From eeaa543746ebafd762213f4a7d99a03ef49c5fa8 Mon Sep 17 00:00:00 2001
From: "Nathan A. Ferch"
Date: Sun, 7 Jan 2024 15:04:33 -0500
Subject: [PATCH 1/3] emit banned IPs metrics when in ipset mode
---
 cmd/root.go | 8 ++++++--
 pkg/iptables/metrics.go | 12 ++++++++----
 2 files changed, 14 insertions(+), 6 deletions(-)
diff --git a/cmd/root.go b/cmd/root.go
index fe08914f..8db54114 100644
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -213,9 +213,13 @@ func Execute() error {
 })
 if config.PrometheusConfig.Enabled {
- if config.Mode == cfg.IptablesMode || config.Mode == cfg.NftablesMode {
+ if config.Mode == cfg.IptablesMode || config.Mode == cfg.NftablesMode || config.Mode == cfg.IpsetMode {
 go backend.CollectMetrics()
- prometheus.MustRegister(metrics.TotalDroppedBytes, metrics.TotalDroppedPackets, metrics.TotalActiveBannedIPs)
+ if config.Mode == cfg.IpsetMode {
+ prometheus.MustRegister(metrics.TotalActiveBannedIPs)
+ } else {
+ prometheus.MustRegister(metrics.TotalDroppedBytes, metrics.TotalDroppedPackets, metrics.TotalActiveBannedIPs)
+ }
 }
 prometheus.MustRegister(csbouncer.TotalLAPICalls, csbouncer.TotalLAPIError)
diff --git a/pkg/iptables/metrics.go b/pkg/iptables/metrics.go
index 382ce19b..07614377 100644
--- a/pkg/iptables/metrics.go
+++ b/pkg/iptables/metrics.go
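Review bot: In the cmd/root.go hunk, `metrics.TotalActiveBannedIPs` is registered in both branches of the new `if`/`else` and `config.Mode == cfg.IpsetMode` is tested twice; registering the shared gauge once and the drop counters conditionally reads more directly: `prometheus.MustRegister(metrics.TotalActiveBannedIPs)` followed by `if config.Mode != cfg.IpsetMode { prometheus.MustRegister(metrics.TotalDroppedBytes, metrics.TotalDroppedPackets) }`. A comment such as `// ipset mode: no rule counters are collected, so only the banned-IP gauge is exported` would also explain to operators why dashboards or alerts built on the dropped-packet series are empty in that mode (presumably because no firewall rules are managed there). The body of Execute starts and ends outside the hunk.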
@@ -65,14 +65,18 @@ func (ipt *iptables) CollectMetrics() {
 t := time.NewTicker(metrics.MetricCollectionInterval)
 for range t.C {
- ip4DroppedPackets, ip4DroppedBytes = collectDroppedPackets(ipt.v4.iptablesBin, ipt.v4.Chains, ipt.v4.SetName)
+ if !ipt.v4.ipsetContentOnly {
+ ip4DroppedPackets, ip4DroppedBytes = collectDroppedPackets(ipt.v4.iptablesBin, ipt.v4.Chains, ipt.v4.SetName)
+ }
- if ipt.v6 != nil {
+ if !ipt.v6.ipsetContentOnly && ipt.v6 != nil {
 ip6DroppedPackets, ip6DroppedBytes = collectDroppedPackets(ipt.v6.iptablesBin, ipt.v6.Chains, ipt.v6.SetName)
 }
- metrics.TotalDroppedPackets.Set(ip4DroppedPackets + ip6DroppedPackets)
- metrics.TotalDroppedBytes.Set(ip6DroppedBytes + ip4DroppedBytes)
+ if !ipt.v4.ipsetContentOnly || !ipt.v6.ipsetContentOnly {
+ metrics.TotalDroppedPackets.Set(ip4DroppedPackets + ip6DroppedPackets)
+ metrics.TotalDroppedBytes.Set(ip6DroppedBytes + ip4DroppedBytes)
+ }
 out, err := exec.Command(ipt.v4.ipsetBin, "list", "-o", "xml").CombinedOutput()
 if err != nil {
From 410490b67080d79e8493a64af7323ac54f6df338 Mon Sep 17 00:00:00 2001
From: mmetc <92726601+mmetc@users.noreply.github.com>
Date: Mon, 11 Mar 2024 15:12:39 +0100
Subject: [PATCH 2/3] fix nil checks metrics.go
---
 pkg/iptables/metrics.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/pkg/iptables/metrics.go b/pkg/iptables/metrics.go
index 07614377..28c51d69 100644
--- a/pkg/iptables/metrics.go
+++ b/pkg/iptables/metrics.go
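Review bot: In the pkg/iptables/metrics.go hunk of patch 1/3, `if !ipt.v6.ipsetContentOnly && ipt.v6 != nil` reads a field of `ipt.v6` before the nil test, and the new `if !ipt.v4.ipsetContentOnly || !ipt.v6.ipsetContentOnly` guard dereferences `ipt.v6` with no nil test at all, so this commit on its own panics on the first tick whenever `ipt.v6` is nil. CollectMetrics is started with `go backend.CollectMetrics()`, and an unrecovered panic in a goroutine terminates the whole process, which presumably stops the bouncer from enforcing bans. Patch 2/3 reorders these checks but introduces `ipt.v4 != nil || !ipt.v4.ipsetContentOnly`, which panics when `ipt.v4` is nil, and only 3/3 corrects that; squashing the three patches would avoid leaving crashing intermediate commits for bisects or cherry-picks. The body of CollectMetrics starts and ends outside the hunk.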
@@ -65,15 +65,15 @@ func (ipt *iptables) CollectMetrics() {
 t := time.NewTicker(metrics.MetricCollectionInterval)
 for range t.C {
- if !ipt.v4.ipsetContentOnly {
+ if ipt.v4 != nil || !ipt.v4.ipsetContentOnly {
 ip4DroppedPackets, ip4DroppedBytes = collectDroppedPackets(ipt.v4.iptablesBin, ipt.v4.Chains, ipt.v4.SetName)
 }
- if !ipt.v6.ipsetContentOnly && ipt.v6 != nil {
+ if ipt.v6 != nil && !ipt.v6.ipsetContentOnly {
 ip6DroppedPackets, ip6DroppedBytes = collectDroppedPackets(ipt.v6.iptablesBin, ipt.v6.Chains, ipt.v6.SetName)
 }
- if !ipt.v4.ipsetContentOnly || !ipt.v6.ipsetContentOnly {
+ if (ipt.v4 != nil && !ipt.v4.ipsetContentOnly) || (ipt.v6 != nil && !ipt.v6.ipsetContentOnly) {
 metrics.TotalDroppedPackets.Set(ip4DroppedPackets + ip6DroppedPackets)
 metrics.TotalDroppedBytes.Set(ip6DroppedBytes + ip4DroppedBytes)
 }
From a0b1d1748120bf067f3b3b869f19bcef2cab81fc Mon Sep 17 00:00:00 2001
From: mmetc <92726601+mmetc@users.noreply.github.com>
Date: Mon, 11 Mar 2024 15:14:39 +0100
Subject: [PATCH 3/3] oops
---
 pkg/iptables/metrics.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/iptables/metrics.go b/pkg/iptables/metrics.go
index 28c51d69..07b33a55 100644
--- a/pkg/iptables/metrics.go
+++ b/pkg/iptables/metrics.go
@@ -65,7 +65,7 @@ func (ipt *iptables) CollectMetrics() {
 t := time.NewTicker(metrics.MetricCollectionInterval)
 for range t.C {
- if ipt.v4 != nil || !ipt.v4.ipsetContentOnly {
+ if ipt.v4 != nil && !ipt.v4.ipsetContentOnly {
 ip4DroppedPackets, ip4DroppedBytes = collectDroppedPackets(ipt.v4.iptablesBin, ipt.v4.Chains, ipt.v4.SetName)
 }
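Review bot: The `ipt.v4 != nil` guards added in patch 2/3 imply that `ipt.v4` can be nil, yet the same loop still runs `exec.Command(ipt.v4.ipsetBin, "list", "-o", "xml")` unconditionally; that line lies below this hunk and is visible only as context in patch 1/3. If `ipt.v4` really can be nil, the collector goroutine would still panic there on the first tick, so the ipset binary path should be resolved once before `for range t.C` from whichever of `ipt.v4`/`ipt.v6` is non-nil (assuming both carry an `ipsetBin` field). If `ipt.v4` is in fact always set, the new nil tests on it are dead code, and a comment such as `// v4 is always initialised; only v6 is optional` would be clearer than guarding it.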