banip: update 0.0.6
* support multiple WAN interfaces in iptables rules, set 'ban_iface' option accordingly (as space separated list) or use the LuCI frontend * add new "refresh" mode while triggered by fw changes (no download) * add required ip dependency * fix wrong 'settype' definition for firehol1 in config Signed-off-by: Dirk Brenken <dev@brenken.org>
This commit is contained in:
Dirk Brenken
parent
58f79231ed
commit
dcaddb5297
|
|
@ -6,7 +6,7 @@
|
|||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=banip
|
||||
PKG_VERSION:=0.0.5
|
||||
PKG_VERSION:=0.0.6
|
||||
PKG_RELEASE:=1
|
||||
PKG_LICENSE:=GPL-3.0+
|
||||
PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>
|
||||
|
|
@ -17,7 +17,7 @@ define Package/banip
|
|||
SECTION:=net
|
||||
CATEGORY:=Network
|
||||
TITLE:=Ban incoming and/or outgoing ip adresses via ipsets
|
||||
DEPENDS:=+jshn +jsonfilter +ipset +iptables
|
||||
DEPENDS:=+jshn +jsonfilter +ip +ipset +iptables
|
||||
PKGARCH:=all
|
||||
endef
|
||||
|
||||
|
|
|
|||
|
|
@ -170,7 +170,7 @@ config source 'firehol1'
|
|||
option ban_src 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset'
|
||||
option ban_src_desc 'Firehol Level 1 compilation. Contains bogons, spamhaus drop and edrop, dshield and malware lists (IPv4)'
|
||||
option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add firehol1 \"\$1}'
|
||||
option ban_src_settype 'net_inet'
|
||||
option ban_src_settype 'net'
|
||||
option ban_src_ruletype 'src'
|
||||
option ban_src_on '0'
|
||||
|
||||
|
|
|
|||
|
|
@ -9,4 +9,4 @@ then
|
|||
exit 0
|
||||
fi
|
||||
|
||||
/etc/init.d/banip start
|
||||
/etc/init.d/banip refresh
|
||||
|
|
|
|||
|
|
@ -4,8 +4,9 @@
|
|||
START=30
|
||||
USE_PROCD=1
|
||||
|
||||
EXTRA_COMMANDS="status"
|
||||
EXTRA_HELP=" status Print runtime information"
|
||||
EXTRA_COMMANDS="refresh status"
|
||||
EXTRA_HELP=" refresh Refresh ipsets only (no new download!)
|
||||
status Print runtime information"
|
||||
|
||||
ban_init="/etc/init.d/banip"
|
||||
ban_script="/usr/bin/banip.sh"
|
||||
|
|
@ -42,6 +43,11 @@ stop_service()
|
|||
rc_procd start_service
|
||||
}
|
||||
|
||||
refresh()
|
||||
{
|
||||
rc_procd start_service "refresh"
|
||||
}
|
||||
|
||||
status()
|
||||
{
|
||||
local key keylist value rtfile="$(uci_get banip global ban_rtfile)"
|
||||
|
|
|
|||
|
|
@ -10,7 +10,7 @@
|
|||
#
|
||||
LC_ALL=C
|
||||
PATH="/usr/sbin:/usr/bin:/sbin:/bin"
|
||||
ban_ver="0.0.5"
|
||||
ban_ver="0.0.6"
|
||||
ban_sysver="unknown"
|
||||
ban_enabled=0
|
||||
ban_automatic="1"
|
||||
|
|
@ -18,6 +18,7 @@ ban_iface=""
|
|||
ban_debug=0
|
||||
ban_maxqueue=8
|
||||
ban_fetchutil="uclient-fetch"
|
||||
ban_ip="$(command -v ip)"
|
||||
ban_ipt="$(command -v iptables)"
|
||||
ban_ipt_save="$(command -v iptables-save)"
|
||||
ban_ipt_restore="$(command -v iptables-restore)"
|
||||
|
|
@ -114,7 +115,7 @@ f_envload()
|
|||
#
|
||||
f_envcheck()
|
||||
{
|
||||
local ssl_lib
|
||||
local ssl_lib tmp
|
||||
|
||||
# check fetch utility
|
||||
#
|
||||
|
|
@ -165,14 +166,31 @@ f_envcheck()
|
|||
network_find_wan6 ban_iface
|
||||
fi
|
||||
fi
|
||||
network_get_device ban_dev "${ban_iface}"
|
||||
network_get_subnets ban_subnets "${ban_iface}"
|
||||
network_get_subnets6 ban_subnets6 "${ban_iface}"
|
||||
|
||||
for iface in ${ban_iface}
|
||||
do
|
||||
network_get_physdev tmp "${iface}"
|
||||
if [ -n "${tmp}" ]
|
||||
then
|
||||
ban_dev="${ban_dev} ${tmp}"
|
||||
fi
|
||||
network_get_subnets tmp "${iface}"
|
||||
if [ -n "${tmp}" ]
|
||||
then
|
||||
ban_subnets="${ban_subnets} ${tmp}"
|
||||
fi
|
||||
network_get_subnets6 tmp "${iface}"
|
||||
if [ -n "${tmp}" ]
|
||||
then
|
||||
ban_subnets6="${ban_subnets6} ${tmp}"
|
