LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
12370 Commits
1 Branch
46 MiB
Tree: 277ca59008
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '277ca59008'
${ noResults }
openwrt-packages-dist/net/banip/files/banip.sh

671 lines
18 KiB
Raw Normal View History

banip: new package to block incoming & outgoing ip addresses a new script based package called "banIP" to block incoming & outgoing ip adresses/subnets via ipset. Features: * a shell script which uses ipset and iptables to ban a large number of IP addresses published in various IP blacklists (bogon, firehol etc.) * support blocking by ASN numbers * support blocking by iso country codes * support local white & blacklist (IPv4, IPv6 & CIDR notation) * auto-add unsuccessful ssh login attempts to local blacklist * auto-add the uplink subnet to local whitelist * per source configuration of SRC (incoming) and DST (outgoing) * supports IPv4 & IPv6 Strong LuCI support: * easy interface to track & change all aspects of your ipset configuration on the fly * integrated IPSet-Lookup * integrated RIPE-Lookup * Log-Viewer & online configuration of white- & blacklist LuCI-Screenshots will follow in the second post. Forum discussion: https://forum.openwrt.org/t/banip-new-project-needs-testers-feedback/16985 Signed-off-by: Dirk Brenken <dev@brenken.org>
6 years ago
 
  1. #!/bin/sh

  2. # banIP - ban incoming and outgoing ip adresses/subnets via ipset
  3. # written by Dirk Brenken (dev@brenken.org)
  4. 

  5. # This is free software, licensed under the GNU General Public License v3.
  6. # You should have received a copy of the GNU General Public License
  7. # along with this program. If not, see <http://www.gnu.org/licenses/>.
  8. 

  9. # set initial defaults
  10. #
  11. LC_ALL=C
  12. PATH="/usr/sbin:/usr/bin:/sbin:/bin"
  13. ban_ver="0.0.5"
  14. ban_sysver="unknown"
  15. ban_enabled=0
  16. ban_automatic="1"
  17. ban_iface=""
  18. ban_debug=0
  19. ban_maxqueue=8
  20. ban_fetchutil="uclient-fetch"
  21. ban_ipt="$(command -v iptables)"
  22. ban_ipt_save="$(command -v iptables-save)"
  23. ban_ipt_restore="$(command -v iptables-restore)"
  24. ban_ipt6="$(command -v ip6tables)"
  25. ban_ipt6_save="$(command -v ip6tables-save)"
  26. ban_ipt6_restore="$(command -v ip6tables-restore)"
  27. ban_ipset="$(command -v ipset)"
  28. ban_chain="banIP"
  29. ban_action="${1:-"start"}"
  30. ban_pidfile="/var/run/banip.pid"
  31. ban_rtfile="/tmp/ban_runtime.json"
  32. ban_setcnt=0
  33. ban_cnt=0
  34. ban_rc=0
  35. 

  36. # load environment
  37. #
  38. f_envload()
  39. {
  40. 	local sys_call sys_desc sys_model
  41. 

  42. 	# get system information
  43. 	#
  44. 	sys_call="$(ubus -S call system board 2>/dev/null)"
  45. 	if [ -n "${sys_call}" ]
  46. 	then
  47. 		sys_desc="$(printf '%s' "${sys_call}" | jsonfilter -e '@.release.description')"
  48. 		sys_model="$(printf '%s' "${sys_call}" | jsonfilter -e '@.model')"
  49. 		ban_sysver="${sys_model}, ${sys_desc}"
  50. 	fi
  51. 

  52. 	# parse 'global' and 'extra' section by callback
  53. 	#
  54. 	config_cb()
  55. 	{
  56. 		local type="${1}"
  57. 		if [ "${type}" = "banip" ]
  58. 		then
  59. 			option_cb()
  60. 			{
  61. 				local option="${1}"
  62. 				local value="${2}"
  63. 				eval "${option}=\"${value}\""
  64. 			}
  65. 		else
  66. 			reset_cb
  67. 		fi
  68. 	}
  69. 

