banip: release 0.8.6-1
* made the fetch utility function/autodetection more bullet proof * no longer add suspicious IPs to the local blocklist when the nft set timeout has been set * restructure internal functions & small fixes Signed-off-by: Dirk Brenken <dev@brenken.org>
This commit is contained in:
Dirk Brenken
parent
e64c643fb9
commit
4920d96df0
3 changed files with 111 additions and 98 deletions
|
|
@ -5,8 +5,8 @@
|
|||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=banip
|
||||
PKG_VERSION:=0.8.5
|
||||
PKG_RELEASE:=2
|
||||
PKG_VERSION:=0.8.6
|
||||
PKG_RELEASE:=1
|
||||
PKG_LICENSE:=GPL-3.0-or-later
|
||||
PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>
|
||||
|
||||
|
|
|
|||
|
|
@ -75,6 +75,7 @@ ban_fetchinsecure=""
|
|||
ban_fetchretry="5"
|
||||
ban_cores=""
|
||||
ban_memory=""
|
||||
ban_packages=""
|
||||
ban_trigger=""
|
||||
ban_triggerdelay="10"
|
||||
ban_resolver=""
|
||||
|
|
@ -90,8 +91,9 @@ f_system() {
|
|||
ban_debug="$(uci_get banip global ban_debug)"
|
||||
ban_cores="$(uci_get banip global ban_cores)"
|
||||
fi
|
||||
ban_packages="$(${ban_ubuscmd} -S call rpc-sys packagelist '{ "all": true }' 2>/dev/null)"
|
||||
ban_memory="$("${ban_awkcmd}" '/^MemAvailable/{printf "%s",int($2/1000)}' "/proc/meminfo" 2>/dev/null)"
|
||||
ban_ver="$(${ban_ubuscmd} -S call rpc-sys packagelist '{ "all": true }' 2>/dev/null | jsonfilter -ql1 -e '@.packages.banip')"
|
||||
ban_ver="$(printf "%s" "${ban_packages}" | jsonfilter -ql1 -e '@.packages.banip')"
|
||||
ban_sysver="$(${ban_ubuscmd} -S call system board 2>/dev/null | jsonfilter -ql1 -e '@.model' -e '@.release.description' |
|
||||
"${ban_awkcmd}" 'BEGIN{RS="";FS="\n"}{printf "%s, %s",$1,$2}')"
|
||||
if [ -z "${ban_cores}" ]; then
|
||||
|
|
@ -171,6 +173,19 @@ f_trim() {
|
|||
printf "%s" "${string}"
|
||||
}
|
||||
|
||||
# remove logservice
|
||||
#
|
||||
f_rmpid() {
|
||||
local ppid pid pids
|
||||
|
||||
ppid="$("${ban_catcmd}" "${ban_pidfile}" 2>/dev/null)"
|
||||
[ -n "${ppid}" ] && pids="$(pgrep -P "${ppid}" 2>/dev/null)" || return 0
|
||||
for pid in ${pids}; do
|
||||
kill -INT "${pid}" >/dev/null 2>&1
|
||||
done
|
||||
: >"${ban_pidfile}"
|
||||
}
|
||||
|
||||
# write log messages
|
||||
#
|
||||
f_log() {
|
||||
|
|
@ -253,30 +268,54 @@ f_conf() {
|
|||
[ "${ban_action}" = "boot" ] && [ -z "${ban_trigger}" ] && sleep ${ban_triggerdelay}
|
||||
}
|
||||
|
||||
# prepare fetch utility
|
||||
# get nft/monitor actuals
|
||||
#
|
||||
f_fetch() {
|
||||
local item utils packages insecure
|
||||
f_actual() {
|
||||
local nft monitor
|
||||
|
||||
if [ -z "${ban_fetchcmd}" ] || [ ! -x "$(command -v "${ban_fetchcmd}")" ]; then
|
||||
packages="$(${ban_ubuscmd} -S call rpc-sys packagelist '{ "all": true }' 2>/dev/null)"
|
||||
[ -z "${packages}" ] && f_log "err" "no local package repository"
|
||||
if "${ban_nftcmd}" -t list set inet banIP allowlistvMAC >/dev/null 2>&1; then
|
||||
nft="$(f_char "1")"
|
||||
else
|
||||
nft="$(f_char "0")"
|
||||
fi
|
||||
if pgrep -f "logread" -P "$("${ban_catcmd}" "${ban_pidfile}" 2>/dev/null)" >/dev/null 2>&1; then
|
||||
monitor="$(f_char "1")"
|
||||
else
|
||||
