packages/net/banip/files/banip.sh

#!/bin/sh
# banIP - ban incoming and outgoing ip adresses/subnets via ipset
# Copyright (c) 2018-2021 Dirk Brenken (dev@brenken.org)
# This is free software, licensed under the GNU General Public License v3.

# (s)hellcheck exceptions
# shellcheck disable=1091,2030,2031,2086,2183,3040,3043,3060

# set initial defaults
#
export LC_ALL=C
export PATH="/usr/sbin:/usr/bin:/sbin:/bin"
set -o pipefail
ban_ver="0.7.10"
ban_status=""
ban_enabled="0"
ban_mail_enabled="0"
ban_proto4_enabled="0"
ban_proto6_enabled="0"
ban_logsrc_enabled="0"
ban_logdst_enabled="0"
ban_monitor_enabled="0"
ban_autodetect="1"
ban_autoblacklist="1"
ban_autowhitelist="1"
ban_whitelistonly="0"
ban_logterms=""
ban_loglimit="100"
ban_ssh_logcount="3"
ban_luci_logcount="3"
ban_nginx_logcount="5"
ban_mailactions=""
ban_search=""
ban_devs=""
ban_ifaces=""
ban_debug="0"
ban_maxqueue="4"
ban_fetchutil=""
ban_fetchinsecure="0"
ban_ip_cmd="$(command -v ip)"
ban_ipt4_cmd="$(command -v iptables)"
ban_ipt4_savecmd="$(command -v iptables-save)"
ban_ipt4_restorecmd="$(command -v iptables-restore)"
ban_ipt6_cmd="$(command -v ip6tables)"
ban_ipt6_savecmd="$(command -v ip6tables-save)"
ban_ipt6_restorecmd="$(command -v ip6tables-restore)"
ban_ipset_cmd="$(command -v ipset)"
ban_logger_cmd="$(command -v logger)"
ban_logread_cmd="$(command -v logread)"
ban_allsources=""
ban_extrasources=""
ban_sources=""
ban_asns=""
ban_countries=""
ban_settype_src=""
ban_settype_dst=""
ban_settype_all=""
ban_lan_inputchains_4=""
ban_lan_inputchains_6=""
ban_lan_forwardchains_4=""
ban_lan_forwardchains_6=""
ban_wan_inputchains_4=""
ban_wan_inputchains_6=""
ban_wan_forwardchains_4=""
ban_wan_forwardchains_6=""
ban_action="${1:-"start"}"
ban_pidfile="/var/run/banip.pid"
ban_bgpidfile="/var/run/banip_bg.pid"
ban_tmpbase="/tmp"
ban_rtfile="${ban_tmpbase}/ban_runtime.json"
ban_srcfile="${ban_tmpbase}/ban_sources.json"
ban_reportdir="${ban_tmpbase}/banIP-Report"
ban_backupdir="${ban_tmpbase}/banIP-Backup"
ban_srcarc="/etc/banip/banip.sources.gz"
ban_dnsservice="/etc/banip/banip.dns"
ban_mailservice="/etc/banip/banip.mail"
ban_logservice="/etc/banip/banip.service"
ban_maclist="/etc/banip/banip.maclist"
ban_blacklist="/etc/banip/banip.blacklist"
ban_whitelist="/etc/banip/banip.whitelist"
ban_setcnt="0"
ban_cnt="0"

# load environment
#
f_load() {
	ban_sysver="$(ubus -S call system board 2>/dev/null | jsonfilter -q -e '@.model' -e '@.release.description' |
		awk 'BEGIN{RS="";FS="\n"}{printf "%s, %s",$1,$2}')"

	f_conf
	if [ "${ban_enabled}" = "0" ]; then
		f_bgsrv "stop"
		f_ipset "destroy"
		f_jsnup "disabled"
		f_rmbckp
		f_rmtmp
		f_log "info" "banIP is currently disabled, please set the config option 'ban_enabled' to '1' to use this service"
		exit 0
	fi
	f_dir "${ban_backupdir}"
	f_dir "${ban_reportdir}"
}

# check/create directories
#
f_dir() {
	local dir="${1}"

	if [ -d "${dir}" ]; then
		f_log "debug" "directory '${dir}' is used"
	else
		rm -f "${dir}"
		mkdir -p "${dir}"
		f_log "debug" "directory '${dir}' created"		
	fi
}

# load banIP config
#
f_conf() {
	if [ ! -r "/etc/config/banip" ] || [ -z "$(uci -q show banip.global.ban_autodetect)" ]; then
		f_log "err" "no valid banIP config found, please re-install the package via opkg with the '--force-reinstall --force-maintainer' options"
	fi

	config_cb() {
		option_cb() {
			local option="${1}"
			local value="${2}"
			eval "${option}=\"${value}\""
		}
		list_cb() {
			local option="${1}"
			local value="${2}"
			if [ "${option}" = "ban_ifaces" ]; then
				eval "${option}=\"$(printf "%s" "${ban_ifaces}")${value} \""
			elif [ "${option}" = "ban_sources" ]; then
				eval "${option}=\"$(printf "%s" "${ban_sources}")${value} \""
			elif [ "${option}" = "ban_localsources" ]; then
				eval "${option}=\"$(printf "%s" "${ban_localsources}")${value} \""
			elif [ "${option}" = "ban_extrasources" ]; then
				eval "${option}=\"$(printf "%s" "${ban_extrasources}")${value} \""
			elif [ "${option}" = "ban_settype_src" ]; then
				eval "${option}=\"$(printf "%s" "${ban_settype_src}")${value} \""
			elif [ "${option}" = "ban_settype_dst" ]; then
				eval "${option}=\"$(printf "%s" "${ban_settype_dst}")${value} \""
			elif [ "${option}" = "ban_settype_all" ]; then
				eval "${option}=\"$(printf "%s" "${ban_settype_all}")${value} \""
			elif [ "${option}" = "ban_mailactions" ]; then
				eval "${option}=\"$(printf "%s" "${ban_mailactions}")${value} \""
			elif [ "${option}" = "ban_logterms" ]; then
				eval "${option}=\"$(printf "%s" "${ban_logterms}")${value} \""
			elif [ "${option}" = "ban_countries" ]; then
				eval "${option}=\"$(printf "%s" "${ban_countries}")${value} \""
			elif [ "${option}" = "ban_asns" ]; then
				eval "${option}=\"$(printf "%s" "${ban_asns}")${value} \""
			elif [ "${option}" = "ban_lan_inputchains_4" ]; then
				eval "${option}=\"$(printf "%s" "${ban_lan_inputchains_4}")${value} \""
			elif [ "${option}" = "ban_lan_inputchains_6" ]; then
				eval "${option}=\"$(printf "%s" "${ban_lan_inputchains_6}")${value} \""
			elif [ "${option}" = "ban_lan_forwardchains_4" ]; then
				eval "${option}=\"$(printf "%s" "${ban_lan_forwardchains_4}")${value} \""
			elif [ "${option}" = "ban_lan_forwardchains_6" ]; then
				eval "${option}=\"$(printf "%s" "${ban_lan_forwardchains_6}")${value} \""
			elif [ "${option}" = "ban_wan_inputchains_4" ]; then
				eval "${option}=\"$(printf "%s" "${ban_wan_inputchains_4}")${value} \""
			elif [ "${option}" = "ban_wan_inputchains_6" ]; then
				eval "${option}=\"$(printf "%s" "${ban_wan_inputchains_6}")${value} \""
			elif [ "${option}" = "ban_wan_forwardchains_4" ]; then
				eval "${option}=\"$(printf "%s" "${ban_wan_forwardchains_4}")${value} \""
			elif [ "${option}" = "ban_wan_forwardchains_6" ]; then
				eval "${option}=\"$(printf "%s" "${ban_wan_forwardchains_6}")${value} \""
			fi
		}
	}
	config_load banip

	ban_chain="${ban_chain:-"banIP"}"
	ban_global_settype="${ban_global_settype:-"src+dst"}"
	ban_target_src="${ban_target_src:-"DROP"}"
	ban_target_dst="${ban_target_dst:-"REJECT"}"
	ban_lan_inputchains_4="${ban_lan_inputchains_4:-"input_lan_rule"}"
	ban_lan_inputchains_6="${ban_lan_inputchains_6:-"input_lan_rule"}"
	ban_lan_forwardchains_4="${ban_lan_forwardchains_4:-"forwarding_lan_rule"}"
	ban_lan_forwardchains_6="${ban_lan_forwardchains_6:-"forwarding_lan_rule"}"
	ban_wan_inputchains_4="${ban_wan_inputchains_4:-"input_wan_rule"}"
	ban_wan_inputchains_6="${ban_wan_inputchains_6:-"input_wan_rule"}"
	ban_wan_forwardchains_4="${ban_wan_forwardchains_4:-"forwarding_wan_rule"}"
	ban_wan_forwardchains_6="${ban_wan_forwardchains_6:-"forwarding_wan_rule"}"
	ban_logchain_src="${ban_logchain_src:-"${ban_chain}_log_src"}"
	ban_logchain_dst="${ban_logchain_dst:-"${ban_chain}_log_dst"}"
	ban_logtarget_src="${ban_target_src}"
	ban_logtarget_dst="${ban_target_dst}"
	if [ "${ban_logsrc_enabled}" = "1" ]; then
		ban_logprefix_src="${ban_logprefix_src:-"[banIP-${ban_ver%-*}, src/${ban_target_src}] "}"
		ban_logopts_src="${ban_logopts_src:-"-m limit --limit 2/sec"}"
		ban_target_src="${ban_logchain_src}"
	fi
	if [ "${ban_logdst_enabled}" = "1" ]; then
		ban_logprefix_dst="${ban_logprefix_dst:-"[banIP-${ban_ver%-*}, dst/${ban_target_dst}] "}"
		ban_logopts_dst="${ban_logopts_dst:-"-m limit --limit 2/sec"}"
		ban_target_dst="${ban_logchain_dst}"
	fi
	ban_localsources="${ban_localsources:-"maclist whitelist blacklist"}"
	ban_logterms="${ban_logterms:-"dropbear sshd luci nginx"}"
	f_log "debug" "f_conf  ::: ifaces: ${ban_ifaces:-"-"}, chain: ${ban_chain}, set_type: ${ban_global_settype}, log_chains (src/dst): ${ban_logchain_src}/${ban_logchain_dst}, targets (src/dst): ${ban_target_src}/${ban_target_dst}, whitelist_only: ${ban_whitelistonly}"
	f_log "debug" "f_conf  ::: lan_inputs (4/6): ${ban_lan_inputchains_4}/${ban_lan_inputchains_6}, lan_forwards (4/6): ${ban_lan_forwardchains_4}/${ban_lan_forwardchains_6}, wan_inputs (4/6): ${ban_wan_inputchains_4}/${ban_wan_inputchains_6}, wan_forwards (4/6): ${ban_wan_forwardchains_4}/${ban_wan_forwardchains_6}"
	f_log "debug" "f_conf  ::: local_sources: ${ban_localsources:-"-"}, extra_sources: ${ban_extrasources:-"-"}, log_terms: ${ban_logterms:-"-"}, log_prefixes (src/dst): ${ban_logprefix_src}/${ban_logprefix_dst}, log_options (src/dst): ${ban_logopts_src}/${ban_logopts_dst}"
}

