Difuse/packages
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

banip: update 0.3.5

Browse source 
* fix race condition in download utility detection during boot
* fix multiple possible bugs in ipset creation
* prevent parallel service starts
* refine service trigger handling
* add ssh daemon auto detection
* print to stdout if 'logger' is not available

Signed-off-by: Dirk Brenken <dev@brenken.org>
This commit is contained in:
Dirk Brenken 2019-11-03 16:44:22 +01:00
parent 426ed75dbe
commit fcea2f75c3
No known key found for this signature in database
GPG key ID: 9D71CD547BFAE684
4 changed files with 161 additions and 100 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
net/banip/Makefile
View file

@ -6,7 +6,7 @@
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=banip PKG_NAME:=banip
PKG_VERSION:=0.3.1 PKG_VERSION:=0.3.5
PKG_RELEASE:=1 PKG_RELEASE:=1
PKG_LICENSE:=GPL-3.0-or-later PKG_LICENSE:=GPL-3.0-or-later
PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org> PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>

26
net/banip/files/banip.init
View file

@ -12,6 +12,11 @@ ban_init="/etc/init.d/banip"
ban_script="/usr/bin/banip.sh" ban_script="/usr/bin/banip.sh"
ban_pidfile="/var/run/banip.pid" ban_pidfile="/var/run/banip.pid"
if [ -s "${ban_pidfile}" ] && [ "${action}" != "help" ] && [ "${action}" != "status" ]
then
exit 1
fi
boot() boot()
{ {
ban_boot="1" ban_boot="1"
@ -39,7 +44,6 @@ start_service()
refresh() refresh()
{ {
[ -s "${ban_pidfile}" ] && return 1
rc_procd start_service refresh rc_procd start_service refresh
} }
@ -53,6 +57,11 @@ stop_service()
rc_procd "${ban_script}" stop rc_procd "${ban_script}" stop
} }
restart()
{
rc_procd start_service restart
}
status_service() status_service()
{ {
local key keylist value local key keylist value
@ -76,16 +85,23 @@ status_service()
service_triggers() service_triggers()
{ {
local iface iface_list="$(uci_get banip global ban_iface)" local trigger trigger_list="$(uci_get banip global ban_trigger)"
local delay="$(uci_get banip extra ban_triggerdelay "2")" local delay="$(uci_get banip extra ban_triggerdelay "2")"
local type="$(uci_get banip extra ban_starttype "start")" local type="$(uci_get banip extra ban_starttype "start")"
PROCD_RELOAD_DELAY=$((${delay}*1000)) PROCD_RELOAD_DELAY=$((${delay}*1000))
if [ -n "${iface_list}" ]
if [ -z "${trigger_list}" ] && [ -r "/lib/functions/network.sh" ]
then then
for iface in ${iface_list} . "/lib/functions/network.sh"
network_find_wan trigger_list
fi
if [ -n "${trigger_list}" ]
then
for trigger in ${trigger_list}
do do
procd_add_interface_trigger "interface.*.up" "${iface}" "${ban_init}" "${type}" procd_add_interface_trigger "interface.*.up" "${trigger}" "${ban_init}" "${type}"
done done
else else