monitor="$(f_char "0")"
|
||||
fi
|
||||
printf "%s" "nft: ${nft}, monitor: ${monitor}"
|
||||
}
|
||||
|
||||
# get fetch utility
|
||||
#
|
||||
f_getfetch() {
|
||||
local item utils insecure update="0"
|
||||
|
||||
if { [ "${ban_fetchcmd}" = "uclient-fetch" ] && printf "%s" "${ban_packages}" | "${ban_grepcmd}" -q '"libustream-'; } ||
|
||||
{ [ "${ban_fetchcmd}" = "wget" ] && printf "%s" "${ban_packages}" | "${ban_grepcmd}" -q '"wget-ssl'; } ||
|
||||
[ "${ban_fetchcmd}" = "curl" ] || [ "${ban_fetchcmd}" = "aria2c" ]; then
|
||||
ban_fetchcmd="$(command -v "${ban_fetchcmd}")"
|
||||
else
|
||||
ban_fetchcmd=""
|
||||
fi
|
||||
|
||||
if [ "${ban_autodetect}" = "1" ] && [ ! -x "${ban_fetchcmd}" ]; then
|
||||
utils="aria2c curl wget uclient-fetch"
|
||||
for item in ${utils}; do
|
||||
if { [ "${item}" = "uclient-fetch" ] && printf "%s" "${packages}" | "${ban_grepcmd}" -q '"libustream-'; } ||
|
||||
{ [ "${item}" = "wget" ] && printf "%s" "${packages}" | "${ban_grepcmd}" -q '"wget-ssl'; } ||
|
||||
if { [ "${item}" = "uclient-fetch" ] && printf "%s" "${ban_packages}" | "${ban_grepcmd}" -q '"libustream-'; } ||
|
||||
{ [ "${item}" = "wget" ] && printf "%s" "${ban_packages}" | "${ban_grepcmd}" -q '"wget-ssl'; } ||
|
||||
[ "${item}" = "curl" ] || [ "${item}" = "aria2c" ]; then
|
||||
ban_fetchcmd="$(command -v "${item}")"
|
||||
if [ -x "${ban_fetchcmd}" ]; then
|
||||
uci_set banip global ban_fetchcmd "${ban_fetchcmd##*/}"
|
||||
update="1"
|
||||
uci_set banip global ban_fetchcmd "${item}"
|
||||
uci_commit "banip"
|
||||
break
|
||||
fi
|
||||
fi
|
||||
done
|
||||
else
|
||||
ban_fetchcmd="$(command -v "${ban_fetchcmd}")"
|
||||
fi
|
||||
|
||||
[ ! -x "${ban_fetchcmd}" ] && f_log "err" "no download utility with SSL support"
|
||||
case "${ban_fetchcmd##*/}" in
|
||||
"aria2c")
|
||||
|
|
@ -297,38 +336,7 @@ f_fetch() {
|
|||
;;
|
||||
esac
|
||||
|
||||
f_log "debug" "f_fetch ::: cmd: ${ban_fetchcmd:-"-"}, parm: ${ban_fetchparm:-"-"}"
|
||||
}
|
||||
|
||||
# remove logservice
|
||||
#
|
||||
f_rmpid() {
|
||||
local ppid pid pids
|
||||
|
||||
ppid="$("${ban_catcmd}" "${ban_pidfile}" 2>/dev/null)"
|
||||
[ -n "${ppid}" ] && pids="$(pgrep -P "${ppid}" 2>/dev/null)" || return 0
|
||||
for pid in ${pids}; do
|
||||
kill -INT "${pid}" >/dev/null 2>&1
|
||||
done
|
||||
: >"${ban_pidfile}"
|
||||
}
|
||||
|
||||
# get nft/monitor actuals
|
||||
#
|
||||
f_actual() {
|
||||
local nft monitor
|
||||
|
||||
if "${ban_nftcmd}" -t list set inet banIP allowlistvMAC >/dev/null 2>&1; then
|
||||
nft="$(f_char "1")"
|
||||
else
|
||||
nft="$(f_char "0")"
|
||||
fi
|
||||
if pgrep -f "logread" -P "$("${ban_catcmd}" "${ban_pidfile}" 2>/dev/null)" >/dev/null 2>&1; then
|
||||
monitor="$(f_char "1")"
|
||||
else
|
||||
monitor="$(f_char "0")"
|
||||
fi
|
||||
printf "%s" "nft: ${nft}, monitor: ${monitor}"
|
||||
f_log "debug" "f_getfetch ::: auto/update: ${ban_autodetect}/${update}, cmd: ${ban_fetchcmd:-"-"}, parm: ${ban_fetchparm:-"-"}"
|
||||
}
|
||||
|
||||
# get wan interfaces
|
||||
|
|
@ -1355,6 +1363,59 @@ f_mail() {
|
|||
