Difuse/packages
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

merge: upstream

Browse source
This commit is contained in:
hayzam 2023-02-22 07:50:47 +05:30
commit 6b1ee33b35
56 changed files with 2496 additions and 2696 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
lang/node/Makefile
View file

@ -8,12 +8,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=node
PKG_VERSION:=v16.17.1
PKG_VERSION:=v16.19.1
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=https://nodejs.org/dist/$(PKG_VERSION)
PKG_HASH:=6721feb4152d56d2c6b358ce397abd5a7f1daf09ee2e25c5021b9b4d3f86a330
PKG_HASH:=17fb716406198125b30c94dd3d1756207b297705626afe16d8dc479a65a1d8b5
PKG_MAINTAINER:=Hirokazu MORIKAWA <morikw2@gmail.com>, Adrian Panella <ianchi74@outlook.com>
PKG_LICENSE:=MIT

2
lang/node/patches/003-path.patch
View file

@ -1,6 +1,6 @@
--- a/lib/internal/modules/cjs/loader.js
+++ b/lib/internal/modules/cjs/loader.js
@@ -1261,7 +1261,8 @@ Module._initPaths = function() {
@@ -1326,7 +1326,8 @@ Module._initPaths = function() {
path.resolve(process.execPath, '..') :
path.resolve(process.execPath, '..', '..');

4
lang/python/django/Makefile
View file

@ -8,11 +8,11 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=django
PKG_VERSION:=4.1.5
PKG_VERSION:=4.1.7
PKG_RELEASE:=1
PYPI_NAME:=Django
PKG_HASH:=ff56ebd7ead0fd5dbe06fe157b0024a7aaea2e0593bb3785fb594cf94dad58ef
PKG_HASH:=44f714b81c5f190d9d2ddad01a532fe502fa01c4cb8faf1d081f4264ed15dcd8
PKG_MAINTAINER:=Alexandru Ardelean <ardeleanalex@gmail.com>, Peter Stadler <peter.stadler@student.uibk.ac.at>
PKG_LICENSE:=BSD-3-Clause

18
libs/gost_engine/Makefile
View file

@ -1,19 +1,27 @@
include $(TOPDIR)/rules.mk
include $(INCLUDE_DIR)/openssl-engine.mk
PKG_NAME:=gost_engine
PKG_VERSION:=1.1.0.3
PKG_RELEASE:=$(AUTORELEASE)
ifeq ($(ENGINES_DIR),engines-1.1)
PKG_VERSION:=1.1.0.3
PKG_HASH:=fff725052e82c9adb5b738729b30141f61ac91fa457a4f4b5de18b8b24092f75
PKG_LICENSE:=OpenSSL
PATCH_DIR=./patches-1.1
else
PKG_VERSION:=3.0.1
PKG_HASH:=bfeac85883724cfbe0ecc6d942ac0524b908143e019ab3d3b6abe47a3466a628
PKG_LICENSE:=Apache-2.0
PATCH_DIR=./patches-3
endif
PKG_RELEASE:=7
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://github.com/gost-engine/engine/archive/v$(PKG_VERSION)
PKG_HASH:=fff725052e82c9adb5b738729b30141f61ac91fa457a4f4b5de18b8b24092f75
PKG_MAINTAINER:=Artur Petrov <github@phpchain.ru>
PKG_LICENSE:=OpenSSL
include $(INCLUDE_DIR)/package.mk
include $(INCLUDE_DIR)/cmake.mk
include $(INCLUDE_DIR)/openssl-engine.mk
PKG_UNPACK:=$(HOST_TAR) -C "$(PKG_BUILD_DIR)" --strip-components=1 -xzf "$(DL_DIR)/$(PKG_SOURCE)"
PKG_INSTALL:=

0
libs/gost_engine/patches/010-openssl-deprecated.patch → libs/gost_engine/patches-1.1/010-openssl-deprecated.patch
View file

59
libs/gost_engine/patches-3/020-cmake-allow-cross-compile.patch Normal file
View file

@ -0,0 +1,59 @@
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -64,31 +64,35 @@ else()
add_definitions(-DL_ENDIAN)
endif()
-check_c_source_runs("
- #ifdef _MSC_VER
- # include <intrin.h>
- #else
- # include <x86intrin.h>
- #endif
- int main(void) {
- unsigned long long x = -1, y = 1, r;
- unsigned char cf;
- cf = _addcarry_u64(1, x, y, &r);
- return !(cf == 1 && r == 1);
- }
- " ADDCARRY_U64)
+if(NOT CMAKE_CROSSCOMPILING)
+ check_c_source_runs("
+ #ifdef _MSC_VER
+ # include <intrin.h>
+ #else
+ # include <x86intrin.h>
+ #endif
+ int main(void) {
+ unsigned long long x = -1, y = 1, r;
+ unsigned char cf;
+ cf = _addcarry_u64(1, x, y, &r);
+ return !(cf == 1 && r == 1);
+ }
+ " ADDCARRY_U64)
+
+ check_c_source_runs("
+ int main(void) {
+ char buf[16] = { 0, 1, 2 };
+ int *p = (int *)(buf + 1);
+ int *q = (int *)(buf + 2);
+ return (*p == *q);
+ }
+ " RELAXED_ALIGNMENT)
+endif()
+
if (ADDCARRY_U64)
add_definitions(-DHAVE_ADDCARRY_U64)
endif()
-check_c_source_runs("
- int main(void) {
- char buf[16] = { 0, 1, 2 };
- int *p = (int *)(buf + 1);
- int *q = (int *)(buf + 2);
- return (*p == *q);
- }
- " RELAXED_ALIGNMENT)
if (NOT RELAXED_ALIGNMENT)
add_definitions(-DSTRICT_ALIGNMENT)
endif()

56
libs/gost_engine/patches-3/030-dont-build-provider.patch Normal file
View file

@ -0,0 +1,56 @@
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -357,9 +357,11 @@ set_target_properties(lib_gost_engine PR
COMPILE_DEFINITIONS "BUILDING_ENGINE_AS_LIBRARY"
PUBLIC_HEADER gost-engine.h
OUTPUT_NAME "gost")
-target_link_libraries(lib_gost_engine PRIVATE gost_core gost_err)
+#target_link_libraries(lib_gost_engine PRIVATE gost_core gost_err)
+target_link_libraries(lib_gost_engine PRIVATE gost_core)
endif()
+if (0)
# The GOST provider uses this
add_subdirectory(libprov)
@@ -384,6 +386,7 @@ set_target_properties(lib_gost_prov PROP
)
target_link_libraries(lib_gost_prov PRIVATE gost_core libprov)
endif()
+endif()
set(GOST_SUM_SOURCE_FILES
gostsum.c
@@ -424,15 +427,15 @@ install(FILES gostsum.1 gost12sum.1 DEST
install(TARGETS gost_engine EXPORT GostEngineConfig
LIBRARY DESTINATION ${OPENSSL_ENGINES_DIR}
RUNTIME DESTINATION ${OPENSSL_ENGINES_DIR})
-install(TARGETS gost_prov EXPORT GostProviderConfig
- LIBRARY DESTINATION ${OPENSSL_MODULES_DIR}
- RUNTIME DESTINATION ${OPENSSL_MODULES_DIR})
+#install(TARGETS gost_prov EXPORT GostProviderConfig
+# LIBRARY DESTINATION ${OPENSSL_MODULES_DIR}
+# RUNTIME DESTINATION ${OPENSSL_MODULES_DIR})
if (NOT MSVC)
# install engine and provider in library form
install(TARGETS lib_gost_engine EXPORT GostEngineConfig
LIBRARY DESTINATION ${CMAKE_INSTALL_LIBDIR})
-install(TARGETS lib_gost_prov EXPORT GostProviderConfig
- LIBRARY DESTINATION ${CMAKE_INSTALL_LIBDIR})
+#install(TARGETS lib_gost_prov EXPORT GostProviderConfig
+# LIBRARY DESTINATION ${CMAKE_INSTALL_LIBDIR})
endif()
if (MSVC)
@@ -440,8 +443,8 @@ if (MSVC)
EXPORT GostEngineConfig DESTINATION ${CMAKE_INSTALL_BINDIR} OPTIONAL)
install(FILES $<TARGET_PDB_FILE:gost_engine>
EXPORT GostEngineConfig DESTINATION ${OPENSSL_ENGINES_DIR} OPTIONAL)
- install(FILES $<TARGET_PDB_FILE:gost_prov>
- EXPORT GostProviderConfig DESTINATION ${OPENSSL_MODULES_DIR} OPTIONAL)
+# install(FILES $<TARGET_PDB_FILE:gost_prov>
+# EXPORT GostProviderConfig DESTINATION ${OPENSSL_MODULES_DIR} OPTIONAL)
endif()
install(EXPORT GostEngineConfig DESTINATION GostEngine/share/cmake/GostEngine)
-install(EXPORT GostProviderConfig DESTINATION GostEngine/share/cmake/GostProvider)
+#install(EXPORT GostProviderConfig DESTINATION GostEngine/share/cmake/GostProvider)

6
libs/libgpiod/Makefile
View file

@ -8,12 +8,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=libgpiod
PKG_VERSION:=1.6.3
PKG_RELEASE:=2
PKG_VERSION:=1.6.4
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=@KERNEL/software/libs/libgpiod/
PKG_HASH:=841be9d788f00bab08ef22c4be5c39866f0e46cb100a3ae49ed816ac9c5dddc7
PKG_HASH:=7b146e12f28fbca3df7557f176eb778c5ccf952ca464698dba8a61b2e1e3f9b5
PKG_MAINTAINER:=Michael Heimpold <mhei@heimpold.de>
PKG_LICENSE:=LGPL-2.1-or-later

3
libs/libuhttpd/Makefile
View file

@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=libuhttpd
PKG_VERSION:=3.14.1
PKG_RELEASE:=$(AUTORELEASE)
PKG_RELEASE:=2
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL=https://github.com/zhaojh329/libuhttpd/releases/download/v$(PKG_VERSION)
@ -41,6 +41,7 @@ Package/libuhttpd-mbedtls=$(call Package/libuhttpd/Default,mbedtls,+PACKAGE_libu
Package/libuhttpd-nossl=$(call Package/libuhttpd/Default,nossl)
CMAKE_OPTIONS += -DBUILD_EXAMPLE=OFF
TARGET_CFLAGS += -Wno-error=deprecated-declarations
ifeq ($(BUILD_VARIANT),openssl)
CMAKE_OPTIONS += -DUSE_OPENSSL=ON

4
libs/nss/Makefile
View file

@ -7,14 +7,14 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=nss
PKG_VERSION:=3.85
PKG_VERSION:=3.88.1
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:= \
https://download.cdn.mozilla.net/pub/security/$(PKG_NAME)/releases/NSS_$(subst .,_,$(PKG_VERSION))_RTM/src \
https://archive.mozilla.org/pub/security/$(PKG_NAME)/releases/NSS_$(subst .,_,$(PKG_VERSION))_RTM/src
PKG_HASH:=afd9d64510b1154debbd6cab3571e9ff64a3373898e03483e4c85cdada13d297
PKG_HASH:=27d243edf87d1cf1bb9c861f03d387e0e9230ce5017f4308c941f558b54b3496
PKG_MAINTAINER:=Lucian Cristian <lucian.cristian@gmail.com>
PKG_LICENCE:=MPL-2.0

2
libs/nss/patches/010-nanosleep.patch
View file

@ -1,6 +1,6 @@
--- a/nss/lib/freebl/stubs.c
+++ b/nss/lib/freebl/stubs.c
@@ -500,7 +500,8 @@ extern PRStatus
@@ -501,7 +501,8 @@ extern PRStatus
PR_Sleep_stub(PRIntervalTime ticks)
{
STUB_SAFE_CALL1(PR_Sleep, ticks);

2
net/adblock/Makefile
View file

@ -7,7 +7,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=adblock
PKG_VERSION:=4.1.5
PKG_RELEASE:=5
PKG_RELEASE:=6
PKG_LICENSE:=GPL-3.0-or-later
PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>

2
net/adblock/files/README.md
View file

@ -30,7 +30,7 @@ A lot of people already use adblocker plugins within their desktop browsers, but
| lightswitch05 | | XL | compilation | [Link](https://github.com/lightswitch05/hosts) |
| notracking | | XL | tracking | [Link](https://github.com/notracking/hosts-blocklists) |
| oisd_big | | XXL | general | [Link](https://oisd.nl) |
| oisd_nsfw | | XL | general | [Link](https://oisd.nl) |
| oisd_nsfw | | XXL | porn | [Link](https://oisd.nl) |
| oisd_small | | L | general | [Link](https://oisd.nl) |
| openphish | | S | phishing | [Link](https://openphish.com) |
| phishing_army | | S | phishing | [Link](https://phishing.army) |

10
net/adblock/files/adblock.sources
View file

@ -133,21 +133,21 @@
"descurl": "https://github.com/notracking/hosts-blocklists"
},
"oisd_big": {
"url": "https://raw.githubusercontent.com/sjhgvr/oisd/main/dblw_big.txt",
"url": "https://big.oisd.nl/domainswild",
"rule": "BEGIN{FS=\"\\\\*.\"}/^\\*\\.([[:alnum:]_-]{1,63}\\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower($2)}",
"size": "XXL",
"focus": "general",
"descurl": "https://oisd.nl"
},
"oisd_nsfw": {
"url": "https://raw.githubusercontent.com/sjhgvr/oisd/main/dblw_nsfw.txt",
"url": "https://nsfw.oisd.nl/domainswild",
"rule": "BEGIN{FS=\"\\\\*.\"}/^\\*\\.([[:alnum:]_-]{1,63}\\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower($2)}",
"size": "XL",
"focus": "general",
"size": "XXL",
"focus": "porn",
"descurl": "https://oisd.nl"
},
"oisd_small": {
"url": "https://raw.githubusercontent.com/sjhgvr/oisd/main/dblw_small.txt",
"url": "https://small.oisd.nl/domainswild",
"rule": "BEGIN{FS=\"\\\\*.\"}/^\\*\\.([[:alnum:]_-]{1,63}\\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower($2)}",
"size": "L",
"focus": "general",

2
net/apfree-wifidog/Makefile
View file

@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=apfree-wifidog
PKG_VERSION:=4.08.1771
PKG_RELEASE:=6
PKG_RELEASE:=7
PKG_SOURCE_PROTO:=git
PKG_SOURCE_URL:=https://github.com/liudf0716/apfree_wifidog.git

53
net/apfree-wifidog/patches/010-support-openssl-3.0.patch Normal file
View file

@ -0,0 +1,53 @@
From 53a042836063e965f8df9fc85bb32e8e46da8a05 Mon Sep 17 00:00:00 2001
From: staylightblow8 <liudf0716@gmail.com>
Date: Thu, 20 Oct 2022 10:47:59 +0800
Subject: [PATCH] support openssl > 3.0
---
cmake/Modules/FindOpenSSL.cmake | 27 +++++++++++++++++++++++----
1 file changed, 23 insertions(+), 4 deletions(-)
--- a/cmake/Modules/FindOpenSSL.cmake
+++ b/cmake/Modules/FindOpenSSL.cmake
@@ -282,11 +282,11 @@ function(from_hex HEX DEC)
set(${DEC} ${_res} PARENT_SCOPE)
endfunction()
-if (OPENSSL_INCLUDE_DIR)
- if(OPENSSL_INCLUDE_DIR AND EXISTS "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h")
- file(STRINGS "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h" openssl_version_str
- REGEX "^# *define[\t ]+OPENSSL_VERSION_NUMBER[\t ]+0x([0-9a-fA-F])+.*")
+if(OPENSSL_INCLUDE_DIR AND EXISTS "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h")
+ file(STRINGS "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h" openssl_version_str
+ REGEX "^#[\t ]*define[\t ]+OPENSSL_VERSION_NUMBER[\t ]+0x([0-9a-fA-F])+.*")
+ if(openssl_version_str)
# The version number is encoded as 0xMNNFFPPS: major minor fix patch status
# The status gives if this is a developer or prerelease and is ignored here.
# Major, minor, and fix directly translate into the version numbers shown in
@@ -315,6 +315,25 @@ if (OPENSSL_INCLUDE_DIR)
endif ()
set(OPENSSL_VERSION "${OPENSSL_VERSION_MAJOR}.${OPENSSL_VERSION_MINOR}.${OPENSSL_VERSION_FIX}${OPENSSL_VERSION_PATCH_STRING}")
+ else ()
+ # Since OpenSSL 3.0.0, the new version format is MAJOR.MINOR.PATCH and
+ # a new OPENSSL_VERSION_STR macro contains exactly that
+ file(STRINGS "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h" OPENSSL_VERSION_STR
+ REGEX "^#[\t ]*define[\t ]+OPENSSL_VERSION_STR[\t ]+\"([0-9])+\\.([0-9])+\\.([0-9])+\".*")
+ string(REGEX REPLACE "^.*OPENSSL_VERSION_STR[\t ]+\"([0-9]+\\.[0-9]+\\.[0-9]+)\".*$"
+ "\\1" OPENSSL_VERSION_STR "${OPENSSL_VERSION_STR}")
+
+ set(OPENSSL_VERSION "${OPENSSL_VERSION_STR}")
+
+ # Setting OPENSSL_VERSION_MAJOR OPENSSL_VERSION_MINOR and OPENSSL_VERSION_FIX
+ string(REGEX MATCHALL "([0-9])+" OPENSSL_VERSION_NUMBER "${OPENSSL_VERSION}")
+ list(POP_FRONT OPENSSL_VERSION_NUMBER
+ OPENSSL_VERSION_MAJOR
+ OPENSSL_VERSION_MINOR
+ OPENSSL_VERSION_FIX)
+
+ unset(OPENSSL_VERSION_NUMBER)
+ unset(OPENSSL_VERSION_STR)
endif ()
endif ()

