diff --git a/net/banip/Makefile b/net/banip/Makefile index a25f8b264..6428b9e8d 100644 --- a/net/banip/Makefile +++ b/net/banip/Makefile @@ -7,8 +7,8 @@ include $(TOPDIR)/rules.mk PKG_NAME:=banip -PKG_VERSION:=0.8.0 -PKG_RELEASE:=4 +PKG_VERSION:=0.8.1 +PKG_RELEASE:=1 PKG_LICENSE:=GPL-3.0-or-later PKG_MAINTAINER:=Dirk Brenken diff --git a/net/banip/files/README.md b/net/banip/files/README.md index e0bf951f9..817b43c3d 100644 --- a/net/banip/files/README.md +++ b/net/banip/files/README.md @@ -7,52 +7,52 @@ IP address blocking is commonly used to protect against brute force attacks, pre ## Main Features * banIP supports the following fully pre-configured domain blocklist feeds (free for private usage, for commercial use please check their individual licenses). - **Please note:** the columns "INP" and "FWD" show for which chains the feeds are suitable in common scenarios, e.g. the first entry should be limited to forward chain - see the config options 'ban\_blockforward' and 'ban\_blockinput' below. + **Please note:** the columns "WAN-INP", "WAN-FWD" and "LAN_FWD" show for which chains the feeds are suitable in common scenarios, e.g. the first entry should be limited to the LAN forward chain - see the config options 'ban\_blockinput', 'ban\_blockforwardwan' and 'ban\_blockforwardlan' below. -| Feed | Focus | INP | FWD | Information | -| :------------------ | :----------------------------: | :-: | :-: | :-------------------------------------------------------------------- | -| adaway | adaway IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) | -| adguard | adguard IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) | -| adguardtrackers | adguardtracker IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) | -| antipopads | antipopads IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) | -| asn | ASN IPs | | x | [Link](https://asn.ipinfo.app) | -| backscatterer | backscatterer IPs | x | x | [Link](https://www.uceprotect.net/en/index.php) | -| bogon | bogon prefixes | x | x | [Link](https://team-cymru.com) | -| country | country blocks | x | | [Link](https://www.ipdeny.com/ipblocks) | -| cinsscore | suspicious attacker IPs | x | x | [Link](https://cinsscore.com/#list) | -| darklist | blocks suspicious attacker IPs | x | x | [Link](https://darklist.de) | -| debl | fail2ban IP blacklist | x | x | [Link](https://www.blocklist.de) | -| doh | public DoH-Provider | | x | [Link](https://github.com/dibdot/DoH-IP-blocklists) | -| drop | spamhaus drop compilation | x | x | [Link](https://www.spamhaus.org) | -| dshield | dshield IP blocklist | x | x | [Link](https://www.dshield.org) | -| edrop | spamhaus edrop compilation | x | x | [Link](https://www.spamhaus.org) | -| feodo | feodo tracker | x | x | [Link](https://feodotracker.abuse.ch) | -| firehol1 | firehol level 1 compilation | x | x | [Link](https://iplists.firehol.org/?ipset=firehol_level1) | -| firehol2 | firehol level 2 compilation | x | x | [Link](https://iplists.firehol.org/?ipset=firehol_level2) | -| firehol3 | firehol level 3 compilation | x | x | [Link](https://iplists.firehol.org/?ipset=firehol_level3) | -| firehol4 | firehol level 4 compilation | x | x | [Link](https://iplists.firehol.org/?ipset=firehol_level4) | -| greensnow | suspicious server IPs | x | x | [Link](https://greensnow.co) | -| iblockads | Advertising IPs | | x | [Link](https://www.iblocklist.com) | -| iblockspy | Malicious spyware IPs | x | x | [Link](https://www.iblocklist.com) | -| myip | real-time IP blocklist | x | x | [Link](https://myip.ms) | -| nixspam | iX spam protection | x | x | [Link](http://www.nixspam.org) | -| oisdnsfw | OISD-nsfw IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) | -| oisdsmall | OISD-small IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) | -| proxy | open proxies | x | | [Link](https://iplists.firehol.org/?ipset=proxylists) | -| ssbl | SSL botnet IPs | x | x | [Link](https://sslbl.abuse.ch) | -| stevenblack | stevenblack IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) | -| talos | talos IPs | x | x | [Link](https://talosintelligence.com/reputation_center) | -| threat | emerging threats | x | x | [Link](https://rules.emergingthreats.net) | -| threatview | malicious IPs | x | x | [Link](https://threatview.io) | -| tor | tor exit nodes | x | | [Link](https://github.com/SecOps-Institute/Tor-IP-Addresses) | -| uceprotect1 | spam protection level 1 | x | x | [Link](http://www.uceprotect.net/en/index.php) | -| uceprotect2 | spam protection level 2 | x | x | [Link](http://www.uceprotect.net/en/index.php) | -| uceprotect3 | spam protection level 3 | x | x | [Link](http://www.uceprotect.net/en/index.php) | -| urlhaus | urlhaus IDS IPs | x | x | [Link](https://urlhaus.abuse.ch) | -| urlvir | malware related IPs | x | x | [Link](https://iplists.firehol.org/?ipset=urlvir) | -| webclient | malware related IPs | x | x | [Link](https://iplists.firehol.org/?ipset=firehol_webclient) | -| voip | VoIP fraud blocklist | x | x | [Link](https://voipbl.org) | -| yoyo | yoyo IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) | +| Feed | Focus | WAN-INP | WAN-FWD | LAN-FWD | Information | +| :------------------ | :----------------------------- | :-----: | :-----: | :-----: | :----------------------------------------------------------- | +| adaway | adaway IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) | +| adguard | adguard IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) | +| adguardtrackers | adguardtracker IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) | +| antipopads | antipopads IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) | +| asn | ASN IPs | | | x | [Link](https://asn.ipinfo.app) | +| backscatterer | backscatterer IPs | x | x | | [Link](https://www.uceprotect.net/en/index.php) | +| bogon | bogon prefixes | x | x | | [Link](https://team-cymru.com) | +| country | country blocks | x | x | | [Link](https://www.ipdeny.com/ipblocks) | +| cinsscore | suspicious attacker IPs | x | x | | [Link](https://cinsscore.com/#list) | +| darklist | blocks suspicious attacker IPs | x | x | | [Link](https://darklist.de) | +| debl | fail2ban IP blacklist | x | x | | [Link](https://www.blocklist.de) | +| doh | public DoH-Provider | | | x | [Link](https://github.com/dibdot/DoH-IP-blocklists) | +| drop | spamhaus drop compilation | x | x | | [Link](https://www.spamhaus.org) | +| dshield | dshield IP blocklist | x | x | | [Link](https://www.dshield.org) | +| edrop | spamhaus edrop compilation | x | x | | [Link](https://www.spamhaus.org) | +| feodo | feodo tracker | x | x | x | [Link](https://feodotracker.abuse.ch) | +| firehol1 | firehol level 1 compilation | x | x | | [Link](https://iplists.firehol.org/?ipset=firehol_level1) | +| firehol2 | firehol level 2 compilation | x | x | | [Link](https://iplists.firehol.org/?ipset=firehol_level2) | +| firehol3 | firehol level 3 compilation | x | x | | [Link](https://iplists.firehol.org/?ipset=firehol_level3) | +| firehol4 | firehol level 4 compilation | x | x | | [Link](https://iplists.firehol.org/?ipset=firehol_level4) | +| greensnow | suspicious server IPs | x | x | x | [Link](https://greensnow.co) | +| iblockads | Advertising IPs | | | x | [Link](https://www.iblocklist.com) | +| iblockspy | Malicious spyware IPs | x | x | x | [Link](https://www.iblocklist.com) | +| myip | real-time IP blocklist | x | x | | [Link](https://myip.ms) | +| nixspam | iX spam protection | x | x | | [Link](http://www.nixspam.org) | +| oisdnsfw | OISD-nsfw IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) | +| oisdsmall | OISD-small IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) | +| proxy | open proxies | x | | | [Link](https://iplists.firehol.org/?ipset=proxylists) | +| ssbl | SSL botnet IPs | x | x | x | [Link](https://sslbl.abuse.ch) | +| stevenblack | stevenblack IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) | +| talos | talos IPs | x | x | | [Link](https://talosintelligence.com/reputation_center) | +| threat | emerging threats | x | x | x | [Link](https://rules.emergingthreats.net) | +| threatview | malicious IPs | x | x | x | [Link](https://threatview.io) | +| tor | tor exit nodes | x | x | x | [Link](https://github.com/SecOps-Institute/Tor-IP-Addresses) | +| uceprotect1 | spam protection level 1 | x | x | | [Link](http://www.uceprotect.net/en/index.php) | +| uceprotect2 | spam protection level 2 | x | x | | [Link](http://www.uceprotect.net/en/index.php) | +| uceprotect3 | spam protection level 3 | x | x | | [Link](http://www.uceprotect.net/en/index.php) | +| urlhaus | urlhaus IDS IPs | x | x | | [Link](https://urlhaus.abuse.ch) | +| urlvir | malware related IPs | x | x | x | [Link](https://iplists.firehol.org/?ipset=urlvir) | +| webclient | malware related IPs | x | x | x | [Link](https://iplists.firehol.org/?ipset=firehol_webclient) | +| voip | VoIP fraud blocklist | x | x | | [Link](https://voipbl.org) | +| yoyo | yoyo IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) | * zero-conf like automatic installation & setup, usually no manual changes needed * all sets are handled in a separate nft table/namespace 'banIP' @@ -128,8 +128,9 @@ Available commands: | ban_logterm | list | regex | various regex for logfile parsing (default: dropbear, sshd, luci, nginx, asterisk) | | ban_autodetect | option | 1 | auto-detect wan interfaces, devices and subnets | | ban_debug | option | 0 | enable banIP related debug logging | -| ban_loginput | option | 1 | log drops in the input chain | -| ban_logforward | option | 0 | log rejects in the forward chain | +| ban_loginput | option | 1 | log drops in the wan-input chain | +| ban_logforwardwan | option | 1 | log drops in the wan-forward chain | +| ban_logforwardlan | option | 0 | log rejects in the lan-forward chain | | ban_autoallowlist | option | 1 | add wan IPs/subnets automatically to the local allowlist | | ban_autoblocklist | option | 1 | add suspicious attacker IPs automatically to the local blocklist | | ban_allowlistonly | option | 0 | restrict the internet access from/to a small number of secure websites/IPs | @@ -150,8 +151,9 @@ Available commands: | ban_feed | list | - | external download feeds, e.g. 