  70. 	# parse 'source' typed sections
  71. 	#
  72. 	parse_config()
  73. 	{
  74. 		local value opt section="${1}" options="ban_src ban_src_6 ban_src_rset ban_src_rset_6 ban_src_settype ban_src_ruletype ban_src_on ban_src_on_6 ban_src_cat"
  75. 		for opt in ${options}
  76. 		do
  77. 			config_get value "${section}" "${opt}"
  78. 			if [ -n "${value}" ]
  79. 			then
  80. 				eval "${opt}_${section}=\"${value}\""
  81. 				if [ "${opt}" = "ban_src" ]
  82. 				then
  83. 					eval "ban_sources=\"${ban_sources} ${section}\""
  84. 				elif [ "${opt}" = "ban_src_6" ]
  85. 				then
  86. 					eval "ban_sources=\"${ban_sources} ${section}_6\""
  87. 				fi
  88. 			fi
  89. 		done
  90. 	}
  91. 

  92. 	# load config
  93. 	#
  94. 	config_load banip
  95. 	config_foreach parse_config source
  96. 

  97. 	# create temp directory & files
  98. 	#
  99. 	f_temp
  100. 

  101. 	# check status
  102. 	#
  103. 	if [ ${ban_enabled} -eq 0 ]
  104. 	then
  105. 		f_jsnup disabled
  106. 		f_ipset destroy
  107. 		f_rmtemp
  108. 		f_log "info" "banIP is currently disabled, please set ban_enabled to '1' to use this service"
  109. 		exit 0
  110. 	fi
  111. }
  112. 

  113. # check environment
  114. #
  115. f_envcheck()
  116. {
  117. 	local ssl_lib
  118. 

  119. 	# check fetch utility
  120. 	#
  121. 	case "${ban_fetchutil}" in
  122. 		uclient-fetch)
  123. 			if [ -f "/lib/libustream-ssl.so" ]
  124. 			then
  125. 				ban_fetchparm="${ban_fetchparm:-"--timeout=20 --no-check-certificate -O"}"
  126. 				ssl_lib="libustream-ssl"
  127. 			else
  128. 				ban_fetchparm="${ban_fetchparm:-"--timeout=20 -O"}"
  129. 			fi
  130. 		;;
  131. 		wget)
  132. 			ban_fetchparm="${ban_fetchparm:-"--no-cache --no-cookies --max-redirect=0 --timeout=20 --no-check-certificate -O"}"
  133. 			ssl_lib="built-in"
  134. 		;;
  135. 		wget-nossl)
  136. 			ban_fetchparm="${ban_fetchparm:-"--no-cache --no-cookies --max-redirect=0 --timeout=20 -O"}"
  137. 		;;
  138. 		busybox)
  139. 			ban_fetchparm="${ban_fetchparm:-"-O"}"
  140. 		;;
  141. 		curl)
  142. 			ban_fetchparm="${ban_fetchparm:-"--connect-timeout 20 --insecure -o"}"
  143. 			ssl_lib="built-in"
  144. 		;;
  145. 		aria2c)
  146. 			ban_fetchparm="${ban_fetchparm:-"--timeout=20 --allow-overwrite=true --auto-file-renaming=false --check-certificate=false -o"}"
  147. 			ssl_lib="built-in"
  148. 		;;
  149. 	esac
  150. 	ban_fetchutil="$(command -v "${ban_fetchutil}")"
  151. 	ban_fetchinfo="${ban_fetchutil:-"-"} (${ssl_lib:-"-"})"
  152. 

  153. 	if [ ! -x "${ban_fetchutil}" ] || [ -z "${ban_fetchutil}" ] || [ -z "${ban_fetchparm}" ]
  154. 	then
  155. 		f_log "err" "download utility not found, please install 'uclient-fetch' with 'libustream-mbedtls' or the full 'wget' package"
  156. 	fi
  157. 

  158. 	# get wan device and wan subnets
  159. 	#
  160. 	if [ "${ban_automatic}" = "1" ]
  161. 	then
  162. 		network_find_wan ban_iface
  163. 		if [ -z "${ban_iface}" ]
  164. 		then
  165. 			network_find_wan6 ban_iface
  166. 		fi
  167. 	fi
  168. 	network_get_device ban_dev "${ban_iface}"
  169. 	network_get_subnets ban_subnets "${ban_iface}"
  170. 	network_get_subnets6 ban_subnets6 "${ban_iface}"
  171. 