42
net/banip/Makefile
View file

@ -1,13 +1,14 @@
#
# Copyright (c) 2018-2021 Dirk Brenken (dev@brenken.org)
# banIP - ban incoming and outgoing ip adresses/subnets via sets in nftables
# Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org)
# This is free software, licensed under the GNU General Public License v3.
#
include $(TOPDIR)/rules.mk
PKG_NAME:=banip
PKG_VERSION:=0.7.10
PKG_RELEASE:=6
PKG_VERSION:=0.8.0
PKG_RELEASE:=4
PKG_LICENSE:=GPL-3.0-or-later
PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>
@ -16,23 +17,22 @@ include $(INCLUDE_DIR)/package.mk
define Package/banip
SECTION:=net
CATEGORY:=Network
TITLE:=Ban incoming and outgoing ip adresses via ipsets
DEPENDS:=+jshn +jsonfilter +ip +ipset +iptables +ca-bundle @BROKEN
TITLE:=banIP blocks IP addresses via named nftables sets
DEPENDS:=+jshn +jsonfilter +firewall4 +ca-bundle +logd +rpcd +rpcd-mod-rpcsys
PKGARCH:=all
endef
define Package/banip/description
Powerful banIP script to block ip addresses via ipsets.
The script supports many ip blacklist sites plus manual black- and whitelist overrides.
banIP blocks IP addresses via named nftables sets.
banIP supports many IP blocklist feeds and provides a log service to block suspicious IPs in realtime.
Please see https://github.com/openwrt/packages/blob/master/net/banip/files/README.md for further information.
endef
define Package/banip/conffiles
/etc/config/banip
/etc/banip/banip.maclist
/etc/banip/banip.blacklist
/etc/banip/banip.whitelist
/etc/banip/banip.allowlist
/etc/banip/banip.blocklist
endef
define Build/Prepare
@ -46,27 +46,23 @@ endef
define Package/banip/install
$(INSTALL_DIR) $(1)/usr/bin
$(INSTALL_BIN) ./files/banip.sh $(1)/usr/bin
$(INSTALL_BIN) ./files/banip-service.sh $(1)/usr/bin
$(INSTALL_DIR) $(1)/etc/init.d
$(INSTALL_BIN) ./files/banip.init $(1)/etc/init.d/banip
$(INSTALL_DIR) $(1)/usr/lib
$(INSTALL_CONF) ./files/banip-functions.sh $(1)/usr/lib
$(INSTALL_DIR) $(1)/etc/config
$(INSTALL_CONF) ./files/banip.conf $(1)/etc/config/banip
$(INSTALL_DIR) $(1)/etc/banip
$(INSTALL_BIN) ./files/banip.dns $(1)/etc/banip
$(INSTALL_BIN) ./files/banip.mail $(1)/etc/banip
$(INSTALL_BIN) ./files/banip.service $(1)/etc/banip
$(INSTALL_CONF) ./files/banip.maclist $(1)/etc/banip
$(INSTALL_CONF) ./files/banip.blacklist $(1)/etc/banip
$(INSTALL_CONF) ./files/banip.whitelist $(1)/etc/banip
$(INSTALL_CONF) ./files/banip.countries $(1)/etc/banip
$(INSTALL_CONF) ./files/banip.sources $(1)/etc/banip
gzip -9n $(1)/etc/banip/banip.sources
$(INSTALL_DIR) $(1)/etc/hotplug.d/firewall
$(INSTALL_DATA) ./files/banip.hotplug $(1)/etc/hotplug.d/firewall/30-banip
$(INSTALL_CONF) ./files/banip.tpl $(1)/etc/banip
$(INSTALL_CONF) ./files/banip.allowlist $(1)/etc/banip
$(INSTALL_CONF) ./files/banip.blocklist $(1)/etc/banip
$(INSTALL_CONF) ./files/banip.feeds $(1)/etc/banip
gzip -9n $(1)/etc/banip/banip.feeds
endef
$(eval $(call BuildPackage,banip))