'yoyo', 'doh', 'country' or 'talos' (see feed table) | | ban_asn | list | - | ASNs for the 'asn' feed, e.g.'32934' | | ban_country | list | - | country iso codes for the 'country' feed, e.g. 'ru' | -| ban_blockinput | list | - | limit a feed to the input chain, e.g. 'country' | -| ban_blockforward | list | - | limit a feed to the forward chain, e.g. 'doh' | +| ban_blockinput | list | - | limit a feed to the wan-input chain, e.g. 'country' | +| ban_blockforwardwan | list | - | limit a feed to the wan-forward chain, e.g. 'debl' | +| ban_blockforwardlan | list | - | limit a feed to the lan-forward chain, e.g. 'doh' | | ban_fetchcmd | option | - / autodetect | 'uclient-fetch', 'wget', 'curl' or 'aria2c' | | ban_fetchparm | option | - / autodetect | set the config options for the selected download utility | | ban_fetchinsecure | option | 0 | don't check SSL server certificates during download | @@ -169,44 +171,65 @@ Available commands: ::: ::: banIP Set Statistics ::: - Timestamp: 2023-02-08 22:12:40 + Timestamp: 2023-02-25 08:35:37 ------------------------------ - auto-added to allowlist: 1 - auto-added to blocklist: 0 + auto-added to allowlist: 0 + auto-added to blocklist: 4 - Set | Set Elements | Chain Input | Chain Forward | Input Packets | Forward Packets - ---------------------+---------------+---------------+---------------+---------------+---------------- - allowlistvMAC | 0 | n/a | OK | n/a | 0 - allowlistv4 | 1 | OK | OK | 0 | 0 - allowlistv6 | 0 | OK | OK | 0 | 0 - blocklistvMAC | 0 | n/a | OK | n/a | 0 - blocklistv4 | 0 | OK | OK | 0 | 0 - blocklistv6 | 0 | OK | OK | 0 | 0 - dohv4 | 542 | n/a | OK | n/a | 22 - adguardv4 | 23007 | n/a | OK | n/a | 18 - yoyov4 | 1936 | n/a | OK | n/a | 1 - oisdbasicv4 | 26000 | n/a | OK | n/a | 325 - ---------------------+---------------+---------------+---------------+---------------+---------------- - 10 | 51486 | 4 | 10 | 0 | 366 + Set | Elements | WAN-Input (packets) | WAN-Forward (packets) | LAN-Forward (packets) + ---------------------+--------------+-----------------------+-----------------------+------------------------ + allowlistvMAC | 0 | - | - | OK: 0 + allowlistv4 | 15 | OK: 0 | OK: 0 | OK: 0 + allowlistv6 | 1 | OK: 0 | OK: 0 | OK: 0 + torv4 | 800 | OK: 0 | OK: 0 | OK: 0 + torv6 | 432 | OK: 0 | OK: 0 | OK: 0 + countryv6 | 34282 | OK: 0 | OK: 1 | - + countryv4 | 35508 | OK: 1872 | OK: 0 | - + dohv6 | 343 | - | - | OK: 0 + dohv4 | 540 | - | - | OK: 3 + firehol1v4 | 1670 | OK: 296 | OK: 0 | OK: 16 + deblv4 | 12402 | OK: 4 | OK: 0 | OK: 0 + deblv6 | 41 | OK: 0 | OK: 0 | OK: 0 + adguardv6 | 12742 | - | - | OK: 161 + adguardv4 | 23183 | - | - | OK: 212 + adguardtrackersv6 | 169 | - | - | OK: 0 + adguardtrackersv4 | 633 | - | - | OK: 0 + adawayv6 | 2737 | - | - | OK: 15 + adawayv4 | 6542 | - | - | OK: 137 + oisdsmallv6 | 10569 | - | - | OK: 0 + oisdsmallv4 | 18800 | - | - | OK: 74 + stevenblackv6 | 11901 | - | - | OK: 4 + stevenblackv4 | 16776 | - | - | OK: 139 + yoyov6 | 215 | - | - | OK: 0 + yoyov4 | 309 | - | - | OK: 0 + antipopadsv4 | 1872 | - | - | OK: 0 + urlhausv4 | 7431 | OK: 0 | OK: 0 | OK: 0 + antipopadsv6 | 2081 | - | - | OK: 2 + blocklistvMAC | 0 | - | - | OK: 0 + blocklistv4 | 1174 | OK: 1 | OK: 0 | OK: 0 + blocklistv6 | 40 | OK: 0 | OK: 0 | OK: 0 + ---------------------+--------------+-----------------------+-----------------------+------------------------ + 30 | 203208 | 12 (2173) | 12 (1) | 28 (763) ``` **banIP runtime information** ``` -~# etc/init.d/banip status +~# /etc/init.d/banip status ::: banIP runtime information + status : active - + version : 0.8.0 - + element_count : 51486 - + active_feeds : allowlistvMAC, allowlistv4, allowlistv6, blocklistvMAC, blocklistv4, blocklistv6, dohv4, adguardv4 - , yoyov4, oisdbasicv4 + + version : 0.8.1-1 + + element_count : 206644 + + active_feeds : allowlistvMAC, allowlistv4, allowlistv6, torv4, torv6, countryv6, countryv4, dohv4, dohv6, firehol1v4, deblv4, deblv6, + adguardv6, adguardv4, adguardtrackersv6, adguardtrackersv4, adawayv6, adawayv4, oisdsmallv6, oisdsmallv4, stevenblack + v6, stevenblackv4, yoyov6, yoyov4, antipopadsv4, urlhausv4, antipopadsv6, blocklistvMAC, blocklistv4, blocklistv6 + active_devices : eth2 - + active_interfaces : wan - + active_subnets : 192.168.98.107/24 - + run_info : base_dir: /tmp, backup_dir: /tmp/banIP-backup, report_dir: /tmp/banIP-report, feed_archive: /etc/b - anip/banip.feeds.gz - + run_flags : protocol (4/6): ✔/✘, log (inp/fwd): ✔/✘, deduplicate: ✔, split: ✘, allowed only: ✘ - + last_run : action: start, duration: 0m 15s, date: 2023-02-08 22:12:46 - + system_info : cores: 2, memory: 3614, device: PC Engines apu1, OpenWrt SNAPSHOT r21997-b5193291bd + + active_interfaces : wan, wan6 + + active_subnets : 91.61.199.218/24, 2a02:910c:0:80:e542:4b0c:846d:1d33/128 + + run_info : base_dir: /tmp, backup_dir: /mnt/data/banIP-backup, report_dir: /mnt/data/banIP-report, feed_archive: /etc/banip/banip + .feeds.gz + + run_flags : proto (4/6): ✔/✔, log (wan-inp/wan-fwd/lan-fwd): ✔/✔/✔, deduplicate: ✔, split: ✘, allowed only: ✘ + + last_run : action: restart, duration: 1m 6s, date: 2023-02-25 08:55:55 + + system_info : cores: 2, memory: 