Dernière activité 1 month ago

gistfile1.txt Brut
1function cmd::block::run() {
2 local name="" identity="" type="" block_name=""
3 local ips=() subnets=() ports=() services=()
4 local quiet=false force=false
5 local reason=""
6
7 while [[ $# -gt 0 ]]; do
8 case "$1" in
9 --name) name="$2"; shift 2 ;;
10 --identity) identity="$2"; shift 2 ;;
11 --type) type="$2"; shift 2 ;;
12 --ip) ips+=("$2"); shift 2 ;;
13 --block-name) block_name="$2"; shift 2 ;;
14 --service) services+=("$2"); shift 2 ;;
15 --force) force=true; shift ;;
16 --quiet) quiet=true; shift ;;
17 --subnet) subnets+=("$2"); shift 2 ;;
18 --port) ports+=("$2"); shift 2 ;;
19 --reason) reason="$2"; shift 2 ;;
20 --help) cmd::block::help; return ;;
21 *)
22 log::error "Unknown flag: $1"
23 cmd::block::help
24 return 1
25 ;;
26 esac
27 done
28
29 # --identity: block all peers for this identity
30 if [[ -n "$identity" ]]; then
31 cmd::block::_block_identity "$identity" "$quiet" \
32 "${ips[@]+"${ips[@]}"}" || return 1
33 return 0
34 fi
35
36 [[ -z "$name" ]] && {
37 log::error "Missing required flag: --name or --identity"
38 cmd::block::help
39 return 1
40 }
41
42 name=$(peers::resolve_and_require "$name" "$type") || return 1
43
44 local client_ip
45 client_ip=$(peers::get_ip "$name") || return 1
46
47 # Full block if no specific targets
48 if [[ ${#ips[@]} -eq 0 && ${#ports[@]} -eq 0 && \
49 ${#subnets[@]} -eq 0 && ${#services[@]} -eq 0 ]]; then
50 if peers::is_blocked "$name"; then
51 log::wg_warning "Client is already blocked: ${name}"
52 return 0
53 fi
54 monitor::update_endpoint_cache
55 cmd::block::_block_all "$name" "$client_ip" "$quiet"
56 return 0
57 fi
58
59 # Specific rules — check if already fully blocked
60 if block::has_file "$name"; then
61 local direct
62 direct=$(block::is_blocked_direct "$name")
63 if [[ "$direct" == "true" ]]; then
64 log::wg_warning "${name} is fully blocked — unblock first to add specific rules"
65 return 1
66 fi
67 fi
68
69 local changed=false
70
71 # Block specific IPs
72 for ip in "${ips[@]}"; do
73 ip::require_valid "$ip"
74 fw::block_ip "$client_ip" "$ip"
75 block::add_rule "$name" "$client_ip" "ip" "${block_name:-}" "$ip"
76 $quiet || log::wg_success "${ip} has been blocked for ${name}"
77 done
78
79 # Block specific subnets
80 for subnet in "${subnets[@]}"; do
81 ip::require_valid "$subnet"
82 fw::block_subnet "$client_ip" "$subnet"
83 block::add_rule "$name" "$client_ip" "subnet" "${block_name:-}" "$subnet"
84 $quiet || log::wg_success "${subnet} has been blocked for ${name}"
85 done
86
87 # Block specific ports
88 for entry in "${ports[@]}"; do
89 local b_target b_port b_proto
90 IFS=":" read -r b_target b_port b_proto <<< "$entry"
91 ip::require_valid "$b_target"
92 fw::block_port "$client_ip" "$b_target" "$b_port" "${b_proto:-tcp}"
93 block::add_rule "$name" "$client_ip" "port" "${block_name:-}" \
94 "$b_target" "$b_port" "${b_proto:-tcp}"
95 $quiet || log::wg_success "${client_ip}:${b_port}:${b_proto:-tcp} has been blocked for ${name}"
96 done
97
98 # Block services
99 for svc in "${services[@]}"; do
100 local resolved_lines=()
101 mapfile -t resolved_lines < <(net::resolve "$svc" 2>/dev/null)
102 if [[ ${#resolved_lines[@]} -eq 0 ]]; then
103 log::error "Service not found or has no ports: ${svc}"
104 return 1
105 fi
106
107 local already_blocked=true
108 for resolved in "${resolved_lines[@]}"; do
109 if [[ "$resolved" == *:*:* ]]; then
110 local b_ip b_port b_proto
111 IFS=":" read -r b_ip b_port b_proto <<< "$resolved"
112 fw::has_block_rule "$client_ip" "$b_ip" "$b_port" "$b_proto" 2>/dev/null || \
113 { already_blocked=false; break; }
114 else
115 fw::has_block_rule "$client_ip" "$resolved" 2>/dev/null || \
116 { already_blocked=false; break; }
117 fi
118 done
119
120 if $already_blocked; then
121 $quiet || log::wg_warning "${svc} is already blocked for ${name}"
122 continue
123 fi
124
125 for resolved in "${resolved_lines[@]}"; do
126 if [[ "$resolved" == *:*:* ]]; then
127 local b_ip b_port b_proto
128 IFS=":" read -r b_ip b_port b_proto <<< "$resolved"
129 fw::block_port "$client_ip" "$b_ip" "$b_port" "$b_proto"
130 block::add_rule "$name" "$client_ip" "port" "$svc" \
131 "$b_ip" "$b_port" "$b_proto"
132 else
133 fw::block_ip "$client_ip" "$resolved"
134 block::add_rule "$name" "$client_ip" "ip" "$svc" "$resolved"
135 fi
136 done
137
138 changed=true
139 $quiet || log::wg_success "${svc} has been blocked for ${name}"
140 done
141
142 [[ ${#ips[@]} -gt 0 || ${#ports[@]} -gt 0 || \
143 ${#subnets[@]} -gt 0 ]] && changed=true
144
145 if $changed; then
146 local peer_rule
147 peer_rule=$(peers::get_meta "$name" "rule")
148 if [[ -n "$peer_rule" ]] && rule::exists "$peer_rule"; then
149 fw::flush_peer "$client_ip"
150 rule::apply "$peer_rule" "$client_ip" "$name"
151 block::restore_rules_for "$name" "$client_ip"
152 fi
153 fi
154
155 log::debug "should call block history"
156 cmd::block::_record_history "$name" "$type" "manual" "$reason"
157
158 return 0
159}