Add -a to add with -S, mention ipt_recent limit

"Add" is limited by ipt_recent's limit (as are all block requests).
ipt_recent will delete the "oldest" entries when the limit is
exceeded.  Since this makes -a non-deterministic, a warning is
issued when a -S file is written that exceeds the limit.

README.md

@@ -2,7 +2,7 @@
 
 Quickly (and temporarily) block an IP address
 
-Copyright (C) 2017, 2018, 2019 Timothe Litt
+Copyright (C) 2017, 2018, 2019, 2020 Timothe Litt
 
 When your machine is under attack from an unexpected source, the last thing that you want to do is remember the `iptables` syntax for adding an immediate blocking rule.
 
@@ -13,8 +13,8 @@ When your machine is under attack from an unexpected source, the last thing that
 All packets from that address will be dropped.
 
 `ipblock` only adds a single rule to your `iptables` and/or `ip6tables` rulesets, no
-matter how many addresses are blocked.  This rule is inserted at the top of the chain,
-thus taking precedence over any other exceptions.
+matter how many addresses (up to the ipt_recent limit) are blocked.  This rule is
+inserted at the top of the chain, thus taking precedence over any other exceptions.
 
 The rule is only added the first time that `ipblock` is run, so your `iptables` rules are not reloaded.
 
@@ -52,7 +52,7 @@ Make sure that the directory containing `ipblock` is in your **PATH**
 Read the disclaimer before running the `ipblock` command.
 
 ## License and Disclaimer
-Copyright (c) 2017, 2018, 2019 Timothe Litt
+Copyright (c) 2017, 2018, 2019, 2020 Timothe Litt
 
 This is free software; the author disclaims all responsibility for its use, reliability and consequences.  The name of the author may not be used to endorse any product, but must be retained in the documentation and code.  Any modifications must be clearly documented and attributed, and are the responsibility of their author.
 

ipblock

@@ -1,10 +1,10 @@
 #!/bin/bash
 
-# Copyright (C) 2017, 2018 Timothe Litt litt at acm ddot org
+# Copyright (C) 2017, 2018, 2020 Timothe Litt litt at acm ddot org
 
 # Completely & quickly block specific ip address(es)
 
-VERSION="1.003"
+VERSION="1.004"
 
 SELF="`basename $0`"
 
@@ -41,6 +41,7 @@ Usage: $SELF [options] [addresses]
     -F        Flush block list
     -L        List currently blocked IP addresses and last seen time (default)
     -S file   Save current addresses as a script.  (use - for stdout)
+    -a        With -S, add to existing output file
     -X        Disable ipblock and remove rule.  Does not fluah list.
     -V        Display version
 
@@ -67,6 +68,11 @@ Maintains an ip_recent list - does not reload rules.
 Installs a single rule at the start of the specified chain, if not already present.
 Installing rule does not flush an existing list.
 
+Note that the iptables "recent" module limits the number of addresses that can
+be blocked.  The current limit is $MAXENT, but it can be changed with the
+module parameter "ip_list_tot" to modprobe.  Exceeding the limit will cause
+the oldest entries to be silently discarded.
+
 You can change the default options by specifying OPTIONS in
 /etc/sysconfig/$SELF or /etc/default/$SELF  In OPTIONS, values can not include spaces.
 Use underscore (_) instead. Currently, this only applies to -D.
@@ -79,8 +85,17 @@ IPV=
 ACTION=
 DEBUG=
 V=
+APPEND=
 
-while getopts "46AC:dD:hFLN:RS:vXV" opt; do
+if [ -f "/sys/module/ipt_recent/parameters/ip_list_tot" ]; then
+    MAXENT="`cat /sys/module/ipt_recent/parameters/ip_list_tot`"
+elif [ -f "/sys/module/xt_recent/parameters/ip_list_tot" ]; then
+    MAXENT="`cat /sys/module/xt_recent/parameters/ip_list_tot`"
+else
+    MAXENT=100
+fi
+
+while getopts "46AC:dD:hFLN:RaS:vXV" opt; do
     case $opt in
         4)
             IPV="4"
@@ -94,21 +109,21 @@ while getopts "46AC:dD:hFLN:RS:vXV" opt; do
         A)
             ACTION="add"
             ;;
-	d)
-	    DEBUG="Y"
+        d)
+            DEBUG="Y"
             V="Y"
-	    ;;
+            ;;
         D)
             if [ -n "$OPTARG" ]; then
                 DateFormat="+$( echo "$OPTARG" | sed -e's/_/ /g' )"
             else
                 DateFormat=
             fi
             ;;
-	h)
-	    displayHelp
-	    exit 0
-	    ;;
+        h)
+            displayHelp
+            exit 0
+            ;;
         F)
             ACTION="flush"
             ;;
@@ -125,6 +140,9 @@ while getopts "46AC:dD:hFLN:RS:vXV" opt; do
             ACTION="save"
             SCRIPT="$OPTARG"
             ;;
+        a)
+            APPEND="y"
+            ;;
         v)
             V="y"
             ;;
@@ -135,10 +153,10 @@ while getopts "46AC:dD:hFLN:RS:vXV" opt; do
             echo "$SELF V$VERSION"
             exit 0
             ;;
-	*)
-	    echo "$SELF -h for usage" >&2
-	    exit 1
-	    ;;
+        *)
+            echo "$SELF -h for usage" >&2
+            exit 1
+            ;;
     esac
 done
 shift $(( OPTIND - 1 ))
@@ -250,9 +268,29 @@ EOF
     if [ "$SCRIPT" = '-' ]; then
         save
     else
-        save >"$SCRIPT"
+        if [ -n "$APPEND" -a -f "$SCRIPT" ]; then
+            rm -f "$SCRIPT".tmp
+            mv "$SCRIPT" "$SCRIPT".tmp
+            cat >"$SCRIPT".tmph <<EOF
+#!/bin/bash
+
+# Auto-generated by $SELF V$VERSION
+
+EOF
+            save >>"$SCRIPT".tmp
+            grep -vh '^#' "$SCRIPT".tmp | sort -u | cat "$SCRIPT".tmph - >"$SCRIPT"
+            echo "# EOF" >>"$SCRIPT"
+            rm -f "$SCRIPT".tmp "$SCRIPT".tmph
+        else
+            save >"$SCRIPT"
+        fi
         chmod +x $SCRIPT
         [ -n "$V" ] && echo "Wrote `readlink -en $SCRIPT`"
+        CNT="` grep -- ' -4 \| -6 ' $SCRIPT | wc -l`"
+        if [ $CNT -gt "$MAXENT" ]; then
+            echo "`readlink -en $SCRIPT` lists $CNT addresses, but only $MAXENT will be retained.  See -h for more information."
+            exit 2
+        fi
     fi
 
     exit 0