Primera subida

iptag

@@ -0,0 +1,261 @@
+#!/bin/bash
+
+# =============== CONFIGURATION =============== #
+
+CIDR_LIST=(
+    192.168.0.0/16
+    100.64.0.0/10
+    10.0.0.0/8
+)
+LOOP_INTERVAL=60
+FW_NET_INTERFACE_CHECK_INTERVAL=60
+LXC_STATUS_CHECK_INTERVAL=-1
+FORCE_UPDATE_INTERVAL=1800
+VM_STATUS_CHECK_INTERVAL=60
+
+if [ -f "/usr/local/etc/lxc-iptag.conf" ]; then
+    # shellcheck source=./lxc-iptag.conf
+    # shellcheck source=/usr/local/etc/lxc-iptag.conf
+    source /usr/local/etc/lxc-iptag.conf
+fi
+
+# =============== UTIL_FUNCTION =============== #
+
+# Convert IP to integer for comparison
+ip_to_int() {
+    local ip="${1}"
+    local a b c d
+
+    IFS=. read -r a b c d <<< "${ip}"
+    echo "$((a << 24 | b << 16 | c << 8 | d))"
+}
+
+# Check if IP is in CIDR
+ip_in_cidr() {
+    local ip="${1}"
+    local cidr="${2}"
+
+    ip_int=$(ip_to_int "${ip}")
+    netmask_int=$(ip_to_int "$(ipcalc -b "${cidr}" | grep Broadcast | awk '{print $2}')")
+    masked_ip_int=$(( "${ip_int}" & "${netmask_int}" ))
+    [[ ${ip_int} -eq ${masked_ip_int} ]] && return 0 || return 1
+}
+
+# Check if IP is in any CIDRs
+ip_in_cidrs() {
+    local ip="${1}"
+    local cidrs=()
+
+    mapfile -t cidrs < <(echo "${2}" | tr ' ' '\n')
+    for cidr in "${cidrs[@]}"; do
+        ip_in_cidr "${ip}" "${cidr}" && return 0
+    done
+
+    return 1
+}
+
+# Check if IP is valid
+is_valid_ipv4() {
+    local ip=$1
+    local regex="^([0-9]{1,3}\.){3}[0-9]{1,3}$"
+
+    if [[ $ip =~ $regex ]]; then
+        IFS='.' read -r -a parts <<< "$ip"
+        for part in "${parts[@]}"; do
+            if ! [[ $part =~ ^[0-9]+$ ]] || ((part < 0 || part > 255)); then
+                return 1
+            fi
+        done
+        return 0
+    else
+        return 1
+    fi
+}
+
+lxc_status_changed() {
+    current_lxc_status=$(pct list 2>/dev/null)
+    if [ "${last_lxc_status}" == "${current_lxc_status}" ]; then
+        return 1
+    else
+        last_lxc_status="${current_lxc_status}"
+        return 0
+    fi
+}
+
+fw_net_interface_changed() {
+    current_net_interface=$(ip link | grep "^[0-9]*: fw")
+    if [ "${last_net_interface}" == "${current_net_interface}" ]; then
+        return 1
+    else
+        last_net_interface="${current_net_interface}"
+        return 0
+    fi
+}
+
+# =============== MAIN =============== #
+
+update_vm_iptags() {
+    vmid_list=$(qm list 2>/dev/null | grep -v VMID | awk '{print $1}')
+    for vmid in ${vmid_list}; do
+        # Check if the VM ID is in the exclusion list
+        if [[ " ${EXCLUSION_LIST[*]} " == *" ${vmid} "* ]]; then
+            echo "Skipping ${vmid} as it is in the exclusion list"
+            continue
+        fi
+
+        last_tagged_ips=()
+        current_valid_ips=()
+        next_tags=()
+
+        # Parse current tags
+        mapfile -t current_tags < <(qm config "${vmid}" | grep tags | awk '{print $2}' | sed 's/;/\n/g')
+        for current_tag in "${current_tags[@]}"; do
+            if is_valid_ipv4 "${current_tag}"; then
+                last_tagged_ips+=("${current_tag}")
+                continue
+            fi
+            next_tags+=("${current_tag}")
+        done
+
+        # Get current IPs
+        current_ips_full=$(qm guest cmd "${vmid}" network-get-interfaces | jq -r '.[] | .["ip-addresses"][]? | ."ip-address"')
+        for ip in ${current_ips_full}; do
