crowdsecurity
diff --git a/‎cmd/root.go
+20-4 b/‎cmd/root.go
+20-4
diff --git a/‎pkg/backend/backend.go
+7 b/‎pkg/backend/backend.go
+7
diff --git a/‎pkg/cfg/config.go
+3 b/‎pkg/cfg/config.go
+3
diff --git a/‎pkg/cfg/logging.go
+3 b/‎pkg/cfg/logging.go
+3
diff --git a/‎pkg/iptables/iptables.go
+24-2 b/‎pkg/iptables/iptables.go
+24-2
@@ -28,12 +28,11 @@ import (
 	"github.com/crowdsecurity/cs-firewall-bouncer/pkg/metrics"
 )
 
-const (
-	name = "crowdsec-firewall-bouncer"
-)
+const name = "crowdsec-firewall-bouncer"
 
 func backendCleanup(backend *backend.BackendCTX) {
 	log.Info("Shutting down backend")
+
 	if err := backend.ShutDown(); err != nil {
 		log.Errorf("while shutting down backend: %s", err)
 	}
@@ -54,22 +53,27 @@ func HandleSignals(ctx context.Context) error {
 	case <-ctx.Done():
 		return ctx.Err()
 	}
+
 	return nil
 }
 
 func deleteDecisions(backend *backend.BackendCTX, decisions []*models.Decision, config *cfg.BouncerConfig) {
 	nbDeletedDecisions := 0
+
 	for _, d := range decisions {
 		if !slices.Contains(config.SupportedDecisionsTypes, strings.ToLower(*d.Type)) {
 			log.Debugf("decisions for ip '%s' will not be deleted because its type is '%s'", *d.Value, *d.Type)
 			continue
 		}
+
 		if err := backend.Delete(d); err != nil {
 			if !strings.Contains(err.Error(), "netlink receive: no such file or directory") {
 				log.Errorf("unable to delete decision for '%s': %s", *d.Value, err)
 			}
+
 			continue
 		}
+
 		log.Debugf("deleted %s", *d.Value)
 		nbDeletedDecisions++
 	}
@@ -78,24 +82,29 @@ func deleteDecisions(backend *backend.BackendCTX, decisions []*models.Decision,
 	if nbDeletedDecisions == 1 {
 		noun = "decision"
 	}
+
 	if nbDeletedDecisions > 0 {
 		log.Debug("committing expired decisions")
+
 		if err := backend.Commit(); err != nil {
 			log.Errorf("unable to commit expired decisions %v", err)
 			return
 		}
+
 		log.Debug("committed expired decisions")
 		log.Infof("%d %s deleted", nbDeletedDecisions, noun)
 	}
 }
 
 func addDecisions(backend *backend.BackendCTX, decisions []*models.Decision, config *cfg.BouncerConfig) {
 	nbNewDecisions := 0
+
 	for _, d := range decisions {
 		if !slices.Contains(config.SupportedDecisionsTypes, strings.ToLower(*d.Type)) {
 			log.Debugf("decisions for ip '%s' will not be added because its type is '%s'", *d.Value, *d.Type)
 			continue
 		}
+
 		if err := backend.Add(d); err != nil {
 			log.Errorf("unable to insert decision for '%s': %s", *d.Value, err)
 			continue
@@ -109,19 +118,21 @@ func addDecisions(backend *backend.BackendCTX, decisions []*models.Decision, con
 	if nbNewDecisions == 1 {
 		noun = "decision"
 	}
+
 	if nbNewDecisions > 0 {
 		log.Debug("committing added decisions")
+
 		if err := backend.Commit(); err != nil {
 			log.Errorf("unable to commit add decisions %v", err)
 			return
 		}
+
 		log.Debug("committed added decisions")
 		log.Infof("%d %s added", nbNewDecisions, noun)
 	}
 }
 
 func Execute() error {
-	var err error
 	configPath := flag.String("c", "", "path to crowdsec-firewall-bouncer.yaml")
 	verbose := flag.Bool("v", false, "set verbose mode")
 	bouncerVersion := flag.Bool("V", false, "display version and exit (deprecated)")
@@ -173,6 +184,7 @@ func Execute() error {
 	defer backendCleanup(backend)
 
