LILiK
/
openwrt-packages-dist
5
0
Fork 0
Code Issues 0 Pull Requests 0 Projects 0 Releases 0 Wiki Activity
Browse Source

banip: update 0.3.7 

* fix a logical glitch in the hotplug event handler
* properly handle fatal iptables errors - even in subshells

Signed-off-by: Dirk Brenken <dev@brenken.org>
lilik-openwrt-22.03
Dirk Brenken 5 years ago
parent
72fba3a17b
commit
49b43b81e8
No known key found for this signature in database GPG Key ID: 9D71CD547BFAE684
3 changed files with 51 additions and 26 deletions
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +1
    -1
      net/banip/Makefile
  2. +5
    -4
      net/banip/files/banip.hotplug
  3. +45
    -21
      net/banip/files/banip.sh

+ 1
- 1
net/banip/Makefile View File

@ -6,7 +6,7 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=banip
PKG_VERSION:=0.3.6
PKG_VERSION:=0.3.7
PKG_RELEASE:=1
PKG_LICENSE:=GPL-3.0-or-later
PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>


+ 5
- 4
net/banip/files/banip.hotplug View File

@ -1,11 +1,12 @@
#!/bin/sh
#
[ "${ACTION}" != "add" ] && exit 0
ban_pidfile="/var/run/banip.pid"
ban_enabled="$(/etc/init.d/banip enabled; printf "%u" "${?}")"
if [ "${ban_enabled}" = "1" ] || [ ! -f "${ban_pidfile}" ] || [ -s "${ban_pidfile}" ] || [ "${ACTION}" != "add" ]
if [ "${ban_enabled}" = "0" ] && [ ! -s "${ban_pidfile}" ]
then
exit 0
else
/etc/init.d/banip refresh
fi
exit 0

