You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

702 lines
19 KiB

  1. #!/bin/sh
  2. # banIP - ban incoming and outgoing ip adresses/subnets via ipset
  3. # written by Dirk Brenken (dev@brenken.org)
  4. # This is free software, licensed under the GNU General Public License v3.
  5. # You should have received a copy of the GNU General Public License
  6. # along with this program. If not, see <http://www.gnu.org/licenses/>.
  7. # set initial defaults
  8. #
  9. LC_ALL=C
  10. PATH="/usr/sbin:/usr/bin:/sbin:/bin"
  11. ban_ver="0.0.6"
  12. ban_sysver="unknown"
  13. ban_enabled=0
  14. ban_automatic="1"
  15. ban_iface=""
  16. ban_debug=0
  17. ban_maxqueue=8
  18. ban_fetchutil="uclient-fetch"
  19. ban_ip="$(command -v ip)"
  20. ban_ipt="$(command -v iptables)"
  21. ban_ipt_save="$(command -v iptables-save)"
  22. ban_ipt_restore="$(command -v iptables-restore)"
  23. ban_ipt6="$(command -v ip6tables)"
  24. ban_ipt6_save="$(command -v ip6tables-save)"
  25. ban_ipt6_restore="$(command -v ip6tables-restore)"
  26. ban_ipset="$(command -v ipset)"
  27. ban_chain="banIP"
  28. ban_action="${1:-"start"}"
  29. ban_pidfile="/var/run/banip.pid"
  30. ban_rtfile="/tmp/ban_runtime.json"
  31. ban_setcnt=0
  32. ban_cnt=0
  33. ban_rc=0
  34. # load environment
  35. #
  36. f_envload()
  37. {
  38. local sys_call sys_desc sys_model
  39. # get system information
  40. #
  41. sys_call="$(ubus -S call system board 2>/dev/null)"
  42. if [ -n "${sys_call}" ]
  43. then
  44. sys_desc="$(printf '%s' "${sys_call}" | jsonfilter -e '@.release.description')"
  45. sys_model="$(printf '%s' "${sys_call}" | jsonfilter -e '@.model')"
  46. ban_sysver="${sys_model}, ${sys_desc}"
  47. fi
  48. # parse 'global' and 'extra' section by callback
  49. #
  50. config_cb()
  51. {
  52. local type="${1}"
  53. if [ "${type}" = "banip" ]
  54. then
  55. option_cb()
  56. {
  57. local option="${1}"
  58. local value="${2}"
  59. eval "${option}=\"${value}\""
  60. }
  61. else
  62. reset_cb
  63. fi
  64. }
  65. # parse 'source' typed sections
  66. #
  67. parse_config()
  68. {
  69. local value opt section="${1}" options="ban_src ban_src_6 ban_src_rset ban_src_rset_6 ban_src_settype ban_src_ruletype ban_src_on ban_src_on_6 ban_src_cat"
  70. for opt in ${options}
  71. do
  72. config_get value "${section}" "${opt}"
  73. if [ -n "${value}" ]
  74. then
  75. eval "${opt}_${section}=\"${value}\""
  76. if [ "${opt}" = "ban_src" ]
  77. then
  78. eval "ban_sources=\"${ban_sources} ${section}\""
  79. elif [ "${opt}" = "ban_src_6" ]
  80. then
  81. eval "ban_sources=\"${ban_sources} ${section}_6\""
  82. fi
  83. fi
  84. done
  85. }
  86. # load config
  87. #
  88. config_load banip
  89. config_foreach parse_config source
  90. # create temp directory & files
  91. #
  92. f_temp
  93. # check status
  94. #
  95. if [ ${ban_enabled} -eq 0 ]
  96. then
  97. f_jsnup disabled
  98. f_ipset destroy
  99. f_rmtemp
  100. f_log "info" "banIP is currently disabled, please set ban_enabled to '1' to use this service"
  101. exit 0
  102. fi
  103. }
  104. # check environment
  105. #
  106. f_envcheck()
  107. {
  108. local ssl_lib tmp