procd_add_raw_trigger "interface.*.up" ${PROCD_RELOAD_DELAY} "${ban_init}" "${type}" procd_add_raw_trigger "interface.*.up" ${PROCD_RELOAD_DELAY} "${ban_init}" "${type}"

26
net/banip/files/banip.service
View file

@ -8,20 +8,24 @@
LC_ALL=C LC_ALL=C
PATH="/usr/sbin:/usr/bin:/sbin:/bin" PATH="/usr/sbin:/usr/bin:/sbin:/bin"
if [ -r "/lib/functions.sh" ]
then
. "/lib/functions.sh"
ban_sshdaemon="$(uci_get banip extra ban_sshdaemon "dropbear")"
fi
ban_ver="${1}" ban_ver="${1}"
ban_log="$(command -v logread)" ban_sshdaemon="${2}"
ban_logger="$(command -v logger)"
ban_logread="$(command -v logread)"
if [ -x "${ban_log}" ] if [ -x "${ban_logread}" ]
then then
logger -p "info" -t "banIP-${ban_ver}[${$}]" "log/banIP service started" "${ban_logread}" -f -e "${ban_sshdaemon}\|luci: failed login" | \
"${ban_log}" -f -e "${ban_sshdaemon}\|luci: failed login" | \
{ grep -qE "Exit before auth|luci: failed login|[0-9]+ \[preauth\]$"; [ $? -eq 0 ] && /etc/init.d/banip refresh; } { grep -qE "Exit before auth|luci: failed login|[0-9]+ \[preauth\]$"; [ $? -eq 0 ] && /etc/init.d/banip refresh; }
class="info"
log_msg="log/banIP service started"
else else
logger -p "err" -t "banIP-${ban_ver}[${$}]" "can't start log/banIP service" class="err"
log_msg="can't start log/banIP service"
fi
if [ -x "${ban_logger}" ]
then
"${ban_logger}" -p "${class}" -t "banIP-${ban_ver}[${$}]" "${log_msg}"
else
printf "%s %s %s\\n" "${class}" "banIP-${ban_ver}[${$}]" "${log_msg}"
fi fi

207
net/banip/files/banip.sh
View file

@ -13,7 +13,7 @@
# #
LC_ALL=C LC_ALL=C
PATH="/usr/sbin:/usr/bin:/sbin:/bin" PATH="/usr/sbin:/usr/bin:/sbin:/bin"
ban_ver="0.3.1" ban_ver="0.3.5"
ban_basever="" ban_basever=""
ban_enabled=0 ban_enabled=0
ban_automatic="1" ban_automatic="1"
@ -26,7 +26,6 @@ ban_autoblacklist=1
ban_autowhitelist=1 ban_autowhitelist=1
ban_realtime="false" ban_realtime="false"
ban_fetchutil="" ban_fetchutil=""
ban_ip="$(command -v ip)"
ban_ipt="$(command -v iptables)" ban_ipt="$(command -v iptables)"
ban_ipt_save="$(command -v iptables-save)" ban_ipt_save="$(command -v iptables-save)"
ban_ipt_restore="$(command -v iptables-restore)" ban_ipt_restore="$(command -v iptables-restore)"
@ -34,12 +33,13 @@ ban_ipt6="$(command -v ip6tables)"
ban_ipt6_save="$(command -v ip6tables-save)" ban_ipt6_save="$(command -v ip6tables-save)"
ban_ipt6_restore="$(command -v ip6tables-restore)" ban_ipt6_restore="$(command -v ip6tables-restore)"
ban_ipset="$(command -v ipset)" ban_ipset="$(command -v ipset)"
ban_logger="$(command -v logger)"
ban_chain="banIP" ban_chain="banIP"
ban_action="${1:-"start"}" ban_action="${1:-"start"}"
ban_pidfile="/var/run/banip.pid" ban_pidfile="/var/run/banip.pid"
ban_rtfile="/tmp/ban_runtime.json" ban_rtfile="/tmp/ban_runtime.json"