+            # Check if the IP is in the exclusion list
+            if [[ " ${EXCLUSION_LIST[*]} " == *" ${ip} "* ]]; then
+                echo "Skipping IP ${ip} for VM ${vmid} as it is in the exclusion list"
+                continue
+            fi
+
+            if is_valid_ipv4 "${ip}" && ip_in_cidrs "${ip}" "${CIDR_LIST[*]}"; then
+                current_valid_ips+=("${ip}")
+                next_tags+=("${ip}")
+            fi
+        done
+
+        # Skip if no ip change
+        if [[ "$(echo "${last_tagged_ips[@]}" | tr ' ' '\n' | sort -u)" == "$(echo "${current_valid_ips[@]}" | tr ' ' '\n' | sort -u)" ]]; then
+            echo "Skipping ${vmid} cause ip no changes"
+            continue
+        fi
+
+        # Set tags
+        echo "Setting ${vmid} tags from ${current_tags[*]} to ${next_tags[*]}"
+        qm set "${vmid}" -tags "$(IFS=';'; echo "${next_tags[*]}")"
+    done
+}
+
+update_lxc_iptags() {
+    vmid_list=$(pct list 2>/dev/null | grep -v VMID | awk '{print $1}')
+    for vmid in ${vmid_list}; do
+        # Check if the container ID is in the exclusion list
+        if [[ " ${EXCLUSION_LIST[*]} " == *" ${vmid} "* ]]; then
+            echo "Skipping ${vmid} as it is in the exclusion list"
+            continue
+        fi
+
+        last_tagged_ips=()
+        current_valid_ips=()
+        next_tags=()
+
+        # Parse current tags
+        mapfile -t current_tags < <(pct config "${vmid}" | grep tags | awk '{print $2}' | sed 's/;/\n/g')
+        for current_tag in "${current_tags[@]}"; do
+            if is_valid_ipv4 "${current_tag}"; then
+                last_tagged_ips+=("${current_tag}")
+                continue
+            fi
+            next_tags+=("${current_tag}")
+        done
+
+        # Get current IPs
+        current_ips_full=$(lxc-info -n "${vmid}" -i | awk '{print $2}')
+        for ip in ${current_ips_full}; do
+            # Check if the IP is in the exclusion list
+            if [[ " ${EXCLUSION_LIST[*]} " == *" ${ip} "* ]]; then
+                echo "Skipping IP ${ip} for container ${vmid} as it is in the exclusion list"
+                continue
+            fi
+
+            if is_valid_ipv4 "${ip}" && ip_in_cidrs "${ip}" "${CIDR_LIST[*]}"; then
+                current_valid_ips+=("${ip}")
+                next_tags+=("${ip}")
+            fi
+        done
+
+        # Skip if no ip change
+        if [[ "$(echo "${last_tagged_ips[@]}" | tr ' ' '\n' | sort -u)" == "$(echo "${current_valid_ips[@]}" | tr ' ' '\n' | sort -u)" ]]; then
+            echo "Skipping ${vmid} cause ip no changes"
+            continue
+        fi
+
+        # Set tags
+        echo "Setting ${vmid} tags from ${current_tags[*]} to ${next_tags[*]}"
+        pct set "${vmid}" -tags "$(IFS=';'; echo "${next_tags[*]}")"
+    done
+}
+
+init() {
+    current_time=$(date +%s)
+    last_lxc_status_check_time=${current_time}
+    last_fw_net_interface_check_time=${current_time}
+    last_vm_status_check_time=${current_time}
+    fw_net_interface_changed
+    last_update_time=0
+}
+
+check() {
+    current_time=$(date +%s)
+
+    time_since_last_lxc_status_check=$((current_time - last_lxc_status_check_time))
+    if [[ "${LXC_STATUS_CHECK_INTERVAL}" -gt 0 ]] \
+        && [[ "${time_since_last_lxc_status_check}" -ge "${LXC_STATUS_CHECK_INTERVAL}" ]]; then
+        echo "Checking lxc status..."