  172. 	if [ -z "${ban_iface}" ] || [ -z "${ban_dev}" ]
  173. 	then
  174. 		f_log "err" "wan interface/device (${ban_iface:-"-"}/${ban_dev:-"-"}) not found, please please check your configuration"
  175. 	fi
  176. 	uci_set banip global ban_iface "${ban_iface}"
  177. 	uci_commit banip
  178. 

  179. 	f_jsnup "running"
  180. 	f_log "info" "start banIP processing (${ban_action})"
  181. }
  182. 

  183. # create temporary files and directories
  184. #
  185. f_temp()
  186. {
  187. 	if [ -z "${ban_tmpdir}" ]
  188. 	then
  189. 		ban_tmpdir="$(mktemp -p /tmp -d)"
  190. 		ban_tmpload="$(mktemp -p ${ban_tmpdir} -tu)"
  191. 		ban_tmpfile="$(mktemp -p ${ban_tmpdir} -tu)"
  192. 	fi
  193. 

  194. 	if [ ! -s "${ban_pidfile}" ]
  195. 	then
  196. 		printf '%s' "${$}" > "${ban_pidfile}"
  197. 	fi
  198. }
  199. 

  200. # remove temporary files and directories
  201. #
  202. f_rmtemp()
  203. {
  204. 	if [ -d "${ban_tmpdir}" ]
  205. 	then
  206. 		rm -rf "${ban_tmpdir}"
  207. 	fi
  208. 	> "${ban_pidfile}"
  209. }
  210. 

  211. # iptables rules engine
  212. #
  213. f_iptrule()
  214. {
  215. 	local rc timeout="-w 5" action="${1}" rule="${2}"
  216. 

  217. 	if [ "${src_name##*_}" = "6" ]
  218. 	then
  219. 		rc="$("${ban_ipt6}" "${timeout}" -C ${rule} 2>/dev/null; printf '%u' ${?})"
  220. 

  221. 		if ([ ${rc} -ne 0 ] && ([ "${action}" = "-A" ] || [ "${action}" = "-I" ])) \

  222. 		   || ([ ${rc} -eq 0 ] && [ "${action}" = "-D" ])
  223. 		then
  224. 			"${ban_ipt6}" "${timeout}" "${action}" ${rule}
  225. 		fi
  226. 	else
  227. 		rc="$("${ban_ipt}" "${timeout}" -C ${rule} 2>/dev/null; printf '%u' ${?})"
  228. 

  229. 		if ([ ${rc} -ne 0 ] && ([ "${action}" = "-A" ] || [ "${action}" = "-I" ])) \

  230. 		   || ([ ${rc} -eq 0 ] && [ "${action}" = "-D" ])
  231. 		then
  232. 			"${ban_ipt}" "${timeout}" "${action}" ${rule}
  233. 		fi
  234. 	fi
  235. }
  236. 

  237. # remove/add iptables rules
  238. #
  239. f_iptadd()
  240. {
  241. 	local rm="${1}"
  242. 

  243. 	f_iptrule "-D" "${ban_chain} -i ${ban_dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} src -j ${target_src}"
  244. 	f_iptrule "-D" "${ban_chain} -o ${ban_dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} dst -j ${target_dst}"
  245. 

  246. 	if [ -z "${rm}" ] && [ ${cnt} -gt 0 ]
  247. 	then
  248. 		if [ "${src_ruletype}" != "dst" ]
  249. 		then
  250. 			if [ "${src_name##*_}" = "6" ]
  251. 			then
  252. 				# dummy, special IPv6 rules
  253. 				/bin/true
  254. 			else
  255. 				f_iptrule "-I" "${wan_input} -p udp --dport 67:68 --sport 67:68 -j RETURN"
  256. 			fi
  257. 			f_iptrule "-A" "${wan_input} -j ${ban_chain}"
  258. 			f_iptrule "-A" "${wan_forward} -j ${ban_chain}"
  259. 			f_iptrule "${action:-"-A"}" "${ban_chain} -i ${ban_dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} src -j ${target_src}"
  260. 		fi
  261. 		if [ "${src_ruletype}" != "src" ]
  262. 		then
  263. 			if [ "${src_name##*_}" = "6" ]
  264. 			then
  265. 				# dummy, special IPv6 rules
  266. 				/bin/true
  267. 			else
  268. 				f_iptrule "-I" "${lan_input} -p udp --dport 67:68 --sport 67:68 -j RETURN"
  269. 			fi
  270. 			f_iptrule "-A" "${lan_input} -j ${ban_chain}"
  271. 			f_iptrule "-A" "${lan_forward} -j ${ban_chain}"
  272. 			f_iptrule "${action:-"-A"}" "${ban_chain} -o ${ban_dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} dst -j ${target_dst}"
  273. 		fi
  274. 	else
  275. 		if [ -n "$("${ban_ipset}" -n list "${src_name}" 2>/dev/null)" ]
  276. 		then
  277. 			"${ban_ipset}" destroy "${src_name}"
  278. 		fi
  279. 	fi
  280. }
  281. 

