From 63dc13d7d2f5150bf3cf4b6648d8c7f10975381f Mon Sep 17 00:00:00 2001 From: Salim B Date: Sun, 12 Feb 2023 22:20:00 +0100 Subject: [PATCH 01/28] transmission: retrieve boolean config opts using `config_get_bool` The tranmission UCI config options - `config_overwrite` - `incomplete_dir_enabled` - `watch_dir_enabled` are all booleans, so we have to retrieve them using `config_get_bool` in order to make sure they are properly interpreted in case the user sets them to a keyword (`true`/`false`, `on`/`off` etc.) and not an integer (`0`/`1`). Signed-off-by: Salim B --- net/transmission/files/transmission.init | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/net/transmission/files/transmission.init b/net/transmission/files/transmission.init index 0e6e043d9..a6bc00f01 100644 --- a/net/transmission/files/transmission.init +++ b/net/transmission/files/transmission.init @@ -58,15 +58,15 @@ transmission() { local incomplete_dir config_get incomplete_dir "$cfg" 'incomplete_dir' '/var/etc/transmission' local incomplete_dir_enabled - config_get incomplete_dir_enabled "$cfg" 'incomplete_dir_enabled' 0 + config_get_bool incomplete_dir_enabled "$cfg" 'incomplete_dir_enabled' 0 local watch_dir config_get watch_dir "$cfg" 'watch_dir' '/var/etc/transmission' local watch_dir_enabled - config_get watch_dir_enabled "$cfg" 'watch_dir_enabled' 0 + config_get_bool watch_dir_enabled "$cfg" 'watch_dir_enabled' 0 local mem_percentage config_get mem_percentage "$cfg" 'mem_percentage' '50' local config_overwrite - config_get config_overwrite "$cfg" config_overwrite 1 + config_get_bool config_overwrite "$cfg" config_overwrite 1 local nice config_get nice "$cfg" nice 0 local web_home @@ -196,9 +196,9 @@ transmission_mount_triggers() { watch_dir watch_dir_enabled web_home service_dirs config_get config_dir "$cfg" 'config_dir' '/var/etc/transmission' config_get download_dir "$cfg" 'download_dir' '/var/etc/transmission' - config_get incomplete_dir_enabled "$cfg" 'incomplete_dir_enabled' 0 + config_get_bool incomplete_dir_enabled "$cfg" 'incomplete_dir_enabled' 0 config_get incomplete_dir "$cfg" 'incomplete_dir' '/var/etc/transmission' - config_get watch_dir_enabled "$cfg" 'watch_dir_enabled' 0 + config_get_bool watch_dir_enabled "$cfg" 'watch_dir_enabled' 0 config_get watch_dir "$cfg" 'watch_dir' '/var/etc/transmission' config_get web_home "$cfg" 'web_home' From ab6fbdc44a4fa83b5696a497752bd71313a8d513 Mon Sep 17 00:00:00 2001 From: Eneas U de Queiroz Date: Thu, 9 Feb 2023 10:52:59 -0300 Subject: [PATCH 02/28] gost_engine: add version 3.0.0.1 With OpenSSL soon to be updated to 3.0, the gost engine will have to be bumped as well. Gost 3.0.0.1 will not build with OpenSSL 1.1. To avoid disruption, this commit detects the OpenSSL version from ENGINES_DIR in include/openssl-engin, and sets the package version accordingly. Signed-off-by: Eneas U de Queiroz --- libs/gost_engine/Makefile | 18 ++++-- .../010-openssl-deprecated.patch | 0 .../020-cmake-allow-cross-compile.patch | 59 +++++++++++++++++++ .../patches-3/030-dont-build-provider.patch | 56 ++++++++++++++++++ 4 files changed, 128 insertions(+), 5 deletions(-) rename libs/gost_engine/{patches => patches-1.1}/010-openssl-deprecated.patch (100%) create mode 100644 libs/gost_engine/patches-3/020-cmake-allow-cross-compile.patch create mode 100644 libs/gost_engine/patches-3/030-dont-build-provider.patch diff --git a/libs/gost_engine/Makefile b/libs/gost_engine/Makefile index 0ba69f726..94f6c990e 100644 --- a/libs/gost_engine/Makefile +++ b/libs/gost_engine/Makefile @@ -1,19 +1,27 @@ include $(TOPDIR)/rules.mk +include $(INCLUDE_DIR)/openssl-engine.mk PKG_NAME:=gost_engine -PKG_VERSION:=1.1.0.3 -PKG_RELEASE:=$(AUTORELEASE) +ifeq ($(ENGINES_DIR),engines-1.1) + PKG_VERSION:=1.1.0.3 + PKG_HASH:=fff725052e82c9adb5b738729b30141f61ac91fa457a4f4b5de18b8b24092f75 + PKG_LICENSE:=OpenSSL + PATCH_DIR=./patches-1.1 +else + PKG_VERSION:=3.0.1 + PKG_HASH:=bfeac85883724cfbe0ecc6d942ac0524b908143e019ab3d3b6abe47a3466a628 + PKG_LICENSE:=Apache-2.0 + PATCH_DIR=./patches-3 +endif +PKG_RELEASE:=7 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://github.com/gost-engine/engine/archive/v$(PKG_VERSION) -PKG_HASH:=fff725052e82c9adb5b738729b30141f61ac91fa457a4f4b5de18b8b24092f75 PKG_MAINTAINER:=Artur Petrov -PKG_LICENSE:=OpenSSL include $(INCLUDE_DIR)/package.mk include $(INCLUDE_DIR)/cmake.mk -include $(INCLUDE_DIR)/openssl-engine.mk PKG_UNPACK:=$(HOST_TAR) -C "$(PKG_BUILD_DIR)" --strip-components=1 -xzf "$(DL_DIR)/$(PKG_SOURCE)" PKG_INSTALL:= diff --git a/libs/gost_engine/patches/010-openssl-deprecated.patch b/libs/gost_engine/patches-1.1/010-openssl-deprecated.patch similarity index 100% rename from libs/gost_engine/patches/010-openssl-deprecated.patch rename to libs/gost_engine/patches-1.1/010-openssl-deprecated.patch diff --git a/libs/gost_engine/patches-3/020-cmake-allow-cross-compile.patch b/libs/gost_engine/patches-3/020-cmake-allow-cross-compile.patch new file mode 100644 index 000000000..e1a0e3d88 --- /dev/null +++ b/libs/gost_engine/patches-3/020-cmake-allow-cross-compile.patch @@ -0,0 +1,59 @@ +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -64,31 +64,35 @@ else() + add_definitions(-DL_ENDIAN) + endif() + +-check_c_source_runs(" +- #ifdef _MSC_VER +- # include +- #else +- # include +- #endif +- int main(void) { +- unsigned long long x = -1, y = 1, r; +- unsigned char cf; +- cf = _addcarry_u64(1, x, y, &r); +- return !(cf == 1 && r == 1); +- } +- " ADDCARRY_U64) ++if(NOT CMAKE_CROSSCOMPILING) ++ check_c_source_runs(" ++ #ifdef _MSC_VER ++ # include ++ #else ++ # include ++ #endif ++ int main(void) { ++ unsigned long long x = -1, y = 1, r; ++ unsigned char cf; ++ cf = _addcarry_u64(1, x, y, &r); ++ return !(cf == 1 && r == 1); ++ } ++ " ADDCARRY_U64) ++ ++ check_c_source_runs(" ++ int main(void) { ++ char buf[16] = { 0, 1, 2 }; ++ int *p = (int *)(buf + 1); ++ int *q = (int *)(buf + 2); ++ return (*p == *q); ++ } ++ " RELAXED_ALIGNMENT) ++endif() ++ + if (ADDCARRY_U64) + add_definitions(-DHAVE_ADDCARRY_U64) + endif() + +-check_c_source_runs(" +- int main(void) { +- char buf[16] = { 0, 1, 2 }; +- int *p = (int *)(buf + 1); +- int *q = (int *)(buf + 2); +- return (*p == *q); +- } +- " RELAXED_ALIGNMENT) + if (NOT RELAXED_ALIGNMENT) + add_definitions(-DSTRICT_ALIGNMENT) + endif() diff --git a/libs/gost_engine/patches-3/030-dont-build-provider.patch b/libs/gost_engine/patches-3/030-dont-build-provider.patch new file mode 100644 index 000000000..e0e1f5ddc --- /dev/null +++ b/libs/gost_engine/patches-3/030-dont-build-provider.patch @@ -0,0 +1,56 @@ +--- a/CMakeLists.txt ++++ b/CMakeLists.txt +@@ -357,9 +357,11 @@ set_target_properties(lib_gost_engine PR + COMPILE_DEFINITIONS "BUILDING_ENGINE_AS_LIBRARY" + PUBLIC_HEADER gost-engine.h + OUTPUT_NAME "gost") +-target_link_libraries(lib_gost_engine PRIVATE gost_core gost_err) ++#target_link_libraries(lib_gost_engine PRIVATE gost_core gost_err) ++target_link_libraries(lib_gost_engine PRIVATE gost_core) + endif() + ++if (0) + # The GOST provider uses this + add_subdirectory(libprov) + +@@ -384,6 +386,7 @@ set_target_properties(lib_gost_prov PROP + ) + target_link_libraries(lib_gost_prov PRIVATE gost_core libprov) + endif() ++endif() + + set(GOST_SUM_SOURCE_FILES + gostsum.c +@@ -424,15 +427,15 @@ install(FILES gostsum.1 gost12sum.1 DEST + install(TARGETS gost_engine EXPORT GostEngineConfig + LIBRARY DESTINATION ${OPENSSL_ENGINES_DIR} + RUNTIME DESTINATION ${OPENSSL_ENGINES_DIR}) +-install(TARGETS gost_prov EXPORT GostProviderConfig +- LIBRARY DESTINATION ${OPENSSL_MODULES_DIR} +- RUNTIME DESTINATION ${OPENSSL_MODULES_DIR}) ++#install(TARGETS gost_prov EXPORT GostProviderConfig ++# LIBRARY DESTINATION ${OPENSSL_MODULES_DIR} ++# RUNTIME DESTINATION ${OPENSSL_MODULES_DIR}) + if (NOT MSVC) + # install engine and provider in library form + install(TARGETS lib_gost_engine EXPORT GostEngineConfig + LIBRARY DESTINATION ${CMAKE_INSTALL_LIBDIR}) +-install(TARGETS lib_gost_prov EXPORT GostProviderConfig +- LIBRARY DESTINATION ${CMAKE_INSTALL_LIBDIR}) ++#install(TARGETS lib_gost_prov EXPORT GostProviderConfig ++# LIBRARY DESTINATION ${CMAKE_INSTALL_LIBDIR}) + endif() + + if (MSVC) +@@ -440,8 +443,8 @@ if (MSVC) + EXPORT GostEngineConfig DESTINATION ${CMAKE_INSTALL_BINDIR} OPTIONAL) + install(FILES $ + EXPORT GostEngineConfig DESTINATION ${OPENSSL_ENGINES_DIR} OPTIONAL) +- install(FILES $ +- EXPORT GostProviderConfig DESTINATION ${OPENSSL_MODULES_DIR} OPTIONAL) ++# install(FILES $ ++# EXPORT GostProviderConfig DESTINATION ${OPENSSL_MODULES_DIR} OPTIONAL) + endif() + install(EXPORT GostEngineConfig DESTINATION GostEngine/share/cmake/GostEngine) +-install(EXPORT GostProviderConfig DESTINATION GostEngine/share/cmake/GostProvider) ++#install(EXPORT GostProviderConfig DESTINATION GostEngine/share/cmake/GostProvider) From c4f3f54386b177b893ca4add268a5076aef5ce4a Mon Sep 17 00:00:00 2001 From: Eneas U de Queiroz Date: Thu, 9 Feb 2023 11:25:47 -0300 Subject: [PATCH 03/28] nginx-util: allow building with OpenSSL 3.0 Add -Wno-error=deprecated-declarations to CFLAGS to allow usage of deprecated API. Signed-off-by: Eneas U de Queiroz --- net/nginx-util/Makefile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/nginx-util/Makefile b/net/nginx-util/Makefile index f5bb54d11..2ff4da194 100644 --- a/net/nginx-util/Makefile +++ b/net/nginx-util/Makefile @@ -2,7 +2,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=nginx-util PKG_VERSION:=1.6 -PKG_RELEASE:=$(AUTORELEASE) +PKG_RELEASE:=15 PKG_MAINTAINER:=Peter Stadler include $(INCLUDE_DIR)/package.mk @@ -11,6 +11,7 @@ include $(INCLUDE_DIR)/cmake.mk CMAKE_OPTIONS+= -DUBUS=y CMAKE_OPTIONS+= -DVERSION=$(PKG_VERSION) +TARGET_CFLAGS+= -Wno-error=deprecated-declarations define Package/nginx-ssl-util/default SECTION:=net From 94b06478ed6d2c20b75b2dc5eb81e0de2cdb98c5 Mon Sep 17 00:00:00 2001 From: Eneas U de Queiroz Date: Thu, 9 Feb 2023 13:40:16 -0300 Subject: [PATCH 04/28] nsd: bump to 4.6.1 This version adds compatibility with OpenSSL 3.0. There's a patch, submitted upstream, to fix building without SSL. Signed-off-by: Eneas U de Queiroz --- net/nsd/Makefile | 5 ++- .../010-Fix-build-with-without-ssl.patch | 43 +++++++++++++++++++ 2 files changed, 46 insertions(+), 2 deletions(-) create mode 100644 net/nsd/patches/010-Fix-build-with-without-ssl.patch diff --git a/net/nsd/Makefile b/net/nsd/Makefile index d1469b9b5..33cd8b8b4 100644 --- a/net/nsd/Makefile +++ b/net/nsd/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=nsd -PKG_VERSION:=4.2.4 +PKG_VERSION:=4.6.1 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://www.nlnetlabs.nl/downloads/nsd -PKG_HASH:=9ebd6d766765631a56c0eb332eac26b310fa39f662e5582c8210488cf91ef27c +PKG_HASH:=3f60a3a13ec3f68e84bfa7e19daff663c82bcf1de96e4f53f2246525e773a27a PKG_MAINTAINER:=Vasilis Tsiligiannis PKG_LICENSE:=BSD-3-Clause @@ -21,6 +21,7 @@ PKG_LICENSE_FILES:=LICENSE PKG_INSTALL:=1 PKG_BUILD_PARALLEL:=1 +PKG_FIXUP:=autoreconf include $(INCLUDE_DIR)/package.mk diff --git a/net/nsd/patches/010-Fix-build-with-without-ssl.patch b/net/nsd/patches/010-Fix-build-with-without-ssl.patch new file mode 100644 index 000000000..71cb67bf9 --- /dev/null +++ b/net/nsd/patches/010-Fix-build-with-without-ssl.patch @@ -0,0 +1,43 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Eneas U de Queiroz +Date: Thu, 9 Feb 2023 13:48:31 -0300 +Subject: [PATCH] Fix build with --without-ssl + +Don't include COMMON_OBJ when compiling nsd-control without SSL. + +Without SSL, nsd-control's only purpose is to print out an error +message. There's no need to include any other object files then. + +*** THIS PATCH SHOULD NOT BE APPLIED TO NSD'S NEXT RELEASE *** + +Signed-off-by: Eneas U de Queiroz + +--- a/Makefile.in ++++ b/Makefile.in +@@ -85,7 +85,7 @@ NSD_OBJ=$(COMMON_OBJ) $(XFRD_OBJ) difffi + ALL_OBJ=$(NSD_OBJ) nsd-checkconf.o nsd-checkzone.o nsd-control.o nsd-mem.o xfr-inspect.o + NSD_CHECKCONF_OBJ=$(COMMON_OBJ) nsd-checkconf.o + NSD_CHECKZONE_OBJ=$(COMMON_OBJ) $(XFRD_OBJ) dbaccess.o dbcreate.o difffile.o ipc.o mini_event.o netio.o server.o zonec.o zparser.o zlexer.o nsd-checkzone.o verify.o +-NSD_CONTROL_OBJ=$(COMMON_OBJ) nsd-control.o ++NSD_CONTROL_OBJ=@NSD_CONTROL_COMMON_OBJ@ nsd-control.o + CUTEST_OBJ=$(COMMON_OBJ) $(XFRD_OBJ) dbaccess.o dbcreate.o difffile.o ipc.o mini_event.o netio.o server.o verify.o zonec.o zparser.o zlexer.o cutest_dname.o cutest_dns.o cutest_iterated_hash.o cutest_run.o cutest_radtree.o cutest_rbtree.o cutest_namedb.o cutest_options.o cutest_region.o cutest_rrl.o cutest_udb.o cutest_udbrad.o cutest_util.o cutest_bitset.o cutest_popen3.o cutest_iter.o cutest_event.o cutest.o qtest.o + NSD_MEM_OBJ=$(COMMON_OBJ) $(XFRD_OBJ) dbaccess.o dbcreate.o difffile.o ipc.o mini_event.o netio.o verify.o server.o zonec.o zparser.o zlexer.o nsd-mem.o + all: $(TARGETS) $(MANUALS) +--- a/configure.ac ++++ b/configure.ac +@@ -1015,6 +1015,7 @@ AC_SUBST(ratelimit_default) + # we need SSL for TSIG (and maybe also for NSEC3). + CHECK_SSL + if test x$HAVE_SSL = x"yes"; then ++ AC_SUBST(NSD_CONTROL_COMMON_OBJ,'$(COMMON_OBJ)') + ACX_LIB_SSL + # remove space after -ldl if there. + LIBS=`echo "$LIBS" | sed -e 's/ $//'` +@@ -1091,6 +1092,7 @@ AC_INCLUDES_DEFAULT + else + AC_MSG_WARN([No SSL, therefore remote-control is disabled]) + AC_MSG_WARN([No SSL, therefore TLS is disabled]) ++ AC_SUBST(NSD_CONTROL_COMMON_OBJ,) + fi + + AC_ARG_ENABLE(nsec3, AS_HELP_STRING([--disable-nsec3],[Disable NSEC3 support])) From 78dcc29e47079b6f5aad917dcdf935325b5e4fdf Mon Sep 17 00:00:00 2001 From: Eneas U de Queiroz Date: Thu, 9 Feb 2023 15:05:30 -0300 Subject: [PATCH 05/28] squid: bump to release 5.7 This is the latest version and brings compatibility with OpenSSL 3.0. Signed-off-by: Eneas U de Queiroz --- net/squid/Makefile | 10 +++++----- net/squid/patches/001-glibc-compile.patch | 12 ------------ ...uildbxxflags.patch => 010-no-buildcxxflags.patch} | 2 +- .../patches/020-libxml-drop-xmlSetFeature.patch | 10 ---------- 4 files changed, 6 insertions(+), 28 deletions(-) delete mode 100644 net/squid/patches/001-glibc-compile.patch rename net/squid/patches/{010-no-buildbxxflags.patch => 010-no-buildcxxflags.patch} (91%) delete mode 100644 net/squid/patches/020-libxml-drop-xmlSetFeature.patch diff --git a/net/squid/Makefile b/net/squid/Makefile index f55dcf841..79299e0b7 100644 --- a/net/squid/Makefile +++ b/net/squid/Makefile @@ -8,13 +8,13 @@ include $(TOPDIR)/rules.mk PKG_NAME:=squid -PKG_VERSION:=4.17 -PKG_RELEASE:=$(AUTORELEASE) +PKG_VERSION:=5.7 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz -PKG_SOURCE_URL:=http://www2.pl.squid-cache.org/Versions/v4/ \ - http://www.squid-cache.org/Versions/v4/ -PKG_HASH:=cb928ac08c7c86b151b1c8f827abe1a84d83181a2a86e0d512286163e1e31418 +PKG_SOURCE_URL:=http://www2.pl.squid-cache.org/Versions/v5/ \ + http://www.squid-cache.org/Versions/v5/ +PKG_HASH:=6b0753aaba4c9c4efd333e67124caecf7ad6cc2d38581f19d2f0321f5b7ecd81 PKG_MAINTAINER:=Marko Ratkaj PKG_LICENSE:=GPL-2.0-or-later diff --git a/net/squid/patches/001-glibc-compile.patch b/net/squid/patches/001-glibc-compile.patch deleted file mode 100644 index fd11e85ce..000000000 --- a/net/squid/patches/001-glibc-compile.patch +++ /dev/null @@ -1,12 +0,0 @@ ---- a/src/tools.cc -+++ b/src/tools.cc -@@ -582,7 +582,8 @@ enter_suid(void) - } - #else - -- setuid(0); -+ if (setuid(0) < 0) -+ debugs(50, 1, "no_suid: setuid (0)"); - #endif - #if HAVE_PRCTL && defined(PR_SET_DUMPABLE) - /* Set Linux DUMPABLE flag */ diff --git a/net/squid/patches/010-no-buildbxxflags.patch b/net/squid/patches/010-no-buildcxxflags.patch similarity index 91% rename from net/squid/patches/010-no-buildbxxflags.patch rename to net/squid/patches/010-no-buildcxxflags.patch index 163248545..c5a5eb61b 100644 --- a/net/squid/patches/010-no-buildbxxflags.patch +++ b/net/squid/patches/010-no-buildcxxflags.patch @@ -1,6 +1,6 @@ --- a/src/Makefile.am +++ b/src/Makefile.am -@@ -765,7 +765,7 @@ cache_cf.o: cf_parser.cci +@@ -761,7 +761,7 @@ cache_cf.o: cf_parser.cci # cf_gen builds the configuration files. cf_gen$(EXEEXT): $(cf_gen_SOURCES) $(cf_gen_DEPENDENCIES) cf_gen_defines.cci diff --git a/net/squid/patches/020-libxml-drop-xmlSetFeature.patch b/net/squid/patches/020-libxml-drop-xmlSetFeature.patch deleted file mode 100644 index 02be06ab0..000000000 --- a/net/squid/patches/020-libxml-drop-xmlSetFeature.patch +++ /dev/null @@ -1,10 +0,0 @@ ---- a/src/esi/Libxml2Parser.cc -+++ b/src/esi/Libxml2Parser.cc -@@ -91,7 +91,6 @@ ESILibxml2Parser::ESILibxml2Parser(ESIPa - - /* TODO: grab the document encoding from the headers */ - parser = xmlCreatePushParserCtxt(&sax, static_cast(this), NULL, 0, NULL); -- xmlSetFeature(parser, "substitute entities", 0); - - if (entity_doc == NULL) - entity_doc = htmlNewDoc(NULL, NULL); From 6b40dccedf068f69c6886fe8d024846dbceb01da Mon Sep 17 00:00:00 2001 From: Eneas U de Queiroz Date: Thu, 9 Feb 2023 15:15:21 -0300 Subject: [PATCH 06/28] umurmur: fix compilation with OpenSSL 3.0 Remove a call to CRYPTO_mem_ctrl(), which is used only for debugging, Signed-off-by: Eneas U de Queiroz --- net/umurmur/Makefile | 2 +- net/umurmur/patches/010-umurmur-0.2.20-openssl3.patch | 11 +++++++++++ 2 files changed, 12 insertions(+), 1 deletion(-) create mode 100644 net/umurmur/patches/010-umurmur-0.2.20-openssl3.patch diff --git a/net/umurmur/Makefile b/net/umurmur/Makefile index 5f5c3fae8..30ed23654 100644 --- a/net/umurmur/Makefile +++ b/net/umurmur/Makefile @@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=umurmur PKG_VERSION:=0.2.20 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/umurmur/umurmur/tar.gz/$(PKG_VERSION)? diff --git a/net/umurmur/patches/010-umurmur-0.2.20-openssl3.patch b/net/umurmur/patches/010-umurmur-0.2.20-openssl3.patch new file mode 100644 index 000000000..c82541aba --- /dev/null +++ b/net/umurmur/patches/010-umurmur-0.2.20-openssl3.patch @@ -0,0 +1,11 @@ +--- a/src/ssli_openssl.c ++++ b/src/ssli_openssl.c +@@ -142,8 +142,6 @@ static EVP_PKEY *SSL_generate_cert_and_k + + Log_info("Generating new server certificate."); + +- CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); +- + x509 = X509_new(); + if (!x509) + goto err_out; From 51fda9dde7b3a802c7e8d042b35a452e28fea4ca Mon Sep 17 00:00:00 2001 From: Eneas U de Queiroz Date: Thu, 9 Feb 2023 12:03:32 -0300 Subject: [PATCH 07/28] boinc: Add compatibility with OpenSSL 3.0 This adds a patch from upstream allowing to build with OpenSSL 3.0. Signed-off-by: Eneas U de Queiroz --- net/boinc/Makefile | 2 +- .../patches/003-update-to-openssl-3.0.0.patch | 34 +++++++++++++++++++ 2 files changed, 35 insertions(+), 1 deletion(-) create mode 100644 net/boinc/patches/003-update-to-openssl-3.0.0.patch diff --git a/net/boinc/Makefile b/net/boinc/Makefile index 694acd70d..cb9115512 100644 --- a/net/boinc/Makefile +++ b/net/boinc/Makefile @@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=boinc PKG_VERSION:=7.16.16 PKG_VERSION_SHORT:=$(shell echo $(PKG_VERSION)| cut -f1,2 -d.) -PKG_RELEASE:=2 +PKG_RELEASE:=3 PKG_SOURCE_DATE:=2020-02-25 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz diff --git a/net/boinc/patches/003-update-to-openssl-3.0.0.patch b/net/boinc/patches/003-update-to-openssl-3.0.0.patch new file mode 100644 index 000000000..75fab9058 --- /dev/null +++ b/net/boinc/patches/003-update-to-openssl-3.0.0.patch @@ -0,0 +1,34 @@ +From 689dc20ede9768377d4032ff8c70b58269c8dc9c Mon Sep 17 00:00:00 2001 +From: Charlie Fenton +Date: Mon, 18 Oct 2021 01:43:08 -0700 +Subject: [PATCH] Mac: update dependent libraries to latest: c-ares-1.17.2, + curl-7.79.1, freetype-2.11.0, openssl-3.0.0 Previously updated to + wxWidgets-3.1.5. FTGL version ftgl-2.1.3~rc5 is still the current version. + +--- +cotequeiroz: Trimming original commit to lib/crypt.cpp only + + lib/crypt.cpp | 7 +- + +--- a/lib/crypt.cpp ++++ b/lib/crypt.cpp +@@ -1,6 +1,6 @@ + // This file is part of BOINC. + // http://boinc.berkeley.edu +-// Copyright (C) 2008 University of California ++// Copyright (C) 2021 University of California + // + // BOINC is free software; you can redistribute it and/or modify it + // under the terms of the GNU Lesser General Public License +@@ -670,7 +670,10 @@ int check_validity_of_cert( + } + #ifdef HAVE_OPAQUE_RSA_DSA_DH + RSA *rsa; +- rsa = EVP_PKEY_get0_RSA(pubKey); ++ // CAUTION: In OpenSSL 3.0.0, EVP_PKEY_get0_RSA() now returns a ++ // pointer of type "const struct rsa_st*" to an immutable value. ++ // Do not try to modify the contents of the returned struct. ++ rsa = (rsa_st*)EVP_PKEY_get0_RSA(pubKey); + if (!RSA_blinding_on(rsa, c)) { + #else + if (!RSA_blinding_on(pubKey->pkey.rsa, c)) { From d0d2f1862bbb4e0780bd73cbe1ae3ba8844521ca Mon Sep 17 00:00:00 2001 From: Eneas U de Queiroz Date: Thu, 9 Feb 2023 11:25:47 -0300 Subject: [PATCH 08/28] libuhttpd: allow building with OpenSSL 3.0 Add -Wno-error=deprecated-declarations to CFLAGS to allow usage of deprecated API. Signed-off-by: Eneas U de Queiroz --- libs/libuhttpd/Makefile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/libs/libuhttpd/Makefile b/libs/libuhttpd/Makefile index 362a0c56e..fabe63b89 100644 --- a/libs/libuhttpd/Makefile +++ b/libs/libuhttpd/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=libuhttpd PKG_VERSION:=3.14.1 -PKG_RELEASE:=$(AUTORELEASE) +PKG_RELEASE:=2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL=https://github.com/zhaojh329/libuhttpd/releases/download/v$(PKG_VERSION) @@ -41,6 +41,7 @@ Package/libuhttpd-mbedtls=$(call Package/libuhttpd/Default,mbedtls,+PACKAGE_libu Package/libuhttpd-nossl=$(call Package/libuhttpd/Default,nossl) CMAKE_OPTIONS += -DBUILD_EXAMPLE=OFF +TARGET_CFLAGS += -Wno-error=deprecated-declarations ifeq ($(BUILD_VARIANT),openssl) CMAKE_OPTIONS += -DUSE_OPENSSL=ON From ac547f5af8cfcd0cc75c3bf375859099d9a24de8 Mon Sep 17 00:00:00 2001 From: Eneas U de Queiroz Date: Thu, 9 Feb 2023 11:33:24 -0300 Subject: [PATCH 09/28] apfree-wifidog: add support for OpenSSL 3.0 This adds an upstream commit to allow building with OpenSSL 3.0. Signed-off-by: Eneas U de Queiroz --- net/apfree-wifidog/Makefile | 2 +- .../patches/010-support-openssl-3.0.patch | 53 +++++++++++++++++++ 2 files changed, 54 insertions(+), 1 deletion(-) create mode 100644 net/apfree-wifidog/patches/010-support-openssl-3.0.patch diff --git a/net/apfree-wifidog/Makefile b/net/apfree-wifidog/Makefile index 876f6107f..d15d8493d 100644 --- a/net/apfree-wifidog/Makefile +++ b/net/apfree-wifidog/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=apfree-wifidog PKG_VERSION:=4.08.1771 -PKG_RELEASE:=6 +PKG_RELEASE:=7 PKG_SOURCE_PROTO:=git PKG_SOURCE_URL:=https://github.com/liudf0716/apfree_wifidog.git diff --git a/net/apfree-wifidog/patches/010-support-openssl-3.0.patch b/net/apfree-wifidog/patches/010-support-openssl-3.0.patch new file mode 100644 index 000000000..4c8147e0a --- /dev/null +++ b/net/apfree-wifidog/patches/010-support-openssl-3.0.patch @@ -0,0 +1,53 @@ +From 53a042836063e965f8df9fc85bb32e8e46da8a05 Mon Sep 17 00:00:00 2001 +From: staylightblow8 +Date: Thu, 20 Oct 2022 10:47:59 +0800 +Subject: [PATCH] support openssl > 3.0 + +--- + cmake/Modules/FindOpenSSL.cmake | 27 +++++++++++++++++++++++---- + 1 file changed, 23 insertions(+), 4 deletions(-) + +--- a/cmake/Modules/FindOpenSSL.cmake ++++ b/cmake/Modules/FindOpenSSL.cmake +@@ -282,11 +282,11 @@ function(from_hex HEX DEC) + set(${DEC} ${_res} PARENT_SCOPE) + endfunction() + +-if (OPENSSL_INCLUDE_DIR) +- if(OPENSSL_INCLUDE_DIR AND EXISTS "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h") +- file(STRINGS "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h" openssl_version_str +- REGEX "^# *define[\t ]+OPENSSL_VERSION_NUMBER[\t ]+0x([0-9a-fA-F])+.*") ++if(OPENSSL_INCLUDE_DIR AND EXISTS "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h") ++ file(STRINGS "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h" openssl_version_str ++ REGEX "^#[\t ]*define[\t ]+OPENSSL_VERSION_NUMBER[\t ]+0x([0-9a-fA-F])+.*") + ++ if(openssl_version_str) + # The version number is encoded as 0xMNNFFPPS: major minor fix patch status + # The status gives if this is a developer or prerelease and is ignored here. + # Major, minor, and fix directly translate into the version numbers shown in +@@ -315,6 +315,25 @@ if (OPENSSL_INCLUDE_DIR) + endif () + + set(OPENSSL_VERSION "${OPENSSL_VERSION_MAJOR}.${OPENSSL_VERSION_MINOR}.${OPENSSL_VERSION_FIX}${OPENSSL_VERSION_PATCH_STRING}") ++ else () ++ # Since OpenSSL 3.0.0, the new version format is MAJOR.MINOR.PATCH and ++ # a new OPENSSL_VERSION_STR macro contains exactly that ++ file(STRINGS "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h" OPENSSL_VERSION_STR ++ REGEX "^#[\t ]*define[\t ]+OPENSSL_VERSION_STR[\t ]+\"([0-9])+\\.([0-9])+\\.([0-9])+\".*") ++ string(REGEX REPLACE "^.*OPENSSL_VERSION_STR[\t ]+\"([0-9]+\\.[0-9]+\\.[0-9]+)\".*$" ++ "\\1" OPENSSL_VERSION_STR "${OPENSSL_VERSION_STR}") ++ ++ set(OPENSSL_VERSION "${OPENSSL_VERSION_STR}") ++ ++ # Setting OPENSSL_VERSION_MAJOR OPENSSL_VERSION_MINOR and OPENSSL_VERSION_FIX ++ string(REGEX MATCHALL "([0-9])+" OPENSSL_VERSION_NUMBER "${OPENSSL_VERSION}") ++ list(POP_FRONT OPENSSL_VERSION_NUMBER ++ OPENSSL_VERSION_MAJOR ++ OPENSSL_VERSION_MINOR ++ OPENSSL_VERSION_FIX) ++ ++ unset(OPENSSL_VERSION_NUMBER) ++ unset(OPENSSL_VERSION_STR) + endif () + endif () + From 6c45b403177bcb72f4a53fb63e8998a99437b150 Mon Sep 17 00:00:00 2001 From: Stan Grishin Date: Thu, 16 Feb 2023 22:59:10 +0000 Subject: [PATCH 10/28] simple-adblock: update to 1.9.4-1 * update default config for new oisd.nl lists * conf.update file to migrate oisd.nl lists to the new format * introduce AdBlockPlus lists support (new oisd.nl format) * longer wait for WAN up/gateway detection * make load_environemnt only execute once to suppress duplicate warnings/errors PS. While I was testing this, oisd.nl has brought back the old domains lists as well, so this version supports both as I'm unclear as to why the "big" ABPlus list is only 6.2Mb where as the "big" domains list is whopping 19.9Mb. Signed-off-by: Stan Grishin --- net/simple-adblock/Makefile | 4 +- .../files/simple-adblock.conf.update | 8 + net/simple-adblock/files/simple-adblock.init | 192 +++++++++++++----- 3 files changed, 153 insertions(+), 51 deletions(-) diff --git a/net/simple-adblock/Makefile b/net/simple-adblock/Makefile index 497c6c3bd..012b84fe2 100644 --- a/net/simple-adblock/Makefile +++ b/net/simple-adblock/Makefile @@ -5,8 +5,8 @@ include $(TOPDIR)/rules.mk PKG_NAME:=simple-adblock -PKG_VERSION:=1.9.3 -PKG_RELEASE:=7 +PKG_VERSION:=1.9.4 +PKG_RELEASE:=1 PKG_MAINTAINER:=Stan Grishin PKG_LICENSE:=GPL-3.0-or-later diff --git a/net/simple-adblock/files/simple-adblock.conf.update b/net/simple-adblock/files/simple-adblock.conf.update index 2d42d1712..3a3d7beac 100644 --- a/net/simple-adblock/files/simple-adblock.conf.update +++ b/net/simple-adblock/files/simple-adblock.conf.update @@ -8,8 +8,16 @@ s|raw.githubusercontent.com/StevenBlack/hosts/|cdn.jsdelivr.net/gh/StevenBlack/h s|raw.githubusercontent.com/hoshsadiq/adblock-nocoin-list/|cdn.jsdelivr.net/gh/hoshsadiq/adblock-nocoin-list@|g s|raw.githubusercontent.com/jawz101/MobileAdTrackers/|cdn.jsdelivr.net/gh/jawz101/MobileAdTrackers@|g s|http://winhelp2002.mvps.org/hosts.txt|https://winhelp2002.mvps.org/hosts.txt|g +s|list blocked_domains_url 'https://dbl.oisd.nl/basic'|list blocked_adblockplus_url 'https://small.oisd.nl/'|g +s|list blocked_domains_url 'https://dbl.oisd.nl/nsfw'|list blocked_adblockplus_url 'https://nsfw.oisd.nl/'|g +s|list blocked_domains_url 'https://dbl.oisd.nl/'|list blocked_adblockplus_url 'https://big.oisd.nl/'|g +s|list blocked_hosts_url 'https://hosts.oisd.nl/basic'|list blocked_adblockplus_url 'https://small.oisd.nl/'|g +s|list blocked_hosts_url 'https://hosts.oisd.nl/nsfw'|list blocked_adblockplus_url 'https://nsfw.oisd.nl/'|g +s|list blocked_hosts_url 'https://hosts.oisd.nl/'|list blocked_adblockplus_url 'https://big.oisd.nl/'|g \|dshield.org|d \|www.malwaredomainlist.com/hostslist/hosts.txt|d \|https://mirror1.malwaredomains.com/files/justdomains|d \|lists.disconnect.me|d \|https://cdn.jsdelivr.net/gh/paulgb/BarbBlock/blacklists/domain-list.txt|d +\|dnsmasq.oisd.nl|d +\|dnsmasq2.oisd.nl|d diff --git a/net/simple-adblock/files/simple-adblock.init b/net/simple-adblock/files/simple-adblock.init index 89ef3fd7b..0876e218c 100644 --- a/net/simple-adblock/files/simple-adblock.init +++ b/net/simple-adblock/files/simple-adblock.init @@ -62,7 +62,8 @@ readonly sharedMemoryError="/dev/shm/$packageName-error" readonly sharedMemoryOutput="/dev/shm/$packageName-output" readonly hostsFilter='/localhost/d;/^#/d;/^[^0-9]/d;s/^0\.0\.0\.0.//;s/^127\.0\.0\.1.//;s/[[:space:]]*#.*$//;s/[[:cntrl:]]$//;s/[[:space:]]//g;/[`~!@#\$%\^&\*()=+;:"'\'',<>?/\|[{}]/d;/]/d;/\./!d;/^$/d;/[^[:alnum:]_.-]/d;' readonly domainsFilter='/^#/d;s/[[:space:]]*#.*$//;s/[[:space:]]*$//;s/[[:cntrl:]]$//;/[[:space:]]/d;/[`~!@#\$%\^&\*()=+;:"'\'',<>?/\|[{}]/d;/]/d;/\./!d;/^$/d;/[^[:alnum:]_.-]/d;' -readonly dnsmasqOISDFilter='\|^server=/[[:alnum:]_.-].*/|!d' +readonly adBlockPlusFilter='/^#/d;/^!/d;s/[[:space:]]*#.*$//;s/^||//;s/\^$//;s/[[:space:]]*$//;s/[[:cntrl:]]$//;/[[:space:]]/d;/[`~!@#\$%\^&\*()=+;:"'\'',<>?/\|[{}]/d;/]/d;/\./!d;/^$/d;/[^[:alnum:]_.-]/d;' +readonly dnsmasqFileFilter='\|^server=/[[:alnum:]_.-].*/|!d' readonly _OK_='\033[0;32m\xe2\x9c\x93\033[0m' readonly _FAIL_='\033[0;31m\xe2\x9c\x97\033[0m' readonly __OK__='\033[0;32m[\xe2\x9c\x93]\033[0m' @@ -76,6 +77,20 @@ readonly nft="$(command -v nft)" readonly canaryDomainsMozilla='use-application-dns.net' readonly canaryDomainsiCloud='mask.icloud.com mask-h2.icloud.com' +dl_command= +dl_flag= +isSSLSupported= +outputFilter= +outputFilterIPv6= +outputFile= +outputGzip= +outputCache= +awk='awk' +load_environment_flag= + +. /lib/functions/network.sh +. /usr/share/libubox/jshn.sh + debug() { local i j; for i in "$@"; do eval "j=\$$i"; echo "${i}: ${j} "; done; } uci_add_list_if_new() { @@ -112,8 +127,7 @@ get_text() { errorNoDnsmasqNftset) r="dnsmasq nft set support is enabled in $packageName, but dnsmasq is either not installed or installed dnsmasq does not support nft set";; errorNoNft) r="dnsmasq nft sets support is enabled in $packageName, but nft is not installed";; - errorMkdirFail) r="Unable to create directory for";; - errorNoWanGateway) r="The ${serviceName} service failed to discover WAN gateway!";; + errorNoWanGateway) r="The ${serviceName} failed to discover WAN gateway";; errorOutputDirCreate) r="failed to create directory for %s file";; errorOutputFileCreate) r="failed to create $outputFile file";; errorFailDNSReload) r="failed to restart/reload DNS resolver";; @@ -193,9 +207,53 @@ output() { fi } +load_network() { + local param="$1" + local i j wan_if wan_gw wan_proto + local counter wan_if_timeout='20' wan_gw_timeout='5' + counter=0 + while [ -z "$wan_if" ]; do + network_flush_cache + network_find_wan wan_if + if [ -n "$wan_if" ]; then + output "WAN Interface found: '${wan_if}'.\\n" + break + fi + if [ "$counter" -gt "$wan_if_timeout" ]; then + output "WAN Interface timeout, assuming 'wan'.\\n" + wan_if='wan' + break + fi + counter=$((counter+1)) + output "Waiting to discover WAN Interface...\\n" + sleep 1 + done + + counter=0 + wan_proto="$(uci -q get "network.${wan_if}.proto")" + if [ "$wan_proto" = 'pppoe' ]; then + wan_gw_timeout=$((wan_gw_timeout+10)) + fi + while [ "$counter" -le "$wan_gw_timeout" ]; do + network_flush_cache + network_get_gateway wan_gw "$wan_if" + if [ -n "$wan_gw" ]; then + output "WAN Gateway found: '${wan_gw}.'\\n" + return 0 + fi + counter=$((counter+1)) + output "Waiting to discover $wan_if Gateway...\\n" + sleep 1 + done + json add error "errorNoWanGateway" + output "${_ERROR_}: $(get_text 'errorNoWanGateway')!\\n"; return 1; +} + load_environment() { - local i j wan_if wan_gw - local validation_result="$1" quiet="$2" + local i j + local validation_result="$1" param="$2" + + [ -z "$load_environment_flag" ] || return 0 if [ "$validation_result" != '0' ]; then json add error "errorConfigValidationFail" @@ -222,7 +280,7 @@ load_environment() { case "$dns" in dnsmasq.conf) :;; *) - if [ -z "$quiet" ]; then + if [ "$param" != 'quiet' ]; then json add warning "warningExternalDnsmasqConfig" output "${_WARNING_}: $(get_text 'warningExternalDnsmasqConfig')!\\n" fi @@ -243,14 +301,14 @@ load_environment() { case "$dns" in dnsmasq.ipset) if dnsmasq -v 2>/dev/null | grep -q 'no-ipset' || ! dnsmasq -v 2>/dev/null | grep -q -w 'ipset'; then - if [ -z "$quiet" ]; then + if [ "$param" != 'quiet' ]; then json add error "errorNoDnsmasqIpset" output "${_ERROR_}: $(get_text 'errorNoDnsmasqIpset')!\\n" fi dns='dnsmasq.servers' fi if ! ipset help hash:net; then - if [ -z "$quiet" ]; then + if [ "$param" != 'quiet' ]; then json add error "errorNoIpset" output "${_ERROR_}: $(get_text 'errorNoIpset')!\\n" fi @@ -259,14 +317,14 @@ load_environment() { ;; dnsmasq.nftset) if dnsmasq -v 2>/dev/null | grep -q 'no-nftset' || ! dnsmasq -v 2>/dev/null | grep -q -w 'nftset'; then - if [ -z "$quiet" ]; then + if [ "$param" != 'quiet' ]; then json add error "errorNoDnsmasqNftset" output "${_ERROR_}: $(get_text 'errorNoDnsmasqNftset')!\\n" fi dns='dnsmasq.servers' fi if [ -z "$nft" ]; then - if [ -z "$quiet" ]; then + if [ "$param" != 'quiet' ]; then json add error "errorNoNft" output "${_ERROR_}: $(get_text 'errorNoNft')!\\n" fi @@ -353,14 +411,13 @@ load_environment() { for i in "$outputFile" "$outputCache" "$outputGzip"; do if ! mkdir -p "$(dirname "$i")"; then - json add error "errorOutputDirCreate" "$i" - output "${_ERROR_}: $(get_text 'errorMkdirFail' "$i")!\\n" + if [ "$param" != 'quiet' ]; then + json add error "errorOutputDirCreate" "$i" + output "${_ERROR_}: $(get_text 'errorOutputDirCreate' "$i")!