From 1235acdde621d5ba5dd85d3e232db1162f1f086f Mon Sep 17 00:00:00 2001
From: Dirk Brenken
Date: Sun, 28 Mar 2021 17:06:46 +0200
Subject: [PATCH] banip: update to 0.7.6
* rework the central iptables function to significantly reduce the code complexity and the overall number of iptables calls
* check early and only once in the chain for ctstate NEW and return otherwise (thanks @ldir-EDB0)
* made the whitelist ordering within the chain more flexible
Signed-off-by: Dirk Brenken
---
 net/banip/Makefile | 4 +-
 net/banip/files/banip.sh | 98 ++++++++++++++++++----------------------
 2 files changed, 45 insertions(+), 57 deletions(-)
diff --git a/net/banip/Makefile b/net/banip/Makefile
index 60a890ace..a716d4c34 100644
--- a/net/banip/Makefile
+++ b/net/banip/Makefile
@@ -6,8 +6,8 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=banip
-PKG_VERSION:=0.7.5
-PKG_RELEASE:=4
+PKG_VERSION:=0.7.6
+PKG_RELEASE:=1
 PKG_LICENSE:=GPL-3.0-or-later
 PKG_MAINTAINER:=Dirk Brenken
diff --git a/net/banip/files/banip.sh b/net/banip/files/banip.sh
index 9252b449b..04812420a 100755
--- a/net/banip/files/banip.sh
+++ b/net/banip/files/banip.sh
@@ -12,7 +12,7 @@ export LC_ALL=C
 export PATH="/usr/sbin:/usr/bin:/sbin:/bin"
 set -o pipefail
-ban_ver="0.7.5"
+ban_ver="0.7.6"
 ban_enabled="0"
 ban_mail_enabled="0"
 ban_proto4_enabled="0"
@@ -536,102 +536,90 @@ f_iptrule()
 #
 f_iptables()
 {
- local destroy="${1}" dev
+ local ipt_cmd chain chainsets dev pos timeout="-w 5" destroy="${1}"
 if [ "${ban_action}" != "refresh" ] && [ "${ban_action}" != "resume" ]
 then
 for dev in ${ban_ipdevs}
 do
- if [ "${src_name}" = "maclist" ]
+ if [ ! -f "${ban_tmpfile}.${src_name}.delete" ]
 then
- f_iptrule "-D" "${ban_chain}" "-o ${dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} src -j RETURN"
- elif [ "${src_name%_*}" = "whitelist" ]
- then
- f_iptrule "-D" "${ban_chain}" "-i ${dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} src -j RETURN"
- f_iptrule "-D" "${ban_chain}" "-o ${dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} dst -j RETURN"
- else
- f_iptrule "-D" "${ban_chain}" "-i ${dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} src -j ${ban_logtarget_src}"
- f_iptrule "-D" "${ban_chain}" "-o ${dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} dst -j ${ban_logtarget_dst}"
- f_iptrule "-D" "${ban_chain}" "-i ${dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} src -j ${ban_logchain_src}"
- f_iptrule "-D" "${ban_chain}" "-o ${dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} dst -j ${ban_logchain_dst}"
+ > "${ban_tmpfile}.${src_name}.delete"
+ if [ "${src_name}" = "maclist" ]
+ then
+ f_iptrule "-D" "${ban_chain}" "-o ${dev} -m set --match-set ${src_name} src -j RETURN"
+ elif [ "${src_name%_*}" = "whitelist" ]
+ then
+ f_iptrule "-D" "${ban_chain}" "-i ${dev} -m set --match-set ${src_name} src -j RETURN"
+ f_iptrule "-D" "${ban_chain}" "-o ${dev} -m set --match-set ${src_name} dst -j RETURN"
+ else
+ f_iptrule "-D" "${ban_chain}" "-i ${dev} -m set --match-set ${src_name} src -j ${ban_logtarget_src}"
+ f_iptrule "-D" "${ban_chain}" "-o ${dev} -m set --match-set ${src_name} dst -j ${ban_logtarget_dst}"
+ f_iptrule "-D" "${ban_chain}" "-i ${dev} -m set --match-set ${src_name} src -j ${ban_logchain_src}"
+ f_iptrule "-D" "${ban_chain}" "-o ${dev} -m set --match-set ${src_name} dst -j ${ban_logchain_dst}"
+ fi
 fi
 done
 fi
 if [ -z "${destroy}" ] && { [ "${cnt}" -gt "0" ] || [ "${src_name%_*}" = "blacklist" ] || [ "${src_name%_*}" = "whitelist" ]; }
 then
- if [ "${src_settype}" != "dst" ]
+ if [ "${src_name##*_}" = "4" ]
 then
- if [ "${src_name##*_}" = "4" ]
+ ipt_cmd="${ban_ipt4_cmd}"
+ if [ ! -f "${ban_tmpfile}.${src_name##*_}.chains" ]
 then
- for chain in ${ban_wan_inputchains_4}
