gistfile1.txt
· 14 KiB · Text
Исходник
#!/usr/bin/env bash
# ============================================
# Rule File Parsing
# ============================================
function rule::is_base() {
local name="${1:-}"
[[ -f "$(ctx::rules::base)/${name}.rule" ]]
}
function rule::exists() {
local name="${1:-}"
local path
path=$(json::find_rule_file "$(ctx::rules)" "$name")
[[ -n "$path" ]]
}
function rule::require_assignable() {
local name="${1:-}"
if rule::is_base "$name"; then
log::error "Cannot assign base rule '${name}' — base rules cannot be assigned directly"
return 1
fi
}
function rule::require_exists() {
local name="${1:-}"
if ! rule::exists "$name"; then
log::error "Rule not found: ${name}"
return 1
fi
}
function rule::get() {
local name="${1:-}" key="${2:-}"
json::rule_resolve_field "$(ctx::rules)" "$name" "$key"
}
function rule::get_own() {
local name="${1:-}" key="${2:-}"
local file
file=$(rule::path "$name") || return 0
json::get_raw "$file" "$key"
}
function rule::get_resolved() {
local name="${1:-}"
json::rule_resolve "$(ctx::rules)" "$name"
}
function rule::path() {
local name="${1:-}"
local path
path=$(json::find_rule_file "$(ctx::rules)" "$name")
[[ -n "$path" ]] && echo "$path" || return 1
}
function rule::get_all() {
local name="${1:-}"
rule::get_resolved "$name"
}
function rule::is_applied() {
local rule_name="${1:-}" client_ip="${2:-}"
local first_port
first_port=$(rule::get "$rule_name" "block_ports" | head -1)
if [[ -n "$first_port" ]]; then
local target port proto
IFS=":" read -r target port proto <<< "$first_port"
proto="${proto:-tcp}"
fw::has_block_rule "$client_ip" "$target" "$proto" "$port"
return $?
fi
local first_ip
first_ip=$(rule::get "$rule_name" "block_ips" | head -1)
if [[ -n "$first_ip" ]]; then
fw::has_block_rule "$client_ip" "$first_ip"
return $?
fi
local first_allow
first_allow=$(rule::get "$rule_name" "allow_ports" | head -1)
if [[ -n "$first_allow" ]]; then
local target port proto
IFS=":" read -r target port proto <<< "$first_allow"
proto="${proto:-tcp}"
fw::_forward_exists -s "$client_ip" -d "$target" \
-p "$proto" --dport "$port" -j ACCEPT
return $?
fi
return 1
}
# ============================================
# Rule Application
# ============================================
function rule::apply() {
local rule_name="${1:?rule_name required}"
local client_ip="${2:?client_ip required}"
local peer_name="${3:-}"
rule::require_exists "$rule_name" || return 1
if [[ -z "$peer_name" ]]; then
peer_name=$(peers::find_by_ip "$client_ip")
fi
log::debug "rule::apply: peer_name=$peer_name ip=$client_ip"
if rule::is_applied "$rule_name" "$client_ip"; then
log::wg "Rule '${rule_name}' already applied to: ${client_ip}"
[[ -n "$peer_name" ]] && peers::set_meta "$peer_name" "rule" "$rule_name"
return 0
fi
# Process block_ips
while IFS= read -r block_ip; do
[[ -z "$block_ip" ]] && continue
fw::block_ip "$client_ip" "$block_ip"
done < <(rule::get "$rule_name" "block_ips")
# Process block_ports
while IFS= read -r entry; do
[[ -z "$entry" ]] && continue
local target port proto
IFS=":" read -r target port proto <<< "$entry"
proto="${proto:-tcp}"
fw::block_port "$client_ip" "$target" "$port" "$proto"
done < <(rule::get "$rule_name" "block_ports")
# Process allow_ips (inserted before blocks)
while IFS= read -r allow_ip; do
[[ -z "$allow_ip" ]] && continue
fw::allow_ip "$client_ip" "$allow_ip"
done < <(rule::get "$rule_name" "allow_ips")
# Process allow_ports (highest priority)
while IFS= read -r entry; do
[[ -z "$entry" ]] && continue
local target port proto