\\n" + fi fi done - . /lib/functions/network.sh - . /usr/share/libubox/jshn.sh - is_present 'gawk' && awk='gawk' if ! is_present '/usr/libexec/grep-gnu' || ! is_present '/usr/libexec/sed-gnu' || \ ! is_present '/usr/libexec/sort-coreutils' || ! is_present 'gawk'; then @@ -369,8 +426,8 @@ load_environment() { is_present '/usr/libexec/grep-gnu' || s="$s grep" is_present '/usr/libexec/sed-gnu' || s="$s sed" is_present '/usr/libexec/sort-coreutils' || s="$s coreutils-sort" - if [ -z "$quiet" ]; then - json add warning "errorOutputFileCreate" "${i}" + if [ "$param" != 'quiet' ]; then + json add warning "warningMissingRecommendedPackages" "${i}" output "${_WARNING_}: $(get_text 'warningMissingRecommendedPackages'), install them by running:\\n" output "$s;\\n" fi @@ -405,12 +462,15 @@ load_environment() { else unset isSSLSupported fi + load_environment_flag=1 cache 'test' && return 0 cache 'test_gzip' && return 0 - network_flush_cache; network_find_wan wan_if; network_get_gateway wan_gw "$wan_if"; - [ -n "$wan_gw" ] && return 0 - json add error "errorNoWanGateway" - output "${_ERROR_}: $(get_text 'errorNoWanGateway')!\\n"; return 1; + if [ "$param" = 'on_boot' ]; then + load_network "$param" + return "$?" + else + return 0 + fi } resolver() { @@ -555,7 +615,7 @@ json() { case "$param" in triggers) curReload="$parallel_downloads $debug $download_timeout $allowed_domain $blocked_domain $allowed_domains_url \ - $blocked_domains_url $blocked_hosts_url $dns $config_update_enabled $config_update_url \ + $blocked_adblockplus_url $blocked_domains_url $blocked_hosts_url $dns $config_update_enabled $config_update_url \ $dnsmasq_config_file_url $curl_max_file_size $curl_retry" curRestart="$compressed_cache $force_dns $led $force_dns_port" if [ ! -s "$jsonFile" ]; then @@ -589,7 +649,7 @@ json() { case "$param" in triggers) reload="$parallel_downloads $debug $download_timeout $allowed_domain $blocked_domain $allowed_domains_url \ - $blocked_domains_url $blocked_hosts_url $dns $config_update_enabled $config_update_url \ + $blocked_adblockplus_url $blocked_domains_url $blocked_hosts_url $dns $config_update_enabled $config_update_url \ $dnsmasq_config_file_url $curl_max_file_size $curl_retry" restart="$compressed_cache $force_dns $led $force_dns_port" ;; @@ -658,14 +718,22 @@ process_url() { if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]; then return 1; fi label="${1##*//}"; label="${label%%/*}"; case "$2" in - dnsmasq) label="Dnsmasq: $label"; filter="$dnsmasqOISDFilter";; - domains) label="Domains: $label"; filter="$domainsFilter";; - hosts) label="Hosts: $label"; filter="$hostsFilter";; + adbp) label="ADBPlus: $label"; filter="$adBlockPlusFilter" + ;; + dnsmasq) label="Dnsmasq: $label"; filter="$dnsmasqFileFilter" + ;; + domains) label="Domains: $label"; filter="$domainsFilter" + ;; + hosts) label="Hosts: $label"; filter="$hostsFilter" + ;; esac case "$3" in - allowed) type='Allowed'; D_TMP="$A_TMP";; - blocked) type='Blocked'; D_TMP="$B_TMP";; - file) type='File'; D_TMP="$B_TMP";; + allowed) type='Allowed'; D_TMP="$A_TMP" + ;; + blocked) type='Blocked'; D_TMP="$B_TMP" + ;; + file) type='File'; D_TMP="$B_TMP" + ;; esac if [ "${1:0:5}" = "https" ] && [ -z "$isSSLSupported" ]; then output 1 "$_FAIL_" @@ -676,7 +744,7 @@ process_url() { while [ -z "$R_TMP" ] || [ -e "$R_TMP" ]; do R_TMP="$(mktemp -u -q -t ${packageName}_tmp.XXXXXXXX)" done - if ! $dl_command "$1" $dl_flag "$R_TMP" 2>/dev/null || [ ! -s "$R_TMP" ]; then + if ! $dl_command "$1" "$dl_flag" "$R_TMP" 2>/dev/null || [ ! -s "$R_TMP" ]; then output 1 "$_FAIL_" output 2 "[DL] $type $label $__FAIL__\\n" echo "errorDownloadingList|${1}" >> "$sharedMemoryError" @@ -757,6 +825,13 @@ download_lists() { process_url "$hf" 'hosts' 'blocked' fi done + for hf in ${blocked_adblockplus_url}; do + if [ "$parallel_downloads" -gt 0 ]; then + process_url "$hf" 'adbp' 'blocked' & + else + process_url "$hf" 'adbp' 'blocked' + fi + done for hf in ${blocked_domains_url}; do if [ "$parallel_downloads" -gt 0 ]; then process_url "$hf" 'domains' 'blocked' & @@ -1080,8 +1155,12 @@ adb_check() { adb_config_update() { local R_TMP label - local param="$1" validation_result="$3" - load_environment "$validation_result" 'quiet' || return 1 + local param validation_result="$3" + case "$1" in + on_boot) param="$1";; + *) param='quiet';; + esac + load_environment "$validation_result" "$param" || return 1 label="${config_update_url##*//}" label="${label%%/*}"; [ "$config_update_enabled" -ne 0 ] || return 0 @@ -1094,7 +1173,7 @@ adb_config_update() { while [ -z "$R_TMP" ] || [ -e "$R_TMP" ]; do R_TMP="$(mktemp -u -q -t ${packageName}_tmp.XXXXXXXX)" done - if ! $dl_command "$config_update_url" $dl_flag "$R_TMP" 2>/dev/null || [ ! -s "$R_TMP" ]; then + if ! $dl_command "$config_update_url" "$dl_flag" "$R_TMP" 2>/dev/null || [ ! -s "$R_TMP" ]; then output 1 "$_FAIL_\\n" output 2 "[DL] Config Update: $label $__FAIL__\\n" json add error "errorDownloadingConfigUpdate" @@ -1118,9 +1197,27 @@ adb_sizes() { load_environment "$validation_result" 'quiet' || return 1 echo "# $(date)" - for i in $blocked_domains_url; do + for i in ${blocked_adblockplus_url}; do [ "${i//melmac}" != "$i" ] && continue - if $dl_command "$i" $dl_flag /tmp/sast 2>/dev/null && [ -s /tmp/sast ]; then + if $dl_command "$i" "$dl_flag" /tmp/sast 2>/dev/null && [ -s /tmp/sast ]; then + echo "# File size: $(du -sh /tmp/sast | $awk '{print $1}')" + if is_greater "$(du -sk /tmp/sast)" "500"; then + echo "# block-list too big for most routers" + elif is_greater "$(du -sk /tmp/sast)" "100"; then + echo "# block-list may be too big for some routers" + fi + rm -rf /tmp/sast + echo " list blocked_adblockplus_url '$i'" + echo "" + else + echo "# site was down on last check" + echo "# list blocked_adblockplus_url '$i'" + echo "" + fi + done + for i in ${blocked_domains_url}; do + [ "${i//melmac}" != "$i" ] && continue + if $dl_command "$i" "$dl_flag" /tmp/sast 2>/dev/null && [ -s /tmp/sast ]; then echo "# File size: $(du -sh /tmp/sast | $awk '{print $1}')" if is_greater "$(du -sk /tmp/sast)" "500"; then echo "# block-list too big for most routers" @@ -1136,8 +1233,8 @@ adb_sizes() { echo "" fi done - for i in $blocked_hosts_url; do - if $dl_command "$i" $dl_flag /tmp/sast 2>/dev/null && [ -s /tmp/sast ]; then + for i in ${blocked_hosts_url}; do + if $dl_command "$i" "$dl_flag" /tmp/sast 2>/dev/null && [ -s /tmp/sast ]; then echo "# File size: $(du -sh /tmp/sast | $awk '{print $1}')" if is_greater "$(du -sk /tmp/sast)" "500"; then echo "# block-list too big for most routers" @@ -1157,9 +1254,9 @@ adb_sizes() { adb_start() { local action status error message stats c - local validation_result="$3" + local param="$1" validation_result="$3" - load_environment "$validation_result" || return 1 + load_environment "$validation_result" "$param" || return 1 status="$(json get status)" error="$(json get error)" @@ -1272,7 +1369,11 @@ adb_start() { procd_open_data json_add_string 'status' "$(json get status)" json_add_string 'errors' "$(json get errors)" - json_add_int 'entries' "$(wc -l < "$outputFile")" + if [ -s "$outputFile" ]; then + json_add_int 'entries' "$(wc -l < "$outputFile")" + else + json_add_int 'entries' '0' + fi json_add_array firewall if [ "$force_dns" -ne 0 ]; then for c in $force_dns_port; do @@ -1460,15 +1561,6 @@ stop_service() { load_validate_config 'config' adb_stop "'$*'"; } version() { echo "$PKG_VERSION"; } load_validate_config() { - local dl_command - local dl_flag - local isSSLSupported - local outputFilter - local outputFilterIPv6 - local outputFile - local outputGzip - local outputCache - local awk='awk' local enabled local force_dns local force_dns_port @@ -1491,6 +1583,7 @@ load_validate_config() { local dns_instance local allowed_domain local allowed_domains_url + local blocked_adblockplus_url local blocked_domain local blocked_domains_url local blocked_hosts_url @@ -1519,6 +1612,7 @@ load_validate_config() { 'allowed_domain:list(string)' \ 'allowed_domains_url:list(string)' \ 'blocked_domain:list(string)' \ + 'blocked_adblockplus_url:list(string)' \ 'blocked_domains_url:list(string)' \ 'blocked_hosts_url:list(string)' \ 'dnsmasq_config_file_url:string' From 6cd5a2c57f8120d4b65518ee0dee559d4fe2c75c Mon Sep 17 00:00:00 2001 From: Hirokazu MORIKAWA Date: Fri, 17 Feb 2023 11:51:35 +0900 Subject: [PATCH 11/28] node: bump to v16.19.1 Thursday February 16 2023 Security Releases Notable Changes The following CVEs are fixed in this release: * CVE-2023-23918: Node.js Permissions policies can be bypassed via process.mainModule (High) * CVE-2023-23919: Node.js OpenSSL error handling issues in nodejs crypto library (Medium) * CVE-2023-23936: Fetch API in Node.js did not protect against CRLF injection in host headers (Medium) * CVE-2023-24807: Regular Expression Denial of Service in Headers in Node.js fetch API (Low) * CVE-2023-23920: Node.js insecure loading of ICU data through ICU_DATA environment variable (Low) More detailed information on each of the vulnerabilities can be found in February 2023 Security Releases blog post. Signed-off-by: Hirokazu MORIKAWA --- lang/node/Makefile | 4 ++-- lang/node/patches/003-path.patch | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/lang/node/Makefile b/lang/node/Makefile index 52c513ddc..f292d1565 100644 --- a/lang/node/Makefile +++ b/lang/node/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=node -PKG_VERSION:=v16.19.0 +PKG_VERSION:=v16.19.1 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=https://nodejs.org/dist/$(PKG_VERSION) -PKG_HASH:=4f1fec1aea2392f6eb6d1d040b01e7ee3e51e762a9791dfea590920bc1156706 +PKG_HASH:=17fb716406198125b30c94dd3d1756207b297705626afe16d8dc479a65a1d8b5 PKG_MAINTAINER:=Hirokazu MORIKAWA , Adrian Panella PKG_LICENSE:=MIT diff --git a/lang/node/patches/003-path.patch b/lang/node/patches/003-path.patch index 42e07f2cd..d3183cb66 100644 --- a/lang/node/patches/003-path.patch +++ b/lang/node/patches/003-path.patch @@ -1,6 +1,6 @@ --- a/lib/internal/modules/cjs/loader.js +++ b/lib/internal/modules/cjs/loader.js -@@ -1300,7 +1300,8 @@ Module._initPaths = function() { +@@ -1326,7 +1326,8 @@ Module._initPaths = function() { path.resolve(process.execPath, '..') : path.resolve(process.execPath, '..', '..'); From 2ecde63118f903345562ea5404d71c039d757fb4 Mon Sep 17 00:00:00 2001 From: Alexandru Ardelean Date: Fri, 17 Feb 2023 19:32:46 +0200 Subject: [PATCH 12/28] django: bump to version 4.1.7 Fixes: https://nvd.nist.gov/vuln/detail/CVE-2023-23969 Signed-off-by: Alexandru Ardelean --- lang/python/django/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lang/python/django/Makefile b/lang/python/django/Makefile index 1249f3e55..616c7f3de 100644 --- a/lang/python/django/Makefile +++ b/lang/python/django/Makefile @@ -8,11 +8,11 @@ include $(TOPDIR)/rules.mk PKG_NAME:=django -PKG_VERSION:=4.1.5 +PKG_VERSION:=4.1.7 PKG_RELEASE:=1 PYPI_NAME:=Django -PKG_HASH:=ff56ebd7ead0fd5dbe06fe157b0024a7aaea2e0593bb3785fb594cf94dad58ef +PKG_HASH:=44f714b81c5f190d9d2ddad01a532fe502fa01c4cb8faf1d081f4264ed15dcd8 PKG_MAINTAINER:=Alexandru Ardelean , Peter Stadler PKG_LICENSE:=BSD-3-Clause From 0b222b7e10ebc8a775d603808e72a7d70ac90972 Mon Sep 17 00:00:00 2001 From: Dirk Brenken Date: Sat, 18 Feb 2023 20:17:34 +0100 Subject: [PATCH 13/28] adblock: update 4.1.5-6 * adapted changed oisd downloads (again), fixed #20516 Signed-off-by: Dirk Brenken --- net/adblock/Makefile | 2 +- net/adblock/files/README.md | 2 +- net/adblock/files/adblock.sources | 10 +++++----- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/net/adblock/Makefile b/net/adblock/Makefile index bd549920a..22a59a926 100644 --- a/net/adblock/Makefile +++ b/net/adblock/Makefile @@ -7,7 +7,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=adblock PKG_VERSION:=4.1.5 -PKG_RELEASE:=5 +PKG_RELEASE:=6 PKG_LICENSE:=GPL-3.0-or-later PKG_MAINTAINER:=Dirk Brenken diff --git a/net/adblock/files/README.md b/net/adblock/files/README.md index 5bb1ecea2..95cbfeedc 100644 --- a/net/adblock/files/README.md +++ b/net/adblock/files/README.md @@ -30,7 +30,7 @@ A lot of people already use adblocker plugins within their desktop browsers, but | lightswitch05 | | XL | compilation | [Link](https://github.com/lightswitch05/hosts) | | notracking | | XL | tracking | [Link](https://github.com/notracking/hosts-blocklists) | | oisd_big | | XXL | general | [Link](https://oisd.nl) | -| oisd_nsfw | | XL | general | [Link](https://oisd.nl) | +| oisd_nsfw | | XXL | porn | [Link](https://oisd.nl) | | oisd_small | | L | general | [Link](https://oisd.nl) | | openphish | | S | phishing | [Link](https://openphish.com) | | phishing_army | | S | phishing | [Link](https://phishing.army) | diff --git a/net/adblock/files/adblock.sources b/net/adblock/files/adblock.sources index e46a007ac..d6f56f6d4 100644 --- a/net/adblock/files/adblock.sources +++ b/net/adblock/files/adblock.sources @@ -133,21 +133,21 @@ "descurl": "https://github.com/notracking/hosts-blocklists" }, "oisd_big": { - "url": "https://raw.githubusercontent.com/sjhgvr/oisd/main/dblw_big.txt", + "url": "https://big.oisd.nl/domainswild", "rule": "BEGIN{FS=\"\\\\*.\"}/^\\*\\.([[:alnum:]_-]{1,63}\\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower($2)}", "size": "XXL", "focus": "general", "descurl": "https://oisd.nl" }, "oisd_nsfw": { - "url": "https://raw.githubusercontent.com/sjhgvr/oisd/main/dblw_nsfw.txt", + "url": "https://nsfw.oisd.nl/domainswild", "rule": "BEGIN{FS=\"\\\\*.\"}/^\\*\\.([[:alnum:]_-]{1,63}\\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower($2)}", - "size": "XL", - "focus": "general", + "size": "XXL", + "focus": "porn", "descurl": "https://oisd.nl" }, "oisd_small": { - "url": "https://raw.githubusercontent.com/sjhgvr/oisd/main/dblw_small.txt", + "url": "https://small.oisd.nl/domainswild", "rule": "BEGIN{FS=\"\\\\*.\"}/^\\*\\.([[:alnum:]_-]{1,63}\\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower($2)}", "size": "L", "focus": "general", From 82a491bac85b8d106dc6057c1bd58c8e5dc3ed53 Mon Sep 17 00:00:00 2001 From: Dirk Brenken Date: Mon, 13 Feb 2023 17:56:57 +0100 Subject: [PATCH 14/28] banip: release 0.8.0 (nft rewrite) - complete rewrite of banIP to support nftables - all sets are handled in a separate nft table/namespace 'banIP' - for incoming blocking it uses the inet input hook, for outgoing blocking it uses the inet forward hook - full IPv4 and IPv6 support - supports nft atomic set loading - supports blocking by ASN numbers and by iso country codes - 42 preconfigured external feeds are available, plus local allow- and blocklist - supports local allow- and blocklist (IPv4, IPv6, CIDR notation or domain names) - auto-add the uplink subnet to the local allowlist - provides a small background log monitor to ban unsuccessful login attempts in real-time - the logterms for the log monitor service can be freely defined via regex - auto-add unsuccessful LuCI, nginx, Asterisk or ssh login attempts to the local blocklist - fast feed processing as they are handled in parallel as background jobs - per feed it can be defined whether the input chain or the forward chain should be blocked (default: both chains) - automatic blocklist backup & restore, the backups will be used in case of download errors or during startup - automatically selects one of the following download utilities with ssl support: aria2c, curl, uclient-fetch or wget - supports a 'allowlist only' mode, this option restricts internet access from/to a small number of secure websites/IPs - provides comprehensive runtime information - provides a detailed set report - provides a set search engine for certain IPs - feed parsing by fast & flexible regex rulesets - minimal status & error logging to syslog, enable debug logging to receive more output - procd based init system support (start/stop/restart/reload/status/report/search) - procd network interface trigger support - ability to add new banIP feeds on your own - add a readme with all available options/feeds to customize your installation to your needs - a new LuCI frontend will be available in due course Signed-off-by: Dirk Brenken --- net/banip/Makefile | 42 +- net/banip/files/README.md | 552 +++--- net/banip/files/banip-functions.sh | 1159 ++++++++++++ net/banip/files/banip-service.sh | 193 ++ .../{banip.blacklist => banip.allowlist} | 0 .../files/{banip.maclist => banip.blocklist} | 0 net/banip/files/banip.conf | 17 +- net/banip/files/banip.dns | 64 - net/banip/files/banip.feeds | 295 +++ net/banip/files/banip.hotplug | 10 - net/banip/files/banip.init | 282 +-- net/banip/files/banip.mail | 62 - net/banip/files/banip.service | 28 - net/banip/files/banip.sh | 1595 ----------------- net/banip/files/banip.sources | 191 -- net/banip/files/banip.tpl | 24 + net/banip/files/banip.whitelist | 0 17 files changed, 1966 insertions(+), 2548 deletions(-) create mode 100644 net/banip/files/banip-functions.sh create mode 100755 net/banip/files/banip-service.sh rename net/banip/files/{banip.blacklist => banip.allowlist} (100%) rename net/banip/files/{banip.maclist => banip.blocklist} (100%) delete mode 100755 net/banip/files/banip.dns create mode 100644 net/banip/files/banip.feeds delete mode 100644 net/banip/files/banip.hotplug delete mode 100755 net/banip/files/banip.mail delete mode 100755 net/banip/files/banip.service delete mode 100755 net/banip/files/banip.sh delete mode 100644 net/banip/files/banip.sources create mode 100644 net/banip/files/banip.tpl delete mode 100644 net/banip/files/banip.whitelist diff --git a/net/banip/Makefile b/net/banip/Makefile index 7da810862..a816ec858 100644 --- a/net/banip/Makefile +++ b/net/banip/Makefile @@ -1,13 +1,14 @@ # -# Copyright (c) 2018-2021 Dirk Brenken (dev@brenken.org) +# banIP - ban incoming and outgoing ip adresses/subnets via sets in nftables +# Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org) # This is free software, licensed under the GNU General Public License v3. # include $(TOPDIR)/rules.mk PKG_NAME:=banip -PKG_VERSION:=0.7.10 -PKG_RELEASE:=6 +PKG_VERSION:=0.8.0 +PKG_RELEASE:=1 PKG_LICENSE:=GPL-3.0-or-later PKG_MAINTAINER:=Dirk Brenken @@ -16,23 +17,22 @@ include $(INCLUDE_DIR)/package.mk define Package/banip SECTION:=net CATEGORY:=Network - TITLE:=Ban incoming and outgoing ip adresses via ipsets - DEPENDS:=+jshn +jsonfilter +ip +ipset +iptables +ca-bundle @BROKEN + TITLE:=banIP blocks IP addresses via named nftables sets + DEPENDS:=+jshn +jsonfilter +firewall4 +ca-bundle +logd +rpcd +rpcd-mod-rpcsys PKGARCH:=all endef define Package/banip/description -Powerful banIP script to block ip addresses via ipsets. -The script supports many ip blacklist sites plus manual black- and whitelist overrides. +banIP blocks IP addresses via named nftables sets. +banIP supports many IP blocklist feeds and provides a log service to block suspicious IPs in realtime. Please see https://github.com/openwrt/packages/blob/master/net/banip/files/README.md for further information. endef define Package/banip/conffiles /etc/config/banip -/etc/banip/banip.maclist -/etc/banip/banip.blacklist -/etc/banip/banip.whitelist +/etc/banip/banip.allowlist +/etc/banip/banip.blocklist endef define Build/Prepare @@ -46,27 +46,23 @@ endef define Package/banip/install $(INSTALL_DIR) $(1)/usr/bin - $(INSTALL_BIN) ./files/banip.sh $(1)/usr/bin + $(INSTALL_BIN) ./files/banip-service.sh $(1)/usr/bin $(INSTALL_DIR) $(1)/etc/init.d $(INSTALL_BIN) ./files/banip.init $(1)/etc/init.d/banip + $(INSTALL_DIR) $(1)/usr/lib + $(INSTALL_CONF) ./files/banip-functions.sh $(1)/usr/lib + $(INSTALL_DIR) $(1)/etc/config $(INSTALL_CONF) ./files/banip.conf $(1)/etc/config/banip $(INSTALL_DIR) $(1)/etc/banip - $(INSTALL_BIN) ./files/banip.dns $(1)/etc/banip - $(INSTALL_BIN) ./files/banip.mail $(1)/etc/banip - $(INSTALL_BIN) ./files/banip.service $(1)/etc/banip - $(INSTALL_CONF) ./files/banip.maclist $(1)/etc/banip - $(INSTALL_CONF) ./files/banip.blacklist $(1)/etc/banip - $(INSTALL_CONF) ./files/banip.whitelist $(1)/etc/banip - $(INSTALL_CONF) ./files/banip.countries $(1)/etc/banip - $(INSTALL_CONF) ./files/banip.sources $(1)/etc/banip - gzip -9n $(1)/etc/banip/banip.sources - - $(INSTALL_DIR) $(1)/etc/hotplug.d/firewall - $(INSTALL_DATA) ./files/banip.hotplug $(1)/etc/hotplug.d/firewall/30-banip + $(INSTALL_CONF) ./files/banip.tpl $(1)/etc/banip + $(INSTALL_CONF) ./files/banip.allowlist $(1)/etc/banip + $(INSTALL_CONF) ./files/banip.blocklist $(1)/etc/banip + $(INSTALL_CONF) ./files/banip.feeds $(1)/etc/banip + gzip -9n $(1)/etc/banip/banip.feeds endef $(eval $(call BuildPackage,banip)) diff --git a/net/banip/files/README.md b/net/banip/files/README.md index 5f7a37c72..e0bf951f9 100644 --- a/net/banip/files/README.md +++ b/net/banip/files/README.md @@ -1,91 +1,103 @@ -# banIP - ban incoming and/or outgoing ip adresses via ipsets +# banIP - ban incoming and outgoing IP addresses/subnets via sets in nftables ## Description -IP address blocking is commonly used to protect against brute force attacks, prevent disruptive or unauthorized address(es) from access or it can be used to restrict access to or from a particular geographic area — for example. +IP address blocking is commonly used to protect against brute force attacks, prevent disruptive or unauthorized address(es) from access or it can be used to restrict access to or from a particular geographic area — for example. Further more banIP scans the log file via logread and bans IP addresses that make too many password failures, e.g. via ssh. ## Main Features -* Support of the following fully pre-configured domain blocklist sources (free for private usage, for commercial use please check their individual licenses) +* banIP supports the following fully pre-configured domain blocklist feeds (free for private usage, for commercial use please check their individual licenses). + **Please note:** the columns "INP" and "FWD" show for which chains the feeds are suitable in common scenarios, e.g. the first entry should be limited to forward chain - see the config options 'ban\_blockforward' and 'ban\_blockinput' below. -| Source | Focus | Information | -| :------------------ | :----------------------------: | :-------------------------------------------------------------------------------- | -| asn | ASN block | [Link](https://asn.ipinfo.app) | -| bogon | Bogon prefixes | [Link](https://team-cymru.com) | -| country | Country blocks | [Link](https://www.ipdeny.com/ipblocks) | -| darklist | blocks suspicious attacker IPs | [Link](https://darklist.de) | -| debl | Fail2ban IP blacklist | [Link](https://www.blocklist.de) | -| doh | Public DoH-Provider | [Link](https://github.com/dibdot/DoH-IP-blocklists) | -| drop | Spamhaus drop compilation | [Link](https://www.spamhaus.org) | -| dshield | Dshield IP blocklist | [Link](https://www.dshield.org) | -| edrop | Spamhaus edrop compilation | [Link](https://www.spamhaus.org) | -| feodo | Feodo Tracker | [Link](https://feodotracker.abuse.ch) | -| firehol1 | Firehol Level 1 compilation | [Link](https://iplists.firehol.org/?ipset=firehol_level1) | -| firehol2 | Firehol Level 2 compilation | [Link](https://iplists.firehol.org/?ipset=firehol_level2) | -| firehol3 | Firehol Level 3 compilation | [Link](https://iplists.firehol.org/?ipset=firehol_level3) | -| firehol4 | Firehol Level 4 compilation | [Link](https://iplists.firehol.org/?ipset=firehol_level4) | -| greensnow | blocks suspicious server IPs | [Link](https://greensnow.co) | -| iblockads | Advertising blocklist | [Link](https://www.iblocklist.com) | -| iblockspy | Malicious spyware blocklist | [Link](https://www.iblocklist.com) | -| myip | Myip Live IP blacklist | [Link](https://myip.ms) | -| nixspam | iX spam protection | [Link](http://www.nixspam.org) | -| proxy | Firehol list of open proxies | [Link](https://iplists.firehol.org/?ipset=proxylists) | -| ssbl | SSL botnet IP blacklist | [Link](https://sslbl.abuse.ch) | -| talos | Cisco Talos IP Blacklist | [Link](https://talosintelligence.com/reputation_center) | -| threat | Emerging Threats | [Link](https://rules.emergingthreats.net) | -| tor | Tor exit nodes | [Link](https://fissionrelays.net/lists) | -| uceprotect1 | Spam protection level 1 | [Link](http://www.uceprotect.net/en/index.php) | -| uceprotect2 | Spam protection level 2 | [Link](http://www.uceprotect.net/en/index.php) | -| voip | VoIP fraud blocklist | [Link](http://www.voipbl.org) | -| yoyo | Ad protection blacklist | [Link](https://pgl.yoyo.org/adservers/) | +| Feed | Focus | INP | FWD | Information | +| :------------------ | :----------------------------: | :-: | :-: | :-------------------------------------------------------------------- | +| adaway | adaway IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) | +| adguard | adguard IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) | +| adguardtrackers | adguardtracker IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) | +| antipopads | antipopads IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) | +| asn | ASN IPs | | x | [Link](https://asn.ipinfo.app) | +| backscatterer | backscatterer IPs | x | x | [Link](https://www.uceprotect.net/en/index.php) | +| bogon | bogon prefixes | x | x | [Link](https://team-cymru.com) | +| country | country blocks | x | | [Link](https://www.ipdeny.com/ipblocks) | +| cinsscore | suspicious attacker IPs | x | x | [Link](https://cinsscore.com/#list) | +| darklist | blocks suspicious attacker IPs | x | x | [Link](https://darklist.de) | +| debl | fail2ban IP blacklist | x | x | [Link](https://www.blocklist.de) | +| doh | public DoH-Provider | | x | [Link](https://github.com/dibdot/DoH-IP-blocklists) | +| drop | spamhaus drop compilation | x | x | [Link](https://www.spamhaus.org) | +| dshield | dshield IP blocklist | x | x | [Link](https://www.dshield.org) | +| edrop | spamhaus edrop compilation | x | x | [Link](https://www.spamhaus.org) | +| feodo | feodo tracker | x | x | [Link](https://feodotracker.abuse.ch) | +| firehol1 | firehol level 1 compilation | x | x | [Link](https://iplists.firehol.org/?ipset=firehol_level1) | +| firehol2 | firehol level 2 compilation | x | x | [Link](https://iplists.firehol.org/?ipset=firehol_level2) | +| firehol3 | firehol level 3 compilation | x | x | [Link](https://iplists.firehol.org/?ipset=firehol_level3) | +| firehol4 | firehol level 4 compilation | x | x | [Link](https://iplists.firehol.org/?ipset=firehol_level4) | +| greensnow | suspicious server IPs | x | x | [Link](https://greensnow.co) | +| iblockads | Advertising IPs | | x | [Link](https://www.iblocklist.com) | +| iblockspy | Malicious spyware IPs | x | x | [Link](https://www.iblocklist.com) | +| myip | real-time IP blocklist | x | x | [Link](https://myip.ms) | +| nixspam | iX spam protection | x | x | [Link](http://www.nixspam.org) | +| oisdnsfw | OISD-nsfw IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) | +| oisdsmall | OISD-small IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) | +| proxy | open proxies | x | | [Link](https://iplists.firehol.org/?ipset=proxylists) | +| ssbl | SSL botnet IPs | x | x | [Link](https://sslbl.abuse.ch) | +| stevenblack | stevenblack IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) | +| talos | talos IPs | x | x | [Link](https://talosintelligence.com/reputation_center) | +| threat | emerging threats | x | x | [Link](https://rules.emergingthreats.net) | +| threatview | malicious IPs | x | x | [Link](https://threatview.io) | +| tor | tor exit nodes | x | | [Link](https://github.com/SecOps-Institute/Tor-IP-Addresses) | +| uceprotect1 | spam protection level 1 | x | x | [Link](http://www.uceprotect.net/en/index.php) | +| uceprotect2 | spam protection level 2 | x | x | [Link](http://www.uceprotect.net/en/index.php) | +| uceprotect3 | spam protection level 3 | x | x | [Link](http://www.uceprotect.net/en/index.php) | +| urlhaus | urlhaus IDS IPs | x | x | [Link](https://urlhaus.abuse.ch) | +| urlvir | malware related IPs | x | x | [Link](https://iplists.firehol.org/?ipset=urlvir) | +| webclient | malware related IPs | x | x | [Link](https://iplists.firehol.org/?ipset=firehol_webclient) | +| voip | VoIP fraud blocklist | x | x | [Link](https://voipbl.org) | +| yoyo | yoyo IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) | * zero-conf like automatic installation & setup, usually no manual changes needed -* automatically selects one of the following supported download utilities: aria2c, curl, uclient-fetch, wget -* fast downloads & list processing as they are handled in parallel as background jobs in a configurable 'Download Queue' +* all sets are handled in a separate nft table/namespace 'banIP' * full IPv4 and IPv6 support -* ipsets (one per source) are used to ban a large number of IP addresses -* supports blocking by ASN numbers -* supports blocking by iso country codes -* supports local black- & whitelist (IPv4, IPv6, CIDR notation or domain names) -* auto-add unsuccessful LuCI, nginx or ssh login attempts via 'dropbear'/'sshd' to local blacklist -* auto-add the uplink subnet to local whitelist -* black- and whitelist also accept domain names as input to allow IP filtering based on these names -* supports a 'whitelist only' mode, this option allows to restrict Internet access from/to a small number of secure websites/IPs +* supports nft atomic set loading +* supports blocking by ASN numbers and by iso country codes +* supports local allow- and blocklist (IPv4, IPv6, CIDR notation or domain names) +* auto-add the uplink subnet to the local allowlist * provides a small background log monitor to ban unsuccessful login attempts in real-time -* per source configuration of SRC (incoming) and DST (outgoing) -* integrated IPSet-Lookup -* integrated bgpview-Lookup -* blocklist source parsing by fast & flexible regex rulesets -* minimal status & error logging to syslog, enable debug logging to receive more output -* procd based init system support (start/stop/restart/reload/refresh/status) -* procd network interface trigger support -* automatic blocklist backup & restore, they will be used in case of download errors or during startup +* auto-add unsuccessful LuCI, nginx, Asterisk or ssh login attempts to the local blocklist +* fast feed processing as they are handled in parallel as background jobs +* per feed it can be defined whether the input chain or the forward chain should be blocked (default: both chains) +* automatic blocklist backup & restore, the backups will be used in case of download errors or during startup +* automatically selects one of the following download utilities with ssl support: aria2c, curl, uclient-fetch or wget +* supports a 'allowlist only' mode, this option restricts internet access from/to a small number of secure websites/IPs * provides comprehensive runtime information -* provides a detailed IPSet Report -* provides a powerful query function to quickly find blocked IPs/CIDR in banIP related IPSets -* provides an easily configurable blocklist update scheduler called 'Refresh Timer' -* strong LuCI support -* optional: add new banIP sources on your own +* provides a detailed set report +* provides a set search engine for certain IPs +* feed parsing by fast & flexible regex rulesets +* minimal status & error logging to syslog, enable debug logging to receive more output +* procd based init system support (start/stop/restart/reload/status/report/search) +* procd network interface trigger support +* ability to add new banIP feeds on your own ## Prerequisites -* [OpenWrt](https://openwrt.org), tested with the stable release series (21.02.x) and with the latest rolling snapshot releases. On turris devices it has been successfully tested with TurrisOS 5.2.x - Please note: Ancient OpenWrt releases like 18.06.x or 17.01.x are _not_ supported! - Please note: Devices with less than 128 MByte RAM are _not_ supported! - Please note: If you're updating from former banIP 0.3x please manually remove your config (/etc/config/banip) before you start! -* A download utility with SSL support: 'wget', 'uclient-fetch' with one of the 'libustream-*' ssl libraries, 'aria2c' or 'curl' is required -* A certificate store like 'ca-bundle', as banIP checks the validity of the SSL certificates of all download sites by default -* Optional E-Mail notification support: for E-Mail notifications you need to install and setup the additional 'msmtp' package +* **[OpenWrt](https://openwrt.org)**, latest stable release or a snapshot with nft/firewall 4 support +* a download utility with SSL support: 'wget', 'uclient-fetch' with one of the 'libustream-*' SSL libraries, 'aria2c' or 'curl' is required +* a certificate store like 'ca-bundle', as banIP checks the validity of the SSL certificates of all download sites by default +* for E-Mail notifications you need to install and setup the additional 'msmtp' package + +**Please note the following:** +* Devices with less than 256Mb of RAM are **_not_** supported +* Any previous installation of banIP must be uninstalled, and the /etc/banip folder and the /etc/config/banip configuration file must be deleted (they are recreated when this version is installed) +* There is no LuCI frontend at this time ## Installation & Usage -* Update your local opkg repository (_opkg update_) -* Install 'banip' (_opkg install banip_). The banIP service is disabled by default -* Install the LuCI companion package 'luci-app-banip' (_opkg install luci-app-banip_) -* It's strongly recommended to use the LuCI frontend to easily configure all aspects of banIP, the application is located in LuCI under the 'Services' menu +* update your local opkg repository (_opkg update_) +* install banIP (_opkg install banip_) - the banIP service is disabled by default +* edit the config file '/etc/config/banip' and enable the service (set ban\_enabled to '1'), then add pre-configured feeds via 'ban\_feed' (see the config options below) +* start the service with '/etc/init.d/banip start' and check check everything is working by running '/etc/init.d/banip status' -## banIP CLI -* All important banIP functions are accessible via CLI as well. -

-~# /etc/init.d/banip 
+## banIP CLI interface
+* All important banIP functions are accessible via CLI. A LuCI frontend will be available in due course.
