docs:guide-user:advanced:ipset_extras [2021/10/20 03:26] – moved from docs:guide-user:firewall:fw3_configurations:ipset vgaeteradocs:guide-user:advanced:ipset_extras [2023/10/18 07:56] – consolidate terminology vgaetera
Line 1: Line 1:
 ====== IP set extras ====== ====== IP set extras ======
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}+{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
  
 ===== Introduction ===== ===== Introduction =====
-  * This instruction extends the functionality of [[https://ipset.netfilter.org/|IP sets]].+  * This instruction extends the functionality of [[docs:guide-user:firewall:start|Firewall]].
   * Follow the [[docs:guide-user:advanced:ipset_extras#automated|automated]] section for quick setup.   * Follow the [[docs:guide-user:advanced:ipset_extras#automated|automated]] section for quick setup.
  
 ===== Features ===== ===== Features =====
-  * Create and populate IP sets with domains, CIDRs and ASNs.+  * Create and populate IP sets with domains, CIDRsASNs and GeoIP.
   * Populate IP sets automatically at startup.   * Populate IP sets automatically at startup.
  
 ===== Implementation ===== ===== Implementation =====
-  * Rely on [[docs:guide-user:base-system:dhcp#ip_sets|UCI configuration]] for IP sets.+  * Rely on [[docs:guide-user:base-system:dhcp#ip_sets|DNS]]/[[docs:guide-user:firewall:firewall_configuration#ip_sets|Firewall]] IP set UCI configurations.
   * Process settings with [[https://github.com/openwrt/openwrt/blob/master/package/base-files/files/lib/functions.sh|OpenWrt functions]].   * Process settings with [[https://github.com/openwrt/openwrt/blob/master/package/base-files/files/lib/functions.sh|OpenWrt functions]].
-  * Utilize [[https://github.com/openwrt/openwrt/blob/master/package/network/utils/resolveip/src/resolveip.c|resolveip]] to resolve domains.+  * Utilize [[packages:pkgdata:resolveip]] to resolve domains.
   * Fetch ASN prefixes using [[https://stat.ripe.net/docs/data_api|RIPEstat Data API]].   * Fetch ASN prefixes using [[https://stat.ripe.net/docs/data_api|RIPEstat Data API]].
-  * Use [[docs:guide-user:base-system:hotplug|Hotplug]] to trigger setup automatically.+  * Fetch GeoIP data using [[https://www.ipdeny.com/ipblocks/|IPdeny GeoIP Data]]. 
 +  * Use [[docs:guide-user:advanced:hotplug_extras|Hotplug extras]] to trigger setup automatically.
  
 ===== Commands ===== ===== Commands =====
Line 30: Line 31:
 local IPSET_CMD="${1}" local IPSET_CMD="${1}"
 case "${IPSET_CMD}" in case "${IPSET_CMD}" in
-(setup|unset)+(setup|unset) ipset_proc ;; 
 +(*) command ipset "${@}" ;; 
 +esac 
 +
 + 
 +ipset_proc() {
 . /lib/functions.sh . /lib/functions.sh
 config_load dhcp config_load dhcp
 config_foreach ipset_proc_"${IPSET_CMD}" ipset config_foreach ipset_proc_"${IPSET_CMD}" ipset
 uci_commit firewall uci_commit firewall
-/etc/init.d/firewall reload 2> /dev/null ;; +service firewall reload 
-(*) command ipset "${@}" ;; +fw4 reload-sets
-esac+
 } }
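Review bot: `ipset_proc` never receives the command it dispatches on; `config_foreach ipset_proc_"${IPSET_CMD}" ipset` works only because BusyBox ash gives the caller's `local IPSET_CMD` dynamic scope, which is an implicit coupling a reader of the helper cannot see. Passing it explicitly keeps the helper self-contained: `(setup|unset) ipset_proc "${IPSET_CMD}" ;;` in the wrapper and `local IPSET_CMD="${1}"` as the first line of `ipset_proc`. `service firewall reload` immediately followed by `fw4 reload-sets` looks like the sets are reloaded twice; if the second call covers a case the first does not, a one-line comment saying which would help. The enclosing `ipset()` wrapper starts before this hunk.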
  
Line 47: Line 52:
 config_list_foreach "${IPSET_CONF}" cidr ipset_cidr config_list_foreach "${IPSET_CONF}" cidr ipset_cidr
 config_list_foreach "${IPSET_CONF}" asn ipset_asn config_list_foreach "${IPSET_CONF}" asn ipset_asn
-} > "${IPSET_TEMP}"+config_list_foreach "${IPSET_CONF}" geoip ipset_geoip 
 +} | sort -u > "${IPSET_TEMP}"
 config_list_foreach "${IPSET_CONF}" name ipset_"${IPSET_CMD}" config_list_foreach "${IPSET_CONF}" name ipset_"${IPSET_CMD}"
 rm -f "${IPSET_TEMP}" rm -f "${IPSET_TEMP}"
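Review bot: With `} | sort -u > "${IPSET_TEMP}"` the group's exit status is replaced by that of `sort`, so a failed ASN or GeoIP fetch inside the group now leaves a silently truncated `${IPSET_TEMP}` that the following `ipset_"${IPSET_CMD}"` pass loads as if it were complete; the old plain redirect was not checked either, but the pipeline also moves the group into a subshell. Deduplicating in place keeps the status of the group available to a later check: `} > "${IPSET_TEMP}"` followed by `sort -u -o "${IPSET_TEMP}" "${IPSET_TEMP}"`. The enclosing function and the definition of `IPSET_TEMP` are outside this hunk.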
Line 59: Line 65:
 ipset_setup() { ipset_setup() {
 local IPSET_NAME="${1}" local IPSET_NAME="${1}"
 +local IPSET_FILE="/var/ipset-${IPSET_NAME}"
 local IPSET_FAMILY local IPSET_FAMILY
-local IPSET_MATCH 
 case "${IPSET_NAME}" in case "${IPSET_NAME}" in
 (*6) IPSET_FAMILY="ipv6" (*6) IPSET_FAMILY="ipv6"
-IPSET_MATCH=":" ;;+sed -e "/\./d" ;;
 (*) IPSET_FAMILY="ipv4" (*) IPSET_FAMILY="ipv4"
-IPSET_MATCH="\." ;; +sed -e "/:/d" ;; 
-esac+esac < "${IPSET_TEMP}" > "${IPSET_FILE}"
 uci -q batch << EOI uci -q batch << EOI
 set firewall.'${IPSET_NAME}'='ipset' set firewall.'${IPSET_NAME}'='ipset'
 set firewall.'${IPSET_NAME}'.name='${IPSET_NAME}' set firewall.'${IPSET_NAME}'.name='${IPSET_NAME}'
 set firewall.'${IPSET_NAME}'.family='${IPSET_FAMILY}' set firewall.'${IPSET_NAME}'.family='${IPSET_FAMILY}'
-set firewall.'${IPSET_NAME}'.storage='hash' 
 set firewall.'${IPSET_NAME}'.match='net' set firewall.'${IPSET_NAME}'.match='net'
-$(sed -n -e "s/^.*${IPSET_MATCH}.*$/+set firewall.'${IPSET_NAME}'.loadfile='${IPSET_FILE}'
-del_list firewall.'${IPSET_NAME}'.entry='\0'\n\ +
-add_list firewall.'${IPSET_NAME}'.entry='\0'/p" "${IPSET_TEMP}")+
 EOI EOI
 } }
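Review bot: `IPSET_NAME` is taken from the `name` list of the dhcp UCI config and is used unvalidated both as a path component in `local IPSET_FILE="/var/ipset-${IPSET_NAME}"` and inside the single-quoted `uci` batch, so a name containing `/`, `..` or `'` would place the loadfile outside `/var` or break the batch; a guard such as `case "${IPSET_NAME}" in (""|*[!A-Za-z0-9_]*) return 1 ;; esac` before the `IPSET_FILE` assignment restricts it to what UCI section names accept anyway. The `esac < "${IPSET_TEMP}" > "${IPSET_FILE}"` form is compact but easy to misread; a comment `# split the merged list by family: v6 sets drop dotted lines, v4 sets drop colon lines` above the `case` would help, and it is worth noting there that an entry containing both `.` and `:` is dropped from both families.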
Line 81: Line 84:
 ipset_unset() { ipset_unset() {
 local IPSET_NAME="${1}" local IPSET_NAME="${1}"
 +local IPSET_FILE="/var/ipset-${IPSET_NAME}"
 +rm -f "${IPSET_FILE}"
 uci -q batch << EOI uci -q batch << EOI
-delete firewall.'${IPSET_NAME}'+delete firewall.'${IPSET_NAME}'.loadfile
 EOI EOI
 } }
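Review bot: `ipset_unset` now removes only `firewall.'${IPSET_NAME}'.loadfile` and the file under `/var`, whereas the previous revision deleted the whole section, so the `firewall.<name>` section with its family and match options stays behind after an unset. If that is intended so the set keeps existing but empty after the reload, a comment such as `# keep the set definition, only drop its contents` would make it clear; if not, `delete firewall.'${IPSET_NAME}'` is still needed. The same applies to `rm -f "${IPSET_FILE}"`: the name should be validated before it is used in a path, as for `ipset_setup`.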
Line 98: Line 103:
 ipset_asn() { ipset_asn() {
 local IPSET_ENTRY="${1}" local IPSET_ENTRY="${1}"
-uclient-fetch -O - "https://stat.ripe.net/data/\+wget -O - "https://stat.ripe.net/data/\
 announced-prefixes/data.json?resource=${IPSET_ENTRY}" \ announced-prefixes/data.json?resource=${IPSET_ENTRY}" \
-| jsonfilter -e "@['data']['prefixes'][*]['prefix']"+| jsonfilter -e "$['data']['prefixes'][*]['prefix']
 +
 + 
 +ipset_geoip() { 
 +local IPSET_ENTRY="${1}" 
 +wget -O - "https://www.ipdeny.com/ipblocks/data/
 +aggregated/${IPSET_ENTRY}-aggregated.zone"
 +"https://www.ipdeny.com/ipv6/ipaddresses/
 +aggregated/${IPSET_ENTRY}-aggregated.zone"
 } }
 EOF EOF
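Review bot: The jsonfilter expression in `ipset_asn` changes the root from `@` to `$`, and `$[` inside double quotes is the old-style arithmetic expansion in bash, so the line only works because the profile script is sourced by ash; keeping `| jsonfilter -e "@['data']['prefixes'][*]['prefix']"` avoids the shell dependence (the closing `"` is also missing on the rendered line, possibly a rendering loss). In `ipset_geoip` the two quoted URLs are broken across lines without the `\` continuations that `ipset_asn` has; if that is not a rendering loss, the URLs contain embedded newlines. Neither function handles a failed `wget`, so a transient fetch error yields a set missing those ranges with no diagnostic; at minimum `|| printf 'ipset: fetch failed for %s\n' "${IPSET_ENTRY}" >&2` on the wget pipelines would surface it.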
Line 108: Line 121:
 mkdir -p /etc/hotplug.d/online mkdir -p /etc/hotplug.d/online
 cat << "EOF" > /etc/hotplug.d/online/70-ipset-setup cat << "EOF" > /etc/hotplug.d/online/70-ipset-setup
-if [ ! -e /var/lock/ipset-setup ] \ +if [ -z "${TERM}" ] \ 
-&& lock -n /var/lock/ipset-setup+&& [ ! -e /var/lock/ipset-setup ] \ 
 +|| [ -n "${TERM}" ] \ 
 +&& lock -n /var/lock/ipset-setup 
 +&& sleep 10
 then . /etc/profile.d/ipset.sh then . /etc/profile.d/ipset.sh
 ipset setup ipset setup
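Review bot: The new condition `[ -z "${TERM}" ] && [ ! -e … ] || [ -n "${TERM}" ] && lock -n … && sleep 10` is evaluated left to right, so it reads as `(((A && B) || C) && lock) && sleep`, and the `[ -n "${TERM}" ]` test only matters when the first pair fails; the intent is clearer as `if { [ -n "${TERM}" ] || [ ! -e /var/lock/ipset-setup ]; } \`, `&& lock -n /var/lock/ipset-setup \`, `&& sleep 10`. The `lock` line also shows no trailing `\` before `&& sleep 10` on the rendered diff; if that is not a rendering loss it is a syntax error. A comment above the `if` stating why `TERM` distinguishes the interactive case from the hotplug/cron one, and what the 10-second sleep waits for, would help; the rest of the script is outside this hunk.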
Line 118: Line 134:
 /etc/hotplug.d/online/70-ipset-setup /etc/hotplug.d/online/70-ipset-setup
 EOF EOF
 +
 +# Configure cron
 +cat << "EOF" >> /etc/crontabs/root
 +0 */3 * * * . /etc/hotplug.d/online/70-ipset-setup
 +EOF
 +service cron restart
 </code> </code>
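Review bot: `cat << "EOF" >> /etc/crontabs/root` appends the `0 */3 * * *` entry unconditionally, so every re-run of the installer adds a duplicate line and the setup runs several times per slot; guarding it with `grep -q '70-ipset-setup' /etc/crontabs/root 2> /dev/null \` `|| cat << "EOF" >> /etc/crontabs/root` keeps the step idempotent. Since cron sources the hotplug file directly, `TERM` is presumably unset there too, so the cron path takes the `[ ! -e /var/lock/ipset-setup ]` branch of the condition above; a comment on the crontab line saying that this is the intended refresh path would make the dependency visible.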
  
Line 124: Line 146:
 # Install packages # Install packages
 opkg update opkg update
-opkg remove dnsmasq +opkg install resolveip
-opkg install dnsmasq-full ipset resolveip+
  
 # Configure IP sets, domains, CIDRs and ASNs # Configure IP sets, domains, CIDRs and ASNs
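Review bot: Dropping the `ipset` package from `opkg install` leaves the `(*) command ipset "${@}" ;;` fallback of the `ipset()` wrapper in an earlier hunk pointing at a binary this script no longer installs, so on a host without it any invocation other than `setup`/`unset` fails with a not-found error instead of passing through. Either remove the fallback or add a comment next to `opkg install resolveip` noting that the pass-through requires the `ipset` package. The removed `dnsmasq` → `dnsmasq-full` swap presumably reflects that the stock dnsmasq is sufficient on the targeted release; stating the minimum release in the `# Install packages` comment would save readers on older images a failed setup.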
Line 137: Line 158:
 uci add_list dhcp.example.asn="2906" uci add_list dhcp.example.asn="2906"
 uci add_list dhcp.example.asn="40027" uci add_list dhcp.example.asn="40027"
 +uci add_list dhcp.example.geoip="cn"
 +uci add_list dhcp.example.geoip="ru"
 uci commit dhcp uci commit dhcp
  
-Create and populate IP sets+Populate IP sets
 ipset setup ipset setup
 </code> </code>
Line 145: Line 168:
 ===== Automated ===== ===== Automated =====
 <code bash> <code bash>
-alias uclient-fetch="uclient-fetch --no-check-certificate" +wget -"" -O ipset-extras.sh "https://openwrt.org/_export/code/docs/guide-user/advanced/ipset_extras?codeblock=0" 
-uclient-fetch -O ipset.sh "https://openwrt.org/_export/code/docs/guide-user/advanced/ipset_extras?codeblock=0" +. ./ipset-extras.sh
-. ./ipset.sh+
 </code> </code>
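Review bot: `. ./ipset-extras.sh` runs regardless of whether the preceding `wget` succeeded, so a failed or partial download is sourced as-is; chaining them, `wget -O ipset-extras.sh "https://openwrt.org/_export/code/docs/guide-user/advanced/ipset_extras?codeblock=0" && . ./ipset-extras.sh`, avoids that. The `-""` token in `wget -"" -O ipset-extras.sh` expands to a bare `-`, which is most likely parsed as a non-option argument rather than a flag; if it is a leftover from the removed `--no-check-certificate` alias it should go, and the revision otherwise improves on the old one by no longer disabling certificate verification for a script that is sourced immediately after download.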
  