IFS=":" read -r target port proto <<< "$entry"
proto="${proto:-tcp}"
fw::allow_port "$client_ip" "$target" "$port" "$proto"
done < <(rule::get "$rule_name" "allow_ports")
[[ -n "$peer_name" ]] && peers::set_meta "$peer_name" "rule" "$rule_name"
# DNS redirect
local dns_redirect
dns_redirect=$(rule::get "$rule_name" "dns_redirect")
if [[ "$dns_redirect" == "true" ]]; then
local peer_subnet
peer_subnet=$(peers::get_ip "$peer_name" | cut -d'.' -f1-3)
if ! fw::_nat_exists -i wg0 -s "${peer_subnet}.0/24" \
-p udp --dport 53 -j DNAT \
--to-destination "$(config::dns):53" 2>/dev/null; then
rule::apply_dns_redirect "${peer_subnet}.0/24"
log::debug "dns_redirect: applied for ${peer_subnet}.0/24"
else
log::debug "dns_redirect: already applied for ${peer_subnet}.0/24"
fi
fi
log::debug "Applied rule '${rule_name}' to: ${client_ip}"
}
function rule::unapply() {
local rule_name="${1:-}" client_ip="${2:-}"
rule::require_exists "$rule_name" || return 1
local peer_name
peer_name=$(peers::find_by_ip "$client_ip")
# Remove allow_ports first (reverse order of apply)
while IFS= read -r entry; do
[[ -z "$entry" ]] && continue
local target port proto
IFS=":" read -r target port proto <<< "$entry"
proto="${proto:-tcp}"
fw::unallow_port "$client_ip" "$target" "$port" "$proto"
done < <(rule::get "$rule_name" "allow_ports")
# Remove allow_ips
while IFS= read -r allow_ip; do
[[ -z "$allow_ip" ]] && continue
if [[ "$allow_ip" == *"/"* ]]; then
fw::unallow_subnet "$client_ip" "$allow_ip"
else
fw::unallow_ip "$client_ip" "$allow_ip"
fi
done < <(rule::get "$rule_name" "allow_ips")
# Remove block_ports
while IFS= read -r entry; do
[[ -z "$entry" ]] && continue
local target port proto
IFS=":" read -r target port proto <<< "$entry"
proto="${proto:-tcp}"
fw::unblock_port "$client_ip" "$target" "$port" "$proto"
done < <(rule::get "$rule_name" "block_ports")
# Remove block_ips
while IFS= read -r block_ip; do
[[ -z "$block_ip" ]] && continue
if [[ "$block_ip" == *"/"* ]]; then
fw::unblock_subnet "$client_ip" "$block_ip"
else
fw::unblock_ip "$client_ip" "$block_ip"
fi
done < <(rule::get "$rule_name" "block_ips")
# Remove DNS redirect if applicable
local dns_redirect
dns_redirect=$(rule::get "$rule_name" "dns_redirect")
if [[ "$dns_redirect" == "true" ]]; then
local peer_ip peer_subnet
peer_ip=$(peers::get_ip "$peer_name")
peer_subnet=$(echo "$peer_ip" | cut -d'.' -f1-3)
rule::remove_dns_redirect "${peer_subnet}.0/24"
fi
[[ -n "$peer_name" ]] && peers::set_meta "$peer_name" "rule" ""
log::debug "Removed rule '${rule_name}' from: ${client_ip}"
}
# ============================================
# Bulk Operations
# ============================================
function rule::_apply_identity_rule() {
local peer_name="${1:-}" client_ip="${2:-}"
local identity_name
identity_name=$(identity::get_name "$peer_name")
[[ -z "$identity_name" ]] && return 0
local rules
rules=$(identity::rules "$identity_name")
[[ -z "$rules" ]] && return 0
local strict
strict=$(identity::rule_flags "$identity_name" "strict_rule")
if [[ "$strict" == "true" ]]; then
# Strict: flush and apply only identity rules — peer rule ignored
fw::flush_peer "$client_ip"
while IFS= read -r rule_name; do
[[ -z "$rule_name" ]] && continue
rule::exists "$rule_name" && rule::apply "$rule_name" "$client_ip" "$peer_name" || true
done <<< "$rules"
else
# Additive: apply identity rules on top of peer rule
while IFS= read -r rule_name; do
[[ -z "$rule_name" ]] && continue
rule::exists "$rule_name" && rule::apply "$rule_name" "$client_ip" "$peer_name" || true
done <<< "$rules"
