From fb4bfd259df3e06499e2c8b7c9197755bd39ab72 Mon Sep 17 00:00:00 2001
From: Dirk Brenken
Date: Fri, 26 Mar 2021 19:19:57 +0100
Subject: [PATCH] banip: update to 0.7.5-4
* fix another IPv4/IPv6 related iptables chain creation problem
* fix counter during ipset creation
* fix regex for debug counters
* fix ipset housekeeping for local sources
Signed-off-by: Dirk Brenken
---
 net/banip/Makefile | 2 +-
 net/banip/files/banip.sh | 56 +++++++++++++++++++++++-----------------
 2 files changed, 34 insertions(+), 24 deletions(-)
diff --git a/net/banip/Makefile b/net/banip/Makefile
index 3a3427c92..60a890ace 100644
--- a/net/banip/Makefile
+++ b/net/banip/Makefile
@@ -7,7 +7,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=banip
 PKG_VERSION:=0.7.5
-PKG_RELEASE:=3
+PKG_RELEASE:=4
 PKG_LICENSE:=GPL-3.0-or-later
 PKG_MAINTAINER:=Dirk Brenken
diff --git a/net/banip/files/banip.sh b/net/banip/files/banip.sh
index 17a25a24a..9252b449b 100755
--- a/net/banip/files/banip.sh
+++ b/net/banip/files/banip.sh
@@ -434,7 +434,7 @@ f_env()
 then
 json_load_file "${ban_srcfile}"
 json_get_keys ban_allsources
-ban_allsources="${ban_allsources} ${ban_localsources}"
+ban_allsources="${ban_allsources} maclist blacklist whitelist"
 else
 f_log "err" "banIP source file not found"
 fi
@@ -501,7 +501,7 @@ f_iptrule()
 {
 local rc timeout="-w 5" action="${1}" chain="${2}" rule="${3}" pos="${4}"
-if [ "${src_name}" = "maclist" ] || [ "${src_name##*_}" = "4" ]
+if [ "${ban_proto4_enabled}" = "1" ] && { [ "${src_name}" = "maclist" ] || [ "${src_name##*_}" = "4" ]; }
 then
 rc="$("${ban_ipt4_cmd}" "${timeout}" -C ${chain} ${rule} 2>/dev/null; printf "%u" ${?})"
 if { [ "${rc}" != "0" ] && { [ "${action}" = "-A" ] || [ "${action}" = "-I" ]; }; } || \
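Review bot: The literal list `maclist blacklist whitelist` that replaces `${ban_localsources}` on the changed line of the @@ -434 hunk is repeated verbatim in the f_ipset loop at @@ -877, so the two copies can drift apart on the next edit. Keeping one definition, e.g. `ban_localsources="maclist blacklist whitelist"` assigned unconditionally next to the other defaults and referenced from both places, preserves the fix without duplicating the data; the hunk does not show why the variable was dropped (presumably it was not yet set when f_env ran), so that reason is inferred. The rest of f_env lies outside the hunk.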
@@ -513,7 +513,7 @@ f_iptrule()
 rc=0
 fi
 fi
-if [ "${src_name}" = "maclist" ] || [ "${src_name##*_}" = "6" ]
+if [ "${ban_proto6_enabled}" = "1" ] && { [ "${src_name}" = "maclist" ] || [ "${src_name##*_}" = "6" ]; }
 then
 rc="$("${ban_ipt6_cmd}" "${timeout}" -C ${chain} ${rule} 2>/dev/null; printf "%u" ${?})"
 if { [ "${rc}" != "0" ] && { [ "${action}" = "-A" ] || [ "${action}" = "-I" ]; }; } || \
@@ -528,7 +528,7 @@ f_iptrule()
 if [ -n "${rc}" ] && [ "${rc}" != "0" ]
 then
 > "${tmp_err}"
-f_log "info" "iptables action '${action:-"-"}' failed with '${chain}, ${pos:-"-"}, ${rule:-"-"}'"
+f_log "info" "${src_name}: iptables action '${action:-"-"}' failed with '${chain}, ${pos:-"-"}, ${rule:-"-"}'"
 fi
 }
@@ -557,7 +557,7 @@ f_iptables()
 fi
 done
 fi
-if [ -z "${destroy}" ] && [ "${cnt}" -gt "0" ]
+if [ -z "${destroy}" ] && { [ "${cnt}" -gt "0" ] || [ "${src_name%_*}" = "blacklist" ] || [ "${src_name%_*}" = "whitelist" ]; }
 then
 if [ "${src_settype}" != "dst" ]
 then
@@ -644,7 +644,7 @@ f_iptables()
 #
 f_ipset()
 {
-local src src_list action rule ipt_cmd out_rc cnt="0" cnt_ip="0" cnt_cidr="0" cnt_mac="0" timeout="-w 5" mode="${1}" in_rc="4"
+local src src_list action rule ipt_cmd out_rc max="0" cnt="0" cnt_ip="0" cnt_cidr="0" cnt_mac="0" timeout="-w 5" mode="${1}" in_rc="4"
 case "${mode}" in
 "backup")
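Review bot: The new log prefix in the @@ -528 hunk uses `${src_name}` bare, whereas every other field on the same line falls back with `:-"-"` when empty; src_name is a global rather than a parameter of f_iptrule, so a call that reaches this line without it set produces a message beginning with a bare colon. `f_log "info" "${src_name:-"-"}: iptables action '${action:-"-"}' failed with '${chain}, ${pos:-"-"}, ${rule:-"-"}'"` keeps the message shape consistent with the rest of the line.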
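Review bot: In the @@ -557 hunk `[ "${cnt}" -gt "0" ]` is evaluated before the new `||` alternatives, and cnt appears to be filled by `awk '/^Number of entries:/{print $4}'` over `ipset -q list` output (see the @@ -778 hunk; f_iptables' head and the preceding loop are outside this hunk, so the origin of cnt here is inferred), which is empty when the set does not exist; `[ "" -gt "0" ]` then prints an "integer expression expected" diagnostic to stderr and evaluates false. Writing `[ "${cnt:-0}" -gt "0" ]` on the changed line gives the same result without the noise, and the blacklist/whitelist alternatives still fire as intended.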
@@ -747,22 +747,22 @@ f_ipset()
 if [ -z "$("${ban_ipset_cmd}" -q -n list "${src_name}")" ] && \
 { [ -s "${tmp_file}" ] || [ "${src_name%_*}" = "whitelist" ] || [ "${src_name%_*}" = "blacklist" ]; }
 then
-cnt="$(awk 'END{print NR}' "${tmp_file}" 2>/dev/null)"
-cnt=$((cnt+262144))
+max="$(awk 'END{print NR}' "${tmp_file}" 2>/dev/null)"
+max=$((max+262144))
 if [ "${src_name}" = "maclist" ]
 then
-"${ban_ipset_cmd}" create "${src_name}" hash:mac hashsize 64 maxelem "${cnt}" counters timeout "${ban_maclist_timeout:-"0"}"
+"${ban_ipset_cmd}" create "${src_name}" hash:mac hashsize 64 maxelem "${max}" counters timeout "${ban_maclist_timeout:-"0"}"
 out_rc="${?}"
 elif [ "${src_name%_*}" = "whitelist" ]
 then
-"${ban_ipset_cmd}" create "${src_name}" hash:net hashsize 64 maxelem "${cnt}" family "${src_ipver}" counters timeout "${ban_whitelist_timeout:-"0"}"
+"${ban_ipset_cmd}" create "${src_name}" hash:net hashsize 64 maxelem "${max}" family "${src_ipver}" counters timeout "${ban_whitelist_timeout:-"0"}"
 out_rc="${?}"
 elif [ "${src_name%_*}" = "blacklist" ]
 then
-"${ban_ipset_cmd}" create "${src_name}" hash:net hashsize 64 maxelem "${cnt}" family "${src_ipver}" counters timeout "${ban_blacklist_timeout:-"0"}"
+"${ban_ipset_cmd}" create "${src_name}" hash:net hashsize 64 maxelem "${max}" family "${src_ipver}" counters timeout "${ban_blacklist_timeout:-"0"}"
 out_rc="${?}"
 else
-"${ban_ipset_cmd}" create "${src_name}" hash:net hashsize 64 maxelem "${cnt}" family "${src_ipver}" counters
+"${ban_ipset_cmd}" create "${src_name}" hash:net hashsize 64 maxelem "${max}" family "${src_ipver}" counters
 out_rc="${?}"
 fi
 elif [ -n "$("${ban_ipset_cmd}" -q -n list "${src_name}")" ]
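Review bot: `max` is taken from `awk 'END{print NR}' "${tmp_file}"`, yet the condition two lines above deliberately admits whitelist/blacklist sets whose tmp_file may be absent or empty; awk's error is then discarded and `max` is the empty string when `max=$((max+262144))` runs. ash treats an empty variable as 0 in arithmetic, so the result is the bare 262144 floor, but that is not obvious to a reader of the four `create` lines below it. A comment on the awk line such as `# tmp_file may not exist for local lists: an empty count is 0 here, leaving the 262144 floor` would record the intent. The enclosing loop of f_ipset starts outside the hunk.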
@@ -778,8 +778,8 @@ f_ipset()
 then
 src_list="$("${ban_ipset_cmd}" -q list "${src_name}")"
 cnt="$(printf "%s\n" "${src_list}" | awk '/^Number of entries:/{print $4}')"
-cnt_mac="$(printf "%s\n" "${src_list}" | grep -cE "^(([0-9A-Z][0-9A-Z]:){5}[0-9A-Z]{2} packets)")"
-cnt_cidr="$(printf "%s\n" "${src_list}" | grep -cE "(/[0-9]{1,3} packets)")"
+cnt_mac="$(printf "%s\n" "${src_list}" | grep -cE "^(([0-9A-Z][0-9A-Z]:){5}[0-9A-Z]{2} )")"
+cnt_cidr="$(printf "%s\n" "${src_list}" | grep -cE "(/[0-9]{1,3} )")"
 cnt_ip=$((cnt-cnt_cidr-cnt_mac))
 printf "%s\n" "${cnt}" > "${tmp_cnt}"
 fi
@@ -796,8 +796,8 @@ f_ipset()
 out_rc=0
 src_list="$("${ban_ipset_cmd}" -q list "${src_name}")"
 cnt="$(printf "%s\n" "${src_list}" | awk '/^Number of entries:/{print $4}')"
-cnt_mac="$(printf "%s\n" "${src_list}" | grep -cE "^(([0-9A-Z][0-9A-Z]:){5}[0-9A-Z]{2} packets)")"
-cnt_cidr="$(printf "%s\n" "${src_list}" | grep -cE "(/[0-9]{1,3} packets)")"
+cnt_mac="$(printf "%s\n" "${src_list}" | grep -cE "^(([0-9A-Z][0-9A-Z]:){5}[0-9A-Z]{2} )")"
+cnt_cidr="$(printf "%s\n" "${src_list}" | grep -cE "(/[0-9]{1,3} )")"
 cnt_ip=$((cnt-cnt_cidr-cnt_mac))
 printf "%s\n" "${cnt}" > "${tmp_cnt}"
 f_iptables
@@ -839,8 +839,8 @@ f_ipset()
 rm -f "${ban_backupdir}/${src_name}.file"
 src_list="$("${ban_ipset_cmd}" -q list "${src_name}")"
 cnt="$(printf "%s\n" "${src_list}" | awk '/^Number of entries:/{print $4}')"
-cnt_mac="$(printf "%s\n" "${src_list}" | grep -cE "^(([0-9A-Z][0-9A-Z]:){5}[0-9A-Z]{2} packets)")"
-cnt_cidr="$(printf "%s\n" "${src_list}" | grep -cE "(/[0-9]{1,3} packets)")"
+cnt_mac="$(printf "%s\n" "${src_list}" | grep -cE "^(([0-9A-Z][0-9A-Z]:){5}[0-9A-Z]{2} )")"
+cnt_cidr="$(printf "%s\n" "${src_list}" | grep -cE "(/[0-9]{1,3} )")"
 cnt_ip=$((cnt-cnt_cidr-cnt_mac))
 printf "%s\n" "${cnt}" > "${tmp_cnt}"
 fi
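Review bot: The six-line counting block (src_list, cnt, cnt_mac, cnt_cidr, cnt_ip, tmp_cnt) is patched identically in this hunk and again at @@ -796 and @@ -839, and the same two regexes reappear in f_report at @@ -1540 with slightly different spelling; the next change to the ipset output format is likely to miss one copy. Factoring the block into one helper that fills the same variables leaves a single regex to maintain; src_name is already a global and cnt and friends are f_ipset locals, and since ash/dash locals are dynamically scoped the helper can assign them directly, which is worth a comment because it is easy to misread as a scoping bug. All three sites sit inside f_ipset, whose head lies outside these hunks.
```shell
# Count the entries of the current src_name set into the caller's
# src_list/cnt/cnt_mac/cnt_cidr/cnt_ip (dynamic scoping of local in ash)
# and record cnt in tmp_cnt.
f_ipsetcnt()
{
	src_list="$("${ban_ipset_cmd}" -q list "${src_name}")"
	cnt="$(printf "%s\n" "${src_list}" | awk '/^Number of entries:/{print $4}')"
	cnt_mac="$(printf "%s\n" "${src_list}" | grep -cE "^(([0-9A-Z][0-9A-Z]:){5}[0-9A-Z]{2} )")"
	cnt_cidr="$(printf "%s\n" "${src_list}" | grep -cE "(/[0-9]{1,3} )")"
	cnt_ip=$((cnt-cnt_cidr-cnt_mac))
	printf "%s\n" "${cnt}" > "${tmp_cnt}"
}
# … unchanged: f_ipset, where each of the three blocks becomes a single `f_ipsetcnt` call …
```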
@@ -877,7 +877,7 @@ f_ipset()
 "${ban_ipt6_cmd}" "${timeout}" -X "${chain}" 2>/dev/null
 fi
 done
-for src in ${ban_sources} ${ban_localsources}
+for src in ${ban_sources} maclist blacklist whitelist
 do
 if [ "${src}" = "maclist" ] && [ -n "$("${ban_ipset_cmd}" -q -n list "${src}")" ]
 then
@@ -1298,6 +1298,11 @@ f_main()
 f_down "${src_name}" "4" "inet" "${ban_whitelist}" "${src_rule_4}"
 )&
 fi
+else
+(
+src_name="${src_name}_4"
+f_ipset "flush"
+)&
 fi
 if [ "${ban_proto6_enabled}" = "1" ]
 then
@@ -1314,6 +1319,11 @@ f_main()
 f_down "${src_name}" "6" "inet6" "${ban_whitelist}" "${src_rule_6}"
 )&
 fi
+else
+(
+src_name="${src_name}_6"
+f_ipset "flush"
+)&
 fi
 done
 wait
@@ -1390,7 +1400,7 @@ f_main()
 if [ -z "$(printf "%s" "${ban_sources}" | grep -F "${src_name%_*}")" ]
 then
 ban_sources="${ban_sources} ${src_name%_*}"
-ban_allsources="${ban_allsources/${src_name%_*}/}"
+ban_allsources="${ban_allsources//${src_name%_*}/}"
 fi
 fi
 done
@@ -1511,7 +1521,7 @@ f_report()
 if [ -n "${src_list}" ]
 then
 cnt="$(printf "%s" "${src_list}" | awk '/^Number of entries:/{print $4}')"
-cnt_acc="$(printf "%s" "${src_list}" | grep -cE " packets [1-9]+")"
+cnt_acc="$(printf "%s" "${src_list}" | grep -cE "packets [1-9]+")"
 cnt_acc_sum=$((cnt_acc_sum+cnt_acc))
 cnt_mac_sum="${cnt}"
 cnt_sum=$((cnt_sum+cnt))
@@ -1540,9 +1550,9 @@ f_report()
 if [ -n "${src_list}" ]
 then
 cnt="$(printf "%s\n" "${src_list}" | awk '/^Number of entries:/{print $4}')"
-cnt_cidr="$(printf "%s\n" "${src_list}" | grep -cE "/[0-9]{1,3} packets [0-9]+")"
+cnt_cidr="$(printf "%s\n" "${src_list}" | grep -cE "/[0-9]{1,3} ")"
 cnt_ip=$((cnt-cnt_cidr-cnt_mac))
-cnt_acc="$(printf "%s\n" "${src_list}" | grep -cE " packets [1-9]+")"
+cnt_acc="$(printf "%s\n" "${src_list}" | grep -cE "packets [1-9]+")"
 cnt_cidr_sum=$((cnt_cidr_sum+cnt_cidr))
 cnt_ip_sum=$((cnt_ip_sum+cnt_ip))
 cnt_acc_sum=$((cnt_acc_sum+cnt_acc))
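Review bot: The new `else` arms in the @@ -1298 hunk and at @@ -1314 background a `f_ipset "flush"` for the `_4`/`_6` set of a source whose IP family is disabled, but nothing in f_main says why — a reader sees a flush scheduled for a set this run never creates. A one-line comment above each `else`, e.g. `# family disabled: flush the stale _4 set a previous run may have left behind`, records the housekeeping intent the commit message describes. The `if` these arms close starts outside the hunk, and whether `f_ipset "flush"` tolerates a set that does not exist cannot be seen here.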
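Review bot: In the @@ -1390 hunk `${ban_allsources//${src_name%_*}/}` now strips every occurrence, but the pattern still matches anywhere in the string rather than as a whole word, so a source name that is a substring of another corrupts the list (constructed example: removing `foo` turns `foobar` into `bar`); `${src_name%_*}` is also used unquoted as a glob pattern, so `*` or `?` in a source key would widen the match. The `grep -F` test on the line above has the same substring behaviour, which is pre-existing. A word-wise rebuild avoids both problems at the cost of a few lines; the loop enclosing this `if` starts outside the hunk.
```shell
# … unchanged: ban_sources update on the line above …
# drop the source word-wise so that names sharing a prefix are untouched
tmp_all=""
for tmp_src in ${ban_allsources}
do
	if [ "${tmp_src}" != "${src_name%_*}" ]
	then
		tmp_all="${tmp_all} ${tmp_src}"
	fi
done
ban_allsources="${tmp_all# }"
```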
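Review bot: In the changed `cnt_acc` lines of the @@ -1511 hunk and at @@ -1540, `grep -cE "packets [1-9]+"` reads as "one or more non-zero digits", but because -c counts lines and a match needs only the first digit it is equivalent to `"packets [1-9]"`; the `+` suggests a constraint that does not exist. Dropping it and adding `# entries whose packet counter is non-zero` on the line makes the purpose obvious, and the same spelling could then be shared by both hunks. The loops these lines sit in start outside the hunks.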