# check environment
#
f_env() {
	local util utils packages iface insecure tmp cnt="0" cnt_max="10"

	ban_starttime="$(date "+%s")"
	f_jsnup "running"
	f_log "info" "start banIP processing (${ban_action})"

	f_tmp

	if [ "${ban_autodetect}" = "1" ] && [ -z "${ban_ifaces}" ]; then
		while [ "${cnt}" -le "${cnt_max}" ]; do
			network_find_wan iface
			if [ -n "${iface}" ] && ! printf "%s\n" "${ban_ifaces}" | grep -q "${iface}"; then
				ban_proto4_enabled="1"
				ban_ifaces="${ban_ifaces}${iface} "
				uci_set banip global ban_proto4_enabled "1"
				uci_add_list banip global ban_ifaces "${iface}"
			fi
			network_find_wan6 iface
			if [ -n "${iface}" ] && ! printf "%s\n" "${ban_ifaces}" | grep -q "${iface}"; then
				ban_proto6_enabled="1"
				ban_ifaces="${ban_ifaces}${iface} "
				uci_set banip global ban_proto6_enabled "1"
				uci_add_list banip global ban_ifaces "${iface}"
			fi
			if [ -z "${ban_ifaces}" ]; then
				if [ "${cnt}" -le "${cnt_max}" ]; then
					network_flush_cache
					cnt=$((cnt + 1))
					sleep 1
				else
					break
				fi
			else
				if [ -n "$(uci -q changes "banip")" ]; then
					uci_commit "banip"
				fi
				break
			fi
		done
	fi

	while [ "${cnt}" -le "${cnt_max}" ]; do
		for iface in ${ban_ifaces}; do
			network_get_device tmp "${iface}"
			if [ -n "${tmp}" ] && ! printf "%s\n" "${ban_devs}" | grep -q "${tmp}"; then
				ban_devs="${ban_devs} ${tmp}"
			else
				network_get_physdev tmp "${iface}"
				if [ -n "${tmp}" ] && ! printf "%s\n" "${ban_devs}" | grep -q "${tmp}"; then
					ban_devs="${ban_devs} ${tmp}"
				fi
			fi
			network_get_subnet tmp "${iface}"
			if [ -n "${tmp}" ] && ! printf "%s\n" "${ban_subnets}" | grep -q "${tmp}"; then
				ban_subnets="${ban_subnets} ${tmp}"
			fi
			network_get_subnet6 tmp "${iface}"
			if [ -n "${tmp}" ] && ! printf "%s\n" "${ban_subnets}" | grep -q "${tmp}"; then
				ban_subnets="${ban_subnets} ${tmp}"
			fi
		done
		if [ -z "${ban_devs}" ] || [ -z "${ban_subnets}" ]; then
			if [ "${cnt}" -le "${cnt_max}" ]; then
				network_flush_cache
				cnt=$((cnt + 1))
				sleep 1
			else
				break
			fi
		else
			break
		fi
	done
	ban_ipdevs="$("${ban_ip_cmd}" link show 2>/dev/null | awk 'BEGIN{FS="[@: ]"}/^[0-9:]/{if($3!="lo"){ORS=" ";print $3}}')"

	if [ -z "${ban_ifaces}" ] || [ -z "${ban_devs}" ] || [ -z "${ban_ipdevs}" ]; then
		f_log "err" "logical wan interface(s)/device(s) '${ban_ifaces:-"-"}/${ban_devs:-"-"}' not found, please check your configuration"
	elif [ -z "${ban_ipdevs}" ]; then
		f_log "err" "ip device(s) '${ban_ipdevs:-"-"}' not found, please check your configuration"
	fi

	if [ ! -x "${ban_ipset_cmd}" ]; then
		f_log "err" "ipset utility '${ban_ipset_cmd:-"-"}' not executable, please install package 'ipset'"
	fi
	if { [ "${ban_proto4_enabled}" = "1" ] && { [ ! -x "${ban_ipt4_cmd}" ] || [ ! -x "${ban_ipt4_savecmd}" ] || [ ! -x "${ban_ipt4_restorecmd}" ]; }; } ||
		{ [ "${ban_proto6_enabled}" = "1" ] && { [ ! -x "${ban_ipt6_cmd}" ] || [ ! -x "${ban_ipt6_savecmd}" ] || [ ! -x "${ban_ipt6_restorecmd}" ]; }; }; then
		f_log "err" "iptables utilities '${ban_ipt4_cmd:-"-"}, ${ban_ipt4_savecmd:-"-"}, ${ban_ipt4_restorecmd:-"-"}/${ban_ipt6_cmd:-"-"}', ${ban_ipt6_savecmd:-"-"}, ${ban_ipt6_restorecmd:-"-"} not executable, please install the relevant iptables packages"
	fi

	if [ -z "${ban_fetchutil}" ]; then
		while [ -z "${packages}" ] && [ "${cnt}" -le "${cnt_max}" ]; do
			packages="$(opkg list-installed 2>/dev/null)"
			cnt=$((cnt + 1))
			sleep 1
		done
		if [ -z "${packages}" ]; then
			f_log "err" "local opkg package repository is not available, please set 'ban_fetchutil' manually"
		fi

		utils="aria2c curl wget uclient-fetch"
		for util in ${utils}; do
			if { [ "${util}" = "uclient-fetch" ] && printf "%s" "${packages}" | grep -q "^libustream-"; } ||
				{ [ "${util}" = "wget" ] && printf "%s" "${packages}" | grep -q "^wget -"; } ||
				[ "${util}" = "curl" ] || [ "${util}" = "aria2c" ]; then
				if [ -x "$(command -v "${util}")" ]; then
					ban_fetchutil="${util}"
					uci_set banip global ban_fetchutil "${util}"
					uci_commit "banip"
					break
				fi
			fi
		done
	elif [ ! -x "$(command -v "${ban_fetchutil}")" ]; then
		unset ban_fetchutil
	fi
	case "${ban_fetchutil}" in
		"aria2c")
			if [ "${ban_fetchinsecure}" = "1" ]; then
				insecure="--check-certificate=false"
			fi
			ban_fetchparm="${ban_fetchparm:-"${insecure} --timeout=20 --allow-overwrite=true --auto-file-renaming=false --log-level=warn --dir=/ -o"}"
			;;
		"curl")
			if [ "${ban_fetchinsecure}" = "1" ]; then
				insecure="--insecure"
			fi
			ban_fetchparm="${ban_fetchparm:-"${insecure} --connect-timeout 20 --silent --show-error --location -o"}"
			;;
		"uclient-fetch")
			if [ "${ban_fetchinsecure}" = "1" ]; then
				insecure="--no-check-certificate"
			fi
			ban_fetchparm="${ban_fetchparm:-"${insecure} --timeout=20 -O"}"
			;;
		"wget")
			if [ "${ban_fetchinsecure}" = "1" ]; then
				insecure="--no-check-certificate"
			fi
			ban_fetchparm="${ban_fetchparm:-"${insecure} --no-cache --no-cookies --max-redirect=0 --timeout=20 -O"}"
			;;
	esac
	if [ -n "${ban_fetchutil}" ] && [ -n "${ban_fetchparm}" ]; then
		ban_fetchutil="$(command -v "${ban_fetchutil}")"
	else
		f_log "err" "download utility with SSL support not found, please install 'uclient-fetch' with a 'libustream-*' variant or another download utility like 'wget', 'curl' or 'aria2'"
	fi

	if [ ! -r "${ban_srcfile}" ]; then
		if [ -r "${ban_srcarc}" ]; then
			zcat "${ban_srcarc}" >"${ban_srcfile}"
		else
			f_log "err" "banIP source archive not found"
		fi
	fi
	if [ -r "${ban_srcfile}" ]; then
		json_init
		json_load_file "${ban_srcfile}"
		json_get_keys ban_allsources
		ban_allsources="${ban_allsources} maclist blacklist whitelist"
	else
		f_log "err" "banIP source file not found"
	fi
	f_log "debug" "f_env   ::: auto_detect: ${ban_autodetect}, fetch_util: ${ban_fetchutil:-"-"}, fetch_parm: ${ban_fetchparm:-"-"}, src_file: ${ban_srcfile:-"-"}, log_terms: ${ban_logterms}, interfaces: ${ban_ifaces:-"-"}, devices: ${ban_devs:-"-"}, subnets: ${ban_subnets:-"-"}, ip_devices: ${ban_ipdevs:-"-"}, protocols (4/6): ${ban_proto4_enabled}/${ban_proto6_enabled}"
}