 	bouncer := &csbouncer.StreamBouncer{}
+
 	err = bouncer.ConfigReader(bytes.NewReader(configBytes))
 	if err != nil {
 		return err
@@ -204,9 +216,12 @@ func Execute() error {
 			go backend.CollectMetrics()
 			prometheus.MustRegister(metrics.TotalDroppedBytes, metrics.TotalDroppedPackets, metrics.TotalActiveBannedIPs)
 		}
+
 		prometheus.MustRegister(csbouncer.TotalLAPICalls, csbouncer.TotalLAPIError)
+
 		go func() {
 			http.Handle("/metrics", promhttp.Handler())
+
 			listenOn := net.JoinHostPort(
 				config.PrometheusConfig.ListenAddress,
 				config.PrometheusConfig.ListenPort,
@@ -215,6 +230,7 @@ func Execute() error {
 			log.Error(http.ListenAndServe(listenOn, nil))
 		}()
 	}
+
 	g.Go(func() error {
 		log.Infof("Processing new and deleted decisions . . .")
 		for {
 
@@ -61,15 +61,19 @@ func NewBackend(config *cfg.BouncerConfig) (*BackendCTX, error) {
 	var err error
 
 	b := &BackendCTX{}
+
 	log.Printf("backend type : %s", config.Mode)
+
 	if config.DisableIPV6 {
 		log.Println("IPV6 is disabled")
 	}
+
 	switch config.Mode {
 	case cfg.IptablesMode, cfg.IpsetMode:
 		if runtime.GOOS != "linux" {
 			return nil, fmt.Errorf("iptables and ipset is linux only")
 		}
+
 		b.firewall, err = iptables.NewIPTables(config)
 		if err != nil {
 			return nil, err
@@ -78,6 +82,7 @@ func NewBackend(config *cfg.BouncerConfig) (*BackendCTX, error) {
 		if runtime.GOOS != "linux" {
 			return nil, fmt.Errorf("nftables is linux only")
 		}
+
 		b.firewall, err = nftables.NewNFTables(config)
 		if err != nil {
 			return nil, err
@@ -86,6 +91,7 @@ func NewBackend(config *cfg.BouncerConfig) (*BackendCTX, error) {
 		if !isPFSupported(runtime.GOOS) {
 			log.Warning("pf mode can only work with openbsd and freebsd. It is available on other platforms only for testing purposes")
 		}
+
 		b.firewall, err = pf.NewPF(config)
 		if err != nil {
 			return nil, err
@@ -98,5 +104,6 @@ func NewBackend(config *cfg.BouncerConfig) (*BackendCTX, error) {
 	default:
 		return b, fmt.Errorf("firewall '%s' is not supported", config.Mode)
 	}
+
 	return b, nil
 }
@@ -69,10 +69,12 @@ type BouncerConfig struct {
 // MergedConfig() returns the byte content of the patched configuration file (with .yaml.local).
 func MergedConfig(configPath string) ([]byte, error) {
 	patcher := yamlpatch.NewPatcher(configPath, ".local")
+
 	data, err := patcher.MergedPatchContent()
 	if err != nil {
 		return nil, err
 	}
+
 	return data, nil
 }
 
@@ -119,6 +121,7 @@ func NewConfig(reader io.Reader) (*BouncerConfig, error) {
 	if config.BlacklistsIpv6 == "" {
 		config.BlacklistsIpv6 = "crowdsec6-blacklists"
 	}
+
 	if config.SetType == "" {
 		config.SetType = "nethash"
 	}
 
@@ -76,14 +76,17 @@ func (c *LoggingConfig) validate() error {
 	if c.LogMode != "stdout" && c.LogMode != "file" {
 		return fmt.Errorf("log_mode should be either 'stdout' or 'file'")
 	}
+
 	return nil
 }
 
 func (c *LoggingConfig) setup(fileName string) error {
 	c.setDefaults()
+
 	if err := c.validate(); err != nil {
 		return err
 	}
+
 	log.SetLevel(*c.LogLevel)
 