fi
}
# rule::full_restore_peer <peer_name> <client_ip>
# Flush and fully restore all fw rules for a peer — rule rules + block rules.
# Use this instead of calling rule::apply + block::restore_rules_for separately
# to ensure block rules are never left missing after a flush.
function rule::full_restore_peer() {
local peer_name="${1:-}" client_ip="${2:-}"
[[ -z "$peer_name" || -z "$client_ip" ]] && return 1
fw::flush_peer "$client_ip"
local peer_rule
peer_rule=$(peers::get_meta "$peer_name" "rule")
local strict
strict=$(rule::_get_identity_strict "$peer_name")
if [[ "$strict" == "true" ]]; then
# Strict mode: only identity rules apply
rule::_apply_identity_rule "$peer_name" "$client_ip"
else
# Normal mode: peer rule + identity rules (additive)
[[ -n "$peer_rule" ]] && rule::apply "$peer_rule" "$client_ip" "$peer_name"
rule::_apply_identity_rule "$peer_name" "$client_ip"
fi
block::restore_rules_for "$peer_name" "$client_ip"
}
function rule::_get_identity_strict() {
local peer_name="${1:-}"
local identity_name
identity_name=$(identity::get_name "$peer_name")
[[ -z "$identity_name" ]] && echo "false" && return 0
identity::rule_flags "$identity_name" "strict_rule"
}
function rule::restore_all() {
while IFS= read -r peer_name; do
block::is_blocked "$peer_name" && continue
local rule_name
rule_name=$(peers::get_meta "$peer_name" "rule")
[[ -z "$rule_name" ]] && continue
if ! rule::exists "$rule_name"; then
log::wg_warning "Rule '${rule_name}' not found for peer '${peer_name}', skipping"
continue
fi
local client_ip
client_ip=$(peers::get_ip "$peer_name")
[[ -z "$client_ip" ]] && continue
# full_restore_peer ensures block rules are restored alongside rule rules
rule::full_restore_peer "$peer_name" "$client_ip"
done < <(peers::all)
log::wg "Rules restored for all peers"
}
# ============================================
# Rendering
# ============================================
function rule::render_flat() {
local rule_name="${1:-}"
local allow_ports allow_ips block_ips block_ports dns
allow_ports=$(rule::get "$rule_name" "allow_ports")
allow_ips=$(rule::get "$rule_name" "allow_ips")
block_ips=$(rule::get "$rule_name" "block_ips")
block_ports=$(rule::get "$rule_name" "block_ports")
dns=$(rule::get_own "$rule_name" "dns_redirect")
local has_content=false
[[ -n "${allow_ports}${allow_ips}${block_ips}${block_ports}" ]] && \
has_content=true
if ! $has_content; then
printf "\n full access (no restrictions)\n"
return 0
fi
if [[ -n "$allow_ports" || -n "$allow_ips" ]]; then
printf "\n"
while IFS= read -r e; do
[[ -z "$e" ]] && continue
net::print_entry "+" "$e" 2
done <<< "$allow_ports"$'\n'"$allow_ips"
fi
if [[ -n "$block_ips" || -n "$block_ports" ]]; then
printf "\n"
while IFS= read -r e; do
[[ -z "$e" ]] && continue
net::print_entry "-" "$e" 2
done <<< "$block_ips"$'\n'"$block_ports"
fi
[[ "${dns,,}" == "true" ]] && \
net::print_dns_redirect "$(config::dns)" 6 "DNS"
return 0
}
function rule::render_entries() {
local rule_name="${1:-}" indent="${2:-4}"
local allow_ports allow_ips block_ips block_ports dns
allow_ports=$(rule::get "$rule_name" "allow_ports" 2>/dev/null || true)
allow_ips=$(rule::get "$rule_name" "allow_ips" 2>/dev/null || true)
block_ips=$(rule::get "$rule_name" "block_ips" 2>/dev/null || true)
block_ports=$(rule::get "$rule_name" "block_ports" 2>/dev/null || true)
dns=$(rule::get_own "$rule_name" "dns_redirect")
while IFS= read -r e; do
[[ -z "$e" ]] && continue
net::print_entry "+" "$e"
done <<< "$allow_ports"$'\n'"$allow_ips"
while IFS= read -r e; do
[[ -z "$e" ]] && continue
net::print_entry "-" "$e"
done <<< "$block_ips"$'\n'"$block_ports"
[[ "${dns,,}" == "true" ]] && \
net::print_dns_redirect "$(config::dns)" 6 "DNS"
}
function rule::render_own_entries() {
local rule_name="${1:-}"
local rule_file
rule_file="$(rule::path "$rule_name")"
