fix: linter run and gosec fix

cmd/banforge/command/daemon.go

@@ -60,6 +60,11 @@ var DaemonCmd = &cobra.Command{
 			log.Error("Failed to load config", "error", err)
 			os.Exit(1)
 		}
+		_, err = config.LoadMetricsConfig()
+		if err != nil {
+			log.Error("Failed to load metrics config", "error", err)
+			os.Exit(1)
+		}
 		var b blocker.BlockerEngine
 		fw := cfg.Firewall.Name
 		b = blocker.GetBlocker(fw, cfg.Firewall.Config)

cmd/banforge/command/rule.go

@@ -15,6 +15,7 @@ var (
 	status    string
 	method    string
 	ttl       string
+	max_retry int
 )
 
 var RuleCmd = &cobra.Command{
@@ -41,7 +42,7 @@ var AddCmd = &cobra.Command{
 		if ttl == "" {
 			ttl = "1y"
 		}
-		err := config.NewRule(name, service, path, status, method, ttl)
+		err := config.NewRule(name, service, path, status, method, ttl, max_retry)
 		if err != nil {
 			fmt.Println(err)
 			os.Exit(1)
@@ -82,4 +83,5 @@ func RuleRegister() {
 	AddCmd.Flags().StringVarP(&status, "status", "c", "", "status code")
 	AddCmd.Flags().StringVarP(&method, "method", "m", "", "method")
 	AddCmd.Flags().StringVarP(&ttl, "ttl", "t", "", "ban time")
+	AddCmd.Flags().IntVarP(&max_retry, "max_retry", "r", 0, "max retry")
 }

cmd/banforge/command/version.go

@@ -6,7 +6,7 @@ import (
 	"github.com/spf13/cobra"
 )
 
-var version = "0.5.0"
+var version = "0.5.2"
 
 var VersionCmd = &cobra.Command{
 	Use:   "version",

docs/cli.md

@@ -79,5 +79,6 @@ These command help you to create and manage detection rules in CLI interface.
 | -m -method  | -        |
 | -c -status  | -        |
 | -t -ttl     | -(if not used default ban 1 year)        |
+| -r -max_retry | -        |
 
 You must specify at least 1 of the optional flags to create a rule.

docs/config.md

@@ -47,4 +47,5 @@ Example:
 **Description**
 The [[rule]] section require name and one of the following parameters: service, path, status, method. To add a rule, create a [[rule]] block and specify the parameters.
 ban_time require in format "1m", "1h", "1d", "1M", "1y".
-If you want to ban all requests to PHP files (e.g., path = "*.php") or requests to the admin panel (e.g., path = "/admin/*")
+If you want to ban all requests to PHP files (e.g., path = "*.php") or requests to the admin panel (e.g., path = "/admin/*").
+If max_retry = 0 ban on first request.

internal/config/appconf.go

@@ -10,8 +10,25 @@ import (
 
 	"github.com/BurntSushi/toml"
 	"github.com/d3m0k1d/BanForge/internal/logger"
+	"github.com/d3m0k1d/BanForge/internal/metrics"
 )
 
+func LoadMetricsConfig() (*Metrics, error) {
+	cfg := &Metrics{}
+	_, err := toml.DecodeFile("/etc/banforge/config.toml", cfg)
+	if err != nil {
+		return nil, fmt.Errorf("failed to decode config: %w", err)
+	}
+
+	if cfg.Enabled && cfg.Port > 0 && cfg.Port < 65535 {
+		go metrics.StartMetricsServer(cfg.Port)
+	} else if cfg.Enabled {
+		fmt.Println("Metrics enabled but port invalid, not starting server")
+	}
+
+	return cfg, nil
+}
+
 func LoadRuleConfig() ([]Rule, error) {
 	log := logger.New(false)
 	var cfg Rules
@@ -33,6 +50,7 @@ func NewRule(
 	Status string,
 	Method string,
 	ttl string,
+	max_retry int,
 ) error {
 	r, err := LoadRuleConfig()
 	if err != nil {
@@ -51,6 +69,7 @@ func NewRule(
 			Status:      Status,
 			Method:      Method,
 			BanTime:     ttl,
+			MaxRetry:    max_retry,
 		},
 	)
 	file, err := os.Create("/etc/banforge/rules.toml")

internal/config/template.go

@@ -8,6 +8,10 @@ const Base_config = `
 name = ""
 config = "/etc/nftables.conf"
 
