mirror of
https://framagit.org/ppom/reaction
synced 2026-03-14 12:45:47 +01:00
2f57f73ac9- Non-absolute WorkingDirectory was refused by systemd - Plugin specific-conf updated Improvements: - ReadOnlyPaths=/ - ProtectHome=true in release builds - SystemCallFilter further restricted Disabled: - DynamicUser: breaks stdio communication, FIXME! - RestrictAddressFamilies: seems impossible to override to default. - CapabilityBoundingSet: too restrictive
52 lines
1.1 KiB
Jsonnet
52 lines
1.1 KiB
Jsonnet
{
|
|
patterns: {
|
|
ip: {
|
|
type: 'ip',
|
|
},
|
|
all: {
|
|
regex: @".*",
|
|
},
|
|
},
|
|
|
|
plugins: {
|
|
ipset: {
|
|
path: './target/debug/reaction-plugin-ipset',
|
|
check_root: false,
|
|
systemd_options: {
|
|
AmbientCapabilities: ['CAP_NET_ADMIN'],
|
|
},
|
|
},
|
|
},
|
|
|
|
streams: {
|
|
s0: {
|
|
cmd: ['bash', '-c', 'sleep 1; for i in $(seq 4); do echo 192.0.2.$i; echo 2001:db8:$i:a31b::$i; sleep 0.1; done; sleep 3'],
|
|
filters: {
|
|
f0: {
|
|
regex: ['^<ip>$'],
|
|
actions: {
|
|
a0: {
|
|
type: 'ipset',
|
|
options: {
|
|
set: 'reactiontest',
|
|
// pattern: 'ip',
|
|
// version: 'ip',
|
|
// chains: ['INPUT', 'FORWARD'],
|
|
// target: 'DROP',
|
|
// action: 'add',
|
|
},
|
|
},
|
|
a1: {
|
|
after: '2s',
|
|
type: 'ipset',
|
|
options: {
|
|
set: 'reactiontest',
|
|
action: 'del',
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
},
|
|
}
|