ban_logservice="/etc/banip/banip.service" ban_logservice="/etc/banip/banip.service"
ban_sshdaemon="dropbear" ban_sshdaemon=""
ban_setcnt=0 ban_setcnt=0
ban_cnt=0 ban_cnt=0
@ -102,6 +102,7 @@ f_envload()
if [ -z "${ban_basever}" ] || [ "${ban_ver%.*}" != "${ban_basever}" ] if [ -z "${ban_basever}" ] || [ "${ban_ver%.*}" != "${ban_basever}" ]
then then
f_log "info" "your banIP config seems to be too old, please update your config with the '--force-maintainer' opkg option" f_log "info" "your banIP config seems to be too old, please update your config with the '--force-maintainer' opkg option"
f_rmtemp
exit 0 exit 0
fi fi
@ -129,61 +130,17 @@ f_envcheck()
{ {
local util utils packages iface tmp cnt=0 cnt_max=0 local util utils packages iface tmp cnt=0 cnt_max=0
f_jsnup "running"
f_log "info" "start banIP processing (${ban_action})"
# check backup directory # check backup directory
# #
if [ ! -d "${ban_backupdir}" ] if [ ! -d "${ban_backupdir}" ]
then then
f_log "err" "the backup directory '${ban_backupdir}' does not exist/is not mounted yet, please create the directory or raise the 'ban_triggerdelay' to defer the banIP start" f_log "err" "the backup directory '${ban_backupdir}' does not exist or has not been mounted yet, please create the directory or raise the 'ban_triggerdelay' to defer the banIP start"
fi fi
# check fetch utility # get wan devices and wan subnets
#
if [ -z "${ban_fetchutil}" ]
then
utils="aria2c curl wget uclient-fetch"
packages="$(opkg list-installed 2>/dev/null)"
for util in ${utils}
do
if { [ "${util}" = "uclient-fetch" ] && [ -n "$(printf "%s\\n" "${packages}" | grep "^libustream-")" ]; } || \
{ [ "${util}" = "wget" ] && [ -n "$(printf "%s\\n" "${packages}" | grep "^wget -")" ]; } || \
{ [ "${util}" != "uclient-fetch" ] && [ "${util}" != "wget" ]; }
then
ban_fetchutil="$(command -v "${util}")"
if [ -x "${ban_fetchutil}" ]
then
break
fi
fi
unset ban_fetchutil util
done
else
util="${ban_fetchutil}"
ban_fetchutil="$(command -v "${util}")"
if [ ! -x "${ban_fetchutil}" ]
then
unset ban_fetchutil util
fi
fi
case "${util}" in
"aria2c")
ban_fetchparm="${ban_fetchparm:-"--timeout=20 --allow-overwrite=true --auto-file-renaming=false --check-certificate=true --dir=" " -o"}"
;;
"curl")
ban_fetchparm="${ban_fetchparm:-"--connect-timeout 20 -o"}"
;;
"uclient-fetch")
ban_fetchparm="${ban_fetchparm:-"--timeout=20 -O"}"
;;
"wget")
ban_fetchparm="${ban_fetchparm:-"--no-cache --no-cookies --max-redirect=0 --timeout=20 -O"}"
;;
esac
if [ -z "${ban_fetchutil}" ] || [ -z "${ban_fetchparm}" ]
then
f_log "err" "download utility with SSL support not found, please install 'uclient-fetch' with a 'libustream-*' variant or another download utility like 'wget', 'curl' or 'aria2'"
fi
# get wan device and wan subnets
# #
if [ "${ban_automatic}" = "1" ] if [ "${ban_automatic}" = "1" ]
