diff options
| author | Dirk Brenken <dev@brenken.org> | 2019-11-03 20:37:06 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2019-11-03 20:37:06 +0100 |
| commit | a4285b8bccff45b8d5abe4d7b58d2edcdb648cf2 (patch) | |
| tree | 7e19ff4bece71ee3f947eff31786c95a68abee5e /net | |
| parent | c1b6b03108642d18b58798d5b0c47780e77eea86 (diff) | |
| parent | fcea2f75c3f071b7abf9396d9e052a162dab4cef (diff) | |
Merge pull request #10444 from dibdot/banIP
banip: update 0.3.5
Diffstat (limited to 'net')
| -rw-r--r-- | net/banip/Makefile | 2 | ||||
| -rwxr-xr-x | net/banip/files/banip.init | 26 | ||||
| -rwxr-xr-x | net/banip/files/banip.service | 26 | ||||
| -rwxr-xr-x | net/banip/files/banip.sh | 203 |
4 files changed, 159 insertions, 98 deletions
diff --git a/net/banip/Makefile b/net/banip/Makefile index a9aaf7abe..d2a555974 100644 --- a/net/banip/Makefile +++ b/net/banip/Makefile @@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=banip -PKG_VERSION:=0.3.1 +PKG_VERSION:=0.3.5 PKG_RELEASE:=1 PKG_LICENSE:=GPL-3.0-or-later PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org> diff --git a/net/banip/files/banip.init b/net/banip/files/banip.init index 25f2f72cd..be60bec97 100755 --- a/net/banip/files/banip.init +++ b/net/banip/files/banip.init @@ -12,6 +12,11 @@ ban_init="/etc/init.d/banip" ban_script="/usr/bin/banip.sh" ban_pidfile="/var/run/banip.pid" +if [ -s "${ban_pidfile}" ] && [ "${action}" != "help" ] && [ "${action}" != "status" ] +then + exit 1 +fi + boot() { ban_boot="1" @@ -39,7 +44,6 @@ start_service() refresh() { - [ -s "${ban_pidfile}" ] && return 1 rc_procd start_service refresh } @@ -53,6 +57,11 @@ stop_service() rc_procd "${ban_script}" stop } +restart() +{ + rc_procd start_service restart +} + status_service() { local key keylist value @@ -76,16 +85,23 @@ status_service() service_triggers() { - local iface iface_list="$(uci_get banip global ban_iface)" + local trigger trigger_list="$(uci_get banip global ban_trigger)" local delay="$(uci_get banip extra ban_triggerdelay "2")" local type="$(uci_get banip extra ban_starttype "start")" PROCD_RELOAD_DELAY=$((${delay}*1000)) - if [ -n "${iface_list}" ] + + if [ -z "${trigger_list}" ] && [ -r "/lib/functions/network.sh" ] + then + . "/lib/functions/network.sh" + network_find_wan trigger_list + fi + + if [ -n "${trigger_list}" ] then - for iface in ${iface_list} + for trigger in ${trigger_list} do - procd_add_interface_trigger "interface.*.up" "${iface}" "${ban_init}" "${type}" + procd_add_interface_trigger "interface.*.up" "${trigger}" "${ban_init}" "${type}" done else procd_add_raw_trigger "interface.*.up" ${PROCD_RELOAD_DELAY} "${ban_init}" "${type}" diff --git a/net/banip/files/banip.service b/net/banip/files/banip.service index 1c44be3ba..e4213b072 100755 --- a/net/banip/files/banip.service +++ b/net/banip/files/banip.service @@ -8,20 +8,24 @@ LC_ALL=C PATH="/usr/sbin:/usr/bin:/sbin:/bin" - -if [ -r "/lib/functions.sh" ] -then - . "/lib/functions.sh" - ban_sshdaemon="$(uci_get banip extra ban_sshdaemon "dropbear")" -fi ban_ver="${1}" -ban_log="$(command -v logread)" +ban_sshdaemon="${2}" +ban_logger="$(command -v logger)" +ban_logread="$(command -v logread)" -if [ -x "${ban_log}" ] +if [ -x "${ban_logread}" ] then - logger -p "info" -t "banIP-${ban_ver}[${$}]" "log/banIP service started" - "${ban_log}" -f -e "${ban_sshdaemon}\|luci: failed login" | \ + "${ban_logread}" -f -e "${ban_sshdaemon}\|luci: failed login" | \ { grep -qE "Exit before auth|luci: failed login|[0-9]+ \[preauth\]$"; [ $? -eq 0 ] && /etc/init.d/banip