Implemented probation

diff --git a/TODO b/TODO
index 4745a253971432ad58552de955b92dcef6578528..f992cea4ea8cc8dc8c2fd0bf8ca4ef3c6317e7d3 100644 (file)
--- a/TODO
+++ b/TODO
@@ -1,5 +1,6 @@
 - location of default config file
 - configurable names of PAM modules
+- per-account weights
 
 Doc:
 - ipset create bouncer4 hash:ip family inet

diff --git a/bouncer.c b/bouncer.c
index 41f85ea58caf9eb0847e51eaf3b3975d83e63af6..a74e5496c3ead43e3ccc21461157b82ce00ae816 100644 (file)
--- a/bouncer.c
+++ b/bouncer.c
@@ -92,6 +92,7 @@ static uns max_suspect_time = 86400;
 static uns max_banned_time = 86400;
 static uns max_suspects = ~0U;
 static uns max_banned = ~0U;
+static uns probation;
 static char *ipv4_set;
 static char *ipv6_set;
 static char *config_log_stream;
@@ -104,6 +105,7 @@ static struct cf_section bouncer_cf = {
     CF_UNS("MaxSuspectTime", &max_suspect_time),
     CF_UNS("MaxBannedTime", &max_banned_time),
     CF_UNS("MaxFailures", &max_failures),
+    CF_UNS("Probation", &probation),
     CF_STRING("IPv4Set", &ipv4_set),
     CF_STRING("IPv6Set", &ipv6_set),
     CF_STRING("LogStream", &config_log_stream),
@@ -271,25 +273,38 @@ static void cleanup_list(clist *list, uns *counter, timestamp_t max_time, uns ma
          break;
        }
 
+      clist_remove(&c->n);
+      (*counter)--;
+
       if (c->banned)
        {
          msg(L_INFO, "Unbanning %s", AFMT(c->addr));
          is_modify(0, c->addr);
+         if (probation)
+           {
+             c->banned = 0;
+             c->last_fail = now;
+             c->fail_count = max_failures - probation;
+             clist_add_tail(&suspect_list, &c->n);
+             num_suspects++;
+             msg(L_DEBUG, "Suspect %s: probation, failures=%u", AFMT(c->addr), c->fail_count);
+           }
+         else
+           culprit_remove(c);
        }
       else
-       msg(L_DEBUG, "Suspect %s: acquitted", AFMT(c->addr));
-
-      clist_remove(&c->n);
-      culprit_remove(c);
-      (*counter)--;
+       {
+         msg(L_DEBUG, "Suspect %s: acquitted", AFMT(c->addr));
+         culprit_remove(c);
+       }
     }
 }
 
 static void culprit_cleanup(void)
 {
   timestamp_t next_cleanup = main_get_now() + (timestamp_t)3600 * 1000;
-  cleanup_list(&suspect_list, &num_suspects, (timestamp_t)max_suspect_time * 1000, max_suspects, &next_cleanup);
   cleanup_list(&banned_list, &num_banned, (timestamp_t)max_banned_time * 1000, max_banned, &next_cleanup);
+  cleanup_list(&suspect_list, &num_suspects, (timestamp_t)max_suspect_time * 1000, max_suspects, &next_cleanup);
   timer_add(&cleanup_timer, next_cleanup);
 }
 

diff --git a/config b/config
index e8303b6f948c3b747ccd861ae9d1464c17da8a41..e3c9873291749245c143a01bc8f040e5fd0ab59d 100644 (file)
--- a/config
+++ b/config
@@ -9,11 +9,15 @@ MaxFailures   10
 
 # When a suspect address generates no more failure for this many seconds,
 # it is forgotten.
-MaxSuspectTime 300
+MaxSuspectTime 600
 
 # Bans are lifted after this many seconds.
 MaxBannedTime  3600
 
+# When a ban is lifted, the address is again considered suspect
+# and its number of failures is set to MaxFailures - Probation (0=disable).
+Probation      2
+
 # Limit on the number of suspect addresses and bans we keep in memory
 MaxSuspects    1000
 MaxBanned      1000