# create temporary files and directories
#
f_tmp() {
	f_dir "${ban_tmpbase}"

	ban_tmpdir="$(mktemp -p "${ban_tmpbase}" -d)"
	ban_tmpfile="$(mktemp -p "${ban_tmpdir}" -tu)"

	if [ ! -f "${ban_pidfile}" ] || [ ! -s "${ban_pidfile}" ]; then
		printf "%s" "${$}" >"${ban_pidfile}"
	fi
	f_log "debug" "f_tmp   ::: tmp_base: ${ban_tmpbase:-"-"}, tmp_dir: ${ban_tmpdir:-"-"}, pid_file: ${ban_pidfile:-"-"}"
}

# remove temporary files and directories
#
f_rmtmp() {
	if [ -d "${ban_tmpdir}" ]; then
		rm -rf "${ban_tmpdir}"
	fi
	rm -f "${ban_srcfile}"
	: >"${ban_pidfile}"
	f_log "debug" "f_rmtmp ::: tmp_base: ${ban_tmpbase:-"-"}, tmp_dir: ${ban_tmpdir:-"-"}, pid_file: ${ban_pidfile:-"-"}"
}

# remove backup files
#
f_rmbckp() {
	if [ -d "${ban_backupdir}" ]; then
		rm -f "${ban_backupdir}/banIP."*".gz"
	fi
}

# status helper function
#
f_char() {
	local result input="${1}"

	if [ "${input}" = "1" ]; then
		result="✔"
	else
		result="✘"
	fi
	printf "%s" "${result}"
}

# apply iptables rules
#
f_iptrule() {
	local rc timeout="-w 5" action="${1}" chain="${2}" rule="${3}" pos="${4}"

	if [ "${ban_proto4_enabled}" = "1" ] && { [ "${src_name}" = "maclist" ] || [ "${src_name##*_}" = "4" ]; }; then
		rc="$(
			"${ban_ipt4_cmd}" "${timeout}" -C ${chain} ${rule} 2>/dev/null
			printf "%u" ${?}
		)"
		if { [ "${rc}" != "0" ] && { [ "${action}" = "-A" ] || [ "${action}" = "-I" ]; }; } ||
			{ [ "${rc}" = "0" ] && [ "${action}" = "-D" ]; }; then
			"${ban_ipt4_cmd}" "${timeout}" "${action}" ${chain} ${pos} ${rule} 2>/dev/null
			rc="${?}"
		else
			rc=0
		fi
	fi
	if [ "${ban_proto6_enabled}" = "1" ] && { [ "${src_name}" = "maclist" ] || [ "${src_name##*_}" = "6" ]; }; then
		rc="$(
			"${ban_ipt6_cmd}" "${timeout}" -C ${chain} ${rule} 2>/dev/null
			printf "%u" ${?}
		)"
		if { [ "${rc}" != "0" ] && { [ "${action}" = "-A" ] || [ "${action}" = "-I" ]; }; } ||
			{ [ "${rc}" = "0" ] && [ "${action}" = "-D" ]; }; then
			"${ban_ipt6_cmd}" "${timeout}" "${action}" ${chain} ${pos} ${rule} 2>/dev/null
			rc="${?}"
		else
			rc=0
		fi
	fi
	if [ -n "${rc}" ] && [ "${rc}" != "0" ]; then
		: >"${tmp_err}"
		f_log "info" "${src_name}: iptables action '${action:-"-"}' failed with '${chain}, ${pos:-"-"}, ${rule:-"-"}'"
	fi
}

# iptables controller
#
f_iptables() {
	local ipt_cmd chain chainsets dev pos timeout="-w 5" destroy="${1}"

	if [ "${ban_action}" != "refresh" ] && [ "${ban_action}" != "resume" ]; then
		for dev in ${ban_ipdevs}; do
			if [ "${src_name}" = "maclist" ]; then
				f_iptrule "-D" "${ban_chain}" "-o ${dev} -m set --match-set ${src_name} src -j RETURN"
			elif [ "${src_name%_*}" = "whitelist" ]; then
				f_iptrule "-D" "${ban_chain}" "-i ${dev} -m set ! --match-set ${src_name} src -j ${ban_logtarget_src}"
				f_iptrule "-D" "${ban_chain}" "-o ${dev} -m set ! --match-set ${src_name} dst -j ${ban_logtarget_dst}"
				f_iptrule "-D" "${ban_chain}" "-i ${dev} -m set ! --match-set ${src_name} src -j ${ban_logchain_src}"
				f_iptrule "-D" "${ban_chain}" "-o ${dev} -m set ! --match-set ${src_name} dst -j ${ban_logchain_dst}"
				f_iptrule "-D" "${ban_chain}" "-i ${dev} -m set --match-set ${src_name} src -j RETURN"
				f_iptrule "-D" "${ban_chain}" "-o ${dev} -m set --match-set ${src_name} dst -j RETURN"
			else
				f_iptrule "-D" "${ban_chain}" "-i ${dev} -m set --match-set ${src_name} src -j ${ban_logtarget_src}"
				f_iptrule "-D" "${ban_chain}" "-o ${dev} -m set --match-set ${src_name} dst -j ${ban_logtarget_dst}"
				f_iptrule "-D" "${ban_chain}" "-i ${dev} -m set --match-set ${src_name} src -j ${ban_logchain_src}"
				f_iptrule "-D" "${ban_chain}" "-o ${dev} -m set --match-set ${src_name} dst -j ${ban_logchain_dst}"
			fi
		done
	fi
	if [ -z "${destroy}" ] && { [ "${cnt}" -gt "0" ] || [ "${src_name%_*}" = "blacklist" ] || [ "${src_name%_*}" = "whitelist" ]; }; then
		if [ "${src_name##*_}" = "4" ]; then
			ipt_cmd="${ban_ipt4_cmd}"
			if [ ! -f "${ban_tmpfile}.${src_name##*_}.chains" ]; then
				: >"${ban_tmpfile}.${src_name##*_}.chains"
				chainsets="${ban_lan_inputchains_4} ${ban_wan_inputchains_4} ${ban_lan_forwardchains_4} ${ban_wan_forwardchains_4}"
				for chain in ${chainsets}; do
					f_iptrule "-I" "${chain}" "-j ${ban_chain}"
				done
				f_iptrule "-A" "${ban_chain}" "-p udp --dport 67:68 --sport 67:68 -j RETURN"
				f_iptrule "-A" "${ban_chain}" "-m conntrack ! --ctstate NEW -j RETURN"
			fi
		elif [ "${src_name##*_}" = "6" ]; then
			ipt_cmd="${ban_ipt6_cmd}"
			if [ ! -f "${ban_tmpfile}.${src_name##*_}.chains" ]; then
				: >"${ban_tmpfile}.${src_name##*_}.chains"
				chainsets="${ban_lan_inputchains_6} ${ban_wan_inputchains_6} ${ban_lan_forwardchains_6} ${ban_wan_forwardchains_6}"
				for chain in ${chainsets}; do
					f_iptrule "-I" "${chain}" "-j ${ban_chain}"
				done
				f_iptrule "-A" "${ban_chain}" "-p ipv6-icmp -s fe80::/10 -d fe80::/10 -j RETURN"
				f_iptrule "-A" "${ban_chain}" "-p udp -s fc00::/6 --sport 547 -d fc00::/6 --dport 546 -j RETURN"
				f_iptrule "-A" "${ban_chain}" "-m conntrack ! --ctstate NEW -j RETURN"
			fi
		fi
		if [ "${src_settype}" != "dst" ]; then
			for dev in ${ban_devs}; do
				if [ "${src_name}" = "maclist" ]; then
					f_iptrule "-I" "${ban_chain}" "-o ${dev} -m set --match-set ${src_name} src -j RETURN" "1"
				elif [ "${src_name%_*}" = "whitelist" ]; then
					pos="$(($("${ipt_cmd}" "${timeout}" -vnL "${ban_chain}" --line-numbers | grep -cF "RETURN") + 1))"
					if [ "${ban_whitelistonly}" = "1" ]; then
						f_iptrule "-I" "${ban_chain}" "-i ${dev} -m set ! --match-set ${src_name} src -j ${ban_target_src}" "${pos}"
					else
						f_iptrule "-I" "${ban_chain}" "-i ${dev} -m set --match-set ${src_name} src -j RETURN" "${pos}"
					fi
				else
					f_iptrule "${action:-"-A"}" "${ban_chain}" "-i ${dev} -m set --match-set ${src_name} src -j ${ban_target_src}"
				fi
			done
		fi
		if [ "${src_settype}" != "src" ]; then
			for dev in ${ban_devs}; do
				if [ "${src_name%_*}" = "whitelist" ]; then
					pos="$(($("${ipt_cmd}" "${timeout}" -vnL "${ban_chain}" --line-numbers | grep -cF "RETURN") + 1))"
					if [ "${ban_whitelistonly}" = "1" ]; then
						f_iptrule "-I" "${ban_chain}" "-o ${dev} -m set ! --match-set ${src_name} dst -j ${ban_target_dst}" "${pos}"
					else
						f_iptrule "-I" "${ban_chain}" "-o ${dev} -m set --match-set ${src_name} dst -j RETURN" "${pos}"
					fi
				elif [ "${src_name}" != "maclist" ]; then
					f_iptrule "${action:-"-A"}" "${ban_chain}" "-o ${dev} -m set --match-set ${src_name} dst -j ${ban_target_dst}"
				fi
			done
		fi
	else
		"${ban_ipset_cmd}" -q destroy "${src_name}"
	fi
}