1826, device: Turris Omnia, OpenWrt SNAPSHOT r22125-52ddb38469 ``` **banIP search information** diff --git a/net/banip/files/banip-functions.sh b/net/banip/files/banip-functions.sh index f1a71dd8d..b5f966fde 100644 --- a/net/banip/files/banip-functions.sh +++ b/net/banip/files/banip-functions.sh @@ -41,8 +41,9 @@ ban_logcount="1" ban_logterm="" ban_country="" ban_asn="" -ban_loginput="0" -ban_logforward="0" +ban_loginput="1" +ban_logforwardwan="1" +ban_logforwardlan="0" ban_allowlistonly="0" ban_autoallowlist="1" ban_autoblocklist="1" @@ -51,7 +52,8 @@ ban_splitsize="0" ban_autodetect="" ban_feed="" ban_blockinput="" -ban_blockforward="" +ban_blockforwardwan="" +ban_blockforwardlan="" ban_protov4="0" ban_protov6="0" ban_ifv4="" @@ -172,7 +174,7 @@ f_log() { # load config # f_conf() { - unset ban_dev ban_ifv4 ban_ifv6 ban_feed ban_blockinput ban_blockforward ban_logterm ban_country ban_asn + unset ban_dev ban_ifv4 ban_ifv6 ban_feed ban_blockinput ban_blockforwardwan ban_blockforwardlan ban_logterm ban_country ban_asn config_cb() { option_cb() { local option="${1}" @@ -198,8 +200,11 @@ f_conf() { "ban_blockinput") eval "${option}=\"$(printf "%s" "${ban_blockinput}")${value} \"" ;; - "ban_blockforward") - eval "${option}=\"$(printf "%s" "${ban_blockforward}")${value} \"" + "ban_blockforwardwan") + eval "${option}=\"$(printf "%s" "${ban_blockforwardwan}")${value} \"" + ;; + "ban_blockforwardlan") + eval "${option}=\"$(printf "%s" "${ban_blockforwardlan}")${value} \"" ;; "ban_logterm") eval "${option}=\"$(printf "%s" "${ban_logterm}")${value}\\|\"" @@ -387,18 +392,26 @@ f_nftinit() { fi printf "%s\n" "add table inet banIP" printf "%s\n" "add chain inet banIP wan-input { type filter hook input priority ${ban_nftpriority}; policy accept; }" + printf "%s\n" "add chain inet banIP wan-forward { type filter hook forward priority ${ban_nftpriority}; policy accept; }" printf "%s\n" "add chain inet banIP lan-forward { type filter hook forward priority ${ban_nftpriority}; policy accept; }" - # default input rules + # default wan-input rules # printf "%s\n" "add rule inet banIP wan-input ct state established,related counter accept" printf "%s\n" "add rule inet banIP wan-input iifname != { ${ban_dev// /, } } counter accept" + printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv4 udp sport 67-68 udp dport 67-68 counter accept" + printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 udp sport 547 udp dport 546 counter accept" printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv4 icmp type { echo-request } limit rate 1000/second counter accept" printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { echo-request } limit rate 1000/second counter accept" printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} limit rate 1000/second ip6 hoplimit 1 counter accept" printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} limit rate 1000/second ip6 hoplimit 255 counter accept" - # default forward rules + # default wan-forward rules + # + printf "%s\n" "add rule inet banIP wan-forward ct state established,related counter accept" + printf "%s\n" "add rule inet banIP wan-forward iifname != { ${ban_dev// /, } } counter accept" + + # default lan-forward rules # printf "%s\n" "add rule inet banIP lan-forward ct state established,related counter accept" printf "%s\n" "add rule inet banIP lan-forward oifname != { ${ban_dev// /, } } counter accept" @@ -414,7 +427,7 @@ f_nftinit() { } f_down() { - local nft_loginput nft_logforward start_ts end_ts tmp_raw tmp_load tmp_file split_file input_handles forward_handles handle + local log_input log_forwardwan log_forwardlan start_ts end_ts tmp_raw tmp_load tmp_file split_file input_handles forwardwan_handles forwardlan_handles handle local cnt_set cnt_dl restore_rc feed_direction feed_rc feed_log feed="${1}" proto="${2}" feed_url="${3}" feed_rule="${4}" feed_flag="${5}" start_ts="$(date +%s)" @@ -426,27 +439,35 @@ f_down() { tmp_flush="${ban_tmpfile}.${feed}.flush" tmp_nft="${ban_tmpfile}.${feed}.nft" - [ "${ban_loginput}" = "1" ] && nft_loginput="log level ${ban_loglevel} prefix \"banIP_drp/${feed}: \"" - [ "${ban_logforward}" = "1" ] && nft_logforward="log level ${ban_loglevel} prefix \"banIP_rej/${feed}: \"" + [ "${ban_loginput}" = "1" ] && log_input="log level ${ban_loglevel} prefix \"banIP/inp-wan/drp/${feed}: \"" + [ "${ban_logforwardwan}" = "1" ] && log_forwardwan="log level ${ban_loglevel} prefix \"banIP/fwd-wan/drp/${feed}: \"" + [ "${ban_logforwardlan}" = "1" ] && log_forwardlan="log level ${ban_loglevel} prefix \"banIP/fwd-lan/rej/${feed}: \"" # set source block direction # if printf "%s" "${ban_blockinput}" | "${ban_grepcmd}" -q "${feed%v*}"; then feed_direction="input" - elif printf "%s" "${ban_blockforward}" | "${ban_grepcmd}" -q "${feed%v*}"; then - feed_direction="forward" + fi + if printf "%s" "${ban_blockforwardwan}" | "${ban_grepcmd}" -q "${feed%v*}"; then + feed_direction="${feed_direction} forwardwan" + fi + if printf "%s" "${ban_blockforwardlan}" | "${ban_grepcmd}" -q "${feed%v*}"; then + feed_direction="${feed_direction} forwardlan" fi # chain/rule