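#!/bin/bash
# Refreshes the FireHOL-backed ipset used by the USG firewall: the upstream
# feeds are loaded into a scratch set, which is swapped into the live set and
# saved to a backup so a freshly rebooted box can reload the last good copy
# without re-downloading. Progress is written to
# /config/scripts/blocklist-processing.txt, which this block truncates.
{
  echo "Blocklist update started"
} > /config/scripts/blocklist-processing.txt

# Name of the live set, read from config.boot. This assumes the address-group
# name sits two lines above the line containing "FireHOL" (its description)
# — TODO confirm against the actual config layout on the device.
real_list=$(grep -B2 "FireHOL" /config/config.boot | head -n 1 | awk '{print $2}')
if [[ -z "$real_list" ]]; then
  echo "aborting"
  echo "aborting: no FireHOL address-group found in /config/config.boot" >> /config/scripts/blocklist-processing.txt
  exit 1
fi
echo "Will update FireHOL list ID $real_list"

# Scratch set that is filled and verified before being swapped with $real_list.
ipset_list="temporary-list"

# The fourth field of `uptime` is "min," only while the box has been up for
# less than an hour (e.g. "up 5 min,"); afterwards that field belongs to
# "1:23," or "days,". Used below to recognise a recent boot/provisioning.
usgupt=$(uptime | awk '{print $4}')

# Holds the backup path only briefly; the rest of the script reads it as a
# TRUE/FALSE flag.
backupexists="/config/scripts/blocklist-backup.bak"
if [[ -e "$backupexists" ]]; then
  backupexists="TRUE"
else
  backupexists="FALSE"
fi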
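#######################################
# Rebuild the scratch set from the upstream FireHOL feeds and swap it into the
# live set, but only if the scratch set actually received entries; a download
# that yields nothing must not wipe the protection currently in place.
# Globals:   ipset_list (read), real_list (read)
# Arguments: none
# Outputs:   progress on stdout, fetch failures on stderr, details appended to
#            /config/scripts/blocklist-processing.txt; writes
#            /config/scripts/blocklist-backup.bak on a successful swap
# Returns:   status of the last ipset command
#######################################
process_blocklist () {
  local log=/config/scripts/blocklist-processing.txt
  local url
  local fetch_failures=0
  local tlcontents

  /sbin/ipset -! destroy "$ipset_list"
  /sbin/ipset create "$ipset_list" hash:net
  for url in https://iplists.firehol.org/files/firehol_level1.netset \
             https://iplists.firehol.org/files/firehol_level2.netset \
             https://iplists.firehol.org/files/iblocklist_onion_router.netset \
             https://iplists.firehol.org/files/ciarmy.ipset \
             https://iplists.firehol.org/files/tor_exits.ipset; do
    echo "Fetching and processing $url"
    {
      echo "Processing blocklist"
      date
      echo "$url"
    } >> "$log"
    # -f turns an HTTP error into a non-zero exit instead of feeding the error
    # page into the set; --max-time keeps a stalled mirror from hanging the
    # cron job. The awk filter lets only tokens shaped like an IPv4 address or
    # CIDR prefix through, so nothing else from the download reaches ipset as
    # an argument (the leading [1-9] mirrors the original filter).
    curl -fsS --max-time 300 "$url" \
      | awk '$1 ~ /^[1-9][0-9]*\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ { print $1 }' \
      | xargs -n1 /sbin/ipset -! add "$ipset_list"
    # Without pipefail the pipeline reports xargs's status, so check curl's
    # own exit code; a failed feed is logged rather than silently skipped.
    if (( PIPESTATUS[0] != 0 )); then
      fetch_failures=$((fetch_failures + 1))
      echo "Fetching $url failed, its entries are missing from this run" >&2
      echo "Fetching $url failed, its entries are missing from this run" >> "$log"
    fi
  done

  # First line after "Members:" is empty when no entry was added at all.
  tlcontents=$(/sbin/ipset list "$ipset_list" | grep -A1 "Members:" | sed -n '2p')
  if [[ -z "$tlcontents" ]]; then
    echo "Temporary list is empty, not backing up or swapping list. Leaving current list and contents in place."
    {
      echo "Temporary list is empty, not backing up or swapping list. Leaving current list and contents in place."
      date
    } >> "$log"
  else
    if (( fetch_failures > 0 )); then
      echo "$fetch_failures feed(s) could not be fetched, the new list may be incomplete"
      echo "$fetch_failures feed(s) could not be fetched, the new list may be incomplete" >> "$log"
    fi
    # Save before the swap: the backup holds the freshly built scratch set,
    # which is what the fast-restore path at boot expects to find.
    /sbin/ipset save "$ipset_list" -f /config/scripts/blocklist-backup.bak
    /sbin/ipset swap "$ipset_list" "$real_list"
    echo "Blocklist is updated and backed up"
    {
      echo "Blocklist is updated and backed up"
      date
    } >> "$log"
  fi
  {
    echo "Blocklist contents"
    /sbin/ipset list -s "$real_list"
  } >> "$log"

  # Change comparison against the previous run is disabled. The delimiter is
  # quoted on purpose: with an unquoted delimiter bash still expands the
  # $(...) command substitutions inside the here-document, so the ipset list
  # commands below would run even though the block is meant to be inert.
  : <<'Disabled'
  if [ "$usgupt" != "min," ] && [ "$backupexists" == "TRUE" ]
  then
  echo "Processing changes compared to previous run"
  echo "To see the changes check the log located at /config/scripts/blocklist-processing.txt"
  {
  echo "Blocklist changes compared to previous run"
  } >> /config/scripts/blocklist-processing.txt
  for Nip in $(/sbin/ipset list "$real_list" | awk '/^[1-9]/ { print }')
  do
  NTotal=$((NTotal+1));
  if ! /sbin/ipset test $ipset_list "$Nip"
  then
  NChanges=$((NChanges+1));
  {
  echo "ADDED $Nip to the list"
  } >> /config/scripts/blocklist-processing.txt
  else
  NoneAdded=$((NoneAdded+1));
  fi
  done
  for Oip in $(/sbin/ipset list $ipset_list | awk '/^[1-9]/ { print }')
  do
  OTotal=$((OTotal+1));
  if ! /sbin/ipset test "$real_list" "$Oip"
  then
  OChanges=$((OChanges+1));
  {
  echo "REMOVED $Oip from the list"
  } >> /config/scripts/blocklist-processing.txt
  else
  NoneRemoved=$((NoneRemoved+1));
  fi
  done
  if [ $((NTotal + OTotal)) == $((NoneAdded + NoneRemoved)) ]
  then
  {
  echo "No changes"
  } >> /config/scripts/blocklist-processing.txt
  else
  TChanges=$((NChanges + OChanges));
  {
  echo "$NChanges additions"
  echo "$OChanges removals"
  echo "$TChanges total changes"
  } >> /config/scripts/blocklist-processing.txt
  fi
  echo "Blocklist comparison complete"
  {
  echo "Blocklist comparison complete"
  } >> /config/scripts/blocklist-processing.txt
  fi
Disabled

  {
    echo "Blocklist processing finished"
    date
  } >> "$log"
  # After the swap the scratch set holds the previous live contents; drop it.
  /sbin/ipset destroy "$ipset_list"
  echo "Blocklist processing finished"
}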
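# Choose between a fast restore (recent boot with a backup on disk) and a full
# rebuild. Uses $usgupt, $backupexists, $ipset_list, $real_list and
# process_blocklist defined earlier in this file.
if [[ "$usgupt" == "min," && "$backupexists" == "TRUE" ]]; then
  echo "USG uptime is less than one hour, and backup list is found"
  echo "Loading previous version of blocklist. This will speed up provisioning"
  {
    echo "USG uptime is less than one hour, and backup list is found"
    echo "Loading previous version of blocklist. This will speed up provisioning"
    date
  } >> /config/scripts/blocklist-processing.txt
  # The backup was written with 'ipset save' of the scratch set, so restoring
  # it recreates that set. A truncated or stale file makes restore fail; fall
  # back to a full rebuild instead of leaving the live set unpopulated until
  # the next scheduled run.
  if /sbin/ipset restore -f /config/scripts/blocklist-backup.bak; then
    /sbin/ipset swap "$ipset_list" "$real_list"
    /sbin/ipset -! destroy "$ipset_list"
    {
      echo "Blocklist contents"
      /sbin/ipset list -s "$real_list"
      echo "Restoration of blocklist backup complete"
      date
    } >> /config/scripts/blocklist-processing.txt
    echo "Restoration of blocklist backup complete"
  else
    echo "Restoring the blocklist backup failed, rebuilding the list from upstream instead"
    {
      echo "Restoring the blocklist backup failed, rebuilding the list from upstream instead"
      date
    } >> /config/scripts/blocklist-processing.txt
    process_blocklist
    echo "Rebuild of blocklist after failed restore complete"
  fi
elif [[ "$usgupt" == "min," && "$backupexists" == "FALSE" ]]; then
  echo "USG uptime is less than one hour, but backup list is not found"
  echo "Proceeding to create new blocklist. This will delay provisioning, but ensure you are protected"
  echo "Blocklist changes will not be compared as this is the first creation of the list"
  {
    echo "USG uptime is less than one hour, but backup list is not found"
    echo "Proceeding to create new blocklist. This will delay provisioning, but ensure you are protected"
    echo "Blocklist changes will not be compared as this is the first creation of the list"
    date
  } >> /config/scripts/blocklist-processing.txt
  process_blocklist
  echo "First time creation of blocklist complete"
else
  echo "Routine processing of blocklist started"
  {
    echo "Routine processing of blocklist started"
    date
  } >> /config/scripts/blocklist-processing.txt
  process_blocklist
  echo "Routine processing of blocklist complete"
fi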