 	if c.LogMode == "stdout" {
 
@@ -29,7 +29,9 @@ type iptables struct {
 
 func NewIPTables(config *cfg.BouncerConfig) (types.Backend, error) {
 	var err error
+
 	ret := &iptables{}
+
 	ipv4Ctx := &ipTablesContext{
 		Name:             "ipset",
 		version:          "v4",
@@ -70,6 +72,7 @@ func NewIPTables(config *cfg.BouncerConfig) (types.Backend, error) {
 	if err != nil {
 		return nil, fmt.Errorf("unable to find ipset")
 	}
+
 	ipv4Ctx.ipsetBin = ipsetBin
 	if config.Mode == cfg.IpsetMode {
 		ipv4Ctx.ipsetContentOnly = true
@@ -96,10 +99,12 @@ func NewIPTables(config *cfg.BouncerConfig) (types.Backend, error) {
 			}
 		}
 	}
+
 	ret.v4 = ipv4Ctx
 	if config.DisableIPV6 {
 		return ret, nil
 	}
+
 	ipv6Ctx.ipsetBin = ipsetBin
 	if config.Mode == cfg.IpsetMode {
 		ipv6Ctx.ipsetContentOnly = true
@@ -126,6 +131,7 @@ func NewIPTables(config *cfg.BouncerConfig) (types.Backend, error) {
 			}
 		}
 	}
+
 	ret.v6 = ipv6Ctx
 
 	return ret, nil
@@ -135,18 +141,20 @@ func (ipt *iptables) Init() error {
 	var err error
 
 	log.Printf("iptables for ipv4 initiated")
+
 	// flush before init
-	if err := ipt.v4.shutDown(); err != nil {
+	if err = ipt.v4.shutDown(); err != nil {
 		return fmt.Errorf("iptables shutdown failed: %w", err)
 	}
 
 	// Create iptable to rule to attach the set
-	if err := ipt.v4.CheckAndCreate(); err != nil {
+	if err = ipt.v4.CheckAndCreate(); err != nil {
 		return fmt.Errorf("iptables init failed: %w", err)
 	}
 
 	if ipt.v6 != nil {
 		log.Printf("iptables for ipv6 initiated")
+
 		err = ipt.v6.shutDown() // flush before init
 		if err != nil {
 			return fmt.Errorf("iptables shutdown failed: %w", err)
@@ -157,6 +165,7 @@ func (ipt *iptables) Init() error {
 			return fmt.Errorf("iptables init failed: %w", err)
 		}
 	}
+
 	return nil
 }
 
@@ -181,15 +190,19 @@ func (ipt *iptables) Add(decision *models.Decision) error {
 			log.Debugf("not adding '%s' because ipv6 is disabled", *decision.Value)
 			return nil
 		}
+
 		if err := ipt.v6.add(decision); err != nil {
 			return fmt.Errorf("failed inserting ban ip '%s' for iptables ipv4 rule", *decision.Value)
 		}
+
 		done = true
 	}
+
 	if strings.Contains(*decision.Value, ".") {
 		if err := ipt.v4.add(decision); err != nil {
 			return fmt.Errorf("failed inserting ban ip '%s' for iptables ipv6 rule", *decision.Value)
 		}
+
 		done = true
 	}
 
@@ -205,35 +218,44 @@ func (ipt *iptables) ShutDown() error {
 	if err != nil {
 		return fmt.Errorf("iptables for ipv4 shutdown failed: %w", err)
 	}
+
 	if ipt.v6 != nil {
 		err = ipt.v6.shutDown()
 		if err != nil {
 			return fmt.Errorf("iptables for ipv6 shutdown failed: %w", err)
 		}
 	}
+
 	return nil
 }
 
