@ -10,7 +10,7 @@
#
#
LC_ALL = C
LC_ALL = C
PATH = "/usr/sbin:/usr/bin:/sbin:/bin"
PATH = "/usr/sbin:/usr/bin:/sbin:/bin"
ban_ver = "0.0.5 "
ban_ver = "0.0.6 "
ban_sysver = "unknown"
ban_sysver = "unknown"
ban_enabled = 0
ban_enabled = 0
ban_automatic = "1"
ban_automatic = "1"
@ -18,6 +18,7 @@ ban_iface=""
ban_debug = 0
ban_debug = 0
ban_maxqueue = 8
ban_maxqueue = 8
ban_fetchutil = "uclient-fetch"
ban_fetchutil = "uclient-fetch"
ban_ip = " $( command -v ip) "
ban_ipt = " $( command -v iptables) "
ban_ipt = " $( command -v iptables) "
ban_ipt_save = " $( command -v iptables-save) "
ban_ipt_save = " $( command -v iptables-save) "
ban_ipt_restore = " $( command -v iptables-restore) "
ban_ipt_restore = " $( command -v iptables-restore) "
@ -114,7 +115,7 @@ f_envload()
#
#
f_envcheck( )
f_envcheck( )
{
{
local ssl_lib
local ssl_lib tmp
# check fetch utility
# check fetch utility
#
#
@ -165,14 +166,31 @@ f_envcheck()
network_find_wan6 ban_iface
network_find_wan6 ban_iface
fi
fi
fi
fi
network_get_device ban_dev " ${ ban_iface } "
network_get_subnets ban_subnets " ${ ban_iface } "
network_get_subnets6 ban_subnets6 " ${ ban_iface } "
for iface in ${ ban_iface }
do
network_get_physdev tmp " ${ iface } "
if [ -n " ${ tmp } " ]
then
ban_dev = " ${ ban_dev } ${ tmp } "
fi
network_get_subnets tmp " ${ iface } "
if [ -n " ${ tmp } " ]
then
ban_subnets = " ${ ban_subnets } ${ tmp } "
fi
network_get_subnets6 tmp " ${ iface } "
if [ -n " ${ tmp } " ]
then
ban_subnets6 = " ${ ban_subnets6 } ${ tmp } "
fi
done
if [ -z " ${ ban_iface } " ] || [ -z " ${ ban_dev } " ]
if [ -z " ${ ban_iface } " ] || [ -z " ${ ban_dev } " ]
then
then
f_log "err" " wan interface/device ( ${ ban_iface :- "-" } / ${ ban_dev :- "-" } ) not found, please please check your configuration "
f_log "err" " wan interface(s) /device(s) ( ${ ban_iface :- "-" } / ${ ban_dev :- "-" } ) not found, please please check your configuration "
fi
fi
ban_dev_all = " $( ${ ban_ip } link show | awk 'BEGIN{FS="[@: ]"}/^[0-9:]/{if(($3!="lo")&&($3!="br-lan")){print $3}}' ) "
uci_set banip global ban_iface " ${ ban_iface } "
uci_set banip global ban_iface " ${ ban_iface } "
uci_commit banip
uci_commit banip
@ -238,10 +256,13 @@ f_iptrule()
#
#
f_iptadd( )
f_iptadd( )
{
{
local rm = " ${ 1 } "
local rm = " ${ 1 } " dev
f_iptrule "-D" " ${ ban_chain } -i ${ ban_dev } -m conntrack --ctstate NEW -m set --match-set ${ src_name } src -j ${ target_src } "
f_iptrule "-D" " ${ ban_chain } -o ${ ban_dev } -m conntrack --ctstate NEW -m set --match-set ${ src_name } dst -j ${ target_dst } "
for dev in ${ ban_dev_all }
do
f_iptrule "-D" " ${ ban_chain } -i ${ dev } -m conntrack --ctstate NEW -m set --match-set ${ src_name } src -j ${ target_src } "
f_iptrule "-D" " ${ ban_chain } -o ${ dev } -m conntrack --ctstate NEW -m set --match-set ${ src_name } dst -j ${ target_dst } "
done
if [ -z " ${ rm } " ] && [ ${ cnt } -gt 0 ]
