feat: new ver

cmd/banforge/command/daemon.go

@@ -30,6 +30,11 @@ var DaemonCmd = &cobra.Command{
 			log.Error("Failed to create request writer", "error", err)
 			os.Exit(1)
 		}
+		reqDb_r, err := storage.NewRequestsRd()
+		if err != nil {
+			log.Error("Failed to create request reader", "error", err)
+			os.Exit(1)
+		}
 		banDb_r, err := storage.NewBanReader()
 		if err != nil {
 			log.Error("Failed to create ban reader", "error", err)
@@ -63,7 +68,7 @@ var DaemonCmd = &cobra.Command{
 			log.Error("Failed to load rules", "error", err)
 			os.Exit(1)
 		}
-		j := judge.New(banDb_r, banDb_w, b, resultCh, entryCh)
+		j := judge.New(banDb_r, banDb_w, reqDb_r, b, resultCh, entryCh)
 		j.LoadRules(r)
 		go j.UnbanChecker()
 		go j.Tribunal()

cmd/banforge/command/rule.go

@@ -61,11 +61,12 @@ var ListCmd = &cobra.Command{
 		}
 		for _, rule := range r {
 			fmt.Printf(
-				"Name: %s\nService: %s\nPath: %s\nStatus: %s\nMethod: %s\n\n",
+				"Name: %s\nService: %s\nPath: %s\nStatus: %s\n MaxRetry: %d\nMethod: %s\n\n",
 				rule.Name,
 				rule.ServiceName,
 				rule.Path,
 				rule.Status,
+				rule.MaxRetry,
 				rule.Method,
 			)
 		}

cmd/banforge/command/version.go

@@ -6,7 +6,7 @@ import (
 	"github.com/spf13/cobra"
 )
 
-var version = "0.4.3"
+var version = "0.5.0"
 