# ipset controller
#
f_ipset() {
	local src src_list action rule ipt_cmd out_rc max="0" cnt="0" cnt_ip="0" cnt_cidr="0" cnt_mac="0" timeout="-w 5" mode="${1}" in_rc="4"

	case "${mode}" in
		"backup")
			gzip -cf "${tmp_load}" 2>/dev/null >"${ban_backupdir}/banIP.${src_name}.gz"
			out_rc="${?}"
			f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}, out_rc: ${out_rc}"
			return "${out_rc}"
			;;
		"restore")
			if [ -f "${ban_backupdir}/banIP.${src_name}.gz" ]; then
				zcat "${ban_backupdir}/banIP.${src_name}.gz" 2>/dev/null >"${tmp_load}"
				out_rc="${?}"
			else
				out_rc="${in_rc}"
			fi
			f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}, out_rc: ${out_rc}"
			return "${out_rc}"
			;;
		"remove")
			if [ -f "${ban_backupdir}/banIP.${src_name}.gz" ]; then
				rm -f "${ban_backupdir}/banIP.${src_name}.gz"
				out_rc="${?}"
			else
				out_rc="${in_rc}"
			fi
			f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}, out_rc: ${out_rc}"
			return "${out_rc}"
			;;
		"initial")
			for proto in "4" "6"; do
				if [ "${proto}" = "4" ] && [ "${ban_proto4_enabled}" = "1" ]; then
					ipt_cmd="${ban_ipt4_cmd}"
					chainsets="${ban_lan_inputchains_4} ${ban_lan_forwardchains_4} ${ban_wan_inputchains_4} ${ban_wan_forwardchains_4}"
				elif [ "${proto}" = "6" ] && [ "${ban_proto6_enabled}" = "1" ]; then
					ipt_cmd="${ban_ipt6_cmd}"
					chainsets="${ban_lan_inputchains_6} ${ban_lan_forwardchains_6} ${ban_wan_inputchains_6} ${ban_wan_forwardchains_6}"
				fi

				if { [ "${proto}" = "4" ] && [ "${ban_proto4_enabled}" = "1" ]; } ||
					{ [ "${proto}" = "6" ] && [ "${ban_proto6_enabled}" = "1" ]; }; then
					if [ -z "$("${ipt_cmd}" "${timeout}" -nL "${ban_chain}" 2>/dev/null)" ]; then
						"${ipt_cmd}" "${timeout}" -N "${ban_chain}" 2>/dev/null
						out_rc="${?}"
						f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}, chain: ${ban_chain:-"-"}, out_rc: ${out_rc}"
					else
						out_rc=0
						for chain in ${chainsets}; do
							f_iptrule "-D" "${chain}" "-j ${ban_chain}"
						done
					fi

					if [ "${ban_logsrc_enabled}" = "1" ] && [ "${out_rc}" = "0" ] && [ -z "$("${ipt_cmd}" "${timeout}" -nL "${ban_logchain_src}" 2>/dev/null)" ]; then
						"${ipt_cmd}" "${timeout}" -N "${ban_logchain_src}" 2>/dev/null
						out_rc="${?}"
						if [ "${out_rc}" = "0" ]; then
							"${ipt_cmd}" "${timeout}" -A "${ban_logchain_src}" -j LOG ${ban_logopts_src} --log-prefix "${ban_logprefix_src}"
							out_rc="${?}"
							if [ "${out_rc}" = "0" ]; then
								"${ipt_cmd}" "${timeout}" -A "${ban_logchain_src}" -j "${ban_logtarget_src}"
								out_rc="${?}"
							fi
						fi
						f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}, logchain_src: ${ban_logchain_src:-"-"}, out_rc: ${out_rc}"
					fi

					if [ "${ban_logdst_enabled}" = "1" ] && [ "${out_rc}" = "0" ] && [ -z "$("${ipt_cmd}" "${timeout}" -nL "${ban_logchain_dst}" 2>/dev/null)" ]; then
						"${ipt_cmd}" "${timeout}" -N "${ban_logchain_dst}" 2>/dev/null
						out_rc="${?}"
						if [ "${out_rc}" = "0" ]; then
							"${ipt_cmd}" "${timeout}" -A "${ban_logchain_dst}" -j LOG ${ban_logopts_dst} --log-prefix "${ban_logprefix_dst}"
							out_rc="${?}"
							if [ "${out_rc}" = "0" ]; then
								"${ipt_cmd}" "${timeout}" -A "${ban_logchain_dst}" -j "${ban_logtarget_dst}"
								out_rc="${?}"
							fi
						fi
						f_log "debug" "f_ipset ::: name: initial, mode: ${mode:-"-"}, logchain_dst: ${ban_logchain_dst:-"-"}, out_rc: ${out_rc}"
					fi
				fi
			done
			out_rc="${out_rc:-"${in_rc}"}"
			f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}, out_rc: ${out_rc}"
			return "${out_rc}"
			;;
		"create")
			if [ -z "$("${ban_ipset_cmd}" -q -n list "${src_name}")" ] &&
				{ [ -s "${tmp_file}" ] || [ "${src_name%_*}" = "whitelist" ] || [ "${src_name%_*}" = "blacklist" ]; }; then
				max="$(awk 'END{print NR}' "${tmp_file}" 2>/dev/null)"
				max=$((max + 262144))
				if [ "${src_name}" = "maclist" ]; then
					"${ban_ipset_cmd}" create "${src_name}" hash:mac hashsize 64 maxelem "${max}" counters timeout "${ban_maclist_timeout:-"0"}"
					out_rc="${?}"
				elif [ "${src_name%_*}" = "whitelist" ]; then
					"${ban_ipset_cmd}" create "${src_name}" hash:net hashsize 64 maxelem "${max}" family "${src_ipver}" counters timeout "${ban_whitelist_timeout:-"0"}"
					out_rc="${?}"
				elif [ "${src_name%_*}" = "blacklist" ]; then
					"${ban_ipset_cmd}" create "${src_name}" hash:net hashsize 64 maxelem "${max}" family "${src_ipver}" counters timeout "${ban_blacklist_timeout:-"0"}"
					out_rc="${?}"
				else
					"${ban_ipset_cmd}" create "${src_name}" hash:net hashsize 64 maxelem "${max}" family "${src_ipver}" counters
					out_rc="${?}"
				fi
			elif [ -n "$("${ban_ipset_cmd}" -q -n list "${src_name}")" ]; then
				"${ban_ipset_cmd}" -q flush "${src_name}"
				out_rc="${?}"
			fi
			if [ -s "${tmp_file}" ] && [ "${out_rc}" = "0" ]; then
				"${ban_ipset_cmd}" -q -! restore <"${tmp_file}"
				out_rc="${?}"
				if [ "${out_rc}" = "0" ]; then
					src_list="$("${ban_ipset_cmd}" -q list "${src_name}")"
					cnt="$(printf "%s\n" "${src_list}" | awk '/^Number of entries:/{print $4}')"
					cnt_mac="$(printf "%s\n" "${src_list}" | grep -cE "^(([0-9A-Z][0-9A-Z]:){5}[0-9A-Z]{2} )")"
					cnt_cidr="$(printf "%s\n" "${src_list}" | grep -cE "(/[0-9]{1,3} )")"
					cnt_ip=$((cnt - cnt_cidr - cnt_mac))
					printf "%s\n" "${cnt}" >"${tmp_cnt}"
				fi
			fi
			f_iptables
			end_ts="$(date +%s)"
			out_rc="${out_rc:-"${in_rc}"}"
			f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}, ipver: ${src_ipver:-"-"}, settype: ${src_settype:-"-"}, count(sum/ip/cidr/mac): ${cnt}/${cnt_ip}/${cnt_cidr}/${cnt_mac}, time: $((end_ts - start_ts)), out_rc: ${out_rc}"
			return "${out_rc}"
			;;
		"refresh")
			if [ -n "$("${ban_ipset_cmd}" -q -n list "${src_name}")" ]; then
				out_rc=0
				src_list="$("${ban_ipset_cmd}" -q list "${src_name}")"
				cnt="$(printf "%s\n" "${src_list}" | awk '/^Number of entries:/{print $4}')"
				cnt_mac="$(printf "%s\n" "${src_list}" | grep -cE "^(([0-9A-Z][0-9A-Z]:){5}[0-9A-Z]{2} )")"
				cnt_cidr="$(printf "%s\n" "${src_list}" | grep -cE "(/[0-9]{1,3} )")"
				cnt_ip=$((cnt - cnt_cidr - cnt_mac))
				printf "%s\n" "${cnt}" >"${tmp_cnt}"
				f_iptables
			fi
			end_ts="$(date +%s)"
			out_rc="${out_rc:-"${in_rc}"}"
			f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}, count(sum/ip/cidr/mac): ${cnt}/${cnt_ip}/${cnt_cidr}/${cnt_mac}, time: $((end_ts - start_ts)), out_rc: ${out_rc}"
			return "${out_rc}"
			;;
		"suspend")
			for src in ${ban_sources} ${ban_localsources}; do
				if [ "${src}" = "maclist" ] && [ -n "$("${ban_ipset_cmd}" -q -n list "${src}")" ]; then
					tmp_file="${ban_backupdir}/${src}.file"
					"${ban_ipset_cmd}" -q save "${src}" | tail -n +2 >"${tmp_file}"
					"${ban_ipset_cmd}" -q flush "${src}"
				else
					for proto in "4" "6"; do
						if [ -n "$("${ban_ipset_cmd}" -q -n list "${src}_${proto}")" ]; then
							tmp_file="${ban_backupdir}/${src}_${proto}.file"
							"${ban_ipset_cmd}" -q save "${src}_${proto}" | tail -n +2 >"${tmp_file}"
							"${ban_ipset_cmd}" -q flush "${src}_${proto}"
						fi
					done
				fi
			done
			f_log "debug" "f_ipset ::: name: ${src:-"-"}, mode: ${mode:-"-"}"
			;;
		"resume")
			if [ -f "${ban_backupdir}/${src_name}.file" ]; then
				"${ban_ipset_cmd}" -q -! restore <"${ban_backupdir}/${src_name}.file"
				out_rc="${?}"
				if [ "${out_rc}" = "0" ]; then
					rm -f "${ban_backupdir}/${src_name}.file"
					src_list="$("${ban_ipset_cmd}" -q list "${src_name}")"
					cnt="$(printf "%s\n" "${src_list}" | awk '/^Number of entries:/{print $4}')"
					cnt_mac="$(printf "%s\n" "${src_list}" | grep -cE "^(([0-9A-Z][0-9A-Z]:){5}[0-9A-Z]{2} )")"
					cnt_cidr="$(printf "%s\n" "${src_list}" | grep -cE "(/[0-9]{1,3} )")"
					cnt_ip=$((cnt - cnt_cidr - cnt_mac))
					printf "%s\n" "${cnt}" >"${tmp_cnt}"
				fi
				f_iptables
			fi
			end_ts="$(date +%s)"
			out_rc="${out_rc:-"${in_rc}"}"
			f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}, ipver: ${src_ipver:-"-"}, settype: ${src_settype:-"-"}, count(sum/ip/cidr/mac): ${cnt}/${cnt_ip}/${cnt_cidr}/${cnt_mac}, time: $((end_ts - start_ts)), out_rc: ${out_rc}"
			return "${out_rc}"
			;;
		"flush")
			if [ -n "$("${ban_ipset_cmd}" -q -n list "${src_name}")" ]; then
				f_iptables "destroy"
				out_rc=0
			fi
			out_rc="${out_rc:-"${in_rc}"}"
			f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}, out_rc: ${out_rc}"
			return "${out_rc}"
			;;
		"destroy")
			for chain in ${ban_chain} ${ban_logchain_src} ${ban_logchain_dst}; do
				if [ -n "$("${ban_ipt4_cmd}" "${timeout}" -nL "${chain}" 2>/dev/null)" ]; then
					"${ban_ipt4_savecmd}" | grep -v -- "-j ${chain}" | "${ban_ipt4_restorecmd}"
					"${ban_ipt4_cmd}" "${timeout}" -F "${chain}" 2>/dev/null
					"${ban_ipt4_cmd}" "${timeout}" -X "${chain}" 2>/dev/null
				fi
				if [ -n "$("${ban_ipt6_cmd}" "${timeout}" -nL "${chain}" 2>/dev/null)" ]; then
					"${ban_ipt6_savecmd}" | grep -v -- "-j ${chain}" | "${ban_ipt6_restorecmd}"
					"${ban_ipt6_cmd}" "${timeout}" -F "${chain}" 2>/dev/null
					"${ban_ipt6_cmd}" "${timeout}" -X "${chain}" 2>/dev/null
				fi
			done
			for src in ${ban_sources} maclist blacklist whitelist; do
				if [ "${src}" = "maclist" ] && [ -n "$("${ban_ipset_cmd}" -q -n list "${src}")" ]; then
					"${ban_ipset_cmd}" -q destroy "${src}"
				else
					for proto in "4" "6"; do
						if [ -n "$("${ban_ipset_cmd}" -q -n list "${src}_${proto}")" ]; then
							"${ban_ipset_cmd}" -q destroy "${src}_${proto}"
						fi
					done
				fi
			done
			f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}"
			;;
	esac
}

