From f5de0439c1c66fb03e3326bd76e3b5ffd236a59c Mon Sep 17 00:00:00 2001 From: Dirk Brenken Date: Thu, 30 May 2019 16:09:38 +0200 Subject: [PATCH] banip: update 0.1.3 * change iptables whitelist target from 'ACCEPT' to 'RETURN' to stop traversing the banIP chain and resume at the next chain * cosmetics Signed-off-by: Dirk Brenken --- net/banip/Makefile | 2 +- net/banip/files/banip.sh | 65 ++++++++++++++++++++-------------------- 2 files changed, 34 insertions(+), 33 deletions(-) diff --git a/net/banip/Makefile b/net/banip/Makefile index 609f0fcf4..b553b6336 100644 --- a/net/banip/Makefile +++ b/net/banip/Makefile @@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=banip -PKG_VERSION:=0.1.2 +PKG_VERSION:=0.1.3 PKG_RELEASE:=1 PKG_LICENSE:=GPL-3.0+ PKG_MAINTAINER:=Dirk Brenken diff --git a/net/banip/files/banip.sh b/net/banip/files/banip.sh index e47535b51..c86f74d70 100755 --- a/net/banip/files/banip.sh +++ b/net/banip/files/banip.sh @@ -10,10 +10,11 @@ # LC_ALL=C PATH="/usr/sbin:/usr/bin:/sbin:/bin" -ban_ver="0.1.2" +ban_ver="0.1.3" ban_sysver="unknown" ban_enabled=0 ban_automatic="1" +ban_sources="" ban_iface="" ban_debug=0 ban_backup=0 @@ -104,7 +105,7 @@ f_envload() # check status # - if [ ${ban_enabled} -eq 0 ] + if [ "${ban_enabled}" -eq 0 ] then f_jsnup disabled f_ipset destroy @@ -215,8 +216,8 @@ f_temp() if [ -z "${ban_tmpdir}" ] then ban_tmpdir="$(mktemp -p /tmp -d)" - ban_tmpload="$(mktemp -p ${ban_tmpdir} -tu)" - ban_tmpfile="$(mktemp -p ${ban_tmpdir} -tu)" + ban_tmpload="$(mktemp -p "${ban_tmpdir}" -tu)" + ban_tmpfile="$(mktemp -p "${ban_tmpdir}" -tu)" fi if [ ! -s "${ban_pidfile}" ] @@ -242,7 +243,7 @@ f_rmbackup() { if [ -d "${ban_backupdir}" ] then - rm -f "${ban_backupdir}/banIP."*.gz + rm -f "${ban_backupdir}"/banIP.*.gz fi } 
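Review bot: In the f_temp hunk the `mktemp -p /tmp -d` result on the line above the two changed `mktemp -p "${ban_tmpdir}" -tu` calls is never checked, so if it fails `ban_tmpdir` stays empty and both quoted calls run with an empty `-p`, which on the mktemp implementations I know falls back to `$TMPDIR`/`/tmp` — i.e. the later `ban_tmpload`/`ban_tmpfile` names would point into a shared world-writable directory instead of the private one. The `-u` (dry-run, nothing created) names are only acceptable because they live inside a freshly created 0700 directory, so that directory must exist before they are used. I would add `[ -d "${ban_tmpdir}" ] || f_log "err" "can't create temporary directory"` directly after the `mktemp -d` line (the f_log hunk below appears to give the `err` class its own error path; confirm it aborts). f_temp begins before this hunk and its body continues past it.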
@@ -258,8 +259,8 @@ f_iptrule() then rc="$("${ban_ipt6}" "${timeout}" -C ${rule} 2>/dev/null; printf '%u' ${?})" - if { [ ${rc} -ne 0 ] && { [ "${action}" = "-A" ] || [ "${action}" = "-I" ]; } } || \ - { [ ${rc} -eq 0 ] && [ "${action}" = "-D" ]; } + if { [ "${rc}" -ne 0 ] && { [ "${action}" = "-A" ] || [ "${action}" = "-I" ]; } } || \ + { [ "${rc}" -eq 0 ] && [ "${action}" = "-D" ]; } then "${ban_ipt6}" "${timeout}" "${action}" ${rule} fi @@ -269,8 +270,8 @@ f_iptrule() then rc="$("${ban_ipt}" "${timeout}" -C ${rule} 2>/dev/null; printf '%u' ${?})" - if { [ ${rc} -ne 0 ] && { [ "${action}" = "-A" ] || [ "${action}" = "-I" ]; } } || \ - { [ ${rc} -eq 0 ] && [ "${action}" = "-D" ]; } + if { [ "${rc}" -ne 0 ] && { [ "${action}" = "-A" ] || [ "${action}" = "-I" ]; } } || \ + { [ "${rc}" -eq 0 ] && [ "${action}" = "-D" ]; } then "${ban_ipt}" "${timeout}" "${action}" ${rule} fi @@ -290,7 +291,7 @@ f_iptadd() f_iptrule "-D" "${ban_chain} -o ${dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} dst -j ${target_dst}" done - if [ -z "${rm}" ] && [ ${cnt} -gt 0 ] + if [ -z "${rm}" ] && [ "${cnt}" -gt 0 ] then if [ "${src_ruletype}" != "dst" ] then @@ -340,8 +341,8 @@ f_ipset() if [ "${src_name%_6*}" = "whitelist" ] then - target_src="ACCEPT" - target_dst="ACCEPT" + target_src="RETURN" + target_dst="RETURN" action="-I" fi 
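Review bot: In the IPv4 branch (and the identical IPv6 one above it) the exit status of the real `"${ban_ipt}" "${timeout}" "${action}" ${rule}` call is discarded, and the `-C` probe whose stderr is already suppressed only distinguishes "found" from "anything else": iptables also exits non-zero when the chain does not exist or the xtables lock could not be taken, so on such an error the `-A`/`-I` branch still fires and its failure goes unnoticed. A one-line change makes the failure visible without altering control flow: `"${ban_ipt}" "${timeout}" "${action}" ${rule} || f_log "info" "f_iptrule ::: ${action} failed: ${rule}"`, mirrored in the IPv6 branch. Whether this should escalate to the `err` class depends on how f_log handles it, which is only partly visible in this patch. f_iptrule starts before this hunk and the function continues after it.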
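Review bot: The `ACCEPT` → `RETURN` switch for the whitelist in f_ipset deserves an inline comment, because it is a behavioural fix rather than cosmetics: with `ACCEPT` a whitelisted address short-circuited the whole calling chain and bypassed every firewall rule placed after the banIP jump, whereas `RETURN` only exempts it from banIP and hands the packet back to the rule following the jump. The correctness of this still rests on the whitelist rules being inserted with `action="-I"` ahead of the blacklist rules in `${ban_chain}`; any later source that is also inserted with `-I` would land in front of the whitelist. I would add above `target_src="RETURN"`: `# whitelist: RETURN leaves the banIP chain so the rest of the firewall still applies (unlike ACCEPT); must stay at the head of the chain (-I), ahead of the block rules`. One upgrade caveat: the `-D` calls in f_iptadd now look for `-j ${target_dst}` = RETURN, so ACCEPT rules left behind by 0.1.2 only disappear if the chain itself is flushed on restart — worth confirming. f_ipset starts before this hunk and continues past it.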
@@ -397,15 +398,15 @@ f_ipset() f_iptrule "-D" "${rule} -j ${ban_chain}" done fi - f_log "debug" "f_ipset ::: name: -, mode: ${mode:-"-"}, chain: ${ban_chain:-"-"}, ruleset: ${ruleset}, ruleset_6: ${ruleset_6}" + f_log "debug" "f_ipset ::: name: -, mode: ${mode:-"-"}, chain: ${ban_chain:-"-"}, ruleset: ${ruleset:-"-"}, ruleset_6: ${ruleset_6:-"-"}" ;; create) cnt="$(wc -l 2>/dev/null < "${tmp_file}")" - cnt_cidr="$(grep -F "/" "${tmp_file}" | wc -l)" - cnt_ip="$(( cnt - cnt_cidr ))" - size="$(( cnt / 4 ))" + cnt_cidr="$(grep -cF "/" "${tmp_file}")" + cnt_ip="$((cnt-cnt_cidr))" + size="$((cnt/4))" - if [ ${cnt} -gt 0 ] + if [ "${cnt}" -gt 0 ] then if [ -x "${ban_ipset}" ] && [ -z "$("${ban_ipset}" -n list "${src_name}" 2>/dev/null)" ] then @@ -420,7 +421,7 @@ f_ipset() fi f_iptadd end_ts="$(date +%s)" - f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}, settype: ${src_settype:-"-"}, setipv: ${src_setipv:-"-"}, ruletype: ${src_ruletype:-"-"}, count(sum/ip/cidr): ${cnt:-0}/${cnt_ip:-0}/${cnt_cidr:-0}, time(s): $(( end_ts - start_ts ))" + f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}, settype: ${src_settype:-"-"}, setipv: ${src_setipv:-"-"}, ruletype: ${src_ruletype:-"-"}, count(sum/ip/cidr): ${cnt:-0}/${cnt_ip:-0}/${cnt_cidr:-0}, time(s): $((end_ts-start_ts))" ;; refresh) if [ -x "${ban_ipset}" ] && [ -n "$("${ban_ipset}" -n list "${src_name}" 2>/dev/null)" ] 
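Review bot: In the `create)` case `cnt="$(wc -l 2>/dev/null < "${tmp_file}")"` counts newline characters, so a list whose final entry has no trailing newline is short by one, while the new `grep -cF "/"` does count that last line; for a one-entry CIDR list this gives cnt=0 and cnt_ip=-1, and the `[ "${cnt}" -gt 0 ]` guard then skips creating the set. Whether tmp_file can end without a newline depends on the download/normalisation step, which is outside this hunk, so treat this as something to confirm rather than a proven failure. Counting with `cnt="$(grep -c '' "${tmp_file}" 2>/dev/null)"` keeps both counters consistent and still yields 0 for an empty file. f_ipset starts before this hunk and continues into the `refresh)` case after it.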
@@ -428,16 +429,16 @@ f_ipset() "${ban_ipset}" save "${src_name}" > "${tmp_file}" if [ -s "${tmp_file}" ] then - cnt="$(( $(wc -l 2>/dev/null < "${tmp_file}") - 1 ))" - cnt_cidr="$(grep -F "/" "${tmp_file}" | wc -l)" - cnt_ip="$(( cnt - cnt_cidr ))" + cnt="$(($(wc -l 2>/dev/null < "${tmp_file}")-1))" + cnt_cidr="$(grep -cF "/" "${tmp_file}")" + cnt_ip="$((cnt-cnt_cidr))" printf "%s\n" "1" > "${tmp_set}" printf "%s\n" "${cnt}" > "${tmp_cnt}" fi f_iptadd fi end_ts="$(date +%s)" - f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}, count: ${cnt:-0}/${cnt_ip:-0}/${cnt_cidr:-0}, time(s): $(( end_ts - start_ts ))" + f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}, count: ${cnt:-0}/${cnt_ip:-0}/${cnt_cidr:-0}, time(s): $((end_ts-start_ts))" ;; flush) f_iptadd "remove" @@ -484,7 +485,7 @@ f_log() { local class="${1}" log_msg="${2}" - if [ -n "${log_msg}" ] && { [ "${class}" != "debug" ] || [ ${ban_debug} -eq 1 ]; } + if [ -n "${log_msg}" ] && { [ "${class}" != "debug" ] || [ "${ban_debug}" -eq 1 ]; } then logger -p "${class}" -t "banIP-[${ban_ver}]" "${log_msg}" if [ "${class}" = "err" ] @@ -706,24 +707,24 @@ f_main() f_ipset refresh fi ) & - hold=$(( cnt % ban_maxqueue )) - if [ ${hold} -eq 0 ] + hold="$((cnt%ban_maxqueue))" + if [ "${hold}" -eq 0 ] then wait fi - cnt=$(( cnt + 1 )) + cnt="$((cnt+1))" done wait - if [ ${ban_rc} -eq 0 ] + if [ "${ban_rc}" -eq 0 ] then - for cnt in $(cat ${ban_tmpfile}.*.setcnt 2>/dev/null) + for cnt in $(cat "${ban_tmpfile}".*.setcnt 2>/dev/null) do - ban_setcnt=$(( ban_setcnt + cnt )) + ban_setcnt="$((ban_setcnt+cnt))" done - for cnt in $(cat ${ban_tmpfile}.*.cnt 2>/dev/null) + for cnt in $(cat "${ban_tmpfile}".*.cnt 2>/dev/null) do - ban_cnt=$(( ban_cnt + cnt )) + ban_cnt="$((ban_cnt+cnt))" done f_log "info" "${ban_setcnt} IPSets with overall ${ban_cnt} IPs/Prefixes loaded successfully (${ban_sysver})" fi 
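Review bot: In the f_main hunk `hold="$((cnt%ban_maxqueue))"` aborts the whole script with an arithmetic division-by-zero error if `ban_maxqueue` is empty or 0, which a misconfigured option could produce; the subshells already forked by the `( … ) &` just above would keep running while the final `wait` and the success log are never reached. Where ban_maxqueue is loaded is not visible here, so I would clamp it before the loop: `[ "${ban_maxqueue:-0}" -gt 0 ] || ban_maxqueue=1`. Minor style point: `cnt` serves both as the counter feeding the modulo and as the loop variable over the `*.setcnt`/`*.cnt` files; a separate name such as `setcnt` would make the summation easier to read. f_main starts before this hunk and its body continues past it.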
@@ -742,7 +743,7 @@ f_jsnup() mode="normal mode" ban_cntinfo="${ban_setcnt} IPSets with overall ${ban_cnt} IPs/Prefixes" - if [ ${ban_backupboot} -eq 1 ] + if [ "${ban_backupboot}" -eq 1 ] then mode="backup mode" fi