  282. # ipset/iptables actions
  283. #
  284. f_ipset()
  285. {
  286. 	local rc cnt cnt_ip cnt_cidr size source action ruleset ruleset_6 rule timeout="-w 5" mode="${1}"
  287. 

  288. 	if [ "${src_name%_6*}" = "whitelist" ]
  289. 	then
  290. 		target_src="ACCEPT"
  291. 		target_dst="ACCEPT"
  292. 		action="-I"
  293. 	fi
  294. 

  295. 	case "${mode}" in
  296. 		initial)
  297. 			if [ -z "$("${ban_ipt}" "${timeout}" -nL "${ban_chain}" 2>/dev/null)" ]
  298. 			then
  299. 				"${ban_ipt}" "${timeout}" -N "${ban_chain}"
  300. 			fi
  301. 

  302. 			if [ -z "$("${ban_ipt6}" "${timeout}" -nL "${ban_chain}" 2>/dev/null)" ]
  303. 			then
  304. 				"${ban_ipt6}" "${timeout}" -N "${ban_chain}"
  305. 			fi
  306. 

  307. 			src_name="ruleset"
  308. 			ruleset="${ban_wan_input_chain:-"input_wan_rule"} ${ban_wan_forward_chain:-"forwarding_wan_rule"} ${ban_lan_input_chain:-"input_lan_rule"} ${ban_lan_forward_chain:-"forwarding_lan_rule"}"
  309. 			for rule in ${ruleset}
  310. 			do
  311. 				f_iptrule "-D" "${rule} -j ${ban_chain}"
  312. 			done
  313. 

  314. 			src_name="ruleset_6"
  315. 			ruleset_6="${ban_wan_input_chain_6:-"input_wan_rule"} ${ban_wan_forward_chain_6:-"forwarding_wan_rule"} ${ban_lan_input_chain_6:-"input_lan_rule"} ${ban_lan_forward_chain_6:-"forwarding_lan_rule"}"
  316. 			for rule in ${ruleset_6}
  317. 			do
  318. 				f_iptrule "-D" "${rule} -j ${ban_chain}"
  319. 			done
  320. 

  321. 			f_log "debug" "f_ipset ::: name: -, mode: ${mode:-"-"}, chain: ${ban_chain:-"-"}, ruleset: ${ruleset}, ruleset_6: ${ruleset_6}"
  322. 		;;
  323. 		create)
  324. 			cnt="$(wc -l 2>/dev/null < "${tmp_file}")"
  325. 			cnt_cidr="$(grep -F "/" "${tmp_file}" | wc -l)"
  326. 			cnt_ip="$(( cnt - cnt_cidr ))"
  327. 			size="$(( cnt / 4 ))"
  328. 

  329. 			if [ ${cnt} -gt 0 ]
  330. 			then
  331. 				if [ -z "$("${ban_ipset}" -n list "${src_name}" 2>/dev/null)" ]
  332. 				then
  333. 					"${ban_ipset}" create "${src_name}" hash:"${src_settype}" hashsize "${size}" maxelem 262144 family "${src_setipv}" counters
  334. 				else
  335. 					"${ban_ipset}" flush "${src_name}"
  336. 				fi
  337. 

  338. 				"${ban_ipset}" -! restore < "${tmp_file}"
  339. 				printf "%s\n" "1" > "${tmp_set}"
  340. 				printf "%s\n" "${cnt}" > "${tmp_cnt}"
  341. 			fi
  342. 			f_iptadd
  343. 