- do
- f_iptrule "-I" "${chain}" "-j ${ban_chain}"
- done
- for chain in ${ban_wan_forwardchains_4}
+ > "${ban_tmpfile}.${src_name##*_}.chains"
+ chainsets="${ban_lan_inputchains_4} ${ban_wan_inputchains_4} ${ban_lan_forwardchains_4} ${ban_wan_forwardchains_4}"
+ for chain in ${chainsets}
 do
 f_iptrule "-I" "${chain}" "-j ${ban_chain}"
 done
 f_iptrule "-A" "${ban_chain}" "-p udp --dport 67:68 --sport 67:68 -j RETURN"
- elif [ "${src_name##*_}" = "6" ]
+ f_iptrule "-A" "${ban_chain}" "-m conntrack ! --ctstate NEW -j RETURN"
+ fi
+ elif [ "${src_name##*_}" = "6" ]
+ then
+ ipt_cmd="${ban_ipt6_cmd}"
+ if [ ! -f "${ban_tmpfile}.${src_name##*_}.chains" ]
 then
- for chain in ${ban_wan_inputchains_6}
- do
- f_iptrule "-I" "${chain}" "-j ${ban_chain}"
- done
- for chain in ${ban_wan_forwardchains_6}
+ > "${ban_tmpfile}.${src_name##*_}.chains"
+ chainsets="${ban_lan_inputchains_6} ${ban_wan_inputchains_6} ${ban_lan_forwardchains_6} ${ban_wan_forwardchains_6}"
+ for chain in ${chainsets}
 do
 f_iptrule "-I" "${chain}" "-j ${ban_chain}"
 done
 f_iptrule "-A" "${ban_chain}" "-p ipv6-icmp -s fe80::/10 -d fe80::/10 -j RETURN"
 f_iptrule "-A" "${ban_chain}" "-p udp -s fc00::/6 --sport 547 -d fc00::/6 --dport 546 -j RETURN"
+ f_iptrule "-A" "${ban_chain}" "-m conntrack ! --ctstate NEW -j RETURN"
 fi
+ fi
+ if [ "${src_settype}" != "dst" ]
+ then
 for dev in ${ban_devs}
 do
 if [ "${src_name}" = "maclist" ]
 then
- f_iptrule "-I" "${ban_chain}" "-o ${dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} src -j RETURN" "1"
+ f_iptrule "-I" "${ban_chain}" "-o ${dev} -m set --match-set ${src_name} src -j RETURN" "1"
 elif [ "${src_name%_*}" = "whitelist" ]
 then
- f_iptrule "-I" "${ban_chain}" "-i ${dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} src -j RETURN" "2"
+ pos="$(( $("${ipt_cmd}" "${timeout}" -vnL "${ban_chain}" --line-numbers | grep -cF "RETURN")+1))"
+ f_iptrule "-I" "${ban_chain}" "-i ${dev} -m set --match-set ${src_name} src -j RETURN" "${pos}"
 else
- f_iptrule "${action:-"-A"}" "${ban_chain}" "-i ${dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} src -j ${ban_target_src}"
+ f_iptrule "${action:-"-A"}" "${ban_chain}" "-i ${dev} -m set --match-set ${src_name} src -j ${ban_target_src}"
 fi
 done
 fi
 if [ "${src_settype}" != "src" ]
 then
- if [ "${src_name##*_}" = "4" ]
- then
- for chain in ${ban_lan_inputchains_4}
- do
- f_iptrule "-I" "${chain}" "-j ${ban_chain}"
- done
- for chain in ${ban_lan_forwardchains_4}
- do
- f_iptrule "-I" "${chain}" "-j ${ban_chain}"
- done
- f_iptrule "-A" "${ban_chain}" "-p udp --dport 67:68 --sport 67:68 -j RETURN"
- elif [ "${src_name##*_}" = "6" ]
- then
- for chain in ${ban_lan_inputchains_6}
- do
- f_iptrule "-I" "${chain}" "-j ${ban_chain}"
- done
- for chain in ${ban_lan_forwardchains_6}
- do
- f_iptrule "-I" "${chain}" "-j ${ban_chain}"
- done
- f_iptrule "-A" "${ban_chain}" "-p ipv6-icmp -s fe80::/10 -d fe80::/10 -j RETURN"
- f_iptrule "-A" "${ban_chain}" "-p udp -s fc00::/6 --sport 547 -d fc00::/6 --dport 546 -j RETURN"
- fi
 for dev in ${ban_devs}
 do
 if [ "${src_name%_*}" = "whitelist" ]
 then
- f_iptrule "-I" "${ban_chain}" "-o ${dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} dst -j RETURN" "3"
+ pos="$(( $("${ipt_cmd}" "${timeout}" -vnL "${ban_chain}" --line-numbers | grep -cF "RETURN")+1))"
+ f_iptrule "-I" "${ban_chain}" "-o ${dev} -m set --match-set ${src_name} dst -j RETURN" "${pos}"
 elif [ "${src_name}" != "maclist" ]
 then
- f_iptrule "${action:-"-A"}" "${ban_chain}" "-o ${dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} dst -j ${ban_target_dst}"
+ f_iptrule "${action:-"-A"}" "${ban_chain}" "-o ${dev} -m set --match-set ${src_name} dst -j ${ban_target_dst}"
 fi
 done
 fi