef;
259}
260
261#
262## CallUnblock function.
263#
264## This function is responsible for unblocking and deleting a given
265## address from the blockhash.
266#
267sub CallUnblock ($) {
268 my $self = shift;
269 my ($address, $module, $message) = @_;
270
271 # Log the call for unblocking an address.
272 $logger->Log("info", "$module - $message");
273
274 # Return an error if no entry for the given address
275 # is present in the blockhash.
276 unless (exists($blockhash{$address})) {
277 return "Address $address was not blocked!";
278 }
279
280 # Unblock the address.
281 my $error = &DoUnblock($address);
282
283 # If an error message is returned, something went wrong.
284 if ($error) {
285 # Exit function and return the error message.
286 return $error;
287 } else {
288 # Address successfully has been unblocked.
289 $logger->Log("debug", "Address $address successfully has been unblocked...");
290 }
291
292 # Drop address from blockhash.
293 delete ($blockhash{$address});
294
295 # Everything worked well, return nothing.
296 return undef;
297}
298
7c96d150
SS
299#
300## CallFlush function.
301#
302## This function is responsible for calling the used firewall
303## engine to do a flush of the used firewall chain. This will
304## clean the entire firewall chain.
305#
306sub CallFlush ($) {
307 my $self = shift;
308
309 # Log the call for flushing.
310 $logger->Log("info", "Flush has been called...");
311
312 # Call flush.
313 my $error = &DoFlush();
314
315 # If an error message is returned, something went wrong.
316 if ($error) {
317 # Exit function and return the error message.
318 return $error;
319 } else {
320 # Flush successfully has been performed.
321 $logger->Log("debug", "Flush successfully has been performed...");
322 }
323
324 # Flush blockhash.
325 %blockhash = ();
326
327 # Everything worked well, return nothing.
328 return undef;
329}
330
66e1ad0a
SS
331#
332## GenerateIgnoreList function.
333#
334## This function is responsible for generating/updating the
335## IgnoreHash which contains all ignored IP addresses and
336## networks.
337#
338sub GenerateIgnoreList($) {
339 my $file = shift;
900cad7f
SS
340 my @include_files;
341
342 # Reset current ignore hash and add
343 # localhost related IP addresses.
344 %ignorehash = &_whitelist_localhost();
66e1ad0a
SS
345
346 # Check if the given IgnoreFile could be opened.
347 unless(-e $file) {
348 $logger->Log("err", "The configured IgnoreFile \($file\) could not be opened. Skipped!");
349 return;
350 }
351
900cad7f 352 # Open the given IgnoreFile.
66e1ad0a
SS
353 open (IGNORE, $file);
354
355 # Read-in the file line by line.
356 while (<IGNORE>) {
357 # Skip comments.
358 next if (/\#/);
359
360 # Skip blank lines.
361 next if (/^\s*$/);
362
363 # Remove any newlines.
364 chomp;
365
900cad7f
SS
366 # Check for an include instruction.
367 if ($_ =~ /^Include_File = (.*)/) {
368 my $include_file = $1;
66e1ad0a 369
900cad7f
SS
370 # Check if the parsed include file exists and is read-able.
371 if (-e $include_file) {
372 # Add file to the array of files wich will be included.
373 push(@include_files, $include_file);
374
375 # Write out log message.
376 $logger->Log("debug", "Addresses from $include_file will be included...");
377 } else {
378 # Log missing file.
379 $logger->Log("err", "$include_file will not be included. File does not exist!");
380 }
381 } else {
382 # Check if the line contains a valid single address or network and
383 # convert it into binary format. Store the result/start and
384 # end values in a temporary array.
385 my @values = &Guardian::Base::IPOrNet2Int($_);
386
387 # If the function returned any values, the line contained a valid
388 # single address or network which successfully has been converted into
389 # binary format.
390 if (@values) {
391 # Assign the array as value to the ignorehash.
392 $ignorehash{$_} = [@values];
393 } else {
394 # Log invalid entry.
395 $logger->Log("err", "IgnoreFile contains an invalid address/network: $_");
396
397 # Skip line.
398 next;
399 }
66e1ad0a
SS
400 }
401 }
402
403 # Close filehandle for the IgnoreFile.
404 close (IGNORE);
5cd378cd 405
900cad7f
SS
406 # Check if any files should be included.