  109. # check fetch utility
  110. #
  111. case "${ban_fetchutil}" in
  112. uclient-fetch)
  113. if [ -f "/lib/libustream-ssl.so" ]
  114. then
  115. ban_fetchparm="${ban_fetchparm:-"--timeout=20 --no-check-certificate -O"}"
  116. ssl_lib="libustream-ssl"
  117. else
  118. ban_fetchparm="${ban_fetchparm:-"--timeout=20 -O"}"
  119. fi
  120. ;;
  121. wget)
  122. ban_fetchparm="${ban_fetchparm:-"--no-cache --no-cookies --max-redirect=0 --timeout=20 --no-check-certificate -O"}"
  123. ssl_lib="built-in"
  124. ;;
  125. wget-nossl)
  126. ban_fetchparm="${ban_fetchparm:-"--no-cache --no-cookies --max-redirect=0 --timeout=20 -O"}"
  127. ;;
  128. busybox)
  129. ban_fetchparm="${ban_fetchparm:-"-O"}"
  130. ;;
  131. curl)
  132. ban_fetchparm="${ban_fetchparm:-"--connect-timeout 20 --insecure -o"}"
  133. ssl_lib="built-in"
  134. ;;
  135. aria2c)
  136. ban_fetchparm="${ban_fetchparm:-"--timeout=20 --allow-overwrite=true --auto-file-renaming=false --check-certificate=false -o"}"
  137. ssl_lib="built-in"
  138. ;;
  139. esac
  140. ban_fetchutil="$(command -v "${ban_fetchutil}")"
  141. ban_fetchinfo="${ban_fetchutil:-"-"} (${ssl_lib:-"-"})"
  142. if [ ! -x "${ban_fetchutil}" ] || [ -z "${ban_fetchutil}" ] || [ -z "${ban_fetchparm}" ]
  143. then
  144. f_log "err" "download utility not found, please install 'uclient-fetch' with 'libustream-mbedtls' or the full 'wget' package"
  145. fi
  146. # get wan device and wan subnets
  147. #
  148. if [ "${ban_automatic}" = "1" ]
  149. then
  150. network_find_wan ban_iface
  151. if [ -z "${ban_iface}" ]
  152. then
  153. network_find_wan6 ban_iface
  154. fi
  155. fi
  156. for iface in ${ban_iface}
  157. do
  158. network_get_physdev tmp "${iface}"
  159. if [ -n "${tmp}" ]
  160. then
  161. ban_dev="${ban_dev} ${tmp}"
  162. fi
  163. network_get_subnets tmp "${iface}"
  164. if [ -n "${tmp}" ]
  165. then
  166. ban_subnets="${ban_subnets} ${tmp}"
  167. fi
  168. network_get_subnets6 tmp "${iface}"
  169. if [ -n "${tmp}" ]
  170. then
  171. ban_subnets6="${ban_subnets6} ${tmp}"
  172. fi
  173. done
  174. if [ -z "${ban_iface}" ] || [ -z "${ban_dev}" ]
  175. then
  176. f_log "err" "wan interface(s)/device(s) (${ban_iface:-"-"}/${ban_dev:-"-"}) not found, please please check your configuration"
  177. fi
  178. ban_dev_all="$(${ban_ip} link show | awk 'BEGIN{FS="[@: ]"}/^[0-9:]/{if(($3!="lo")&&($3!="br-lan")){print $3}}')"
  179. uci_set banip global ban_iface "${ban_iface}"
  180. uci_commit banip
  181. f_jsnup "running"
  182. f_log "info" "start banIP processing (${ban_action})"
  183. }
  184. # create temporary files and directories
  185. #
  186. f_temp()
  187. {
  188. if [ -z "${ban_tmpdir}" ]
  189. then
  190. ban_tmpdir="$(mktemp -p /tmp -d)"
  191. ban_tmpload="$(mktemp -p ${ban_tmpdir} -tu)"
  192. ban_tmpfile="$(mktemp -p ${ban_tmpdir} -tu)"
  193. fi
  194. if [ ! -s "${ban_pidfile}" ]
  195. then
  196. printf '%s' "${$}" > "${ban_pidfile}"
  197. fi
  198. }
  199. # remove temporary files and directories
  200. #
  201. f_rmtemp()
  202. {
  203. if [ -d "${ban_tmpdir}" ]
  204. then
  205. rm -rf "${ban_tmpdir}"
  206. fi
  207. > "${ban_pidfile}"
