banip: update 0.9.2-3
[feed/packages.git] / net / banip / files / banip.init
1 #!/bin/sh /etc/rc.common
2 # banIP init script - ban incoming and outgoing IPs via named nftables Sets
3 # Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org)
4 # This is free software, licensed under the GNU General Public License v3.
5
6 # (s)hellcheck exceptions
7 # shellcheck disable=all
8
# rc.common settings: start priority 95, managed through procd.
START=95
USE_PROCD=1

# Additional sub-commands exposed by this init script.
extra_command "report" "[text|json|mail] Print banIP related Set statistics"
extra_command "search" "[<IPv4 address>|<IPv6 address>] Check if an element exists in a banIP Set"
extra_command "survey" "[<Set name>] List all elements of a given banIP Set"
extra_command "lookup" "Lookup the IPs of domain names in the local lists and update them"

# Paths shared by the handlers below.
ban_init="/etc/init.d/banip"
ban_service="/usr/bin/banip-service.sh"
ban_funlib="/usr/lib/banip-functions.sh"
ban_pidfile="/var/run/banip.pid"
ban_lock="/var/run/banip.lock"

# Pre-flight checks: these run on every invocation, before any handler.
case "${action}" in
  boot)
    # Nothing to do at boot when the service is already running.
    "${ban_init}" running && exit 0
    ;;
  stop | report | search | survey | lookup)
    # These actions are silently skipped when the service is not running.
    "${ban_init}" running || exit 0
    ;;
esac

# The function library must be readable for the actions that source it.
# NOTE(review): "survey" is absent from this list although survey() sources
# the same library - confirm whether that is intended.
case "${action}" in
  boot | start | restart | reload | stop | report | search | lookup | status)
    [ -r "${ban_funlib}" ] || exit 1
    ;;
esac

# A lock directory serialises the actions that (re)load Sets: an existing lock
# aborts the call, otherwise the lock is created here.
# NOTE(review): the existence test and "mkdir -p" are separate steps, and
# "mkdir -p" also succeeds on an existing directory, so two invocations racing
# through this point can both proceed. A plain "mkdir" (which fails when the
# directory already exists) would make the acquisition a single atomic step -
# confirm against the lock handling in the service script before changing it.
case "${action}" in
  boot | start | restart | reload | lookup)
    [ -d "${ban_lock}" ] && exit 1
    mkdir -p "${ban_lock}"
    ;;
esac
28
# Boot-time entry point.
# Globals: ban_pidfile (read)
# Truncates (or creates) the pidfile, then starts the service through procd
# with "boot" as the argument handed to start_service.
boot() {
  true >"${ban_pidfile}"
  rc_procd start_service "boot"
}
33
# Register the banIP service instance with procd.
# Globals:   ban_funlib, ban_init, ban_service, ban_pidfile, ban_lock, action (read)
# Arguments: optional arguments forwarded to the service script; when none are
#            given, the current init action is passed instead
# When the init script is not enabled, nothing is registered: an error is
# logged and the lock directory is removed so later calls are not blocked.
start_service() {
  # Load the function library unless f_system is already known to the shell.
  command -v f_system >/dev/null 2>&1 || . "${ban_funlib}"

  if ! "${ban_init}" enabled; then
    f_log "err" "banIP service autostart is disabled"
    rm -rf "${ban_lock}"
    return
  fi

  f_rmpid
  procd_open_instance "banip-service"
  procd_set_param command "${ban_service}" "${@:-"${action}"}"
  procd_set_param pidfile "${ban_pidfile}"
  # Scheduling priority and open-file limit come from the banip uci config,
  # with defaults of 0 and 1024.
  procd_set_param nice "$(uci_get banip global ban_nicelimit "0")"
  procd_set_param limits nofile="$(uci_get banip global ban_filelimit "1024")"
  # stdout and stderr of the service are handed to procd.
  procd_set_param stdout 1
  procd_set_param stderr 1
  procd_close_instance
}
51
# Reload handler: clear the pidfile state via f_rmpid, then start the service
# again through procd with "reload" as the argument.
# Globals: ban_funlib (read)
reload_service() {
  # Load the function library unless f_system is already known to the shell.
  command -v f_system >/dev/null 2>&1 || . "${ban_funlib}"
  f_rmpid
  rc_procd start_service "reload"
}
57
# Stop handler: remove the banIP nftables table and record the stopped state.
# Globals: ban_funlib, ban_nftcmd, ban_lock, action (read)
# ban_nftcmd is not defined in this file; presumably the function library
# provides it - confirm.
stop_service() {
  if [ -z "$(command -v f_system)" ]; then
    . "${ban_funlib}"
  fi

  # The whole "inet banIP" table is deleted. Output and exit status of the
  # delete are discarded, so the "stopped" status below is written even when
  # the table could not be removed.
  "${ban_nftcmd}" delete table inet banIP >/dev/null 2>&1
  f_genstatus "stopped"
  f_rmpid

  # Only an explicit "stop" releases the lock; during "restart" the lock taken
  # at script start stays in place for the following start.
  [ "${action}" = "stop" ] && rm -rf "${ban_lock}"
}
65
# Restart handler: run the stop steps directly, then start the service again
# through procd with "restart" as the argument.
# Because the action is "restart" rather than "stop", stop_service leaves the
# lock directory in place.
restart() {
  stop_service
  rc_procd start_service "restart"
}
70
# "status" action: thin wrapper that delegates to status_service without
# forwarding any arguments.
status() {
  status_service
}
74
# Print the current banIP runtime status via f_getstatus.
# Globals: ban_funlib (read)
status_service() {
  # Load the function library unless f_system is already known to the shell.
  command -v f_system >/dev/null 2>&1 || . "${ban_funlib}"
  f_getstatus
}
79
# "report" action: print Set statistics via f_report.
# Globals:   ban_funlib (read)
# Arguments: $1 - output format, defaults to "text" when missing or empty
#                 (the command help lists text, json and mail)
report() {
  local format="${1:-text}"

  if [ -z "$(command -v f_system)" ]; then
    . "${ban_funlib}"
  fi
  f_report "${format}"
}
84
# "search" action: check whether an address is an element of a banIP Set.
# Globals:   ban_funlib (read)
# Arguments: $1 - IPv4 or IPv6 address given on the command line
# The argument is handed to f_search unchanged; any validation of the address
# has to happen there (not visible in this file).
search() {
  local needle="${1}"

  command -v f_system >/dev/null 2>&1 || . "${ban_funlib}"
  f_search "${needle}"
}
89
# "survey" action: list all elements of one banIP Set.
# Globals:   ban_funlib (read)
# Arguments: $1 - Set name given on the command line
# The name is handed to f_survey unchanged; any validation of it has to happen
# there (not visible in this file).
survey() {
  local set_name="${1}"

  command -v f_system >/dev/null 2>&1 || . "${ban_funlib}"
  f_survey "${set_name}"
}
94
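# "lookup" action: resolve the domain names of the local allowlist and
# blocklist via f_lookup, running the lookups as background jobs.
# Globals: ban_funlib, ban_lock (read)
#          ban_cores (read) - not defined in this file; presumably set by the
#          function library - confirm
# The lock directory is removed once all jobs have finished.
lookup() {
  local list hold cores cnt="1"

  [ -z "$(command -v "f_system")" ] && . "${ban_funlib}"

  # Use ban_cores only when it is a plain positive integer. An empty, zero or
  # non-numeric value would otherwise abort the arithmetic below (or be
  # evaluated as an expression) before the lock is released, leaving a stale
  # lock that makes later start/reload/lookup calls exit early.
  cores="${ban_cores:-1}"
  case "${cores}" in
    *[!0-9]* | 0*) cores="1" ;;
  esac

  for list in allowlist blocklist; do
    (f_lookup "${list}") &
    # Wait for the running jobs after every ${cores}-th job that was started.
    hold="$((cnt % cores))"
    [ "${hold}" = "0" ] && wait
    cnt="$((cnt + 1))"
  done
  wait
  rm -rf "${ban_lock}"
}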
108
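# Register the procd triggers that reload banIP.
# Globals: ban_init (read), PROCD_RELOAD_DELAY (written)
# One "interface.*.up" trigger is added per interface listed in the uci option
# ban_trigger, using the configured delay; a config reload trigger for "banip"
# is added with a fixed value of 2000.
service_triggers() {
  local iface trigger delay

  delay="$(uci_get banip global ban_triggerdelay "10")"
  trigger="$(uci_get banip global ban_trigger)"

  # Accept the configured delay only when it is a plain decimal number without
  # a leading zero. Anything else falls back to the default of 10 instead of
  # being evaluated as an arithmetic expression or aborting the function.
  case "${delay}" in
    "" | *[!0-9]* | 0?*) delay="10" ;;
  esac

  # NOTE(review): the factor 1000 looks like a seconds-to-milliseconds
  # conversion - confirm against procd.
  PROCD_RELOAD_DELAY="$((delay * 1000))"
  # Deliberately unquoted: ban_trigger holds a whitespace-separated list.
  # Glob characters in the value would also be expanded here.
  for iface in ${trigger}; do
    procd_add_interface_trigger "interface.*.up" "${iface}" "${ban_init}" reload
  done

  PROCD_RELOAD_DELAY="$((2 * 1000))"
  procd_add_reload_trigger "banip"
}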