Compare commits
5 Commits
v0.4.2
...
5fd2a53541
| Author | SHA1 | Date | |
|---|---|---|---|
|
5fd2a53541 | ||
|
|
5dbacc765f | ||
|
|
d437512d24 | ||
|
|
c1a3110b79 | ||
|
|
4e52d43d04 |
@@ -1,86 +0,0 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"log"
|
||||
|
||||
"github.com/d3m0k1d/BanForge/internal/blocker"
|
||||
"github.com/d3m0k1d/BanForge/internal/logger"
|
||||
)
|
||||
|
||||
func main() {
|
||||
// Initialize logger
|
||||
appLogger := logger.New(true)
|
||||
|
||||
// Create factory
|
||||
factory := blocker.NewBlockerFactory(appLogger)
|
||||
|
||||
// Example 1: List all available blockers
|
||||
fmt.Println("Available blockers:")
|
||||
for _, name := range blocker.ListAvailable(appLogger) {
|
||||
fmt.Printf(" - %s\n", name)
|
||||
}
|
||||
|
||||
// Example 2: Use nftables
|
||||
fmt.Println("\n=== NFTables Example ===")
|
||||
nftBlocker, err := factory.Create(blocker.BlockerTypeNftables, "/etc/nftables.conf")
|
||||
if err != nil {
|
||||
log.Fatalf("failed to create nftables blocker: %v", err)
|
||||
}
|
||||
|
||||
// Check if available
|
||||
if !nftBlocker.IsAvailable() {
|
||||
fmt.Println("NFTables is not available on this system")
|
||||
} else {
|
||||
fmt.Printf("Blocker: %s\n", nftBlocker.Name())
|
||||
|
||||
// Setup
|
||||
if err := nftBlocker.Setup(); err != nil {
|
||||
fmt.Printf("Failed to setup: %v\n", err)
|
||||
}
|
||||
|
||||
// Ban an IP
|
||||
if err := nftBlocker.Ban("192.168.1.100"); err != nil {
|
||||
fmt.Printf("Failed to ban IP: %v\n", err)
|
||||
}
|
||||
|
||||
// List banned IPs
|
||||
bannedIPs, err := nftBlocker.List()
|
||||
if err != nil {
|
||||
fmt.Printf("Failed to list IPs: %v\n", err)
|
||||
} else {
|
||||
fmt.Println("Banned IPs:")
|
||||
for _, ip := range bannedIPs {
|
||||
fmt.Printf(" - %s\n", ip)
|
||||
}
|
||||
}
|
||||
|
||||
// Cleanup
|
||||
if err := nftBlocker.Close(); err != nil {
|
||||
fmt.Printf("Failed to close: %v\n", err)
|
||||
}
|
||||
}
|
||||
|
||||
// Example 3: Use UFW
|
||||
fmt.Println("\n=== UFW Example ===")
|
||||
ufwBlocker, err := factory.Create(blocker.BlockerTypeUfw, "")
|
||||
if err != nil {
|
||||
log.Fatalf("failed to create ufw blocker: %v", err)
|
||||
}
|
||||
|
||||
if !ufwBlocker.IsAvailable() {
|
||||
fmt.Println("UFW is not available on this system")
|
||||
} else {
|
||||
fmt.Printf("Blocker: %s\n", ufwBlocker.Name())
|
||||
// UFW operations...
