186526/bgpq4-pve-ipset-updater.sh

## bgpq4-pve-ipset-updater.sh
#!/bin/bash

# This script is used to generate pve-ipset-fw by using bgpq4

function help() {
    echo "Usage: $0 <instance_id> <as_set> <interface_name>"
    echo "Example: $0 1000 ARIN::AS-SUNOAKI net0"
    exit 1
}


if [ -z "$1" ]; then
    help
fi

if [ -z "$2" ]; then
    help
fi

if [ -z "$3" ]; then
    help
fi

if ! command -v bgpq4 &> /dev/null; then
    echo "bgpq4 could not be found"
    exit 1
fi

instance_id=$1
as_set=$2
interface_name=$3

# Get the AS-SET's IPv4 prefix

ipv4_prefixes=$(bgpq4 -4 -F '%n/%l\n' -A "$as_set")

ipv6_prefixes=$(bgpq4 -6 -F '%n/%l\n' -A "$as_set")

function new_ipset() {
    tempfile="$(mktemp)"
    trap 'rm -rf -- "$tempfile"' EXIT

    printf "[IPSET ipfilter-$interface_name] # generated in $(date -I"seconds"), by bgpq4-pve-ipset-updater\n\n" > "$tempfile"

    for line in $ipv4_prefixes; do
        echo "$line # from $as_set" >> "$tempfile"
    done

    for line in $ipv6_prefixes; do
        echo "$line # from $as_set" >> "$tempfile"
    done

    echo "" >> "$tempfile"

    cat "$tempfile"
}


# Read Original pve-ipset-fw file

original_pve_fw_file="/etc/pve/firewall/$instance_id.fw"

if [ ! -f "$original_pve_fw_file" ]; then
    printf "[OPTIONS]\n\nipfilter: 1\nenable: 1\npolicy_in: ACCEPT\n" > "$original_pve_fw_file"
fi

# Check original pve-ipset-fw file does have the ipset

new_pve_fw_file="$(mktemp)"
trap 'rm -rf -- "$new_pve_fw_file"' EXIT

flag=0
isPrinted=0

while IFS= read -r line; do

    if [[ $line =~ "[IPSET ipfilter-$interface_name]" ]]; then
        echo "" >> "$new_pve_fw_file"
        new_ipset >> "$new_pve_fw_file"
        flag=1
        isPrinted=1
    fi

    if [[ $line =~ "[IPSET " && $flag == 1 ]]; then
        flag=0
    fi

    if [[ $flag == 0 ]]; then
        echo "$line" >> "$new_pve_fw_file"
    fi

done < "$original_pve_fw_file"

if [[ $isPrinted == 0 ]]; then
    new_ipset >> "$new_pve_fw_file"
fi

cat "$new_pve_fw_file" > "$original_pve_fw_file"

exit 0
	#!/bin/bash

	# This script is used to generate pve-ipset-fw by using bgpq4

	function help() {
	echo "Usage: $0 <instance_id> <as_set> <interface_name>"
	echo "Example: $0 1000 ARIN::AS-SUNOAKI net0"
	exit 1
	}


	if [ -z "$1" ]; then
	help
	fi

	if [ -z "$2" ]; then
	help
	fi

	if [ -z "$3" ]; then
	help
	fi

	if ! command -v bgpq4 &> /dev/null; then
	echo "bgpq4 could not be found"
	exit 1
	fi

	instance_id=$1
	as_set=$2
	interface_name=$3

	# Get the AS-SET's IPv4 prefix

	ipv4_prefixes=$(bgpq4 -4 -F '%n/%l\n' -A "$as_set")

	ipv6_prefixes=$(bgpq4 -6 -F '%n/%l\n' -A "$as_set")

	function new_ipset() {
	tempfile="$(mktemp)"
	trap 'rm -rf -- "$tempfile"' EXIT

	printf "[IPSET ipfilter-$interface_name] # generated in $(date -I"seconds"), by bgpq4-pve-ipset-updater\n\n" > "$tempfile"

	for line in $ipv4_prefixes; do
	echo "$line # from $as_set" >> "$tempfile"
	done

	for line in $ipv6_prefixes; do
	echo "$line # from $as_set" >> "$tempfile"
	done

	echo "" >> "$tempfile"

	cat "$tempfile"
	}


	# Read Original pve-ipset-fw file

	original_pve_fw_file="/etc/pve/firewall/$instance_id.fw"

	if [ ! -f "$original_pve_fw_file" ]; then
	printf "[OPTIONS]\n\nipfilter: 1\nenable: 1\npolicy_in: ACCEPT\n" > "$original_pve_fw_file"
	fi

	# Check original pve-ipset-fw file does have the ipset

	new_pve_fw_file="$(mktemp)"
	trap 'rm -rf -- "$new_pve_fw_file"' EXIT

	flag=0
	isPrinted=0

	while IFS= read -r line; do

	if [[ $line =~ "[IPSET ipfilter-$interface_name]" ]]; then
	echo "" >> "$new_pve_fw_file"
	new_ipset >> "$new_pve_fw_file"
	flag=1
	isPrinted=1
	fi

	if [[ $line =~ "[IPSET " && $flag == 1 ]]; then
	flag=0
	fi

	if [[ $flag == 0 ]]; then
	echo "$line" >> "$new_pve_fw_file"
	fi

	done < "$original_pve_fw_file"

	if [[ $isPrinted == 0 ]]; then
	new_ipset >> "$new_pve_fw_file"
	fi

	cat "$new_pve_fw_file" > "$original_pve_fw_file"

	exit 0
No results found