f_log "debug" "f_mail ::: notification: ${ban_mailnotification}, template: ${ban_mailtemplate}, profile: ${ban_mailprofile}, receiver: ${ban_mailreceiver}, rc: ${?}"
|
||||
}
|
||||
|
||||
# log monitor
|
||||
#
|
||||
f_monitor() {
|
||||
local nft_expiry line proto ip log_raw log_count
|
||||
|
||||
if [ -x "${ban_logreadcmd}" ] && [ -n "${ban_logterm%%??}" ] && [ "${ban_loglimit}" != "0" ]; then
|
||||
f_log "info" "start detached banIP log service"
|
||||
[ -n "${ban_nftexpiry}" ] && nft_expiry="timeout $(printf "%s" "${ban_nftexpiry}" | "${ban_grepcmd}" -oE "([0-9]+[d|h|m|s])+$")"
|
||||
# read log continuously with given logterms
|
||||
#
|
||||
"${ban_logreadcmd}" -fe "${ban_logterm%%??}" 2>/dev/null |
|
||||
while read -r line; do
|
||||
proto=""
|
||||
# IPv4 log parsing
|
||||
#
|
||||
ip="$(printf "%s" "${line}" | "${ban_awkcmd}" 'BEGIN{RS="(([0-9]{1,3}\\.){3}[0-9]{1,3})+"}{if(!seen[RT]++)printf "%s ",RT}')"
|
||||
ip="$(f_trim "${ip}")"
|
||||
ip="${ip##* }"
|
||||
[ -n "${ip}" ] && proto="v4"
|
||||
if [ -z "${proto}" ]; then
|
||||
# IPv6 log parsing
|
||||
#
|
||||
ip="$(printf "%s" "${line}" | "${ban_awkcmd}" 'BEGIN{RS="([A-Fa-f0-9]{1,4}::?){3,7}[A-Fa-f0-9]{1,4}"}{if(!seen[RT]++)printf "%s ",RT}')"
|
||||
ip="$(f_trim "${ip}")"
|
||||
ip="${ip##* }"
|
||||
[ -n "${ip}" ] && proto="v6"
|
||||
fi
|
||||
if [ -n "${proto}" ] && ! "${ban_nftcmd}" get element inet banIP blocklist"${proto}" "{ ${ip} }" >/dev/null 2>&1; then
|
||||
f_log "info" "suspicious IP${proto} '${ip}'"
|
||||
log_raw="$("${ban_logreadcmd}" -l "${ban_loglimit}" 2>/dev/null)"
|
||||
log_count="$(printf "%s\n" "${log_raw}" | "${ban_grepcmd}" -c "suspicious IP${proto} '${ip}'")"
|
||||
if [ "${log_count}" -ge "${ban_logcount}" ]; then
|
||||
if "${ban_nftcmd}" add element inet banIP "blocklist${proto}" "{ ${ip} ${nft_expiry} }" >/dev/null 2>&1; then
|
||||
f_log "info" "add IP${proto} '${ip}' (expiry: ${ban_nftexpiry:-"-"}) to blocklist${proto} set"
|
||||
if [ -z "${ban_nftexpiry}" ] && [ "${ban_autoblocklist}" = "1" ] && ! "${ban_grepcmd}" -q "^${ip}" "${ban_blocklist}"; then
|
||||
printf "%-42s%s\n" "${ip}" "# added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_blocklist}"
|
||||
f_log "info" "add IP${proto} '${ip}' to local blocklist"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
done
|
||||
|
||||
# start detached no-op service loop
|
||||
#
|
||||
else
|
||||
f_log "info" "start detached no-op banIP service"
|
||||
while :; do
|
||||
sleep 1
|
||||
done
|
||||
fi
|
||||
}
|
||||
|
||||
# initial sourcing
|
||||
#
|
||||
if [ -r "/lib/functions.sh" ] && [ -r "/lib/functions/network.sh" ] && [ -r "/usr/share/libubox/jshn.sh" ]; then
|
||||
|
|
|
|||
|
|
@ -18,7 +18,7 @@ f_log "info" "start banIP processing (${ban_action})"
|
|||
f_log "debug" "f_system ::: system: ${ban_sysver:-"n/a"}, version: ${ban_ver:-"n/a"}, memory: ${ban_memory:-"0"}, cpu_cores: ${ban_cores}"
|
||||
f_genstatus "processing"
|
||||
f_tmp
|
||||
f_fetch
|
||||
f_getfetch
|
||||
f_getif
|
||||
f_getdev
|
||||
f_getuplink
|
||||
|
|
@ -93,7 +93,7 @@ for feed in allowlist ${ban_feed} blocklist; do
|
|||
eval json_get_var feed_"${object}" '${object}' >/dev/null 2>&1
|
||||
done
|
||||
json_select ..
