Difuse/packages
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

banip: update 0.3.7

Browse source 
* fix a logical glitch in the hotplug event handler
* properly handle fatal iptables errors - even in subshells

Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 49b43b81e8)
This commit is contained in:
Dirk Brenken 2019-11-08 18:40:30 +01:00
parent 848589d758
commit 7a1f32f704
No known key found for this signature in database
GPG key ID: 9D71CD547BFAE684
3 changed files with 51 additions and 26 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
net/banip/Makefile
View file

@ -6,7 +6,7 @@
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=banip PKG_NAME:=banip
PKG_VERSION:=0.3.6 PKG_VERSION:=0.3.7
PKG_RELEASE:=1 PKG_RELEASE:=1
PKG_LICENSE:=GPL-3.0-or-later PKG_LICENSE:=GPL-3.0-or-later
PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org> PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>

9
net/banip/files/banip.hotplug
View file

@ -1,11 +1,12 @@
#!/bin/sh #!/bin/sh
# #
[ "${ACTION}" != "add" ] && exit 0
ban_pidfile="/var/run/banip.pid" ban_pidfile="/var/run/banip.pid"
ban_enabled="$(/etc/init.d/banip enabled; printf "%u" "${?}")" ban_enabled="$(/etc/init.d/banip enabled; printf "%u" "${?}")"
if [ "${ban_enabled}" = "0" ] && [ ! -s "${ban_pidfile}" ]
if [ "${ban_enabled}" = "1" ] || [ ! -f "${ban_pidfile}" ] || [ -s "${ban_pidfile}" ] || [ "${ACTION}" != "add" ]
then then
exit 0
else
/etc/init.d/banip refresh /etc/init.d/banip refresh
fi fi
exit 0

