1 #!/bin/sh /etc/rc.common
2 # banIP init script - ban incoming and outgoing IPs via named nftables Sets
3 # Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org)
4 # This is free software, licensed under the GNU General Public License v3.
6 # (s)hellcheck exceptions
7 # shellcheck disable=all
12 extra_command
"report" "[text|json|mail] Print banIP related Set statistics"
13 extra_command
"search" "[<IPv4 address>|<IPv6 address>] Check if an element exists in a banIP Set"
14 extra_command
"survey" "[<Set name>] List all elements of a given banIP Set"
15 extra_command
"lookup" "Lookup the IPs of domain names in the local lists and update them"
17 ban_init
="/etc/init.d/banip"
18 ban_service
="/usr/bin/banip-service.sh"
19 ban_funlib
="/usr/lib/banip-functions.sh"
20 ban_pidfile
="/var/run/banip.pid"
21 ban_lock
="/var/run/banip.lock"
23 [ "${action}" = "boot" ] && "${ban_init}" running
&& exit 0
24 { [ "${action}" = "stop" ] || [ "${action}" = "report" ] || [ "${action}" = "search" ] || [ "${action}" = "survey" ] || [ "${action}" = "lookup" ]; } && ! "${ban_init}" running && exit 0
25 [ ! -r "${ban_funlib}" ] && { [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "stop" ] || [ "${action}" = "report" ] || [ "${action}" = "search" ] || [ "${action}" = "lookup" ] || [ "${action}" = "status" ]; } && exit 1
26 [ -d "${ban_lock}" ] && { [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "lookup" ]; } && exit 1
27 [ ! -d "${ban_lock}" ] && { [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "lookup" ]; } && mkdir
-p "${ban_lock}"
31 rc_procd start_service
"boot"
35 [ -z "$(command -v "f_system
")" ] && .
"${ban_funlib}"
36 if "${ban_init}" enabled
; then
38 procd_open_instance
"banip-service"
39 procd_set_param
command "${ban_service}" "${@:-"${action}"}"
40 procd_set_param pidfile
"${ban_pidfile}"
41 procd_set_param nice
"$(uci_get banip global ban_nicelimit "0")"
42 procd_set_param limits nofile
="$(uci_get banip global ban_filelimit "1024")"
43 procd_set_param stdout
1
44 procd_set_param stderr
1
47 f_log
"err" "banIP service autostart is disabled"
53 [ -z "$(command -v "f_system
")" ] && .
"${ban_funlib}"
55 rc_procd start_service
"reload"
59 [ -z "$(command -v "f_system
")" ] && .
"${ban_funlib}"
60 "${ban_nftcmd}" delete table inet banIP
>/dev
/null
2>&1
63 [ "${action}" = "stop" ] && rm -rf "${ban_lock}"
68 rc_procd start_service
"restart"
76 [ -z "$(command -v "f_system
")" ] && .
"${ban_funlib}"
81 [ -z "$(command -v "f_system
")" ] && .
"${ban_funlib}"
82 f_report
"${1:-"text"}"
86 [ -z "$(command -v "f_system
")" ] && .
"${ban_funlib}"
91 [ -z "$(command -v "f_system
")" ] && .
"${ban_funlib}"
96 local list hold cnt
="1"
98 [ -z "$(command -v "f_system
")" ] && .
"${ban_funlib}"
99 for list
in allowlist blocklist
; do
100 (f_lookup
"${list}") &
101 hold
="$((cnt % ban_cores))"
102 [ "${hold}" = "0" ] && wait
110 local iface trigger delay
112 delay
="$(uci_get banip global ban_triggerdelay "10")"
113 trigger
="$(uci_get banip global ban_trigger)"
115 PROCD_RELOAD_DELAY
="$((delay * 1000))"
116 for iface
in ${trigger}; do
117 procd_add_interface_trigger
"interface.*.up" "${iface}" "${ban_init}" reload
120 PROCD_RELOAD_DELAY
="$((2 * 1000))"
121 procd_add_reload_trigger
"banip"