banip: update 0.3.7
authorDirk Brenken <dev@brenken.org>
Fri, 8 Nov 2019 17:40:30 +0000 (18:40 +0100)
committerDirk Brenken <dev@brenken.org>
Fri, 8 Nov 2019 18:19:18 +0000 (19:19 +0100)
* fix a logical glitch in the hotplug event handler
* properly handle fatal iptables errors - even in subshells

Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 49b43b81e8a8c32465d3de921d8289541de3e7e1)

net/banip/Makefile
net/banip/files/banip.hotplug
net/banip/files/banip.sh

index 111213b6a8f53f2926d03e8ee71a571438df9a34..cca5303b2e5cfee7fd621818b58e2c3e8a46e4df 100644 (file)
@@ -6,7 +6,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=banip
-PKG_VERSION:=0.3.6
+PKG_VERSION:=0.3.7
 PKG_RELEASE:=1
 PKG_LICENSE:=GPL-3.0-or-later
 PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>
index 763c07baf593b6974ef8433c0ec4982e1addd3f9..f021fcff074e4c6e8289f9af5b18bbcf253d5fa4 100644 (file)
@@ -1,11 +1,12 @@
 #!/bin/sh
 #
+
+[ "${ACTION}" != "add" ] && exit 0
+
 ban_pidfile="/var/run/banip.pid"
 ban_enabled="$(/etc/init.d/banip enabled; printf "%u" "${?}")"
-
-if [ "${ban_enabled}" = "1" ] || [ ! -f "${ban_pidfile}" ] || [ -s "${ban_pidfile}" ] || [ "${ACTION}" != "add" ]
+if [ "${ban_enabled}" = "0" ] && [ ! -s "${ban_pidfile}" ]
 then
-       exit 0
-else
        /etc/init.d/banip refresh
 fi
+exit 0
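Review bot: The rewritten condition on L37 uses `[ ! -s "${ban_pidfile}" ]`, which is true both when the pidfile is absent and when it exists but is empty, so a refresh now runs in a case the old `[ ! -f "${ban_pidfile}" ]` test explicitly skipped; if that is the intended fix, the condition deserves a comment, because nothing in the handler says what the two states mean. A comment above the `if` such as `# "banip enabled" exits 0 when the service is enabled; a non-empty pidfile means a run is still in progress, so do not start a second one` would make it reviewable — the pidfile semantics are inferred from this file alone, so confirm them against banip.sh. The bare `#` on L29 followed by the inserted blank line leaves an empty comment header; either drop it or put the handler's one-line purpose there.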
index d4d5638cafb78a3d35e396cea63b530201e96919..743ea4d740aea07853bcf3745a631cc5af8ece7b 100755 (executable)
@@ -13,7 +13,7 @@
 #
 LC_ALL=C
 PATH="/usr/sbin:/usr/bin:/sbin:/bin"
-ban_ver="0.3.6"
+ban_ver="0.3.7"
 ban_basever=""
 ban_enabled=0
 ban_automatic="1"
@@ -341,7 +341,7 @@ f_iptrule()
                        if { [ "${rc}" -ne 0 ] && { [ "${action}" = "-A" ] || [ "${action}" = "-I" ]; } } || \
                                { [ "${rc}" -eq 0 ] && [ "${action}" = "-D" ]; }
                        then
-                               "${ban_ipt6}" "${timeout}" "${action}" ${rule}
+                               "${ban_ipt6}" "${timeout}" "${action}" ${rule} 2>/dev/null
                        fi
                fi
        else
@@ -352,10 +352,15 @@ f_iptrule()
                        if { [ "${rc}" -ne 0 ] && { [ "${action}" = "-A" ] || [ "${action}" = "-I" ]; } } || \
                                { [ "${rc}" -eq 0 ] && [ "${action}" = "-D" ]; }
                        then
-                               "${ban_ipt}" "${timeout}" "${action}" ${rule}
+                               "${ban_ipt}" "${timeout}" "${action}" ${rule} 2>/dev/null
                        fi
                fi
        fi
+       if [ "${?}" -ne 0 ]
+       then
+               > "${tmp_err}"
+               f_log "info" "can't create iptables rule: action: '${action:-"-"}', rule: '${rule:-"-"}'"
+       fi
 }
 
 # remove/add iptables rules
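Review bot: The failure check added at L72 reads `${?}` after the closing `fi` of the whole if/else construct rather than right after the iptables call, so it only works because POSIX defines the status of an `if` as that of the last list executed (zero when none ran); any statement inserted between L68 and L72 later will silently break the error detection. Capture the status where it is produced, as the f_ipset hunks already do: `ipt_rc="${?}"` directly after the `${ban_ipt}` line on L68 (and after the `${ban_ipt6}` line on L59 in the previous hunk), then `if [ "${ipt_rc:-0}" -ne 0 ]`, with `ipt_rc` reset at the top of the function so a value from an earlier call cannot leak through. The `> "${tmp_err}"` on L74 also depends on `tmp_err`, which f_main sets only inside the per-source loop (L161), while `f_ipset initial` (L146) reaches `f_iptrule "-D"` (L101) before that point; unless `tmp_err` is initialised earlier in the file, a failure there redirects to an empty name instead of leaving the error marker that L175 looks for, so guard it with `[ -n "${tmp_err}" ] && > "${tmp_err}"`. Relatedly, the new chain-creation check in f_main (L147-L150) logs "processing failed, fatal error" but falls through into the main loop; if continuing is intended the message should say so, otherwise a `return 1` after the log line is missing. f_iptrule's body begins before this hunk.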
@@ -455,7 +460,8 @@ f_ipset()
                "initial")
                        if [ -x "${ban_ipt}" ] && [ -z "$("${ban_ipt}" "${timeout}" -nL "${ban_chain}" 2>/dev/null)" ]
                        then
-                               "${ban_ipt}" "${timeout}" -N "${ban_chain}"
+                               "${ban_ipt}" "${timeout}" -N "${ban_chain}" 2>/dev/null
+                               out_rc="${?}"
                        elif [ -x "${ban_ipt}" ]
                        then
                                src_name="ruleset"
@@ -467,7 +473,8 @@ f_ipset()
                        fi
                        if [ -x "${ban_ipt6}" ] && [ -z "$("${ban_ipt6}" "${timeout}" -nL "${ban_chain}" 2>/dev/null)" ]
                        then
-                               "${ban_ipt6}" "${timeout}" -N "${ban_chain}"
+                               "${ban_ipt6}" "${timeout}" -N "${ban_chain}" 2>/dev/null
+                               out_rc="${?}"
                        elif [ -x "${ban_ipt6}" ]
                        then
                                src_name="ruleset_6"
@@ -477,7 +484,9 @@ f_ipset()
                                        f_iptrule "-D" "${rule} -j ${ban_chain}"
                                done
                        fi
-                       f_log "debug" "f_ipset ::: name: -, mode: ${mode:-"-"}, chain: ${ban_chain:-"-"}, ruleset: ${ruleset:-"-"}, ruleset_6: ${ruleset_6:-"-"}"
+                       out_rc="${out_rc:-"${in_rc}"}"
+                       f_log "debug" "f_ipset ::: name: -, mode: ${mode:-"-"}, chain: ${ban_chain:-"-"}, ruleset: ${ruleset:-"-"}, ruleset_6: ${ruleset_6:-"-"}, out_rc: ${out_rc}"
+                       return "${out_rc}"
                ;;
                "create")
                        if [ -x "${ban_ipset}" ]
@@ -508,6 +517,7 @@ f_ipset()
                        end_ts="$(date +%s)"
                        out_rc="${out_rc:-"${in_rc}"}"
                        f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}, settype: ${src_settype:-"-"}, setipv: ${src_setipv:-"-"}, ruletype: ${src_ruletype:-"-"}, count(sum/ip/cidr): ${cnt}/${cnt_ip}/${cnt_cidr}, time: $((end_ts-start_ts)), out_rc: ${out_rc}"
+                       return "${out_rc}"
                ;;
                "refresh")
                        if [ -x "${ban_ipset}" ] && [ -n "$("${ban_ipset}" -q -n list "${src_name}")" ]
@@ -543,15 +553,15 @@ f_ipset()
                                [ -n "$("${ban_ipt}" "${timeout}" -nL "${ban_chain}" 2>/dev/null)" ]
                        then
                                "${ban_ipt_save}" | grep -v -- "-j ${ban_chain}" | "${ban_ipt_restore}"
-                               "${ban_ipt}" "${timeout}" -F "${ban_chain}"
-                               "${ban_ipt}" "${timeout}" -X "${ban_chain}"
+                               "${ban_ipt}" "${timeout}" -F "${ban_chain}" 2>/dev/null
+                               "${ban_ipt}" "${timeout}" -X "${ban_chain}" 2>/dev/null
                        fi
                        if [ -x "${ban_ipt6}" ] && [ -x "${ban_ipt6_save}" ] && [ -x "${ban_ipt6_restore}" ] && \
                                [ -n "$("${ban_ipt6}" "${timeout}" -nL "${ban_chain}" 2>/dev/null)" ]
                        then
                                "${ban_ipt6_save}" | grep -v -- "-j ${ban_chain}" | "${ban_ipt6_restore}"
-                               "${ban_ipt6}" "${timeout}" -F "${ban_chain}"
-                               "${ban_ipt6}" "${timeout}" -X "${ban_chain}"
+                               "${ban_ipt6}" "${timeout}" -F "${ban_chain}" 2>/dev/null
+                               "${ban_ipt6}" "${timeout}" -X "${ban_chain}" 2>/dev/null
                        fi
                        for source in ${ban_sources}
                        do
@@ -622,9 +632,16 @@ f_main()
        mem_free="$(awk '/^MemFree/ {print int($2/1000)}' "/proc/meminfo" 2>/dev/null)"
        f_log "debug" "f_main  ::: fetch_util: ${ban_fetchutil:-"-"}, fetch_parm: ${ban_fetchparm:-"-"}, ssh_daemon: ${ban_sshdaemon}, interface(s): ${ban_iface:-"-"}, device(s): ${ban_dev:-"-"}, all_devices: ${ban_dev_all:-"-"}, backup_dir: ${ban_backupdir:-"-"}, mem_total: ${mem_total:-0}, mem_free: ${mem_free:-0}, max_queue: ${ban_maxqueue}"
 
-       # main loop
+       # chain creation
        #
        f_ipset initial
+       if [ "${?}" -ne 0 ]
+       then
+               f_log "err" "banIP processing failed, fatal error during iptables chain creation (${ban_sysver})"
+       fi
+
+       # main loop
+       #
        for src_name in ${ban_sources}
        do
                unset src_on
@@ -667,6 +684,8 @@ f_main()
                tmp_file="${ban_tmpfile}.${src_name}.file"
                tmp_raw="${tmp_file}.raw"
                tmp_cnt="${tmp_file}.cnt"
+               tmp_err="${tmp_file}.err"
+
                # basic pre-checks
                #
                f_log "debug" "f_main  ::: name: ${src_name}, src_on: ${src_on:-"-"}"
@@ -855,18 +874,23 @@ f_main()
        done
        wait
 
-       for cnt in $(cat "${ban_tmpfile}".*.cnt 2>/dev/null)
-       do
-               ban_cnt="$((ban_cnt+cnt))"
-       done
-       if [ "${ban_cnt}" -gt 0 ]
+       if [ -z "$(ls "${ban_tmpfile}".*.err 2>/dev/null)" ]
        then
-               ban_setcnt="$(ls "${ban_tmpfile}".*.cnt 2>/dev/null | wc -l)"
+               for cnt in $(cat "${ban_tmpfile}".*.cnt 2>/dev/null)
+               do
+                       ban_cnt="$((ban_cnt+cnt))"
+               done
+               if [ "${ban_cnt}" -gt 0 ]
+               then
+                       ban_setcnt="$(ls "${ban_tmpfile}".*.cnt 2>/dev/null | wc -l)"
+               fi
+               f_log "info" "${ban_setcnt} IPSets with overall ${ban_cnt} IPs/Prefixes loaded successfully (${ban_sysver})"
+               f_bgserv "start"
+               f_jsnup
+               f_rmtemp
+       else
+               f_log "err" "banIP processing failed, fatal iptables error(s) during subshell processing (${ban_sysver})"
        fi
-       f_log "info" "${ban_setcnt} IPSets with overall ${ban_cnt} IPs/Prefixes loaded successfully (${ban_sysver})"
-       f_bgserv "start"
-       f_jsnup
-       f_rmtemp
 }
 
 # update runtime information