then then
@ -242,14 +199,87 @@ f_envcheck()
ban_subnets6="${ban_subnets6} ${tmp}" ban_subnets6="${ban_subnets6} ${tmp}"
fi fi
done done
ban_dev_all="$(ip link show 2>/dev/null | awk 'BEGIN{FS="[@: ]"}/^[0-9:]/{if($3!="lo"){print $3}}')"
if [ -z "${ban_iface}" ] || [ -z "${ban_dev}" ] if [ -z "${ban_iface}" ] || [ -z "${ban_dev}" ] || [ -z "${ban_dev_all}" ]
then then
f_log "err" "wan interface(s)/device(s) (${ban_iface:-"-"}/${ban_dev:-"-"}) not found, please please check your configuration" f_log "err" "wan interface(s)/device(s) (${ban_iface:-"-"}/${ban_dev:-"-"}) not found, please please check your configuration"
fi
# check fetch utility
#
if [ -z "${ban_fetchutil}" ]
then
cnt_max=$((cnt+5))
while [ -z "${packages}" ]
do
packages="$(opkg list-installed 2>/dev/null)"
if [ "${cnt}" -gt "${cnt_max}" ]
then
break
fi
cnt=$((cnt+1))
sleep 1
done
utils="aria2c curl wget uclient-fetch"
for util in ${utils}
do
if { [ "${util}" = "uclient-fetch" ] && [ -n "$(printf "%s\\n" "${packages}" | grep "^libustream-")" ]; } || \
{ [ "${util}" = "wget" ] && [ -n "$(printf "%s\\n" "${packages}" | grep "^wget -")" ]; } || \
{ [ "${util}" != "uclient-fetch" ] && [ "${util}" != "wget" ]; }
then
ban_fetchutil="$(command -v "${util}")"
if [ -x "${ban_fetchutil}" ]
then
break
fi
fi
unset ban_fetchutil util
done
else else
ban_dev_all="$(${ban_ip} link show | awk 'BEGIN{FS="[@: ]"}/^[0-9:]/{if($3!="lo"){print $3}}')" util="${ban_fetchutil}"
f_jsnup "running" ban_fetchutil="$(command -v "${util}")"
f_log "info" "start banIP processing (${ban_action})" if [ ! -x "${ban_fetchutil}" ]
then
unset ban_fetchutil util
fi
fi
case "${util}" in
"aria2c")
ban_fetchparm="${ban_fetchparm:-"--timeout=20 --allow-overwrite=true --auto-file-renaming=false --check-certificate=true --dir=" " -o"}"
;;
"curl")
ban_fetchparm="${ban_fetchparm:-"--connect-timeout 20 -o"}"
;;
"uclient-fetch")
ban_fetchparm="${ban_fetchparm:-"--timeout=20 -O"}"
;;
"wget")
ban_fetchparm="${ban_fetchparm:-"--no-cache --no-cookies --max-redirect=0 --timeout=20 -O"}"
;;
esac
if [ -z "${ban_fetchutil}" ] || [ -z "${ban_fetchparm}" ]
then
f_log "err" "download utility with SSL support not found, please install 'uclient-fetch' with a 'libustream-*' variant or another download utility like 'wget', 'curl' or 'aria2'"
fi
# check ssh daemon
#
if [ -z "${ban_sshdaemon}" ]
then
utils="dropbear sshd"
for util in ${utils}
do
if [ -x "$(command -v "${util}")" ]
then
ban_sshdaemon="${util}"
break
fi
done
fi
if [ -z "${ban_sshdaemon}" ]
then
f_log "err" "ssh daemon not found, please install 'dropbear' or 'sshd'"
fi fi
} }
@ -260,11 +290,10 @@ f_temp()
if [ -d "/tmp" ] && [ -z "${ban_tmpdir}" ] if [ -d "/tmp" ] && [ -z "${ban_tmpdir}" ]
then then