# write to syslog
#
f_log() {
	local class="${1}" log_msg="${2}"

	if [ -n "${log_msg}" ] && { [ "${class}" != "debug" ] || [ "${ban_debug}" = "1" ]; }; then
		if [ -x "${ban_logger_cmd}" ]; then
			"${ban_logger_cmd}" -p "${class}" -t "banIP-${ban_ver%-*}[${$}]" "${log_msg}"
		else
			printf "%s %s %s\n" "${class}" "banIP-${ban_ver%-*}[${$}]" "${log_msg}"
		fi
		if [ "${class}" = "err" ]; then
			f_jsnup "error"
			f_ipset "destroy"
			f_rmbckp
			f_rmtmp
			exit 1
		fi
	fi
}

# kill all relevant background processes
#
f_pidx() {
	local pids ppid="${1}"

	pids="$(pgrep -P "${ppid}" 2>/dev/null | awk '{ORS=" ";print $0}')"
	kill -HUP "${ppid}" "${pids}" 2>/dev/null
	: >"${ban_bgpidfile}"
}

# start log service to trace failed ssh/luci logins
#
f_bgsrv() {
	local bg_pid action="${1}"

	bg_pid="$(cat "${ban_bgpidfile}" 2>/dev/null)"
	if [ "${action}" = "start" ] && [ -x "${ban_logservice}" ] && [ "${ban_monitor_enabled}" = "1" ] && [ "${ban_whitelistonly}" = "0" ]; then
		if [ -n "${bg_pid}" ]; then
			f_pidx "${bg_pid}"
		fi
		if printf "%s\n" "${ban_logterms}" | grep -q "dropbear"; then
			ban_search="Exit before auth from|"
		fi
		if printf "%s\n" "${ban_logterms}" | grep -q "sshd"; then
			ban_search="${ban_search}error: maximum authentication attempts exceeded|sshd.*Connection closed by.*\[preauth\]|"
		fi
		if printf "%s\n" "${ban_logterms}" | grep -q "luci"; then
			ban_search="${ban_search}luci: failed login|"
		fi
		if printf "%s\n" "${ban_logterms}" | grep -q "nginx"; then
			ban_search="${ban_search}nginx\[[0-9]+\]:.*\[error\].*open().*client: [[:alnum:].:]+|"
		fi
		(
			"${ban_logservice}" "${ban_search%?}" &
			printf "%s" "${!}" >"${ban_bgpidfile}"
		)
	elif { [ "${action}" = "stop" ] || [ "${ban_monitor_enabled}" = "0" ]; } && [ -n "${bg_pid}" ]; then
		f_pidx "${bg_pid}"
	fi
	f_log "debug" "f_bgsrv ::: action: ${action:-"-"}, bg_pid (old/new): ${bg_pid}/$(cat "${ban_bgpidfile}" 2>/dev/null), monitor_enabled: ${ban_monitor_enabled:-"-"}, log_service: ${ban_logservice:-"-"}"
}

# download controller
#
f_down() {
	local src_name="${1}" proto="${2}" src_ipver="${3}" src_url="${4}" src_rule="${5}" src_comp="${6}"
	local ip start_ts end_ts src_settype src_log src_rc tmp_load tmp_file tmp_raw tmp_cnt tmp_err

	start_ts="$(date +%s)"
	if printf "%s\n" "${ban_settype_src}" | grep -q "${src_name}"; then
		src_settype="src"
	elif printf "%s\n" "${ban_settype_dst}" | grep -q "${src_name}"; then
		src_settype="dst"
	elif printf "%s\n" "${ban_settype_all}" | grep -q "${src_name}"; then
		src_settype="src+dst"
	else
		src_settype="${ban_global_settype}"
	fi
	src_name="${src_name}_${proto}"
	tmp_load="${ban_tmpfile}.${src_name}.load"
	tmp_file="${ban_tmpfile}.${src_name}.file"
	tmp_raw="${tmp_file}.raw"
	tmp_cnt="${tmp_file}.cnt"
	tmp_err="${tmp_file}.err"

	# 'resume' mode
	#
	if [ "${ban_action}" = "resume" ]; then
		if [ "${src_name%_*}" = "maclist" ]; then
			src_name="maclist"
		fi
		f_ipset "resume"
		src_rc="${?}"
		if [ "${src_rc}" = "0" ]; then
			return
		fi
	fi

	# handle local downloads
	#
	case "${src_name%_*}" in
		"blacklist" | "whitelist")
			printf "%s\n" "0" >"${tmp_cnt}"
			awk "${src_rule}" "${src_url}" >"${tmp_file}"
			src_rc="${?}"
			if [ "${src_rc}" = "0" ]; then
				f_ipset "create"
				if [ ! -f "${tmp_dns}" ] && { { [ "${proto}" = "4" ] && [ "${ban_proto4_enabled}" = "1" ]; } ||
					{ [ "${proto}" = "6" ] && [ "${ban_proto6_enabled}" = "1" ] && [ "${ban_proto4_enabled}" = "0" ]; }; }; then
					tmp_dns="${ban_tmpbase}/${src_name%_*}.dns"
					src_rule="/^([[:alnum:]_-]{1,63}\\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower(\$1)}"
					awk "${src_rule}" "${src_url}" >"${tmp_dns}"
					src_rc="${?}"
					if [ "${src_rc}" = "0" ] && [ -s "${tmp_dns}" ]; then
						("${ban_dnsservice}" "${src_name%_*}" "${tmp_dns}" &)
					else
						rm -f "${tmp_dns}"
					fi
				fi
			else
				f_log "debug" "f_down  ::: name: ${src_name}, url: ${src_url}, rule: ${src_rule}, rc: ${src_rc}"
			fi
			return
			;;
		"maclist")
			src_name="${src_name%_*}"
			tmp_file="${ban_tmpfile}.${src_name}.file"
			tmp_cnt="${tmp_file}.cnt"
			tmp_err="${tmp_file}.err"
			awk "${src_rule}" "${src_url}" >"${tmp_file}"
			src_rc="${?}"
			if [ "${src_rc}" = "0" ]; then
				f_ipset "create"
			else
				f_log "debug" "f_down  ::: name: ${src_name}, url: ${src_url}, rule: ${src_rule}, rc: ${src_rc}"
			fi
			return
			;;
	esac

	# 'refresh' mode
	#
	if [ "${ban_action}" = "refresh" ]; then
		f_ipset "refresh"
		src_rc="${?}"
		if [ "${src_rc}" = "0" ]; then
			return
		fi
	fi

	# 'start' mode
	#
	if [ "${ban_action}" = "start" ]; then
		f_ipset "restore"
	fi
	src_rc="${?}"
	if [ "${src_rc}" = "0" ]; then
		awk "${src_rule}" "${tmp_load}" 2>/dev/null >"${tmp_file}"
		src_rc="${?}"
		if [ "${src_rc}" = "0" ]; then
			f_ipset "create"
			src_rc="${?}"
			if [ "${src_rc}" = "0" ]; then
				return
			fi
		fi
	fi

	# handle country related downloads
	#
	if [ "${src_name%_*}" = "country" ]; then
		for country in ${ban_countries}; do
			src_log="$("${ban_fetchutil}" ${ban_fetchparm} "${tmp_raw}" "${src_url}${country}-aggregated.zone" 2>&1)"
			src_rc="${?}"
			if [ "${src_rc}" = "0" ]; then
				cat "${tmp_raw}" 2>/dev/null >>"${tmp_load}"
			else
				continue
			fi
		done