if [ -z " ${ rm } " ] && [ ${ cnt } -gt 0 ]
then
then
@ -256,7 +277,10 @@ f_iptadd()
fi
fi
f_iptrule "-A" " ${ wan_input } -j ${ ban_chain } "
f_iptrule "-A" " ${ wan_input } -j ${ ban_chain } "
f_iptrule "-A" " ${ wan_forward } -j ${ ban_chain } "
f_iptrule "-A" " ${ wan_forward } -j ${ ban_chain } "
f_iptrule " ${ action :- "-A" } " " ${ ban_chain } -i ${ ban_dev } -m conntrack --ctstate NEW -m set --match-set ${ src_name } src -j ${ target_src } "
for dev in ${ ban_dev }
do
f_iptrule " ${ action :- "-A" } " " ${ ban_chain } -i ${ dev } -m conntrack --ctstate NEW -m set --match-set ${ src_name } src -j ${ target_src } "
done
fi
fi
if [ " ${ src_ruletype } " != "src" ]
if [ " ${ src_ruletype } " != "src" ]
then
then
@ -269,7 +293,10 @@ f_iptadd()
fi
fi
f_iptrule "-A" " ${ lan_input } -j ${ ban_chain } "
f_iptrule "-A" " ${ lan_input } -j ${ ban_chain } "
f_iptrule "-A" " ${ lan_forward } -j ${ ban_chain } "
f_iptrule "-A" " ${ lan_forward } -j ${ ban_chain } "
f_iptrule " ${ action :- "-A" } " " ${ ban_chain } -o ${ ban_dev } -m conntrack --ctstate NEW -m set --match-set ${ src_name } dst -j ${ target_dst } "
for dev in ${ ban_dev }
do
f_iptrule " ${ action :- "-A" } " " ${ ban_chain } -o ${ dev } -m conntrack --ctstate NEW -m set --match-set ${ src_name } dst -j ${ target_dst } "
done
fi
fi
else
else
if [ -n " $( " ${ ban_ipset } " -n list " ${ src_name } " 2>/dev/null) " ]
if [ -n " $( " ${ ban_ipset } " -n list " ${ src_name } " 2>/dev/null) " ]
@ -432,7 +459,7 @@ f_main()
mem_total = " $( awk '/^MemTotal/ {print int($2/1000)}' "/proc/meminfo" 2>/dev/null) "
mem_total = " $( awk '/^MemTotal/ {print int($2/1000)}' "/proc/meminfo" 2>/dev/null) "
mem_free = " $( awk '/^MemFree/ {print int($2/1000)}' "/proc/meminfo" 2>/dev/null) "
mem_free = " $( awk '/^MemFree/ {print int($2/1000)}' "/proc/meminfo" 2>/dev/null) "
f_log "debug" " f_main ::: fetch_util: ${ ban_fetchinfo :- "-" } , fetch_parm: ${ ban_fetchparm :- "-" } , iface: ${ ban_iface :- "-" } , dev: ${ ban_dev :- "-" } , mem_total: ${ mem_total :- 0 } , mem_free: ${ mem_free :- 0 } , max_queue: ${ ban_maxqueue } "
f_log "debug" " f_main ::: fetch_util: ${ ban_fetchinfo :- "-" } , fetch_parm: ${ ban_fetchparm :- "-" } , inter face(s) : ${ ban_iface :- "-" } , device(s) : ${ ban_dev :- "-" } , all_devices: ${ ban_dev_all :- "-" } , mem_total: ${ mem_total :- 0 } , mem_free: ${ mem_free :- 0 } , max_queue: ${ ban_maxqueue } "
f_ipset initial
f_ipset initial
@ -483,6 +510,10 @@ f_main()
then
then
f_ipset flush
f_ipset flush
continue
continue
elif [ " ${ ban_action } " = "refresh" ]
then
f_ipset refresh
continue
fi
fi
# download queue processing
# download queue processing
@ -664,7 +695,7 @@ case "${ban_action}" in
f_ipset destroy
f_ipset destroy
f_rmtemp
f_rmtemp
; ;
; ;
start| restart| reload)
start| restart| reload| refresh)
f_envcheck
f_envcheck
f_main
f_main
; ;
; ;