local allow_ports allow_ips block_ips block_ports dns
allow_ports=$(json::get "$rule_file" "allow_ports" 2>/dev/null || true)
allow_ips=$(json::get "$rule_file" "allow_ips" 2>/dev/null || true)
block_ips=$(json::get "$rule_file" "block_ips" 2>/dev/null || true)
block_ports=$(json::get "$rule_file" "block_ports" 2>/dev/null || true)
dns=$(json::get "$rule_file" "dns_redirect" 2>/dev/null || true)
local combined="${allow_ports}${allow_ips}${block_ips}${block_ports}"
[[ -z "${combined//[$'\n']/}" ]] && return 0
while IFS= read -r e; do
[[ -z "$e" ]] && continue
net::print_entry "+" "$e"
done <<< "$allow_ports"$'\n'"$allow_ips"
while IFS= read -r e; do
[[ -z "$e" ]] && continue
net::print_entry "-" "$e"
done <<< "$block_ips"$'\n'"$block_ports"
[[ "${dns,,}" == "true" ]] && \
net::print_dns_redirect "$(config::dns)" 6 "DNS"
return 0
}
function rule::render_extends_tree() {
local rule_name="${1:-}"
local rule_file
rule_file="$(rule::path "$rule_name")"
local extends_raw=()
mapfile -t extends_raw < <(json::get "$rule_file" "extends" 2>/dev/null || true)
[[ ${#extends_raw[@]} -eq 0 || -z "${extends_raw[0]:-}" ]] && return 1
for base_name in "${extends_raw[@]}"; do
[[ -z "$base_name" ]] && continue
printf "\n \033[0;37m↳ %s\033[0m\n" "$base_name"
rule::render_entries "$base_name"
done
local own_output
own_output=$(rule::render_own_entries "$rule_name")
if [[ -n "$own_output" ]]; then
printf "\n \033[0;37mOwn:\033[0m\n"
printf "%s\n" "$own_output"
fi
return 0
}
# ============================================
# DNS Redirect
# ============================================
function rule::apply_dns_redirect() {
local client_subnet="${1:-}"
fw::nat_add_dns_redirect "$client_subnet" "$(config::dns)" "$(config::interface)"
}
function rule::remove_dns_redirect() {
local client_subnet="${1:-}"
fw::nat_remove_dns_redirect "$client_subnet" "$(config::dns)" "$(config::interface)"
}
| 1 | #!/usr/bin/env bash |
| 2 | |
| 3 | # ============================================ |
| 4 | # Rule File Parsing |
| 5 | # ============================================ |
| 6 | |
| 7 | function rule::is_base() { |
| 8 | local name="${1:-}" |
| 9 | [[ -f "$(ctx::rules::base)/${name}.rule" ]] |
| 10 | } |
| 11 | |
| 12 | function rule::exists() { |
| 13 | local name="${1:-}" |
| 14 | local path |
| 15 | path=$(json::find_rule_file "$(ctx::rules)" "$name") |
| 16 | [[ -n "$path" ]] |
| 17 | } |
| 18 | |
| 19 | function rule::require_assignable() { |
| 20 | local name="${1:-}" |
| 21 | if rule::is_base "$name"; then |
| 22 | log::error "Cannot assign base rule '${name}' — base rules cannot be assigned directly" |
| 23 | return 1 |
| 24 | fi |
| 25 | } |
| 26 | |
| 27 | function rule::require_exists() { |
| 28 | local name="${1:-}" |
| 29 | if ! rule::exists "$name"; then |
| 30 | log::error "Rule not found: ${name}" |
| 31 | return 1 |
| 32 | fi |
| 33 | } |
| 34 | |
| 35 | function rule::get() { |
| 36 | local name="${1:-}" key="${2:-}" |
| 37 | json::rule_resolve_field "$(ctx::rules)" "$name" "$key" |
| 38 | } |
| 39 | |
| 40 | function rule::get_own() { |
| 41 | local name="${1:-}" key="${2:-}" |
| 42 | local file |
| 43 | file=$(rule::path "$name") || return 0 |
| 44 | json::get_raw "$file" "$key" |
| 45 | } |
| 46 | |
| 47 | function rule::get_resolved() { |
| 48 | local name="${1:-}" |
| 49 | json::rule_resolve "$(ctx::rules)" "$name" |
| 50 | } |
| 51 | |
| 52 | function rule::path() { |
| 53 | local name="${1:-}" |
| 54 | local path |
| 55 | path=$(json::find_rule_file "$(ctx::rules)" "$name") |
| 56 | [[ -n "$path" ]] && echo "$path" || return 1 |
| 57 | } |
| 58 | |
| 59 | function rule::get_all() { |
| 60 | local name="${1:-}" |
| 61 | rule::get_resolved "$name" |
| 62 | } |
| 63 | |
| 64 | function rule::is_applied() { |
| 65 | local rule_name="${1:-}" client_ip="${2:-}" |
| 66 | |
| 67 | local first_port |
