#!/bin/sh /etc/rc.common
# banIP init script - ban incoming and outgoing IPs via named nftables Sets
# Copyright (c) 2018-2024 Dirk Brenken (dev@brenken.org)
# This is free software, licensed under the GNU General Public License v3.

# (s)hellcheck exceptions
# shellcheck disable=all

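START=95
USE_PROCD=1

extra_command "report" "[text|json|mail] Print banIP related Set statistics"
extra_command "search" "[<IPv4 address>|<IPv6 address>] Check if an element exists in a banIP Set"
extra_command "survey" "[<Set name>] List all elements of a given banIP Set"
extra_command "lookup" "Lookup the IPs of domain names in the local lists and update them"

ban_init="/etc/init.d/banip"
ban_service="/usr/bin/banip-service.sh"
ban_funlib="/usr/lib/banip-functions.sh"
ban_pidfile="/var/run/banip.pid"
ban_lock="/var/run/banip.lock"

# Classify the requested action (set by rc.common) once, instead of repeating
# the same action lists in every guard below:
#   ban_actlib  - the action needs the function library sourced
#   ban_actlock - the action runs under the exclusive lock directory
ban_actlib="0"
ban_actlock="0"
case "${action}" in
	boot | start | restart | reload | lookup | search)
		ban_actlib="1"
		ban_actlock="1"
		;;
	stop | report | survey | status)
		ban_actlib="1"
		;;
esac

# nothing to do at boot when the service is already up
[ "${action}" = "boot" ] && "${ban_init}" running && exit 0
# these actions only make sense against a running service
case "${action}" in
	stop | report | search | survey | lookup)
		"${ban_init}" running || exit 0
		;;
esac
# without the function library none of the library-backed actions can work
[ "${ban_actlib}" = "1" ] && [ ! -r "${ban_funlib}" ] && exit 1
# Acquire the lock with a plain mkdir (no -p): it fails when the directory
# already exists, so the existence test and the creation are one atomic step
# and two concurrent invocations cannot both pass a separate "-d" check
# (mkdir -p silently succeeds on a directory the other instance just made).
# Only the parent directory is created with -p.
if [ "${ban_actlock}" = "1" ]; then
	mkdir -p "${ban_lock%/*}" 2>/dev/null
	mkdir "${ban_lock}" 2>/dev/null || exit 1
fi
[ "${ban_actlib}" = "1" ] && . "${ban_funlib}"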

boot() {
	# start from an empty pid file, then hand over to the procd-aware start path
	true >"${ban_pidfile}"
	rc_procd start_service "boot"
}

start_service() {
	# honour the rc.common enable flag: a disabled service is not started and
	# the lock taken by the top-level guard is released again
	if ! "${ban_init}" enabled; then
		f_log "err" "banIP service autostart is disabled"
		rm -rf "${ban_lock}"
		return
	fi
	f_rmpid
	procd_open_instance "banip-service"
	# the service script receives the caller's arguments, or the rc action if none
	procd_set_param command "${ban_service}" "${@:-"${action}"}"
	procd_set_param pidfile "${ban_pidfile}"
	# scheduling priority and open-file limit are tunable through uci
	procd_set_param nice "$(uci_get banip global ban_nicelimit "0")"
	procd_set_param limits nofile="$(uci_get banip global ban_filelimit "1024")"
	procd_set_param stdout 1
	procd_set_param stderr 1
	procd_close_instance
}

reload_service() {
	local mode="reload"

	# clear the old pid file before procd re-spawns the service for a reload
	f_rmpid
	rc_procd start_service "${mode}"
}

stop_service() {
	# drop the whole banIP nftables table; a missing table is not an error here
	"${ban_nftcmd}" delete table inet banIP >/dev/null 2>&1
	f_genstatus "stopped"
	f_rmpid
	# the lock is released only on an explicit stop; a restart keeps holding it
	[ "${action}" = "stop" ] && rm -rf "${ban_lock}"
}

restart() {
	local mode="restart"

	# full cycle: tear the current instance down, then start it again via procd
	stop_service
	rc_procd start_service "${mode}"
}

status() {
	# rc.common "status" entry point; defers to the procd-style hook
	status_service
}

status_service() {
	# the status itself is rendered by the function library
	f_getstatus
}

report() {
	local format="${1:-text}"

	# output format defaults to plain text; the extra_command help lists json and mail
	f_report "${format}"
}

search() {
	local element="${1}"

	f_search "${element}"
	# search is one of the actions that run under the lock directory; release it
	rm -rf "${ban_lock}"
}

survey() {
	local setname="${1}"

	# list the elements of one Set; the library handles an empty or unknown name
	f_survey "${setname}"
}

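lookup() {
	local list hold cnt="1" cores="${ban_cores:-1}"

	# ban_cores (from the function library) throttles the parallel lookups;
	# fall back to a single worker when it is unset or not a positive integer
	# so the modulo below can never divide by zero
	[ "${cores}" -gt 0 ] 2>/dev/null || cores="1"

	# refresh each list in its own background subshell, waiting for the
	# batch to finish whenever the core limit is reached
	for list in allowlist blocklist; do
		(f_lookup "${list}") &
		hold="$((cnt % cores))"
		[ "${hold}" = "0" ] && wait
		cnt="$((cnt + 1))"
	done
	wait
	# lookup runs under the lock directory; release it once all workers are done
	rm -rf "${ban_lock}"
}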

service_triggers() {
	local dev ifaces secs

	# interface-up events reload the service after ban_triggerdelay seconds (default 20)
	secs="$(uci_get banip global ban_triggerdelay "20")"
	ifaces="$(uci_get banip global ban_trigger)"

	PROCD_RELOAD_DELAY="$((secs * 1000))"
	# ban_trigger is a whitespace-separated interface list, hence left unquoted
	for dev in ${ifaces}; do
		procd_add_interface_trigger "interface.*.up" "${dev}" "${ban_init}" reload
	done

	# config changes reload after a fixed 2 second settle time
	PROCD_RELOAD_DELAY="2000"
	procd_add_reload_trigger "banip"
}