552
net/banip/files/README.md
View file

@ -1,91 +1,103 @@
<!-- markdownlint-disable -->
# banIP - ban incoming and/or outgoing ip adresses via ipsets
# banIP - ban incoming and outgoing IP addresses/subnets via sets in nftables
## Description
IP address blocking is commonly used to protect against brute force attacks, prevent disruptive or unauthorized address(es) from access or it can be used to restrict access to or from a particular geographic area — for example.
IP address blocking is commonly used to protect against brute force attacks, prevent disruptive or unauthorized address(es) from access or it can be used to restrict access to or from a particular geographic area — for example. Further more banIP scans the log file via logread and bans IP addresses that make too many password failures, e.g. via ssh.
## Main Features
* Support of the following fully pre-configured domain blocklist sources (free for private usage, for commercial use please check their individual licenses)
* banIP supports the following fully pre-configured domain blocklist feeds (free for private usage, for commercial use please check their individual licenses).
**Please note:** the columns "INP" and "FWD" show for which chains the feeds are suitable in common scenarios, e.g. the first entry should be limited to forward chain - see the config options 'ban\_blockforward' and 'ban\_blockinput' below.
| Source | Focus | Information |
| :------------------ | :----------------------------: | :-------------------------------------------------------------------------------- |
| asn | ASN block | [Link](https://asn.ipinfo.app) |
| bogon | Bogon prefixes | [Link](https://team-cymru.com) |
| country | Country blocks | [Link](https://www.ipdeny.com/ipblocks) |
| darklist | blocks suspicious attacker IPs | [Link](https://darklist.de) |
| debl | Fail2ban IP blacklist | [Link](https://www.blocklist.de) |
| doh | Public DoH-Provider | [Link](https://github.com/dibdot/DoH-IP-blocklists) |
| drop | Spamhaus drop compilation | [Link](https://www.spamhaus.org) |
| dshield | Dshield IP blocklist | [Link](https://www.dshield.org) |
| edrop | Spamhaus edrop compilation | [Link](https://www.spamhaus.org) |
| feodo | Feodo Tracker | [Link](https://feodotracker.abuse.ch) |
| firehol1 | Firehol Level 1 compilation | [Link](https://iplists.firehol.org/?ipset=firehol_level1) |
| firehol2 | Firehol Level 2 compilation | [Link](https://iplists.firehol.org/?ipset=firehol_level2) |
| firehol3 | Firehol Level 3 compilation | [Link](https://iplists.firehol.org/?ipset=firehol_level3) |
| firehol4 | Firehol Level 4 compilation | [Link](https://iplists.firehol.org/?ipset=firehol_level4) |
| greensnow | blocks suspicious server IPs | [Link](https://greensnow.co) |
| iblockads | Advertising blocklist | [Link](https://www.iblocklist.com) |
| iblockspy | Malicious spyware blocklist | [Link](https://www.iblocklist.com) |
| myip | Myip Live IP blacklist | [Link](https://myip.ms) |
| nixspam | iX spam protection | [Link](http://www.nixspam.org) |
| proxy | Firehol list of open proxies | [Link](https://iplists.firehol.org/?ipset=proxylists) |
| ssbl | SSL botnet IP blacklist | [Link](https://sslbl.abuse.ch) |
| talos | Cisco Talos IP Blacklist | [Link](https://talosintelligence.com/reputation_center) |
| threat | Emerging Threats | [Link](https://rules.emergingthreats.net) |
| tor | Tor exit nodes | [Link](https://fissionrelays.net/lists) |
| uceprotect1 | Spam protection level 1 | [Link](http://www.uceprotect.net/en/index.php) |
| uceprotect2 | Spam protection level 2 | [Link](http://www.uceprotect.net/en/index.php) |
| voip | VoIP fraud blocklist | [Link](http://www.voipbl.org) |
| yoyo | Ad protection blacklist | [Link](https://pgl.yoyo.org/adservers/) |
| Feed | Focus | INP | FWD | Information |
| :------------------ | :----------------------------: | :-: | :-: | :-------------------------------------------------------------------- |
| adaway | adaway IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| adguard | adguard IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| adguardtrackers | adguardtracker IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| antipopads | antipopads IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| asn | ASN IPs | | x | [Link](https://asn.ipinfo.app) |
| backscatterer | backscatterer IPs | x | x | [Link](https://www.uceprotect.net/en/index.php) |
| bogon | bogon prefixes | x | x | [Link](https://team-cymru.com) |
| country | country blocks | x | | [Link](https://www.ipdeny.com/ipblocks) |
| cinsscore | suspicious attacker IPs | x | x | [Link](https://cinsscore.com/#list) |
| darklist | blocks suspicious attacker IPs | x | x | [Link](https://darklist.de) |
| debl | fail2ban IP blacklist | x | x | [Link](https://www.blocklist.de) |
| doh | public DoH-Provider | | x | [Link](https://github.com/dibdot/DoH-IP-blocklists) |
| drop | spamhaus drop compilation | x | x | [Link](https://www.spamhaus.org) |
| dshield | dshield IP blocklist | x | x | [Link](https://www.dshield.org) |
| edrop | spamhaus edrop compilation | x | x | [Link](https://www.spamhaus.org) |
| feodo | feodo tracker | x | x | [Link](https://feodotracker.abuse.ch) |
| firehol1 | firehol level 1 compilation | x | x | [Link](https://iplists.firehol.org/?ipset=firehol_level1) |
| firehol2 | firehol level 2 compilation | x | x | [Link](https://iplists.firehol.org/?ipset=firehol_level2) |
| firehol3 | firehol level 3 compilation | x | x | [Link](https://iplists.firehol.org/?ipset=firehol_level3) |
| firehol4 | firehol level 4 compilation | x | x | [Link](https://iplists.firehol.org/?ipset=firehol_level4) |
| greensnow | suspicious server IPs | x | x | [Link](https://greensnow.co) |
| iblockads | Advertising IPs | | x | [Link](https://www.iblocklist.com) |
| iblockspy | Malicious spyware IPs | x | x | [Link](https://www.iblocklist.com) |
| myip | real-time IP blocklist | x | x | [Link](https://myip.ms) |
| nixspam | iX spam protection | x | x | [Link](http://www.nixspam.org) |
| oisdnsfw | OISD-nsfw IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| oisdsmall | OISD-small IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| proxy | open proxies | x | | [Link](https://iplists.firehol.org/?ipset=proxylists) |
| ssbl | SSL botnet IPs | x | x | [Link](https://sslbl.abuse.ch) |
| stevenblack | stevenblack IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| talos | talos IPs | x | x | [Link](https://talosintelligence.com/reputation_center) |
| threat | emerging threats | x | x | [Link](https://rules.emergingthreats.net) |
| threatview | malicious IPs | x | x | [Link](https://threatview.io) |
| tor | tor exit nodes | x | | [Link](https://github.com/SecOps-Institute/Tor-IP-Addresses) |
| uceprotect1 | spam protection level 1 | x | x | [Link](http://www.uceprotect.net/en/index.php) |
| uceprotect2 | spam protection level 2 | x | x | [Link](http://www.uceprotect.net/en/index.php) |
| uceprotect3 | spam protection level 3 | x | x | [Link](http://www.uceprotect.net/en/index.php) |
| urlhaus | urlhaus IDS IPs | x | x | [Link](https://urlhaus.abuse.ch) |
| urlvir | malware related IPs | x | x | [Link](https://iplists.firehol.org/?ipset=urlvir) |
| webclient | malware related IPs | x | x | [Link](https://iplists.firehol.org/?ipset=firehol_webclient) |
| voip | VoIP fraud blocklist | x | x | [Link](https://voipbl.org) |
| yoyo | yoyo IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
* zero-conf like automatic installation & setup, usually no manual changes needed
* automatically selects one of the following supported download utilities: aria2c, curl, uclient-fetch, wget
* fast downloads & list processing as they are handled in parallel as background jobs in a configurable 'Download Queue'
* all sets are handled in a separate nft table/namespace 'banIP'
* full IPv4 and IPv6 support
* ipsets (one per source) are used to ban a large number of IP addresses
* supports blocking by ASN numbers
* supports blocking by iso country codes
* supports local black- & whitelist (IPv4, IPv6, CIDR notation or domain names)
* auto-add unsuccessful LuCI, nginx or ssh login attempts via 'dropbear'/'sshd' to local blacklist
* auto-add the uplink subnet to local whitelist
* black- and whitelist also accept domain names as input to allow IP filtering based on these names
* supports a 'whitelist only' mode, this option allows to restrict Internet access from/to a small number of secure websites/IPs
* supports nft atomic set loading
* supports blocking by ASN numbers and by iso country codes
* supports local allow- and blocklist (IPv4, IPv6, CIDR notation or domain names)
* auto-add the uplink subnet to the local allowlist
* provides a small background log monitor to ban unsuccessful login attempts in real-time
* per source configuration of SRC (incoming) and DST (outgoing)
* integrated IPSet-Lookup
* integrated bgpview-Lookup
* blocklist source parsing by fast & flexible regex rulesets
* minimal status & error logging to syslog, enable debug logging to receive more output
* procd based init system support (start/stop/restart/reload/refresh/status)
* procd network interface trigger support
* automatic blocklist backup & restore, they will be used in case of download errors or during startup
* auto-add unsuccessful LuCI, nginx, Asterisk or ssh login attempts to the local blocklist
* fast feed processing as they are handled in parallel as background jobs
* per feed it can be defined whether the input chain or the forward chain should be blocked (default: both chains)
* automatic blocklist backup & restore, the backups will be used in case of download errors or during startup
* automatically selects one of the following download utilities with ssl support: aria2c, curl, uclient-fetch or wget
* supports a 'allowlist only' mode, this option restricts internet access from/to a small number of secure websites/IPs
* provides comprehensive runtime information
* provides a detailed IPSet Report
* provides a powerful query function to quickly find blocked IPs/CIDR in banIP related IPSets
* provides an easily configurable blocklist update scheduler called 'Refresh Timer'
* strong LuCI support
* optional: add new banIP sources on your own
* provides a detailed set report
* provides a set search engine for certain IPs
* feed parsing by fast & flexible regex rulesets
* minimal status & error logging to syslog, enable debug logging to receive more output
* procd based init system support (start/stop/restart/reload/status/report/search)
* procd network interface trigger support
* ability to add new banIP feeds on your own
## Prerequisites
* [OpenWrt](https://openwrt.org), tested with the stable release series (21.02.x) and with the latest rolling snapshot releases. On turris devices it has been successfully tested with TurrisOS 5.2.x
<b>Please note:</b> Ancient OpenWrt releases like 18.06.x or 17.01.x are _not_ supported!
<b>Please note:</b> Devices with less than 128 MByte RAM are _not_ supported!
<b>Please note:</b> If you're updating from former banIP 0.3x please manually remove your config (/etc/config/banip) before you start!
* A download utility with SSL support: 'wget', 'uclient-fetch' with one of the 'libustream-*' ssl libraries, 'aria2c' or 'curl' is required
* A certificate store like 'ca-bundle', as banIP checks the validity of the SSL certificates of all download sites by default
* Optional E-Mail notification support: for E-Mail notifications you need to install and setup the additional 'msmtp' package
* **[OpenWrt](https://openwrt.org)**, latest stable release or a snapshot with nft/firewall 4 support
* a download utility with SSL support: 'wget', 'uclient-fetch' with one of the 'libustream-*' SSL libraries, 'aria2c' or 'curl' is required
* a certificate store like 'ca-bundle', as banIP checks the validity of the SSL certificates of all download sites by default
* for E-Mail notifications you need to install and setup the additional 'msmtp' package
**Please note the following:**
* Devices with less than 256Mb of RAM are **_not_** supported
* Any previous installation of banIP must be uninstalled, and the /etc/banip folder and the /etc/config/banip configuration file must be deleted (they are recreated when this version is installed)
* There is no LuCI frontend at this time
## Installation & Usage
* Update your local opkg repository (_opkg update_)
* Install 'banip' (_opkg install banip_). The banIP service is disabled by default
* Install the LuCI companion package 'luci-app-banip' (_opkg install luci-app-banip_)
* It's strongly recommended to use the LuCI frontend to easily configure all aspects of banIP, the application is located in LuCI under the 'Services' menu
* update your local opkg repository (_opkg update_)
* install banIP (_opkg install banip_) - the banIP service is disabled by default
* edit the config file '/etc/config/banip' and enable the service (set ban\_enabled to '1'), then add pre-configured feeds via 'ban\_feed' (see the config options below)
* start the service with '/etc/init.d/banip start' and check check everything is working by running '/etc/init.d/banip status'
## banIP CLI
* All important banIP functions are accessible via CLI as well.
<pre><code>
~# /etc/init.d/banip
## banIP CLI interface
* All important banIP functions are accessible via CLI. A LuCI frontend will be available in due course.
```
~# /etc/init.d/banip
Syntax: /etc/init.d/banip [command]
Available commands:
@ -96,259 +108,151 @@ Available commands:
enable Enable service autostart
disable Disable service autostart
enabled Check if service is started on boot
refresh Refresh ipsets without new list downloads
suspend Suspend banIP processing
resume Resume banIP processing
query &lt;IP&gt; Query active banIP IPSets for a specific IP address
report [&lt;cli&gt;|&lt;mail&gt;|&lt;gen&gt;|&lt;json&gt;] Print banIP related IPset statistics
list [&lt;add&gt;|&lt;add_asn&gt;|&lt;add_country&gt;|&lt;remove>|&lt;remove_asn&gt;|&lt;remove_country&gt;] &lt;source(s)&gt; List/Edit available sources
timer [&lt;add&gt; &lt;tasks&gt; &lt;hour&gt; [&lt;minute&gt;] [&lt;weekday&gt;]]|[&lt;remove&gt; &lt;line no.&gt;] List/Edit cron update intervals
version Print version information
report [text|json|mail] Print banIP related set statistics
search [<IPv4 address>|<IPv6 address>] Check if an element exists in the banIP sets
running Check if service is running
status Service status
trace Start with syscall trace
</code></pre>
info Dump procd service info
```
## banIP config options
* Usually the auto pre-configured banIP setup works quite well and no manual overrides are needed
| Option | Type | Default | Description |
| :---------------------- | :----- | :---------------------------- | :------------------------------------------------------------------------------------ |
| ban_enabled | option | 0 | enable the banIP service |
| ban_nicelimit | option | 0 | ulimit nice level of the banIP service (range 0-19) |
| ban_filelimit | option | 1024 | ulimit max open/number of files (range 1024-4096) |
| ban_loglimit | option | 100 | the logread monitor scans only the last n lines of the logfile |
| ban_logcount | option | 1 | how many times the IP must appear in the log to be considered as suspicious |
| ban_logterm | list | regex | various regex for logfile parsing (default: dropbear, sshd, luci, nginx, asterisk) |
| ban_autodetect | option | 1 | auto-detect wan interfaces, devices and subnets |
| ban_debug | option | 0 | enable banIP related debug logging |
| ban_mail_enabled | option | 0 | enable the mail service |
| ban_monitor_enabled | option | 0 | enable the log monitor, e.g. to catch failed ssh/luci logins |
| ban_logsrc_enabled | option | 0 | enable the src-related logchain |
| ban_logdst_enabled | option | 0 | enable the dst-related logchain |
| ban_autoblacklist | option | 1 | add suspicious IPs automatically to the local blacklist |
| ban_autowhitelist | option | 1 | add wan IPs/subnets automatically to the local whitelist |
| ban_whitelistonly | option | 0 | allow to restrict Internet access from/to a small number of secure websites/IPs |
| ban_maxqueue | option | 4 | size of the download queue to handle downloads and processing in parallel |
| ban_reportdir | option | /tmp/banIP-Report | directory where banIP stores the report files |
| ban_backupdir | option | /tmp/banIP-Backup | directory where banIP stores the compressed backup files |
| ban_ifaces | list | - | list option to add logical wan interfaces manually |
| ban_sources | list | - | list option to add banIP sources |
| ban_countries | list | - | list option to add certain countries as an alpha-2 ISO code, e.g. 'de' for germany |
| ban_asns | list | - | list option to add certain ASNs (autonomous system number), e.g. '32934' for facebook |
| ban_chain | option | banIP | name of the root chain used by banIP |
| ban_global_settype | option | src+dst | global settype as default for all sources |
| ban_settype_src | list | - | special SRC settype for a certain sources |
| ban_settype_dst | list | - | special DST settype for a certain sources |
| ban_settype_all | list | - | special SRC+DST settype for a certain sources |
| ban_target_src | option | DROP | default src action (used by log chains as well) |
| ban_target_dst | option | REJECT | default dst action (used by log chains as well) |
| ban_lan_inputchains_4 | list | input_lan_rule | list option to add IPv4 lan input chains |
| ban_lan_inputchains_6 | list | input_lan_rule | list option to add IPv6 lan input chains |
| ban_lan_forwardchains_4 | list | forwarding_lan_rule | list option to add IPv4 lan forward chains |
| ban_lan_forwardchains_6 | list | forwarding_lan_rule | list option to add IPv6 lan forward chains |
| ban_wan_inputchains_4 | list | input_wan_rule | list option to add IPv4 wan input chains |
| ban_wan_inputchains_6 | list | input_wan_rule | list option to add IPv6 wan input chains |
| ban_wan_forwardchains_4 | list | forwarding_wan_rule | list option to add IPv4 wan forward chains |
| ban_wan_forwardchains_6 | list | forwarding_wan_rule | list option to add IPv6 wan forward chains |
| ban_fetchutil | option | -, auto-detected | 'uclient-fetch', 'wget', 'curl' or 'aria2c' |
| ban_fetchparm | option | -, auto-detected | manually override the config options for the selected download utility |
| ban_fetchinsecure | option | 0, disabled | don't check SSL server certificates during download |
| ban_loginput | option | 1 | log drops in the input chain |
| ban_logforward | option | 0 | log rejects in the forward chain |
| ban_autoallowlist | option | 1 | add wan IPs/subnets automatically to the local allowlist |
| ban_autoblocklist | option | 1 | add suspicious attacker IPs automatically to the local blocklist |
| ban_allowlistonly | option | 0 | restrict the internet access from/to a small number of secure websites/IPs |
| ban_reportdir | option | /tmp/banIP-report | directory where banIP stores the report files |
| ban_backupdir | option | /tmp/banIP-backup | directory where banIP stores the compressed backup files |
| ban_protov4 | option | - / autodetect | enable IPv4 support |
| ban_protov6 | option | - / autodetect | enable IPv4 support |
| ban_ifv4 | list | - / autodetect | logical wan IPv4 interfaces, e.g. 'wan' |
| ban_ifv6 | list | - / autodetect | logical wan IPv6 interfaces, e.g. 'wan6' |
| ban_dev | list | - / autodetect | wan device(s), e.g. 'eth2' |
| ban_trigger | list | - | logical startup trigger interface(s), e.g. 'wan' |
| ban_triggerdelay | option | 10 | trigger timeout before banIP processing begins |
| ban_deduplicate | option | 1 | deduplicate IP addresses across all active sets |
| ban_splitsize | option | 0 | split ext. sets after every n lines/members (saves RAM) |
| ban_cores | option | - / autodetect | limit the cpu cores used by banIP (saves RAM) |
| ban_nftexpiry | option | - | expiry time for auto added blocklist members, e.g. '5m', '2h' or '1d' |
| ban_nftpriority | option | -200 | nft banIP table priority (default is the prerouting table priority) |
| ban_feed | list | - | external download feeds, e.g. 'yoyo', 'doh', 'country' or 'talos' (see feed table) |
| ban_asn | list | - | ASNs for the 'asn' feed, e.g.'32934' |
| ban_country | list | - | country iso codes for the 'country' feed, e.g. 'ru' |
| ban_blockinput | list | - | limit a feed to the input chain, e.g. 'country' |
| ban_blockforward | list | - | limit a feed to the forward chain, e.g. 'doh' |
| ban_fetchcmd | option | - / autodetect | 'uclient-fetch', 'wget', 'curl' or 'aria2c' |
| ban_fetchparm | option | - / autodetect | set the config options for the selected download utility |
| ban_fetchinsecure | option | 0 | don't check SSL server certificates during download |
| ban_mailreceiver | option | - | receiver address for banIP related notification E-Mails |
| ban_mailsender | option | no-reply@banIP | sender address for banIP related notification E-Mails |
| ban_mailtopic | option | banIP notification | topic for banIP related notification E-Mails |
| ban_mailprofile | option | ban_notify | mail profile used in 'msmtp' for banIP related notification E-Mails |
| ban_srcarc | option | /etc/banip/banip.sources.gz | full path to the compressed source archive file used by banIP |
| ban_localsources | list | maclist, whitelist, blacklist | limit the selection to certain local sources |
| ban_extrasources | list | - | add additional, non-banIP related IPSets e.g. for reporting or queries |
| ban_maclist_timeout | option | - | individual maclist IPSet timeout |
| ban_whitelist_timeout | option | - | individual whitelist IPSet timeout |
| ban_blacklist_timeout | option | - | individual blacklist IPSet timeout |
| ban_logterms | list | dropbear, sshd, luci, nginx | limit the log monitor to certain log terms |
| ban_loglimit | option | 100 | parse only the last stated number of log entries for suspicious events |
| ban_ssh_logcount | option | 3 | number of the failed ssh login repetitions of the same ip in the log before banning |
| ban_luci_logcount | option | 3 | number of the failed luci login repetitions of the same ip in the log before banning |
| ban_nginx_logcount | option | 5 | number of the failed nginx requests of the same ip in the log before banning |
## Examples
**list/edit banIP sources:**
<pre><code>
~# /etc/init.d/banip list
::: Available banIP sources
:::
Name Enabled Focus Info URL
---------------------------------------------------------------------------
+ asn ASN blocks https://asn.ipinfo.app
+ bogon Bogon prefixes https://team-cymru.com
+ country x Country blocks https://www.ipdeny.com/ipblocks
+ darklist x Blocks suspicious attacker IPs https://darklist.de
+ debl x Fail2ban IP blacklist https://www.blocklist.de
+ doh x Public DoH-Provider https://github.com/dibdot/DoH-IP-blocklists
+ drop x Spamhaus drop compilation https://www.spamhaus.org
+ dshield x Dshield IP blocklist https://www.dshield.org
+ edrop Spamhaus edrop compilation https://www.spamhaus.org
+ feodo x Feodo Tracker https://feodotracker.abuse.ch
+ firehol1 x Firehol Level 1 compilation https://iplists.firehol.org/?ipset=firehol_level1
+ firehol2 Firehol Level 2 compilation https://iplists.firehol.org/?ipset=firehol_level2
+ firehol3 Firehol Level 3 compilation https://iplists.firehol.org/?ipset=firehol_level3
+ firehol4 Firehol Level 4 compilation https://iplists.firehol.org/?ipset=firehol_level4
+ greensnow x Blocks suspicious server IPs https://greensnow.co
+ iblockads Advertising blocklist https://www.iblocklist.com
+ iblockspy x Malicious spyware blocklist https://www.iblocklist.com
+ myip Myip Live IP blacklist https://myip.ms
+ nixspam x iX spam protection http://www.nixspam.org
+ proxy Firehol list of open proxies https://iplists.firehol.org/?ipset=proxylists
+ sslbl x SSL botnet IP blacklist https://sslbl.abuse.ch
+ talos x Cisco Talos IP Blacklist https://talosintelligence.com/reputation_center
+ threat x Emerging Threats https://rules.emergingthreats.net
+ tor x Tor exit nodes https://fissionrelays.net/lists
+ uceprotect1 x Spam protection level 1 http://www.uceprotect.net/en/index.php
+ uceprotect2 Spam protection level 2 http://www.uceprotect.net/en/index.php
+ voip x VoIP fraud blocklist http://www.voipbl.org
+ yoyo x Ad protection blacklist https://pgl.yoyo.org/adservers/
---------------------------------------------------------------------------
* Configured ASNs: -
* Configured Countries: af, bd, br, cn, hk, hu, id, il, in, iq, ir, kp, kr, no, pk, pl, ro, ru, sa, th, tr, ua, gb
</code></pre>
**receive banIP runtime information:**
<pre><code>
~# /etc/init.d/banip status
::: banIP runtime information
+ status : enabled
+ version : 0.7.7
+ ipset_info : 2 IPSets with 30 IPs/Prefixes
+ active_sources : whitelist
+ active_devs : wlan0
+ active_ifaces : trm_wwan, trm_wwan6
+ active_logterms : dropbear, sshd, luci, nginx
+ active_subnets : xxx.xxx.xxx.xxx/24, xxxx:xxxx:xxxx:xx::xxx/128
+ run_infos : settype: src+dst, backup_dir: /tmp/banIP-Backup, report_dir: /tmp/banIP-Report
+ run_flags : protocols (4/6): ✔/✔, log (src/dst): ✔/✘, monitor: ✔, mail: ✘, whitelist only: ✔
+ last_run : restart, 0m 3s, 122/30/14, 21.04.2021 20:14:36
+ system : TP-Link RE650 v1, OpenWrt SNAPSHOT r16574-f7e00d81bc
</code></pre>
**black-/whitelist handling:**
banIP supports a local black & whitelist (IPv4, IPv6, CIDR notation or domain names), located by default in /etc/banip/banip.whitelist and /etc/banip/banip.blacklist.
Unsuccessful LuCI logins, suspicious nginx request or ssh login attempts via 'dropbear'/'sshd' could be tracked and automatically added to the local blacklist (see the 'ban_autoblacklist' option). Furthermore the uplink subnet could be automatically added to local whitelist (see 'ban_autowhitelist' option). The list behaviour could be further tweaked with different timeout and counter options (see the config options section above).
Last but not least, both lists also accept domain names as input to allow IP filtering based on these names. The corresponding IPs (IPv4 & IPv6) will be resolved in a detached background process and added to the IPsets. The detached name lookup takes place only during 'restart' or 'reload' action, 'start' and 'refresh' actions are using an auto-generated backup instead.
**whitelist-only mode:**
banIP supports a "whitelist only" mode. This option allows to restrict the internet access from/to a small number of secure websites/IPs, and block access from/to the rest of the internet. All IPs and Domains which are _not_ listed in the whitelist are blocked. Please note: suspend/resume does not work in this mode.
**Manually override the download options:**
By default banIP uses the following pre-configured download options:
* aria2c: <code>--timeout=20 --allow-overwrite=true --auto-file-renaming=false --log-level=warn --dir=/ -o</code>
* curl: <code>--connect-timeout 20 --silent --show-error --location -o</code>
* uclient-fetch: <code>--timeout=20 -O</code>
* wget: <code>--no-cache --no-cookies --max-redirect=0 --timeout=20 -O</code>
| ban_resolver | option | - | external resolver used for DNS lookups |
| ban_feedarchive | option | /etc/banip/banip.feeds.gz | full path to the compressed feed archive file used by banIP |
To override the default set 'ban_fetchparm' manually to your needs.
**generate an IPSet report:**
<pre><code>
## Examples
**banIP report information**
```
~# /etc/init.d/banip report
:::
::: report on all banIP related IPSets
::: banIP Set Statistics
:::
+ Report timestamp ::: 04.02.2021 06:24:41
+ Number of all IPSets ::: 24
+ Number of all entries ::: 302448
+ Number of IP entries ::: 224748
+ Number of CIDR entries ::: 77700
+ Number of MAC entries ::: 0
+ Number of accessed entries ::: 36
Timestamp: 2023-02-08 22:12:40
------------------------------
auto-added to allowlist: 1
auto-added to blocklist: 0
Set | Set Elements | Chain Input | Chain Forward | Input Packets | Forward Packets
---------------------+---------------+---------------+---------------+---------------+----------------
allowlistvMAC | 0 | n/a | OK | n/a | 0
allowlistv4 | 1 | OK | OK | 0 | 0
allowlistv6 | 0 | OK | OK | 0 | 0
blocklistvMAC | 0 | n/a | OK | n/a | 0
blocklistv4 | 0 | OK | OK | 0 | 0
blocklistv6 | 0 | OK | OK | 0 | 0
dohv4 | 542 | n/a | OK | n/a | 22
adguardv4 | 23007 | n/a | OK | n/a | 18
yoyov4 | 1936 | n/a | OK | n/a | 1
oisdbasicv4 | 26000 | n/a | OK | n/a | 325
---------------------+---------------+---------------+---------------+---------------+----------------
10 | 51486 | 4 | 10 | 0 | 366
```
**banIP runtime information**
```
~# etc/init.d/banip status
::: banIP runtime information
+ status : active
+ version : 0.8.0
+ element_count : 51486
+ active_feeds : allowlistvMAC, allowlistv4, allowlistv6, blocklistvMAC, blocklistv4, blocklistv6, dohv4, adguardv4
, yoyov4, oisdbasicv4
+ active_devices : eth2
+ active_interfaces : wan
+ active_subnets : 192.168.98.107/24
+ run_info : base_dir: /tmp, backup_dir: /tmp/banIP-backup, report_dir: /tmp/banIP-report, feed_archive: /etc/b
anip/banip.feeds.gz
+ run_flags : protocol (4/6): ✔/✘, log (inp/fwd): ✔/✘, deduplicate: ✔, split: ✘, allowed only: ✘
+ last_run : action: start, duration: 0m 15s, date: 2023-02-08 22:12:46
+ system_info : cores: 2, memory: 3614, device: PC Engines apu1, OpenWrt SNAPSHOT r21997-b5193291bd
```
**banIP search information**
```
~# /etc/init.d/banip search 221.228.105.173
:::
::: IPSet details
::: banIP Search
:::
Name Type Count Cnt_IP Cnt_CIDR Cnt_MAC Cnt_ACC Entry details (Entry/Count)
--------------------------------------------------------------------------------------------------------------------
whitelist_4 src+dst 1 0 1 0 1
xxx.xxxx.xxx.xxxx/24 85
--------------------------------------------------------------------------------------------------------------------
whitelist_6 src+dst 2 0 2 0 1
xxxx:xxxx:xxxx::/64 29
--------------------------------------------------------------------------------------------------------------------
blacklist_4 src+dst 513 513 0 0 2
192.35.168.16 3
80.82.65.74 1
--------------------------------------------------------------------------------------------------------------------
blacklist_6 src+dst 1 1 0 0 0
--------------------------------------------------------------------------------------------------------------------
country_4 src 52150 0 52150 0 23
124.5.0.0/16 1
95.188.0.0/14 1
121.16.0.0/12 1
46.161.0.0/18 1
42.56.0.0/14 1
113.64.0.0/10 1
113.252.0.0/14 1
5.201.128.0/17 1
125.64.0.0/11 1
90.188.0.0/15 1
60.0.0.0/11 1
78.160.0.0/11 1
1.80.0.0/12 1
183.184.0.0/13 1
175.24.0.0/14 1
119.176.0.0/12 1
59.88.0.0/13 1
103.78.12.0/22 1
123.128.0.0/13 1
116.224.0.0/12 1
42.224.0.0/12 1
82.80.0.0/15 1
14.32.0.0/11 1
--------------------------------------------------------------------------------------------------------------------
country_6 src 20099 0 20099 0 0
--------------------------------------------------------------------------------------------------------------------
debl_4 src+dst 29389 29389 0 0 1
5.182.210.16 4
--------------------------------------------------------------------------------------------------------------------
debl_6 src+dst 64 64 0 0 0
--------------------------------------------------------------------------------------------------------------------
doh_4 src+dst 168 168 0 0 0
--------------------------------------------------------------------------------------------------------------------
doh_6 src+dst 122 122 0 0 0
--------------------------------------------------------------------------------------------------------------------
drop_4 src+dst 965 0 965 0 0
--------------------------------------------------------------------------------------------------------------------
drop_6 src+dst 36 0 36 0 0
--------------------------------------------------------------------------------------------------------------------
dshield_4 src+dst 20 0 20 0 1
89.248.165.0/24 1
--------------------------------------------------------------------------------------------------------------------
feodo_4 src+dst 325 325 0 0 0
--------------------------------------------------------------------------------------------------------------------
firehol1_4 src+dst 2763 403 2360 0 0
--------------------------------------------------------------------------------------------------------------------
iblockspy_4 src+dst 3650 2832 818 0 0
--------------------------------------------------------------------------------------------------------------------
nixspam_4 src+dst 9577 9577 0 0 0
--------------------------------------------------------------------------------------------------------------------
sslbl_4 src+dst 104 104 0 0 0
--------------------------------------------------------------------------------------------------------------------
threat_4 src+dst 1300 315 985 0 0
--------------------------------------------------------------------------------------------------------------------
tor_4 src+dst 1437 1437 0 0 0
--------------------------------------------------------------------------------------------------------------------
tor_6 src+dst 478 478 0 0 0
--------------------------------------------------------------------------------------------------------------------
uceprotect1_4 src+dst 156249 156249 0 0 6
192.241.220.137 1
128.14.137.178 1
61.219.11.153 1
138.34.32.33 1
107.174.133.130 2
180.232.99.46 1
--------------------------------------------------------------------------------------------------------------------
voip_4 src+dst 12563 12299 264 0 0
--------------------------------------------------------------------------------------------------------------------
yoyo_4 src+dst 10472 10472 0 0 1
204.79.197.200 2
--------------------------------------------------------------------------------------------------------------------
</code></pre>
**Enable E-Mail notification via 'msmtp':**
To use the email notification you have to install & configure the package 'msmtp'.
Looking for IP 221.228.105.173 on 2023-02-08 22:12:48
---
IP found in set oisdbasicv4
```
**allow-/blocklist handling**
banIP supports local allow and block lists (IPv4, IPv6, CIDR notation or domain names), located in /etc/banip/banip.allowlist and /etc/banip/banip.blocklist.
Unsuccessful login attempts or suspicious requests will be tracked and added to the local blocklist (see the 'ban\_autoblocklist' option). The blocklist behaviour can be further tweaked with the 'ban\_nftexpiry' option.
Furthermore the uplink subnet will be added to local allowlist (see 'ban\_autowallowlist' option).
Both lists also accept domain names as input to allow IP filtering based on these names. The corresponding IPs (IPv4 & IPv6) will be extracted in a detached background process and added to the sets.
**allowlist-only mode**
banIP supports an "allowlist only" mode. This option restricts the internet access from/to a small number of secure websites/IPs, and block access from/to the rest of the internet. All IPs and Domains which are _not_ listed in the allowlist are blocked.
**redirect Asterisk security logs to lodg/logread**
banIP only supports logfile scanning via logread, so to monitor attacks on Asterisk, its security log must be available via logread. To do this, edit '/etc/asterisk/logger.conf' and add the line 'syslog.local0 = security', then run 'asterisk -rx reload logger' to update the running Asterisk configuration.
**tweaks for low memory systems**
nftables supports the atomic loading of rules/sets/members, which is cool but unfortunately is also very memory intensive. To reduce the memory pressure on low memory systems (i.e. those with 256-512Mb RAM), you should optimize your configuration with the following options:
* point 'ban_reportdir' and 'ban_backupdir' to an external usb drive
* set 'ban_cores' to '1' (only useful on a multicore system) to force sequential feed processing
* set 'ban_splitsize' e.g. to '1000' to split the load of an external set after every 1000 lines/members
**tweak the download options**
By default banIP uses the following pre-configured download options:
```
* aria2c: --timeout=20 --allow-overwrite=true --auto-file-renaming=false --log-level=warn --dir=/ -o
* curl: --connect-timeout 20 --silent --show-error --location -o
* uclient-fetch: --timeout=20 -O
* wget: --no-cache --no-cookies --max-redirect=0 --timeout=20 -O
```
To override the default set 'ban_fetchparm' manually to your needs.
**send E-Mail notifications via 'msmtp'**
To use the email notification you must install & configure the package 'msmtp'.
Modify the file '/etc/msmtprc', e.g.:
<pre><code>
```
[...]
defaults
auth on
@ -360,39 +264,37 @@ syslog LOG_MAIL
account ban_notify
host smtp.gmail.com
port 587
from &lt;address&gt;@gmail.com
user &lt;gmail-user&gt;
password &lt;password&gt;
</code></pre>
Finally enable E-Mail support and add a valid E-Mail receiver address in LuCI.
**Edit, add new banIP sources:**
The banIP blocklist sources are stored in an external, compressed JSON file '/etc/banip/banip.sources.gz'.
This file is directly parsed in LuCI and accessible via CLI, just call _/etc/init.d/banip list_.
from <address>@gmail.com
user <gmail-user>
password <password>
```
Finally add a valid E-Mail receiver address.
To add new or edit existing sources extract the compressed JSON file _gunzip /etc/banip/banip.sources.gz_.
**add new banIP feeds**
The banIP blocklist feeds are stored in an external, compressed JSON file '/etc/banip/banip.feeds.gz'.
To add a new or edit an existing feed extract the compressed JSON file _gunzip /etc/banip/banip.feeds.gz_.
A valid JSON source object contains the following required information, e.g.:
<pre><code>
```
[...]
"tor": {
"url_4": "https://lists.fissionrelays.net/tor/exits-ipv4.txt",
"url_6": "https://lists.fissionrelays.net/tor/exits-ipv6.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add tor_4 \"$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{print \"add tor_6 \"$1}",
"focus": "Tor exit nodes",
"descurl": "https://fissionrelays.net/lists"
"url_4": "https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst",
"url_6": "https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
"focus": "tor exit nodes",
"descurl": "https://github.com/SecOps-Institute/Tor-IP-Addresses"
},
[...]
</code></pre>
Add an unique object name, make the required changes to 'url_4', 'rule_4' (and/or 'url_6', 'rule_6'), 'focus' and 'descurl' and finally compress the changed JSON file _gzip /etc/banip/banip.sources.gz_ to use the new source object in banIP.
<b>Please note:</b> if you're going to add new sources on your own, please make a copy of the default file and work with that copy further on, cause the default will be overwritten with every banIP update. To reference your copy set the option 'ban\_srcarc' which points by default to '/etc/banip/banip.sources.gz'
```
Add an unique object name, make the required changes and compress the changed JSON file finally with _gzip /etc/banip/banip.feeds_ to use the new feed file in banIP.
**Please note:** if you're going to add new feeds, **always** work with a copy of the default file; this file is always overwritten with every banIP update. To reference your own file set the option 'ban\_feedarchive' accordingly
## Support
Please join the banIP discussion in this [forum thread](https://forum.openwrt.org/t/banip-support-thread/16985) or contact me by mail <dev@brenken.org>
Please join the banIP discussion in this [forum thread](https://forum.openwrt.org/t/banip-support-thread/16985) or contact me by mail <dev@brenken.org>
## Removal
* stop all banIP related services with _/etc/init.d/banip stop_
* optional: remove the banip package (_opkg remove banip_)
Have fun!
Dirk
Dirk