66
net/banip/files/banip.sh
View file

@ -13,7 +13,7 @@
# #
LC_ALL=C LC_ALL=C
PATH="/usr/sbin:/usr/bin:/sbin:/bin" PATH="/usr/sbin:/usr/bin:/sbin:/bin"
ban_ver="0.3.6" ban_ver="0.3.7"
ban_basever="" ban_basever=""
ban_enabled=0 ban_enabled=0
ban_automatic="1" ban_automatic="1"
@ -341,7 +341,7 @@ f_iptrule()
if { [ "${rc}" -ne 0 ] && { [ "${action}" = "-A" ] || [ "${action}" = "-I" ]; } } || \ if { [ "${rc}" -ne 0 ] && { [ "${action}" = "-A" ] || [ "${action}" = "-I" ]; } } || \
{ [ "${rc}" -eq 0 ] && [ "${action}" = "-D" ]; } { [ "${rc}" -eq 0 ] && [ "${action}" = "-D" ]; }
then then
"${ban_ipt6}" "${timeout}" "${action}" ${rule} "${ban_ipt6}" "${timeout}" "${action}" ${rule} 2>/dev/null
fi fi
fi fi
else else
@ -352,10 +352,15 @@ f_iptrule()
if { [ "${rc}" -ne 0 ] && { [ "${action}" = "-A" ] || [ "${action}" = "-I" ]; } } || \ if { [ "${rc}" -ne 0 ] && { [ "${action}" = "-A" ] || [ "${action}" = "-I" ]; } } || \
{ [ "${rc}" -eq 0 ] && [ "${action}" = "-D" ]; } { [ "${rc}" -eq 0 ] && [ "${action}" = "-D" ]; }
then then
"${ban_ipt}" "${timeout}" "${action}" ${rule} "${ban_ipt}" "${timeout}" "${action}" ${rule} 2>/dev/null
fi fi
fi fi
fi fi
if [ "${?}" -ne 0 ]
then
> "${tmp_err}"
f_log "info" "can't create iptables rule: action: '${action:-"-"}', rule: '${rule:-"-"}'"
fi
} }
# remove/add iptables rules # remove/add iptables rules
@ -455,7 +460,8 @@ f_ipset()
"initial") "initial")
if [ -x "${ban_ipt}" ] && [ -z "$("${ban_ipt}" "${timeout}" -nL "${ban_chain}" 2>/dev/null)" ] if [ -x "${ban_ipt}" ] && [ -z "$("${ban_ipt}" "${timeout}" -nL "${ban_chain}" 2>/dev/null)" ]
then then
"${ban_ipt}" "${timeout}" -N "${ban_chain}" "${ban_ipt}" "${timeout}" -N "${ban_chain}" 2>/dev/null
out_rc="${?}"
elif [ -x "${ban_ipt}" ] elif [ -x "${ban_ipt}" ]
then then
src_name="ruleset" src_name="ruleset"
@ -467,7 +473,8 @@ f_ipset()
fi fi
if [ -x "${ban_ipt6}" ] && [ -z "$("${ban_ipt6}" "${timeout}" -nL "${ban_chain}" 2>/dev/null)" ] if [ -x "${ban_ipt6}" ] && [ -z "$("${ban_ipt6}" "${timeout}" -nL "${ban_chain}" 2>/dev/null)" ]
then then
"${ban_ipt6}" "${timeout}" -N "${ban_chain}" "${ban_ipt6}" "${timeout}" -N "${ban_chain}" 2>/dev/null
out_rc="${?}"
elif [ -x "${ban_ipt6}" ] elif [ -x "${ban_ipt6}" ]
then then
src_name="ruleset_6" src_name="ruleset_6"
@ -477,7 +484,9 @@ f_ipset()
f_iptrule "-D" "${rule} -j ${ban_chain}" f_iptrule "-D" "${rule} -j ${ban_chain}"
done done
fi fi
f_log "debug" "f_ipset ::: name: -, mode: ${mode:-"-"}, chain: ${ban_chain:-"-"}, ruleset: ${ruleset:-"-"}, ruleset_6: ${ruleset_6:-"-"}" out_rc="${out_rc:-"${in_rc}"}"
f_log "debug" "f_ipset ::: name: -, mode: ${mode:-"-"}, chain: ${ban_chain:-"-"}, ruleset: ${ruleset:-"-"}, ruleset_6: ${ruleset_6:-"-"}, out_rc: ${out_rc}"
return "${out_rc}"
;; ;;
"create") "create")
if [ -x "${ban_ipset}" ] if [ -x "${ban_ipset}" ]
@ -508,6 +517,7 @@ f_ipset()
end_ts="$(date +%s)" end_ts="$(date +%s)"
out_rc="${out_rc:-"${in_rc}"}" out_rc="${out_rc:-"${in_rc}"}"
f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}, settype: ${src_settype:-"-"}, setipv: ${src_setipv:-"-"}, ruletype: ${src_ruletype:-"-"}, count(sum/ip/cidr): ${cnt}/${cnt_ip}/${cnt_cidr}, time: $((end_ts-start_ts)), out_rc: ${out_rc}" f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}, settype: ${src_settype:-"-"}, setipv: ${src_setipv:-"-"}, ruletype: ${src_ruletype:-"-"}, count(sum/ip/cidr): ${cnt}/${cnt_ip}/${cnt_cidr}, time: $((end_ts-start_ts)), out_rc: ${out_rc}"
return "${out_rc}"
;; ;;
"refresh") "refresh")
if [ -x "${ban_ipset}" ] && [ -n "$("${ban_ipset}" -q -n list "${src_name}")" ] if [ -x "${ban_ipset}" ] && [ -n "$("${ban_ipset}" -q -n list "${src_name}")" ]
@ -543,15 +553,15 @@ f_ipset()
