Browse Source

banip: update to 0.7.6

* rework the central iptables function to significantly
  reduce the code complexity and the overall number of iptables calls
* check early and only once in the chain for ctstate NEW and
  return otherwise (thanks @ldir-EDB0)
* made the whitelist ordering within the chain more flexible

Signed-off-by: Dirk Brenken <dev@brenken.org>
lilik-openwrt-22.03
Dirk Brenken 4 years ago
parent
commit
1235acdde6
No known key found for this signature in database GPG Key ID: 9D71CD547BFAE684
2 changed files with 45 additions and 57 deletions
  1. +2
    -2
      net/banip/Makefile
  2. +43
    -55
      net/banip/files/banip.sh

+ 2
- 2
net/banip/Makefile View File

@ -6,8 +6,8 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=banip
PKG_VERSION:=0.7.5
PKG_RELEASE:=4
PKG_VERSION:=0.7.6
PKG_RELEASE:=1
PKG_LICENSE:=GPL-3.0-or-later
PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>


+ 43
- 55
net/banip/files/banip.sh View File

@ -12,7 +12,7 @@
export LC_ALL=C
export PATH="/usr/sbin:/usr/bin:/sbin:/bin"
set -o pipefail
ban_ver="0.7.5"
ban_ver="0.7.6"
ban_enabled="0"
ban_mail_enabled="0"
ban_proto4_enabled="0"
@ -536,102 +536,90 @@ f_iptrule()
#
f_iptables()
{
local destroy="${1}" dev
local ipt_cmd chain chainsets dev pos timeout="-w 5" destroy="${1}"
if [ "${ban_action}" != "refresh" ] && [ "${ban_action}" != "resume" ]
then
for dev in ${ban_ipdevs}
do
if [ "${src_name}" = "maclist" ]
if [ ! -f "${ban_tmpfile}.${src_name}.delete" ]
then
f_iptrule "-D" "${ban_chain}" "-o ${dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} src -j RETURN"
elif [ "${src_name%_*}" = "whitelist" ]
then
f_iptrule "-D" "${ban_chain}" "-i ${dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} src -j RETURN"
f_iptrule "-D" "${ban_chain}" "-o ${dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} dst -j RETURN"
else
f_iptrule "-D" "${ban_chain}" "-i ${dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} src -j ${ban_logtarget_src}"
f_iptrule "-D" "${ban_chain}" "-o ${dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} dst -j ${ban_logtarget_dst}"
f_iptrule "-D" "${ban_chain}" "-i ${dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} src -j ${ban_logchain_src}"
f_iptrule "-D" "${ban_chain}" "-o ${dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} dst -j ${ban_logchain_dst}"
> "${ban_tmpfile}.${src_name}.delete"
if [ "${src_name}" = "maclist" ]
then
f_iptrule "-D" "${ban_chain}" "-o ${dev} -m set --match-set ${src_name} src -j RETURN"
elif [ "${src_name%_*}" = "whitelist" ]
then
f_iptrule "-D" "${ban_chain}" "-i ${dev} -m set --match-set ${src_name} src -j RETURN"
f_iptrule "-D" "${ban_chain}" "-o ${dev} -m set --match-set ${src_name} dst -j RETURN"
else
f_iptrule "-D" "${ban_chain}" "-i ${dev} -m set --match-set ${src_name} src -j ${ban_logtarget_src}"
f_iptrule "-D" "${ban_chain}" "-o ${dev} -m set --match-set ${src_name} dst -j ${ban_logtarget_dst}"
f_iptrule "-D" "${ban_chain}" "-i ${dev} -m set --match-set ${src_name} src -j ${ban_logchain_src}"
f_iptrule "-D" "${ban_chain}" "-o ${dev} -m set --match-set ${src_name} dst -j ${ban_logchain_dst}"
fi
fi
done
fi
if [ -z "${destroy}" ] && { [ "${cnt}" -gt "0" ] || [ "${src_name%_*}" = "blacklist" ] || [ "${src_name%_*}" = "whitelist" ]; }
then
if [ "${src_settype}" != "dst" ]
if [ "${src_name##*_}" = "4" ]
then
if [ "${src_name##*_}" = "4" ]
ipt_cmd="${ban_ipt4_cmd}"
if [ ! -f "${ban_tmpfile}.${src_name##*_}.chains" ]
then
for chain in ${ban_wan_inputchains_4}
do
f_iptrule "-I" "${chain}" "-j ${ban_chain}"