+[metrics]
+enabled = false
+port = 2122
+
 [[service]]
 name = "nginx"
 logging = "file"

internal/config/types.go

@@ -14,6 +14,7 @@ type Service struct {
 
 type Config struct {
 	Firewall Firewall  `toml:"firewall"`
+	Metrics  Metrics   `toml:"metrics"`
 	Service  []Service `toml:"service"`
 }
 
@@ -31,3 +32,8 @@ type Rule struct {
 	MaxRetry    int    `toml:"max_retry"`
 	BanTime     string `toml:"ban_time"`
 }
+
+type Metrics struct {
+	Enabled bool `toml:"enabled"`
+	Port    int  `toml:"port"`
+}

internal/metrics/metrics.go

@@ -0,0 +1,78 @@
+package metrics
+
+import (
+	"fmt"
+	"log"
+	"net/http"
+	"sync"
+	"time"
+)
+
+var (
+	metricsMu sync.RWMutex
+	metrics   = make(map[string]int64)
+)
+
+func IncBan(service string) {
+	metricsMu.Lock()
+	metrics["ban_count"]++
+	metrics[service+"_bans"]++
+	metricsMu.Unlock()
+}
+
+func IncUnban(service string) {
+	metricsMu.Lock()
+	metrics["unban_count"]++
+	metrics[service+"_unbans"]++
+	metricsMu.Unlock()
+}
+
+func IncRuleMatched(rule_name string) {
+	metricsMu.Lock()
+	metrics[rule_name+"_rule_matched"]++
+	metricsMu.Unlock()
+}
+
+func IncLogParsed() {
+	metricsMu.Lock()
+	metrics["log_parsed"]++
+	metricsMu.Unlock()
+}
+
+func MetricsHandler() http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		metricsMu.RLock()
+		snapshot := make(map[string]int64, len(metrics))
+		for k, v := range metrics {
+			snapshot[k] = v
+		}
+		metricsMu.RUnlock()
+
+		w.Header().Set("Content-Type", "text/plain; version=0.0.4")
+
+		for name, value := range snapshot {
+			metricName := name + "_total"
+			_, _ = fmt.Fprintf(w, "# TYPE %s counter\n", metricName)
+			_, _ = fmt.Fprintf(w, "%s %d\n", metricName, value)
+		}
+	})
+}
+
+func StartMetricsServer(port int) {
+	mux := http.NewServeMux()
+	mux.Handle("/metrics", MetricsHandler())
+
+	server := &http.Server{
+		Addr:         fmt.Sprintf(":%d", port),
+		Handler:      mux,
+		ReadTimeout:  5 * time.Second,
+		WriteTimeout: 10 * time.Second,
+		IdleTimeout:  15 * time.Second,
+	}
+
+	log.Printf("Starting metrics server on %s", server.Addr)
+	if err := server.ListenAndServe(); err != nil && err != http.ErrServerClosed {
+		log.Printf("Metrics server error: %v", err)
+	}
+}
+

internal/storage/requests_db.go

@@ -53,6 +53,9 @@ func NewRequestsRd() (*RequestReader, error) {
 
 func (r *RequestReader) IsMaxRetryExceeded(ip string, maxRetry int) (bool, error) {
 	var count int
+	if maxRetry == 0 {
+		return true, nil
+	}
 	err := r.db.QueryRow("SELECT COUNT(*) FROM requests WHERE ip = ?", ip).Scan(&count)
 	if err != nil {
 		r.logger.Error("error query count: " + err.Error())