gistfile1.txt
· 5.0 KiB · Text
Originalformat
function cmd::block::run() {
local name="" identity="" type="" block_name=""
local ips=() subnets=() ports=() services=()
local quiet=false force=false
local reason=""
while [[ $# -gt 0 ]]; do
case "$1" in
--name) name="$2"; shift 2 ;;
--identity) identity="$2"; shift 2 ;;
--type) type="$2"; shift 2 ;;
--ip) ips+=("$2"); shift 2 ;;
--block-name) block_name="$2"; shift 2 ;;
--service) services+=("$2"); shift 2 ;;
--force) force=true; shift ;;
--quiet) quiet=true; shift ;;
--subnet) subnets+=("$2"); shift 2 ;;
--port) ports+=("$2"); shift 2 ;;
--reason) reason="$2"; shift 2 ;;
--help) cmd::block::help; return ;;
*)
log::error "Unknown flag: $1"
cmd::block::help
return 1
;;
esac
done
# --identity: block all peers for this identity
if [[ -n "$identity" ]]; then
cmd::block::_block_identity "$identity" "$quiet" \
"${ips[@]+"${ips[@]}"}" || return 1
return 0
fi
[[ -z "$name" ]] && {
log::error "Missing required flag: --name or --identity"
cmd::block::help
return 1
}
name=$(peers::resolve_and_require "$name" "$type") || return 1
local client_ip
client_ip=$(peers::get_ip "$name") || return 1
# Full block if no specific targets
if [[ ${#ips[@]} -eq 0 && ${#ports[@]} -eq 0 && \
${#subnets[@]} -eq 0 && ${#services[@]} -eq 0 ]]; then
if peers::is_blocked "$name"; then
log::wg_warning "Client is already blocked: ${name}"
return 0
fi
monitor::update_endpoint_cache
cmd::block::_block_all "$name" "$client_ip" "$quiet"
return 0
fi
# Specific rules — check if already fully blocked
if block::has_file "$name"; then
local direct
direct=$(block::is_blocked_direct "$name")
if [[ "$direct" == "true" ]]; then
log::wg_warning "${name} is fully blocked — unblock first to add specific rules"
return 1
fi
fi
local changed=false
# Block specific IPs
for ip in "${ips[@]}"; do
ip::require_valid "$ip"
fw::block_ip "$client_ip" "$ip"
block::add_rule "$name" "$client_ip" "ip" "${block_name:-}" "$ip"
$quiet || log::wg_success "${ip} has been blocked for ${name}"
done
# Block specific subnets
for subnet in "${subnets[@]}"; do
ip::require_valid "$subnet"
fw::block_subnet "$client_ip" "$subnet"
block::add_rule "$name" "$client_ip" "subnet" "${block_name:-}" "$subnet"
$quiet || log::wg_success "${subnet} has been blocked for ${name}"
done
# Block specific ports
for entry in "${ports[@]}"; do
local b_target b_port b_proto
IFS=":" read -r b_target b_port b_proto <<< "$entry"
ip::require_valid "$b_target"
fw::block_port "$client_ip" "$b_target" "$b_port" "${b_proto:-tcp}"
block::add_rule "$name" "$client_ip" "port" "${block_name:-}" \
"$b_target" "$b_port" "${b_proto:-tcp}"
$quiet || log::wg_success "${client_ip}:${b_port}:${b_proto:-tcp} has been blocked for ${name}"
done
# Block services
for svc in "${services[@]}"; do
local resolved_lines=()
mapfile -t resolved_lines < <(net::resolve "$svc" 2>/dev/null)
if [[ ${#resolved_lines[@]} -eq 0 ]]; then
log::error "Service not found or has no ports: ${svc}"
return 1
fi
local already_blocked=true
for resolved in "${resolved_lines[@]}"; do
if [[ "$resolved" == *:*:* ]]; then
local b_ip b_port b_proto
IFS=":" read -r b_ip b_port b_proto <<< "$resolved"
fw::has_block_rule "$client_ip" "$b_ip" "$b_port" "$b_proto" 2>/dev/null || \
{ already_blocked=false; break; }
else
fw::has_block_rule "$client_ip" "$resolved" 2>/dev/null || \
{ already_blocked=false; break; }
fi
done
if $already_blocked; then
$quiet || log::wg_warning "${svc} is already blocked for ${name}"