+        last_lxc_status_check_time=${current_time}
+        if lxc_status_changed; then
+            update_lxc_iptags
+            last_update_time=${current_time}
+            return
+        fi
+    fi
+
+    time_since_last_fw_net_interface_check=$((current_time - last_fw_net_interface_check_time))
+    if [[ "${FW_NET_INTERFACE_CHECK_INTERVAL}" -gt 0 ]] \
+        && [[ "${time_since_last_fw_net_interface_check}" -ge "${FW_NET_INTERFACE_CHECK_INTERVAL}" ]]; then
+        echo "Checking fw net interface..."
+        last_fw_net_interface_check_time=${current_time}
+        if fw_net_interface_changed; then
+            update_lxc_iptags
+            last_update_time=${current_time}
+            return
+        fi
+    fi
+
+    time_since_last_vm_status_check=$((current_time - last_vm_status_check_time))
+    if [[ "${VM_STATUS_CHECK_INTERVAL}" -gt 0 ]] \
+        && [[ "${time_since_last_vm_status_check}" -ge "${VM_STATUS_CHECK_INTERVAL}" ]]; then
+        echo "Checking VM status..."
+        last_vm_status_check_time=${current_time}
+        update_vm_iptags
+        last_update_time=${current_time}
+        return
+    fi
+
+    time_since_last_update=$((current_time - last_update_time))
+    if [ ${time_since_last_update} -ge ${FORCE_UPDATE_INTERVAL} ]; then
+        echo "Force updating lxc iptags..."
+        update_lxc_iptags
+        last_update_time=${current_time}
+        return
+    fi
+}
+
+# main: Set the IP tags for all LXC containers
+main() {
+    init
+    while true; do
+        check
+        sleep "${LOOP_INTERVAL}"
+    done
+}
+
+main

iptag.conf

@@ -0,0 +1,15 @@
+# Configuration file for LXC IP tagging
+
+# List of allowed CIDRs
+CIDR_LIST=(
+  192.168.0.0/16
+  172.16.0.0/12
+  10.0.0.0/8
+  100.64.0.0/10
+)
+
+# Interval settings (in seconds)
+LOOP_INTERVAL=60
+FW_NET_INTERFACE_CHECK_INTERVAL=60
+LXC_STATUS_CHECK_INTERVAL=-1
+FORCE_UPDATE_INTERVAL=1800

iptag.ori

@@ -0,0 +1,168 @@
+#!/bin/bash
+
+# =============== CONFIGURATION =============== #
+
+CONFIG_FILE="/opt/lxc-iptag/iptag.conf"
+
+# Load the configuration file if it exists
+if [ -f "$CONFIG_FILE" ]; then
+  # shellcheck source=./lxc-iptag.conf
+  source "$CONFIG_FILE"
+fi
+
+# Convert IP to integer for comparison
+ip_to_int() {
+  local ip="${1}"
+  local a b c d
+
+  IFS=. read -r a b c d <<< "${ip}"
+  echo "$((a << 24 | b << 16 | c << 8 | d))"
+}
+
+# Check if IP is in CIDR
+ip_in_cidr() {
+  local ip="${1}"
+  local cidr="${2}"
+
+  ip_int=$(ip_to_int "${ip}")
+  netmask_int=$(ip_to_int "$(ipcalc -b "${cidr}" | grep Broadcast | awk '{print $2}')")
+  masked_ip_int=$(( "${ip_int}" & "${netmask_int}" ))
+  [[ ${ip_int} -eq ${masked_ip_int} ]] && return 0 || return 1
+}
+
+# Check if IP is in any CIDRs
+ip_in_cidrs() {
+  local ip="${1}"
+  local cidrs=()
+
+  mapfile -t cidrs < <(echo "${2}" | tr ' ' '\n')
+  for cidr in "${cidrs[@]}"; do
+  ip_in_cidr "${ip}" "${cidr}" && return 0
+  done
+
+  return 1
+}
+
+# Check if IP is valid
+is_valid_ipv4() {
+  local ip=$1
+  local regex="^([0-9]{1,3}\.){3}[0-9]{1,3}$"
+
+  if [[ $ip =~ $regex ]]; then
+    IFS='.' read -r -a parts <<< "$ip"
+    for part in "${parts[@]}"; do
+      if ! [[ $part =~ ^[0-9]+$ ]] || ((part < 0 || part > 255)); then