  344. 			end_ts="$(date +%s)"
  345. 			f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}, settype: ${src_settype:-"-"}, setipv: "${src_setipv}", ruletype: ${src_ruletype:-"-"}, count(sum/ip/cidr): ${cnt:-0}/${cnt_ip:-0}/${cnt_cidr:-0}, time(s): $(( end_ts - start_ts ))"
  346. 		;;
  347. 		refresh)
  348. 			if [ -n "$("${ban_ipset}" -n list "${src_name}" 2>/dev/null)" ]
  349. 			then
  350. 				"${ban_ipset}" save "${src_name}" > "${tmp_file}"
  351. 				if [ -s "${tmp_file}" ]
  352. 				then
  353. 					cnt="$(( $(wc -l 2>/dev/null < "${tmp_file}") - 1 ))"
  354. 					cnt_cidr="$(grep -F "/" "${tmp_file}" | wc -l)"
  355. 					cnt_ip="$(( cnt - cnt_cidr ))"
  356. 					printf "%s\n" "1" > "${tmp_set}"
  357. 					printf "%s\n" "${cnt}" > "${tmp_cnt}"
  358. 				fi
  359. 				f_iptadd
  360. 			fi
  361. 

  362. 			end_ts="$(date +%s)"
  363. 			f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}, count: ${cnt:-0}/${cnt_ip:-0}/${cnt_cidr:-0}, time(s): $(( end_ts - start_ts ))"
  364. 		;;
  365. 		flush)
  366. 			f_iptadd "remove"
  367. 

  368. 			if [ -n "$("${ban_ipset}" -n list "${src_name}" 2>/dev/null)" ]
  369. 			then
  370. 				"${ban_ipset}" flush "${src_name}"
  371. 				"${ban_ipset}" destroy "${src_name}"
  372. 			fi
  373. 

  374. 			f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}"
  375. 		;;
  376. 		destroy)
  377. 			if [ -n "$("${ban_ipt}" "${timeout}" -nL "${ban_chain}" 2>/dev/null)" ]
  378. 			then
  379. 				"${ban_ipt_save}" | grep -v -- "-j ${ban_chain}" | "${ban_ipt_restore}"
  380. 				"${ban_ipt}" "${timeout}" -F "${ban_chain}"
  381. 				"${ban_ipt}" "${timeout}" -X "${ban_chain}"
  382. 			fi
  383. 

  384. 			if [ -n "$("${ban_ipt6}" "${timeout}" -nL "${ban_chain}" 2>/dev/null)" ]
  385. 			then
  386. 				"${ban_ipt6_save}" | grep -v -- "-j ${ban_chain}" | "${ban_ipt6_restore}"
  387. 				"${ban_ipt6}" "${timeout}" -F "${ban_chain}"
  388. 				"${ban_ipt6}" "${timeout}" -X "${ban_chain}"
  389. 			fi
  390. 

  391. 			for source in ${ban_sources}
  392. 			do
  393. 				if [ -n "$("${ban_ipset}" -n list "${source}" 2>/dev/null)" ]
  394. 				then
  395. 					"${ban_ipset}" destroy "${source}"
  396. 				fi
  397. 			done
  398. 

  399. 			f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}"
  400. 		;;
  401. 	esac
  402. }
  403. 

  404. # write to syslog
  405. #
  406. f_log()
  407. {
  408. 	local class="${1}" log_msg="${2}"
  409. 

  410. 	if [ -n "${log_msg}" ] && ([ "${class}" != "debug" ] || [ ${ban_debug} -eq 1 ])
  411. 	then
  412. 		logger -p "${class}" -t "banIP-[${ban_ver}]" "${log_msg}"
  413. 		if [ "${class}" = "err" ]
  414. 		then
  415. 			f_jsnup error
  416. 			f_ipset destroy
  417. 			f_rmtemp
  418. 			logger -p "${class}" -t "banIP-[${ban_ver}]" "Please also check 'https://github.com/openwrt/packages/blob/master/net/banip/files/README.md'"
  419. 			exit 1
  420. 		fi
  421. 	fi
  422. }
  423. 

