then
json_load_file "${ban_srcfile}"
json_get_keys ban_allsources
- ban_allsources="${ban_allsources} ${ban_localsources}"
+ ban_allsources="${ban_allsources} maclist blacklist whitelist"
else
f_log "err" "banIP source file not found"
fi
{
local rc timeout="-w 5" action="${1}" chain="${2}" rule="${3}" pos="${4}"
- if [ "${src_name}" = "maclist" ] || [ "${src_name##*_}" = "4" ]
+ if [ "${ban_proto4_enabled}" = "1" ] && { [ "${src_name}" = "maclist" ] || [ "${src_name##*_}" = "4" ]; }
then
rc="$("${ban_ipt4_cmd}" "${timeout}" -C ${chain} ${rule} 2>/dev/null; printf "%u" ${?})"
if { [ "${rc}" != "0" ] && { [ "${action}" = "-A" ] || [ "${action}" = "-I" ]; }; } || \
rc=0
fi
fi
- if [ "${src_name}" = "maclist" ] || [ "${src_name##*_}" = "6" ]
+ if [ "${ban_proto6_enabled}" = "1" ] && { [ "${src_name}" = "maclist" ] || [ "${src_name##*_}" = "6" ]; }
then
rc="$("${ban_ipt6_cmd}" "${timeout}" -C ${chain} ${rule} 2>/dev/null; printf "%u" ${?})"
if { [ "${rc}" != "0" ] && { [ "${action}" = "-A" ] || [ "${action}" = "-I" ]; }; } || \
if [ -n "${rc}" ] && [ "${rc}" != "0" ]
then
> "${tmp_err}"
- f_log "info" "iptables action '${action:-"-"}' failed with '${chain}, ${pos:-"-"}, ${rule:-"-"}'"
+ f_log "info" "${src_name}: iptables action '${action:-"-"}' failed with '${chain}, ${pos:-"-"}, ${rule:-"-"}'"
fi
}
fi
done
fi
- if [ -z "${destroy}" ] && [ "${cnt}" -gt "0" ]
+ if [ -z "${destroy}" ] && { [ "${cnt}" -gt "0" ] || [ "${src_name%_*}" = "blacklist" ] || [ "${src_name%_*}" = "whitelist" ]; }
then
if [ "${src_settype}" != "dst" ]
then
#
f_ipset()
{
- local src src_list action rule ipt_cmd out_rc cnt="0" cnt_ip="0" cnt_cidr="0" cnt_mac="0" timeout="-w 5" mode="${1}" in_rc="4"
+ local src src_list action rule ipt_cmd out_rc max="0" cnt="0" cnt_ip="0" cnt_cidr="0" cnt_mac="0" timeout="-w 5" mode="${1}" in_rc="4"
case "${mode}" in
"backup")
if [ -z "$("${ban_ipset_cmd}" -q -n list "${src_name}")" ] && \
{ [ -s "${tmp_file}" ] || [ "${src_name%_*}" = "whitelist" ] || [ "${src_name%_*}" = "blacklist" ]; }
then
- cnt="$(awk 'END{print NR}' "${tmp_file}" 2>/dev/null)"
- cnt=$((cnt+262144))
+ max="$(awk 'END{print NR}' "${tmp_file}" 2>/dev/null)"
+ max=$((max+262144))
if [ "${src_name}" = "maclist" ]
then
- "${ban_ipset_cmd}" create "${src_name}" hash:mac hashsize 64 maxelem "${cnt}" counters timeout "${ban_maclist_timeout:-"0"}"
+ "${ban_ipset_cmd}" create "${src_name}" hash:mac hashsize 64 maxelem "${max}" counters timeout "${ban_maclist_timeout:-"0"}"
out_rc="${?}"
elif [ "${src_name%_*}" = "whitelist" ]
then
- "${ban_ipset_cmd}" create "${src_name}" hash:net hashsize 64 maxelem "${cnt}" family "${src_ipver}" counters timeout "${ban_whitelist_timeout:-"0"}"
+ "${ban_ipset_cmd}" create "${src_name}" hash:net hashsize 64 maxelem "${max}" family "${src_ipver}" counters timeout "${ban_whitelist_timeout:-"0"}"
out_rc="${?}"
elif [ "${src_name%_*}" = "blacklist" ]
then
- "${ban_ipset_cmd}" create "${src_name}" hash:net hashsize 64 maxelem "${cnt}" family "${src_ipver}" counters timeout "${ban_blacklist_timeout:-"0"}"
+ "${ban_ipset_cmd}" create "${src_name}" hash:net hashsize 64 maxelem "${max}" family "${src_ipver}" counters timeout "${ban_blacklist_timeout:-"0"}"
out_rc="${?}"
else
- "${ban_ipset_cmd}" create "${src_name}" hash:net hashsize 64 maxelem "${cnt}" family "${src_ipver}" counters
+ "${ban_ipset_cmd}" create "${src_name}" hash:net hashsize 64 maxelem "${max}" family "${src_ipver}" counters
out_rc="${?}"
fi