|
||||
|
||||
|
||||
# skip incomplete feeds
|
||||
#
|
||||
if { { [ -n "${feed_url_4}" ] && [ -z "${feed_rule_4}" ]; } || { [ -z "${feed_url_4}" ] && [ -n "${feed_rule_4}" ]; }; } ||
|
||||
|
|
@ -162,54 +162,6 @@ fi
|
|||
json_cleanup
|
||||
rm -rf "${ban_lock}"
|
||||
|
||||
# start detached log service
|
||||
# start detached log service (infinite loop)
|
||||
#
|
||||
if [ -x "${ban_logreadcmd}" ] && [ -n "${ban_logterm%%??}" ] && [ "${ban_loglimit}" != "0" ]; then
|
||||
f_log "info" "start detached banIP log service"
|
||||
|
||||
nft_expiry="$(printf "%s" "${ban_nftexpiry}" | grep -oE "([0-9]+[h|m|s]$)")"
|
||||
[ -n "${nft_expiry}" ] && nft_expiry="timeout ${nft_expiry}"
|
||||
|
||||
# read log continuously with given logterms
|
||||
#
|
||||
"${ban_logreadcmd}" -fe "${ban_logterm%%??}" 2>/dev/null |
|
||||
while read -r line; do
|
||||
proto=""
|
||||
# IPv4 log parsing
|
||||
#
|
||||
ip="$(printf "%s" "${line}" | "${ban_awkcmd}" 'BEGIN{RS="(([0-9]{1,3}\\.){3}[0-9]{1,3})+"}{if(!seen[RT]++)printf "%s ",RT}')"
|
||||
ip="$(f_trim "${ip}")"
|
||||
ip="${ip##* }"
|
||||
[ -n "${ip}" ] && proto="v4"
|
||||
if [ -z "${proto}" ]; then
|
||||
# IPv6 log parsing
|
||||
#
|
||||
ip="$(printf "%s" "${line}" | "${ban_awkcmd}" 'BEGIN{RS="([A-Fa-f0-9]{1,4}::?){3,7}[A-Fa-f0-9]{1,4}"}{if(!seen[RT]++)printf "%s ",RT}')"
|
||||
ip="$(f_trim "${ip}")"
|
||||
ip="${ip##* }"
|
||||
[ -n "${ip}" ] && proto="v6"
|
||||
fi
|
||||
if [ -n "${proto}" ] && ! "${ban_nftcmd}" get element inet banIP blocklist"${proto}" "{ ${ip} }" >/dev/null 2>&1; then
|
||||
f_log "info" "suspicious IP${proto} '${ip}'"
|
||||
log_raw="$("${ban_logreadcmd}" -l "${ban_loglimit}" 2>/dev/null)"
|
||||
log_count="$(printf "%s\n" "${log_raw}" | grep -c "suspicious IP${proto} '${ip}'")"
|
||||
if [ "${log_count}" -ge "${ban_logcount}" ]; then
|
||||
if "${ban_nftcmd}" add element inet banIP "blocklist${proto}" "{ ${ip} ${nft_expiry} }" >/dev/null 2>&1; then
|
||||
f_log "info" "add IP${proto} '${ip}' (expiry: ${nft_expiry:-"-"}) to blocklist${proto} set"
|
||||
if [ "${ban_autoblocklist}" = "1" ] && ! grep -q "^${ip}" "${ban_blocklist}"; then
|
||||
printf "%-42s%s\n" "${ip}" "# added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_blocklist}"
|
||||
f_log "info" "add IP${proto} '${ip}' to local blocklist"
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
done
|
||||
|
||||
# start detached no-op service loop
|
||||
#
|
||||
else
|
||||
f_log "info" "start detached no-op banIP service"
|
||||
while :; do
|
||||
sleep 1
|
||||
done
|
||||
fi
|
||||
f_monitor
|
||||
|
|
|
|||
Loading…
Reference in a new issue