  208. }
  209. # iptables rules engine
  210. #
  211. f_iptrule()
  212. {
  213. local rc timeout="-w 5" action="${1}" rule="${2}"
  214. if [ "${src_name##*_}" = "6" ]
  215. then
  216. rc="$("${ban_ipt6}" "${timeout}" -C ${rule} 2>/dev/null; printf '%u' ${?})"
  217. if ([ ${rc} -ne 0 ] && ([ "${action}" = "-A" ] || [ "${action}" = "-I" ])) \
  218. || ([ ${rc} -eq 0 ] && [ "${action}" = "-D" ])
  219. then
  220. "${ban_ipt6}" "${timeout}" "${action}" ${rule}
  221. fi
  222. else
  223. rc="$("${ban_ipt}" "${timeout}" -C ${rule} 2>/dev/null; printf '%u' ${?})"
  224. if ([ ${rc} -ne 0 ] && ([ "${action}" = "-A" ] || [ "${action}" = "-I" ])) \
  225. || ([ ${rc} -eq 0 ] && [ "${action}" = "-D" ])
  226. then
  227. "${ban_ipt}" "${timeout}" "${action}" ${rule}
  228. fi
  229. fi
  230. }
  231. # remove/add iptables rules
  232. #
  233. f_iptadd()
  234. {
  235. local rm="${1}" dev
  236. for dev in ${ban_dev_all}
  237. do
  238. f_iptrule "-D" "${ban_chain} -i ${dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} src -j ${target_src}"
  239. f_iptrule "-D" "${ban_chain} -o ${dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} dst -j ${target_dst}"
  240. done
  241. if [ -z "${rm}" ] && [ ${cnt} -gt 0 ]
  242. then
  243. if [ "${src_ruletype}" != "dst" ]
  244. then
  245. if [ "${src_name##*_}" = "6" ]
  246. then
  247. # dummy, special IPv6 rules
  248. /bin/true
  249. else
  250. f_iptrule "-I" "${wan_input} -p udp --dport 67:68 --sport 67:68 -j RETURN"
  251. fi
  252. f_iptrule "-A" "${wan_input} -j ${ban_chain}"
  253. f_iptrule "-A" "${wan_forward} -j ${ban_chain}"
  254. for dev in ${ban_dev}
  255. do
  256. f_iptrule "${action:-"-A"}" "${ban_chain} -i ${dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} src -j ${target_src}"
  257. done
  258. fi
  259. if [ "${src_ruletype}" != "src" ]
  260. then
  261. if [ "${src_name##*_}" = "6" ]
  262. then
  263. # dummy, special IPv6 rules
  264. /bin/true
  265. else
  266. f_iptrule "-I" "${lan_input} -p udp --dport 67:68 --sport 67:68 -j RETURN"
  267. fi
  268. f_iptrule "-A" "${lan_input} -j ${ban_chain}"
  269. f_iptrule "-A" "${lan_forward} -j ${ban_chain}"
  270. for dev in ${ban_dev}
  271. do
  272. f_iptrule "${action:-"-A"}" "${ban_chain} -o ${dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} dst -j ${target_dst}"
  273. done
  274. fi
  275. else
  276. if [ -n "$("${ban_ipset}" -n list "${src_name}" 2>/dev/null)" ]
  277. then
  278. "${ban_ipset}" destroy "${src_name}"
  279. fi
  280. fi
  281. }
  282. # ipset/iptables actions
  283. #
  284. f_ipset()
  285. {
  286. local rc cnt cnt_ip cnt_cidr size source action ruleset ruleset_6 rule timeout="-w 5" mode="${1}"
  287. if [ "${src_name%_6*}" = "whitelist" ]
  288. then
  289. target_src="ACCEPT"
  290. target_dst="ACCEPT"
  291. action="-I"
  292. fi
  293. case "${mode}" in
  294. initial)
  295. if [ -z "$("${ban_ipt}" "${timeout}" -nL "${ban_chain}" 2>/dev/null)" ]
  296. then
  297. "${ban_ipt}" "${timeout}" -N "${ban_chain}"
  298. fi
  299. if [ -z "$("${ban_ipt6}" "${timeout}" -nL "${ban_chain}" 2>/dev/null)" ]
  300. then
  301. "${ban_ipt6}" "${timeout}" -N "${ban_chain}"
