From 907c616734982a387f1595166f42948ee1ecee17 Mon Sep 17 00:00:00 2001
From: Alex 'AdUser' Z
Date: Tue, 22 Mar 2016 10:57:53 +1000
Subject: [PATCH] * new jail option: 'expiretime' * addr list cleanup

---
 configs/f2b.conf.sample | 1 +
 src/jail.c | 45 +++++++++++++++++++++++++++++++++++++----
 src/jail.h | 1 +
 3 files changed, 43 insertions(+), 4 deletions(-)

diff --git a/configs/f2b.conf.sample b/configs/f2b.conf.sample
index 0edd7b7..8f9df04 100644
--- a/configs/f2b.conf.sample
+++ b/configs/f2b.conf.sample
@@ -12,6 +12,7 @@ daemon = yes
 enabled = no
 bantime = 3600
 findtime = 300
+expiretime = 14400
 incr_bantime = 0.0
 incr_findtime = 0.0
 maxretry = 5
diff --git a/src/jail.c b/src/jail.c
index 1d07586..538656c 100644
--- a/src/jail.c
+++ b/src/jail.c
@@ -10,6 +10,7 @@
 #define DEFAULT_STATE false
 #define DEFAULT_BANTIME 3600 /* in seconds, 1 hour */
 #define DEFAULT_FINDTIME 300 /* in seconds, 5 min */
+#define DEFAULT_EXPIRETIME 14400 /* in seconds, 4 hours */
 #define DEFAULT_MAXRETRY 5

 static f2b_jail_t defaults = {
@@ -68,6 +69,12 @@ f2b_jail_apply_config(f2b_jail_t *jail, f2b_config_section_t *section) {
 jail->findtime = DEFAULT_FINDTIME;
 continue;
 }
+ if (strcmp(param->name, "expiretime") == 0) {
+ jail->expiretime = atoi(param->value);
+ if (jail->expiretime <= 0)
+ jail->expiretime = DEFAULT_EXPIRETIME;
+ continue;
+ }
 if (strcmp(param->name, "maxretry") == 0) {
 jail->maxretry = atoi(param->value);
 if (jail->maxretry <= 0)
@@ -184,12 +191,15 @@ f2b_jail_create(f2b_config_section_t *section) {
 size_t
 f2b_jail_process(f2b_jail_t *jail) {
 f2b_logfile_t *file = NULL;
+ f2b_ipaddr_t *prev = NULL;
 f2b_ipaddr_t *addr = NULL;
 size_t processed = 0;
 char logline[LOGLINE_MAX] = "";
 char matchbuf[IPADDR_MAX] = "";
 time_t now = time(NULL);
 time_t findtime = 0;
+ time_t expiretime = 0;
+ bool remove = false;

 assert(jail != NULL);

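Review bot: `jail->expiretime = atoi(param->value);` in the new "expiretime" branch accepts a mistyped or out-of-range config value silently — `atoi` reports no error and its behaviour on overflow is undefined — so a bad setting collapses to 0 and is quietly replaced by DEFAULT_EXPIRETIME without any log line. Parsing with `strtol` and an end-pointer/`errno` check (e.g. `long v = strtol(param->value, &end, 10);` followed by `if (end == param->value || *end != '\0' || errno == ERANGE || v <= 0)`) would let the loader log the rejected value before falling back. The `findtime` and `maxretry` branches visible in the same hunk use the identical `atoi` pattern, so the new code follows pre-existing style; the point applies to them equally. The enclosing f2b_jail_apply_config loop starts and ends outside the hunk.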
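Review bot: The new local `bool remove = false;` shadows the standard `remove()` function if `<stdio.h>` is in scope (directly or through a project header — not visible here), which trips `-Wshadow` and is easy to misread next to the "remove from list" comment below. A name describing the decision, `bool expired = false;`, avoids the clash; the assignments and the `if (!remove)` test in the list-cleanup hunk (`@@ -238,11 +248,38 @@`) would be renamed with it. `prev` and `expiretime` are fine as declared.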
@@ -238,11 +248,38 @@ f2b_jail_process(f2b_jail_t *jail) {
 } /* while(lines) */
 } /* for(files) */

- for (addr = jail->ipaddrs; addr != NULL; addr = addr->next) {
- if (!addr->banned)
- continue;
- if (now > addr->release_at)
+ for (addr = jail->ipaddrs, prev = NULL; addr != NULL; ) {
+ remove = false;
+ /* check release time */
+ if (addr->banned && now > addr->release_at)
 f2b_jail_unban(jail, addr);
+ /* check expiration */
+ expiretime = (addr->lastseen >= addr->release_at)
+ ? addr->lastseen
+ : addr->release_at;
+ expiretime += jail->expiretime;
+ if (now > expiretime) {
+ f2b_log_msg(log_info, "jail '%s': expired ip -- %s",
+ jail->name, addr->text);
+ remove = true;
+ }
+ /* list cleanup */
+ if (!remove) {
+ prev = addr, addr = addr->next;
+ continue;
+ }
+ /* remove from list */
+ if (prev == NULL) {
+ /* first item in list */
+ jail->ipaddrs = addr->next;
+ f2b_ipaddr_destroy(addr);
+ addr = jail->ipaddrs;
+ } else {
+ /* somewhere in list */
+ prev->next = addr->next;
+ f2b_ipaddr_destroy(addr);
+ addr = prev->next;
+ }
 }

 return processed;
diff --git a/src/jail.h b/src/jail.h
index 2d86bc2..03b6ae5 100644
--- a/src/jail.h
+++ b/src/jail.h
@@ -20,6 +20,7 @@ typedef struct f2b_jail_t {
 bool enabled;
 time_t bantime;
 time_t findtime;
+ time_t expiretime;
 size_t maxretry;
 float incr_bantime;
 float incr_findtime;
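Review bot: The result of `f2b_jail_unban(jail, addr);` is discarded, and the expiry block that follows destroys the entry as soon as `now > expiretime` regardless of whether the unban took effect; if f2b_jail_unban can fail (its contract is not visible in this hunk), an address whose ban is still active loses its tracking entry and can never be released by this loop again. Assuming the unban path clears `addr->banned` on success, guarding the removal with the flag — `if (!addr->banned && now > expiretime) {` — keeps a still-banned entry in the list until a later pass succeeds; otherwise a check of the unban's return value is needed. The two unlink branches under "remove from list" differ only in which pointer receives `addr->next` (`jail->ipaddrs` versus `prev->next`), so a single unlink-then-destroy path would remove the duplicated `f2b_ipaddr_destroy(addr)` call. The body of f2b_jail_process starts outside this hunk.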