docs:guide-user:advanced:ipset_extras [2021/10/20 03:36] – [Automated] vgaeteradocs:guide-user:advanced:ipset_extras [2023/10/18 07:56] – consolidate terminology vgaetera
Line 1: Line 1:
 ====== IP set extras ====== ====== IP set extras ======
-{{section>meta:infobox:howto_links#cli_skills&noheader&nofooter&noeditbutton}}+{{section>meta:infobox:howto_links#basic_skills&noheader&nofooter&noeditbutton}}
  
 ===== Introduction ===== ===== Introduction =====
-  * This instruction extends the functionality of [[https://ipset.netfilter.org/|IP sets]].+  * This instruction extends the functionality of [[docs:guide-user:firewall:start|Firewall]].
   * Follow the [[docs:guide-user:advanced:ipset_extras#automated|automated]] section for quick setup.   * Follow the [[docs:guide-user:advanced:ipset_extras#automated|automated]] section for quick setup.
  
 ===== Features ===== ===== Features =====
-  * Create and populate IP sets with domains, CIDRs and ASNs.+  * Create and populate IP sets with domains, CIDRsASNs and GeoIP.
   * Populate IP sets automatically at startup.   * Populate IP sets automatically at startup.
  
 ===== Implementation ===== ===== Implementation =====
-  * Rely on [[docs:guide-user:base-system:dhcp#ip_sets|UCI configuration]] for IP sets.+  * Rely on [[docs:guide-user:base-system:dhcp#ip_sets|DNS]]/[[docs:guide-user:firewall:firewall_configuration#ip_sets|Firewall]] IP set UCI configurations.
   * Process settings with [[https://github.com/openwrt/openwrt/blob/master/package/base-files/files/lib/functions.sh|OpenWrt functions]].   * Process settings with [[https://github.com/openwrt/openwrt/blob/master/package/base-files/files/lib/functions.sh|OpenWrt functions]].
-  * Utilize [[https://github.com/openwrt/openwrt/blob/master/package/network/utils/resolveip/src/resolveip.c|resolveip]] to resolve domains.+  * Utilize [[packages:pkgdata:resolveip]] to resolve domains.
   * Fetch ASN prefixes using [[https://stat.ripe.net/docs/data_api|RIPEstat Data API]].   * Fetch ASN prefixes using [[https://stat.ripe.net/docs/data_api|RIPEstat Data API]].
-  * Use [[docs:guide-user:base-system:hotplug|Hotplug]] to trigger setup automatically.+  * Fetch GeoIP data using [[https://www.ipdeny.com/ipblocks/|IPdeny GeoIP Data]]. 
 +  * Use [[docs:guide-user:advanced:hotplug_extras|Hotplug extras]] to trigger setup automatically.
  
 ===== Commands ===== ===== Commands =====
Line 30: Line 31:
 local IPSET_CMD="${1}" local IPSET_CMD="${1}"
 case "${IPSET_CMD}" in case "${IPSET_CMD}" in
-(setup|unset)+(setup|unset) ipset_proc ;; 
 +(*) command ipset "${@}" ;; 
 +esac 
 +
 + 
 +ipset_proc() {
 . /lib/functions.sh . /lib/functions.sh
 config_load dhcp config_load dhcp
 config_foreach ipset_proc_"${IPSET_CMD}" ipset config_foreach ipset_proc_"${IPSET_CMD}" ipset
 uci_commit firewall uci_commit firewall
-/etc/init.d/firewall reload 2> /dev/null ;; +service firewall reload 
-(*) command ipset "${@}" ;; +fw4 reload-sets
-esac+
 } }
  
Line 47: Line 52:
 config_list_foreach "${IPSET_CONF}" cidr ipset_cidr config_list_foreach "${IPSET_CONF}" cidr ipset_cidr
 config_list_foreach "${IPSET_CONF}" asn ipset_asn config_list_foreach "${IPSET_CONF}" asn ipset_asn
-} > "${IPSET_TEMP}"+config_list_foreach "${IPSET_CONF}" geoip ipset_geoip 
 +} | sort -u > "${IPSET_TEMP}"
 config_list_foreach "${IPSET_CONF}" name ipset_"${IPSET_CMD}" config_list_foreach "${IPSET_CONF}" name ipset_"${IPSET_CMD}"
 rm -f "${IPSET_TEMP}" rm -f "${IPSET_TEMP}"
Line 59: Line 65:
 ipset_setup() { ipset_setup() {
 local IPSET_NAME="${1}" local IPSET_NAME="${1}"
 +local IPSET_FILE="/var/ipset-${IPSET_NAME}"
 local IPSET_FAMILY local IPSET_FAMILY
-local IPSET_MATCH 
 case "${IPSET_NAME}" in case "${IPSET_NAME}" in
 (*6) IPSET_FAMILY="ipv6" (*6) IPSET_FAMILY="ipv6"
-IPSET_MATCH=":" ;;+sed -e "/\./d" ;;
 (*) IPSET_FAMILY="ipv4" (*) IPSET_FAMILY="ipv4"
-IPSET_MATCH="\." ;; +sed -e "/:/d" ;; 
-esac+esac < "${IPSET_TEMP}" > "${IPSET_FILE}"
 uci -q batch << EOI uci -q batch << EOI
 set firewall.'${IPSET_NAME}'='ipset' set firewall.'${IPSET_NAME}'='ipset'
 set firewall.'${IPSET_NAME}'.name='${IPSET_NAME}' set firewall.'${IPSET_NAME}'.name='${IPSET_NAME}'
 set firewall.'${IPSET_NAME}'.family='${IPSET_FAMILY}' set firewall.'${IPSET_NAME}'.family='${IPSET_FAMILY}'
-set firewall.'${IPSET_NAME}'.storage='hash' 
 set firewall.'${IPSET_NAME}'.match='net' set firewall.'${IPSET_NAME}'.match='net'
-$(sed -n -e "s/^.*${IPSET_MATCH}.*$/+set firewall.'${IPSET_NAME}'.loadfile='${IPSET_FILE}'
-del_list firewall.'${IPSET_NAME}'.entry='\0'\n\ +
-add_list firewall.'${IPSET_NAME}'.entry='\0'/p" "${IPSET_TEMP}")+
 EOI EOI
 } }
Line 81: Line 84:
 ipset_unset() { ipset_unset() {
 local IPSET_NAME="${1}" local IPSET_NAME="${1}"
 +local IPSET_FILE="/var/ipset-${IPSET_NAME}"
 +rm -f "${IPSET_FILE}"
 uci -q batch << EOI uci -q batch << EOI
-delete firewall.'${IPSET_NAME}'+delete firewall.'${IPSET_NAME}'.loadfile
 EOI EOI
 } }
Line 98: Line 103:
 ipset_asn() { ipset_asn() {
 local IPSET_ENTRY="${1}" local IPSET_ENTRY="${1}"
-uclient-fetch -O - "https://stat.ripe.net/data/\+wget -O - "https://stat.ripe.net/data/\
 announced-prefixes/data.json?resource=${IPSET_ENTRY}" \ announced-prefixes/data.json?resource=${IPSET_ENTRY}" \
-| jsonfilter -e "@['data']['prefixes'][*]['prefix']"+| jsonfilter -e "$['data']['prefixes'][*]['prefix']
 +
 + 
 +ipset_geoip() { 
 +local IPSET_ENTRY="${1}" 
 +wget -O - "https://www.ipdeny.com/ipblocks/data/
 +aggregated/${IPSET_ENTRY}-aggregated.zone"
 +"https://www.ipdeny.com/ipv6/ipaddresses/
 +aggregated/${IPSET_ENTRY}-aggregated.zone"
 } }
 EOF EOF
Line 108: Line 121:
 mkdir -p /etc/hotplug.d/online mkdir -p /etc/hotplug.d/online
 cat << "EOF" > /etc/hotplug.d/online/70-ipset-setup cat << "EOF" > /etc/hotplug.d/online/70-ipset-setup
-if [ ! -e /var/lock/ipset-setup ] \ +if [ -z "${TERM}" ] \ 
-&& lock -n /var/lock/ipset-setup+&& [ ! -e /var/lock/ipset-setup ] \ 
 +|| [ -n "${TERM}" ] \ 
 +&& lock -n /var/lock/ipset-setup 
 +&& sleep 10
 then . /etc/profile.d/ipset.sh then . /etc/profile.d/ipset.sh
 ipset setup ipset setup
Line 118: Line 134:
 /etc/hotplug.d/online/70-ipset-setup /etc/hotplug.d/online/70-ipset-setup
 EOF EOF
 +
 +# Configure cron
 +cat << "EOF" >> /etc/crontabs/root
 +0 */3 * * * . /etc/hotplug.d/online/70-ipset-setup
 +EOF
 +service cron restart
 </code> </code>
  
Line 124: Line 146:
 # Install packages # Install packages
 opkg update opkg update
-opkg remove dnsmasq +opkg install resolveip
-opkg install dnsmasq-full ipset resolveip+
  
 # Configure IP sets, domains, CIDRs and ASNs # Configure IP sets, domains, CIDRs and ASNs
Line 137: Line 158:
 uci add_list dhcp.example.asn="2906" uci add_list dhcp.example.asn="2906"
 uci add_list dhcp.example.asn="40027" uci add_list dhcp.example.asn="40027"
 +uci add_list dhcp.example.geoip="cn"
 +uci add_list dhcp.example.geoip="ru"
 uci commit dhcp uci commit dhcp
  
-Create and populate IP sets+Populate IP sets
 ipset setup ipset setup
 </code> </code>
Line 145: Line 168:
 ===== Automated ===== ===== Automated =====
 <code bash> <code bash>
-alias uclient-fetch="uclient-fetch --no-check-certificate" +wget -"" -O ipset-extras.sh "https://openwrt.org/_export/code/docs/guide-user/advanced/ipset_extras?codeblock=0" 
-uclient-fetch -O ipset-extras.sh "https://openwrt.org/_export/code/docs/guide-user/advanced/ipset_extras?codeblock=0" +. ./ipset-extras.sh
-. ./ipset.sh+
 </code> </code>
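Review bot: In the hotplug script hunk (old line 108, file 70-ipset-setup) the new condition chains `&&` and `||` without grouping, so the shell evaluates it left to right as `{ [ -z "${TERM}" ] && [ ! -e /var/lock/ipset-setup ]; } || [ -n "${TERM}" ]` followed by `lock -n` and `sleep 10`, which means any non-interactive caller, including the cron entry added in the old-line-118 hunk, is skipped for good once `/var/lock/ipset-setup` exists. If that periodic refresh is meant to work, the cron path needs its own way past the existence check, and either way the intent reads better as `if { [ -n "${TERM}" ] || [ ! -e /var/lock/ipset-setup ]; } && lock -n /var/lock/ipset-setup && sleep 10`. The `&& lock -n /var/lock/ipset-setup` line also appears without the trailing `\` that the three lines before it carry; if the source really omits it, `&& sleep 10` begins a new statement and ash rejects the script (the script body continues past the hunk, so I cannot see whether the lock is ever released with `lock -u`). Separately, in the ipset_asn hunk the `jsonfilter -e "$['data']['prefixes'][*]['prefix']` line shows no closing double quote in this rendering, which would swallow the following heredoc lines if it is missing in the source, and the ipset_geoip `wget` call is split across lines without visible continuation backslashes. In the Automated hunk `wget -""` looks garbled, and since the downloaded file is executed with `. ./ipset-extras.sh` it would be worth comparing its digest (`sha256sum` against a value published alongside the page) before sourcing it.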
  