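# IP set extras
#
# This article relies on the following:
#   - Accessing web interface / command-line interface
#   - Managing configs / packages / services / logs
#
# Introduction
#   This instruction extends the functionality of Firewall.
#   Follow the automated section for quick setup.
#
# Features
#   - Create and populate IP sets with domains, CIDRs and ASNs.
#   - Populate IP sets automatically at startup.
#
# Implementation
#   - Rely on DNS/Firewall IP set UCI configurations.
#   - Process settings with OpenWrt functions.
#   - Utilize resolveip to resolve domains.
#   - Fetch ASN prefixes using RIPEstat Data API.
#   - Use Hotplug to trigger setup automatically.
#
# Commands
#   Sub-command  Description
#   reset        Reset IP sets.
#   setup        Set up IP sets.
#   unset        Unset IP sets.

# ---------------------------------------------------------------------------
# Instructions
# ---------------------------------------------------------------------------

# Configure profile
mkdir -p /etc/profile.d
cat << "EOF" > /etc/profile.d/ipset.sh
# Shell wrapper around the ipset binary.
# reset/setup/unset operate on the 'ipset' sections of the dhcp UCI config;
# every other sub-command is handed to the real ipset command unchanged.
ipset() {
  local IPSET_CMD="${1}"
  case "${IPSET_CMD}" in
  (reset)
    ipset unset
    ipset setup
    ;;
  (setup|unset)
    . /lib/functions.sh
    config_load dhcp
    config_foreach ipset_proc_"${IPSET_CMD}" ipset
    uci_commit firewall
    /etc/init.d/firewall restart
    ;;
  (*)
    command ipset "${@}"
    ;;
  esac
}

# Collect the entries of one ipset section (domains, CIDRs, ASN prefixes)
# into a temporary file, then configure every set name listed in the section.
# IPSET_TEMP is read by ipset_setup through the caller's scope.
ipset_proc_setup() {
  local IPSET_CONF="${1}"
  local IPSET_TEMP
  # Assigned separately so that a mktemp failure is not hidden by 'local'.
  IPSET_TEMP="$(mktemp -t ipset.XXXXXX)" || return 1
  # Resolver and RIPEstat output is external data that ipset_setup places
  # inside quoted 'uci batch' arguments. Keep only lines that consist of
  # address characters with an optional /prefix length, so a malformed or
  # tampered response cannot add its own uci commands.
  {
    config_list_foreach "${IPSET_CONF}" domain ipset_domain
    config_list_foreach "${IPSET_CONF}" cidr ipset_cidr
    config_list_foreach "${IPSET_CONF}" asn ipset_asn
  } | grep -x -E -e '[0-9A-Fa-f:.]+(/[0-9]+)?' > "${IPSET_TEMP}"
  config_list_foreach "${IPSET_CONF}" name ipset_"${IPSET_CMD}"
  rm -f "${IPSET_TEMP}"
}

# Remove the entries of every set name listed in one ipset section.
ipset_proc_unset() {
  local IPSET_CONF="${1}"
  config_list_foreach "${IPSET_CONF}" name ipset_"${IPSET_CMD}"
}

# Create or refresh one firewall ipset section from the collected entries.
# A set name ending in 6 is treated as IPv6, anything else as IPv4.
# The sed script drops entries of the other family (lines containing '.'
# for an IPv6 set, lines containing ':' for an IPv4 set) and turns each
# remaining line into a del_list/add_list pair, so that an entry which is
# already present is not duplicated.
ipset_setup() {
  local IPSET_NAME="${1}"
  local IPSET_FAMILY
  case "${IPSET_NAME}" in
  (*6) IPSET_FAMILY="ipv6" ;;
  (*) IPSET_FAMILY="ipv4" ;;
  esac
  uci -q batch << EOI
set firewall.'${IPSET_NAME}'='ipset'
set firewall.'${IPSET_NAME}'.name='${IPSET_NAME}'
set firewall.'${IPSET_NAME}'.family='${IPSET_FAMILY}'
set firewall.'${IPSET_NAME}'.match='net'
$(sed -e "/${IPSET_FAMILY/ipv6/\\.}/d
/${IPSET_FAMILY/ipv4/:}/d;s/^.*$/\
del_list firewall.'${IPSET_NAME}'.entry='\0'\n\
add_list firewall.'${IPSET_NAME}'.entry='\0'/" "${IPSET_TEMP}")
EOI
}

# Delete all entries of one firewall ipset section.
ipset_unset() {
  local IPSET_NAME="${1}"
  uci -q batch << EOI
delete firewall.'${IPSET_NAME}'.entry
EOI
}

# Print the addresses a domain resolves to.
ipset_domain() {
  local IPSET_ENTRY="${1}"
  resolveip "${IPSET_ENTRY}"
}

# Print a configured CIDR as is.
ipset_cidr() {
  local IPSET_ENTRY="${1}"
  printf '%s\n' "${IPSET_ENTRY}"
}

# Print the prefixes announced by an ASN, as reported by RIPEstat.
ipset_asn() {
  local IPSET_ENTRY="${1}"
  # The value becomes part of the request URL; accept letters and digits
  # only so it cannot add further query parameters.
  case "${IPSET_ENTRY}" in
  (""|*[!0-9A-Za-z]*)
    echo "ipset: skipping invalid ASN '${IPSET_ENTRY}'" >&2
    return 1
    ;;
  esac
  uclient-fetch -O - "https://stat.ripe.net/data/announced-prefixes/data.json?resource=${IPSET_ENTRY}" \
  | jsonfilter -e "$['data']['prefixes'][*]['prefix']"
}
EOF
. /etc/profile.d/ipset.sh

# Configure hotplug
# NOTE(review): the [ ! -e ] test suggests the lock file is meant to stay
# behind after the first run so that later "online" events are skipped --
# confirm against the behaviour of 'lock -u'.
mkdir -p /etc/hotplug.d/online
cat << "EOF" > /etc/hotplug.d/online/70-ipset-setup
if [ ! -e /var/lock/ipset-setup ] \
&& lock -n /var/lock/ipset-setup
then
. /etc/profile.d/ipset.sh
ipset setup
lock -u /var/lock/ipset-setup
fi
EOF
cat << "EOF" >> /etc/sysupgrade.conf
/etc/hotplug.d/online/70-ipset-setup
EOF

# ---------------------------------------------------------------------------
# Examples
# ---------------------------------------------------------------------------

# Install packages
opkg update
opkg install resolveip

# Configure IP sets, domains, CIDRs and ASNs
uci set dhcp.example="ipset"
uci add_list dhcp.example.name="example"
uci add_list dhcp.example.name="example6"
uci add_list dhcp.example.domain="example.com"
uci add_list dhcp.example.domain="example.net"
uci add_list dhcp.example.cidr="9.9.9.9/32"
uci add_list dhcp.example.cidr="2620:fe::fe/128"
uci add_list dhcp.example.asn="2906"
uci add_list dhcp.example.asn="40027"
uci commit dhcp

# Populate IP sets
ipset setup

# ---------------------------------------------------------------------------
# Automated
# ---------------------------------------------------------------------------

# The script is exported from an editable wiki page and is sourced into the
# current shell, so it runs with that shell's privileges. Read
# ipset-extras.sh after downloading it and before sourcing it.
uclient-fetch -O ipset-extras.sh "https://openwrt.org/_export/code/docs/guide-user/advanced/ipset_extras?codeblock=0"
. ./ipset-extras.sh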