+```
+~# /etc/init.d/banip
 Syntax: /etc/init.d/banip [command]
 
 Available commands:
@@ -96,259 +108,151 @@ Available commands:
 	enable          Enable service autostart
 	disable         Disable service autostart
 	enabled         Check if service is started on boot
-	refresh         Refresh ipsets without new list downloads
-	suspend         Suspend banIP processing
-	resume          Resume banIP processing
-	query           <IP> Query active banIP IPSets for a specific IP address
-	report          [<cli>|<mail>|<gen>|<json>] Print banIP related IPset statistics
-	list            [<add>|<add_asn>|<add_country>|<remove>|<remove_asn>|<remove_country>] <source(s)> List/Edit available sources
-	timer           [<add> <tasks> <hour> [<minute>] [<weekday>]]|[<remove> <line no.>] List/Edit cron update intervals
-	version         Print version information
+	report          [text|json|mail] Print banIP related set statistics
+	search          [|] Check if an element exists in the banIP sets
 	running         Check if service is running
 	status          Service status
 	trace           Start with syscall trace
-
+ info Dump procd service info +``` ## banIP config options -* Usually the auto pre-configured banIP setup works quite well and no manual overrides are needed | Option | Type | Default | Description | | :---------------------- | :----- | :---------------------------- | :------------------------------------------------------------------------------------ | | ban_enabled | option | 0 | enable the banIP service | +| ban_nicelimit | option | 0 | ulimit nice level of the banIP service (range 0-19) | +| ban_filelimit | option | 1024 | ulimit max open/number of files (range 1024-4096) | +| ban_loglimit | option | 100 | the logread monitor scans only the last n lines of the logfile | +| ban_logcount | option | 1 | how many times the IP must appear in the log to be considered as suspicious | +| ban_logterm | list | regex | various regex for logfile parsing (default: dropbear, sshd, luci, nginx, asterisk) | | ban_autodetect | option | 1 | auto-detect wan interfaces, devices and subnets | | ban_debug | option | 0 | enable banIP related debug logging | -| ban_mail_enabled | option | 0 | enable the mail service | -| ban_monitor_enabled | option | 0 | enable the log monitor, e.g. to catch failed ssh/luci logins | -| ban_logsrc_enabled | option | 0 | enable the src-related logchain | -| ban_logdst_enabled | option | 0 | enable the dst-related logchain | -| ban_autoblacklist | option | 1 | add suspicious IPs automatically to the local blacklist | -| ban_autowhitelist | option | 1 | add wan IPs/subnets automatically to the local whitelist | -| ban_whitelistonly | option | 0 | allow to restrict Internet access from/to a small number of secure websites/IPs | -| ban_maxqueue | option | 4 | size of the download queue to handle downloads and processing in parallel | -| ban_reportdir | option | /tmp/banIP-Report | directory where banIP stores the report files | -| ban_backupdir | option | /tmp/banIP-Backup | directory where banIP stores the compressed backup files | -| ban_ifaces | list | - | list option to add logical wan interfaces manually | -| ban_sources | list | - | list option to add banIP sources | -| ban_countries | list | - | list option to add certain countries as an alpha-2 ISO code, e.g. 'de' for germany | -| ban_asns | list | - | list option to add certain ASNs (autonomous system number), e.g. '32934' for facebook | -| ban_chain | option | banIP | name of the root chain used by banIP | -| ban_global_settype | option | src+dst | global settype as default for all sources | -| ban_settype_src | list | - | special SRC settype for a certain sources | -| ban_settype_dst | list | - | special DST settype for a certain sources | -| ban_settype_all | list | - | special SRC+DST settype for a certain sources | -| ban_target_src | option | DROP | default src action (used by log chains as well) | -| ban_target_dst | option | REJECT | default dst action (used by log chains as well) | -| ban_lan_inputchains_4 | list | input_lan_rule | list option to add IPv4 lan input chains | -| ban_lan_inputchains_6 | list | input_lan_rule | list option to add IPv6 lan input chains | -| ban_lan_forwardchains_4 | list | forwarding_lan_rule | list option to add IPv4 lan forward chains | -| ban_lan_forwardchains_6 | list | forwarding_lan_rule | list option to add IPv6 lan forward chains | -| ban_wan_inputchains_4 | list | input_wan_rule | list option to add IPv4 wan input chains | -| ban_wan_inputchains_6 | list | input_wan_rule | list option to add IPv6 wan input chains | -| ban_wan_forwardchains_4 | list | forwarding_wan_rule | list option to add IPv4 wan forward chains | -| ban_wan_forwardchains_6 | list | forwarding_wan_rule | list option to add IPv6 wan forward chains | -| ban_fetchutil | option | -, auto-detected | 'uclient-fetch', 'wget', 'curl' or 'aria2c' | -| ban_fetchparm | option | -, auto-detected | manually override the config options for the selected download utility | -| ban_fetchinsecure | option | 0, disabled | don't check SSL server certificates during download | +| ban_loginput | option | 1 | log drops in the input chain | +| ban_logforward | option | 0 | log rejects in the forward chain | +| ban_autoallowlist | option | 1 | add wan IPs/subnets automatically to the local allowlist | +| ban_autoblocklist | option | 1 | add suspicious attacker IPs automatically to the local blocklist | +| ban_allowlistonly | option | 0 | restrict the internet access from/to a small number of secure websites/IPs | +| ban_reportdir | option | /tmp/banIP-report | directory where banIP stores the report files | +| ban_backupdir | option | /tmp/banIP-backup | directory where banIP stores the compressed backup files | +| ban_protov4 | option | - / autodetect | enable IPv4 support | +| ban_protov6 | option | - / autodetect | enable IPv4 support | +| ban_ifv4 | list | - / autodetect | logical wan IPv4 interfaces, e.g. 'wan' | +| ban_ifv6 | list | - / autodetect | logical wan IPv6 interfaces, e.g. 'wan6' | +| ban_dev | list | - / autodetect | wan device(s), e.g. 'eth2' | +| ban_trigger | list | - | logical startup trigger interface(s), e.g. 'wan' | +| ban_triggerdelay | option | 10 | trigger timeout before banIP processing begins | +| ban_deduplicate | option | 1 | deduplicate IP addresses across all active sets | +| ban_splitsize | option | 0 | split ext. sets after every n lines/members (saves RAM) | +| ban_cores | option | - / autodetect | limit the cpu cores used by banIP (saves RAM) | +| ban_nftexpiry | option | - | expiry time for auto added blocklist members, e.g. '5m', '2h' or '1d' | +| ban_nftpriority | option | -200 | nft banIP table priority (default is the prerouting table priority) | +| ban_feed | list | - | external download feeds, e.g. 'yoyo', 'doh', 'country' or 'talos' (see feed table) | +| ban_asn | list | - | ASNs for the 'asn' feed, e.g.'32934' | +| ban_country | list | - | country iso codes for the 'country' feed, e.g. 'ru' | +| ban_blockinput | list | - | limit a feed to the input chain, e.g. 'country' | +| ban_blockforward | list | - | limit a feed to the forward chain, e.g. 'doh' | +| ban_fetchcmd | option | - / autodetect | 'uclient-fetch', 'wget', 'curl' or 'aria2c' | +| ban_fetchparm | option | - / autodetect | set the config options for the selected download utility | +| ban_fetchinsecure | option | 0 | don't check SSL server certificates during download | | ban_mailreceiver | option | - | receiver address for banIP related notification E-Mails | | ban_mailsender | option | no-reply@banIP | sender address for banIP related notification E-Mails | | ban_mailtopic | option | banIP notification | topic for banIP related notification E-Mails | | ban_mailprofile | option | ban_notify | mail profile used in 'msmtp' for banIP related notification E-Mails | -| ban_srcarc | option | /etc/banip/banip.sources.gz | full path to the compressed source archive file used by banIP | -| ban_localsources | list | maclist, whitelist, blacklist | limit the selection to certain local sources | -| ban_extrasources | list | - | add additional, non-banIP related IPSets e.g. for reporting or queries | -| ban_maclist_timeout | option | - | individual maclist IPSet timeout | -| ban_whitelist_timeout | option | - | individual whitelist IPSet timeout | -| ban_blacklist_timeout | option | - | individual blacklist IPSet timeout | -| ban_logterms | list | dropbear, sshd, luci, nginx | limit the log monitor to certain log terms | -| ban_loglimit | option | 100 | parse only the last stated number of log entries for suspicious events | -| ban_ssh_logcount | option | 3 | number of the failed ssh login repetitions of the same ip in the log before banning | -| ban_luci_logcount | option | 3 | number of the failed luci login repetitions of the same ip in the log before banning | -| ban_nginx_logcount | option | 5 | number of the failed nginx requests of the same ip in the log before banning | - -## Examples -**list/edit banIP sources:** -

-~# /etc/init.d/banip list
-::: Available banIP sources
-:::
-    Name                 Enabled   Focus                               Info URL
-    ---------------------------------------------------------------------------
-  + asn                            ASN blocks                          https://asn.ipinfo.app
-  + bogon                          Bogon prefixes                      https://team-cymru.com
-  + country              x         Country blocks                      https://www.ipdeny.com/ipblocks
-  + darklist             x         Blocks suspicious attacker IPs      https://darklist.de
-  + debl                 x         Fail2ban IP blacklist               https://www.blocklist.de
-  + doh                  x         Public DoH-Provider                 https://github.com/dibdot/DoH-IP-blocklists
-  + drop                 x         Spamhaus drop compilation           https://www.spamhaus.org
-  + dshield              x         Dshield IP blocklist                https://www.dshield.org
-  + edrop                          Spamhaus edrop compilation          https://www.spamhaus.org
-  + feodo                x         Feodo Tracker                       https://feodotracker.abuse.ch
-  + firehol1             x         Firehol Level 1 compilation         https://iplists.firehol.org/?ipset=firehol_level1
-  + firehol2                       Firehol Level 2 compilation         https://iplists.firehol.org/?ipset=firehol_level2
-  + firehol3                       Firehol Level 3 compilation         https://iplists.firehol.org/?ipset=firehol_level3
-  + firehol4                       Firehol Level 4 compilation         https://iplists.firehol.org/?ipset=firehol_level4
-  + greensnow            x         Blocks suspicious server IPs        https://greensnow.co
-  + iblockads                      Advertising blocklist               https://www.iblocklist.com
-  + iblockspy            x         Malicious spyware blocklist         https://www.iblocklist.com
-  + myip                           Myip Live IP blacklist              https://myip.ms
-  + nixspam              x         iX spam protection                  http://www.nixspam.org
-  + proxy                          Firehol list of open proxies        https://iplists.firehol.org/?ipset=proxylists
-  + sslbl                x         SSL botnet IP blacklist             https://sslbl.abuse.ch
-  + talos                x         Cisco Talos IP Blacklist            https://talosintelligence.com/reputation_center
-  + threat               x         Emerging Threats                    https://rules.emergingthreats.net
-  + tor                  x         Tor exit nodes                      https://fissionrelays.net/lists
-  + uceprotect1          x         Spam protection level 1             http://www.uceprotect.net/en/index.php
-  + uceprotect2                    Spam protection level 2             http://www.uceprotect.net/en/index.php
-  + voip                 x         VoIP fraud blocklist                http://www.voipbl.org
-  + yoyo                 x         Ad protection blacklist             https://pgl.yoyo.org/adservers/
-    ---------------------------------------------------------------------------
-  * Configured ASNs: -
-  * Configured Countries: af, bd, br, cn, hk, hu, id, il, in, iq, ir, kp, kr, no, pk, pl, ro, ru, sa, th, tr, ua, gb
-
- -**receive banIP runtime information:** -

-~# /etc/init.d/banip status
-::: banIP runtime information
-  + status          : enabled
-  + version         : 0.7.7
-  + ipset_info      : 2 IPSets with 30 IPs/Prefixes
-  + active_sources  : whitelist
-  + active_devs     : wlan0
-  + active_ifaces   : trm_wwan, trm_wwan6
-  + active_logterms : dropbear, sshd, luci, nginx
-  + active_subnets  : xxx.xxx.xxx.xxx/24, xxxx:xxxx:xxxx:xx::xxx/128
-  + run_infos       : settype: src+dst, backup_dir: /tmp/banIP-Backup, report_dir: /tmp/banIP-Report
-  + run_flags       : protocols (4/6): ✔/✔, log (src/dst): ✔/✘, monitor: ✔, mail: ✘, whitelist only: ✔
-  + last_run        : restart, 0m 3s, 122/30/14, 21.04.2021 20:14:36
-  + system          : TP-Link RE650 v1, OpenWrt SNAPSHOT r16574-f7e00d81bc
-
- -**black-/whitelist handling:** -banIP supports a local black & whitelist (IPv4, IPv6, CIDR notation or domain names), located by default in /etc/banip/banip.whitelist and /etc/banip/banip.blacklist. -Unsuccessful LuCI logins, suspicious nginx request or ssh login attempts via 'dropbear'/'sshd' could be tracked and automatically added to the local blacklist (see the 'ban_autoblacklist' option). Furthermore the uplink subnet could be automatically added to local whitelist (see 'ban_autowhitelist' option). The list behaviour could be further tweaked with different timeout and counter options (see the config options section above). -Last but not least, both lists also accept domain names as input to allow IP filtering based on these names. The corresponding IPs (IPv4 & IPv6) will be resolved in a detached background process and added to the IPsets. The detached name lookup takes place only during 'restart' or 'reload' action, 'start' and 'refresh' actions are using an auto-generated backup instead. - -**whitelist-only mode:** -banIP supports a "whitelist only" mode. This option allows to restrict the internet access from/to a small number of secure websites/IPs, and block access from/to the rest of the internet. All IPs and Domains which are _not_ listed in the whitelist are blocked. Please note: suspend/resume does not work in this mode. - -**Manually override the download options:** -By default banIP uses the following pre-configured download options: -* aria2c: --timeout=20 --allow-overwrite=true --auto-file-renaming=false --log-level=warn --dir=/ -o -* curl: --connect-timeout 20 --silent --show-error --location -o -* uclient-fetch: --timeout=20 -O -* wget: --no-cache --no-cookies --max-redirect=0 --timeout=20 -O +| ban_resolver | option | - | external resolver used for DNS lookups | +| ban_feedarchive | option | /etc/banip/banip.feeds.gz | full path to the compressed feed archive file used by banIP | -To override the default set 'ban_fetchparm' manually to your needs. - -**generate an IPSet report:** -

+## Examples
+**banIP report information**  
+```
 ~# /etc/init.d/banip report
 :::
-::: report on all banIP related IPSets
+::: banIP Set Statistics
 :::
-  + Report timestamp           ::: 04.02.2021 06:24:41
-  + Number of all IPSets       ::: 24
-  + Number of all entries      ::: 302448
-  + Number of IP entries       ::: 224748
-  + Number of CIDR entries     ::: 77700
-  + Number of MAC entries      ::: 0
-  + Number of accessed entries ::: 36
+    Timestamp: 2023-02-08 22:12:40
+    ------------------------------
+    auto-added to allowlist: 1
+    auto-added to blocklist: 0
+
+    Set                  | Set Elements  | Chain Input   | Chain Forward | Input Packets | Forward Packets
+    ---------------------+---------------+---------------+---------------+---------------+----------------
+    allowlistvMAC        | 0             | n/a           | OK            | n/a           | 0             
+    allowlistv4          | 1             | OK            | OK            | 0             | 0             
+    allowlistv6          | 0             | OK            | OK            | 0             | 0             
+    blocklistvMAC        | 0             | n/a           | OK            | n/a           | 0             
+    blocklistv4          | 0             | OK            | OK            | 0             | 0             
+    blocklistv6          | 0             | OK            | OK            | 0             | 0             
+    dohv4                | 542           | n/a           | OK            | n/a           | 22            
+    adguardv4            | 23007         | n/a           | OK            | n/a           | 18            
+    yoyov4               | 1936          | n/a           | OK            | n/a           | 1             
+    oisdbasicv4          | 26000         | n/a           | OK            | n/a           | 325           
+    ---------------------+---------------+---------------+---------------+---------------+----------------
+    10                   | 51486         | 4             | 10            | 0             | 366
+```
+
+**banIP runtime information**  
+```
+~# etc/init.d/banip status
+::: banIP runtime information
+  + status            : active
+  + version           : 0.8.0
+  + element_count     : 51486
+  + active_feeds      : allowlistvMAC, allowlistv4, allowlistv6, blocklistvMAC, blocklistv4, blocklistv6, dohv4, adguardv4
+                        , yoyov4, oisdbasicv4
+  + active_devices    : eth2
+  + active_interfaces : wan
+  + active_subnets    : 192.168.98.107/24
+  + run_info          : base_dir: /tmp, backup_dir: /tmp/banIP-backup, report_dir: /tmp/banIP-report, feed_archive: /etc/b
+                        anip/banip.feeds.gz
+  + run_flags         : protocol (4/6): ✔/✘, log (inp/fwd): ✔/✘, deduplicate: ✔, split: ✘, allowed only: ✘
+  + last_run          : action: start, duration: 0m 15s, date: 2023-02-08 22:12:46
+  + system_info       : cores: 2, memory: 3614, device: PC Engines apu1, OpenWrt SNAPSHOT r21997-b5193291bd
+```
+
+**banIP search information**  
+```
+~# /etc/init.d/banip search 221.228.105.173
 :::
-::: IPSet details
+::: banIP Search
 :::
-    Name                 Type        Count      Cnt_IP    Cnt_CIDR  Cnt_MAC   Cnt_ACC   Entry details (Entry/Count)
-    --------------------------------------------------------------------------------------------------------------------
-    whitelist_4          src+dst     1          0         1         0         1
-                                                                                        xxx.xxxx.xxx.xxxx/24     85
-    --------------------------------------------------------------------------------------------------------------------
-    whitelist_6          src+dst     2          0         2         0         1
-                                                                                        xxxx:xxxx:xxxx::/64      29
-    --------------------------------------------------------------------------------------------------------------------
-    blacklist_4          src+dst     513        513       0         0         2
-                                                                                        192.35.168.16            3
-                                                                                        80.82.65.74              1
-    --------------------------------------------------------------------------------------------------------------------
-    blacklist_6          src+dst     1          1         0         0         0
-    --------------------------------------------------------------------------------------------------------------------
-    country_4            src         52150      0         52150     0         23
-                                                                                        124.5.0.0/16             1
-                                                                                        95.188.0.0/14            1
-                                                                                        121.16.0.0/12            1
-                                                                                        46.161.0.0/18            1
-                                                                                        42.56.0.0/14             1
-                                                                                        113.64.0.0/10            1
-                                                                                        113.252.0.0/14           1
-                                                                                        5.201.128.0/17           1
-                                                                                        125.64.0.0/11            1
-                                                                                        90.188.0.0/15            1
-                                                                                        60.0.0.0/11              1
-                                                                                        78.160.0.0/11            1
-                                                                                        1.80.0.0/12              1
-                                                                                        183.184.0.0/13           1
-                                                                                        175.24.0.0/14            1
-                                                                                        119.176.0.0/12           1
-                                                                                        59.88.0.0/13             1
-                                                                                        103.78.12.0/22           1
-                                                                                        123.128.0.0/13           1
-                                                                                        116.224.0.0/12           1
-                                                                                        42.224.0.0/12            1
-                                                                                        82.80.0.0/15             1
-                                                                                        14.32.0.0/11             1
-    --------------------------------------------------------------------------------------------------------------------
-    country_6            src         20099      0         20099     0         0
-    --------------------------------------------------------------------------------------------------------------------
-    debl_4               src+dst     29389      29389     0         0         1
-                                                                                        5.182.210.16             4
-    --------------------------------------------------------------------------------------------------------------------
-    debl_6               src+dst     64         64        0         0         0
-    --------------------------------------------------------------------------------------------------------------------
-    doh_4                src+dst     168        168       0         0         0
-    --------------------------------------------------------------------------------------------------------------------
-    doh_6                src+dst     122        122       0         0         0
-    --------------------------------------------------------------------------------------------------------------------
-    drop_4               src+dst     965        0         965       0         0
-    --------------------------------------------------------------------------------------------------------------------
-    drop_6               src+dst     36         0         36        0         0
-    --------------------------------------------------------------------------------------------------------------------
-    dshield_4            src+dst     20         0         20        0         1
-                                                                                        89.248.165.0/24          1
-    --------------------------------------------------------------------------------------------------------------------
-    feodo_4              src+dst     325        325       0         0         0
-    --------------------------------------------------------------------------------------------------------------------
-    firehol1_4           src+dst     2763       403       2360      0         0
-    --------------------------------------------------------------------------------------------------------------------
-    iblockspy_4          src+dst     3650       2832      818       0         0
-    --------------------------------------------------------------------------------------------------------------------
-    nixspam_4            src+dst     9577       9577      0         0         0
-    --------------------------------------------------------------------------------------------------------------------
-    sslbl_4              src+dst     104        104       0         0         0
-    --------------------------------------------------------------------------------------------------------------------
-    threat_4             src+dst     1300       315       985       0         0
-    --------------------------------------------------------------------------------------------------------------------
-    tor_4                src+dst     1437       1437      0         0         0
-    --------------------------------------------------------------------------------------------------------------------
-    tor_6                src+dst     478        478       0         0         0
-    --------------------------------------------------------------------------------------------------------------------
-    uceprotect1_4        src+dst     156249     156249    0         0         6
-                                                                                        192.241.220.137          1
-                                                                                        128.14.137.178           1
-                                                                                        61.219.11.153            1
-                                                                                        138.34.32.33             1
-                                                                                        107.174.133.130          2
-                                                                                        180.232.99.46            1
-    --------------------------------------------------------------------------------------------------------------------
-    voip_4               src+dst     12563      12299     264       0         0
-    --------------------------------------------------------------------------------------------------------------------
-    yoyo_4               src+dst     10472      10472     0         0         1
-                                                                                        204.79.197.200           2
-    --------------------------------------------------------------------------------------------------------------------
-
- -**Enable E-Mail notification via 'msmtp':** -To use the email notification you have to install & configure the package 'msmtp'. + Looking for IP 221.228.105.173 on 2023-02-08 22:12:48 + --- + IP found in set oisdbasicv4 +``` + +**allow-/blocklist handling** +banIP supports local allow and block lists (IPv4, IPv6, CIDR notation or domain names), located in /etc/banip/banip.allowlist and /etc/banip/banip.blocklist. +Unsuccessful login attempts or suspicious requests will be tracked and added to the local blocklist (see the 'ban\_autoblocklist' option). The blocklist behaviour can be further tweaked with the 'ban\_nftexpiry' option. +Furthermore the uplink subnet will be added to local allowlist (see 'ban\_autowallowlist' option). +Both lists also accept domain names as input to allow IP filtering based on these names. The corresponding IPs (IPv4 & IPv6) will be extracted in a detached background process and added to the sets. + +**allowlist-only mode** +banIP supports an "allowlist only" mode. This option restricts the internet access from/to a small number of secure websites/IPs, and block access from/to the rest of the internet. All IPs and Domains which are _not_ listed in the allowlist are blocked. + +**redirect Asterisk security logs to lodg/logread** +banIP only supports logfile scanning via logread, so to monitor attacks on Asterisk, its security log must be available via logread. To do this, edit '/etc/asterisk/logger.conf' and add the line 'syslog.local0 = security', then run 'asterisk -rx reload logger' to update the running Asterisk configuration. + +**tweaks for low memory systems** +nftables supports the atomic loading of rules/sets/members, which is cool but unfortunately is also very memory intensive. To reduce the memory pressure on low memory systems (i.e. those with 256-512Mb RAM), you should optimize your configuration with the following options: + + * point 'ban_reportdir' and 'ban_backupdir' to an external usb drive + * set 'ban_cores' to '1' (only useful on a multicore system) to force sequential feed processing + * set 'ban_splitsize' e.g. to '1000' to split the load of an external set after every 1000 lines/members + +**tweak the download options** +By default banIP uses the following pre-configured download options: +``` + * aria2c: --timeout=20 --allow-overwrite=true --auto-file-renaming=false --log-level=warn --dir=/ -o + * curl: --connect-timeout 20 --silent --show-error --location -o + * uclient-fetch: --timeout=20 -O + * wget: --no-cache --no-cookies --max-redirect=0 --timeout=20 -O +``` +To override the default set 'ban_fetchparm' manually to your needs. + +**send E-Mail notifications via 'msmtp'** +To use the email notification you must install & configure the package 'msmtp'. Modify the file '/etc/msmtprc', e.g.: -

+```
 [...]
 defaults
 auth            on
@@ -360,39 +264,37 @@ syslog          LOG_MAIL
 account         ban_notify
 host            smtp.gmail.com
 port            587
-from            <address>@gmail.com
-user            <gmail-user>
-password        <password>
-
-Finally enable E-Mail support and add a valid E-Mail receiver address in LuCI. - -**Edit, add new banIP sources:** -The banIP blocklist sources are stored in an external, compressed JSON file '/etc/banip/banip.sources.gz'. -This file is directly parsed in LuCI and accessible via CLI, just call _/etc/init.d/banip list_. +from
@gmail.com +user +password +``` +Finally add a valid E-Mail receiver address. -To add new or edit existing sources extract the compressed JSON file _gunzip /etc/banip/banip.sources.gz_. +**add new banIP feeds** +The banIP blocklist feeds are stored in an external, compressed JSON file '/etc/banip/banip.feeds.gz'. +To add a new or edit an existing feed extract the compressed JSON file _gunzip /etc/banip/banip.feeds.gz_. A valid JSON source object contains the following required information, e.g.: -

+```
 	[...]
 	"tor": {
-		"url_4": "https://lists.fissionrelays.net/tor/exits-ipv4.txt",
-		"url_6": "https://lists.fissionrelays.net/tor/exits-ipv6.txt",
-		"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add tor_4 \"$1}",
-		"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{print \"add tor_6 \"$1}",
-		"focus": "Tor exit nodes",
-		"descurl": "https://fissionrelays.net/lists"
+		"url_4": "https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst",
+		"url_6": "https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst",
+		"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
+		"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
+		"focus": "tor exit nodes",
+		"descurl": "https://github.com/SecOps-Institute/Tor-IP-Addresses"
 	},
 	[...]
