From 480715f44c9e4072245a6442a70fe60e623395e6 Mon Sep 17 00:00:00 2001
From: Pawel Krawczyk
Date: Tue, 2 Jun 2015 10:15:44 +0100
Subject: [PATCH] fix IP regexp to support CIDR subnets and split src,dst into
two separate rules sent by Pierre Gaufillet
---
blacklist.sh | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/blacklist.sh b/blacklist.sh
index 98edcf6..115d434 100755
--- a/blacklist.sh
+++ b/blacklist.sh
@@ -83,7 +83,7 @@ for url in $urls; do
fi
fi
- sort -u <"${unsorted_blocklist}" | egrep "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$" >"${sorted_blocklist}"
+ sort -u <"${unsorted_blocklist}" | egrep "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(/[0-9]{1,2})?$" >"${sorted_blocklist}"
# calculate performance parameters for the new set
tmp_set_name="tmp_${RANDOM}"
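Review bot: The new optional suffix `(/[0-9]{1,2})?` on the `egrep` line admits prefix lengths 0 and 33–99, and a `/0` entry matches every address; since the second hunk DROPs on the same set for both `src` and `dst`, a single `x.x.x.x/0` line in any list fetched from `$urls` (the loop this hunk sits in, which starts and ends outside it) would cut the host off from all traffic. Tighten the prefix to 1–32, e.g. `egrep "^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}(/([1-9]|[12][0-9]|3[0-2]))?$"` (octets above 255 still pass, as before, and are left for ipset to reject; `grep -E` is the non-deprecated spelling of `egrep`). CIDR entries will also only load if the set written to `${new_set_file}` is a `hash:net` type rather than `hash:ip` — the set-creation code is not in this hunk, so that needs confirming alongside this change.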
@@ -112,9 +112,11 @@ for url in $urls; do
ipset -! -q restore < "${new_set_file}"
if [ "$1" = "log" ]; then
- iptables -A ${blocklist_chain_name} -m set --match-set "${set_name}" src,dst -m limit --limit 10/minute -j LOG --log-prefix "BLOCK ${set_name} "
+ iptables -A ${blocklist_chain_name} -m set --match-set "${set_name}" src -m limit --limit 10/minute -j LOG --log-prefix "BLOCK src ${set_name} "
+ iptables -A ${blocklist_chain_name} -m set --match-set "${set_name}" dst -m limit --limit 10/minute -j LOG --log-prefix "BLOCK dst ${set_name} "
fi
- iptables -A ${blocklist_chain_name} -m set --match-set "${set_name}" src,dst -j DROP
+ iptables -A ${blocklist_chain_name} -m set --match-set "${set_name}" src -j DROP
+ iptables -A ${blocklist_chain_name} -m set --match-set "${set_name}" dst -j DROP
# clean up temp files
rm "${unsorted_blocklist}" "${sorted_blocklist}" "${new_set_file}" "${headers}"
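Review bot: The two new LOG lines and two new DROP lines are the same pair written out twice, differing only in `src`/`dst` and the prefix text, so any later tweak (a different `--limit`, a `--log-level`) has to be made in four places; a `for direction in src dst` loop keeps the LOG and DROP rules for each direction in step and is a natural place to quote `${blocklist_chain_name}`, which none of the four lines does. Note that `--log-prefix` is capped at 29 characters, so the longer `BLOCK src ` / `BLOCK dst ` text leaves 19 for `${set_name}`; how set_name is derived is not visible here, and if it can be longer the prefix is silently truncated. The new rules also assume the `ipset -! -q restore` just above succeeded — its status is not checked and `-q` hides the error — so a list containing an entry the set rejects could leave the rules referencing a set that was not (fully) loaded; checking that status before appending the rules is worth considering. This sits inside the `for url in $urls` loop, which continues past the hunk.
```shell
# … unchanged: ipset restore …
# one optional LOG rule and one DROP rule per direction, so the pair stays in step
for direction in src dst; do
  if [ "$1" = "log" ]; then
    iptables -A "${blocklist_chain_name}" -m set --match-set "${set_name}" "${direction}" \
      -m limit --limit 10/minute -j LOG --log-prefix "BLOCK ${direction} ${set_name} "
  fi
  iptables -A "${blocklist_chain_name}" -m set --match-set "${set_name}" "${direction}" -j DROP
done
# … unchanged: temp-file cleanup …
```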