| 68 | first_port=$(rule::get "$rule_name" "block_ports" | head -1) |
| 69 | if [[ -n "$first_port" ]]; then |
| 70 | local target port proto |
| 71 | IFS=":" read -r target port proto <<< "$first_port" |
| 72 | proto="${proto:-tcp}" |
| 73 | fw::has_block_rule "$client_ip" "$target" "$proto" "$port" |
| 74 | return $? |
| 75 | fi |
| 76 | |
| 77 | local first_ip |
| 78 | first_ip=$(rule::get "$rule_name" "block_ips" | head -1) |
| 79 | if [[ -n "$first_ip" ]]; then |
| 80 | fw::has_block_rule "$client_ip" "$first_ip" |
| 81 | return $? |
| 82 | fi |
| 83 | |
| 84 | local first_allow |
| 85 | first_allow=$(rule::get "$rule_name" "allow_ports" | head -1) |
| 86 | if [[ -n "$first_allow" ]]; then |
| 87 | local target port proto |
| 88 | IFS=":" read -r target port proto <<< "$first_allow" |
| 89 | proto="${proto:-tcp}" |
| 90 | fw::_forward_exists -s "$client_ip" -d "$target" \ |
| 91 | -p "$proto" --dport "$port" -j ACCEPT |
| 92 | return $? |
| 93 | fi |
| 94 | |
| 95 | return 1 |
| 96 | } |
| 97 | |
| 98 | # ============================================ |
| 99 | # Rule Application |
| 100 | # ============================================ |
| 101 | |
| 102 | function rule::apply() { |
| 103 | local rule_name="${1:?rule_name required}" |
| 104 | local client_ip="${2:?client_ip required}" |
| 105 | local peer_name="${3:-}" |
| 106 | |
| 107 | rule::require_exists "$rule_name" || return 1 |
| 108 | |
| 109 | if [[ -z "$peer_name" ]]; then |
| 110 | peer_name=$(peers::find_by_ip "$client_ip") |
| 111 | fi |
| 112 | |
| 113 | log::debug "rule::apply: peer_name=$peer_name ip=$client_ip" |
| 114 | |
| 115 | if rule::is_applied "$rule_name" "$client_ip"; then |
| 116 | log::wg "Rule '${rule_name}' already applied to: ${client_ip}" |
| 117 | [[ -n "$peer_name" ]] && peers::set_meta "$peer_name" "rule" "$rule_name" |
| 118 | return 0 |
| 119 | fi |
| 120 | |
| 121 | # Process block_ips |
| 122 | while IFS= read -r block_ip; do |
| 123 | [[ -z "$block_ip" ]] && continue |
| 124 | fw::block_ip "$client_ip" "$block_ip" |
| 125 | done < <(rule::get "$rule_name" "block_ips") |
| 126 | |
| 127 | # Process block_ports |
| 128 | while IFS= read -r entry; do |
| 129 | [[ -z "$entry" ]] && continue |
| 130 | local target port proto |
| 131 | IFS=":" read -r target port proto <<< "$entry" |
| 132 | proto="${proto:-tcp}" |
| 133 | fw::block_port "$client_ip" "$target" "$port" "$proto" |
| 134 | done < <(rule::get "$rule_name" "block_ports") |
| 135 | |
| 136 | # Process allow_ips (inserted before blocks) |
| 137 | while IFS= read -r allow_ip; do |
| 138 | [[ -z "$allow_ip" ]] && continue |
| 139 | fw::allow_ip "$client_ip" "$allow_ip" |
| 140 | done < <(rule::get "$rule_name" "allow_ips") |
| 141 | |
| 142 | # Process allow_ports (highest priority) |
| 143 | while IFS= read -r entry; do |
| 144 | [[ -z "$entry" ]] && continue |
| 145 | local target port proto |
| 146 | IFS=":" read -r target port proto <<< "$entry" |
| 147 | proto="${proto:-tcp}" |
| 148 | fw::allow_port "$client_ip" "$target" "$port" "$proto" |
| 149 | done < <(rule::get "$rule_name" "allow_ports") |
| 150 | |
| 151 | [[ -n "$peer_name" ]] && peers::set_meta "$peer_name" "rule" "$rule_name" |
| 152 | |
| 153 | # DNS redirect |
| 154 | local dns_redirect |
| 155 | dns_redirect=$(rule::get "$rule_name" "dns_redirect") |
| 156 | if [[ "$dns_redirect" == "true" ]]; then |
| 157 | local peer_subnet |
| 158 | peer_subnet=$(peers::get_ip "$peer_name" | cut -d'.' -f1-3) |
| 159 | if ! fw::_nat_exists -i wg0 -s "${peer_subnet}.0/24" \ |
| 160 | -p udp --dport 53 -j DNAT \ |
| 161 | --to-destination "$(config::dns):53" 2>/dev/null; then |
| 162 | rule::apply_dns_redirect "${peer_subnet}.0/24" |
| 163 | log::debug "dns_redirect: applied for ${peer_subnet}.0/24" |
| 164 | else |
| 165 | log::debug "dns_redirect: already applied for ${peer_subnet}.0/24" |
