add an option to allow adding a comment to iptables rules (#386)

Author: verybadsoldier

config/crowdsec-firewall-bouncer.yaml

@@ -31,6 +31,7 @@ iptables_chains:
   - INPUT
 #  - FORWARD
 #  - DOCKER-USER
+iptables_add_rule_comments: true
 
 ## nftables
 nftables:

pkg/cfg/config.go

@@ -52,6 +52,8 @@ type BouncerConfig struct {
 
 	// specific to iptables, following https://github.com/crowdsecurity/cs-firewall-bouncer/issues/19
 	IptablesChains          []string `yaml:"iptables_chains"`
+	IptablesAddRuleComments bool     `yaml:"iptables_add_rule_comments"`
+
 	SupportedDecisionsTypes []string `yaml:"supported_decisions_types"`
 	// specific to nftables, following https://github.com/crowdsecurity/cs-firewall-bouncer/issues/74
 	Nftables struct {
@@ -79,7 +81,9 @@ func MergedConfig(configPath string) ([]byte, error) {
 }
 
 func NewConfig(reader io.Reader) (*BouncerConfig, error) {
-	config := &BouncerConfig{}
+	config := &BouncerConfig{
+		IptablesAddRuleComments: true,
+	}
 
 	fcontent, err := io.ReadAll(reader)
 	if err != nil {

pkg/iptables/iptables.go

@@ -65,6 +65,7 @@ func NewIPTables(config *cfg.BouncerConfig) (types.Backend, error) {
 		target:               target,
 		loggingEnabled:       config.DenyLog,
 		loggingPrefix:        config.DenyLogPrefix,
+		addRuleComments:      config.IptablesAddRuleComments,
 	}
 	ipv6Ctx := &ipTablesContext{
 		version:              "v6",
@@ -77,6 +78,7 @@ func NewIPTables(config *cfg.BouncerConfig) (types.Backend, error) {
 		target:               target,
 		loggingEnabled:       config.DenyLog,
 		loggingPrefix:        config.DenyLogPrefix,
+		addRuleComments:      config.IptablesAddRuleComments,
 	}
 
 	ipv4Ctx.iptablesSaveBin, err = exec.LookPath("iptables-save")

pkg/iptables/iptables_context.go

@@ -51,6 +51,8 @@ type ipTablesContext struct {
 
 	loggingEnabled bool
 	loggingPrefix  string
+
+	addRuleComments bool
 }
 
 func (ctx *ipTablesContext) setupChain() {
@@ -174,7 +176,7 @@ func (ctx *ipTablesContext) deleteChain() {
 	}
 }
 
-func (ctx *ipTablesContext) createRule(setName string) {
+func (ctx *ipTablesContext) createRule(setName string, origin string) {
 	target := ctx.target
 
 	if ctx.loggingEnabled {
@@ -183,6 +185,10 @@ func (ctx *ipTablesContext) createRule(setName string) {
 
 	cmd := []string{"-I", chainName, "-m", "set", "--match-set", setName, "src", "-j", target}
 
+	if ctx.addRuleComments {
+		cmd = append(cmd, "-m", "comment", "--comment", "CrowdSec: "+origin)
+	}
+
 	c := exec.Command(ctx.iptablesBin, cmd...)
 
 	log.Infof("Creating rule : %s %s", ctx.iptablesBin, strings.Join(cmd, " "))
@@ -308,7 +314,7 @@ func (ctx *ipTablesContext) commit() error {
 
 				if !ctx.ipsetContentOnly {
 					// Create the rule to use the set
-					ctx.createRule(set.Name())
+					ctx.createRule(set.Name(), origin)
 				}
 			}
 		}

pkg/iptables/metrics.go

@@ -29,7 +29,7 @@ import (
 // In case of a rule, the counters represent the number of packets and bytes that have been matched by the rule (ie, the packets that have been dropped).
 
 var chainRegexp = regexp.MustCompile(`^\[(\d+):(\d+)\]`)
-var ruleRegexp = regexp.MustCompile(`^\[(\d+):(\d+)\] -A [0-9A-Za-z_-]+ -m set --match-set (.*) src -j \w+`)
+var ruleRegexp = regexp.MustCompile(`^\[(\d+):(\d+)\] -A [0-9A-Za-z_-]+ -m set --match-set (.*) src .*-j \w+`)
 
 // In ipset mode, we have to track the numbers of processed bytes/packets at the chain level
 // This is not really accurate, as a rule *before* the crowdsec rule could impact the numbers, but we don't have any other way.