#!/bin/sh
#
# rc.update_bogons.sh
#
# part of pfSense (https://www.pfsense.org)
# Copyright (c) 2004-2013 BSD Perimeter
# Copyright (c) 2013-2016 Electric Sheep Fencing
# Copyright (c) 2014-2022 Rubicon Communications, LLC (Netgate)
# All rights reserved.
#
# Based on src/etc/rc.d/savecore from FreeBSD
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Global variables
proc_error=""

# Build the User-Agent header sent with every fetch below.  The host's
# unique id (output of gnid) is appended unless the operator opted out
# through the system/do_not_send_uniqueid setting read by read_xml_tag.sh.
# ${product} and ${product_version} are not set in this script; presumably
# they are inherited from the environment of the caller.
do_not_send_uniqueid=$(/usr/local/sbin/read_xml_tag.sh boolean system/do_not_send_uniqueid)
case "${do_not_send_uniqueid}" in
	true)
		HTTP_USER_AGENT="${product}/${product_version}"
		;;
	*)
		uniqueid=$(/usr/sbin/gnid)
		HTTP_USER_AGENT="${product}/${product_version}:${uniqueid}"
		;;
esac
export HTTP_USER_AGENT
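# Download and extract if necessary
#
# process_url FILE URL
#   Fetches URL into FILE (with retries).  When the remote filename ends
#   in .tar, .tar.gz, .tgz or .tar.bz2 the archive is unpacked to stdout
#   and FILE is replaced by its contents, so callers always get a plain
#   list.  On a download or extraction failure a line is sent to syslog,
#   the global proc_error is set to "true" and 1 is returned; 0 otherwise.
#   Callers in this script do not check the status and rely on proc_error.
process_url() {
	local file=$1
	local url=$2
	local filename=${url##*/}
	local ext=${filename#*.}
	local tarflags=""

	# -a: retry on transient errors, -w 600: seconds between retries,
	# -T 30: connection timeout, -q: no progress output.  fetch(1)
	# removes the output file when the transfer fails (unless -R), so
	# a missing file below means the download did not succeed.
	/usr/bin/fetch -a -w 600 -T 30 -q -o "$file" "${url}"

	if [ ! -f "$file" ]; then
		echo "Could not download ${url}" | logger
		proc_error="true"
		# Nothing to unpack; do not let mv/tar fail noisily on a
		# file that does not exist.
		return 1
	fi

	# Choose tar's decompression flags from the extension; any other
	# extension (e.g. .txt) is used exactly as downloaded.
	case "$ext" in
		tar)
			tarflags="-xf"
			;;
		tar.gz|tgz)
			tarflags="-xzf"
			;;
		tar.bz2)
			tarflags="-xjf"
			;;
		*)
			;;
	esac

	if [ -n "$tarflags" ]; then
		mv "$file" "$file.tmp"
		# The redirect creates $file even when tar fails, which would
		# let an empty list pass the existence check below; remove the
		# partial output so the failure is reported instead.
		# shellcheck disable=SC2086 -- tarflags is a single option word
		if ! /usr/bin/tar $tarflags "$file.tmp" -O > "$file" 2> /dev/null; then
			rm -f "$file"
		fi
		rm -f "$file.tmp"
	fi

	if [ ! -f "$file" ]; then
		# Report the URL (the original message called a non-existent
		# "unknown" command here and logged an empty name).
		echo "Could not extract ${url}" | logger
		proc_error="true"
		return 1
	fi

	return 0
}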
printf '%s\n' "rc.update_bogons.sh is starting up." | logger

# Sleep for some time, unless an argument is specified (presumably so
# that many installations do not all hit the list server at once).
if [ -z "$1" ]; then
	# Grab a random value: two bytes of /dev/random printed by od as
	# an unsigned decimal, i.e. 0-65535 seconds.
	value=$(od -A n -d -N2 /dev/random | awk '{ print $1 }')
	printf '%s\n' "rc.update_bogons.sh is sleeping for $value" | logger
	sleep "$value"
fi
printf '%s\n' "rc.update_bogons.sh is beginning the update cycle." | logger

# Load custom bogon configuration.  The file is sourced, i.e. run as
# shell code in this process, so it can override any of the variables
# below (v4url, v6url, v4urlcksum, v6urlcksum) and anything else; it
# needs the same ownership and permissions as this script itself.
[ -f /var/etc/bogon_custom ] && . /var/etc/bogon_custom

# Set default values if not overridden (":=" assigns only when the
# variable is unset or empty, so a custom value survives).
: "${v4url:="https://files.netgate.com/lists/fullbogons-ipv4.txt"}"
: "${v6url:="https://files.netgate.com/lists/fullbogons-ipv6.txt"}"
: "${v4urlcksum:="${v4url}.md5"}"
: "${v6urlcksum:="${v6url}.md5"}"

process_url /tmp/bogons "${v4url}"
process_url /tmp/bogonsv6 "${v6url}"
# A download failed: relaunch and sleep.  The new instance is started
# without an argument, so it waits a random interval before retrying,
# and this one ends here.
if [ -n "$proc_error" ]; then
	sh /etc/rc.update_bogons.sh &
	exit
fi
# Compare the MD5 published next to each list with the MD5 of what was
# downloaded.  md5(1) prints "MD5 (name) = hash"; the published file is
# presumably in the same form, hence field 4 of both.  The checksum is
# fetched from the same location as the list, so a match rules out a
# truncated or partial download; it does not protect against a server
# that is compromised or impersonated -- that rests on the transport
# (the default URLs are https).
BOGON_V4_CKSUM=$(/usr/bin/fetch -T 30 -q -o - "${v4urlcksum}" | awk '{ print $4 }')
ON_DISK_V4_CKSUM=$(md5 /tmp/bogons | awk '{ print $4 }')
BOGON_V6_CKSUM=$(/usr/bin/fetch -T 30 -q -o - "${v6urlcksum}" | awk '{ print $4 }')
ON_DISK_V6_CKSUM=$(md5 /tmp/bogonsv6 | awk '{ print $4 }')
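# Install whichever list verified against its published checksum.  Each
# list is handled on its own: a checksum failure on one does not stop
# the other, and a failure on either is logged and sets checksum_error so
# the retry below runs -- including when both fail (the old outer
# "either matched" guard skipped both lists silently in that case).  An
# empty published checksum never counts as a match.
#
# ENTRIES_MAX is pf's hard limit on table entries (pfctl -s memory,
# "table-entries").  The checks below compare it with
# 2*ENTRIES_TOT - <entries now in the table> + <lines in the new list>;
# this looks like the room "pfctl -T replace" needs while the old and
# new table coexist -- TODO confirm against pf's table replace code.
ENTRIES_MAX=$(pfctl -s memory | awk '/table-entries/ { print $4 }')

if [ -n "$BOGON_V4_CKSUM" ] && [ "$BOGON_V4_CKSUM" = "$ON_DISK_V4_CKSUM" ]; then
	# Entries currently in all tables, and in the bogons table alone
	# (empty when that table does not exist, hence the :-0 default).
	ENTRIES_TOT=$(pfctl -vvsTables | awk '/Addresses/ {s+=$2}; END {print s}')
	ENTRIES_V4=$(pfctl -vvsTables | awk '/-\tbogons$/ {getline; print $2}')
	LINES_V4=$(wc -l /tmp/bogons | awk '{ print $1 }')
	if [ "$ENTRIES_MAX" -gt $((2*ENTRIES_TOT-${ENTRIES_V4:-0}+LINES_V4)) ]; then
		# Drop the RFC 1918 ranges so privately addressed networks are
		# never blocked as bogons.
		grep -Ev '^192\.168\.0\.0/16|^172\.16\.0\.0/12|^10\.0\.0\.0/8' /tmp/bogons > /etc/bogons
		RESULT=$(/sbin/pfctl -t bogons -T replace -f /etc/bogons 2>&1)
		echo "$RESULT" | awk '{ print "Bogons V4 file downloaded: " $0 }' | logger
	else
		echo "Not updating IPv4 bogons (increase table-entries limit)" | logger
	fi
	rm /tmp/bogons
else
	echo "Could not download ${v4url} (checksum mismatch)" | logger
	checksum_error="true"
fi

if [ -n "$BOGON_V6_CKSUM" ] && [ "$BOGON_V6_CKSUM" = "$ON_DISK_V6_CKSUM" ]; then
	# Per the log messages below the bogonsv6 table is only loaded
	# while IPv6 bogon blocking is in use, so check whether it exists.
	BOGONS_V6_TABLE_COUNT=$(pfctl -sTables | grep -c '^bogonsv6$')
	# Recomputed on purpose: the IPv4 replace above may have changed it.
	ENTRIES_TOT=$(pfctl -vvsTables | awk '/Addresses/ {s+=$2}; END {print s}')
	LINES_V6=$(wc -l /tmp/bogonsv6 | awk '{ print $1 }')
	if [ "$BOGONS_V6_TABLE_COUNT" -gt 0 ]; then
		ENTRIES_V6=$(pfctl -vvsTables | awk '/-\tbogonsv6$/ {getline; print $2}')
		if [ "$ENTRIES_MAX" -gt $((2*ENTRIES_TOT-${ENTRIES_V6:-0}+LINES_V6)) ]; then
			# Keep the ULA range (fc00::/7) out of the block list.
			grep -Eiv '^fc00::/7' /tmp/bogonsv6 > /etc/bogonsv6
			RESULT=$(/sbin/pfctl -t bogonsv6 -T replace -f /etc/bogonsv6 2>&1)
			echo "$RESULT" | awk '{ print "Bogons V6 file downloaded: " $0 }' | logger
		else
			echo "Not saving or updating IPv6 bogons (increase table-entries limit)" | logger
		fi
	else
		# Table not loaded: still save the file for when it is enabled,
		# provided the limit would allow loading it later.
		if [ "$ENTRIES_MAX" -gt $((2*ENTRIES_TOT+LINES_V6)) ]; then
			grep -Eiv '^fc00::/7' /tmp/bogonsv6 > /etc/bogonsv6
			echo "Bogons V6 file downloaded but not updating IPv6 bogons table because it is not in use." | logger
		else
			echo "Not saving IPv6 bogons table (IPv6 Allow is off and table-entries limit is potentially too low)" | logger
		fi
	fi
	rm /tmp/bogonsv6
else
	echo "Could not download ${v6url} (checksum mismatch)" | logger
	checksum_error="true"
fi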
# A checksum did not verify: relaunch and sleep.  The new instance is
# started without an argument, so it waits a random interval before
# retrying, and this one ends here.
if [ -n "$checksum_error" ]; then
	sh /etc/rc.update_bogons.sh &
	exit
fi
# Normal end of a run in which every list was either installed or
# skipped for lack of table room; the retry paths above exit earlier.
printf '%s\n' "rc.update_bogons.sh is ending the update cycle." | logger