	# handle asn related downloads
	#
	elif [ "${src_name%_*}" = "asn" ]; then
		for asn in ${ban_asns}; do
			src_log="$("${ban_fetchutil}" ${ban_fetchparm} "${tmp_raw}" "${src_url}AS${asn}" 2>&1)"
			src_rc="${?}"
			if [ "${src_rc}" = "0" ]; then
				cat "${tmp_raw}" 2>/dev/null >>"${tmp_load}"
			else
				continue
			fi
		done

	# handle compressed downloads
	#
	elif [ -n "${src_comp}" ]; then
		case "${src_comp}" in
			"gz")
				src_log="$("${ban_fetchutil}" ${ban_fetchparm} "${tmp_raw}" "${src_url}" 2>&1)"
				src_rc="${?}"
				if [ "${src_rc}" -eq 0 ]; then
					zcat "${tmp_raw}" 2>/dev/null >"${tmp_load}"
					src_rc="${?}"
				fi
				;;
		esac

	# handle normal downloads
	#
	else
		src_log="$("${ban_fetchutil}" ${ban_fetchparm} "${tmp_load}" "${src_url}" 2>&1)"
		src_rc="${?}"
	fi

	# download post-processing
	#
	if [ "${src_rc}" = "0" ]; then
		f_ipset "backup"
		src_rc="${?}"
	elif [ "${ban_action}" != "start" ] && [ "${ban_action}" != "refresh" ]; then
		f_ipset "restore"
		src_rc="${?}"
	fi
	if [ "${src_rc}" = "0" ]; then
		awk "${src_rule}" "${tmp_load}" 2>/dev/null >"${tmp_file}"
		src_rc="${?}"
		if [ "${src_rc}" = "0" ]; then
			f_ipset "create"
			src_rc="${?}"
		elif [ "${ban_action}" != "refresh" ]; then
			f_ipset "refresh"
			src_rc="${?}"
		fi
	else
		src_log="$(printf "%s" "${src_log}" | awk '{ORS=" ";print $0}')"
		if [ "${ban_action}" != "refresh" ]; then
			f_ipset "refresh"
			src_rc="${?}"
		fi
		f_log "debug" "f_down  ::: name: ${src_name}, url: ${src_url}, rule: ${src_rule}, rc: ${src_rc}, log: ${src_log:-"-"}"
	fi
}

# main controller
#
f_main() {
	local src_name src_url_4 src_rule_4 src_url_6 src_rule_6 src_comp src_rc src_ts log_raw log_merge log_ips log_count hold err_file cnt_file cnt=0

	# prepare logfile excerpts
	#
	if [ "${ban_autoblacklist}" = "1" ] || [ "${ban_monitor_enabled}" = "1" ]; then
		log_raw="$(${ban_logread_cmd} -l "${ban_loglimit}")"
		if printf "%s\n" "${ban_logterms}" | grep -q "dropbear"; then
			log_ips="$(printf "%s\n" "${log_raw}" | grep -E "Exit before auth from" |
				awk 'match($0,/<[0-9A-f:\.]+:/){printf "%s\n",substr($0,RSTART+1,RLENGTH-2)}' | awk '!seen[$NF]++' | awk '{ORS=" ";print $NF}')"
			for ip in ${log_ips}; do
				log_count="$(printf "%s\n" "${log_raw}" | grep -cE "Exit before auth from <${ip}")"
				if [ "${log_count}" -ge "${ban_ssh_logcount}" ]; then
					log_merge="${log_merge} ${ip}"
				fi
			done
		fi
		if printf "%s\n" "${ban_logterms}" | grep -q "sshd"; then
			log_ips="$(printf "%s\n" "${log_raw}" | grep -E "error: maximum authentication attempts exceeded|sshd.*Connection closed by.*\[preauth\]" |
				awk 'match($0,/[0-9A-f:\.]+ port/){printf "%s\n",substr($0,RSTART,RLENGTH-5)}' | awk '!seen[$NF]++' | awk '{ORS=" ";print $NF}')"
			for ip in ${log_ips}; do
				log_count="$(printf "%s\n" "${log_raw}" | grep -cE "error: maximum authentication attempts exceeded.*${ip}|sshd.*Connection closed by.*${ip}.*\[preauth\]")"
				if [ "${log_count}" -ge "${ban_ssh_logcount}" ]; then
					log_merge="${log_merge} ${ip}"
				fi
			done
		fi
		if printf "%s\n" "${ban_logterms}" | grep -q "luci"; then
			log_ips="$(printf "%s\n" "${log_raw}" | grep -E "luci: failed login on " |
				awk 'match($0,/[0-9A-f:\.]+$/){printf "%s\n",substr($0,RSTART,RLENGTH)}' | awk '!seen[$NF]++' | awk '{ORS=" ";print $NF}')"
			for ip in ${log_ips}; do
				log_count="$(printf "%s\n" "${log_raw}" | grep -cE "luci: failed login on .*from ${ip}")"
				if [ "${log_count}" -ge "${ban_luci_logcount}" ]; then
					log_merge="${log_merge} ${ip}"
				fi
			done
		fi
		if printf "%s\n" "${ban_logterms}" | grep -q "nginx"; then
			log_ips="$(printf "%s\n" "${log_raw}" | grep -oE "nginx(\[[0-9]+\])?:.*\[error\].*open\(\).*client: [[:alnum:].:]+" |
				awk '!seen[$NF]++' | awk '{ORS=" ";print $NF}')"
			for ip in ${log_ips}; do
				log_count="$(printf "%s\n" "${log_raw}" | grep -cE "nginx(\[[0-9]+\])?:.*\[error\].*open\(\).*client: ${ip}")"
				if [ "${log_count}" -ge "${ban_nginx_logcount}" ]; then
					log_merge="${log_merge} ${ip}"
				fi
			done
		fi
	fi

	# prepare new black- and whitelist entries
	#
	if [ "${ban_autowhitelist}" = "1" ] && [ -f "${ban_whitelist}" ]; then
		for ip in ${ban_subnets}; do
			if ! grep -q "${ip}" "${ban_whitelist}"; then
				src_ts="# added on $(date "+%d.%m.%Y %H:%M:%S")"
				printf "%-42s%s\n" "${ip}" "${src_ts}" >>"${ban_whitelist}"
				f_log "info" "IP address '${ip}' added to whitelist"
			fi
		done
	fi
	if [ "${ban_autoblacklist}" = "1" ] && [ -f "${ban_blacklist}" ]; then
		for ip in ${log_merge}; do
			if ! grep -q "${ip}" "${ban_blacklist}"; then
				src_ts="# added on $(date "+%d.%m.%Y %H:%M:%S")"
				printf "%-42s%s\n" "${ip}" "${src_ts}" >>"${ban_blacklist}"
				f_log "info" "IP address '${ip}' added to blacklist"
			fi
		done
	fi

	# initial ipset/iptables creation
	#
	if ! f_ipset "initial"; then
		f_log "err" "banIP processing failed, fatal error during ipset/iptables creation (${ban_sysver})"
	fi

	# load local source files (maclist, blacklist, whitelist)
	#
	for src_name in ${ban_localsources}; do
		if [ "${src_name}" = "maclist" ] && [ -s "${ban_maclist}" ]; then
			(
				src_rule_4="/^([0-9A-z][0-9A-z]:){5}[0-9A-z]{2}([[:space:]]|$)/{print \"add ${src_name} \"toupper(\$1)}"
				f_down "${src_name}" "mac" "mac" "${ban_maclist}" "${src_rule_4}"
			) &
		fi
		if [ "${ban_proto4_enabled}" = "1" ]; then
			if [ "${src_name}" = "blacklist" ] && [ -s "${ban_blacklist}" ] && [ "${ban_whitelistonly}" = "0" ]; then
				(
					src_rule_4="/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add ${src_name}_4 \"\$1}"
					f_down "${src_name}" "4" "inet" "${ban_blacklist}" "${src_rule_4}"
				) &
			elif [ "${src_name}" = "whitelist" ] && [ -s "${ban_whitelist}" ]; then
				(
					src_rule_4="/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add ${src_name}_4 \"\$1}"
					f_down "${src_name}" "4" "inet" "${ban_whitelist}" "${src_rule_4}"
				) &
			fi
		else
			(
				src_name="${src_name}_4"
				f_ipset "flush"
			) &
		fi
		if [ "${ban_proto6_enabled}" = "1" ]; then
			if [ "${src_name}" = "blacklist" ] && [ -s "${ban_blacklist}" ] && [ "${ban_whitelistonly}" = "0" ]; then
				(
					src_rule_6="/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{print \"add ${src_name}_6 \"\$1}"
					f_down "${src_name}" "6" "inet6" "${ban_blacklist}" "${src_rule_6}"
				) &
			elif [ "${src_name}" = "whitelist" ] && [ -s "${ban_whitelist}" ]; then
				(
					src_rule_6="/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{print \"add ${src_name}_6 \"\$1}"
					f_down "${src_name}" "6" "inet6" "${ban_whitelist}" "${src_rule_6}"
				) &
			fi
		else
			(
				src_name="${src_name}_6"
				f_ipset "flush"
			) &
		fi
	done
	wait

	# loop over all external sources
	#
	if [ "${ban_whitelistonly}" = "0" ]; then
		for src_name in ${ban_sources}; do
			# get source data from JSON file
			#
			if ! json_select "${src_name}" >/dev/null 2>&1; then
				continue
			fi
			json_objects="url_4 rule_4 url_6 rule_6 comp"
			for object in ${json_objects}; do
				eval json_get_var src_${object} '${object}' >/dev/null 2>&1
			done
			json_select ..