  424. # main function for banIP processing
  425. #
  426. f_main()
  427. {
  428. 	local start_ts end_ts ip tmp_raw tmp_cnt tmp_setcnt tmp_load tmp_file entry list suffix mem_total mem_free cnt=1
  429. 	local src_name src_on src_url src_rset src_setipv src_settype src_ruletype src_cat src_log src_addon
  430. 	local pid pid_list log_content="$(logread -e "dropbear")"
  431. 	local wan_input wan_forward lan_input lan_forward target_src target_dst
  432. 

  433. 	mem_total="$(awk '/^MemTotal/ {print int($2/1000)}' "/proc/meminfo" 2>/dev/null)"
  434. 	mem_free="$(awk '/^MemFree/ {print int($2/1000)}' "/proc/meminfo" 2>/dev/null)"
  435. 	f_log "debug" "f_main  ::: fetch_util: ${ban_fetchinfo:-"-"}, fetch_parm: ${ban_fetchparm:-"-"}, iface: ${ban_iface:-"-"}, dev: ${ban_dev:-"-"}, mem_total: ${mem_total:-0}, mem_free: ${mem_free:-0}, max_queue: ${ban_maxqueue}"
  436. 

  437. 	f_ipset initial
  438. 

  439. 	# main loop
  440. 	#
  441. 	for src_name in ${ban_sources}
  442. 	do
  443. 		if [ "${src_name##*_}" = "6" ]
  444. 		then
  445. 			src_on="$(eval printf '%s' \"\${ban_src_on_6_${src_name%_6*}\}\")"
  446. 			src_url="$(eval printf '%s' \"\${ban_src_6_${src_name%_6*}\}\")"
  447. 			src_rset="$(eval printf '%s' \"\${ban_src_rset_6_${src_name%_6*}\}\")"
  448. 			src_setipv="inet6"
  449. 			wan_input="${ban_wan_input_chain_6:-"input_wan_rule"}"
  450. 			wan_forward="${ban_wan_forward_chain_6:-"forwarding_wan_rule"}"
  451. 			lan_input="${ban_lan_input_chain_6:-"input_lan_rule"}"
  452. 			lan_forward="${ban_lan_forward_chain_6:-"forwarding_lan_rule"}"
  453. 			target_src="${ban_target_src_6:-"DROP"}"
  454. 			target_dst="${ban_target_dst_6:-"REJECT"}"
  455. 		else
  456. 			src_on="$(eval printf '%s' \"\${ban_src_on_${src_name}\}\")"
  457. 			src_url="$(eval printf '%s' \"\${ban_src_${src_name}\}\")"
  458. 			src_rset="$(eval printf '%s' \"\${ban_src_rset_${src_name}\}\")"
  459. 			src_setipv="inet"
  460. 			wan_input="${ban_wan_input_chain:-"input_wan_rule"}"
  461. 			wan_forward="${ban_wan_forward_chain:-"forwarding_wan_rule"}"
  462. 			lan_input="${ban_lan_input_chain:-"input_lan_rule"}"
  463. 			lan_forward="${ban_lan_forward_chain:-"forwarding_lan_rule"}"
  464. 			target_src="${ban_target_src:-"DROP"}"
  465. 			target_dst="${ban_target_dst:-"REJECT"}"
  466. 		fi
  467. 		src_settype="$(eval printf '%s' \"\${ban_src_settype_${src_name%_6*}\}\")"
  468. 		src_ruletype="$(eval printf '%s' \"\${ban_src_ruletype_${src_name%_6*}\}\")"
  469. 		src_cat="$(eval printf '%s' \"\${ban_src_cat_${src_name%_6*}\}\")"
  470. 		src_addon=""
  471. 		tmp_load="${ban_tmpload}.${src_name}"
  472. 		tmp_file="${ban_tmpfile}.${src_name}"
  473. 		tmp_raw="${tmp_load}.raw"
  474. 		tmp_cnt="${tmp_file}.cnt"
  475. 		tmp_set="${tmp_file}.setcnt"
  476. 

  477. 		# basic pre-checks
  478. 		#
  479. 		f_log "debug" "f_main  ::: name: ${src_name}, src_on: ${src_on:-"-"}"
  480. 

