|
@ -434,7 +434,7 @@ f_env() |
|
|
then |
|
|
then |
|
|
json_load_file "${ban_srcfile}" |
|
|
json_load_file "${ban_srcfile}" |
|
|
json_get_keys ban_allsources |
|
|
json_get_keys ban_allsources |
|
|
ban_allsources="${ban_allsources} ${ban_localsources}" |
|
|
|
|
|
|
|
|
ban_allsources="${ban_allsources} maclist blacklist whitelist" |
|
|
else |
|
|
else |
|
|
f_log "err" "banIP source file not found" |
|
|
f_log "err" "banIP source file not found" |
|
|
fi |
|
|
fi |
|
@ -501,7 +501,7 @@ f_iptrule() |
|
|
{ |
|
|
{ |
|
|
local rc timeout="-w 5" action="${1}" chain="${2}" rule="${3}" pos="${4}" |
|
|
local rc timeout="-w 5" action="${1}" chain="${2}" rule="${3}" pos="${4}" |
|
|
|
|
|
|
|
|
if [ "${src_name}" = "maclist" ] || [ "${src_name##*_}" = "4" ] |
|
|
|
|
|
|
|
|
if [ "${ban_proto4_enabled}" = "1" ] && { [ "${src_name}" = "maclist" ] || [ "${src_name##*_}" = "4" ]; } |
|
|
then |
|
|
then |
|
|
rc="$("${ban_ipt4_cmd}" "${timeout}" -C ${chain} ${rule} 2>/dev/null; printf "%u" ${?})" |
|
|
rc="$("${ban_ipt4_cmd}" "${timeout}" -C ${chain} ${rule} 2>/dev/null; printf "%u" ${?})" |
|
|
if { [ "${rc}" != "0" ] && { [ "${action}" = "-A" ] || [ "${action}" = "-I" ]; }; } || \ |
|
|
if { [ "${rc}" != "0" ] && { [ "${action}" = "-A" ] || [ "${action}" = "-I" ]; }; } || \ |
|
@ -513,7 +513,7 @@ f_iptrule() |
|
|
rc=0 |
|
|
rc=0 |
|
|
fi |
|
|
fi |
|
|
fi |
|
|
fi |
|
|
if [ "${src_name}" = "maclist" ] || [ "${src_name##*_}" = "6" ] |
|
|
|
|
|
|
|
|
if [ "${ban_proto6_enabled}" = "1" ] && { [ "${src_name}" = "maclist" ] || [ "${src_name##*_}" = "6" ]; } |
|
|
then |
|
|
then |
|
|
rc="$("${ban_ipt6_cmd}" "${timeout}" -C ${chain} ${rule} 2>/dev/null; printf "%u" ${?})" |
|
|
rc="$("${ban_ipt6_cmd}" "${timeout}" -C ${chain} ${rule} 2>/dev/null; printf "%u" ${?})" |
|
|
if { [ "${rc}" != "0" ] && { [ "${action}" = "-A" ] || [ "${action}" = "-I" ]; }; } || \ |
|
|
if { [ "${rc}" != "0" ] && { [ "${action}" = "-A" ] || [ "${action}" = "-I" ]; }; } || \ |
|
@ -528,7 +528,7 @@ f_iptrule() |
|
|
if [ -n "${rc}" ] && [ "${rc}" != "0" ] |
|
|
if [ -n "${rc}" ] && [ "${rc}" != "0" ] |
|
|
then |
|
|
then |
|
|
> "${tmp_err}" |
|
|
> "${tmp_err}" |
|
|
f_log "info" "iptables action '${action:-"-"}' failed with '${chain}, ${pos:-"-"}, ${rule:-"-"}'" |
|
|
|
|
|
|
|
|
f_log "info" "${src_name}: iptables action '${action:-"-"}' failed with '${chain}, ${pos:-"-"}, ${rule:-"-"}'" |
|
|
fi |
|
|
fi |
|
|
} |
|
|
} |
|
|
|
|
|
|
|
@ -557,7 +557,7 @@ f_iptables() |
|
|
fi |
|
|
fi |
|
|
done |
|
|
done |
|
|
fi |
|
|
fi |
|
|
if [ -z "${destroy}" ] && [ "${cnt}" -gt "0" ] |
|
|
|
|
|
|
|
|
if [ -z "${destroy}" ] && { [ "${cnt}" -gt "0" ] || [ "${src_name%_*}" = "blacklist" ] || [ "${src_name%_*}" = "whitelist" ]; } |
|
|
then |
|
|
then |
|
|
if [ "${src_settype}" != "dst" ] |
|
|
if [ "${src_settype}" != "dst" ] |
|
|
then |
|
|
then |
|
@ -644,7 +644,7 @@ f_iptables() |
|
|
# |
|
|
# |
|
|
f_ipset() |
|
|
f_ipset() |
|
|
{ |
|
|
{ |
|
|
local src src_list action rule ipt_cmd out_rc cnt="0" cnt_ip="0" cnt_cidr="0" cnt_mac="0" timeout="-w 5" mode="${1}" in_rc="4" |
|
|
|
|
|
|
|
|
local src src_list action rule ipt_cmd out_rc max="0" cnt="0" cnt_ip="0" cnt_cidr="0" cnt_mac="0" timeout="-w 5" mode="${1}" in_rc="4" |
|
|
|
|
|
|
|
|
case "${mode}" in |
|
|
case "${mode}" in |
|
|
"backup") |
|
|
"backup") |
|
@ -747,22 +747,22 @@ f_ipset() |
|
|
if [ -z "$("${ban_ipset_cmd}" -q -n list "${src_name}")" ] && \ |
|
|
if [ -z "$("${ban_ipset_cmd}" -q -n list "${src_name}")" ] && \ |
|
|
{ [ -s "${tmp_file}" ] || [ "${src_name%_*}" = "whitelist" ] || [ "${src_name%_*}" = "blacklist" ]; } |
|
|
{ [ -s "${tmp_file}" ] || [ "${src_name%_*}" = "whitelist" ] || [ "${src_name%_*}" = "blacklist" ]; } |
|
|
then |
|
|
then |
|
|
cnt="$(awk 'END{print NR}' "${tmp_file}" 2>/dev/null)" |
|
|
|
|
|
cnt=$((cnt+262144)) |
|
|
|
|
|
|
|
|
max="$(awk 'END{print NR}' "${tmp_file}" 2>/dev/null)" |
|
|
|
|
|
max=$((max+262144)) |
|
|
if [ "${src_name}" = "maclist" ] |
|
|
if [ "${src_name}" = "maclist" ] |
|
|
then |
|
|
then |
|
|
"${ban_ipset_cmd}" create "${src_name}" hash:mac hashsize 64 maxelem "${cnt}" counters timeout "${ban_maclist_timeout:-"0"}" |
|
|
|
|
|
|
|
|
"${ban_ipset_cmd}" create "${src_name}" hash:mac hashsize 64 maxelem "${max}" counters timeout "${ban_maclist_timeout:-"0"}" |
|
|
out_rc="${?}" |
|
|
out_rc="${?}" |
|
|
elif [ "${src_name%_*}" = "whitelist" ] |
|
|
elif [ "${src_name%_*}" = "whitelist" ] |
|
|
then |
|
|
then |
|
|
"${ban_ipset_cmd}" create "${src_name}" hash:net hashsize 64 maxelem "${cnt}" family "${src_ipver}" counters timeout "${ban_whitelist_timeout:-"0"}" |
|
|
|
|
|
|
|
|
"${ban_ipset_cmd}" create "${src_name}" hash:net hashsize 64 maxelem "${max}" family "${src_ipver}" counters timeout "${ban_whitelist_timeout:-"0"}" |
|
|
out_rc="${?}" |
|
|
out_rc="${?}" |
|
|
elif [ "${src_name%_*}" = "blacklist" ] |
|
|
elif [ "${src_name%_*}" = "blacklist" ] |
|
|
then |
|
|
then |
|
|
"${ban_ipset_cmd}" create "${src_name}" hash:net hashsize 64 maxelem "${cnt}" family "${src_ipver}" counters timeout "${ban_blacklist_timeout:-"0"}" |
|
|
|
|
|
|
|
|
"${ban_ipset_cmd}" create "${src_name}" hash:net hashsize 64 maxelem "${max}" family "${src_ipver}" counters timeout "${ban_blacklist_timeout:-"0"}" |
|
|
out_rc="${?}" |
|
|
out_rc="${?}" |
|
|
else |
|
|
else |
|
|
"${ban_ipset_cmd}" create "${src_name}" hash:net hashsize 64 maxelem "${cnt}" family "${src_ipver}" counters |
|
|
|
|
|
|
|
|
"${ban_ipset_cmd}" create "${src_name}" hash:net hashsize 64 maxelem "${max}" family "${src_ipver}" counters |
|
|
out_rc="${?}" |
|
|
out_rc="${?}" |
|
|
fi |
|
|
fi |
|
|
elif [ -n "$("${ban_ipset_cmd}" -q -n list "${src_name}")" ] |
|
|
elif [ -n "$("${ban_ipset_cmd}" -q -n list "${src_name}")" ] |
|
@ -778,8 +778,8 @@ f_ipset() |
|
|
then |
|
|
then |
|
|
src_list="$("${ban_ipset_cmd}" -q list "${src_name}")" |
|
|
src_list="$("${ban_ipset_cmd}" -q list "${src_name}")" |
|
|
cnt="$(printf "%s\n" "${src_list}" | awk '/^Number of entries:/{print $4}')" |
|
|
cnt="$(printf "%s\n" "${src_list}" | awk '/^Number of entries:/{print $4}')" |
|
|
cnt_mac="$(printf "%s\n" "${src_list}" | grep -cE "^(([0-9A-Z][0-9A-Z]:){5}[0-9A-Z]{2} packets)")" |
|
|
|
|
|
cnt_cidr="$(printf "%s\n" "${src_list}" | grep -cE "(/[0-9]{1,3} packets)")" |
|
|
|
|
|
|
|
|
cnt_mac="$(printf "%s\n" "${src_list}" | grep -cE "^(([0-9A-Z][0-9A-Z]:){5}[0-9A-Z]{2} )")" |
|
|
|
|
|
cnt_cidr="$(printf "%s\n" "${src_list}" | grep -cE "(/[0-9]{1,3} )")" |
|
|
cnt_ip=$((cnt-cnt_cidr-cnt_mac)) |
|
|
cnt_ip=$((cnt-cnt_cidr-cnt_mac)) |
|
|
printf "%s\n" "${cnt}" > "${tmp_cnt}" |
|
|
printf "%s\n" "${cnt}" > "${tmp_cnt}" |
|
|
fi |
|
|
fi |
|
@ -796,8 +796,8 @@ f_ipset() |
|
|
out_rc=0 |
|
|
out_rc=0 |
|
|
src_list="$("${ban_ipset_cmd}" -q list "${src_name}")" |
|
|
src_list="$("${ban_ipset_cmd}" -q list "${src_name}")" |
|
|
cnt="$(printf "%s\n" "${src_list}" | awk '/^Number of entries:/{print $4}')" |
|
|
cnt="$(printf "%s\n" "${src_list}" | awk '/^Number of entries:/{print $4}')" |
|
|
cnt_mac="$(printf "%s\n" "${src_list}" | grep -cE "^(([0-9A-Z][0-9A-Z]:){5}[0-9A-Z]{2} packets)")" |
|
|
|
|
|
cnt_cidr="$(printf "%s\n" "${src_list}" | grep -cE "(/[0-9]{1,3} packets)")" |
|
|
|
|
|
|
|
|
cnt_mac="$(printf "%s\n" "${src_list}" | grep -cE "^(([0-9A-Z][0-9A-Z]:){5}[0-9A-Z]{2} )")" |
|
|
|
|
|
cnt_cidr="$(printf "%s\n" "${src_list}" | grep -cE "(/[0-9]{1,3} )")" |
|
|
cnt_ip=$((cnt-cnt_cidr-cnt_mac)) |
|
|
cnt_ip=$((cnt-cnt_cidr-cnt_mac)) |
|
|
printf "%s\n" "${cnt}" > "${tmp_cnt}" |
|
|
printf "%s\n" "${cnt}" > "${tmp_cnt}" |
|
|
f_iptables |
|
|
f_iptables |
|
@ -839,8 +839,8 @@ f_ipset() |
|
|
rm -f "${ban_backupdir}/${src_name}.file" |
|
|
rm -f "${ban_backupdir}/${src_name}.file" |
|
|
src_list="$("${ban_ipset_cmd}" -q list "${src_name}")" |
|
|
src_list="$("${ban_ipset_cmd}" -q list "${src_name}")" |
|
|
cnt="$(printf "%s\n" "${src_list}" | awk '/^Number of entries:/{print $4}')" |
|
|
cnt="$(printf "%s\n" "${src_list}" | awk '/^Number of entries:/{print $4}')" |
|
|
cnt_mac="$(printf "%s\n" "${src_list}" | grep -cE "^(([0-9A-Z][0-9A-Z]:){5}[0-9A-Z]{2} packets)")" |
|
|
|
|
|
cnt_cidr="$(printf "%s\n" "${src_list}" | grep -cE "(/[0-9]{1,3} packets)")" |
|
|
|
|
|
|
|
|
cnt_mac="$(printf "%s\n" "${src_list}" | grep -cE "^(([0-9A-Z][0-9A-Z]:){5}[0-9A-Z]{2} )")" |
|
|
|
|
|
cnt_cidr="$(printf "%s\n" "${src_list}" | grep -cE "(/[0-9]{1,3} )")" |
|
|
cnt_ip=$((cnt-cnt_cidr-cnt_mac)) |
|
|
cnt_ip=$((cnt-cnt_cidr-cnt_mac)) |
|
|
printf "%s\n" "${cnt}" > "${tmp_cnt}" |
|
|
printf "%s\n" "${cnt}" > "${tmp_cnt}" |
|
|
fi |
|
|
fi |
|
@ -877,7 +877,7 @@ f_ipset() |
|
|
"${ban_ipt6_cmd}" "${timeout}" -X "${chain}" 2>/dev/null |
|
|
"${ban_ipt6_cmd}" "${timeout}" -X "${chain}" 2>/dev/null |
|
|
fi |
|
|
fi |
|
|
done |
|
|
done |
|
|
for src in ${ban_sources} ${ban_localsources} |
|
|
|
|
|
|
|
|
for src in ${ban_sources} maclist blacklist whitelist |
|
|
do |
|
|
do |
|
|
if [ "${src}" = "maclist" ] && [ -n "$("${ban_ipset_cmd}" -q -n list "${src}")" ] |
|
|
if [ "${src}" = "maclist" ] && [ -n "$("${ban_ipset_cmd}" -q -n list "${src}")" ] |
|
|
then |
|
|
then |
|
@ -1298,6 +1298,11 @@ f_main() |
|
|
f_down "${src_name}" "4" "inet" "${ban_whitelist}" "${src_rule_4}" |
|
|
f_down "${src_name}" "4" "inet" "${ban_whitelist}" "${src_rule_4}" |
|
|
)& |
|
|
)& |
|
|
fi |
|
|
fi |
|
|
|
|
|
else |
|
|
|
|
|
( |
|
|
|
|
|
src_name="${src_name}_4" |
|
|
|
|
|
f_ipset "flush" |
|
|
|
|
|
)& |
|
|
fi |
|
|
fi |
|
|
if [ "${ban_proto6_enabled}" = "1" ] |
|
|
if [ "${ban_proto6_enabled}" = "1" ] |
|
|
then |
|
|
then |
|
@ -1314,6 +1319,11 @@ f_main() |
|
|
f_down "${src_name}" "6" "inet6" "${ban_whitelist}" "${src_rule_6}" |
|
|
f_down "${src_name}" "6" "inet6" "${ban_whitelist}" "${src_rule_6}" |
|
|
)& |
|
|
)& |
|
|
fi |
|
|
fi |
|
|
|
|
|
else |
|
|
|
|
|
( |
|
|
|
|
|
src_name="${src_name}_6" |
|
|
|
|
|
f_ipset "flush" |
|
|
|
|
|
)& |
|
|
fi |
|
|
fi |
|
|
done |
|
|
done |
|
|
wait |
|
|
wait |
|
@ -1390,7 +1400,7 @@ f_main() |
|
|
if [ -z "$(printf "%s" "${ban_sources}" | grep -F "${src_name%_*}")" ] |
|
|
if [ -z "$(printf "%s" "${ban_sources}" | grep -F "${src_name%_*}")" ] |
|
|
then |
|
|
then |
|
|
ban_sources="${ban_sources} ${src_name%_*}" |
|
|
ban_sources="${ban_sources} ${src_name%_*}" |
|
|
ban_allsources="${ban_allsources/${src_name%_*}/}" |
|
|
|
|
|
|
|
|
ban_allsources="${ban_allsources//${src_name%_*}/}" |
|
|
fi |
|
|
fi |
|
|
fi |
|
|
fi |
|
|
done |
|
|
done |
|
@ -1511,7 +1521,7 @@ f_report() |
|
|
if [ -n "${src_list}" ] |
|
|
if [ -n "${src_list}" ] |
|
|
then |
|
|
then |
|
|
cnt="$(printf "%s" "${src_list}" | awk '/^Number of entries:/{print $4}')" |
|
|
cnt="$(printf "%s" "${src_list}" | awk '/^Number of entries:/{print $4}')" |
|
|
cnt_acc="$(printf "%s" "${src_list}" | grep -cE " packets [1-9]+")" |
|
|
|
|
|
|
|
|
cnt_acc="$(printf "%s" "${src_list}" | grep -cE "packets [1-9]+")" |
|
|
cnt_acc_sum=$((cnt_acc_sum+cnt_acc)) |
|
|
cnt_acc_sum=$((cnt_acc_sum+cnt_acc)) |
|
|
cnt_mac_sum="${cnt}" |
|
|
cnt_mac_sum="${cnt}" |
|
|
cnt_sum=$((cnt_sum+cnt)) |
|
|
cnt_sum=$((cnt_sum+cnt)) |
|
@ -1540,9 +1550,9 @@ f_report() |
|
|
if [ -n "${src_list}" ] |
|
|
if [ -n "${src_list}" ] |
|
|
then |
|
|
then |
|
|
cnt="$(printf "%s\n" "${src_list}" | awk '/^Number of entries:/{print $4}')" |
|
|
cnt="$(printf "%s\n" "${src_list}" | awk '/^Number of entries:/{print $4}')" |
|
|
cnt_cidr="$(printf "%s\n" "${src_list}" | grep -cE "/[0-9]{1,3} packets [0-9]+")" |
|
|
|
|
|
|
|
|
cnt_cidr="$(printf "%s\n" "${src_list}" | grep -cE "/[0-9]{1,3} ")" |
|
|
cnt_ip=$((cnt-cnt_cidr-cnt_mac)) |
|
|
cnt_ip=$((cnt-cnt_cidr-cnt_mac)) |
|
|
cnt_acc="$(printf "%s\n" "${src_list}" | grep -cE " packets [1-9]+")" |
|
|
|
|
|
|
|
|
cnt_acc="$(printf "%s\n" "${src_list}" | grep -cE "packets [1-9]+")" |
|
|
cnt_cidr_sum=$((cnt_cidr_sum+cnt_cidr)) |
|
|
cnt_cidr_sum=$((cnt_cidr_sum+cnt_cidr)) |
|
|
cnt_ip_sum=$((cnt_ip_sum+cnt_ip)) |
|
|
cnt_ip_sum=$((cnt_ip_sum+cnt_ip)) |
|
|
cnt_acc_sum=$((cnt_acc_sum+cnt_acc)) |
|
|
cnt_acc_sum=$((cnt_acc_sum+cnt_acc)) |
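Review bot: The entry-count block (the `ipset list` capture into `src_list`, then `cnt`, `cnt_mac`, `cnt_cidr`, `cnt_ip` and the write to `${tmp_cnt}`) is duplicated verbatim in three hunks of f_ipset (@ -778, @ -796 and @ -839), and this commit had to patch the two grep patterns in every copy; moving it into one small helper would give the patterns a single owner so the next regex change is a one-line edit. Because these variables are declared `local` in f_ipset and ash/bash scope `local` dynamically, a helper called from f_ipset assigns the caller's variables without any interface change, though that is worth confirming against the target shell. f_report (@ -1540) carries its own near-copy of the `cnt_cidr` pattern and would also be a candidate for reuse. The enclosing f_ipset function starts and ends outside these hunks.

```shell
# f_ipsetcnt: count the entries of ipset "${src_name}" into cnt/cnt_ip/cnt_cidr/cnt_mac
# and record cnt in "${tmp_cnt}"; relies on the caller's local variables (dynamic scoping)
f_ipsetcnt()
{
	src_list="$("${ban_ipset_cmd}" -q list "${src_name}")"
	cnt="$(printf "%s\n" "${src_list}" | awk '/^Number of entries:/{print $4}')"
	cnt_mac="$(printf "%s\n" "${src_list}" | grep -cE "^(([0-9A-Z][0-9A-Z]:){5}[0-9A-Z]{2} )")"
	cnt_cidr="$(printf "%s\n" "${src_list}" | grep -cE "(/[0-9]{1,3} )")"
	cnt_ip=$((cnt-cnt_cidr-cnt_mac))
	printf "%s\n" "${cnt}" > "${tmp_cnt}"
}

# … unchanged: f_ipset up to each of the three counting sites …
	f_ipsetcnt
# … unchanged: rest of f_ipset …
```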
|
|