 func (ipt *iptables) Delete(decision *models.Decision) error {
 	done := false
+
 	if strings.Contains(*decision.Value, ":") {
 		if ipt.v6 == nil {
 			log.Debugf("not deleting '%s' because ipv6 is disabled", *decision.Value)
 			return nil
 		}
+
 		if err := ipt.v6.delete(decision); err != nil {
 			return fmt.Errorf("failed deleting ban")
 		}
+
 		done = true
 	}
+
 	if strings.Contains(*decision.Value, ".") {
 		if err := ipt.v4.delete(decision); err != nil {
 			return fmt.Errorf("failed deleting ban")
 		}
+
 		done = true
 	}
+
 	if !done {
 		return fmt.Errorf("failed deleting ban: ip %s was not recognized", *decision.Value)
 	}
+
 	return nil
 }
Original file line number	Diff line number	Diff line change
`@@ -69,10 +69,12 @@ type BouncerConfig struct {`
`69`	`69`	`// MergedConfig() returns the byte content of the patched configuration file (with .yaml.local).`
`70`	`70`	`func MergedConfig(configPath string) ([]byte, error) {`
`71`	`71`	`patcher := yamlpatch.NewPatcher(configPath, ".local")`
	`72`	`+`
`72`	`73`	`data, err := patcher.MergedPatchContent()`
`73`	`74`	`if err != nil {`
`74`	`75`	`return nil, err`
`75`	`76`	`}`
	`77`	`+`
`76`	`78`	`return data, nil`
`77`	`79`	`}`
`78`	`80`
`@@ -119,6 +121,7 @@ func NewConfig(reader io.Reader) (*BouncerConfig, error) {`
`119`	`121`	`if config.BlacklistsIpv6 == "" {`
`120`	`122`	`config.BlacklistsIpv6 = "crowdsec6-blacklists"`
`121`	`123`	`}`
	`124`	`+`
`122`	`125`	`if config.SetType == "" {`
`123`	`126`	`config.SetType = "nethash"`
`124`	`127`	`}`
Original file line number	Diff line number	Diff line change
`@@ -76,14 +76,17 @@ func (c *LoggingConfig) validate() error {`
`76`	`76`	`if c.LogMode != "stdout" && c.LogMode != "file" {`
`77`	`77`	`return fmt.Errorf("log_mode should be either 'stdout' or 'file'")`
`78`	`78`	`}`
	`79`	`+`
`79`	`80`	`return nil`
`80`	`81`	`}`
`81`	`82`
`82`	`83`	`func (c *LoggingConfig) setup(fileName string) error {`
`83`	`84`	`c.setDefaults()`
	`85`	`+`
`84`	`86`	`if err := c.validate(); err != nil {`
`85`	`87`	`return err`
`86`	`88`	`}`
	`89`	`+`
`87`	`90`	`log.SetLevel(*c.LogLevel)`
`88`	`91`
`89`	`92`	`if c.LogMode == "stdout" {`
Original file line number	Diff line number	Diff line change
`@@ -29,7 +29,9 @@ type iptables struct {`
`29`	`29`
`30`	`30`	`func NewIPTables(config *cfg.BouncerConfig) (types.Backend, error) {`
`31`	`31`	`var err error`
	`32`	`+`
`32`	`33`	`ret := &iptables{}`
	`34`	`+`
`33`	`35`	`ipv4Ctx := &ipTablesContext{`
`34`	`36`	`Name: "ipset",`
`35`	`37`	`version: "v4",`
`@@ -70,6 +72,7 @@ func NewIPTables(config *cfg.BouncerConfig) (types.Backend, error) {`
`70`	`72`	`if err != nil {`
`71`	`73`	`return nil, fmt.Errorf("unable to find ipset")`
`72`	`74`	`}`
	`75`	`+`
`73`	`76`	`ipv4Ctx.ipsetBin = ipsetBin`
`74`	`77`	`if config.Mode == cfg.IpsetMode {`
`75`	`78`	`ipv4Ctx.ipsetContentOnly = true`
`@@ -96,10 +99,12 @@ func NewIPTables(config *cfg.BouncerConfig) (types.Backend, error) {`
`96`	`99`	`}`
`97`	`100`	`}`
`98`	`101`	`}`
	`102`	`+`
`99`	`103`	`ret.v4 = ipv4Ctx`
`100`	`104`	`if config.DisableIPV6 {`
`101`	`105`	`return ret, nil`
`102`	`106`	`}`
	`107`	`+`
`103`	`108`	`ipv6Ctx.ipsetBin = ipsetBin`
`104`	`109`	`if config.Mode == cfg.IpsetMode {`
`105`	`110`	`ipv6Ctx.ipsetContentOnly = true`
`@@ -126,6 +131,7 @@ func NewIPTables(config *cfg.BouncerConfig) (types.Backend, error) {`
`126`	`131`	`}`
`127`	`132`	`}`
`128`	`133`	`}`
	`134`	`+`
`129`	`135`	`ret.v6 = ipv6Ctx`