[ -n "$("${ban_ipt}" "${timeout}" -nL "${ban_chain}" 2>/dev/null)" ] [ -n "$("${ban_ipt}" "${timeout}" -nL "${ban_chain}" 2>/dev/null)" ]
then then
"${ban_ipt_save}" | grep -v -- "-j ${ban_chain}" | "${ban_ipt_restore}" "${ban_ipt_save}" | grep -v -- "-j ${ban_chain}" | "${ban_ipt_restore}"
"${ban_ipt}" "${timeout}" -F "${ban_chain}" "${ban_ipt}" "${timeout}" -F "${ban_chain}" 2>/dev/null
"${ban_ipt}" "${timeout}" -X "${ban_chain}" "${ban_ipt}" "${timeout}" -X "${ban_chain}" 2>/dev/null
fi fi
if [ -x "${ban_ipt6}" ] && [ -x "${ban_ipt6_save}" ] && [ -x "${ban_ipt6_restore}" ] && \ if [ -x "${ban_ipt6}" ] && [ -x "${ban_ipt6_save}" ] && [ -x "${ban_ipt6_restore}" ] && \
[ -n "$("${ban_ipt6}" "${timeout}" -nL "${ban_chain}" 2>/dev/null)" ] [ -n "$("${ban_ipt6}" "${timeout}" -nL "${ban_chain}" 2>/dev/null)" ]
then then
"${ban_ipt6_save}" | grep -v -- "-j ${ban_chain}" | "${ban_ipt6_restore}" "${ban_ipt6_save}" | grep -v -- "-j ${ban_chain}" | "${ban_ipt6_restore}"
"${ban_ipt6}" "${timeout}" -F "${ban_chain}" "${ban_ipt6}" "${timeout}" -F "${ban_chain}" 2>/dev/null
"${ban_ipt6}" "${timeout}" -X "${ban_chain}" "${ban_ipt6}" "${timeout}" -X "${ban_chain}" 2>/dev/null
fi fi
for source in ${ban_sources} for source in ${ban_sources}
do do
@ -622,9 +632,16 @@ f_main()
mem_free="$(awk '/^MemFree/ {print int($2/1000)}' "/proc/meminfo" 2>/dev/null)" mem_free="$(awk '/^MemFree/ {print int($2/1000)}' "/proc/meminfo" 2>/dev/null)"
f_log "debug" "f_main ::: fetch_util: ${ban_fetchutil:-"-"}, fetch_parm: ${ban_fetchparm:-"-"}, ssh_daemon: ${ban_sshdaemon}, interface(s): ${ban_iface:-"-"}, device(s): ${ban_dev:-"-"}, all_devices: ${ban_dev_all:-"-"}, backup_dir: ${ban_backupdir:-"-"}, mem_total: ${mem_total:-0}, mem_free: ${mem_free:-0}, max_queue: ${ban_maxqueue}" f_log "debug" "f_main ::: fetch_util: ${ban_fetchutil:-"-"}, fetch_parm: ${ban_fetchparm:-"-"}, ssh_daemon: ${ban_sshdaemon}, interface(s): ${ban_iface:-"-"}, device(s): ${ban_dev:-"-"}, all_devices: ${ban_dev_all:-"-"}, backup_dir: ${ban_backupdir:-"-"}, mem_total: ${mem_total:-0}, mem_free: ${mem_free:-0}, max_queue: ${ban_maxqueue}"
# main loop # chain creation
# #
f_ipset initial f_ipset initial
if [ "${?}" -ne 0 ]
then
f_log "err" "banIP processing failed, fatal error during iptables chain creation (${ban_sysver})"
fi
# main loop
#
for src_name in ${ban_sources} for src_name in ${ban_sources}
do do
unset src_on unset src_on
@ -667,6 +684,8 @@ f_main()
tmp_file="${ban_tmpfile}.${src_name}.file" tmp_file="${ban_tmpfile}.${src_name}.file"
tmp_raw="${tmp_file}.raw" tmp_raw="${tmp_file}.raw"
tmp_cnt="${tmp_file}.cnt" tmp_cnt="${tmp_file}.cnt"
tmp_err="${tmp_file}.err"
# basic pre-checks # basic pre-checks
# #
f_log "debug" "f_main ::: name: ${src_name}, src_on: ${src_on:-"-"}" f_log "debug" "f_main ::: name: ${src_name}, src_on: ${src_on:-"-"}"
@ -855,18 +874,23 @@ f_main()
done done
wait wait
for cnt in $(cat "${ban_tmpfile}".*.cnt 2>/dev/null) if [ -z "$(ls "${ban_tmpfile}".*.err 2>/dev/null)" ]
do
ban_cnt="$((ban_cnt+cnt))"
done
if [ "${ban_cnt}" -gt 0 ]
then then
ban_setcnt="$(ls "${ban_tmpfile}".*.cnt 2>/dev/null | wc -l)" for cnt in $(cat "${ban_tmpfile}".*.cnt 2>/dev/null)
do
ban_cnt="$((ban_cnt+cnt))"
done
if [ "${ban_cnt}" -gt 0 ]
then
ban_setcnt="$(ls "${ban_tmpfile}".*.cnt 2>/dev/null | wc -l)"
fi
f_log "info" "${ban_setcnt} IPSets with overall ${ban_cnt} IPs/Prefixes loaded successfully (${ban_sysver})"
f_bgserv "start"
f_jsnup
f_rmtemp
else
f_log "err" "banIP processing failed, fatal iptables error(s) during subshell processing (${ban_sysver})"
fi fi
f_log "info" "${ban_setcnt} IPSets with overall ${ban_cnt} IPs/Prefixes loaded successfully (${ban_sysver})"
f_bgserv "start"
f_jsnup
f_rmtemp
} }
# update runtime information # update runtime information