low response timeout

add ipv6 support
add multiple record support

data/Dockerfiles/netfilter/Dockerfile

@@ -6,7 +6,7 @@ ENV PYTHON_IPTABLES_XTABLES_VERSION 12
 ENV IPTABLES_LIBDIR /usr/lib
 
 RUN apk add -U python2 python-dev py-pip gcc musl-dev iptables ip6tables tzdata \
-  && pip2 install --upgrade python-iptables==0.13.0 redis ipaddress \
+  && pip2 install --upgrade python-iptables==0.13.0 redis ipaddress dnspython \
   && apk del python-dev py2-pip gcc
 
 COPY server.py /

data/Dockerfiles/netfilter/server.py

@@ -5,7 +5,6 @@ import os
 import time
 import atexit
 import signal
-import socket
 import ipaddress
 from random import randint
 from threading import Thread
@@ -13,6 +12,8 @@ from threading import Lock
 import redis
 import json
 import iptc
+import dns.resolver
+import dns.exception
 
 while True:
   try:
@@ -26,6 +27,8 @@ while True:
 
 pubsub = r.pubsub()
 
+resolver = dns.resolver.Resolver()
+
 RULES = {}
 RULES[1] = 'warning: .*\[([0-9a-f\.:]+)\]: SASL .+ authentication failed'
 RULES[2] = '-login: Disconnected \(auth failed, .+\): user=.*, method=.+, rip=([0-9a-f\.:]+),'
@@ -126,21 +129,51 @@ def ban(address):
 
   self_network = ipaddress.ip_network(address.decode('ascii'))
   if WHITELIST:
+    wl_hostnames=[]
+    wl_networks=[]
+    
     for wl_key in WHITELIST:
-      if not is_ip_network(wl_key):
+      if is_ip_network(wl_key):
-        hostname = wl_key
+        wl_networks.append(wl_key)
+      else:
+        wl_hostnames.append(wl_key)
+
+    for w1_hostname in wl_hostnames:
+      hostname_ips = []
+      for rdtype in ['A', 'AAAA']:
         try:
-          wl_key = socket.gethostbyname(hostname)
+          answer = resolver.query(qname=w1_hostname, rdtype=rdtype, lifetime=1)
-        except socket.gaierror as err:
+        except dns.exception.Timeout as timout:
+          log['time'] = int(round(time.time()))
+          log['priority'] = 'info'
+          log['message'] = 'Hostname %s timedout on resolve' % (w1_hostname)
+          r.lpush('NETFILTER_LOG', json.dumps(log, ensure_ascii=False))
+          print 'Hostname %s timedout on resolve' % (w1_hostname)
+          break
+        except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
+          continue
+        except dns.exception.DNSException as dnsexception:
+          log['time'] = int(round(time.time()))
+          log['priority'] = 'info'
+          log['message'] = '%s' % (dnsexception)
+          r.lpush('NETFILTER_LOG', json.dumps(log, ensure_ascii=False))
+          print '%s' % (dnsexception)
           continue
           
-        log['time'] = int(round(time.time()))
+        for rdata in answer:
-        log['priority'] = 'info'
+          hostname_ips.append(rdata.to_text())
-        log['message'] = 'Hostname %s is resolved to %s' % (hostname, wl_key)
+            
-        r.lpush('NETFILTER_LOG', json.dumps(log, ensure_ascii=False))
+      wl_networks.extend(hostname_ips)
-        print 'Hostname %s is resolved to %s' % (hostname, wl_key)
+          
-
+      log['time'] = int(round(time.time()))
+      log['priority'] = 'info'
+      log['message'] = 'Hostname %s is resolved to %s' % (w1_hostname, hostname_ips)
+      r.lpush('NETFILTER_LOG', json.dumps(log, ensure_ascii=False))
+      print 'Hostname %s is resolved to %s' % (w1_hostname, hostname_ips)     
+     
+    for wl_key in wl_networks:
       wl_net = ipaddress.ip_network(wl_key.decode('ascii'), False)
+          
       if wl_net.overlaps(self_network):
         log['time'] = int(round(time.time()))
         log['priority'] = 'info'