1159
net/banip/files/banip-functions.sh Normal file
View file

File diff suppressed because it is too large Load diff

194
net/banip/files/banip-service.sh Executable file
View file

@ -0,0 +1,194 @@
#!/bin/sh
# banIP main service script - ban incoming and outgoing ip adresses/subnets via sets in nftables
# Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org)
# This is free software, licensed under the GNU General Public License v3.
# (s)hellcheck exceptions
# shellcheck disable=all
ban_action="${1}"
ban_starttime="$(date "+%s")"
ban_funlib="/usr/lib/banip-functions.sh"
[ -z "$(command -v "f_system")" ] && . "${ban_funlib}"
# load config and set banIP environment
#
f_conf
f_log "info" "start banIP processing (${ban_action})"
f_genstatus "processing"
f_tmp
f_fetch
f_getif
f_getdev
f_getsub
f_mkdir "${ban_backupdir}"
f_mkfile "${ban_blocklist}"
f_mkfile "${ban_allowlist}"
# firewall check
#
if [ "${ban_action}" != "reload" ]; then
if [ -x "${ban_fw4cmd}" ]; then
cnt=0
while [ "${cnt}" -lt "10" ] && ! /etc/init.d/firewall status | grep -q "^active"; do
cnt="$((cnt + 1))"
sleep 1
done
if ! /etc/init.d/firewall status | grep -q "^active"; then
f_log "err" "nft based firewall/fw4 not functional"
fi
else
f_log "err" "nft based firewall/fw4 not found"
fi
fi
# init nft namespace
#
if [ "${ban_action}" != "reload" ] || ! "${ban_nftcmd}" -t list table inet banIP >/dev/null 2>&1; then
if f_nftinit "${ban_tmpfile}".init.nft; then
f_log "info" "nft namespace initialized"
else
f_log "err" "nft namespace can't be initialized"
fi
fi
# handle downloads
#
f_log "info" "start banIP download processes"
if [ "${ban_allowlistonly}" = "1" ]; then
ban_feed=""
else
json_init
if ! json_load_file "${ban_basedir}/ban_feeds.json" >/dev/null 2>&1; then
f_log "err" "banIP feed file can't be loaded"
fi
[ "${ban_deduplicate}" = "1" ] && printf "\n" >"${ban_tmpfile}.deduplicate"
fi
cnt="1"
for feed in allowlist ${ban_feed} blocklist; do
# local feeds
#
if [ "${feed}" = "allowlist" ] || [ "${feed}" = "blocklist" ]; then
for proto in MAC 4 6; do
[ "${feed}" = "blocklist" ] && wait
(f_down "${feed}" "${proto}") &
[ "${feed}" = "blocklist" ] || { [ "${feed}" = "allowlist" ] && [ "${proto}" = "MAC" ]; } && wait
hold="$((cnt % ban_cores))"
[ "${hold}" = "0" ] && wait
cnt="$((cnt + 1))"
done
wait
continue
fi
# read external feed information
#
if ! json_select "${feed}" >/dev/null 2>&1; then
continue
fi
json_objects="url_4 rule_4 url_6 rule_6 flag"
for object in ${json_objects}; do
eval json_get_var feed_"${object}" '${object}' >/dev/null 2>&1
done
json_select ..
# handle IPv4/IPv6 feeds with the same/single download URL
#
if [ "${feed_url_4}" = "${feed_url_6}" ]; then
if [ "${ban_protov4}" = "1" ] && [ -n "${feed_url_4}" ] && [ -n "${feed_rule_4}" ]; then
(f_down "${feed}" "4" "${feed_url_4}" "${feed_rule_4}" "${feed_flag}") &
feed_url_6="local"
wait
fi
if [ "${ban_protov6}" = "1" ] && [ -n "${feed_url_6}" ] && [ -n "${feed_rule_6}" ]; then
(f_down "${feed}" "6" "${feed_url_6}" "${feed_rule_6}" "${feed_flag}") &
hold="$((cnt % ban_cores))"
[ "${hold}" = "0" ] && wait
cnt="$((cnt + 1))"
fi
continue
fi
# handle IPv4/IPv6 feeds with separated download URLs
#
if [ "${ban_protov4}" = "1" ] && [ -n "${feed_url_4}" ] && [ -n "${feed_rule_4}" ]; then
(f_down "${feed}" "4" "${feed_url_4}" "${feed_rule_4}" "${feed_flag}") &
hold="$((cnt % ban_cores))"
[ "${hold}" = "0" ] && wait
cnt="$((cnt + 1))"
fi
if [ "${ban_protov6}" = "1" ] && [ -n "${feed_url_6}" ] && [ -n "${feed_rule_6}" ]; then
(f_down "${feed}" "6" "${feed_url_6}" "${feed_rule_6}" "${feed_flag}") &
hold="$((cnt % ban_cores))"
[ "${hold}" = "0" ] && wait
cnt="$((cnt + 1))"
fi
done
wait
# start domain lookup
#
f_log "info" "start detached banIP domain lookup"
(f_lookup "allowlist") &
hold="$((cnt % ban_cores))"
[ "${hold}" = "0" ] && wait
(f_lookup "blocklist") &
# tidy up
#
f_rmset
f_rmdir "${ban_tmpdir}"
f_genstatus "active"
f_log "info" "finished banIP download processes"
rm -rf "${ban_lock}"
# start log service
#
if [ -x "${ban_logreadcmd}" ] && [ -n "${ban_logterm%%??}" ]; then
f_log "info" "start detached banIP log service"
nft_expiry="$(printf "%s" "${ban_nftexpiry}" | grep -oE "([0-9]+[h|m|s]$)")"
[ -n "${nft_expiry}" ] && nft_expiry="timeout ${nft_expiry}"
# read log continuously with given logterms
#
"${ban_logreadcmd}" -fe "${ban_logterm%%??}" 2>/dev/null |
while read -r line; do
proto=""
# IPv4 log parsing
#
ip="$(printf "%s" "${line}" | "${ban_awkcmd}" 'BEGIN{RS="(([0-9]{1,3}\\.){3}[0-9]{1,3})+"}{if(!seen[RT]++)printf "%s ",RT}')"
ip="$(f_trim "${ip}")"
ip="${ip##* }"
[ -n "${ip}" ] && proto="v4"
if [ -z "${proto}" ]; then
# IPv6 log parsing
#
ip="$(printf "%s" "${line}" | "${ban_awkcmd}" 'BEGIN{RS="([A-Fa-f0-9]{1,4}::?){3,7}[A-Fa-f0-9]{1,4}"}{if(!seen[RT]++)printf "%s ",RT}')"
ip="$(f_trim "${ip}")"
ip="${ip##* }"
[ -n "${ip}" ] && proto="v6"
fi
if [ -n "${proto}" ] && ! "${ban_nftcmd}" get element inet banIP blocklist"${proto}" "{ ${ip} }" >/dev/null 2>&1; then
f_log "info" "suspicious IP${proto} found '${ip}'"
log_raw="$("${ban_logreadcmd}" -l "${ban_loglimit}" 2>/dev/null)"
log_count="$(printf "%s\n" "${log_raw}" | grep -c "found '${ip}'")"
if [ "${log_count}" -ge "${ban_logcount}" ]; then
if "${ban_nftcmd}" add element inet banIP "blocklist${proto}" "{ ${ip} ${nft_expiry} }" >/dev/null 2>&1; then
f_log "info" "added IP${proto} '${ip}' (${nft_expiry:-"-"}) to blocklist${proto} set"
if [ "${ban_autoblocklist}" = "1" ] && ! grep -q "^${ip}" "${ban_blocklist}"; then
printf "%-42s%s\n" "${ip}" "# added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_blocklist}"
f_log "info" "added IP${proto} '${ip}' to local blocklist"
fi
fi
fi
fi
done
# start no-op service loop
#
else
f_log "info" "start detached no-op banIP service (logterms are missing)"
while :; do
sleep 1
done
fi

0
net/banip/files/banip.blacklist → net/banip/files/banip.allowlist
View file

0
net/banip/files/banip.maclist → net/banip/files/banip.blocklist
View file

17
net/banip/files/banip.conf
View file

@ -1,16 +1,9 @@
config banip 'global'
option ban_enabled '0'
option ban_debug '0'
option ban_mail_enabled '0'
option ban_monitor_enabled '0'
option ban_logsrc_enabled '0'
option ban_logdst_enabled '0'
option ban_autodetect '1'
option ban_autoblacklist '1'
option ban_autowhitelist '1'
option ban_nice '0'
option ban_maxqueue '4'
option ban_global_settype 'src+dst'
option ban_target_src 'DROP'
option ban_target_dst 'REJECT'
option ban_loglimit '100'
list ban_logterm 'Exit before auth from'
list ban_logterm 'luci: failed login'
list ban_logterm 'error: maximum authentication attempts exceeded'
list ban_logterm 'sshd.*Connection closed by.*\[preauth\]'
list ban_logterm 'SecurityEvent=\"ChallengeResponseFailed\".*RemoteAddress='

64
net/banip/files/banip.dns
View file

@ -1,64 +0,0 @@
#!/bin/sh
# helper script to resolve domains for adding to banIP-related IPSets
# Copyright (c) 2020-2021 Dirk Brenken (dev@brenken.org)
# This is free software, licensed under the GNU General Public License v3.
# (s)hellcheck exceptions
# shellcheck disable=1091,3040
export LC_ALL=C
export PATH="/usr/sbin:/usr/bin:/sbin:/bin"
set -o pipefail
. "/lib/functions.sh"
ban_src_name="${1}"
ban_src_file="${2}"
ban_tmpbase="$(uci_get banip global ban_tmpbase "/tmp")"
ban_backupdir="$(uci_get banip global ban_backupdir "${ban_tmpbase}/banIP-Backup")"
ban_proto4_enabled="$(uci_get banip global ban_proto4_enabled "0")"
ban_proto6_enabled="$(uci_get banip global ban_proto6_enabled "0")"
ban_ipset_cmd="$(command -v ipset)"
ban_lookup_cmd="$(command -v nslookup)"
ban_logger_cmd="$(command -v logger)"
ban_cnt_err="0"
ban_message=""
rm -f "${ban_backupdir}/banIP.${ban_src_name}_addon_4" "${ban_backupdir}/banIP.${ban_src_name}_addon_6"
while read -r domain; do
result="$(
"${ban_lookup_cmd}" "${domain}" 2>/dev/null
printf "%s" "${?}"
)"
if [ "$(printf "%s" "${result}" | tail -1)" = "0" ]; then
ips="$(printf "%s" "${result}" | awk '/^Address[ 0-9]*: /{ORS=" ";print $NF}')"
for ip in ${ips}; do
for proto in "4" "6"; do
if { [ "${proto}" = "4" ] && [ "${ban_proto4_enabled}" = "1" ] && [ -n "$("${ban_ipset_cmd}" -q -n list "${ban_src_name}_${proto}")" ] &&
[ -n "$(printf "%s" "${ip}" | awk '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print $1}')" ]; } ||
{ [ "${proto}" = "6" ] && [ "${ban_proto6_enabled}" = "1" ] && [ -n "$("${ban_ipset_cmd}" -q -n list "${ban_src_name}_${proto}")" ] &&
[ -n "$(printf "%s" "${ip}" | awk '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{print $1}')" ]; }; then
printf "%s\n" "add ${ban_src_name}_${proto} ${ip}" >>"${ban_backupdir}/banIP.${ban_src_name}_addon_${proto}"
fi
done
done
[ -n "${ips}" ] && "${ban_logger_cmd}" -p "debug" -t "banIP-resolve [${$}]" "added IPs of '${domain}' to ${ban_src_name} (${ips})" 2>/dev/null
else
ban_cnt_err=$((ban_cnt_err + 1))
fi
done <"${ban_src_file}"
for proto in "4" "6"; do
if { { [ "${proto}" = "4" ] && [ "${ban_proto4_enabled}" = "1" ]; } || { [ "${proto}" = "6" ] && [ "${ban_proto6_enabled}" = "1" ]; }; } &&
[ ! -s "${ban_backupdir}/banIP.${ban_src_name}_addon_${proto}" ] && [ -s "${ban_backupdir}/banIP.${ban_src_name}_addon_${proto}.gz" ]; then
gzip -df "${ban_backupdir}/banIP.${ban_src_name}_addon_${proto}.gz" 2>/dev/null
"${ban_ipset_cmd}" -q -! restore <"${ban_backupdir}/banIP.${ban_src_name}_addon_${proto}"
ban_message="backup used"
elif [ -n "$("${ban_ipset_cmd}" -q -n list "${ban_src_name}_${proto}")" ] && [ -s "${ban_backupdir}/banIP.${ban_src_name}_addon_${proto}" ]; then
"${ban_ipset_cmd}" -q -! restore <"${ban_backupdir}/banIP.${ban_src_name}_addon_${proto}"
ban_message="${ban_cnt_err} lookup errors"
fi
gzip -f "${ban_backupdir}/banIP.${ban_src_name}_addon_${proto}" 2>/dev/null
done
"${ban_logger_cmd}" -p "info" -t "banIP-resolve [${$}]" "${ban_src_name} domain import has been finished (${ban_message:-"-"})" 2>/dev/null
rm -f "${ban_src_file}"

