2 # banIP main service script - ban incoming and outgoing IPs via named nftables Sets
3 # Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org)
4 # This is free software, licensed under the GNU General Public License v3.
6 # (s)hellcheck exceptions
7 # shellcheck disable=all
10 ban_starttime
="$(date "+%s
")"
11 ban_funlib
="/usr/lib/banip-functions.sh"
12 [ -z "${ban_ver}" ] && .
"${ban_funlib}"
14 # load config and set banIP environment
16 [ "${ban_action}" = "boot" ] && sleep "$(uci_get banip global ban_triggerdelay "20")"
18 f_log
"info" "start banIP processing (${ban_action})"
19 f_log
"debug" "f_system ::: system: ${ban_sysver:-"n/a"}, version: ${ban_ver:-"n/a"}, memory: ${ban_memory:-"0"}, cpu_cores: ${ban_cores}"
20 f_genstatus
"processing"
26 f_mkdir
"${ban_backupdir}"
27 f_mkfile
"${ban_blocklist}"
28 f_mkfile
"${ban_allowlist}"
32 if [ "${ban_action}" != "reload" ]; then
33 if [ -x "${ban_fw4cmd}" ]; then
35 while [ "${cnt}" -lt "30" ] && ! /etc
/init.d
/firewall status
>/dev
/null
2>&1; do
39 if ! /etc
/init.d
/firewall status
>/dev
/null
2>&1; then
40 f_log
"err" "error in nft based firewall/fw4"
43 f_log
"err" "no nft based firewall/fw4"
49 if [ "${ban_action}" != "reload" ] ||
! "${ban_nftcmd}" -t list
set inet banIP allowlistv4MAC
>/dev
/null
2>&1; then
50 if f_nftinit
"${ban_tmpfile}".init.nft
; then
51 f_log
"info" "initialize nft namespace"
53 f_log
"err" "can't initialize nft namespace"
59 f_log
"info" "start banIP download processes"
60 if [ "${ban_allowlistonly}" = "1" ]; then
65 [ "${ban_deduplicate}" = "1" ] && printf "\n" >"${ban_tmpfile}.deduplicate"
68 for feed
in allowlist
${ban_feed} blocklist
; do
69 # local feeds (sequential processing)
71 if [ "${feed}" = "allowlist" ] ||
[ "${feed}" = "blocklist" ]; then
72 for proto
in 4MAC
6MAC
4 6; do
73 [ "${feed}" = "blocklist" ] && wait
74 f_down
"${feed}" "${proto}"
79 # external feeds (parallel processing on multicore hardware)
81 if ! json_select
"${feed}" >/dev
/null
2>&1; then
82 f_log
"info" "remove unknown feed '${feed}'"
83 uci_remove_list banip global ban_feed
"${feed}"
87 json_objects
="url_4 rule_4 url_6 rule_6 flag"
88 for object
in ${json_objects}; do
89 eval json_get_var feed_
"${object}" '${object}' >/dev
/null
2>&1
93 # skip incomplete feeds
95 if { { [ -n "${feed_url_4}" ] && [ -z "${feed_rule_4}" ]; } || { [ -z "${feed_url_4}" ] && [ -n "${feed_rule_4}" ]; }; } ||
96 { { [ -n "${feed_url_6}" ] && [ -z "${feed_rule_6}" ]; } || { [ -z "${feed_url_6}" ] && [ -n "${feed_rule_6}" ]; }; } ||
97 { [ -z "${feed_url_4}" ] && [ -z "${feed_rule_4}" ] && [ -z "${feed_url_6}" ] && [ -z "${feed_rule_6}" ]; }; then
98 f_log "info
" "skip incomplete feed
'${feed}'"
102 # handle IPv4/IPv6 feeds with the same/single download URL
104 if [ "${feed_url_4}" = "${feed_url_6}" ]; then
105 if [ "${ban_protov4}" = "1" ] && [ -n "${feed_url_4}" ] && [ -n "${feed_rule_4}" ]; then
106 (f_down "${feed}" "4" "${feed_url_4}" "${feed_rule_4}" "${feed_flag}") &
110 if [ "${ban_protov6}" = "1" ] && [ -n "${feed_url_6}" ] && [ -n "${feed_rule_6}" ]; then
111 (f_down "${feed}" "6" "${feed_url_6}" "${feed_rule_6}" "${feed_flag}") &
112 hold="$
((cnt
% ban_cores
))"
113 [ "${hold}" = "0" ] && wait
118 # handle IPv4/IPv6 feeds with separated download URLs
120 if [ "${ban_protov4}" = "1" ] && [ -n "${feed_url_4}" ] && [ -n "${feed_rule_4}" ]; then
121 (f_down "${feed}" "4" "${feed_url_4}" "${feed_rule_4}" "${feed_flag}") &
122 hold="$
((cnt
% ban_cores
))"
123 [ "${hold}" = "0" ] && wait
126 if [ "${ban_protov6}" = "1" ] && [ -n "${feed_url_6}" ] && [ -n "${feed_rule_6}" ]; then
127 (f_down "${feed}" "6" "${feed_url_6}" "${feed_rule_6}" "${feed_flag}") &
128 hold="$
((cnt
% ban_cores
))"
129 [ "${hold}" = "0" ] && wait
135 f_rmdir "${ban_tmpdir}"
138 # start domain lookup
140 f_log "info
" "start banIP domain lookup
"
142 for list in allowlist blocklist; do
143 (f_lookup "${list}") &
144 hold="$
((cnt
% ban_cores
))"
145 [ "${hold}" = "0" ] && wait
152 if [ "${ban_mailnotification}" = "1" ] && [ -n "${ban_mailreceiver}" ] && [ -x "${ban_mailcmd}" ]; then
161 # start detached log service (infinite loop)