|
||||
}
|
||||
|
||||
// Example 4: Create from string type
|
||||
fmt.Println("\n=== String Type Example ===")
|
||||
|
||||
blocker, err := factory.CreateFromString("ufw", "")
|
||||
if err != nil {
|
||||
log.Fatalf("failed to create blocker: %v", err)
|
||||
}
|
||||
fmt.Printf("Created blocker: %s\n", blocker.Name())
|
||||
}
|
||||
@@ -1,65 +0,0 @@
|
||||
package blocker
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
|
||||
"github.com/d3m0k1d/BanForge/internal/logger"
|
||||
)
|
||||
|
||||
// BlockerType defines the type of firewall blocker
|
||||
type BlockerType string
|
||||
|
||||
const (
|
||||
BlockerTypeNftables BlockerType = "nftables"
|
||||
BlockerTypeIptables BlockerType = "iptables"
|
||||
BlockerTypeFirewalld BlockerType = "firewalld"
|
||||
BlockerTypeUfw BlockerType = "ufw"
|
||||
)
|
||||
|
||||
// BlockerFactory creates new blocker instances
|
||||
type BlockerFactory struct {
|
||||
logger *logger.Logger
|
||||
}
|
||||
|
||||
// NewBlockerFactory creates a new blocker factory
|
||||
func NewBlockerFactory(logger *logger.Logger) *BlockerFactory {
|
||||
return &BlockerFactory{
|
||||
logger: logger,
|
||||
}
|
||||
}
|
||||
|
||||
// Create creates a new blocker instance of the specified type
|
||||
func (bf *BlockerFactory) Create(btype BlockerType, config string) (BlockerEngine, error) {
|
||||
switch btype {
|
||||
case BlockerTypeNftables:
|
||||
return NewNftables(bf.logger, config), nil
|
||||
case BlockerTypeIptables:
|
||||
return NewIptables(bf.logger, config), nil
|
||||
case BlockerTypeFirewalld:
|
||||
return NewFirewalld(bf.logger), nil
|
||||
case BlockerTypeUfw:
|
||||
return NewUfw(bf.logger), nil
|
||||
default:
|
||||
return nil, fmt.Errorf("unknown blocker type: %s", btype)
|
||||
}
|
||||
}
|
||||
|
||||
// CreateFromString creates a blocker from string type name
|
||||
func (bf *BlockerFactory) CreateFromString(typename, config string) (BlockerEngine, error) {
|
||||
return bf.Create(BlockerType(typename), config)
|
||||
}
|
||||
|
||||
// ListAvailable returns all available blocker types
|
||||
func ListAvailable(logger *logger.Logger) []string {
|
||||
factory := NewBlockerFactory(logger)
|
||||
var available []string
|
||||
|
||||
for _, btype := range []BlockerType{BlockerTypeNftables, BlockerTypeIptables, BlockerTypeFirewalld, BlockerTypeUfw} {
|
||||
blocker, err := factory.Create(btype, "")
|
||||
if err == nil && blocker.IsAvailable() {
|
||||
available = append(available, blocker.Name())
|
||||
}
|
||||
}
|
||||
|
||||
return available
|
||||
}
|
||||
@@ -1,19 +1,6 @@
|
||||
package blocker
|
||||
|
||||
// BlockerEngine defines the interface for all firewall implementations
|
||||
type BlockerEngine interface {
|
||||
// Core operations
|
||||
Ban(ip string) error
|
||||
Unban(ip string) error
|
||||
|
||||
// Lifecycle management
|
||||
Setup() error
|
||||
Close() error
|
||||
|
||||
// Query operations
|
||||
List() ([]string, error)
|
||||
|
||||
// Metadata
|
||||
Name() string
|
||||
IsAvailable() bool
|
||||
}
|
||||
|
||||
@@ -20,139 +20,6 @@ func NewNftables(logger *logger.Logger, config string) *Nftables {
|
||||
}
|
||||
}
|
||||
|
||||
// Name returns the blocker engine name
|
||||
func (n *Nftables) Name() string {
|
||||
return "nftables"
|
||||
}
|
||||
|
||||
// IsAvailable checks if nftables is available in the system
|
||||
func (n *Nftables) IsAvailable() bool {
|
||||
cmd := exec.Command("which", "nft")
|
||||
return cmd.Run() == nil
|
||||
}
|
||||
|
||||
// Setup initializes nftables with required tables and chains
