banip: update to 0.7.5-4 15276/head
authorDirk Brenken <dev@brenken.org>
Fri, 26 Mar 2021 18:19:57 +0000 (19:19 +0100)
committerDirk Brenken <dev@brenken.org>
Fri, 26 Mar 2021 18:19:57 +0000 (19:19 +0100)
* fix another IPv4/IPv6 related iptables chain creation problem
* fix counter during ipset creation
* fix regex for debug counters
* fix ipset housekeeping for local sources

Signed-off-by: Dirk Brenken <dev@brenken.org>
net/banip/Makefile
net/banip/files/banip.sh

index 3a3427c92174b62616ff6cec8929485c6eedfc4b..60a890acec8410f66240a291b5ac1c380a8d1e3e 100644 (file)
@@ -7,7 +7,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=banip
 PKG_VERSION:=0.7.5
-PKG_RELEASE:=3
+PKG_RELEASE:=4
 PKG_LICENSE:=GPL-3.0-or-later
 PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>
 
index 17a25a24af248e01cdcd6df6da8c291f11acb50a..9252b449b4cbb77f2d9cd83a2a013819d16370a3 100755 (executable)
@@ -434,7 +434,7 @@ f_env()
        then
                json_load_file "${ban_srcfile}"
                json_get_keys ban_allsources
-               ban_allsources="${ban_allsources} ${ban_localsources}"
+               ban_allsources="${ban_allsources} maclist blacklist whitelist"
        else
                f_log "err" "banIP source file not found"
        fi
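Review bot: The literal list `maclist blacklist whitelist` is now spelled out here and again in the f_ipset flush loop (the hunk at `@@ -877`), so the two copies can drift apart without any error. If `${ban_localsources}` was dropped because it is not yet assigned when f_env runs, a constant defined at the top of the file, `readonly ban_localsources="maclist blacklist whitelist"`, keeps a single point of truth and lets both places keep referencing it. The enclosing f_env body starts outside the hunk.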
@@ -501,7 +501,7 @@ f_iptrule()
 {
        local rc timeout="-w 5" action="${1}" chain="${2}" rule="${3}" pos="${4}"
 
-       if [ "${src_name}" = "maclist" ] || [ "${src_name##*_}" = "4" ]
+       if [ "${ban_proto4_enabled}" = "1" ] && { [ "${src_name}" = "maclist" ] || [ "${src_name##*_}" = "4" ]; }
        then
                rc="$("${ban_ipt4_cmd}" "${timeout}" -C ${chain} ${rule} 2>/dev/null; printf "%u" ${?})"
                if { [ "${rc}" != "0" ] && { [ "${action}" = "-A" ] || [ "${action}" = "-I" ]; }; } || \
@@ -513,7 +513,7 @@ f_iptrule()
                        rc=0
                fi
        fi
-       if [ "${src_name}" = "maclist" ] || [ "${src_name##*_}" = "6" ]
+       if [ "${ban_proto6_enabled}" = "1" ] && { [ "${src_name}" = "maclist" ] || [ "${src_name##*_}" = "6" ]; }
        then
                rc="$("${ban_ipt6_cmd}" "${timeout}" -C ${chain} ${rule} 2>/dev/null; printf "%u" ${?})"
                if { [ "${rc}" != "0" ] && { [ "${action}" = "-A" ] || [ "${action}" = "-I" ]; }; } || \
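Review bot: For `maclist` both guarded blocks can run, and the second one overwrites `rc` unconditionally on the `-C` line, so an IPv4 iptables failure is lost whenever the IPv6 call succeeds and the failure log further down never fires for it. Collecting the status per family, e.g. `rc4="$(...)"` in the first block and `rc6="$(...)"` in the second, and then checking `[ "${rc4:-0}" != "0" ] || [ "${rc6:-0}" != "0" ]` before logging would surface both; I am inferring the clobber from the visible assignments, since the `rc=0` reset between them is only partly in view. The rest of f_iptrule is in the following hunks.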
@@ -528,7 +528,7 @@ f_iptrule()
        if [ -n "${rc}" ] && [ "${rc}" != "0" ]
        then
                > "${tmp_err}"
-               f_log "info" "iptables action '${action:-"-"}' failed with '${chain}, ${pos:-"-"}, ${rule:-"-"}'"
+               f_log "info" "${src_name}: iptables action '${action:-"-"}' failed with '${chain}, ${pos:-"-"}, ${rule:-"-"}'"
        fi
 }
 
@@ -557,7 +557,7 @@ f_iptables()
                        fi
                done
        fi
-       if [ -z "${destroy}" ] && [ "${cnt}" -gt "0" ]
+       if [ -z "${destroy}" ] && { [ "${cnt}" -gt "0" ] || [ "${src_name%_*}" = "blacklist" ] || [ "${src_name%_*}" = "whitelist" ]; }
        then
                if [ "${src_settype}" != "dst" ]
                then
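Review bot: `[ "${cnt}" -gt "0" ]` is still the first alternative, and if `cnt` is empty (the `awk '/^Number of entries:/'` extraction in f_ipset yields nothing when `ipset list` fails) `test` prints "integer expression expected" to stderr before the new blacklist/whitelist alternatives are tried. `[ "${cnt:-0}" -gt "0" ]` keeps the logic and silences the spurious diagnostic. The enclosing f_iptables body begins and ends outside the hunk.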
@@ -644,7 +644,7 @@ f_iptables()
 #
 f_ipset()
 {
-       local src src_list action rule ipt_cmd out_rc cnt="0" cnt_ip="0" cnt_cidr="0" cnt_mac="0" timeout="-w 5" mode="${1}" in_rc="4"
+       local src src_list action rule ipt_cmd out_rc max="0" cnt="0" cnt_ip="0" cnt_cidr="0" cnt_mac="0" timeout="-w 5" mode="${1}" in_rc="4"
 
        case "${mode}" in
                "backup")
@@ -747,22 +747,22 @@ f_ipset()
                        if [ -z "$("${ban_ipset_cmd}" -q -n list "${src_name}")" ] && \
                                { [ -s "${tmp_file}" ] || [ "${src_name%_*}" = "whitelist" ] || [ "${src_name%_*}" = "blacklist" ]; }
                        then
-                               cnt="$(awk 'END{print NR}' "${tmp_file}" 2>/dev/null)"
-                               cnt=$((cnt+262144))
+                               max="$(awk 'END{print NR}' "${tmp_file}" 2>/dev/null)"
+                               max=$((max+262144))
                                if [ "${src_name}" = "maclist" ]
                                then
-                                       "${ban_ipset_cmd}" create "${src_name}" hash:mac hashsize 64 maxelem "${cnt}" counters timeout "${ban_maclist_timeout:-"0"}"
+                                       "${ban_ipset_cmd}" create "${src_name}" hash:mac hashsize 64 maxelem "${max}" counters timeout "${ban_maclist_timeout:-"0"}"
                                        out_rc="${?}"
                                elif [ "${src_name%_*}" = "whitelist" ]
                                then
-                                       "${ban_ipset_cmd}" create "${src_name}" hash:net hashsize 64 maxelem "${cnt}" family "${src_ipver}" counters timeout "${ban_whitelist_timeout:-"0"}"
+                                       "${ban_ipset_cmd}" create "${src_name}" hash:net hashsize 64 maxelem "${max}" family "${src_ipver}" counters timeout "${ban_whitelist_timeout:-"0"}"
                                        out_rc="${?}"
                                elif [ "${src_name%_*}" = "blacklist" ]
                                then
-                                       "${ban_ipset_cmd}" create "${src_name}" hash:net hashsize 64 maxelem "${cnt}" family "${src_ipver}" counters timeout "${ban_blacklist_timeout:-"0"}"
+                                       "${ban_ipset_cmd}" create "${src_name}" hash:net hashsize 64 maxelem "${max}" family "${src_ipver}" counters timeout "${ban_blacklist_timeout:-"0"}"
                                        out_rc="${?}"
                                else
-                                       "${ban_ipset_cmd}" create "${src_name}" hash:net hashsize 64 maxelem "${cnt}" family "${src_ipver}" counters
+                                       "${ban_ipset_cmd}" create "${src_name}" hash:net hashsize 64 maxelem "${max}" family "${src_ipver}" counters
                                        out_rc="${?}"
                                fi
                        elif [ -n "$("${ban_ipset_cmd}" -q -n list "${src_name}")" ]
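Review bot: The condition two lines above this hunk's first change lets whitelist/blacklist sets be created when `${tmp_file}` is empty or absent, and then `awk 'END{print NR}' "${tmp_file}" 2>/dev/null` may leave `max` empty depending on the awk implementation's behaviour on a missing file; the following `max=$((max+262144))` only works because an empty variable name evaluates as 0 in arithmetic. Making that explicit, `max=$((${max:-0}+262144))`, documents the fallback and avoids relying on it silently. The four `create` calls below differ only in the set type and timeout variable, so the shared `hashsize 64 maxelem "${max}" ... counters` tail could also live in one variable.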
@@ -778,8 +778,8 @@ f_ipset()
                                then
                                        src_list="$("${ban_ipset_cmd}" -q list "${src_name}")"
                                        cnt="$(printf "%s\n" "${src_list}" | awk '/^Number of entries:/{print $4}')"
-                                       cnt_mac="$(printf "%s\n" "${src_list}" | grep -cE "^(([0-9A-Z][0-9A-Z]:){5}[0-9A-Z]{2} packets)")"
-                                       cnt_cidr="$(printf "%s\n" "${src_list}" | grep -cE "(/[0-9]{1,3} packets)")"
+                                       cnt_mac="$(printf "%s\n" "${src_list}" | grep -cE "^(([0-9A-Z][0-9A-Z]:){5}[0-9A-Z]{2} )")"
+                                       cnt_cidr="$(printf "%s\n" "${src_list}" | grep -cE "(/[0-9]{1,3} )")"
                                        cnt_ip=$((cnt-cnt_cidr-cnt_mac))
                                        printf "%s\n" "${cnt}" > "${tmp_cnt}"
                                fi
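Review bot: The five-line member-count block (`src_list` listing, `cnt`, `cnt_mac`, `cnt_cidr`, `cnt_ip`, write to `${tmp_cnt}`) is now repeated verbatim three times in f_ipset, here and in the hunks at `@@ -796` and `@@ -839`, and this commit had to touch both regexes in all three places. A small helper called from each site would make the next regex fix a one-line change; in ash `local` is dynamically scoped, so assignments made by the helper should land in f_ipset's locals, but please verify that on the target shell. The grep patterns are reproduced as they stand after this commit.
```sh
# collect member counts of the current ipset: total, MAC and CIDR entries, plain IPs as the remainder
f_cnt()
{
	src_list="$("${ban_ipset_cmd}" -q list "${src_name}")"
	cnt="$(printf "%s\n" "${src_list}" | awk '/^Number of entries:/{print $4}')"
	cnt_mac="$(printf "%s\n" "${src_list}" | grep -cE "^(([0-9A-Z][0-9A-Z]:){5}[0-9A-Z]{2} )")"
	cnt_cidr="$(printf "%s\n" "${src_list}" | grep -cE "(/[0-9]{1,3} )")"
	cnt_ip=$((${cnt:-0}-cnt_cidr-cnt_mac))
	printf "%s\n" "${cnt:-0}" > "${tmp_cnt}"
}
# … unchanged: f_ipset branches, each calling f_cnt in place of the copied block …
```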
@@ -796,8 +796,8 @@ f_ipset()
                                out_rc=0
                                src_list="$("${ban_ipset_cmd}" -q list "${src_name}")"
                                cnt="$(printf "%s\n" "${src_list}" | awk '/^Number of entries:/{print $4}')"
-                               cnt_mac="$(printf "%s\n" "${src_list}" | grep -cE "^(([0-9A-Z][0-9A-Z]:){5}[0-9A-Z]{2} packets)")"
-                               cnt_cidr="$(printf "%s\n" "${src_list}" | grep -cE "(/[0-9]{1,3} packets)")"
+                               cnt_mac="$(printf "%s\n" "${src_list}" | grep -cE "^(([0-9A-Z][0-9A-Z]:){5}[0-9A-Z]{2} )")"
+                               cnt_cidr="$(printf "%s\n" "${src_list}" | grep -cE "(/[0-9]{1,3} )")"
                                cnt_ip=$((cnt-cnt_cidr-cnt_mac))
                                printf "%s\n" "${cnt}" > "${tmp_cnt}"
                                f_iptables
@@ -839,8 +839,8 @@ f_ipset()
                                        rm -f "${ban_backupdir}/${src_name}.file"
                                        src_list="$("${ban_ipset_cmd}" -q list "${src_name}")"
                                        cnt="$(printf "%s\n" "${src_list}" | awk '/^Number of entries:/{print $4}')"
-                                       cnt_mac="$(printf "%s\n" "${src_list}" | grep -cE "^(([0-9A-Z][0-9A-Z]:){5}[0-9A-Z]{2} packets)")"
-                                       cnt_cidr="$(printf "%s\n" "${src_list}" | grep -cE "(/[0-9]{1,3} packets)")"
+                                       cnt_mac="$(printf "%s\n" "${src_list}" | grep -cE "^(([0-9A-Z][0-9A-Z]:){5}[0-9A-Z]{2} )")"
+                                       cnt_cidr="$(printf "%s\n" "${src_list}" | grep -cE "(/[0-9]{1,3} )")"
                                        cnt_ip=$((cnt-cnt_cidr-cnt_mac))
                                        printf "%s\n" "${cnt}" > "${tmp_cnt}"
                                fi
@@ -877,7 +877,7 @@ f_ipset()
                                        "${ban_ipt6_cmd}" "${timeout}" -X "${chain}" 2>/dev/null
                                fi
                        done
-                       for src in ${ban_sources} ${ban_localsources}
+                       for src in ${ban_sources} maclist blacklist whitelist
                        do
                                if [ "${src}" = "maclist" ] && [ -n "$("${ban_ipset_cmd}" -q -n list "${src}")" ]
                                then
@@ -1298,6 +1298,11 @@ f_main()
                                        f_down "${src_name}" "4" "inet" "${ban_whitelist}" "${src_rule_4}"
                                )&
                        fi
+               else
+                       (
+                               src_name="${src_name}_4"
+                               f_ipset "flush"
+                       )&
                fi
                if [ "${ban_proto6_enabled}" = "1" ]
                then
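Review bot: The new `else` branch has no comment saying why a disabled protocol still spawns a background `f_ipset "flush"` for the `_4` set, and the same applies to the `_6` branch in the hunk at `@@ -1314`; a reader will wonder whether this is a leftover. If the intent is to remove a set left behind by an earlier run where the protocol was enabled, a one-liner above the subshell, `# proto disabled: flush any ipset left over from a previous run with this protocol enabled`, states it; that is my inference from the commit message, so confirm before adding it. The surrounding `for` loop of f_main starts outside the hunk.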
@@ -1314,6 +1319,11 @@ f_main()
                                        f_down "${src_name}" "6" "inet6" "${ban_whitelist}" "${src_rule_6}"
                                )&
                        fi
+               else
+                       (
+                               src_name="${src_name}_6"
+                               f_ipset "flush"
+                       )&
                fi
        done
        wait
@@ -1390,7 +1400,7 @@ f_main()
                        if [ -z "$(printf "%s" "${ban_sources}" | grep -F "${src_name%_*}")" ]
                        then
                                ban_sources="${ban_sources} ${src_name%_*}"
-                               ban_allsources="${ban_allsources/${src_name%_*}/}"
+                               ban_allsources="${ban_allsources//${src_name%_*}/}"
                        fi
                fi
        done
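Review bot: `${ban_allsources//${src_name%_*}/}` is a substring replacement, not a whole-word one, so with the global `//` any other source whose name contains this one is now mangled as well (constructed example: removing `foo` from `foo foo6 bar` leaves ` 6 bar`); the `grep -F` on `ban_sources` two lines earlier has the same substring semantics. Rebuilding the list word by word avoids both problems and also drops the stray double spaces the replacement leaves behind. The variable would need adding to f_main's `local` list, which is outside the hunk.
```sh
# drop the source as a whole word, not as a substring of other source names
src_all=""
for src_tmp in ${ban_allsources}
do
	[ "${src_tmp}" = "${src_name%_*}" ] || src_all="${src_all} ${src_tmp}"
done
ban_allsources="${src_all# }"
```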
@@ -1511,7 +1521,7 @@ f_report()
                                if [ -n "${src_list}" ]
                                then
                                        cnt="$(printf "%s" "${src_list}" | awk '/^Number of entries:/{print $4}')"
-                                       cnt_acc="$(printf "%s" "${src_list}" | grep -cE " packets [1-9]+")"
+                                       cnt_acc="$(printf "%s" "${src_list}" | grep -cE "packets [1-9]+")"
                                        cnt_acc_sum=$((cnt_acc_sum+cnt_acc))
                                        cnt_mac_sum="${cnt}"
                                        cnt_sum=$((cnt_sum+cnt))
@@ -1540,9 +1550,9 @@ f_report()
                                        if [ -n "${src_list}" ]
                                        then
                                                cnt="$(printf "%s\n" "${src_list}" | awk '/^Number of entries:/{print $4}')"
-                                               cnt_cidr="$(printf "%s\n" "${src_list}" | grep -cE "/[0-9]{1,3} packets [0-9]+")"
+                                               cnt_cidr="$(printf "%s\n" "${src_list}" | grep -cE "/[0-9]{1,3} ")"
                                                cnt_ip=$((cnt-cnt_cidr-cnt_mac))
-                                               cnt_acc="$(printf "%s\n" "${src_list}" | grep -cE " packets [1-9]+")"
+                                               cnt_acc="$(printf "%s\n" "${src_list}" | grep -cE "packets [1-9]+")"
                                                cnt_cidr_sum=$((cnt_cidr_sum+cnt_cidr))
                                                cnt_ip_sum=$((cnt_ip_sum+cnt_ip))
                                                cnt_acc_sum=$((cnt_acc_sum+cnt_acc))
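Review bot: In `grep -cE "packets [1-9]+"` the `+` adds nothing: `-c` counts matching lines, and a line matches as soon as the first digit after `packets ` is non-zero, so `grep -cE "packets [1-9]"` is equivalent and reads as what it means ("non-zero packet counter"); the same pattern is used in the hunk at `@@ -1511`. If the intent is to document the number format, `[1-9][0-9]*` says so explicitly. The enclosing f_report loop starts outside the hunk.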