Последняя активность 1 month ago

nuno ревизий этого фрагмента 1 month ago. К ревизии

1 file changed, 159 insertions

gistfile1.txt(файл создан)

@@ -0,0 +1,159 @@
1 + function cmd::block::run() {
2 + local name="" identity="" type="" block_name=""
3 + local ips=() subnets=() ports=() services=()
4 + local quiet=false force=false
5 + local reason=""
6 +
7 + while [[ $# -gt 0 ]]; do
8 + case "$1" in
9 + --name) name="$2"; shift 2 ;;
10 + --identity) identity="$2"; shift 2 ;;
11 + --type) type="$2"; shift 2 ;;
12 + --ip) ips+=("$2"); shift 2 ;;
13 + --block-name) block_name="$2"; shift 2 ;;
14 + --service) services+=("$2"); shift 2 ;;
15 + --force) force=true; shift ;;
16 + --quiet) quiet=true; shift ;;
17 + --subnet) subnets+=("$2"); shift 2 ;;
18 + --port) ports+=("$2"); shift 2 ;;
19 + --reason) reason="$2"; shift 2 ;;
20 + --help) cmd::block::help; return ;;
21 + *)
22 + log::error "Unknown flag: $1"
23 + cmd::block::help
24 + return 1
25 + ;;
26 + esac
27 + done
28 +
29 + # --identity: block all peers for this identity
30 + if [[ -n "$identity" ]]; then
31 + cmd::block::_block_identity "$identity" "$quiet" \
32 + "${ips[@]+"${ips[@]}"}" || return 1
33 + return 0
34 + fi
35 +
36 + [[ -z "$name" ]] && {
37 + log::error "Missing required flag: --name or --identity"
38 + cmd::block::help
39 + return 1
40 + }
41 +
42 + name=$(peers::resolve_and_require "$name" "$type") || return 1
43 +
44 + local client_ip
45 + client_ip=$(peers::get_ip "$name") || return 1
46 +
47 + # Full block if no specific targets
48 + if [[ ${#ips[@]} -eq 0 && ${#ports[@]} -eq 0 && \
49 + ${#subnets[@]} -eq 0 && ${#services[@]} -eq 0 ]]; then
50 + if peers::is_blocked "$name"; then
51 + log::wg_warning "Client is already blocked: ${name}"
52 + return 0
53 + fi
54 + monitor::update_endpoint_cache
55 + cmd::block::_block_all "$name" "$client_ip" "$quiet"
56 + return 0
57 + fi
58 +
59 + # Specific rules — check if already fully blocked
60 + if block::has_file "$name"; then
61 + local direct
62 + direct=$(block::is_blocked_direct "$name")
63 + if [[ "$direct" == "true" ]]; then
64 + log::wg_warning "${name} is fully blocked — unblock first to add specific rules"
65 + return 1
66 + fi
67 + fi
68 +
69 + local changed=false
70 +
71 + # Block specific IPs
72 + for ip in "${ips[@]}"; do
73 + ip::require_valid "$ip"
74 + fw::block_ip "$client_ip" "$ip"
75 + block::add_rule "$name" "$client_ip" "ip" "${block_name:-}" "$ip"
76 + $quiet || log::wg_success "${ip} has been blocked for ${name}"
77 + done
78 +
79 + # Block specific subnets
80 + for subnet in "${subnets[@]}"; do
81 + ip::require_valid "$subnet"
82 + fw::block_subnet "$client_ip" "$subnet"
83 + block::add_rule "$name" "$client_ip" "subnet" "${block_name:-}" "$subnet"
84 + $quiet || log::wg_success "${subnet} has been blocked for ${name}"
85 + done
86 +
87 + # Block specific ports
88 + for entry in "${ports[@]}"; do
89 + local b_target b_port b_proto
90 + IFS=":" read -r b_target b_port b_proto <<< "$entry"
91 + ip::require_valid "$b_target"
92 + fw::block_port "$client_ip" "$b_target" "$b_port" "${b_proto:-tcp}"
93 + block::add_rule "$name" "$client_ip" "port" "${block_name:-}" \
94 + "$b_target" "$b_port" "${b_proto:-tcp}"
95 + $quiet || log::wg_success "${client_ip}:${b_port}:${b_proto:-tcp} has been blocked for ${name}"
96 + done
97 +
98 + # Block services
99 + for svc in "${services[@]}"; do
100 + local resolved_lines=()
101 + mapfile -t resolved_lines < <(net::resolve "$svc" 2>/dev/null)
102 + if [[ ${#resolved_lines[@]} -eq 0 ]]; then
103 + log::error "Service not found or has no ports: ${svc}"
104 + return 1
105 + fi
106 +
107 + local already_blocked=true
108 + for resolved in "${resolved_lines[@]}"; do
109 + if [[ "$resolved" == *:*:* ]]; then
110 + local b_ip b_port b_proto
111 + IFS=":" read -r b_ip b_port b_proto <<< "$resolved"
112 + fw::has_block_rule "$client_ip" "$b_ip" "$b_port" "$b_proto" 2>/dev/null || \
113 + { already_blocked=false; break; }
114 + else
115 + fw::has_block_rule "$client_ip" "$resolved" 2>/dev/null || \
116 + { already_blocked=false; break; }
117 + fi
118 + done
119 +
120 + if $already_blocked; then
121 + $quiet || log::wg_warning "${svc} is already blocked for ${name}"
122 + continue
123 + fi
124 +
125 + for resolved in "${resolved_lines[@]}"; do
126 + if [[ "$resolved" == *:*:* ]]; then
127 + local b_ip b_port b_proto
128 + IFS=":" read -r b_ip b_port b_proto <<< "$resolved"
129 + fw::block_port "$client_ip" "$b_ip" "$b_port" "$b_proto"
130 + block::add_rule "$name" "$client_ip" "port" "$svc" \
131 + "$b_ip" "$b_port" "$b_proto"
132 + else
133 + fw::block_ip "$client_ip" "$resolved"
134 + block::add_rule "$name" "$client_ip" "ip" "$svc" "$resolved"
135 + fi
136 + done
137 +
138 + changed=true
139 + $quiet || log::wg_success "${svc} has been blocked for ${name}"
140 + done
141 +
142 + [[ ${#ips[@]} -gt 0 || ${#ports[@]} -gt 0 || \
143 + ${#subnets[@]} -gt 0 ]] && changed=true
144 +
145 + if $changed; then
146 + local peer_rule
147 + peer_rule=$(peers::get_meta "$name" "rule")
148 + if [[ -n "$peer_rule" ]] && rule::exists "$peer_rule"; then
149 + fw::flush_peer "$client_ip"
150 + rule::apply "$peer_rule" "$client_ip" "$name"
151 + block::restore_rules_for "$name" "$client_ip"
152 + fi
153 + fi
154 +
155 + log::debug "should call block history"
156 + cmd::block::_record_history "$name" "$type" "manual" "$reason"
157 +
158 + return 0
159 + }
Новее Позже