|
||||
func (n *Nftables) Setup() error {
|
||||
return SetupNftables(n.config)
|
||||
}
|
||||
|
||||
// Ban adds an IP to the banned list
|
||||
func (n *Nftables) Ban(ip string) error {
|
||||
err := validateIP(ip)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
cmd := exec.Command("sudo", "nft", "add", "rule", "inet", "banforge", "banned",
|
||||
"ip", "saddr", ip, "drop")
|
||||
output, err := cmd.CombinedOutput()
|
||||
if err != nil {
|
||||
n.logger.Error("failed to ban IP",
|
||||
"ip", ip,
|
||||
"error", err.Error(),
|
||||
"output", string(output))
|
||||
return err
|
||||
}
|
||||
|
||||
n.logger.Info("IP banned", "ip", ip)
|
||||
|
||||
err = saveNftablesConfig(n.config)
|
||||
if err != nil {
|
||||
n.logger.Error("failed to save config",
|
||||
"config_path", n.config,
|
||||
"error", err.Error())
|
||||
return err
|
||||
}
|
||||
|
||||
n.logger.Info("config saved", "config_path", n.config)
|
||||
return nil
|
||||
}
|
||||
|
||||
// Unban removes an IP from the banned list
|
||||
func (n *Nftables) Unban(ip string) error {
|
||||
err := validateIP(ip)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
handle, err := n.findRuleHandle(ip)
|
||||
if err != nil {
|
||||
n.logger.Error("failed to find rule handle",
|
||||
"ip", ip,
|
||||
"error", err.Error())
|
||||
return err
|
||||
}
|
||||
|
||||
if handle == "" {
|
||||
n.logger.Warn("no rule found for IP", "ip", ip)
|
||||
return fmt.Errorf("no rule found for IP %s", ip)
|
||||
}
|
||||
// #nosec G204 - handle is extracted from nftables output and validated
|
||||
cmd := exec.Command("sudo", "nft", "delete", "rule", "inet", "banforge", "banned",
|
||||
"handle", handle)
|
||||
output, err := cmd.CombinedOutput()
|
||||
if err != nil {
|
||||
n.logger.Error("failed to unban IP",
|
||||
"ip", ip,
|
||||
"handle", handle,
|
||||
"error", err.Error(),
|
||||
"output", string(output))
|
||||
return err
|
||||
}
|
||||
|
||||
n.logger.Info("IP unbanned", "ip", ip, "handle", handle)
|
||||
|
||||
err = saveNftablesConfig(n.config)
|
||||
if err != nil {
|
||||
n.logger.Error("failed to save config",
|
||||
"config_path", n.config,
|
||||
"error", err.Error())
|
||||
return err
|
||||
}
|
||||
|
||||
n.logger.Info("config saved", "config_path", n.config)
|
||||
return nil
|
||||
}
|
||||
|
||||
// List returns all currently banned IPs
|
||||
func (n *Nftables) List() ([]string, error) {
|
||||
cmd := exec.Command("sudo", "nft", "-a", "list", "chain", "inet", "banforge", "banned")
|
||||
output, err := cmd.CombinedOutput()
|
||||
if err != nil {
|
||||
n.logger.Error("failed to list banned IPs",
|
||||
"error", err.Error(),
|
||||
"output", string(output))
|
||||
return nil, err
|
||||
}
|
||||
|
||||
var bannedIPs []string
|
||||
lines := strings.Split(string(output), "\n")
|
||||
for _, line := range lines {
|
||||
if strings.Contains(line, "drop") && strings.Contains(line, "saddr") {
|
||||
// Extract IP from line like: ip saddr 10.0.0.1 drop # handle 2
|
||||
parts := strings.Fields(line)
|
||||
for i, part := range parts {
|
||||
if part == "saddr" && i+1 < len(parts) {
|
||||
ip := parts[i+1]
|
||||
if validateIP(ip) == nil {
|
||||
bannedIPs = append(bannedIPs, ip)
|
||||
}
|
||||
break
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return bannedIPs, nil
|
||||
}
|
||||
|
||||
// Close performs cleanup operations (placeholder for future use)
|
||||
func (n *Nftables) Close() error {
|
||||
// No cleanup needed for nftables
|
||||
n.logger.Info("nftables blocker closed")
|
