#!/bin/sh /etc/rc.common
# banIP init script - ban incoming and outgoing IPs via named nftables Sets
# Copyright (c) 2018-2024 Dirk Brenken (dev@brenken.org)
# This is free software, licensed under the GNU General Public License v3.
#
# This file is sourced by /etc/rc.common, which provides "${action}",
# extra_command, rc_procd, uci_get and the procd_* helpers used below.
# Everything prefixed f_ comes from the function library sourced further down.

# (s)hellcheck exceptions
# shellcheck disable=all

START=95
USE_PROCD=1

extra_command "report" "[text|json|mail] Print banIP related Set statistics"
extra_command "search" "[|] Check if an element exists in a banIP Set"
extra_command "survey" "[] List all elements of a given banIP Set"
extra_command "lookup" "Lookup the IPs of domain names in the local lists and update them"

# fixed paths: this init script, the procd-managed service, the shared
# function library, the pid file and the lock directory
ban_init="/etc/init.d/banip"
ban_service="/usr/bin/banip-service.sh"
ban_funlib="/usr/lib/banip-functions.sh"
ban_pidfile="/var/run/banip.pid"
ban_lock="/var/run/banip.lock"

# Early exits based on the running state: "boot" is a no-op while the
# service already runs; stop/report/search/survey/lookup are no-ops when
# it does not run.
case "${action}" in
	boot)
		"${ban_init}" running && exit 0
		;;
	stop|report|search|survey|lookup)
		"${ban_init}" running || exit 0
		;;
esac

# Every action that depends on the function library refuses to run
# without a readable copy of it.
case "${action}" in
	boot|start|restart|reload|stop|report|search|survey|lookup|status)
		[ -r "${ban_funlib}" ] || exit 1
		;;
esac

# Set-modifying actions are serialised through the lock directory: an
# existing lock aborts the action, otherwise the lock is created here.
# NOTE(review): the -d test and mkdir -p are two separate steps, so two
# invocations racing each other can both get past the test; a plain mkdir
# (no -p) treated as "locked" on failure would be atomic - confirm whether
# concurrent invocations are possible for this script's callers.
case "${action}" in
	boot|start|restart|reload|lookup|search)
		[ -d "${ban_lock}" ] && exit 1
		mkdir -p "${ban_lock}"
		;;
esac

# Pull in the shared functions (f_*, ban_nftcmd, ban_cores, ...) only
# after the lock has been taken.
case "${action}" in
	boot|start|restart|reload|stop|report|search|survey|lookup|status)
		. "${ban_funlib}"
		;;
esac

# The lock must exist at this point for the locked actions; a failed
# mkdir above (e.g. /var/run not writable) ends the action here.
case "${action}" in
	boot|start|restart|reload|lookup|search)
		[ -d "${ban_lock}" ] || exit 1
		;;
esac

# Boot: truncate the pid file, then start the service through procd.
boot() {
	: >"${ban_pidfile}"
	rc_procd start_service "boot"
}

# Register the banIP service instance with procd.
# Arguments: optional mode passed to the service; defaults to "${action}".
# Globals:   reads ban_init, ban_service, ban_pidfile, ban_lock, action.
start_service() {
	if ! "${ban_init}" enabled; then
		f_log "err" "banIP service autostart is disabled"
		rm -rf "${ban_lock}"
		return
	fi
	f_rmpid
	procd_open_instance "banip-service"
	procd_set_param command "${ban_service}" "${@:-"${action}"}"
	procd_set_param pidfile "${ban_pidfile}"
	# nice level and open-file limit are taken from the uci config,
	# with built-in defaults of 0 and 1024
	procd_set_param nice "$(uci_get banip global ban_nicelimit "0")"
	procd_set_param limits nofile="$(uci_get banip global ban_filelimit "1024")"
	procd_set_param stdout 1
	procd_set_param stderr 1
	procd_close_instance
}

# Reload: clear the pid file and restart the instance in "reload" mode.
reload_service() {
	f_rmpid
	rc_procd start_service "reload"
}

# Stop: drop the whole banIP nftables table, record the status and
# release the lock (the lock is only released for an explicit stop, not
# for the stop half of a restart).
stop_service() {
	"${ban_nftcmd}" delete table inet banIP >/dev/null 2>&1
	f_genstatus "stopped"
	f_rmpid
	[ "${action}" = "stop" ] && rm -rf "${ban_lock}"
}

restart() {
	stop_service
	rc_procd start_service "restart"
}

status() {
	status_service
}

status_service() {
	f_getstatus
}

# report [text|json|mail]: print Set statistics, text by default.
report() {
	f_report "${1:-"text"}"
}

# search <element>: look an element up in the Sets, then release the lock.
search() {
	f_search "${1}"
	rm -rf "${ban_lock}"
}

# survey <set>: list all elements of the given Set.
survey() {
	f_survey "${1}"
}

# lookup: resolve the domain names of the allow- and blocklist in
# parallel, at most ban_cores jobs at a time, then release the lock.
# NOTE(review): ban_cores comes from the function library; if it were
# empty or 0 the arithmetic below would abort the script before the lock
# is removed, leaving a stale lock that blocks later start/reload -
# confirm the library always sets it to a positive number.
lookup() {
	local ban_list idx="0"
	for ban_list in allowlist blocklist; do
		(f_lookup "${ban_list}") &
		idx="$((idx + 1))"
		# barrier after every ban_cores background jobs
		[ "$((idx % ban_cores))" = "0" ] && wait
	done
	wait
	rm -rf "${ban_lock}"
}

# Register procd triggers: a reload on "up" of each configured interface
# (delayed by ban_triggerdelay seconds, default 20) and a reload on
# changes to the banip uci config (fixed 2 second delay).
service_triggers() {
	local iface_name iface_list reload_delay
	reload_delay="$(uci_get banip global ban_triggerdelay "20")"
	iface_list="$(uci_get banip global ban_trigger)"
	# PROCD_RELOAD_DELAY is in milliseconds
	PROCD_RELOAD_DELAY="$((reload_delay * 1000))"
	# deliberate word-splitting: ban_trigger is a space separated list
	for iface_name in ${iface_list}; do
		procd_add_interface_trigger "interface.*.up" "${iface_name}" "${ban_init}" reload
	done
	PROCD_RELOAD_DELAY="$((2 * 1000))"
	procd_add_reload_trigger "banip"
}