wgctl/commands/block.command.sh

170 lines
No EOL
4.6 KiB
Bash

#!/usr/bin/env bash
# ============================================
# Lifecycle
# ============================================
function cmd::block::on_load() {
flag::register --name
flag::register --type
flag::register --force
flag::register --quiet
flag::register --ip
flag::register --port
flag::register --proto
flag::register --subnet
}
# ============================================
# Help
# ============================================
function cmd::block::help() {
cat <<EOF
Usage: wgctl block --name <name> [options]
Block a client entirely or restrict access to specific IPs/ports/subnets.
Block rules are persisted and restored on WireGuard restart.
Options:
--name <name> Client name (e.g. phone-nuno)
--type <type> Device type (optional, combines with --name)
--ip <ip> Block access to specific IP (repeatable)
--subnet <cidr> Block access to subnet (repeatable)
--port <ip:port:proto> Block specific port, e.g. 10.0.0.210:9000:tcp (repeatable)
--force Skip confirmation prompt
--quiet Suppress output (used by group block)
Examples:
wgctl block --name phone-nuno
wgctl block --name nuno --type phone
wgctl block --name phone-nuno --ip 10.0.0.210
wgctl block --name phone-nuno --subnet 10.0.0.0/24
wgctl block --name phone-nuno --port 10.0.0.210:9000:tcp
wgctl ban --name phone-nuno
EOF
}
# ============================================
# Block Run
# ============================================
function cmd::block::run() {
local name=""
local type=""
local ips=()
local subnets=()
local ports=()
local quiet=false
while [[ $# -gt 0 ]]; do
case "$1" in
--name) name="$2"; shift 2 ;;
--type) type="$2"; shift 2 ;;
--ip) ips+=("$2"); shift 2 ;;
--force) force=true; shift ;;
--quiet) quiet=true; shift ;;
--subnet) subnets+=("$2"); shift 2 ;;
--port) ports+=("$2"); shift 2 ;;
--help) cmd::block::help; return ;;
*)
log::error "Unknown flag: $1"
cmd::block::help
return 1
;;
esac
done
if [[ -z "$name" ]]; then
log::error "Missing required flag: --name"
cmd::block::help
return 1
fi
name=$(peers::resolve_and_require "$name" "$type") || return 1
# Check if actually blocked
if peers::is_blocked "$name" || [[ -f "$(ctx::block::path "${name}.block")" ]]; then
log::wg_warning "Client is already blocked: ${name}"
return 0
fi
# Update cache first
monitor::update_endpoint_cache
local public_key
public_key=$(keys::public "$name") || return 1
local endpoint
endpoint=$(cmd::block::_get_endpoint "$name" "$public_key")
local client_ip
client_ip=$(peers::get_ip "$name") || return 1
# $quiet || log::section "Blocking client: ${name} (${client_ip})"
# No specific target — block everything
cmd::block::_block_all "$name" "$client_ip" "$quiet"
# Block specific IPs
for ip in "${ips[@]}"; do
ip::require_valid "$ip"
fw::block_ip "$client_ip" "$ip"
fw::save_block "$name" "$client_ip" "$ip"
done
# Block specific subnets
for subnet in "${subnets[@]}"; do
ip::require_valid "$subnet"
fw::block_subnet "$client_ip" "$subnet"
fw::save_block "$name" "$client_ip" "$subnet"
done
# Block specific ports
for entry in "${ports[@]}"; do
local target port proto
IFS=":" read -r target port proto <<< "$entry"
proto="${proto:-tcp}"
ip::require_valid "$target"
fw::block_port "$client_ip" "$target" "$port" "$proto"
fw::save_block "$name" "$client_ip" "$target" "$port" "$proto"
done
log::debug "Block rules applied for: ${name}"
}
function cmd::block::_get_endpoint() {
local name="$1" public_key="$2"
local endpoint
endpoint=$(monitor::endpoint_for_key "$public_key")
if [[ -z "$endpoint" || "$endpoint" == "(none)" ]]; then
endpoint=$(monitor::get_cached_endpoint "$name")
fi
echo "$endpoint"
}
function cmd::block::_block_all() {
local name="${1:-}"
local client_ip="${2:-}"
local quiet="${3:-false}"
[[ -z "$name" ]] && log::error "name required" && return 1
[[ -z "$client_ip" ]] && log::error "client_ip required" && return 1
local public_key endpoint
public_key=$(keys::public "$name") || return 1
endpoint=$(cmd::block::_get_endpoint "$name" "$public_key")
fw::block_all "$client_ip" "$name"
fw::save_block "$name" "$client_ip"
if [[ -n "$endpoint" ]]; then
monitor::unwatch "$client_ip"
monitor::watch "$endpoint" "$name"
fi
peers::remove_from_server "$name"
peers::reload
$quiet || log::wg_success "${name} has been blocked."
}