refresh; } + class="info" + log_msg="log/banIP service started" +else + class="err" + log_msg="can't start log/banIP service" +fi +if [ -x "${ban_logger}" ] +then + "${ban_logger}" -p "${class}" -t "banIP-${ban_ver}[${$}]" "${log_msg}" else - logger -p "err" -t "banIP-${ban_ver}[${$}]" "can't start log/banIP service" + printf "%s %s %s\\n" "${class}" "banIP-${ban_ver}[${$}]" "${log_msg}" fi diff --git a/net/banip/files/banip.sh b/net/banip/files/banip.sh index bf322444d..87d79eac4 100755 --- a/net/banip/files/banip.sh +++ b/net/banip/files/banip.sh @@ -13,7 +13,7 @@ # LC_ALL=C PATH="/usr/sbin:/usr/bin:/sbin:/bin" -ban_ver="0.3.1" +ban_ver="0.3.5" ban_basever="" ban_enabled=0 ban_automatic="1" @@ -26,7 +26,6 @@ ban_autoblacklist=1 ban_autowhitelist=1 ban_realtime="false" ban_fetchutil="" -ban_ip="$(command -v ip)" ban_ipt="$(command -v iptables)" ban_ipt_save="$(command -v iptables-save)" ban_ipt_restore="$(command -v iptables-restore)" @@ -34,12 +33,13 @@ ban_ipt6="$(command -v ip6tables)" ban_ipt6_save="$(command -v ip6tables-save)" ban_ipt6_restore="$(command -v ip6tables-restore)" ban_ipset="$(command -v ipset)" +ban_logger="$(command -v logger)" ban_chain="banIP" ban_action="${1:-"start"}" ban_pidfile="/var/run/banip.pid" ban_rtfile="/tmp/ban_runtime.json" ban_logservice="/etc/banip/banip.service" -ban_sshdaemon="dropbear" +ban_sshdaemon="" ban_setcnt=0 ban_cnt=0 @@ -102,6 +102,7 @@ f_envload() if [ -z "${ban_basever}" ] || [ "${ban_ver%.*}" != "${ban_basever}" ] then f_log "info" "your banIP config seems to be too old, please update your config with the '--force-maintainer' opkg option" + f_rmtemp exit 0 fi @@ -129,61 +130,17 @@ f_envcheck() { local util utils packages iface tmp cnt=0 cnt_max=0 + f_jsnup "running" + f_log "info" "start banIP processing (${ban_action})" + # check backup directory # if [ ! -d "${ban_backupdir}" ] then - f_log "err" "the backup directory '${ban_backupdir}' does not exist/is not mounted yet, please create the directory or raise the 'ban_triggerdelay' to defer the banIP start" + f_log "err" "the backup directory '${ban_backupdir}' does not exist or has not been mounted yet, please create the directory or raise the 'ban_triggerdelay' to defer the banIP start" fi - # check fetch utility - # - if [ -z "${ban_fetchutil}" ] - then - utils="aria2c curl wget uclient-fetch" - packages="$(opkg list-installed 2>/dev/null)" - for util in ${utils} - do - if { [ "${util}" = "uclient-fetch" ] && [ -n "$(printf "%s\\n" "${packages}" | grep "^libustream-")" ]; } || \ - { [ "${util}" = "wget" ] && [ -n "$(printf "%s\\n" "${packages}" | grep "^wget -")" ]; } || \ - { [ "${util}" != "uclient-fetch" ] && [ "${util}" != "wget" ]; } - then - ban_fetchutil="$(command -v "${util}")" - if [ -x "${ban_fetchutil}" ] - then - break - fi - fi - unset ban_fetchutil util - done - else - util="${ban_fetchutil}" - ban_fetchutil="$(command -v "${util}")" - if [ ! -x "${ban_fetchutil}" ] - then - unset ban_fetchutil util - fi - fi - case "${util}" in - "aria2c") - ban_fetchparm="${ban_fetchparm:-"--timeout=20 --allow-overwrite=true --auto-file-renaming=false --check-certificate=true --dir=" " -o"}" - ;; - "curl") - ban_fetchparm="${ban_fetchparm:-"--connect-timeout 20 -o"}" - ;; - "uclient-fetch") - ban_fetchparm="${ban_fetchparm:-"--timeout=20 -O"}" - ;; - "wget") - ban_fetchparm="${ban_fetchparm:-"--no-cache --no-cookies --max-redirect=0 --timeout=20 -O"}" - ;; - esac - if [ -z "${ban_fetchutil}" ] || [ -z "${ban_fetchparm}" ] - then - f_log "err" "download utility with SSL support not found, please install 'uclient-fetch' with a 'libustream-*' variant or another download utility like 'wget', 'curl' or 'aria2'" - fi - - # get wan device and wan subnets + # get wan devices and wan subnets # if [ "${ban_automatic}" = "1" ] then @@ -242,14 +199,87 @@ f_envcheck() ban_subnets6="${ban_subnets6} ${tmp}" fi done + ban_dev_all="$(ip link show 2>/dev/null | awk 'BEGIN{FS="[@: ]"}/^[0-9:]/{if($3!