Closed lightmaster closed 10 months ago
Yeah, I'll rework it tomorrow. I'm using this, plus some other code that does country blocks based on ipdeny.com lists, mainly because I found that first and am seeing a huge amount of hits from Brazil (around 10k per min). Using this on a weather site based in a small town in the US, so there's no reason for anything from there, period.
Those status lines were part of me marrying the two different bits of code's statuses together and how it looked best with around 20 lines of status output.
I'm not sold on the status display change though. It definitely would benefit from a header, but currently it's 3 lines of iptables status and this change takes it to 12 lines. Could you remove the status changes and resubmit please?
What about status output like this? It adds a header line and a description at the end of each line saying which is which.
>> /etc/ufw/after.init status
Name: ufw-blocklist-ipsum
Type: hash:net
Revision: 7
Header: family inet hashsize 8192 maxelem 65536 bucketsize 12 initval 0x9c448673
Size in memory: 553968
References: 3
Number of entries: 18953
pkts bytes target prot opt in out source destination
47623 2245K DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0 /* ufw-blocklist-input */
0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0 /* ufw-blocklist-foward */
0 0 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0 /* ufw-blocklist-output */
Oct 27 06:29:33 Adguard-Home ufw-blocklist-ipsum[88092]: starting update of ufw-blocklist-ipsum with 19504 entries from https://raw.githubusercontent.com/stamparm/ipsum/master/levels/3.txt
The header is a definite, and formatting with printf is, I think, the way to go. I'm aiming to have multiple ipsets, with matching packets jumping to the shared targets. So the output of status might look something like this:
pkts bytes target prot opt in out source destination
0 0 ufw-blocklist-input all -- * * 0.0.0.0/0 0.0.0.0/0 match-set ufw-blocklist-ipsum src
0 0 ufw-blocklist-input all -- * * 0.0.0.0/0 0.0.0.0/0 match-set ufw-blocklist-bogons src
0 0 ufw-blocklist-input all -- * * 0.0.0.0/0 0.0.0.0/0 match-set ufw-blocklist-countryA src
0 0 ufw-blocklist-forward all -- * * 0.0.0.0/0 0.0.0.0/0 match-set ufw-blocklist-ipsum dst
0 0 ufw-blocklist-forward all -- * * 0.0.0.0/0 0.0.0.0/0 match-set ufw-blocklist-bogons dst
0 0 ufw-blocklist-forward all -- * * 0.0.0.0/0 0.0.0.0/0 match-set ufw-blocklist-countryA dst
0 0 ufw-blocklist-output all -- * * 0.0.0.0/0 0.0.0.0/0 match-set ufw-blocklist-ipsum dst
0 0 ufw-blocklist-output all -- * * 0.0.0.0/0 0.0.0.0/0 match-set ufw-blocklist-bogons dst
0 0 ufw-blocklist-output all -- * * 0.0.0.0/0 0.0.0.0/0 match-set ufw-blocklist-countryA dst
That's getting complicated, as the status might come from each of the scripts.
Add chain_exists function to check if an iptables chain already exists.
When enabling UFW, check if each blocklist chain already exists and for each one that does already exist, remove it and then recreate the chain. Prevents issues starting UFW if a chain already existed when you tried to enable UFW.
When disabling UFW, check to make sure each chain actually exists before removing them. Otherwise, if a chain was already removed, `ufw disable` will error and stop cleaning up the other blocklists.

Reformat the status display so that it separates each chain and shows the column headers for what each value is.
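The chain_exists check and the enable/disable handling described in the message above, written out as an added example that is not the ufw-blocklist project's own code. It assumes the three ufw-blocklist-* chain names from the status output, reaches iptables through an `$IPTABLES` variable so the binary can be substituted, and assumes any jump rules referencing a chain were removed before the chain is deleted.

```shell
#!/bin/sh
# Added example, not the project's own code. Assumptions: the three
# ufw-blocklist-* chain names from the status output above, and the
# iptables binary reached via $IPTABLES so it can be substituted.
IPTABLES="${IPTABLES:-iptables}"
CHAINS="ufw-blocklist-input ufw-blocklist-forward ufw-blocklist-output"

# Exit 0 if the chain exists in the filter table, non-zero otherwise.
# Listing an unknown chain fails; -n skips DNS lookups on the rules.
chain_exists() {
    "$IPTABLES" -n -L "$1" >/dev/null 2>&1
}

# Flush and delete a chain that is known to exist. -X refuses to delete
# a chain that is still referenced, so any jump rules into it must
# already be gone (assumed here).
delete_chain() {
    "$IPTABLES" -F "$1" && "$IPTABLES" -X "$1"
}

# Enable path: a chain left over from an earlier run would make -N
# fail, so remove it first and then create it fresh.
recreate_chain() {
    if chain_exists "$1"; then
        delete_chain "$1"
    fi
    "$IPTABLES" -N "$1"
}

# Disable path: skip chains that are already gone instead of erroring,
# so one missing chain does not abort cleanup of the remaining ones.
remove_chain() {
    if chain_exists "$1"; then
        delete_chain "$1"
    fi
}

blocklist_start() { for c in $CHAINS; do recreate_chain "$c"; done; }
blocklist_stop()  { for c in $CHAINS; do remove_chain "$c"; done; }

case "${1:-}" in
    start) blocklist_start ;;
    stop)  blocklist_stop ;;
esac
```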