From 9c725e566f6ae7404dfae8be26a1dbf9b6d71a2d Mon Sep 17 00:00:00 2001
From: Donald Buczek
Date: Sun, 29 Sep 2019 14:09:28 +0200
Subject: [PATCH] mxrouter: Add primitive blacklist

With the current Emotet outbreak, I want at least temporarily to maintain and apply a blacklist of the IP addresses of its C&C servers.

https://www.dfn-cert.de/aktuell/emotet-aktuell.html

Add a rudimentary blacklist feature. IPs from /etc/local/mxrouter/ip-blacklist are loaded into the ipset ip-blacklist on router start or reload. This ipset can be used by netfilter rules to block traffic to/from that ip.
---
 mxrouter/mxrouterctl | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/mxrouter/mxrouterctl b/mxrouter/mxrouterctl
index a0eb331..ecc6a44 100755
--- a/mxrouter/mxrouterctl
+++ b/mxrouter/mxrouterctl
@@ -358,6 +358,18 @@ sub disable_ipv4_rp_filter {
     $disable_ipv4_rp_filter{$if}=1;
 }
 
+sub reload_ip_blacklist {
+    sys('ipset','flush','ip-blacklist');
+    if (-e '/etc/local/mxrouter/ip-blacklist') {
+        open my $in,'<','/etc/local/mxrouter/ip-blacklist' or die "/etc/local/mxrouter/ip-blacklist: $!\n";
+        while (<$in>) {
+            s/#.*//;
+            /^\s*(\d+\.\d+\.\d+\.\d+)\s*$/ or next;
+            system('ipset','add','ip-blacklist',$1);
+        }
+    }
+}
+
 sub start {
     -d "/var/run/mxrouter/$NETNS" or sys ('mkdir','-p',"/var/run/mxrouter/$NETNS");
 
@@ -519,6 +531,8 @@ sub start {
     start_process_if($process_radvd);
 
     unless ($opt_noop) {
+        sys('ipset','create','-exist','ip-blacklist','hash:ip','counters');
+        reload_ip_blacklist();
         open my $pipe,'|-','iptables-restore' or die "$!\n";
         print $pipe rules_in_restore_format();
         close $pipe or die "$!\n";
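Review bot: The `ipset flush` on the first line of reload_ip_blacklist empties the live set before the file is re-read, so every reload opens a window (one ipset process per address) in which none of the C&C addresses are blocked, and the return value of `system('ipset','add','ip-blacklist',$1)` is ignored, so an entry ipset rejects (a duplicate line, or an out-of-range octet such as 300.1.1.1 that `\d+` still accepts) is dropped silently and that address stays unblocked. Populating a scratch set and atomically `ipset swap`-ing it into place closes the window, and doing the add through the file's `sys` helper with `-exist` makes a bad entry fail loudly — assuming `sys` dies on a non-zero exit, which the surrounding calls appear to rely on but whose definition is not in this diff. The set type `hash:ip` is IPv4-only and the regex skips CIDR lines without any message; a comment such as `# one dotted-quad IPv4 address per line; CIDR and IPv6 entries are silently ignored` above the loop would set expectations for whoever edits the file. The "reload" path named in the commit message is outside this diff, so I cannot confirm whether it reaches reload_ip_blacklist before or after the set is created.
```perl
sub reload_ip_blacklist {
    # Build the new list in a scratch set and swap it in atomically, so the
    # live set is never empty while the file is being re-read.
    sys('ipset','create','-exist','ip-blacklist-tmp','hash:ip','counters');
    sys('ipset','flush','ip-blacklist-tmp');
    if (-e '/etc/local/mxrouter/ip-blacklist') {
        open my $in,'<','/etc/local/mxrouter/ip-blacklist' or die "/etc/local/mxrouter/ip-blacklist: $!\n";
        while (<$in>) {
            # … unchanged: comment stripping and address regex …
            # fail on a rejected entry instead of silently leaving it unblocked
            sys('ipset','add','-exist','ip-blacklist-tmp',$1);
        }
        close $in;
    }
    sys('ipset','swap','ip-blacklist-tmp','ip-blacklist');
    sys('ipset','destroy','ip-blacklist-tmp');
}
```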