			# handle external IPv4 source downloads in a subshell
			#
			if [ "${ban_proto4_enabled}" = "1" ] && [ -n "${src_url_4}" ] && [ -n "${src_rule_4}" ]; then
				(
					f_down "${src_name}" "4" "inet" "${src_url_4}" "${src_rule_4}" "${src_comp}"
				) &
			fi

			# handle external IPv6 source downloads in a subshell
			#
			if [ "${ban_proto6_enabled}" = "1" ] && [ -n "${src_url_6}" ] && [ -n "${src_rule_6}" ]; then
				(
					f_down "${src_name}" "6" "inet6" "${src_url_6}" "${src_rule_6}" "${src_comp}"
				) &
			fi

			# control/limit download queues
			#
			hold=$((cnt % ban_maxqueue))
			if [ "${hold}" = "0" ]; then
				wait
			fi
			cnt=$((cnt + 1))
		done
		wait
	fi

	# error out
	#
	for err_file in "${ban_tmpfile}."*".err"; do
		if [ -f "${err_file}" ]; then
			f_log "err" "banIP processing failed, fatal iptables errors during subshell processing (${ban_sysver})"
		fi
	done

	# finish processing
	#
	ban_sources=""
	for cnt_file in "${ban_tmpfile}."*".cnt"; do
		if [ -f "${cnt_file}" ]; then
			read -r cnt <"${cnt_file}"
			ban_cnt=$((ban_cnt + cnt))
			ban_setcnt=$((ban_setcnt + 1))
			src_name="$(printf "%s" "${cnt_file}" | grep -Eo "[a-z0-9_]+.file.cnt")"
			src_name="${src_name%%.*}"
			if ! printf "%s" "${ban_sources}" | grep -q "${src_name%_*}"; then
				ban_sources="${ban_sources} ${src_name%_*}"
				ban_allsources="${ban_allsources//${src_name%_*}/}"
			fi
		fi
	done
	for src_name in ${ban_allsources}; do
		if [ "${src_name}" = "maclist" ]; then
			f_ipset "flush"
		else
			for proto in "4" "6"; do
				src_name="${src_name%_*}_${proto}"
				f_ipset "flush"
				if [ "${src_name%_*}" != "blacklist" ] && [ "${src_name%_*}" != "whitelist" ]; then
					f_ipset "remove"
				fi
			done
		fi
	done
	f_log "info" "${ban_setcnt} IPSets with overall ${ban_cnt} IPs/Prefixes loaded successfully (${ban_sysver})"
	f_jsnup
	f_rmtmp
	f_bgsrv "start"
}

# query ipsets for certain IP
#
f_query() {
	local src proto result query_start query_end query_timeout="30" match="0" search="${1}"

	if [ -z "${search}" ]; then
		printf "%s\n" "::: missing search term, please submit a single ip or mac address :::"
	else
		query_start="$(date "+%s")"
		printf "%s\n%s\n%s\n" ":::" "::: search '${search}' in banIP related IPSets" ":::"

		for src in ${ban_localsources} ${ban_sources} ${ban_extrasources}; do
			if [ "${src}" = "maclist" ] && [ -n "$("${ban_ipset_cmd}" -q -n list "${src}")" ]; then
				result="$(
					ipset -q test ${src} ${search} >/dev/null 2>&1
					printf "%u" "${?}"
				)"
				if [ "${result}" = "0" ]; then
					match="1"
					printf "%s\n" "  - found in IPSet '${src}'"
					break
				fi
			else
				for proto in "4" "6"; do
					if [ -n "$("${ban_ipset_cmd}" -q -n list "${src}_${proto}")" ]; then
						result="$(
							ipset -q test ${src}_${proto} ${search} >/dev/null 2>&1
							printf "%u" "${?}"
						)"
						if [ "${result}" = "0" ]; then
							match="1"
							printf "%s\n" "  - found in IPSet '${src}_${proto}'"
						fi
					fi
				done
			fi
			query_end="$(date "+%s")"
			if [ "$((query_end - query_start))" -gt "${query_timeout}" ]; then
				printf "%s\n\n" "  - [...]"
				break
			fi
		done
		if [ "${match}" = "0" ]; then
			printf "%s\n\n" "  - no match"
		fi
	fi
}

# generate statistics
#
f_report() {
	local report_json report_txt bg_pid content proto src src_list detaillist type jsnval jsnvals jsnval1 jsnval2 jsnval3 jsnval4 jsnval5 jsnval6 jsnval7
	local cnt cnt_mac cnt_cidr cnt_ip cnt_acc cnt_sum="0" cnt_set_sum="1" cnt_acc_sum="0" cnt_mac_sum="0" cnt_ip_sum="0" cnt_cidr_sum="0" cnt_set_sum="0" action="${1}"

	report_json="${ban_reportdir}/ban_report.json"
	report_txt="${ban_reportdir}/ban_mailreport.txt"

	# build json file
	#
	if [ "${action}" != "json" ] && { "${ban_ipt4_savecmd}" | grep -q " ${ban_chain} " || "${ban_ipt6_savecmd}" | grep -q " ${ban_chain} "; }; then
		: >"${report_json}"
		printf "%s\n" "{" >>"${report_json}"
		printf "%s\n" '"ipsets": {' >>"${report_json}"
		for src in ${ban_localsources} ${ban_sources} ${ban_extrasources}; do
			if printf "%s" "${ban_extrasources}" | grep -q "${src}"; then
				set_type="n/a"
			else
				if printf "%s\n" "${ban_settype_src}" | grep -q "${src}"; then
					set_type="src"
				elif printf "%s\n" "${ban_settype_dst}" | grep -q "${src}"; then
					set_type="dst"
				elif printf "%s\n" "${ban_settype_all}" | grep -q "${src}"; then
					set_type="src+dst"
				else
					set_type="${ban_global_settype}"
				fi
			fi
			if [ "${src}" = "maclist" ]; then
				src_list="$("${ban_ipset_cmd}" -q list "${src}")"
				if [ -n "${src_list}" ]; then
					cnt="$(printf "%s" "${src_list}" | awk '/^Number of entries:/{print $4}')"
					cnt_acc="$(printf "%s" "${src_list}" | grep -cE "packets [1-9]+")"
					cnt_acc_sum=$((cnt_acc_sum + cnt_acc))
					cnt_mac_sum="${cnt}"
					cnt_sum=$((cnt_sum + cnt))
					{
						if [ "${cnt_set_sum}" != "0" ]; then
							printf "%s\n" ","
						fi
						printf "\t%s\n" "\"${src}\": {"
						printf "\t\t%s\n" "\"type\": \"${set_type}\","
						printf "\t\t%s\n" "\"count\": \"${cnt}\","
						printf "\t\t%s\n" '"count_ip": "0",'
						printf "\t\t%s\n" '"count_cidr": "0",'
						printf "\t\t%s\n" "\"count_mac\": \"${cnt}\","
						printf "\t\t%s" "\"count_acc\": \"${cnt_acc}\""
						printf ",\n\t\t%s" '"member_acc": ['
						printf "%s" "${src_list}" | awk 'match($0,/ packets [1-9]+/){printf "%s %s\n",$1,substr($0,RSTART+9,RLENGTH-9)}' |
							awk 'BEGIN{i=0};{i=i+1;if(i==1){printf "{\n\t\t\t\"member\": \"%s\",\n\t\t\t\"packets\": \"%s\"\n\t\t}",$1,$2}
								else{printf ",\n\t\t{\n\t\t\t\"member\": \"%s\",\n\t\t\t\"packets\": \"%s\"\n\t\t}",$1,$2}}'
						printf "%s\n" "]"
						printf "\t%s" "}"
					} >>"${report_json}"
					cnt_set_sum=$((cnt_set_sum + 1))
				fi
			else
				for proto in "4" "6"; do
					src_list="$("${ban_ipset_cmd}" -q list "${src}_${proto}")"
					if [ -n "${src_list}" ]; then
						cnt="$(printf "%s\n" "${src_list}" | awk '/^Number of entries:/{print $4}')"
						cnt_cidr="$(printf "%s\n" "${src_list}" | grep -cE "/[0-9]{1,3} ")"
						cnt_ip=$((cnt - cnt_cidr - cnt_mac))
						cnt_acc="$(printf "%s\n" "${src_list}" | grep -cE "packets [1-9]+")"
						cnt_cidr_sum=$((cnt_cidr_sum + cnt_cidr))
						cnt_ip_sum=$((cnt_ip_sum + cnt_ip))
						cnt_acc_sum=$((cnt_acc_sum + cnt_acc))
						cnt_sum=$((cnt_sum + cnt))
						{
							if [ "${cnt_set_sum}" != "0" ]; then
								printf "%s\n" ","
							fi
							printf "\t%s\n" "\"${src}_${proto}\": {"
							printf "\t\t%s\n" "\"type\": \"${set_type}\","
							printf "\t\t%s\n" "\"count\": \"${cnt}\","
							printf "\t\t%s\n" "\"count_ip\": \"${cnt_ip}\","
							printf "\t\t%s\n" "\"count_cidr\": \"${cnt_cidr}\","
							printf "\t\t%s\n" '"count_mac": "0",'
							printf "\t\t%s" "\"count_acc\": \"${cnt_acc}\""
							printf ",\n\t\t%s" '"member_acc": ['
							printf "%s" "${src_list}" | awk 'match($0,/ packets [1-9]+/){printf "%s %s\n",$1,substr($0,RSTART+9,RLENGTH-9)}' |
								awk 'BEGIN{i=0};{i=i+1;if(i==1){printf "{\n\t\t\t\"member\": \"%s\",\n\t\t\t\"packets\": \"%s\"\n\t\t}",$1,$2}
									else{printf ",\n\t\t{\n\t\t\t\"member\": \"%s\",\n\t\t\t\"packets\": \"%s\"\n\t\t}",$1,$2}}'
							printf "%s\n" "]"
							printf "\t%s" "}"
						} >>"${report_json}"
						cnt_set_sum=$((cnt_set_sum + 1))
					fi
				done
			fi
		done
		{
			printf "\n%s" "}"
			printf ",\n%s\n" "\"timestamp\": \"$(date "+%d.%m.%Y %H:%M:%S")\","
			printf "%s\n" "\"cnt_set_sum\": \"${cnt_set_sum}\","
			printf "%s\n" "\"cnt_ip_sum\": \"${cnt_ip_sum}\","
			printf "%s\n" "\"cnt_cidr_sum\": \"${cnt_cidr_sum}\","
			printf "%s\n" "\"cnt_mac_sum\": \"${cnt_mac_sum}\","
			printf "%s\n" "\"cnt_sum\": \"${cnt_sum}\","
			printf "%s\n" "\"cnt_acc_sum\": \"${cnt_acc_sum}\""
			printf "%s\n" "}"
		} >>"${report_json}"
	fi

