#!/bin/sh

#
# TODO: opnSense, drop/replace?
#

sys.exit(0)
# NOTE(review): the line above is Python, not sh. /bin/sh cannot parse it
# (syntax error at the "(") and stops right here, so nothing below this point
# ever runs. Presumably a deliberate stub while the TODO above is open -- confirm.
# Update bogons file
# Part of the pfSense project
# https://www.pfsense.org

# Global variables
# Set to "true" by process_url when a download or an extraction fails;
# checked after both lists have been fetched.
proc_error=""

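#######################################
# Download a URL to a local file and, when the file name carries a tar
# suffix, replace the download with the concatenated contents of the
# archive (tar -O writes every member to stdout, redirected into $1).
# Globals:   proc_error (written: set to "true" on download/extract failure)
# Arguments: $1 - destination path on disk
#            $2 - URL to fetch
# Outputs:   diagnostics go to syslog via logger
# Returns:   0 when $1 exists afterwards, 1 otherwise
#######################################
process_url() {
	local file=$1
	local url=$2
	local filename=${url##*/}
	# Everything after the first dot, so "x.tar.gz" yields "tar.gz".
	local ext=${filename#*.}

	# -a retries transient failures, -T 30 bounds each connection attempt.
	/usr/bin/fetch -a -T 30 -q -o "$file" "${url}"

	if [ ! -f "$file" ]; then
		echo "Could not download ${url}" | logger
		proc_error="true"
		# Nothing to extract. Falling through used to run mv/tar on a missing
		# file and then log a second, misleading "Could not extract" message.
		return 1
	fi

	# On extraction failure the output file is removed again; otherwise the
	# ">" redirection leaves an empty $file behind and the check further down
	# would report success.
	case "$ext" in
		tar)
			mv "$file" "$file.tmp"
			/usr/bin/tar -xf "$file.tmp" -O > "$file" 2> /dev/null || rm -f "$file"
			;;
		tar.gz|tgz)
			mv "$file" "$file.tmp"
			/usr/bin/tar -xzf "$file.tmp" -O > "$file" 2> /dev/null || rm -f "$file"
			;;
		tar.bz2)
			mv "$file" "$file.tmp"
			/usr/bin/tar -xjf "$file.tmp" -O > "$file" 2> /dev/null || rm -f "$file"
			;;
		*)
			# Plain file (e.g. .txt): nothing to unpack.
			;;
	esac

	if [ -f "$file.tmp" ]; then
		rm "$file.tmp"
	fi

	if [ ! -f "$file" ]; then
		# Was "$(unknown)", which tried to run a nonexistent command instead
		# of naming the URL in the log line.
		echo "Could not extract ${url}" | logger
		proc_error="true"
		return 1
	fi
	return 0
}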

echo "rc.update_bogons is starting up." | logger

# Sleep for some time, unless an argument is specified. The delay is an
# unsigned 16-bit number of seconds taken from /dev/random (0..65535),
# presumably to stagger the downloads of many installations -- confirm.
if [ -z "$1" ]; then
    # Grab a random value
    value=$(od -A n -d -N2 /dev/random | awk '{ print $1 }')
    echo "rc.update_bogons is sleeping for $value" | logger
    sleep "$value"
fi

echo "rc.update_bogons is beginning the update cycle." | logger

# Set default values if not overridden (the environment may pre-set any of
# these four; the checksum URLs default to the list URL plus ".md5").
: "${v4url:=https://pkg.opnsense.org/bogons/fullbogons-ipv4.txt}"
: "${v6url:=https://pkg.opnsense.org/bogons/fullbogons-ipv6.txt}"
: "${v4urlcksum:=${v4url}.md5}"
: "${v6urlcksum:=${v6url}.md5}"

# NOTE(review): fixed, predictable names under /tmp; mktemp would avoid
# picking up a pre-existing file or link of that name -- confirm whether
# unprivileged users can write to /tmp on the target system.
process_url /tmp/bogons "${v4url}"
process_url /tmp/bogonsv6 "${v6url}"

if [ -n "$proc_error" ]; then
	# Relaunch and sleep (the new instance gets no argument, so it sleeps
	# a random interval before trying again)
	sh /usr/local/etc/rc.update_bogons &
	exit
fi

# Remote digest vs. the file just written. Field 4 is the digest in the
# "MD5 (name) = hash" layout md5(1) prints; assumes the downloaded .md5
# uses the same layout -- confirm against the mirror.
BOGON_V4_CKSUM=$(/usr/bin/fetch -T 30 -q -o - "${v4urlcksum}" | awk '{ print $4 }')
ON_DISK_V4_CKSUM=$(md5 /tmp/bogons | awk '{ print $4 }')
BOGON_V6_CKSUM=$(/usr/bin/fetch -T 30 -q -o - "${v6urlcksum}" | awk '{ print $4 }')
ON_DISK_V6_CKSUM=$(md5 /tmp/bogonsv6 | awk '{ print $4 }')

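# NOTE(review): the .md5 files come from the same origin as the lists, so a
# match proves the download is complete and uncorrupted, not that it is
# authentic; that rests on the HTTPS transport.
if [ "$BOGON_V4_CKSUM" = "$ON_DISK_V4_CKSUM" ] || [ "$BOGON_V6_CKSUM" = "$ON_DISK_V6_CKSUM" ]; then
	# At least one of the downloaded checksums matches, so mount RW
	/usr/local/etc/rc.conf_mount_rw

	# Hard limit on pf table entries. Defaults to 0 (refuse to update) when
	# pfctl prints nothing, instead of handing "[" an empty operand.
	ENTRIES_MAX=$(pfctl -s memory | awk '/table-entries/ { print $4 }')
	ENTRIES_MAX=${ENTRIES_MAX:-0}

	if [ "$BOGON_V4_CKSUM" = "$ON_DISK_V4_CKSUM" ]; then
		ENTRIES_TOT=$(pfctl -vvsTables | awk '/Addresses/ {s+=$2}; END {print s}')
		ENTRIES_V4=$(pfctl -vvsTables | awk '/-\tbogons$/ {getline; print $2}')
		LINES_V4=$(wc -l /tmp/bogons | awk '{ print $1 }')
		# Headroom check: entries already loaded (minus the table being
		# replaced) plus the new list must stay under the limit. The total is
		# doubled, apparently to cover the replace holding old and new entries
		# at the same time -- confirm against pf's accounting.
		if [ "$ENTRIES_MAX" -gt $((2*${ENTRIES_TOT:-0}-${ENTRIES_V4:-0}+${LINES_V4:-0})) ]; then
			# Drop the RFC 1918 ranges before loading, presumably so locally
			# used private networks are never treated as bogons. Dots are
			# escaped: the previous pattern let "." match any character.
			grep -Ev '^192\.168\.0\.0/16|^172\.16\.0\.0/12|^10\.0\.0\.0/8' /tmp/bogons > /usr/local/etc/bogons
			RESULT=$(/sbin/pfctl -t bogons -T replace -f /usr/local/etc/bogons 2>&1)
			echo "$RESULT" | awk '{ print "Bogons V4 file downloaded: " $0 }' | logger
		else
			echo "Not updating IPv4 bogons (increase table-entries limit)" | logger
		fi
		rm /tmp/bogons
	else
		echo "Could not download ${v4url} (checksum mismatch)" | logger
		checksum_error="true"
	fi

	if [ "$BOGON_V6_CKSUM" = "$ON_DISK_V6_CKSUM" ]; then
		# 1 when pf already has a bogonsv6 table, 0 otherwise. The log text
		# below treats a missing table as "IPv6 Allow is off".
		BOGONS_V6_TABLE_COUNT=$(pfctl -sTables | grep -c '^bogonsv6$')
		ENTRIES_TOT=$(pfctl -vvsTables | awk '/Addresses/ {s+=$2}; END {print s}')
		LINES_V6=$(wc -l /tmp/bogonsv6 | awk '{ print $1 }')
		if [ "${BOGONS_V6_TABLE_COUNT:-0}" -gt 0 ]; then
			ENTRIES_V6=$(pfctl -vvsTables | awk '/-\tbogonsv6$/ {getline; print $2}')
			# Same headroom rule as for IPv4.
			if [ "$ENTRIES_MAX" -gt $((2*${ENTRIES_TOT:-0}-${ENTRIES_V6:-0}+${LINES_V6:-0})) ]; then
				# Keep ULA space (fc00::/7) out of the list, as the v4 branch
				# keeps the RFC 1918 ranges.
				grep -Eiv '^fc00::/7' /tmp/bogonsv6 > /usr/local/etc/bogonsv6
				RESULT=$(/sbin/pfctl -t bogonsv6 -T replace -f /usr/local/etc/bogonsv6 2>&1)
				echo "$RESULT" | awk '{ print "Bogons V6 file downloaded: " $0 }' | logger
			else
				echo "Not saving or updating IPv6 bogons (increase table-entries limit)" | logger
			fi
		else
			# No table to replace: only keep the filtered file for later use.
			if [ "$ENTRIES_MAX" -gt $((2*${ENTRIES_TOT:-0}+${LINES_V6:-0})) ]; then
				grep -Eiv '^fc00::/7' /tmp/bogonsv6 > /usr/local/etc/bogonsv6
				echo "Bogons V6 file downloaded but not updating IPv6 bogons table because IPv6 Allow is off" | logger
			else
				echo "Not saving IPv6 bogons table (IPv6 Allow is off and table-entries limit is potentially too low)" | logger
			fi
		fi
		rm /tmp/bogonsv6
	else
		echo "Could not download ${v6url} (checksum mismatch)" | logger
		checksum_error="true"
	fi

	# We mounted RW, so switch back to RO
	/usr/local/etc/rc.conf_mount_ro
fi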

# A checksum mismatch on either list: start over and leave. The relaunch
# receives no argument, so it sleeps a random interval before retrying.
if [ -n "$checksum_error" ]; then
	sh /usr/local/etc/rc.update_bogons &
	exit
fi

echo "rc.update_bogons is ending the update cycle." | logger