Can "loadfile" (in ipset) be used more than once?

I'm writing a script* to parse IP sets, specifically ASNs.

Originally I had listed the resolved IP ranges each in list entry options until I remembered that, even if less often, it will be needed to keep them up to date. I was nearly done.

So, to process them in place** either I finally get around to learning awkpass — or I save them to files in a directory where they can be updated easily. I was about to do just that when my floppy turned solid state again, but to implement such an idea I would need to be able to specify option loadfile multiple times per IP set.

Once again. This was/is the output of what I thought was a near-finished script: (…)
config ipset
  option name    'testlist'           #  ╭ Or "dst_net" but 
  option match   'src_net'            # ←│ could it be just
  option enabled '1'                  #  ╰ directionless "net"?
  list entry     2a00:86c0:2086::/48
  list entry     45.57.40.0/23
  list entry     2a00:86c0:2091::/48
  list entry     2a00:86c0:2041::/48
  list entry     45.57.86.0/24
  list entry     2a00:86c0:2086::/47
  list entry     2a00:86c0:2008::/48
  list entry     45.57.8.0/24
  list entry     2a00:86c0:2008::/47
  list entry     45.57.8.0/23
  list entry     45.57.40.0/24
  list entry     2a00:86c0:2009::/48
  list entry     45.57.41.0/24
  list entry     2a00:86c0:2076::/47
  …
  list entry     45.57.76.0/23
To make it easier to maintain, I'd like it to output something like this: (…)
config ipset
  option name     'testlist'
  option match    'src_net'
  option enabled  '1'
  option loadfile '/etc/config/something/file1'
  option loadfile '/etc/config/something/file2'

         # I haven't found a second line ⤴︎
         # of these in the exemplified or
         # mentioned in the OpenWRT docu yet

I can always concatenate the files, no biggie, except this way it would allow me to add some additional functionality I have in mind with very little to no effort.

Will it work? Or will it error out or only take the first/last/one statement, undefined, etc? Any other tips/suggestions are also welcome, though maybe I should point out I'm not a dev, please keep it at an X-for-dummies level. =)


*/**

*: which I'll share when done. I already started documenting it.
**: meaning: in some big config file where they're stored, like /etc/config/firewall or something similar. I haven't gotten to that part yet. Thanks :slight_smile:

This already exists, tested and working:
https://openwrt.org/docs/guide-user/advanced/ipset_extras

No.


Yeah, that's one of the articles I used.

The syntax though,

# Configure IP sets, domains, CIDRs and ASNs
uci set dhcp.example="ipset"
uci add_list dhcp.example.name="example"
uci add_list dhcp.example.name="example6"
uci add_list dhcp.example.domain="example.com"
uci add_list dhcp.example.domain="example.net"
uci add_list dhcp.example.cidr="9.9.9.9/32"
uci add_list dhcp.example.cidr="2620:fe::fe/128"
uci add_list dhcp.example.asn="2906"
uci add_list dhcp.example.asn="40027"
uci commit dhcp

I have a couple of issues with it. They're mine though, which is why I'm doing my own:

  1. While I suppose dhcp.example connects it all, otherwise it doesn't make much sense, i.e., why is ipset, which seems like an option, entered like an argument or key-value pair, just as example.com is? It makes it harder to memorize, thus I'd probably script it anyway rather than having to look it up each time.
  2. I haven't touched uci yet. My script works with config files directly like I've been doing until now.
  3. As I mentioned earlier, with no official solution, it would be easier to troubleshoot since it's within my current skill set, and may be a fun embarrassing story to tell in the future, if I had any programmer friends.

It is certainly more rudimentary, but easier to memorize with a simple one-liner bash-like syntax, e.g., root@hostname# stillunamedscript -i NAMEOFIPSET -s|-d|--src|--dst [--confirm] [-n] [*]1234 [[*]5678 …]

Partly because it's actually Bash. :upside_down_face: Did I mention I'm not a dev? Bash is the only thing I know... and I kinda forgot bash isn't preloaded before I was done.

But it does pretty much the same as the existing ones except it works directly with config files, not uci, performs plenty of error checking, has a safe mode, has a first-run "varfuse" (like an efuse but not malicious) and it uses the standard config directory instead of /var, which at least on my installation seems to be a RAM disk because it symlinks to /tmp. I figured, ASNs are long-lived, there's little benefit in re-fetching them too often, and keeping them persistent would make the firewall ready sooner after boot.

Related to my question; what I wanted to do by splitting ASNs was to use the filesystem as a database. I mean… for my admittedly low skill set I thought it was kind of clever; a zero-memory database, and ASNs would be reusable too.

I could still do it but there would be no gain unless IP sets overlapped/reused ASNs, and probably I'd need to know a proper scripting language to make that efficient, like Python or something.


[ days later ]
I thought I had clicked on Reply; just now I rediscovered the tab, my bad. =| Sorry, ADHD-"positive" :grin: here.
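Given the answer above (only one loadfile per set), one way to keep the per-ASN files on disk and still feed the firewall a single loadfile: an added example in POSIX sh, not the OP's script, assuming a hypothetical directory of <ASN>.txt prefix files and using constructed sample prefixes.

```shell
#!/bin/sh
# Assumed layout (hypothetical): DIR/<ASN>.txt, one prefix per line, '#' comments allowed.

# build_loadfile DIR OUT ASN...
# Concatenate DIR/<ASN>.txt for every ASN given, strip comments and blank
# lines, de-duplicate, and write the result to OUT. Fails (and leaves no
# partial OUT) if any ASN file is missing, so a typo cannot silently shrink the set.
build_loadfile() {
    dir=$1; out=$2; shift 2
    tmp="$out.tmp"
    : > "$tmp"
    for asn in "$@"; do
        f="$dir/$asn.txt"
        [ -r "$f" ] || { echo "missing $f" >&2; rm -f "$tmp"; return 1; }
        cat "$f" >> "$tmp"
    done
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$tmp" \
        | grep -v '^$' | sort -u > "$out"
    rm -f "$tmp"
}

# emit_ipset NAME MATCH LOADFILE: the UCI stanza with exactly one loadfile option.
emit_ipset() {
    printf "config ipset\n"
    printf "\toption name     '%s'\n" "$1"
    printf "\toption match    '%s'\n" "$2"
    printf "\toption enabled  '1'\n"
    printf "\toption loadfile '%s'\n" "$3"
}

# count_entries FILE: number of prefixes in a built loadfile.
count_entries() { wc -l < "$1" | tr -d ' '; }

# Constructed sample data: two ASN files sharing one prefix, plus a comment and a blank line.
make_sample_dir() {
    d=$(mktemp -d)
    printf '45.57.40.0/23\n2a00:86c0:2086::/48\n# comment\n45.57.8.0/24\n' > "$d/1234.txt"
    printf '45.57.40.0/23\n\n45.57.76.0/23\n' > "$d/5678.txt"
    echo "$d"
}

# Usage: d=$(make_sample_dir); build_loadfile "$d" "$d/testlist.lst" 1234 5678
#        && emit_ipset testlist src_net "$d/testlist.lst"
```

The same per-ASN files can be reused by any number of sets, which is the overlap case mentioned above; each set just gets its own combined loadfile.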