	# output preparation
	#
	if [ -s "${report_json}" ] && { [ "${action}" = "cli" ] || [ "${action}" = "mail" ]; }; then
		: >"${report_txt}"
		json_init
		if json_load_file "${report_json}" >/dev/null 2>&1; then
			json_get_var jsnval1 "timestamp" >/dev/null 2>&1
			json_get_var jsnval2 "cnt_set_sum" >/dev/null 2>&1
			json_get_var jsnval3 "cnt_sum" >/dev/null 2>&1
			json_get_var jsnval4 "cnt_ip_sum" >/dev/null 2>&1
			json_get_var jsnval5 "cnt_cidr_sum" >/dev/null 2>&1
			json_get_var jsnval6 "cnt_mac_sum" >/dev/null 2>&1
			json_get_var jsnval7 "cnt_acc_sum" >/dev/null 2>&1
			{
				printf "%s\n%s\n%s\n" ":::" "::: report on all banIP related IPSets" ":::"
				printf "  + %s\n" "Report timestamp           ::: ${jsnval1:-"-"}"
				printf "  + %s\n" "Number of all IPSets       ::: ${jsnval2:-"0"}"
				printf "  + %s\n" "Number of all entries      ::: ${jsnval3:-"0"}"
				printf "  + %s\n" "Number of IP entries       ::: ${jsnval4:-"0"}"
				printf "  + %s\n" "Number of CIDR entries     ::: ${jsnval5:-"0"}"
				printf "  + %s\n" "Number of MAC entries      ::: ${jsnval6:-"0"}"
				printf "  + %s\n" "Number of accessed entries ::: ${jsnval7:-"0"}"
			} >>"${report_txt}"

			json_select "ipsets"
			json_get_keys ipsetlist
			if [ -n "${ipsetlist}" ]; then
				{
					printf "%s\n%s\n%s\n" ":::" "::: IPSet details" ":::"
					printf "%-25s%-12s%-11s%-10s%-10s%-10s%-10s%s\n" "    Name" "Type" "Count" "Cnt_IP" "Cnt_CIDR" "Cnt_MAC" "Cnt_ACC" "Entry details (Entry/Count)"
					printf "%s\n" "    --------------------------------------------------------------------------------------------------------------------"
				} >>"${report_txt}"
			fi
			for ipset in ${ipsetlist}; do
				set_info="${ipset}"
				acc_info=""
				json_select "${ipset}"
				json_get_keys detaillist
				for detail in ${detaillist}; do
					if [ "${detail}" != "member_acc" ]; then
						json_get_var jsnval "${detail}" >/dev/null 2>&1
						set_info="${set_info} ${jsnval}"
					elif [ "${detail}" = "member_acc" ]; then
						index=1
						json_select "${detail}"
						while json_get_type type "${index}" && [ "${type}" = "object" ]; do
							json_get_values jsnvals "${index}" >/dev/null 2>&1
							acc_info="${acc_info} ${jsnvals}"
							index=$((index + 1))
						done
						json_select ".."
					fi
				done
				{
					printf "    %-21s%-12s%-11s%-10s%-10s%-10s%s\n" ${set_info}
					if [ -n "${acc_info}" ]; then
						printf "                                                                                        %-25s%s\n" ${acc_info}
					fi
					printf "%s\n" "    --------------------------------------------------------------------------------------------------------------------"
				} >>"${report_txt}"
				json_select ".."
			done
			content="$(cat "${report_txt}" 2>/dev/null)"
			rm -f "${report_txt}"
		fi
	fi

	# report output
	#
	if [ "${action}" = "cli" ]; then
		printf "%s\n" "${content}"
	elif [ "${action}" = "json" ]; then
		cat "${ban_reportdir}/ban_report.json"
	elif [ "${action}" = "mail" ] && [ "${ban_mail_enabled}" = "1" ] && [ -x "${ban_mailservice}" ]; then
		("${ban_mailservice}" "${content}" >/dev/null 2>&1) &
		bg_pid="${!}"
	fi
	f_log "debug" "f_report ::: action: ${action}, report_json: ${report_json}, report_txt: ${report_txt}, bg_pid: ${bg_pid:-"-"}"
}

# update runtime information
#
f_jsnup() {
	local memory entry runtime cnt_info status="${1:-"enabled"}"

	if [ "${status}" = "enabled" ] || [ "${status}" = "error" ]; then
		ban_endtime="$(date "+%s")"
		cnt_info="${ban_setcnt} IPSets with ${ban_cnt} IPs/Prefixes"
		memory="$(awk '/^MemTotal|^MemFree|^MemAvailable/{ORS="/"; print int($2/1000)}' "/proc/meminfo" 2>/dev/null | awk '{print substr($0,1,length($0)-1)}')"
		if [ "$(((ban_endtime - ban_starttime) / 60))" -lt "60" ]; then
			runtime="${ban_action}, $(((ban_endtime - ban_starttime) / 60))m $(((ban_endtime - ban_starttime) % 60))s, ${memory:-0}, $(date "+%d.%m.%Y %H:%M:%S")"
		else
			runtime="${ban_action}, n/a, ${memory:-0}, $(date "+%d.%m.%Y %H:%M:%S")"
		fi
	fi

	: >"${ban_rtfile}"
	json_init
	json_load_file "${ban_rtfile}" >/dev/null 2>&1
	json_add_string "status" "${status}"
	json_add_string "version" "${ban_ver}"
	json_add_string "ipset_info" "${cnt_info:-"-"}"
	json_add_array "active_sources"
	if [ "${status}" = "running" ] || [ "${status}" = "error" ]; then
		json_add_object
		json_add_string "source" "-"
		json_close_object
	else
		for entry in ${ban_sources}; do
			json_add_object
			json_add_string "source" "${entry}"
			json_close_object
		done
	fi
	json_close_array
	json_add_array "active_devs"
	for entry in ${ban_devs}; do
		json_add_object
		json_add_string "dev" "${entry}"
		json_close_object
	done
	json_close_array
	json_add_array "active_ifaces"
	for entry in ${ban_ifaces}; do
		json_add_object
		json_add_string "iface" "${entry}"
		json_close_object
	done
	json_close_array
	json_add_array "active_logterms"
	for entry in ${ban_logterms}; do
		json_add_object
		json_add_string "term" "${entry}"
		json_close_object
	done
	json_close_array
	json_add_array "active_subnets"
	for entry in ${ban_subnets}; do
		json_add_object
		json_add_string "subnet" "${entry}"
		json_close_object
	done
	json_close_array
	json_add_string "run_infos" "settype: ${ban_global_settype}, backup_dir: ${ban_backupdir}, report_dir: ${ban_reportdir}"
	json_add_string "run_flags" "protocols (4/6): $(f_char ${ban_proto4_enabled})/$(f_char ${ban_proto6_enabled}), log (src/dst): $(f_char ${ban_logsrc_enabled})/$(f_char ${ban_logdst_enabled}), monitor: $(f_char ${ban_monitor_enabled}), mail: $(f_char ${ban_mail_enabled}), whitelist only: $(f_char ${ban_whitelistonly})"
	json_add_string "last_run" "${runtime:-"-"}"
	json_add_string "system" "${ban_sysver}"
	json_dump >"${ban_rtfile}"

	if [ "${ban_mail_enabled}" = "1" ] && [ -x "${ban_mailservice}" ] && { [ "${status}" = "error" ] ||
		{ [ "${status}" = "enabled" ] && { [ -z "${ban_mailactions}" ] || printf "%s\n" "${ban_mailactions}" | grep -q "${ban_action}"; }; }; }; then
		("${ban_mailservice}" "${ban_ver}" >/dev/null 2>&1) &
		bg_pid="${!}"
	fi
	f_log "debug" "f_jsnup ::: status: ${status:-"-"}, action: ${ban_action}, mail_enabled: ${ban_mail_enabled}, mail_actions: ${ban_mailactions}, mail_service: ${ban_mailservice}, mail_pid: ${bg_pid:-"-"}"
}

# source required system libraries
#
if [ -r "/lib/functions.sh" ] && [ -r "/lib/functions/network.sh" ] && [ -r "/usr/share/libubox/jshn.sh" ]; then
	. "/lib/functions.sh"
	. "/lib/functions/network.sh"
	. "/usr/share/libubox/jshn.sh"
else
	f_log "err" "system libraries not found"
fi

if [ "${ban_action}" = "suspend" ] || [ "${ban_action}" = "resume" ] ||
	[ "${ban_action}" = "report" ] || [ "${ban_action}" = "query" ]; then
	json_init
	json_load_file "${ban_rtfile}" >/dev/null 2>&1
	json_get_var ban_status "status"
fi

# handle different banIP actions
#
f_load
case "${ban_action}" in
	"stop")
		f_bgsrv "stop"
		f_ipset "destroy"
		f_jsnup "stopped"
		f_rmbckp
		;;
	"restart")
		f_ipset "destroy"
		f_rmbckp
		f_env
		f_main
		;;
	"suspend")
		if [ "${ban_status}" = "enabled" ] && [ "${ban_whitelistonly}" = "0" ]; then
			f_bgsrv "stop"
			f_jsnup "running"
			f_ipset "suspend"
			f_jsnup "paused"
		fi
		f_rmtmp
		;;
	"resume")
		if [ "${ban_status}" = "paused" ] && [ "${ban_whitelistonly}" = "0" ]; then
			f_env
			f_main
		else
			f_rmtmp
		fi
		;;
	"query")
		if [ "${ban_status}" = "enabled" ]; then
			f_query "${2}"
		fi
		;;
	"report")
		if [ "${ban_status}" = "enabled" ] || [ "${2}" = "json" ]; then
			f_report "${2}"
		fi
		;;
	"start" | "reload" | "refresh")
		f_env
		f_main
		;;
esac