From 49b43b81e8a8c32465d3de921d8289541de3e7e1 Mon Sep 17 00:00:00 2001
From: Dirk Brenken
Date: Fri, 8 Nov 2019 18:40:30 +0100
Subject: [PATCH] banip: update 0.3.7

* fix a logical glitch in the hotplug event handler
* properly handle fatal iptables errors - even in subshells

Signed-off-by: Dirk Brenken
---
 net/banip/Makefile | 2 +-
 net/banip/files/banip.hotplug | 9 ++---
 net/banip/files/banip.sh | 66 ++++++++++++++++++++++++-----------
 3 files changed, 51 insertions(+), 26 deletions(-)

diff --git a/net/banip/Makefile b/net/banip/Makefile
index 111213b6a..cca5303b2 100644
--- a/net/banip/Makefile
+++ b/net/banip/Makefile
@@ -6,7 +6,7 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=banip
-PKG_VERSION:=0.3.6
+PKG_VERSION:=0.3.7
 PKG_RELEASE:=1
 PKG_LICENSE:=GPL-3.0-or-later
 PKG_MAINTAINER:=Dirk Brenken
diff --git a/net/banip/files/banip.hotplug b/net/banip/files/banip.hotplug
index 763c07baf..f021fcff0 100644
--- a/net/banip/files/banip.hotplug
+++ b/net/banip/files/banip.hotplug
@@ -1,11 +1,12 @@
 #!/bin/sh
 #
+
+[ "${ACTION}" != "add" ] && exit 0
+
 ban_pidfile="/var/run/banip.pid"
 ban_enabled="$(/etc/init.d/banip enabled; printf "%u" "${?}")"
-
-if [ "${ban_enabled}" = "1" ] || [ ! -f "${ban_pidfile}" ] || [ -s "${ban_pidfile}" ] || [ "${ACTION}" != "add" ]
+if [ "${ban_enabled}" = "0" ] && [ ! -s "${ban_pidfile}" ]
 then
- exit 0
-else
 /etc/init.d/banip refresh
 fi
+exit 0
diff --git a/net/banip/files/banip.sh b/net/banip/files/banip.sh
index d4d5638ca..743ea4d74 100755
--- a/net/banip/files/banip.sh
+++ b/net/banip/files/banip.sh
@@ -13,7 +13,7 @@
 #
 LC_ALL=C
 PATH="/usr/sbin:/usr/bin:/sbin:/bin"
-ban_ver="0.3.6"
+ban_ver="0.3.7"
 ban_basever=""
 ban_enabled=0
 ban_automatic="1"
@@ -341,7 +341,7 @@ f_iptrule()
 if { [ "${rc}" -ne 0 ] && { [ "${action}" = "-A" ] || [ "${action}" = "-I" ]; } } || \
 { [ "${rc}" -eq 0 ] && [ "${action}" = "-D" ]; }
 then
- "${ban_ipt6}" "${timeout}" "${action}" ${rule}
+ "${ban_ipt6}" "${timeout}" "${action}" ${rule} 2>/dev/null
 fi
 fi
 else
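Review bot: The new refresh condition `[ "${ban_enabled}" = "0" ]` reads inverted, because `ban_enabled` holds the exit status of `/etc/init.d/banip enabled`, so "0" means enabled; the next reader is likely to "fix" it back. A comment on the assignment would pin this down, e.g. `# exit status of 'banip enabled': 0 = enabled, 1 = disabled`, with `# empty or missing pidfile = no banIP run in progress` on the `-s` test. The `-s` test and the refresh call are not atomic, so two add events arriving together can both pass it; presumably the refresh target serializes itself, confirm against the init script.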
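Review bot: The `2>/dev/null` added here, and likewise on the ipv4 branch at -352 and the -F/-X calls at -543, discards the only explanation iptables gives for a failed rule, while the log line introduced at -352 reports just the action and rule text. Capturing the message instead keeps the log actionable, e.g. `err="$("${ban_ipt6}" "${timeout}" "${action}" ${rule} 2>&1)"` and appending `${err}` to the f_log text. At -543 nothing checks the status at all, so a chain that survives `-X` because a reference remained is silently left in place. f_iptrule's body starts outside the hunk.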
@@ -352,10 +352,15 @@ f_iptrule()
 if { [ "${rc}" -ne 0 ] && { [ "${action}" = "-A" ] || [ "${action}" = "-I" ]; } } || \
 { [ "${rc}" -eq 0 ] && [ "${action}" = "-D" ]; }
 then
- "${ban_ipt}" "${timeout}" "${action}" ${rule}
+ "${ban_ipt}" "${timeout}" "${action}" ${rule} 2>/dev/null
 fi
 fi
 fi
+ if [ "${?}" -ne 0 ]
+ then
+ > "${tmp_err}"
+ f_log "info" "can't create iptables rule: action: '${action:-"-"}', rule: '${rule:-"-"}'"
+ fi
 }

 # remove/add iptables rules
@@ -455,7 +460,8 @@ f_ipset()
 "initial")
 if [ -x "${ban_ipt}" ] && [ -z "$("${ban_ipt}" "${timeout}" -nL "${ban_chain}" 2>/dev/null)" ]
 then
- "${ban_ipt}" "${timeout}" -N "${ban_chain}"
+ "${ban_ipt}" "${timeout}" -N "${ban_chain}" 2>/dev/null
+ out_rc="${?}"
 elif [ -x "${ban_ipt}" ]
 then
 src_name="ruleset"
@@ -467,7 +473,8 @@ f_ipset()
 fi
 if [ -x "${ban_ipt6}" ] && [ -z "$("${ban_ipt6}" "${timeout}" -nL "${ban_chain}" 2>/dev/null)" ]
 then
- "${ban_ipt6}" "${timeout}" -N "${ban_chain}"
+ "${ban_ipt6}" "${timeout}" -N "${ban_chain}" 2>/dev/null
+ out_rc="${?}"
 elif [ -x "${ban_ipt6}" ]
 then
 src_name="ruleset_6"
@@ -477,7 +484,9 @@ f_ipset()
 f_iptrule "-D" "${rule} -j ${ban_chain}"
 done
 fi
- f_log "debug" "f_ipset ::: name: -, mode: ${mode:-"-"}, chain: ${ban_chain:-"-"}, ruleset: ${ruleset:-"-"}, ruleset_6: ${ruleset_6:-"-"}"
+ out_rc="${out_rc:-"${in_rc}"}"
+ f_log "debug" "f_ipset ::: name: -, mode: ${mode:-"-"}, chain: ${ban_chain:-"-"}, ruleset: ${ruleset:-"-"}, ruleset_6: ${ruleset_6:-"-"}, out_rc: ${out_rc}"
+ return "${out_rc}"
 ;;
 "create")
 if [ -x "${ban_ipset}" ]
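Review bot: `> "${tmp_err}"` runs with `tmp_err` unset when f_iptrule is reached from `f_ipset initial` (the `-D` loop at -477), because `tmp_err` is only assigned inside f_main's per-source loop (-667); an empty redirect target fails with a shell error and no marker is written. Guard it, e.g. `[ -n "${tmp_err}" ] && : > "${tmp_err}"`, or assign the marker path before the initial call. The test also relies on `$?` of the whole nested if/fi, which is fragile; capturing `rc_ipt="${?}"` directly after each iptables invocation and testing that would make the failure check explicit. The message says "create" even when the failing action is `-D`.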
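Review bot: `out_rc="${?}"` after the ipv6 `-N` at -467 overwrites the value recorded for the ipv4 `-N` here, so a failed ipv4 chain creation followed by a successful ipv6 one returns 0 from `f_ipset initial` (the `return "${out_rc}"` at -477) and f_main never sees the error. Record only failures at both sites, e.g. `rc="${?}"` followed by `[ "${rc}" -ne 0 ] && out_rc="${rc}"`. `in_rc`, the fallback used at -477, is set outside these hunks; presumably it is initialised at the top of f_ipset.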
@@ -508,6 +517,7 @@ f_ipset()
 end_ts="$(date +%s)"
 out_rc="${out_rc:-"${in_rc}"}"
 f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}, settype: ${src_settype:-"-"}, setipv: ${src_setipv:-"-"}, ruletype: ${src_ruletype:-"-"}, count(sum/ip/cidr): ${cnt}/${cnt_ip}/${cnt_cidr}, time: $((end_ts-start_ts)), out_rc: ${out_rc}"
+ return "${out_rc}"
 ;;
 "refresh")
 if [ -x "${ban_ipset}" ] && [ -n "$("${ban_ipset}" -q -n list "${src_name}")" ]
@@ -543,15 +553,15 @@ f_ipset()
 [ -n "$("${ban_ipt}" "${timeout}" -nL "${ban_chain}" 2>/dev/null)" ]
 then
 "${ban_ipt_save}" | grep -v -- "-j ${ban_chain}" | "${ban_ipt_restore}"
- "${ban_ipt}" "${timeout}" -F "${ban_chain}"
- "${ban_ipt}" "${timeout}" -X "${ban_chain}"
+ "${ban_ipt}" "${timeout}" -F "${ban_chain}" 2>/dev/null
+ "${ban_ipt}" "${timeout}" -X "${ban_chain}" 2>/dev/null
 fi
 if [ -x "${ban_ipt6}" ] && [ -x "${ban_ipt6_save}" ] && [ -x "${ban_ipt6_restore}" ] && \
 [ -n "$("${ban_ipt6}" "${timeout}" -nL "${ban_chain}" 2>/dev/null)" ]
 then
 "${ban_ipt6_save}" | grep -v -- "-j ${ban_chain}" | "${ban_ipt6_restore}"
- "${ban_ipt6}" "${timeout}" -F "${ban_chain}"
- "${ban_ipt6}" "${timeout}" -X "${ban_chain}"
+ "${ban_ipt6}" "${timeout}" -F "${ban_chain}" 2>/dev/null
+ "${ban_ipt6}" "${timeout}" -X "${ban_chain}" 2>/dev/null
 fi
 for source in ${ban_sources}
 do
@@ -622,9 +632,16 @@ f_main()
 mem_free="$(awk '/^MemFree/ {print int($2/1000)}' "/proc/meminfo" 2>/dev/null)"
 f_log "debug" "f_main ::: fetch_util: ${ban_fetchutil:-"-"}, fetch_parm: ${ban_fetchparm:-"-"}, ssh_daemon: ${ban_sshdaemon}, interface(s): ${ban_iface:-"-"}, device(s): ${ban_dev:-"-"}, all_devices: ${ban_dev_all:-"-"}, backup_dir: ${ban_backupdir:-"-"}, mem_total: ${mem_total:-0}, mem_free: ${mem_free:-0}, max_queue: ${ban_maxqueue}"

- # main loop
+ # chain creation
 #
 f_ipset initial
+ if [ "${?}" -ne 0 ]
+ then
+ f_log "err" "banIP processing failed, fatal error during iptables chain creation (${ban_sysver})"
+ fi
+
+ # main loop
+ #
 for src_name in ${ban_sources}
 do
 unset src_on
@@ -667,6 +684,8 @@ f_main()
 tmp_file="${ban_tmpfile}.${src_name}.file"
 tmp_raw="${tmp_file}.raw"
 tmp_cnt="${tmp_file}.cnt"
+ tmp_err="${tmp_file}.err"
+
 # basic pre-checks
 #
 f_log "debug" "f_main ::: name: ${src_name}, src_on: ${src_on:-"-"}"
@@ -855,18 +874,23 @@ f_main()
 done
 wait

- for cnt in $(cat "${ban_tmpfile}".*.cnt 2>/dev/null)
- do
- ban_cnt="$((ban_cnt+cnt))"
- done
- if [ "${ban_cnt}" -gt 0 ]
+ if [ -z "$(ls "${ban_tmpfile}".*.err 2>/dev/null)" ]
 then
- ban_setcnt="$(ls "${ban_tmpfile}".*.cnt 2>/dev/null | wc -l)"
+ for cnt in $(cat "${ban_tmpfile}".*.cnt 2>/dev/null)
+ do
+ ban_cnt="$((ban_cnt+cnt))"
+ done
+ if [ "${ban_cnt}" -gt 0 ]
+ then
+ ban_setcnt="$(ls "${ban_tmpfile}".*.cnt 2>/dev/null | wc -l)"
+ fi
+ f_log "info" "${ban_setcnt} IPSets with overall ${ban_cnt} IPs/Prefixes loaded successfully (${ban_sysver})"
+ f_bgserv "start"
+ f_jsnup
+ f_rmtemp
+ else
+ f_log "err" "banIP processing failed, fatal iptables error(s) during subshell processing (${ban_sysver})"
 fi
- f_log "info" "${ban_setcnt} IPSets with overall ${ban_cnt} IPs/Prefixes loaded successfully (${ban_sysver})"
- f_bgserv "start"
- f_jsnup
- f_rmtemp
 }

 # update runtime information
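Review bot: After `f_log "err" ...` nothing returns or exits, so unless f_log terminates the script for class "err" (its body is outside this diff; its use as the only failure handling elsewhere in the patch suggests it does), f_main continues into the main loop with no chain to attach rules to. If f_log "err" does exit, say so where that is relied upon, e.g. `# f_log "err" cleans up and exits, it does not return`; otherwise add `return 1` after the call. The message would also be more useful to an operator if it stated the consequence, that no blocklist is in effect until the error is resolved.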
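Review bot: The `.err` marker test only catches failures that pass through f_iptrule; `f_ipset create` now returns `out_rc` (-508), but unless the subshell body between -667 and -855 writes a marker on a non-zero return, a failed ipset load still ends in the "loaded successfully" branch. Calling it as `f_ipset create || : > "${tmp_err}"` inside the subshell would close that gap. On the failure branch the `.cnt` and `.err` temp files are not removed here; presumably `f_log "err"` takes care of that, confirm. `ls` as an existence test works, but a glob loop with `[ -e "${f}" ]` avoids parsing its output.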