  302. fi
  303. src_name="ruleset"
  304. ruleset="${ban_wan_input_chain:-"input_wan_rule"} ${ban_wan_forward_chain:-"forwarding_wan_rule"} ${ban_lan_input_chain:-"input_lan_rule"} ${ban_lan_forward_chain:-"forwarding_lan_rule"}"
  305. for rule in ${ruleset}
  306. do
  307. f_iptrule "-D" "${rule} -j ${ban_chain}"
  308. done
  309. src_name="ruleset_6"
  310. ruleset_6="${ban_wan_input_chain_6:-"input_wan_rule"} ${ban_wan_forward_chain_6:-"forwarding_wan_rule"} ${ban_lan_input_chain_6:-"input_lan_rule"} ${ban_lan_forward_chain_6:-"forwarding_lan_rule"}"
  311. for rule in ${ruleset_6}
  312. do
  313. f_iptrule "-D" "${rule} -j ${ban_chain}"
  314. done
  315. f_log "debug" "f_ipset ::: name: -, mode: ${mode:-"-"}, chain: ${ban_chain:-"-"}, ruleset: ${ruleset}, ruleset_6: ${ruleset_6}"
  316. ;;
  317. create)
  318. cnt="$(wc -l 2>/dev/null < "${tmp_file}")"
  319. cnt_cidr="$(grep -F "/" "${tmp_file}" | wc -l)"
  320. cnt_ip="$(( cnt - cnt_cidr ))"
  321. size="$(( cnt / 4 ))"
  322. if [ ${cnt} -gt 0 ]
  323. then
  324. if [ -z "$("${ban_ipset}" -n list "${src_name}" 2>/dev/null)" ]
  325. then
  326. "${ban_ipset}" create "${src_name}" hash:"${src_settype}" hashsize "${size}" maxelem 262144 family "${src_setipv}" counters
  327. else
  328. "${ban_ipset}" flush "${src_name}"
  329. fi
  330. "${ban_ipset}" -! restore < "${tmp_file}"
  331. printf "%s\n" "1" > "${tmp_set}"
  332. printf "%s\n" "${cnt}" > "${tmp_cnt}"
  333. fi
  334. f_iptadd
  335. end_ts="$(date +%s)"
  336. f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}, settype: ${src_settype:-"-"}, setipv: "${src_setipv}", ruletype: ${src_ruletype:-"-"}, count(sum/ip/cidr): ${cnt:-0}/${cnt_ip:-0}/${cnt_cidr:-0}, time(s): $(( end_ts - start_ts ))"
  337. ;;
  338. refresh)
  339. if [ -n "$("${ban_ipset}" -n list "${src_name}" 2>/dev/null)" ]
  340. then
  341. "${ban_ipset}" save "${src_name}" > "${tmp_file}"
  342. if [ -s "${tmp_file}" ]
  343. then
  344. cnt="$(( $(wc -l 2>/dev/null < "${tmp_file}") - 1 ))"
  345. cnt_cidr="$(grep -F "/" "${tmp_file}" | wc -l)"
  346. cnt_ip="$(( cnt - cnt_cidr ))"
  347. printf "%s\n" "1" > "${tmp_set}"
  348. printf "%s\n" "${cnt}" > "${tmp_cnt}"
  349. fi
  350. f_iptadd
  351. fi
  352. end_ts="$(date +%s)"
  353. f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}, count: ${cnt:-0}/${cnt_ip:-0}/${cnt_cidr:-0}, time(s): $(( end_ts - start_ts ))"
  354. ;;
  355. flush)
  356. f_iptadd "remove"
  357. if [ -n "$("${ban_ipset}" -n list "${src_name}" 2>/dev/null)" ]
  358. then
  359. "${ban_ipset}" flush "${src_name}"
  360. "${ban_ipset}" destroy "${src_name}"
  361. fi
  362. f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}"
  363. ;;
  364. destroy)
  365. if [ -n "$("${ban_ipt}" "${timeout}" -nL "${ban_chain}" 2>/dev/null)" ]
  366. then
  367. "${ban_ipt_save}" | grep -v -- "-j ${ban_chain}" | "${ban_ipt_restore}"
  368. "${ban_ipt}" "${timeout}" -F "${ban_chain}"
  369. "${ban_ipt}" "${timeout}" -X "${ban_chain}"
  370. fi
  371. if [ -n "$("${ban_ipt6}" "${timeout}" -nL "${ban_chain}" 2>/dev/null)" ]
  372. then
  373. "${ban_ipt6_save}" | grep -v -- "-j ${ban_chain}" | "${ban_ipt6_restore}"