-
-Add an unique object name, make the required changes to 'url_4', 'rule_4' (and/or 'url_6', 'rule_6'), 'focus' and 'descurl' and finally compress the changed JSON file _gzip /etc/banip/banip.sources.gz_ to use the new source object in banIP. -Please note: if you're going to add new sources on your own, please make a copy of the default file and work with that copy further on, cause the default will be overwritten with every banIP update. To reference your copy set the option 'ban\_srcarc' which points by default to '/etc/banip/banip.sources.gz' - +``` +Add an unique object name, make the required changes and compress the changed JSON file finally with _gzip /etc/banip/banip.feeds_ to use the new feed file in banIP. +**Please note:** if you're going to add new feeds, **always** work with a copy of the default file; this file is always overwritten with every banIP update. To reference your own file set the option 'ban\_feedarchive' accordingly + ## Support -Please join the banIP discussion in this [forum thread](https://forum.openwrt.org/t/banip-support-thread/16985) or contact me by mail +Please join the banIP discussion in this [forum thread](https://forum.openwrt.org/t/banip-support-thread/16985) or contact me by mail ## Removal * stop all banIP related services with _/etc/init.d/banip stop_ * optional: remove the banip package (_opkg remove banip_) Have fun! -Dirk +Dirk diff --git a/net/banip/files/banip-functions.sh b/net/banip/files/banip-functions.sh new file mode 100644 index 000000000..532b3b183 --- /dev/null +++ b/net/banip/files/banip-functions.sh @@ -0,0 +1,1159 @@ +# banIP shared function library/include +# Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org) +# This is free software, licensed under the GNU General Public License v3. + +# (s)hellcheck exceptions +# shellcheck disable=all + +# set initial defaults +# +export LC_ALL=C +export PATH="/usr/sbin:/usr/bin:/sbin:/bin" + +ban_basedir="/tmp" +ban_backupdir="${ban_basedir}/banIP-backup" +ban_reportdir="${ban_basedir}/banIP-report" +ban_feedarchive="/etc/banip/banip.feeds.gz" +ban_pidfile="/var/run/banip.pid" +ban_lock="/var/run/banip.lock" +ban_blocklist="/etc/banip/banip.blocklist" +ban_allowlist="/etc/banip/banip.allowlist" +ban_fetchcmd="" +ban_logreadcmd="$(command -v logread)" +ban_logcmd="$(command -v logger)" +ban_ubuscmd="$(command -v ubus)" +ban_nftcmd="$(command -v nft)" +ban_fw4cmd="$(command -v fw4)" +ban_awkcmd="$(command -v awk)" +ban_grepcmd="$(command -v grep)" +ban_lookupcmd="$(command -v nslookup)" +ban_mailcmd="$(command -v msmtp)" +ban_mailsender="no-reply@banIP" +ban_mailreceiver="" +ban_mailtopic="banIP notification" +ban_mailprofile="ban_notify" +ban_mailtemplate="/etc/banip/banip.tpl" +ban_nftpriority="-200" +ban_nftexpiry="" +ban_loglevel="warn" +ban_loglimit="100" +ban_logcount="1" +ban_logterm="" +ban_country="" +ban_asn="" +ban_loginput="0" +ban_logforward="0" +ban_allowlistonly="0" +ban_autoallowlist="1" +ban_autoblocklist="1" +ban_deduplicate="1" +ban_splitsize="0" +ban_autodetect="" +ban_feed="" +ban_blockinput="" +ban_blockforward="" +ban_protov4="0" +ban_protov6="0" +ban_ifv4="" +ban_ifv6="" +ban_dev="" +ban_sub="" +ban_fetchinsecure="" +ban_cores="" +ban_memory="" +ban_trigger="" +ban_triggerdelay="10" +ban_resolver="" +ban_enabled="0" +ban_debug="0" + +# gather system information +# +f_system() { + local cpu core + + ban_memory="$("${ban_awkcmd}" '/^MemAvailable/{printf "%s",int($2/1000)}' "/proc/meminfo" 2>/dev/null)" + ban_ver="$(${ban_ubuscmd} -S call rpc-sys packagelist 2>/dev/null | jsonfilter -ql1 -e '@.packages.banip')" + ban_sysver="$(${ban_ubuscmd} -S call system board 2>/dev/null | jsonfilter -ql1 -e '@.model' -e '@.release.description' | + "${ban_awkcmd}" 'BEGIN{RS="";FS="\n"}{printf "%s, %s",$1,$2}')" + if [ -z "${ban_cores}" ]; then + cpu="$("${ban_grepcmd}" -c '^processor' /proc/cpuinfo 2>/dev/null)" + core="$("${ban_grepcmd}" -cm1 '^core id' /proc/cpuinfo 2>/dev/null)" + [ "${cpu}" = "0" ] && cpu="1" + [ "${core}" = "0" ] && core="1" + ban_cores="$((cpu * core))" + fi + + f_log "debug" "f_system ::: system: ${ban_sysver:-"n/a"}, version: ${ban_ver:-"n/a"}, memory: ${ban_memory:-"0"}, cpu_cores: ${ban_cores}" +} + +# create directories +# +f_mkdir() { + local dir="${1}" + + if [ ! -d "${dir}" ]; then + rm -f "${dir}" + mkdir -p "${dir}" + f_log "debug" "f_mkdir ::: created directory: ${dir}" + fi +} + +# create files +# +f_mkfile() { + local file="${1}" + + if [ ! -f "${file}" ]; then + : >"${file}" + f_log "debug" "f_mkfile ::: created file: ${file}" + fi +} + +# create temporary files and directories +# +f_tmp() { + f_mkdir "${ban_basedir}" + ban_tmpdir="$(mktemp -p "${ban_basedir}" -d)" + ban_tmpfile="$(mktemp -p "${ban_tmpdir}" -tu)" + + f_log "debug" "f_tmp ::: base_dir: ${ban_basedir:-"-"}, tmp_dir: ${ban_tmpdir:-"-"}" +} + +# remove directories +# +f_rmdir() { + local dir="${1}" + + if [ -d "${dir}" ]; then + rm -rf "${dir}" + f_log "debug" "f_rmdir ::: deleted directory: ${dir}" + fi +} + +# convert chars +# +f_char() { + local char="${1}" + + [ "${char}" = "1" ] && printf "%s" "✔" || printf "%s" "✘" +} + +# trim strings +# +f_trim() { + local string="${1}" + + string="${string#"${string%%[![:space:]]*}"}" + string="${string%"${string##*[![:space:]]}"}" + printf "%s" "${string}" +} + +# write log messages +# +f_log() { + local class="${1}" log_msg="${2}" + + if [ -n "${log_msg}" ] && { [ "${class}" != "debug" ] || [ "${ban_debug}" = "1" ]; }; then + if [ -x "${ban_logcmd}" ]; then + "${ban_logcmd}" -p "${class}" -t "banIP-${ban_ver}[${$}]" "${log_msg}" + else + printf "%s %s %s\n" "${class}" "banIP-${ban_ver}[${$}]" "${log_msg}" + fi + fi + if [ "${class}" = "err" ]; then + f_genstatus "error" + f_rmdir "${ban_tmpdir}" + rm -rf "${ban_lock}" + exit 1 + fi +} + +# load config +# +f_conf() { + unset ban_dev ban_ifv4 ban_ifv6 ban_feed ban_blockinput ban_blockforward ban_logterm ban_country ban_asn + config_cb() { + option_cb() { + local option="${1}" + local value="${2}" + eval "${option}=\"${value}\"" + } + list_cb() { + local option="${1}" + local value="${2}" + case "${option}" in + "ban_dev") + eval "${option}=\"$(printf "%s" "${ban_dev}")${value} \"" + ;; + "ban_ifv4") + eval "${option}=\"$(printf "%s" "${ban_ifv4}")${value} \"" + ;; + "ban_ifv6") + eval "${option}=\"$(printf "%s" "${ban_ifv6}")${value} \"" + ;; + "ban_feed") + eval "${option}=\"$(printf "%s" "${ban_feed}")${value} \"" + ;; + "ban_blockinput") + eval "${option}=\"$(printf "%s" "${ban_blockinput}")${value} \"" + ;; + "ban_blockforward") + eval "${option}=\"$(printf "%s" "${ban_blockforward}")${value} \"" + ;; + "ban_logterm") + eval "${option}=\"$(printf "%s" "${ban_logterm}")${value}\\|\"" + ;; + "ban_country") + eval "${option}=\"$(printf "%s" "${ban_country}")${value} \"" + ;; + "ban_asn") + eval "${option}=\"$(printf "%s" "${ban_asn}")${value} \"" + ;; + esac + } + } + config_load banip + + [ "${ban_action}" = "boot" ] && [ -z "${ban_trigger}" ] && sleep ${ban_triggerdelay} +} + +# prepare fetch utility +# +f_fetch() { + local ut utils packages insecure + + if [ -z "${ban_fetchcmd}" ] || [ ! -x "${ban_fetchcmd}" ]; then + packages="$(${ban_ubuscmd} -S call rpc-sys packagelist 2>/dev/null)" + [ -z "${packages}" ] && f_log "err" "local opkg package repository is not available, please set the download utility 'ban_fetchcmd' manually" + utils="aria2c curl wget uclient-fetch" + for ut in ${utils}; do + if { [ "${ut}" = "uclient-fetch" ] && printf "%s" "${packages}" | "${ban_grepcmd}" -q '"libustream-'; } || + { [ "${ut}" = "wget" ] && printf "%s" "${packages}" | "${ban_grepcmd}" -q '"wget-ssl'; } || + [ "${ut}" = "curl" ] || [ "${ut}" = "aria2c" ]; then + ban_fetchcmd="$(command -v "${ut}")" + if [ -x "${ban_fetchcmd}" ]; then + uci_set banip global ban_fetchcmd "${ban_fetchcmd##*/}" + uci_commit "banip" + break + fi + fi + done + fi + [ ! -x "${ban_fetchcmd}" ] && f_log "err" "download utility with SSL support not found" + case "${ban_fetchcmd##*/}" in + "aria2c") + [ "${ban_fetchinsecure}" = "1" ] && insecure="--check-certificate=false" + ban_fetchparm="${ban_fetchparm:-"${insecure} --timeout=20 --allow-overwrite=true --auto-file-renaming=false --log-level=warn --dir=/ -o"}" + ;; + "curl") + [ "${ban_fetchinsecure}" = "1" ] && insecure="--insecure" + ban_fetchparm="${ban_fetchparm:-"${insecure} --connect-timeout 20 --fail --silent --show-error --location -o"}" + ;; + "uclient-fetch") + [ "${ban_fetchinsecure}" = "1" ] && insecure="--no-check-certificate" + ban_fetchparm="${ban_fetchparm:-"${insecure} --timeout=20 -O"}" + ;; + "wget") + [ "${ban_fetchinsecure}" = "1" ] && insecure="--no-check-certificate" + ban_fetchparm="${ban_fetchparm:-"${insecure} --no-cache --no-cookies --max-redirect=0 --timeout=20 -O"}" + ;; + esac + + f_log "debug" "f_fetch ::: fetch_cmd: ${ban_fetchcmd:-"-"}, fetch_parm: ${ban_fetchparm:-"-"}" +} + +# remove logservice +# +f_rmpid() { + local ppid pid pids + + ppid="$(cat "${ban_pidfile}" 2>/dev/null)" + [ -n "${ppid}" ] && pids="$(pgrep -P "${ppid}" 2>/dev/null)" || return 0 + for pid in ${pids}; do + kill -INT "${pid}" >/dev/null 2>&1 + done + : >"${ban_pidfile}" +} + +# get wan interfaces +# +f_getif() { + local iface + + "${ban_ubuscmd}" -t 5 wait_for network.device network.interface 2>/dev/null + if [ "${ban_autodetect}" = "1" ]; then + if [ -z "${ban_ifv4}" ]; then + network_find_wan iface + if [ -n "${iface}" ] && ! printf "%s" "${ban_ifv4}" | "${ban_grepcmd}" -q "${iface}"; then + ban_protov4="1" + ban_ifv4="${ban_ifv4}${iface} " + uci_set banip global ban_protov4 "1" + uci_add_list banip global ban_ifv4 "${iface}" + fi + fi + if [ -z "${ban_ifv6}" ]; then + network_find_wan6 iface + if [ -n "${iface}" ] && ! printf "%s" "${ban_ifv6}" | "${ban_grepcmd}" -q "${iface}"; then + ban_protov6="1" + ban_ifv6="${ban_ifv6}${iface} " + uci_set banip global ban_protov6 "1" + uci_add_list banip global ban_ifv6 "${iface}" + fi + fi + ban_ifv4="${ban_ifv4%%?}" + ban_ifv6="${ban_ifv6%%?}" + [ -n "$(uci -q changes "banip")" ] && uci_commit "banip" + fi + [ -z "${ban_ifv4}" ] && [ -z "${ban_ifv6}" ] && f_log "err" "wan interfaces not found, please check your configuration" + + f_log "debug" "f_getif ::: auto_detect: ${ban_autodetect}, interfaces (4/6): ${ban_ifv4}/${ban_ifv6}, protocols (4/6): ${ban_protov4}/${ban_protov6}" +} + +# get wan devices +# +f_getdev() { + local dev iface + + if [ "${ban_autodetect}" = "1" ] && [ -z "${ban_dev}" ]; then + for iface in ${ban_ifv4} ${ban_ifv6}; do + network_get_device dev "${iface}" + if [ -n "${dev}" ] && ! printf "%s" "${ban_dev}" | "${ban_grepcmd}" -q "${dev}"; then + ban_dev="${ban_dev}${dev} " + uci_add_list banip global ban_dev "${dev}" + else + network_get_physdev dev "${iface}" + if [ -n "${dev}" ] && ! printf "%s" "${ban_dev}" | "${ban_grepcmd}" -q "${dev}"; then + ban_dev="${ban_dev}${dev} " + uci_add_list banip global ban_dev "${dev}" + fi + fi + done + ban_dev="${ban_dev%%?}" + [ -n "$(uci -q changes "banip")" ] && uci_commit "banip" + fi + [ -z "${ban_dev}" ] && f_log "err" "wan devices not found, please check your configuration" + + f_log "debug" "f_getdev ::: auto_detect: ${ban_autodetect}, devices: ${ban_dev}" +} + +# get local subnets +# +f_getsub() { + local sub iface ip + + for iface in ${ban_ifv4} ${ban_ifv6}; do + network_get_subnet sub "${iface}" + if [ -n "${sub}" ] && ! printf "%s" "${ban_sub}" | "${ban_grepcmd}" -q "${sub}"; then + ban_sub="${ban_sub} ${sub}" + fi + network_get_subnet6 sub "${iface}" + if [ -n "${sub}" ] && ! printf "%s" "${ban_sub}" | "${ban_grepcmd}" -q "${sub}"; then + ban_sub="${ban_sub} ${sub}" + fi + done + if [ "${ban_autoallowlist}" = "1" ]; then + for ip in ${ban_sub}; do + if ! "${ban_grepcmd}" -q "${ip}" "${ban_allowlist}"; then + printf "%-42s%s\n" "${ip}" "added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_allowlist}" + f_log "info" "add subnet '${ip}' to local allowlist" + fi + done + fi + [ -z "${ban_sub}" ] && f_log "err" "wan subnet(s) not found, please check your configuration" + + f_log "debug" "f_getsub ::: auto_allowlist: ${ban_autoallowlist}, subnet(s): ${ban_sub:-"-"}" +} + +# get set elements +# +f_getelements() { + local file="${1}" + + [ -s "${file}" ] && printf "%s" "elements={ $(cat "${file}") };" +} + +# build initial nft file with base table, chains and rules +# +f_nftinit() { + local feed_log feed_rc file="${1}" + + { + # nft header (tables and chains) + # + printf "%s\n\n" "#!/usr/sbin/nft -f" + if "${ban_nftcmd}" -t list table inet banIP >/dev/null 2>&1; then + printf "%s\n" "delete table inet banIP" + fi + printf "%s\n" "add table inet banIP" + printf "%s\n" "add chain inet banIP wan-input { type filter hook input priority ${ban_nftpriority}; policy accept; }" + printf "%s\n" "add chain inet banIP lan-forward { type filter hook forward priority ${ban_nftpriority}; policy accept; }" + + # default input rules + # + printf "%s\n" "add rule inet banIP wan-input ct state established,related counter accept" + printf "%s\n" "add rule inet banIP wan-input iifname != { ${ban_dev// /, } } counter accept" + printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv4 icmp type { echo-request } limit rate 1000/second counter accept" + printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { echo-request } limit rate 1000/second counter accept" + printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} limit rate 1000/second ip6 hoplimit 1 counter accept" + printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} limit rate 1000/second ip6 hoplimit 255 counter accept" + + # default forward rules + # + printf "%s\n" "add rule inet banIP lan-forward ct state established,related counter accept" + printf "%s\n" "add rule inet banIP lan-forward oifname != { ${ban_dev// /, } } counter accept" + } >"${file}" + + # load initial banIP table within nft (atomic load) + # + feed_log="$("${ban_nftcmd}" -f "${file}" 2>&1)" + feed_rc="${?}" + + f_log "debug" "f_nftinit ::: devices: ${ban_dev}, priority: ${ban_nftpriority}, rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}" + return ${feed_rc} +} + +f_down() { + local nft_loginput nft_logforward start_ts end_ts tmp_raw tmp_load tmp_file split_file input_handles forward_handles handle + local cnt_set cnt_dl restore_rc feed_direction feed_rc feed_log feed="${1}" proto="${2}" feed_url="${3}" feed_rule="${4}" feed_flag="${5}" + + start_ts="$(date +%s)" + feed="${feed}v${proto}" + tmp_load="${ban_tmpfile}.${feed}.load" + tmp_raw="${ban_tmpfile}.${feed}.raw" + tmp_split="${ban_tmpfile}.${feed}.split" + tmp_file="${ban_tmpfile}.${feed}.file" + tmp_flush="${ban_tmpfile}.${feed}.flush" + tmp_nft="${ban_tmpfile}.${feed}.nft" + + [ "${ban_loginput}" = "1" ] && nft_loginput="limit rate 2/second log level ${ban_loglevel} prefix \"banIP_drp/${feed}: \"" + [ "${ban_logforward}" = "1" ] && nft_logforward="limit rate 2/second log level ${ban_loglevel} prefix \"banIP_rej/${feed}: \"" + + # set source block direction + # + if printf "%s" "${ban_blockinput}" | "${ban_grepcmd}" -q "${feed%v*}"; then + feed_direction="input" + elif printf "%s" "${ban_blockforward}" | "${ban_grepcmd}" -q "${feed%v*}"; then + feed_direction="forward" + fi + + # chain/rule maintenance + # + if [ "${ban_action}" = "reload" ] && "${ban_nftcmd}" -t list set inet banIP "${feed}" >/dev/null 2>&1; then + input_handles="$("${ban_nftcmd}" -t --handle --numeric list chain inet banIP wan-input 2>/dev/null)" + forward_handles="$("${ban_nftcmd}" -t --handle --numeric list chain inet banIP lan-forward 2>/dev/null)" + { + printf "%s\n" "flush set inet banIP ${feed}" + handle="$(printf "%s\n" "${input_handles}" | "${ban_awkcmd}" "/@${feed} /{print \$NF}")" + [ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP wan-input handle ${handle}" + handle="$(printf "%s\n" "${forward_handles}" | "${ban_awkcmd}" "/@${feed} /{print \$NF}")" + [ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP lan-forward handle ${handle}" + } >"${tmp_flush}" + fi + + # restore local backups during init + # + if { [ "${ban_action}" != "reload" ] || [ "${feed_url}" = "local" ]; } && [ "${feed%v*}" != "allowlist" ] && [ "${feed%v*}" != "blocklist" ]; then + f_restore "${feed}" "${feed_url}" "${tmp_load}" + restore_rc="${?}" + feed_rc="${restore_rc}" + fi + + # handle local lists + # + if [ "${feed%v*}" = "allowlist" ]; then + { + printf "%s\n\n" "#!/usr/sbin/nft -f" + [ -s "${tmp_flush}" ] && cat "${tmp_flush}" + if [ "${proto}" = "MAC" ]; then + "${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s, ",tolower($1)}' "${ban_allowlist}" >"${tmp_file}" + printf "%s\n" "add set inet banIP ${feed} { type ether_addr; policy memory; $(f_getelements "${tmp_file}") }" + if [ "${feed_direction}" != "input" ]; then + printf "%s\n" "add rule inet banIP lan-forward ether saddr @${feed} counter accept" + fi + elif [ "${proto}" = "4" ]; then + "${ban_awkcmd}" '/^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{printf "%s, ",$1}' "${ban_allowlist}" >"${tmp_file}" + printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy memory; $(f_getelements "${tmp_file}") }" + if [ "${feed_direction}" != "forward" ]; then + if [ "${ban_allowlistonly}" = "1" ]; then + printf "%s\n" "add rule inet banIP wan-input ip saddr != @${feed} ${nft_loginput} counter drop" + else + printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} counter accept" + fi + fi + if [ "${feed_direction}" != "input" ]; then + if [ "${ban_allowlistonly}" = "1" ]; then + printf "%s\n" "add rule inet banIP lan-forward ip daddr != @${feed} ${nft_logforward} counter reject with icmp type admin-prohibited" + else + printf "%s\n" "add rule inet banIP lan-forward ip daddr @${feed} counter accept" + fi + fi + elif [ "${proto}" = "6" ]; then + "${ban_awkcmd}" '!/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s\n",$1}' "${ban_allowlist}" | + "${ban_awkcmd}" '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{printf "%s, ",tolower($1)}' >"${tmp_file}" + printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy memory; $(f_getelements "${tmp_file}") }" + if [ "${feed_direction}" != "forward" ]; then + if [ "${ban_allowlistonly}" = "1" ]; then + printf "%s\n" "add rule inet banIP wan-input ip6 saddr != @${feed} ${nft_loginput} counter drop" + else + printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} counter accept" + fi + fi + if [ "${feed_direction}" != "input" ]; then + if [ "${ban_allowlistonly}" = "1" ]; then + printf "%s\n" "add rule inet banIP lan-forward ip6 daddr != @${feed} ${nft_logforward} counter reject with icmpv6 type admin-prohibited" + else + printf "%s\n" "add rule inet banIP lan-forward ip6 daddr @${feed} counter accept" + fi + fi + fi + } >"${tmp_nft}" + feed_rc="${?}" + elif [ "${feed%v*}" = "blocklist" ]; then + { + printf "%s\n\n" "#!/usr/sbin/nft -f" + [ -s "${tmp_flush}" ] && cat "${tmp_flush}" + if [ "${proto}" = "MAC" ]; then + "${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s, ",tolower($1)}' "${ban_blocklist}" >"${tmp_file}" + printf "%s\n" "add set inet banIP ${feed} { type ether_addr; policy memory; $(f_getelements "${tmp_file}") }" + if [ "${feed_direction}" != "input" ]; then + printf "%s\n" "add rule inet banIP lan-forward ether saddr @${feed} ${nft_logforward} counter reject" + fi + elif [ "${proto}" = "4" ]; then + if [ "${ban_deduplicate}" = "1" ]; then + "${ban_awkcmd}" '/^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{printf "%s,\n",$1}' "${ban_blocklist}" >"${tmp_raw}" + "${ban_awkcmd}" 'NR==FNR{member[$0];next}!($0 in member)' "${ban_tmpfile}.deduplicate" "${tmp_raw}" 2>/dev/null >"${tmp_split}" + "${ban_awkcmd}" 'BEGIN{FS="[ ,]"}NR==FNR{member[$1];next}!($1 in member)' "${ban_tmpfile}.deduplicate" "${ban_blocklist}" 2>/dev/null >"${tmp_raw}" + cat "${tmp_raw}" 2>/dev/null >"${ban_blocklist}" + else + "${ban_awkcmd}" '/^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{printf "%s,\n",$1}' "${ban_blocklist}" >"${tmp_split}" + fi + "${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}" + printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval, timeout; auto-merge; policy memory; $(f_getelements "${tmp_file}") }" + if [ "${feed_direction}" != "forward" ]; then + printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} ${nft_loginput} counter drop" + fi + if [ "${feed_direction}" != "input" ]; then + printf "%s\n" "add rule inet banIP lan-forward ip daddr @${feed} ${nft_logforward} counter reject with icmp type admin-prohibited" + fi + elif [ "${proto}" = "6" ]; then + if [ "${ban_deduplicate}" = "1" ]; then + "${ban_awkcmd}" '!/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s\n",$1}' "${ban_blocklist}" | + "${ban_awkcmd}" '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{printf "%s,\n",tolower($1)}' >"${tmp_raw}" + "${ban_awkcmd}" 'NR==FNR{member[$0];next}!($0 in member)' "${ban_tmpfile}.deduplicate" "${tmp_raw}" 2>/dev/null >"${tmp_split}" + "${ban_awkcmd}" 'BEGIN{FS="[ ,]"}NR==FNR{member[$1];next}!($1 in member)' "${ban_tmpfile}.deduplicate" "${ban_blocklist}" 2>/dev/null >"${tmp_raw}" + cat "${tmp_raw}" 2>/dev/null >"${ban_blocklist}" + else + "${ban_awkcmd}" '!/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s\n",$1}' "${ban_blocklist}" | + "${ban_awkcmd}" '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{printf "%s,\n",tolower($1)}' >"${tmp_split}" + fi + "${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}" + printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval, timeout; auto-merge; policy memory; $(f_getelements "${tmp_file}") }" + if [ "${feed_direction}" != "forward" ]; then + printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} ${nft_loginput} counter drop" + fi + if [ "${feed_direction}" != "input" ]; then + printf "%s\n" "add rule inet banIP lan-forward ip6 daddr @${feed} ${nft_logforward} counter reject with icmpv6 type admin-prohibited" + fi + fi + } >"${tmp_nft}" + feed_rc="${?}" + # handle external downloads + # + elif [ "${restore_rc}" != "0" ] && [ "${feed_url}" != "local" ]; then + # handle country downloads + # + if [ "${feed%v*}" = "country" ]; then + for country in ${ban_country}; do + feed_log="$("${ban_fetchcmd}" ${ban_fetchparm} "${tmp_raw}" "${feed_url}${country}-aggregated.zone" 2>&1)" + feed_rc="${?}" + [ "${feed_rc}" = "0" ] && cat "${tmp_raw}" 2>/dev/null >>"${tmp_load}" + done + rm -f "${tmp_raw}" + + # handle asn downloads + # + elif [ "${feed%v*}" = "asn" ]; then + for asn in ${ban_asn}; do + feed_log="$("${ban_fetchcmd}" ${ban_fetchparm} "${tmp_raw}" "${feed_url}AS${asn}" 2>&1)" + feed_rc="${?}" + [ "${feed_rc}" = "0" ] && cat "${tmp_raw}" 2>/dev/null >>"${tmp_load}" + done + rm -f "${tmp_raw}" + + # handle compressed downloads + # + elif [ -n "${feed_flag}" ]; then + case "${feed_flag}" in + "gz") + feed_log="$("${ban_fetchcmd}" ${ban_fetchparm} "${tmp_raw}" "${feed_url}" 2>&1)" + feed_rc="${?}" + if [ "${feed_rc}" = "0" ]; then + zcat "${tmp_raw}" 2>/dev/null >"${tmp_load}" + feed_rc="${?}" + fi + rm -f "${tmp_raw}" + ;; + esac + + # handle normal downloads + # + else + feed_log="$("${ban_fetchcmd}" ${ban_fetchparm} "${tmp_load}" "${feed_url}" 2>&1)" + feed_rc="${?}" + fi + fi + + # backup/restore + # + if [ "${restore_rc}" != "0" ] && [ "${feed_rc}" = "0" ] && [ "${feed_url}" != "local" ] && [ ! -s "${tmp_nft}" ]; then + f_backup "${feed}" "${tmp_load}" + feed_rc="${?}" + elif [ -z "${restore_rc}" ] && [ "${feed_rc}" != "0" ] && [ "${feed_url}" != "local" ] && [ ! -s "${tmp_nft}" ]; then + f_restore "${feed}" "${feed_url}" "${tmp_load}" "${feed_rc}" + feed_rc="${?}" + fi + + # build nft file with set and rules for regular downloads + # + if [ "${feed_rc}" = "0" ] && [ ! -s "${tmp_nft}" ]; then + # deduplicate sets + # + if [ "${ban_deduplicate}" = "1" ] && [ "${feed_url}" != "local" ]; then + "${ban_awkcmd}" "${feed_rule}" "${tmp_load}" 2>/dev/null >"${tmp_raw}" + "${ban_awkcmd}" 'NR==FNR{member[$0];next}!($0 in member)' "${ban_tmpfile}.deduplicate" "${tmp_raw}" 2>/dev/null | tee -a "${ban_tmpfile}.deduplicate" >"${tmp_split}" + else + "${ban_awkcmd}" "${feed_rule}" "${tmp_load}" 2>/dev/null >"${tmp_split}" + fi + feed_rc="${?}" + # split sets + # + if [ "${feed_rc}" = "0" ]; then + if [ -n "${ban_splitsize//[![:digit]]/}" ] && [ "${ban_splitsize//[![:digit]]/}" -gt "0" ]; then + if ! "${ban_awkcmd}" "NR%${ban_splitsize//[![:digit]]/}==1{file=\"${tmp_file}.\"++i;}{ORS=\" \";print > file}" "${tmp_split}" 2>/dev/null; then + rm -f "${tmp_file}".* + f_log "info" "failed to split ${feed} set to size '${ban_splitsize//[![:digit]]/}'" + fi + else + "${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}.1" + fi + feed_rc="${?}" + fi + rm -f "${tmp_raw}" "${tmp_load}" + if [ "${feed_rc}" = "0" ] && [ "${proto}" = "4" ]; then + { + # nft header (IPv4 set) + # + printf "%s\n\n" "#!/usr/sbin/nft -f" + [ -s "${tmp_flush}" ] && cat "${tmp_flush}" + printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy memory; $(f_getelements "${tmp_file}.1") }" + + # input and forward rules + # + if [ "${feed_direction}" != "forward" ]; then + printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} ${nft_loginput} counter drop" + fi + if [ "${feed_direction}" != "input" ]; then + printf "%s\n" "add rule inet banIP lan-forward ip daddr @${feed} ${nft_logforward} counter reject with icmp type admin-prohibited" + fi + } >"${tmp_nft}" + elif [ "${feed_rc}" = "0" ] && [ "${proto}" = "6" ]; then + { + # nft header (IPv6 set) + # + printf "%s\n\n" "#!/usr/sbin/nft -f" + [ -s "${tmp_flush}" ] && cat "${tmp_flush}" + printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy memory; $(f_getelements "${tmp_file}.1") }" + + # input and forward rules + # + if [ "${feed_direction}" != "forward" ]; then + printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} ${nft_loginput} counter drop" + fi + if [ "${feed_direction}" != "input" ]; then + printf "%s\n" "add rule inet banIP lan-forward ip6 daddr @${feed} ${nft_logforward} counter reject with icmpv6 type admin-prohibited" + fi + } >"${tmp_nft}" + fi + fi + + # load generated nft file in banIP table + # + if [ "${feed_rc}" = "0" ]; then + cnt_dl="$("${ban_awkcmd}" 'END{printf "%d",NR}' "${tmp_split}" 2>/dev/null)" + if [ "${cnt_dl:-"0"}" -gt "0" ] || [ "${feed_url}" = "local" ] || [ "${feed%v*}" = "allowlist" ] || [ "${feed%v*}" = "blocklist" ]; then + feed_log="$("${ban_nftcmd}" -f "${tmp_nft}" 2>&1)" + feed_rc="${?}" + # load additional split files + # + if [ "${feed_rc}" = "0" ]; then + for split_file in "${tmp_file}".*; do + [ ! -f "${split_file}" ] && break + if [ "${split_file##*.}" = "1" ]; then + rm -f "${split_file}" + continue + fi + if ! "${ban_nftcmd}" add element inet banIP "${feed}" "{ $(cat "${split_file}") }" >/dev/null 2>&1; then + f_log "info" "failed to add split file '${split_file##*.}' to ${feed} set" + fi + rm -f "${split_file}" + done + cnt_set="$("${ban_nftcmd}" -j list set inet banIP "${feed}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)" + fi + else + f_log "info" "empty feed ${feed} will be skipped" + fi + fi + rm -f "${tmp_split}" "${tmp_nft}" + end_ts="$(date +%s)" + + f_log "debug" "f_down ::: name: ${feed}, cnt_dl: ${cnt_dl:-"-"}, cnt_set: ${cnt_set:-"-"}, split_size: ${ban_splitsize:-"-"}, time: $((end_ts - start_ts)), rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}" +} + +# backup feeds +# +f_backup() { + local backup_rc feed="${1}" feed_file="${2}" + + gzip -cf "${feed_file}" >"${ban_backupdir}/banIP.${feed}.gz" + backup_rc="${?}" + + f_log "debug" "f_backup ::: name: ${feed}, source: ${feed_file##*/}, target: banIP.${feed}.gz, rc: ${backup_rc}" + return ${backup_rc} +} + +# restore feeds +# +f_restore() { + local tmp_feed restore_rc="1" feed="${1}" feed_url="${2}" feed_file="${3}" feed_rc="${4:-"0"}" + + [ "${feed_rc}" != "0" ] && restore_rc="${feed_rc}" + [ "${feed_url}" = "local" ] && tmp_feed="${feed%v*}v4" || tmp_feed="${feed}" + if [ -f "${ban_backupdir}/banIP.${tmp_feed}.gz" ]; then + zcat "${ban_backupdir}/banIP.${tmp_feed}.gz" 2>/dev/null >"${feed_file}" + restore_rc="${?}" + fi + + f_log "debug" "f_restore ::: name: ${feed}, source: banIP.${tmp_feed}.gz, target: ${feed_file##*/}, in_rc: ${feed_rc}, rc: ${restore_rc}" + return ${restore_rc} +} + +# remove disabled feeds +# +f_rmset() { + local tmp_del table_sets input_handles forward_handles handle sets feed feed_log feed_rc + + tmp_del="${ban_tmpfile}.final.delete" + table_sets="$("${ban_nftcmd}" -t list table inet banIP 2>/dev/null | "${ban_awkcmd}" '/^[[:space:]]+set [[:alnum:]]+ /{printf "%s ",$2}' 2>/dev/null)" + input_handles="$("${ban_nftcmd}" -t --handle --numeric list chain inet banIP wan-input 2>/dev/null)" + forward_handles="$("${ban_nftcmd}" -t --handle --numeric list chain inet banIP lan-forward 2>/dev/null)" + { + printf "%s\n\n" "#!/usr/sbin/nft -f" + for feed in ${table_sets}; do + if ! printf "%s" "allowlist blocklist ${ban_feed}" | "${ban_grepcmd}" -q "${feed%v*}"; then + sets="${sets}${feed}/" + rm -f "${ban_backupdir}/banIP.${feed}.gz" + printf "%s\n" "flush set inet banIP ${feed}" + handle="$(printf "%s\n" "${input_handles}" | "${ban_awkcmd}" "/@${feed} /{print \$NF}" 2>/dev/null)" + [ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP wan-input handle ${handle}" + handle="$(printf "%s\n" "${forward_handles}" | "${ban_awkcmd}" "/@${feed} /{print \$NF}" 2>/dev/null)" + [ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP lan-forward handle ${handle}" + printf "%s\n\n" "delete set inet banIP ${feed}" + fi + done + } >"${tmp_del}" + + if [ -n "${sets}" ]; then + feed_log="$("${ban_nftcmd}" -f "${tmp_del}" 2>&1)" + feed_rc="${?}" + fi + rm -f "${tmp_del}" + + f_log "debug" "f_rmset ::: sets: ${sets:-"-"}, tmp: ${tmp_del}, rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}" +} + +# generate status information +# +f_genstatus() { + local object duration nft_table nft_feeds cnt_elements="0" split="0" status="${1}" + + [ -z "${ban_dev}" ] && f_conf + if [ "${status}" = "active" ]; then + if [ -n "${ban_starttime}" ]; then + ban_endtime="$(date "+%s")" + duration="$(((ban_endtime - ban_starttime) / 60))m $(((ban_endtime - ban_starttime) % 60))s" + fi + nft_table="$("${ban_nftcmd}" -t list table inet banIP 2>/dev/null)" + nft_feeds="$(f_trim "$(printf "%s\n" "${nft_table}" | "${ban_awkcmd}" '/^[[:space:]]+set [[:alnum:]]+ /{printf "%s ",$2}')")" + for object in ${nft_feeds}; do + cnt_elements="$((cnt_elements + $("${ban_nftcmd}" -j list set inet banIP "${object}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)))" + done + runtime="action: ${ban_action:-"-"}, duration: ${duration:-"-"}, date: $(date "+%Y-%m-%d %H:%M:%S")" + fi + f_system + [ ${ban_splitsize:-"0"} -gt "0" ] && split="1" + + : >"${ban_basedir}/ban_runtime.json" + json_init + json_load_file "${ban_basedir}/ban_runtime.json" >/dev/null 2>&1 + json_add_string "status" "${status}" + json_add_string "version" "${ban_ver}" + json_add_string "element_count" "${cnt_elements}" + json_add_array "active_feeds" + if [ "${status}" != "active" ]; then + json_add_object + json_add_string "feed" "-" + json_close_object + else + for object in ${nft_feeds}; do + json_add_object + json_add_string "feed" "${object}" + json_close_object + done + fi + json_close_array + json_add_array "active_devices" + if [ "${status}" != "active" ]; then + json_add_object + json_add_string "device" "-" + json_close_object + else + for object in ${ban_dev}; do + json_add_object + json_add_string "device" "${object}" + json_close_object + done + fi + json_close_array + json_add_array "active_interfaces" + if [ "${status}" != "active" ]; then + json_add_object + json_add_string "interface" "-" + json_close_object + else + for object in ${ban_ifv4} ${ban_ifv6}; do + json_add_object + json_add_string "interface" "${object}" + json_close_object + done + fi + json_close_array + json_add_array "active_subnets" + if [ "${status}" != "active" ]; then + json_add_object + json_add_string "subnet" "-" + json_close_object + else + for object in ${ban_sub}; do + json_add_object + json_add_string "subnet" "${object}" + json_close_object + done + fi + json_close_array + json_add_string "run_info" "base_dir: ${ban_basedir}, backup_dir: ${ban_backupdir}, report_dir: ${ban_reportdir}, feed_archive: ${ban_feedarchive}" + json_add_string "run_flags" "protocol (4/6): $(f_char ${ban_protov4})/$(f_char ${ban_protov6}), log (inp/fwd): $(f_char ${ban_loginput})/$(f_char ${ban_logforward}), deduplicate: $(f_char ${ban_deduplicate}), split: $(f_char ${split}), allowed only: $(f_char ${ban_allowlistonly})" + json_add_string "last_run" "${runtime:-"-"}" + json_add_string "system_info" "cores: ${ban_cores}, memory: ${ban_memory}, device: ${ban_sysver}" + json_dump >"${ban_basedir}/ban_runtime.json" +} + +# get status information +# +f_getstatus() { + local key keylist type value index_value + + [ -z "${ban_dev}" ] && f_conf + json_load_file "${ban_basedir}/ban_runtime.json" >/dev/null 2>&1 + if json_get_keys keylist; then + printf "%s\n" "::: banIP runtime information" + for key in ${keylist}; do + json_get_var value "${key}" >/dev/null 2>&1 + if [ "${key%_*}" = "active" ]; then + json_select "${key}" >/dev/null 2>&1 + index=1 + while json_get_type type "${index}" && [ "${type}" = "object" ]; do + json_get_values index_value "${index}" >/dev/null 2>&1 + if [ "${index}" = "1" ]; then + value="${index_value}" + else + value="${value}, ${index_value}" + fi + index=$((index + 1)) + done + json_select ".." + fi + value="$( + printf "%s" "${value}" | + awk '{NR=1;max=98;if(length($0)>max+1)while($0){if(NR==1){print substr($0,1,max)}else{printf"%-24s%s\n","",substr($0,1,max)}{$0=substr($0,max+1);NR=NR+1}}else print}' + )" + printf " + %-17s : %s\n" "${key}" "${value:-"-"}" + done + else + printf "%s\n" "::: no banIP runtime information available" + fi +} + +# domain lookup +# +f_lookup() { + local cnt list domain lookup ip start_time end_time duration cnt_domain="0" cnt_ip="0" feed="${1}" + + start_time="$(date "+%s")" + if [ "${feed}" = "allowlist" ]; then + list="$("${ban_awkcmd}" '/^([[:alnum:]_-]{1,63}\.)+[[:alpha:]]+([[:space:]]|$)/{printf "%s ",tolower($1)}' "${ban_allowlist}" 2>/dev/null)" + elif [ "${feed}" = "blocklist" ]; then + list="$("${ban_awkcmd}" '/^([[:alnum:]_-]{1,63}\.)+[[:alpha:]]+([[:space:]]|$)/{printf "%s ",tolower($1)}' "${ban_blocklist}" 2>/dev/null)" + fi + + for domain in ${list}; do + lookup="$("${ban_lookupcmd}" "${domain}" ${ban_resolver} 2>/dev/null | "${ban_awkcmd}" '/^Address[ 0-9]*: /{if(!seen[$NF]++)printf "%s ",$NF}' 2>/dev/null)" + for ip in ${lookup}; do + if [ "${ip%%.