| 166 | fi |
| 167 | fi |
| 168 | |
| 169 | log::debug "Applied rule '${rule_name}' to: ${client_ip}" |
| 170 | } |
| 171 | |
| 172 | function rule::unapply() { |
| 173 | local rule_name="${1:-}" client_ip="${2:-}" |
| 174 | |
| 175 | rule::require_exists "$rule_name" || return 1 |
| 176 | |
| 177 | local peer_name |
| 178 | peer_name=$(peers::find_by_ip "$client_ip") |
| 179 | |
| 180 | # Remove allow_ports first (reverse order of apply) |
| 181 | while IFS= read -r entry; do |
| 182 | [[ -z "$entry" ]] && continue |
| 183 | local target port proto |
| 184 | IFS=":" read -r target port proto <<< "$entry" |
| 185 | proto="${proto:-tcp}" |
| 186 | fw::unallow_port "$client_ip" "$target" "$port" "$proto" |
| 187 | done < <(rule::get "$rule_name" "allow_ports") |
| 188 | |
| 189 | # Remove allow_ips |
| 190 | while IFS= read -r allow_ip; do |
| 191 | [[ -z "$allow_ip" ]] && continue |
| 192 | if [[ "$allow_ip" == *"/"* ]]; then |
| 193 | fw::unallow_subnet "$client_ip" "$allow_ip" |
| 194 | else |
| 195 | fw::unallow_ip "$client_ip" "$allow_ip" |
| 196 | fi |
| 197 | done < <(rule::get "$rule_name" "allow_ips") |
| 198 | |
| 199 | # Remove block_ports |
| 200 | while IFS= read -r entry; do |
| 201 | [[ -z "$entry" ]] && continue |
| 202 | local target port proto |
| 203 | IFS=":" read -r target port proto <<< "$entry" |
| 204 | proto="${proto:-tcp}" |
| 205 | fw::unblock_port "$client_ip" "$target" "$port" "$proto" |
| 206 | done < <(rule::get "$rule_name" "block_ports") |
| 207 | |
| 208 | # Remove block_ips |
| 209 | while IFS= read -r block_ip; do |
| 210 | [[ -z "$block_ip" ]] && continue |
| 211 | if [[ "$block_ip" == *"/"* ]]; then |
| 212 | fw::unblock_subnet "$client_ip" "$block_ip" |
| 213 | else |
| 214 | fw::unblock_ip "$client_ip" "$block_ip" |
| 215 | fi |
| 216 | done < <(rule::get "$rule_name" "block_ips") |
| 217 | |
| 218 | # Remove DNS redirect if applicable |
| 219 | local dns_redirect |
| 220 | dns_redirect=$(rule::get "$rule_name" "dns_redirect") |
| 221 | if [[ "$dns_redirect" == "true" ]]; then |
| 222 | local peer_ip peer_subnet |
| 223 | peer_ip=$(peers::get_ip "$peer_name") |
| 224 | peer_subnet=$(echo "$peer_ip" | cut -d'.' -f1-3) |
| 225 | rule::remove_dns_redirect "${peer_subnet}.0/24" |
| 226 | fi |
| 227 | |
| 228 | [[ -n "$peer_name" ]] && peers::set_meta "$peer_name" "rule" "" |
| 229 | |
| 230 | log::debug "Removed rule '${rule_name}' from: ${client_ip}" |
| 231 | } |
| 232 | |
| 233 | # ============================================ |
| 234 | # Bulk Operations |
| 235 | # ============================================ |
| 236 | |
| 237 | function rule::_apply_identity_rule() { |
| 238 | local peer_name="${1:-}" client_ip="${2:-}" |
| 239 | |
| 240 | local identity_name |
| 241 | identity_name=$(identity::get_name "$peer_name") |
| 242 | [[ -z "$identity_name" ]] && return 0 |
| 243 | |
| 244 | local rules |
| 245 | rules=$(identity::rules "$identity_name") |
| 246 | [[ -z "$rules" ]] && return 0 |
| 247 | |
| 248 | local strict |
| 249 | strict=$(identity::rule_flags "$identity_name" "strict_rule") |
| 250 | |
| 251 | if [[ "$strict" == "true" ]]; then |
| 252 | # Strict: flush and apply only identity rules — peer rule ignored |
| 253 | fw::flush_peer "$client_ip" |
| 254 | while IFS= read -r rule_name; do |
| 255 | [[ -z "$rule_name" ]] && continue |
| 256 | rule::exists "$rule_name" && rule::apply "$rule_name" "$client_ip" "$peer_name" || true |
| 257 | done <<< "$rules" |
| 258 | else |
| 259 | # Additive: apply identity rules on top of peer rule |
| 260 | while IFS= read -r rule_name; do |
| 261 | [[ -z "$rule_name" ]] && continue |
| 262 | rule::exists "$rule_name" && rule::apply "$rule_name" "$client_ip" "$peer_name" || true |
| 263 | done <<< "$rules" |
| 264 | fi |
| 265 | } |
| 266 | |
