function reload_cidr_sets(){
local set_name="$1"
+ shift
# init new temporary sets
echo "updating set '${set_name}'"
- create_set "${set_name}-tmp" hash:net
- create_set "${set_name}6-tmp" hash:net family inet6
+ create_set "${set_name}-tmp" hash:net "$@"
+ create_set "${set_name}6-tmp" hash:net "$@" family inet6
# populate them
for sfx in '' .$(hostname -s)
}
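Review bot: The `"$@"` now forwarded to both create_set calls makes every extra argument of reload_cidr_sets an undocumented create option for the -tmp sets, and nothing in the function states that these options must match the ones the live set was created with, which this commit spells out separately as `counters` at the sinokorea and "${set_name}" create_set lines and again at both reload_cidr_sets call sites. I would add a comment above the new `shift`: `# extra args are forwarded to create_set for the -tmp sets; keep them identical to the create options of the live set they replace, and do not pass 'family' here because the inet6 call appends it`. The second point matters because on the inet6 line the caller's arguments precede the trailing `family inet6`, so a caller supplying its own family option would hand create_set two family settings. The body of reload_cidr_sets continues outside the hunk.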
function allow_services(){
- local s proto port
+ local s
for s in "$@"
do
case "${s}" in
$IPTABLES -L "${chain}"
fi
-create_set sinokorea hash:net
-create_set sinokorea6 hash:net family inet6
+create_set sinokorea hash:net counters
+create_set sinokorea6 hash:net counters family inet6
CURL_OPTS=''
if [ -e "${cidr_file}" ]
(set -o pipefail; curl -sfL ${CURL_OPTS} "${badcidrs_url}" | decommentcat | awk '{print $1}' > "${cidr_file}") || die 1 "failed to fetch list"
insert_setmatch_rules sinokorea -m multiport -p tcp --dports ssh,smtp -j xenophobe
-reload_cidr_sets sinokorea
+reload_cidr_sets sinokorea counters
exit 0
fi
-create_set "${set_name}" hash:net
-create_set "${set_name}6" hash:net family inet6
+create_set "${set_name}" hash:net counters
+create_set "${set_name}6" hash:net counters family inet6
# create or re-init chains
if ! $IPTABLES -L "${chain}" >/dev/null 2>&1
insert_setmatch_rules "${set_name}" -j "${chain}"
-reload_cidr_sets "${set_name}"
+reload_cidr_sets "${set_name}" counters