banip: release 0.8.1-1

* add missing wan-forward chain (incl. report/mail adaption)
* changed options:
  - old: ban_blockforward, new: ban_blockforwardwan and ban_blockforwardlan
  - old: ban_logforward, new: ban_logforwardwan and ban_logforwardlan
* add missing dhcp(v6) rules/exceptions
* update readme

Previously run-tested by certain forum users (and by me).

Signed-off-by: Dirk Brenken <dev@brenken.org>
Dirk Brenken 2023-02-25 09:33:50 +01:00
parent 8885636b4e
commit 02c2587f9d
No known key found for this signature in database
GPG key ID: 9D71CD547BFAE684
4 changed files with 237 additions and 164 deletions

@ -7,8 +7,8 @@
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=banip PKG_NAME:=banip
PKG_VERSION:=0.8.0 PKG_VERSION:=0.8.1
PKG_RELEASE:=4 PKG_RELEASE:=1
PKG_LICENSE:=GPL-3.0-or-later PKG_LICENSE:=GPL-3.0-or-later
PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org> PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>

@ -7,52 +7,52 @@ IP address blocking is commonly used to protect against brute force attacks, pre
## Main Features ## Main Features
* banIP supports the following fully pre-configured domain blocklist feeds (free for private usage, for commercial use please check their individual licenses). * banIP supports the following fully pre-configured domain blocklist feeds (free for private usage, for commercial use please check their individual licenses).
**Please note:** the columns "INP" and "FWD" show for which chains the feeds are suitable in common scenarios, e.g. the first entry should be limited to forward chain - see the config options 'ban\_blockforward' and 'ban\_blockinput' below. **Please note:** the columns "WAN-INP", "WAN-FWD" and "LAN_FWD" show for which chains the feeds are suitable in common scenarios, e.g. the first entry should be limited to the LAN forward chain - see the config options 'ban\_blockinput', 'ban\_blockforwardwan' and 'ban\_blockforwardlan' below.
| Feed | Focus | INP | FWD | Information | | Feed | Focus | WAN-INP | WAN-FWD | LAN-FWD | Information |
| :------------------ | :----------------------------: | :-: | :-: | :-------------------------------------------------------------------- | | :------------------ | :----------------------------- | :-----: | :-----: | :-----: | :----------------------------------------------------------- |
| adaway | adaway IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) | | adaway | adaway IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| adguard | adguard IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) | | adguard | adguard IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| adguardtrackers | adguardtracker IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) | | adguardtrackers | adguardtracker IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| antipopads | antipopads IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) | | antipopads | antipopads IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| asn | ASN IPs | | x | [Link](https://asn.ipinfo.app) | | asn | ASN IPs | | | x | [Link](https://asn.ipinfo.app) |
| backscatterer | backscatterer IPs | x | x | [Link](https://www.uceprotect.net/en/index.php) | | backscatterer | backscatterer IPs | x | x | | [Link](https://www.uceprotect.net/en/index.php) |
| bogon | bogon prefixes | x | x | [Link](https://team-cymru.com) | | bogon | bogon prefixes | x | x | | [Link](https://team-cymru.com) |
| country | country blocks | x | | [Link](https://www.ipdeny.com/ipblocks) | | country | country blocks | x | x | | [Link](https://www.ipdeny.com/ipblocks) |
| cinsscore | suspicious attacker IPs | x | x | [Link](https://cinsscore.com/#list) | | cinsscore | suspicious attacker IPs | x | x | | [Link](https://cinsscore.com/#list) |
| darklist | blocks suspicious attacker IPs | x | x | [Link](https://darklist.de) | | darklist | blocks suspicious attacker IPs | x | x | | [Link](https://darklist.de) |
| debl | fail2ban IP blacklist | x | x | [Link](https://www.blocklist.de) | | debl | fail2ban IP blacklist | x | x | | [Link](https://www.blocklist.de) |
| doh | public DoH-Provider | | x | [Link](https://github.com/dibdot/DoH-IP-blocklists) | | doh | public DoH-Provider | | | x | [Link](https://github.com/dibdot/DoH-IP-blocklists) |
| drop | spamhaus drop compilation | x | x | [Link](https://www.spamhaus.org) | | drop | spamhaus drop compilation | x | x | | [Link](https://www.spamhaus.org) |
| dshield | dshield IP blocklist | x | x | [Link](https://www.dshield.org) | | dshield | dshield IP blocklist | x | x | | [Link](https://www.dshield.org) |
| edrop | spamhaus edrop compilation | x | x | [Link](https://www.spamhaus.org) | | edrop | spamhaus edrop compilation | x | x | | [Link](https://www.spamhaus.org) |
| feodo | feodo tracker | x | x | [Link](https://feodotracker.abuse.ch) | | feodo | feodo tracker | x | x | x | [Link](https://feodotracker.abuse.ch) |
| firehol1 | firehol level 1 compilation | x | x | [Link](https://iplists.firehol.org/?ipset=firehol_level1) | | firehol1 | firehol level 1 compilation | x | x | | [Link](https://iplists.firehol.org/?ipset=firehol_level1) |
| firehol2 | firehol level 2 compilation | x | x | [Link](https://iplists.firehol.org/?ipset=firehol_level2) | | firehol2 | firehol level 2 compilation | x | x | | [Link](https://iplists.firehol.org/?ipset=firehol_level2) |
| firehol3 | firehol level 3 compilation | x | x | [Link](https://iplists.firehol.org/?ipset=firehol_level3) | | firehol3 | firehol level 3 compilation | x | x | | [Link](https://iplists.firehol.org/?ipset=firehol_level3) |
| firehol4 | firehol level 4 compilation | x | x | [Link](https://iplists.firehol.org/?ipset=firehol_level4) | | firehol4 | firehol level 4 compilation | x | x | | [Link](https://iplists.firehol.org/?ipset=firehol_level4) |
| greensnow | suspicious server IPs | x | x | [Link](https://greensnow.co) | | greensnow | suspicious server IPs | x | x | x | [Link](https://greensnow.co) |
| iblockads | Advertising IPs | | x | [Link](https://www.iblocklist.com) | | iblockads | Advertising IPs | | | x | [Link](https://www.iblocklist.com) |
| iblockspy | Malicious spyware IPs | x | x | [Link](https://www.iblocklist.com) | | iblockspy | Malicious spyware IPs | x | x | x | [Link](https://www.iblocklist.com) |
| myip | real-time IP blocklist | x | x | [Link](https://myip.ms) | | myip | real-time IP blocklist | x | x | | [Link](https://myip.ms) |
| nixspam | iX spam protection | x | x | [Link](http://www.nixspam.org) | | nixspam | iX spam protection | x | x | | [Link](http://www.nixspam.org) |
| oisdnsfw | OISD-nsfw IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) | | oisdnsfw | OISD-nsfw IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| oisdsmall | OISD-small IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) | | oisdsmall | OISD-small IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| proxy | open proxies | x | | [Link](https://iplists.firehol.org/?ipset=proxylists) | | proxy | open proxies | x | | | [Link](https://iplists.firehol.org/?ipset=proxylists) |
| ssbl | SSL botnet IPs | x | x | [Link](https://sslbl.abuse.ch) | | ssbl | SSL botnet IPs | x | x | x | [Link](https://sslbl.abuse.ch) |
| stevenblack | stevenblack IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) | | stevenblack | stevenblack IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| talos | talos IPs | x | x | [Link](https://talosintelligence.com/reputation_center) | | talos | talos IPs | x | x | | [Link](https://talosintelligence.com/reputation_center) |
| threat | emerging threats | x | x | [Link](https://rules.emergingthreats.net) | | threat | emerging threats | x | x | x | [Link](https://rules.emergingthreats.net) |
| threatview | malicious IPs | x | x | [Link](https://threatview.io) | | threatview | malicious IPs | x | x | x | [Link](https://threatview.io) |
| tor | tor exit nodes | x | | [Link](https://github.com/SecOps-Institute/Tor-IP-Addresses) | | tor | tor exit nodes | x | x | x | [Link](https://github.com/SecOps-Institute/Tor-IP-Addresses) |
| uceprotect1 | spam protection level 1 | x | x | [Link](http://www.uceprotect.net/en/index.php) | | uceprotect1 | spam protection level 1 | x | x | | [Link](http://www.uceprotect.net/en/index.php) |
| uceprotect2 | spam protection level 2 | x | x | [Link](http://www.uceprotect.net/en/index.php) | | uceprotect2 | spam protection level 2 | x | x | | [Link](http://www.uceprotect.net/en/index.php) |
| uceprotect3 | spam protection level 3 | x | x | [Link](http://www.uceprotect.net/en/index.php) | | uceprotect3 | spam protection level 3 | x | x | | [Link](http://www.uceprotect.net/en/index.php) |
| urlhaus | urlhaus IDS IPs | x | x | [Link](https://urlhaus.abuse.ch) | | urlhaus | urlhaus IDS IPs | x | x | | [Link](https://urlhaus.abuse.ch) |
| urlvir | malware related IPs | x | x | [Link](https://iplists.firehol.org/?ipset=urlvir) | | urlvir | malware related IPs | x | x | x | [Link](https://iplists.firehol.org/?ipset=urlvir) |
| webclient | malware related IPs | x | x | [Link](https://iplists.firehol.org/?ipset=firehol_webclient) | | webclient | malware related IPs | x | x | x | [Link](https://iplists.firehol.org/?ipset=firehol_webclient) |
| voip | VoIP fraud blocklist | x | x | [Link](https://voipbl.org) | | voip | VoIP fraud blocklist | x | x | | [Link](https://voipbl.org) |
| yoyo | yoyo IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) | | yoyo | yoyo IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
* zero-conf like automatic installation & setup, usually no manual changes needed * zero-conf like automatic installation & setup, usually no manual changes needed
* all sets are handled in a separate nft table/namespace 'banIP' * all sets are handled in a separate nft table/namespace 'banIP'
@ -128,8 +128,9 @@ Available commands:
| ban_logterm | list | regex | various regex for logfile parsing (default: dropbear, sshd, luci, nginx, asterisk) | | ban_logterm | list | regex | various regex for logfile parsing (default: dropbear, sshd, luci, nginx, asterisk) |
| ban_autodetect | option | 1 | auto-detect wan interfaces, devices and subnets | | ban_autodetect | option | 1 | auto-detect wan interfaces, devices and subnets |
| ban_debug | option | 0 | enable banIP related debug logging | | ban_debug | option | 0 | enable banIP related debug logging |
| ban_loginput | option | 1 | log drops in the input chain | | ban_loginput | option | 1 | log drops in the wan-input chain |
| ban_logforward | option | 0 | log rejects in the forward chain | | ban_logforwardwan | option | 1 | log drops in the wan-forward chain |
| ban_logforwardlan | option | 0 | log rejects in the lan-forward chain |
| ban_autoallowlist | option | 1 | add wan IPs/subnets automatically to the local allowlist | | ban_autoallowlist | option | 1 | add wan IPs/subnets automatically to the local allowlist |
| ban_autoblocklist | option | 1 | add suspicious attacker IPs automatically to the local blocklist | | ban_autoblocklist | option | 1 | add suspicious attacker IPs automatically to the local blocklist |
| ban_allowlistonly | option | 0 | restrict the internet access from/to a small number of secure websites/IPs | | ban_allowlistonly | option | 0 | restrict the internet access from/to a small number of secure websites/IPs |
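Review bot: the table introduces ban_logforwardwan and ban_logforwardlan but gives no hint that ban_logforward no longer exists; an upgrading user whose config still sets ban_logforward="1" will silently lose forward logging. Add a short note next to these rows (or a "changed options" paragraph) stating that ban_logforward was replaced by ban_logforwardwan (default 1) and ban_logforwardlan (default 0), and that the defaults now differ from the old single option.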
@ -150,8 +151,9 @@ Available commands:
| ban_feed | list | - | external download feeds, e.g. 'yoyo', 'doh', 'country' or 'talos' (see feed table) | | ban_feed | list | - | external download feeds, e.g. 'yoyo', 'doh', 'country' or 'talos' (see feed table) |
| ban_asn | list | - | ASNs for the 'asn' feed, e.g.'32934' | | ban_asn | list | - | ASNs for the 'asn' feed, e.g.'32934' |
| ban_country | list | - | country iso codes for the 'country' feed, e.g. 'ru' | | ban_country | list | - | country iso codes for the 'country' feed, e.g. 'ru' |
| ban_blockinput | list | - | limit a feed to the input chain, e.g. 'country' | | ban_blockinput | list | - | limit a feed to the wan-input chain, e.g. 'country' |
| ban_blockforward | list | - | limit a feed to the forward chain, e.g. 'doh' | | ban_blockforwardwan | list | - | limit a feed to the wan-forward chain, e.g. 'debl' |
| ban_blockforwardlan | list | - | limit a feed to the lan-forward chain, e.g. 'doh' |
| ban_fetchcmd | option | - / autodetect | 'uclient-fetch', 'wget', 'curl' or 'aria2c' | | ban_fetchcmd | option | - / autodetect | 'uclient-fetch', 'wget', 'curl' or 'aria2c' |
| ban_fetchparm | option | - / autodetect | set the config options for the selected download utility | | ban_fetchparm | option | - / autodetect | set the config options for the selected download utility |
| ban_fetchinsecure | option | 0 | don't check SSL server certificates during download | | ban_fetchinsecure | option | 0 | don't check SSL server certificates during download |
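Review bot: the three ban_block* rows describe each list in isolation but not how they combine, which is the part users get wrong. From the f_down changes in this commit, a feed may appear in more than one of ban_blockinput, ban_blockforwardwan and ban_blockforwardlan (it is then applied to every listed chain), and a feed that appears in none of them is applied to all three chains. Spell that out in the description, e.g. "a feed listed in none of the three lists is applied to the wan-input, wan-forward and lan-forward chains", and note that the old ban_blockforward entries are ignored after the upgrade.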
@ -169,44 +171,65 @@ Available commands:
::: :::
::: banIP Set Statistics ::: banIP Set Statistics
::: :::
Timestamp: 2023-02-08 22:12:40 Timestamp: 2023-02-25 08:35:37
------------------------------ ------------------------------
auto-added to allowlist: 1 auto-added to allowlist: 0
auto-added to blocklist: 0 auto-added to blocklist: 4
Set | Set Elements | Chain Input | Chain Forward | Input Packets | Forward Packets Set | Elements | WAN-Input (packets) | WAN-Forward (packets) | LAN-Forward (packets)
---------------------+---------------+---------------+---------------+---------------+---------------- ---------------------+--------------+-----------------------+-----------------------+------------------------
allowlistvMAC | 0 | n/a | OK | n/a | 0 allowlistvMAC | 0 | - | - | OK: 0
allowlistv4 | 1 | OK | OK | 0 | 0 allowlistv4 | 15 | OK: 0 | OK: 0 | OK: 0
allowlistv6 | 0 | OK | OK | 0 | 0 allowlistv6 | 1 | OK: 0 | OK: 0 | OK: 0
blocklistvMAC | 0 | n/a | OK | n/a | 0 torv4 | 800 | OK: 0 | OK: 0 | OK: 0
blocklistv4 | 0 | OK | OK | 0 | 0 torv6 | 432 | OK: 0 | OK: 0 | OK: 0
blocklistv6 | 0 | OK | OK | 0 | 0 countryv6 | 34282 | OK: 0 | OK: 1 | -
dohv4 | 542 | n/a | OK | n/a | 22 countryv4 | 35508 | OK: 1872 | OK: 0 | -
adguardv4 | 23007 | n/a | OK | n/a | 18 dohv6 | 343 | - | - | OK: 0
yoyov4 | 1936 | n/a | OK | n/a | 1 dohv4 | 540 | - | - | OK: 3
oisdbasicv4 | 26000 | n/a | OK | n/a | 325 firehol1v4 | 1670 | OK: 296 | OK: 0 | OK: 16
---------------------+---------------+---------------+---------------+---------------+---------------- deblv4 | 12402 | OK: 4 | OK: 0 | OK: 0
10 | 51486 | 4 | 10 | 0 | 366 deblv6 | 41 | OK: 0 | OK: 0 | OK: 0
adguardv6 | 12742 | - | - | OK: 161
adguardv4 | 23183 | - | - | OK: 212
adguardtrackersv6 | 169 | - | - | OK: 0
adguardtrackersv4 | 633 | - | - | OK: 0
adawayv6 | 2737 | - | - | OK: 15
adawayv4 | 6542 | - | - | OK: 137
oisdsmallv6 | 10569 | - | - | OK: 0
oisdsmallv4 | 18800 | - | - | OK: 74
stevenblackv6 | 11901 | - | - | OK: 4
stevenblackv4 | 16776 | - | - | OK: 139
yoyov6 | 215 | - | - | OK: 0
yoyov4 | 309 | - | - | OK: 0
antipopadsv4 | 1872 | - | - | OK: 0
urlhausv4 | 7431 | OK: 0 | OK: 0 | OK: 0
antipopadsv6 | 2081 | - | - | OK: 2
blocklistvMAC | 0 | - | - | OK: 0
blocklistv4 | 1174 | OK: 1 | OK: 0 | OK: 0
blocklistv6 | 40 | OK: 0 | OK: 0 | OK: 0
---------------------+--------------+-----------------------+-----------------------+------------------------
30 | 203208 | 12 (2173) | 12 (1) | 28 (763)
``` ```
**banIP runtime information** **banIP runtime information**
``` ```
~# etc/init.d/banip status ~# /etc/init.d/banip status
::: banIP runtime information ::: banIP runtime information
+ status : active + status : active
+ version : 0.8.0 + version : 0.8.1-1
+ element_count : 51486 + element_count : 206644
+ active_feeds : allowlistvMAC, allowlistv4, allowlistv6, blocklistvMAC, blocklistv4, blocklistv6, dohv4, adguardv4 + active_feeds : allowlistvMAC, allowlistv4, allowlistv6, torv4, torv6, countryv6, countryv4, dohv4, dohv6, firehol1v4, deblv4, deblv6,
, yoyov4, oisdbasicv4 adguardv6, adguardv4, adguardtrackersv6, adguardtrackersv4, adawayv6, adawayv4, oisdsmallv6, oisdsmallv4, stevenblack
v6, stevenblackv4, yoyov6, yoyov4, antipopadsv4, urlhausv4, antipopadsv6, blocklistvMAC, blocklistv4, blocklistv6
+ active_devices : eth2 + active_devices : eth2
+ active_interfaces : wan + active_interfaces : wan, wan6
+ active_subnets : 192.168.98.107/24 + active_subnets : 91.61.199.218/24, 2a02:910c:0:80:e542:4b0c:846d:1d33/128
+ run_info : base_dir: /tmp, backup_dir: /tmp/banIP-backup, report_dir: /tmp/banIP-report, feed_archive: /etc/b + run_info : base_dir: /tmp, backup_dir: /mnt/data/banIP-backup, report_dir: /mnt/data/banIP-report, feed_archive: /etc/banip/banip
anip/banip.feeds.gz .feeds.gz
+ run_flags : protocol (4/6): ✔/✘, log (inp/fwd): ✔/✘, deduplicate: ✔, split: ✘, allowed only: ✘ + run_flags : proto (4/6): ✔/✔, log (wan-inp/wan-fwd/lan-fwd): ✔/✔/✔, deduplicate: ✔, split: ✘, allowed only: ✘
+ last_run : action: start, duration: 0m 15s, date: 2023-02-08 22:12:46 + last_run : action: restart, duration: 1m 6s, date: 2023-02-25 08:55:55
+ system_info : cores: 2, memory: 3614, device: PC Engines apu1, OpenWrt SNAPSHOT r21997-b5193291bd + system_info : cores: 2, memory: 1826, device: Turris Omnia, OpenWrt SNAPSHOT r22125-52ddb38469
``` ```
**banIP search information** **banIP search information**
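Review bot: the new runtime sample in "active_subnets" shows what look like real, publicly routable WAN addresses (91.61.199.218/24 and a 2a02:910c:… /128), where the previous sample used a private 192.168.x address. README examples are copied and indexed widely, so replace these with documentation ranges (192.0.2.0/24, 2001:db8::/32) before merging. Separately, the summary row "12 (2173) | 12 (1) | 28 (763)" has no legend; a one-line note that the figures are "rules (packets)" per chain would make the report self-explanatory.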

@ -41,8 +41,9 @@ ban_logcount="1"
ban_logterm="" ban_logterm=""
ban_country="" ban_country=""
ban_asn="" ban_asn=""
ban_loginput="0" ban_loginput="1"
ban_logforward="0" ban_logforwardwan="1"
ban_logforwardlan="0"
ban_allowlistonly="0" ban_allowlistonly="0"
ban_autoallowlist="1" ban_autoallowlist="1"
ban_autoblocklist="1" ban_autoblocklist="1"
@ -51,7 +52,8 @@ ban_splitsize="0"
ban_autodetect="" ban_autodetect=""
ban_feed="" ban_feed=""
ban_blockinput="" ban_blockinput=""
ban_blockforward="" ban_blockforwardwan=""
ban_blockforwardlan=""
ban_protov4="0" ban_protov4="0"
ban_protov6="0" ban_protov6="0"
ban_ifv4="" ban_ifv4=""
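Review bot: the defaults file and f_conf switch to ban_blockforwardwan/ban_blockforwardlan (and, in the hunk above, ban_logforwardwan/ban_logforwardlan), but nothing in the diff migrates or at least warns about the old ban_blockforward and ban_logforward entries that existing /etc/config/banip files still carry; those values will be read by nothing and the feeds previously limited to the forward chain fall back to the all-chains default. Consider a uci-defaults migration step that copies ban_blockforward into ban_blockforwardlan and ban_logforward into ban_logforwardlan, or an f_log warning when the legacy option names are present.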
@ -172,7 +174,7 @@ f_log() {
# load config # load config
# #
f_conf() { f_conf() {
unset ban_dev ban_ifv4 ban_ifv6 ban_feed ban_blockinput ban_blockforward ban_logterm ban_country ban_asn unset ban_dev ban_ifv4 ban_ifv6 ban_feed ban_blockinput ban_blockforwardwan ban_blockforwardlan ban_logterm ban_country ban_asn
config_cb() { config_cb() {
option_cb() { option_cb() {
local option="${1}" local option="${1}"
@ -198,8 +200,11 @@ f_conf() {
"ban_blockinput") "ban_blockinput")
eval "${option}=\"$(printf "%s" "${ban_blockinput}")${value} \"" eval "${option}=\"$(printf "%s" "${ban_blockinput}")${value} \""
;; ;;
"ban_blockforward") "ban_blockforwardwan")
eval "${option}=\"$(printf "%s" "${ban_blockforward}")${value} \"" eval "${option}=\"$(printf "%s" "${ban_blockforwardwan}")${value} \""
;;
"ban_blockforwardlan")
eval "${option}=\"$(printf "%s" "${ban_blockforwardlan}")${value} \""
;; ;;
"ban_logterm") "ban_logterm")
eval "${option}=\"$(printf "%s" "${ban_logterm}")${value}\\|\"" eval "${option}=\"$(printf "%s" "${ban_logterm}")${value}\\|\""
@ -387,18 +392,26 @@ f_nftinit() {
fi fi
printf "%s\n" "add table inet banIP" printf "%s\n" "add table inet banIP"
printf "%s\n" "add chain inet banIP wan-input { type filter hook input priority ${ban_nftpriority}; policy accept; }" printf "%s\n" "add chain inet banIP wan-input { type filter hook input priority ${ban_nftpriority}; policy accept; }"
printf "%s\n" "add chain inet banIP wan-forward { type filter hook forward priority ${ban_nftpriority}; policy accept; }"
printf "%s\n" "add chain inet banIP lan-forward { type filter hook forward priority ${ban_nftpriority}; policy accept; }" printf "%s\n" "add chain inet banIP lan-forward { type filter hook forward priority ${ban_nftpriority}; policy accept; }"
# default input rules # default wan-input rules
# #
printf "%s\n" "add rule inet banIP wan-input ct state established,related counter accept" printf "%s\n" "add rule inet banIP wan-input ct state established,related counter accept"
printf "%s\n" "add rule inet banIP wan-input iifname != { ${ban_dev// /, } } counter accept" printf "%s\n" "add rule inet banIP wan-input iifname != { ${ban_dev// /, } } counter accept"
printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv4 udp sport 67-68 udp dport 67-68 counter accept"
printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 udp sport 547 udp dport 546 counter accept"
printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv4 icmp type { echo-request } limit rate 1000/second counter accept" printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv4 icmp type { echo-request } limit rate 1000/second counter accept"
printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { echo-request } limit rate 1000/second counter accept" printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { echo-request } limit rate 1000/second counter accept"
printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} limit rate 1000/second ip6 hoplimit 1 counter accept" printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} limit rate 1000/second ip6 hoplimit 1 counter accept"
printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} limit rate 1000/second ip6 hoplimit 255 counter accept" printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} limit rate 1000/second ip6 hoplimit 255 counter accept"
# default forward rules # default wan-forward rules
#
printf "%s\n" "add rule inet banIP wan-forward ct state established,related counter accept"
printf "%s\n" "add rule inet banIP wan-forward iifname != { ${ban_dev// /, } } counter accept"
# default lan-forward rules
# #
printf "%s\n" "add rule inet banIP lan-forward ct state established,related counter accept" printf "%s\n" "add rule inet banIP lan-forward ct state established,related counter accept"
printf "%s\n" "add rule inet banIP lan-forward oifname != { ${ban_dev// /, } } counter accept" printf "%s\n" "add rule inet banIP lan-forward oifname != { ${ban_dev// /, } } counter accept"
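Review bot: the new IPv4 DHCP exception `udp sport 67-68 udp dport 67-68` is broader than the traffic it is meant to admit: it accepts 67→67, 68→68 and 68→67 as well as the server-to-client 67→68 that a router's WAN client actually needs, and it sits before any feed rule, so a blocklisted source can still reach those ports. Tightening it to `udp sport 67 udp dport 68` (mirroring the precise `sport 547 dport 546` used for DHCPv6) keeps the exception minimal. Also worth a comment: wan-forward and lan-forward are both registered on the forward hook with the same ${ban_nftpriority}; nftables does not define the order of base chains that share a hook and priority, so if the wan-forward drop is expected to be evaluated before the lan-forward reject, give the chains distinct priorities rather than relying on creation order.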
@ -414,7 +427,7 @@ f_nftinit() {
} }
f_down() { f_down() {
local nft_loginput nft_logforward start_ts end_ts tmp_raw tmp_load tmp_file split_file input_handles forward_handles handle local log_input log_forwardwan log_forwardlan start_ts end_ts tmp_raw tmp_load tmp_file split_file input_handles forwardwan_handles forwardlan_handles handle
local cnt_set cnt_dl restore_rc feed_direction feed_rc feed_log feed="${1}" proto="${2}" feed_url="${3}" feed_rule="${4}" feed_flag="${5}" local cnt_set cnt_dl restore_rc feed_direction feed_rc feed_log feed="${1}" proto="${2}" feed_url="${3}" feed_rule="${4}" feed_flag="${5}"
start_ts="$(date +%s)" start_ts="$(date +%s)"
@ -426,27 +439,35 @@ f_down() {
tmp_flush="${ban_tmpfile}.${feed}.flush" tmp_flush="${ban_tmpfile}.${feed}.flush"
tmp_nft="${ban_tmpfile}.${feed}.nft" tmp_nft="${ban_tmpfile}.${feed}.nft"
[ "${ban_loginput}" = "1" ] && nft_loginput="log level ${ban_loglevel} prefix \"banIP_drp/${feed}: \"" [ "${ban_loginput}" = "1" ] && log_input="log level ${ban_loglevel} prefix \"banIP/inp-wan/drp/${feed}: \""
[ "${ban_logforward}" = "1" ] && nft_logforward="log level ${ban_loglevel} prefix \"banIP_rej/${feed}: \"" [ "${ban_logforwardwan}" = "1" ] && log_forwardwan="log level ${ban_loglevel} prefix \"banIP/fwd-wan/drp/${feed}: \""
[ "${ban_logforwardlan}" = "1" ] && log_forwardlan="log level ${ban_loglevel} prefix \"banIP/fwd-lan/rej/${feed}: \""
# set source block direction # set source block direction
# #
if printf "%s" "${ban_blockinput}" | "${ban_grepcmd}" -q "${feed%v*}"; then if printf "%s" "${ban_blockinput}" | "${ban_grepcmd}" -q "${feed%v*}"; then
feed_direction="input" feed_direction="input"
elif printf "%s" "${ban_blockforward}" | "${ban_grepcmd}" -q "${feed%v*}"; then fi
feed_direction="forward" if printf "%s" "${ban_blockforwardwan}" | "${ban_grepcmd}" -q "${feed%v*}"; then
feed_direction="${feed_direction} forwardwan"
fi
if printf "%s" "${ban_blockforwardlan}" | "${ban_grepcmd}" -q "${feed%v*}"; then
feed_direction="${feed_direction} forwardlan"
fi fi
# chain/rule maintenance # chain/rule maintenance
# #
if [ "${ban_action}" = "reload" ] && "${ban_nftcmd}" -t list set inet banIP "${feed}" >/dev/null 2>&1; then if [ "${ban_action}" = "reload" ] && "${ban_nftcmd}" -t list set inet banIP "${feed}" >/dev/null 2>&1; then
input_handles="$("${ban_nftcmd}" -t --handle --numeric list chain inet banIP wan-input 2>/dev/null)" input_handles="$("${ban_nftcmd}" -t --handle --numeric list chain inet banIP wan-input 2>/dev/null)"
forward_handles="$("${ban_nftcmd}" -t --handle --numeric list chain inet banIP lan-forward 2>/dev/null)" forwardwan_handles="$("${ban_nftcmd}" -t --handle --numeric list chain inet banIP wan-forward 2>/dev/null)"
forwardlan_handles="$("${ban_nftcmd}" -t --handle --numeric list chain inet banIP lan-forward 2>/dev/null)"
{ {
printf "%s\n" "flush set inet banIP ${feed}" printf "%s\n" "flush set inet banIP ${feed}"
handle="$(printf "%s\n" "${input_handles}" | "${ban_awkcmd}" "/@${feed} /{print \$NF}")" handle="$(printf "%s\n" "${input_handles}" | "${ban_awkcmd}" "/@${feed} /{print \$NF}")"
[ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP wan-input handle ${handle}" [ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP wan-input handle ${handle}"
handle="$(printf "%s\n" "${forward_handles}" | "${ban_awkcmd}" "/@${feed} /{print \$NF}")" handle="$(printf "%s\n" "${forwardwan_handles}" | "${ban_awkcmd}" "/@${feed} /{print \$NF}")"
[ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP wan-forward handle ${handle}"
handle="$(printf "%s\n" "${forwardlan_handles}" | "${ban_awkcmd}" "/@${feed} /{print \$NF}")"
[ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP lan-forward handle ${handle}" [ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP lan-forward handle ${handle}"
} >"${tmp_flush}" } >"${tmp_flush}"
fi fi
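Review bot: the rewritten direction logic has an implicit default that deserves a comment. After the three `if` blocks, feed_direction stays empty when the feed is in none of the lists, and every later test of the form `[ -z "${feed_direction##*input*}" ]` is then true, so such a feed is applied to all three chains; that is correct but only because `${var##*input*}` leaves an empty string untouched, which is easy to break in a future edit. Add a one-line comment above the tests ("empty feed_direction = all chains") or set feed_direction explicitly to "input forwardwan forwardlan" in an `else` branch. Note also that the log prefixes change from "banIP_drp/…" and "banIP_rej/…" to "banIP/inp-wan/drp/…", "banIP/fwd-wan/drp/…" and "banIP/fwd-lan/rej/…"; any syslog parsing or alerting keyed on the old prefixes breaks, so this should be called out in the commit message and README.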
@ -468,22 +489,27 @@ f_down() {
if [ "${proto}" = "MAC" ]; then if [ "${proto}" = "MAC" ]; then
"${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s, ",tolower($1)}' "${ban_allowlist}" >"${tmp_file}" "${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s, ",tolower($1)}' "${ban_allowlist}" >"${tmp_file}"
printf "%s\n" "add set inet banIP ${feed} { type ether_addr; policy memory; $(f_getelements "${tmp_file}") }" printf "%s\n" "add set inet banIP ${feed} { type ether_addr; policy memory; $(f_getelements "${tmp_file}") }"
if [ "${feed_direction}" != "input" ]; then [ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ether saddr @${feed} counter accept"
printf "%s\n" "add rule inet banIP lan-forward ether saddr @${feed} counter accept"
fi
elif [ "${proto}" = "4" ]; then elif [ "${proto}" = "4" ]; then
"${ban_awkcmd}" '/^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{printf "%s, ",$1}' "${ban_allowlist}" >"${tmp_file}" "${ban_awkcmd}" '/^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{printf "%s, ",$1}' "${ban_allowlist}" >"${tmp_file}"
printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy memory; $(f_getelements "${tmp_file}") }" printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy memory; $(f_getelements "${tmp_file}") }"
if [ "${feed_direction}" != "forward" ]; then if [ -z "${feed_direction##*input*}" ]; then
if [ "${ban_allowlistonly}" = "1" ]; then if [ "${ban_allowlistonly}" = "1" ]; then
printf "%s\n" "add rule inet banIP wan-input ip saddr != @${feed} ${nft_loginput} counter drop" printf "%s\n" "add rule inet banIP wan-input ip saddr != @${feed} ${log_input} counter drop"
else else
printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} counter accept" printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} counter accept"
fi fi
fi fi
if [ "${feed_direction}" != "input" ]; then if [ -z "${feed_direction##*forwardwan*}" ]; then
if [ "${ban_allowlistonly}" = "1" ]; then if [ "${ban_allowlistonly}" = "1" ]; then
printf "%s\n" "add rule inet banIP lan-forward ip daddr != @${feed} ${nft_logforward} counter reject with icmp type admin-prohibited" printf "%s\n" "add rule inet banIP wan-forward ip saddr != @${feed} ${log_forwardwan} counter drop"
else
printf "%s\n" "add rule inet banIP wan-forward ip saddr @${feed} counter accept"
fi
fi
if [ -z "${feed_direction##*forwardlan*}" ]; then
if [ "${ban_allowlistonly}" = "1" ]; then
printf "%s\n" "add rule inet banIP lan-forward ip daddr != @${feed} ${log_forwardlan} counter reject with icmp type admin-prohibited"
else else
printf "%s\n" "add rule inet banIP lan-forward ip daddr @${feed} counter accept" printf "%s\n" "add rule inet banIP lan-forward ip daddr @${feed} counter accept"
fi fi
@ -492,16 +518,23 @@ f_down() {
"${ban_awkcmd}" '!/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s\n",$1}' "${ban_allowlist}" | "${ban_awkcmd}" '!/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s\n",$1}' "${ban_allowlist}" |
"${ban_awkcmd}" '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{printf "%s, ",tolower($1)}' >"${tmp_file}" "${ban_awkcmd}" '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{printf "%s, ",tolower($1)}' >"${tmp_file}"
printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy memory; $(f_getelements "${tmp_file}") }" printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy memory; $(f_getelements "${tmp_file}") }"
if [ "${feed_direction}" != "forward" ]; then if [ -z "${feed_direction##*input*}" ]; then
if [ "${ban_allowlistonly}" = "1" ]; then if [ "${ban_allowlistonly}" = "1" ]; then
printf "%s\n" "add rule inet banIP wan-input ip6 saddr != @${feed} ${nft_loginput} counter drop" printf "%s\n" "add rule inet banIP wan-input ip6 saddr != @${feed} ${log_input} counter drop"
else else
printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} counter accept" printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} counter accept"
fi fi
fi fi
if [ "${feed_direction}" != "input" ]; then if [ -z "${feed_direction##*forwardwan*}" ]; then
if [ "${ban_allowlistonly}" = "1" ]; then if [ "${ban_allowlistonly}" = "1" ]; then
printf "%s\n" "add rule inet banIP lan-forward ip6 daddr != @${feed} ${nft_logforward} counter reject with icmpv6 type admin-prohibited" printf "%s\n" "add rule inet banIP wan-forward ip6 saddr != @${feed} ${log_forwardwan} counter drop"
else
printf "%s\n" "add rule inet banIP wan-forward ip6 saddr @${feed} counter accept"
fi
fi
if [ -z "${feed_direction##*forwardlan*}" ]; then
if [ "${ban_allowlistonly}" = "1" ]; then
printf "%s\n" "add rule inet banIP lan-forward ip6 daddr != @${feed} ${log_forwardlan} counter reject with icmpv6 type admin-prohibited"
else else
printf "%s\n" "add rule inet banIP lan-forward ip6 daddr @${feed} counter accept" printf "%s\n" "add rule inet banIP lan-forward ip6 daddr @${feed} counter accept"
fi fi
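Review bot: the three-chain block for IPv6 is a character-for-character copy of the IPv4 block above it, differing only in `ip`/`ip6` and `icmp`/`icmpv6`, and the same pattern is about to repeat for the blocklist; with three chains instead of two, this is now six near-identical rule emitters. A small helper that takes the address-family keyword and the reject type (e.g. `f_emitrules "ip" "icmp"` / `f_emitrules "ip6" "icmpv6"`) would keep the direction and allowlistonly handling in one place, so the next chain or logging change does not have to be applied six times.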
@ -516,9 +549,7 @@ f_down() {
if [ "${proto}" = "MAC" ]; then if [ "${proto}" = "MAC" ]; then
"${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s, ",tolower($1)}' "${ban_blocklist}" >"${tmp_file}" "${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s, ",tolower($1)}' "${ban_blocklist}" >"${tmp_file}"
printf "%s\n" "add set inet banIP ${feed} { type ether_addr; policy memory; $(f_getelements "${tmp_file}") }" printf "%s\n" "add set inet banIP ${feed} { type ether_addr; policy memory; $(f_getelements "${tmp_file}") }"
if [ "${feed_direction}" != "input" ]; then [ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ether saddr @${feed} ${log_forwardlan} counter reject"
printf "%s\n" "add rule inet banIP lan-forward ether saddr @${feed} ${nft_logforward} counter reject"
fi
elif [ "${proto}" = "4" ]; then elif [ "${proto}" = "4" ]; then
if [ "${ban_deduplicate}" = "1" ]; then if [ "${ban_deduplicate}" = "1" ]; then
"${ban_awkcmd}" '/^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{printf "%s,\n",$1}' "${ban_blocklist}" >"${tmp_raw}" "${ban_awkcmd}" '/^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{printf "%s,\n",$1}' "${ban_blocklist}" >"${tmp_raw}"
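Review bot: in the MAC branch a feed whose direction is only `input` or `forwardwan` now gets its `ether_addr` set created but no rule referencing it, since the single `[ -z "${feed_direction##*forwardlan*}" ] && printf ...` line is the only rule emitter left. A MAC set is only meaningful in lan-forward, so this is probably fine, but a short log line when a MAC feed is configured for another direction would make the silently unused set easier to diagnose.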
@ -530,12 +561,9 @@ f_down() {
fi fi
"${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}" "${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}"
printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval, timeout; auto-merge; policy memory; $(f_getelements "${tmp_file}") }" printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval, timeout; auto-merge; policy memory; $(f_getelements "${tmp_file}") }"
if [ "${feed_direction}" != "forward" ]; then [ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} ${log_input} counter drop"
printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} ${nft_loginput} counter drop" [ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip saddr @${feed} ${log_forwardwan} counter drop"
fi [ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ip daddr @${feed} ${log_forwardlan} counter reject with icmp type admin-prohibited"
if [ "${feed_direction}" != "input" ]; then
printf "%s\n" "add rule inet banIP lan-forward ip daddr @${feed} ${nft_logforward} counter reject with icmp type admin-prohibited"
fi
elif [ "${proto}" = "6" ]; then elif [ "${proto}" = "6" ]; then
if [ "${ban_deduplicate}" = "1" ]; then if [ "${ban_deduplicate}" = "1" ]; then
"${ban_awkcmd}" '!/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s\n",$1}' "${ban_blocklist}" | "${ban_awkcmd}" '!/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s\n",$1}' "${ban_blocklist}" |
@ -549,12 +577,9 @@ f_down() {
fi fi
"${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}" "${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}"
printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval, timeout; auto-merge; policy memory; $(f_getelements "${tmp_file}") }" printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval, timeout; auto-merge; policy memory; $(f_getelements "${tmp_file}") }"
if [ "${feed_direction}" != "forward" ]; then [ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} ${log_input} counter drop"
printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} ${nft_loginput} counter drop" [ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip6 saddr @${feed} ${log_forwardwan} counter drop"
fi [ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ip6 daddr @${feed} ${log_forwardlan} counter reject with icmpv6 type admin-prohibited"
if [ "${feed_direction}" != "input" ]; then
printf "%s\n" "add rule inet banIP lan-forward ip6 daddr @${feed} ${nft_logforward} counter reject with icmpv6 type admin-prohibited"
fi
fi fi
} >"${tmp_nft}" } >"${tmp_nft}"
feed_rc="${?}" feed_rc="${?}"
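Review bot: the `[ ... ] && printf ...` chains that now close the MAC, IPv4 and IPv6 branches change what `feed_rc="${?}"` captures after the brace group: when a feed is not in the `forwardlan` direction the last test fails, the `if/elif/fi` compound returns that status, the redirected `{ ... } >"${tmp_nft}"` group returns 1, and `feed_rc` is non-zero for a feed whose rules were written correctly. The old `if ...; then ...; fi` form returned 0 on a false condition; keep that form for the last rule line of each branch, or end the group with a statement whose status reflects the actual write, so only real failures propagate to `feed_rc`. The same chains close the two `} >"${tmp_nft}"` groups in the restore path further down, so check whether their status is consumed there as well.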
@ -650,12 +675,9 @@ f_down() {
# input and forward rules # input and forward rules
# #
if [ "${feed_direction}" != "forward" ]; then [ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} ${log_input} counter drop"
printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} ${nft_loginput} counter drop" [ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip saddr @${feed} ${log_forwardwan} counter drop"
fi [ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ip daddr @${feed} ${log_forwardlan} counter reject with icmp type admin-prohibited"
if [ "${feed_direction}" != "input" ]; then
printf "%s\n" "add rule inet banIP lan-forward ip daddr @${feed} ${nft_logforward} counter reject with icmp type admin-prohibited"
fi
} >"${tmp_nft}" } >"${tmp_nft}"
elif [ "${feed_rc}" = "0" ] && [ "${proto}" = "6" ]; then elif [ "${feed_rc}" = "0" ] && [ "${proto}" = "6" ]; then
{ {
@ -667,12 +689,9 @@ f_down() {
# input and forward rules # input and forward rules
# #
if [ "${feed_direction}" != "forward" ]; then [ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} ${log_input} counter drop"
printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} ${nft_loginput} counter drop" [ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip6 saddr @${feed} ${log_forwardwan} counter drop"
fi [ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ip6 daddr @${feed} ${log_forwardlan} counter reject with icmpv6 type admin-prohibited"
if [ "${feed_direction}" != "input" ]; then
printf "%s\n" "add rule inet banIP lan-forward ip6 daddr @${feed} ${nft_logforward} counter reject with icmpv6 type admin-prohibited"
fi
} >"${tmp_nft}" } >"${tmp_nft}"
fi fi
fi fi
@ -741,12 +760,13 @@ f_restore() {
# remove disabled feeds # remove disabled feeds
# #
f_rmset() { f_rmset() {
local tmp_del table_sets input_handles forward_handles handle sets feed feed_log feed_rc local tmp_del table_sets input_handles forwardwan_handles forwardlan_handles handle sets feed feed_log feed_rc
tmp_del="${ban_tmpfile}.final.delete" tmp_del="${ban_tmpfile}.final.delete"
table_sets="$("${ban_nftcmd}" -t list table inet banIP 2>/dev/null | "${ban_awkcmd}" '/^[[:space:]]+set [[:alnum:]]+ /{printf "%s ",$2}' 2>/dev/null)" table_sets="$("${ban_nftcmd}" -t list table inet banIP 2>/dev/null | "${ban_awkcmd}" '/^[[:space:]]+set [[:alnum:]]+ /{printf "%s ",$2}' 2>/dev/null)"
input_handles="$("${ban_nftcmd}" -t --handle --numeric list chain inet banIP wan-input 2>/dev/null)" input_handles="$("${ban_nftcmd}" -t --handle --numeric list chain inet banIP wan-input 2>/dev/null)"
forward_handles="$("${ban_nftcmd}" -t --handle --numeric list chain inet banIP lan-forward 2>/dev/null)" forwardwan_handles="$("${ban_nftcmd}" -t --handle --numeric list chain inet banIP wan-forward 2>/dev/null)"
forwardlan_handles="$("${ban_nftcmd}" -t --handle --numeric list chain inet banIP lan-forward 2>/dev/null)"
{ {
printf "%s\n\n" "#!/usr/sbin/nft -f" printf "%s\n\n" "#!/usr/sbin/nft -f"
for feed in ${table_sets}; do for feed in ${table_sets}; do
@ -756,7 +776,9 @@ f_rmset() {
printf "%s\n" "flush set inet banIP ${feed}" printf "%s\n" "flush set inet banIP ${feed}"
handle="$(printf "%s\n" "${input_handles}" | "${ban_awkcmd}" "/@${feed} /{print \$NF}" 2>/dev/null)" handle="$(printf "%s\n" "${input_handles}" | "${ban_awkcmd}" "/@${feed} /{print \$NF}" 2>/dev/null)"
[ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP wan-input handle ${handle}" [ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP wan-input handle ${handle}"
handle="$(printf "%s\n" "${forward_handles}" | "${ban_awkcmd}" "/@${feed} /{print \$NF}" 2>/dev/null)" handle="$(printf "%s\n" "${forwardwan_handles}" | "${ban_awkcmd}" "/@${feed} /{print \$NF}" 2>/dev/null)"
[ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP wan-forward handle ${handle}"
handle="$(printf "%s\n" "${forwardlan_handles}" | "${ban_awkcmd}" "/@${feed} /{print \$NF}" 2>/dev/null)"
[ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP lan-forward handle ${handle}" [ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP lan-forward handle ${handle}"
printf "%s\n\n" "delete set inet banIP ${feed}" printf "%s\n\n" "delete set inet banIP ${feed}"
fi fi
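Review bot: the three handle lookups for wan-input, wan-forward and lan-forward are now copy-pasted with only the chain name and the `*_handles` variable differing; a loop over the chain names (listing the chain with `--handle --numeric` and deleting inside the loop) would keep f_rmset at one code path when further chains are added and would have made this change a one-line edit.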
@ -852,7 +874,7 @@ f_genstatus() {
fi fi
json_close_array json_close_array
json_add_string "run_info" "base_dir: ${ban_basedir}, backup_dir: ${ban_backupdir}, report_dir: ${ban_reportdir}, feed_archive: ${ban_feedarchive}" json_add_string "run_info" "base_dir: ${ban_basedir}, backup_dir: ${ban_backupdir}, report_dir: ${ban_reportdir}, feed_archive: ${ban_feedarchive}"
json_add_string "run_flags" "protocol (4/6): $(f_char ${ban_protov4})/$(f_char ${ban_protov6}), log (inp/fwd): $(f_char ${ban_loginput})/$(f_char ${ban_logforward}), deduplicate: $(f_char ${ban_deduplicate}), split: $(f_char ${split}), allowed only: $(f_char ${ban_allowlistonly})" json_add_string "run_flags" "protocol (4/6): $(f_char ${ban_protov4})/$(f_char ${ban_protov6}), log (wan-inp/wan-fwd/lan-fwd): $(f_char ${ban_loginput})/$(f_char ${ban_logforwardwan})/$(f_char ${ban_logforwardlan}), deduplicate: $(f_char ${ban_deduplicate}), split: $(f_char ${split}), allowed only: $(f_char ${ban_allowlistonly})"
json_add_string "last_run" "${runtime:-"-"}" json_add_string "last_run" "${runtime:-"-"}"
json_add_string "system_info" "cores: ${ban_cores}, memory: ${ban_memory}, device: ${ban_sysver}" json_add_string "system_info" "cores: ${ban_cores}, memory: ${ban_memory}, device: ${ban_sysver}"
json_dump >"${ban_basedir}/ban_runtime.json" json_dump >"${ban_basedir}/ban_runtime.json"
@ -885,7 +907,7 @@ f_getstatus() {
fi fi
value="$( value="$(
printf "%s" "${value}" | printf "%s" "${value}" |
awk '{NR=1;max=98;if(length($0)>max+1)while($0){if(NR==1){print substr($0,1,max)}else{printf"%-24s%s\n","",substr($0,1,max)}{$0=substr($0,max+1);NR=NR+1}}else print}' awk '{NR=1;max=118;if(length($0)>max+1)while($0){if(NR==1){print substr($0,1,max)}else{printf"%-24s%s\n","",substr($0,1,max)}{$0=substr($0,max+1);NR=NR+1}}else print}'
)" )"
printf " + %-17s : %s\n" "${key}" "${value:-"-"}" printf " + %-17s : %s\n" "${key}" "${value:-"-"}"
done done
@ -945,8 +967,8 @@ f_lookup() {
# banIP table statistics # banIP table statistics
# #
f_report() { f_report() {
local report_jsn report_txt set nft_raw nft_sets set_cnt set_input set_forward set_cntinput set_cntforward output="${1}" local report_jsn report_txt set tmp_val nft_raw nft_sets set_cnt set_input set_forwardwan set_forwardlan set_cntinput set_cntforwardwan set_cntforwardlan output="${1}"
local detail set_details jsnval timestamp autoadd_allow autoadd_block sum_sets sum_setinput sum_setforward sum_setelements sum_cntinput sum_cntforward local detail set_details jsnval timestamp autoadd_allow autoadd_block sum_sets sum_setinput sum_setforwardwan sum_setforwardlan sum_setelements sum_cntinput sum_cntforwardwan sum_cntforwardlan
[ -z "${ban_dev}" ] && f_conf [ -z "${ban_dev}" ] && f_conf
f_mkdir "${ban_reportdir}" f_mkdir "${ban_reportdir}"
@ -959,10 +981,12 @@ f_report() {
nft_sets="$(printf "%s" "${nft_raw}" | jsonfilter -qe '@.nftables[*].set.name')" nft_sets="$(printf "%s" "${nft_raw}" | jsonfilter -qe '@.nftables[*].set.name')"
sum_sets="0" sum_sets="0"
sum_setinput="0" sum_setinput="0"
sum_setforward="0" sum_setforwardwan="0"
sum_setforwardlan="0"
sum_setelements="0" sum_setelements="0"
sum_cntinput="0" sum_cntinput="0"
sum_cntforward="0" sum_cntforwardwan="0"
sum_cntforwardlan="0"
timestamp="$(date "+%Y-%m-%d %H:%M:%S")" timestamp="$(date "+%Y-%m-%d %H:%M:%S")"
: >"${report_jsn}" : >"${report_jsn}"
{ {
@ -972,30 +996,41 @@ f_report() {
set_cnt="$("${ban_nftcmd}" -j list set inet banIP "${set}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)" set_cnt="$("${ban_nftcmd}" -j list set inet banIP "${set}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)"
sum_setelements="$((sum_setelements + set_cnt))" sum_setelements="$((sum_setelements + set_cnt))"
set_cntinput="$(printf "%s" "${nft_raw}" | jsonfilter -qe "@.nftables[@.rule.chain=\"wan-input\"][@.expr[*].match.right=\"@${set}\"].expr[*].counter.packets")" set_cntinput="$(printf "%s" "${nft_raw}" | jsonfilter -qe "@.nftables[@.rule.chain=\"wan-input\"][@.expr[*].match.right=\"@${set}\"].expr[*].counter.packets")"
set_cntforward="$(printf "%s" "${nft_raw}" | jsonfilter -qe "@.nftables[@.rule.chain=\"lan-forward\"][@.expr[*].match.right=\"@${set}\"].expr[*].counter.packets")" set_cntforwardwan="$(printf "%s" "${nft_raw}" | jsonfilter -qe "@.nftables[@.rule.chain=\"wan-forward\"][@.expr[*].match.right=\"@${set}\"].expr[*].counter.packets")"
set_cntforwardlan="$(printf "%s" "${nft_raw}" | jsonfilter -qe "@.nftables[@.rule.chain=\"lan-forward\"][@.expr[*].match.right=\"@${set}\"].expr[*].counter.packets")"
if [ -n "${set_cntinput}" ]; then if [ -n "${set_cntinput}" ]; then
set_input="OK" set_input="OK"
sum_setinput="$((sum_setinput + 1))" sum_setinput="$((sum_setinput + 1))"
sum_cntinput="$((sum_cntinput + set_cntinput))" sum_cntinput="$((sum_cntinput + set_cntinput))"
else else
set_input="n/a" set_input="-"
set_cntinput="n/a" set_cntinput=""
fi fi
if [ -n "${set_cntforward}" ]; then if [ -n "${set_cntforwardwan}" ]; then
set_forward="OK" set_forwardwan="OK"
sum_setforward="$((sum_setforward + 1))" sum_setforwardwan="$((sum_setforwardwan + 1))"
sum_cntforward="$((sum_cntforward + set_cntforward))" sum_cntforwardwan="$((sum_cntforwardwan + set_cntforwardwan))"
else else
set_forward="n/a" set_forwardwan="-"
set_cntforward="n/a" set_cntforwardwan=""
fi
if [ -n "${set_cntforwardlan}" ]; then
set_forwardlan="OK"
sum_setforwardlan="$((sum_setforwardlan + 1))"
sum_cntforwardlan="$((sum_cntforwardlan + set_cntforwardlan))"
else
set_forwardlan="-"
set_cntforwardlan=""
fi fi
[ "${sum_sets}" -gt "0" ] && printf "%s\n" "," [ "${sum_sets}" -gt "0" ] && printf "%s\n" ","
printf "\t\t%s\n" "\"${set}\": {" printf "\t\t%s\n" "\"${set}\": {"
printf "\t\t\t%s\n" "\"cnt_elements\": \"${set_cnt}\"," printf "\t\t\t%s\n" "\"cnt_elements\": \"${set_cnt}\","
printf "\t\t\t%s\n" "\"input\": \"${set_input}\","
printf "\t\t\t%s\n" "\"forward\": \"${set_forward}\","
printf "\t\t\t%s\n" "\"cnt_input\": \"${set_cntinput}\"," printf "\t\t\t%s\n" "\"cnt_input\": \"${set_cntinput}\","
printf "\t\t\t%s\n" "\"cnt_forward\": \"${set_cntforward}\"" printf "\t\t\t%s\n" "\"input\": \"${set_input}\","
printf "\t\t\t%s\n" "\"cnt_forwardwan\": \"${set_cntforwardwan}\","
printf "\t\t\t%s\n" "\"wan_forward\": \"${set_forwardwan}\","
printf "\t\t\t%s\n" "\"cnt_forwardlan\": \"${set_cntforwardlan}\","
printf "\t\t\t%s\n" "\"lan_forward\": \"${set_forwardlan}\""
printf "\t\t%s" "}" printf "\t\t%s" "}"
sum_sets="$((sum_sets + 1))" sum_sets="$((sum_sets + 1))"
done done
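Review bot: the report JSON changes shape in this hunk: `forward`/`cnt_forward` become `wan_forward`/`cnt_forwardwan` plus `lan_forward`/`cnt_forwardlan`, the status placeholder moves from `n/a` to `-`, and a missing counter is now written as an empty string (`"cnt_input": ""`) instead of `n/a`. Anything that parses ban_report.json needs the same adaption, and the readme should list the new keys; emitting `0` instead of `""` for a chain that has no rule would also let consumers sum the counters without special-casing empty values.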
@ -1005,10 +1040,12 @@ f_report() {
printf "\t%s\n" "\"autoadd_block\": \"$("${ban_grepcmd}" -c "added on ${timestamp% *}" "${ban_blocklist}")\"," printf "\t%s\n" "\"autoadd_block\": \"$("${ban_grepcmd}" -c "added on ${timestamp% *}" "${ban_blocklist}")\","
printf "\t%s\n" "\"sum_sets\": \"${sum_sets}\"," printf "\t%s\n" "\"sum_sets\": \"${sum_sets}\","
printf "\t%s\n" "\"sum_setinput\": \"${sum_setinput}\"," printf "\t%s\n" "\"sum_setinput\": \"${sum_setinput}\","
printf "\t%s\n" "\"sum_setforward\": \"${sum_setforward}\"," printf "\t%s\n" "\"sum_setforwardwan\": \"${sum_setforwardwan}\","
printf "\t%s\n" "\"sum_setforwardlan\": \"${sum_setforwardlan}\","
printf "\t%s\n" "\"sum_setelements\": \"${sum_setelements}\"," printf "\t%s\n" "\"sum_setelements\": \"${sum_setelements}\","
printf "\t%s\n" "\"sum_cntinput\": \"${sum_cntinput}\"," printf "\t%s\n" "\"sum_cntinput\": \"${sum_cntinput}\","
printf "\t%s\n" "\"sum_cntforward\": \"${sum_cntforward}\"" printf "\t%s\n" "\"sum_cntforwardwan\": \"${sum_cntforwardwan}\","
printf "\t%s\n" "\"sum_cntforwardlan\": \"${sum_cntforwardlan}\""
printf "%s\n" "}" printf "%s\n" "}"
} >>"${report_jsn}" } >>"${report_jsn}"
@ -1023,10 +1060,12 @@ f_report() {
json_get_var autoadd_block "autoadd_block" >/dev/null 2>&1 json_get_var autoadd_block "autoadd_block" >/dev/null 2>&1
json_get_var sum_sets "sum_sets" >/dev/null 2>&1 json_get_var sum_sets "sum_sets" >/dev/null 2>&1
json_get_var sum_setinput "sum_setinput" >/dev/null 2>&1 json_get_var sum_setinput "sum_setinput" >/dev/null 2>&1
json_get_var sum_setforward "sum_setforward" >/dev/null 2>&1 json_get_var sum_setforwardwan "sum_setforwardwan" >/dev/null 2>&1
json_get_var sum_setforwardlan "sum_setforwardlan" >/dev/null 2>&1
json_get_var sum_setelements "sum_setelements" >/dev/null 2>&1 json_get_var sum_setelements "sum_setelements" >/dev/null 2>&1
json_get_var sum_cntinput "sum_cntinput" >/dev/null 2>&1 json_get_var sum_cntinput "sum_cntinput" >/dev/null 2>&1
json_get_var sum_cntforward "sum_cntforward" >/dev/null 2>&1 json_get_var sum_cntforwardwan "sum_cntforwardwan" >/dev/null 2>&1
json_get_var sum_cntforwardlan "sum_cntforwardlan" >/dev/null 2>&1
{ {
printf "%s\n%s\n%s\n" ":::" "::: banIP Set Statistics" ":::" printf "%s\n%s\n%s\n" ":::" "::: banIP Set Statistics" ":::"
printf "%s\n" " Timestamp: ${timestamp}" printf "%s\n" " Timestamp: ${timestamp}"
@ -1036,21 +1075,32 @@ f_report() {
json_select "sets" >/dev/null 2>&1 json_select "sets" >/dev/null 2>&1
json_get_keys nft_sets >/dev/null 2>&1 json_get_keys nft_sets >/dev/null 2>&1
if [ -n "${nft_sets}" ]; then if [ -n "${nft_sets}" ]; then
printf "%-25s%-16s%-16s%-16s%-16s%s\n" " Set" "| Set Elements" "| Chain Input" "| Chain Forward" "| Input Packets" "| Forward Packets" printf "%-25s%-15s%-24s%-24s%s\n" " Set" "| Elements" "| WAN-Input (packets)" "| WAN-Forward (packets)" "| LAN-Forward (packets)"
printf "%s\n" " ---------------------+---------------+---------------+---------------+---------------+----------------" printf "%s\n" " ---------------------+--------------+-----------------------+-----------------------+------------------------"
for set in ${nft_sets}; do for set in ${nft_sets}; do
printf " %-21s" "${set}" printf " %-21s" "${set}"
json_select "${set}" json_select "${set}"
json_get_keys set_details json_get_keys set_details
for detail in ${set_details}; do for detail in ${set_details}; do
json_get_var jsnval "${detail}" >/dev/null 2>&1 json_get_var jsnval "${detail}" >/dev/null 2>&1
printf "%-16s" "| ${jsnval}" case "${detail}" in
"cnt_elements")
printf "%-15s" "| ${jsnval}"
;;
"cnt_input" | "cnt_forwardwan" | "cnt_forwardlan")
[ -n "${jsnval}" ] && tmp_val=": ${jsnval}"
;;
*)
printf "%-24s" "| ${jsnval}${tmp_val}"
tmp_val=""
;;
esac
done done
printf "\n" printf "\n"
json_select ".." json_select ".."
done done
printf "%s\n" " ---------------------+---------------+---------------+---------------+---------------+----------------" printf "%s\n" " ---------------------+--------------+-----------------------+-----------------------+------------------------"
printf "%-25s%-16s%-16s%-16s%-16s%s\n" " ${sum_sets}" "| ${sum_setelements}" "| ${sum_setinput}" "| ${sum_setforward}" "| ${sum_cntinput}" "| ${sum_cntforward}" printf "%-25s%-15s%-24s%-24s%s\n" " ${sum_sets}" "| ${sum_setelements}" "| ${sum_setinput} (${sum_cntinput})" "| ${sum_setforwardwan} (${sum_cntforwardwan})" "| ${sum_setforwardlan} (${sum_cntforwardlan})"
fi fi
} >>"${report_txt}" } >>"${report_txt}"
fi fi
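Review bot: the `case` in the detail loop only renders correctly because `json_get_keys` hands back the keys in the order they were written (`cnt_input` before `input`, `cnt_forwardwan` before `wan_forward`, `cnt_forwardlan` before `lan_forward`), which is what lets `tmp_val` carry a packet count into the following status column; reading the six values explicitly with `json_get_var` instead of iterating over `set_details` would remove that ordering dependency and the `tmp_val` reset in the default branch. While the column widths are being touched: the header and the sum row pad the first column with `%-25s`, but the data rows use `" %-21s"` (22 columns) and the separator line puts its first `+` at column 23, so the header's `|` separators sit three columns right of the data rows and separator lines.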

View file

@ -8,7 +8,7 @@ local banip_info report_info log_info system_info mail_text
banip_info="$(/etc/init.d/banip status 2>/dev/null)" banip_info="$(/etc/init.d/banip status 2>/dev/null)"
report_info="$(cat ${ban_reportdir}/ban_report.txt 2>/dev/null)" report_info="$(cat ${ban_reportdir}/ban_report.txt 2>/dev/null)"
log_info="$("${ban_logreadcmd}" -l 100 -e "banIP_" 2>/dev/null | awk '{NR=1;max=120;if(length($0)>max+1)while($0){if(NR==1){print substr($0,1,max)}else{print substr($0,1,max)}{$0=substr($0,max+1);NR=NR+1}}else print}')" log_info="$("${ban_logreadcmd}" -l 100 -e "banIP/" 2>/dev/null | awk '{NR=1;max=140;if(length($0)>max+1)while($0){if(NR==1){print substr($0,1,max)}else{print substr($0,1,max)}{$0=substr($0,max+1);NR=NR+1}}else print}')"
system_info="$( system_info="$(
strings /etc/banner 2>/dev/null strings /etc/banner 2>/dev/null
ubus call system board | awk 'BEGIN{FS="[{}\"]"}{if($2=="kernel"||$2=="hostname"||$2=="system"||$2=="model"||$2=="description")printf " + %-12s: %s\n",$2,$4}' ubus call system board | awk 'BEGIN{FS="[{}\"]"}{if($2=="kernel"||$2=="hostname"||$2=="system"||$2=="model"||$2=="description")printf " + %-12s: %s\n",$2,$4}'
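Review bot: the logread filter changes from `-e "banIP_"` to `-e "banIP/"`, which only works if the tag the main script logs with changed the same way; that change is not in this diff, so please confirm it, otherwise the mail's log section comes back empty. The wrap width also moves from 120 to 140 here while f_getstatus moved from 98 to 118; if the two are meant to track each other, a shared variable would keep them from drifting apart.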