407 if (@include_files) {
408 # Loop through the array of files which should be included.
409 foreach my $file (@include_files) {
410 # Open the file.
411 open(INCLUDE, $file);
412
413 # Read-in file line by line.
414 while(<INCLUDE>) {
415 # Skip any comments.
416 next if (/\#/);
417
418 # Skip any blank lines.
419 next if (/^\s*$/);
420
421 # Chomp any newlines.
422 chomp;
423
424 # Check if the line contains a valid single address or network and
425 # convert it into binary format. Store the result/start and
426 # end values in a temporary array.
427 my @values = &Guardian::Base::IPOrNet2Int($_);
428
429 # If the function returned any values, the line contained a valid
430 # single address or network which successfully has been converted into
431 # binary format.
432 if (@values) {
433 # Assign the array as value to the ignorehash.
434 $ignorehash{$_} = [@values];
435 } else {
436 # Log invalid entry.
437 $logger->Log("err", "$file contains an invalid address/network: $_");
438
439 # Skip line.
440 next;
441 }
442 }
443
444 # Close filehandle.
445 close(INCLUDE);
446 }
447 }
448
5cd378cd
SS
449 # Get amount of current elements in hash.
450 my $amount = scalar(keys(%ignorehash));
451
452 # Write out log message.
453 $logger->Log("debug", "Ignore list currently contains $amount entries.");
66e1ad0a
SS
454}
455
456#
457## Private function to check if an address is part of the Ignore Hash.
458#
7c8f0696
SS
459## This function checks if a passed IP address in binary format (!),
460## directly or as part of an ignored network is stored in the ignore hash.
66e1ad0a
SS
461#
462sub _IsOnIgnoreList ($) {
463 my $bin_address = shift;
464
465 # Loop through the ignore hash and grab the stored values.
466 foreach my $key ( keys %ignorehash ) {
467 # Dereference values array.
468 my @values = @{$ignorehash{$key}};
469
470 # Obtain amount of items for the current value array.
471 my $items = scalar @values;
472
473 # Whether the amount equals one, the given binary address just
474 # needs to be compared against a single address.
475 if ($items eq "1") {
476 my ($ignored_address) = @values;
477
478 # Simple check if the stored and the given binary address
479 # are the same.
480 if ($bin_address eq $ignored_address) {
481 # The given address is part of the ignore list.
482 $logger->Log("debug", "Address $key found on the ignore list.");
483
484 # Return "1" (True).
485 return 1;
486 }
487 }
488
489 # If the amount equals two, for passed binary address needs to
490 # be checked if it is part of the ignored network range.
491 elsif ($items eq "2") {
492 my ($first_address, $last_address) = @values;
493
494 # Check if the passed binary address is bigger than
495 # the first address and smaler than the last address
496 # (between) the stored network range.
497 if (($bin_address >= $first_address) && ($bin_address <= $last_address)) {
498 # The address is part of an ignored network.
499 $logger->Log("debug", "Address is found inside the ignored network $key.");
500
501 # Return "1" (True).
502 return 1;
503 }
504
505 # If the amount is not eighter one or two, the current entry of the ignorehash seems
506 # to be corrupted. Skip and log it.
507 } else {
508 # Write log message about this corruped item in the ignore hash.
509 $logger->Log("err", "Invalid item in the Ignore Hash: $key - @values");
510
511 # Skip this element of the ignore hash.
512 next;
513 }
514 }
515
516 # If we got here, the given address is not part of the ignore hash.
517 # Return nothing (False).
518 return;
519}
520
0d218038
SS
521#
522## The _whitelist_localhost function.
523#
524## This tiny private function simple generates and returns a hash which contains
525## the clear and binary converted addresses for all array-stored
526## (@localhost_addresses) in an ignorelist compatible format.
527#
528sub _whitelist_localhost () {
529 my %temphash;
530
531 # Loop through the array of localhost related addresses.
532 foreach my $address (@localhost_addresses) {
533 # Validate and convert the addresss into binary format.
534 my @values = &Guardian::Base::IPOrNet2Int($address);
535
536 # Check if any values are returned.
537 if (@values) {
538 # Store the converted binary values in the temporary hash.
539 $temphash{$address} = [@values];
540 }
541 }
542
543 # Return the temporary hash.
544 return %temphash;
545}
546
df6ec59f 5471;