="lo"){print $3}}')" - if [ -z "${ban_iface}" ] || [ -z "${ban_dev}" ] + if [ -z "${ban_iface}" ] || [ -z "${ban_dev}" ] || [ -z "${ban_dev_all}" ] then f_log "err" "wan interface(s)/device(s) (${ban_iface:-"-"}/${ban_dev:-"-"}) not found, please please check your configuration" + fi + + # check fetch utility + # + if [ -z "${ban_fetchutil}" ] + then + cnt_max=$((cnt+5)) + while [ -z "${packages}" ] + do + packages="$(opkg list-installed 2>/dev/null)" + if [ "${cnt}" -gt "${cnt_max}" ] + then + break + fi + cnt=$((cnt+1)) + sleep 1 + done + utils="aria2c curl wget uclient-fetch" + for util in ${utils} + do + if { [ "${util}" = "uclient-fetch" ] && [ -n "$(printf "%s\\n" "${packages}" | grep "^libustream-")" ]; } || \ + { [ "${util}" = "wget" ] && [ -n "$(printf "%s\\n" "${packages}" | grep "^wget -")" ]; } || \ + { [ "${util}" != "uclient-fetch" ] && [ "${util}" != "wget" ]; } + then + ban_fetchutil="$(command -v "${util}")" + if [ -x "${ban_fetchutil}" ] + then + break + fi + fi + unset ban_fetchutil util + done else - ban_dev_all="$(${ban_ip} link show | awk 'BEGIN{FS="[@: ]"}/^[0-9:]/{if($3!="lo"){print $3}}')" - f_jsnup "running" - f_log "info" "start banIP processing (${ban_action})" + util="${ban_fetchutil}" + ban_fetchutil="$(command -v "${util}")" + if [ ! -x "${ban_fetchutil}" ] + then + unset ban_fetchutil util + fi + fi + case "${util}" in + "aria2c") + ban_fetchparm="${ban_fetchparm:-"--timeout=20 --allow-overwrite=true --auto-file-renaming=false --check-certificate=true --dir=" " -o"}" + ;; + "curl") + ban_fetchparm="${ban_fetchparm:-"--connect-timeout 20 -o"}" + ;; + "uclient-fetch") + ban_fetchparm="${ban_fetchparm:-"--timeout=20 -O"}" + ;; + "wget") + ban_fetchparm="${ban_fetchparm:-"--no-cache --no-cookies --max-redirect=0 --timeout=20 -O"}" + ;; + esac + if [ -z "${ban_fetchutil}" ] || [ -z "${ban_fetchparm}" ] + then + f_log "err" "download utility with SSL support not found, please install 'uclient-fetch' with a 'libustream-*' variant or another download utility like 'wget', 'curl' or 'aria2'" + fi + + # check ssh daemon + # + if [ -z "${ban_sshdaemon}" ] + then + utils="dropbear sshd" + for util in ${utils} + do + if [ -x "$(command -v "${util}")" ] + then + ban_sshdaemon="${util}" + break + fi + done + fi + if [ -z "${ban_sshdaemon}" ] + then + f_log "err" "ssh daemon not found, please install 'dropbear' or 'sshd'" fi } @@ -260,11 +290,10 @@ f_temp() if [ -d "/tmp" ] && [ -z "${ban_tmpdir}" ] then ban_tmpdir="$(mktemp -p /tmp -d)" - ban_tmpload="$(mktemp -p "${ban_tmpdir}" -tu)" ban_tmpfile="$(mktemp -p "${ban_tmpdir}" -tu)" elif [ ! -d "/tmp" ] then - f_log "err" "the temp directory '/tmp' does not exist/is not mounted yet, please create the directory or raise the 'ban_triggerdelay' to defer the banIP start" + f_log "err" "the temp directory '/tmp' does not exist or has not been mounted yet, please create the directory or raise the 'ban_triggerdelay' to defer the banIP start" fi if [ ! -s "${ban_pidfile}" ] @@ -453,19 +482,23 @@ f_ipset() if [ -s "${tmp_file}" ] && [ -z "$("${ban_ipset}" -q -n list "${src_name}")" ] then "${ban_ipset}" -q create "${src_name}" hash:"${src_settype}" hashsize 64 maxelem 262144 family "${src_setipv}" counters + out_rc="${?