| 267 | # rule::full_restore_peer <peer_name> <client_ip> |
| 268 | # Flush and fully restore all fw rules for a peer — rule rules + block rules. |
| 269 | # Use this instead of calling rule::apply + block::restore_rules_for separately |
| 270 | # to ensure block rules are never left missing after a flush. |
| 271 | function rule::full_restore_peer() { |
| 272 | local peer_name="${1:-}" client_ip="${2:-}" |
| 273 | [[ -z "$peer_name" || -z "$client_ip" ]] && return 1 |
| 274 | |
| 275 | fw::flush_peer "$client_ip" |
| 276 | |
| 277 | local peer_rule |
| 278 | peer_rule=$(peers::get_meta "$peer_name" "rule") |
| 279 | |
| 280 | local strict |
| 281 | strict=$(rule::_get_identity_strict "$peer_name") |
| 282 | |
| 283 | if [[ "$strict" == "true" ]]; then |
| 284 | # Strict mode: only identity rules apply |
| 285 | rule::_apply_identity_rule "$peer_name" "$client_ip" |
| 286 | else |
| 287 | # Normal mode: peer rule + identity rules (additive) |
| 288 | [[ -n "$peer_rule" ]] && rule::apply "$peer_rule" "$client_ip" "$peer_name" |
| 289 | rule::_apply_identity_rule "$peer_name" "$client_ip" |
| 290 | fi |
| 291 | |
| 292 | block::restore_rules_for "$peer_name" "$client_ip" |
| 293 | } |
| 294 | |
| 295 | function rule::_get_identity_strict() { |
| 296 | local peer_name="${1:-}" |
| 297 | local identity_name |
| 298 | identity_name=$(identity::get_name "$peer_name") |
| 299 | [[ -z "$identity_name" ]] && echo "false" && return 0 |
| 300 | identity::rule_flags "$identity_name" "strict_rule" |
| 301 | } |
| 302 | |
| 303 | function rule::restore_all() { |
| 304 | while IFS= read -r peer_name; do |
| 305 | block::is_blocked "$peer_name" && continue |
| 306 | |
| 307 | local rule_name |
| 308 | rule_name=$(peers::get_meta "$peer_name" "rule") |
| 309 | [[ -z "$rule_name" ]] && continue |
| 310 | |
| 311 | if ! rule::exists "$rule_name"; then |
| 312 | log::wg_warning "Rule '${rule_name}' not found for peer '${peer_name}', skipping" |
| 313 | continue |
| 314 | fi |
| 315 | |
| 316 | local client_ip |
| 317 | client_ip=$(peers::get_ip "$peer_name") |
| 318 | [[ -z "$client_ip" ]] && continue |
| 319 | |
| 320 | # full_restore_peer ensures block rules are restored alongside rule rules |
| 321 | rule::full_restore_peer "$peer_name" "$client_ip" |
| 322 | done < <(peers::all) |
| 323 | log::wg "Rules restored for all peers" |
| 324 | } |
| 325 | |
| 326 | # ============================================ |
| 327 | # Rendering |
| 328 | # ============================================ |
| 329 | |
| 330 | function rule::render_flat() { |
| 331 | local rule_name="${1:-}" |
| 332 | |
| 333 | local allow_ports allow_ips block_ips block_ports dns |
| 334 | allow_ports=$(rule::get "$rule_name" "allow_ports") |
| 335 | allow_ips=$(rule::get "$rule_name" "allow_ips") |
| 336 | block_ips=$(rule::get "$rule_name" "block_ips") |
| 337 | block_ports=$(rule::get "$rule_name" "block_ports") |
| 338 | dns=$(rule::get_own "$rule_name" "dns_redirect") |
| 339 | |
| 340 | local has_content=false |
| 341 | [[ -n "${allow_ports}${allow_ips}${block_ips}${block_ports}" ]] && \ |
| 342 | has_content=true |
| 343 | |
| 344 | if ! $has_content; then |
| 345 | printf "\n full access (no restrictions)\n" |
| 346 | return 0 |
| 347 | fi |
| 348 | |
| 349 | if [[ -n "$allow_ports" || -n "$allow_ips" ]]; then |
| 350 | printf "\n" |
| 351 | while IFS= read -r e; do |
| 352 | [[ -z "$e" ]] && continue |
| 353 | net::print_entry "+" "$e" 2 |
| 354 | done <<< "$allow_ports"$'\n'"$allow_ips" |
| 355 | fi |
| 356 | |
| 357 | if [[ -n "$block_ips" || -n "$block_ports" ]]; then |
| 358 | printf "\n" |
| 359 | while IFS= read -r e; do |
| 360 | [[ -z "$e" ]] && continue |
| 361 | net::print_entry "-" "$e" 2 |
| 362 | done <<< "$block_ips"$'\n'"$block_ports" |
| 363 | fi |
| 364 | |
| 365 | [[ "${dns,,}" == "true" ]] && \ |