295
net/banip/files/banip.feeds Normal file
View file

@ -0,0 +1,295 @@
{
"adaway": {
"url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/adaway-ipv4.txt",
"url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/adaway-ipv6.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"focus": "adaway IPs",
"descurl": "https://github.com/dibdot/banIP-IP-blocklists"
},
"adguard": {
"url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/adguard-ipv4.txt",
"url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/adguard-ipv6.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"focus": "adguard IPs",
"descurl": "https://github.com/dibdot/banIP-IP-blocklists"
},
"adguardtrackers": {
"url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/adguardtrackers-ipv4.txt",
"url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/adguardtrackers-ipv6.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"focus": "adguardtracker IPs",
"descurl": "https://github.com/dibdot/banIP-IP-blocklists"
},
"antipopads": {
"url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/antipopads-ipv4.txt",
"url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/antipopads-ipv6.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"focus": "antipopads IPs",
"descurl": "https://github.com/dibdot/banIP-IP-blocklists"
},
"asn": {
"url_4": "https://asn.ipinfo.app/api/text/list/",
"url_6": "https://asn.ipinfo.app/api/text/list/",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
"focus": "ASN IPs",
"descurl": "https://asn.ipinfo.app"
},
"backscatterer": {
"url_4": "http://wget-mirrors.uceprotect.net/rbldnsd-all/ips.backscatterer.org.gz",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"focus": "backscatterer IPs",
"descurl": "https://www.uceprotect.net/en/index.php",
"flag": "gz"
},
"bogon": {
"url_4": "https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt",
"url_6": "https://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
"focus": "bogon prefixes",
"descurl": "https://team-cymru.com"
},
"cinsscore": {
"url_4": "https://cinsscore.com/list/ci-badguys.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"focus": "suspicious attacker IPs",
"descurl": "https://cinsscore.com/#list"
},
"country": {
"url_4": "https://www.ipdeny.com/ipblocks/data/aggregated/",
"url_6": "https://www.ipdeny.com/ipv6/ipaddresses/aggregated/",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
"focus": "country blocks",
"descurl": "http://www.ipdeny.com/ipblocks"
},
"darklist": {
"url_4": "https://darklist.de/raw.php",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"focus": "suspicious attacker IPs",
"descurl": "https://darklist.de"
},
"debl": {
"url_4": "https://www.blocklist.de/downloads/export-ips_all.txt",
"url_6": "https://www.blocklist.de/downloads/export-ips_all.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
"focus": "fail2ban IP blacklist",
"descurl": "https://www.blocklist.de"
},
"doh": {
"url_4": "https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv4.txt",
"url_6": "https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv6.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"focus": "public DoH-Provider",
"descurl": "https://github.com/dibdot/DoH-IP-blocklists"
},
"drop": {
"url_4": "https://www.spamhaus.org/drop/drop.txt",
"url_6": "https://www.spamhaus.org/drop/dropv6.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"focus": "spamhaus drop compilation",
"descurl": "https://www.spamhaus.org"
},
"dshield": {
"url_4": "https://feeds.dshield.org/block.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s/%s,\\n\",$1,$3}",
"focus": "dshield IP blocklist",
"descurl": "https://www.dshield.org"
},
"edrop": {
"url_4": "https://www.spamhaus.org/drop/edrop.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"focus": "spamhaus edrop compilation",
"descurl": "https://www.spamhaus.org"
},
"feodo": {
"url_4": "https://feodotracker.abuse.ch/downloads/ipblocklist.txt",
"rule_4": "BEGIN{RS=\"\\r\\n\"}/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"focus": "feodo tracker",
"descurl": "https://feodotracker.abuse.ch"
},
"firehol1": {
"url_4": "https://iplists.firehol.org/files/firehol_level1.netset",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"focus": "firehol level 1 compilation",
"descurl": "https://iplists.firehol.org/?ipset=firehol_level1"
},
"firehol2": {
"url_4": "https://iplists.firehol.org/files/firehol_level2.netset",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"focus": "firehol level 2 compilation",
"descurl": "https://iplists.firehol.org/?ipset=firehol_level2"
},
"firehol3": {
"url_4": "https://iplists.firehol.org/files/firehol_level3.netset",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"focus": "firehol level 3 compilation",
"descurl": "https://iplists.firehol.org/?ipset=firehol_level3"
},
"firehol4": {
"url_4": "https://iplists.firehol.org/files/firehol_level4.netset",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{if(!seen[$1]++)printf \"%s,\\n\",$1}",
"focus": "firehol level 4 compilation",
"descurl": "https://iplists.firehol.org/?ipset=firehol_level4"
},
"greensnow": {
"url_4": "https://blocklist.greensnow.co/greensnow.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"focus": "suspicious server IPs",
"descurl": "https://greensnow.co"
},
"iblockads": {
"url_4": "https://list.iblocklist.com/?list=dgxtneitpuvgqqcpfulq&fileformat=cidr&archiveformat=gz",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"focus": "advertising IPs",
"descurl": "https://www.iblocklist.com",
"flag": "gz",
"login": true
},
"iblockspy": {
"url_4": "https://list.iblocklist.com/?list=llvtlsjyoyiczbkjsxpf&fileformat=cidr&archiveformat=gz",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"focus": "malicious spyware IPs",
"descurl": "https://www.iblocklist.com",
"flag": "gz",
"login": true
},
"myip": {
"url_4": "https://myip.ms/files/blacklist/general/latest_blacklist.txt",
"url_6": "https://myip.ms/files/blacklist/general/latest_blacklist.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"focus": "real-time IP blocklist",
"descurl": "https://myip.ms"
},
"nixspam": {
"url_4": "https://www.nixspam.net/download/nixspam-ip.dump.gz",
"rule_4": "/(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$2}",
"focus": "iX spam protection",
"descurl": "https://www.nixspam.net",
"flag": "gz"
},
"oisdnsfw": {
"url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/oisdnsfw-ipv4.txt",
"url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/oisdnsfw-ipv6.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"focus": "OISD-nsfw IPs",
"descurl": "https://github.com/dibdot/banIP-IP-blocklists"
},
"oisdsmall": {
"url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/oisdsmall-ipv4.txt",
"url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/oisdsmall-ipv6.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"focus": "OISD-small IPs",
"descurl": "https://github.com/dibdot/banIP-IP-blocklists"
},
"proxy": {
"url_4": "https://iplists.firehol.org/files/proxylists.ipset",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"focus": "open proxies",
"descurl": "https://iplists.firehol.org/?ipset=proxylists"
},
"sslbl": {
"url_4": "https://sslbl.abuse.ch/blacklist/sslipblacklist.csv",
"rule_4": "BEGIN{FS=\",\"}/(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)/{printf \"%s,\\n\",$2}",
"focus": "SSL botnet IPs",
"descurl": "https://sslbl.abuse.ch"
},
"stevenblack": {
"url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/stevenblack-ipv4.txt",
"url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/stevenblack-ipv6.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"focus": "stevenblack IPs",
"descurl": "https://github.com/dibdot/banIP-IP-blocklists"
},
"talos": {
"url_4": "https://www.talosintelligence.com/documents/ip-blacklist",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"focus": "talos IPs",
"descurl": "https://talosintelligence.com/reputation_center"
},
"threat": {
"url_4": "https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"focus": "emerging threats",
"descurl": "https://rules.emergingthreats.net"
},
"threatview": {
"url_4": "https://threatview.io/Downloads/IP-High-Confidence-Feed.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"focus": "malicious IPs",
"descurl": "https://threatview.io"
},
"tor": {
"url_4": "https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst",
"url_6": "https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
"focus": "tor exit nodes",
"descurl": "https://github.com/SecOps-Institute/Tor-IP-Addresses"
},
"uceprotect1": {
"url_4": "http://wget-mirrors.uceprotect.net/rbldnsd-all/dnsbl-1.uceprotect.net.gz",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"focus": "spam protection level 1",
"descurl": "http://www.uceprotect.net/en/index.php",
"flag": "gz"
},
"uceprotect2": {
"url_4": "http://wget-mirrors.uceprotect.net/rbldnsd-all/dnsbl-2.uceprotect.net.gz",
"rule_4": "BEGIN{IGNORECASE=1}/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]NET)/{printf \"%s,\\n\",$1}",
"focus": "spam protection level 2",
"descurl": "http://www.uceprotect.net/en/index.php",
"flag": "gz"
},
"uceprotect3": {
"url_4": "http://wget-mirrors.uceprotect.net/rbldnsd-all/dnsbl-3.uceprotect.net.gz",
"rule_4": "BEGIN{IGNORECASE=1}/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]YOUR)/{printf \"%s,\\n\",$1}",
"focus": "spam protection level 3",
"descurl": "http://www.uceprotect.net/en/index.php",
"flag": "gz"
},
"urlhaus": {
"url_4": "https://urlhaus.abuse.ch/downloads/ids/",
"rule_4": "match($0,/(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5]))/){printf \"%s,\\n\",substr($0,RSTART,RLENGTH)}",
"focus": "urlhaus IDS IPs",
"descurl": "https://urlhaus.abuse.ch"
},
"urlvir": {
"url_4": "https://iplists.firehol.org/files/urlvir.ipset",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"focus": "malware related IPs",
"descurl": "https://iplists.firehol.org/?ipset=urlvir"
},
"voip": {
"url_4": "https://voipbl.org/update/",
"rule_4": "BEGIN{RS=\"(([0-9]{1,3}\\\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)\"}{if(RT)printf \"%s,\\n\",RT}",
"focus": "VoIP fraud blocklist",
"descurl": "https://voipbl.org"
},
"webclient": {
"url_4": "https://iplists.firehol.org/files/firehol_webclient.netset",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"focus": "malware related IPs",
"descurl": "https://iplists.firehol.org/?ipset=firehol_webclient"
},
"yoyo": {
"url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/yoyo-ipv4.txt",
"url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/yoyo-ipv6.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"focus": "yoyo IPs",
"descurl": "https://github.com/dibdot/banIP-IP-blocklists"
}
}

10
net/banip/files/banip.hotplug
View file

@ -1,10 +0,0 @@
#!/bin/sh
# firewall hotplug script for banIP
# Copyright (c) 2019-2021 Dirk Brenken (dev@brenken.org)
# This is free software, licensed under the GNU General Public License v3.
if /etc/init.d/banip enabled && [ "${ACTION}" = "add" ] && [ -n "${INTERFACE}" ]; then
if [ ! -s "/var/run/banip.pid" ] && uci_get banip global ban_ifaces | grep -q "${INTERFACE}"; then
/etc/init.d/banip refresh
fi
fi

282
net/banip/files/banip.init
View file

@ -1,202 +1,69 @@
#!/bin/sh /etc/rc.common
# Copyright (c) 2018-2021 Dirk Brenken (dev@brenken.org)
# banIP init script - ban incoming and outgoing ip adresses/subnets via sets in nftables
# Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org)
# This is free software, licensed under the GNU General Public License v3.
# (s)hellcheck exceptions
# shellcheck disable=1091,2034,3043,3057,3060
# shellcheck disable=all
START=30
USE_PROCD=1
if type extra_command >/dev/null 2>&1; then
extra_command "refresh" "Refresh ipsets without new list downloads"
extra_command "suspend" "Suspend banIP processing"
extra_command "resume" "Resume banIP processing"
extra_command "query" "<IP> Query active banIP IPSets for a specific IP address"
extra_command "report" "[<cli>|<mail>|<gen>|<json>] Print banIP related IPset statistics"
extra_command "list" "[<add>|<add_asn>|<add_country>|<remove>|<remove_asn>|<remove_country>] <source(s)> List/Edit available sources"
extra_command "timer" "[<add> <tasks> <hour> [<minute>] [<weekday>]]|[<remove> <line no.>] List/Edit cron update intervals"
else
EXTRA_COMMANDS="status refresh suspend resume query report list timer version"
EXTRA_HELP=" status Service status
refresh Refresh ipsets without new list downloads
suspend Suspend banIP processing
resume Resume banIP processing
query <IP> Query active banIP IPSets for a specific IP address
report [<cli>|<mail>|<gen>|<json>] Print banIP related IPset statistics
list [<add>|<add_asn>|<add_country>|<remove>|<remove_asn>|<remove_country>] <source(s)> List/Edit available sources
timer [<add> <tasks> <hour> [<minute>] [<weekday>]]|[<remove> <line no.>] List/Edit cron update intervals"
fi
extra_command "report" "[text|json|mail] Print banIP related set statistics"
extra_command "search" "[<IPv4 address>|<IPv6 address>] Check if an element exists in the banIP sets"
ban_init="/etc/init.d/banip"
ban_script="/usr/bin/banip.sh"
ban_service="/usr/bin/banip-service.sh"
ban_funlib="/usr/lib/banip-functions.sh"
ban_pidfile="/var/run/banip.pid"
ban_lock="/var/run/banip.lock"
if [ -s "${ban_pidfile}" ] && { [ "${action}" = "start" ] || [ "${action}" = "stop" ] ||
[ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "refresh" ] ||
[ "${action}" = "suspend" ] || [ "${action}" = "resume" ] || [ "${action}" = "query" ] ||
{ [ "${action}" = "list" ] && [ -n "${1}" ]; } || { [ "${action}" = "report" ] && [ "${1}" != "json" ]; }; }; then
exit 0
fi
[ "${action}" = "stop" ] && ! /etc/init.d/banip running && exit 0
[ ! -r "${ban_funlib}" ] && { [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "stop" ] || [ "${action}" = "report" ] || [ "${action}" = "search" ] || [ "${action}" = "status" ]; } && exit 1
[ -d "${ban_lock}" ] && { [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ]; } && exit 1
[ ! -d "${ban_lock}" ] && { [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ]; } && mkdir -p "${ban_lock}"
boot() {
: >"${ban_pidfile}"
rc_procd start_service
rc_procd start_service "boot"
}
start_service() {
if "${ban_init}" enabled; then
if [ "${action}" = "boot" ]; then
return 0
fi
procd_open_instance "banip"
procd_set_param command "${ban_script}" "${@}"
[ "${action}" = "boot" ] && [ -n "$(uci_get banip global ban_trigger)" ] && return 0
[ -z "$(command -v "f_system")" ] && . "${ban_funlib}"
f_rmpid
procd_open_instance "banip-service"
procd_set_param command "${ban_service}" "${@:-"${action}"}"
procd_set_param pidfile "${ban_pidfile}"
procd_set_param nice "$(uci_get banip global ban_nice "0")"
procd_set_param nice "$(uci_get banip global ban_nicelimit "0")"
procd_set_param limits nofile="$(uci_get banip global ban_filelimit "1024")"
procd_set_param stdout 1
procd_set_param stderr 1
procd_close_instance
else
[ -z "$(command -v "f_system")" ] && . "${ban_funlib}"
f_log "err" "banIP service autostart is currently disabled, please enable the service autostart with '/etc/init.d/banip enable'"
rm -rf "${ban_lock}"
fi
}
version() {
rc_procd "${ban_script}" version
}
refresh() {
rc_procd start_service refresh
}
reload_service() {
rc_procd start_service reload
[ -z "$(command -v "f_system")" ] && . "${ban_funlib}"
f_rmpid
rc_procd start_service "reload"
}
stop_service() {
rc_procd "${ban_script}" stop
[ -z "$(command -v "f_system")" ] && . "${ban_funlib}"
"${ban_nftcmd}" delete table inet banIP >/dev/null 2>&1
f_genstatus "stopped"
f_rmpid
}
restart() {
rc_procd start_service restart
}
suspend() {
rc_procd start_service suspend
}
resume() {
rc_procd start_service resume
}
query() {
rc_procd "${ban_script}" query "${1}"
}
list() {
local src_archive src_file src_enabled key name enabled focus descurl url_4 rule_4 url_6 rule_6 action="${1}"
if [ "${action%_*}" = "add" ] || [ "${action%_*}" = "remove" ]; then
shift
for name in "${@}"; do
case "${action}" in
"add")
if ! uci_get banip global ban_sources | grep -q "${name}"; then
uci_add_list banip global ban_sources "${name}"
printf "%s\n" "::: banIP source '${name}' added to config"
fi
;;
"remove")
if uci_get banip global ban_sources | grep -q "${name}"; then
uci_remove_list banip global ban_sources "${name}"
printf "%s\n" "::: banIP source '${name}' removed from config"
fi
;;
"add_asn")
if ! uci_get banip global ban_asns | grep -q "${name}"; then
uci_add_list banip global ban_asns "${name}"
printf "%s\n" "::: banIP asn '${name}' added to config"
fi
;;
"remove_asn")
if uci_get banip global ban_asns | grep -q "${name}"; then
uci_remove_list banip global ban_asns "${name}"
printf "%s\n" "::: banIP asn '${name}' removed from config"
fi
;;
"add_country")
if ! uci_get banip global ban_countries | grep -q "${name}"; then
uci_add_list banip global ban_countries "${name}"
printf "%s\n" "::: banIP country '${name}' added to config"
fi
;;
"remove_country")
if uci_get banip global ban_countries | grep -q "${name}"; then
uci_remove_list banip global ban_countries "${name}"
printf "%s\n" "::: banIP country '${name}' removed from config"
fi
;;
esac
done
if [ -n "$(uci -q changes banip)" ]; then
uci_commit banip
"${ban_init}" start
fi
else
src_archive="$(uci_get banip global ban_srcarc "/etc/banip/banip.sources.gz")"
src_file="$(uci_get banip global ban_srcfile "/tmp/ban_sources.json")"
src_enabled="$(uci -q show banip.global.ban_sources)"
if [ -r "${src_archive}" ]; then
zcat "${src_archive}" >"${src_file}"
else
printf "%s\n" "::: banIP source archive '${src_archive}' not found"
fi
if [ -r "${src_file}" ]; then
src_enabled="${src_enabled#*=}"
src_enabled="${src_enabled//\'/}"
printf "%s\n" "::: Available banIP sources"
printf "%s\n" ":::"
printf "%-25s%-10s%-36s%s\n" " Name" "Enabled" "Focus" "Info URL"
printf "%s\n" " ---------------------------------------------------------------------------"
json_load_file "${src_file}"
json_get_keys keylist
for key in ${keylist}; do
json_select "${key}"
json_get_var focus "focus"
json_get_var descurl "descurl"
json_get_var url_4 "url_4"
json_get_var rule_4 "rule_4"
json_get_var url_6 "url_6"
json_get_var rule_6 "rule_6"
if { [ -n "${url_4}" ] && [ -n "${rule_4}" ]; } || { [ -n "${url_6}" ] && [ -n "${rule_6}" ]; }; then
if printf "%s" "${src_enabled}" | grep -q "${key}"; then
enabled="x"
else
enabled=" "
fi
src_enabled="${src_enabled/${key}/}"
printf " + %-21s%-10s%-36s%s\n" "${key:0:20}" "${enabled}" "${focus:0:35}" "${descurl:0:50}"
else
src_enabled="${src_enabled} ${key}"
fi
json_select ..
done
asn_list="$(uci_get banip global ban_asns "-")"
country_list="$(uci_get banip global ban_countries "-")"
printf "%s\n" " ---------------------------------------------------------------------------"
printf " * %s\n" "Configured ASNs: ${asn_list// /, }"
printf " * %s\n" "Configured Countries: ${country_list// /, }"
if [ -n "${src_enabled// /}" ]; then
printf "%s\n" " ---------------------------------------------------------------------------"
printf "%s\n" " Sources without valid configuration"
printf "%s\n" " ---------------------------------------------------------------------------"
for key in ${src_enabled}; do
printf " - %s\n" "${key:0:20}"
done
fi
else
printf "%s\n" "::: banIP source file '${src_file}' not found"
fi
fi
stop_service
rc_procd start_service "restart"
}
status() {
@ -204,90 +71,29 @@ status() {
}
status_service() {
local key keylist type value index_value values rtfile
rtfile="$(uci_get banip global ban_rtfile "/tmp/ban_runtime.json")"
json_load_file "${rtfile}" >/dev/null 2>&1
json_get_keys keylist
if [ -n "${keylist}" ]; then
printf "%s\n" "::: banIP runtime information"
for key in ${keylist}; do
json_get_var value "${key}" >/dev/null 2>&1
if [ "${key%_*}" = "active" ]; then
printf " + %-15s : " "${key}"
json_select "${key}" >/dev/null 2>&1
values=""
index=1
while json_get_type type "${index}" && [ "${type}" = "object" ]; do
json_get_values index_value "${index}" >/dev/null 2>&1
if [ "${index}" = "1" ]; then
values="${index_value}"
else
values="${values}, ${index_value}"
fi
index=$((index + 1))
done
values="$(printf "%s" "${values}" | awk '{NR=1;max=98;if(length($0)>max+1)while($0){if(NR==1){print substr($0,1,max)}else{printf"%-22s%s\n","",substr($0,1,max)}{$0=substr($0,max+1);NR=NR+1}}else print}')"
printf "%s\n" "${values:-"-"}"
json_select ".."
else
printf " + %-15s : %s\n" "${key}" "${value:-"-"}"
fi
done
else
printf "%s\n" "::: no banIP runtime information available"
fi
[ -z "$(command -v "f_system")" ] && . "${ban_funlib}"
f_getstatus
}
report() {
rc_procd "${ban_script}" report "${1:-"cli"}"
[ -z "$(command -v "f_system")" ] && . "${ban_funlib}"
f_report "${1:-"text"}"
}
timer() {
local cron_file cron_content cron_lineno action="${1:-"list"}" cron_tasks="${2}" hour="${3}" minute="${4:-0}" weekday="${5:-"*"}"
cron_file="/etc/crontabs/root"
if [ -s "${cron_file}" ] && [ "${action}" = "list" ]; then
awk '{print NR "> " $0}' "${cron_file}"
elif [ "${action}" = "add" ]; then
hour="${hour//[[:alpha:]]/}"
minute="${minute//[[:alpha:]]/}"
if [ -n "${cron_tasks}" ] && [ -n "${hour}" ] && [ -n "${minute}" ] && [ -n "${weekday}" ] &&
[ "${hour}" -ge 0 ] && [ "${hour}" -le 23 ] &&
[ "${minute}" -ge 0 ] && [ "${minute}" -le 59 ]; then
printf "%02d %02d %s\n" "${minute}" "${hour}" "* * ${weekday} ${ban_init} ${cron_tasks}" >>"${cron_file}"
/etc/init.d/cron restart
fi
elif [ -s "${cron_file}" ] && [ "${action}" = "remove" ]; then
cron_tasks="${cron_tasks//[[:alpha:]]/}"
cron_lineno="$(awk 'END{print NR}' "${cron_file}")"
cron_content="$(awk '{print $0}' "${cron_file}")"
if [ "${cron_tasks:-"0"}" -le "${cron_lineno:-"1"}" ] && [ -n "${cron_content}" ]; then
printf "%s\n" "${cron_content}" | awk "NR!~/^${cron_tasks}$/" >"${cron_file}"
/etc/init.d/cron restart
fi
fi
search() {
[ -z "$(command -v "f_system")" ] && . "${ban_funlib}"
f_search "${1}"
}
service_triggers() {
local iface delay
local iface trigger delay
iface="$(uci_get banip global ban_trigger)"
trigger="$(uci_get banip global ban_trigger)"
delay="$(uci_get banip global ban_triggerdelay "5")"
PROCD_RELOAD_DELAY=$((delay * 1000))
if [ -z "${iface}" ]; then
. "/lib/functions/network.sh"
network_find_wan iface
if [ -n "${iface}" ]; then
uci_set banip global ban_trigger "${iface}"
uci_commit "banip"
fi
fi
if [ -n "${iface}" ]; then
for iface in ${trigger}; do
procd_add_interface_trigger "interface.*.up" "${iface}" "${ban_init}" "start"
fi
done
procd_add_reload_trigger "banip"
}