 var VersionCmd = &cobra.Command{
 	Use:   "version",

docs/config.md

@@ -40,6 +40,7 @@ Example:
   service = "nginx"
   path = ""
   status = "304"
+  max_retry = 3
   method = ""
   ban_time = "1m"
 ```

internal/blocker/firewalld.go

@@ -23,6 +23,7 @@ func (f *Firewalld) Ban(ip string) error {
 	if err != nil {
 		return err
 	}
+	// #nosec G204 - ip is validated
 	cmd := exec.Command("firewall-cmd", "--zone=drop", "--add-source", ip, "--permanent")
 	output, err := cmd.CombinedOutput()
 	if err != nil {
@@ -44,6 +45,7 @@ func (f *Firewalld) Unban(ip string) error {
 	if err != nil {
 		return err
 	}
+	// #nosec G204 - ip is validated
 	cmd := exec.Command("firewall-cmd", "--zone=drop", "--remove-source", ip, "--permanent")
 	output, err := cmd.CombinedOutput()
 	if err != nil {
@@ -61,7 +63,7 @@ func (f *Firewalld) Unban(ip string) error {
 }
 
 func (f *Firewalld) PortOpen(port int, protocol string) error {
-	// #nosec G204 - handle is extracted from nftables output and validated
+	// #nosec G204 - handle is extracted from Firewalld output and validated
 	if port >= 0 && port <= 65535 {
 		if protocol != "tcp" && protocol != "udp" {
 			f.logger.Error("invalid protocol")

internal/blocker/iptables.go

@@ -28,6 +28,7 @@ func (f *Iptables) Ban(ip string) error {
 	if err != nil {
 		return err
 	}
+	// #nosec G204 - f.config is validated above via validateConfigPath()
 	cmd := exec.Command("iptables", "-A", "INPUT", "-s", ip, "-j", "DROP")
 	output, err := cmd.CombinedOutput()
 	if err != nil {
@@ -70,6 +71,7 @@ func (f *Iptables) Unban(ip string) error {
 	if err != nil {
 		return err
 	}
+	// #nosec G204 - f.config is validated above via validateConfigPath()
 	cmd := exec.Command("iptables", "-D", "INPUT", "-s", ip, "-j", "DROP")
 	output, err := cmd.CombinedOutput()
 	if err != nil {

internal/blocker/nftables.go

@@ -26,7 +26,7 @@ func (n *Nftables) Ban(ip string) error {
 	if err != nil {
 		return err
 	}
-
+	// #nosec G204 - ip is validated
 	cmd := exec.Command("nft", "add", "rule", "inet", "banforge", "banned",
 		"ip", "saddr", ip, "drop")
 	output, err := cmd.CombinedOutput()
@@ -113,6 +113,7 @@ func (n *Nftables) Setup(config string) error {
 	}
 }
 `
+	// #nosec G204 - config is managed by adminstartor
 	cmd := exec.Command("tee", config)
 	stdin, err := cmd.StdinPipe()
 	if err != nil {
@@ -135,7 +136,7 @@ func (n *Nftables) Setup(config string) error {
 	if err = cmd.Wait(); err != nil {
 		return fmt.Errorf("failed to save config: %w", err)
 	}
-
+	// #nosec G204 - config is managed by adminstartor
 	cmd = exec.Command("nft", "-f", config)
 	output, err := cmd.CombinedOutput()
 	if err != nil {
@@ -253,7 +254,7 @@ func saveNftablesConfig(configPath string) error {
 	if err != nil {
 		return fmt.Errorf("failed to get nftables ruleset: %w", err)
 	}
-
+	// #nosec G204 - managed by system adminstartor
 	cmd = exec.Command("tee", configPath)
 	stdin, err := cmd.StdinPipe()
 	if err != nil {

internal/blocker/ufw.go

@@ -23,7 +23,7 @@ func (u *Ufw) Ban(ip string) error {
 	if err != nil {
 		return err
 	}
-
+	// #nosec G204 - ip is validated
 	cmd := exec.Command("ufw", "--force", "deny", "from", ip)
 	output, err := cmd.CombinedOutput()
 	if err != nil {
@@ -42,7 +42,7 @@ func (u *Ufw) Unban(ip string) error {
 	if err != nil {
 		return err
 	}
-
+	// #nosec G204 - ip is validated
 	cmd := exec.Command("ufw", "--force", "delete", "deny", "from", ip)
 	output, err := cmd.CombinedOutput()
 	if err != nil {

internal/config/types.go

@@ -28,5 +28,6 @@ type Rule struct {
 	Path        string `toml:"path"`
 	Status      string `toml:"status"`
 	Method      string `toml:"method"`
+	MaxRetry    int    `toml:"max_retry"`
 	BanTime     string `toml:"ban_time"`
 }

internal/judge/judge.go

@@ -14,6 +14,7 @@ import (
 type Judge struct {
 	db_r           *storage.BanReader
 	db_w           *storage.BanWriter
+	db_rq          *storage.RequestReader
 	logger         *logger.Logger
 	Blocker        blocker.BlockerEngine
 	rulesByService map[string][]config.Rule
@@ -24,6 +25,7 @@ type Judge struct {
 func New(
 	db_r *storage.BanReader,
 	db_w *storage.BanWriter,
+	db_rq *storage.RequestReader,