maintenance # if [ "${ban_action}" = "reload" ] && "${ban_nftcmd}" -t list set inet banIP "${feed}" >/dev/null 2>&1; then input_handles="$("${ban_nftcmd}" -t --handle --numeric list chain inet banIP wan-input 2>/dev/null)" - forward_handles="$("${ban_nftcmd}" -t --handle --numeric list chain inet banIP lan-forward 2>/dev/null)" + forwardwan_handles="$("${ban_nftcmd}" -t --handle --numeric list chain inet banIP wan-forward 2>/dev/null)" + forwardlan_handles="$("${ban_nftcmd}" -t --handle --numeric list chain inet banIP lan-forward 2>/dev/null)" { printf "%s\n" "flush set inet banIP ${feed}" handle="$(printf "%s\n" "${input_handles}" | "${ban_awkcmd}" "/@${feed} /{print \$NF}")" [ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP wan-input handle ${handle}" - handle="$(printf "%s\n" "${forward_handles}" | "${ban_awkcmd}" "/@${feed} /{print \$NF}")" + handle="$(printf "%s\n" "${forwardwan_handles}" | "${ban_awkcmd}" "/@${feed} /{print \$NF}")" + [ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP wan-forward handle ${handle}" + handle="$(printf "%s\n" "${forwardlan_handles}" | "${ban_awkcmd}" "/@${feed} /{print \$NF}")" [ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP lan-forward handle ${handle}" } >"${tmp_flush}" fi @@ -468,22 +489,27 @@ f_down() { if [ "${proto}" = "MAC" ]; then "${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s, ",tolower($1)}' "${ban_allowlist}" >"${tmp_file}" printf "%s\n" "add set inet banIP ${feed} { type ether_addr; policy memory; $(f_getelements "${tmp_file}") }" - if [ "${feed_direction}" != "input" ]; then - printf "%s\n" "add rule inet banIP lan-forward ether saddr @${feed} counter accept" - fi + [ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ether saddr @${feed} counter accept" elif [ "${proto}" = "4" ]; then "${ban_awkcmd}" '/^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{printf "%s, ",$1}' "${ban_allowlist}" >"${tmp_file}" printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy memory; $(f_getelements "${tmp_file}") }" - if [ "${feed_direction}" != "forward" ]; then + if [ -z "${feed_direction##*input*}" ]; then if [ "${ban_allowlistonly}" = "1" ]; then - printf "%s\n" "add rule inet banIP wan-input ip saddr != @${feed} ${nft_loginput} counter drop" + printf "%s\n" "add rule inet banIP wan-input ip saddr != @${feed} ${log_input} counter drop" else printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} counter accept" fi fi - if [ "${feed_direction}" != "input" ]; then + if [ -z "${feed_direction##*forwardwan*}" ]; then if [ "${ban_allowlistonly}" = "1" ]; then - printf "%s\n" "add rule inet banIP lan-forward ip daddr != @${feed} ${nft_logforward} counter reject with icmp type admin-prohibited" + printf "%s\n" "add rule inet banIP wan-forward ip saddr != @${feed} ${log_forwardwan} counter drop" + else + printf "%s\n" "add rule inet banIP wan-forward ip saddr @${feed} counter accept" + fi + fi + if [ -z "${feed_direction##*forwardlan*}" ]; then + if [ "${ban_allowlistonly}" = "1" ]; then + printf "%s\n" "add rule inet banIP lan-forward ip daddr != @${feed} ${log_forwardlan} counter reject with icmp type admin-prohibited" else printf "%s\n" "add rule inet banIP lan-forward ip daddr @${feed} counter accept" fi @@ -492,16 +518,23 @@ f_down() { "${ban_awkcmd}" '!/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s\n",$1}' "${ban_allowlist}" | "${ban_awkcmd}" '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{printf "%s, ",tolower($1)}' >"${tmp_file}" printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy memory; $(f_getelements "${tmp_file}") }" - if [ "${feed_direction}" != "forward" ]; then + if [ -z "${feed_direction##*input*}" ]; then if [ "${ban_allowlistonly}" = "1" ]; then - printf "%s\n" "add rule inet banIP wan-input ip6 saddr != @${feed} ${nft_loginput} counter drop" + printf "%s\n" "add rule inet banIP wan-input ip6 saddr != @${feed} ${log_input} counter drop" else printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} counter accept" fi fi - if [ "${feed_direction}" != "input" ]; then + if [ -z "${feed_direction##*forwardwan*}" ]; then if [ "${ban_allowlistonly}" = "1" ]; then - printf "%s\n" "add rule inet banIP lan-forward ip6 daddr != @${feed} ${nft_logforward} counter reject with icmpv6 type admin-prohibited" + printf "%s\n" "add rule inet banIP wan-forward ip6 saddr != @${feed} ${log_forwardwan} counter drop" + else + printf "%s\n" "add rule inet banIP wan-forward ip6 saddr @${feed} counter accept" + fi + fi + if [ -z "${feed_direction##*forwardlan*}" ]; then + if [ "${ban_allowlistonly}" = "1" ]; then + printf "%s\n" "add rule inet banIP lan-forward ip6 daddr != @${feed} ${log_forwardlan} counter reject with icmpv6 type admin-prohibited" else printf "%s\n" "add rule inet banIP lan-forward ip6 daddr @${feed} counter accept" fi @@ -516,9 +549,7 @@ f_down() { if [ "${proto}" = "MAC" ]; then "${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s, ",tolower($1)}' "${ban_blocklist}" >"${tmp_file}" printf "%s\n" "add set inet banIP ${feed} { type ether_addr; policy memory; $(f_getelements "${tmp_file}") }" - if [ "${feed_direction}" != "input" ]; then - printf "%s\n" "add rule inet banIP lan-forward ether saddr @${feed} ${nft_logforward} counter reject" - fi + [ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ether saddr @${feed} ${log_forwardlan} counter reject" elif [ "${proto}" = "4" ]; then if [ "${ban_deduplicate}" = "1" ]; then "${ban_awkcmd}" '/^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{printf "%s,\n",$1}' "${ban_blocklist}" >"${tmp_raw}" @@ -530,12 +561,9 @@ f_down() { fi "${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}" printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval, timeout; auto-merge; policy memory; $(f_getelements "${tmp_file}") }" - if [ "${feed_direction}" != "forward" ]; then - printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} ${nft_loginput} counter drop" - fi - if [ "${feed_direction}" != "input" ]; then - printf "%s\n" "add rule inet banIP lan-forward ip daddr @${feed} ${nft_logforward} counter reject with icmp type admin-prohibited" - fi + [ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} ${log_input} counter drop" + [ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip saddr @${feed} ${log_forwardwan} counter drop" + [ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ip daddr @${feed} ${log_forwardlan} counter reject with icmp type admin-prohibited" elif [ "${proto}" = "6" ]; then if [ "${ban_deduplicate}" = "1" ]; then "${ban_awkcmd}" '!/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s\n",$1}' "${ban_blocklist}" | @@ -549,12 +577,9 @@ f_down() { fi "${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}" printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval, timeout; auto-merge; policy memory; $(f_getelements "${tmp_file}") }" - if [ "${feed_direction}" != "forward" ]; then - printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} ${nft_loginput} counter drop" - fi - if [ "${feed_direction}" != "input" ]; then - printf "%s\n" "add rule inet banIP lan-forward ip6 daddr @${feed} ${nft_logforward} counter reject with icmpv6 type admin-prohibited" - fi + [ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} ${log_input} counter drop" + [ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip6 saddr @${feed} ${log_forwardwan} counter drop" + [ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ip6 daddr @${feed} ${log_forwardlan} counter reject with icmpv6 type admin-prohibited" fi } >"${tmp_nft}" feed_rc="${?}" @@ -650,12 +675,9 @@ f_down() { # input and forward rules # - if [ "${feed_direction}" != "forward" ]; then - printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} ${nft_loginput} counter drop" - fi - if [ "${feed_direction}" != "input" ]; then - printf "%s\n" "add rule inet banIP lan-forward ip daddr @${feed} ${nft_logforward} counter reject with icmp type admin-prohibited" - fi + [ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} ${log_input} counter drop" + [ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip saddr @${feed} ${log_forwardwan} counter drop" + [ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ip daddr @${feed} ${log_forwardlan} counter reject with icmp type admin-prohibited" } >"${tmp_nft}" elif [ "${feed_rc}" = "0" ] && [ "${proto}" = "6" ]; then { @@ -667,12 +689,9 @@ f_down() { # input and forward rules # - if [ "${feed_direction}" != "forward" ]; then - printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} ${nft_loginput} counter drop" - fi - if [ "${feed_direction}" != "input" ]; then - printf "%s\n" "add rule inet banIP lan-forward ip6 daddr @${feed} ${nft_logforward} counter reject with icmpv6 type admin-prohibited" - fi + [ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} ${log_input} counter drop" + [ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip6 saddr @${feed} ${log_forwardwan} counter drop" + [ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ip6 daddr @${feed} ${log_forwardlan} counter reject with icmpv6 type admin-prohibited" } >"${tmp_nft}" fi fi @@ -741,12 +760,13 @@ f_restore() { # remove disabled feeds # f_rmset() { - local tmp_del table_sets input_handles forward_handles handle sets feed feed_log feed_rc + local tmp_del table_sets input_handles forwardwan_handles forwardlan_handles handle sets feed feed_log feed_rc tmp_del="${ban_tmpfile}.final.delete" table_sets="$("${ban_nftcmd}" -t list table inet banIP 2>/dev/null | "${ban_awkcmd}" '/^[[:space:]]+set [[:alnum:]]+ /{printf "%s ",$2}' 2>/dev/null)" input_handles="$("${ban_nftcmd}" -t --handle --numeric list chain inet banIP wan-input 2>/dev/null)" - forward_handles="$("${ban_nftcmd}" -t --handle --numeric list chain inet banIP lan-forward 2>/dev/null)" + forwardwan_handles="$("${ban_nftcmd}" -t --handle --numeric list chain inet banIP wan-forward 2>/dev/null)" + forwardlan_handles="$("${ban_nftcmd}" -t --handle --numeric list chain inet banIP lan-forward 2>/dev/null)" { printf "%s\n\n" "#!