  374. "${ban_ipt6}" "${timeout}" -F "${ban_chain}"
  375. "${ban_ipt6}" "${timeout}" -X "${ban_chain}"
  376. fi
  377. for source in ${ban_sources}
  378. do
  379. if [ -n "$("${ban_ipset}" -n list "${source}" 2>/dev/null)" ]
  380. then
  381. "${ban_ipset}" destroy "${source}"
  382. fi
  383. done
  384. f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}"
  385. ;;
  386. esac
  387. }
  388. # write to syslog
  389. #
  390. f_log()
  391. {
  392. local class="${1}" log_msg="${2}"
  393. if [ -n "${log_msg}" ] && ([ "${class}" != "debug" ] || [ ${ban_debug} -eq 1 ])
  394. then
  395. logger -p "${class}" -t "banIP-[${ban_ver}]" "${log_msg}"
  396. if [ "${class}" = "err" ]
  397. then
  398. f_jsnup error
  399. f_ipset destroy
  400. f_rmtemp
  401. logger -p "${class}" -t "banIP-[${ban_ver}]" "Please also check 'https://github.com/openwrt/packages/blob/master/net/banip/files/README.md'"
  402. exit 1
  403. fi
  404. fi
  405. }
  406. # main function for banIP processing
  407. #
  408. f_main()
  409. {
  410. local start_ts end_ts ip tmp_raw tmp_cnt tmp_setcnt tmp_load tmp_file entry list suffix mem_total mem_free cnt=1
  411. local src_name src_on src_url src_rset src_setipv src_settype src_ruletype src_cat src_log src_addon
  412. local pid pid_list log_content="$(logread -e "dropbear")"
  413. local wan_input wan_forward lan_input lan_forward target_src target_dst
  414. mem_total="$(awk '/^MemTotal/ {print int($2/1000)}' "/proc/meminfo" 2>/dev/null)"
  415. mem_free="$(awk '/^MemFree/ {print int($2/1000)}' "/proc/meminfo" 2>/dev/null)"
  416. f_log "debug" "f_main ::: fetch_util: ${ban_fetchinfo:-"-"}, fetch_parm: ${ban_fetchparm:-"-"}, interface(s): ${ban_iface:-"-"}, device(s): ${ban_dev:-"-"}, all_devices: ${ban_dev_all:-"-"}, mem_total: ${mem_total:-0}, mem_free: ${mem_free:-0}, max_queue: ${ban_maxqueue}"
  417. f_ipset initial
  418. # main loop
  419. #
  420. for src_name in ${ban_sources}
  421. do
  422. if [ "${src_name##*_}" = "6" ]
  423. then
  424. src_on="$(eval printf '%s' \"\${ban_src_on_6_${src_name%_6*}\}\")"
  425. src_url="$(eval printf '%s' \"\${ban_src_6_${src_name%_6*}\}\")"
  426. src_rset="$(eval printf '%s' \"\${ban_src_rset_6_${src_name%_6*}\}\")"
  427. src_setipv="inet6"
  428. wan_input="${ban_wan_input_chain_6:-"input_wan_rule"}"
  429. wan_forward="${ban_wan_forward_chain_6:-"forwarding_wan_rule"}"
  430. lan_input="${ban_lan_input_chain_6:-"input_lan_rule"}"
  431. lan_forward="${ban_lan_forward_chain_6:-"forwarding_lan_rule"}"
  432. target_src="${ban_target_src_6:-"DROP"}"
  433. target_dst="${ban_target_dst_6:-"REJECT"}"
  434. else
  435. src_on="$(eval printf '%s' \"\${ban_src_on_${src_name}\}\")"
  436. src_url="$(eval printf '%s' \"\${ban_src_${src_name}\}\")"
  437. src_rset="$(eval printf '%s' \"\${ban_src_rset_${src_name}\}\")"
  438. src_setipv="inet"
  439. wan_input="${ban_wan_input_chain:-"input_wan_rule"}"
  440. wan_forward="${ban_wan_forward_chain:-"forwarding_wan_rule"}"
  441. lan_input="${ban_lan_input_chain:-"input_lan_rule"}"
  442. lan_forward="${ban_lan_forward_chain:-"forwarding_lan_rule"}"
  443. target_src="${ban_target_src:-"DROP"}"