 	b blocker.BlockerEngine,
 	resultCh chan *storage.LogEntry,
 	entryCh chan *storage.LogEntry,
@@ -31,6 +33,7 @@ func New(
 	return &Judge{
 		db_w:           db_w,
 		db_r:           db_r,
+		db_rq:          db_rq,
 		logger:         logger.New(false),
 		rulesByService: make(map[string][]config.Rule),
 		Blocker:        b,
@@ -75,31 +78,28 @@ func (j *Judge) Tribunal() {
 			methodMatch := rule.Method == "" || entry.Method == rule.Method
 			statusMatch := rule.Status == "" || entry.Status == rule.Status
 			pathMatch := matchPath(entry.Path, rule.Path)
-
-			j.logger.Debug(
-				"Testing rule",
-				"rule", rule.Name,
-				"method_match", methodMatch,
-				"status_match", statusMatch,
-				"path_match", pathMatch,
-			)
-
 			if methodMatch && statusMatch && pathMatch {
 				ruleMatched = true
 				j.logger.Info("Rule matched", "rule", rule.Name, "ip", entry.IP)
-
+				j.resultCh <- entry
 				banned, err := j.db_r.IsBanned(entry.IP)
 				if err != nil {
 					j.logger.Error("Failed to check ban status", "ip", entry.IP, "error", err)
 					break
 				}
-
 				if banned {
 					j.logger.Info("IP already banned", "ip", entry.IP)
-					j.resultCh <- entry
 					break
 				}
-
+				exceeded, err := j.db_rq.IsMaxRetryExceeded(entry.IP, rule.MaxRetry)
+				if err != nil {
+					j.logger.Error("Failed to check retry count", "ip", entry.IP, "error", err)
+					break
+				}
+				if !exceeded {
+					j.logger.Info("Max retry not exceeded", "ip", entry.IP)
+					break
+				}
 				err = j.db_w.AddBan(entry.IP, rule.BanTime, rule.Name)
 				if err != nil {
 					j.logger.Error(
@@ -127,7 +127,6 @@ func (j *Judge) Tribunal() {
 					"ban_time",
 					rule.BanTime,
 				)
-				j.resultCh <- entry
 				break
 			}
 		}

internal/parser/parser.go

@@ -24,6 +24,7 @@ type Scanner struct {
 }
 
 func NewScannerTail(path string) (*Scanner, error) {
+	// #nosec G204 - managed by system adminstartor
 	cmd := exec.Command("tail", "-F", "-n", "10", path)
 	stdout, err := cmd.StdoutPipe()
 	if err != nil {
@@ -46,6 +47,7 @@ func NewScannerTail(path string) (*Scanner, error) {
 }
 
 func NewScannerJournald(unit string) (*Scanner, error) {
+	// #nosec G204 - managed by system adminstartor
 	cmd := exec.Command("journalctl", "-u", unit, "-f", "-n", "0", "-o", "short", "--no-pager")
 	stdout, err := cmd.StdoutPipe()
 	if err != nil {

internal/storage/requests_db.go

@@ -28,3 +28,36 @@ func NewRequestsWr() (*RequestWriter, error) {
 		db:     db,
 	}, nil
 }
+
+type RequestReader struct {
+	logger *logger.Logger
+	db     *sql.DB
+}
+
+func NewRequestsRd() (*RequestReader, error) {
+	db, err := sql.Open(
+		"sqlite",
+		buildSqliteDsn(ReqDBPath, pragmas),
+	)
+	if err != nil {
+		return nil, err
+	}
+	db.SetMaxOpenConns(1)
+	db.SetMaxIdleConns(1)
+	db.SetConnMaxLifetime(0)
+	return &RequestReader{
+		logger: logger.New(false),
+		db:     db,
+	}, nil
+}
+
+func (r *RequestReader) IsMaxRetryExceeded(ip string, maxRetry int) (bool, error) {
+	var count int
+	err := r.db.QueryRow("SELECT COUNT(*) FROM requests WHERE ip = ?", ip).Scan(&count)
+	if err != nil {
+		r.logger.Error("error query count: " + err.Error())
+		return false, err
+	}
+	r.logger.Info("Current request count for IP", "ip", ip, "count", count, "maxRetry", maxRetry)
+	return count >= maxRetry, nil
+}

internal/storage/writer.go

@@ -94,3 +94,13 @@ func WriteReq(db *RequestWriter, resultCh <-chan *LogEntry) {
 		}
 	}
 }
+
+func (w *RequestWriter) GetRequestCount() (int, error) {
+	var count int
+	err := w.db.QueryRow("SELECT COUNT(*) FROM requests").Scan(&count)
+	return count, err
+}
+
+func (w *RequestWriter) Close() error {
+	return w.db.Close()
+}

internal/storage/writer_test.go

@@ -299,21 +299,3 @@ func (w *RequestWriter) CreateTable() error {
 	w.logger.Info("Created requests table")
 	return nil
 }
-
-func (w *RequestWriter) Close() error {
-	w.logger.Info("Closing request database connection")
-	err := w.db.Close()
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-func (w *RequestWriter) GetRequestCount() (int, error) {
-	var count int
-	err := w.db.QueryRow("SELECT COUNT(*) FROM requests").Scan(&count)
-	if err != nil {
-		return 0, err
-	}
-	return count, nil
-}