#!/usr/bin/env bash # ============================================ # Lifecycle # ============================================ function cmd::block::on_load() { flag::register --name flag::register --type flag::register --force flag::register --quiet flag::register --ip flag::register --port flag::register --proto flag::register --subnet } # ============================================ # Help # ============================================ function cmd::block::help() { cat < [options] Block a client entirely or restrict access to specific IPs/ports/subnets. Block rules are persisted and restored on WireGuard restart. Options: --name Client name (e.g. phone-nuno) --type Device type (optional, combines with --name) --ip Block access to specific IP (repeatable) --subnet Block access to subnet (repeatable) --port Block specific port, e.g. 10.0.0.210:9000:tcp (repeatable) --force Skip confirmation prompt --quiet Suppress output (used by group block) Examples: wgctl block --name phone-nuno wgctl block --name nuno --type phone wgctl block --name phone-nuno --ip 10.0.0.210 wgctl block --name phone-nuno --subnet 10.0.0.0/24 wgctl block --name phone-nuno --port 10.0.0.210:9000:tcp wgctl ban --name phone-nuno EOF } # ============================================ # Block Run # ============================================ function cmd::block::run() { local name="" local type="" local ips=() local subnets=() local ports=() local quiet=false while [[ $# -gt 0 ]]; do case "$1" in --name) name="$2"; shift 2 ;; --type) type="$2"; shift 2 ;; --ip) ips+=("$2"); shift 2 ;; --force) force=true; shift ;; --quiet) quiet=true; shift ;; --subnet) subnets+=("$2"); shift 2 ;; --port) ports+=("$2"); shift 2 ;; --help) cmd::block::help; return ;; *) log::error "Unknown flag: $1" cmd::block::help return 1 ;; esac done if [[ -z "$name" ]]; then log::error "Missing required flag: --name" cmd::block::help return 1 fi name=$(peers::resolve_and_require "$name" "$type") || return 1 # Check if actually blocked if peers::is_blocked "$name" || [[ -f "$(ctx::block::path "${name}.block")" ]]; then log::wg_warning "Client is already blocked: ${name}" return 0 fi # Update cache first monitor::update_endpoint_cache local public_key public_key=$(keys::public "$name") || return 1 local endpoint endpoint=$(cmd::block::_get_endpoint "$name" "$public_key") local client_ip client_ip=$(peers::get_ip "$name") || return 1 # $quiet || log::section "Blocking client: ${name} (${client_ip})" # No specific target — block everything cmd::block::_block_all "$name" "$client_ip" "$quiet" # Block specific IPs for ip in "${ips[@]}"; do ip::require_valid "$ip" fw::block_ip "$client_ip" "$ip" fw::save_block "$name" "$client_ip" "$ip" done # Block specific subnets for subnet in "${subnets[@]}"; do ip::require_valid "$subnet" fw::block_subnet "$client_ip" "$subnet" fw::save_block "$name" "$client_ip" "$subnet" done # Block specific ports for entry in "${ports[@]}"; do local target port proto IFS=":" read -r target port proto <<< "$entry" proto="${proto:-tcp}" ip::require_valid "$target" fw::block_port "$client_ip" "$target" "$port" "$proto" fw::save_block "$name" "$client_ip" "$target" "$port" "$proto" done log::debug "Block rules applied for: ${name}" } function cmd::block::_get_endpoint() { local name="$1" public_key="$2" local endpoint endpoint=$(monitor::endpoint_for_key "$public_key") if [[ -z "$endpoint" || "$endpoint" == "(none)" ]]; then endpoint=$(monitor::get_cached_endpoint "$name") fi echo "$endpoint" } function cmd::block::_block_all() { local name="${1:-}" local client_ip="${2:-}" local quiet="${3:-false}" [[ -z "$name" ]] && log::error "name required" && return 1 [[ -z "$client_ip" ]] && log::error "client_ip required" && return 1 local public_key endpoint public_key=$(keys::public "$name") || return 1 endpoint=$(cmd::block::_get_endpoint "$name" "$public_key") fw::block_all "$client_ip" "$name" fw::save_block "$name" "$client_ip" if [[ -n "$endpoint" ]]; then monitor::unwatch "$client_ip" monitor::watch "$endpoint" "$name" fi peers::remove_from_server "$name" peers::reload $quiet || log::wg_success "${name} has been blocked." }