||||
return nil
|
||||
}
|
||||
|
||||
func SetupNftables(config string) error {
|
||||
err := validateConfigPath(config)
|
||||
if err != nil {
|
||||
@@ -205,6 +72,82 @@ func SetupNftables(config string) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
func (n *Nftables) Ban(ip string) error {
|
||||
err := validateIP(ip)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
cmd := exec.Command("sudo", "nft", "add", "rule", "inet", "banforge", "banned",
|
||||
"ip", "saddr", ip, "drop")
|
||||
output, err := cmd.CombinedOutput()
|
||||
if err != nil {
|
||||
n.logger.Error("failed to ban IP",
|
||||
"ip", ip,
|
||||
"error", err.Error(),
|
||||
"output", string(output))
|
||||
return err
|
||||
}
|
||||
|
||||
n.logger.Info("IP banned", "ip", ip)
|
||||
|
||||
err = saveNftablesConfig(n.config)
|
||||
if err != nil {
|
||||
n.logger.Error("failed to save config",
|
||||
"config_path", n.config,
|
||||
"error", err.Error())
|
||||
return err
|
||||
}
|
||||
|
||||
n.logger.Info("config saved", "config_path", n.config)
|
||||
return nil
|
||||
}
|
||||
|
||||
func (n *Nftables) Unban(ip string) error {
|
||||
err := validateIP(ip)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
handle, err := n.findRuleHandle(ip)
|
||||
if err != nil {
|
||||
n.logger.Error("failed to find rule handle",
|
||||
"ip", ip,
|
||||
"error", err.Error())
|
||||
return err
|
||||
}
|
||||
|
||||
if handle == "" {
|
||||
n.logger.Warn("no rule found for IP", "ip", ip)
|
||||
return fmt.Errorf("no rule found for IP %s", ip)
|
||||
}
|
||||
// #nosec G204 - handle is extracted from nftables output and validated
|
||||
cmd := exec.Command("sudo", "nft", "delete", "rule", "inet", "banforge", "banned",
|
||||
"handle", handle)
|
||||
output, err := cmd.CombinedOutput()
|
||||
if err != nil {
|
||||
n.logger.Error("failed to unban IP",
|
||||
"ip", ip,
|
||||
"handle", handle,
|
||||
"error", err.Error(),
|
||||
"output", string(output))
|
||||
return err
|
||||
}
|
||||
|
||||
n.logger.Info("IP unbanned", "ip", ip, "handle", handle)
|
||||
|
||||
err = saveNftablesConfig(n.config)
|
||||
if err != nil {
|
||||
n.logger.Error("failed to save config",
|
||||
"config_path", n.config,
|
||||
"error", err.Error())
|
||||
return err
|
||||
}
|
||||
|
||||
n.logger.Info("config saved", "config_path", n.config)
|
||||
return nil
|
||||
}
|
||||
|
||||
func (n *Nftables) findRuleHandle(ip string) (string, error) {
|
||||
cmd := exec.Command("sudo", "nft", "-a", "list", "chain", "inet", "banforge", "banned")
|
||||
output, err := cmd.CombinedOutput()
|
||||
|
||||
@@ -1,9 +1,7 @@
|
||||
package blocker
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"os/exec"
|
||||
"strings"
|
||||
|
||||
"github.com/d3m0k1d/BanForge/internal/logger"
|
||||
)
|
||||
@@ -18,119 +16,32 @@ func NewUfw(logger *logger.Logger) *Ufw {
|
||||
}
|
||||
}
|
||||
|
||||
// Name returns the blocker engine name
|
||||
func (u *Ufw) Name() string {
|
||||
return "ufw"
|
||||
}
|
||||
|
||||
// IsAvailable checks if ufw is available in the system
|
||||
func (u *Ufw) IsAvailable() bool {
|
||||
cmd := exec.Command("which", "ufw")
|
||||
return cmd.Run() == nil
|
||||
}
|
||||
|
||||
// Setup initializes UFW (if not already enabled)
|
||||
func (u *Ufw) Setup() error {
|
||||
// Check if UFW is enabled
|
||||
cmd := exec.Command("sudo", "ufw", "status")
|
||||
output, err := cmd.CombinedOutput()
|
||||
|
||||
if err != nil || !strings.Contains(string(output), "active") {
|
||||
u.logger.Warn("UFW is not active, attempting to enable...")