62
net/banip/files/banip.mail
View file

@ -1,62 +0,0 @@
#!/bin/sh
# send mail script for banIP notifications
# Copyright (c) 2020-2021 Dirk Brenken (dev@brenken.org)
# This is free software, licensed under the GNU General Public License v3.
# (s)hellcheck exceptions
# shellcheck disable=1091,3040
# Please note: you have to setup the package 'msmtp' before using this script
export LC_ALL=C
export PATH="/usr/sbin:/usr/bin:/sbin:/bin"
set -o pipefail
. "/lib/functions.sh"
ban_debug="$(uci_get banip global ban_debug "0")"
ban_loglimit="$(uci_get banip global ban_loglimit "100")"
ban_mailsender="$(uci_get banip global ban_mailsender "no-reply@banIP")"
ban_mailreceiver="$(uci_get banip global ban_mailreceiver)"
ban_mailtopic="$(uci_get banip global ban_mailtopic "banIP notification")"
ban_mailprofile="$(uci_get banip global ban_mailprofile "ban_notify")"
ban_mail="$(command -v msmtp)"
ban_logger="$(command -v logger)"
ban_logread="$(command -v logread)"
if [ -z "${ban_mailreceiver}" ]; then
f_log "err" "please set the mail receiver with the 'ban_mailreceiver' option"
exit 1
fi
if [ "${ban_debug}" = "1" ]; then
msmtp_debug="--debug"
fi
ban_mailhead="From: ${ban_mailsender}\nTo: ${ban_mailreceiver}\nSubject: ${ban_mailtopic}\nReply-to: ${ban_mailsender}\nMime-Version: 1.0\nContent-Type: text/html;charset=utf-8\nContent-Disposition: inline\n\n"
# info preparation
#
sys_info="$(
strings /etc/banner 2>/dev/null
ubus call system board | awk 'BEGIN{FS="[{}\"]"}{if($2=="kernel"||$2=="hostname"||$2=="system"||$2=="model"||$2=="description")printf " + %-12s: %s\n",$2,$4}'
)"
ban_info="$(/etc/init.d/banip "status" 2>/dev/null)"
rep_info="${1}"
log_info="$("${ban_logread}" -l "${ban_loglimit}" -e "banIP-" 2>/dev/null | awk '{NR=1;max=120;if(length($0)>max+1)while($0){if(NR==1){print substr($0,1,max)}else{print substr($0,1,max)}{$0=substr($0,max+1);NR=NR+1}}else print}')"
# mail body
#
ban_mailtext="<html><body><pre style='display:block;font-family:monospace;font-size:1rem;padding:20;background-color:#f3eee5;white-space:pre'>"
ban_mailtext="${ban_mailtext}\n<strong>++\n++ System Information ++\n++</strong>\n${sys_info}"
ban_mailtext="${ban_mailtext}\n\n<strong>++\n++ banIP Status ++\n++</strong>\n${ban_info}"
if [ -n "${rep_info}" ]; then
ban_mailtext="${ban_mailtext}\n\n<strong>++\n++ banIP Report ++\n++</strong>\n${rep_info}"
fi
ban_mailtext="${ban_mailtext}\n\n<strong>++\n++ Logfile Information ++\n++</strong>\n${log_info}"
ban_mailtext="${ban_mailtext}</pre></body></html>"
# send mail
#
printf "%b" "${ban_mailhead}${ban_mailtext}" 2>/dev/null | "${ban_mail}" ${msmtp_debug} -a "${ban_mailprofile}" "${ban_mailreceiver}" >/dev/null 2>&1
"${ban_logger}" -p "info" -t "banIP-mail [${$}]" "mail sent to '${ban_mailreceiver}' with rc '${?}'" 2>/dev/null

28
net/banip/files/banip.service
View file

@ -1,28 +0,0 @@
#!/bin/sh
# log service to trace suspicious logins and conditionally refresh banIP
# Copyright (c) 2019-2021 Dirk Brenken (dev@brenken.org)
# This is free software, licensed under the GNU General Public License v3.
# (s)hellcheck exceptions
# shellcheck disable=3040
export LC_ALL=C
export PATH="/usr/sbin:/usr/bin:/sbin:/bin"
set -o pipefail
ban_search="${1}"
ban_logger_cmd="$(command -v logger)"
ban_logread_cmd="$(command -v logread)"
if [ -x "${ban_logread_cmd}" ]; then
"${ban_logger_cmd}" -p "info" -t "banIP-service [${$}]" "log/banIP service started" 2>/dev/null
"${ban_logread_cmd}" -f |
{
grep -qE "${ban_search}" && {
/etc/init.d/banip refresh
exit 0
}
}
else
"${ban_logger_cmd}" -p "err" -t "banIP-service [${$}]" "can't start log/banIP service" 2>/dev/null
fi

1595
net/banip/files/banip.sh
View file

File diff suppressed because it is too large Load diff

191
net/banip/files/banip.sources
View file

@ -1,191 +0,0 @@
{
"asn": {
"url_4": "https://asn.ipinfo.app/api/text/list/",
"url_6": "https://asn.ipinfo.app/api/text/list/",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add asn_4 \"$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{print \"add asn_6 \"$1}",
"focus": "ASN blocks",
"descurl": "https://asn.ipinfo.app"
},
"bogon": {
"url_4": "https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt",
"url_6": "https://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add bogon_4 \"$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{print \"add bogon_6 \"$1}",
"focus": "Bogon prefixes",
"descurl": "https://team-cymru.com"
},
"country": {
"url_4": "http://www.ipdeny.com/ipblocks/data/aggregated/",
"url_6": "http://www.ipdeny.com/ipv6/ipaddresses/aggregated/",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add country_4 \"$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{print \"add country_6 \"$1}",
"focus": "Country blocks",
"descurl": "http://www.ipdeny.com/ipblocks"
},
"darklist": {
"url_4": "https://darklist.de/raw.php",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add darklist_4 \"$1}",
"focus": "Blocks suspicious attacker IPs",
"descurl": "https://darklist.de"
},
"debl": {
"url_4": "https://www.blocklist.de/downloads/export-ips_all.txt",
"url_6": "https://www.blocklist.de/downloads/export-ips_all.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add debl_4 \"$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{print \"add debl_6 \"$1}",
"focus": "Fail2ban IP blacklist",
"descurl": "https://www.blocklist.de"
},
"doh": {
"url_4": "https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv4.txt",
"url_6": "https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv6.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add doh_4 \"$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{print \"add doh_6 \"$1}",
"focus": "Public DoH-Provider",
"descurl": "https://github.com/dibdot/DoH-IP-blocklists"
},
"drop": {
"url_4": "https://www.spamhaus.org/drop/drop.txt",
"url_6": "https://www.spamhaus.org/drop/dropv6.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add drop_4 \"$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{print \"add drop_6 \"$1}",
"focus": "Spamhaus drop compilation",
"descurl": "https://www.spamhaus.org"
},
"dshield": {
"url_4": "https://feeds.dshield.org/block.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add dshield_4 \"$1 \"/\"$3}",
"focus": "Dshield IP blocklist",
"descurl": "https://www.dshield.org"
},
"edrop": {
"url_4": "https://www.spamhaus.org/drop/edrop.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add edrop_4 \"$1}",
"focus": "Spamhaus edrop compilation",
"descurl": "https://www.spamhaus.org"
},
"feodo": {
"url_4": "https://feodotracker.abuse.ch/downloads/ipblocklist.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add feodo_4 \"$1}",
"focus": "Feodo Tracker",
"descurl": "https://feodotracker.abuse.ch"
},
"firehol1": {
"url_4": "https://iplists.firehol.org/files/firehol_level1.netset",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add firehol1_4 \"$1}",
"focus": "Firehol Level 1 compilation",
"descurl": "https://iplists.firehol.org/?ipset=firehol_level1"
},
"firehol2": {
"url_4": "https://iplists.firehol.org/files/firehol_level2.netset",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add firehol2_4 \"$1}",
"focus": "Firehol Level 2 compilation",
"descurl": "https://iplists.firehol.org/?ipset=firehol_level2"
},
"firehol3": {
"url_4": "https://iplists.firehol.org/files/firehol_level3.netset",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add firehol3_4 \"$1}",
"focus": "Firehol Level 3 compilation",
"descurl": "https://iplists.firehol.org/?ipset=firehol_level3"
},
"firehol4": {
"url_4": "https://iplists.firehol.org/files/firehol_level4.netset",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add firehol4_4 \"$1}",
"focus": "Firehol Level 4 compilation",
"descurl": "https://iplists.firehol.org/?ipset=firehol_level4"
},
"greensnow": {
"url_4": "https://blocklist.greensnow.co/greensnow.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add greensnow_4 \"$1}",
"focus": "Blocks suspicious server IPs",
"descurl": "https://greensnow.co"
},
"iblockads": {
"url_4": "https://list.iblocklist.com/?list=dgxtneitpuvgqqcpfulq&fileformat=cidr&archiveformat=gz",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add iblockads_4 \"$1}",
"focus": "Advertising blocklist",
"descurl": "https://www.iblocklist.com",
"comp": "gz"
},
"iblockspy": {
"url_4": "https://list.iblocklist.com/?list=llvtlsjyoyiczbkjsxpf&fileformat=cidr&archiveformat=gz",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add iblockspy_4 \"$1}",
"focus": "Malicious spyware blocklist",
"descurl": "https://www.iblocklist.com",
"comp": "gz"
},
"myip": {
"url_4": "https://myip.ms/files/blacklist/general/latest_blacklist.txt",
"url_6": "https://myip.ms/files/blacklist/general/latest_blacklist.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add myip_4 \"$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{print \"add myip_6 \"$1}",
"focus": "Myip Live IP blacklist",
"descurl": "https://myip.ms"
},
"nixspam": {
"url_4": "http://www.dnsbl.manitu.net/download/nixspam-ip.dump.gz",
"rule_4": "/(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add nixspam_4 \"$2}",
"focus": "iX spam protection",
"descurl": "http://www.nixspam.org",
"comp": "gz"
},
"proxy": {
"url_4": "https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/proxylists.ipset",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add proxy_4 \"$1}",
"focus": "Firehol list of open proxies",
"descurl": "https://iplists.firehol.org/?ipset=proxylists"
},
"sslbl": {
"url_4": "https://sslbl.abuse.ch/blacklist/sslipblacklist.csv",
"rule_4": "BEGIN{FS=\",\"}/(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)/{print \"add sslbl_4 \"$2}",
"focus": "SSL botnet IP blacklist",
"descurl": "https://sslbl.abuse.ch"
},
"talos": {
"url_4": "https://www.talosintelligence.com/documents/ip-blacklist",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add talos_4 \"$1}",
"focus": "Cisco Talos IP Blacklist",
"descurl": "https://talosintelligence.com/reputation_center"
},
"threat": {
"url_4": "https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add threat_4 \"$1}",
"focus": "Emerging Threats",
"descurl": "https://rules.emergingthreats.net"
},
"tor": {
"url_4": "https://lists.fissionrelays.net/tor/exits-ipv4.txt",
"url_6": "https://lists.fissionrelays.net/tor/exits-ipv6.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add tor_4 \"$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{print \"add tor_6 \"$1}",
"focus": "Tor exit nodes",
"descurl": "https://fissionrelays.net/lists"
},
"uceprotect1": {
"url_4": "http://wget-mirrors.uceprotect.net/rbldnsd-all/dnsbl-1.uceprotect.net.gz",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{print \"add uceprotect1_4 \"$1}",
"focus": "Spam protection level 1",
"descurl": "http://www.uceprotect.net/en/index.php",
"comp": "gz"
},
"uceprotect2": {
"url_4": "http://wget-mirrors.uceprotect.net/rbldnsd-all/dnsbl-2.uceprotect.net.gz",
"rule_4": "BEGIN{IGNORECASE=1}/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]+NET[[:space:]]+)/{print \"add uceprotect2_4 \"$1}",
"focus": "Spam protection level 2",
"descurl": "http://www.uceprotect.net/en/index.php",
"comp": "gz"
},
"voip": {
"url_4": "http://www.voipbl.org/update/",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add voip_4 \"$1}",
"focus": "VoIP fraud blocklist",
"descurl": "http://www.voipbl.org"
},
"yoyo": {
"url_4": "https://pgl.yoyo.org/adservers/iplist.php?ipformat=plain&showintro=0&mimetype=plaintext",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add yoyo_4 \"$1}",
"focus": "Ad protection blacklist",
"descurl": "https://pgl.yoyo.org/adservers/"
}
}

24
net/banip/files/banip.tpl Normal file
View file

@ -0,0 +1,24 @@
# banIP mail template/include
# Copyright (c) 2020-2023 Dirk Brenken (dev@brenken.org)
# This is free software, licensed under the GNU General Public License v3.
# info preparation
#
local banip_info report_info log_info system_info mail_text
banip_info="$(/etc/init.d/banip status 2>/dev/null)"
report_info="$(cat ${ban_reportdir}/ban_report.txt 2>/dev/null)"
log_info="$("${ban_logreadcmd}" -l 100 -e "banIP_" 2>/dev/null | awk '{NR=1;max=120;if(length($0)>max+1)while($0){if(NR==1){print substr($0,1,max)}else{print substr($0,1,max)}{$0=substr($0,max+1);NR=NR+1}}else print}')"
system_info="$(
strings /etc/banner 2>/dev/null
ubus call system board | awk 'BEGIN{FS="[{}\"]"}{if($2=="kernel"||$2=="hostname"||$2=="system"||$2=="model"||$2=="description")printf " + %-12s: %s\n",$2,$4}'
)"
# mail body
#
mail_text="$(printf "%s\n" "<html><body><pre style='display:block;font-family:monospace;font-size:1rem;padding:20;background-color:#f3eee5;white-space:pre'>")"
mail_text="$(printf "%s\n" "${mail_text}\n<strong>++\n++ System Information ++\n++</strong>\n${system_info:-"-"}")"
mail_text="$(printf "%s\n" "${mail_text}\n\n<strong>++\n++ banIP Status ++\n++</strong>\n${banip_info:-"-"}")"
mail_text="$(printf "%s\n" "${mail_text}\n\n<strong>++\n++ banIP Report ++\n++</strong>\n${report_info:-"-"}")"
mail_text="$(printf "%s\n" "${mail_text}\n\n<strong>++\n++ Logfile Information ++\n++</strong>\n${log_info}")"
mail_text="$(printf "%s\n" "${mail_text}</pre></body></html>")"

0
net/banip/files/banip.whitelist
View file

2
net/boinc/Makefile
View file

@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=boinc
PKG_VERSION:=7.16.16
PKG_VERSION_SHORT:=$(shell echo $(PKG_VERSION)| cut -f1,2 -d.)
PKG_RELEASE:=2
PKG_RELEASE:=3
PKG_SOURCE_DATE:=2020-02-25
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz

34
net/boinc/patches/003-update-to-openssl-3.0.0.patch Normal file
View file

@ -0,0 +1,34 @@
From 689dc20ede9768377d4032ff8c70b58269c8dc9c Mon Sep 17 00:00:00 2001
From: Charlie Fenton <charlief@example.com>
Date: Mon, 18 Oct 2021 01:43:08 -0700
Subject: [PATCH] Mac: update dependent libraries to latest: c-ares-1.17.2,
curl-7.79.1, freetype-2.11.0, openssl-3.0.0 Previously updated to
wxWidgets-3.1.5. FTGL version ftgl-2.1.3~rc5 is still the current version.
---
cotequeiroz: Trimming original commit to lib/crypt.cpp only
lib/crypt.cpp | 7 +-
--- a/lib/crypt.cpp
+++ b/lib/crypt.cpp
@@ -1,6 +1,6 @@
// This file is part of BOINC.
// http://boinc.berkeley.edu
-// Copyright (C) 2008 University of California
+// Copyright (C) 2021 University of California
//
// BOINC is free software; you can redistribute it and/or modify it
// under the terms of the GNU Lesser General Public License
@@ -670,7 +670,10 @@ int check_validity_of_cert(
}
#ifdef HAVE_OPAQUE_RSA_DSA_DH
RSA *rsa;
- rsa = EVP_PKEY_get0_RSA(pubKey);
+ // CAUTION: In OpenSSL 3.0.0, EVP_PKEY_get0_RSA() now returns a
+ // pointer of type "const struct rsa_st*" to an immutable value.
+ // Do not try to modify the contents of the returned struct.
+ rsa = (rsa_st*)EVP_PKEY_get0_RSA(pubKey);
if (!RSA_blinding_on(rsa, c)) {
#else
if (!RSA_blinding_on(pubKey->pkey.rsa, c)) {

4
net/dnsproxy/Makefile
View file

@ -5,12 +5,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=dnsproxy
PKG_VERSION:=0.47.0
PKG_VERSION:=0.48.0
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://codeload.github.com/AdguardTeam/dnsproxy/tar.gz/v$(PKG_VERSION)?
PKG_HASH:=be88e9db73b7d5fa42afd4bc38c901a7e589c503bfb091c43362c956e2669915
PKG_HASH:=b63d10b0f7d4ede68aae9bda9ef306a0673c8ca97ef9d57b838edb53e0023f8b
PKG_MAINTAINER:=Tianling Shen <cnsztl@immortalwrt.org>
PKG_LICENSE:=Apache-2.0