ban_tmpdir="$(mktemp -p /tmp -d)" ban_tmpdir="$(mktemp -p /tmp -d)"
ban_tmpload="$(mktemp -p "${ban_tmpdir}" -tu)"
ban_tmpfile="$(mktemp -p "${ban_tmpdir}" -tu)" ban_tmpfile="$(mktemp -p "${ban_tmpdir}" -tu)"
elif [ ! -d "/tmp" ] elif [ ! -d "/tmp" ]
then then
f_log "err" "the temp directory '/tmp' does not exist/is not mounted yet, please create the directory or raise the 'ban_triggerdelay' to defer the banIP start" f_log "err" "the temp directory '/tmp' does not exist or has not been mounted yet, please create the directory or raise the 'ban_triggerdelay' to defer the banIP start"
fi fi
if [ ! -s "${ban_pidfile}" ] if [ ! -s "${ban_pidfile}" ]
@ -453,19 +482,23 @@ f_ipset()
if [ -s "${tmp_file}" ] && [ -z "$("${ban_ipset}" -q -n list "${src_name}")" ] if [ -s "${tmp_file}" ] && [ -z "$("${ban_ipset}" -q -n list "${src_name}")" ]
then then
"${ban_ipset}" -q create "${src_name}" hash:"${src_settype}" hashsize 64 maxelem 262144 family "${src_setipv}" counters "${ban_ipset}" -q create "${src_name}" hash:"${src_settype}" hashsize 64 maxelem 262144 family "${src_setipv}" counters
out_rc="${?}"
else else
"${ban_ipset}" -q flush "${src_name}" "${ban_ipset}" -q flush "${src_name}"
fi
if [ -s "${tmp_file}" ]
then
"${ban_ipset}" -! restore < "${tmp_file}"
out_rc="${?}" out_rc="${?}"
"${ban_ipset}" -q save "${src_name}" > "${tmp_file}" fi
cnt="$(($(wc -l 2>/dev/null < "${tmp_file}")-1))" if [ -s "${tmp_file}" ] && [ "${out_rc}" -eq 0 ]
cnt_cidr="$(grep -cF "/" "${tmp_file}")" then
cnt_ip="$((cnt-cnt_cidr))" "${ban_ipset}" -q -! restore < "${tmp_file}"
printf "%s\\n" "1" > "${tmp_set}" out_rc="${?}"
printf "%s\\n" "${cnt}" > "${tmp_cnt}" if [ "${out_rc}" -eq 0 ]
then
"${ban_ipset}" -q save "${src_name}" > "${tmp_file}"
cnt="$(($(wc -l 2>/dev/null < "${tmp_file}")-1))"
cnt_cidr="$(grep -cF "/" "${tmp_file}")"
cnt_ip="$((cnt-cnt_cidr))"
printf "%s\\n" "${cnt}" > "${tmp_cnt}"
fi
fi fi
f_iptadd f_iptadd
fi fi
@ -478,12 +511,11 @@ f_ipset()
then then
"${ban_ipset}" -q save "${src_name}" > "${tmp_file}" "${ban_ipset}" -q save "${src_name}" > "${tmp_file}"
out_rc="${?}" out_rc="${?}"
if [ -s "${tmp_file}" ] if [ -s "${tmp_file}" ] && [ "${out_rc}" -eq 0 ]
then then
cnt="$(($(wc -l 2>/dev/null < "${tmp_file}")-1))" cnt="$(($(wc -l 2>/dev/null < "${tmp_file}")-1))"
cnt_cidr="$(grep -cF "/" "${tmp_file}")" cnt_cidr="$(grep -cF "/" "${tmp_file}")"
cnt_ip="$((cnt-cnt_cidr))" cnt_ip="$((cnt-cnt_cidr))"
printf "%s\\n" "1" > "${tmp_set}"
printf "%s\\n" "${cnt}" > "${tmp_cnt}" printf "%s\\n" "${cnt}" > "${tmp_cnt}"
fi fi
f_iptadd f_iptadd
@ -538,14 +570,25 @@ f_log()
if [ -n "${log_msg}" ] && { [ "${class}" != "debug" ] || [ "${ban_debug}" -eq 1 ]; } if [ -n "${log_msg}" ] && { [ "${class}" != "debug" ] || [ "${ban_debug}" -eq 1 ]; }
then then