+ 45
- 21
net/banip/files/banip.sh View File

@ -13,7 +13,7 @@
#
LC_ALL=C
PATH="/usr/sbin:/usr/bin:/sbin:/bin"
ban_ver="0.3.6"
ban_ver="0.3.7"
ban_basever=""
ban_enabled=0
ban_automatic="1"
@ -341,7 +341,7 @@ f_iptrule()
if { [ "${rc}" -ne 0 ] && { [ "${action}" = "-A" ] || [ "${action}" = "-I" ]; } } || \
{ [ "${rc}" -eq 0 ] && [ "${action}" = "-D" ]; }
then
"${ban_ipt6}" "${timeout}" "${action}" ${rule}
"${ban_ipt6}" "${timeout}" "${action}" ${rule} 2>/dev/null
fi
fi
else
@ -352,10 +352,15 @@ f_iptrule()
if { [ "${rc}" -ne 0 ] && { [ "${action}" = "-A" ] || [ "${action}" = "-I" ]; } } || \
{ [ "${rc}" -eq 0 ] && [ "${action}" = "-D" ]; }
then
"${ban_ipt}" "${timeout}" "${action}" ${rule}
"${ban_ipt}" "${timeout}" "${action}" ${rule} 2>/dev/null
fi
fi
fi
if [ "${?}" -ne 0 ]
then
> "${tmp_err}"
f_log "info" "can't create iptables rule: action: '${action:-"-"}', rule: '${rule:-"-"}'"
fi
}
# remove/add iptables rules
@ -455,7 +460,8 @@ f_ipset()
"initial")
if [ -x "${ban_ipt}" ] && [ -z "$("${ban_ipt}" "${timeout}" -nL "${ban_chain}" 2>/dev/null)" ]
then
"${ban_ipt}" "${timeout}" -N "${ban_chain}"
"${ban_ipt}" "${timeout}" -N "${ban_chain}" 2>/dev/null
out_rc="${?}"
elif [ -x "${ban_ipt}" ]
then
src_name="ruleset"
@ -467,7 +473,8 @@ f_ipset()
fi
if [ -x "${ban_ipt6}" ] && [ -z "$("${ban_ipt6}" "${timeout}" -nL "${ban_chain}" 2>/dev/null)" ]
then
"${ban_ipt6}" "${timeout}" -N "${ban_chain}"
"${ban_ipt6}" "${timeout}" -N "${ban_chain}" 2>/dev/null
out_rc="${?}"
elif [ -x "${ban_ipt6}" ]
then
src_name="ruleset_6"
@ -477,7 +484,9 @@ f_ipset()
f_iptrule "-D" "${rule} -j ${ban_chain}"
done
fi
f_log "debug" "f_ipset ::: name: -, mode: ${mode:-"-"}, chain: ${ban_chain:-"-"}, ruleset: ${ruleset:-"-"}, ruleset_6: ${ruleset_6:-"-"}"
out_rc="${out_rc:-"${in_rc}"}"
f_log "debug" "f_ipset ::: name: -, mode: ${mode:-"-"}, chain: ${ban_chain:-"-"}, ruleset: ${ruleset:-"-"}, ruleset_6: ${ruleset_6:-"-"}, out_rc: ${out_rc}"
return "${out_rc}"
;;
"create")
if [ -x "${ban_ipset}" ]
@ -508,6 +517,7 @@ f_ipset()
end_ts="$(date +%s)"
out_rc="${out_rc:-"${in_rc}"}"
f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}, settype: ${src_settype:-"-"}, setipv: ${src_setipv:-"-"}, ruletype: ${src_ruletype:-"-"}, count(sum/ip/cidr): ${cnt}/${cnt_ip}/${cnt_cidr}, time: $((end_ts-start_ts)), out_rc: ${out_rc}"
return "${out_rc}"
;;
"refresh")
if [ -x "${ban_ipset}" ] && [ -n "$("${ban_ipset}" -q -n list "${src_name}")" ]
@ -543,15 +553,15 @@ f_ipset()
[ -n "$("${ban_ipt}" "${timeout}" -nL "${ban_chain}" 2>/dev/null)" ]
then
"${ban_ipt_save}" | grep -v -- "-j ${ban_chain}" | "${ban_ipt_restore}"
"${ban_ipt}" "${timeout}" -F "${ban_chain}"
"${ban_ipt}" "${timeout}" -X "${ban_chain}"
"${ban_ipt}" "${timeout}" -F "${ban_chain}" 2>/dev/null
"${ban_ipt}" "${timeout}" -X "${ban_chain}" 2>/dev/null
fi
if [ -x "${ban_ipt6}" ] && [ -x "${ban_ipt6_save}" ] && [ -x "${ban_ipt6_restore}" ] && \
[ -n "$("${ban_ipt6}" "${timeout}" -nL "${ban_chain}" 2>/dev/null)" ]
then
"${ban_ipt6_save}" | grep -v -- "-j ${ban_chain}" | "${ban_ipt6_restore}"
"${ban_ipt6}" "${timeout}" -F "${ban_chain}"
"${ban_ipt6}" "${timeout}" -X "${ban_chain}"
"${ban_ipt6}" "${timeout}" -F "${ban_chain}" 2>/dev/null
"${ban_ipt6}" "${timeout}" -X "${ban_chain}" 2>/dev/null
fi
for source in ${ban_sources}
do
@ -622,9 +632,16 @@ f_main()
mem_free="$(awk '/^MemFree/ {print int($2/1000)}' "/proc/meminfo" 2>/dev/null)"
f_log "debug" "f_main ::: fetch_util: ${ban_fetchutil:-"-"}, fetch_parm: ${ban_fetchparm:-"-"}, ssh_daemon: ${ban_sshdaemon}, interface(s): ${ban_iface:-"-"}, device(s): ${ban_dev:-"-"}, all_devices: ${ban_dev_all:-"-"}, backup_dir: ${ban_backupdir:-"-"}, mem_total: ${mem_total:-0}, mem_free: ${mem_free:-0}, max_queue: ${ban_maxqueue}"
# main loop
# chain creation
#
f_ipset initial
if [ "${?}" -ne 0 ]
then
f_log "err" "banIP processing failed, fatal error during iptables chain creation (${ban_sysver})"
fi
# main loop
#
for src_name in ${ban_sources}
do
unset src_on
@ -667,6 +684,8 @@ f_main()
tmp_file="${ban_tmpfile}.${src_name}.file"
tmp_raw="${tmp_file}.raw"
tmp_cnt="${tmp_file}.cnt"
tmp_err="${tmp_file}.err"
# basic pre-checks
#
f_log "debug" "f_main ::: name: ${src_name}, src_on: ${src_on:-"-"}"
@ -855,18 +874,23 @@ f_main()
done
wait
for cnt in $(cat "${ban_tmpfile}".*.cnt 2>/dev/null)
do
ban_cnt="$((ban_cnt+cnt))"
done
if [ "${ban_cnt}" -gt 0 ]
if [ -z "$(ls "${ban_tmpfile}".*.err 2>/dev/null)" ]
then
ban_setcnt="$(ls "${ban_tmpfile}".*.cnt 2>/dev/null | wc -l)"
for cnt in $(cat "${ban_tmpfile}".*.cnt 2>/dev/null)
do
ban_cnt="$((ban_cnt+cnt))"
done
if [ "${ban_cnt}" -gt 0 ]
then
ban_setcnt="$(ls "${ban_tmpfile}".*.cnt 2>/dev/null | wc -l)"
fi
f_log "info" "${ban_setcnt} IPSets with overall ${ban_cnt} IPs/Prefixes loaded successfully (${ban_sysver})"
f_bgserv "start"
f_jsnup
f_rmtemp
else
f_log "err" "banIP processing failed, fatal iptables error(s) during subshell processing (${ban_sysver})"
fi
f_log "info" "${ban_setcnt} IPSets with overall ${ban_cnt} IPs/Prefixes loaded successfully (${ban_sysver})"
f_bgserv "start"
f_jsnup
f_rmtemp
}
# update runtime information


Write Preview
Loading…
Cancel
Save