elif [ -n "$("${ban_ipset_cmd}" -q -n list "${src_name}")" ]
then
src_list="$("${ban_ipset_cmd}" -q list "${src_name}")"
cnt="$(printf "%s\n" "${src_list}" | awk '/^Number of entries:/{print $4}')"
- cnt_mac="$(printf "%s\n" "${src_list}" | grep -cE "^(([0-9A-Z][0-9A-Z]:){5}[0-9A-Z]{2} packets)")"
- cnt_cidr="$(printf "%s\n" "${src_list}" | grep -cE "(/[0-9]{1,3} packets)")"
+ cnt_mac="$(printf "%s\n" "${src_list}" | grep -cE "^(([0-9A-Z][0-9A-Z]:){5}[0-9A-Z]{2} )")"
+ cnt_cidr="$(printf "%s\n" "${src_list}" | grep -cE "(/[0-9]{1,3} )")"
cnt_ip=$((cnt-cnt_cidr-cnt_mac))
printf "%s\n" "${cnt}" > "${tmp_cnt}"
fi
out_rc=0
src_list="$("${ban_ipset_cmd}" -q list "${src_name}")"
cnt="$(printf "%s\n" "${src_list}" | awk '/^Number of entries:/{print $4}')"
- cnt_mac="$(printf "%s\n" "${src_list}" | grep -cE "^(([0-9A-Z][0-9A-Z]:){5}[0-9A-Z]{2} packets)")"
- cnt_cidr="$(printf "%s\n" "${src_list}" | grep -cE "(/[0-9]{1,3} packets)")"
+ cnt_mac="$(printf "%s\n" "${src_list}" | grep -cE "^(([0-9A-Z][0-9A-Z]:){5}[0-9A-Z]{2} )")"
+ cnt_cidr="$(printf "%s\n" "${src_list}" | grep -cE "(/[0-9]{1,3} )")"
cnt_ip=$((cnt-cnt_cidr-cnt_mac))
printf "%s\n" "${cnt}" > "${tmp_cnt}"
f_iptables
rm -f "${ban_backupdir}/${src_name}.file"
src_list="$("${ban_ipset_cmd}" -q list "${src_name}")"
cnt="$(printf "%s\n" "${src_list}" | awk '/^Number of entries:/{print $4}')"
- cnt_mac="$(printf "%s\n" "${src_list}" | grep -cE "^(([0-9A-Z][0-9A-Z]:){5}[0-9A-Z]{2} packets)")"
- cnt_cidr="$(printf "%s\n" "${src_list}" | grep -cE "(/[0-9]{1,3} packets)")"
+ cnt_mac="$(printf "%s\n" "${src_list}" | grep -cE "^(([0-9A-Z][0-9A-Z]:){5}[0-9A-Z]{2} )")"
+ cnt_cidr="$(printf "%s\n" "${src_list}" | grep -cE "(/[0-9]{1,3} )")"
cnt_ip=$((cnt-cnt_cidr-cnt_mac))
printf "%s\n" "${cnt}" > "${tmp_cnt}"
fi
"${ban_ipt6_cmd}" "${timeout}" -X "${chain}" 2>/dev/null
fi
done
- for src in ${ban_sources} ${ban_localsources}
+ for src in ${ban_sources} maclist blacklist whitelist
do
if [ "${src}" = "maclist" ] && [ -n "$("${ban_ipset_cmd}" -q -n list "${src}")" ]
then
f_down "${src_name}" "4" "inet" "${ban_whitelist}" "${src_rule_4}"
)&
fi
+ else
+ (
+ src_name="${src_name}_4"
+ f_ipset "flush"
+ )&
fi
if [ "${ban_proto6_enabled}" = "1" ]
then
f_down "${src_name}" "6" "inet6" "${ban_whitelist}" "${src_rule_6}"
)&
fi
+ else
+ (
+ src_name="${src_name}_6"
+ f_ipset "flush"
+ )&
fi
done
wait
if [ -z "$(printf "%s" "${ban_sources}" | grep -F "${src_name%_*}")" ]
then
ban_sources="${ban_sources} ${src_name%_*}"
- ban_allsources="${ban_allsources/${src_name%_*}/}"
+ ban_allsources="${ban_allsources//${src_name%_*}/}"
fi
fi
done
if [ -n "${src_list}" ]
then
cnt="$(printf "%s" "${src_list}" | awk '/^Number of entries:/{print $4}')"
- cnt_acc="$(printf "%s" "${src_list}" | grep -cE " packets [1-9]+")"
+ cnt_acc="$(printf "%s" "${src_list}" | grep -cE "packets [1-9]+")"
cnt_acc_sum=$((cnt_acc_sum+cnt_acc))
cnt_mac_sum="${cnt}"
cnt_sum=$((cnt_sum+cnt))
if [ -n "${src_list}" ]
then
cnt="$(printf "%s\n" "${src_list}" | awk '/^Number of entries:/{print $4}')"
- cnt_cidr="$(printf "%s\n" "${src_list}" | grep -cE "/[0-9]{1,3} packets [0-9]+")"
+ cnt_cidr="$(printf "%s\n" "${src_list}" | grep -cE "/[0-9]{1,3} ")"
cnt_ip=$((cnt-cnt_cidr-cnt_mac))
- cnt_acc="$(printf "%s\n" "${src_list}" | grep -cE " packets [1-9]+")"
+ cnt_acc="$(printf "%s\n" "${src_list}" | grep -cE "packets [1-9]+")"
cnt_cidr_sum=$((cnt_cidr_sum+cnt_cidr))
cnt_ip_sum=$((cnt_ip_sum+cnt_ip))
cnt_acc_sum=$((cnt_acc_sum+cnt_acc))