`130`	`136`
`131`	`137`	`return ret, nil`
`@@ -135,18 +141,20 @@ func (ipt *iptables) Init() error {`
`135`	`141`	`var err error`
`136`	`142`
`137`	`143`	`log.Printf("iptables for ipv4 initiated")`
	`144`	`+`
`138`	`145`	`// flush before init`
`139`		`- if err := ipt.v4.shutDown(); err != nil {`
	`146`	`+ if err = ipt.v4.shutDown(); err != nil {`
`140`	`147`	`return fmt.Errorf("iptables shutdown failed: %w", err)`
`141`	`148`	`}`
`142`	`149`
`143`	`150`	`// Create iptable to rule to attach the set`
`144`		`- if err := ipt.v4.CheckAndCreate(); err != nil {`
	`151`	`+ if err = ipt.v4.CheckAndCreate(); err != nil {`
`145`	`152`	`return fmt.Errorf("iptables init failed: %w", err)`
`146`	`153`	`}`
`147`	`154`
`148`	`155`	`if ipt.v6 != nil {`
`149`	`156`	`log.Printf("iptables for ipv6 initiated")`
	`157`	`+`
`150`	`158`	`err = ipt.v6.shutDown() // flush before init`
`151`	`159`	`if err != nil {`
`152`	`160`	`return fmt.Errorf("iptables shutdown failed: %w", err)`
`@@ -157,6 +165,7 @@ func (ipt *iptables) Init() error {`
`157`	`165`	`return fmt.Errorf("iptables init failed: %w", err)`
`158`	`166`	`}`
`159`	`167`	`}`
	`168`	`+`
`160`	`169`	`return nil`
`161`	`170`	`}`
`162`	`171`
`@@ -181,15 +190,19 @@ func (ipt iptables) Add(decision models.Decision) error {`
`181`	`190`	`log.Debugf("not adding '%s' because ipv6 is disabled", *decision.Value)`
`182`	`191`	`return nil`
`183`	`192`	`}`
	`193`	`+`
`184`	`194`	`if err := ipt.v6.add(decision); err != nil {`
`185`	`195`	`return fmt.Errorf("failed inserting ban ip '%s' for iptables ipv4 rule", *decision.Value)`
`186`	`196`	`}`
	`197`	`+`
`187`	`198`	`done = true`
`188`	`199`	`}`
	`200`	`+`
`189`	`201`	`if strings.Contains(*decision.Value, ".") {`
`190`	`202`	`if err := ipt.v4.add(decision); err != nil {`
`191`	`203`	`return fmt.Errorf("failed inserting ban ip '%s' for iptables ipv6 rule", *decision.Value)`
`192`	`204`	`}`
	`205`	`+`
`193`	`206`	`done = true`
`194`	`207`	`}`
`195`	`208`
`@@ -205,35 +218,44 @@ func (ipt *iptables) ShutDown() error {`
`205`	`218`	`if err != nil {`
`206`	`219`	`return fmt.Errorf("iptables for ipv4 shutdown failed: %w", err)`
`207`	`220`	`}`
	`221`	`+`
`208`	`222`	`if ipt.v6 != nil {`
`209`	`223`	`err = ipt.v6.shutDown()`
`210`	`224`	`if err != nil {`
`211`	`225`	`return fmt.Errorf("iptables for ipv6 shutdown failed: %w", err)`
`212`	`226`	`}`
`213`	`227`	`}`
	`228`	`+`
`214`	`229`	`return nil`
`215`	`230`	`}`
`216`	`231`
`217`	`232`	`func (ipt iptables) Delete(decision models.Decision) error {`
`218`	`233`	`done := false`
	`234`	`+`
`219`	`235`	`if strings.Contains(*decision.Value, ":") {`
`220`	`236`	`if ipt.v6 == nil {`
`221`	`237`	`log.Debugf("not deleting '%s' because ipv6 is disabled", *decision.Value)`
`222`	`238`	`return nil`
`223`	`239`	`}`
	`240`	`+`
`224`	`241`	`if err := ipt.v6.delete(decision); err != nil {`
`225`	`242`	`return fmt.Errorf("failed deleting ban")`
`226`	`243`	`}`
	`244`	`+`
`227`	`245`	`done = true`
`228`	`246`	`}`
	`247`	`+`
`229`	`248`	`if strings.Contains(*decision.Value, ".") {`
`230`	`249`	`if err := ipt.v4.delete(decision); err != nil {`
`231`	`250`	`return fmt.Errorf("failed deleting ban")`
`232`	`251`	`}`
	`252`	`+`
`233`	`253`	`done = true`
`234`	`254`	`}`
	`255`	`+`
`235`	`256`	`if !done {`
`236`	`257`	`return fmt.Errorf("failed deleting ban: ip %s was not recognized", *decision.Value)`
`237`	`258`	`}`
	`259`	`+`
`238`	`260`	`return nil`
`239`	`261`	`}`