6
net/knot/Makefile
View file

@ -8,12 +8,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=knot
PKG_VERSION:=3.2.4
PKG_RELEASE:=2
PKG_VERSION:=3.2.5
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=https://secure.nic.cz/files/knot-dns/
PKG_HASH:=299e8de918f9fc7ecbe625b41cb085e47cdda542612efbd51cd5ec60deb9dd13
PKG_HASH:=c6b122e92baa179d09ba4c8ce5b0d42fb7475805f4ff9c81d5036acfaa161820
PKG_MAINTAINER:=Daniel Salzman <daniel.salzman@nic.cz>
PKG_LICENSE:=GPL-3.0 LGPL-2.0 0BSD BSD-3-Clause OLDAP-2.8

5
net/lighttpd/Makefile
View file

@ -8,14 +8,14 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=lighttpd
PKG_VERSION:=1.4.68
PKG_VERSION:=1.4.69
PKG_RELEASE:=1
# release candidate ~rcX testing; remove for release
#PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=https://download.lighttpd.net/lighttpd/releases-1.4.x
PKG_HASH:=e56f37ae52b63e1ada4d76ce78005affb6e56eea2f6bdb0ce17d6d36e9583384
PKG_HASH:=16ac8db95e719629ba61949b99f8a26feba946a81d185215b28379bb4116b0b4
PKG_MAINTAINER:=W. Michael Petullo <mike@flyn.org>
PKG_LICENSE:=BSD-3-Clause
@ -270,6 +270,7 @@ $(eval $(call BuildPlugin,vhostdb_ldap,Virtual Host Database (LDAP),lighttpd-mod
$(eval $(call BuildPlugin,vhostdb_mysql,Virtual Host Database (MariaDB),lighttpd-mod-vhostdb +PACKAGE_lighttpd-mod-vhostdb_mysql:libmariadb,30))
$(eval $(call BuildPlugin,vhostdb_pgsql,Virtual Host Database (PostgreSQL),lighttpd-mod-vhostdb +PACKAGE_lighttpd-mod-vhostdb_pgsql:libpq,30))
$(eval $(call BuildPlugin,webdav,WebDAV,+PACKAGE_lighttpd-mod-webdav:libsqlite3 +PACKAGE_lighttpd-mod-webdav:libuuid +PACKAGE_lighttpd-mod-webdav:libxml2,30))
$(eval $(call BuildPlugin,webdav_min,WebDAV,,30))
$(eval $(call BuildPlugin,wolfssl,TLS using wolfssl,@LIGHTTPD_SSL +PACKAGE_lighttpd-mod-wolfssl:libwolfssl,30))
$(eval $(call BuildPlugin,wstunnel,Websocket tunneling,$(if $(cryptolib),+PACKAGE_lighttpd-mod-wstunnel:$(cryptolib),),30))

28
net/lighttpd/patches/020-meson-mod_webdav_min.patch Normal file
View file

@ -0,0 +1,28 @@
From fe6895e5eb2c17ddad6e95faaac7d56d4dd73256 Mon Sep 17 00:00:00 2001
From: Glenn Strauss <gstrauss@gluelogic.com>
Date: Fri, 20 Jan 2023 18:48:14 -0500
Subject: [PATCH] [meson] mod_webdav_min w/o deps: xml2 sqlite3 uuid
---
src/meson.build | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/src/meson.build
+++ b/src/meson.build
@@ -865,6 +865,16 @@ if libsasl.found()
]
endif
+modules += [
+ [ 'mod_webdav_min', [ 'mod_webdav.c' ],
+ [ libelftc,
+ declare_dependency(compile_args: [
+ '-DMOD_WEBDAV_BUILD_MINIMAL',
+ '-Dmod_webdav_plugin_init=mod_webdav_min_plugin_init' ] )
+ ]
+ ]
+]
+
foreach mod: modules
mod_name = mod.get(0)
mod_sources = mod.get(1)

19
net/lighttpd/patches/020-meson-tests.patch
View file

@ -1,19 +0,0 @@
From d809433d6d900e899f796606b11bdc6a73413ac5 Mon Sep 17 00:00:00 2001
From: Glenn Strauss <gstrauss@gluelogic.com>
Date: Tue, 3 Jan 2023 17:50:16 -0500
Subject: [PATCH] [meson] remove t/test_mod_evasive.c
---
src/meson.build | 1 -
1 file changed, 1 deletion(-)
--- a/src/meson.build
+++ b/src/meson.build
@@ -721,7 +721,6 @@ test('test_mod', executable('test_mod',
't/test_mod.c',
't/test_mod_access.c',
't/test_mod_alias.c',
- 't/test_mod_evasive.c',
't/test_mod_evhost.c',
't/test_mod_indexfile.c',
't/test_mod_simple_vhost.c',

3
net/nginx-util/Makefile
View file

@ -2,7 +2,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=nginx-util
PKG_VERSION:=1.6
PKG_RELEASE:=$(AUTORELEASE)
PKG_RELEASE:=15
PKG_MAINTAINER:=Peter Stadler <peter.stadler@student.uibk.ac.at>
include $(INCLUDE_DIR)/package.mk
@ -11,6 +11,7 @@ include $(INCLUDE_DIR)/cmake.mk
CMAKE_OPTIONS+= -DUBUS=y
CMAKE_OPTIONS+= -DVERSION=$(PKG_VERSION)
TARGET_CFLAGS+= -Wno-error=deprecated-declarations
define Package/nginx-ssl-util/default
SECTION:=net

5
net/nsd/Makefile
View file

@ -8,12 +8,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=nsd
PKG_VERSION:=4.2.4
PKG_VERSION:=4.6.1
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://www.nlnetlabs.nl/downloads/nsd
PKG_HASH:=9ebd6d766765631a56c0eb332eac26b310fa39f662e5582c8210488cf91ef27c
PKG_HASH:=3f60a3a13ec3f68e84bfa7e19daff663c82bcf1de96e4f53f2246525e773a27a
PKG_MAINTAINER:=Vasilis Tsiligiannis <acinonyx@openwrt.gr>
PKG_LICENSE:=BSD-3-Clause
@ -21,6 +21,7 @@ PKG_LICENSE_FILES:=LICENSE
PKG_INSTALL:=1
PKG_BUILD_PARALLEL:=1
PKG_FIXUP:=autoreconf
include $(INCLUDE_DIR)/package.mk

43
net/nsd/patches/010-Fix-build-with-without-ssl.patch Normal file
View file

@ -0,0 +1,43 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz <cotequeiroz@gmail.com>
Date: Thu, 9 Feb 2023 13:48:31 -0300
Subject: [PATCH] Fix build with --without-ssl
Don't include COMMON_OBJ when compiling nsd-control without SSL.
Without SSL, nsd-control's only purpose is to print out an error
message. There's no need to include any other object files then.
*** THIS PATCH SHOULD NOT BE APPLIED TO NSD'S NEXT RELEASE ***
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
--- a/Makefile.in
+++ b/Makefile.in
@@ -85,7 +85,7 @@ NSD_OBJ=$(COMMON_OBJ) $(XFRD_OBJ) difffi
ALL_OBJ=$(NSD_OBJ) nsd-checkconf.o nsd-checkzone.o nsd-control.o nsd-mem.o xfr-inspect.o
NSD_CHECKCONF_OBJ=$(COMMON_OBJ) nsd-checkconf.o
NSD_CHECKZONE_OBJ=$(COMMON_OBJ) $(XFRD_OBJ) dbaccess.o dbcreate.o difffile.o ipc.o mini_event.o netio.o server.o zonec.o zparser.o zlexer.o nsd-checkzone.o verify.o
-NSD_CONTROL_OBJ=$(COMMON_OBJ) nsd-control.o
+NSD_CONTROL_OBJ=@NSD_CONTROL_COMMON_OBJ@ nsd-control.o
CUTEST_OBJ=$(COMMON_OBJ) $(XFRD_OBJ) dbaccess.o dbcreate.o difffile.o ipc.o mini_event.o netio.o server.o verify.o zonec.o zparser.o zlexer.o cutest_dname.o cutest_dns.o cutest_iterated_hash.o cutest_run.o cutest_radtree.o cutest_rbtree.o cutest_namedb.o cutest_options.o cutest_region.o cutest_rrl.o cutest_udb.o cutest_udbrad.o cutest_util.o cutest_bitset.o cutest_popen3.o cutest_iter.o cutest_event.o cutest.o qtest.o
NSD_MEM_OBJ=$(COMMON_OBJ) $(XFRD_OBJ) dbaccess.o dbcreate.o difffile.o ipc.o mini_event.o netio.o verify.o server.o zonec.o zparser.o zlexer.o nsd-mem.o
all: $(TARGETS) $(MANUALS)
--- a/configure.ac
+++ b/configure.ac
@@ -1015,6 +1015,7 @@ AC_SUBST(ratelimit_default)
# we need SSL for TSIG (and maybe also for NSEC3).
CHECK_SSL
if test x$HAVE_SSL = x"yes"; then
+ AC_SUBST(NSD_CONTROL_COMMON_OBJ,'$(COMMON_OBJ)')
ACX_LIB_SSL
# remove space after -ldl if there.
LIBS=`echo "$LIBS" | sed -e 's/ $//'`
@@ -1091,6 +1092,7 @@ AC_INCLUDES_DEFAULT
else
AC_MSG_WARN([No SSL, therefore remote-control is disabled])
AC_MSG_WARN([No SSL, therefore TLS is disabled])
+ AC_SUBST(NSD_CONTROL_COMMON_OBJ,)
fi
AC_ARG_ENABLE(nsec3, AS_HELP_STRING([--disable-nsec3],[Disable NSEC3 support]))

4
net/simple-adblock/Makefile
View file

@ -5,8 +5,8 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=simple-adblock
PKG_VERSION:=1.9.3
PKG_RELEASE:=7
PKG_VERSION:=1.9.4
PKG_RELEASE:=3
PKG_MAINTAINER:=Stan Grishin <stangri@melmac.ca>
PKG_LICENSE:=GPL-3.0-or-later

25
net/simple-adblock/files/simple-adblock.conf
View file

@ -27,6 +27,7 @@ config simple-adblock 'config'
option led 'none'
option parallel_downloads '1'
option procd_trigger_wan6 '0'
option procd_boot_wan_timeout '60'
option verbosity '2'
# File size: 16.0K
@ -71,9 +72,29 @@ config simple-adblock 'config'
# enabling this will disable processing of any other block/allow-lists
# option dnsmasq_config_file_url 'https://dnsmasq.oisd.nl/'
# File size: 19.0M
# File size: 1.4M
# block-list too big for most routers
# list blocked_domains_url 'https://dbl.oisd.nl/'
# list blocked_adblockplus_url 'https://small.oisd.nl/'
# File size: 6.2M
# block-list too big for most routers
# list blocked_adblockplus_url 'https://nsfw.oisd.nl/'
# File size: 6.2M
# block-list too big for most routers
# list blocked_adblockplus_url 'https://big.oisd.nl/'
# File size: 1.5M
# block-list too big for most routers
# list blocked_domains_url 'https://small.oisd.nl/domains'
# File size: 7.8M
# block-list too big for most routers
# list blocked_domains_url 'https://nsfw.oisd.nl/domains'
# File size: 19.9M
# block-list too big for most routers
# list blocked_domains_url 'https://big.oisd.nl/domains'
# site was down on last check
# list blocked_domains_url 'http://support.it-mate.co.uk/downloads/hosts.txt'

8
net/simple-adblock/files/simple-adblock.conf.update
View file

@ -8,8 +8,16 @@ s|raw.githubusercontent.com/StevenBlack/hosts/|cdn.jsdelivr.net/gh/StevenBlack/h
s|raw.githubusercontent.com/hoshsadiq/adblock-nocoin-list/|cdn.jsdelivr.net/gh/hoshsadiq/adblock-nocoin-list@|g
s|raw.githubusercontent.com/jawz101/MobileAdTrackers/|cdn.jsdelivr.net/gh/jawz101/MobileAdTrackers@|g
s|http://winhelp2002.mvps.org/hosts.txt|https://winhelp2002.mvps.org/hosts.txt|g
s|list blocked_domains_url 'https://dbl.oisd.nl/basic'|list blocked_adblockplus_url 'https://small.oisd.nl/'|g
s|list blocked_domains_url 'https://dbl.oisd.nl/nsfw'|list blocked_adblockplus_url 'https://nsfw.oisd.nl/'|g
s|list blocked_domains_url 'https://dbl.oisd.nl/'|list blocked_adblockplus_url 'https://big.oisd.nl/'|g
s|list blocked_hosts_url 'https://hosts.oisd.nl/basic'|list blocked_adblockplus_url 'https://small.oisd.nl/'|g
s|list blocked_hosts_url 'https://hosts.oisd.nl/nsfw'|list blocked_adblockplus_url 'https://nsfw.oisd.nl/'|g
s|list blocked_hosts_url 'https://hosts.oisd.nl/'|list blocked_adblockplus_url 'https://big.oisd.nl/'|g
\|dshield.org|d
\|www.malwaredomainlist.com/hostslist/hosts.txt|d
\|https://mirror1.malwaredomains.com/files/justdomains|d
\|lists.disconnect.me|d
\|https://cdn.jsdelivr.net/gh/paulgb/BarbBlock/blacklists/domain-list.txt|d
\|dnsmasq.oisd.nl|d
\|dnsmasq2.oisd.nl|d