  444. target_dst="${ban_target_dst:-"REJECT"}"
  445. fi
  446. src_settype="$(eval printf '%s' \"\${ban_src_settype_${src_name%_6*}\}\")"
  447. src_ruletype="$(eval printf '%s' \"\${ban_src_ruletype_${src_name%_6*}\}\")"
  448. src_cat="$(eval printf '%s' \"\${ban_src_cat_${src_name%_6*}\}\")"
  449. src_addon=""
  450. tmp_load="${ban_tmpload}.${src_name}"
  451. tmp_file="${ban_tmpfile}.${src_name}"
  452. tmp_raw="${tmp_load}.raw"
  453. tmp_cnt="${tmp_file}.cnt"
  454. tmp_set="${tmp_file}.setcnt"
  455. # basic pre-checks
  456. #
  457. f_log "debug" "f_main ::: name: ${src_name}, src_on: ${src_on:-"-"}"
  458. if [ "${src_on}" != "1" ] || [ -z "${src_url}" ] || [ -z "${src_rset}" ] ||\
  459. [ -z "${src_settype}" ] || [ -z "${src_ruletype}" ]
  460. then
  461. f_ipset flush
  462. continue
  463. elif [ "${ban_action}" = "refresh" ]
  464. then
  465. f_ipset refresh
  466. continue
  467. fi
  468. # download queue processing
  469. #
  470. (
  471. start_ts="$(date +%s)"
  472. if [ -f "${src_url}" ]
  473. then
  474. src_log="$(cat "${src_url}" 2>/dev/null > "${tmp_load}")"
  475. ban_rc=${?}
  476. case "${src_name}" in
  477. whitelist)
  478. src_addon="${ban_subnets}"
  479. ;;
  480. whitelist_6)
  481. src_addon="${ban_subnets6}"
  482. ;;
  483. blacklist)
  484. pid_list="$(printf "%s\n" "${log_content}" | grep -F "Exit before auth" | awk 'match($0,/(\[[0-9]+\])/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
  485. for pid in ${pid_list}
  486. do
  487. src_addon="${src_addon} $(printf "%s\n" "${log_content}" | grep -F "${pid}" | awk 'match($0,/([0-9]{1,3}\.){3}[0-9]{1,3}/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
  488. done
  489. ;;
  490. blacklist_6)
  491. pid_list="$(printf "%s\n" "${log_content}" | grep -F "Exit before auth" | awk 'match($0,/(\[[0-9]+\])/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
  492. for pid in ${pid_list}
  493. do
  494. src_addon="${src_addon} $(printf "%s\n" "${log_content}" | grep -F "${pid}" | awk 'match($0,/([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}/){ORS=" ";print substr($0,RSTART,RLENGTH)}')"
  495. done
  496. ;;
  497. esac
  498. for ip in ${src_addon}
  499. do
  500. if [ -z "$(grep -F "${ip}" "${src_url}")" ]
  501. then
  502. printf '\n%s\n' "${ip}" >> "${tmp_load}"
  503. printf '\n%s\n' "${ip}" >> "${src_url}"
  504. fi
  505. done
  506. elif [ -n "${src_cat}" ]
  507. then
  508. if [ "${src_cat//[0-9]/}" != "${src_cat}" ]
  509. then
  510. for as in ${src_cat}
  511. do
  512. src_log="$("${ban_fetchutil}" ${ban_fetchparm} "${tmp_raw}" "${src_url}AS${as}" 2>&1)"
  513. ban_rc=${?}
  514. if [ ${ban_rc} -eq 0 ]
  515. then
  516. jsonfilter -i "${tmp_raw}" -e '@.data.prefixes.*.prefix' 2>/dev/null >> "${tmp_load}"
  517. else
  518. break
  519. fi
  520. done
  521. else
  522. for co in ${src_cat}
  523. do
  524. src_log="$("${ban_fetchutil}" ${ban_fetchparm} "${tmp_raw}" "${src_url}${co}&v4_format=prefix" 2>&1)"
  525. ban_rc=${?}
  526. if [ ${ban_rc} -eq 0 ]
  527. then
  528. if [ "${src_name##*_}" = "6" ]
  529. then
  530. jsonfilter -i "${tmp_raw}" -e '@.data.resources.ipv6.*' 2>/dev/null >> "${tmp_load}"
  531. else