|
||||
cmd := exec.Command("sudo", "ufw", "--force", "enable")
|
||||
output, err := cmd.CombinedOutput()
|
||||
if err != nil {
|
||||
u.logger.Error("failed to enable UFW",
|
||||
"error", err.Error(),
|
||||
"output", string(output))
|
||||
return fmt.Errorf("failed to enable UFW: %w", err)
|
||||
}
|
||||
u.logger.Info("UFW enabled successfully")
|
||||
}
|
||||
|
||||
u.logger.Info("UFW setup completed")
|
||||
return nil
|
||||
}
|
||||
|
||||
// Ban adds an IP to the deny list
|
||||
func (u *Ufw) Ban(ip string) error {
|
||||
func (ufw *Ufw) Ban(ip string) error {
|
||||
err := validateIP(ip)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
cmd := exec.Command("sudo", "ufw", "--force", "deny", "from", ip)
|
||||
output, err := cmd.CombinedOutput()
|
||||
if err != nil {
|
||||
u.logger.Error("failed to ban IP",
|
||||
"ip", ip,
|
||||
"error", err.Error(),
|
||||
"output", string(output))
|
||||
return fmt.Errorf("failed to ban IP %s: %w", ip, err)
|
||||
ufw.logger.Error(err.Error())
|
||||
return err
|
||||
}
|
||||
|
||||
u.logger.Info("IP banned", "ip", ip, "output", string(output))
|
||||
ufw.logger.Info("Banning " + ip + " " + string(output))
|
||||
return nil
|
||||
}
|
||||
|
||||
// Unban removes an IP from the deny list
|
||||
func (u *Ufw) Unban(ip string) error {
|
||||
func (ufw *Ufw) Unban(ip string) error {
|
||||
err := validateIP(ip)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
cmd := exec.Command("sudo", "ufw", "--force", "delete", "deny", "from", ip)
|
||||
output, err := cmd.CombinedOutput()
|
||||
if err != nil {
|
||||
u.logger.Error("failed to unban IP",
|
||||
"ip", ip,
|
||||
"error", err.Error(),
|
||||
"output", string(output))
|
||||
return fmt.Errorf("failed to unban IP %s: %w", ip, err)
|
||||
ufw.logger.Error(err.Error())
|
||||
return err
|
||||
}
|
||||
|
||||
u.logger.Info("IP unbanned", "ip", ip, "output", string(output))
|
||||
return nil
|
||||
}
|
||||
|
||||
// List returns all currently denied IPs
|
||||
func (u *Ufw) List() ([]string, error) {
|
||||
cmd := exec.Command("sudo", "ufw", "status", "numbered")
|
||||
output, err := cmd.CombinedOutput()
|
||||
if err != nil {
|
||||
u.logger.Error("failed to list UFW rules",
|
||||
"error", err.Error(),
|
||||
"output", string(output))
|
||||
return nil, fmt.Errorf("failed to list UFW rules: %w", err)
|
||||
}
|
||||
|
||||
var deniedIPs []string
|
||||
lines := strings.Split(string(output), "\n")
|
||||
for _, line := range lines {
|
||||
// Looking for lines with "Deny" and "From"
|
||||
if strings.Contains(line, "Deny") && strings.Contains(line, "Anywhere on") {
|
||||
// Parse UFW status output format
|
||||
parts := strings.Fields(line)
|
||||
for i, part := range parts {
|
||||
// Extract IP that comes after "from"
|
||||
if part == "from" && i+1 < len(parts) {
|
||||
ip := parts[i+1]
|
||||
if validateIP(ip) == nil {
|
||||
deniedIPs = append(deniedIPs, ip)
|
||||
}
|
||||
break
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return deniedIPs, nil
|
||||
}
|
||||
|
||||
// Close performs cleanup operations (placeholder for future use)
|
||||
func (u *Ufw) Close() error {
|
||||
// No cleanup needed for UFW
|
||||
u.logger.Info("UFW blocker closed")
|
||||
ufw.logger.Info("Unbanning " + ip + " " + string(output))
|
||||
return nil
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user