
Merge pull request #7448 from dibdot/banip

banip: update 0.0.6
lilik-openwrt-22.03
Dirk Brenken 6 years ago
committed by GitHub
parent
commit
5082cc2cef
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 56 additions and 19 deletions
  1. +2
    -2
      net/banip/Makefile
  2. +1
    -1
      net/banip/files/banip.conf
  3. +1
    -1
      net/banip/files/banip.hotplug
  4. +8
    -2
      net/banip/files/banip.init
  5. +44
    -13
      net/banip/files/banip.sh

+ 2
- 2
net/banip/Makefile View File

@ -6,7 +6,7 @@
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=banip PKG_NAME:=banip
PKG_VERSION:=0.0.5
PKG_VERSION:=0.0.6
PKG_RELEASE:=1 PKG_RELEASE:=1
PKG_LICENSE:=GPL-3.0+ PKG_LICENSE:=GPL-3.0+
PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org> PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>
@ -17,7 +17,7 @@ define Package/banip
SECTION:=net SECTION:=net
CATEGORY:=Network CATEGORY:=Network
TITLE:=Ban incoming and/or outgoing ip adresses via ipsets TITLE:=Ban incoming and/or outgoing ip adresses via ipsets
DEPENDS:=+jshn +jsonfilter +ipset +iptables
DEPENDS:=+jshn +jsonfilter +ip +ipset +iptables
PKGARCH:=all PKGARCH:=all
endef endef


+ 1
- 1
net/banip/files/banip.conf View File

@ -170,7 +170,7 @@ config source 'firehol1'
option ban_src 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset' option ban_src 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset'
option ban_src_desc 'Firehol Level 1 compilation. Contains bogons, spamhaus drop and edrop, dshield and malware lists (IPv4)' option ban_src_desc 'Firehol Level 1 compilation. Contains bogons, spamhaus drop and edrop, dshield and malware lists (IPv4)'
option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add firehol1 \"\$1}' option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add firehol1 \"\$1}'
option ban_src_settype 'net_inet'
option ban_src_settype 'net'
option ban_src_ruletype 'src' option ban_src_ruletype 'src'
option ban_src_on '0' option ban_src_on '0'


+ 1
- 1
net/banip/files/banip.hotplug View File

@ -9,4 +9,4 @@ then
exit 0 exit 0
fi fi
/etc/init.d/banip start
/etc/init.d/banip refresh
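Review bot: The switch from `start` to `refresh` is undocumented at the call site, and the reason is only discoverable from the init script's help text, which describes refresh as "Refresh ipsets only (no new download!)". A one-line comment above the call would save the next reader a trip through banip.init and banip.sh: `# interface came up: re-detect wan devices and re-apply the existing ipsets without downloading the lists again`. The guard condition that leads to this call starts outside the hunk.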

+ 8
- 2
net/banip/files/banip.init View File

@ -4,8 +4,9 @@
START=30 START=30
USE_PROCD=1 USE_PROCD=1
EXTRA_COMMANDS="status"
EXTRA_HELP=" status Print runtime information"
EXTRA_COMMANDS="refresh status"
EXTRA_HELP=" refresh Refresh ipsets only (no new download!)
status Print runtime information"
ban_init="/etc/init.d/banip" ban_init="/etc/init.d/banip"
ban_script="/usr/bin/banip.sh" ban_script="/usr/bin/banip.sh"
@ -42,6 +43,11 @@ stop_service()
rc_procd start_service rc_procd start_service
} }
refresh()
{
rc_procd start_service "refresh"
}
status() status()
{ {
local key keylist value rtfile="$(uci_get banip global ban_rtfile)" local key keylist value rtfile="$(uci_get banip global ban_rtfile)"
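Review bot: The new `refresh()` function has no header comment, unlike the documented EXTRA_HELP entry it backs, so nothing at the definition says what the extra `"refresh"` argument to start_service does. Propose adding above it: `# re-run start_service with the "refresh" action; banip.sh maps it to f_envcheck + f_main with the ipsets refreshed in place instead of re-downloaded`. Whether start_service itself honours ban_enabled before acting on the argument is outside the hunk, as is the function whose tail (`rc_procd start_service`) opens the hunk. The two-line EXTRA_HELP string is fine as written but a trailing comment noting that the embedded newline is intentional would stop someone "fixing" it.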


+ 44
- 13
net/banip/files/banip.sh View File

@ -10,7 +10,7 @@
# #
LC_ALL=C LC_ALL=C
PATH="/usr/sbin:/usr/bin:/sbin:/bin" PATH="/usr/sbin:/usr/bin:/sbin:/bin"
ban_ver="0.0.5"
ban_ver="0.0.6"
ban_sysver="unknown" ban_sysver="unknown"
ban_enabled=0 ban_enabled=0
ban_automatic="1" ban_automatic="1"
@ -18,6 +18,7 @@ ban_iface=""
ban_debug=0 ban_debug=0
ban_maxqueue=8 ban_maxqueue=8
ban_fetchutil="uclient-fetch" ban_fetchutil="uclient-fetch"
ban_ip="$(command -v ip)"
ban_ipt="$(command -v iptables)" ban_ipt="$(command -v iptables)"
ban_ipt_save="$(command -v iptables-save)" ban_ipt_save="$(command -v iptables-save)"
ban_ipt_restore="$(command -v iptables-restore)" ban_ipt_restore="$(command -v iptables-restore)"
@ -114,7 +115,7 @@ f_envload()
# #
f_envcheck() f_envcheck()
{ {
local ssl_lib
local ssl_lib tmp
# check fetch utility # check fetch utility
# #
@ -165,14 +166,31 @@ f_envcheck()
network_find_wan6 ban_iface network_find_wan6 ban_iface
fi fi
fi fi
network_get_device ban_dev "${ban_iface}"
network_get_subnets ban_subnets "${ban_iface}"
network_get_subnets6 ban_subnets6 "${ban_iface}"
for iface in ${ban_iface}
do
network_get_physdev tmp "${iface}"
if [ -n "${tmp}" ]
then
ban_dev="${ban_dev} ${tmp}"
fi
network_get_subnets tmp "${iface}"
if [ -n "${tmp}" ]
then
ban_subnets="${ban_subnets} ${tmp}"
fi
network_get_subnets6 tmp "${iface}"
if [ -n "${tmp}" ]
then
ban_subnets6="${ban_subnets6} ${tmp}"
fi
done
if [ -z "${ban_iface}" ] || [ -z "${ban_dev}" ] if [ -z "${ban_iface}" ] || [ -z "${ban_dev}" ]
then then
f_log "err" "wan interface/device (${ban_iface:-"-"}/${ban_dev:-"-"}) not found, please please check your configuration"
f_log "err" "wan interface(s)/device(s) (${ban_iface:-"-"}/${ban_dev:-"-"}) not found, please please check your configuration"
fi fi
ban_dev_all="$(${ban_ip} link show | awk 'BEGIN{FS="[@: ]"}/^[0-9:]/{if(($3!="lo")&&($3!="br-lan")){print $3}}')"
uci_set banip global ban_iface "${ban_iface}" uci_set banip global ban_iface "${ban_iface}"
uci_commit banip uci_commit banip
@ -238,10 +256,13 @@ f_iptrule()
# #
f_iptadd() f_iptadd()
{ {
local rm="${1}"
local rm="${1}" dev
f_iptrule "-D" "${ban_chain} -i ${ban_dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} src -j ${target_src}"
f_iptrule "-D" "${ban_chain} -o ${ban_dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} dst -j ${target_dst}"
for dev in ${ban_dev_all}
do
f_iptrule "-D" "${ban_chain} -i ${dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} src -j ${target_src}"
f_iptrule "-D" "${ban_chain} -o ${dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} dst -j ${target_dst}"
done
if [ -z "${rm}" ] && [ ${cnt} -gt 0 ] if [ -z "${rm}" ] && [ ${cnt} -gt 0 ]
then then
@ -256,7 +277,10 @@ f_iptadd()
fi fi
f_iptrule "-A" "${wan_input} -j ${ban_chain}" f_iptrule "-A" "${wan_input} -j ${ban_chain}"
f_iptrule "-A" "${wan_forward} -j ${ban_chain}" f_iptrule "-A" "${wan_forward} -j ${ban_chain}"
f_iptrule "${action:-"-A"}" "${ban_chain} -i ${ban_dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} src -j ${target_src}"
for dev in ${ban_dev}
do
f_iptrule "${action:-"-A"}" "${ban_chain} -i ${dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} src -j ${target_src}"
done
fi fi
if [ "${src_ruletype}" != "src" ] if [ "${src_ruletype}" != "src" ]
then then
@ -269,7 +293,10 @@ f_iptadd()
fi fi
f_iptrule "-A" "${lan_input} -j ${ban_chain}" f_iptrule "-A" "${lan_input} -j ${ban_chain}"
f_iptrule "-A" "${lan_forward} -j ${ban_chain}" f_iptrule "-A" "${lan_forward} -j ${ban_chain}"
f_iptrule "${action:-"-A"}" "${ban_chain} -o ${ban_dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} dst -j ${target_dst}"
for dev in ${ban_dev}
do
f_iptrule "${action:-"-A"}" "${ban_chain} -o ${dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} dst -j ${target_dst}"
done
fi fi
else else
if [ -n "$("${ban_ipset}" -n list "${src_name}" 2>/dev/null)" ] if [ -n "$("${ban_ipset}" -n list "${src_name}" 2>/dev/null)" ]
@ -432,7 +459,7 @@ f_main()
mem_total="$(awk '/^MemTotal/ {print int($2/1000)}' "/proc/meminfo" 2>/dev/null)" mem_total="$(awk '/^MemTotal/ {print int($2/1000)}' "/proc/meminfo" 2>/dev/null)"
mem_free="$(awk '/^MemFree/ {print int($2/1000)}' "/proc/meminfo" 2>/dev/null)" mem_free="$(awk '/^MemFree/ {print int($2/1000)}' "/proc/meminfo" 2>/dev/null)"
f_log "debug" "f_main ::: fetch_util: ${ban_fetchinfo:-"-"}, fetch_parm: ${ban_fetchparm:-"-"}, iface: ${ban_iface:-"-"}, dev: ${ban_dev:-"-"}, mem_total: ${mem_total:-0}, mem_free: ${mem_free:-0}, max_queue: ${ban_maxqueue}"
f_log "debug" "f_main ::: fetch_util: ${ban_fetchinfo:-"-"}, fetch_parm: ${ban_fetchparm:-"-"}, interface(s): ${ban_iface:-"-"}, device(s): ${ban_dev:-"-"}, all_devices: ${ban_dev_all:-"-"}, mem_total: ${mem_total:-0}, mem_free: ${mem_free:-0}, max_queue: ${ban_maxqueue}"
f_ipset initial f_ipset initial
@ -483,6 +510,10 @@ f_main()
then then
f_ipset flush f_ipset flush
continue continue
elif [ "${ban_action}" = "refresh" ]
then
f_ipset refresh
continue
fi fi
# download queue processing # download queue processing
@ -664,7 +695,7 @@ case "${ban_action}" in
f_ipset destroy f_ipset destroy
f_rmtemp f_rmtemp
;; ;;
start|restart|reload)
start|restart|reload|refresh)
f_envcheck f_envcheck
f_main f_main
;; ;;
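Review bot: In f_envcheck the new loop variable `iface` (the `for iface in ${ban_iface}` at the top of the second hunk) is not declared local, while the same hunk adds `tmp` to the local list and f_iptadd declares its own loop variable `dev`; make it `local ssl_lib tmp iface` so the function does not leak `iface` into global scope. The rewritten error message in that hunk carries over the doubled "please please" from the old text and should read `... not found, please check your configuration`. The `ban_dev_all` awk filter hard-codes `br-lan` as the only non-loopback link to skip, so the -D cleanup loop in f_iptadd touches every other device (harmless if f_iptrule tolerates a missing rule, which is outside the hunk) but appears to miss a WAN device that happens to carry that name; a comment on that line stating the assumption would help. f_envcheck, f_iptadd and f_main all start and end outside the hunks shown.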

