From dcaddb5297351b1167912880cba4f3319755aa80 Mon Sep 17 00:00:00 2001 From: Dirk Brenken Date: Fri, 16 Nov 2018 21:06:48 +0100 Subject: [PATCH] banip: update 0.0.6 * support multiple WAN interfaces in iptables rules, set 'ban_iface' option accordingly (as space separated list) or use the LuCI frontend * add new "refresh" mode while triggered by fw changes (no download) * add required ip dependency * fix wrong 'settype' definition for firehol1 in config Signed-off-by: Dirk Brenken --- net/banip/Makefile | 4 +-- net/banip/files/banip.conf | 2 +- net/banip/files/banip.hotplug | 2 +- net/banip/files/banip.init | 10 ++++-- net/banip/files/banip.sh | 57 +++++++++++++++++++++++++++-------- 5 files changed, 56 insertions(+), 19 deletions(-) diff --git a/net/banip/Makefile b/net/banip/Makefile index 0b3a1c79a..2e50b0244 100644 --- a/net/banip/Makefile +++ b/net/banip/Makefile @@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=banip -PKG_VERSION:=0.0.5 +PKG_VERSION:=0.0.6 PKG_RELEASE:=1 PKG_LICENSE:=GPL-3.0+ PKG_MAINTAINER:=Dirk Brenken @@ -17,7 +17,7 @@ define Package/banip SECTION:=net CATEGORY:=Network TITLE:=Ban incoming and/or outgoing ip adresses via ipsets - DEPENDS:=+jshn +jsonfilter +ipset +iptables + DEPENDS:=+jshn +jsonfilter +ip +ipset +iptables PKGARCH:=all endef diff --git a/net/banip/files/banip.conf b/net/banip/files/banip.conf index 731b44aa3..d93088dbc 100644 --- a/net/banip/files/banip.conf +++ b/net/banip/files/banip.conf @@ -170,7 +170,7 @@ config source 'firehol1' option ban_src 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset' option ban_src_desc 'Firehol Level 1 compilation. Contains bogons, spamhaus drop and edrop, dshield and malware lists (IPv4)' option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add firehol1 \"\$1}' - option ban_src_settype 'net_inet' + option ban_src_settype 'net' option ban_src_ruletype 'src' option ban_src_on '0' 
diff --git a/net/banip/files/banip.hotplug b/net/banip/files/banip.hotplug index 9cb5f7d67..56e5b2a99 100644 --- a/net/banip/files/banip.hotplug +++ b/net/banip/files/banip.hotplug @@ -9,4 +9,4 @@ then exit 0 fi -/etc/init.d/banip start +/etc/init.d/banip refresh diff --git a/net/banip/files/banip.init b/net/banip/files/banip.init index 3d9accca7..1fe5f01d4 100755 --- a/net/banip/files/banip.init +++ b/net/banip/files/banip.init @@ -4,8 +4,9 @@ START=30 USE_PROCD=1 -EXTRA_COMMANDS="status" -EXTRA_HELP=" status Print runtime information" +EXTRA_COMMANDS="refresh status" +EXTRA_HELP=" refresh Refresh ipsets only (no new download!) + status Print runtime information" ban_init="/etc/init.d/banip" ban_script="/usr/bin/banip.sh" @@ -42,6 +43,11 @@ stop_service() rc_procd start_service } +refresh() +{ + rc_procd start_service "refresh" +} + status() { local key keylist value rtfile="$(uci_get banip global ban_rtfile)" diff --git a/net/banip/files/banip.sh b/net/banip/files/banip.sh index 212b70610..20e15c938 100755 --- a/net/banip/files/banip.sh +++ b/net/banip/files/banip.sh @@ -10,7 +10,7 @@ # LC_ALL=C PATH="/usr/sbin:/usr/bin:/sbin:/bin" -ban_ver="0.0.5" +ban_ver="0.0.6" ban_sysver="unknown" ban_enabled=0 ban_automatic="1" @@ -18,6 +18,7 @@ ban_iface="" ban_debug=0 ban_maxqueue=8 ban_fetchutil="uclient-fetch" +ban_ip="$(command -v ip)" ban_ipt="$(command -v iptables)" ban_ipt_save="$(command -v iptables-save)" ban_ipt_restore="$(command -v iptables-restore)" @@ -114,7 +115,7 @@ f_envload() # f_envcheck() { - local ssl_lib + local ssl_lib tmp # check fetch utility # 
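Review bot: Switching the hotplug action from `start` to `refresh` means an ifup event can no longer trigger a download, so if the initial `/etc/init.d/banip start` (START=30) ran before the WAN was up and presumably bailed out of f_envcheck with the "wan interface(s)/device(s) ... not found" error, the later ifup only refreshes ipsets that were never populated and the box stays without blocklists until the next cron run or a manual restart. Consider falling back to `start` when no ipset exists yet, or having the refresh path in banip.sh fall through to a full download when `"${ban_ipset}" -n list "${src_name}"` returns nothing. The guard above `exit 0` that filters hotplug events starts outside the hunk, so I cannot tell whether ifdown events also reach this line.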
@@ -165,14 +166,31 @@ f_envcheck() network_find_wan6 ban_iface fi fi - network_get_device ban_dev "${ban_iface}" - network_get_subnets ban_subnets "${ban_iface}" - network_get_subnets6 ban_subnets6 "${ban_iface}" + + for iface in ${ban_iface} + do + network_get_physdev tmp "${iface}" + if [ -n "${tmp}" ] + then + ban_dev="${ban_dev} ${tmp}" + fi + network_get_subnets tmp "${iface}" + if [ -n "${tmp}" ] + then + ban_subnets="${ban_subnets} ${tmp}" + fi + network_get_subnets6 tmp "${iface}" + if [ -n "${tmp}" ] + then + ban_subnets6="${ban_subnets6} ${tmp}" + fi + done if [ -z "${ban_iface}" ] || [ -z "${ban_dev}" ] then - f_log "err" "wan interface/device (${ban_iface:-"-"}/${ban_dev:-"-"}) not found, please please check your configuration" + f_log "err" "wan interface(s)/device(s) (${ban_iface:-"-"}/${ban_dev:-"-"}) not found, please please check your configuration" fi + ban_dev_all="$(${ban_ip} link show | awk 'BEGIN{FS="[@: ]"}/^[0-9:]/{if(($3!="lo")&&($3!="br-lan")){print $3}}')" uci_set banip global ban_iface "${ban_iface}" uci_commit banip @@ -238,10 +256,13 @@ f_iptrule() # f_iptadd() { - local rm="${1}" + local rm="${1}" dev - f_iptrule "-D" "${ban_chain} -i ${ban_dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} src -j ${target_src}" - f_iptrule "-D" "${ban_chain} -o ${ban_dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} dst -j ${target_dst}" + for dev in ${ban_dev_all} + do + f_iptrule "-D" "${ban_chain} -i ${dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} src -j ${target_src}" + f_iptrule "-D" "${ban_chain} -o ${dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} dst -j ${target_dst}" + done if [ -z "${rm}" ] && [ ${cnt} -gt 0 ] then 
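Review bot: Replacing `network_get_device` with `network_get_physdev` in the new per-interface loop changes which device name ends up in the `-i`/`-o` matches: as far as I recall network.sh, physdev returns the L2 device (e.g. `eth0.2`) rather than the L3 device (`pppoe-wan`), and on a PPPoE or tunnel WAN netfilter sees the decapsulated IP packets on the L3 device, so every `-m set --match-set ... src` rule would silently stop matching — worth verifying on such a setup and using `network_get_device tmp "${iface}"` if confirmed. `ban_dev_all` also excludes the LAN bridge by the hard-coded name `br-lan`, which is wrong on boxes with a renamed or additional LAN bridge; resolving the configured LAN interface(s) through network_get_device would be more robust. Minor: the new error string repeats "please please"; `... not found, please check your configuration` reads better. The function continues outside the hunk.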
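Review bot: The cleanup loop only deletes rules for devices currently listed by `ip link`, so a stale rule for a device that has since disappeared (a PPPoE or tunnel WAN that is down, or a renamed interface) stays in `${ban_chain}` and accumulates across refreshes. Deleting what actually exists rather than enumerating every device per source is both more robust and cheaper: parse `"${ban_ipt}" -S "${ban_chain}"` for lines containing `--match-set ${src_name}` and re-issue each with the leading `-A` replaced by `-D`. Whether `f_iptrule "-D"` probes with `-C` first is outside the hunk, so the cost concern is a guess; the rest of f_iptadd also continues past the hunk.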
@@ -256,7 +277,10 @@ f_iptadd() fi f_iptrule "-A" "${wan_input} -j ${ban_chain}" f_iptrule "-A" "${wan_forward} -j ${ban_chain}" - f_iptrule "${action:-"-A"}" "${ban_chain} -i ${ban_dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} src -j ${target_src}" + for dev in ${ban_dev} + do + f_iptrule "${action:-"-A"}" "${ban_chain} -i ${dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} src -j ${target_src}" + done fi if [ "${src_ruletype}" != "src" ] then @@ -269,7 +293,10 @@ f_iptadd() fi f_iptrule "-A" "${lan_input} -j ${ban_chain}" f_iptrule "-A" "${lan_forward} -j ${ban_chain}" - f_iptrule "${action:-"-A"}" "${ban_chain} -o ${ban_dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} dst -j ${target_dst}" + for dev in ${ban_dev} + do + f_iptrule "${action:-"-A"}" "${ban_chain} -o ${dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} dst -j ${target_dst}" + done fi else if [ -n "$("${ban_ipset}" -n list "${src_name}" 2>/dev/null)" ] @@ -432,7 +459,7 @@ f_main() mem_total="$(awk '/^MemTotal/ {print int($2/1000)}' "/proc/meminfo" 2>/dev/null)" mem_free="$(awk '/^MemFree/ {print int($2/1000)}' "/proc/meminfo" 2>/dev/null)" - f_log "debug" "f_main ::: fetch_util: ${ban_fetchinfo:-"-"}, fetch_parm: ${ban_fetchparm:-"-"}, iface: ${ban_iface:-"-"}, dev: ${ban_dev:-"-"}, mem_total: ${mem_total:-0}, mem_free: ${mem_free:-0}, max_queue: ${ban_maxqueue}" + f_log "debug" "f_main ::: fetch_util: ${ban_fetchinfo:-"-"}, fetch_parm: ${ban_fetchparm:-"-"}, interface(s): ${ban_iface:-"-"}, device(s): ${ban_dev:-"-"}, all_devices: ${ban_dev_all:-"-"}, mem_total: ${mem_total:-0}, mem_free: ${mem_free:-0}, max_queue: ${ban_maxqueue}" f_ipset initial @@ -483,6 +510,10 @@ f_main() then f_ipset flush continue + elif [ "${ban_action}" = "refresh" ] + then + f_ipset refresh + continue fi # download queue processing 
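Review bot: The new `refresh` branch skips the download unconditionally, so a source whose ipset does not exist yet (first run after boot, or after a `stop`, whose case arm in the last hunk calls `f_ipset destroy`) is never re-created — refresh only makes sense when there is something to refresh. Unless `f_ipset refresh` (outside this hunk) handles the missing-set case itself, guard the branch with the existence check f_iptadd already uses, e.g. `elif [ "${ban_action}" = "refresh" ] && [ -n "$("${ban_ipset}" -n list "${src_name}" 2>/dev/null)" ]`, so that a missing set falls through to the download queue. f_main continues outside the hunk.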
@@ -664,7 +695,7 @@ case "${ban_action}" in f_ipset destroy f_rmtemp ;; - start|restart|reload) + start|restart|reload|refresh) f_envcheck f_main ;;