#!/usr/bin/env bash # ============================================ # Lifecycle # ============================================ function cmd::unblock::on_load() { flag::register --name flag::register --type flag::register --force flag::register --quiet flag::register --ip flag::register --port flag::register --proto flag::register --subnet flag::register --all # System - NET Services flag::register --service } # ============================================ # Help # ============================================ function cmd::unblock::help() { cat < [options] Remove block rules for a client. Options: --name Client name (e.g. phone-nuno) --type Device type (optional, combines with --name) --ip Unblock specific IP (repeatable) --subnet Unblock specific subnet (repeatable) --port Unblock specific port (repeatable) --all Remove all block rules for this client --force Skip confirmation prompt --quiet Suppress output (used by group unblock) Examples: wgctl unblock --name phone-nuno wgctl unblock --name nuno --type phone wgctl unblock --name phone-nuno --ip 10.0.0.210 wgctl unban --name phone-nuno EOF } # ============================================ # Unblock Run # ============================================ function cmd::unblock::run() { local name="" local type="" local ips=() local subnets=() local ports=() local services=() local all=false local quiet=false while [[ $# -gt 0 ]]; do case "$1" in --name) name="$2"; shift 2 ;; --type) type="$2"; shift 2 ;; --ip) ips+=("$2"); shift 2 ;; --force) force=true; shift ;; --quiet) quiet=true; shift ;; --subnet) subnets+=("$2"); shift 2 ;; --port) ports+=("$2"); shift 2 ;; --service) services+=("$2"); shift 2 ;; --all) all=true; shift ;; --help) cmd::unblock::help; return ;; *) log::error "Unknown flag: $1" cmd::unblock::help return 1 ;; esac done if [[ -z "$name" ]]; then log::error "Missing required flag: --name" cmd::unblock::help return 1 fi name=$(peers::resolve_and_require "$name" "$type") || return 1 # Check if actually blocked if ! peers::is_blocked "$name" && ! block::has_file "$name"; then log::wg_warning "Client is not blocked: ${name}" return 0 fi # Default to full unblock if no specific flags given if [[ ${#ips[@]} -eq 0 && ${#subnets[@]} -eq 0 && ${#ports[@]} -eq 0 && ${#services[@]} -eq 0 ]]; then all=true fi local client_ip client_ip=$(peers::get_ip "$name") || return 1 # $quiet || log::section "Unblocking client: ${name} (${client_ip})" if $all; then cmd::unblock::_unblock_all "$name" "$client_ip" "$quiet" return 0 fi # Unblock specific IPs for ip in "${ips[@]}"; do fw::unblock_ip "$client_ip" "$ip" block::remove_rule "$name" "ip" "$ip" $quiet || log::wg_success "${ip} has been unblocked for ${name}" done # Unblock specific subnets for subnet in "${subnets[@]}"; do fw::unblock_subnet "$client_ip" "$subnet" block::remove_rule "$name" "subnet" "$subnet" $quiet || log::wg_success "${subnet} has been unblocked for ${name}" done # Unblock specific ports for entry in "${ports[@]}"; do local target port proto IFS=":" read -r target port proto <<< "$entry" proto="${proto:-tcp}" fw::unblock_port "$client_ip" "$target" "$port" "$proto" block::remove_rule "$name" "port" "$b_target" "$b_port" "$b_proto" $quiet || log::wg_success "${client_ip}:${b_port}:${b_proto:-tcp} has been unblocked for ${name}" done # Unblock services for svc in "${services[@]}"; do local resolved_lines=() mapfile -t resolved_lines < <(net::resolve "$svc" 2>/dev/null) if [[ ${#resolved_lines[@]} -eq 0 ]]; then log::error "Service not found: ${svc}" return 1 fi # Check if actually blocked local is_blocked=false for resolved in "${resolved_lines[@]}"; do if [[ "$resolved" == *:*:* ]]; then local b_ip b_port b_proto IFS=":" read -r b_ip b_port b_proto <<< "$resolved" fw::has_block_rule "$client_ip" "$b_ip" "$b_port" "$b_proto" 2>/dev/null && \ { is_blocked=true; break; } else fw::has_block_rule "$client_ip" "$resolved" 2>/dev/null && \ { is_blocked=true; break; } fi done if ! $is_blocked; then $quiet || log::wg_warning "${svc} is not blocked for ${name}" continue fi for resolved in "${resolved_lines[@]}"; do if [[ "$resolved" == *:*:* ]]; then local b_ip b_port b_proto IFS=":" read -r b_ip b_port b_proto <<< "$resolved" fw::unblock_port "$client_ip" "$b_ip" "$b_port" "$b_proto" block::remove_rule "$name" "port" "$b_ip" "$b_port" "$b_proto" else fw::unblock_ip "$client_ip" "$resolved" block::remove_rule "$name" "ip" "$resolved" fi done $quiet || log::wg_success "${svc} has been unblocked for ${name}" done # Clean up block file if now empty block::cleanup "$name" return 0 } function cmd::unblock::_unblock_all() { local name="${1:?}" client_ip="${2:?}" quiet="${3:-false}" # Direct unblock overrides everything — clear all block state block::set_direct "$name" "$client_ip" "false" # Force full unblock regardless of group blocks # (direct unblock = admin override) block::restore_peer "$name" "$client_ip" block::remove_file "$name" local rule rule=$(peers::get_meta "$name" "rule") [[ -n "$rule" ]] && rule::exists "$rule" && \ rule::apply "$rule" "$client_ip" "$name" local groups groups=$(block::get_groups "$name") if [[ -n "$groups" ]]; then log::wg_warning "${name} was blocked by group(s): ${groups} — unblocking anyway" fi $quiet || log::wg_success "${name} has been unblocked." return 0 }