done
for chain in ${ban_wan_forwardchains_4}
> "${ban_tmpfile}.${src_name##*_}.chains"
chainsets="${ban_lan_inputchains_4} ${ban_wan_inputchains_4} ${ban_lan_forwardchains_4} ${ban_wan_forwardchains_4}"
for chain in ${chainsets}
do
f_iptrule "-I" "${chain}" "-j ${ban_chain}"
done
f_iptrule "-A" "${ban_chain}" "-p udp --dport 67:68 --sport 67:68 -j RETURN"
elif [ "${src_name##*_}" = "6" ]
f_iptrule "-A" "${ban_chain}" "-m conntrack ! --ctstate NEW -j RETURN"
fi
elif [ "${src_name##*_}" = "6" ]
then
ipt_cmd="${ban_ipt6_cmd}"
if [ ! -f "${ban_tmpfile}.${src_name##*_}.chains" ]
then
for chain in ${ban_wan_inputchains_6}
do
f_iptrule "-I" "${chain}" "-j ${ban_chain}"
done
for chain in ${ban_wan_forwardchains_6}
> "${ban_tmpfile}.${src_name##*_}.chains"
chainsets="${ban_lan_inputchains_6} ${ban_wan_inputchains_6} ${ban_lan_forwardchains_6} ${ban_wan_forwardchains_6}"
for chain in ${chainsets}
do
f_iptrule "-I" "${chain}" "-j ${ban_chain}"
done
f_iptrule "-A" "${ban_chain}" "-p ipv6-icmp -s fe80::/10 -d fe80::/10 -j RETURN"
f_iptrule "-A" "${ban_chain}" "-p udp -s fc00::/6 --sport 547 -d fc00::/6 --dport 546 -j RETURN"
f_iptrule "-A" "${ban_chain}" "-m conntrack ! --ctstate NEW -j RETURN"
fi
fi
if [ "${src_settype}" != "dst" ]
then
for dev in ${ban_devs}
do
if [ "${src_name}" = "maclist" ]
then
f_iptrule "-I" "${ban_chain}" "-o ${dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} src -j RETURN" "1"
f_iptrule "-I" "${ban_chain}" "-o ${dev} -m set --match-set ${src_name} src -j RETURN" "1"
elif [ "${src_name%_*}" = "whitelist" ]
then
f_iptrule "-I" "${ban_chain}" "-i ${dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} src -j RETURN" "2"
pos="$(( $("${ipt_cmd}" "${timeout}" -vnL "${ban_chain}" --line-numbers | grep -cF "RETURN")+1))"
f_iptrule "-I" "${ban_chain}" "-i ${dev} -m set --match-set ${src_name} src -j RETURN" "${pos}"
else
f_iptrule "${action:-"-A"}" "${ban_chain}" "-i ${dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} src -j ${ban_target_src}"
f_iptrule "${action:-"-A"}" "${ban_chain}" "-i ${dev} -m set --match-set ${src_name} src -j ${ban_target_src}"
fi
done
fi
if [ "${src_settype}" != "src" ]
then
if [ "${src_name##*_}" = "4" ]
then
for chain in ${ban_lan_inputchains_4}
do
f_iptrule "-I" "${chain}" "-j ${ban_chain}"
done
for chain in ${ban_lan_forwardchains_4}
do
f_iptrule "-I" "${chain}" "-j ${ban_chain}"
done
f_iptrule "-A" "${ban_chain}" "-p udp --dport 67:68 --sport 67:68 -j RETURN"
elif [ "${src_name##*_}" = "6" ]
then
for chain in ${ban_lan_inputchains_6}
do
f_iptrule "-I" "${chain}" "-j ${ban_chain}"
done
for chain in ${ban_lan_forwardchains_6}
do
f_iptrule "-I" "${chain}" "-j ${ban_chain}"
done
f_iptrule "-A" "${ban_chain}" "-p ipv6-icmp -s fe80::/10 -d fe80::/10 -j RETURN"
f_iptrule "-A" "${ban_chain}" "-p udp -s fc00::/6 --sport 547 -d fc00::/6 --dport 546 -j RETURN"
fi
for dev in ${ban_devs}
do
if [ "${src_name%_*}" = "whitelist" ]
then
f_iptrule "-I" "${ban_chain}" "-o ${dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} dst -j RETURN" "3"
pos="$(( $("${ipt_cmd}" "${timeout}" -vnL "${ban_chain}" --line-numbers | grep -cF "RETURN")+1))"
f_iptrule "-I" "${ban_chain}" "-o ${dev} -m set --match-set ${src_name} dst -j RETURN" "${pos}"
elif [ "${src_name}" != "maclist" ]
then
f_iptrule "${action:-"-A"}" "${ban_chain}" "-o ${dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} dst -j ${ban_target_dst}"
f_iptrule "${action:-"-A"}" "${ban_chain}" "-o ${dev} -m set --match-set ${src_name} dst -j ${ban_target_dst}"
fi
done
fi


Loading…
Cancel
Save