continue
fi
for resolved in "${resolved_lines[@]}"; do
if [[ "$resolved" == *:*:* ]]; then
local b_ip b_port b_proto
IFS=":" read -r b_ip b_port b_proto <<< "$resolved"
fw::block_port "$client_ip" "$b_ip" "$b_port" "$b_proto"
block::add_rule "$name" "$client_ip" "port" "$svc" \
"$b_ip" "$b_port" "$b_proto"
else
fw::block_ip "$client_ip" "$resolved"
block::add_rule "$name" "$client_ip" "ip" "$svc" "$resolved"
fi
done
changed=true
$quiet || log::wg_success "${svc} has been blocked for ${name}"
done
[[ ${#ips[@]} -gt 0 || ${#ports[@]} -gt 0 || \
${#subnets[@]} -gt 0 ]] && changed=true
if $changed; then
local peer_rule
peer_rule=$(peers::get_meta "$name" "rule")
if [[ -n "$peer_rule" ]] && rule::exists "$peer_rule"; then
fw::flush_peer "$client_ip"
rule::apply "$peer_rule" "$client_ip" "$name"
block::restore_rules_for "$name" "$client_ip"
fi
fi
log::debug "should call block history"
cmd::block::_record_history "$name" "$type" "manual" "$reason"
return 0
}
| 1 | function cmd::block::run() { |
| 2 | local name="" identity="" type="" block_name="" |
| 3 | local ips=() subnets=() ports=() services=() |
| 4 | local quiet=false force=false |
| 5 | local reason="" |
| 6 | |
| 7 | while [[ $# -gt 0 ]]; do |
| 8 | case "$1" in |
| 9 | --name) name="$2"; shift 2 ;; |
| 10 | --identity) identity="$2"; shift 2 ;; |
| 11 | --type) type="$2"; shift 2 ;; |
| 12 | --ip) ips+=("$2"); shift 2 ;; |
| 13 | --block-name) block_name="$2"; shift 2 ;; |
| 14 | --service) services+=("$2"); shift 2 ;; |
| 15 | --force) force=true; shift ;; |
| 16 | --quiet) quiet=true; shift ;; |
| 17 | --subnet) subnets+=("$2"); shift 2 ;; |
| 18 | --port) ports+=("$2"); shift 2 ;; |
| 19 | --reason) reason="$2"; shift 2 ;; |
| 20 | --help) cmd::block::help; return ;; |
| 21 | *) |
| 22 | log::error "Unknown flag: $1" |
| 23 | cmd::block::help |
| 24 | return 1 |
| 25 | ;; |
| 26 | esac |
| 27 | done |
| 28 | |
| 29 | # --identity: block all peers for this identity |
| 30 | if [[ -n "$identity" ]]; then |
| 31 | cmd::block::_block_identity "$identity" "$quiet" \ |
| 32 | "${ips[@]+"${ips[@]}"}" || return 1 |
| 33 | return 0 |
| 34 | fi |
| 35 | |
| 36 | [[ -z "$name" ]] && { |
| 37 | log::error "Missing required flag: --name or --identity" |
| 38 | cmd::block::help |
| 39 | return 1 |
| 40 | } |
| 41 | |
| 42 | name=$(peers::resolve_and_require "$name" "$type") || return 1 |
| 43 | |
| 44 | local client_ip |
| 45 | client_ip=$(peers::get_ip "$name") || return 1 |
| 46 | |
| 47 | # Full block if no specific targets |
| 48 | if [[ ${#ips[@]} -eq 0 && ${#ports[@]} -eq 0 && \ |
| 49 | ${#subnets[@]} -eq 0 && ${#services[@]} -eq 0 ]]; then |
| 50 | if peers::is_blocked "$name"; then |
| 51 | log::wg_warning "Client is already blocked: ${name}" |
| 52 | return 0 |
| 53 | fi |
| 54 | monitor::update_endpoint_cache |
| 55 | cmd::block::_block_all "$name" "$client_ip" "$quiet" |
| 56 | return 0 |
| 57 | fi |
| 58 | |
| 59 | # Specific rules — check if already fully blocked |
| 60 | if block::has_file "$name"; then |
| 61 | local direct |
| 62 | direct=$(block::is_blocked_direct "$name") |
| 63 | if [[ "$direct" == "true" ]]; then |
| 64 | log::wg_warning "${name} is fully blocked — unblock first to add specific rules" |
| 65 | return 1 |
| 66 | fi |
| 67 | fi |
| 68 | |
| 69 | local changed=false |
| 70 | |
| 71 | # Block specific IPs |
| 72 | for ip in "${ips[@]}"; do |
| 73 | ip::require_valid "$ip" |
