From: <abe...@us...> - 2016-09-14 18:15:58
Revision: 7832
http://sourceforge.net/p/astlinux/code/7832
Author: abelbeck
Date: 2016-09-14 18:15:56 +0000 (Wed, 14 Sep 2016)
Log Message:
-----------
arnofw, version bump to 2.0.1g-RC3, added BLOCK_NETSET_DIR which efficiently creates ipset's for blocklists using .netset files. Additionally added reload-blocklist-netset script to generate the .netset files
Modified Paths:
--------------
branches/1.0/package/arnofw/arnofw.mk
Added Paths:
-----------
branches/1.0/package/arnofw/reload-blocklist-netset
Removed Paths:
-------------
branches/1.0/package/arnofw/arnofw-0001-handle-ipset-errors.patch
Deleted: branches/1.0/package/arnofw/arnofw-0001-handle-ipset-errors.patch
===================================================================
--- branches/1.0/package/arnofw/arnofw-0001-handle-ipset-errors.patch 2016-09-11 19:08:52 UTC (rev 7831)
+++ branches/1.0/package/arnofw/arnofw-0001-handle-ipset-errors.patch 2016-09-14 18:15:56 UTC (rev 7832)
@@ -1,81 +0,0 @@
-From d06e18113b683ff6b19810eae25db5e4dd11ce2e Mon Sep 17 00:00:00 2001
-From: Lonnie Abelbeck <lo...@ab...>
-Date: Sun, 11 Sep 2016 13:26:55 -0500
-Subject: [PATCH] added: handle errors for ipset BLOCK_HOSTS and
- BLOCK_HOSTS_FILE
-
----
- bin/arno-iptables-firewall | 30 +++++++++++++++++++++++++++---
- 1 file changed, 27 insertions(+), 3 deletions(-)
-
-diff --git a/bin/arno-iptables-firewall b/bin/arno-iptables-firewall
-index aacf489..0e8739b 100755
---- a/bin/arno-iptables-firewall
-+++ b/bin/arno-iptables-firewall
-@@ -4158,7 +4158,7 @@ setup_output_log()
- ######################################
- setup_hostblock_chain()
- {
-- local hashsize maxelem
-+ local hashsize maxelem swap4_err=0 swap6_err=0
-
- if iptables -F HOST_BLOCK_SRC 2>&1 |grep -q "No chain" || \
- iptables -F HOST_BLOCK_DST 2>&1 |grep -q "No chain"; then
-@@ -4216,10 +4216,18 @@ if ipset_check; then
- case $? in
- 4)
- ipset add -exist aif_blocklist_tmp $host
-+ if [ $? -ne 0 ]; then
-+ swap4_err=1
-+ RULE_WARNING=$((RULE_WARNING + 1))
-+ fi
- ;;
- 6)
- if [ "$IPV6_SUPPORT" = "1" ]; then
- ipset add -exist aif_blocklist6_tmp $host
-+ if [ $? -ne 0 ]; then
-+ swap6_err=1
-+ RULE_WARNING=$((RULE_WARNING + 1))
-+ fi
- fi
- ;;
- esac
-@@ -4273,9 +4281,17 @@ if ipset_check; then
- echo "$total_cnt host line(s) read"
-
- ipset restore < "$IP4TABLES_BATCH_FILE"
-+ if [ $? -ne 0 ]; then
-+ swap4_err=1
-+ RULE_WARNING=$((RULE_WARNING + 1))
-+ fi
- rm -f "$IP4TABLES_BATCH_FILE"
- if [ "$IPV6_SUPPORT" = "1" ]; then
- ipset restore < "$IP6TABLES_BATCH_FILE"
-+ if [ $? -ne 0 ]; then
-+ swap6_err=1
-+ RULE_WARNING=$((RULE_WARNING + 1))
-+ fi
- rm -f "$IP6TABLES_BATCH_FILE"
- fi
- else
-@@ -4283,10 +4299,18 @@ if ipset_check; then
- fi
- fi
-
-- ipset swap aif_blocklist aif_blocklist_tmp
-+ if [ $swap4_err -eq 0 ]; then
-+ ipset swap aif_blocklist aif_blocklist_tmp
-+ else
-+ printf "\033[40m\033[1;31mERROR: IPv4 \"ipset swap ...\" not applied.\033[0m\n" >&2
-+ fi
- ipset destroy aif_blocklist_tmp
- if [ "$IPV6_SUPPORT" = "1" ]; then
-- ipset swap aif_blocklist6 aif_blocklist6_tmp
-+ if [ $swap6_err -eq 0 ]; then
-+ ipset swap aif_blocklist6 aif_blocklist6_tmp
-+ else
-+ printf "\033[40m\033[1;31mERROR: IPv6 \"ipset swap ...\" not applied.\033[0m\n" >&2
-+ fi
- ipset destroy aif_blocklist6_tmp
- fi
- else
Modified: branches/1.0/package/arnofw/arnofw.mk
===================================================================
--- branches/1.0/package/arnofw/arnofw.mk 2016-09-11 19:08:52 UTC (rev 7831)
+++ branches/1.0/package/arnofw/arnofw.mk 2016-09-14 18:15:56 UTC (rev 7832)
@@ -3,7 +3,7 @@
 # Arno's IPtables Firewall Script
 #
 #############################################################
-ARNOFW_VER := 2.0.1g-RC2
+ARNOFW_VER := 2.0.1g-RC3
 ARNOFW_ROOT := arno-iptables-firewall
 ARNOFW_SOURCE := $(ARNOFW_ROOT)_$(ARNOFW_VER).tar.gz
 #ARNOFW_SITE := http://rocky.eld.leidenuniv.nl/arno-iptables-firewall
@@ -64,6 +64,8 @@
 $(TARGET_DIR)$(ARNOFW_CONFIG_SHIM)
 $(INSTALL) -D -m 0755 package/arnofw/reload-spamhaus-drop \
 $(TARGET_DIR)/usr/sbin/reload-spamhaus-drop
+ $(INSTALL) -D -m 0755 package/arnofw/reload-blocklist-netset \
+ $(TARGET_DIR)/usr/sbin/reload-blocklist-netset
 @rm -f $(TARGET_DIR)$(ARNOFW_PLUGIN_SCRIPT_DIR)/*.CHANGELOG
 @echo
 @echo "Remove plugins that don't apply."
Added: branches/1.0/package/arnofw/reload-blocklist-netset
===================================================================
--- branches/1.0/package/arnofw/reload-blocklist-netset (rev 0)
+++ branches/1.0/package/arnofw/reload-blocklist-netset 2016-09-14 18:15:56 UTC (rev 7832)
@@ -0,0 +1,173 @@
+#!/bin/sh
+##
+## reload-blocklist-netset
+##
+## Cron may be used to run this script once or twice every day. Example:
+## 05 05,15 * * * reload-blocklist-netset /mnt/kd/blocklists firehol_level1 spamhaus_dropv6 >/dev/null 2>&1
+##
+## Multiple netset entries may be space or comma separated.
+##
+## In this example, a /mnt/kd/blocklists/firehol_level1.netset
+## and a /mnt/kd/blocklists/spamhaus_dropv6.netset file will be created.
+## Note: The specified directory must pre-exist, it will not be created.
+##
+## This script prevents any netset from being updated more often than
+## the defined 'AGE' value.
+##
+
+DIR="$1"
+
+UPDATES=0
+
+list_netsets()
+{
+ cat <<EOF
+
+Available IPv4 Blocklist Netsets:
+ firehol_level1: Blacklist composed from IP lists, providing maximum protection with minimum false positives.
+ firehol_level2: Blacklist that track attacks, during about the last 48 hours.
+ firehol_level3: Blacklist that track attacks, spyware, viruses, reported or detected in the last 30 days.
+ spamhaus_drop: Spamhaus DROP (Don't Route Or Peer), consisting of netblocks that are "hijacked" by cyber-crime operations.
+ spamhaus_edrop: Spamhaus EDROP is an extension of the DROP list that includes suballocated netblocks.
+
+Available IPv6 Blocklist Netsets:
+spamhaus_dropv6: Spamhaus DROPv6 list includes IPv6 ranges allocated to spammers or cyber criminals.
+
+EOF
+}
+
+netset_url()
+{
+ local netset="$1"
+
+ case $netset in
+ ## IPv4
+ firehol_level1)
+ URL="https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset"
+ ALT_URL=""
+ AGE=3600
+ ;;
+ firehol_level2)
+ URL="https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level2.netset"
+ ALT_URL=""
+ AGE=3600
+ ;;
+ firehol_level3)
+ URL="https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level3.netset"
+ ALT_URL=""
+ AGE=3600
+ ;;
+ spamhaus_drop)
+ URL="https://www.spamhaus.org/drop/drop.txt"
+ ALT_URL="https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/spamhaus_drop.netset"
+ AGE=43200
+ ;;
+ spamhaus_edrop)
+ URL="https://www.spamhaus.org/drop/edrop.txt"
+ ALT_URL="https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/spamhaus_edrop.netset"
+ AGE=43200
+ ;;
+
+ ## IPv6
+ spamhaus_dropv6)
+ URL="https://www.spamhaus.org/drop/dropv6.txt"
+ ALT_URL=""
+ AGE=43200
+ ;;
+
+ *)
+ URL=""
+ ALT_URL=""
+ AGE=0
+ ;;
+ esac
+}
+
+download_file()
+{
+ local file="$1" url="$2"
+
+ curl -sSfL --globoff --retry 1 --connect-timeout 15 --max-time 1800 -o "$file" "$url" >/dev/null
+}
+
+valid_update_age()
+{
+ local netset="$1" age="$2" file
+
+ file="$DIR/$netset.netset"
+
+ if [ -f "$file" ]; then
+ if [ $(( $(date +%s) - $(date -r "$file" +%s) )) -lt $age ]; then
+ return 1
+ fi
+ fi
+ return 0
+}
+
+blocklist_netset()
+{
+ local netset tmp_file count mesg IFS
+
+ IFS=' ,'
+ for netset in $*; do
+ unset IFS
+ netset_url $netset
+ if [ -z "$URL" ]; then
+ echo "reload-blocklist-netset: Unknown Netset: $netset" >&2
+ continue
+ fi
+ if ! valid_update_age $netset $AGE; then
+ echo "reload-blocklist-netset: The file '$netset.netset' has been updated within $AGE seconds, skipping." >&2
+ continue
+ fi
+ tmp_file="$(mktemp "/tmp/reload_blocklist.XXXXXX")"
+ if ! download_file "$tmp_file" "$URL"; then
+ if [ -z "$ALT_URL" ] || ! download_file "$tmp_file" "$ALT_URL"; then
+ rm -f "$tmp_file"
+ mesg="Retrieving '$netset' netset failed for '$URL', skipping."
+ logger -s -t reload-blocklist-netset -p kern.info "$mesg"
+ continue
+ fi
+ fi
+ if grep -q -i -e '^<!DOCTYPE HTML' -e '^<HTML' "$tmp_file"; then
+ rm -f "$tmp_file"
+ mesg="Netset '$netset' text format is invalid for '$URL', skipping."
+ logger -s -t reload-blocklist-netset -p kern.info "$mesg"
+ continue
+ fi
+
+ cp "$tmp_file" "$DIR/$netset.netset"
+ rm -f "$tmp_file"
+ UPDATES=$((UPDATES + 1))
+
+ count=$(grep -c '^[1-9a-fA-F]' "$DIR/$netset.netset")
+ mesg="Netset '$netset' has been updated. Contains $count addresses/nets."
+ logger -t reload-blocklist-netset -p kern.info "$mesg"
+ echo "$mesg"
+ done
+}
+
+if [ -z "$DIR" ]; then
+ echo "Usage: reload-blocklist-netset netset_dir netset_1 [ netset_2 ... ]"
+ list_netsets
+ exit 1
+fi
+
+if [ ! -d "$DIR" ]; then
+ echo "reload-blocklist-netset: Directory not found: $DIR"
+ exit 1
+fi
+
+shift 1
+
+if [ -z "$1" ]; then
+ list_netsets
+ exit 1
+fi
+
+blocklist_netset "$@"
+
+if [ $UPDATES -gt 0 ]; then
+ arno-iptables-firewall force-reload
+fi
+
Property changes on: branches/1.0/package/arnofw/reload-blocklist-netset
___________________________________________________________________
Added: svn:executable
## -0,0 +1 ##
+*
\ No newline at end of property
This was sent by the SourceForge.net collaborative development platform, the world's largest Open Source development site.
|
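Review bot: In blocklist_netset the fetched body is installed with `cp "$tmp_file" "$DIR/$netset.netset"` after nothing more than an HTML sniff, so a 200 response carrying an empty, truncated or otherwise non-address body (curl -f only rejects HTTP error statuses) replaces a known-good netset, and the `arno-iptables-firewall force-reload` that follows quietly blocks less than before; the `count` on the next lines is computed after the copy, too late to gate it. I would validate the temp file before it is installed: drop comment and blank lines, require every remaining line to look like an IPv4/IPv6 address or CIDR (the Spamhaus files, as I recall, carry a trailing `; SBLnnn` comment, so allow that), and refuse to overwrite an existing file with an empty result — how strictly the firewall's own BLOCK_NETSET_DIR parsing tolerates stray lines is not visible in this commit, so the check is defensive. Writing to `$DIR/$netset.netset.tmp` and `mv`-ing it into place also keeps a concurrently running reload from reading a half-written file. A smaller point: there is no `trap`, so a run killed mid-download leaves `/tmp/reload_blocklist.*` behind.
```shell
    # … unchanged: download / ALT_URL fallback and HTML rejection …

    # Refuse bodies that are not a plain address/CIDR list (comments and blank
    # lines allowed); a bad or empty download must not replace a good list.
    if grep -v -e '^[[:space:]]*[#;]' -e '^[[:space:]]*$' "$tmp_file" \
         | grep -q -v -E '^[0-9a-fA-F.:]+(/[0-9]+)?[[:space:]]*(;.*)?$'; then
      rm -f "$tmp_file"
      mesg="Netset '$netset' contains non-address lines from '$URL', skipping."
      logger -s -t reload-blocklist-netset -p kern.info "$mesg"
      continue
    fi
    count=$(grep -c '^[1-9a-fA-F]' "$tmp_file")
    if [ "$count" -eq 0 ]; then
      rm -f "$tmp_file"
      mesg="Netset '$netset' is empty from '$URL', keeping the existing file."
      logger -s -t reload-blocklist-netset -p kern.info "$mesg"
      continue
    fi

    # Install atomically so a concurrent firewall reload never sees a partial file
    cp "$tmp_file" "$DIR/$netset.netset.tmp" && mv -f "$DIR/$netset.netset.tmp" "$DIR/$netset.netset"
    rm -f "$tmp_file"
    UPDATES=$((UPDATES + 1))

    # … unchanged: "has been updated" message using $count …
```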