From 79fb3747b42bcaf8a91832e41b64ba96abf1836a Mon Sep 17 00:00:00 2001
From: Donald Buczek
Date: Tue, 13 May 2025 08:15:03 +0200
Subject: [PATCH] mxrouterctl: Implement hash:ip ipsets Support hash:ip type ipsets Example: ipset('mpg-netze', 'hash:net', '/etc/local/mxrouter/blacklists/mpg-netze', 'counters'); [...] rule('filter', 'wisnet-out', '-d 141.14.16.17 -p tcp --dport 80 -m set --match-set mpg-netze src -j ACCEPT'); # ohb.molgen.mpg.de With the file containing CIDR-Addresses and comments: [...] 141.5.255.252/31 141.5.255.254/31 141.14.8.0/23 [...] This change was done locally on bka on 8.5.2025, than forgotten, than disted away but was luckily collected by pbackup :-)
---
 mxrouter/mxrouterctl | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)
diff --git a/mxrouter/mxrouterctl b/mxrouter/mxrouterctl
index f16b2d0..eaa0810 100755
--- a/mxrouter/mxrouterctl
+++ b/mxrouter/mxrouterctl
@@ -342,16 +342,25 @@ sub reload_ipsets {
 my $tmp="$name-TMP";
 warn "read ipset $name from $filename\n";
 system('ipset','create',$tmp,$type,@options) and exit 1;
- $type eq 'hash:ip' or die "read ipset type $type from file not implemented\n";
 open my $in,'<',$filename or die "$filename: $!\n";
- while (<$in>) {
- s/#.*//;
- /^\s*(\d+\.\d+\.\d+\.\d+)\s*$/ or next;
- system('ipset','add',$tmp,$1) and exit 1;
- }
+ if ($type eq 'hash:ip') {
+ while (<$in>) {
+ s/#.*//;
+ /^\s*(\d+\.\d+\.\d+\.\d+)\s*$/ or next;
+ system('ipset','add',$tmp,$1) and exit 1;
+ }
+ } elsif ($type eq 'hash:net') {
+ while (<$in>) {
+ s/#.*//;
+ /^\s*(\d+\.\d+\.\d+\.\d+\/\d+)\s*$/ or next;
+ system('ipset', 'add', $tmp, $1) and exit 1;
+ }
+ } else {
+ die "read ipset type $type from file not implemented\n";
+ }
 system('ipset','swap',$name,$tmp) and exit 1;
 system('ipset','destroy',$tmp) and exit 1;
- }
+ }
 }
 our %radvd; # ( 'net03' => 'AdvSendAdvert on;prefix 2a02:d480:e08:20::/64;' , ...)
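Review bot: The new `hash:net` branch silently skips every line that does not match `^\s*(\d+\.\d+\.\d+\.\d+\/\d+)\s*$` (`or next`), so a bare address without a prefix (which ipset accepts for hash:net), an IPv6 network or a typo in the list file is dropped without any message. Because the set feeds `--match-set` rules such as the ACCEPT rule quoted in the commit message, a dropped entry changes the filtering policy without the operator noticing. I would skip only blank lines and report the rest, e.g. `/\S/ or next;` followed by `/^\s*(\d+\.\d+\.\d+\.\d+(?:\/\d+)?)\s*$/ or do { warn "$filename:$.: ignored: $_"; next };`, and the same applies to the `hash:ip` loop. When an `ipset add` fails the script exits with the `$name-TMP` set still created; whether a later run copes with that leftover is not visible here, since `reload_ipsets` starts and ends outside the hunk.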