*}" = "0" ] || [ -z "${ip%%::*}" ]; then + continue + else + if { [ "${feed}" = "allowlist" ] && ! "${ban_grepcmd}" -q "^${ip}" "${ban_allowlist}"; } || + { [ "${feed}" = "blocklist" ] && ! "${ban_grepcmd}" -q "^${ip}" "${ban_blocklist}"; }; then + cnt_ip="$((cnt_ip + 1))" + if [ "${ip##*:}" = "${ip}" ]; then + if ! "${ban_nftcmd}" add element inet banIP "${feed}v4" "{ ${ip} }" >/dev/null 2>&1; then + f_log "info" "failed to add IP '${ip}' (${domain}) to ${feed}v4 set" + continue + fi + else + if ! "${ban_nftcmd}" add element inet banIP "${feed}v6" "{ ${ip} }" >/dev/null 2>&1; then + f_log "info" "failed to add IP '${ip}' (${domain}) to ${feed}v6 set" + continue + fi + fi + if [ "${feed}" = "allowlist" ] && [ "${ban_autoallowlist}" = "1" ]; then + printf "%-42s%s\n" "${ip}" "# ip of '${domain}' added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_allowlist}" + elif [ "${feed}" = "blocklist" ] && [ "${ban_autoblocklist}" = "1" ]; then + printf "%-42s%s\n" "${ip}" "# ip of '${domain}' added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_blocklist}" + fi + fi + fi + done + cnt_domain="$((cnt_domain + 1))" + done + end_time="$(date "+%s")" + duration="$(((end_time - start_time) / 60))m $(((end_time - start_time) % 60))s" + + f_log "debug" "f_lookup ::: name: ${feed}, cnt_domain: ${cnt_domain}, cnt_ip: ${cnt_ip}, duration: ${duration}" +} + +# banIP table statistics +# +f_report() { + local report_jsn report_txt set nft_raw nft_sets set_cnt set_input set_forward set_cntinput set_cntforward output="${1}" + local detail set_details jsnval timestamp autoadd_allow autoadd_block sum_sets sum_setinput sum_setforward sum_setelements sum_cntinput sum_cntforward + + [ -z "${ban_dev}" ] && f_conf + f_mkdir "${ban_reportdir}" + report_jsn="${ban_reportdir}/ban_report.jsn" + report_txt="${ban_reportdir}/ban_report.txt" + + # json output preparation + # + nft_raw="$("${ban_nftcmd}" -tj list table inet banIP 2>/dev/null)" + nft_sets="$(printf "%s" "${nft_raw}" | jsonfilter -qe '@.nftables[*].set.name')" + sum_sets="0" + sum_setinput="0" + sum_setforward="0" + sum_setelements="0" + sum_cntinput="0" + sum_cntforward="0" + timestamp="$(date "+%Y-%m-%d %H:%M:%S")" + : >"${report_jsn}" + { + printf "%s\n" "{" + printf "\t%s\n" '"sets": {' + for set in ${nft_sets}; do + set_cnt="$("${ban_nftcmd}" -j list set inet banIP "${set}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)" + sum_setelements="$((sum_setelements + set_cnt))" + set_cntinput="$(printf "%s" "${nft_raw}" | jsonfilter -qe "@.nftables[@.rule.chain=\"wan-input\"][@.expr[*].match.right=\"@${set}\"].expr[*].counter.packets")" + set_cntforward="$(printf "%s" "${nft_raw}" | jsonfilter -qe "@.nftables[@.rule.chain=\"lan-forward\"][@.expr[*].match.right=\"@${set}\"].expr[*].counter.packets")" + if [ -n "${set_cntinput}" ]; then + set_input="OK" + sum_setinput="$((sum_setinput + 1))" + sum_cntinput="$((sum_cntinput + set_cntinput))" + else + set_input="n/a" + set_cntinput="n/a" + fi + if [ -n "${set_cntforward}" ]; then + set_forward="OK" + sum_setforward="$((sum_setforward + 1))" + sum_cntforward="$((sum_cntforward + set_cntforward))" + else + set_forward="n/a" + set_cntforward="n/a" + fi + [ "${sum_sets}" -gt "0" ] && printf "%s\n" "," + printf "\t\t%s\n" "\"${set}\": {" + printf "\t\t\t%s\n" "\"cnt_elements\": \"${set_cnt}\"," + printf "\t\t\t%s\n" "\"input\": \"${set_input}\"," + printf "\t\t\t%s\n" "\"forward\": \"${set_forward}\"," + printf "\t\t\t%s\n" "\"cnt_input\": \"${set_cntinput}\"," + printf "\t\t\t%s\n" "\"cnt_forward\": \"${set_cntforward}\"" + printf "\t\t%s" "}" + sum_sets="$((sum_sets + 1))" + done + printf "\n\t%s\n" "}," + printf "\t%s\n" "\"timestamp\": \"${timestamp}\"," + printf "\t%s\n" "\"autoadd_allow\": \"$("${ban_grepcmd}" -c "added on ${timestamp% *}" "${ban_allowlist}")\"," + printf "\t%s\n" "\"autoadd_block\": \"$("${ban_grepcmd}" -c "added on ${timestamp% *}" "${ban_blocklist}")\"," + printf "\t%s\n" "\"sum_sets\": \"${sum_sets}\"," + printf "\t%s\n" "\"sum_setinput\": \"${sum_setinput}\"," + printf "\t%s\n" "\"sum_setforward\": \"${sum_setforward}\"," + printf "\t%s\n" "\"sum_setelements\": \"${sum_setelements}\"," + printf "\t%s\n" "\"sum_cntinput\": \"${sum_cntinput}\"," + printf "\t%s\n" "\"sum_cntforward\": \"${sum_cntforward}\"" + printf "%s\n" "}" + } >>"${report_jsn}" + + # text output preparation + # + if [ "${output}" != "json" ] && [ -s "${report_jsn}" ]; then + : >"${report_txt}" + json_init + if json_load_file "${report_jsn}" >/dev/null 2>&1; then + json_get_var timestamp "timestamp" >/dev/null 2>&1 + json_get_var autoadd_allow "autoadd_allow" >/dev/null 2>&1 + json_get_var autoadd_block "autoadd_block" >/dev/null 2>&1 + json_get_var sum_sets "sum_sets" >/dev/null 2>&1 + json_get_var sum_setinput "sum_setinput" >/dev/null 2>&1 + json_get_var sum_setforward "sum_setforward" >/dev/null 2>&1 + json_get_var sum_setelements "sum_setelements" >/dev/null 2>&1 + json_get_var sum_cntinput "sum_cntinput" >/dev/null 2>&1 + json_get_var sum_cntforward "sum_cntforward" >/dev/null 2>&1 + { + printf "%s\n%s\n%s\n" ":::" "::: banIP Set Statistics" ":::" + printf "%s\n" " Timestamp: ${timestamp}" + printf "%s\n" " ------------------------------" + printf "%s\n" " auto-added to allowlist: ${autoadd_allow}" + printf "%s\n\n" " auto-added to blocklist: ${autoadd_block}" + json_select "sets" >/dev/null 2>&1 + json_get_keys nft_sets >/dev/null 2>&1 + if [ -n "${nft_sets}" ]; then + printf "%-25s%-16s%-16s%-16s%-16s%s\n" " Set" "| Set Elements" "| Chain Input" "| Chain Forward" "| Input Packets" "| Forward Packets" + printf "%s\n" " ---------------------+---------------+---------------+---------------+---------------+----------------" + for set in ${nft_sets}; do + printf " %-21s" "${set}" + json_select "${set}" + json_get_keys set_details + for detail in ${set_details}; do + json_get_var jsnval "${detail}" >/dev/null 2>&1 + printf "%-16s" "| ${jsnval}" + done + printf "\n" + json_select ".." + done + printf "%s\n" " ---------------------+---------------+---------------+---------------+---------------+----------------" + printf "%-25s%-16s%-16s%-16s%-16s%s\n" " ${sum_sets}" "| ${sum_setelements}" "| ${sum_setinput}" "| ${sum_setforward}" "| ${sum_cntinput}" "| ${sum_cntforward}" + fi + } >>"${report_txt}" + fi + fi + + # output channel (text|json|mail) + # + case "${output}" in + "text") + [ -s "${report_txt}" ] && cat "${report_txt}" + ;; + "json") + [ -s "${report_jsn}" ] && cat "${report_jsn}" + ;; + "mail") + [ -x "${ban_mailcmd}" ] && f_mail + ;; + esac +} + +# banIP set search +# +f_search() { + local nft_sets ip proto run_search search="${1}" + + f_system + run_search="/var/run/banIP.search" + + if [ -n "${search}" ]; then + ip="$(printf "%s" "${search}" | "${ban_awkcmd}" 'BEGIN{RS="(([0-9]{1,3}\\.){3}[0-9]{1,3})+"}{printf "%s",RT}')" + [ -n "${ip}" ] && proto="v4" + if [ -z "${proto}" ]; then + ip="$(printf "%s" "${search}" | "${ban_awkcmd}" 'BEGIN{RS="([A-Fa-f0-9]{1,4}::?){3,7}[A-Fa-f0-9]{1,4}"}{printf "%s",RT}')" + [ -n "${ip}" ] && proto="v6" + fi + if [ -n "${proto}" ]; then + nft_sets="$("${ban_nftcmd}" -tj list table inet banIP 2>/dev/null | jsonfilter -qe "@.nftables[@.set.type=\"ip${proto}_addr\"].set.name")" + else + printf "%s\n%s\n%s\n" ":::" "::: no valid search input (single IPv4/IPv6 address)" ":::" + return + fi + else + printf "%s\n%s\n%s\n" ":::" "::: no valid search input (single IPv4/IPv6 address)" ":::" + return + fi + printf "%s\n%s\n%s\n" ":::" "::: banIP Search" ":::" + printf "%s\n" " Looking for IP ${ip} on $(date "+%Y-%m-%d %H:%M:%S")" + printf "%s\n" " ---" + cnt=1 + for set in ${nft_sets}; do + ( + if "${ban_nftcmd}" get element inet banIP "${set}" "{ ${ip} }" >/dev/null 2>&1; then + printf "%s\n" " IP found in set ${set}" + : >"${run_search}" + fi + ) & + hold="$((cnt % ban_cores))" + [ "${hold}" = "0" ] && wait + cnt="$((cnt + 1))" + done + wait + [ ! -f "${run_search}" ] && printf "%s\n" " IP not found" + rm -f "${run_search}" +} + +# send status mails +# +f_mail() { + local msmtp_debug + + # load mail template + # + [ ! -r "${ban_mailtemplate}" ] && f_log "err" "the mail template is missing" + . "${ban_mailtemplate}" + + [ -z "${ban_mailreceiver}" ] && f_log "err" "the option 'ban_mailreceiver' is missing" + [ -z "${mail_text}" ] && f_log "err" "the 'mail_text' is empty" + [ "${ban_debug}" = "1" ] && msmtp_debug="--debug" + + # send mail + # + ban_mailhead="From: ${ban_mailsender}\nTo: ${ban_mailreceiver}\nSubject: ${ban_mailtopic}\nReply-to: ${ban_mailsender}\nMime-Version: 1.0\nContent-Type: text/html;charset=utf-8\nContent-Disposition: inline\n\n" + if printf "%b" "${ban_mailhead}${mail_text}" | "${ban_mailcmd}" --timeout=10 ${msmtp_debug} -a "${ban_mailprofile}" "${ban_mailreceiver}" >/dev/null 2>&1; then + f_log "info" "status mail was sent successfully" + else + f_log "info" "failed to send status mail (${?})" + fi + + f_log "debug" "f_mail ::: template: ${ban_mailtemplate}, profile: ${ban_mailprofile}, receiver: ${ban_mailreceiver}, rc: ${?}" +} + +# check banIP availability and initial sourcing +# +if [ "${ban_action}" != "stop" ]; then + if [ -r "/lib/functions.sh" ] && [ -r "/lib/functions/network.sh" ] && [ -r "/usr/share/libubox/jshn.sh" ]; then + . "/lib/functions.sh" + . "/lib/functions/network.sh" + . "/usr/share/libubox/jshn.sh" + else + f_log "err" "system libraries not found" + fi + [ ! -d "/etc/banip" ] && f_log "err" "banIP config directory not found, please re-install the package" + [ ! -r "/etc/config/banip" ] && f_log "err" "banIP config not found, please re-install the package" + [ ! -r "/etc/banip/banip.feeds.gz" ] || ! zcat "$(uci_get banip global ban_feedarchive "/etc/banip/banip.feeds.gz")" >"$(uci_get banip global ban_basedir "/tmp")/ban_feeds.json" && f_log "err" "banIP feed archive not found, please re-install the package" + [ "$(uci_get banip global ban_enabled)" = "0" ] && f_log "err" "banIP is currently disabled, please set the config option 'ban_enabled' to '1' to use this service" +fi diff --git a/net/banip/files/banip-service.sh b/net/banip/files/banip-service.sh new file mode 100755 index 000000000..29a0436c9 --- /dev/null +++ b/net/banip/files/banip-service.sh @@ -0,0 +1,193 @@ +#!/bin/sh +# banIP main service script - ban incoming and outgoing ip adresses/subnets via sets in nftables +# Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org) +# This is free software, licensed under the GNU General Public License v3. + +# (s)hellcheck exceptions +# shellcheck disable=all + +ban_action="${1}" +ban_starttime="$(date "+%s")" +ban_funlib="/usr/lib/banip-functions.sh" +[ -z "$(command -v "f_system")" ] && . "${ban_funlib}" + +# load config and set banIP environment +# +f_conf +f_log "info" "start banIP processing (${ban_action})" +f_genstatus "processing" +f_tmp +f_fetch +f_getif +f_getdev +f_getsub +f_mkdir "${ban_backupdir}" +f_mkfile "${ban_blocklist}" +f_mkfile "${ban_allowlist}" + +# firewall check +# +if [ "${ban_action}" != "reload" ]; then + if [ -x "${ban_fw4cmd}" ]; then + cnt=0 + while [ "${cnt}" -lt "10" ] && ! /etc/init.d/firewall status | grep -q "^active"; do + cnt="$((cnt + 1))" + sleep 1 + done + if ! /etc/init.d/firewall status | grep -q "^active"; then + f_log "err" "nft based firewall/fw4 not functional" + fi + else + f_log "err" "nft based firewall/fw4 not found" + fi +fi + +# init nft namespace +# +if [ "${ban_action}" != "reload" ] || ! "${ban_nftcmd}" -t list table inet banIP >/dev/null 2>&1; then + if f_nftinit "${ban_tmpfile}".init.nft; then + f_log "info" "nft namespace initialized" + else + f_log "err" "nft namespace can't be initialized" + fi +fi + +# handle downloads +# +f_log "info" "start banIP download processes" +if [ "${ban_allowlistonly}" = "1" ]; then + ban_feed="" +else + json_init + if ! json_load_file "${ban_basedir}/ban_feeds.json" >/dev/null 2>&1; then + f_log "err" "banIP feed file can't be loaded" + fi + [ "${ban_deduplicate}" = "1" ] && printf "\n" >"${ban_tmpfile}.deduplicate" +fi + +cnt="1" +for feed in allowlist ${ban_feed} blocklist; do + # local feeds + # + if [ "${feed}" = "allowlist" ] || [ "${feed}" = "blocklist" ]; then + for proto in MAC 4 6; do + [ "${feed}" = "blocklist" ] && wait + (f_down "${feed}" "${proto}") & + [ "${feed}" = "blocklist" ] || { [ "${feed}" = "allowlist" ] && [ "${proto}" = "MAC" ]; } && wait + hold="$((cnt % ban_cores))" + [ "${hold}" = "0" ] && wait + cnt="$((cnt + 1))" + done + wait + continue + fi + + # read external feed information + # + if ! json_select "${feed}" >/dev/null 2>&1; then + continue + fi + json_objects="url_4 rule_4 url_6 rule_6 flag" + for object in ${json_objects}; do + eval json_get_var feed_"${object}" '${object}' >/dev/null 2>&1 + done + json_select .. + # handle IPv4/IPv6 feeds with the same/single download URL + # + if [ "${feed_url_4}" = "${feed_url_6}" ]; then + if [ "${ban_protov4}" = "1" ] && [ -n "${feed_url_4}" ] && [ -n "${feed_rule_4}" ]; then + (f_down "${feed}" "4" "${feed_url_4}" "${feed_rule_4}" "${feed_flag}") & + feed_url_6="local" + wait + fi + if [ "${ban_protov6}" = "1" ] && [ -n "${feed_url_6}" ] && [ -n "${feed_rule_6}" ]; then + (f_down "${feed}" "6" "${feed_url_6}" "${feed_rule_6}" "${feed_flag}") & + hold="$((cnt % ban_cores))" + [ "${hold}" = "0" ] && wait + cnt="$((cnt + 1))" + fi + continue + fi + # handle IPv4/IPv6 feeds with separated download URLs + # + if [ "${ban_protov4}" = "1" ] && [ -n "${feed_url_4}" ] && [ -n "${feed_rule_4}" ]; then + (f_down "${feed}" "4" "${feed_url_4}" "${feed_rule_4}" "${feed_flag}") & + hold="$((cnt % ban_cores))" + [ "${hold}" = "0" ] && wait + cnt="$((cnt + 1))" + fi + if [ "${ban_protov6}" = "1" ] && [ -n "${feed_url_6}" ] && [ -n "${feed_rule_6}" ]; then + (f_down "${feed}" "6" "${feed_url_6}" "${feed_rule_6}" "${feed_flag}") & + hold="$((cnt % ban_cores))" + [ "${hold}" = "0" ] && wait + cnt="$((cnt + 1))" + fi +done +wait + +# start domain lookup +# +f_log "info" "start detached banIP domain lookup" +(f_lookup "allowlist") & +hold="$((cnt % ban_cores))" +[ "${hold}" = "0" ] && wait +(f_lookup "blocklist") & + +# tidy up +# +f_rmset +f_rmdir "${ban_tmpdir}" +f_genstatus "active" +f_log "info" "finished banIP download processes" +rm -rf "${ban_lock}" + +# start log service +# +if [ -x "${ban_logreadcmd}" ] && [ -n "${ban_logterm%%??}" ]; then + f_log "info" "start detached banIP log service" + + nft_expiry="$(printf "%s" "${ban_nftexpiry}" | grep -oE "([0-9]+[h|m|s]$)")" + [ -n "${nft_expiry}" ] && nft_expiry="timeout ${nft_expiry}" + + # read log continuously with given logterms + # + "${ban_logreadcmd}" -fe "${ban_logterm%%??}" 2>/dev/null | + while read -r line; do + # IPv4 log parsing + # + ip="$(printf "%s" "${line}" | "${ban_awkcmd}" 'BEGIN{RS="(([0-9]{1,3}\\.){3}[0-9]{1,3})+"}{if(!seen[RT]++)printf "%s ",RT}')" + ip="$(f_trim "${ip}")" + ip="${ip##* }" + [ -n "${ip}" ] && proto="v4" + if [ -z "${proto}" ]; then + # IPv6 log parsing + # + ip="$(printf "%s" "${line}" | "${ban_awkcmd}" 'BEGIN{RS="([A-Fa-f0-9]{1,4}::?){3,7}[A-Fa-f0-9]{1,4}"}{if(!seen[RT]++)printf "%s ",RT}')" + ip="$(f_trim "${ip}")" + ip="${ip##* }" + [ -n "${ip}" ] && proto="v6" + fi + if [ -n "${proto}" ] && ! "${ban_nftcmd}" get element inet banIP blocklist"${proto}" "{ ${ip} }" >/dev/null 2>&1; then + f_log "info" "suspicious IP found '${ip}'" + log_raw="$("${ban_logreadcmd}" -l "${ban_loglimit}" 2>/dev/null)" + log_count="$(printf "%s\n" "${log_raw}" | grep -c "found '${ip}'")" + if [ "${log_count}" -ge "${ban_logcount}" ]; then + if "${ban_nftcmd}" add element inet banIP "blocklist${proto}" "{ ${ip} ${nft_expiry} }" >/dev/null 2>&1; then + f_log "info" "added IP '${ip}' (${nft_expiry:-"-"}) to blocklist${proto} set" + if [ "${ban_autoblocklist}" = "1" ] && ! grep -q "^${ip}" "${ban_blocklist}"; then + printf "%-42s%s\n" "${ip}" "# added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_blocklist}" + f_log "info" "added IP '${ip}' to local blocklist" + fi + fi + fi + fi + done + +# start no-op service loop +# +else + f_log "info" "start detached no-op banIP service (logterms are missing)" + while :; do + sleep 1 + done +fi diff --git a/net/banip/files/banip.blacklist b/net/banip/files/banip.allowlist similarity index 100% rename from net/banip/files/banip.blacklist rename to net/banip/files/banip.allowlist diff --git a/net/banip/files/banip.maclist b/net/banip/files/banip.blocklist similarity index 100% rename from net/banip/files/banip.maclist rename to net/banip/files/banip.blocklist diff --git a/net/banip/files/banip.conf b/net/banip/files/banip.conf index faae50538..ce0a9cac1 100644 --- a/net/banip/files/banip.conf +++ b/net/banip/files/banip.conf @@ -1,16 +1,9 @@ config banip 'global' option ban_enabled '0' option ban_debug '0' - option ban_mail_enabled '0' - option ban_monitor_enabled '0' - option ban_logsrc_enabled '0' - option ban_logdst_enabled '0' option ban_autodetect '1' - option ban_autoblacklist '1' - option ban_autowhitelist '1' - option ban_nice '0' - option ban_maxqueue '4' - option ban_global_settype 'src+dst' - option ban_target_src 'DROP' - option ban_target_dst 'REJECT' - option ban_loglimit '100' + list ban_logterm 'Exit before auth from' + list ban_logterm 'luci: failed login' + list ban_logterm 'error: maximum authentication attempts exceeded' + list ban_logterm 'sshd.*Connection closed by.*\[preauth\]' + list ban_logterm 'SecurityEvent=\"ChallengeResponseFailed\".*RemoteAddress=' diff --git a/net/banip/files/banip.dns b/net/banip/files/banip.dns deleted file mode 100755 index ab3365056..000000000 --- a/net/banip/files/banip.dns +++ /dev/null @@ -1,64 +0,0 @@ -#!/bin/sh -# helper script to resolve domains for adding to banIP-related IPSets -# Copyright (c) 2020-2021 Dirk Brenken (dev@brenken.org) -# This is free software, licensed under the GNU General Public License v3. - -# (s)hellcheck exceptions -# shellcheck disable=1091,3040 - -export LC_ALL=C -export PATH="/usr/sbin:/usr/bin:/sbin:/bin" -set -o pipefail - -. "/lib/functions.sh" - -ban_src_name="${1}" -ban_src_file="${2}" -ban_tmpbase="$(uci_get banip global ban_tmpbase "/tmp")" -ban_backupdir="$(uci_get banip global ban_backupdir "${ban_tmpbase}/banIP-Backup")" -ban_proto4_enabled="$(uci_get banip global ban_proto4_enabled "0")" -ban_proto6_enabled="$(uci_get banip global ban_proto6_enabled "0")" -ban_ipset_cmd="$(command -v ipset)" -ban_lookup_cmd="$(command -v nslookup)" -ban_logger_cmd="$(command -v logger)" -ban_cnt_err="0" -ban_message="" - -rm -f "${ban_backupdir}/banIP.${ban_src_name}_addon_4" "${ban_backupdir}/banIP.${ban_src_name}_addon_6" -while read -r domain; do - result="$( - "${ban_lookup_cmd}" "${domain}" 2>/dev/null - printf "%s" "${?}" - )" - if [ "$(printf "%s" "${result}" | tail -1)" = "0" ]; then - ips="$(printf "%s" "${result}" | awk '/^Address[ 0-9]*: /{ORS=" ";print $NF}')" - for ip in ${ips}; do - for proto in "4" "6"; do - if { [ "${proto}" = "4" ] && [ "${ban_proto4_enabled}" = "1" ] && [ -n "$("${ban_ipset_cmd}" -q -n list "${ban_src_name}_${proto}")" ] && - [ -n "$(printf "%s" "${ip}" | awk '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print $1}')" ]; } || - { [ "${proto}" = "6" ] && [ "${ban_proto6_enabled}" = "1" ] && [ -n "$("${ban_ipset_cmd}" -q -n list "${ban_src_name}_${proto}")" ] && - [ -n "$(printf "%s" "${ip}" | awk '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{print $1}')" ]; }; then - printf "%s\n" "add ${ban_src_name}_${proto} ${ip}" >>"${ban_backupdir}/banIP.${ban_src_name}_addon_${proto}" - fi - done - done - [ -n "${ips}" ] && "${ban_logger_cmd}" -p "debug" -t "banIP-resolve [${$}]" "added IPs of '${domain}' to ${ban_src_name} (${ips})" 2>/dev/null - else - ban_cnt_err=$((ban_cnt_err + 1)) - fi -done <"${ban_src_file}" - -for proto in "4" "6"; do - if { { [ "${proto}" = "4" ] && [ "${ban_proto4_enabled}" = "1" ]; } || { [ "${proto}" = "6" ] && [ "${ban_proto6_enabled}" = "1" ]; }; } && - [ ! -s "${ban_backupdir}/banIP.${ban_src_name}_addon_${proto}" ] && [ -s "${ban_backupdir}/banIP.${ban_src_name}_addon_${proto}.gz" ]; then - gzip -df "${ban_backupdir}/banIP.${ban_src_name}_addon_${proto}.gz" 2>/dev/null - "${ban_ipset_cmd}" -q -! restore <"${ban_backupdir}/banIP.${ban_src_name}_addon_${proto}" - ban_message="backup used" - elif [ -n "$("${ban_ipset_cmd}" -q -n list "${ban_src_name}_${proto}")" ] && [ -s "${ban_backupdir}/banIP.${ban_src_name}_addon_${proto}" ]; then - "${ban_ipset_cmd}" -q -! restore <"${ban_backupdir}/banIP.${ban_src_name}_addon_${proto}" - ban_message="${ban_cnt_err} lookup errors" - fi - gzip -f "${ban_backupdir}/banIP.${ban_src_name}_addon_${proto}" 2>/dev/null -done -"${ban_logger_cmd}" -p "info" -t "banIP-resolve [${$}]" "${ban_src_name} domain import has been finished (${ban_message:-"-"})" 2>/dev/null -rm -f "${ban_src_file}" diff --git a/net/banip/files/banip.feeds b/net/banip/files/banip.feeds new file mode 100644 index 000000000..8add8ebe9 --- /dev/null +++ b/net/banip/files/banip.feeds @@ -0,0 +1,295 @@ +{ + "adaway": { + "url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/adaway-ipv4.txt", + "url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/adaway-ipv6.txt", + "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", + "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", + "focus": "adaway IPs", + "descurl": "https://github.com/dibdot/banIP-IP-blocklists" + }, + "adguard": { + "url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/adguard-ipv4.txt", + "url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/adguard-ipv6.txt", + "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", + "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", + "focus": "adguard IPs", + "descurl": "https://github.com/dibdot/banIP-IP-blocklists" + }, + "adguardtrackers": { + "url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/adguardtrackers-ipv4.txt", + "url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/adguardtrackers-ipv6.txt", + "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", + "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", + "focus": "adguardtracker IPs", + "descurl": "https://github.com/dibdot/banIP-IP-blocklists" + }, + "antipopads": { + "url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/antipopads-ipv4.txt", + "url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/antipopads-ipv6.txt", + "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", + "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", + "focus": "antipopads IPs", + "descurl": "https://github.com/dibdot/banIP-IP-blocklists" + }, + "asn": { + "url_4": "https://asn.ipinfo.app/api/text/list/", + "url_6": "https://asn.ipinfo.app/api/text/list/", + "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", + "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}", + "focus": "ASN IPs", + "descurl": "https://asn.ipinfo.app" + }, + "backscatterer": { + "url_4": "http://wget-mirrors.uceprotect.net/rbldnsd-all/ips.backscatterer.org.gz", + "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", + "focus": "backscatterer IPs", + "descurl": "https://www.uceprotect.net/en/index.php", + "flag": "gz" + }, + "bogon": { + "url_4": "https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt", + "url_6": "https://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt", + "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", + "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}", + "focus": "bogon prefixes", + "descurl": "https://team-cymru.com" + }, + "cinsscore": { + "url_4": "https://cinsscore.com/list/ci-badguys.txt", + "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", + "focus": "suspicious attacker IPs", + "descurl": "https://cinsscore.com/#list" + }, + "country": { + "url_4": "https://www.ipdeny.com/ipblocks/data/aggregated/", + "url_6": "https://www.ipdeny.com/ipv6/ipaddresses/aggregated/", + "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", + "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}", + "focus": "country blocks", + "descurl": "http://www.ipdeny.com/ipblocks" + }, + "darklist": { + "url_4": "https://darklist.de/raw.php", + "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", + "focus": "suspicious attacker IPs", + "descurl": "https://darklist.de" + }, + "debl": { + "url_4": "https://www.blocklist.de/downloads/export-ips_all.txt", + "url_6": "https://www.blocklist.de/downloads/export-ips_all.txt", + "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", + "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}", + "focus": "fail2ban IP blacklist", + "descurl": "https://www.blocklist.de" + }, + "doh": { + "url_4": "https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv4.txt", + "url_6": "https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv6.txt", + "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", + "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", + "focus": "public DoH-Provider", + "descurl": "https://github.com/dibdot/DoH-IP-blocklists" + }, + "drop": { + "url_4": "https://www.spamhaus.org/drop/drop.txt", + "url_6": "https://www.spamhaus.org/drop/dropv6.txt", + "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", + "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", + "focus": "spamhaus drop compilation", + "descurl": "https://www.spamhaus.org" + }, + "dshield": { + "url_4": "https://feeds.dshield.org/block.txt", + "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s/%s,\\n\",$1,$3}", + "focus": "dshield IP blocklist", + "descurl": "https://www.dshield.org" + }, + "edrop": { + "url_4": "https://www.spamhaus.org/drop/edrop.txt", + "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", + "focus": "spamhaus edrop compilation", + "descurl": "https://www.spamhaus.org" + }, + "feodo": { + "url_4": "https://feodotracker.abuse.ch/downloads/ipblocklist.txt", + "rule_4": "BEGIN{RS=\"\\r\\n\"}/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", + "focus": "feodo tracker", + "descurl": "https://feodotracker.abuse.ch" + }, + "firehol1": { + "url_4": "https://iplists.firehol.org/files/firehol_level1.netset", + "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", + "focus": "firehol level 1 compilation", + "descurl": "https://iplists.firehol.org/?ipset=firehol_level1" + }, + "firehol2": { + "url_4": "https://iplists.firehol.org/files/firehol_level2.netset", + "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", + "focus": "firehol level 2 compilation", + "descurl": "https://iplists.firehol.org/?ipset=firehol_level2" + }, + "firehol3": { + "url_4": "https://iplists.firehol.org/files/firehol_level3.netset", + "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", + "focus": "firehol level 3 compilation", + "descurl": "https://iplists.firehol.org/?ipset=firehol_level3" + }, + "firehol4": { + "url_4": "https://iplists.firehol.org/files/firehol_level4.netset", + "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{if(!seen[$1]++)printf \"%s,\\n\",$1}", + "focus": "firehol level 4 compilation", + "descurl": "https://iplists.firehol.org/?ipset=firehol_level4" + }, + "greensnow": { + "url_4": "https://blocklist.greensnow.co/greensnow.txt", + "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", + "focus": "suspicious server IPs", + "descurl": "https://greensnow.co" + }, + "iblockads": { + "url_4": "https://list.iblocklist.com/?list=dgxtneitpuvgqqcpfulq&fileformat=cidr&archiveformat=gz", + "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", + "focus": "advertising IPs", + "descurl": "https://www.iblocklist.com", + "flag": "gz", + "login": true + }, + "iblockspy": { + "url_4": "https://list.iblocklist.com/?list=llvtlsjyoyiczbkjsxpf&fileformat=cidr&archiveformat=gz", + "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", + "focus": "malicious spyware IPs", + "descurl": "https://www.iblocklist.com", + "flag": "gz", + "login": true + }, + "myip": { + "url_4": "https://myip.ms/files/blacklist/general/latest_blacklist.txt", + "url_6": "https://myip.ms/files/blacklist/general/latest_blacklist.txt", + "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", + "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", + "focus": "real-time IP blocklist", + "descurl": "https://myip.ms" + }, + "nixspam": { + "url_4": "https://www.nixspam.net/download/nixspam-ip.dump.gz", + "rule_4": "/(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$2}", + "focus": "iX spam protection", + "descurl": "https://www.nixspam.net", + "flag": "gz" + }, + "oisdnsfw": { + "url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/oisdnsfw-ipv4.txt", + "url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/oisdnsfw-ipv6.txt", + "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", + "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", + "focus": "OISD-nsfw IPs", + "descurl": "https://github.com/dibdot/banIP-IP-blocklists" + }, + "oisdsmall": { + "url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/oisdsmall-ipv4.txt", + "url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/oisdsmall-ipv6.txt", + "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", + "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", + "focus": "OISD-small IPs", + "descurl": "https://github.com/dibdot/banIP-IP-blocklists" + }, + "proxy": { + "url_4": "https://iplists.firehol.org/files/proxylists.ipset", + "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", + "focus": "open proxies", + "descurl": "https://iplists.firehol.org/?ipset=proxylists" + }, + "sslbl": { + "url_4": "https://sslbl.abuse.ch/blacklist/sslipblacklist.csv", + "rule_4": "BEGIN{FS=\",\"}/(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)/{printf \"%s,\\n\",$2}", + "focus": "SSL botnet IPs", + "descurl": "https://sslbl.abuse.ch" + }, + "stevenblack": { + "url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/stevenblack-ipv4.txt", + "url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/stevenblack-ipv6.txt", + "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", + "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", + "focus": "stevenblack IPs", + "descurl": "https://github.com/dibdot/banIP-IP-blocklists" + }, + "talos": { + "url_4": "https://www.talosintelligence.com/documents/ip-blacklist", + "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", + "focus": "talos IPs", + "descurl": "https://talosintelligence.com/reputation_center" + }, + "threat": { + "url_4": "https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt", + "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", + "focus": "emerging threats", + "descurl": "https://rules.emergingthreats.net" + }, + "threatview": { + "url_4": "https://threatview.io/Downloads/IP-High-Confidence-Feed.txt", + "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", + "focus": "malicious IPs", + "descurl": "https://threatview.io" + }, + "tor": { + "url_4": "https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst", + "url_6": "https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst", + "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", + "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}", + "focus": "tor exit nodes", + "descurl": "https://github.com/SecOps-Institute/Tor-IP-Addresses" + }, + "uceprotect1": { + "url_4": "http://wget-mirrors.uceprotect.net/rbldnsd-all/dnsbl-1.uceprotect.net.gz", + "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", + "focus": "spam protection level 1", + "descurl": "http://www.uceprotect.net/en/index.php", + "flag": "gz" + }, + "uceprotect2": { + "url_4": "http://wget-mirrors.uceprotect.net/rbldnsd-all/dnsbl-2.uceprotect.net.gz", + "rule_4": "BEGIN{IGNORECASE=1}/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]NET)/{printf \"%s,\\n\",$1}", + "focus": "spam protection level 2", + "descurl": "http://www.uceprotect.net/en/index.php", + "flag": "gz" + }, + "uceprotect3": { + "url_4": "http://wget-mirrors.uceprotect.net/rbldnsd-all/dnsbl-3.uceprotect.net.gz", + "rule_4": "BEGIN{IGNORECASE=1}/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]YOUR)/{printf \"%s,\\n\",$1}", + "focus": "spam protection level 3", + "descurl": "http://www.uceprotect.net/en/index.php", + "flag": "gz" + }, + "urlhaus": { + "url_4": "https://urlhaus.abuse.ch/downloads/ids/", + "rule_4": "match($0,/(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5]))/){printf \"%s,\\n\",substr($0,RSTART,RLENGTH)}", + "focus": "urlhaus IDS IPs", + "descurl": "https://urlhaus.abuse.ch" + }, + "urlvir": { + "url_4": "https://iplists.firehol.org/files/urlvir.ipset", + "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", + "focus": "malware related IPs", + "descurl": "https://iplists.firehol.org/?ipset=urlvir" + }, + "voip": { + "url_4": "https://voipbl.org/update/", + "rule_4": "BEGIN{RS=\"(([0-9]{1,3}\\\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)\"}{if(RT)printf \"%s,\\n\",RT}", + "focus": "VoIP fraud blocklist", + "descurl": "https://voipbl.org" + }, + "webclient": { + "url_4": "https://iplists.firehol.org/files/firehol_webclient.netset", + "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", + "focus": "malware related IPs", + "descurl": "https://iplists.firehol.org/?ipset=firehol_webclient" + }, + "yoyo": { + "url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/yoyo-ipv4.txt", + "url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/yoyo-ipv6.txt", + "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", + "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", + "focus": "yoyo IPs", + "descurl": "https://github.com/dibdot/banIP-IP-blocklists" + } +} diff --git a/net/banip/files/banip.hotplug b/net/banip/files/banip.hotplug deleted file mode 100644 index 436a3a63c..000000000 --- a/net/banip/files/banip.hotplug +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/sh -# firewall hotplug script for banIP -# Copyright (c) 2019-2021 Dirk Brenken (dev@brenken.org) -# This is free software, licensed under the GNU General Public License v3. - -if /etc/init.d/banip enabled && [ "${ACTION}" = "add" ] && [ -n "${INTERFACE}" ]; then - if [ ! -s "/var/run/banip.pid" ] && uci_get banip global ban_ifaces | grep -q "${INTERFACE}"; then - /etc/init.d/banip refresh - fi -fi diff --git a/net/banip/files/banip.init b/net/banip/files/banip.init index 08405e608..ab126f230 100755 --- a/net/banip/files/banip.init +++ b/net/banip/files/banip.init @@ -1,202 +1,69 @@ #!