logger -p "${class}" -t "banIP-${ban_ver}[${$}]" "${log_msg}" if [ -x "${ban_logger}" ]
then
"${ban_logger}" -p "${class}" -t "banIP-${ban_ver}[${$}]" "${log_msg}"
else
printf "%s %s %s\\n" "${class}" "banIP-${ban_ver}[${$}]" "${log_msg}"
fi
if [ "${class}" = "err" ] if [ "${class}" = "err" ]
then then
f_jsnup error f_jsnup error
f_ipset destroy f_ipset destroy
f_rmbackup f_rmbackup
f_rmtemp f_rmtemp
logger -p "${class}" -t "banIP-${ban_ver}[${$}]" "Please also check 'https://github.com/openwrt/packages/blob/master/net/banip/files/README.md'" log_msg="Please also check 'https://github.com/openwrt/packages/blob/master/net/banip/files/README.md'"
if [ -x "${ban_logger}" ]
then
"${ban_logger}" -p "${class}" -t "banIP-${ban_ver}[${$}]" "${log_msg}"
else
printf "%s %s %s\\n" "${class}" "banIP-${ban_ver}[${$}]" "${log_msg}"
fi
exit 1 exit 1
fi fi
fi fi
@ -561,8 +604,8 @@ f_bgserv()
if [ -z "${bg_pid}" ] && [ "${status}" = "start" ] \ if [ -z "${bg_pid}" ] && [ "${status}" = "start" ] \
&& [ -x "${ban_logservice}" ] && [ "${ban_realtime}" = "true" ] && [ -x "${ban_logservice}" ] && [ "${ban_realtime}" = "true" ]
then then
( "${ban_logservice}" "${ban_ver}" &) ( "${ban_logservice}" "${ban_ver}" "${ban_sshdaemon}" & )
elif [ -n "${bg_pid}" ] && [ "${status}" = "stop" ] elif [ -n "${bg_pid}" ] && [ "${status}" = "stop" ]
then then
kill -HUP "${bg_pid}" 2>/dev/null kill -HUP "${bg_pid}" 2>/dev/null
fi fi
@ -624,12 +667,10 @@ f_main()
src_cat="$(eval printf "%s" \"\$\{ban_src_cat_${src_name%_6*}\}\")" src_cat="$(eval printf "%s" \"\$\{ban_src_cat_${src_name%_6*}\}\")"
src_addon="" src_addon=""
src_rc=4 src_rc=4
tmp_load="${ban_tmpload}.${src_name}" tmp_load="${ban_tmpfile}.${src_name}.load"
tmp_file="${ban_tmpfile}.${src_name}" tmp_file="${ban_tmpfile}.${src_name}.file"
tmp_raw="${tmp_load}.raw" tmp_raw="${tmp_file}.raw"
tmp_cnt="${tmp_file}.cnt" tmp_cnt="${tmp_file}.cnt"
tmp_set="${tmp_file}.setcnt"
# basic pre-checks # basic pre-checks
# #
f_log "debug" "f_main ::: name: ${src_name}, src_on: ${src_on:-"-"}" f_log "debug" "f_main ::: name: ${src_name}, src_on: ${src_on:-"-"}"
@ -818,14 +859,14 @@ f_main()
done done
wait wait
for cnt in $(cat "${ban_tmpfile}".*.setcnt 2>/dev/null)
do
ban_setcnt="$((ban_setcnt+cnt))"
done
for cnt in $(cat "${ban_tmpfile}".*.cnt 2>/dev/null) for cnt in $(cat "${ban_tmpfile}".*.cnt 2>/dev/null)
do do
ban_cnt="$((ban_cnt+cnt))" ban_cnt="$((ban_cnt+cnt))"
done done
if [ "${ban_cnt}" -gt 0 ]
then
ban_setcnt="$(ls "${ban_tmpfile}".*.cnt 2>/dev/null | wc -l)"
fi
f_log "info" "${ban_setcnt} IPSets with overall ${ban_cnt} IPs/Prefixes loaded successfully (${ban_sysver})" f_log "info" "${ban_setcnt} IPSets with overall ${ban_cnt} IPs/Prefixes loaded successfully (${ban_sysver})"
f_bgserv "start" f_bgserv "start"
f_jsnup f_jsnup