| 74 | fw::block_ip "$client_ip" "$ip" |
| 75 | block::add_rule "$name" "$client_ip" "ip" "${block_name:-}" "$ip" |
| 76 | $quiet || log::wg_success "${ip} has been blocked for ${name}" |
| 77 | done |
| 78 | |
| 79 | # Block specific subnets |
| 80 | for subnet in "${subnets[@]}"; do |
| 81 | ip::require_valid "$subnet" |
| 82 | fw::block_subnet "$client_ip" "$subnet" |
| 83 | block::add_rule "$name" "$client_ip" "subnet" "${block_name:-}" "$subnet" |
| 84 | $quiet || log::wg_success "${subnet} has been blocked for ${name}" |
| 85 | done |
| 86 | |
| 87 | # Block specific ports |
| 88 | for entry in "${ports[@]}"; do |
| 89 | local b_target b_port b_proto |
| 90 | IFS=":" read -r b_target b_port b_proto <<< "$entry" |
| 91 | ip::require_valid "$b_target" |
| 92 | fw::block_port "$client_ip" "$b_target" "$b_port" "${b_proto:-tcp}" |
| 93 | block::add_rule "$name" "$client_ip" "port" "${block_name:-}" \ |
| 94 | "$b_target" "$b_port" "${b_proto:-tcp}" |
| 95 | $quiet || log::wg_success "${client_ip}:${b_port}:${b_proto:-tcp} has been blocked for ${name}" |
| 96 | done |
| 97 | |
| 98 | # Block services |
| 99 | for svc in "${services[@]}"; do |
| 100 | local resolved_lines=() |
| 101 | mapfile -t resolved_lines < <(net::resolve "$svc" 2>/dev/null) |
| 102 | if [[ ${#resolved_lines[@]} -eq 0 ]]; then |
| 103 | log::error "Service not found or has no ports: ${svc}" |
| 104 | return 1 |
| 105 | fi |
| 106 | |
| 107 | local already_blocked=true |
| 108 | for resolved in "${resolved_lines[@]}"; do |
| 109 | if [[ "$resolved" == *:*:* ]]; then |
| 110 | local b_ip b_port b_proto |
| 111 | IFS=":" read -r b_ip b_port b_proto <<< "$resolved" |
| 112 | fw::has_block_rule "$client_ip" "$b_ip" "$b_port" "$b_proto" 2>/dev/null || \ |
| 113 | { already_blocked=false; break; } |
| 114 | else |
| 115 | fw::has_block_rule "$client_ip" "$resolved" 2>/dev/null || \ |
| 116 | { already_blocked=false; break; } |
| 117 | fi |
| 118 | done |
| 119 | |
| 120 | if $already_blocked; then |
| 121 | $quiet || log::wg_warning "${svc} is already blocked for ${name}" |
| 122 | continue |
| 123 | fi |
| 124 | |
| 125 | for resolved in "${resolved_lines[@]}"; do |
| 126 | if [[ "$resolved" == *:*:* ]]; then |
| 127 | local b_ip b_port b_proto |
| 128 | IFS=":" read -r b_ip b_port b_proto <<< "$resolved" |
| 129 | fw::block_port "$client_ip" "$b_ip" "$b_port" "$b_proto" |
| 130 | block::add_rule "$name" "$client_ip" "port" "$svc" \ |
| 131 | "$b_ip" "$b_port" "$b_proto" |
| 132 | else |
| 133 | fw::block_ip "$client_ip" "$resolved" |
| 134 | block::add_rule "$name" "$client_ip" "ip" "$svc" "$resolved" |
| 135 | fi |
| 136 | done |
| 137 | |
| 138 | changed=true |
| 139 | $quiet || log::wg_success "${svc} has been blocked for ${name}" |
| 140 | done |
| 141 | |
| 142 | [[ ${#ips[@]} -gt 0 || ${#ports[@]} -gt 0 || \ |
| 143 | ${#subnets[@]} -gt 0 ]] && changed=true |
| 144 | |
| 145 | if $changed; then |
| 146 | local peer_rule |
| 147 | peer_rule=$(peers::get_meta "$name" "rule") |
| 148 | if [[ -n "$peer_rule" ]] && rule::exists "$peer_rule"; then |
| 149 | fw::flush_peer "$client_ip" |
| 150 | rule::apply "$peer_rule" "$client_ip" "$name" |
| 151 | block::restore_rules_for "$name" "$client_ip" |
| 152 | fi |
| 153 | fi |
| 154 | |
| 155 | log::debug "should call block history" |
| 156 | cmd::block::_record_history "$name" "$type" "manual" "$reason" |
| 157 | |
| 158 | return 0 |
| 159 | } |