/bin/sh /etc/rc.common -# Copyright (c) 2018-2021 Dirk Brenken (dev@brenken.org) +# banIP init script - ban incoming and outgoing ip adresses/subnets via sets in nftables +# Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org) # This is free software, licensed under the GNU General Public License v3. # (s)hellcheck exceptions -# shellcheck disable=1091,2034,3043,3057,3060 +# shellcheck disable=all START=30 USE_PROCD=1 -if type extra_command >/dev/null 2>&1; then - extra_command "refresh" "Refresh ipsets without new list downloads" - extra_command "suspend" "Suspend banIP processing" - extra_command "resume" "Resume banIP processing" - extra_command "query" " Query active banIP IPSets for a specific IP address" - extra_command "report" "[|||] Print banIP related IPset statistics" - extra_command "list" "[|||||] List/Edit available sources" - extra_command "timer" "[ [] []]|[ ] List/Edit cron update intervals" -else - EXTRA_COMMANDS="status refresh suspend resume query report list timer version" - EXTRA_HELP=" status Service status - refresh Refresh ipsets without new list downloads - suspend Suspend banIP processing - resume Resume banIP processing - query Query active banIP IPSets for a specific IP address - report [|||] Print banIP related IPset statistics - list [|||||] List/Edit available sources - timer [ [] []]|[ ] List/Edit cron update intervals" -fi +extra_command "report" "[text|json|mail] Print banIP related set statistics" +extra_command "search" "[|] Check if an element exists in the banIP sets" ban_init="/etc/init.d/banip" -ban_script="/usr/bin/banip.sh" +ban_service="/usr/bin/banip-service.sh" +ban_funlib="/usr/lib/banip-functions.sh" ban_pidfile="/var/run/banip.pid" +ban_lock="/var/run/banip.lock" -if [ -s "${ban_pidfile}" ] && { [ "${action}" = "start" ] || [ "${action}" = "stop" ] || - [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "refresh" ] || - [ "${action}" = "suspend" ] || [ "${action}" = "resume" ] || [ "${action}" = "query" ] || - { [ "${action}" = "list" ] && [ -n "${1}" ]; } || { [ "${action}" = "report" ] && [ "${1}" != "json" ]; }; }; then - exit 0 -fi +[ ! -r "${ban_funlib}" ] && exit 1 +[ "${action}" = "stop" ] && ! /etc/init.d/banip running && exit 0 +[ -d "${ban_lock}" ] && { [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ]; } && exit 1 +[ ! -d "${ban_lock}" ] && { [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ]; } && mkdir -p "${ban_lock}" boot() { : >"${ban_pidfile}" - rc_procd start_service + rc_procd start_service "boot" } start_service() { if "${ban_init}" enabled; then - if [ "${action}" = "boot" ]; then - return 0 - fi - procd_open_instance "banip" - procd_set_param command "${ban_script}" "${@}" + [ "${action}" = "boot" ] && [ -n "$(uci_get banip global ban_trigger)" ] && return 0 + [ -z "$(command -v "f_system")" ] && . "${ban_funlib}" + f_rmpid + procd_open_instance "banip-service" + procd_set_param command "${ban_service}" "${@:-"${action}"}" procd_set_param pidfile "${ban_pidfile}" - procd_set_param nice "$(uci_get banip global ban_nice "0")" + procd_set_param nice "$(uci_get banip global ban_nicelimit "0")" + procd_set_param limits nofile="$(uci_get banip global ban_filelimit "1024")" procd_set_param stdout 1 procd_set_param stderr 1 procd_close_instance + else + [ -z "$(command -v "f_system")" ] && . "${ban_funlib}" + f_log "err" "banIP service autostart is currently disabled, please enable the service autostart with '/etc/init.d/banip enable'" + rm -rf "${ban_lock}" fi } -version() { - rc_procd "${ban_script}" version -} - -refresh() { - rc_procd start_service refresh -} - reload_service() { - rc_procd start_service reload + [ -z "$(command -v "f_system")" ] && . "${ban_funlib}" + f_rmpid + rc_procd start_service "reload" } stop_service() { - rc_procd "${ban_script}" stop + [ -z "$(command -v "f_system")" ] && . "${ban_funlib}" + "${ban_nftcmd}" delete table inet banIP >/dev/null 2>&1 + f_genstatus "stopped" + f_rmpid } restart() { - rc_procd start_service restart -} - -suspend() { - rc_procd start_service suspend -} - -resume() { - rc_procd start_service resume -} - -query() { - rc_procd "${ban_script}" query "${1}" -} - -list() { - local src_archive src_file src_enabled key name enabled focus descurl url_4 rule_4 url_6 rule_6 action="${1}" - - if [ "${action%_*}" = "add" ] || [ "${action%_*}" = "remove" ]; then - shift - for name in "${@}"; do - case "${action}" in - "add") - if ! uci_get banip global ban_sources | grep -q "${name}"; then - uci_add_list banip global ban_sources "${name}" - printf "%s\n" "::: banIP source '${name}' added to config" - fi - ;; - "remove") - if uci_get banip global ban_sources | grep -q "${name}"; then - uci_remove_list banip global ban_sources "${name}" - printf "%s\n" "::: banIP source '${name}' removed from config" - fi - ;; - "add_asn") - if ! uci_get banip global ban_asns | grep -q "${name}"; then - uci_add_list banip global ban_asns "${name}" - printf "%s\n" "::: banIP asn '${name}' added to config" - fi - ;; - "remove_asn") - if uci_get banip global ban_asns | grep -q "${name}"; then - uci_remove_list banip global ban_asns "${name}" - printf "%s\n" "::: banIP asn '${name}' removed from config" - fi - ;; - "add_country") - if ! uci_get banip global ban_countries | grep -q "${name}"; then - uci_add_list banip global ban_countries "${name}" - printf "%s\n" "::: banIP country '${name}' added to config" - fi - ;; - "remove_country") - if uci_get banip global ban_countries | grep -q "${name}"; then - uci_remove_list banip global ban_countries "${name}" - printf "%s\n" "::: banIP country '${name}' removed from config" - fi - ;; - esac - done - if [ -n "$(uci -q changes banip)" ]; then - uci_commit banip - "${ban_init}" start - fi - else - src_archive="$(uci_get banip global ban_srcarc "/etc/banip/banip.sources.gz")" - src_file="$(uci_get banip global ban_srcfile "/tmp/ban_sources.json")" - src_enabled="$(uci -q show banip.global.ban_sources)" - if [ -r "${src_archive}" ]; then - zcat "${src_archive}" >"${src_file}" - else - printf "%s\n" "::: banIP source archive '${src_archive}' not found" - fi - if [ -r "${src_file}" ]; then - src_enabled="${src_enabled#*=}" - src_enabled="${src_enabled//\'/}" - printf "%s\n" "::: Available banIP sources" - printf "%s\n" ":::" - printf "%-25s%-10s%-36s%s\n" " Name" "Enabled" "Focus" "Info URL" - printf "%s\n" " ---------------------------------------------------------------------------" - json_load_file "${src_file}" - json_get_keys keylist - for key in ${keylist}; do - json_select "${key}" - json_get_var focus "focus" - json_get_var descurl "descurl" - json_get_var url_4 "url_4" - json_get_var rule_4 "rule_4" - json_get_var url_6 "url_6" - json_get_var rule_6 "rule_6" - if { [ -n "${url_4}" ] && [ -n "${rule_4}" ]; } || { [ -n "${url_6}" ] && [ -n "${rule_6}" ]; }; then - if printf "%s" "${src_enabled}" | grep -q "${key}"; then - enabled="x" - else - enabled=" " - fi - src_enabled="${src_enabled/${key}/}" - printf " + %-21s%-10s%-36s%s\n" "${key:0:20}" "${enabled}" "${focus:0:35}" "${descurl:0:50}" - else - src_enabled="${src_enabled} ${key}" - fi - json_select .. - done - asn_list="$(uci_get banip global ban_asns "-")" - country_list="$(uci_get banip global ban_countries "-")" - printf "%s\n" " ---------------------------------------------------------------------------" - printf " * %s\n" "Configured ASNs: ${asn_list// /, }" - printf " * %s\n" "Configured Countries: ${country_list// /, }" - - if [ -n "${src_enabled// /}" ]; then - printf "%s\n" " ---------------------------------------------------------------------------" - printf "%s\n" " Sources without valid configuration" - printf "%s\n" " ---------------------------------------------------------------------------" - for key in ${src_enabled}; do - printf " - %s\n" "${key:0:20}" - done - fi - else - printf "%s\n" "::: banIP source file '${src_file}' not found" - fi - fi + stop_service + rc_procd start_service "restart" } status() { @@ -204,90 +71,29 @@ status() { } status_service() { - local key keylist type value index_value values rtfile - - rtfile="$(uci_get banip global ban_rtfile "/tmp/ban_runtime.json")" - - json_load_file "${rtfile}" >/dev/null 2>&1 - json_get_keys keylist - if [ -n "${keylist}" ]; then - printf "%s\n" "::: banIP runtime information" - for key in ${keylist}; do - json_get_var value "${key}" >/dev/null 2>&1 - if [ "${key%_*}" = "active" ]; then - printf " + %-15s : " "${key}" - json_select "${key}" >/dev/null 2>&1 - values="" - index=1 - while json_get_type type "${index}" && [ "${type}" = "object" ]; do - json_get_values index_value "${index}" >/dev/null 2>&1 - if [ "${index}" = "1" ]; then - values="${index_value}" - else - values="${values}, ${index_value}" - fi - index=$((index + 1)) - done - values="$(printf "%s" "${values}" | awk '{NR=1;max=98;if(length($0)>max+1)while($0){if(NR==1){print substr($0,1,max)}else{printf"%-22s%s\n","",substr($0,1,max)}{$0=substr($0,max+1);NR=NR+1}}else print}')" - printf "%s\n" "${values:-"-"}" - json_select ".." - else - printf " + %-15s : %s\n" "${key}" "${value:-"-"}" - fi - done - else - printf "%s\n" "::: no banIP runtime information available" - fi + [ -z "$(command -v "f_system")" ] && . "${ban_funlib}" + f_getstatus } report() { - rc_procd "${ban_script}" report "${1:-"cli"}" + [ -z "$(command -v "f_system")" ] && . "${ban_funlib}" + f_report "${1:-"text"}" } -timer() { - local cron_file cron_content cron_lineno action="${1:-"list"}" cron_tasks="${2}" hour="${3}" minute="${4:-0}" weekday="${5:-"*"}" - - cron_file="/etc/crontabs/root" - - if [ -s "${cron_file}" ] && [ "${action}" = "list" ]; then - awk '{print NR "> " $0}' "${cron_file}" - elif [ "${action}" = "add" ]; then - hour="${hour//[[:alpha:]]/}" - minute="${minute//[[:alpha:]]/}" - if [ -n "${cron_tasks}" ] && [ -n "${hour}" ] && [ -n "${minute}" ] && [ -n "${weekday}" ] && - [ "${hour}" -ge 0 ] && [ "${hour}" -le 23 ] && - [ "${minute}" -ge 0 ] && [ "${minute}" -le 59 ]; then - printf "%02d %02d %s\n" "${minute}" "${hour}" "* * ${weekday} ${ban_init} ${cron_tasks}" >>"${cron_file}" - /etc/init.d/cron restart - fi - elif [ -s "${cron_file}" ] && [ "${action}" = "remove" ]; then - cron_tasks="${cron_tasks//[[:alpha:]]/}" - cron_lineno="$(awk 'END{print NR}' "${cron_file}")" - cron_content="$(awk '{print $0}' "${cron_file}")" - if [ "${cron_tasks:-"0"}" -le "${cron_lineno:-"1"}" ] && [ -n "${cron_content}" ]; then - printf "%s\n" "${cron_content}" | awk "NR!~/^${cron_tasks}$/" >"${cron_file}" - /etc/init.d/cron restart - fi - fi +search() { + [ -z "$(command -v "f_system")" ] && . "${ban_funlib}" + f_search "${1}" } service_triggers() { - local iface delay + local iface trigger delay - iface="$(uci_get banip global ban_trigger)" + trigger="$(uci_get banip global ban_trigger)" delay="$(uci_get banip global ban_triggerdelay "5")" PROCD_RELOAD_DELAY=$((delay * 1000)) - if [ -z "${iface}" ]; then - . "/lib/functions/network.sh" - network_find_wan iface - if [ -n "${iface}" ]; then - uci_set banip global ban_trigger "${iface}" - uci_commit "banip" - fi - fi - if [ -n "${iface}" ]; then + for iface in ${trigger}; do procd_add_interface_trigger "interface.*.up" "${iface}" "${ban_init}" "start" - fi + done procd_add_reload_trigger "banip" } diff --git a/net/banip/files/banip.mail b/net/banip/files/banip.mail deleted file mode 100755 index a89b92df3..000000000 --- a/net/banip/files/banip.mail +++ /dev/null @@ -1,62 +0,0 @@ -#!/bin/sh -# send mail script for banIP notifications -# Copyright (c) 2020-2021 Dirk Brenken (dev@brenken.org) -# This is free software, licensed under the GNU General Public License v3. - -# (s)hellcheck exceptions -# shellcheck disable=1091,3040 - -# Please note: you have to setup the package 'msmtp' before using this script - -export LC_ALL=C -export PATH="/usr/sbin:/usr/bin:/sbin:/bin" -set -o pipefail - -. "/lib/functions.sh" -ban_debug="$(uci_get banip global ban_debug "0")" -ban_loglimit="$(uci_get banip global ban_loglimit "100")" -ban_mailsender="$(uci_get banip global ban_mailsender "no-reply@banIP")" -ban_mailreceiver="$(uci_get banip global ban_mailreceiver)" -ban_mailtopic="$(uci_get banip global ban_mailtopic "banIP notification")" -ban_mailprofile="$(uci_get banip global ban_mailprofile "ban_notify")" - -ban_mail="$(command -v msmtp)" -ban_logger="$(command -v logger)" -ban_logread="$(command -v logread)" - -if [ -z "${ban_mailreceiver}" ]; then - f_log "err" "please set the mail receiver with the 'ban_mailreceiver' option" - exit 1 -fi - -if [ "${ban_debug}" = "1" ]; then - msmtp_debug="--debug" -fi - -ban_mailhead="From: ${ban_mailsender}\nTo: ${ban_mailreceiver}\nSubject: ${ban_mailtopic}\nReply-to: ${ban_mailsender}\nMime-Version: 1.0\nContent-Type: text/html;charset=utf-8\nContent-Disposition: inline\n\n" - -# info preparation -# -sys_info="$( - strings /etc/banner 2>/dev/null - ubus call system board | awk 'BEGIN{FS="[{}\"]"}{if($2=="kernel"||$2=="hostname"||$2=="system"||$2=="model"||$2=="description")printf " + %-12s: %s\n",$2,$4}' -)" -ban_info="$(/etc/init.d/banip "status" 2>/dev/null)" -rep_info="${1}" -log_info="$("${ban_logread}" -l "${ban_loglimit}" -e "banIP-" 2>/dev/null | awk '{NR=1;max=120;if(length($0)>max+1)while($0){if(NR==1){print substr($0,1,max)}else{print substr($0,1,max)}{$0=substr($0,max+1);NR=NR+1}}else print}')" - -# mail body -# -ban_mailtext="
"
-ban_mailtext="${ban_mailtext}\n++\n++ System Information ++\n++\n${sys_info}"
-ban_mailtext="${ban_mailtext}\n\n++\n++ banIP Status ++\n++\n${ban_info}"
-if [ -n "${rep_info}" ]; then
-	ban_mailtext="${ban_mailtext}\n\n++\n++ banIP Report ++\n++\n${rep_info}"
-fi
-ban_mailtext="${ban_mailtext}\n\n++\n++ Logfile Information ++\n++\n${log_info}"
-ban_mailtext="${ban_mailtext}
" - -# send mail -# -printf "%b" "${ban_mailhead}${ban_mailtext}" 2>/dev/null | "${ban_mail}" ${msmtp_debug} -a "${ban_mailprofile}" "${ban_mailreceiver}" >/dev/null 2>&1 -"${ban_logger}" -p "info" -t "banIP-mail [${$}]" "mail sent to '${ban_mailreceiver}' with rc '${?}'" 2>/dev/null diff --git a/net/banip/files/banip.service b/net/banip/files/banip.service deleted file mode 100755 index 12e7bda2f..000000000 --- a/net/banip/files/banip.service +++ /dev/null @@ -1,28 +0,0 @@ -#!/bin/sh -# log service to trace suspicious logins and conditionally refresh banIP -# Copyright (c) 2019-2021 Dirk Brenken (dev@brenken.org) -# This is free software, licensed under the GNU General Public License v3. - -# (s)hellcheck exceptions -# shellcheck disable=3040 - -export LC_ALL=C -export PATH="/usr/sbin:/usr/bin:/sbin:/bin" -set -o pipefail - -ban_search="${1}" -ban_logger_cmd="$(command -v logger)" -ban_logread_cmd="$(command -v logread)" - -if [ -x "${ban_logread_cmd}" ]; then - "${ban_logger_cmd}" -p "info" -t "banIP-service [${$}]" "log/banIP service started" 2>/dev/null - "${ban_logread_cmd}" -f | - { - grep -qE "${ban_search}" && { - /etc/init.d/banip refresh - exit 0 - } - } -else - "${ban_logger_cmd}" -p "err" -t "banIP-service [${$}]" "can't start log/banIP service" 2>/dev/null -fi diff --git a/net/banip/files/banip.sh b/net/banip/files/banip.sh deleted file mode 100755 index 8672ead22..000000000 --- a/net/banip/files/banip.sh +++ /dev/null @@ -1,1595 +0,0 @@ -#!/bin/sh -# banIP - ban incoming and outgoing ip adresses/subnets via ipset -# Copyright (c) 2018-2021 Dirk Brenken (dev@brenken.org) -# This is free software, licensed under the GNU General Public License v3. - -# (s)hellcheck exceptions -# shellcheck disable=1091,2030,2031,2086,2183,3040,3043,3060 - -# set initial defaults -# -export LC_ALL=C -export PATH="/usr/sbin:/usr/bin:/sbin:/bin" -set -o pipefail -ban_ver="0.7.10" -ban_status="" -ban_enabled="0" -ban_mail_enabled="0" -ban_proto4_enabled="0" -ban_proto6_enabled="0" -ban_logsrc_enabled="0" -ban_logdst_enabled="0" -ban_monitor_enabled="0" -ban_autodetect="1" -ban_autoblacklist="1" -ban_autowhitelist="1" -ban_whitelistonly="0" -ban_logterms="" -ban_loglimit="100" -ban_ssh_logcount="3" -ban_luci_logcount="3" -ban_nginx_logcount="5" -ban_mailactions="" -ban_search="" -ban_devs="" -ban_ifaces="" -ban_debug="0" -ban_maxqueue="4" -ban_fetchutil="" -ban_fetchinsecure="0" -ban_ip_cmd="$(command -v ip)" -ban_ipt4_cmd="$(command -v iptables)" -ban_ipt4_savecmd="$(command -v iptables-save)" -ban_ipt4_restorecmd="$(command -v iptables-restore)" -ban_ipt6_cmd="$(command -v ip6tables)" -ban_ipt6_savecmd="$(command -v ip6tables-save)" -ban_ipt6_restorecmd="$(command -v ip6tables-restore)" -ban_ipset_cmd="$(command -v ipset)" -ban_logger_cmd="$(command -v logger)" -ban_logread_cmd="$(command -v logread)" -ban_allsources="" -ban_extrasources="" -ban_sources="" -ban_asns="" -ban_countries="" -ban_settype_src="" -ban_settype_dst="" -ban_settype_all="" -ban_lan_inputchains_4="" -ban_lan_inputchains_6="" -ban_lan_forwardchains_4="" -ban_lan_forwardchains_6="" -ban_wan_inputchains_4="" -ban_wan_inputchains_6="" -ban_wan_forwardchains_4="" -ban_wan_forwardchains_6="" -ban_action="${1:-"start"}" -ban_pidfile="/var/run/banip.pid" -ban_bgpidfile="/var/run/banip_bg.pid" -ban_tmpbase="/tmp" -ban_rtfile="${ban_tmpbase}/ban_runtime.json" -ban_srcfile="${ban_tmpbase}/ban_sources.json" -ban_reportdir="${ban_tmpbase}/banIP-Report" -ban_backupdir="${ban_tmpbase}/banIP-Backup" -ban_srcarc="/etc/banip/banip.sources.gz" -ban_dnsservice="/etc/banip/banip.dns" -ban_mailservice="/etc/banip/banip.mail" -ban_logservice="/etc/banip/banip.service" -ban_maclist="/etc/banip/banip.maclist" -ban_blacklist="/etc/banip/banip.blacklist" -ban_whitelist="/etc/banip/banip.whitelist" -ban_setcnt="0" -ban_cnt="0" - -# load environment -# -f_load() { - ban_sysver="$(ubus -S call system board 2>/dev/null | jsonfilter -q -e '@.model' -e '@.release.description' | - awk 'BEGIN{RS="";FS="\n"}{printf "%s, %s",$1,$2}')" - - f_conf - if [ "${ban_enabled}" = "0" ]; then - f_bgsrv "stop" - f_ipset "destroy" - f_jsnup "disabled" - f_rmbckp - f_rmtmp - f_log "info" "banIP is currently disabled, please set the config option 'ban_enabled' to '1' to use this service" - exit 0 - fi - f_dir "${ban_backupdir}" - f_dir "${ban_reportdir}" -} - -# check/create directories -# -f_dir() { - local dir="${1}" - - if [ -d "${dir}" ]; then - f_log "debug" "directory '${dir}' is used" - else - rm -f "${dir}" - mkdir -p "${dir}" - f_log "debug" "directory '${dir}' created" - fi -} - -# load banIP config -# -f_conf() { - if [ ! -r "/etc/config/banip" ] || [ -z "$(uci -q show banip.global.ban_autodetect)" ]; then - f_log "err" "no valid banIP config found, please re-install the package via opkg with the '--force-reinstall --force-maintainer' options" - fi - - config_cb() { - option_cb() { - local option="${1}" - local value="${2}" - eval "${option}=\"${value}\"" - } - list_cb() { - local option="${1}" - local value="${2}" - if [ "${option}" = "ban_ifaces" ]; then - eval "${option}=\"$(printf "%s" "${ban_ifaces}")${value} \"" - elif [ "${option}" = "ban_sources" ]; then - eval "${option}=\"$(printf "%s" "${ban_sources}")${value} \"" - elif [ "${option}" = "ban_localsources" ]; then - eval "${option}=\"$(printf "%s" "${ban_localsources}")${value} \"" - elif [ "${option}" = "ban_extrasources" ]; then - eval "${option}=\"$(printf "%s" "${ban_extrasources}")${value} \"" - elif [ "${option}" = "ban_settype_src" ]; then - eval "${option}=\"$(printf "%s" "${ban_settype_src}")${value} \"" - elif [ "${option}" = "ban_settype_dst" ]; then - eval "${option}=\"$(printf "%s" "${ban_settype_dst}")${value} \"" - elif [ "${option}" = "ban_settype_all" ]; then - eval "${option}=\"$(printf "%s" "${ban_settype_all}")${value} \"" - elif [ "${option}" = "ban_mailactions" ]; then - eval "${option}=\"$(printf "%s" "${ban_mailactions}")${value} \"" - elif [ "${option}" = "ban_logterms" ]; then - eval "${option}=\"$(printf "%s" "${ban_logterms}")${value} \"" - elif [ "${option}" = "ban_countries" ]; then - eval "${option}=\"$(printf "%s" "${ban_countries}")${value} \"" - elif [ "${option}" = "ban_asns" ]; then - eval "${option}=\"$(printf "%s" "${ban_asns}")${value} \"" - elif [ "${option}" = "ban_lan_inputchains_4" ]; then - eval "${option}=\"$(printf "%s" "${ban_lan_inputchains_4}")${value} \"" - elif [ "${option}" = "ban_lan_inputchains_6" ]; then - eval "${option}=\"$(printf "%s" "${ban_lan_inputchains_6}")${value} \"" - elif [ "${option}" = "ban_lan_forwardchains_4" ]; then - eval "${option}=\"$(printf "%s" "${ban_lan_forwardchains_4}")${value} \"" - elif [ "${option}" = "ban_lan_forwardchains_6" ]; then - eval "${option}=\"$(printf "%s" "${ban_lan_forwardchains_6}")${value} \"" - elif [ "${option}" = "ban_wan_inputchains_4" ]; then - eval "${option}=\"$(printf "%s" "${ban_wan_inputchains_4}")${value} \"" - elif [ "${option}" = "ban_wan_inputchains_6" ]; then - eval "${option}=\"$(printf "%s" "${ban_wan_inputchains_6}")${value} \"" - elif [ "${option}" = "ban_wan_forwardchains_4" ]; then - eval "${option}=\"$(printf "%s" "${ban_wan_forwardchains_4}")${value} \"" - elif [ "${option}" = "ban_wan_forwardchains_6" ]; then - eval "${option}=\"$(printf "%s" "${ban_wan_forwardchains_6}")${value} \"" - fi - } - } - config_load banip - - ban_chain="${ban_chain:-"banIP"}" - ban_global_settype="${ban_global_settype:-"src+dst"}" - ban_target_src="${ban_target_src:-"DROP"}" - ban_target_dst="${ban_target_dst:-"REJECT"}" - ban_lan_inputchains_4="${ban_lan_inputchains_4:-"input_lan_rule"}" - ban_lan_inputchains_6="${ban_lan_inputchains_6:-"input_lan_rule"}" - ban_lan_forwardchains_4="${ban_lan_forwardchains_4:-"forwarding_lan_rule"}" - ban_lan_forwardchains_6="${ban_lan_forwardchains_6:-"forwarding_lan_rule"}" - ban_wan_inputchains_4="${ban_wan_inputchains_4:-"input_wan_rule"}" - ban_wan_inputchains_6="${ban_wan_inputchains_6:-"input_wan_rule"}" - ban_wan_forwardchains_4="${ban_wan_forwardchains_4:-"forwarding_wan_rule"}" - ban_wan_forwardchains_6="${ban_wan_forwardchains_6:-"forwarding_wan_rule"}" - ban_logchain_src="${ban_logchain_src:-"${ban_chain}_log_src"}" - ban_logchain_dst="${ban_logchain_dst:-"${ban_chain}_log_dst"}" - ban_logtarget_src="${ban_target_src}" - ban_logtarget_dst="${ban_target_dst}" - if [ "${ban_logsrc_enabled}" = "1" ]; then - ban_logprefix_src="${ban_logprefix_src:-"[banIP-${ban_ver%-*}, src/${ban_target_src}] "}" - ban_logopts_src="${ban_logopts_src:-"-m limit --limit 2/sec"}" - ban_target_src="${ban_logchain_src}" - fi - if [ "${ban_logdst_enabled}" = "1" ]; then - ban_logprefix_dst="${ban_logprefix_dst:-"[banIP-${ban_ver%-*}, dst/${ban_target_dst}] "}" - ban_logopts_dst="${ban_logopts_dst:-"-m limit --limit 2/sec"}" - ban_target_dst="${ban_logchain_dst}" - fi - ban_localsources="${ban_localsources:-"maclist whitelist blacklist"}" - ban_logterms="${ban_logterms:-"dropbear sshd luci nginx"}" - f_log "debug" "f_conf ::: ifaces: ${ban_ifaces:-"-"}, chain: ${ban_chain}, set_type: ${ban_global_settype}, log_chains (src/dst): ${ban_logchain_src}/${ban_logchain_dst}, targets (src/dst): ${ban_target_src}/${ban_target_dst}, whitelist_only: ${ban_whitelistonly}" - f_log "debug" "f_conf ::: lan_inputs (4/6): ${ban_lan_inputchains_4}/${ban_lan_inputchains_6}, lan_forwards (4/6): ${ban_lan_forwardchains_4}/${ban_lan_forwardchains_6}, wan_inputs (4/6): ${ban_wan_inputchains_4}/${ban_wan_inputchains_6}, wan_forwards (4/6): ${ban_wan_forwardchains_4}/${ban_wan_forwardchains_6}" - f_log "debug" "f_conf ::: local_sources: ${ban_localsources:-"-"}, extra_sources: ${ban_extrasources:-"-"}, log_terms: ${ban_logterms:-"-"}, log_prefixes (src/dst): ${ban_logprefix_src}/${ban_logprefix_dst}, log_options (src/dst): ${ban_logopts_src}/${ban_logopts_dst}" -} - -# check environment -# -f_env() { - local util utils packages iface insecure tmp cnt="0" cnt_max="10" - - ban_starttime="$(date "+%s")" - f_jsnup "running" - f_log "info" "start banIP processing (${ban_action})" - - f_tmp - - if [ "${ban_autodetect}" = "1" ] && [ -z "${ban_ifaces}" ]; then - while [ "${cnt}" -le "${cnt_max}" ]; do - network_find_wan iface - if [ -n "${iface}" ] && ! printf "%s\n" "${ban_ifaces}" | grep -q "${iface}"; then - ban_proto4_enabled="1" - ban_ifaces="${ban_ifaces}${iface} " - uci_set banip global ban_proto4_enabled "1" - uci_add_list banip global ban_ifaces "${iface}" - fi - network_find_wan6 iface - if [ -n "${iface}" ] && ! printf "%s\n" "${ban_ifaces}" | grep -q "${iface}"; then - ban_proto6_enabled="1" - ban_ifaces="${ban_ifaces}${iface} " - uci_set banip global ban_proto6_enabled "1" - uci_add_list banip global ban_ifaces "${iface}" - fi - if [ -z "${ban_ifaces}" ]; then - if [ "${cnt}" -le "${cnt_max}" ]; then - network_flush_cache - cnt=$((cnt + 1)) - sleep 1 - else - break - fi - else - if [ -n "$(uci -q changes "banip")" ]; then - uci_commit "banip" - fi - break - fi - done - fi - - while [ "${cnt}" -le "${cnt_max}" ]; do - for iface in ${ban_ifaces}; do - network_get_device tmp "${iface}" - if [ -n "${tmp}" ] && ! printf "%s\n" "${ban_devs}" | grep -q "${tmp}"; then - ban_devs="${ban_devs} ${tmp}" - else - network_get_physdev tmp "${iface}" - if [ -n "${tmp}" ] && ! printf "%s\n" "${ban_devs}" | grep -q "${tmp}"; then - ban_devs="${ban_devs} ${tmp}" - fi - fi - network_get_subnet tmp "${iface}" - if [ -n "${tmp}" ] && ! printf "%s\n" "${ban_subnets}" | grep -q "${tmp}"; then - ban_subnets="${ban_subnets} ${tmp}" - fi - network_get_subnet6 tmp "${iface}" - if [ -n "${tmp}" ] && ! printf "%s\n" "${ban_subnets}" | grep -q "${tmp}"; then - ban_subnets="${ban_subnets} ${tmp}" - fi - done - if [ -z "${ban_devs}" ] || [ -z "${ban_subnets}" ]; then - if [ "${cnt}" -le "${cnt_max}" ]; then - network_flush_cache - cnt=$((cnt + 1)) - sleep 1 - else - break - fi - else - break - fi - done - ban_ipdevs="$("${ban_ip_cmd}" link show 2>/dev/null | awk 'BEGIN{FS="[@: ]"}/^[0-9:]/{if($3!="lo"){ORS=" ";print $3}}')" - - if [ -z "${ban_ifaces}" ] || [ -z "${ban_devs}" ] || [ -z "${ban_ipdevs}" ]; then - f_log "err" "logical wan interface(s)/device(s) '${ban_ifaces:-"-"}/${ban_devs:-"-"}' not found, please check your configuration" - elif [ -z "${ban_ipdevs}" ]; then - f_log "err" "ip device(s) '${ban_ipdevs:-"-"}' not found, please check your configuration" - fi - - if [ ! -x "${ban_ipset_cmd}" ]; then - f_log "err" "ipset utility '${ban_ipset_cmd:-"-"}' not executable, please install package 'ipset'" - fi - if { [ "${ban_proto4_enabled}" = "1" ] && { [ ! -x "${ban_ipt4_cmd}" ] || [ ! -x "${ban_ipt4_savecmd}" ] || [ ! -x "${ban_ipt4_restorecmd}" ]; }; } || - { [ "${ban_proto6_enabled}" = "1" ] && { [ ! -x "${ban_ipt6_cmd}" ] || [ ! -x "${ban_ipt6_savecmd}" ] || [ ! -x "${ban_ipt6_restorecmd}" ]; }; }; then - f_log "err" "iptables utilities '${ban_ipt4_cmd:-"-"}, ${ban_ipt4_savecmd:-"-"}, ${ban_ipt4_restorecmd:-"-"}/${ban_ipt6_cmd:-"-"}', ${ban_ipt6_savecmd:-"-"}, ${ban_ipt6_restorecmd:-"-"} not executable, please install the relevant iptables packages" - fi - - if [ -z "${ban_fetchutil}" ]; then - while [ -z "${packages}" ] && [ "${cnt}" -le "${cnt_max}" ]; do - packages="$(opkg list-installed 2>/dev/null)" - cnt=$((cnt + 1)) - sleep 1 - done - if [ -z "${packages}" ]; then - f_log "err" "local opkg package repository is not available, please set 'ban_fetchutil' manually" - fi - - utils="aria2c curl wget uclient-fetch" - for util in ${utils}; do - if { [ "${util}" = "uclient-fetch" ] && printf "%s" "${packages}" | grep -q "^libustream-"; } || - { [ "${util}" = "wget" ] && printf "%s" "${packages}" | grep -q "^wget -"; } || - [ "${util}" = "curl" ] || [ "${util}" = "aria2c" ]; then - if [ -x "$(command -v "${util}")" ]; then - ban_fetchutil="${util}" - uci_set banip global ban_fetchutil "${util}" - uci_commit "banip" - break - fi - fi - done - elif [ ! -x "$(command -v "${ban_fetchutil}")" ]; then - unset ban_fetchutil - fi - case "${ban_fetchutil}" in - "aria2c") - if [ "${ban_fetchinsecure}" = "1" ]; then - insecure="--check-certificate=false" - fi - ban_fetchparm="${ban_fetchparm:-"${insecure} --timeout=20 --allow-overwrite=true --auto-file-renaming=false --log-level=warn --dir=/ -o"}" - ;; - "curl") - if [ "${ban_fetchinsecure}" = "1" ]; then - insecure="--insecure" - fi - ban_fetchparm="${ban_fetchparm:-"${insecure} --connect-timeout 20 --silent --show-error --location -o"}" - ;; - "uclient-fetch") - if [ "${ban_fetchinsecure}" = "1" ]; then - insecure="--no-check-certificate" - fi - ban_fetchparm="${ban_fetchparm:-"${insecure} --timeout=20 -O"}" - ;; - "wget") - if [ "${ban_fetchinsecure}" = "1" ]; then - insecure="--no-check-certificate" - fi - ban_fetchparm="${ban_fetchparm:-"${insecure} --no-cache --no-cookies --max-redirect=0 --timeout=20 -O"}" - ;; - esac - if [ -n "${ban_fetchutil}" ] && [ -n "${ban_fetchparm}" ]; then - ban_fetchutil="$(command -v "${ban_fetchutil}")" - else - f_log "err" "download utility with SSL support not found, please install 'uclient-fetch' with a 'libustream-*' variant or another download utility like 'wget', 'curl' or 'aria2'" - fi - - if [ ! -r "${ban_srcfile}" ]; then - if [ -r "${ban_srcarc}" ]; then - zcat "${ban_srcarc}" >"${ban_srcfile}" - else - f_log "err" "banIP source archive not found" - fi - fi - if [ -r "${ban_srcfile}" ]; then - json_init - json_load_file "${ban_srcfile}" - json_get_keys ban_allsources - ban_allsources="${ban_allsources} maclist blacklist whitelist" - else - f_log "err" "banIP source file not found" - fi - f_log "debug" "f_env ::: auto_detect: ${ban_autodetect}, fetch_util: ${ban_fetchutil:-"-"}, fetch_parm: ${ban_fetchparm:-"-"}, src_file: ${ban_srcfile:-"-"}, log_terms: ${ban_logterms}, interfaces: ${ban_ifaces:-"-"}, devices: ${ban_devs:-"-"}, subnets: ${ban_subnets:-"-"}, ip_devices: ${ban_ipdevs:-"-"}, protocols (4/6): ${ban_proto4_enabled}/${ban_proto6_enabled}" -} - -# create temporary files and directories -# -f_tmp() { - f_dir "${ban_tmpbase}" - - ban_tmpdir="$(mktemp -p "${ban_tmpbase}" -d)" - ban_tmpfile="$(mktemp -p "${ban_tmpdir}" -tu)" - - if [ ! -f "${ban_pidfile}" ] || [ ! -s "${ban_pidfile}" ]; then - printf "%s" "${$}" >"${ban_pidfile}" - fi - f_log "debug" "f_tmp ::: tmp_base: ${ban_tmpbase:-"-"}, tmp_dir: ${ban_tmpdir:-"-"}, pid_file: ${ban_pidfile:-"-"}" -} - -# remove temporary files and directories -# -f_rmtmp() { - if [ -d "${ban_tmpdir}" ]; then - rm -rf "${ban_tmpdir}" - fi - rm -f "${ban_srcfile}" - : >"${ban_pidfile}" - f_log "debug" "f_rmtmp ::: tmp_base: ${ban_tmpbase:-"-"}, tmp_dir: ${ban_tmpdir:-"-"}, pid_file: ${ban_pidfile:-"-"}" -} - -# remove backup files -# -f_rmbckp() { - if [ -d "${ban_backupdir}" ]; then - rm -f "${ban_backupdir}/banIP."*".gz" - fi -} - -# status helper function -# -f_char() { - local result input="${1}" - - if [ "${input}" = "1" ]; then - result="✔" - else - result="✘" - fi - printf "%s" "${result}" -} - -# apply iptables rules -# -f_iptrule() { - local rc timeout="-w 5" action="${1}" chain="${2}" rule="${3}" pos="${4}" - - if [ "${ban_proto4_enabled}" = "1" ] && { [ "${src_name}" = "maclist" ] || [ "${src_name##*_}" = "4" ]; }; then - rc="$( - "${ban_ipt4_cmd}" "${timeout}" -C ${chain} ${rule} 2>/dev/null - printf "%u" ${?} - )" - if { [ "${rc}" != "0" ] && { [ "${action}" = "-A" ] || [ "${action}" = "-I" ]; }; } || - { [ "${rc}" = "0" ] && [ "${action}" = "-D" ]; }; then - "${ban_ipt4_cmd}" "${timeout}" "${action}" ${chain} ${pos} ${rule} 2>/dev/null - rc="${?}" - else - rc=0 - fi - fi - if [ "${ban_proto6_enabled}" = "1" ] && { [ "${src_name}" = "maclist" ] || [ "${src_name##*_}" = "6" ]; }; then - rc="$( - "${ban_ipt6_cmd}" "${timeout}" -C ${chain} ${rule} 2>/dev/null - printf "%u" ${?} - )" - if { [ "${rc}" != "0" ] && { [ "${action}" = "-A" ] || [ "${action}" = "-I" ]; }; } || - { [ "${rc}" = "0" ] && [ "${action}" = "-D" ]; }; then - "${ban_ipt6_cmd}" "${timeout}" "${action}" ${chain} ${pos} ${rule} 2>/dev/null - rc="${?}" - else - rc=0 - fi - fi - if [ -n "${rc}" ] && [ "${rc}" != "0" ]; then - : >"${tmp_err}" - f_log "info" "${src_name}: iptables action '${action:-"-"}' failed with '${chain}, ${pos:-"-"}, ${rule:-"-"}'" - fi -} - -# iptables controller -# -f_iptables() { - local ipt_cmd chain chainsets dev pos timeout="-w 5" destroy="${1}" - - if [ "${ban_action}" != "refresh" ] && [ "${ban_action}" != "resume" ]; then - for dev in ${ban_ipdevs}; do - if [ "${src_name}" = "maclist" ]; then - f_iptrule "-D" "${ban_chain}" "-o ${dev} -m set --match-set ${src_name} src -j RETURN" - elif [ "${src_name%_*}" = "whitelist" ]; then - f_iptrule "-D" "${ban_chain}" "-i ${dev} -m set ! --match-set ${src_name} src -j ${ban_logtarget_src}" - f_iptrule "-D" "${ban_chain}" "-o ${dev} -m set ! --match-set ${src_name} dst -j ${ban_logtarget_dst}" - f_iptrule "-D" "${ban_chain}" "-i ${dev} -m set ! --match-set ${src_name} src -j ${ban_logchain_src}" - f_iptrule "-D" "${ban_chain}" "-o ${dev} -m set ! --match-set ${src_name} dst -j ${ban_logchain_dst}" - f_iptrule "-D" "${ban_chain}" "-i ${dev} -m set --match-set ${src_name} src -j RETURN" - f_iptrule "-D" "${ban_chain}" "-o ${dev} -m set --match-set ${src_name} dst -j RETURN" - else - f_iptrule "-D" "${ban_chain}" "-i ${dev} -m set --match-set ${src_name} src -j ${ban_logtarget_src}" - f_iptrule "-D" "${ban_chain}" "-o ${dev} -m set --match-set ${src_name} dst -j ${ban_logtarget_dst}" - f_iptrule "-D" "${ban_chain}" "-i ${dev} -m set --match-set ${src_name} src -j ${ban_logchain_src}" - f_iptrule "-D" "${ban_chain}" "-o ${dev} -m set --match-set ${src_name} dst -j ${ban_logchain_dst}" - fi - done - fi - if [ -z "${destroy}" ] && { [ "${cnt}" -gt "0" ] || [ "${src_name%_*}" = "blacklist" ] || [ "${src_name%_*}" = "whitelist" ]; }; then - if [ "${src_name##*_}" = "4" ]; then - ipt_cmd="${ban_ipt4_cmd}" - if [ ! -f "${ban_tmpfile}.${src_name##*_}.chains" ]; then - : >"${ban_tmpfile}.${src_name##*_}.chains" - chainsets="${ban_lan_inputchains_4} ${ban_wan_inputchains_4} ${ban_lan_forwardchains_4} ${ban_wan_forwardchains_4}" - for chain in ${chainsets}; do - f_iptrule "-I" "${chain}" "-j ${ban_chain}" - done - f_iptrule "-A" "${ban_chain}" "-p udp --dport 67:68 --sport 67:68 -j RETURN" - f_iptrule "-A" "${ban_chain}" "-m conntrack ! --ctstate NEW -j RETURN" - fi - elif [ "${src_name##*_}" = "6" ]; then - ipt_cmd="${ban_ipt6_cmd}" - if [ ! -f "${ban_tmpfile}.${src_name##*_}.chains" ]; then - : >"${ban_tmpfile}.