PROBLEM:
Live attack monitor was calling CSF unnecessarily for every block,
causing performance overhead during DDoS attacks. The code was creating
a new temporary IPset (live_monitor_$$) instead of using CSF's existing
chain_DENY IPset, resulting in:
- IPset add failures (IP already in CSF's set)
- Unnecessary CSF fallback calls
- Slower blocking due to CSF overhead
- Duplicate blocking attempts
ROOT CAUSE:
Lines 68-86: Created unique per-process IPset instead of detecting/using
CSF's existing chain_DENY IPset
THE FIX:
1. Smart IPset Detection (lines 67-103):
✓ Detects CSF's chain_DENY IPset FIRST (preferred)
✓ Uses chain_DENY directly if found
✓ Falls back to temporary live_monitor_$$ if no CSF
✓ Auto-detects timeout support capability
✓ Never destroys CSF's permanent IPset on cleanup (line 141)
2. Aggressive IPset Prioritization (lines 855-911):
block_ip_temporary():
✓ ALWAYS tries IPset first if available
✓ Uses -exist flag to handle duplicates gracefully
✓ For CSF chain_DENY without timeout: Adds to IPset immediately,
then calls CSF in background for timeout management
✓ CSF only used as fallback if IPset unavailable
block_ip_permanent():
✓ Adds to IPset immediately for instant blocking
✓ CSF called after for persistent management
✓ Handles both timeout/no-timeout IPsets
3. Subnet Blocking Optimization (lines 2307-2320):
✓ Uses $IPSET_NAME variable instead of hardcoded "blocklist"
✓ IPset subnet block happens FIRST (instant)
✓ CSF called in background after IPset
PERFORMANCE BENEFITS:
✓ Kernel-level blocking (IPset) instead of userspace (CSF)
✓ Instant blocking during DDoS attacks
✓ No CSF overhead for every block
✓ Integrates with CSF's existing infrastructure
✓ Backward compatible (works without CSF)
TESTED:
✓ Bash syntax validation passed
✓ Files synced (main + v2)
✓ All blocking paths prioritize IPset
cschantz
6b3b0ed503