
banip: update 0.1.3

* change iptables whitelist target from 'ACCEPT' to 'RETURN'
  to stop traversing the banIP chain and resume at the next chain
* cosmetics

Signed-off-by: Dirk Brenken <dev@brenken.org>
lilik-openwrt-22.03
Dirk Brenken 6 years ago
parent
commit
f5de0439c1
No known key found for this signature in database GPG Key ID: 9D71CD547BFAE684
2 changed files with 34 additions and 33 deletions
  1. +1
    -1
      net/banip/Makefile
  2. +33
    -32
      net/banip/files/banip.sh

+ 1
- 1
net/banip/Makefile View File

@ -6,7 +6,7 @@
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=banip PKG_NAME:=banip
PKG_VERSION:=0.1.2
PKG_VERSION:=0.1.3
PKG_RELEASE:=1 PKG_RELEASE:=1
PKG_LICENSE:=GPL-3.0+ PKG_LICENSE:=GPL-3.0+
PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org> PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>


+ 33
- 32
net/banip/files/banip.sh View File

@ -10,10 +10,11 @@
# #
LC_ALL=C LC_ALL=C
PATH="/usr/sbin:/usr/bin:/sbin:/bin" PATH="/usr/sbin:/usr/bin:/sbin:/bin"
ban_ver="0.1.2"
ban_ver="0.1.3"
ban_sysver="unknown" ban_sysver="unknown"
ban_enabled=0 ban_enabled=0
ban_automatic="1" ban_automatic="1"
ban_sources=""
ban_iface="" ban_iface=""
ban_debug=0 ban_debug=0
ban_backup=0 ban_backup=0
@ -104,7 +105,7 @@ f_envload()
# check status # check status
# #
if [ ${ban_enabled} -eq 0 ]
if [ "${ban_enabled}" -eq 0 ]
then then
f_jsnup disabled f_jsnup disabled
f_ipset destroy f_ipset destroy
@ -215,8 +216,8 @@ f_temp()
if [ -z "${ban_tmpdir}" ] if [ -z "${ban_tmpdir}" ]
then then
ban_tmpdir="$(mktemp -p /tmp -d)" ban_tmpdir="$(mktemp -p /tmp -d)"
ban_tmpload="$(mktemp -p ${ban_tmpdir} -tu)"
ban_tmpfile="$(mktemp -p ${ban_tmpdir} -tu)"
ban_tmpload="$(mktemp -p "${ban_tmpdir}" -tu)"
ban_tmpfile="$(mktemp -p "${ban_tmpdir}" -tu)"
fi fi
if [ ! -s "${ban_pidfile}" ] if [ ! -s "${ban_pidfile}" ]
@ -242,7 +243,7 @@ f_rmbackup()
{ {
if [ -d "${ban_backupdir}" ] if [ -d "${ban_backupdir}" ]
then then
rm -f "${ban_backupdir}/banIP."*.gz
rm -f "${ban_backupdir}"/banIP.*.gz
fi fi
} }
@ -258,8 +259,8 @@ f_iptrule()
then then
rc="$("${ban_ipt6}" "${timeout}" -C ${rule} 2>/dev/null; printf '%u' ${?})" rc="$("${ban_ipt6}" "${timeout}" -C ${rule} 2>/dev/null; printf '%u' ${?})"
if { [ ${rc} -ne 0 ] && { [ "${action}" = "-A" ] || [ "${action}" = "-I" ]; } } || \
{ [ ${rc} -eq 0 ] && [ "${action}" = "-D" ]; }
if { [ "${rc}" -ne 0 ] && { [ "${action}" = "-A" ] || [ "${action}" = "-I" ]; } } || \
{ [ "${rc}" -eq 0 ] && [ "${action}" = "-D" ]; }
then then
"${ban_ipt6}" "${timeout}" "${action}" ${rule} "${ban_ipt6}" "${timeout}" "${action}" ${rule}
fi fi
@ -269,8 +270,8 @@ f_iptrule()
then then
rc="$("${ban_ipt}" "${timeout}" -C ${rule} 2>/dev/null; printf '%u' ${?})" rc="$("${ban_ipt}" "${timeout}" -C ${rule} 2>/dev/null; printf '%u' ${?})"
if { [ ${rc} -ne 0 ] && { [ "${action}" = "-A" ] || [ "${action}" = "-I" ]; } } || \
{ [ ${rc} -eq 0 ] && [ "${action}" = "-D" ]; }
if { [ "${rc}" -ne 0 ] && { [ "${action}" = "-A" ] || [ "${action}" = "-I" ]; } } || \
{ [ "${rc}" -eq 0 ] && [ "${action}" = "-D" ]; }
then then
"${ban_ipt}" "${timeout}" "${action}" ${rule} "${ban_ipt}" "${timeout}" "${action}" ${rule}
fi fi
@ -290,7 +291,7 @@ f_iptadd()
f_iptrule "-D" "${ban_chain} -o ${dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} dst -j ${target_dst}" f_iptrule "-D" "${ban_chain} -o ${dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} dst -j ${target_dst}"
done done
if [ -z "${rm}" ] && [ ${cnt} -gt 0 ]
if [ -z "${rm}" ] && [ "${cnt}" -gt 0 ]
then then
if [ "${src_ruletype}" != "dst" ] if [ "${src_ruletype}" != "dst" ]
then then
@ -340,8 +341,8 @@ f_ipset()
if [ "${src_name%_6*}" = "whitelist" ] if [ "${src_name%_6*}" = "whitelist" ]
then then
target_src="ACCEPT"
target_dst="ACCEPT"
target_src="RETURN"
target_dst="RETURN"
action="-I" action="-I"
fi fi
@ -397,15 +398,15 @@ f_ipset()
f_iptrule "-D" "${rule} -j ${ban_chain}" f_iptrule "-D" "${rule} -j ${ban_chain}"
done done
fi fi
f_log "debug" "f_ipset ::: name: -, mode: ${mode:-"-"}, chain: ${ban_chain:-"-"}, ruleset: ${ruleset}, ruleset_6: ${ruleset_6}"
f_log "debug" "f_ipset ::: name: -, mode: ${mode:-"-"}, chain: ${ban_chain:-"-"}, ruleset: ${ruleset:-"-"}, ruleset_6: ${ruleset_6:-"-"}"
;; ;;
create) create)
cnt="$(wc -l 2>/dev/null < "${tmp_file}")" cnt="$(wc -l 2>/dev/null < "${tmp_file}")"
cnt_cidr="$(grep -F "/" "${tmp_file}" | wc -l)"
cnt_ip="$(( cnt - cnt_cidr ))"
size="$(( cnt / 4 ))"
cnt_cidr="$(grep -cF "/" "${tmp_file}")"
cnt_ip="$((cnt-cnt_cidr))"
size="$((cnt/4))"
if [ ${cnt} -gt 0 ]
if [ "${cnt}" -gt 0 ]
then then
if [ -x "${ban_ipset}" ] && [ -z "$("${ban_ipset}" -n list "${src_name}" 2>/dev/null)" ] if [ -x "${ban_ipset}" ] && [ -z "$("${ban_ipset}" -n list "${src_name}" 2>/dev/null)" ]
then then
@ -420,7 +421,7 @@ f_ipset()
fi fi
f_iptadd f_iptadd
end_ts="$(date +%s)" end_ts="$(date +%s)"
f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}, settype: ${src_settype:-"-"}, setipv: ${src_setipv:-"-"}, ruletype: ${src_ruletype:-"-"}, count(sum/ip/cidr): ${cnt:-0}/${cnt_ip:-0}/${cnt_cidr:-0}, time(s): $(( end_ts - start_ts ))"
f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}, settype: ${src_settype:-"-"}, setipv: ${src_setipv:-"-"}, ruletype: ${src_ruletype:-"-"}, count(sum/ip/cidr): ${cnt:-0}/${cnt_ip:-0}/${cnt_cidr:-0}, time(s): $((end_ts-start_ts))"
;; ;;
refresh) refresh)
if [ -x "${ban_ipset}" ] && [ -n "$("${ban_ipset}" -n list "${src_name}" 2>/dev/null)" ] if [ -x "${ban_ipset}" ] && [ -n "$("${ban_ipset}" -n list "${src_name}" 2>/dev/null)" ]
@ -428,16 +429,16 @@ f_ipset()
"${ban_ipset}" save "${src_name}" > "${tmp_file}" "${ban_ipset}" save "${src_name}" > "${tmp_file}"
if [ -s "${tmp_file}" ] if [ -s "${tmp_file}" ]
then then
cnt="$(( $(wc -l 2>/dev/null < "${tmp_file}") - 1 ))"
cnt_cidr="$(grep -F "/" "${tmp_file}" | wc -l)"
cnt_ip="$(( cnt - cnt_cidr ))"
cnt="$(($(wc -l 2>/dev/null < "${tmp_file}")-1))"
cnt_cidr="$(grep -cF "/" "${tmp_file}")"
cnt_ip="$((cnt-cnt_cidr))"
printf "%s\n" "1" > "${tmp_set}" printf "%s\n" "1" > "${tmp_set}"
printf "%s\n" "${cnt}" > "${tmp_cnt}" printf "%s\n" "${cnt}" > "${tmp_cnt}"
fi fi
f_iptadd f_iptadd
fi fi
end_ts="$(date +%s)" end_ts="$(date +%s)"
f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}, count: ${cnt:-0}/${cnt_ip:-0}/${cnt_cidr:-0}, time(s): $(( end_ts - start_ts ))"
f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}, count: ${cnt:-0}/${cnt_ip:-0}/${cnt_cidr:-0}, time(s): $((end_ts-start_ts))"
;; ;;
flush) flush)
f_iptadd "remove" f_iptadd "remove"
@ -484,7 +485,7 @@ f_log()
{ {
local class="${1}" log_msg="${2}" local class="${1}" log_msg="${2}"
if [ -n "${log_msg}" ] && { [ "${class}" != "debug" ] || [ ${ban_debug} -eq 1 ]; }
if [ -n "${log_msg}" ] && { [ "${class}" != "debug" ] || [ "${ban_debug}" -eq 1 ]; }
then then
logger -p "${class}" -t "banIP-[${ban_ver}]" "${log_msg}" logger -p "${class}" -t "banIP-[${ban_ver}]" "${log_msg}"
if [ "${class}" = "err" ] if [ "${class}" = "err" ]
@ -706,24 +707,24 @@ f_main()
f_ipset refresh f_ipset refresh
fi fi
) & ) &
hold=$(( cnt % ban_maxqueue ))
if [ ${hold} -eq 0 ]
hold="$((cnt%ban_maxqueue))"
if [ "${hold}" -eq 0 ]
then then
wait wait
fi fi
cnt=$(( cnt + 1 ))
cnt="$((cnt+1))"
done done
wait wait
if [ ${ban_rc} -eq 0 ]
if [ "${ban_rc}" -eq 0 ]
then then
for cnt in $(cat ${ban_tmpfile}.*.setcnt 2>/dev/null)
for cnt in $(cat "${ban_tmpfile}".*.setcnt 2>/dev/null)
do do
ban_setcnt=$(( ban_setcnt + cnt ))
ban_setcnt="$((ban_setcnt+cnt))"
done done
for cnt in $(cat ${ban_tmpfile}.*.cnt 2>/dev/null)
for cnt in $(cat "${ban_tmpfile}".*.cnt 2>/dev/null)
do do
ban_cnt=$(( ban_cnt + cnt ))
ban_cnt="$((ban_cnt+cnt))"
done done
f_log "info" "${ban_setcnt} IPSets with overall ${ban_cnt} IPs/Prefixes loaded successfully (${ban_sysver})" f_log "info" "${ban_setcnt} IPSets with overall ${ban_cnt} IPs/Prefixes loaded successfully (${ban_sysver})"
fi fi
@ -742,7 +743,7 @@ f_jsnup()
mode="normal mode" mode="normal mode"
ban_cntinfo="${ban_setcnt} IPSets with overall ${ban_cnt} IPs/Prefixes" ban_cntinfo="${ban_setcnt} IPSets with overall ${ban_cnt} IPs/Prefixes"
if [ ${ban_backupboot} -eq 1 ]
if [ "${ban_backupboot}" -eq 1 ]
then then
mode="backup mode" mode="backup mode"
fi fi
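Review bot: The switch of the whitelist targets from ACCEPT to RETURN at lines 114-115 has no in-code explanation, so the next reader only has the commit message to tell them why ACCEPT must not come back; I would add above `target_src="RETURN"` a comment such as `# RETURN, not ACCEPT: whitelisted traffic only leaves the banIP chain; ACCEPT would also skip every rule after the banIP jump in the calling chain`. Because the whitelist rules are added with `action="-I"` on the following line they are inserted ahead of the block rules, which is what makes the early RETURN effective, and that is worth a word in the same comment. Separately, `grep -cF` at lines 130 and 155 exits non-zero when nothing matches, unlike the `grep | wc -l` pipeline it replaces; that only matters if the script runs under `set -e`, which is not visible here. f_ipset begins and ends outside this hunk.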