+        return 1
+      fi
+    done
+    return 0
+  else
+    return 1
+  fi
+}
+
+lxc_status_changed() {
+  current_lxc_status=$(pct list 2>/dev/null)
+  if [ "${last_lxc_status}" == "${current_lxc_status}" ]; then
+    return 1
+  else
+    last_lxc_status="${current_lxc_status}"
+    return 0
+  fi
+}
+
+fw_net_interface_changed() {
+  current_net_interface=$(ifconfig | grep "^fw")
+  if [ "${last_net_interface}" == "${current_net_interface}" ]; then
+    return 1
+  else
+    last_net_interface="${current_net_interface}"
+    return 0
+  fi
+}
+
+# =============== MAIN =============== #
+
+update_lxc_iptags() {
+  vmid_list=$(pct list 2>/dev/null | grep -v VMID | awk '{print $1}')
+  for vmid in ${vmid_list}; do
+    last_tagged_ips=()
+    current_valid_ips=()
+    next_tags=()
+
+    # Parse current tags
+    mapfile -t current_tags < <(pct config "${vmid}" | grep tags | awk '{print $2}' | sed 's/;/\n/g')
+    for current_tag in "${current_tags[@]}"; do
+      if is_valid_ipv4 "${current_tag}"; then
+        last_tagged_ips+=("${current_tag}")
+        continue
+      fi
+      next_tags+=("${current_tag}")
+    done
+
+    # Get current IPs
+    current_ips_full=$(lxc-info -n "${vmid}" -i | awk '{print $2}')
+    for ip in ${current_ips_full}; do
+      if is_valid_ipv4 "${ip}" && ip_in_cidrs "${ip}" "${CIDR_LIST[*]}"; then
+        current_valid_ips+=("${ip}")
+        next_tags+=("${ip}")
+      fi
+    done
+
+    # Skip if no ip change
+    if [[ "$(echo "${last_tagged_ips[@]}" | tr ' ' '\n' | sort -u)" == "$(echo "${current_valid_ips[@]}" | tr ' ' '\n' | sort -u)" ]]; then
+      echo "Skipping ${vmid} cause ip no changes"
+      continue
+    fi
+
+    # Set tags
+    echo "Setting ${vmid} tags from ${current_tags[*]} to ${next_tags[*]}"
+    pct set "${vmid}" -tags "$(IFS=';'; echo "${next_tags[*]}")"
+  done
+}
+
+check() {
+  current_time=$(date +%s)
+
+  time_since_last_lxc_status_check=$((current_time - last_lxc_status_check_time))
+  if [[ "${LXC_STATUS_CHECK_INTERVAL}" -gt 0 ]] \
+    && [[ "${time_since_last_lxc_status_check}" -ge "${STATUS_CHECK_INTERVAL}" ]]; then
+    echo "Checking lxc status..."
+    last_lxc_status_check_time=${current_time}
+    if lxc_status_changed; then
+      update_lxc_iptags
+      last_update_time=${current_time}
+      return
+    fi
+  fi
+
+  time_since_last_fw_net_interface_check=$((current_time - last_fw_net_interface_check_time))
+  if [[ "${FW_NET_INTERFACE_CHECK_INTERVAL}" -gt 0 ]] \
+    && [[ "${time_since_last_fw_net_interface_check}" -ge "${FW_NET_INTERFACE_CHECK_INTERVAL}" ]]; then
+    echo "Checking fw net interface..."
+    last_fw_net_interface_check_time=${current_time}
+    if fw_net_interface_changed; then
+      update_lxc_iptags
+      last_update_time=${current_time}
+      return
+    fi
+  fi
+
+  time_since_last_update=$((current_time - last_update_time))
+  if [ ${time_since_last_update} -ge ${FORCE_UPDATE_INTERVAL} ]; then
+    echo "Force updating lxc iptags..."
+    update_lxc_iptags
+    last_update_time=${current_time}
+    return
+  fi
+}
+
+# main: Set the IP tags for all LXC containers
+main() {
+  while true; do
+    check
+    sleep "${LOOP_INTERVAL}"
+  done
+}
+
+main