This way we may have an idea how long each action takes and why some of
them take half a day.

The set of columns is little bit different.

Make sure the client string is in lower-case before looking that up in a
dictionary.

With SELECT *, it is impossible to drop columns (needed during migration
to new data types).

Don't rollback the database when we don't use transactions (they are
useless here, with single select being done to refresh again and again).

Also, don't recycle the cursor, clean it up (it is reportedly better for
the DB).

So the main thread can still answer queries and not get blocked.

Refresh the data from DB every 15 minutes. If it fails, try again next
time.

So we don't access the DB all the time.

The ssh honeypot now provides local IP addresses. Use them in the
export.

Some data come from attacker. And not all attackers know that passwords
should be in UTF8, so accept everything simply as raw data.

Allow changing the size of an IPset. The infrastructure should be able
to handle it now.

Don't include the addresses excluded from analysis into the export.
Also, reuse some code from the builders of address lists.

• Simplify the rules for inclusion in the blacklist. Count score for
  each client, leave out the low-score clients (hardcoded for 100 now,
  adjusting the scores for events to match that) and sum them together
  across each attacker IP. These are compared to limits.
• Split the computation of this into several views, to improve
  readability and understandability (this way it looks more procedural,
  as the views can be understood to be done one by one).
• Include the ssh honeypot as one of the sources.

Ensure the inet→text conversion in build_fwup_sets.pl doesn't produce
/32 at the end, as ucollect master doesn't handle that.

Don't try to create the IPset if it already exists. It may be of wrong
size (which will be fixed on the refill). Also, recreate IPsets if they
are missing on refill (may be caused by a queue breakage during setup)
and handle leftover temporary sets.

Use sanity instead of assert in the fake plugin

Use a class variable where appropriate instead of overriding it in each
object.

Keep the attackers that drop out of the fake logs still blocked if they
get caught on the firewall. Do so by scanning the firewall logs for
addresses we would like to delete from the filter.

Sanity reports an error to logs, which may help us debug some of the
problems and crashes.

Also, fix result check at getsockname.

So we generate logout before the new login.

Recover from broken DB connection even if it happens in the
__connection.cursor()

Newer uci mandates flags are before commands. Older one doesn't mind
either way.

In case ipset terminates with error, wait with closing the output until
EOF comes. Closing it right away may cause losing error messages.

When the set size needs to be updated, warn about it, as the firewall
definitions need to be updated.

The firewall rules use names ending with _X, the plain ones are the
temporary sets.

These are filled with bare IP addresses for now. We need them for the
same purpose we had net:ip ones, but there needs to be interoperability
with firewall scripts and these use hash:net.