199
net/simple-adblock/files/simple-adblock.init
View file

@ -62,7 +62,8 @@ readonly sharedMemoryError="/dev/shm/$packageName-error"
readonly sharedMemoryOutput="/dev/shm/$packageName-output"
readonly hostsFilter='/localhost/d;/^#/d;/^[^0-9]/d;s/^0\.0\.0\.0.//;s/^127\.0\.0\.1.//;s/[[:space:]]*#.*$//;s/[[:cntrl:]]$//;s/[[:space:]]//g;/[`~!@#\$%\^&\*()=+;:"'\'',<>?/\|[{}]/d;/]/d;/\./!d;/^$/d;/[^[:alnum:]_.-]/d;'
readonly domainsFilter='/^#/d;s/[[:space:]]*#.*$//;s/[[:space:]]*$//;s/[[:cntrl:]]$//;/[[:space:]]/d;/[`~!@#\$%\^&\*()=+;:"'\'',<>?/\|[{}]/d;/]/d;/\./!d;/^$/d;/[^[:alnum:]_.-]/d;'
readonly dnsmasqOISDFilter='\|^server=/[[:alnum:]_.-].*/|!d'
readonly adBlockPlusFilter='/^#/d;/^!/d;s/[[:space:]]*#.*$//;s/^||//;s/\^$//;s/[[:space:]]*$//;s/[[:cntrl:]]$//;/[[:space:]]/d;/[`~!@#\$%\^&\*()=+;:"'\'',<>?/\|[{}]/d;/]/d;/\./!d;/^$/d;/[^[:alnum:]_.-]/d;'
readonly dnsmasqFileFilter='\|^server=/[[:alnum:]_.-].*/|!d'
readonly _OK_='\033[0;32m\xe2\x9c\x93\033[0m'
readonly _FAIL_='\033[0;31m\xe2\x9c\x97\033[0m'
readonly __OK__='\033[0;32m[\xe2\x9c\x93]\033[0m'
@ -76,6 +77,20 @@ readonly nft="$(command -v nft)"
readonly canaryDomainsMozilla='use-application-dns.net'
readonly canaryDomainsiCloud='mask.icloud.com mask-h2.icloud.com'
dl_command=
dl_flag=
isSSLSupported=
outputFilter=
outputFilterIPv6=
outputFile=
outputGzip=
outputCache=
awk='awk'
load_environment_flag=
. /lib/functions/network.sh
. /usr/share/libubox/jshn.sh
debug() { local i j; for i in "$@"; do eval "j=\$$i"; echo "${i}: ${j} "; done; }
uci_add_list_if_new() {
@ -112,8 +127,7 @@ get_text() {
errorNoDnsmasqNftset)
r="dnsmasq nft set support is enabled in $packageName, but dnsmasq is either not installed or installed dnsmasq does not support nft set";;
errorNoNft) r="dnsmasq nft sets support is enabled in $packageName, but nft is not installed";;
errorMkdirFail) r="Unable to create directory for";;
errorNoWanGateway) r="The ${serviceName} service failed to discover WAN gateway!";;
errorNoWanGateway) r="The ${serviceName} failed to discover WAN gateway";;
errorOutputDirCreate) r="failed to create directory for %s file";;
errorOutputFileCreate) r="failed to create $outputFile file";;
errorFailDNSReload) r="failed to restart/reload DNS resolver";;
@ -193,9 +207,53 @@ output() {
fi
}
load_network() {
local param="$1"
local i j wan_if wan_gw wan_proto
local counter wan_if_timeout="$procd_boot_wan_timeout" wan_gw_timeout='5'
counter=0
while [ -z "$wan_if" ]; do
network_flush_cache
network_find_wan wan_if
if [ -n "$wan_if" ]; then
output "WAN interface found: '${wan_if}'.\\n"
break
fi
if [ "$counter" -gt "$wan_if_timeout" ]; then
output "WAN interface timeout, assuming 'wan'.\\n"
wan_if='wan'
break
fi
counter=$((counter+1))
output "Waiting to discover WAN Interface...\\n"
sleep 1
done
counter=0
wan_proto="$(uci -q get "network.${wan_if}.proto")"
if [ "$wan_proto" = 'pppoe' ]; then
wan_gw_timeout=$((wan_gw_timeout+10))
fi
while [ "$counter" -le "$wan_gw_timeout" ]; do
network_flush_cache
network_get_gateway wan_gw "$wan_if"
if [ -n "$wan_gw" ]; then
output "WAN gateway found: '${wan_gw}.'\\n"
return 0
fi
counter=$((counter+1))
output "Waiting to discover $wan_if gateway...\\n"
sleep 1
done
json add error "errorNoWanGateway"
output "${_ERROR_}: $(get_text 'errorNoWanGateway')!\\n"; return 1;
}
load_environment() {
local i j wan_if wan_gw
local validation_result="$1" quiet="$2"
local i j
local validation_result="$1" param="$2"
[ -z "$load_environment_flag" ] || return 0
if [ "$validation_result" != '0' ]; then
json add error "errorConfigValidationFail"
@ -222,7 +280,7 @@ load_environment() {
case "$dns" in
dnsmasq.conf) :;;
*)
if [ -z "$quiet" ]; then
if [ "$param" != 'quiet' ]; then
json add warning "warningExternalDnsmasqConfig"
output "${_WARNING_}: $(get_text 'warningExternalDnsmasqConfig')!\\n"
fi
@ -243,14 +301,14 @@ load_environment() {
case "$dns" in
dnsmasq.ipset)
if dnsmasq -v 2>/dev/null | grep -q 'no-ipset' || ! dnsmasq -v 2>/dev/null | grep -q -w 'ipset'; then
if [ -z "$quiet" ]; then
if [ "$param" != 'quiet' ]; then
json add error "errorNoDnsmasqIpset"
output "${_ERROR_}: $(get_text 'errorNoDnsmasqIpset')!\\n"
fi
dns='dnsmasq.servers'
fi
if ! ipset help hash:net; then
if [ -z "$quiet" ]; then
if [ "$param" != 'quiet' ]; then
json add error "errorNoIpset"
output "${_ERROR_}: $(get_text 'errorNoIpset')!\\n"
fi
@ -259,14 +317,14 @@ load_environment() {
;;
dnsmasq.nftset)
if dnsmasq -v 2>/dev/null | grep -q 'no-nftset' || ! dnsmasq -v 2>/dev/null | grep -q -w 'nftset'; then
if [ -z "$quiet" ]; then
if [ "$param" != 'quiet' ]; then
json add error "errorNoDnsmasqNftset"
output "${_ERROR_}: $(get_text 'errorNoDnsmasqNftset')!\\n"
fi
dns='dnsmasq.servers'
fi
if [ -z "$nft" ]; then
if [ -z "$quiet" ]; then
if [ "$param" != 'quiet' ]; then
json add error "errorNoNft"
output "${_ERROR_}: $(get_text 'errorNoNft')!\\n"
fi
@ -351,16 +409,15 @@ load_environment() {
;;
esac
for i in "$outputFile" "$outputCache" "$outputGzip"; do
for i in "$jsonFile" "$outputFile" "$outputCache" "$outputGzip"; do
if ! mkdir -p "$(dirname "$i")"; then
json add error "errorOutputDirCreate" "$i"
output "${_ERROR_}: $(get_text 'errorMkdirFail' "$i")!\\n"
if [ "$param" != 'quiet' ]; then
json add error "errorOutputDirCreate" "$i"
output "${_ERROR_}: $(get_text 'errorOutputDirCreate' "$i")!\\n"
fi
fi
done
. /lib/functions/network.sh
. /usr/share/libubox/jshn.sh
is_present 'gawk' && awk='gawk'
if ! is_present '/usr/libexec/grep-gnu' || ! is_present '/usr/libexec/sed-gnu' || \
! is_present '/usr/libexec/sort-coreutils' || ! is_present 'gawk'; then
@ -369,8 +426,8 @@ load_environment() {
is_present '/usr/libexec/grep-gnu' || s="$s grep"
is_present '/usr/libexec/sed-gnu' || s="$s sed"
is_present '/usr/libexec/sort-coreutils' || s="$s coreutils-sort"
if [ -z "$quiet" ]; then
json add warning "errorOutputFileCreate" "${i}"
if [ "$param" != 'quiet' ]; then
json add warning "warningMissingRecommendedPackages" "${i}"
output "${_WARNING_}: $(get_text 'warningMissingRecommendedPackages'), install them by running:\\n"
output "$s;\\n"
fi
@ -405,12 +462,15 @@ load_environment() {
else
unset isSSLSupported
fi
load_environment_flag=1
cache 'test' && return 0
cache 'test_gzip' && return 0
network_flush_cache; network_find_wan wan_if; network_get_gateway wan_gw "$wan_if";
[ -n "$wan_gw" ] && return 0
json add error "errorNoWanGateway"
output "${_ERROR_}: $(get_text 'errorNoWanGateway')!\\n"; return 1;
if [ "$param" = 'on_boot' ]; then
load_network "$param"
return "$?"
else
return 0
fi
}
resolver() {
@ -555,7 +615,7 @@ json() {
case "$param" in
triggers)
curReload="$parallel_downloads $debug $download_timeout $allowed_domain $blocked_domain $allowed_domains_url \
$blocked_domains_url $blocked_hosts_url $dns $config_update_enabled $config_update_url \
$blocked_adblockplus_url $blocked_domains_url $blocked_hosts_url $dns $config_update_enabled $config_update_url \
$dnsmasq_config_file_url $curl_max_file_size $curl_retry"
curRestart="$compressed_cache $force_dns $led $force_dns_port"
if [ ! -s "$jsonFile" ]; then
@ -589,7 +649,7 @@ json() {
case "$param" in
triggers)
reload="$parallel_downloads $debug $download_timeout $allowed_domain $blocked_domain $allowed_domains_url \
$blocked_domains_url $blocked_hosts_url $dns $config_update_enabled $config_update_url \
$blocked_adblockplus_url $blocked_domains_url $blocked_hosts_url $dns $config_update_enabled $config_update_url \
$dnsmasq_config_file_url $curl_max_file_size $curl_retry"
restart="$compressed_cache $force_dns $led $force_dns_port"
;;
@ -608,6 +668,7 @@ json() {
json_add_string reload "$reload"
json_add_string restart "$restart"
json_close_object
mkdir -p "$(dirname "$jsonFile")"
json_dump > "$jsonFile"
sync
}
@ -658,14 +719,22 @@ process_url() {
if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]; then return 1; fi
label="${1##*//}"; label="${label%%/*}";
case "$2" in
dnsmasq) label="Dnsmasq: $label"; filter="$dnsmasqOISDFilter";;
domains) label="Domains: $label"; filter="$domainsFilter";;
hosts) label="Hosts: $label"; filter="$hostsFilter";;
adbp) label="ADBPlus: $label"; filter="$adBlockPlusFilter"
;;
dnsmasq) label="Dnsmasq: $label"; filter="$dnsmasqFileFilter"
;;
domains) label="Domains: $label"; filter="$domainsFilter"
;;
hosts) label="Hosts: $label"; filter="$hostsFilter"
;;
esac
case "$3" in
allowed) type='Allowed'; D_TMP="$A_TMP";;
blocked) type='Blocked'; D_TMP="$B_TMP";;
file) type='File'; D_TMP="$B_TMP";;
allowed) type='Allowed'; D_TMP="$A_TMP"
;;
blocked) type='Blocked'; D_TMP="$B_TMP"
;;
file) type='File'; D_TMP="$B_TMP"
;;
esac
if [ "${1:0:5}" = "https" ] && [ -z "$isSSLSupported" ]; then
output 1 "$_FAIL_"
@ -676,7 +745,7 @@ process_url() {
while [ -z "$R_TMP" ] || [ -e "$R_TMP" ]; do
R_TMP="$(mktemp -u -q -t ${packageName}_tmp.XXXXXXXX)"
done
if ! $dl_command "$1" $dl_flag "$R_TMP" 2>/dev/null || [ ! -s "$R_TMP" ]; then
if ! $dl_command "$1" "$dl_flag" "$R_TMP" 2>/dev/null || [ ! -s "$R_TMP" ]; then
output 1 "$_FAIL_"
output 2 "[DL] $type $label $__FAIL__\\n"
echo "errorDownloadingList|${1}" >> "$sharedMemoryError"
@ -757,6 +826,13 @@ download_lists() {
process_url "$hf" 'hosts' 'blocked'
fi
done
for hf in ${blocked_adblockplus_url}; do
if [ "$parallel_downloads" -gt 0 ]; then
process_url "$hf" 'adbp' 'blocked' &
else
process_url "$hf" 'adbp' 'blocked'
fi
done
for hf in ${blocked_domains_url}; do
if [ "$parallel_downloads" -gt 0 ]; then
process_url "$hf" 'domains' 'blocked' &
@ -1080,8 +1156,12 @@ adb_check() {
adb_config_update() {
local R_TMP label
local param="$1" validation_result="$3"
load_environment "$validation_result" 'quiet' || return 1
local param validation_result="$3"
case "$1" in
on_boot) param="$1";;
*) param='quiet';;
esac
load_environment "$validation_result" "$param" || return 1
label="${config_update_url##*//}"
label="${label%%/*}";
[ "$config_update_enabled" -ne 0 ] || return 0
@ -1094,7 +1174,7 @@ adb_config_update() {
while [ -z "$R_TMP" ] || [ -e "$R_TMP" ]; do
R_TMP="$(mktemp -u -q -t ${packageName}_tmp.XXXXXXXX)"
done
if ! $dl_command "$config_update_url" $dl_flag "$R_TMP" 2>/dev/null || [ ! -s "$R_TMP" ]; then
if ! $dl_command "$config_update_url" "$dl_flag" "$R_TMP" 2>/dev/null || [ ! -s "$R_TMP" ]; then
output 1 "$_FAIL_\\n"
output 2 "[DL] Config Update: $label $__FAIL__\\n"
json add error "errorDownloadingConfigUpdate"
@ -1118,9 +1198,27 @@ adb_sizes() {
load_environment "$validation_result" 'quiet' || return 1
echo "# $(date)"
for i in $blocked_domains_url; do
for i in ${blocked_adblockplus_url}; do
[ "${i//melmac}" != "$i" ] && continue
if $dl_command "$i" $dl_flag /tmp/sast 2>/dev/null && [ -s /tmp/sast ]; then
if $dl_command "$i" "$dl_flag" /tmp/sast 2>/dev/null && [ -s /tmp/sast ]; then
echo "# File size: $(du -sh /tmp/sast | $awk '{print $1}')"
if is_greater "$(du -sk /tmp/sast)" "500"; then
echo "# block-list too big for most routers"
elif is_greater "$(du -sk /tmp/sast)" "100"; then
echo "# block-list may be too big for some routers"
fi
rm -rf /tmp/sast
echo " list blocked_adblockplus_url '$i'"
echo ""
else
echo "# site was down on last check"
echo "# list blocked_adblockplus_url '$i'"
echo ""
fi
done
for i in ${blocked_domains_url}; do
[ "${i//melmac}" != "$i" ] && continue
if $dl_command "$i" "$dl_flag" /tmp/sast 2>/dev/null && [ -s /tmp/sast ]; then
echo "# File size: $(du -sh /tmp/sast | $awk '{print $1}')"
if is_greater "$(du -sk /tmp/sast)" "500"; then
echo "# block-list too big for most routers"
@ -1136,8 +1234,8 @@ adb_sizes() {
echo ""
fi
done
for i in $blocked_hosts_url; do
if $dl_command "$i" $dl_flag /tmp/sast 2>/dev/null && [ -s /tmp/sast ]; then
for i in ${blocked_hosts_url}; do
if $dl_command "$i" "$dl_flag" /tmp/sast 2>/dev/null && [ -s /tmp/sast ]; then
echo "# File size: $(du -sh /tmp/sast | $awk '{print $1}')"
if is_greater "$(du -sk /tmp/sast)" "500"; then
echo "# block-list too big for most routers"
@ -1157,9 +1255,9 @@ adb_sizes() {
adb_start() {
local action status error message stats c
local validation_result="$3"
local param="$1" validation_result="$3"
load_environment "$validation_result" || return 1
load_environment "$validation_result" "$param" || return 1
status="$(json get status)"
error="$(json get error)"
@ -1272,7 +1370,11 @@ adb_start() {
procd_open_data
json_add_string 'status' "$(json get status)"
json_add_string 'errors' "$(json get errors)"
json_add_int 'entries' "$(wc -l < "$outputFile")"
if [ -s "$outputFile" ]; then
json_add_int 'entries' "$(wc -l < "$outputFile")"
else
json_add_int 'entries' '0'
fi
json_add_array firewall
if [ "$force_dns" -ne 0 ]; then
for c in $force_dns_port; do
@ -1460,15 +1562,6 @@ stop_service() { load_validate_config 'config' adb_stop "'$*'"; }
version() { echo "$PKG_VERSION"; }
load_validate_config() {
local dl_command
local dl_flag
local isSSLSupported
local outputFilter
local outputFilterIPv6
local outputFile
local outputGzip
local outputCache
local awk='awk'
local enabled
local force_dns
local force_dns_port
@ -1481,16 +1574,18 @@ load_validate_config() {
local canary_domains_mozilla
local config_update_enabled
local config_update_url
local boot_delay
local download_timeout
local curl_max_file_size
local curl_retry
local verbosity
local procd_trigger_wan6
local procd_boot_wan_timeout
local led
local dns
local dns_instance
local allowed_domain
local allowed_domains_url
local blocked_adblockplus_url
local blocked_domain
local blocked_domains_url
local blocked_hosts_url
@ -1513,12 +1608,14 @@ load_validate_config() {
'curl_retry:range(0,30):3' \
'verbosity:range(0,2):2' \
'procd_trigger_wan6:bool:0' \
'procd_boot_wan_timeout:integer:60' \
'led:or("", "none", file, device, string)' \
'dns:or("dnsmasq.addnhosts", "dnsmasq.conf", "dnsmasq.ipset", "dnsmasq.nftset", "dnsmasq.servers", "unbound.adb_list"):dnsmasq.servers' \
'dns_instance:or(list(integer, string)):0' \
'allowed_domain:list(string)' \
'allowed_domains_url:list(string)' \
'blocked_domain:list(string)' \
'blocked_adblockplus_url:list(string)' \
'blocked_domains_url:list(string)' \
'blocked_hosts_url:list(string)' \
'dnsmasq_config_file_url:string'

10
net/squid/Makefile
View file

@ -8,13 +8,13 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=squid
PKG_VERSION:=4.17
PKG_RELEASE:=$(AUTORELEASE)
PKG_VERSION:=5.7
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=http://www2.pl.squid-cache.org/Versions/v4/ \
http://www.squid-cache.org/Versions/v4/
PKG_HASH:=cb928ac08c7c86b151b1c8f827abe1a84d83181a2a86e0d512286163e1e31418
PKG_SOURCE_URL:=http://www2.pl.squid-cache.org/Versions/v5/ \
http://www.squid-cache.org/Versions/v5/
PKG_HASH:=6b0753aaba4c9c4efd333e67124caecf7ad6cc2d38581f19d2f0321f5b7ecd81
PKG_MAINTAINER:=Marko Ratkaj <markoratkaj@gmail.com>
PKG_LICENSE:=GPL-2.0-or-later

12
net/squid/patches/001-glibc-compile.patch
View file

@ -1,12 +0,0 @@
--- a/src/tools.cc
+++ b/src/tools.cc
@@ -582,7 +582,8 @@ enter_suid(void)
}
#else
- setuid(0);
+ if (setuid(0) < 0)
+ debugs(50, 1, "no_suid: setuid (0)");
#endif
#if HAVE_PRCTL && defined(PR_SET_DUMPABLE)
/* Set Linux DUMPABLE flag */

2
net/squid/patches/010-no-buildbxxflags.patch → net/squid/patches/010-no-buildcxxflags.patch
View file

@ -1,6 +1,6 @@
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -765,7 +765,7 @@ cache_cf.o: cf_parser.cci
@@ -761,7 +761,7 @@ cache_cf.o: cf_parser.cci
# cf_gen builds the configuration files.
cf_gen$(EXEEXT): $(cf_gen_SOURCES) $(cf_gen_DEPENDENCIES) cf_gen_defines.cci

10
net/squid/patches/020-libxml-drop-xmlSetFeature.patch
View file

@ -1,10 +0,0 @@
--- a/src/esi/Libxml2Parser.cc
+++ b/src/esi/Libxml2Parser.cc
@@ -91,7 +91,6 @@ ESILibxml2Parser::ESILibxml2Parser(ESIPa
/* TODO: grab the document encoding from the headers */
parser = xmlCreatePushParserCtxt(&sax, static_cast<void *>(this), NULL, 0, NULL);
- xmlSetFeature(parser, "substitute entities", 0);
if (entity_doc == NULL)
entity_doc = htmlNewDoc(NULL, NULL);

10
net/transmission/files/transmission.init
View file

@ -58,15 +58,15 @@ transmission() {
local incomplete_dir
config_get incomplete_dir "$cfg" 'incomplete_dir' '/var/etc/transmission'
local incomplete_dir_enabled
config_get incomplete_dir_enabled "$cfg" 'incomplete_dir_enabled' 0
config_get_bool incomplete_dir_enabled "$cfg" 'incomplete_dir_enabled' 0
local watch_dir
config_get watch_dir "$cfg" 'watch_dir' '/var/etc/transmission'
local watch_dir_enabled
config_get watch_dir_enabled "$cfg" 'watch_dir_enabled' 0
config_get_bool watch_dir_enabled "$cfg" 'watch_dir_enabled' 0
local mem_percentage
config_get mem_percentage "$cfg" 'mem_percentage' '50'
local config_overwrite
config_get config_overwrite "$cfg" config_overwrite 1
config_get_bool config_overwrite "$cfg" config_overwrite 1
local nice
config_get nice "$cfg" nice 0
local web_home
@ -196,9 +196,9 @@ transmission_mount_triggers() {
watch_dir watch_dir_enabled web_home service_dirs
config_get config_dir "$cfg" 'config_dir' '/var/etc/transmission'
config_get download_dir "$cfg" 'download_dir' '/var/etc/transmission'
config_get incomplete_dir_enabled "$cfg" 'incomplete_dir_enabled' 0
config_get_bool incomplete_dir_enabled "$cfg" 'incomplete_dir_enabled' 0
config_get incomplete_dir "$cfg" 'incomplete_dir' '/var/etc/transmission'
config_get watch_dir_enabled "$cfg" 'watch_dir_enabled' 0
config_get_bool watch_dir_enabled "$cfg" 'watch_dir_enabled' 0
config_get watch_dir "$cfg" 'watch_dir' '/var/etc/transmission'
config_get web_home "$cfg" 'web_home'

2
net/umurmur/Makefile
View file

@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=umurmur
PKG_VERSION:=0.2.20
PKG_RELEASE:=1
PKG_RELEASE:=2
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://codeload.github.com/umurmur/umurmur/tar.gz/$(PKG_VERSION)?

11
net/umurmur/patches/010-umurmur-0.2.20-openssl3.patch Normal file
View file

@ -0,0 +1,11 @@
--- a/src/ssli_openssl.c
+++ b/src/ssli_openssl.c
@@ -142,8 +142,6 @@ static EVP_PKEY *SSL_generate_cert_and_k
Log_info("Generating new server certificate.");
- CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
-
x509 = X509_new();
if (!x509)
goto err_out;

4
net/v2ray-core/Makefile
View file

@ -5,12 +5,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=v2ray-core
PKG_VERSION:=5.3.0
PKG_VERSION:=5.4.0
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://codeload.github.com/v2fly/v2ray-core/tar.gz/v$(PKG_VERSION)?
PKG_HASH:=8e97e2647cb1dee8aa7e71df276c56d74258b2d97bb490a362afa84bdf1b9e25
PKG_HASH:=86be35461a9dc7d037e0045771d99f1eae284fdb7aa0818a6782d18b6b003fca
PKG_LICENSE:=MIT
PKG_LICENSE_FILES:=LICENSE

4
utils/yq/Makefile
View file

@ -1,12 +1,12 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=yq
PKG_VERSION:=4.30.8
PKG_VERSION:=4.31.1
PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://codeload.github.com/mikefarah/yq/tar.gz/v$(PKG_VERSION)?
PKG_HASH:=aaf6c9f37968970413b8a6daf0b313a86efd1b8e3e5959e527b50636508eb776
PKG_HASH:=6481cd93fe9a773ea20f738a3340c88e691f3d073bc6d2fceee3f5b3867399fc
PKG_MAINTAINER:=Tianling Shen <cnsztl@immortalwrt.org>
PKG_LICENSE:=MIT