#!/bin/sh

# Global variables
# Set to "true" by process_url when a download or extraction fails; the
# main flow below tests it and relaunches the script instead of continuing.
proc_error=""

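#######################################
# Download a URL to a file and, when the URL names a tarball, replace the
# file with the concatenated contents (tar -O) of the archive members.
# Arguments:
#   $1 - destination path (any existing file there is removed first)
#   $2 - URL to fetch
# Globals:
#   proc_error - set to "true" when the download or extraction fails
# Outputs:
#   failures are reported via logger
# Returns:
#   0 when $1 holds the (extracted) download, 1 otherwise
#######################################
process_url() {
	local file=$1
	local url=$2
	local filename=${url##*/}
	# Everything after the first dot, so "x.tar.gz" yields "tar.gz"
	local ext=${filename#*.}

	# Remove any stale copy first so the existence check below reflects
	# this download and not a leftover from an earlier run.
	rm -f -- "$file"
	/usr/bin/fetch -a -T 30 -q -o "$file" "${url}"

	if [ ! -f "$file" ]; then
		echo "Could not download ${url}" | logger
		proc_error="true"
		return 1
	fi

	# Extract in place: the archive is renamed to $file.tmp and its members
	# are written to $file. The shell redirection creates $file even when
	# tar fails, so the output is removed on error to let the check below fire.
	case "$ext" in
		tar)
			mv -- "$file" "$file.tmp"
			/usr/bin/tar -xf "$file.tmp" -O > "$file" 2> /dev/null || rm -f -- "$file"
			;;
		tar.gz|tgz)
			mv -- "$file" "$file.tmp"
			/usr/bin/tar -xzf "$file.tmp" -O > "$file" 2> /dev/null || rm -f -- "$file"
			;;
		tar.bz2)
			mv -- "$file" "$file.tmp"
			/usr/bin/tar -xjf "$file.tmp" -O > "$file" 2> /dev/null || rm -f -- "$file"
			;;
		*)
			# Plain file (e.g. .txt): nothing to extract
			;;
	esac

	rm -f -- "$file.tmp"

	if [ ! -f "$file" ]; then
		echo "Could not extract ${url}" | logger
		proc_error="true"
		return 1
	fi
	return 0
}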

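echo "rc.update_bogons is starting up." | logger

# Sleep for some time, unless an argument is specified. The delay is a
# random 16-bit value (0-65535 seconds) read from /dev/random, so that
# many firewalls do not all hit the mirror at the same moment.
if [ "$1" = "" ]; then
	# Grab a random value
	value=$(od -A n -d -N2 /dev/random | awk '{ print $1 }')
	echo "rc.update_bogons is sleeping for ${value:-0}" | logger
	sleep "${value:-0}"
fi

echo "rc.update_bogons is beginning the update cycle." | logger

# Set default values if not overridden; the environment may supply
# alternative list and checksum URLs.
v4url=${v4url:-"https://pkg.opnsense.org/bogons/fullbogons-ipv4.txt"}
v6url=${v6url:-"https://pkg.opnsense.org/bogons/fullbogons-ipv6.txt"}
v4urlcksum=${v4urlcksum:-"${v4url}.md5"}
v6urlcksum=${v6urlcksum:-"${v6url}.md5"}

# NOTE(review): fixed, predictable download paths under /tmp; a mktemp-created
# directory would avoid collisions with anything else writing these names.
process_url /tmp/bogons "${v4url}"
process_url /tmp/bogonsv6 "${v6url}"

if [ "$proc_error" != "" ]; then
	# Relaunch and sleep (no argument, so the new instance waits a random
	# interval before retrying)
	sh /usr/local/etc/rc.update_bogons &
	exit
fi

# The published .md5 files read "MD5 (<name>) = <digest>", hence field 4.
# These digests only detect a truncated or corrupted transfer; authenticity
# of the lists rests on fetch's TLS validation of the https URLs above.
BOGON_V4_CKSUM=$(/usr/bin/fetch -T 30 -q -o - "${v4urlcksum}" | awk '{ print $4 }')
ON_DISK_V4_CKSUM=$(md5 /tmp/bogons | awk '{ print $4 }')
BOGON_V6_CKSUM=$(/usr/bin/fetch -T 30 -q -o - "${v6urlcksum}" | awk '{ print $4 }')
ON_DISK_V6_CKSUM=$(md5 /tmp/bogonsv6 | awk '{ print $4 }')

# A checksum only counts as verified when the remote digest was actually
# obtained: two empty strings must not compare as a match.
v4_verified=""
v6_verified=""
if [ -n "$BOGON_V4_CKSUM" ] && [ "$BOGON_V4_CKSUM" = "$ON_DISK_V4_CKSUM" ]; then
	v4_verified="true"
fi
if [ -n "$BOGON_V6_CKSUM" ] && [ "$BOGON_V6_CKSUM" = "$ON_DISK_V6_CKSUM" ]; then
	v6_verified="true"
fi

# pf's table-entries limit; only needed when at least one list is usable.
# Every pfctl-derived value defaults to 0 when the command gives nothing so
# the arithmetic and comparisons below stay well-formed.
checksum_error=""
ENTRIES_MAX=0
if [ -n "$v4_verified" ] || [ -n "$v6_verified" ]; then
	ENTRIES_MAX=$(pfctl -s memory | awk '/table-entries/ { print $4 }')
	ENTRIES_MAX=${ENTRIES_MAX:-0}
fi

if [ -n "$v4_verified" ]; then
	ENTRIES_TOT=$(pfctl -vvsTables | awk '/Addresses/ {s+=$2}; END {print s}')
	ENTRIES_V4=$(pfctl -vvsTables | awk '/-\tbogons$/ {getline; print $2}')
	LINES_V4=$(wc -l /tmp/bogons | awk '{ print $1 }')
	# presumably: a replace needs room for old and new entries at once,
	# hence 2*total minus the current bogons table size -- TODO confirm
	if [ "$ENTRIES_MAX" -gt $((2*${ENTRIES_TOT:-0}-${ENTRIES_V4:-0}+${LINES_V4:-0})) ]; then
		# Strip the RFC 1918 private ranges before loading (dots escaped so
		# the pattern matches literally)
		grep -Ev "^192\.168\.0\.0/16|^172\.16\.0\.0/12|^10\.0\.0\.0/8" /tmp/bogons > /usr/local/etc/bogons
		RESULT=$(/sbin/pfctl -t bogons -T replace -f /usr/local/etc/bogons 2>&1)
		echo "$RESULT" | awk '{ print "Bogons V4 file downloaded: " $0 }' | logger
	else
		echo "Not updating IPv4 bogons (increase table-entries limit)" | logger
	fi
	rm -f /tmp/bogons
else
	echo "Could not download ${v4url} (checksum mismatch)" | logger
	checksum_error="true"
fi

if [ -n "$v6_verified" ]; then
	# The bogonsv6 table is absent when IPv6 Allow is off (see the log
	# messages below); without it the file is only refreshed on disk.
	BOGONS_V6_TABLE_COUNT=$(pfctl -sTables | grep -c '^bogonsv6$')
	ENTRIES_TOT=$(pfctl -vvsTables | awk '/Addresses/ {s+=$2}; END {print s}')
	LINES_V6=$(wc -l /tmp/bogonsv6 | awk '{ print $1 }')
	if [ "${BOGONS_V6_TABLE_COUNT:-0}" -gt 0 ]; then
		ENTRIES_V6=$(pfctl -vvsTables | awk '/-\tbogonsv6$/ {getline; print $2}')
		if [ "$ENTRIES_MAX" -gt $((2*${ENTRIES_TOT:-0}-${ENTRIES_V6:-0}+${LINES_V6:-0})) ]; then
			# Strip the fc00::/7 ULA prefix before loading
			grep -Eiv "^fc00::/7" /tmp/bogonsv6 > /usr/local/etc/bogonsv6
			RESULT=$(/sbin/pfctl -t bogonsv6 -T replace -f /usr/local/etc/bogonsv6 2>&1)
			echo "$RESULT" | awk '{ print "Bogons V6 file downloaded: " $0 }' | logger
		else
			echo "Not saving or updating IPv6 bogons (increase table-entries limit)" | logger
		fi
	else
		if [ "$ENTRIES_MAX" -gt $((2*${ENTRIES_TOT:-0}+${LINES_V6:-0})) ]; then
			grep -Eiv "^fc00::/7" /tmp/bogonsv6 > /usr/local/etc/bogonsv6
			echo "Bogons V6 file downloaded but not updating IPv6 bogons table because IPv6 Allow is off" | logger
		else
			echo "Not saving IPv6 bogons table (IPv6 Allow is off and table-entries limit is potentially too low)" | logger
		fi
	fi
	rm -f /tmp/bogonsv6
else
	echo "Could not download ${v6url} (checksum mismatch)" | logger
	checksum_error="true"
fi

# Any mismatch (including both lists failing verification, which previously
# ended the run silently) schedules a retry.
if [ "$checksum_error" != "" ]; then
	# Relaunch and sleep
	sh /usr/local/etc/rc.update_bogons &
	exit
fi

echo "rc.update_bogons is ending the update cycle." | logger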