  481. 		if [ "${src_on}" != "1" ] || [ -z "${src_url}" ] || [ -z "${src_rset}" ] ||\

  482. 			[ -z "${src_settype}" ] || [ -z "${src_ruletype}" ]
  483. 		then
  484. 			f_ipset flush
  485. 			continue
  486. 		fi
  487. 

  488. 		# download queue processing
  489. 		#
  490. 		(
  491. 			start_ts="$(date +%s)"
  492. 			if [ -f "${src_url}" ]
  493. 			then
  494. 				src_log="$(cat "${src_url}" 2>/dev/null > "${tmp_load}")"
  495. 				ban_rc=${?}
  496. 

  497. 				case "${src_name}" in
  498. 					whitelist)
  499. 						src_addon="${ban_subnets}"
  500. 					;;
  501. 					whitelist_6)
  502. 						src_addon="${ban_subnets6}"
  503. 					;;
  504. 					blacklist)
  505. 						pid_list="$(printf "%s\n" "${log_content}" | grep -F "Exit before auth" | awk 'match($0,/(\[[0-9]+\])/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
  506. 						for pid in ${pid_list}
  507. 						do
  508. 							src_addon="${src_addon} $(printf "%s\n" "${log_content}" | grep -F "${pid}" | awk 'match($0,/([0-9]{1,3}\.){3}[0-9]{1,3}/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
  509. 						done
  510. 					;;
  511. 					blacklist_6)
  512. 						pid_list="$(printf "%s\n" "${log_content}" | grep -F "Exit before auth" | awk 'match($0,/(\[[0-9]+\])/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
  513. 						for pid in ${pid_list}
  514. 						do
  515. 							src_addon="${src_addon} $(printf "%s\n" "${log_content}" | grep -F "${pid}" | awk 'match($0,/([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
  516. 						done
  517. 					;;
  518. 				esac
  519. 

  520. 				for ip in ${src_addon}
  521. 				do
  522. 					if [ -z "$(grep -F "${ip}" "${src_url}")" ]
  523. 					then
  524. 						printf '\n%s\n' "${ip}" >> "${tmp_load}"
  525. 						printf '\n%s\n' "${ip}" >> "${src_url}"
  526. 					fi
  527. 				done
  528. 			elif [ -n "${src_cat}" ]
  529. 			then
  530. 				if [ "${src_cat//[0-9]/}" != "${src_cat}" ]
  531. 				then
  532. 					for as in ${src_cat}
  533. 					do
  534. 						src_log="$("${ban_fetchutil}" ${ban_fetchparm} "${tmp_raw}" "${src_url}AS${as}" 2>&1)"
  535. 						ban_rc=${?}
  536. 						if [ ${ban_rc} -eq 0 ]
  537. 						then
  538. 							jsonfilter -i "${tmp_raw}" -e '@.data.prefixes.*.prefix' 2>/dev/null >> "${tmp_load}"
  539. 						else
  540. 							break
  541. 						fi
  542. 					done
  543. 				else
  544. 					for co in ${src_cat}
  545. 					do
  546. 						src_log="$("${ban_fetchutil}" ${ban_fetchparm} "${tmp_raw}" "${src_url}${co}&v4_format=prefix" 2>&1)"
  547. 						ban_rc=${?}
  548. 						if [ ${ban_rc} -eq 0 ]
  549. 						then
  550. 							if [ "${src_name##*_}" = "6" ]
  551. 							then
  552. 								jsonfilter -i "${tmp_raw}" -e '@.data.resources.ipv6.*' 2>/dev/null >> "${tmp_load}"
  553. 							else
  554. 								jsonfilter -i "${tmp_raw}" -e '@.data.resources.ipv4.*' 2>/dev/null >> "${tmp_load}"
  555. 							fi
  556. 						else
  557. 							break
  558. 						fi
  559. 					done
  560. 				fi
  561. 			else
  562. 				src_log="$("${ban_fetchutil}" ${ban_fetchparm} "${tmp_raw}" "${src_url}" 2>&1)"
  563. 				ban_rc=${?}
  564. 				if [ ${ban_rc} -eq 0 ]
  565. 				then
  566. 					zcat "${tmp_raw}" 2>/dev/null > "${tmp_load}"
  567. 					ban_rc=${?}
  568. 					if [ ${ban_rc} -ne 0 ]
  569. 					then
  570. 						mv -f "${tmp_raw}" "${tmp_load}"
  571. 						ban_rc=${?}
  572. 					fi
  573. 				fi
  574. 			fi
  575. 			if [ ${ban_rc} -eq 0 ]
  576. 			then
  577. 				awk "${src_rset}" "${tmp_load}" 2>/dev/null | sort -u > "${tmp_file}"
  578. 				ban_rc=${?}
  579. 				if [ ${ban_rc} -eq 0 ]
  580. 				then
  581. 					f_ipset create
  582. 				else
  583. 					f_ipset refresh
  584. 				fi
  585. 			else
  586. 				src_log="$(printf '%s' "${src_log}" | awk '{ORS=" ";print $0}')"
  587. 				f_log "debug" "f_main  ::: name: ${src_name}, url: ${src_url}, rc: ${ban_rc}, log: ${src_log:-"-"}"
  588. 				f_ipset refresh
  589. 			fi
  590. 		) &
  591. 		hold=$(( cnt % ban_maxqueue ))
  592. 		if [ ${hold} -eq 0 ]
  593. 		then
  594. 			wait
  595. 		fi
  596. 		cnt=$(( cnt + 1 ))
  597. 	done
  598. 