}" else "${ban_ipset}" -q flush "${src_name}" + out_rc="${?}" fi - if [ -s "${tmp_file}" ] + if [ -s "${tmp_file}" ] && [ "${out_rc}" -eq 0 ] then - "${ban_ipset}" -! restore < "${tmp_file}" + "${ban_ipset}" -q -! restore < "${tmp_file}" out_rc="${?}" - "${ban_ipset}" -q save "${src_name}" > "${tmp_file}" - cnt="$(($(wc -l 2>/dev/null < "${tmp_file}")-1))" - cnt_cidr="$(grep -cF "/" "${tmp_file}")" - cnt_ip="$((cnt-cnt_cidr))" - printf "%s\\n" "1" > "${tmp_set}" - printf "%s\\n" "${cnt}" > "${tmp_cnt}" + if [ "${out_rc}" -eq 0 ] + then + "${ban_ipset}" -q save "${src_name}" > "${tmp_file}" + cnt="$(($(wc -l 2>/dev/null < "${tmp_file}")-1))" + cnt_cidr="$(grep -cF "/" "${tmp_file}")" + cnt_ip="$((cnt-cnt_cidr))" + printf "%s\\n" "${cnt}" > "${tmp_cnt}" + fi fi f_iptadd fi @@ -478,12 +511,11 @@ f_ipset() then "${ban_ipset}" -q save "${src_name}" > "${tmp_file}" out_rc="${?}" - if [ -s "${tmp_file}" ] + if [ -s "${tmp_file}" ] && [ "${out_rc}" -eq 0 ] then cnt="$(($(wc -l 2>/dev/null < "${tmp_file}")-1))" cnt_cidr="$(grep -cF "/" "${tmp_file}")" cnt_ip="$((cnt-cnt_cidr))" - printf "%s\\n" "1" > "${tmp_set}" printf "%s\\n" "${cnt}" > "${tmp_cnt}" fi f_iptadd @@ -538,14 +570,25 @@ f_log() if [ -n "${log_msg}" ] && { [ "${class}" != "debug" ] || [ "${ban_debug}" -eq 1 ]; } then - logger -p "${class}" -t "banIP-${ban_ver}[${$}]" "${log_msg}" + if [ -x "${ban_logger}" ] + then + "${ban_logger}" -p "${class}" -t "banIP-${ban_ver}[${$}]" "${log_msg}" + else + printf "%s %s %s\\n" "${class}" "banIP-${ban_ver}[${$}]" "${log_msg}" + fi if [ "${class}" = "err" ] then f_jsnup error f_ipset destroy f_rmbackup f_rmtemp - logger -p "${class}" -t "banIP-${ban_ver}[${$}]" "Please also check 'https://github.com/openwrt/packages/blob/master/net/banip/files/README.md'" + log_msg="Please also check 'https://github.com/openwrt/packages/blob/master/net/banip/files/README.md'" + if [ -x "${ban_logger}" ] + then + "${ban_logger}" -p "${class}" -t "banIP-${ban_ver}[${$}]" "${log_msg}" + else + printf "%s %s %s\\n" "${class}" "banIP-${ban_ver}[${$}]" "${log_msg}" + fi exit 1 fi fi @@ -561,8 +604,8 @@ f_bgserv() if [ -z "${bg_pid}" ] && [ "${status}" = "start" ] \ && [ -x "${ban_logservice}" ] && [ "${ban_realtime}" = "true" ] then - ( "${ban_logservice}" "${ban_ver}" &) - elif [ -n "${bg_pid}" ] && [ "${status}" = "stop" ] + ( "${ban_logservice}" "${ban_ver}" "${ban_sshdaemon}" & ) + elif [ -n "${bg_pid}" ] && [ "${status}" = "stop" ] then kill -HUP "${bg_pid}" 2>/dev/null fi @@ -624,12 +667,10 @@ f_main() src_cat="$(eval printf "%s" \"\$\{ban_src_cat_${src_name%_6*}\}\")" src_addon="" src_rc=4 - tmp_load="${ban_tmpload}.${src_name}" - tmp_file="${ban_tmpfile}.${src_name}" - tmp_raw="${tmp_load}.raw" + tmp_load="${ban_tmpfile}.${src_name}.load" + tmp_file="${ban_tmpfile}.${src_name}.file" + tmp_raw="${tmp_file}.raw" tmp_cnt="${tmp_file}.cnt" - tmp_set="${tmp_file}.setcnt" - # basic pre-checks # f_log "debug" "f_main ::: name: ${src_name}, src_on: ${src_on:-"-"}" @@ -818,14 +859,14 @@ f_main() done wait - for cnt in $(cat "${ban_tmpfile}".*.setcnt 2>/dev/null) - do - ban_setcnt="$((ban_setcnt+cnt))" - done for cnt in $(cat "${ban_tmpfile}".*.cnt 2>/dev/null) do ban_cnt="$((ban_cnt+cnt))" done + if [ "${ban_cnt}" -gt 0 ] + then + ban_setcnt="$(ls "${ban_tmpfile}".*.cnt 2>/dev/null | wc -l)" + fi f_log "info" "${ban_setcnt} IPSets with overall ${ban_cnt} IPs/Prefixes loaded successfully (${ban_sysver})" f_bgserv "start" f_jsnup |