#!/bin/bash

#
# This script will download the latest ipsum IP address list and add the
# addresses to the ufw-blocklist ipset
# Use memory instead of file system to reduce writes to sd card

# todo: better validation of new list, eg is valid IP address
#       whitelist to exclude from adding to the set

# install this file into /etc/cron.daily/ufw-blocklist-ipsum

## URL must return a text file with one IP address per line
ipsumurl='https://raw.githubusercontent.com/stamparm/ipsum/master/levels/3.txt'
# reject the new list if there are fewer than minlen number of ip addresses
minlen=1000

ipsetname=ufw-blocklist-ipsum
ipset_exe=/usr/sbin/ipset
logger="/usr/bin/logger -t ${ipsetname}"

## Check if ipsetname exists. exit if not - ie no set to update
ipsetstatus=$("${ipset_exe}" -t list "${ipsetname}" 2>/dev/null )
RET=$?
if [ $RET -ne 0 ]; then
	$logger -s "ipset named $ipsetname does not exist. is UFW started? exiting"
	exit 1
fi

ipsetcount=$(echo "$ipsetstatus" | grep '^Number of entries:' | cut -d' ' -f4)
$logger "starting update of ${ipsetname} with ${ipsetcount} entries from ${ipsumurl}"

## Download the latest list
rawlist=$(curl -sS -f --compressed "$ipsumurl" 2>/dev/null)
RET=$?
if [ $RET -ne 0 ]; then
	$logger -s "curl error code $RET for $ipsumurl"
	exit 1
fi

## Read the list into an array
declare -a scrublist
readarray -t scrublist < <(echo "$rawlist")

## Validate the list length
scrublistlen="${#scrublist[@]}"

#echo "length of scrublist array: $scrublistlen"
if [ "$scrublistlen" -lt $minlen ]; then
	$logger -s "$scrublistlen less than $minlen IPs. something must be wrong with $ipsumurl"
	exit 1
fi

## define a function to validate ip addresses
# isvalidip() {
# 	{
#         ipaddr="";
#         [[ ! $ipaddr =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]] && return 1;
#         for quad in $(echo "${ipaddr//./ }"); do
#             (( $quad >= 0 && $quad <= 255 )) && continue;
#             return 1;
#         done
#     }
# }

# isvalidip() {
# 	{
#         # return code + output version
#         ipaddr="";
#         local errmsg="ERROR: $ipaddr is not a valid IP address";
#         [[ ! $ipaddr =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]] && echo "$errmsg" && return 1;
#         for quad in $(echo "${ipaddr//./ }"); do
#             (( $quad >= 0 && $quad <= 255 )) && continue;
#             echo "$errmsg";
#             return 1;
#         done
#     }
# }

## create a temporary ipset
tmpsetname="$(mktemp -u | cut -f2 -d'.')-tmp"
$ipset_exe -q create "$tmpsetname" hash:net
RET=$?
if [ $RET -ne 0 ]; then
    $logger -s "error code $RET creating temporary ipset $tmpsetname"
	$ipset_exe -q destroy "$tmpsetname"
    exit 1
fi

## loop through each IP address in the scrublist array and add it to the temporary ipset
cnt=0
for i in "${scrublist[@]}"
	do
		# Add that IP to the ipset blocklist
		$ipset_exe add "$tmpsetname" "$i"
		cnt=$((cnt+1))
	done

## ipset swap FROM-SETNAME TO-SETNAME
## Swap the content of two existing sets
$ipset_exe swap "$tmpsetname" "$ipsetname"
RET=$?
if [ $RET -ne 0 ]; then
    $logger -s "error code $RET ipset swapping $tmpsetname to $ipsetname"
	$ipset_exe -q destroy "$tmpsetname"
        exit 1
fi

$ipset_exe -q destroy "$tmpsetname"
RET=$?
if [ $RET -ne 0 ]; then
	$logger -s "error code $RET destroying ipset $tmpsetname"
	exit 1
fi

$logger "finished updating $ipsetname. Old entry count: $ipsetcount New count: $cnt of $scrublistlen"