${src_name##*_}.chains" - chainsets="${ban_lan_inputchains_6} ${ban_wan_inputchains_6} ${ban_lan_forwardchains_6} ${ban_wan_forwardchains_6}" - for chain in ${chainsets}; do - f_iptrule "-I" "${chain}" "-j ${ban_chain}" - done - f_iptrule "-A" "${ban_chain}" "-p ipv6-icmp -s fe80::/10 -d fe80::/10 -j RETURN" - f_iptrule "-A" "${ban_chain}" "-p udp -s fc00::/6 --sport 547 -d fc00::/6 --dport 546 -j RETURN" - f_iptrule "-A" "${ban_chain}" "-m conntrack ! --ctstate NEW -j RETURN" - fi - fi - if [ "${src_settype}" != "dst" ]; then - for dev in ${ban_devs}; do - if [ "${src_name}" = "maclist" ]; then - f_iptrule "-I" "${ban_chain}" "-o ${dev} -m set --match-set ${src_name} src -j RETURN" "1" - elif [ "${src_name%_*}" = "whitelist" ]; then - pos="$(($("${ipt_cmd}" "${timeout}" -vnL "${ban_chain}" --line-numbers | grep -cF "RETURN") + 1))" - if [ "${ban_whitelistonly}" = "1" ]; then - f_iptrule "-I" "${ban_chain}" "-i ${dev} -m set ! --match-set ${src_name} src -j ${ban_target_src}" "${pos}" - else - f_iptrule "-I" "${ban_chain}" "-i ${dev} -m set --match-set ${src_name} src -j RETURN" "${pos}" - fi - else - f_iptrule "${action:-"-A"}" "${ban_chain}" "-i ${dev} -m set --match-set ${src_name} src -j ${ban_target_src}" - fi - done - fi - if [ "${src_settype}" != "src" ]; then - for dev in ${ban_devs}; do - if [ "${src_name%_*}" = "whitelist" ]; then - pos="$(($("${ipt_cmd}" "${timeout}" -vnL "${ban_chain}" --line-numbers | grep -cF "RETURN") + 1))" - if [ "${ban_whitelistonly}" = "1" ]; then - f_iptrule "-I" "${ban_chain}" "-o ${dev} -m set ! --match-set ${src_name} dst -j ${ban_target_dst}" "${pos}" - else - f_iptrule "-I" "${ban_chain}" "-o ${dev} -m set --match-set ${src_name} dst -j RETURN" "${pos}" - fi - elif [ "${src_name}" != "maclist" ]; then - f_iptrule "${action:-"-A"}" "${ban_chain}" "-o ${dev} -m set --match-set ${src_name} dst -j ${ban_target_dst}" - fi - done - fi - else - "${ban_ipset_cmd}" -q destroy "${src_name}" - fi -} - -# ipset controller -# -f_ipset() { - local src src_list action rule ipt_cmd out_rc max="0" cnt="0" cnt_ip="0" cnt_cidr="0" cnt_mac="0" timeout="-w 5" mode="${1}" in_rc="4" - - case "${mode}" in - "backup") - gzip -cf "${tmp_load}" 2>/dev/null >"${ban_backupdir}/banIP.${src_name}.gz" - out_rc="${?}" - f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}, out_rc: ${out_rc}" - return "${out_rc}" - ;; - "restore") - if [ -f "${ban_backupdir}/banIP.${src_name}.gz" ]; then - zcat "${ban_backupdir}/banIP.${src_name}.gz" 2>/dev/null >"${tmp_load}" - out_rc="${?}" - else - out_rc="${in_rc}" - fi - f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}, out_rc: ${out_rc}" - return "${out_rc}" - ;; - "remove") - if [ -f "${ban_backupdir}/banIP.${src_name}.gz" ]; then - rm -f "${ban_backupdir}/banIP.${src_name}.gz" - out_rc="${?}" - else - out_rc="${in_rc}" - fi - f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}, out_rc: ${out_rc}" - return "${out_rc}" - ;; - "initial") - for proto in "4" "6"; do - if [ "${proto}" = "4" ] && [ "${ban_proto4_enabled}" = "1" ]; then - ipt_cmd="${ban_ipt4_cmd}" - chainsets="${ban_lan_inputchains_4} ${ban_lan_forwardchains_4} ${ban_wan_inputchains_4} ${ban_wan_forwardchains_4}" - elif [ "${proto}" = "6" ] && [ "${ban_proto6_enabled}" = "1" ]; then - ipt_cmd="${ban_ipt6_cmd}" - chainsets="${ban_lan_inputchains_6} ${ban_lan_forwardchains_6} ${ban_wan_inputchains_6} ${ban_wan_forwardchains_6}" - fi - - if { [ "${proto}" = "4" ] && [ "${ban_proto4_enabled}" = "1" ]; } || - { [ "${proto}" = "6" ] && [ "${ban_proto6_enabled}" = "1" ]; }; then - if [ -z "$("${ipt_cmd}" "${timeout}" -nL "${ban_chain}" 2>/dev/null)" ]; then - "${ipt_cmd}" "${timeout}" -N "${ban_chain}" 2>/dev/null - out_rc="${?}" - f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}, chain: ${ban_chain:-"-"}, out_rc: ${out_rc}" - else - out_rc=0 - for chain in ${chainsets}; do - f_iptrule "-D" "${chain}" "-j ${ban_chain}" - done - fi - - if [ "${ban_logsrc_enabled}" = "1" ] && [ "${out_rc}" = "0" ] && [ -z "$("${ipt_cmd}" "${timeout}" -nL "${ban_logchain_src}" 2>/dev/null)" ]; then - "${ipt_cmd}" "${timeout}" -N "${ban_logchain_src}" 2>/dev/null - out_rc="${?}" - if [ "${out_rc}" = "0" ]; then - "${ipt_cmd}" "${timeout}" -A "${ban_logchain_src}" -j LOG ${ban_logopts_src} --log-prefix "${ban_logprefix_src}" - out_rc="${?}" - if [ "${out_rc}" = "0" ]; then - "${ipt_cmd}" "${timeout}" -A "${ban_logchain_src}" -j "${ban_logtarget_src}" - out_rc="${?}" - fi - fi - f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}, logchain_src: ${ban_logchain_src:-"-"}, out_rc: ${out_rc}" - fi - - if [ "${ban_logdst_enabled}" = "1" ] && [ "${out_rc}" = "0" ] && [ -z "$("${ipt_cmd}" "${timeout}" -nL "${ban_logchain_dst}" 2>/dev/null)" ]; then - "${ipt_cmd}" "${timeout}" -N "${ban_logchain_dst}" 2>/dev/null - out_rc="${?}" - if [ "${out_rc}" = "0" ]; then - "${ipt_cmd}" "${timeout}" -A "${ban_logchain_dst}" -j LOG ${ban_logopts_dst} --log-prefix "${ban_logprefix_dst}" - out_rc="${?}" - if [ "${out_rc}" = "0" ]; then - "${ipt_cmd}" "${timeout}" -A "${ban_logchain_dst}" -j "${ban_logtarget_dst}" - out_rc="${?}" - fi - fi - f_log "debug" "f_ipset ::: name: initial, mode: ${mode:-"-"}, logchain_dst: ${ban_logchain_dst:-"-"}, out_rc: ${out_rc}" - fi - fi - done - out_rc="${out_rc:-"${in_rc}"}" - f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}, out_rc: ${out_rc}" - return "${out_rc}" - ;; - "create") - if [ -z "$("${ban_ipset_cmd}" -q -n list "${src_name}")" ] && - { [ -s "${tmp_file}" ] || [ "${src_name%_*}" = "whitelist" ] || [ "${src_name%_*}" = "blacklist" ]; }; then - max="$(awk 'END{print NR}' "${tmp_file}" 2>/dev/null)" - max=$((max + 262144)) - if [ "${src_name}" = "maclist" ]; then - "${ban_ipset_cmd}" create "${src_name}" hash:mac hashsize 64 maxelem "${max}" counters timeout "${ban_maclist_timeout:-"0"}" - out_rc="${?}" - elif [ "${src_name%_*}" = "whitelist" ]; then - "${ban_ipset_cmd}" create "${src_name}" hash:net hashsize 64 maxelem "${max}" family "${src_ipver}" counters timeout "${ban_whitelist_timeout:-"0"}" - out_rc="${?}" - elif [ "${src_name%_*}" = "blacklist" ]; then - "${ban_ipset_cmd}" create "${src_name}" hash:net hashsize 64 maxelem "${max}" family "${src_ipver}" counters timeout "${ban_blacklist_timeout:-"0"}" - out_rc="${?}" - else - "${ban_ipset_cmd}" create "${src_name}" hash:net hashsize 64 maxelem "${max}" family "${src_ipver}" counters - out_rc="${?}" - fi - elif [ -n "$("${ban_ipset_cmd}" -q -n list "${src_name}")" ]; then - "${ban_ipset_cmd}" -q flush "${src_name}" - out_rc="${?}" - fi - if [ -s "${tmp_file}" ] && [ "${out_rc}" = "0" ]; then - "${ban_ipset_cmd}" -q -! restore <"${tmp_file}" - out_rc="${?}" - if [ "${out_rc}" = "0" ]; then - src_list="$("${ban_ipset_cmd}" -q list "${src_name}")" - cnt="$(printf "%s\n" "${src_list}" | awk '/^Number of entries:/{print $4}')" - cnt_mac="$(printf "%s\n" "${src_list}" | grep -cE "^(([0-9A-Z][0-9A-Z]:){5}[0-9A-Z]{2} )")" - cnt_cidr="$(printf "%s\n" "${src_list}" | grep -cE "(/[0-9]{1,3} )")" - cnt_ip=$((cnt - cnt_cidr - cnt_mac)) - printf "%s\n" "${cnt}" >"${tmp_cnt}" - fi - fi - f_iptables - end_ts="$(date +%s)" - out_rc="${out_rc:-"${in_rc}"}" - f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}, ipver: ${src_ipver:-"-"}, settype: ${src_settype:-"-"}, count(sum/ip/cidr/mac): ${cnt}/${cnt_ip}/${cnt_cidr}/${cnt_mac}, time: $((end_ts - start_ts)), out_rc: ${out_rc}" - return "${out_rc}" - ;; - "refresh") - if [ -n "$("${ban_ipset_cmd}" -q -n list "${src_name}")" ]; then - out_rc=0 - src_list="$("${ban_ipset_cmd}" -q list "${src_name}")" - cnt="$(printf "%s\n" "${src_list}" | awk '/^Number of entries:/{print $4}')" - cnt_mac="$(printf "%s\n" "${src_list}" | grep -cE "^(([0-9A-Z][0-9A-Z]:){5}[0-9A-Z]{2} )")" - cnt_cidr="$(printf "%s\n" "${src_list}" | grep -cE "(/[0-9]{1,3} )")" - cnt_ip=$((cnt - cnt_cidr - cnt_mac)) - printf "%s\n" "${cnt}" >"${tmp_cnt}" - f_iptables - fi - end_ts="$(date +%s)" - out_rc="${out_rc:-"${in_rc}"}" - f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}, count(sum/ip/cidr/mac): ${cnt}/${cnt_ip}/${cnt_cidr}/${cnt_mac}, time: $((end_ts - start_ts)), out_rc: ${out_rc}" - return "${out_rc}" - ;; - "suspend") - for src in ${ban_sources} ${ban_localsources}; do - if [ "${src}" = "maclist" ] && [ -n "$("${ban_ipset_cmd}" -q -n list "${src}")" ]; then - tmp_file="${ban_backupdir}/${src}.file" - "${ban_ipset_cmd}" -q save "${src}" | tail -n +2 >"${tmp_file}" - "${ban_ipset_cmd}" -q flush "${src}" - else - for proto in "4" "6"; do - if [ -n "$("${ban_ipset_cmd}" -q -n list "${src}_${proto}")" ]; then - tmp_file="${ban_backupdir}/${src}_${proto}.file" - "${ban_ipset_cmd}" -q save "${src}_${proto}" | tail -n +2 >"${tmp_file}" - "${ban_ipset_cmd}" -q flush "${src}_${proto}" - fi - done - fi - done - f_log "debug" "f_ipset ::: name: ${src:-"-"}, mode: ${mode:-"-"}" - ;; - "resume") - if [ -f "${ban_backupdir}/${src_name}.file" ]; then - "${ban_ipset_cmd}" -q -! restore <"${ban_backupdir}/${src_name}.file" - out_rc="${?}" - if [ "${out_rc}" = "0" ]; then - rm -f "${ban_backupdir}/${src_name}.file" - src_list="$("${ban_ipset_cmd}" -q list "${src_name}")" - cnt="$(printf "%s\n" "${src_list}" | awk '/^Number of entries:/{print $4}')" - cnt_mac="$(printf "%s\n" "${src_list}" | grep -cE "^(([0-9A-Z][0-9A-Z]:){5}[0-9A-Z]{2} )")" - cnt_cidr="$(printf "%s\n" "${src_list}" | grep -cE "(/[0-9]{1,3} )")" - cnt_ip=$((cnt - cnt_cidr - cnt_mac)) - printf "%s\n" "${cnt}" >"${tmp_cnt}" - fi - f_iptables - fi - end_ts="$(date +%s)" - out_rc="${out_rc:-"${in_rc}"}" - f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}, ipver: ${src_ipver:-"-"}, settype: ${src_settype:-"-"}, count(sum/ip/cidr/mac): ${cnt}/${cnt_ip}/${cnt_cidr}/${cnt_mac}, time: $((end_ts - start_ts)), out_rc: ${out_rc}" - return "${out_rc}" - ;; - "flush") - if [ -n "$("${ban_ipset_cmd}" -q -n list "${src_name}")" ]; then - f_iptables "destroy" - out_rc=0 - fi - out_rc="${out_rc:-"${in_rc}"}" - f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}, out_rc: ${out_rc}" - return "${out_rc}" - ;; - "destroy") - for chain in ${ban_chain} ${ban_logchain_src} ${ban_logchain_dst}; do - if [ -n "$("${ban_ipt4_cmd}" "${timeout}" -nL "${chain}" 2>/dev/null)" ]; then - "${ban_ipt4_savecmd}" | grep -v -- "-j ${chain}" | "${ban_ipt4_restorecmd}" - "${ban_ipt4_cmd}" "${timeout}" -F "${chain}" 2>/dev/null - "${ban_ipt4_cmd}" "${timeout}" -X "${chain}" 2>/dev/null - fi - if [ -n "$("${ban_ipt6_cmd}" "${timeout}" -nL "${chain}" 2>/dev/null)" ]; then - "${ban_ipt6_savecmd}" | grep -v -- "-j ${chain}" | "${ban_ipt6_restorecmd}" - "${ban_ipt6_cmd}" "${timeout}" -F "${chain}" 2>/dev/null - "${ban_ipt6_cmd}" "${timeout}" -X "${chain}" 2>/dev/null - fi - done - for src in ${ban_sources} maclist blacklist whitelist; do - if [ "${src}" = "maclist" ] && [ -n "$("${ban_ipset_cmd}" -q -n list "${src}")" ]; then - "${ban_ipset_cmd}" -q destroy "${src}" - else - for proto in "4" "6"; do - if [ -n "$("${ban_ipset_cmd}" -q -n list "${src}_${proto}")" ]; then - "${ban_ipset_cmd}" -q destroy "${src}_${proto}" - fi - done - fi - done - f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}" - ;; - esac -} - -# write to syslog -# -f_log() { - local class="${1}" log_msg="${2}" - - if [ -n "${log_msg}" ] && { [ "${class}" != "debug" ] || [ "${ban_debug}" = "1" ]; }; then - if [ -x "${ban_logger_cmd}" ]; then - "${ban_logger_cmd}" -p "${class}" -t "banIP-${ban_ver%-*}[${$}]" "${log_msg}" - else - printf "%s %s %s\n" "${class}" "banIP-${ban_ver%-*}[${$}]" "${log_msg}" - fi - if [ "${class}" = "err" ]; then - f_jsnup "error" - f_ipset "destroy" - f_rmbckp - f_rmtmp - exit 1 - fi - fi -} - -# kill all relevant background processes -# -f_pidx() { - local pids ppid="${1}" - - pids="$(pgrep -P "${ppid}" 2>/dev/null | awk '{ORS=" ";print $0}')" - kill -HUP "${ppid}" "${pids}" 2>/dev/null - : >"${ban_bgpidfile}" -} - -# start log service to trace failed ssh/luci logins -# -f_bgsrv() { - local bg_pid action="${1}" - - bg_pid="$(cat "${ban_bgpidfile}" 2>/dev/null)" - if [ "${action}" = "start" ] && [ -x "${ban_logservice}" ] && [ "${ban_monitor_enabled}" = "1" ] && [ "${ban_whitelistonly}" = "0" ]; then - if [ -n "${bg_pid}" ]; then - f_pidx "${bg_pid}" - fi - if printf "%s\n" "${ban_logterms}" | grep -q "dropbear"; then - ban_search="Exit before auth from|" - fi - if printf "%s\n" "${ban_logterms}" | grep -q "sshd"; then - ban_search="${ban_search}error: maximum authentication attempts exceeded|sshd.*Connection closed by.*\[preauth\]|" - fi - if printf "%s\n" "${ban_logterms}" | grep -q "luci"; then - ban_search="${ban_search}luci: failed login|" - fi - if printf "%s\n" "${ban_logterms}" | grep -q "nginx"; then - ban_search="${ban_search}nginx(\[[0-9]+\])?:.*\[error\].*open().*client: [[:alnum:].:]+|" - fi - ( - "${ban_logservice}" "${ban_search%?}" & - printf "%s" "${!}" >"${ban_bgpidfile}" - ) - elif { [ "${action}" = "stop" ] || [ "${ban_monitor_enabled}" = "0" ]; } && [ -n "${bg_pid}" ]; then - f_pidx "${bg_pid}" - fi - f_log "debug" "f_bgsrv ::: action: ${action:-"-"}, bg_pid (old/new): ${bg_pid}/$(cat "${ban_bgpidfile}" 2>/dev/null), monitor_enabled: ${ban_monitor_enabled:-"-"}, log_service: ${ban_logservice:-"-"}" -} - -# download controller -# -f_down() { - local src_name="${1}" proto="${2}" src_ipver="${3}" src_url="${4}" src_rule="${5}" src_comp="${6}" - local ip start_ts end_ts src_settype src_log src_rc tmp_load tmp_file tmp_raw tmp_cnt tmp_err - - start_ts="$(date +%s)" - if printf "%s\n" "${ban_settype_src}" | grep -q "${src_name}"; then - src_settype="src" - elif printf "%s\n" "${ban_settype_dst}" | grep -q "${src_name}"; then - src_settype="dst" - elif printf "%s\n" "${ban_settype_all}" | grep -q "${src_name}"; then - src_settype="src+dst" - else - src_settype="${ban_global_settype}" - fi - src_name="${src_name}_${proto}" - tmp_load="${ban_tmpfile}.${src_name}.load" - tmp_file="${ban_tmpfile}.${src_name}.file" - tmp_raw="${tmp_file}.raw" - tmp_cnt="${tmp_file}.cnt" - tmp_err="${tmp_file}.err" - - # 'resume' mode - # - if [ "${ban_action}" = "resume" ]; then - if [ "${src_name%_*}" = "maclist" ]; then - src_name="maclist" - fi - f_ipset "resume" - src_rc="${?}" - if [ "${src_rc}" = "0" ]; then - return - fi - fi - - # handle local downloads - # - case "${src_name%_*}" in - "blacklist" | "whitelist") - printf "%s\n" "0" >"${tmp_cnt}" - awk "${src_rule}" "${src_url}" >"${tmp_file}" - src_rc="${?}" - if [ "${src_rc}" = "0" ]; then - f_ipset "create" - if [ ! -f "${tmp_dns}" ] && { { [ "${proto}" = "4" ] && [ "${ban_proto4_enabled}" = "1" ]; } || - { [ "${proto}" = "6" ] && [ "${ban_proto6_enabled}" = "1" ] && [ "${ban_proto4_enabled}" = "0" ]; }; }; then - tmp_dns="${ban_tmpbase}/${src_name%_*}.dns" - src_rule="/^([[:alnum:]_-]{1,63}\\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower(\$1)}" - awk "${src_rule}" "${src_url}" >"${tmp_dns}" - src_rc="${?}" - if [ "${src_rc}" = "0" ] && [ -s "${tmp_dns}" ]; then - ("${ban_dnsservice}" "${src_name%_*}" "${tmp_dns}" &) - else - rm -f "${tmp_dns}" - fi - fi - else - f_log "debug" "f_down ::: name: ${src_name}, url: ${src_url}, rule: ${src_rule}, rc: ${src_rc}" - fi - return - ;; - "maclist") - src_name="${src_name%_*}" - tmp_file="${ban_tmpfile}.${src_name}.file" - tmp_cnt="${tmp_file}.cnt" - tmp_err="${tmp_file}.err" - awk "${src_rule}" "${src_url}" >"${tmp_file}" - src_rc="${?}" - if [ "${src_rc}" = "0" ]; then - f_ipset "create" - else - f_log "debug" "f_down ::: name: ${src_name}, url: ${src_url}, rule: ${src_rule}, rc: ${src_rc}" - fi - return - ;; - esac - - # 'refresh' mode - # - if [ "${ban_action}" = "refresh" ]; then - f_ipset "refresh" - src_rc="${?}" - if [ "${src_rc}" = "0" ]; then - return - fi - fi - - # 'start' mode - # - if [ "${ban_action}" = "start" ]; then - f_ipset "restore" - fi - src_rc="${?}" - if [ "${src_rc}" = "0" ]; then - awk "${src_rule}" "${tmp_load}" 2>/dev/null >"${tmp_file}" - src_rc="${?}" - if [ "${src_rc}" = "0" ]; then - f_ipset "create" - src_rc="${?}" - if [ "${src_rc}" = "0" ]; then - return - fi - fi - fi - - # handle country related downloads - # - if [ "${src_name%_*}" = "country" ]; then - for country in ${ban_countries}; do - src_log="$("${ban_fetchutil}" ${ban_fetchparm} "${tmp_raw}" "${src_url}${country}-aggregated.zone" 2>&1)" - src_rc="${?}" - if [ "${src_rc}" = "0" ]; then - cat "${tmp_raw}" 2>/dev/null >>"${tmp_load}" - else - continue - fi - done - - # handle asn related downloads - # - elif [ "${src_name%_*}" = "asn" ]; then - for asn in ${ban_asns}; do - src_log="$("${ban_fetchutil}" ${ban_fetchparm} "${tmp_raw}" "${src_url}AS${asn}" 2>&1)" - src_rc="${?}" - if [ "${src_rc}" = "0" ]; then - cat "${tmp_raw}" 2>/dev/null >>"${tmp_load}" - else - continue - fi - done - - # handle compressed downloads - # - elif [ -n "${src_comp}" ]; then - case "${src_comp}" in - "gz") - src_log="$("${ban_fetchutil}" ${ban_fetchparm} "${tmp_raw}" "${src_url}" 2>&1)" - src_rc="${?}" - if [ "${src_rc}" -eq 0 ]; then - zcat "${tmp_raw}" 2>/dev/null >"${tmp_load}" - src_rc="${?}" - fi - ;; - esac - - # handle normal downloads - # - else - src_log="$("${ban_fetchutil}" ${ban_fetchparm} "${tmp_load}" "${src_url}" 2>&1)" - src_rc="${?}" - fi - - # download post-processing - # - if [ "${src_rc}" = "0" ]; then - f_ipset "backup" - src_rc="${?}" - elif [ "${ban_action}" != "start" ] && [ "${ban_action}" != "refresh" ]; then - f_ipset "restore" - src_rc="${?}" - fi - if [ "${src_rc}" = "0" ]; then - awk "${src_rule}" "${tmp_load}" 2>/dev/null >"${tmp_file}" - src_rc="${?}" - if [ "${src_rc}" = "0" ]; then - f_ipset "create" - src_rc="${?}" - elif [ "${ban_action}" != "refresh" ]; then - f_ipset "refresh" - src_rc="${?}" - fi - else - src_log="$(printf "%s" "${src_log}" | awk '{ORS=" ";print $0}')" - if [ "${ban_action}" != "refresh" ]; then - f_ipset "refresh" - src_rc="${?}" - fi - f_log "debug" "f_down ::: name: ${src_name}, url: ${src_url}, rule: ${src_rule}, rc: ${src_rc}, log: ${src_log:-"-"}" - fi -} - -# main controller -# -f_main() { - local src_name src_url_4 src_rule_4 src_url_6 src_rule_6 src_comp src_rc src_ts log_raw log_merge log_ips log_count hold err_file cnt_file cnt=0 - - # prepare logfile excerpts - # - if [ "${ban_autoblacklist}" = "1" ] || [ "${ban_monitor_enabled}" = "1" ]; then - log_raw="$(${ban_logread_cmd} -l "${ban_loglimit}")" - if printf "%s\n" "${ban_logterms}" | grep -q "dropbear"; then - log_ips="$(printf "%s\n" "${log_raw}" | grep -E "Exit before auth from" | - awk 'match($0,/<[0-9A-f:\.]+:/){printf "%s\n",substr($0,RSTART+1,RLENGTH-2)}' | awk '!seen[$NF]++' | awk '{ORS=" ";print $NF}')" - for ip in ${log_ips}; do - log_count="$(printf "%s\n" "${log_raw}" | grep -cE "Exit before auth from <${ip}")" - if [ "${log_count}" -ge "${ban_ssh_logcount}" ]; then - log_merge="${log_merge} ${ip}" - fi - done - fi - if printf "%s\n" "${ban_logterms}" | grep -q "sshd"; then - log_ips="$(printf "%s\n" "${log_raw}" | grep -E "error: maximum authentication attempts exceeded|sshd.*Connection closed by.*\[preauth\]" | - awk 'match($0,/[0-9A-f:\.]+ port/){printf "%s\n",substr($0,RSTART,RLENGTH-5)}' | awk '!seen[$NF]++' | awk '{ORS=" ";print $NF}')" - for ip in ${log_ips}; do - log_count="$(printf "%s\n" "${log_raw}" | grep -cE "error: maximum authentication attempts exceeded.*${ip}|sshd.*Connection closed by.*${ip}.*\[preauth\]")" - if [ "${log_count}" -ge "${ban_ssh_logcount}" ]; then - log_merge="${log_merge} ${ip}" - fi - done - fi - if printf "%s\n" "${ban_logterms}" | grep -q "luci"; then - log_ips="$(printf "%s\n" "${log_raw}" | grep -E "luci: failed login on " | - awk 'match($0,/[0-9A-f:\.]+$/){printf "%s\n",substr($0,RSTART,RLENGTH)}' | awk '!seen[$NF]++' | awk '{ORS=" ";print $NF}')" - for ip in ${log_ips}; do - log_count="$(printf "%s\n" "${log_raw}" | grep -cE "luci: failed login on .*from ${ip}")" - if [ "${log_count}" -ge "${ban_luci_logcount}" ]; then - log_merge="${log_merge} ${ip}" - fi - done - fi - if printf "%s\n" "${ban_logterms}" | grep -q "nginx"; then - log_ips="$(printf "%s\n" "${log_raw}" | grep -oE "nginx(\[[0-9]+\])?:.*\[error\].*open\(\).*client: [[:alnum:].:]+" | - awk '!seen[$NF]++' | awk '{ORS=" ";print $NF}')" - for ip in ${log_ips}; do - log_count="$(printf "%s\n" "${log_raw}" | grep -cE "nginx(\[[0-9]+\])?:.*\[error\].*open\(\).*client: ${ip}")" - if [ "${log_count}" -ge "${ban_nginx_logcount}" ]; then - log_merge="${log_merge} ${ip}" - fi - done - fi - fi - - # prepare new black- and whitelist entries - # - if [ "${ban_autowhitelist}" = "1" ] && [ -f "${ban_whitelist}" ]; then - for ip in ${ban_subnets}; do - if ! grep -q "${ip}" "${ban_whitelist}"; then - src_ts="# added on $(date "+%d.%m.%Y %H:%M:%S")" - printf "%-42s%s\n" "${ip}" "${src_ts}" >>"${ban_whitelist}" - f_log "info" "IP address '${ip}' added to whitelist" - fi - done - fi - if [ "${ban_autoblacklist}" = "1" ] && [ -f "${ban_blacklist}" ]; then - for ip in ${log_merge}; do - if ! grep -q "${ip}" "${ban_blacklist}"; then - src_ts="# added on $(date "+%d.%m.%Y %H:%M:%S")" - printf "%-42s%s\n" "${ip}" "${src_ts}" >>"${ban_blacklist}" - f_log "info" "IP address '${ip}' added to blacklist" - fi - done - fi - - # initial ipset/iptables creation - # - if ! f_ipset "initial"; then - f_log "err" "banIP processing failed, fatal error during ipset/iptables creation (${ban_sysver})" - fi - - # load local source files (maclist, blacklist, whitelist) - # - for src_name in ${ban_localsources}; do - if [ "${src_name}" = "maclist" ] && [ -s "${ban_maclist}" ]; then - ( - src_rule_4="/^([0-9A-z][0-9A-z]:){5}[0-9A-z]{2}([[:space:]]|$)/{print \"add ${src_name} \"toupper(\$1)}" - f_down "${src_name}" "mac" "mac" "${ban_maclist}" "${src_rule_4}" - ) & - fi - if [ "${ban_proto4_enabled}" = "1" ]; then - if [ "${src_name}" = "blacklist" ] && [ -s "${ban_blacklist}" ] && [ "${ban_whitelistonly}" = "0" ]; then - ( - src_rule_4="/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add ${src_name}_4 \"\$1}" - f_down "${src_name}" "4" "inet" "${ban_blacklist}" "${src_rule_4}" - ) & - elif [ "${src_name}" = "whitelist" ] && [ -s "${ban_whitelist}" ]; then - ( - src_rule_4="/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add ${src_name}_4 \"\$1}" - f_down "${src_name}" "4" "inet" "${ban_whitelist}" "${src_rule_4}" - ) & - fi - else - ( - src_name="${src_name}_4" - f_ipset "flush" - ) & - fi - if [ "${ban_proto6_enabled}" = "1" ]; then - if [ "${src_name}" = "blacklist" ] && [ -s "${ban_blacklist}" ] && [ "${ban_whitelistonly}" = "0" ]; then - ( - src_rule_6="/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{print \"add ${src_name}_6 \"\$1}" - f_down "${src_name}" "6" "inet6" "${ban_blacklist}" "${src_rule_6}" - ) & - elif [ "${src_name}" = "whitelist" ] && [ -s "${ban_whitelist}" ]; then - ( - src_rule_6="/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{print \"add ${src_name}_6 \"\$1}" - f_down "${src_name}" "6" "inet6" "${ban_whitelist}" "${src_rule_6}" - ) & - fi - else - ( - src_name="${src_name}_6" - f_ipset "flush" - ) & - fi - done - wait - - # loop over all external sources - # - if [ "${ban_whitelistonly}" = "0" ]; then - for src_name in ${ban_sources}; do - # get source data from JSON file - # - if ! json_select "${src_name}" >/dev/null 2>&1; then - continue - fi - json_objects="url_4 rule_4 url_6 rule_6 comp" - for object in ${json_objects}; do - eval json_get_var src_${object} '${object}' >/dev/null 2>&1 - done - json_select .. - - # handle external IPv4 source downloads in a subshell - # - if [ "${ban_proto4_enabled}" = "1" ] && [ -n "${src_url_4}" ] && [ -n "${src_rule_4}" ]; then - ( - f_down "${src_name}" "4" "inet" "${src_url_4}" "${src_rule_4}" "${src_comp}" - ) & - fi - - # handle external IPv6 source downloads in a subshell - # - if [ "${ban_proto6_enabled}" = "1" ] && [ -n "${src_url_6}" ] && [ -n "${src_rule_6}" ]; then - ( - f_down "${src_name}" "6" "inet6" "${src_url_6}" "${src_rule_6}" "${src_comp}" - ) & - fi - - # control/limit download queues - # - hold=$((cnt % ban_maxqueue)) - if [ "${hold}" = "0" ]; then - wait - fi - cnt=$((cnt + 1)) - done - wait - fi - - # error out - # - for err_file in "${ban_tmpfile}."*".err"; do - if [ -f "${err_file}" ]; then - f_log "err" "banIP processing failed, fatal iptables errors during subshell processing (${ban_sysver})" - fi - done - - # finish processing - # - ban_sources="" - for cnt_file in "${ban_tmpfile}."*".cnt"; do - if [ -f "${cnt_file}" ]; then - read -r cnt <"${cnt_file}" - ban_cnt=$((ban_cnt + cnt)) - ban_setcnt=$((ban_setcnt + 1)) - src_name="$(printf "%s" "${cnt_file}" | grep -Eo "[a-z0-9_]+.file.cnt")" - src_name="${src_name%%.*}" - if ! printf "%s" "${ban_sources}" | grep -q "${src_name%_*}"; then - ban_sources="${ban_sources} ${src_name%_*}" - ban_allsources="${ban_allsources//${src_name%_*}/}" - fi - fi - done - for src_name in ${ban_allsources}; do - if [ "${src_name}" = "maclist" ]; then - f_ipset "flush" - else - for proto in "4" "6"; do - src_name="${src_name%_*}_${proto}" - f_ipset "flush" - if [ "${src_name%_*}" != "blacklist" ] && [ "${src_name%_*}" != "whitelist" ]; then - f_ipset "remove" - fi - done - fi - done - f_log "info" "${ban_setcnt} IPSets with overall ${ban_cnt} IPs/Prefixes loaded successfully (${ban_sysver})" - f_jsnup - f_rmtmp - f_bgsrv "start" -} - -# query ipsets for certain IP -# -f_query() { - local src proto result query_start query_end query_timeout="30" match="0" search="${1}" - - if [ -z "${search}" ]; then - printf "%s\n" "::: missing search term, please submit a single ip or mac address :::" - else - query_start="$(date "+%s")" - printf "%s\n%s\n%s\n" ":::" "::: search '${search}' in banIP related IPSets" ":::" - - for src in ${ban_localsources} ${ban_sources} ${ban_extrasources}; do - if [ "${src}" = "maclist" ] && [ -n "$("${ban_ipset_cmd}" -q -n list "${src}")" ]; then - result="$( - ipset -q test ${src} ${search} >/dev/null 2>&1 - printf "%u" "${?}" - )" - if [ "${result}" = "0" ]; then - match="1" - printf "%s\n" " - found in IPSet '${src}'" - break - fi - else - for proto in "4" "6"; do - if [ -n "$("${ban_ipset_cmd}" -q -n list "${src}_${proto}")" ]; then - result="$( - ipset -q test ${src}_${proto} ${search} >/dev/null 2>&1 - printf "%u" "${?}" - )" - if [ "${result}" = "0" ]; then - match="1" - printf "%s\n" " - found in IPSet '${src}_${proto}'" - fi - fi - done - fi - query_end="$(date "+%s")" - if [ "$((query_end - query_start))" -gt "${query_timeout}" ]; then - printf "%s\n\n" " - [...]" - break - fi - done - if [ "${match}" = "0" ]; then - printf "%s\n\n" " - no match" - fi - fi -} - -# generate statistics -# -f_report() { - local report_json report_txt bg_pid content proto src src_list detaillist type jsnval jsnvals jsnval1 jsnval2 jsnval3 jsnval4 jsnval5 jsnval6 jsnval7 - local cnt cnt_mac cnt_cidr cnt_ip cnt_acc cnt_sum="0" cnt_set_sum="1" cnt_acc_sum="0" cnt_mac_sum="0" cnt_ip_sum="0" cnt_cidr_sum="0" cnt_set_sum="0" action="${1}" - - report_json="${ban_reportdir}/ban_report.json" - report_txt="${ban_reportdir}/ban_mailreport.txt" - - # build json file - # - if [ "${action}" != "json" ] && { "${ban_ipt4_savecmd}" | grep -q " ${ban_chain} " || "${ban_ipt6_savecmd}" | grep -q " ${ban_chain} "; }; then - : >"${report_json}" - printf "%s\n" "{" >>"${report_json}" - printf "%s\n" '"ipsets": {' >>"${report_json}" - for src in ${ban_localsources} ${ban_sources} ${ban_extrasources}; do - if printf "%s" "${ban_extrasources}" | grep -q "${src}"; then - set_type="n/a" - else - if printf "%s\n" "${ban_settype_src}" | grep -q "${src}"; then - set_type="src" - elif printf "%s\n" "${ban_settype_dst}" | grep -q "${src}"; then - set_type="dst" - elif printf "%s\n" "${ban_settype_all}" | grep -q "${src}"; then - set_type="src+dst" - else - set_type="${ban_global_settype}" - fi - fi - if [ "${src}" = "maclist" ]; then - src_list="$("${ban_ipset_cmd}" -q list "${src}")" - if [ -n "${src_list}" ]; then - cnt="$(printf "%s" "${src_list}" | awk '/^Number of entries:/{print $4}')" - cnt_acc="$(printf "%s" "${src_list}" | grep -cE "packets [1-9]+")" - cnt_acc_sum=$((cnt_acc_sum + cnt_acc)) - cnt_mac_sum="${cnt}" - cnt_sum=$((cnt_sum + cnt)) - { - if [ "${cnt_set_sum}" != "0" ]; then - printf "%s\n" "," - fi - printf "\t%s\n" "\"${src}\": {" - printf "\t\t%s\n" "\"type\": \"${set_type}\"," - printf "\t\t%s\n" "\"count\": \"${cnt}\"," - printf "\t\t%s\n" '"count_ip": "0",' - printf "\t\t%s\n" '"count_cidr": "0",' - printf "\t\t%s\n" "\"count_mac\": \"${cnt}\"," - printf "\t\t%s" "\"count_acc\": \"${cnt_acc}\"" - printf ",\n\t\t%s" '"member_acc": [' - printf "%s" "${src_list}" | awk 'match($0,/ packets [1-9]+/){printf "%s %s\n",$1,substr($0,RSTART+9,RLENGTH-9)}' | - awk 'BEGIN{i=0};{i=i+1;if(i==1){printf "{\n\t\t\t\"member\": \"%s\",\n\t\t\t\"packets\": \"%s\"\n\t\t}",$1,$2} - else{printf ",\n\t\t{\n\t\t\t\"member\": \"%s\",\n\t\t\t\"packets\": \"%s\"\n\t\t}",$1,$2}}' - printf "%s\n" "]" - printf "\t%s" "}" - } >>"${report_json}" - cnt_set_sum=$((cnt_set_sum + 1)) - fi - else - for proto in "4" "6"; do - src_list="$("${ban_ipset_cmd}" -q list "${src}_${proto}")" - if [ -n "${src_list}" ]; then - cnt="$(printf "%s\n" "${src_list}" | awk '/^Number of entries:/{print $4}')" - cnt_cidr="$(printf "%s\n" "${src_list}" | grep -cE "/[0-9]{1,3} ")" - cnt_ip=$((cnt - cnt_cidr - cnt_mac)) - cnt_acc="$(printf "%s\n" "${src_list}" | grep -cE "packets [1-9]+")" - cnt_cidr_sum=$((cnt_cidr_sum + cnt_cidr)) - cnt_ip_sum=$((cnt_ip_sum + cnt_ip)) - cnt_acc_sum=$((cnt_acc_sum + cnt_acc)) - cnt_sum=$((cnt_sum + cnt)) - { - if [ "${cnt_set_sum}" != "0" ]; then - printf "%s\n" "," - fi - printf "\t%s\n" "\"${src}_${proto}\": {" - printf "\t\t%s\n" "\"type\": \"${set_type}\"," - printf "\t\t%s\n" "\"count\": \"${cnt}\"," - printf "\t\t%s\n" "\"count_ip\": \"${cnt_ip}\"," - printf "\t\t%s\n" "\"count_cidr\": \"${cnt_cidr}\"," - printf "\t\t%s\n" '"count_mac": "0",' - printf "\t\t%s" "\"count_acc\": \"${cnt_acc}\"" - printf ",\n\t\t%s" '"member_acc": [' - printf "%s" "${src_list}" | awk 'match($0,/ packets [1-9]+/){printf "%s %s\n",$1,substr($0,RSTART+9,RLENGTH-9)}' | - awk 'BEGIN{i=0};{i=i+1;if(i==1){printf "{\n\t\t\t\"member\": \"%s\",\n\t\t\t\"packets\": \"%s\"\n\t\t}",$1,$2} - else{printf ",\n\t\t{\n\t\t\t\"member\": \"%s\",\n\t\t\t\"packets\": \"%s\"\n\t\t}",$1,$2}}' - printf "%s\n" "]" - printf "\t%s" "}" - } >>"${report_json}" - cnt_set_sum=$((cnt_set_sum + 1)) - fi - done - fi - done - { - printf "\n%s" "}" - printf ",\n%s\n" "\"timestamp\": \"$(date "+%d.%m.%Y %H:%M:%S")\"," - printf "%s\n" "\"cnt_set_sum\": \"${cnt_set_sum}\"," - printf "%s\n" "\"cnt_ip_sum\": \"${cnt_ip_sum}\"," - printf "%s\n" "\"cnt_cidr_sum\": \"${cnt_cidr_sum}\"," - printf "%s\n" "\"cnt_mac_sum\": \"${cnt_mac_sum}\"," - printf "%s\n" "\"cnt_sum\": \"${cnt_sum}\"," - printf "%s\n" "\"cnt_acc_sum\": \"${cnt_acc_sum}\"" - printf "%s\n" "}" - } >>"${report_json}" - fi - - # output preparation - # - if [ -s "${report_json}" ] && { [ "${action}" = "cli" ] || [ "${action}" = "mail" ]; }; then - : >"${report_txt}" - json_init - if json_load_file "${report_json}" >/dev/null 2>&1; then - json_get_var jsnval1 "timestamp" >/dev/null 2>&1 - json_get_var jsnval2 "cnt_set_sum" >/dev/null 2>&1 - json_get_var jsnval3 "cnt_sum" >/dev/null 2>&1 - json_get_var jsnval4 "cnt_ip_sum" >/dev/null 2>&1 - json_get_var jsnval5 "cnt_cidr_sum" >/dev/null 2>&1 - json_get_var jsnval6 "cnt_mac_sum" >/dev/null 2>&1 - json_get_var jsnval7 "cnt_acc_sum" >/dev/null 2>&1 - { - printf "%s\n%s\n%s\n" ":::" "::: report on all banIP related IPSets" ":::" - printf " + %s\n" "Report timestamp ::: ${jsnval1:-"-"}" - printf " + %s\n" "Number of all IPSets ::: ${jsnval2:-"0"}" - printf " + %s\n" "Number of all entries ::: ${jsnval3:-"0"}" - printf " + %s\n" "Number of IP entries ::: ${jsnval4:-"0"}" - printf " + %s\n" "Number of CIDR entries ::: ${jsnval5:-"0"}" - printf " + %s\n" "Number of MAC entries ::: ${jsnval6:-"0"}" - printf " + %s\n" "Number of accessed entries ::: ${jsnval7:-"0"}" - } >>"${report_txt}" - - json_select "ipsets" - json_get_keys ipsetlist - if [ -n "${ipsetlist}" ]; then - { - printf "%s\n%s\n%s\n" ":::" "::: IPSet details" ":::" - printf "%-25s%-12s%-11s%-10s%-10s%-10s%-10s%s\n" " Name" "Type" "Count" "Cnt_IP" "Cnt_CIDR" "Cnt_MAC" "Cnt_ACC" "Entry details (Entry/Count)" - printf "%s\n" " --------------------------------------------------------------------------------------------------------------------" - } >>"${report_txt}" - fi - for ipset in ${ipsetlist}; do - set_info="${ipset}" - acc_info="" - json_select "${ipset}" - json_get_keys detaillist - for detail in ${detaillist}; do - if [ "${detail}" != "member_acc" ]; then - json_get_var jsnval "${detail}" >/dev/null 2>&1 - set_info="${set_info} ${jsnval}" - elif [ "${detail}" = "member_acc" ]; then - index=1 - json_select "${detail}" - while json_get_type type "${index}" && [ "${type}" = "object" ]; do - json_get_values jsnvals "${index}" >/dev/null 2>&1 - acc_info="${acc_info} ${jsnvals}" - index=$((index + 1)) - done - json_select ".." - fi - done - { - printf " %-21s%-12s%-11s%-10s%-10s%-10s%s\n" ${set_info} - if [ -n "${acc_info}" ]; then - printf " %-25s%s\n" ${acc_info} - fi - printf "%s\n" " --------------------------------------------------------------------------------------------------------------------" - } >>"${report_txt}" - json_select ".." - done - content="$(cat "${report_txt}" 2>/dev/null)" - rm -f "${report_txt}" - fi - fi - - # report output - # - if [ "${action}" = "cli" ]; then - printf "%s\n" "${content}" - elif [ "${action}" = "json" ]; then - cat "${ban_reportdir}/ban_report.json" - elif [ "${action}" = "mail" ] && [ "${ban_mail_enabled}" = "1" ] && [ -x "${ban_mailservice}" ]; then - ("${ban_mailservice}" "${content}" >/dev/null 2>&1) & - bg_pid="${!}" - fi - f_log "debug" "f_report ::: action: ${action}, report_json: ${report_json}, report_txt: ${report_txt}, bg_pid: ${bg_pid:-"-"}" -} - -# update runtime information -# -f_jsnup() { - local memory entry runtime cnt_info status="${1:-"enabled"}" - - if [ "${status}" = "enabled" ] || [ "${status}" = "error" ]; then - ban_endtime="$(date "+%s")" - cnt_info="${ban_setcnt} IPSets with ${ban_cnt} IPs/Prefixes" - memory="$(awk '/^MemTotal|^MemFree|^MemAvailable/{ORS="/"; print int($2/1000)}' "/proc/meminfo" 2>/dev/null | awk '{print substr($0,1,length($0)-1)}')" - if [ "$(((ban_endtime - ban_starttime) / 60))" -lt "60" ]; then - runtime="${ban_action}, $(((ban_endtime - ban_starttime) / 60))m $(((ban_endtime - ban_starttime) % 60))s, ${memory:-0}, $(date "+%d.%m.%Y %H:%M:%S")" - else - runtime="${ban_action}, n/a, ${memory:-0}, $(date "+%d.%m.