1 #!/bin/sh /etc/rc.common
2 # banIP init script - ban incoming and outgoing IPs via named nftables Sets
3 # Copyright (c) 2018-2024 Dirk Brenken (dev@brenken.org)
4 # This is free software, licensed under the GNU General Public License v3.
6 # (s)hellcheck exceptions
7 # shellcheck disable=all
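extra_command "report" "[text|json|mail] Print banIP related Set statistics"
extra_command "search" "[<IPv4 address>|<IPv6 address>] Check if an element exists in a banIP Set"
extra_command "survey" "[<Set name>] List all elements of a given banIP Set"
extra_command "lookup" "Lookup the IPs of domain names in the local lists and update them"

ban_init="/etc/init.d/banip"
ban_service="/usr/bin/banip-service.sh"
ban_funlib="/usr/lib/banip-functions.sh"
ban_pidfile="/var/run/banip.pid"
# the lock is a directory: creating it with a plain mkdir(2) either succeeds
# or fails atomically, so no separate "does it exist" test is needed
ban_lock="/var/run/banip.lock"

# early exits that need neither the lock nor the function library
# (${action} is the rc.common action selected on the command line):
# - 'boot' is a no-op while the service is already running
# - maintenance/read-only actions are no-ops while the service is not running
case "${action}" in
	boot)
		"${ban_init}" running && exit 0
		;;
	stop | report | search | survey | lookup)
		"${ban_init}" running || exit 0
		;;
esac

# all remaining actions depend on the function library being readable
case "${action}" in
	boot | start | restart | reload | stop | report | search | survey | lookup | status)
		[ -r "${ban_funlib}" ] || exit 1
		;;
esac

# actions that (re)build the Sets are mutually exclusive: acquire the lock
# atomically instead of "test -d, then mkdir -p", which lets two concurrent
# invocations (e.g. an interface trigger racing a config reload) both proceed
case "${action}" in
	boot | start | restart | reload | lookup)
		# keep the original 'mkdir -p' behaviour of creating a missing parent dir
		mkdir -p "${ban_lock%/*}" 2>/dev/null
		# plain mkdir fails if the lock directory already exists -> another run holds it
		mkdir "${ban_lock}" 2>/dev/null || exit 1
		;;
esac

# load the function library for every action that uses it
case "${action}" in
	boot | start | restart | reload | stop | report | search | survey | lookup | status)
		. "${ban_funlib}"
		;;
esac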
33 rc_procd start_service
"boot"
37 if "${ban_init}" enabled
; then
39 procd_open_instance
"banip-service"
40 procd_set_param
command "${ban_service}" "${@:-"${action}"}"
41 procd_set_param pidfile
"${ban_pidfile}"
42 procd_set_param nice
"$(uci_get banip global ban_nicelimit "0")"
43 procd_set_param limits nofile
="$(uci_get banip global ban_filelimit "1024")"
44 procd_set_param stdout
1
45 procd_set_param stderr
1
48 f_log
"err" "banIP service autostart is disabled"
55 rc_procd start_service
"reload"
59 "${ban_nftcmd}" delete table inet banIP
>/dev
/null
2>&1
62 [ "${action}" = "stop" ] && rm -rf "${ban_lock}"
67 rc_procd start_service
"restart"
79 f_report
"${1:-"text"}"
91 local list hold cnt
="1"
93 for list
in allowlist blocklist
; do
94 (f_lookup
"${list}") &
95 hold
="$((cnt % ban_cores))"
96 [ "${hold}" = "0" ] && wait
104 local iface trigger delay
106 delay
="$(uci_get banip global ban_triggerdelay "20")"
107 trigger
="$(uci_get banip global ban_trigger)"
109 PROCD_RELOAD_DELAY
="$((delay * 1000))"
110 for iface
in ${trigger}; do
111 procd_add_interface_trigger
"interface.*.up" "${iface}" "${ban_init}" reload
114 PROCD_RELOAD_DELAY
="$((2 * 1000))"
115 procd_add_reload_trigger
"banip"