||||
fi
|
||||
done
|
||||
|
||||
if [ -z "${ban_iface}" ] || [ -z "${ban_dev}" ]
|
||||
then
|
||||
f_log "err" "wan interface/device (${ban_iface:-"-"}/${ban_dev:-"-"}) not found, please please check your configuration"
|
||||
f_log "err" "wan interface(s)/device(s) (${ban_iface:-"-"}/${ban_dev:-"-"}) not found, please please check your configuration"
|
||||
fi
|
||||
ban_dev_all="$(${ban_ip} link show | awk 'BEGIN{FS="[@: ]"}/^[0-9:]/{if(($3!="lo")&&($3!="br-lan")){print $3}}')"
|
||||
uci_set banip global ban_iface "${ban_iface}"
|
||||
uci_commit banip
|
||||
|
||||
|
|
@ -238,10 +256,13 @@ f_iptrule()
|
|||
#
|
||||
f_iptadd()
|
||||
{
|
||||
local rm="${1}"
|
||||
local rm="${1}" dev
|
||||
|
||||
f_iptrule "-D" "${ban_chain} -i ${ban_dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} src -j ${target_src}"
|
||||
f_iptrule "-D" "${ban_chain} -o ${ban_dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} dst -j ${target_dst}"
|
||||
for dev in ${ban_dev_all}
|
||||
do
|
||||
f_iptrule "-D" "${ban_chain} -i ${dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} src -j ${target_src}"
|
||||
f_iptrule "-D" "${ban_chain} -o ${dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} dst -j ${target_dst}"
|
||||
done
|
||||
|
||||
if [ -z "${rm}" ] && [ ${cnt} -gt 0 ]
|
||||
then
|
||||
|
|
@ -256,7 +277,10 @@ f_iptadd()
|
|||
fi
|
||||
f_iptrule "-A" "${wan_input} -j ${ban_chain}"
|
||||
f_iptrule "-A" "${wan_forward} -j ${ban_chain}"
|
||||
f_iptrule "${action:-"-A"}" "${ban_chain} -i ${ban_dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} src -j ${target_src}"
|
||||
for dev in ${ban_dev}
|
||||
do
|
||||
f_iptrule "${action:-"-A"}" "${ban_chain} -i ${dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} src -j ${target_src}"
|
||||
done
|
||||
fi
|
||||
if [ "${src_ruletype}" != "src" ]
|
||||
then
|
||||
|
|
@ -269,7 +293,10 @@ f_iptadd()
|
|||
fi
|
||||
f_iptrule "-A" "${lan_input} -j ${ban_chain}"
|
||||
f_iptrule "-A" "${lan_forward} -j ${ban_chain}"
|
||||
f_iptrule "${action:-"-A"}" "${ban_chain} -o ${ban_dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} dst -j ${target_dst}"
|
||||
for dev in ${ban_dev}
|
||||
do
|
||||
f_iptrule "${action:-"-A"}" "${ban_chain} -o ${dev} -m conntrack --ctstate NEW -m set --match-set ${src_name} dst -j ${target_dst}"
|
||||
done
|
||||
fi
|
||||
else
|
||||
if [ -n "$("${ban_ipset}" -n list "${src_name}" 2>/dev/null)" ]
|
||||
|
|
@ -432,7 +459,7 @@ f_main()
|
|||
|
||||
mem_total="$(awk '/^MemTotal/ {print int($2/1000)}' "/proc/meminfo" 2>/dev/null)"
|
||||
mem_free="$(awk '/^MemFree/ {print int($2/1000)}' "/proc/meminfo" 2>/dev/null)"
|
||||
f_log "debug" "f_main ::: fetch_util: ${ban_fetchinfo:-"-"}, fetch_parm: ${ban_fetchparm:-"-"}, iface: ${ban_iface:-"-"}, dev: ${ban_dev:-"-"}, mem_total: ${mem_total:-0}, mem_free: ${mem_free:-0}, max_queue: ${ban_maxqueue}"
|
||||
f_log "debug" "f_main ::: fetch_util: ${ban_fetchinfo:-"-"}, fetch_parm: ${ban_fetchparm:-"-"}, interface(s): ${ban_iface:-"-"}, device(s): ${ban_dev:-"-"}, all_devices: ${ban_dev_all:-"-"}, mem_total: ${mem_total:-0}, mem_free: ${mem_free:-0}, max_queue: ${ban_maxqueue}"
|
||||
|
||||
f_ipset initial
|
||||
|
||||
|
|
@ -483,6 +510,10 @@ f_main()
|
|||
then
|
||||
f_ipset flush
|
||||
continue
|
||||
elif [ "${ban_action}" = "refresh" ]
|
||||
then
|
||||
f_ipset refresh
|
||||
continue
|
||||
fi
|
||||
|
||||
# download queue processing
|
||||
|
|
@ -664,7 +695,7 @@ case "${ban_action}" in
|
|||
f_ipset destroy
|
||||
f_rmtemp
|
||||
;;
|
||||
start|restart|reload)
|
||||
start|restart|reload|refresh)
|
||||
f_envcheck
|
||||
f_main
|
||||
;;
|
||||
|
|
|
|||
Loading…
Reference in New Issue