%Y %H:%M:%S")" - fi - fi - - : >"${ban_rtfile}" - json_init - json_load_file "${ban_rtfile}" >/dev/null 2>&1 - json_add_string "status" "${status}" - json_add_string "version" "${ban_ver}" - json_add_string "ipset_info" "${cnt_info:-"-"}" - json_add_array "active_sources" - if [ "${status}" = "running" ] || [ "${status}" = "error" ]; then - json_add_object - json_add_string "source" "-" - json_close_object - else - for entry in ${ban_sources}; do - json_add_object - json_add_string "source" "${entry}" - json_close_object - done - fi - json_close_array - json_add_array "active_devs" - for entry in ${ban_devs}; do - json_add_object - json_add_string "dev" "${entry}" - json_close_object - done - json_close_array - json_add_array "active_ifaces" - for entry in ${ban_ifaces}; do - json_add_object - json_add_string "iface" "${entry}" - json_close_object - done - json_close_array - json_add_array "active_logterms" - for entry in ${ban_logterms}; do - json_add_object - json_add_string "term" "${entry}" - json_close_object - done - json_close_array - json_add_array "active_subnets" - for entry in ${ban_subnets}; do - json_add_object - json_add_string "subnet" "${entry}" - json_close_object - done - json_close_array - json_add_string "run_infos" "settype: ${ban_global_settype}, backup_dir: ${ban_backupdir}, report_dir: ${ban_reportdir}" - json_add_string "run_flags" "protocols (4/6): $(f_char ${ban_proto4_enabled})/$(f_char ${ban_proto6_enabled}), log (src/dst): $(f_char ${ban_logsrc_enabled})/$(f_char ${ban_logdst_enabled}), monitor: $(f_char ${ban_monitor_enabled}), mail: $(f_char ${ban_mail_enabled}), whitelist only: $(f_char ${ban_whitelistonly})" - json_add_string "last_run" "${runtime:-"-"}" - json_add_string "system" "${ban_sysver}" - json_dump >"${ban_rtfile}" - - if [ "${ban_mail_enabled}" = "1" ] && [ -x "${ban_mailservice}" ] && { [ "${status}" = "error" ] || - { [ "${status}" = "enabled" ] && { [ -z "${ban_mailactions}" ] || printf "%s\n" "${ban_mailactions}" | grep -q "${ban_action}"; }; }; }; then - ("${ban_mailservice}" "${ban_ver}" >/dev/null 2>&1) & - bg_pid="${!}" - fi - f_log "debug" "f_jsnup ::: status: ${status:-"-"}, action: ${ban_action}, mail_enabled: ${ban_mail_enabled}, mail_actions: ${ban_mailactions}, mail_service: ${ban_mailservice}, mail_pid: ${bg_pid:-"-"}" -} - -# source required system libraries -# -if [ -r "/lib/functions.sh" ] && [ -r "/lib/functions/network.sh" ] && [ -r "/usr/share/libubox/jshn.sh" ]; then - . "/lib/functions.sh" - . "/lib/functions/network.sh" - . "/usr/share/libubox/jshn.sh" -else - f_log "err" "system libraries not found" -fi - -if [ "${ban_action}" = "suspend" ] || [ "${ban_action}" = "resume" ] || - [ "${ban_action}" = "report" ] || [ "${ban_action}" = "query" ]; then - json_init - json_load_file "${ban_rtfile}" >/dev/null 2>&1 - json_get_var ban_status "status" -fi - -# handle different banIP actions -# -f_load -case "${ban_action}" in - "stop") - f_bgsrv "stop" - f_ipset "destroy" - f_jsnup "stopped" - f_rmbckp - ;; - "restart") - f_ipset "destroy" - f_rmbckp - f_env - f_main - ;; - "suspend") - if [ "${ban_status}" = "enabled" ] && [ "${ban_whitelistonly}" = "0" ]; then - f_bgsrv "stop" - f_jsnup "running" - f_ipset "suspend" - f_jsnup "paused" - fi - f_rmtmp - ;; - "resume") - if [ "${ban_status}" = "paused" ] && [ "${ban_whitelistonly}" = "0" ]; then - f_env - f_main - else - f_rmtmp - fi - ;; - "query") - if [ "${ban_status}" = "enabled" ]; then - f_query "${2}" - fi - ;; - "report") - if [ "${ban_status}" = "enabled" ] || [ "${2}" = "json" ]; then - f_report "${2}" - fi - ;; - "start" | "reload" | "refresh") - f_env - f_main - ;; -esac diff --git a/net/banip/files/banip.sources b/net/banip/files/banip.sources deleted file mode 100644 index 5597c06a6..000000000 --- a/net/banip/files/banip.sources +++ /dev/null @@ -1,191 +0,0 @@ -{ - "asn": { - "url_4": "https://asn.ipinfo.app/api/text/list/", - "url_6": "https://asn.ipinfo.app/api/text/list/", - "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add asn_4 \"$1}", - "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{print \"add asn_6 \"$1}", - "focus": "ASN blocks", - "descurl": "https://asn.ipinfo.app" - }, - "bogon": { - "url_4": "https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt", - "url_6": "https://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt", - "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add bogon_4 \"$1}", - "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{print \"add bogon_6 \"$1}", - "focus": "Bogon prefixes", - "descurl": "https://team-cymru.com" - }, - "country": { - "url_4": "http://www.ipdeny.com/ipblocks/data/aggregated/", - "url_6": "http://www.ipdeny.com/ipv6/ipaddresses/aggregated/", - "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add country_4 \"$1}", - "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{print \"add country_6 \"$1}", - "focus": "Country blocks", - "descurl": "http://www.ipdeny.com/ipblocks" - }, - "darklist": { - "url_4": "https://darklist.de/raw.php", - "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add darklist_4 \"$1}", - "focus": "Blocks suspicious attacker IPs", - "descurl": "https://darklist.de" - }, - "debl": { - "url_4": "https://www.blocklist.de/downloads/export-ips_all.txt", - "url_6": "https://www.blocklist.de/downloads/export-ips_all.txt", - "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add debl_4 \"$1}", - "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{print \"add debl_6 \"$1}", - "focus": "Fail2ban IP blacklist", - "descurl": "https://www.blocklist.de" - }, - "doh": { - "url_4": "https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv4.txt", - "url_6": "https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv6.txt", - "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add doh_4 \"$1}", - "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{print \"add doh_6 \"$1}", - "focus": "Public DoH-Provider", - "descurl": "https://github.com/dibdot/DoH-IP-blocklists" - }, - "drop": { - "url_4": "https://www.spamhaus.org/drop/drop.txt", - "url_6": "https://www.spamhaus.org/drop/dropv6.txt", - "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add drop_4 \"$1}", - "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{print \"add drop_6 \"$1}", - "focus": "Spamhaus drop compilation", - "descurl": "https://www.spamhaus.org" - }, - "dshield": { - "url_4": "https://feeds.dshield.org/block.txt", - "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add dshield_4 \"$1 \"/\"$3}", - "focus": "Dshield IP blocklist", - "descurl": "https://www.dshield.org" - }, - "edrop": { - "url_4": "https://www.spamhaus.org/drop/edrop.txt", - "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add edrop_4 \"$1}", - "focus": "Spamhaus edrop compilation", - "descurl": "https://www.spamhaus.org" - }, - "feodo": { - "url_4": "https://feodotracker.abuse.ch/downloads/ipblocklist.txt", - "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add feodo_4 \"$1}", - "focus": "Feodo Tracker", - "descurl": "https://feodotracker.abuse.ch" - }, - "firehol1": { - "url_4": "https://iplists.firehol.org/files/firehol_level1.netset", - "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add firehol1_4 \"$1}", - "focus": "Firehol Level 1 compilation", - "descurl": "https://iplists.firehol.org/?ipset=firehol_level1" - }, - "firehol2": { - "url_4": "https://iplists.firehol.org/files/firehol_level2.netset", - "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add firehol2_4 \"$1}", - "focus": "Firehol Level 2 compilation", - "descurl": "https://iplists.firehol.org/?ipset=firehol_level2" - }, - "firehol3": { - "url_4": "https://iplists.firehol.org/files/firehol_level3.netset", - "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add firehol3_4 \"$1}", - "focus": "Firehol Level 3 compilation", - "descurl": "https://iplists.firehol.org/?ipset=firehol_level3" - }, - "firehol4": { - "url_4": "https://iplists.firehol.org/files/firehol_level4.netset", - "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add firehol4_4 \"$1}", - "focus": "Firehol Level 4 compilation", - "descurl": "https://iplists.firehol.org/?ipset=firehol_level4" - }, - "greensnow": { - "url_4": "https://blocklist.greensnow.co/greensnow.txt", - "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add greensnow_4 \"$1}", - "focus": "Blocks suspicious server IPs", - "descurl": "https://greensnow.co" - }, - "iblockads": { - "url_4": "https://list.iblocklist.com/?list=dgxtneitpuvgqqcpfulq&fileformat=cidr&archiveformat=gz", - "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add iblockads_4 \"$1}", - "focus": "Advertising blocklist", - "descurl": "https://www.iblocklist.com", - "comp": "gz" - }, - "iblockspy": { - "url_4": "https://list.iblocklist.com/?list=llvtlsjyoyiczbkjsxpf&fileformat=cidr&archiveformat=gz", - "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add iblockspy_4 \"$1}", - "focus": "Malicious spyware blocklist", - "descurl": "https://www.iblocklist.com", - "comp": "gz" - }, - "myip": { - "url_4": "https://myip.ms/files/blacklist/general/latest_blacklist.txt", - "url_6": "https://myip.ms/files/blacklist/general/latest_blacklist.txt", - "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add myip_4 \"$1}", - "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{print \"add myip_6 \"$1}", - "focus": "Myip Live IP blacklist", - "descurl": "https://myip.ms" - }, - "nixspam": { - "url_4": "http://www.dnsbl.manitu.net/download/nixspam-ip.dump.gz", - "rule_4": "/(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add nixspam_4 \"$2}", - "focus": "iX spam protection", - "descurl": "http://www.nixspam.org", - "comp": "gz" - }, - "proxy": { - "url_4": "https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/proxylists.ipset", - "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add proxy_4 \"$1}", - "focus": "Firehol list of open proxies", - "descurl": "https://iplists.firehol.org/?ipset=proxylists" - }, - "sslbl": { - "url_4": "https://sslbl.abuse.ch/blacklist/sslipblacklist.csv", - "rule_4": "BEGIN{FS=\",\"}/(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)/{print \"add sslbl_4 \"$2}", - "focus": "SSL botnet IP blacklist", - "descurl": "https://sslbl.abuse.ch" - }, - "talos": { - "url_4": "https://www.talosintelligence.com/documents/ip-blacklist", - "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add talos_4 \"$1}", - "focus": "Cisco Talos IP Blacklist", - "descurl": "https://talosintelligence.com/reputation_center" - }, - "threat": { - "url_4": "https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt", - "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add threat_4 \"$1}", - "focus": "Emerging Threats", - "descurl": "https://rules.emergingthreats.net" - }, - "tor": { - "url_4": "https://lists.fissionrelays.net/tor/exits-ipv4.txt", - "url_6": "https://lists.fissionrelays.net/tor/exits-ipv6.txt", - "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add tor_4 \"$1}", - "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{print \"add tor_6 \"$1}", - "focus": "Tor exit nodes", - "descurl": "https://fissionrelays.net/lists" - }, - "uceprotect1": { - "url_4": "http://wget-mirrors.uceprotect.net/rbldnsd-all/dnsbl-1.uceprotect.net.gz", - "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{print \"add uceprotect1_4 \"$1}", - "focus": "Spam protection level 1", - "descurl": "http://www.uceprotect.net/en/index.php", - "comp": "gz" - }, - "uceprotect2": { - "url_4": "http://wget-mirrors.uceprotect.net/rbldnsd-all/dnsbl-2.uceprotect.net.gz", - "rule_4": "BEGIN{IGNORECASE=1}/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]+NET[[:space:]]+)/{print \"add uceprotect2_4 \"$1}", - "focus": "Spam protection level 2", - "descurl": "http://www.uceprotect.net/en/index.php", - "comp": "gz" - }, - "voip": { - "url_4": "http://www.voipbl.org/update/", - "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add voip_4 \"$1}", - "focus": "VoIP fraud blocklist", - "descurl": "http://www.voipbl.org" - }, - "yoyo": { - "url_4": "https://pgl.yoyo.org/adservers/iplist.php?ipformat=plain&showintro=0&mimetype=plaintext", - "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add yoyo_4 \"$1}", - "focus": "Ad protection blacklist", - "descurl": "https://pgl.yoyo.org/adservers/" - } -} diff --git a/net/banip/files/banip.tpl b/net/banip/files/banip.tpl new file mode 100644 index 000000000..9a614d026 --- /dev/null +++ b/net/banip/files/banip.tpl @@ -0,0 +1,24 @@ +# banIP mail template/include +# Copyright (c) 2020-2023 Dirk Brenken (dev@brenken.org) +# This is free software, licensed under the GNU General Public License v3. + +# info preparation +# +local banip_info report_info log_info system_info mail_text + +banip_info="$(/etc/init.d/banip status 2>/dev/null)" +report_info="$(cat ${ban_reportdir}/ban_report.txt 2>/dev/null)" +log_info="$("${ban_logreadcmd}" -l 100 -e "banIP_" 2>/dev/null | awk '{NR=1;max=120;if(length($0)>max+1)while($0){if(NR==1){print substr($0,1,max)}else{print substr($0,1,max)}{$0=substr($0,max+1);NR=NR+1}}else print}')" +system_info="$( + strings /etc/banner 2>/dev/null + ubus call system board | awk 'BEGIN{FS="[{}\"]"}{if($2=="kernel"||$2=="hostname"||$2=="system"||$2=="model"||$2=="description")printf " + %-12s: %s\n",$2,$4}' +)" + +# mail body +# +mail_text="$(printf "%s\n" "
")"
+mail_text="$(printf "%s\n" "${mail_text}\n++\n++ System Information ++\n++\n${system_info:-"-"}")"
+mail_text="$(printf "%s\n" "${mail_text}\n\n++\n++ banIP Status ++\n++\n${banip_info:-"-"}")"
+mail_text="$(printf "%s\n" "${mail_text}\n\n++\n++ banIP Report ++\n++\n${report_info:-"-"}")"
+mail_text="$(printf "%s\n" "${mail_text}\n\n++\n++ Logfile Information ++\n++\n${log_info}")"
+mail_text="$(printf "%s\n" "${mail_text}
")" diff --git a/net/banip/files/banip.whitelist b/net/banip/files/banip.whitelist deleted file mode 100644 index e69de29bb..000000000 From 53bb5cc13ecee439a92f643720f4c0a65db5b10c Mon Sep 17 00:00:00 2001 From: Michael Heimpold Date: Sat, 18 Feb 2023 22:18:07 +0100 Subject: [PATCH 15/28] libgpiod: update to 1.6.4 Signed-off-by: Michael Heimpold --- libs/libgpiod/Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/libs/libgpiod/Makefile b/libs/libgpiod/Makefile index 9859dca27..ef15288b1 100644 --- a/libs/libgpiod/Makefile +++ b/libs/libgpiod/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=libgpiod -PKG_VERSION:=1.6.3 -PKG_RELEASE:=2 +PKG_VERSION:=1.6.4 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=@KERNEL/software/libs/libgpiod/ -PKG_HASH:=841be9d788f00bab08ef22c4be5c39866f0e46cb100a3ae49ed816ac9c5dddc7 +PKG_HASH:=7b146e12f28fbca3df7557f176eb778c5ccf952ca464698dba8a61b2e1e3f9b5 PKG_MAINTAINER:=Michael Heimpold PKG_LICENSE:=LGPL-2.1-or-later From 587cd4d0d7dbce12b4ba031477739f070a7c5873 Mon Sep 17 00:00:00 2001 From: Stan Grishin Date: Sun, 19 Feb 2023 05:09:32 +0000 Subject: [PATCH 16/28] simple-adblock: implement procd_boot_wan_timeout support * implement procd_boot_wan_timeout support * update config with oisd ABPlus and domains lists Signed-off-by: Stan Grishin --- net/simple-adblock/Makefile | 2 +- net/simple-adblock/files/simple-adblock.conf | 25 ++++++++++++++++++-- net/simple-adblock/files/simple-adblock.init | 14 ++++++----- 3 files changed, 32 insertions(+), 9 deletions(-) diff --git a/net/simple-adblock/Makefile b/net/simple-adblock/Makefile index 012b84fe2..abd030998 100644 --- a/net/simple-adblock/Makefile +++ b/net/simple-adblock/Makefile @@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=simple-adblock PKG_VERSION:=1.9.4 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_MAINTAINER:=Stan Grishin PKG_LICENSE:=GPL-3.0-or-later diff --git a/net/simple-adblock/files/simple-adblock.conf b/net/simple-adblock/files/simple-adblock.conf index 03b016fe1..46518c6ee 100644 --- a/net/simple-adblock/files/simple-adblock.conf +++ b/net/simple-adblock/files/simple-adblock.conf @@ -27,6 +27,7 @@ config simple-adblock 'config' option led 'none' option parallel_downloads '1' option procd_trigger_wan6 '0' + option procd_boot_wan_timeout '60' option verbosity '2' # File size: 16.0K @@ -71,9 +72,29 @@ config simple-adblock 'config' # enabling this will disable processing of any other block/allow-lists # option dnsmasq_config_file_url 'https://dnsmasq.oisd.nl/' -# File size: 19.0M +# File size: 1.4M # block-list too big for most routers -# list blocked_domains_url 'https://dbl.oisd.nl/' +# list blocked_adblockplus_url 'https://small.oisd.nl/' + +# File size: 6.2M +# block-list too big for most routers +# list blocked_adblockplus_url 'https://nsfw.oisd.nl/' + +# File size: 6.2M +# block-list too big for most routers +# list blocked_adblockplus_url 'https://big.oisd.nl/' + +# File size: 1.5M +# block-list too big for most routers +# list blocked_domains_url 'https://small.oisd.nl/domains' + +# File size: 7.8M +# block-list too big for most routers +# list blocked_domains_url 'https://nsfw.oisd.nl/domains' + +# File size: 19.9M +# block-list too big for most routers +# list blocked_domains_url 'https://big.oisd.nl/domains' # site was down on last check # list blocked_domains_url 'http://support.it-mate.co.uk/downloads/hosts.txt' diff --git a/net/simple-adblock/files/simple-adblock.init b/net/simple-adblock/files/simple-adblock.init index 0876e218c..10fb29532 100644 --- a/net/simple-adblock/files/simple-adblock.init +++ b/net/simple-adblock/files/simple-adblock.init @@ -210,17 +210,17 @@ output() { load_network() { local param="$1" local i j wan_if wan_gw wan_proto - local counter wan_if_timeout='20' wan_gw_timeout='5' + local counter wan_if_timeout="$procd_boot_wan_timeout" wan_gw_timeout='5' counter=0 while [ -z "$wan_if" ]; do network_flush_cache network_find_wan wan_if if [ -n "$wan_if" ]; then - output "WAN Interface found: '${wan_if}'.\\n" + output "WAN interface found: '${wan_if}'.\\n" break fi if [ "$counter" -gt "$wan_if_timeout" ]; then - output "WAN Interface timeout, assuming 'wan'.\\n" + output "WAN interface timeout, assuming 'wan'.\\n" wan_if='wan' break fi @@ -238,11 +238,11 @@ load_network() { network_flush_cache network_get_gateway wan_gw "$wan_if" if [ -n "$wan_gw" ]; then - output "WAN Gateway found: '${wan_gw}.'\\n" + output "WAN gateway found: '${wan_gw}.'\\n" return 0 fi counter=$((counter+1)) - output "Waiting to discover $wan_if Gateway...\\n" + output "Waiting to discover $wan_if gateway...\\n" sleep 1 done json add error "errorNoWanGateway" @@ -1573,11 +1573,12 @@ load_validate_config() { local canary_domains_mozilla local config_update_enabled local config_update_url - local boot_delay local download_timeout local curl_max_file_size local curl_retry local verbosity + local procd_trigger_wan6 + local procd_boot_wan_timeout local led local dns local dns_instance @@ -1606,6 +1607,7 @@ load_validate_config() { 'curl_retry:range(0,30):3' \ 'verbosity:range(0,2):2' \ 'procd_trigger_wan6:bool:0' \ + 'procd_boot_wan_timeout:integer:60' \ 'led:or("", "none", file, device, string)' \ 'dns:or("dnsmasq.addnhosts", "dnsmasq.conf", "dnsmasq.ipset", "dnsmasq.nftset", "dnsmasq.servers", "unbound.adb_list"):dnsmasq.servers' \ 'dns_instance:or(list(integer, string)):0' \ From 2bb10d0c2c9a2517acea9cadeaf2d390066f72f4 Mon Sep 17 00:00:00 2001 From: Stan Grishin Date: Sun, 19 Feb 2023 20:22:32 +0000 Subject: [PATCH 17/28] simple-adblock: bugfix: ensure directory for jsonFile is created Signed-off-by: Stan Grishin --- net/simple-adblock/Makefile | 2 +- net/simple-adblock/files/simple-adblock.init | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/net/simple-adblock/Makefile b/net/simple-adblock/Makefile index abd030998..bb4852502 100644 --- a/net/simple-adblock/Makefile +++ b/net/simple-adblock/Makefile @@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=simple-adblock PKG_VERSION:=1.9.4 -PKG_RELEASE:=2 +PKG_RELEASE:=3 PKG_MAINTAINER:=Stan Grishin PKG_LICENSE:=GPL-3.0-or-later diff --git a/net/simple-adblock/files/simple-adblock.init b/net/simple-adblock/files/simple-adblock.init index 10fb29532..1522569ab 100644 --- a/net/simple-adblock/files/simple-adblock.init +++ b/net/simple-adblock/files/simple-adblock.init @@ -409,7 +409,7 @@ load_environment() { ;; esac - for i in "$outputFile" "$outputCache" "$outputGzip"; do + for i in "$jsonFile" "$outputFile" "$outputCache" "$outputGzip"; do if ! mkdir -p "$(dirname "$i")"; then if [ "$param" != 'quiet' ]; then json add error "errorOutputDirCreate" "$i" @@ -668,6 +668,7 @@ json() { json_add_string reload "$reload" json_add_string restart "$restart" json_close_object + mkdir -p "$(dirname "$jsonFile")" json_dump > "$jsonFile" sync } From ed6fe528c1efc549891144967eefe51a73999511 Mon Sep 17 00:00:00 2001 From: Glenn Strauss Date: Fri, 20 Jan 2023 20:07:36 -0500 Subject: [PATCH 18/28] lighttpd: add lighttpd-mod-webdav_min package add lighttpd-mod-webdav_min package alternative to lighttpd-mod-webdav lighttpd-mod-webdav_min is more minimal than full lighttpd-mod-webdav. lighttpd-mod-webdav_min does not support PROPPATCH, LOCK, UNLOCK, and by not supporting those methods, removes dependencies on libxml2, libsqlite3, and libuuid. Signed-off-by: Glenn Strauss --- net/lighttpd/Makefile | 1 + .../patches/020-meson-mod_webdav_min.patch | 28 +++++++++++++++++++ 2 files changed, 29 insertions(+) create mode 100644 net/lighttpd/patches/020-meson-mod_webdav_min.patch diff --git a/net/lighttpd/Makefile b/net/lighttpd/Makefile index 86915d1ce..bd3ef7e71 100644 --- a/net/lighttpd/Makefile +++ b/net/lighttpd/Makefile @@ -270,6 +270,7 @@ $(eval $(call BuildPlugin,vhostdb_ldap,Virtual Host Database (LDAP),lighttpd-mod $(eval $(call BuildPlugin,vhostdb_mysql,Virtual Host Database (MariaDB),lighttpd-mod-vhostdb +PACKAGE_lighttpd-mod-vhostdb_mysql:libmariadb,30)) $(eval $(call BuildPlugin,vhostdb_pgsql,Virtual Host Database (PostgreSQL),lighttpd-mod-vhostdb +PACKAGE_lighttpd-mod-vhostdb_pgsql:libpq,30)) $(eval $(call BuildPlugin,webdav,WebDAV,+PACKAGE_lighttpd-mod-webdav:libsqlite3 +PACKAGE_lighttpd-mod-webdav:libuuid +PACKAGE_lighttpd-mod-webdav:libxml2,30)) +$(eval $(call BuildPlugin,webdav_min,WebDAV,,30)) $(eval $(call BuildPlugin,wolfssl,TLS using wolfssl,@LIGHTTPD_SSL +PACKAGE_lighttpd-mod-wolfssl:libwolfssl,30)) $(eval $(call BuildPlugin,wstunnel,Websocket tunneling,$(if $(cryptolib),+PACKAGE_lighttpd-mod-wstunnel:$(cryptolib),),30)) diff --git a/net/lighttpd/patches/020-meson-mod_webdav_min.patch b/net/lighttpd/patches/020-meson-mod_webdav_min.patch new file mode 100644 index 000000000..6c7ab078e --- /dev/null +++ b/net/lighttpd/patches/020-meson-mod_webdav_min.patch @@ -0,0 +1,28 @@ +From fe6895e5eb2c17ddad6e95faaac7d56d4dd73256 Mon Sep 17 00:00:00 2001 +From: Glenn Strauss +Date: Fri, 20 Jan 2023 18:48:14 -0500 +Subject: [PATCH] [meson] mod_webdav_min w/o deps: xml2 sqlite3 uuid + +--- + src/meson.build | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/src/meson.build ++++ b/src/meson.build +@@ -865,6 +865,16 @@ if libsasl.found() + ] + endif + ++modules += [ ++ [ 'mod_webdav_min', [ 'mod_webdav.c' ], ++ [ libelftc, ++ declare_dependency(compile_args: [ ++ '-DMOD_WEBDAV_BUILD_MINIMAL', ++ '-Dmod_webdav_plugin_init=mod_webdav_min_plugin_init' ] ) ++ ] ++ ] ++] ++ + foreach mod: modules + mod_name = mod.get(0) + mod_sources = mod.get(1) From c5297aca299524a0a2e44a40eebc85f06133784d Mon Sep 17 00:00:00 2001 From: Glenn Strauss Date: Fri, 20 Jan 2023 20:13:39 -0500 Subject: [PATCH 19/28] lighttpd: remove patch included upstream Signed-off-by: Glenn Strauss --- net/lighttpd/patches/020-meson-tests.patch | 19 ------------------- 1 file changed, 19 deletions(-) delete mode 100644 net/lighttpd/patches/020-meson-tests.patch diff --git a/net/lighttpd/patches/020-meson-tests.patch b/net/lighttpd/patches/020-meson-tests.patch deleted file mode 100644 index c7db6efa1..000000000 --- a/net/lighttpd/patches/020-meson-tests.patch +++ /dev/null @@ -1,19 +0,0 @@ -From d809433d6d900e899f796606b11bdc6a73413ac5 Mon Sep 17 00:00:00 2001 -From: Glenn Strauss -Date: Tue, 3 Jan 2023 17:50:16 -0500 -Subject: [PATCH] [meson] remove t/test_mod_evasive.c - ---- - src/meson.build | 1 - - 1 file changed, 1 deletion(-) - ---- a/src/meson.build -+++ b/src/meson.build -@@ -721,7 +721,6 @@ test('test_mod', executable('test_mod', - 't/test_mod.c', - 't/test_mod_access.c', - 't/test_mod_alias.c', -- 't/test_mod_evasive.c', - 't/test_mod_evhost.c', - 't/test_mod_indexfile.c', - 't/test_mod_simple_vhost.c', From 8f2fbf093a42040dcc226dee4fcd493a215645ed Mon Sep 17 00:00:00 2001 From: Glenn Strauss Date: Sun, 12 Feb 2023 00:29:06 -0500 Subject: [PATCH 20/28] lighttpd: update to lighttpd 1.4.69 release hash Signed-off-by: Glenn Strauss --- net/lighttpd/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/lighttpd/Makefile b/net/lighttpd/Makefile index bd3ef7e71..e021fcbc7 100644 --- a/net/lighttpd/Makefile +++ b/net/lighttpd/Makefile @@ -8,14 +8,14 @@ include $(TOPDIR)/rules.mk PKG_NAME:=lighttpd -PKG_VERSION:=1.4.68 +PKG_VERSION:=1.4.69 PKG_RELEASE:=1 # release candidate ~rcX testing; remove for release #PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION) PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=https://download.lighttpd.net/lighttpd/releases-1.4.x -PKG_HASH:=e56f37ae52b63e1ada4d76ce78005affb6e56eea2f6bdb0ce17d6d36e9583384 +PKG_HASH:=16ac8db95e719629ba61949b99f8a26feba946a81d185215b28379bb4116b0b4 PKG_MAINTAINER:=W. Michael Petullo PKG_LICENSE:=BSD-3-Clause From 94512aba16e9bf4bc4a6dbc18bf67cbd97e035a6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan=20H=C3=A1k?= Date: Mon, 13 Feb 2023 15:35:42 +0100 Subject: [PATCH 21/28] knot: update to version 3.2.5 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Jan Hák --- net/knot/Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/net/knot/Makefile b/net/knot/Makefile index a19efe260..1515dd4b9 100644 --- a/net/knot/Makefile +++ b/net/knot/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=knot -PKG_VERSION:=3.2.4 -PKG_RELEASE:=2 +PKG_VERSION:=3.2.5 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=https://secure.nic.cz/files/knot-dns/ -PKG_HASH:=299e8de918f9fc7ecbe625b41cb085e47cdda542612efbd51cd5ec60deb9dd13 +PKG_HASH:=c6b122e92baa179d09ba4c8ce5b0d42fb7475805f4ff9c81d5036acfaa161820 PKG_MAINTAINER:=Daniel Salzman PKG_LICENSE:=GPL-3.0 LGPL-2.0 0BSD BSD-3-Clause OLDAP-2.8 From b50383e4d9daa313d55dcc42c19ce0b4d3725aea Mon Sep 17 00:00:00 2001 From: Dirk Brenken Date: Mon, 20 Feb 2023 19:17:16 +0100 Subject: [PATCH 22/28] banip: update 0.8.0-2 * fix a potential race condition during initial startup (after flash) which leads to a "disabled" service Signed-off-by: Dirk Brenken --- net/banip/Makefile | 2 +- net/banip/files/banip.init | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/net/banip/Makefile b/net/banip/Makefile index a816ec858..5070d8aa6 100644 --- a/net/banip/Makefile +++ b/net/banip/Makefile @@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=banip PKG_VERSION:=0.8.0 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_LICENSE:=GPL-3.0-or-later PKG_MAINTAINER:=Dirk Brenken diff --git a/net/banip/files/banip.init b/net/banip/files/banip.init index ab126f230..61639acfb 100755 --- a/net/banip/files/banip.init +++ b/net/banip/files/banip.init @@ -18,8 +18,8 @@ ban_funlib="/usr/lib/banip-functions.sh" ban_pidfile="/var/run/banip.pid" ban_lock="/var/run/banip.lock" -[ ! -r "${ban_funlib}" ] && exit 1 [ "${action}" = "stop" ] && ! /etc/init.d/banip running && exit 0 +[ ! -r "${ban_funlib}" ] && { [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "stop" ] || [ "${action}" = "report" ] || [ "${action}" = "search" ] || [ "${action}" = "status" ]; } && exit 1 [ -d "${ban_lock}" ] && { [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ]; } && exit 1 [ ! -d "${ban_lock}" ] && { [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ]; } && mkdir -p "${ban_lock}" From 92a696d960814d451c53b9311aa88b1d62371443 Mon Sep 17 00:00:00 2001 From: Lucian Cristian Date: Mon, 20 Feb 2023 15:02:05 +0000 Subject: [PATCH 23/28] nss: update to 3.88.1 Signed-off-by: Lucian Cristian --- libs/nss/Makefile | 4 ++-- libs/nss/patches/010-nanosleep.patch | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/libs/nss/Makefile b/libs/nss/Makefile index af399852c..c34bbc012 100644 --- a/libs/nss/Makefile +++ b/libs/nss/Makefile @@ -7,14 +7,14 @@ include $(TOPDIR)/rules.mk PKG_NAME:=nss -PKG_VERSION:=3.85 +PKG_VERSION:=3.88.1 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:= \ https://download.cdn.mozilla.net/pub/security/$(PKG_NAME)/releases/NSS_$(subst .,_,$(PKG_VERSION))_RTM/src \ https://archive.mozilla.org/pub/security/$(PKG_NAME)/releases/NSS_$(subst .,_,$(PKG_VERSION))_RTM/src -PKG_HASH:=afd9d64510b1154debbd6cab3571e9ff64a3373898e03483e4c85cdada13d297 +PKG_HASH:=27d243edf87d1cf1bb9c861f03d387e0e9230ce5017f4308c941f558b54b3496 PKG_MAINTAINER:=Lucian Cristian PKG_LICENCE:=MPL-2.0 diff --git a/libs/nss/patches/010-nanosleep.patch b/libs/nss/patches/010-nanosleep.patch index 36f67b708..ed5bfd05d 100644 --- a/libs/nss/patches/010-nanosleep.patch +++ b/libs/nss/patches/010-nanosleep.patch @@ -1,6 +1,6 @@ --- a/nss/lib/freebl/stubs.c +++ b/nss/lib/freebl/stubs.c -@@ -500,7 +500,8 @@ extern PRStatus +@@ -501,7 +501,8 @@ extern PRStatus PR_Sleep_stub(PRIntervalTime ticks) { STUB_SAFE_CALL1(PR_Sleep, ticks); From d40efc08119d1bb79313fda252e4450fb114615a Mon Sep 17 00:00:00 2001 From: Tianling Shen Date: Tue, 21 Feb 2023 15:57:28 +0800 Subject: [PATCH 24/28] v2ray-core: Update to 5.4.0 Signed-off-by: Tianling Shen --- net/v2ray-core/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/v2ray-core/Makefile b/net/v2ray-core/Makefile index db526da72..1263b9dcc 100644 --- a/net/v2ray-core/Makefile +++ b/net/v2ray-core/Makefile @@ -5,12 +5,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=v2ray-core -PKG_VERSION:=5.3.0 +PKG_VERSION:=5.4.0 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/v2fly/v2ray-core/tar.gz/v$(PKG_VERSION)? -PKG_HASH:=8e97e2647cb1dee8aa7e71df276c56d74258b2d97bb490a362afa84bdf1b9e25 +PKG_HASH:=86be35461a9dc7d037e0045771d99f1eae284fdb7aa0818a6782d18b6b003fca PKG_LICENSE:=MIT PKG_LICENSE_FILES:=LICENSE From dbf66a3ae51a3b657ebf4c8be79780109ee4d694 Mon Sep 17 00:00:00 2001 From: Tianling Shen Date: Tue, 21 Feb 2023 15:57:38 +0800 Subject: [PATCH 25/28] dnsproxy: Update to 0.48.0 Signed-off-by: Tianling Shen --- net/dnsproxy/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/dnsproxy/Makefile b/net/dnsproxy/Makefile index 26cdb3a1e..faf495f92 100644 --- a/net/dnsproxy/Makefile +++ b/net/dnsproxy/Makefile @@ -5,12 +5,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=dnsproxy -PKG_VERSION:=0.47.0 +PKG_VERSION:=0.48.0 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/AdguardTeam/dnsproxy/tar.gz/v$(PKG_VERSION)? -PKG_HASH:=be88e9db73b7d5fa42afd4bc38c901a7e589c503bfb091c43362c956e2669915 +PKG_HASH:=b63d10b0f7d4ede68aae9bda9ef306a0673c8ca97ef9d57b838edb53e0023f8b PKG_MAINTAINER:=Tianling Shen PKG_LICENSE:=Apache-2.0 From b76bd94605c9c53b64935c78bba6ff98e2847e16 Mon Sep 17 00:00:00 2001 From: Tianling Shen Date: Tue, 21 Feb 2023 15:57:46 +0800 Subject: [PATCH 26/28] yq: Update to 4.31.1 Signed-off-by: Tianling Shen --- utils/yq/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/utils/yq/Makefile b/utils/yq/Makefile index b386e94f0..51eb69e93 100644 --- a/utils/yq/Makefile +++ b/utils/yq/Makefile @@ -1,12 +1,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=yq -PKG_VERSION:=4.30.8 +PKG_VERSION:=4.31.1 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/mikefarah/yq/tar.gz/v$(PKG_VERSION)? -PKG_HASH:=aaf6c9f37968970413b8a6daf0b313a86efd1b8e3e5959e527b50636508eb776 +PKG_HASH:=6481cd93fe9a773ea20f738a3340c88e691f3d073bc6d2fceee3f5b3867399fc PKG_MAINTAINER:=Tianling Shen PKG_LICENSE:=MIT From eb3c89ceed2753cfd54fc7b5071155ee3ed2f4f3 Mon Sep 17 00:00:00 2001 From: Dirk Brenken Date: Tue, 21 Feb 2023 18:43:17 +0100 Subject: [PATCH 27/28] banip: update 0.8.0-3 * properly initialize the 'proto' variable in the log service Signed-off-by: Dirk Brenken --- net/banip/Makefile | 2 +- net/banip/files/banip-service.sh | 7 ++++--- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/net/banip/Makefile b/net/banip/Makefile index 5070d8aa6..edfe0182d 100644 --- a/net/banip/Makefile +++ b/net/banip/Makefile @@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=banip PKG_VERSION:=0.8.0 -PKG_RELEASE:=2 +PKG_RELEASE:=3 PKG_LICENSE:=GPL-3.0-or-later PKG_MAINTAINER:=Dirk Brenken diff --git a/net/banip/files/banip-service.sh b/net/banip/files/banip-service.sh index 29a0436c9..bfdf4c72c 100755 --- a/net/banip/files/banip-service.sh +++ b/net/banip/files/banip-service.sh @@ -153,6 +153,7 @@ if [ -x "${ban_logreadcmd}" ] && [ -n "${ban_logterm%%??}" ]; then # "${ban_logreadcmd}" -fe "${ban_logterm%%??}" 2>/dev/null | while read -r line; do + proto="" # IPv4 log parsing # ip="$(printf "%s" "${line}" | "${ban_awkcmd}" 'BEGIN{RS="(([0-9]{1,3}\\.){3}[0-9]{1,3})+"}{if(!seen[RT]++)printf "%s ",RT}')" @@ -168,15 +169,15 @@ if [ -x "${ban_logreadcmd}" ] && [ -n "${ban_logterm%%??}" ]; then [ -n "${ip}" ] && proto="v6" fi if [ -n "${proto}" ] && ! "${ban_nftcmd}" get element inet banIP blocklist"${proto}" "{ ${ip} }" >/dev/null 2>&1; then - f_log "info" "suspicious IP found '${ip}'" + f_log "info" "suspicious IP${proto} found '${ip}'" log_raw="$("${ban_logreadcmd}" -l "${ban_loglimit}" 2>/dev/null)" log_count="$(printf "%s\n" "${log_raw}" | grep -c "found '${ip}'")" if [ "${log_count}" -ge "${ban_logcount}" ]; then if "${ban_nftcmd}" add element inet banIP "blocklist${proto}" "{ ${ip} ${nft_expiry} }" >/dev/null 2>&1; then - f_log "info" "added IP '${ip}' (${nft_expiry:-"-"}) to blocklist${proto} set" + f_log "info" "added IP${proto} '${ip}' (${nft_expiry:-"-"}) to blocklist${proto} set" if [ "${ban_autoblocklist}" = "1" ] && ! grep -q "^${ip}" "${ban_blocklist}"; then printf "%-42s%s\n" "${ip}" "# added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_blocklist}" - f_log "info" "added IP '${ip}' to local blocklist" + f_log "info" "added IP${proto} '${ip}' to local blocklist" fi fi fi From 618dd4676d8fe2549f8ee0291dcf4f20c9134281 Mon Sep 17 00:00:00 2001 From: Dirk Brenken Date: Tue, 21 Feb 2023 21:42:24 +0100 Subject: [PATCH 28/28] banip: update 0.8.0-4 * remove bogus log limit Signed-off-by: Dirk Brenken --- net/banip/Makefile | 2 +- net/banip/files/banip-functions.sh | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/net/banip/Makefile b/net/banip/Makefile index edfe0182d..a25f8b264 100644 --- a/net/banip/Makefile +++ b/net/banip/Makefile @@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=banip PKG_VERSION:=0.8.0 -PKG_RELEASE:=3 +PKG_RELEASE:=4 PKG_LICENSE:=GPL-3.0-or-later PKG_MAINTAINER:=Dirk Brenken diff --git a/net/banip/files/banip-functions.sh b/net/banip/files/banip-functions.sh index 532b3b183..f1a71dd8d 100644 --- a/net/banip/files/banip-functions.sh +++ b/net/banip/files/banip-functions.sh @@ -426,8 +426,8 @@ f_down() { tmp_flush="${ban_tmpfile}.${feed}.flush" tmp_nft="${ban_tmpfile}.${feed}.nft" - [ "${ban_loginput}" = "1" ] && nft_loginput="limit rate 2/second log level ${ban_loglevel} prefix \"banIP_drp/${feed}: \"" - [ "${ban_logforward}" = "1" ] && nft_logforward="limit rate 2/second log level ${ban_loglevel} prefix \"banIP_rej/${feed}: \"" + [ "${ban_loginput}" = "1" ] && nft_loginput="log level ${ban_loglevel} prefix \"banIP_drp/${feed}: \"" + [ "${ban_logforward}" = "1" ] && nft_logforward="log level ${ban_loglevel} prefix \"banIP_rej/${feed}: \"" # set source block direction #