  532. jsonfilter -i "${tmp_raw}" -e '@.data.resources.ipv4.*' 2>/dev/null >> "${tmp_load}"
  533. fi
  534. else
  535. break
  536. fi
  537. done
  538. fi
  539. else
  540. src_log="$("${ban_fetchutil}" ${ban_fetchparm} "${tmp_raw}" "${src_url}" 2>&1)"
  541. ban_rc=${?}
  542. if [ ${ban_rc} -eq 0 ]
  543. then
  544. zcat "${tmp_raw}" 2>/dev/null > "${tmp_load}"
  545. ban_rc=${?}
  546. if [ ${ban_rc} -ne 0 ]
  547. then
  548. mv -f "${tmp_raw}" "${tmp_load}"
  549. ban_rc=${?}
  550. fi
  551. fi
  552. fi
  553. if [ ${ban_rc} -eq 0 ]
  554. then
  555. awk "${src_rset}" "${tmp_load}" 2>/dev/null | sort -u > "${tmp_file}"
  556. ban_rc=${?}
  557. if [ ${ban_rc} -eq 0 ]
  558. then
  559. f_ipset create
  560. else
  561. f_ipset refresh
  562. fi
  563. else
  564. src_log="$(printf '%s' "${src_log}" | awk '{ORS=" ";print $0}')"
  565. f_log "debug" "f_main ::: name: ${src_name}, url: ${src_url}, rc: ${ban_rc}, log: ${src_log:-"-"}"
  566. f_ipset refresh
  567. fi
  568. ) &
  569. hold=$(( cnt % ban_maxqueue ))
  570. if [ ${hold} -eq 0 ]
  571. then
  572. wait
  573. fi
  574. cnt=$(( cnt + 1 ))
  575. done
  576. wait
  577. if [ ${ban_rc} -eq 0 ]
  578. then
  579. for cnt in $(cat ${ban_tmpfile}.*.setcnt 2>/dev/null)
  580. do
  581. ban_setcnt=$(( ban_setcnt + cnt ))
  582. done
  583. for cnt in $(cat ${ban_tmpfile}.*.cnt 2>/dev/null)
  584. do
  585. ban_cnt=$(( ban_cnt + cnt ))
  586. done
  587. f_log "info" "${ban_setcnt} IPSets with overall ${ban_cnt} IPs/Prefixes loaded successfully (${ban_sysver})"
  588. fi
  589. f_jsnup
  590. f_rmtemp
  591. exit ${ban_rc}
  592. }
  593. # update runtime information
  594. #
  595. f_jsnup()
  596. {
  597. local rundate="$(/bin/date "+%d.%m.%Y %H:%M:%S")" status="${1:-"enabled"}"
  598. ban_cntinfo="${ban_setcnt} IPSets with overall ${ban_cnt} IPs/Prefixes"
  599. json_add_string "status" "${status}"
  600. json_add_string "version" "${ban_ver}"
  601. json_add_string "fetch_info" "${ban_fetchinfo:-"-"}"
  602. json_add_string "ipset_info" "${ban_cntinfo:-"-"}"
  603. json_add_string "last_run" "${rundate:-"-"}"
  604. json_add_string "system" "${ban_sysver}"
  605. json_dump > "${ban_rtfile}"
  606. f_log "debug" "f_jsnup ::: status: ${status}, setcnt: ${ban_setcnt}, cnt: ${ban_cnt}"
  607. }
  608. # source required system libraries
  609. #
  610. if [ -r "/lib/functions.sh" ] && [ -r "/lib/functions/network.sh" ] && [ -r "/usr/share/libubox/jshn.sh" ]
  611. then
  612. . "/lib/functions.sh"
  613. . "/lib/functions/network.sh"
  614. . "/usr/share/libubox/jshn.sh"
  615. else
  616. f_log "err" "system libraries not found"
  617. fi
  618. # initialize json runtime file
  619. #
  620. json_load_file "${ban_rtfile}" >/dev/null 2>&1
  621. json_select data >/dev/null 2>&1
  622. if [ ${?} -ne 0 ]
  623. then
  624. > "${ban_rtfile}"
  625. json_init
  626. json_add_object "data"
  627. fi
  628. # handle different banIP actions
  629. #
  630. f_envload
  631. case "${ban_action}" in
  632. stop)
  633. f_jsnup stopped
  634. f_ipset destroy
  635. f_rmtemp
  636. ;;
  637. start|restart|reload|refresh)
  638. f_envcheck
  639. f_main
  640. ;;
  641. esac