| 366 | net::print_dns_redirect "$(config::dns)" 6 "DNS" |
| 367 | |
| 368 | return 0 |
| 369 | } |
| 370 | |
| 371 | function rule::render_entries() { |
| 372 | local rule_name="${1:-}" indent="${2:-4}" |
| 373 | |
| 374 | local allow_ports allow_ips block_ips block_ports dns |
| 375 | allow_ports=$(rule::get "$rule_name" "allow_ports" 2>/dev/null || true) |
| 376 | allow_ips=$(rule::get "$rule_name" "allow_ips" 2>/dev/null || true) |
| 377 | block_ips=$(rule::get "$rule_name" "block_ips" 2>/dev/null || true) |
| 378 | block_ports=$(rule::get "$rule_name" "block_ports" 2>/dev/null || true) |
| 379 | dns=$(rule::get_own "$rule_name" "dns_redirect") |
| 380 | |
| 381 | while IFS= read -r e; do |
| 382 | [[ -z "$e" ]] && continue |
| 383 | net::print_entry "+" "$e" |
| 384 | done <<< "$allow_ports"$'\n'"$allow_ips" |
| 385 | |
| 386 | while IFS= read -r e; do |
| 387 | [[ -z "$e" ]] && continue |
| 388 | net::print_entry "-" "$e" |
| 389 | done <<< "$block_ips"$'\n'"$block_ports" |
| 390 | |
| 391 | [[ "${dns,,}" == "true" ]] && \ |
| 392 | net::print_dns_redirect "$(config::dns)" 6 "DNS" |
| 393 | } |
| 394 | |
| 395 | function rule::render_own_entries() { |
| 396 | local rule_name="${1:-}" |
| 397 | local rule_file |
| 398 | rule_file="$(rule::path "$rule_name")" |
| 399 | |
| 400 | local allow_ports allow_ips block_ips block_ports dns |
| 401 | allow_ports=$(json::get "$rule_file" "allow_ports" 2>/dev/null || true) |
| 402 | allow_ips=$(json::get "$rule_file" "allow_ips" 2>/dev/null || true) |
| 403 | block_ips=$(json::get "$rule_file" "block_ips" 2>/dev/null || true) |
| 404 | block_ports=$(json::get "$rule_file" "block_ports" 2>/dev/null || true) |
| 405 | dns=$(json::get "$rule_file" "dns_redirect" 2>/dev/null || true) |
| 406 | |
| 407 | local combined="${allow_ports}${allow_ips}${block_ips}${block_ports}" |
| 408 | [[ -z "${combined//[$'\n']/}" ]] && return 0 |
| 409 | |
| 410 | while IFS= read -r e; do |
| 411 | [[ -z "$e" ]] && continue |
| 412 | net::print_entry "+" "$e" |
| 413 | done <<< "$allow_ports"$'\n'"$allow_ips" |
| 414 | |
| 415 | while IFS= read -r e; do |
| 416 | [[ -z "$e" ]] && continue |
| 417 | net::print_entry "-" "$e" |
| 418 | done <<< "$block_ips"$'\n'"$block_ports" |
| 419 | |
| 420 | [[ "${dns,,}" == "true" ]] && \ |
| 421 | net::print_dns_redirect "$(config::dns)" 6 "DNS" |
| 422 | |
| 423 | return 0 |
| 424 | } |
| 425 | |
| 426 | function rule::render_extends_tree() { |
| 427 | local rule_name="${1:-}" |
| 428 | local rule_file |
| 429 | rule_file="$(rule::path "$rule_name")" |
| 430 | |
| 431 | local extends_raw=() |
| 432 | mapfile -t extends_raw < <(json::get "$rule_file" "extends" 2>/dev/null || true) |
| 433 | |
| 434 | [[ ${#extends_raw[@]} -eq 0 || -z "${extends_raw[0]:-}" ]] && return 1 |
| 435 | |
| 436 | for base_name in "${extends_raw[@]}"; do |
| 437 | [[ -z "$base_name" ]] && continue |
| 438 | printf "\n \033[0;37m↳ %s\033[0m\n" "$base_name" |
| 439 | rule::render_entries "$base_name" |
| 440 | done |
| 441 | |
| 442 | local own_output |
| 443 | own_output=$(rule::render_own_entries "$rule_name") |
| 444 | if [[ -n "$own_output" ]]; then |
| 445 | printf "\n \033[0;37mOwn:\033[0m\n" |
| 446 | printf "%s\n" "$own_output" |
| 447 | fi |
| 448 | |
| 449 | return 0 |
| 450 | } |
| 451 | |
| 452 | # ============================================ |
| 453 | # DNS Redirect |
| 454 | # ============================================ |
| 455 | |
| 456 | function rule::apply_dns_redirect() { |
| 457 | local client_subnet="${1:-}" |
| 458 | fw::nat_add_dns_redirect "$client_subnet" "$(config::dns)" "$(config::interface)" |
| 459 | } |
| 460 | |
| 461 | function rule::remove_dns_redirect() { |
| 462 | local client_subnet="${1:-}" |
| 463 | fw::nat_remove_dns_redirect "$client_subnet" "$(config::dns)" "$(config::interface)" |
| 464 | } |