  599. 	wait
  600. 	if [ ${ban_rc} -eq 0 ]
  601. 	then
  602. 		for cnt in $(cat ${ban_tmpfile}.*.setcnt 2>/dev/null)
  603. 		do
  604. 			ban_setcnt=$(( ban_setcnt + cnt ))
  605. 		done
  606. 		for cnt in $(cat ${ban_tmpfile}.*.cnt 2>/dev/null)
  607. 		do
  608. 			ban_cnt=$(( ban_cnt + cnt ))
  609. 		done
  610. 		f_log "info" "${ban_setcnt} IPSets with overall ${ban_cnt} IPs/Prefixes loaded successfully (${ban_sysver})"
  611. 	fi
  612. 	f_jsnup
  613. 	f_rmtemp
  614. 	exit ${ban_rc}
  615. }
  616. 

  617. # update runtime information
  618. #
  619. f_jsnup()
  620. {
  621. 	local rundate="$(/bin/date "+%d.%m.%Y %H:%M:%S")" status="${1:-"enabled"}"
  622. 

  623. 	ban_cntinfo="${ban_setcnt} IPSets with overall ${ban_cnt} IPs/Prefixes"
  624. 

  625. 	json_add_string "status" "${status}"
  626. 	json_add_string "version" "${ban_ver}"
  627. 	json_add_string "fetch_info" "${ban_fetchinfo:-"-"}"
  628. 	json_add_string "ipset_info" "${ban_cntinfo:-"-"}"
  629. 	json_add_string "last_run" "${rundate:-"-"}"
  630. 	json_add_string "system" "${ban_sysver}"
  631. 	json_dump > "${ban_rtfile}"
  632. 

  633. 	f_log "debug" "f_jsnup ::: status: ${status}, setcnt: ${ban_setcnt}, cnt: ${ban_cnt}"
  634. }
  635. 

  636. # source required system libraries
  637. #
  638. if [ -r "/lib/functions.sh" ] && [ -r "/lib/functions/network.sh" ] && [ -r "/usr/share/libubox/jshn.sh" ]
  639. then
  640. 	. "/lib/functions.sh"
  641. 	. "/lib/functions/network.sh"
  642. 	. "/usr/share/libubox/jshn.sh"
  643. else
  644. 	f_log "err" "system libraries not found"
  645. fi
  646. 

  647. # initialize json runtime file
  648. #
  649. json_load_file "${ban_rtfile}" >/dev/null 2>&1
  650. json_select data >/dev/null 2>&1
  651. if [ ${?} -ne 0 ]
  652. then
  653. 	> "${ban_rtfile}"
  654. 	json_init
  655. 	json_add_object "data"
  656. fi
  657. 

  658. # handle different banIP actions
  659. #
  660. f_envload
  661. case "${ban_action}" in
  662. 	stop)
  663. 		f_jsnup stopped
  664. 		f_ipset destroy
  665. 		f_rmtemp
  666. 	;;
  667. 	start|restart|reload)
  668. 		f_envcheck
  669. 		f_main
  670. 	;;
  671. esac