/usr/sbin/nft -f" for feed in ${table_sets}; do @@ -756,7 +776,9 @@ f_rmset() { printf "%s\n" "flush set inet banIP ${feed}" handle="$(printf "%s\n" "${input_handles}" | "${ban_awkcmd}" "/@${feed} /{print \$NF}" 2>/dev/null)" [ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP wan-input handle ${handle}" - handle="$(printf "%s\n" "${forward_handles}" | "${ban_awkcmd}" "/@${feed} /{print \$NF}" 2>/dev/null)" + handle="$(printf "%s\n" "${forwardwan_handles}" | "${ban_awkcmd}" "/@${feed} /{print \$NF}" 2>/dev/null)" + [ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP wan-forward handle ${handle}" + handle="$(printf "%s\n" "${forwardlan_handles}" | "${ban_awkcmd}" "/@${feed} /{print \$NF}" 2>/dev/null)" [ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP lan-forward handle ${handle}" printf "%s\n\n" "delete set inet banIP ${feed}" fi @@ -852,7 +874,7 @@ f_genstatus() { fi json_close_array json_add_string "run_info" "base_dir: ${ban_basedir}, backup_dir: ${ban_backupdir}, report_dir: ${ban_reportdir}, feed_archive: ${ban_feedarchive}" - json_add_string "run_flags" "protocol (4/6): $(f_char ${ban_protov4})/$(f_char ${ban_protov6}), log (inp/fwd): $(f_char ${ban_loginput})/$(f_char ${ban_logforward}), deduplicate: $(f_char ${ban_deduplicate}), split: $(f_char ${split}), allowed only: $(f_char ${ban_allowlistonly})" + json_add_string "run_flags" "protocol (4/6): $(f_char ${ban_protov4})/$(f_char ${ban_protov6}), log (wan-inp/wan-fwd/lan-fwd): $(f_char ${ban_loginput})/$(f_char ${ban_logforwardwan})/$(f_char ${ban_logforwardlan}), deduplicate: $(f_char ${ban_deduplicate}), split: $(f_char ${split}), allowed only: $(f_char ${ban_allowlistonly})" json_add_string "last_run" "${runtime:-"-"}" json_add_string "system_info" "cores: ${ban_cores}, memory: ${ban_memory}, device: ${ban_sysver}" json_dump >"${ban_basedir}/ban_runtime.json" @@ -885,7 +907,7 @@ f_getstatus() { fi value="$( printf "%s" "${value}" | - awk '{NR=1;max=98;if(length($0)>max+1)while($0){if(NR==1){print substr($0,1,max)}else{printf"%-24s%s\n","",substr($0,1,max)}{$0=substr($0,max+1);NR=NR+1}}else print}' + awk '{NR=1;max=118;if(length($0)>max+1)while($0){if(NR==1){print substr($0,1,max)}else{printf"%-24s%s\n","",substr($0,1,max)}{$0=substr($0,max+1);NR=NR+1}}else print}' )" printf " + %-17s : %s\n" "${key}" "${value:-"-"}" done @@ -945,8 +967,8 @@ f_lookup() { # banIP table statistics # f_report() { - local report_jsn report_txt set nft_raw nft_sets set_cnt set_input set_forward set_cntinput set_cntforward output="${1}" - local detail set_details jsnval timestamp autoadd_allow autoadd_block sum_sets sum_setinput sum_setforward sum_setelements sum_cntinput sum_cntforward + local report_jsn report_txt set tmp_val nft_raw nft_sets set_cnt set_input set_forwardwan set_forwardlan set_cntinput set_cntforwardwan set_cntforwardlan output="${1}" + local detail set_details jsnval timestamp autoadd_allow autoadd_block sum_sets sum_setinput sum_setforwardwan sum_setforwardlan sum_setelements sum_cntinput sum_cntforwardwan sum_cntforwardlan [ -z "${ban_dev}" ] && f_conf f_mkdir "${ban_reportdir}" @@ -959,10 +981,12 @@ f_report() { nft_sets="$(printf "%s" "${nft_raw}" | jsonfilter -qe '@.nftables[*].set.name')" sum_sets="0" sum_setinput="0" - sum_setforward="0" + sum_setforwardwan="0" + sum_setforwardlan="0" sum_setelements="0" sum_cntinput="0" - sum_cntforward="0" + sum_cntforwardwan="0" + sum_cntforwardlan="0" timestamp="$(date "+%Y-%m-%d %H:%M:%S")" : >"${report_jsn}" { @@ -972,30 +996,41 @@ f_report() { set_cnt="$("${ban_nftcmd}" -j list set inet banIP "${set}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)" sum_setelements="$((sum_setelements + set_cnt))" set_cntinput="$(printf "%s" "${nft_raw}" | jsonfilter -qe "@.nftables[@.rule.chain=\"wan-input\"][@.expr[*].match.right=\"@${set}\"].expr[*].counter.packets")" - set_cntforward="$(printf "%s" "${nft_raw}" | jsonfilter -qe "@.nftables[@.rule.chain=\"lan-forward\"][@.expr[*].match.right=\"@${set}\"].expr[*].counter.packets")" + set_cntforwardwan="$(printf "%s" "${nft_raw}" | jsonfilter -qe "@.nftables[@.rule.chain=\"wan-forward\"][@.expr[*].match.right=\"@${set}\"].expr[*].counter.packets")" + set_cntforwardlan="$(printf "%s" "${nft_raw}" | jsonfilter -qe "@.nftables[@.rule.chain=\"lan-forward\"][@.expr[*].match.right=\"@${set}\"].expr[*].counter.packets")" if [ -n "${set_cntinput}" ]; then set_input="OK" sum_setinput="$((sum_setinput + 1))" sum_cntinput="$((sum_cntinput + set_cntinput))" else - set_input="n/a" - set_cntinput="n/a" + set_input="-" + set_cntinput="" fi - if [ -n "${set_cntforward}" ]; then - set_forward="OK" - sum_setforward="$((sum_setforward + 1))" - sum_cntforward="$((sum_cntforward + set_cntforward))" + if [ -n "${set_cntforwardwan}" ]; then + set_forwardwan="OK" + sum_setforwardwan="$((sum_setforwardwan + 1))" + sum_cntforwardwan="$((sum_cntforwardwan + set_cntforwardwan))" else - set_forward="n/a" - set_cntforward="n/a" + set_forwardwan="-" + set_cntforwardwan="" + fi + if [ -n "${set_cntforwardlan}" ]; then + set_forwardlan="OK" + sum_setforwardlan="$((sum_setforwardlan + 1))" + sum_cntforwardlan="$((sum_cntforwardlan + set_cntforwardlan))" + else + set_forwardlan="-" + set_cntforwardlan="" fi [ "${sum_sets}" -gt "0" ] && printf "%s\n" "," printf "\t\t%s\n" "\"${set}\": {" printf "\t\t\t%s\n" "\"cnt_elements\": \"${set_cnt}\"," - printf "\t\t\t%s\n" "\"input\": \"${set_input}\"," - printf "\t\t\t%s\n" "\"forward\": \"${set_forward}\"," printf "\t\t\t%s\n" "\"cnt_input\": \"${set_cntinput}\"," - printf "\t\t\t%s\n" "\"cnt_forward\": \"${set_cntforward}\"" + printf "\t\t\t%s\n" "\"input\": \"${set_input}\"," + printf "\t\t\t%s\n" "\"cnt_forwardwan\": \"${set_cntforwardwan}\"," + printf "\t\t\t%s\n" "\"wan_forward\": \"${set_forwardwan}\"," + printf "\t\t\t%s\n" "\"cnt_forwardlan\": \"${set_cntforwardlan}\"," + printf "\t\t\t%s\n" "\"lan_forward\": \"${set_forwardlan}\"" printf "\t\t%s" "}" sum_sets="$((sum_sets + 1))" done @@ -1005,10 +1040,12 @@ f_report() { printf "\t%s\n" "\"autoadd_block\": \"$("${ban_grepcmd}" -c "added on ${timestamp% *}" "${ban_blocklist}")\"," printf "\t%s\n" "\"sum_sets\": \"${sum_sets}\"," printf "\t%s\n" "\"sum_setinput\": \"${sum_setinput}\"," - printf "\t%s\n" "\"sum_setforward\": \"${sum_setforward}\"," + printf "\t%s\n" "\"sum_setforwardwan\": \"${sum_setforwardwan}\"," + printf "\t%s\n" "\"sum_setforwardlan\": \"${sum_setforwardlan}\"," printf "\t%s\n" "\"sum_setelements\": \"${sum_setelements}\"," printf "\t%s\n" "\"sum_cntinput\": \"${sum_cntinput}\"," - printf "\t%s\n" "\"sum_cntforward\": \"${sum_cntforward}\"" + printf "\t%s\n" "\"sum_cntforwardwan\": \"${sum_cntforwardwan}\"," + printf "\t%s\n" "\"sum_cntforwardlan\": \"${sum_cntforwardlan}\"" printf "%s\n" "}" } >>"${report_jsn}" @@ -1023,10 +1060,12 @@ f_report() { json_get_var autoadd_block "autoadd_block" >/dev/null 2>&1 json_get_var sum_sets "sum_sets" >/dev/null 2>&1 json_get_var sum_setinput "sum_setinput" >/dev/null 2>&1 - json_get_var sum_setforward "sum_setforward" >/dev/null 2>&1 + json_get_var sum_setforwardwan "sum_setforwardwan" >/dev/null 2>&1 + json_get_var sum_setforwardlan "sum_setforwardlan" >/dev/null 2>&1 json_get_var sum_setelements "sum_setelements" >/dev/null 2>&1 json_get_var sum_cntinput "sum_cntinput" >/dev/null 2>&1 - json_get_var sum_cntforward "sum_cntforward" >/dev/null 2>&1 + json_get_var sum_cntforwardwan "sum_cntforwardwan" >/dev/null 2>&1 + json_get_var sum_cntforwardlan "sum_cntforwardlan" >/dev/null 2>&1 { printf "%s\n%s\n%s\n" ":::" "::: banIP Set Statistics" ":::" printf "%s\n" " Timestamp: ${timestamp}" @@ -1036,21 +1075,32 @@ f_report() { json_select "sets" >/dev/null 2>&1 json_get_keys nft_sets >/dev/null 2>&1 if [ -n "${nft_sets}" ]; then - printf "%-25s%-16s%-16s%-16s%-16s%s\n" " Set" "| Set Elements" "| Chain Input" "| Chain Forward" "| Input Packets" "| Forward Packets" - printf "%s\n" " ---------------------+---------------+---------------+---------------+---------------+----------------" + printf "%-25s%-15s%-24s%-24s%s\n" " Set" "| Elements" "| WAN-Input (packets)" "| WAN-Forward (packets)" "| LAN-Forward (packets)" + printf "%s\n" " ---------------------+--------------+-----------------------+-----------------------+------------------------" for set in ${nft_sets}; do printf " %-21s" "${set}" json_select "${set}" json_get_keys set_details for detail in ${set_details}; do json_get_var jsnval "${detail}" >/dev/null 2>&1 - printf "%-16s" "| ${jsnval}" + case "${detail}" in + "cnt_elements") + printf "%-15s" "| ${jsnval}" + ;; + "cnt_input" | "cnt_forwardwan" | "cnt_forwardlan") + [ -n "${jsnval}" ] && tmp_val=": ${jsnval}" + ;; + *) + printf "%-24s" "| ${jsnval}${tmp_val}" + tmp_val="" + ;; + esac done printf "\n" json_select ".." done - printf "%s\n" " ---------------------+---------------+---------------+---------------+---------------+----------------" - printf "%-25s%-16s%-16s%-16s%-16s%s\n" " ${sum_sets}" "| ${sum_setelements}" "| ${sum_setinput}" "| ${sum_setforward}" "| ${sum_cntinput}" "| ${sum_cntforward}" + printf "%s\n" " ---------------------+--------------+-----------------------+-----------------------+------------------------" + printf "%-25s%-15s%-24s%-24s%s\n" " ${sum_sets}" "| ${sum_setelements}" "| ${sum_setinput} (${sum_cntinput})" "| ${sum_setforwardwan} (${sum_cntforwardwan})" "| ${sum_setforwardlan} (${sum_cntforwardlan})" fi } >>"${report_txt}" fi diff --git a/net/banip/files/banip.tpl b/net/banip/files/banip.tpl index 9a614d026..0474eb344 100644 --- a/net/banip/files/banip.tpl +++ b/net/banip/files/banip.tpl @@ -8,7 +8,7 @@ local banip_info report_info log_info system_info mail_text banip_info="$(/etc/init.d/banip status 2>/dev/null)" report_info="$(cat ${ban_reportdir}/ban_report.txt 2>/dev/null)" -log_info="$("${ban_logreadcmd}" -l 100 -e "banIP_" 2>/dev/null | awk '{NR=1;max=120;if(length($0)>max+1)while($0){if(NR==1){print substr($0,1,max)}else{print substr($0,1,max)}{$0=substr($0,max+1);NR=NR+1}}else print}')" +log_info="$("${ban_logreadcmd}" -l 100 -e "banIP/" 2>/dev/null | awk '{NR=1;max=140;if(length($0)>max+1)while($0){if(NR==1){print substr($0,1,max)}else{print substr($0,1,max)}{$0=substr($0,max+1);NR=NR+1}}else print}')" system_info="$( strings /etc/banner 2>/dev/null ubus call system board | awk 'BEGIN{FS="[{}\"]"}{if($2=="kernel"||$2=="hostname"||$2=="system"||$2=="model"||$2=="description")printf " + %-12s: %s\n",$2,$4}'