merge: upstream

hayzam 2023-02-22 07:50:47 +05:30
commit 6b1ee33b35
56 changed files with 2496 additions and 2696 deletions


@ -8,12 +8,12 @@
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=node PKG_NAME:=node
PKG_VERSION:=v16.17.1 PKG_VERSION:=v16.19.1
PKG_RELEASE:=1 PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=https://nodejs.org/dist/$(PKG_VERSION) PKG_SOURCE_URL:=https://nodejs.org/dist/$(PKG_VERSION)
PKG_HASH:=6721feb4152d56d2c6b358ce397abd5a7f1daf09ee2e25c5021b9b4d3f86a330 PKG_HASH:=17fb716406198125b30c94dd3d1756207b297705626afe16d8dc479a65a1d8b5
PKG_MAINTAINER:=Hirokazu MORIKAWA <morikw2@gmail.com>, Adrian Panella <ianchi74@outlook.com> PKG_MAINTAINER:=Hirokazu MORIKAWA <morikw2@gmail.com>, Adrian Panella <ianchi74@outlook.com>
PKG_LICENSE:=MIT PKG_LICENSE:=MIT


@ -1,6 +1,6 @@
--- a/lib/internal/modules/cjs/loader.js --- a/lib/internal/modules/cjs/loader.js
+++ b/lib/internal/modules/cjs/loader.js +++ b/lib/internal/modules/cjs/loader.js
@@ -1261,7 +1261,8 @@ Module._initPaths = function() { @@ -1326,7 +1326,8 @@ Module._initPaths = function() {
path.resolve(process.execPath, '..') : path.resolve(process.execPath, '..') :
path.resolve(process.execPath, '..', '..'); path.resolve(process.execPath, '..', '..');


@ -8,11 +8,11 @@
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=django PKG_NAME:=django
PKG_VERSION:=4.1.5 PKG_VERSION:=4.1.7
PKG_RELEASE:=1 PKG_RELEASE:=1
PYPI_NAME:=Django PYPI_NAME:=Django
PKG_HASH:=ff56ebd7ead0fd5dbe06fe157b0024a7aaea2e0593bb3785fb594cf94dad58ef PKG_HASH:=44f714b81c5f190d9d2ddad01a532fe502fa01c4cb8faf1d081f4264ed15dcd8
PKG_MAINTAINER:=Alexandru Ardelean <ardeleanalex@gmail.com>, Peter Stadler <peter.stadler@student.uibk.ac.at> PKG_MAINTAINER:=Alexandru Ardelean <ardeleanalex@gmail.com>, Peter Stadler <peter.stadler@student.uibk.ac.at>
PKG_LICENSE:=BSD-3-Clause PKG_LICENSE:=BSD-3-Clause


@ -1,19 +1,27 @@
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
include $(INCLUDE_DIR)/openssl-engine.mk
PKG_NAME:=gost_engine PKG_NAME:=gost_engine
PKG_VERSION:=1.1.0.3 ifeq ($(ENGINES_DIR),engines-1.1)
PKG_RELEASE:=$(AUTORELEASE) PKG_VERSION:=1.1.0.3
PKG_HASH:=fff725052e82c9adb5b738729b30141f61ac91fa457a4f4b5de18b8b24092f75
PKG_LICENSE:=OpenSSL
PATCH_DIR=./patches-1.1
else
PKG_VERSION:=3.0.1
PKG_HASH:=bfeac85883724cfbe0ecc6d942ac0524b908143e019ab3d3b6abe47a3466a628
PKG_LICENSE:=Apache-2.0
PATCH_DIR=./patches-3
endif
PKG_RELEASE:=7
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://github.com/gost-engine/engine/archive/v$(PKG_VERSION) PKG_SOURCE_URL:=https://github.com/gost-engine/engine/archive/v$(PKG_VERSION)
PKG_HASH:=fff725052e82c9adb5b738729b30141f61ac91fa457a4f4b5de18b8b24092f75
PKG_MAINTAINER:=Artur Petrov <github@phpchain.ru> PKG_MAINTAINER:=Artur Petrov <github@phpchain.ru>
PKG_LICENSE:=OpenSSL
include $(INCLUDE_DIR)/package.mk include $(INCLUDE_DIR)/package.mk
include $(INCLUDE_DIR)/cmake.mk include $(INCLUDE_DIR)/cmake.mk
include $(INCLUDE_DIR)/openssl-engine.mk
PKG_UNPACK:=$(HOST_TAR) -C "$(PKG_BUILD_DIR)" --strip-components=1 -xzf "$(DL_DIR)/$(PKG_SOURCE)" PKG_UNPACK:=$(HOST_TAR) -C "$(PKG_BUILD_DIR)" --strip-components=1 -xzf "$(DL_DIR)/$(PKG_SOURCE)"
PKG_INSTALL:= PKG_INSTALL:=
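Review bot: The `ifeq ($(ENGINES_DIR),engines-1.1)` branch selects the source version, `PKG_HASH`, licence and patch directory with no comment saying what it keys on, and it only works because `openssl-engine.mk` is now included before `PKG_NAME`. I would add a comment above the branch such as `# ENGINES_DIR comes from openssl-engine.mk; pick the gost_engine release matching the OpenSSL ABI in use`, assuming that is the intent. The two `PATCH_DIR=` assignments also use recursive `=` where every other assignment in the file uses `:=`; `PATCH_DIR:=./patches-3` would be consistent.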


@ -0,0 +1,59 @@
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -64,31 +64,35 @@ else()
add_definitions(-DL_ENDIAN)
endif()
-check_c_source_runs("
- #ifdef _MSC_VER
- # include <intrin.h>
- #else
- # include <x86intrin.h>
- #endif
- int main(void) {
- unsigned long long x = -1, y = 1, r;
- unsigned char cf;
- cf = _addcarry_u64(1, x, y, &r);
- return !(cf == 1 && r == 1);
- }
- " ADDCARRY_U64)
+if(NOT CMAKE_CROSSCOMPILING)
+ check_c_source_runs("
+ #ifdef _MSC_VER
+ # include <intrin.h>
+ #else
+ # include <x86intrin.h>
+ #endif
+ int main(void) {
+ unsigned long long x = -1, y = 1, r;
+ unsigned char cf;
+ cf = _addcarry_u64(1, x, y, &r);
+ return !(cf == 1 && r == 1);
+ }
+ " ADDCARRY_U64)
+
+ check_c_source_runs("
+ int main(void) {
+ char buf[16] = { 0, 1, 2 };
+ int *p = (int *)(buf + 1);
+ int *q = (int *)(buf + 2);
+ return (*p == *q);
+ }
+ " RELAXED_ALIGNMENT)
+endif()
+
if (ADDCARRY_U64)
add_definitions(-DHAVE_ADDCARRY_U64)
endif()
-check_c_source_runs("
- int main(void) {
- char buf[16] = { 0, 1, 2 };
- int *p = (int *)(buf + 1);
- int *q = (int *)(buf + 2);
- return (*p == *q);
- }
- " RELAXED_ALIGNMENT)
if (NOT RELAXED_ALIGNMENT)
add_definitions(-DSTRICT_ALIGNMENT)
endif()
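Review bot: With both `check_c_source_runs` probes moved inside `if(NOT CMAKE_CROSSCOMPILING)`, a cross build leaves `ADDCARRY_U64` and `RELAXED_ALIGNMENT` unset, so the unchanged code below always adds `-DSTRICT_ALIGNMENT` and never adds `-DHAVE_ADDCARRY_U64`. That is the conservative result for a crypto library, but nothing in the patch records it as the intended default. I would add a comment above the guard, for example `# Cross builds cannot run probes: default to strict alignment and no _addcarry_u64; override with -DRELAXED_ALIGNMENT=ON if the target is known to allow it`. The patch file also has no description header explaining why it is carried, which makes later refreshes harder to review.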


@ -0,0 +1,56 @@
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -357,9 +357,11 @@ set_target_properties(lib_gost_engine PR
COMPILE_DEFINITIONS "BUILDING_ENGINE_AS_LIBRARY"
PUBLIC_HEADER gost-engine.h
OUTPUT_NAME "gost")
-target_link_libraries(lib_gost_engine PRIVATE gost_core gost_err)
+#target_link_libraries(lib_gost_engine PRIVATE gost_core gost_err)
+target_link_libraries(lib_gost_engine PRIVATE gost_core)
endif()
+if (0)
# The GOST provider uses this
add_subdirectory(libprov)
@@ -384,6 +386,7 @@ set_target_properties(lib_gost_prov PROP
)
target_link_libraries(lib_gost_prov PRIVATE gost_core libprov)
endif()
+endif()
set(GOST_SUM_SOURCE_FILES
gostsum.c
@@ -424,15 +427,15 @@ install(FILES gostsum.1 gost12sum.1 DEST
install(TARGETS gost_engine EXPORT GostEngineConfig
LIBRARY DESTINATION ${OPENSSL_ENGINES_DIR}
RUNTIME DESTINATION ${OPENSSL_ENGINES_DIR})
-install(TARGETS gost_prov EXPORT GostProviderConfig
- LIBRARY DESTINATION ${OPENSSL_MODULES_DIR}
- RUNTIME DESTINATION ${OPENSSL_MODULES_DIR})
+#install(TARGETS gost_prov EXPORT GostProviderConfig
+# LIBRARY DESTINATION ${OPENSSL_MODULES_DIR}
+# RUNTIME DESTINATION ${OPENSSL_MODULES_DIR})
if (NOT MSVC)
# install engine and provider in library form
install(TARGETS lib_gost_engine EXPORT GostEngineConfig
LIBRARY DESTINATION ${CMAKE_INSTALL_LIBDIR})
-install(TARGETS lib_gost_prov EXPORT GostProviderConfig
- LIBRARY DESTINATION ${CMAKE_INSTALL_LIBDIR})
+#install(TARGETS lib_gost_prov EXPORT GostProviderConfig
+# LIBRARY DESTINATION ${CMAKE_INSTALL_LIBDIR})
endif()
if (MSVC)
@@ -440,8 +443,8 @@ if (MSVC)
EXPORT GostEngineConfig DESTINATION ${CMAKE_INSTALL_BINDIR} OPTIONAL)
install(FILES $<TARGET_PDB_FILE:gost_engine>
EXPORT GostEngineConfig DESTINATION ${OPENSSL_ENGINES_DIR} OPTIONAL)
- install(FILES $<TARGET_PDB_FILE:gost_prov>
- EXPORT GostProviderConfig DESTINATION ${OPENSSL_MODULES_DIR} OPTIONAL)
+# install(FILES $<TARGET_PDB_FILE:gost_prov>
+# EXPORT GostProviderConfig DESTINATION ${OPENSSL_MODULES_DIR} OPTIONAL)
endif()
install(EXPORT GostEngineConfig DESTINATION GostEngine/share/cmake/GostEngine)
-install(EXPORT GostProviderConfig DESTINATION GostEngine/share/cmake/GostProvider)
+#install(EXPORT GostProviderConfig DESTINATION GostEngine/share/cmake/GostProvider)
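Review bot: The provider build is switched off with `if (0)` … `endif()` and five commented-out `install(...)` calls, which leaves dead code in the build file and no record of why the provider is excluded. A named switch would be clearer and reversible, e.g. `option(GOST_BUILD_PROVIDER "Build the GOST provider" OFF)` with `if(GOST_BUILD_PROVIDER)` around the provider targets and their installs. `gost_err` is also dropped from `target_link_libraries(lib_gost_engine PRIVATE ...)` with the old line kept as a comment; if the library still references symbols from `gost_err`, the failure would likely appear only when the library is linked or loaded, so the patch should state why the dependency is no longer needed. The unchanged comment `# install engine and provider in library form` is now stale, since only the engine is installed.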


@ -8,12 +8,12 @@
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=libgpiod PKG_NAME:=libgpiod
PKG_VERSION:=1.6.3 PKG_VERSION:=1.6.4
PKG_RELEASE:=2 PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=@KERNEL/software/libs/libgpiod/ PKG_SOURCE_URL:=@KERNEL/software/libs/libgpiod/
PKG_HASH:=841be9d788f00bab08ef22c4be5c39866f0e46cb100a3ae49ed816ac9c5dddc7 PKG_HASH:=7b146e12f28fbca3df7557f176eb778c5ccf952ca464698dba8a61b2e1e3f9b5
PKG_MAINTAINER:=Michael Heimpold <mhei@heimpold.de> PKG_MAINTAINER:=Michael Heimpold <mhei@heimpold.de>
PKG_LICENSE:=LGPL-2.1-or-later PKG_LICENSE:=LGPL-2.1-or-later


@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=libuhttpd PKG_NAME:=libuhttpd
PKG_VERSION:=3.14.1 PKG_VERSION:=3.14.1
PKG_RELEASE:=$(AUTORELEASE) PKG_RELEASE:=2
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL=https://github.com/zhaojh329/libuhttpd/releases/download/v$(PKG_VERSION) PKG_SOURCE_URL=https://github.com/zhaojh329/libuhttpd/releases/download/v$(PKG_VERSION)
@ -41,6 +41,7 @@ Package/libuhttpd-mbedtls=$(call Package/libuhttpd/Default,mbedtls,+PACKAGE_libu
Package/libuhttpd-nossl=$(call Package/libuhttpd/Default,nossl) Package/libuhttpd-nossl=$(call Package/libuhttpd/Default,nossl)
CMAKE_OPTIONS += -DBUILD_EXAMPLE=OFF CMAKE_OPTIONS += -DBUILD_EXAMPLE=OFF
TARGET_CFLAGS += -Wno-error=deprecated-declarations
ifeq ($(BUILD_VARIANT),openssl) ifeq ($(BUILD_VARIANT),openssl)
CMAKE_OPTIONS += -DUSE_OPENSSL=ON CMAKE_OPTIONS += -DUSE_OPENSSL=ON
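Review bot: `TARGET_CFLAGS += -Wno-error=deprecated-declarations` is added ahead of `ifeq ($(BUILD_VARIANT),openssl)`, so it applies to every build variant rather than only the one that presumably needs it. It downgrades deprecation diagnostics for the whole package, which also hides any other deprecated TLS-library call the code might start using. If the flag exists only to build against a newer OpenSSL (not stated on the page), move it inside the openssl block and say so, e.g. `# OpenSSL 3 deprecates APIs still used by libuhttpd 3.14.1`. The `ifeq` block continues outside this hunk.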


@ -7,14 +7,14 @@
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=nss PKG_NAME:=nss
PKG_VERSION:=3.85 PKG_VERSION:=3.88.1
PKG_RELEASE:=1 PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:= \ PKG_SOURCE_URL:= \
https://download.cdn.mozilla.net/pub/security/$(PKG_NAME)/releases/NSS_$(subst .,_,$(PKG_VERSION))_RTM/src \ https://download.cdn.mozilla.net/pub/security/$(PKG_NAME)/releases/NSS_$(subst .,_,$(PKG_VERSION))_RTM/src \
https://archive.mozilla.org/pub/security/$(PKG_NAME)/releases/NSS_$(subst .,_,$(PKG_VERSION))_RTM/src https://archive.mozilla.org/pub/security/$(PKG_NAME)/releases/NSS_$(subst .,_,$(PKG_VERSION))_RTM/src
PKG_HASH:=afd9d64510b1154debbd6cab3571e9ff64a3373898e03483e4c85cdada13d297 PKG_HASH:=27d243edf87d1cf1bb9c861f03d387e0e9230ce5017f4308c941f558b54b3496
PKG_MAINTAINER:=Lucian Cristian <lucian.cristian@gmail.com> PKG_MAINTAINER:=Lucian Cristian <lucian.cristian@gmail.com>
PKG_LICENCE:=MPL-2.0 PKG_LICENCE:=MPL-2.0


@ -1,6 +1,6 @@
--- a/nss/lib/freebl/stubs.c --- a/nss/lib/freebl/stubs.c
+++ b/nss/lib/freebl/stubs.c +++ b/nss/lib/freebl/stubs.c
@@ -500,7 +500,8 @@ extern PRStatus @@ -501,7 +501,8 @@ extern PRStatus
PR_Sleep_stub(PRIntervalTime ticks) PR_Sleep_stub(PRIntervalTime ticks)
{ {
STUB_SAFE_CALL1(PR_Sleep, ticks); STUB_SAFE_CALL1(PR_Sleep, ticks);


@ -7,7 +7,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=adblock PKG_NAME:=adblock
PKG_VERSION:=4.1.5 PKG_VERSION:=4.1.5
PKG_RELEASE:=5 PKG_RELEASE:=6
PKG_LICENSE:=GPL-3.0-or-later PKG_LICENSE:=GPL-3.0-or-later
PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org> PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>


@ -30,7 +30,7 @@ A lot of people already use adblocker plugins within their desktop browsers, but
| lightswitch05 | | XL | compilation | [Link](https://github.com/lightswitch05/hosts) | | lightswitch05 | | XL | compilation | [Link](https://github.com/lightswitch05/hosts) |
| notracking | | XL | tracking | [Link](https://github.com/notracking/hosts-blocklists) | | notracking | | XL | tracking | [Link](https://github.com/notracking/hosts-blocklists) |
| oisd_big | | XXL | general | [Link](https://oisd.nl) | | oisd_big | | XXL | general | [Link](https://oisd.nl) |
| oisd_nsfw | | XL | general | [Link](https://oisd.nl) | | oisd_nsfw | | XXL | porn | [Link](https://oisd.nl) |
| oisd_small | | L | general | [Link](https://oisd.nl) | | oisd_small | | L | general | [Link](https://oisd.nl) |
| openphish | | S | phishing | [Link](https://openphish.com) | | openphish | | S | phishing | [Link](https://openphish.com) |
| phishing_army | | S | phishing | [Link](https://phishing.army) | | phishing_army | | S | phishing | [Link](https://phishing.army) |


@ -133,21 +133,21 @@
"descurl": "https://github.com/notracking/hosts-blocklists" "descurl": "https://github.com/notracking/hosts-blocklists"
}, },
"oisd_big": { "oisd_big": {
"url": "https://raw.githubusercontent.com/sjhgvr/oisd/main/dblw_big.txt", "url": "https://big.oisd.nl/domainswild",
"rule": "BEGIN{FS=\"\\\\*.\"}/^\\*\\.([[:alnum:]_-]{1,63}\\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower($2)}", "rule": "BEGIN{FS=\"\\\\*.\"}/^\\*\\.([[:alnum:]_-]{1,63}\\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower($2)}",
"size": "XXL", "size": "XXL",
"focus": "general", "focus": "general",
"descurl": "https://oisd.nl" "descurl": "https://oisd.nl"
}, },
"oisd_nsfw": { "oisd_nsfw": {
"url": "https://raw.githubusercontent.com/sjhgvr/oisd/main/dblw_nsfw.txt", "url": "https://nsfw.oisd.nl/domainswild",
"rule": "BEGIN{FS=\"\\\\*.\"}/^\\*\\.([[:alnum:]_-]{1,63}\\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower($2)}", "rule": "BEGIN{FS=\"\\\\*.\"}/^\\*\\.([[:alnum:]_-]{1,63}\\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower($2)}",
"size": "XL", "size": "XXL",
"focus": "general", "focus": "porn",
"descurl": "https://oisd.nl" "descurl": "https://oisd.nl"
}, },
"oisd_small": { "oisd_small": {
"url": "https://raw.githubusercontent.com/sjhgvr/oisd/main/dblw_small.txt", "url": "https://small.oisd.nl/domainswild",
"rule": "BEGIN{FS=\"\\\\*.\"}/^\\*\\.([[:alnum:]_-]{1,63}\\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower($2)}", "rule": "BEGIN{FS=\"\\\\*.\"}/^\\*\\.([[:alnum:]_-]{1,63}\\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower($2)}",
"size": "L", "size": "L",
"focus": "general", "focus": "general",


@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=apfree-wifidog PKG_NAME:=apfree-wifidog
PKG_VERSION:=4.08.1771 PKG_VERSION:=4.08.1771
PKG_RELEASE:=6 PKG_RELEASE:=7
PKG_SOURCE_PROTO:=git PKG_SOURCE_PROTO:=git
PKG_SOURCE_URL:=https://github.com/liudf0716/apfree_wifidog.git PKG_SOURCE_URL:=https://github.com/liudf0716/apfree_wifidog.git


@ -0,0 +1,53 @@
From 53a042836063e965f8df9fc85bb32e8e46da8a05 Mon Sep 17 00:00:00 2001
From: staylightblow8 <liudf0716@gmail.com>
Date: Thu, 20 Oct 2022 10:47:59 +0800
Subject: [PATCH] support openssl > 3.0
---
cmake/Modules/FindOpenSSL.cmake | 27 +++++++++++++++++++++++----
1 file changed, 23 insertions(+), 4 deletions(-)
--- a/cmake/Modules/FindOpenSSL.cmake
+++ b/cmake/Modules/FindOpenSSL.cmake
@@ -282,11 +282,11 @@ function(from_hex HEX DEC)
set(${DEC} ${_res} PARENT_SCOPE)
endfunction()
-if (OPENSSL_INCLUDE_DIR)
- if(OPENSSL_INCLUDE_DIR AND EXISTS "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h")
- file(STRINGS "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h" openssl_version_str
- REGEX "^# *define[\t ]+OPENSSL_VERSION_NUMBER[\t ]+0x([0-9a-fA-F])+.*")
+if(OPENSSL_INCLUDE_DIR AND EXISTS "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h")
+ file(STRINGS "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h" openssl_version_str
+ REGEX "^#[\t ]*define[\t ]+OPENSSL_VERSION_NUMBER[\t ]+0x([0-9a-fA-F])+.*")
+ if(openssl_version_str)
# The version number is encoded as 0xMNNFFPPS: major minor fix patch status
# The status gives if this is a developer or prerelease and is ignored here.
# Major, minor, and fix directly translate into the version numbers shown in
@@ -315,6 +315,25 @@ if (OPENSSL_INCLUDE_DIR)
endif ()
set(OPENSSL_VERSION "${OPENSSL_VERSION_MAJOR}.${OPENSSL_VERSION_MINOR}.${OPENSSL_VERSION_FIX}${OPENSSL_VERSION_PATCH_STRING}")
+ else ()
+ # Since OpenSSL 3.0.0, the new version format is MAJOR.MINOR.PATCH and
+ # a new OPENSSL_VERSION_STR macro contains exactly that
+ file(STRINGS "${OPENSSL_INCLUDE_DIR}/openssl/opensslv.h" OPENSSL_VERSION_STR
+ REGEX "^#[\t ]*define[\t ]+OPENSSL_VERSION_STR[\t ]+\"([0-9])+\\.([0-9])+\\.([0-9])+\".*")
+ string(REGEX REPLACE "^.*OPENSSL_VERSION_STR[\t ]+\"([0-9]+\\.[0-9]+\\.[0-9]+)\".*$"
+ "\\1" OPENSSL_VERSION_STR "${OPENSSL_VERSION_STR}")
+
+ set(OPENSSL_VERSION "${OPENSSL_VERSION_STR}")
+
+ # Setting OPENSSL_VERSION_MAJOR OPENSSL_VERSION_MINOR and OPENSSL_VERSION_FIX
+ string(REGEX MATCHALL "([0-9])+" OPENSSL_VERSION_NUMBER "${OPENSSL_VERSION}")
+ list(POP_FRONT OPENSSL_VERSION_NUMBER
+ OPENSSL_VERSION_MAJOR
+ OPENSSL_VERSION_MINOR
+ OPENSSL_VERSION_FIX)
+
+ unset(OPENSSL_VERSION_NUMBER)
+ unset(OPENSSL_VERSION_STR)
endif ()
endif ()
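Review bot: The new `else ()` branch never checks that the `OPENSSL_VERSION_STR` lookup matched, so a header with neither macro in the expected form leaves `OPENSSL_VERSION` empty and the `list(POP_FRONT ...)` outputs unset, with no diagnostic. Any later minimum-version comparison in the module would then run against an empty string, which is a poor failure mode for deciding which TLS library is acceptable. I would guard the branch body with `if(OPENSSL_VERSION_STR)` and emit `message(WARNING "Could not determine OpenSSL version from opensslv.h")` otherwise. `list(POP_FRONT ...)` also needs CMake 3.15 or newer, so it is worth confirming the project's `cmake_minimum_required` covers that; it is not visible in this hunk.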


@ -1,13 +1,14 @@
# #
# Copyright (c) 2018-2021 Dirk Brenken (dev@brenken.org) # banIP - ban incoming and outgoing ip adresses/subnets via sets in nftables
# Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org)
# This is free software, licensed under the GNU General Public License v3. # This is free software, licensed under the GNU General Public License v3.
# #
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=banip PKG_NAME:=banip
PKG_VERSION:=0.7.10 PKG_VERSION:=0.8.0
PKG_RELEASE:=6 PKG_RELEASE:=4
PKG_LICENSE:=GPL-3.0-or-later PKG_LICENSE:=GPL-3.0-or-later
PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org> PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>
@ -16,23 +17,22 @@ include $(INCLUDE_DIR)/package.mk
define Package/banip define Package/banip
SECTION:=net SECTION:=net
CATEGORY:=Network CATEGORY:=Network
TITLE:=Ban incoming and outgoing ip adresses via ipsets TITLE:=banIP blocks IP addresses via named nftables sets
DEPENDS:=+jshn +jsonfilter +ip +ipset +iptables +ca-bundle @BROKEN DEPENDS:=+jshn +jsonfilter +firewall4 +ca-bundle +logd +rpcd +rpcd-mod-rpcsys
PKGARCH:=all PKGARCH:=all
endef endef
define Package/banip/description define Package/banip/description
Powerful banIP script to block ip addresses via ipsets. banIP blocks IP addresses via named nftables sets.
The script supports many ip blacklist sites plus manual black- and whitelist overrides. banIP supports many IP blocklist feeds and provides a log service to block suspicious IPs in realtime.
Please see https://github.com/openwrt/packages/blob/master/net/banip/files/README.md for further information. Please see https://github.com/openwrt/packages/blob/master/net/banip/files/README.md for further information.
endef endef
define Package/banip/conffiles define Package/banip/conffiles
/etc/config/banip /etc/config/banip
/etc/banip/banip.maclist /etc/banip/banip.allowlist
/etc/banip/banip.blacklist /etc/banip/banip.blocklist
/etc/banip/banip.whitelist
endef endef
define Build/Prepare define Build/Prepare
@ -46,27 +46,23 @@ endef
define Package/banip/install define Package/banip/install
$(INSTALL_DIR) $(1)/usr/bin $(INSTALL_DIR) $(1)/usr/bin
$(INSTALL_BIN) ./files/banip.sh $(1)/usr/bin $(INSTALL_BIN) ./files/banip-service.sh $(1)/usr/bin
$(INSTALL_DIR) $(1)/etc/init.d $(INSTALL_DIR) $(1)/etc/init.d
$(INSTALL_BIN) ./files/banip.init $(1)/etc/init.d/banip $(INSTALL_BIN) ./files/banip.init $(1)/etc/init.d/banip
$(INSTALL_DIR) $(1)/usr/lib
$(INSTALL_CONF) ./files/banip-functions.sh $(1)/usr/lib
$(INSTALL_DIR) $(1)/etc/config $(INSTALL_DIR) $(1)/etc/config
$(INSTALL_CONF) ./files/banip.conf $(1)/etc/config/banip $(INSTALL_CONF) ./files/banip.conf $(1)/etc/config/banip
$(INSTALL_DIR) $(1)/etc/banip $(INSTALL_DIR) $(1)/etc/banip
$(INSTALL_BIN) ./files/banip.dns $(1)/etc/banip $(INSTALL_CONF) ./files/banip.tpl $(1)/etc/banip
$(INSTALL_BIN) ./files/banip.mail $(1)/etc/banip $(INSTALL_CONF) ./files/banip.allowlist $(1)/etc/banip
$(INSTALL_BIN) ./files/banip.service $(1)/etc/banip $(INSTALL_CONF) ./files/banip.blocklist $(1)/etc/banip
$(INSTALL_CONF) ./files/banip.maclist $(1)/etc/banip $(INSTALL_CONF) ./files/banip.feeds $(1)/etc/banip
$(INSTALL_CONF) ./files/banip.blacklist $(1)/etc/banip gzip -9n $(1)/etc/banip/banip.feeds
$(INSTALL_CONF) ./files/banip.whitelist $(1)/etc/banip
$(INSTALL_CONF) ./files/banip.countries $(1)/etc/banip
$(INSTALL_CONF) ./files/banip.sources $(1)/etc/banip
gzip -9n $(1)/etc/banip/banip.sources
$(INSTALL_DIR) $(1)/etc/hotplug.d/firewall
$(INSTALL_DATA) ./files/banip.hotplug $(1)/etc/hotplug.d/firewall/30-banip
endef endef
$(eval $(call BuildPackage,banip)) $(eval $(call BuildPackage,banip))
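Review bot: `Package/banip/conffiles` now lists only `/etc/config/banip`, `banip.allowlist` and `banip.blocklist`, while the install step also places `banip.feeds` (then gzipped) and `banip.tpl` under `/etc/banip`. The README in this commit advertises the "ability to add new banIP feeds on your own"; if that is done by editing the installed feeds file (not visible here), those edits would be overwritten on upgrade because the file is not a conffile. Either add the gzipped feeds file to conffiles or add a comment stating that it is package-owned and where custom feeds belong. The new header comment also carries the typo "adresses"; it should read `# banIP - ban incoming and outgoing ip addresses/subnets via sets in nftables`.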


@ -1,91 +1,103 @@
<!-- markdownlint-disable --> <!-- markdownlint-disable -->
# banIP - ban incoming and/or outgoing ip adresses via ipsets # banIP - ban incoming and outgoing IP addresses/subnets via sets in nftables
## Description ## Description
IP address blocking is commonly used to protect against brute force attacks, prevent disruptive or unauthorized address(es) from access or it can be used to restrict access to or from a particular geographic area — for example. IP address blocking is commonly used to protect against brute force attacks, prevent disruptive or unauthorized address(es) from access or it can be used to restrict access to or from a particular geographic area — for example. Further more banIP scans the log file via logread and bans IP addresses that make too many password failures, e.g. via ssh.
## Main Features ## Main Features
* Support of the following fully pre-configured domain blocklist sources (free for private usage, for commercial use please check their individual licenses) * banIP supports the following fully pre-configured domain blocklist feeds (free for private usage, for commercial use please check their individual licenses).
**Please note:** the columns "INP" and "FWD" show for which chains the feeds are suitable in common scenarios, e.g. the first entry should be limited to forward chain - see the config options 'ban\_blockforward' and 'ban\_blockinput' below.
| Source | Focus | Information | | Feed | Focus | INP | FWD | Information |
| :------------------ | :----------------------------: | :-------------------------------------------------------------------------------- | | :------------------ | :----------------------------: | :-: | :-: | :-------------------------------------------------------------------- |
| asn | ASN block | [Link](https://asn.ipinfo.app) | | adaway | adaway IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| bogon | Bogon prefixes | [Link](https://team-cymru.com) | | adguard | adguard IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| country | Country blocks | [Link](https://www.ipdeny.com/ipblocks) | | adguardtrackers | adguardtracker IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| darklist | blocks suspicious attacker IPs | [Link](https://darklist.de) | | antipopads | antipopads IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| debl | Fail2ban IP blacklist | [Link](https://www.blocklist.de) | | asn | ASN IPs | | x | [Link](https://asn.ipinfo.app) |
| doh | Public DoH-Provider | [Link](https://github.com/dibdot/DoH-IP-blocklists) | | backscatterer | backscatterer IPs | x | x | [Link](https://www.uceprotect.net/en/index.php) |
| drop | Spamhaus drop compilation | [Link](https://www.spamhaus.org) | | bogon | bogon prefixes | x | x | [Link](https://team-cymru.com) |
| dshield | Dshield IP blocklist | [Link](https://www.dshield.org) | | country | country blocks | x | | [Link](https://www.ipdeny.com/ipblocks) |
| edrop | Spamhaus edrop compilation | [Link](https://www.spamhaus.org) | | cinsscore | suspicious attacker IPs | x | x | [Link](https://cinsscore.com/#list) |
| feodo | Feodo Tracker | [Link](https://feodotracker.abuse.ch) | | darklist | blocks suspicious attacker IPs | x | x | [Link](https://darklist.de) |
| firehol1 | Firehol Level 1 compilation | [Link](https://iplists.firehol.org/?ipset=firehol_level1) | | debl | fail2ban IP blacklist | x | x | [Link](https://www.blocklist.de) |
| firehol2 | Firehol Level 2 compilation | [Link](https://iplists.firehol.org/?ipset=firehol_level2) | | doh | public DoH-Provider | | x | [Link](https://github.com/dibdot/DoH-IP-blocklists) |
| firehol3 | Firehol Level 3 compilation | [Link](https://iplists.firehol.org/?ipset=firehol_level3) | | drop | spamhaus drop compilation | x | x | [Link](https://www.spamhaus.org) |
| firehol4 | Firehol Level 4 compilation | [Link](https://iplists.firehol.org/?ipset=firehol_level4) | | dshield | dshield IP blocklist | x | x | [Link](https://www.dshield.org) |
| greensnow | blocks suspicious server IPs | [Link](https://greensnow.co) | | edrop | spamhaus edrop compilation | x | x | [Link](https://www.spamhaus.org) |
| iblockads | Advertising blocklist | [Link](https://www.iblocklist.com) | | feodo | feodo tracker | x | x | [Link](https://feodotracker.abuse.ch) |
| iblockspy | Malicious spyware blocklist | [Link](https://www.iblocklist.com) | | firehol1 | firehol level 1 compilation | x | x | [Link](https://iplists.firehol.org/?ipset=firehol_level1) |
| myip | Myip Live IP blacklist | [Link](https://myip.ms) | | firehol2 | firehol level 2 compilation | x | x | [Link](https://iplists.firehol.org/?ipset=firehol_level2) |
| nixspam | iX spam protection | [Link](http://www.nixspam.org) | | firehol3 | firehol level 3 compilation | x | x | [Link](https://iplists.firehol.org/?ipset=firehol_level3) |
| proxy | Firehol list of open proxies | [Link](https://iplists.firehol.org/?ipset=proxylists) | | firehol4 | firehol level 4 compilation | x | x | [Link](https://iplists.firehol.org/?ipset=firehol_level4) |
| ssbl | SSL botnet IP blacklist | [Link](https://sslbl.abuse.ch) | | greensnow | suspicious server IPs | x | x | [Link](https://greensnow.co) |
| talos | Cisco Talos IP Blacklist | [Link](https://talosintelligence.com/reputation_center) | | iblockads | Advertising IPs | | x | [Link](https://www.iblocklist.com) |
| threat | Emerging Threats | [Link](https://rules.emergingthreats.net) | | iblockspy | Malicious spyware IPs | x | x | [Link](https://www.iblocklist.com) |
| tor | Tor exit nodes | [Link](https://fissionrelays.net/lists) | | myip | real-time IP blocklist | x | x | [Link](https://myip.ms) |
| uceprotect1 | Spam protection level 1 | [Link](http://www.uceprotect.net/en/index.php) | | nixspam | iX spam protection | x | x | [Link](http://www.nixspam.org) |
| uceprotect2 | Spam protection level 2 | [Link](http://www.uceprotect.net/en/index.php) | | oisdnsfw | OISD-nsfw IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| voip | VoIP fraud blocklist | [Link](http://www.voipbl.org) | | oisdsmall | OISD-small IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| yoyo | Ad protection blacklist | [Link](https://pgl.yoyo.org/adservers/) | | proxy | open proxies | x | | [Link](https://iplists.firehol.org/?ipset=proxylists) |
| ssbl | SSL botnet IPs | x | x | [Link](https://sslbl.abuse.ch) |
| stevenblack | stevenblack IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| talos | talos IPs | x | x | [Link](https://talosintelligence.com/reputation_center) |
| threat | emerging threats | x | x | [Link](https://rules.emergingthreats.net) |
| threatview | malicious IPs | x | x | [Link](https://threatview.io) |
| tor | tor exit nodes | x | | [Link](https://github.com/SecOps-Institute/Tor-IP-Addresses) |
| uceprotect1 | spam protection level 1 | x | x | [Link](http://www.uceprotect.net/en/index.php) |
| uceprotect2 | spam protection level 2 | x | x | [Link](http://www.uceprotect.net/en/index.php) |
| uceprotect3 | spam protection level 3 | x | x | [Link](http://www.uceprotect.net/en/index.php) |
| urlhaus | urlhaus IDS IPs | x | x | [Link](https://urlhaus.abuse.ch) |
| urlvir | malware related IPs | x | x | [Link](https://iplists.firehol.org/?ipset=urlvir) |
| webclient | malware related IPs | x | x | [Link](https://iplists.firehol.org/?ipset=firehol_webclient) |
| voip | VoIP fraud blocklist | x | x | [Link](https://voipbl.org) |
| yoyo | yoyo IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
* zero-conf like automatic installation & setup, usually no manual changes needed * zero-conf like automatic installation & setup, usually no manual changes needed
* automatically selects one of the following supported download utilities: aria2c, curl, uclient-fetch, wget * all sets are handled in a separate nft table/namespace 'banIP'
* fast downloads & list processing as they are handled in parallel as background jobs in a configurable 'Download Queue'
* full IPv4 and IPv6 support * full IPv4 and IPv6 support
* ipsets (one per source) are used to ban a large number of IP addresses * supports nft atomic set loading
* supports blocking by ASN numbers * supports blocking by ASN numbers and by iso country codes
* supports blocking by iso country codes * supports local allow- and blocklist (IPv4, IPv6, CIDR notation or domain names)
* supports local black- & whitelist (IPv4, IPv6, CIDR notation or domain names) * auto-add the uplink subnet to the local allowlist
* auto-add unsuccessful LuCI, nginx or ssh login attempts via 'dropbear'/'sshd' to local blacklist
* auto-add the uplink subnet to local whitelist
* black- and whitelist also accept domain names as input to allow IP filtering based on these names
* supports a 'whitelist only' mode, this option allows to restrict Internet access from/to a small number of secure websites/IPs
* provides a small background log monitor to ban unsuccessful login attempts in real-time * provides a small background log monitor to ban unsuccessful login attempts in real-time
* per source configuration of SRC (incoming) and DST (outgoing) * auto-add unsuccessful LuCI, nginx, Asterisk or ssh login attempts to the local blocklist
* integrated IPSet-Lookup * fast feed processing as they are handled in parallel as background jobs
* integrated bgpview-Lookup * per feed it can be defined whether the input chain or the forward chain should be blocked (default: both chains)
* blocklist source parsing by fast & flexible regex rulesets * automatic blocklist backup & restore, the backups will be used in case of download errors or during startup
* minimal status & error logging to syslog, enable debug logging to receive more output * automatically selects one of the following download utilities with ssl support: aria2c, curl, uclient-fetch or wget
* procd based init system support (start/stop/restart/reload/refresh/status) * supports a 'allowlist only' mode, this option restricts internet access from/to a small number of secure websites/IPs
* procd network interface trigger support
* automatic blocklist backup & restore, they will be used in case of download errors or during startup
* provides comprehensive runtime information * provides comprehensive runtime information
* provides a detailed IPSet Report * provides a detailed set report
* provides a powerful query function to quickly find blocked IPs/CIDR in banIP related IPSets * provides a set search engine for certain IPs
* provides an easily configurable blocklist update scheduler called 'Refresh Timer' * feed parsing by fast & flexible regex rulesets
* strong LuCI support * minimal status & error logging to syslog, enable debug logging to receive more output
* optional: add new banIP sources on your own * procd based init system support (start/stop/restart/reload/status/report/search)
* procd network interface trigger support
* ability to add new banIP feeds on your own
## Prerequisites ## Prerequisites
* [OpenWrt](https://openwrt.org), tested with the stable release series (21.02.x) and with the latest rolling snapshot releases. On turris devices it has been successfully tested with TurrisOS 5.2.x * **[OpenWrt](https://openwrt.org)**, latest stable release or a snapshot with nft/firewall 4 support
<b>Please note:</b> Ancient OpenWrt releases like 18.06.x or 17.01.x are _not_ supported! * a download utility with SSL support: 'wget', 'uclient-fetch' with one of the 'libustream-*' SSL libraries, 'aria2c' or 'curl' is required
<b>Please note:</b> Devices with less than 128 MByte RAM are _not_ supported! * a certificate store like 'ca-bundle', as banIP checks the validity of the SSL certificates of all download sites by default
<b>Please note:</b> If you're updating from former banIP 0.3x please manually remove your config (/etc/config/banip) before you start! * for E-Mail notifications you need to install and setup the additional 'msmtp' package
* A download utility with SSL support: 'wget', 'uclient-fetch' with one of the 'libustream-*' ssl libraries, 'aria2c' or 'curl' is required
* A certificate store like 'ca-bundle', as banIP checks the validity of the SSL certificates of all download sites by default **Please note the following:**
* Optional E-Mail notification support: for E-Mail notifications you need to install and setup the additional 'msmtp' package * Devices with less than 256Mb of RAM are **_not_** supported
* Any previous installation of banIP must be uninstalled, and the /etc/banip folder and the /etc/config/banip configuration file must be deleted (they are recreated when this version is installed)
* There is no LuCI frontend at this time
## Installation & Usage ## Installation & Usage
* Update your local opkg repository (_opkg update_) * update your local opkg repository (_opkg update_)
* Install 'banip' (_opkg install banip_). The banIP service is disabled by default * install banIP (_opkg install banip_) - the banIP service is disabled by default
* Install the LuCI companion package 'luci-app-banip' (_opkg install luci-app-banip_) * edit the config file '/etc/config/banip' and enable the service (set ban\_enabled to '1'), then add pre-configured feeds via 'ban\_feed' (see the config options below)
* It's strongly recommended to use the LuCI frontend to easily configure all aspects of banIP, the application is located in LuCI under the 'Services' menu * start the service with '/etc/init.d/banip start' and check check everything is working by running '/etc/init.d/banip status'
## banIP CLI ## banIP CLI interface
* All important banIP functions are accessible via CLI as well. * All important banIP functions are accessible via CLI. A LuCI frontend will be available in due course.
<pre><code> ```
~# /etc/init.d/banip ~# /etc/init.d/banip
Syntax: /etc/init.d/banip [command] Syntax: /etc/init.d/banip [command]
Available commands: Available commands:
@ -96,259 +108,151 @@ Available commands:
enable Enable service autostart enable Enable service autostart
disable Disable service autostart disable Disable service autostart
enabled Check if service is started on boot enabled Check if service is started on boot
refresh Refresh ipsets without new list downloads report [text|json|mail] Print banIP related set statistics
suspend Suspend banIP processing search [<IPv4 address>|<IPv6 address>] Check if an element exists in the banIP sets
resume Resume banIP processing
query &lt;IP&gt; Query active banIP IPSets for a specific IP address
report [&lt;cli&gt;|&lt;mail&gt;|&lt;gen&gt;|&lt;json&gt;] Print banIP related IPset statistics
list [&lt;add&gt;|&lt;add_asn&gt;|&lt;add_country&gt;|&lt;remove>|&lt;remove_asn&gt;|&lt;remove_country&gt;] &lt;source(s)&gt; List/Edit available sources
timer [&lt;add&gt; &lt;tasks&gt; &lt;hour&gt; [&lt;minute&gt;] [&lt;weekday&gt;]]|[&lt;remove&gt; &lt;line no.&gt;] List/Edit cron update intervals
version Print version information
running Check if service is running running Check if service is running
status Service status status Service status
trace Start with syscall trace trace Start with syscall trace
</code></pre> info Dump procd service info
```
## banIP config options ## banIP config options
* Usually the auto pre-configured banIP setup works quite well and no manual overrides are needed
| Option | Type | Default | Description | | Option | Type | Default | Description |
| :---------------------- | :----- | :---------------------------- | :------------------------------------------------------------------------------------ | | :---------------------- | :----- | :---------------------------- | :------------------------------------------------------------------------------------ |
| ban_enabled | option | 0 | enable the banIP service | | ban_enabled | option | 0 | enable the banIP service |
| ban_nicelimit | option | 0 | ulimit nice level of the banIP service (range 0-19) |
| ban_filelimit | option | 1024 | ulimit max open/number of files (range 1024-4096) |
| ban_loglimit | option | 100 | the logread monitor scans only the last n lines of the logfile |
| ban_logcount | option | 1 | how many times the IP must appear in the log to be considered as suspicious |
| ban_logterm | list | regex | various regex for logfile parsing (default: dropbear, sshd, luci, nginx, asterisk) |
| ban_autodetect | option | 1 | auto-detect wan interfaces, devices and subnets | | ban_autodetect | option | 1 | auto-detect wan interfaces, devices and subnets |
| ban_debug | option | 0 | enable banIP related debug logging | | ban_debug | option | 0 | enable banIP related debug logging |
| ban_mail_enabled | option | 0 | enable the mail service | | ban_loginput | option | 1 | log drops in the input chain |
| ban_monitor_enabled | option | 0 | enable the log monitor, e.g. to catch failed ssh/luci logins | | ban_logforward | option | 0 | log rejects in the forward chain |
| ban_logsrc_enabled | option | 0 | enable the src-related logchain | | ban_autoallowlist | option | 1 | add wan IPs/subnets automatically to the local allowlist |
| ban_logdst_enabled | option | 0 | enable the dst-related logchain | | ban_autoblocklist | option | 1 | add suspicious attacker IPs automatically to the local blocklist |
| ban_autoblacklist | option | 1 | add suspicious IPs automatically to the local blacklist | | ban_allowlistonly | option | 0 | restrict the internet access from/to a small number of secure websites/IPs |
| ban_autowhitelist | option | 1 | add wan IPs/subnets automatically to the local whitelist | | ban_reportdir | option | /tmp/banIP-report | directory where banIP stores the report files |
| ban_whitelistonly | option | 0 | allow to restrict Internet access from/to a small number of secure websites/IPs | | ban_backupdir | option | /tmp/banIP-backup | directory where banIP stores the compressed backup files |
| ban_maxqueue | option | 4 | size of the download queue to handle downloads and processing in parallel | | ban_protov4 | option | - / autodetect | enable IPv4 support |
| ban_reportdir | option | /tmp/banIP-Report | directory where banIP stores the report files | | ban_protov6 | option | - / autodetect | enable IPv4 support |
| ban_backupdir | option | /tmp/banIP-Backup | directory where banIP stores the compressed backup files | | ban_ifv4 | list | - / autodetect | logical wan IPv4 interfaces, e.g. 'wan' |
| ban_ifaces | list | - | list option to add logical wan interfaces manually | | ban_ifv6 | list | - / autodetect | logical wan IPv6 interfaces, e.g. 'wan6' |
| ban_sources | list | - | list option to add banIP sources | | ban_dev | list | - / autodetect | wan device(s), e.g. 'eth2' |
| ban_countries | list | - | list option to add certain countries as an alpha-2 ISO code, e.g. 'de' for germany | | ban_trigger | list | - | logical startup trigger interface(s), e.g. 'wan' |
| ban_asns | list | - | list option to add certain ASNs (autonomous system number), e.g. '32934' for facebook | | ban_triggerdelay | option | 10 | trigger timeout before banIP processing begins |
| ban_chain | option | banIP | name of the root chain used by banIP | | ban_deduplicate | option | 1 | deduplicate IP addresses across all active sets |
| ban_global_settype | option | src+dst | global settype as default for all sources | | ban_splitsize | option | 0 | split ext. sets after every n lines/members (saves RAM) |
| ban_settype_src | list | - | special SRC settype for a certain sources | | ban_cores | option | - / autodetect | limit the cpu cores used by banIP (saves RAM) |
| ban_settype_dst | list | - | special DST settype for a certain sources | | ban_nftexpiry | option | - | expiry time for auto added blocklist members, e.g. '5m', '2h' or '1d' |
| ban_settype_all | list | - | special SRC+DST settype for a certain sources | | ban_nftpriority | option | -200 | nft banIP table priority (default is the prerouting table priority) |
| ban_target_src | option | DROP | default src action (used by log chains as well) | | ban_feed | list | - | external download feeds, e.g. 'yoyo', 'doh', 'country' or 'talos' (see feed table) |
| ban_target_dst | option | REJECT | default dst action (used by log chains as well) | | ban_asn | list | - | ASNs for the 'asn' feed, e.g.'32934' |
| ban_lan_inputchains_4 | list | input_lan_rule | list option to add IPv4 lan input chains | | ban_country | list | - | country iso codes for the 'country' feed, e.g. 'ru' |
| ban_lan_inputchains_6 | list | input_lan_rule | list option to add IPv6 lan input chains | | ban_blockinput | list | - | limit a feed to the input chain, e.g. 'country' |
| ban_lan_forwardchains_4 | list | forwarding_lan_rule | list option to add IPv4 lan forward chains | | ban_blockforward | list | - | limit a feed to the forward chain, e.g. 'doh' |
| ban_lan_forwardchains_6 | list | forwarding_lan_rule | list option to add IPv6 lan forward chains | | ban_fetchcmd | option | - / autodetect | 'uclient-fetch', 'wget', 'curl' or 'aria2c' |
| ban_wan_inputchains_4 | list | input_wan_rule | list option to add IPv4 wan input chains | | ban_fetchparm | option | - / autodetect | set the config options for the selected download utility |
| ban_wan_inputchains_6 | list | input_wan_rule | list option to add IPv6 wan input chains | | ban_fetchinsecure | option | 0 | don't check SSL server certificates during download |
| ban_wan_forwardchains_4 | list | forwarding_wan_rule | list option to add IPv4 wan forward chains |
| ban_wan_forwardchains_6 | list | forwarding_wan_rule | list option to add IPv6 wan forward chains |
| ban_fetchutil | option | -, auto-detected | 'uclient-fetch', 'wget', 'curl' or 'aria2c' |
| ban_fetchparm | option | -, auto-detected | manually override the config options for the selected download utility |
| ban_fetchinsecure | option | 0, disabled | don't check SSL server certificates during download |
| ban_mailreceiver | option | - | receiver address for banIP related notification E-Mails | | ban_mailreceiver | option | - | receiver address for banIP related notification E-Mails |
| ban_mailsender | option | no-reply@banIP | sender address for banIP related notification E-Mails | | ban_mailsender | option | no-reply@banIP | sender address for banIP related notification E-Mails |
| ban_mailtopic | option | banIP notification | topic for banIP related notification E-Mails | | ban_mailtopic | option | banIP notification | topic for banIP related notification E-Mails |
| ban_mailprofile | option | ban_notify | mail profile used in 'msmtp' for banIP related notification E-Mails | | ban_mailprofile | option | ban_notify | mail profile used in 'msmtp' for banIP related notification E-Mails |
| ban_srcarc | option | /etc/banip/banip.sources.gz | full path to the compressed source archive file used by banIP | | ban_resolver | option | - | external resolver used for DNS lookups |
| ban_localsources | list | maclist, whitelist, blacklist | limit the selection to certain local sources | | ban_feedarchive | option | /etc/banip/banip.feeds.gz | full path to the compressed feed archive file used by banIP |
| ban_extrasources | list | - | add additional, non-banIP related IPSets e.g. for reporting or queries |
| ban_maclist_timeout | option | - | individual maclist IPSet timeout |
| ban_whitelist_timeout | option | - | individual whitelist IPSet timeout |
| ban_blacklist_timeout | option | - | individual blacklist IPSet timeout |
| ban_logterms | list | dropbear, sshd, luci, nginx | limit the log monitor to certain log terms |
| ban_loglimit | option | 100 | parse only the last stated number of log entries for suspicious events |
| ban_ssh_logcount | option | 3 | number of the failed ssh login repetitions of the same ip in the log before banning |
| ban_luci_logcount | option | 3 | number of the failed luci login repetitions of the same ip in the log before banning |
| ban_nginx_logcount | option | 5 | number of the failed nginx requests of the same ip in the log before banning |
## Examples
**list/edit banIP sources:**
<pre><code>
~# /etc/init.d/banip list
::: Available banIP sources
:::
Name Enabled Focus Info URL
---------------------------------------------------------------------------
+ asn ASN blocks https://asn.ipinfo.app
+ bogon Bogon prefixes https://team-cymru.com
+ country x Country blocks https://www.ipdeny.com/ipblocks
+ darklist x Blocks suspicious attacker IPs https://darklist.de
+ debl x Fail2ban IP blacklist https://www.blocklist.de
+ doh x Public DoH-Provider https://github.com/dibdot/DoH-IP-blocklists
+ drop x Spamhaus drop compilation https://www.spamhaus.org
+ dshield x Dshield IP blocklist https://www.dshield.org
+ edrop Spamhaus edrop compilation https://www.spamhaus.org
+ feodo x Feodo Tracker https://feodotracker.abuse.ch
+ firehol1 x Firehol Level 1 compilation https://iplists.firehol.org/?ipset=firehol_level1
+ firehol2 Firehol Level 2 compilation https://iplists.firehol.org/?ipset=firehol_level2
+ firehol3 Firehol Level 3 compilation https://iplists.firehol.org/?ipset=firehol_level3
+ firehol4 Firehol Level 4 compilation https://iplists.firehol.org/?ipset=firehol_level4
+ greensnow x Blocks suspicious server IPs https://greensnow.co
+ iblockads Advertising blocklist https://www.iblocklist.com
+ iblockspy x Malicious spyware blocklist https://www.iblocklist.com
+ myip Myip Live IP blacklist https://myip.ms
+ nixspam x iX spam protection http://www.nixspam.org
+ proxy Firehol list of open proxies https://iplists.firehol.org/?ipset=proxylists
+ sslbl x SSL botnet IP blacklist https://sslbl.abuse.ch
+ talos x Cisco Talos IP Blacklist https://talosintelligence.com/reputation_center
+ threat x Emerging Threats https://rules.emergingthreats.net
+ tor x Tor exit nodes https://fissionrelays.net/lists
+ uceprotect1 x Spam protection level 1 http://www.uceprotect.net/en/index.php
+ uceprotect2 Spam protection level 2 http://www.uceprotect.net/en/index.php
+ voip x VoIP fraud blocklist http://www.voipbl.org
+ yoyo x Ad protection blacklist https://pgl.yoyo.org/adservers/
---------------------------------------------------------------------------
* Configured ASNs: -
* Configured Countries: af, bd, br, cn, hk, hu, id, il, in, iq, ir, kp, kr, no, pk, pl, ro, ru, sa, th, tr, ua, gb
</code></pre>
**receive banIP runtime information:**
<pre><code>
~# /etc/init.d/banip status
::: banIP runtime information
+ status : enabled
+ version : 0.7.7
+ ipset_info : 2 IPSets with 30 IPs/Prefixes
+ active_sources : whitelist
+ active_devs : wlan0
+ active_ifaces : trm_wwan, trm_wwan6
+ active_logterms : dropbear, sshd, luci, nginx
+ active_subnets : xxx.xxx.xxx.xxx/24, xxxx:xxxx:xxxx:xx::xxx/128
+ run_infos : settype: src+dst, backup_dir: /tmp/banIP-Backup, report_dir: /tmp/banIP-Report
+ run_flags : protocols (4/6): ✔/✔, log (src/dst): ✔/✘, monitor: ✔, mail: ✘, whitelist only: ✔
+ last_run : restart, 0m 3s, 122/30/14, 21.04.2021 20:14:36
+ system : TP-Link RE650 v1, OpenWrt SNAPSHOT r16574-f7e00d81bc
</code></pre>
**black-/whitelist handling:**
banIP supports a local black & whitelist (IPv4, IPv6, CIDR notation or domain names), located by default in /etc/banip/banip.whitelist and /etc/banip/banip.blacklist.
Unsuccessful LuCI logins, suspicious nginx request or ssh login attempts via 'dropbear'/'sshd' could be tracked and automatically added to the local blacklist (see the 'ban_autoblacklist' option). Furthermore the uplink subnet could be automatically added to local whitelist (see 'ban_autowhitelist' option). The list behaviour could be further tweaked with different timeout and counter options (see the config options section above).
Last but not least, both lists also accept domain names as input to allow IP filtering based on these names. The corresponding IPs (IPv4 & IPv6) will be resolved in a detached background process and added to the IPsets. The detached name lookup takes place only during 'restart' or 'reload' action, 'start' and 'refresh' actions are using an auto-generated backup instead.
**whitelist-only mode:**
banIP supports a "whitelist only" mode. This option allows to restrict the internet access from/to a small number of secure websites/IPs, and block access from/to the rest of the internet. All IPs and Domains which are _not_ listed in the whitelist are blocked. Please note: suspend/resume does not work in this mode.
**Manually override the download options:**
By default banIP uses the following pre-configured download options:
* aria2c: <code>--timeout=20 --allow-overwrite=true --auto-file-renaming=false --log-level=warn --dir=/ -o</code>
* curl: <code>--connect-timeout 20 --silent --show-error --location -o</code>
* uclient-fetch: <code>--timeout=20 -O</code>
* wget: <code>--no-cache --no-cookies --max-redirect=0 --timeout=20 -O</code>
To override the default set 'ban_fetchparm' manually to your needs. ## Examples
**banIP report information**
**generate an IPSet report:** ```
<pre><code>
~# /etc/init.d/banip report ~# /etc/init.d/banip report
::: :::
::: report on all banIP related IPSets ::: banIP Set Statistics
::: :::
+ Report timestamp ::: 04.02.2021 06:24:41 Timestamp: 2023-02-08 22:12:40
+ Number of all IPSets ::: 24 ------------------------------
+ Number of all entries ::: 302448 auto-added to allowlist: 1
+ Number of IP entries ::: 224748 auto-added to blocklist: 0
+ Number of CIDR entries ::: 77700
+ Number of MAC entries ::: 0 Set | Set Elements | Chain Input | Chain Forward | Input Packets | Forward Packets
+ Number of accessed entries ::: 36 ---------------------+---------------+---------------+---------------+---------------+----------------
allowlistvMAC | 0 | n/a | OK | n/a | 0
allowlistv4 | 1 | OK | OK | 0 | 0
allowlistv6 | 0 | OK | OK | 0 | 0
blocklistvMAC | 0 | n/a | OK | n/a | 0
blocklistv4 | 0 | OK | OK | 0 | 0
blocklistv6 | 0 | OK | OK | 0 | 0
dohv4 | 542 | n/a | OK | n/a | 22
adguardv4 | 23007 | n/a | OK | n/a | 18
yoyov4 | 1936 | n/a | OK | n/a | 1
oisdbasicv4 | 26000 | n/a | OK | n/a | 325
---------------------+---------------+---------------+---------------+---------------+----------------
10 | 51486 | 4 | 10 | 0 | 366
```
**banIP runtime information**
```
~# etc/init.d/banip status
::: banIP runtime information
+ status : active
+ version : 0.8.0
+ element_count : 51486
+ active_feeds : allowlistvMAC, allowlistv4, allowlistv6, blocklistvMAC, blocklistv4, blocklistv6, dohv4, adguardv4
, yoyov4, oisdbasicv4
+ active_devices : eth2
+ active_interfaces : wan
+ active_subnets : 192.168.98.107/24
+ run_info : base_dir: /tmp, backup_dir: /tmp/banIP-backup, report_dir: /tmp/banIP-report, feed_archive: /etc/b
anip/banip.feeds.gz
+ run_flags : protocol (4/6): ✔/✘, log (inp/fwd): ✔/✘, deduplicate: ✔, split: ✘, allowed only: ✘
+ last_run : action: start, duration: 0m 15s, date: 2023-02-08 22:12:46
+ system_info : cores: 2, memory: 3614, device: PC Engines apu1, OpenWrt SNAPSHOT r21997-b5193291bd
```
**banIP search information**
```
~# /etc/init.d/banip search 221.228.105.173
::: :::
::: IPSet details ::: banIP Search
::: :::
Name Type Count Cnt_IP Cnt_CIDR Cnt_MAC Cnt_ACC Entry details (Entry/Count) Looking for IP 221.228.105.173 on 2023-02-08 22:12:48
-------------------------------------------------------------------------------------------------------------------- ---
whitelist_4 src+dst 1 0 1 0 1 IP found in set oisdbasicv4
xxx.xxxx.xxx.xxxx/24 85 ```
--------------------------------------------------------------------------------------------------------------------
whitelist_6 src+dst 2 0 2 0 1 **allow-/blocklist handling**
xxxx:xxxx:xxxx::/64 29 banIP supports local allow and block lists (IPv4, IPv6, CIDR notation or domain names), located in /etc/banip/banip.allowlist and /etc/banip/banip.blocklist.
-------------------------------------------------------------------------------------------------------------------- Unsuccessful login attempts or suspicious requests will be tracked and added to the local blocklist (see the 'ban\_autoblocklist' option). The blocklist behaviour can be further tweaked with the 'ban\_nftexpiry' option.
blacklist_4 src+dst 513 513 0 0 2 Furthermore the uplink subnet will be added to local allowlist (see 'ban\_autowallowlist' option).
192.35.168.16 3 Both lists also accept domain names as input to allow IP filtering based on these names. The corresponding IPs (IPv4 & IPv6) will be extracted in a detached background process and added to the sets.
80.82.65.74 1
-------------------------------------------------------------------------------------------------------------------- **allowlist-only mode**
blacklist_6 src+dst 1 1 0 0 0 banIP supports an "allowlist only" mode. This option restricts the internet access from/to a small number of secure websites/IPs, and block access from/to the rest of the internet. All IPs and Domains which are _not_ listed in the allowlist are blocked.
--------------------------------------------------------------------------------------------------------------------
country_4 src 52150 0 52150 0 23 **redirect Asterisk security logs to lodg/logread**
124.5.0.0/16 1 banIP only supports logfile scanning via logread, so to monitor attacks on Asterisk, its security log must be available via logread. To do this, edit '/etc/asterisk/logger.conf' and add the line 'syslog.local0 = security', then run 'asterisk -rx reload logger' to update the running Asterisk configuration.
95.188.0.0/14 1
121.16.0.0/12 1 **tweaks for low memory systems**
46.161.0.0/18 1 nftables supports the atomic loading of rules/sets/members, which is cool but unfortunately is also very memory intensive. To reduce the memory pressure on low memory systems (i.e. those with 256-512Mb RAM), you should optimize your configuration with the following options:
42.56.0.0/14 1
113.64.0.0/10 1 * point 'ban_reportdir' and 'ban_backupdir' to an external usb drive
113.252.0.0/14 1 * set 'ban_cores' to '1' (only useful on a multicore system) to force sequential feed processing
5.201.128.0/17 1 * set 'ban_splitsize' e.g. to '1000' to split the load of an external set after every 1000 lines/members
125.64.0.0/11 1
90.188.0.0/15 1 **tweak the download options**
60.0.0.0/11 1 By default banIP uses the following pre-configured download options:
78.160.0.0/11 1 ```
1.80.0.0/12 1 * aria2c: --timeout=20 --allow-overwrite=true --auto-file-renaming=false --log-level=warn --dir=/ -o
183.184.0.0/13 1 * curl: --connect-timeout 20 --silent --show-error --location -o
175.24.0.0/14 1 * uclient-fetch: --timeout=20 -O
119.176.0.0/12 1 * wget: --no-cache --no-cookies --max-redirect=0 --timeout=20 -O
59.88.0.0/13 1 ```
103.78.12.0/22 1 To override the default set 'ban_fetchparm' manually to your needs.
123.128.0.0/13 1
116.224.0.0/12 1 **send E-Mail notifications via 'msmtp'**
42.224.0.0/12 1 To use the email notification you must install & configure the package 'msmtp'.
82.80.0.0/15 1
14.32.0.0/11 1
--------------------------------------------------------------------------------------------------------------------
country_6 src 20099 0 20099 0 0
--------------------------------------------------------------------------------------------------------------------
debl_4 src+dst 29389 29389 0 0 1
5.182.210.16 4
--------------------------------------------------------------------------------------------------------------------
debl_6 src+dst 64 64 0 0 0
--------------------------------------------------------------------------------------------------------------------
doh_4 src+dst 168 168 0 0 0
--------------------------------------------------------------------------------------------------------------------
doh_6 src+dst 122 122 0 0 0
--------------------------------------------------------------------------------------------------------------------
drop_4 src+dst 965 0 965 0 0
--------------------------------------------------------------------------------------------------------------------
drop_6 src+dst 36 0 36 0 0
--------------------------------------------------------------------------------------------------------------------
dshield_4 src+dst 20 0 20 0 1
89.248.165.0/24 1
--------------------------------------------------------------------------------------------------------------------
feodo_4 src+dst 325 325 0 0 0
--------------------------------------------------------------------------------------------------------------------
firehol1_4 src+dst 2763 403 2360 0 0
--------------------------------------------------------------------------------------------------------------------
iblockspy_4 src+dst 3650 2832 818 0 0
--------------------------------------------------------------------------------------------------------------------
nixspam_4 src+dst 9577 9577 0 0 0
--------------------------------------------------------------------------------------------------------------------
sslbl_4 src+dst 104 104 0 0 0
--------------------------------------------------------------------------------------------------------------------
threat_4 src+dst 1300 315 985 0 0
--------------------------------------------------------------------------------------------------------------------
tor_4 src+dst 1437 1437 0 0 0
--------------------------------------------------------------------------------------------------------------------
tor_6 src+dst 478 478 0 0 0
--------------------------------------------------------------------------------------------------------------------
uceprotect1_4 src+dst 156249 156249 0 0 6
192.241.220.137 1
128.14.137.178 1
61.219.11.153 1
138.34.32.33 1
107.174.133.130 2
180.232.99.46 1
--------------------------------------------------------------------------------------------------------------------
voip_4 src+dst 12563 12299 264 0 0
--------------------------------------------------------------------------------------------------------------------
yoyo_4 src+dst 10472 10472 0 0 1
204.79.197.200 2
--------------------------------------------------------------------------------------------------------------------
</code></pre>
**Enable E-Mail notification via 'msmtp':**
To use the email notification you have to install & configure the package 'msmtp'.
Modify the file '/etc/msmtprc', e.g.: Modify the file '/etc/msmtprc', e.g.:
<pre><code> ```
[...] [...]
defaults defaults
auth on auth on
@ -360,39 +264,37 @@ syslog LOG_MAIL
account ban_notify account ban_notify
host smtp.gmail.com host smtp.gmail.com
port 587 port 587
from &lt;address&gt;@gmail.com from <address>@gmail.com
user &lt;gmail-user&gt; user <gmail-user>
password &lt;password&gt; password <password>
</code></pre> ```
Finally enable E-Mail support and add a valid E-Mail receiver address in LuCI. Finally add a valid E-Mail receiver address.
**Edit, add new banIP sources:**
The banIP blocklist sources are stored in an external, compressed JSON file '/etc/banip/banip.sources.gz'.
This file is directly parsed in LuCI and accessible via CLI, just call _/etc/init.d/banip list_.
To add new or edit existing sources extract the compressed JSON file _gunzip /etc/banip/banip.sources.gz_. **add new banIP feeds**
The banIP blocklist feeds are stored in an external, compressed JSON file '/etc/banip/banip.feeds.gz'.
To add a new or edit an existing feed extract the compressed JSON file _gunzip /etc/banip/banip.feeds.gz_.
A valid JSON source object contains the following required information, e.g.: A valid JSON source object contains the following required information, e.g.:
<pre><code> ```
[...] [...]
"tor": { "tor": {
"url_4": "https://lists.fissionrelays.net/tor/exits-ipv4.txt", "url_4": "https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst",
"url_6": "https://lists.fissionrelays.net/tor/exits-ipv6.txt", "url_6": "https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add tor_4 \"$1}", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{print \"add tor_6 \"$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
"focus": "Tor exit nodes", "focus": "tor exit nodes",
"descurl": "https://fissionrelays.net/lists" "descurl": "https://github.com/SecOps-Institute/Tor-IP-Addresses"
}, },
[...] [...]
</code></pre> ```
Add an unique object name, make the required changes to 'url_4', 'rule_4' (and/or 'url_6', 'rule_6'), 'focus' and 'descurl' and finally compress the changed JSON file _gzip /etc/banip/banip.sources.gz_ to use the new source object in banIP. Add an unique object name, make the required changes and compress the changed JSON file finally with _gzip /etc/banip/banip.feeds_ to use the new feed file in banIP.
<b>Please note:</b> if you're going to add new sources on your own, please make a copy of the default file and work with that copy further on, cause the default will be overwritten with every banIP update. To reference your copy set the option 'ban\_srcarc' which points by default to '/etc/banip/banip.sources.gz' **Please note:** if you're going to add new feeds, **always** work with a copy of the default file; this file is always overwritten with every banIP update. To reference your own file set the option 'ban\_feedarchive' accordingly
## Support ## Support
Please join the banIP discussion in this [forum thread](https://forum.openwrt.org/t/banip-support-thread/16985) or contact me by mail <dev@brenken.org> Please join the banIP discussion in this [forum thread](https://forum.openwrt.org/t/banip-support-thread/16985) or contact me by mail <dev@brenken.org>
## Removal ## Removal
* stop all banIP related services with _/etc/init.d/banip stop_ * stop all banIP related services with _/etc/init.d/banip stop_
* optional: remove the banip package (_opkg remove banip_) * optional: remove the banip package (_opkg remove banip_)
Have fun! Have fun!
Dirk Dirk


194
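--- a/net/banip/files/banip-service.sh
+++ b/net/banip/files/banip-service.sh
@@ -0,0 +1,194 @@
+#!/bin/sh
+# banIP main service script - ban incoming and outgoing ip adresses/subnets via sets in nftables
+# Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org)
+# This is free software, licensed under the GNU General Public License v3.
+# (s)hellcheck exceptions
+# shellcheck disable=all
+ban_action="${1}"
+ban_starttime="$(date "+%s")"
+ban_funlib="/usr/lib/banip-functions.sh"
+[ -z "$(command -v "f_system")" ] && . "${ban_funlib}"
+# load config and set banIP environment
+#
+f_conf
+f_log "info" "start banIP processing (${ban_action})"
+f_genstatus "processing"
+f_tmp
+f_fetch
+f_getif
+f_getdev
+f_getsub
+f_mkdir "${ban_backupdir}"
+f_mkfile "${ban_blocklist}"
+f_mkfile "${ban_allowlist}"
+# firewall check
+#
+if [ "${ban_action}" != "reload" ]; then
+if [ -x "${ban_fw4cmd}" ]; then
+cnt=0
+while [ "${cnt}" -lt "10" ] && ! /etc/init.d/firewall status | grep -q "^active"; do
+cnt="$((cnt + 1))"
+sleep 1
+done
+if ! /etc/init.d/firewall status | grep -q "^active"; then
+f_log "err" "nft based firewall/fw4 not functional"
+fi
+else
+f_log "err" "nft based firewall/fw4 not found"
+fi
+fi
+# init nft namespace
+#
+if [ "${ban_action}" != "reload" ] || ! "${ban_nftcmd}" -t list table inet banIP >/dev/null 2>&1; then
+if f_nftinit "${ban_tmpfile}".init.nft; then
+f_log "info" "nft namespace initialized"
+else
+f_log "err" "nft namespace can't be initialized"
+fi
+fi
+# handle downloads
+#
+f_log "info" "start banIP download processes"
+if [ "${ban_allowlistonly}" = "1" ]; then
+ban_feed=""
+else
+json_init
+if ! json_load_file "${ban_basedir}/ban_feeds.json" >/dev/null 2>&1; then
+f_log "err" "banIP feed file can't be loaded"
+fi
+[ "${ban_deduplicate}" = "1" ] && printf "\n" >"${ban_tmpfile}.deduplicate"
+fi
+cnt="1"
+for feed in allowlist ${ban_feed} blocklist; do
+# local feeds
+#
+if [ "${feed}" = "allowlist" ] || [ "${feed}" = "blocklist" ]; then
+for proto in MAC 4 6; do
+[ "${feed}" = "blocklist" ] && wait
+(f_down "${feed}" "${proto}") &
+[ "${feed}" = "blocklist" ] || { [ "${feed}" = "allowlist" ] && [ "${proto}" = "MAC" ]; } && wait
+hold="$((cnt % ban_cores))"
+[ "${hold}" = "0" ] && wait
+cnt="$((cnt + 1))"
+done
+wait
+continue
+fi
+# read external feed information
+#
+if ! json_select "${feed}" >/dev/null 2>&1; then
+continue
+fi
+json_objects="url_4 rule_4 url_6 rule_6 flag"
+for object in ${json_objects}; do
+eval json_get_var feed_"${object}" '${object}' >/dev/null 2>&1
+done
+json_select ..
+# handle IPv4/IPv6 feeds with the same/single download URL
+#
+if [ "${feed_url_4}" = "${feed_url_6}" ]; then
+if [ "${ban_protov4}" = "1" ] && [ -n "${feed_url_4}" ] && [ -n "${feed_rule_4}" ]; then
+(f_down "${feed}" "4" "${feed_url_4}" "${feed_rule_4}" "${feed_flag}") &
+feed_url_6="local"
+wait
+fi
+if [ "${ban_protov6}" = "1" ] && [ -n "${feed_url_6}" ] && [ -n "${feed_rule_6}" ]; then
+(f_down "${feed}" "6" "${feed_url_6}" "${feed_rule_6}" "${feed_flag}") &
+hold="$((cnt % ban_cores))"
+[ "${hold}" = "0" ] && wait
+cnt="$((cnt + 1))"
+fi
+continue
+fi
+# handle IPv4/IPv6 feeds with separated download URLs
+#
+if [ "${ban_protov4}" = "1" ] && [ -n "${feed_url_4}" ] && [ -n "${feed_rule_4}" ]; then
+(f_down "${feed}" "4" "${feed_url_4}" "${feed_rule_4}" "${feed_flag}") &
+hold="$((cnt % ban_cores))"
+[ "${hold}" = "0" ] && wait
+cnt="$((cnt + 1))"
+fi
+if [ "${ban_protov6}" = "1" ] && [ -n "${feed_url_6}" ] && [ -n "${feed_rule_6}" ]; then
+(f_down "${feed}" "6" "${feed_url_6}" "${feed_rule_6}" "${feed_flag}") &
+hold="$((cnt % ban_cores))"
+[ "${hold}" = "0" ] && wait
+cnt="$((cnt + 1))"
+fi
+done
+wait
+# start domain lookup
+#
+f_log "info" "start detached banIP domain lookup"
+(f_lookup "allowlist") &
+hold="$((cnt % ban_cores))"
+[ "${hold}" = "0" ] && wait
+(f_lookup "blocklist") &
+# tidy up
+#
+f_rmset
+f_rmdir "${ban_tmpdir}"
+f_genstatus "active"
+f_log "info" "finished banIP download processes"
+rm -rf "${ban_lock}"
+# start log service
+#
+if [ -x "${ban_logreadcmd}" ] && [ -n "${ban_logterm%%??}" ]; then
+f_log "info" "start detached banIP log service"
+nft_expiry="$(printf "%s" "${ban_nftexpiry}" | grep -oE "([0-9]+[h|m|s]$)")"
+[ -n "${nft_expiry}" ] && nft_expiry="timeout ${nft_expiry}"
+# read log continuously with given logterms
+#
+"${ban_logreadcmd}" -fe "${ban_logterm%%??}" 2>/dev/null |
+while read -r line; do
+proto=""
+# IPv4 log parsing
+#
+ip="$(printf "%s" "${line}" | "${ban_awkcmd}" 'BEGIN{RS="(([0-9]{1,3}\\.){3}[0-9]{1,3})+"}{if(!seen[RT]++)printf "%s ",RT}')"
+ip="$(f_trim "${ip}")"
+ip="${ip##* }"
+[ -n "${ip}" ] && proto="v4"
+if [ -z "${proto}" ]; then
+# IPv6 log parsing
+#
+ip="$(printf "%s" "${line}" | "${ban_awkcmd}" 'BEGIN{RS="([A-Fa-f0-9]{1,4}::?){3,7}[A-Fa-f0-9]{1,4}"}{if(!seen[RT]++)printf "%s ",RT}')"
+ip="$(f_trim "${ip}")"
+ip="${ip##* }"
+[ -n "${ip}" ] && proto="v6"
+fi
+if [ -n "${proto}" ] && ! "${ban_nftcmd}" get element inet banIP blocklist"${proto}" "{ ${ip} }" >/dev/null 2>&1; then
+f_log "info" "suspicious IP${proto} found '${ip}'"
+log_raw="$("${ban_logreadcmd}" -l "${ban_loglimit}" 2>/dev/null)"
+log_count="$(printf "%s\n" "${log_raw}" | grep -c "found '${ip}'")"
+if [ "${log_count}" -ge "${ban_logcount}" ]; then
+if "${ban_nftcmd}" add element inet banIP "blocklist${proto}" "{ ${ip} ${nft_expiry} }" >/dev/null 2>&1; then
+f_log "info" "added IP${proto} '${ip}' (${nft_expiry:-"-"}) to blocklist${proto} set"
+if [ "${ban_autoblocklist}" = "1" ] && ! grep -q "^${ip}" "${ban_blocklist}"; then
+printf "%-42s%s\n" "${ip}" "# added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_blocklist}"
+f_log "info" "added IP${proto} '${ip}' to local blocklist"
+fi
+fi
+fi
+fi
+done
+# start no-op service loop
+#
+else
+f_log "info" "start detached no-op banIP service (logterms are missing)"
+while :; do
+sleep 1
+done
+fi
+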
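Review bot: In the log-monitor loop the persistence check `grep -q "^${ip}" "${ban_blocklist}"` is an unanchored prefix match, so a newly caught address (constructed example: `192.0.2.1`) counts as already listed when the file only holds `192.0.2.10`, and it is never written to the local blocklist. Such an address lives only in the nft set and, as far as this script shows, is not restored from the file once the set is rebuilt or the entry times out. Anchoring the end of the token closes the gap: `grep -qE "^${ip}([[:space:]]|$)" "${ban_blocklist}"`. Separately, the expiry filter `grep -oE "([0-9]+[h|m|s]$)"` discards the `1d` form that this commit's README gives as a valid `ban_nftexpiry` value and accepts a literal `|`, so a day-based setting silently produces entries with no timeout. `grep -oE "^[0-9]+[dhms]$"` would match the documented forms, and logging a warning when the option is set but rejected would make the fallback visible.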


@ -1,16 +1,9 @@
config banip 'global' config banip 'global'
option ban_enabled '0' option ban_enabled '0'
option ban_debug '0' option ban_debug '0'
option ban_mail_enabled '0'
option ban_monitor_enabled '0'
option ban_logsrc_enabled '0'
option ban_logdst_enabled '0'
option ban_autodetect '1' option ban_autodetect '1'
option ban_autoblacklist '1' list ban_logterm 'Exit before auth from'
option ban_autowhitelist '1' list ban_logterm 'luci: failed login'
option ban_nice '0' list ban_logterm 'error: maximum authentication attempts exceeded'
option ban_maxqueue '4' list ban_logterm 'sshd.*Connection closed by.*\[preauth\]'
option ban_global_settype 'src+dst' list ban_logterm 'SecurityEvent=\"ChallengeResponseFailed\".*RemoteAddress='
option ban_target_src 'DROP'
option ban_target_dst 'REJECT'
option ban_loglimit '100'


@ -1,64 +0,0 @@
#!/bin/sh
# helper script to resolve domains for adding to banIP-related IPSets
# Copyright (c) 2020-2021 Dirk Brenken (dev@brenken.org)
# This is free software, licensed under the GNU General Public License v3.
# (s)hellcheck exceptions
# shellcheck disable=1091,3040
export LC_ALL=C
export PATH="/usr/sbin:/usr/bin:/sbin:/bin"
set -o pipefail
. "/lib/functions.sh"
ban_src_name="${1}"
ban_src_file="${2}"
ban_tmpbase="$(uci_get banip global ban_tmpbase "/tmp")"
ban_backupdir="$(uci_get banip global ban_backupdir "${ban_tmpbase}/banIP-Backup")"
ban_proto4_enabled="$(uci_get banip global ban_proto4_enabled "0")"
ban_proto6_enabled="$(uci_get banip global ban_proto6_enabled "0")"
ban_ipset_cmd="$(command -v ipset)"
ban_lookup_cmd="$(command -v nslookup)"
ban_logger_cmd="$(command -v logger)"
ban_cnt_err="0"
ban_message=""
rm -f "${ban_backupdir}/banIP.${ban_src_name}_addon_4" "${ban_backupdir}/banIP.${ban_src_name}_addon_6"
while read -r domain; do
result="$(
"${ban_lookup_cmd}" "${domain}" 2>/dev/null
printf "%s" "${?}"
)"
if [ "$(printf "%s" "${result}" | tail -1)" = "0" ]; then
ips="$(printf "%s" "${result}" | awk '/^Address[ 0-9]*: /{ORS=" ";print $NF}')"
for ip in ${ips}; do
for proto in "4" "6"; do
if { [ "${proto}" = "4" ] && [ "${ban_proto4_enabled}" = "1" ] && [ -n "$("${ban_ipset_cmd}" -q -n list "${ban_src_name}_${proto}")" ] &&
[ -n "$(printf "%s" "${ip}" | awk '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print $1}')" ]; } ||
{ [ "${proto}" = "6" ] && [ "${ban_proto6_enabled}" = "1" ] && [ -n "$("${ban_ipset_cmd}" -q -n list "${ban_src_name}_${proto}")" ] &&
[ -n "$(printf "%s" "${ip}" | awk '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{print $1}')" ]; }; then
printf "%s\n" "add ${ban_src_name}_${proto} ${ip}" >>"${ban_backupdir}/banIP.${ban_src_name}_addon_${proto}"
fi
done
done
[ -n "${ips}" ] && "${ban_logger_cmd}" -p "debug" -t "banIP-resolve [${$}]" "added IPs of '${domain}' to ${ban_src_name} (${ips})" 2>/dev/null
else
ban_cnt_err=$((ban_cnt_err + 1))
fi
done <"${ban_src_file}"
for proto in "4" "6"; do
if { { [ "${proto}" = "4" ] && [ "${ban_proto4_enabled}" = "1" ]; } || { [ "${proto}" = "6" ] && [ "${ban_proto6_enabled}" = "1" ]; }; } &&
[ ! -s "${ban_backupdir}/banIP.${ban_src_name}_addon_${proto}" ] && [ -s "${ban_backupdir}/banIP.${ban_src_name}_addon_${proto}.gz" ]; then
gzip -df "${ban_backupdir}/banIP.${ban_src_name}_addon_${proto}.gz" 2>/dev/null
"${ban_ipset_cmd}" -q -! restore <"${ban_backupdir}/banIP.${ban_src_name}_addon_${proto}"
ban_message="backup used"
elif [ -n "$("${ban_ipset_cmd}" -q -n list "${ban_src_name}_${proto}")" ] && [ -s "${ban_backupdir}/banIP.${ban_src_name}_addon_${proto}" ]; then
"${ban_ipset_cmd}" -q -! restore <"${ban_backupdir}/banIP.${ban_src_name}_addon_${proto}"
ban_message="${ban_cnt_err} lookup errors"
fi
gzip -f "${ban_backupdir}/banIP.${ban_src_name}_addon_${proto}" 2>/dev/null
done
"${ban_logger_cmd}" -p "info" -t "banIP-resolve [${$}]" "${ban_src_name} domain import has been finished (${ban_message:-"-"})" 2>/dev/null
rm -f "${ban_src_file}"

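--- a/net/banip/files/banip.feeds
+++ b/net/banip/files/banip.feeds
@@ -0,0 +1,295 @@
+{
+"adaway": {
+"url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/adaway-ipv4.txt",
+"url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/adaway-ipv6.txt",
+"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
+"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
+"focus": "adaway IPs",
+"descurl": "https://github.com/dibdot/banIP-IP-blocklists"
+},
+"adguard": {
+"url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/adguard-ipv4.txt",
+"url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/adguard-ipv6.txt",
+"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
+"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
+"focus": "adguard IPs",
+"descurl": "https://github.com/dibdot/banIP-IP-blocklists"
+},
+"adguardtrackers": {
+"url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/adguardtrackers-ipv4.txt",
+"url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/adguardtrackers-ipv6.txt",
+"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
+"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
+"focus": "adguardtracker IPs",
+"descurl": "https://github.com/dibdot/banIP-IP-blocklists"
+},
+"antipopads": {
+"url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/antipopads-ipv4.txt",
+"url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/antipopads-ipv6.txt",
+"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
+"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
+"focus": "antipopads IPs",
+"descurl": "https://github.com/dibdot/banIP-IP-blocklists"
+},
+"asn": {
+"url_4": "https://asn.ipinfo.app/api/text/list/",
+"url_6": "https://asn.ipinfo.app/api/text/list/",
+"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
+"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
+"focus": "ASN IPs",
+"descurl": "https://asn.ipinfo.app"
+},
+"backscatterer": {
+"url_4": "http://wget-mirrors.uceprotect.net/rbldnsd-all/ips.backscatterer.org.gz",
+"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
+"focus": "backscatterer IPs",
+"descurl": "https://www.uceprotect.net/en/index.php",
+"flag": "gz"
+},
+"bogon": {
+"url_4": "https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt",
+"url_6": "https://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt",
+"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
+"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
+"focus": "bogon prefixes",
+"descurl": "https://team-cymru.com"
+},
+"cinsscore": {
+"url_4": "https://cinsscore.com/list/ci-badguys.txt",
+"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
+"focus": "suspicious attacker IPs",
+"descurl": "https://cinsscore.com/#list"
+},
+"country": {
+"url_4": "https://www.ipdeny.com/ipblocks/data/aggregated/",
+"url_6": "https://www.ipdeny.com/ipv6/ipaddresses/aggregated/",
+"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
+"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
+"focus": "country blocks",
+"descurl": "http://www.ipdeny.com/ipblocks"
+},
+"darklist": {
+"url_4": "https://darklist.de/raw.php",
+"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
+"focus": "suspicious attacker IPs",
+"descurl": "https://darklist.de"
+},
+"debl": {
+"url_4": "https://www.blocklist.de/downloads/export-ips_all.txt",
+"url_6": "https://www.blocklist.de/downloads/export-ips_all.txt",
+"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
+"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
+"focus": "fail2ban IP blacklist",
+"descurl": "https://www.blocklist.de"
+},
+"doh": {
+"url_4": "https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv4.txt",
+"url_6": "https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv6.txt",
+"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
+"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
+"focus": "public DoH-Provider",
+"descurl": "https://github.com/dibdot/DoH-IP-blocklists"
+},
+"drop": {
+"url_4": "https://www.spamhaus.org/drop/drop.txt",
+"url_6": "https://www.spamhaus.org/drop/dropv6.txt",
+"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
+"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
+"focus": "spamhaus drop compilation",
+"descurl": "https://www.spamhaus.org"
+},
+"dshield": {
+"url_4": "https://feeds.dshield.org/block.txt",
+"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s/%s,\\n\",$1,$3}",
+"focus": "dshield IP blocklist",
+"descurl": "https://www.dshield.org"
+},
+"edrop": {
+"url_4": "https://www.spamhaus.org/drop/edrop.txt",
+"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
+"focus": "spamhaus edrop compilation",
+"descurl": "https://www.spamhaus.org"
+},
+"feodo": {
+"url_4": "https://feodotracker.abuse.ch/downloads/ipblocklist.txt",
+"rule_4": "BEGIN{RS=\"\\r\\n\"}/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
+"focus": "feodo tracker",
+"descurl": "https://feodotracker.abuse.ch"
+},
+"firehol1": {
+"url_4": "https://iplists.firehol.org/files/firehol_level1.netset",
+"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
+"focus": "firehol level 1 compilation",
+"descurl": "https://iplists.firehol.org/?ipset=firehol_level1"
+},
+"firehol2": {
+"url_4": "https://iplists.firehol.org/files/firehol_level2.netset",
+"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
+"focus": "firehol level 2 compilation",
+"descurl": "https://iplists.firehol.org/?ipset=firehol_level2"
+},
+"firehol3": {
+"url_4": "https://iplists.firehol.org/files/firehol_level3.netset",
+"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
+"focus": "firehol level 3 compilation",
+"descurl": "https://iplists.firehol.org/?ipset=firehol_level3"
+},
+"firehol4": {
+"url_4": "https://iplists.firehol.org/files/firehol_level4.netset",
+"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{if(!seen[$1]++)printf \"%s,\\n\",$1}",
+"focus": "firehol level 4 compilation",
+"descurl": "https://iplists.firehol.org/?ipset=firehol_level4"
+},
+"greensnow": {
+"url_4": "https://blocklist.greensnow.co/greensnow.txt",
+"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
+"focus": "suspicious server IPs",
+"descurl": "https://greensnow.co"
+},
+"iblockads": {
+"url_4": "https://list.iblocklist.com/?list=dgxtneitpuvgqqcpfulq&fileformat=cidr&archiveformat=gz",
+"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
+"focus": "advertising IPs",
+"descurl": "https://www.iblocklist.com",
+"flag": "gz",
+"login": true
+},
+"iblockspy": {
+"url_4": "https://list.iblocklist.com/?list=llvtlsjyoyiczbkjsxpf&fileformat=cidr&archiveformat=gz",
+"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
+"focus": "malicious spyware IPs",
+"descurl": "https://www.iblocklist.com",
+"flag": "gz",
+"login": true
+},
+"myip": {
+"url_4": "https://myip.ms/files/blacklist/general/latest_blacklist.txt",
+"url_6": "https://myip.ms/files/blacklist/general/latest_blacklist.txt",
+"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
+"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
+"focus": "real-time IP blocklist",
+"descurl": "https://myip.ms"
+},
+"nixspam": {
+"url_4": "https://www.nixspam.net/download/nixspam-ip.dump.gz",
+"rule_4": "/(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$2}",
+"focus": "iX spam protection",
+"descurl": "https://www.nixspam.net",
+"flag": "gz"
+},
+"oisdnsfw": {
+"url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/oisdnsfw-ipv4.txt",
+"url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/oisdnsfw-ipv6.txt",
+"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
+"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
+"focus": "OISD-nsfw IPs",
+"descurl": "https://github.com/dibdot/banIP-IP-blocklists"
+},
+"oisdsmall": {
+"url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/oisdsmall-ipv4.txt",
+"url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/oisdsmall-ipv6.txt",
+"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
+"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
+"focus": "OISD-small IPs",
+"descurl": "https://github.com/dibdot/banIP-IP-blocklists"
+},
+"proxy": {
+"url_4": "https://iplists.firehol.org/files/proxylists.ipset",
+"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
+"focus": "open proxies",
+"descurl": "https://iplists.firehol.org/?ipset=proxylists"
+},
+"sslbl": {
+"url_4": "https://sslbl.abuse.ch/blacklist/sslipblacklist.csv",
+"rule_4": "BEGIN{FS=\",\"}/(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)/{printf \"%s,\\n\",$2}",
+"focus": "SSL botnet IPs",
+"descurl": "https://sslbl.abuse.ch"
+},
+"stevenblack": {
+"url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/stevenblack-ipv4.txt",
+"url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/stevenblack-ipv6.txt",
+"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
+"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
+"focus": "stevenblack IPs",
+"descurl": "https://github.com/dibdot/banIP-IP-blocklists"
+},
+"talos": {
+"url_4": "https://www.talosintelligence.com/documents/ip-blacklist",
+"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
+"focus": "talos IPs",
+"descurl": "https://talosintelligence.com/reputation_center"
+},
+"threat": {
+"url_4": "https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt",
+"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
+"focus": "emerging threats",
+"descurl": "https://rules.emergingthreats.net"
+},
+"threatview": {
+"url_4": "https://threatview.io/Downloads/IP-High-Confidence-Feed.txt",
+"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
+"focus": "malicious IPs",
+"descurl": "https://threatview.io"
+},
+"tor": {
+"url_4": "https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst",
+"url_6": "https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst",
+"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
+"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
+"focus": "tor exit nodes",
+"descurl": "https://github.com/SecOps-Institute/Tor-IP-Addresses"
+},
+"uceprotect1": {
+"url_4": "http://wget-mirrors.uceprotect.net/rbldnsd-all/dnsbl-1.uceprotect.net.gz",
+"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
+"focus": "spam protection level 1",
+"descurl": "http://www.uceprotect.net/en/index.php",
+"flag": "gz"
+},
+"uceprotect2": {
+"url_4": "http://wget-mirrors.uceprotect.net/rbldnsd-all/dnsbl-2.uceprotect.net.gz",
+"rule_4": "BEGIN{IGNORECASE=1}/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]NET)/{printf \"%s,\\n\",$1}",
+"focus": "spam protection level 2",
+"descurl": "http://www.uceprotect.net/en/index.php",
+"flag": "gz"
+},
+"uceprotect3": {
+"url_4": "http://wget-mirrors.uceprotect.net/rbldnsd-all/dnsbl-3.uceprotect.net.gz",
+"rule_4": "BEGIN{IGNORECASE=1}/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]YOUR)/{printf \"%s,\\n\",$1}",
+"focus": "spam protection level 3",
+"descurl": "http://www.uceprotect.net/en/index.php",
+"flag": "gz"
+},
+"urlhaus": {
+"url_4": "https://urlhaus.abuse.ch/downloads/ids/",
+"rule_4": "match($0,/(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5]))/){printf \"%s,\\n\",substr($0,RSTART,RLENGTH)}",
+"focus": "urlhaus IDS IPs",
+"descurl": "https://urlhaus.abuse.ch"
+},
+"urlvir": {
+"url_4": "https://iplists.firehol.org/files/urlvir.ipset",
+"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
+"focus": "malware related IPs",
+"descurl": "https://iplists.firehol.org/?ipset=urlvir"
+},
+"voip": {
+"url_4": "https://voipbl.org/update/",
+"rule_4": "BEGIN{RS=\"(([0-9]{1,3}\\\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)\"}{if(RT)printf \"%s,\\n\",RT}",
+"focus": "VoIP fraud blocklist",
+"descurl": "https://voipbl.org"
+},
+"webclient": {
+"url_4": "https://iplists.firehol.org/files/firehol_webclient.netset",
+"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
+"focus": "malware related IPs",
+"descurl": "https://iplists.firehol.org/?ipset=firehol_webclient"
+},
+"yoyo": {
+"url_4": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/yoyo-ipv4.txt",
+"url_6": "https://raw.githubusercontent.com/dibdot/banIP-IP-blocklists/main/yoyo-ipv6.txt",
+"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
+"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
+"focus": "yoyo IPs",
+"descurl": "https://github.com/dibdot/banIP-IP-blocklists"
+}
+}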
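Review bot: Four feeds are downloaded over plain HTTP: `backscatterer` and `uceprotect1` to `uceprotect3` all point `url_4` at `http://wget-mirrors.uceprotect.net/...`, so their content can be altered in transit before it becomes firewall set elements. If the provider serves the same files over TLS these should become `https://` URLs; otherwise they are better left out of any default selection. Every `rule_6` uses the bracket range `[0-9A-f]`, which in the C locale also admits `G`–`Z` and the punctuation between `Z` and `a`; `[0-9A-Fa-f]` restricts it to hex digits, as the log parser in the service script already does with `[A-Fa-f0-9]`. The first three IPv4 octets are matched with `[0-9]{1,3}`, so values above 255 pass the awk rule and are presumably left for nft to reject at load time.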


@ -1,10 +0,0 @@
#!/bin/sh
# firewall hotplug script for banIP
# Copyright (c) 2019-2021 Dirk Brenken (dev@brenken.org)
# This is free software, licensed under the GNU General Public License v3.
if /etc/init.d/banip enabled && [ "${ACTION}" = "add" ] && [ -n "${INTERFACE}" ]; then
if [ ! -s "/var/run/banip.pid" ] && uci_get banip global ban_ifaces | grep -q "${INTERFACE}"; then
/etc/init.d/banip refresh
fi
fi


@ -1,202 +1,69 @@
#!/bin/sh /etc/rc.common #!/bin/sh /etc/rc.common
# Copyright (c) 2018-2021 Dirk Brenken (dev@brenken.org) # banIP init script - ban incoming and outgoing ip adresses/subnets via sets in nftables
# Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org)
# This is free software, licensed under the GNU General Public License v3. # This is free software, licensed under the GNU General Public License v3.
# (s)hellcheck exceptions # (s)hellcheck exceptions
# shellcheck disable=1091,2034,3043,3057,3060 # shellcheck disable=all
START=30 START=30
USE_PROCD=1 USE_PROCD=1
if type extra_command >/dev/null 2>&1; then extra_command "report" "[text|json|mail] Print banIP related set statistics"
extra_command "refresh" "Refresh ipsets without new list downloads" extra_command "search" "[<IPv4 address>|<IPv6 address>] Check if an element exists in the banIP sets"
extra_command "suspend" "Suspend banIP processing"
extra_command "resume" "Resume banIP processing"
extra_command "query" "<IP> Query active banIP IPSets for a specific IP address"
extra_command "report" "[<cli>|<mail>|<gen>|<json>] Print banIP related IPset statistics"
extra_command "list" "[<add>|<add_asn>|<add_country>|<remove>|<remove_asn>|<remove_country>] <source(s)> List/Edit available sources"
extra_command "timer" "[<add> <tasks> <hour> [<minute>] [<weekday>]]|[<remove> <line no.>] List/Edit cron update intervals"
else
EXTRA_COMMANDS="status refresh suspend resume query report list timer version"
EXTRA_HELP=" status Service status
refresh Refresh ipsets without new list downloads
suspend Suspend banIP processing
resume Resume banIP processing
query <IP> Query active banIP IPSets for a specific IP address
report [<cli>|<mail>|<gen>|<json>] Print banIP related IPset statistics
list [<add>|<add_asn>|<add_country>|<remove>|<remove_asn>|<remove_country>] <source(s)> List/Edit available sources
timer [<add> <tasks> <hour> [<minute>] [<weekday>]]|[<remove> <line no.>] List/Edit cron update intervals"
fi
ban_init="/etc/init.d/banip" ban_init="/etc/init.d/banip"
ban_script="/usr/bin/banip.sh" ban_service="/usr/bin/banip-service.sh"
ban_funlib="/usr/lib/banip-functions.sh"
ban_pidfile="/var/run/banip.pid" ban_pidfile="/var/run/banip.pid"
ban_lock="/var/run/banip.lock"
if [ -s "${ban_pidfile}" ] && { [ "${action}" = "start" ] || [ "${action}" = "stop" ] || [ "${action}" = "stop" ] && ! /etc/init.d/banip running && exit 0
[ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "refresh" ] || [ ! -r "${ban_funlib}" ] && { [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "stop" ] || [ "${action}" = "report" ] || [ "${action}" = "search" ] || [ "${action}" = "status" ]; } && exit 1
[ "${action}" = "suspend" ] || [ "${action}" = "resume" ] || [ "${action}" = "query" ] || [ -d "${ban_lock}" ] && { [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ]; } && exit 1
{ [ "${action}" = "list" ] && [ -n "${1}" ]; } || { [ "${action}" = "report" ] && [ "${1}" != "json" ]; }; }; then [ ! -d "${ban_lock}" ] && { [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ]; } && mkdir -p "${ban_lock}"
exit 0
fi
boot() { boot() {
: >"${ban_pidfile}" : >"${ban_pidfile}"
rc_procd start_service rc_procd start_service "boot"
} }
start_service() { start_service() {
if "${ban_init}" enabled; then if "${ban_init}" enabled; then
if [ "${action}" = "boot" ]; then [ "${action}" = "boot" ] && [ -n "$(uci_get banip global ban_trigger)" ] && return 0
return 0 [ -z "$(command -v "f_system")" ] && . "${ban_funlib}"
fi f_rmpid
procd_open_instance "banip" procd_open_instance "banip-service"
procd_set_param command "${ban_script}" "${@}" procd_set_param command "${ban_service}" "${@:-"${action}"}"
procd_set_param pidfile "${ban_pidfile}" procd_set_param pidfile "${ban_pidfile}"
procd_set_param nice "$(uci_get banip global ban_nice "0")" procd_set_param nice "$(uci_get banip global ban_nicelimit "0")"
procd_set_param limits nofile="$(uci_get banip global ban_filelimit "1024")"
procd_set_param stdout 1 procd_set_param stdout 1
procd_set_param stderr 1 procd_set_param stderr 1
procd_close_instance procd_close_instance
else
[ -z "$(command -v "f_system")" ] && . "${ban_funlib}"
f_log "err" "banIP service autostart is currently disabled, please enable the service autostart with '/etc/init.d/banip enable'"
rm -rf "${ban_lock}"
fi fi
} }
version() {
rc_procd "${ban_script}" version
}
refresh() {
rc_procd start_service refresh
}
reload_service() { reload_service() {
rc_procd start_service reload [ -z "$(command -v "f_system")" ] && . "${ban_funlib}"
f_rmpid
rc_procd start_service "reload"
} }
stop_service() { stop_service() {
rc_procd "${ban_script}" stop [ -z "$(command -v "f_system")" ] && . "${ban_funlib}"
"${ban_nftcmd}" delete table inet banIP >/dev/null 2>&1
f_genstatus "stopped"
f_rmpid
} }
restart() { restart() {
rc_procd start_service restart stop_service
} rc_procd start_service "restart"
suspend() {
rc_procd start_service suspend
}
resume() {
rc_procd start_service resume
}
query() {
rc_procd "${ban_script}" query "${1}"
}
list() {
local src_archive src_file src_enabled key name enabled focus descurl url_4 rule_4 url_6 rule_6 action="${1}"
if [ "${action%_*}" = "add" ] || [ "${action%_*}" = "remove" ]; then
shift
for name in "${@}"; do
case "${action}" in
"add")
if ! uci_get banip global ban_sources | grep -q "${name}"; then
uci_add_list banip global ban_sources "${name}"
printf "%s\n" "::: banIP source '${name}' added to config"
fi
;;
"remove")
if uci_get banip global ban_sources | grep -q "${name}"; then
uci_remove_list banip global ban_sources "${name}"
printf "%s\n" "::: banIP source '${name}' removed from config"
fi
;;
"add_asn")
if ! uci_get banip global ban_asns | grep -q "${name}"; then
uci_add_list banip global ban_asns "${name}"
printf "%s\n" "::: banIP asn '${name}' added to config"
fi
;;
"remove_asn")
if uci_get banip global ban_asns | grep -q "${name}"; then
uci_remove_list banip global ban_asns "${name}"
printf "%s\n" "::: banIP asn '${name}' removed from config"
fi
;;
"add_country")
if ! uci_get banip global ban_countries | grep -q "${name}"; then
uci_add_list banip global ban_countries "${name}"
printf "%s\n" "::: banIP country '${name}' added to config"
fi
;;
"remove_country")
if uci_get banip global ban_countries | grep -q "${name}"; then
uci_remove_list banip global ban_countries "${name}"
printf "%s\n" "::: banIP country '${name}' removed from config"
fi
;;
esac
done
if [ -n "$(uci -q changes banip)" ]; then
uci_commit banip
"${ban_init}" start
fi
else
src_archive="$(uci_get banip global ban_srcarc "/etc/banip/banip.sources.gz")"
src_file="$(uci_get banip global ban_srcfile "/tmp/ban_sources.json")"
src_enabled="$(uci -q show banip.global.ban_sources)"
if [ -r "${src_archive}" ]; then
zcat "${src_archive}" >"${src_file}"
else
printf "%s\n" "::: banIP source archive '${src_archive}' not found"
fi
if [ -r "${src_file}" ]; then
src_enabled="${src_enabled#*=}"
src_enabled="${src_enabled//\'/}"
printf "%s\n" "::: Available banIP sources"
printf "%s\n" ":::"
printf "%-25s%-10s%-36s%s\n" " Name" "Enabled" "Focus" "Info URL"
printf "%s\n" " ---------------------------------------------------------------------------"
json_load_file "${src_file}"
json_get_keys keylist
for key in ${keylist}; do
json_select "${key}"
json_get_var focus "focus"
json_get_var descurl "descurl"
json_get_var url_4 "url_4"
json_get_var rule_4 "rule_4"
json_get_var url_6 "url_6"
json_get_var rule_6 "rule_6"
if { [ -n "${url_4}" ] && [ -n "${rule_4}" ]; } || { [ -n "${url_6}" ] && [ -n "${rule_6}" ]; }; then
if printf "%s" "${src_enabled}" | grep -q "${key}"; then
enabled="x"
else
enabled=" "
fi
src_enabled="${src_enabled/${key}/}"
printf " + %-21s%-10s%-36s%s\n" "${key:0:20}" "${enabled}" "${focus:0:35}" "${descurl:0:50}"
else
src_enabled="${src_enabled} ${key}"
fi
json_select ..
done
asn_list="$(uci_get banip global ban_asns "-")"
country_list="$(uci_get banip global ban_countries "-")"
printf "%s\n" " ---------------------------------------------------------------------------"
printf " * %s\n" "Configured ASNs: ${asn_list// /, }"
printf " * %s\n" "Configured Countries: ${country_list// /, }"
if [ -n "${src_enabled// /}" ]; then
printf "%s\n" " ---------------------------------------------------------------------------"
printf "%s\n" " Sources without valid configuration"
printf "%s\n" " ---------------------------------------------------------------------------"
for key in ${src_enabled}; do
printf " - %s\n" "${key:0:20}"
done
fi
else
printf "%s\n" "::: banIP source file '${src_file}' not found"
fi
fi
} }
status() { status() {
@ -204,90 +71,29 @@ status() {
} }
status_service() { status_service() {
local key keylist type value index_value values rtfile [ -z "$(command -v "f_system")" ] && . "${ban_funlib}"
f_getstatus
rtfile="$(uci_get banip global ban_rtfile "/tmp/ban_runtime.json")"
json_load_file "${rtfile}" >/dev/null 2>&1
json_get_keys keylist
if [ -n "${keylist}" ]; then
printf "%s\n" "::: banIP runtime information"
for key in ${keylist}; do
json_get_var value "${key}" >/dev/null 2>&1
if [ "${key%_*}" = "active" ]; then
printf " + %-15s : " "${key}"
json_select "${key}" >/dev/null 2>&1
values=""
index=1
while json_get_type type "${index}" && [ "${type}" = "object" ]; do
json_get_values index_value "${index}" >/dev/null 2>&1
if [ "${index}" = "1" ]; then
values="${index_value}"
else
values="${values}, ${index_value}"
fi
index=$((index + 1))
done
values="$(printf "%s" "${values}" | awk '{NR=1;max=98;if(length($0)>max+1)while($0){if(NR==1){print substr($0,1,max)}else{printf"%-22s%s\n","",substr($0,1,max)}{$0=substr($0,max+1);NR=NR+1}}else print}')"
printf "%s\n" "${values:-"-"}"
json_select ".."
else
printf " + %-15s : %s\n" "${key}" "${value:-"-"}"
fi
done
else
printf "%s\n" "::: no banIP runtime information available"
fi
} }
report() { report() {
rc_procd "${ban_script}" report "${1:-"cli"}" [ -z "$(command -v "f_system")" ] && . "${ban_funlib}"
f_report "${1:-"text"}"
} }
timer() { search() {
local cron_file cron_content cron_lineno action="${1:-"list"}" cron_tasks="${2}" hour="${3}" minute="${4:-0}" weekday="${5:-"*"}" [ -z "$(command -v "f_system")" ] && . "${ban_funlib}"
f_search "${1}"
cron_file="/etc/crontabs/root"
if [ -s "${cron_file}" ] && [ "${action}" = "list" ]; then
awk '{print NR "> " $0}' "${cron_file}"
elif [ "${action}" = "add" ]; then
hour="${hour//[[:alpha:]]/}"
minute="${minute//[[:alpha:]]/}"
if [ -n "${cron_tasks}" ] && [ -n "${hour}" ] && [ -n "${minute}" ] && [ -n "${weekday}" ] &&
[ "${hour}" -ge 0 ] && [ "${hour}" -le 23 ] &&
[ "${minute}" -ge 0 ] && [ "${minute}" -le 59 ]; then
printf "%02d %02d %s\n" "${minute}" "${hour}" "* * ${weekday} ${ban_init} ${cron_tasks}" >>"${cron_file}"
/etc/init.d/cron restart
fi
elif [ -s "${cron_file}" ] && [ "${action}" = "remove" ]; then
cron_tasks="${cron_tasks//[[:alpha:]]/}"
cron_lineno="$(awk 'END{print NR}' "${cron_file}")"
cron_content="$(awk '{print $0}' "${cron_file}")"
if [ "${cron_tasks:-"0"}" -le "${cron_lineno:-"1"}" ] && [ -n "${cron_content}" ]; then
printf "%s\n" "${cron_content}" | awk "NR!~/^${cron_tasks}$/" >"${cron_file}"
/etc/init.d/cron restart
fi
fi
} }
service_triggers() { service_triggers() {
local iface delay local iface trigger delay
iface="$(uci_get banip global ban_trigger)" trigger="$(uci_get banip global ban_trigger)"
delay="$(uci_get banip global ban_triggerdelay "5")" delay="$(uci_get banip global ban_triggerdelay "5")"
PROCD_RELOAD_DELAY=$((delay * 1000)) PROCD_RELOAD_DELAY=$((delay * 1000))
if [ -z "${iface}" ]; then for iface in ${trigger}; do
. "/lib/functions/network.sh"
network_find_wan iface
if [ -n "${iface}" ]; then
uci_set banip global ban_trigger "${iface}"
uci_commit "banip"
fi
fi
if [ -n "${iface}" ]; then
procd_add_interface_trigger "interface.*.up" "${iface}" "${ban_init}" "start" procd_add_interface_trigger "interface.*.up" "${iface}" "${ban_init}" "start"
fi done
procd_add_reload_trigger "banip" procd_add_reload_trigger "banip"
} }
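Review bot: The lock handling at the top of the new init script is a check followed by a separate create: it tests `[ -d "${ban_lock}" ]` and exits, and only on the next line runs `mkdir -p "${ban_lock}"`. Two start/restart/reload calls arriving together can both pass the test, and `mkdir -p` then succeeds for both. Letting the creation itself be the test closes that window, e.g. replacing both lines with the same action guard followed by `mkdir "${ban_lock}" 2>/dev/null || exit 1`. The lock is removed only by the service script after its download run and by the disabled branch of `start_service`, so a run killed before that point would presumably leave the directory behind and block every later start; a staleness check against `${ban_pidfile}` would cover that. Separately, `# shellcheck disable=all` replaces the previous explicit list of codes and silences every future finding in this file; keeping the enumerated exceptions would be safer.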


@ -1,62 +0,0 @@
#!/bin/sh
# send mail script for banIP notifications
# Copyright (c) 2020-2021 Dirk Brenken (dev@brenken.org)
# This is free software, licensed under the GNU General Public License v3.
# (s)hellcheck exceptions
# shellcheck disable=1091,3040
# Please note: you have to setup the package 'msmtp' before using this script
export LC_ALL=C
export PATH="/usr/sbin:/usr/bin:/sbin:/bin"
set -o pipefail
. "/lib/functions.sh"
ban_debug="$(uci_get banip global ban_debug "0")"
ban_loglimit="$(uci_get banip global ban_loglimit "100")"
ban_mailsender="$(uci_get banip global ban_mailsender "no-reply@banIP")"
ban_mailreceiver="$(uci_get banip global ban_mailreceiver)"
ban_mailtopic="$(uci_get banip global ban_mailtopic "banIP notification")"
ban_mailprofile="$(uci_get banip global ban_mailprofile "ban_notify")"
ban_mail="$(command -v msmtp)"
ban_logger="$(command -v logger)"
ban_logread="$(command -v logread)"
if [ -z "${ban_mailreceiver}" ]; then
f_log "err" "please set the mail receiver with the 'ban_mailreceiver' option"
exit 1
fi
if [ "${ban_debug}" = "1" ]; then
msmtp_debug="--debug"
fi
ban_mailhead="From: ${ban_mailsender}\nTo: ${ban_mailreceiver}\nSubject: ${ban_mailtopic}\nReply-to: ${ban_mailsender}\nMime-Version: 1.0\nContent-Type: text/html;charset=utf-8\nContent-Disposition: inline\n\n"
# info preparation
#
sys_info="$(
strings /etc/banner 2>/dev/null
ubus call system board | awk 'BEGIN{FS="[{}\"]"}{if($2=="kernel"||$2=="hostname"||$2=="system"||$2=="model"||$2=="description")printf " + %-12s: %s\n",$2,$4}'
)"
ban_info="$(/etc/init.d/banip "status" 2>/dev/null)"
rep_info="${1}"
log_info="$("${ban_logread}" -l "${ban_loglimit}" -e "banIP-" 2>/dev/null | awk '{NR=1;max=120;if(length($0)>max+1)while($0){if(NR==1){print substr($0,1,max)}else{print substr($0,1,max)}{$0=substr($0,max+1);NR=NR+1}}else print}')"
# mail body
#
ban_mailtext="<html><body><pre style='display:block;font-family:monospace;font-size:1rem;padding:20;background-color:#f3eee5;white-space:pre'>"
ban_mailtext="${ban_mailtext}\n<strong>++\n++ System Information ++\n++</strong>\n${sys_info}"
ban_mailtext="${ban_mailtext}\n\n<strong>++\n++ banIP Status ++\n++</strong>\n${ban_info}"
if [ -n "${rep_info}" ]; then
ban_mailtext="${ban_mailtext}\n\n<strong>++\n++ banIP Report ++\n++</strong>\n${rep_info}"
fi
ban_mailtext="${ban_mailtext}\n\n<strong>++\n++ Logfile Information ++\n++</strong>\n${log_info}"
ban_mailtext="${ban_mailtext}</pre></body></html>"
# send mail
#
printf "%b" "${ban_mailhead}${ban_mailtext}" 2>/dev/null | "${ban_mail}" ${msmtp_debug} -a "${ban_mailprofile}" "${ban_mailreceiver}" >/dev/null 2>&1
"${ban_logger}" -p "info" -t "banIP-mail [${$}]" "mail sent to '${ban_mailreceiver}' with rc '${?}'" 2>/dev/null


@ -1,28 +0,0 @@
#!/bin/sh
# log service to trace suspicious logins and conditionally refresh banIP
# Copyright (c) 2019-2021 Dirk Brenken (dev@brenken.org)
# This is free software, licensed under the GNU General Public License v3.
# (s)hellcheck exceptions
# shellcheck disable=3040
export LC_ALL=C
export PATH="/usr/sbin:/usr/bin:/sbin:/bin"
set -o pipefail
ban_search="${1}"
ban_logger_cmd="$(command -v logger)"
ban_logread_cmd="$(command -v logread)"
if [ -x "${ban_logread_cmd}" ]; then
"${ban_logger_cmd}" -p "info" -t "banIP-service [${$}]" "log/banIP service started" 2>/dev/null
"${ban_logread_cmd}" -f |
{
grep -qE "${ban_search}" && {
/etc/init.d/banip refresh
exit 0
}
}
else
"${ban_logger_cmd}" -p "err" -t "banIP-service [${$}]" "can't start log/banIP service" 2>/dev/null
fi



@ -1,191 +0,0 @@
{
"asn": {
"url_4": "https://asn.ipinfo.app/api/text/list/",
"url_6": "https://asn.ipinfo.app/api/text/list/",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add asn_4 \"$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{print \"add asn_6 \"$1}",
"focus": "ASN blocks",
"descurl": "https://asn.ipinfo.app"
},
"bogon": {
"url_4": "https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt",
"url_6": "https://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add bogon_4 \"$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{print \"add bogon_6 \"$1}",
"focus": "Bogon prefixes",
"descurl": "https://team-cymru.com"
},
"country": {
"url_4": "http://www.ipdeny.com/ipblocks/data/aggregated/",
"url_6": "http://www.ipdeny.com/ipv6/ipaddresses/aggregated/",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add country_4 \"$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{print \"add country_6 \"$1}",
"focus": "Country blocks",
"descurl": "http://www.ipdeny.com/ipblocks"
},
"darklist": {
"url_4": "https://darklist.de/raw.php",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add darklist_4 \"$1}",
"focus": "Blocks suspicious attacker IPs",
"descurl": "https://darklist.de"
},
"debl": {
"url_4": "https://www.blocklist.de/downloads/export-ips_all.txt",
"url_6": "https://www.blocklist.de/downloads/export-ips_all.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add debl_4 \"$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{print \"add debl_6 \"$1}",
"focus": "Fail2ban IP blacklist",
"descurl": "https://www.blocklist.de"
},
"doh": {
"url_4": "https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv4.txt",
"url_6": "https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv6.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add doh_4 \"$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{print \"add doh_6 \"$1}",
"focus": "Public DoH-Provider",
"descurl": "https://github.com/dibdot/DoH-IP-blocklists"
},
"drop": {
"url_4": "https://www.spamhaus.org/drop/drop.txt",
"url_6": "https://www.spamhaus.org/drop/dropv6.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add drop_4 \"$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{print \"add drop_6 \"$1}",
"focus": "Spamhaus drop compilation",
"descurl": "https://www.spamhaus.org"
},
"dshield": {
"url_4": "https://feeds.dshield.org/block.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add dshield_4 \"$1 \"/\"$3}",
"focus": "Dshield IP blocklist",
"descurl": "https://www.dshield.org"
},
"edrop": {
"url_4": "https://www.spamhaus.org/drop/edrop.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add edrop_4 \"$1}",
"focus": "Spamhaus edrop compilation",
"descurl": "https://www.spamhaus.org"
},
"feodo": {
"url_4": "https://feodotracker.abuse.ch/downloads/ipblocklist.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add feodo_4 \"$1}",
"focus": "Feodo Tracker",
"descurl": "https://feodotracker.abuse.ch"
},
"firehol1": {
"url_4": "https://iplists.firehol.org/files/firehol_level1.netset",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add firehol1_4 \"$1}",
"focus": "Firehol Level 1 compilation",
"descurl": "https://iplists.firehol.org/?ipset=firehol_level1"
},
"firehol2": {
"url_4": "https://iplists.firehol.org/files/firehol_level2.netset",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add firehol2_4 \"$1}",
"focus": "Firehol Level 2 compilation",
"descurl": "https://iplists.firehol.org/?ipset=firehol_level2"
},
"firehol3": {
"url_4": "https://iplists.firehol.org/files/firehol_level3.netset",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add firehol3_4 \"$1}",
"focus": "Firehol Level 3 compilation",
"descurl": "https://iplists.firehol.org/?ipset=firehol_level3"
},
"firehol4": {
"url_4": "https://iplists.firehol.org/files/firehol_level4.netset",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add firehol4_4 \"$1}",
"focus": "Firehol Level 4 compilation",
"descurl": "https://iplists.firehol.org/?ipset=firehol_level4"
},
"greensnow": {
"url_4": "https://blocklist.greensnow.co/greensnow.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add greensnow_4 \"$1}",
"focus": "Blocks suspicious server IPs",
"descurl": "https://greensnow.co"
},
"iblockads": {
"url_4": "https://list.iblocklist.com/?list=dgxtneitpuvgqqcpfulq&fileformat=cidr&archiveformat=gz",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add iblockads_4 \"$1}",
"focus": "Advertising blocklist",
"descurl": "https://www.iblocklist.com",
"comp": "gz"
},
"iblockspy": {
"url_4": "https://list.iblocklist.com/?list=llvtlsjyoyiczbkjsxpf&fileformat=cidr&archiveformat=gz",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add iblockspy_4 \"$1}",
"focus": "Malicious spyware blocklist",
"descurl": "https://www.iblocklist.com",
"comp": "gz"
},
"myip": {
"url_4": "https://myip.ms/files/blacklist/general/latest_blacklist.txt",
"url_6": "https://myip.ms/files/blacklist/general/latest_blacklist.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add myip_4 \"$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{print \"add myip_6 \"$1}",
"focus": "Myip Live IP blacklist",
"descurl": "https://myip.ms"
},
"nixspam": {
"url_4": "http://www.dnsbl.manitu.net/download/nixspam-ip.dump.gz",
"rule_4": "/(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add nixspam_4 \"$2}",
"focus": "iX spam protection",
"descurl": "http://www.nixspam.org",
"comp": "gz"
},
"proxy": {
"url_4": "https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/proxylists.ipset",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add proxy_4 \"$1}",
"focus": "Firehol list of open proxies",
"descurl": "https://iplists.firehol.org/?ipset=proxylists"
},
"sslbl": {
"url_4": "https://sslbl.abuse.ch/blacklist/sslipblacklist.csv",
"rule_4": "BEGIN{FS=\",\"}/(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)/{print \"add sslbl_4 \"$2}",
"focus": "SSL botnet IP blacklist",
"descurl": "https://sslbl.abuse.ch"
},
"talos": {
"url_4": "https://www.talosintelligence.com/documents/ip-blacklist",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add talos_4 \"$1}",
"focus": "Cisco Talos IP Blacklist",
"descurl": "https://talosintelligence.com/reputation_center"
},
"threat": {
"url_4": "https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add threat_4 \"$1}",
"focus": "Emerging Threats",
"descurl": "https://rules.emergingthreats.net"
},
"tor": {
"url_4": "https://lists.fissionrelays.net/tor/exits-ipv4.txt",
"url_6": "https://lists.fissionrelays.net/tor/exits-ipv6.txt",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add tor_4 \"$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{print \"add tor_6 \"$1}",
"focus": "Tor exit nodes",
"descurl": "https://fissionrelays.net/lists"
},
"uceprotect1": {
"url_4": "http://wget-mirrors.uceprotect.net/rbldnsd-all/dnsbl-1.uceprotect.net.gz",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{print \"add uceprotect1_4 \"$1}",
"focus": "Spam protection level 1",
"descurl": "http://www.uceprotect.net/en/index.php",
"comp": "gz"
},
"uceprotect2": {
"url_4": "http://wget-mirrors.uceprotect.net/rbldnsd-all/dnsbl-2.uceprotect.net.gz",
"rule_4": "BEGIN{IGNORECASE=1}/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]+NET[[:space:]]+)/{print \"add uceprotect2_4 \"$1}",
"focus": "Spam protection level 2",
"descurl": "http://www.uceprotect.net/en/index.php",
"comp": "gz"
},
"voip": {
"url_4": "http://www.voipbl.org/update/",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add voip_4 \"$1}",
"focus": "VoIP fraud blocklist",
"descurl": "http://www.voipbl.org"
},
"yoyo": {
"url_4": "https://pgl.yoyo.org/adservers/iplist.php?ipformat=plain&showintro=0&mimetype=plaintext",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add yoyo_4 \"$1}",
"focus": "Ad protection blacklist",
"descurl": "https://pgl.yoyo.org/adservers/"
}
}

24
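--- a/net/banip/files/banip.tpl
+++ b/net/banip/files/banip.tpl
@@ -0,0 +1,24 @@
+# banIP mail template/include
+# Copyright (c) 2020-2023 Dirk Brenken (dev@brenken.org)
+# This is free software, licensed under the GNU General Public License v3.
+# info preparation
+#
+local banip_info report_info log_info system_info mail_text
+banip_info="$(/etc/init.d/banip status 2>/dev/null)"
+report_info="$(cat ${ban_reportdir}/ban_report.txt 2>/dev/null)"
+log_info="$("${ban_logreadcmd}" -l 100 -e "banIP_" 2>/dev/null | awk '{NR=1;max=120;if(length($0)>max+1)while($0){if(NR==1){print substr($0,1,max)}else{print substr($0,1,max)}{$0=substr($0,max+1);NR=NR+1}}else print}')"
+system_info="$(
+strings /etc/banner 2>/dev/null
+ubus call system board | awk 'BEGIN{FS="[{}\"]"}{if($2=="kernel"||$2=="hostname"||$2=="system"||$2=="model"||$2=="description")printf " + %-12s: %s\n",$2,$4}'
+)"
+# mail body
+#
+mail_text="$(printf "%s\n" "<html><body><pre style='display:block;font-family:monospace;font-size:1rem;padding:20;background-color:#f3eee5;white-space:pre'>")"
+mail_text="$(printf "%s\n" "${mail_text}\n<strong>++\n++ System Information ++\n++</strong>\n${system_info:-"-"}")"
+mail_text="$(printf "%s\n" "${mail_text}\n\n<strong>++\n++ banIP Status ++\n++</strong>\n${banip_info:-"-"}")"
+mail_text="$(printf "%s\n" "${mail_text}\n\n<strong>++\n++ banIP Report ++\n++</strong>\n${report_info:-"-"}")"
+mail_text="$(printf "%s\n" "${mail_text}\n\n<strong>++\n++ Logfile Information ++\n++</strong>\n${log_info}")"
+mail_text="$(printf "%s\n" "${mail_text}</pre></body></html>")"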
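Review bot: `${ban_reportdir}` is expanded unquoted in the `report_info` assignment, so a report directory containing whitespace or glob characters is word-split before `cat` receives it; quote the path as `report_info="$(cat "${ban_reportdir}/ban_report.txt" 2>/dev/null)"`. The report and log text are then placed as-is inside the `<pre>` block of an HTML mail body; if either can carry `<` or `&` from logged data (not visible from this file), it should be escaped before it is appended to `mail_text`. The file uses `local` at its top level and reads `ban_reportdir` and `ban_logreadcmd` without defining them, so a header comment such as `# sourced inside a function; expects ban_reportdir and ban_logreadcmd to be set by the caller` would document that contract.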


@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=boinc PKG_NAME:=boinc
PKG_VERSION:=7.16.16 PKG_VERSION:=7.16.16
PKG_VERSION_SHORT:=$(shell echo $(PKG_VERSION)| cut -f1,2 -d.) PKG_VERSION_SHORT:=$(shell echo $(PKG_VERSION)| cut -f1,2 -d.)
PKG_RELEASE:=2 PKG_RELEASE:=3
PKG_SOURCE_DATE:=2020-02-25 PKG_SOURCE_DATE:=2020-02-25
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz


@ -0,0 +1,34 @@
From 689dc20ede9768377d4032ff8c70b58269c8dc9c Mon Sep 17 00:00:00 2001
From: Charlie Fenton <charlief@example.com>
Date: Mon, 18 Oct 2021 01:43:08 -0700
Subject: [PATCH] Mac: update dependent libraries to latest: c-ares-1.17.2,
curl-7.79.1, freetype-2.11.0, openssl-3.0.0 Previously updated to
wxWidgets-3.1.5. FTGL version ftgl-2.1.3~rc5 is still the current version.
---
cotequeiroz: Trimming original commit to lib/crypt.cpp only
lib/crypt.cpp | 7 +-
--- a/lib/crypt.cpp
+++ b/lib/crypt.cpp
@@ -1,6 +1,6 @@
// This file is part of BOINC.
// http://boinc.berkeley.edu
-// Copyright (C) 2008 University of California
+// Copyright (C) 2021 University of California
//
// BOINC is free software; you can redistribute it and/or modify it
// under the terms of the GNU Lesser General Public License
@@ -670,7 +670,10 @@ int check_validity_of_cert(
}
#ifdef HAVE_OPAQUE_RSA_DSA_DH
RSA *rsa;
- rsa = EVP_PKEY_get0_RSA(pubKey);
+ // CAUTION: In OpenSSL 3.0.0, EVP_PKEY_get0_RSA() now returns a
+ // pointer of type "const struct rsa_st*" to an immutable value.
+ // Do not try to modify the contents of the returned struct.
+ rsa = (rsa_st*)EVP_PKEY_get0_RSA(pubKey);
if (!RSA_blinding_on(rsa, c)) {
#else
if (!RSA_blinding_on(pubKey->pkey.rsa, c)) {
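Review bot: The cast in `rsa = (rsa_st*)EVP_PKEY_get0_RSA(pubKey);` discards the const that the added comment warns about, and the very next call, `RSA_blinding_on(rsa, c)`, writes to that struct. Under OpenSSL 3.0 the returned RSA may be a cached copy of a provider-held key, so the blinding state set here may never reach later operations on `pubKey`, and `RSA_blinding_on` is deprecated in that release. The comment should state this directly, for example `// NOTE: RSA_blinding_on() modifies *rsa; with OpenSSL 3.0 this may only affect a cached copy`, and it is worth confirming against the 3.0 migration notes whether the call is still needed. `check_validity_of_cert` starts and ends outside the hunk.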


@ -5,12 +5,12 @@
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=dnsproxy PKG_NAME:=dnsproxy
PKG_VERSION:=0.47.0 PKG_VERSION:=0.48.0
PKG_RELEASE:=1 PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://codeload.github.com/AdguardTeam/dnsproxy/tar.gz/v$(PKG_VERSION)? PKG_SOURCE_URL:=https://codeload.github.com/AdguardTeam/dnsproxy/tar.gz/v$(PKG_VERSION)?
PKG_HASH:=be88e9db73b7d5fa42afd4bc38c901a7e589c503bfb091c43362c956e2669915 PKG_HASH:=b63d10b0f7d4ede68aae9bda9ef306a0673c8ca97ef9d57b838edb53e0023f8b
PKG_MAINTAINER:=Tianling Shen <cnsztl@immortalwrt.org> PKG_MAINTAINER:=Tianling Shen <cnsztl@immortalwrt.org>
PKG_LICENSE:=Apache-2.0 PKG_LICENSE:=Apache-2.0


@ -8,12 +8,12 @@
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=knot PKG_NAME:=knot
PKG_VERSION:=3.2.4 PKG_VERSION:=3.2.5
PKG_RELEASE:=2 PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=https://secure.nic.cz/files/knot-dns/ PKG_SOURCE_URL:=https://secure.nic.cz/files/knot-dns/
PKG_HASH:=299e8de918f9fc7ecbe625b41cb085e47cdda542612efbd51cd5ec60deb9dd13 PKG_HASH:=c6b122e92baa179d09ba4c8ce5b0d42fb7475805f4ff9c81d5036acfaa161820
PKG_MAINTAINER:=Daniel Salzman <daniel.salzman@nic.cz> PKG_MAINTAINER:=Daniel Salzman <daniel.salzman@nic.cz>
PKG_LICENSE:=GPL-3.0 LGPL-2.0 0BSD BSD-3-Clause OLDAP-2.8 PKG_LICENSE:=GPL-3.0 LGPL-2.0 0BSD BSD-3-Clause OLDAP-2.8


@ -8,14 +8,14 @@
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=lighttpd PKG_NAME:=lighttpd
PKG_VERSION:=1.4.68 PKG_VERSION:=1.4.69
PKG_RELEASE:=1 PKG_RELEASE:=1
# release candidate ~rcX testing; remove for release # release candidate ~rcX testing; remove for release
#PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION) #PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION)
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=https://download.lighttpd.net/lighttpd/releases-1.4.x PKG_SOURCE_URL:=https://download.lighttpd.net/lighttpd/releases-1.4.x
PKG_HASH:=e56f37ae52b63e1ada4d76ce78005affb6e56eea2f6bdb0ce17d6d36e9583384 PKG_HASH:=16ac8db95e719629ba61949b99f8a26feba946a81d185215b28379bb4116b0b4
PKG_MAINTAINER:=W. Michael Petullo <mike@flyn.org> PKG_MAINTAINER:=W. Michael Petullo <mike@flyn.org>
PKG_LICENSE:=BSD-3-Clause PKG_LICENSE:=BSD-3-Clause
@ -270,6 +270,7 @@ $(eval $(call BuildPlugin,vhostdb_ldap,Virtual Host Database (LDAP),lighttpd-mod
$(eval $(call BuildPlugin,vhostdb_mysql,Virtual Host Database (MariaDB),lighttpd-mod-vhostdb +PACKAGE_lighttpd-mod-vhostdb_mysql:libmariadb,30)) $(eval $(call BuildPlugin,vhostdb_mysql,Virtual Host Database (MariaDB),lighttpd-mod-vhostdb +PACKAGE_lighttpd-mod-vhostdb_mysql:libmariadb,30))
$(eval $(call BuildPlugin,vhostdb_pgsql,Virtual Host Database (PostgreSQL),lighttpd-mod-vhostdb +PACKAGE_lighttpd-mod-vhostdb_pgsql:libpq,30)) $(eval $(call BuildPlugin,vhostdb_pgsql,Virtual Host Database (PostgreSQL),lighttpd-mod-vhostdb +PACKAGE_lighttpd-mod-vhostdb_pgsql:libpq,30))
$(eval $(call BuildPlugin,webdav,WebDAV,+PACKAGE_lighttpd-mod-webdav:libsqlite3 +PACKAGE_lighttpd-mod-webdav:libuuid +PACKAGE_lighttpd-mod-webdav:libxml2,30)) $(eval $(call BuildPlugin,webdav,WebDAV,+PACKAGE_lighttpd-mod-webdav:libsqlite3 +PACKAGE_lighttpd-mod-webdav:libuuid +PACKAGE_lighttpd-mod-webdav:libxml2,30))
$(eval $(call BuildPlugin,webdav_min,WebDAV,,30))
$(eval $(call BuildPlugin,wolfssl,TLS using wolfssl,@LIGHTTPD_SSL +PACKAGE_lighttpd-mod-wolfssl:libwolfssl,30)) $(eval $(call BuildPlugin,wolfssl,TLS using wolfssl,@LIGHTTPD_SSL +PACKAGE_lighttpd-mod-wolfssl:libwolfssl,30))
$(eval $(call BuildPlugin,wstunnel,Websocket tunneling,$(if $(cryptolib),+PACKAGE_lighttpd-mod-wstunnel:$(cryptolib),),30)) $(eval $(call BuildPlugin,wstunnel,Websocket tunneling,$(if $(cryptolib),+PACKAGE_lighttpd-mod-wstunnel:$(cryptolib),),30))


@ -0,0 +1,28 @@
From fe6895e5eb2c17ddad6e95faaac7d56d4dd73256 Mon Sep 17 00:00:00 2001
From: Glenn Strauss <gstrauss@gluelogic.com>
Date: Fri, 20 Jan 2023 18:48:14 -0500
Subject: [PATCH] [meson] mod_webdav_min w/o deps: xml2 sqlite3 uuid
---
src/meson.build | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/src/meson.build
+++ b/src/meson.build
@@ -865,6 +865,16 @@ if libsasl.found()
]
endif
+modules += [
+ [ 'mod_webdav_min', [ 'mod_webdav.c' ],
+ [ libelftc,
+ declare_dependency(compile_args: [
+ '-DMOD_WEBDAV_BUILD_MINIMAL',
+ '-Dmod_webdav_plugin_init=mod_webdav_min_plugin_init' ] )
+ ]
+ ]
+]
+
foreach mod: modules
mod_name = mod.get(0)
mod_sources = mod.get(1)


@ -1,19 +0,0 @@
From d809433d6d900e899f796606b11bdc6a73413ac5 Mon Sep 17 00:00:00 2001
From: Glenn Strauss <gstrauss@gluelogic.com>
Date: Tue, 3 Jan 2023 17:50:16 -0500
Subject: [PATCH] [meson] remove t/test_mod_evasive.c
---
src/meson.build | 1 -
1 file changed, 1 deletion(-)
--- a/src/meson.build
+++ b/src/meson.build
@@ -721,7 +721,6 @@ test('test_mod', executable('test_mod',
't/test_mod.c',
't/test_mod_access.c',
't/test_mod_alias.c',
- 't/test_mod_evasive.c',
't/test_mod_evhost.c',
't/test_mod_indexfile.c',
't/test_mod_simple_vhost.c',


@ -2,7 +2,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=nginx-util PKG_NAME:=nginx-util
PKG_VERSION:=1.6 PKG_VERSION:=1.6
PKG_RELEASE:=$(AUTORELEASE) PKG_RELEASE:=15
PKG_MAINTAINER:=Peter Stadler <peter.stadler@student.uibk.ac.at> PKG_MAINTAINER:=Peter Stadler <peter.stadler@student.uibk.ac.at>
include $(INCLUDE_DIR)/package.mk include $(INCLUDE_DIR)/package.mk
@ -11,6 +11,7 @@ include $(INCLUDE_DIR)/cmake.mk
CMAKE_OPTIONS+= -DUBUS=y CMAKE_OPTIONS+= -DUBUS=y
CMAKE_OPTIONS+= -DVERSION=$(PKG_VERSION) CMAKE_OPTIONS+= -DVERSION=$(PKG_VERSION)
TARGET_CFLAGS+= -Wno-error=deprecated-declarations
define Package/nginx-ssl-util/default define Package/nginx-ssl-util/default
SECTION:=net SECTION:=net
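Review bot: `TARGET_CFLAGS+= -Wno-error=deprecated-declarations` is added without a comment saying which deprecated declarations it is meant to tolerate, so the relaxation is likely to outlive its reason. It applies to the whole package build, which means any later use of a deprecated API will no longer fail the build either. Add a line above it such as `# TODO: drop once nginx-util no longer calls <deprecated API>; only -Werror is relaxed, the warning stays visible`. The same section replaces `$(AUTORELEASE)` with a fixed `PKG_RELEASE:=15`, which has to be bumped by hand from now on.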


@ -8,12 +8,12 @@
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=nsd PKG_NAME:=nsd
PKG_VERSION:=4.2.4 PKG_VERSION:=4.6.1
PKG_RELEASE:=1 PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://www.nlnetlabs.nl/downloads/nsd PKG_SOURCE_URL:=https://www.nlnetlabs.nl/downloads/nsd
PKG_HASH:=9ebd6d766765631a56c0eb332eac26b310fa39f662e5582c8210488cf91ef27c PKG_HASH:=3f60a3a13ec3f68e84bfa7e19daff663c82bcf1de96e4f53f2246525e773a27a
PKG_MAINTAINER:=Vasilis Tsiligiannis <acinonyx@openwrt.gr> PKG_MAINTAINER:=Vasilis Tsiligiannis <acinonyx@openwrt.gr>
PKG_LICENSE:=BSD-3-Clause PKG_LICENSE:=BSD-3-Clause
@ -21,6 +21,7 @@ PKG_LICENSE_FILES:=LICENSE
PKG_INSTALL:=1 PKG_INSTALL:=1
PKG_BUILD_PARALLEL:=1 PKG_BUILD_PARALLEL:=1
PKG_FIXUP:=autoreconf
include $(INCLUDE_DIR)/package.mk include $(INCLUDE_DIR)/package.mk


@ -0,0 +1,43 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz <cotequeiroz@gmail.com>
Date: Thu, 9 Feb 2023 13:48:31 -0300
Subject: [PATCH] Fix build with --without-ssl
Don't include COMMON_OBJ when compiling nsd-control without SSL.
Without SSL, nsd-control's only purpose is to print out an error
message. There's no need to include any other object files then.
*** THIS PATCH SHOULD NOT BE APPLIED TO NSD'S NEXT RELEASE ***
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
--- a/Makefile.in
+++ b/Makefile.in
@@ -85,7 +85,7 @@ NSD_OBJ=$(COMMON_OBJ) $(XFRD_OBJ) difffi
ALL_OBJ=$(NSD_OBJ) nsd-checkconf.o nsd-checkzone.o nsd-control.o nsd-mem.o xfr-inspect.o
NSD_CHECKCONF_OBJ=$(COMMON_OBJ) nsd-checkconf.o
NSD_CHECKZONE_OBJ=$(COMMON_OBJ) $(XFRD_OBJ) dbaccess.o dbcreate.o difffile.o ipc.o mini_event.o netio.o server.o zonec.o zparser.o zlexer.o nsd-checkzone.o verify.o
-NSD_CONTROL_OBJ=$(COMMON_OBJ) nsd-control.o
+NSD_CONTROL_OBJ=@NSD_CONTROL_COMMON_OBJ@ nsd-control.o
CUTEST_OBJ=$(COMMON_OBJ) $(XFRD_OBJ) dbaccess.o dbcreate.o difffile.o ipc.o mini_event.o netio.o server.o verify.o zonec.o zparser.o zlexer.o cutest_dname.o cutest_dns.o cutest_iterated_hash.o cutest_run.o cutest_radtree.o cutest_rbtree.o cutest_namedb.o cutest_options.o cutest_region.o cutest_rrl.o cutest_udb.o cutest_udbrad.o cutest_util.o cutest_bitset.o cutest_popen3.o cutest_iter.o cutest_event.o cutest.o qtest.o
NSD_MEM_OBJ=$(COMMON_OBJ) $(XFRD_OBJ) dbaccess.o dbcreate.o difffile.o ipc.o mini_event.o netio.o verify.o server.o zonec.o zparser.o zlexer.o nsd-mem.o
all: $(TARGETS) $(MANUALS)
--- a/configure.ac
+++ b/configure.ac
@@ -1015,6 +1015,7 @@ AC_SUBST(ratelimit_default)
# we need SSL for TSIG (and maybe also for NSEC3).
CHECK_SSL
if test x$HAVE_SSL = x"yes"; then
+ AC_SUBST(NSD_CONTROL_COMMON_OBJ,'$(COMMON_OBJ)')
ACX_LIB_SSL
# remove space after -ldl if there.
LIBS=`echo "$LIBS" | sed -e 's/ $//'`
@@ -1091,6 +1092,7 @@ AC_INCLUDES_DEFAULT
else
AC_MSG_WARN([No SSL, therefore remote-control is disabled])
AC_MSG_WARN([No SSL, therefore TLS is disabled])
+ AC_SUBST(NSD_CONTROL_COMMON_OBJ,)
fi
AC_ARG_ENABLE(nsec3, AS_HELP_STRING([--disable-nsec3],[Disable NSEC3 support]))


@ -5,8 +5,8 @@
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=simple-adblock PKG_NAME:=simple-adblock
PKG_VERSION:=1.9.3 PKG_VERSION:=1.9.4
PKG_RELEASE:=7 PKG_RELEASE:=3
PKG_MAINTAINER:=Stan Grishin <stangri@melmac.ca> PKG_MAINTAINER:=Stan Grishin <stangri@melmac.ca>
PKG_LICENSE:=GPL-3.0-or-later PKG_LICENSE:=GPL-3.0-or-later


@ -27,6 +27,7 @@ config simple-adblock 'config'
option led 'none' option led 'none'
option parallel_downloads '1' option parallel_downloads '1'
option procd_trigger_wan6 '0' option procd_trigger_wan6 '0'
option procd_boot_wan_timeout '60'
option verbosity '2' option verbosity '2'
# File size: 16.0K # File size: 16.0K
@ -71,9 +72,29 @@ config simple-adblock 'config'
# enabling this will disable processing of any other block/allow-lists # enabling this will disable processing of any other block/allow-lists
# option dnsmasq_config_file_url 'https://dnsmasq.oisd.nl/' # option dnsmasq_config_file_url 'https://dnsmasq.oisd.nl/'
# File size: 19.0M # File size: 1.4M
# block-list too big for most routers # block-list too big for most routers
# list blocked_domains_url 'https://dbl.oisd.nl/' # list blocked_adblockplus_url 'https://small.oisd.nl/'
# File size: 6.2M
# block-list too big for most routers
# list blocked_adblockplus_url 'https://nsfw.oisd.nl/'
# File size: 6.2M
# block-list too big for most routers
# list blocked_adblockplus_url 'https://big.oisd.nl/'
# File size: 1.5M
# block-list too big for most routers
# list blocked_domains_url 'https://small.oisd.nl/domains'
# File size: 7.8M
# block-list too big for most routers
# list blocked_domains_url 'https://nsfw.oisd.nl/domains'
# File size: 19.9M
# block-list too big for most routers
# list blocked_domains_url 'https://big.oisd.nl/domains'
# site was down on last check # site was down on last check
# list blocked_domains_url 'http://support.it-mate.co.uk/downloads/hosts.txt' # list blocked_domains_url 'http://support.it-mate.co.uk/downloads/hosts.txt'


@ -8,8 +8,16 @@ s|raw.githubusercontent.com/StevenBlack/hosts/|cdn.jsdelivr.net/gh/StevenBlack/h
s|raw.githubusercontent.com/hoshsadiq/adblock-nocoin-list/|cdn.jsdelivr.net/gh/hoshsadiq/adblock-nocoin-list@|g s|raw.githubusercontent.com/hoshsadiq/adblock-nocoin-list/|cdn.jsdelivr.net/gh/hoshsadiq/adblock-nocoin-list@|g
s|raw.githubusercontent.com/jawz101/MobileAdTrackers/|cdn.jsdelivr.net/gh/jawz101/MobileAdTrackers@|g s|raw.githubusercontent.com/jawz101/MobileAdTrackers/|cdn.jsdelivr.net/gh/jawz101/MobileAdTrackers@|g
s|http://winhelp2002.mvps.org/hosts.txt|https://winhelp2002.mvps.org/hosts.txt|g s|http://winhelp2002.mvps.org/hosts.txt|https://winhelp2002.mvps.org/hosts.txt|g
s|list blocked_domains_url 'https://dbl.oisd.nl/basic'|list blocked_adblockplus_url 'https://small.oisd.nl/'|g
s|list blocked_domains_url 'https://dbl.oisd.nl/nsfw'|list blocked_adblockplus_url 'https://nsfw.oisd.nl/'|g
s|list blocked_domains_url 'https://dbl.oisd.nl/'|list blocked_adblockplus_url 'https://big.oisd.nl/'|g
s|list blocked_hosts_url 'https://hosts.oisd.nl/basic'|list blocked_adblockplus_url 'https://small.oisd.nl/'|g
s|list blocked_hosts_url 'https://hosts.oisd.nl/nsfw'|list blocked_adblockplus_url 'https://nsfw.oisd.nl/'|g
s|list blocked_hosts_url 'https://hosts.oisd.nl/'|list blocked_adblockplus_url 'https://big.oisd.nl/'|g
\|dshield.org|d \|dshield.org|d
\|www.malwaredomainlist.com/hostslist/hosts.txt|d \|www.malwaredomainlist.com/hostslist/hosts.txt|d
\|https://mirror1.malwaredomains.com/files/justdomains|d \|https://mirror1.malwaredomains.com/files/justdomains|d
\|lists.disconnect.me|d \|lists.disconnect.me|d
\|https://cdn.jsdelivr.net/gh/paulgb/BarbBlock/blacklists/domain-list.txt|d \|https://cdn.jsdelivr.net/gh/paulgb/BarbBlock/blacklists/domain-list.txt|d
\|dnsmasq.oisd.nl|d
\|dnsmasq2.oisd.nl|d


@ -62,7 +62,8 @@ readonly sharedMemoryError="/dev/shm/$packageName-error"
readonly sharedMemoryOutput="/dev/shm/$packageName-output" readonly sharedMemoryOutput="/dev/shm/$packageName-output"
readonly hostsFilter='/localhost/d;/^#/d;/^[^0-9]/d;s/^0\.0\.0\.0.//;s/^127\.0\.0\.1.//;s/[[:space:]]*#.*$//;s/[[:cntrl:]]$//;s/[[:space:]]//g;/[`~!@#\$%\^&\*()=+;:"'\'',<>?/\|[{}]/d;/]/d;/\./!d;/^$/d;/[^[:alnum:]_.-]/d;' readonly hostsFilter='/localhost/d;/^#/d;/^[^0-9]/d;s/^0\.0\.0\.0.//;s/^127\.0\.0\.1.//;s/[[:space:]]*#.*$//;s/[[:cntrl:]]$//;s/[[:space:]]//g;/[`~!@#\$%\^&\*()=+;:"'\'',<>?/\|[{}]/d;/]/d;/\./!d;/^$/d;/[^[:alnum:]_.-]/d;'
readonly domainsFilter='/^#/d;s/[[:space:]]*#.*$//;s/[[:space:]]*$//;s/[[:cntrl:]]$//;/[[:space:]]/d;/[`~!@#\$%\^&\*()=+;:"'\'',<>?/\|[{}]/d;/]/d;/\./!d;/^$/d;/[^[:alnum:]_.-]/d;' readonly domainsFilter='/^#/d;s/[[:space:]]*#.*$//;s/[[:space:]]*$//;s/[[:cntrl:]]$//;/[[:space:]]/d;/[`~!@#\$%\^&\*()=+;:"'\'',<>?/\|[{}]/d;/]/d;/\./!d;/^$/d;/[^[:alnum:]_.-]/d;'
readonly dnsmasqOISDFilter='\|^server=/[[:alnum:]_.-].*/|!d' readonly adBlockPlusFilter='/^#/d;/^!/d;s/[[:space:]]*#.*$//;s/^||//;s/\^$//;s/[[:space:]]*$//;s/[[:cntrl:]]$//;/[[:space:]]/d;/[`~!@#\$%\^&\*()=+;:"'\'',<>?/\|[{}]/d;/]/d;/\./!d;/^$/d;/[^[:alnum:]_.-]/d;'
readonly dnsmasqFileFilter='\|^server=/[[:alnum:]_.-].*/|!d'
readonly _OK_='\033[0;32m\xe2\x9c\x93\033[0m' readonly _OK_='\033[0;32m\xe2\x9c\x93\033[0m'
readonly _FAIL_='\033[0;31m\xe2\x9c\x97\033[0m' readonly _FAIL_='\033[0;31m\xe2\x9c\x97\033[0m'
readonly __OK__='\033[0;32m[\xe2\x9c\x93]\033[0m' readonly __OK__='\033[0;32m[\xe2\x9c\x93]\033[0m'
@ -76,6 +77,20 @@ readonly nft="$(command -v nft)"
readonly canaryDomainsMozilla='use-application-dns.net' readonly canaryDomainsMozilla='use-application-dns.net'
readonly canaryDomainsiCloud='mask.icloud.com mask-h2.icloud.com' readonly canaryDomainsiCloud='mask.icloud.com mask-h2.icloud.com'
dl_command=
dl_flag=
isSSLSupported=
outputFilter=
outputFilterIPv6=
outputFile=
outputGzip=
outputCache=
awk='awk'
load_environment_flag=
. /lib/functions/network.sh
. /usr/share/libubox/jshn.sh
debug() { local i j; for i in "$@"; do eval "j=\$$i"; echo "${i}: ${j} "; done; } debug() { local i j; for i in "$@"; do eval "j=\$$i"; echo "${i}: ${j} "; done; }
uci_add_list_if_new() { uci_add_list_if_new() {
@ -112,8 +127,7 @@ get_text() {
errorNoDnsmasqNftset) errorNoDnsmasqNftset)
r="dnsmasq nft set support is enabled in $packageName, but dnsmasq is either not installed or installed dnsmasq does not support nft set";; r="dnsmasq nft set support is enabled in $packageName, but dnsmasq is either not installed or installed dnsmasq does not support nft set";;
errorNoNft) r="dnsmasq nft sets support is enabled in $packageName, but nft is not installed";; errorNoNft) r="dnsmasq nft sets support is enabled in $packageName, but nft is not installed";;
errorMkdirFail) r="Unable to create directory for";; errorNoWanGateway) r="The ${serviceName} failed to discover WAN gateway";;
errorNoWanGateway) r="The ${serviceName} service failed to discover WAN gateway!";;
errorOutputDirCreate) r="failed to create directory for %s file";; errorOutputDirCreate) r="failed to create directory for %s file";;
errorOutputFileCreate) r="failed to create $outputFile file";; errorOutputFileCreate) r="failed to create $outputFile file";;
errorFailDNSReload) r="failed to restart/reload DNS resolver";; errorFailDNSReload) r="failed to restart/reload DNS resolver";;
@ -193,9 +207,53 @@ output() {
fi fi
} }
load_network() {
local param="$1"
local i j wan_if wan_gw wan_proto
local counter wan_if_timeout="$procd_boot_wan_timeout" wan_gw_timeout='5'
counter=0
while [ -z "$wan_if" ]; do
network_flush_cache
network_find_wan wan_if
if [ -n "$wan_if" ]; then
output "WAN interface found: '${wan_if}'.\\n"
break
fi
if [ "$counter" -gt "$wan_if_timeout" ]; then
output "WAN interface timeout, assuming 'wan'.\\n"
wan_if='wan'
break
fi
counter=$((counter+1))
output "Waiting to discover WAN Interface...\\n"
sleep 1
done
counter=0
wan_proto="$(uci -q get "network.${wan_if}.proto")"
if [ "$wan_proto" = 'pppoe' ]; then
wan_gw_timeout=$((wan_gw_timeout+10))
fi
while [ "$counter" -le "$wan_gw_timeout" ]; do
network_flush_cache
network_get_gateway wan_gw "$wan_if"
if [ -n "$wan_gw" ]; then
output "WAN gateway found: '${wan_gw}.'\\n"
return 0
fi
counter=$((counter+1))
output "Waiting to discover $wan_if gateway...\\n"
sleep 1
done
json add error "errorNoWanGateway"
output "${_ERROR_}: $(get_text 'errorNoWanGateway')!\\n"; return 1;
}
load_environment() { load_environment() {
local i j wan_if wan_gw local i j
local validation_result="$1" quiet="$2" local validation_result="$1" param="$2"
[ -z "$load_environment_flag" ] || return 0
if [ "$validation_result" != '0' ]; then if [ "$validation_result" != '0' ]; then
json add error "errorConfigValidationFail" json add error "errorConfigValidationFail"
@ -222,7 +280,7 @@ load_environment() {
case "$dns" in case "$dns" in
dnsmasq.conf) :;; dnsmasq.conf) :;;
*) *)
if [ -z "$quiet" ]; then if [ "$param" != 'quiet' ]; then
json add warning "warningExternalDnsmasqConfig" json add warning "warningExternalDnsmasqConfig"
output "${_WARNING_}: $(get_text 'warningExternalDnsmasqConfig')!\\n" output "${_WARNING_}: $(get_text 'warningExternalDnsmasqConfig')!\\n"
fi fi
@ -243,14 +301,14 @@ load_environment() {
case "$dns" in case "$dns" in
dnsmasq.ipset) dnsmasq.ipset)
if dnsmasq -v 2>/dev/null | grep -q 'no-ipset' || ! dnsmasq -v 2>/dev/null | grep -q -w 'ipset'; then if dnsmasq -v 2>/dev/null | grep -q 'no-ipset' || ! dnsmasq -v 2>/dev/null | grep -q -w 'ipset'; then
if [ -z "$quiet" ]; then if [ "$param" != 'quiet' ]; then
json add error "errorNoDnsmasqIpset" json add error "errorNoDnsmasqIpset"
output "${_ERROR_}: $(get_text 'errorNoDnsmasqIpset')!\\n" output "${_ERROR_}: $(get_text 'errorNoDnsmasqIpset')!\\n"
fi fi
dns='dnsmasq.servers' dns='dnsmasq.servers'
fi fi
if ! ipset help hash:net; then if ! ipset help hash:net; then
if [ -z "$quiet" ]; then if [ "$param" != 'quiet' ]; then
json add error "errorNoIpset" json add error "errorNoIpset"
output "${_ERROR_}: $(get_text 'errorNoIpset')!\\n" output "${_ERROR_}: $(get_text 'errorNoIpset')!\\n"
fi fi
@ -259,14 +317,14 @@ load_environment() {
;; ;;
dnsmasq.nftset) dnsmasq.nftset)
if dnsmasq -v 2>/dev/null | grep -q 'no-nftset' || ! dnsmasq -v 2>/dev/null | grep -q -w 'nftset'; then if dnsmasq -v 2>/dev/null | grep -q 'no-nftset' || ! dnsmasq -v 2>/dev/null | grep -q -w 'nftset'; then
if [ -z "$quiet" ]; then if [ "$param" != 'quiet' ]; then
json add error "errorNoDnsmasqNftset" json add error "errorNoDnsmasqNftset"
output "${_ERROR_}: $(get_text 'errorNoDnsmasqNftset')!\\n" output "${_ERROR_}: $(get_text 'errorNoDnsmasqNftset')!\\n"
fi fi
dns='dnsmasq.servers' dns='dnsmasq.servers'
fi fi
if [ -z "$nft" ]; then if [ -z "$nft" ]; then
if [ -z "$quiet" ]; then if [ "$param" != 'quiet' ]; then
json add error "errorNoNft" json add error "errorNoNft"
output "${_ERROR_}: $(get_text 'errorNoNft')!\\n" output "${_ERROR_}: $(get_text 'errorNoNft')!\\n"
fi fi
@ -351,16 +409,15 @@ load_environment() {
;; ;;
esac esac
for i in "$outputFile" "$outputCache" "$outputGzip"; do for i in "$jsonFile" "$outputFile" "$outputCache" "$outputGzip"; do
if ! mkdir -p "$(dirname "$i")"; then if ! mkdir -p "$(dirname "$i")"; then
json add error "errorOutputDirCreate" "$i" if [ "$param" != 'quiet' ]; then
output "${_ERROR_}: $(get_text 'errorMkdirFail' "$i")!\\n" json add error "errorOutputDirCreate" "$i"
output "${_ERROR_}: $(get_text 'errorOutputDirCreate' "$i")!\\n"
fi
fi fi
done done
. /lib/functions/network.sh
. /usr/share/libubox/jshn.sh
is_present 'gawk' && awk='gawk' is_present 'gawk' && awk='gawk'
if ! is_present '/usr/libexec/grep-gnu' || ! is_present '/usr/libexec/sed-gnu' || \ if ! is_present '/usr/libexec/grep-gnu' || ! is_present '/usr/libexec/sed-gnu' || \
! is_present '/usr/libexec/sort-coreutils' || ! is_present 'gawk'; then ! is_present '/usr/libexec/sort-coreutils' || ! is_present 'gawk'; then
@ -369,8 +426,8 @@ load_environment() {
is_present '/usr/libexec/grep-gnu' || s="$s grep" is_present '/usr/libexec/grep-gnu' || s="$s grep"
is_present '/usr/libexec/sed-gnu' || s="$s sed" is_present '/usr/libexec/sed-gnu' || s="$s sed"
is_present '/usr/libexec/sort-coreutils' || s="$s coreutils-sort" is_present '/usr/libexec/sort-coreutils' || s="$s coreutils-sort"
if [ -z "$quiet" ]; then if [ "$param" != 'quiet' ]; then
json add warning "errorOutputFileCreate" "${i}" json add warning "warningMissingRecommendedPackages" "${i}"
output "${_WARNING_}: $(get_text 'warningMissingRecommendedPackages'), install them by running:\\n" output "${_WARNING_}: $(get_text 'warningMissingRecommendedPackages'), install them by running:\\n"
output "$s;\\n" output "$s;\\n"
fi fi
@ -405,12 +462,15 @@ load_environment() {
else else
unset isSSLSupported unset isSSLSupported
fi fi
load_environment_flag=1
cache 'test' && return 0 cache 'test' && return 0
cache 'test_gzip' && return 0 cache 'test_gzip' && return 0
network_flush_cache; network_find_wan wan_if; network_get_gateway wan_gw "$wan_if"; if [ "$param" = 'on_boot' ]; then
[ -n "$wan_gw" ] && return 0 load_network "$param"
json add error "errorNoWanGateway" return "$?"
output "${_ERROR_}: $(get_text 'errorNoWanGateway')!\\n"; return 1; else
return 0
fi
} }
resolver() { resolver() {
@ -555,7 +615,7 @@ json() {
case "$param" in case "$param" in
triggers) triggers)
curReload="$parallel_downloads $debug $download_timeout $allowed_domain $blocked_domain $allowed_domains_url \ curReload="$parallel_downloads $debug $download_timeout $allowed_domain $blocked_domain $allowed_domains_url \
$blocked_domains_url $blocked_hosts_url $dns $config_update_enabled $config_update_url \ $blocked_adblockplus_url $blocked_domains_url $blocked_hosts_url $dns $config_update_enabled $config_update_url \
$dnsmasq_config_file_url $curl_max_file_size $curl_retry" $dnsmasq_config_file_url $curl_max_file_size $curl_retry"
curRestart="$compressed_cache $force_dns $led $force_dns_port" curRestart="$compressed_cache $force_dns $led $force_dns_port"
if [ ! -s "$jsonFile" ]; then if [ ! -s "$jsonFile" ]; then
@ -589,7 +649,7 @@ json() {
case "$param" in case "$param" in
triggers) triggers)
reload="$parallel_downloads $debug $download_timeout $allowed_domain $blocked_domain $allowed_domains_url \ reload="$parallel_downloads $debug $download_timeout $allowed_domain $blocked_domain $allowed_domains_url \
$blocked_domains_url $blocked_hosts_url $dns $config_update_enabled $config_update_url \ $blocked_adblockplus_url $blocked_domains_url $blocked_hosts_url $dns $config_update_enabled $config_update_url \
$dnsmasq_config_file_url $curl_max_file_size $curl_retry" $dnsmasq_config_file_url $curl_max_file_size $curl_retry"
restart="$compressed_cache $force_dns $led $force_dns_port" restart="$compressed_cache $force_dns $led $force_dns_port"
;; ;;
@ -608,6 +668,7 @@ json() {
json_add_string reload "$reload" json_add_string reload "$reload"
json_add_string restart "$restart" json_add_string restart "$restart"
json_close_object json_close_object
mkdir -p "$(dirname "$jsonFile")"
json_dump > "$jsonFile" json_dump > "$jsonFile"
sync sync
} }
@ -658,14 +719,22 @@ process_url() {
if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]; then return 1; fi if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]; then return 1; fi
label="${1##*//}"; label="${label%%/*}"; label="${1##*//}"; label="${label%%/*}";
case "$2" in case "$2" in
dnsmasq) label="Dnsmasq: $label"; filter="$dnsmasqOISDFilter";; adbp) label="ADBPlus: $label"; filter="$adBlockPlusFilter"
domains) label="Domains: $label"; filter="$domainsFilter";; ;;
hosts) label="Hosts: $label"; filter="$hostsFilter";; dnsmasq) label="Dnsmasq: $label"; filter="$dnsmasqFileFilter"
;;
domains) label="Domains: $label"; filter="$domainsFilter"
;;
hosts) label="Hosts: $label"; filter="$hostsFilter"
;;
esac esac
case "$3" in case "$3" in
allowed) type='Allowed'; D_TMP="$A_TMP";; allowed) type='Allowed'; D_TMP="$A_TMP"
blocked) type='Blocked'; D_TMP="$B_TMP";; ;;
file) type='File'; D_TMP="$B_TMP";; blocked) type='Blocked'; D_TMP="$B_TMP"
;;
file) type='File'; D_TMP="$B_TMP"
;;
esac esac
if [ "${1:0:5}" = "https" ] && [ -z "$isSSLSupported" ]; then if [ "${1:0:5}" = "https" ] && [ -z "$isSSLSupported" ]; then
output 1 "$_FAIL_" output 1 "$_FAIL_"
@ -676,7 +745,7 @@ process_url() {
while [ -z "$R_TMP" ] || [ -e "$R_TMP" ]; do while [ -z "$R_TMP" ] || [ -e "$R_TMP" ]; do
R_TMP="$(mktemp -u -q -t ${packageName}_tmp.XXXXXXXX)" R_TMP="$(mktemp -u -q -t ${packageName}_tmp.XXXXXXXX)"
done done
if ! $dl_command "$1" $dl_flag "$R_TMP" 2>/dev/null || [ ! -s "$R_TMP" ]; then if ! $dl_command "$1" "$dl_flag" "$R_TMP" 2>/dev/null || [ ! -s "$R_TMP" ]; then
output 1 "$_FAIL_" output 1 "$_FAIL_"
output 2 "[DL] $type $label $__FAIL__\\n" output 2 "[DL] $type $label $__FAIL__\\n"
echo "errorDownloadingList|${1}" >> "$sharedMemoryError" echo "errorDownloadingList|${1}" >> "$sharedMemoryError"
@ -757,6 +826,13 @@ download_lists() {
process_url "$hf" 'hosts' 'blocked' process_url "$hf" 'hosts' 'blocked'
fi fi
done done
for hf in ${blocked_adblockplus_url}; do
if [ "$parallel_downloads" -gt 0 ]; then
process_url "$hf" 'adbp' 'blocked' &
else
process_url "$hf" 'adbp' 'blocked'
fi
done
for hf in ${blocked_domains_url}; do for hf in ${blocked_domains_url}; do
if [ "$parallel_downloads" -gt 0 ]; then if [ "$parallel_downloads" -gt 0 ]; then
process_url "$hf" 'domains' 'blocked' & process_url "$hf" 'domains' 'blocked' &
@ -1080,8 +1156,12 @@ adb_check() {
adb_config_update() { adb_config_update() {
local R_TMP label local R_TMP label
local param="$1" validation_result="$3" local param validation_result="$3"
load_environment "$validation_result" 'quiet' || return 1 case "$1" in
on_boot) param="$1";;
*) param='quiet';;
esac
load_environment "$validation_result" "$param" || return 1
label="${config_update_url##*//}" label="${config_update_url##*//}"
label="${label%%/*}"; label="${label%%/*}";
[ "$config_update_enabled" -ne 0 ] || return 0 [ "$config_update_enabled" -ne 0 ] || return 0
@ -1094,7 +1174,7 @@ adb_config_update() {
while [ -z "$R_TMP" ] || [ -e "$R_TMP" ]; do while [ -z "$R_TMP" ] || [ -e "$R_TMP" ]; do
R_TMP="$(mktemp -u -q -t ${packageName}_tmp.XXXXXXXX)" R_TMP="$(mktemp -u -q -t ${packageName}_tmp.XXXXXXXX)"
done done
if ! $dl_command "$config_update_url" $dl_flag "$R_TMP" 2>/dev/null || [ ! -s "$R_TMP" ]; then if ! $dl_command "$config_update_url" "$dl_flag" "$R_TMP" 2>/dev/null || [ ! -s "$R_TMP" ]; then
output 1 "$_FAIL_\\n" output 1 "$_FAIL_\\n"
output 2 "[DL] Config Update: $label $__FAIL__\\n" output 2 "[DL] Config Update: $label $__FAIL__\\n"
json add error "errorDownloadingConfigUpdate" json add error "errorDownloadingConfigUpdate"
@ -1118,9 +1198,27 @@ adb_sizes() {
load_environment "$validation_result" 'quiet' || return 1 load_environment "$validation_result" 'quiet' || return 1
echo "# $(date)" echo "# $(date)"
for i in $blocked_domains_url; do for i in ${blocked_adblockplus_url}; do
[ "${i//melmac}" != "$i" ] && continue [ "${i//melmac}" != "$i" ] && continue
if $dl_command "$i" $dl_flag /tmp/sast 2>/dev/null && [ -s /tmp/sast ]; then if $dl_command "$i" "$dl_flag" /tmp/sast 2>/dev/null && [ -s /tmp/sast ]; then
echo "# File size: $(du -sh /tmp/sast | $awk '{print $1}')"
if is_greater "$(du -sk /tmp/sast)" "500"; then
echo "# block-list too big for most routers"
elif is_greater "$(du -sk /tmp/sast)" "100"; then
echo "# block-list may be too big for some routers"
fi
rm -rf /tmp/sast
echo " list blocked_adblockplus_url '$i'"
echo ""
else
echo "# site was down on last check"
echo "# list blocked_adblockplus_url '$i'"
echo ""
fi
done
for i in ${blocked_domains_url}; do
[ "${i//melmac}" != "$i" ] && continue
if $dl_command "$i" "$dl_flag" /tmp/sast 2>/dev/null && [ -s /tmp/sast ]; then
echo "# File size: $(du -sh /tmp/sast | $awk '{print $1}')" echo "# File size: $(du -sh /tmp/sast | $awk '{print $1}')"
if is_greater "$(du -sk /tmp/sast)" "500"; then if is_greater "$(du -sk /tmp/sast)" "500"; then
echo "# block-list too big for most routers" echo "# block-list too big for most routers"
@ -1136,8 +1234,8 @@ adb_sizes() {
echo "" echo ""
fi fi
done done
for i in $blocked_hosts_url; do for i in ${blocked_hosts_url}; do
if $dl_command "$i" $dl_flag /tmp/sast 2>/dev/null && [ -s /tmp/sast ]; then if $dl_command "$i" "$dl_flag" /tmp/sast 2>/dev/null && [ -s /tmp/sast ]; then
echo "# File size: $(du -sh /tmp/sast | $awk '{print $1}')" echo "# File size: $(du -sh /tmp/sast | $awk '{print $1}')"
if is_greater "$(du -sk /tmp/sast)" "500"; then if is_greater "$(du -sk /tmp/sast)" "500"; then
echo "# block-list too big for most routers" echo "# block-list too big for most routers"
@ -1157,9 +1255,9 @@ adb_sizes() {
adb_start() { adb_start() {
local action status error message stats c local action status error message stats c
local validation_result="$3" local param="$1" validation_result="$3"
load_environment "$validation_result" || return 1 load_environment "$validation_result" "$param" || return 1
status="$(json get status)" status="$(json get status)"
error="$(json get error)" error="$(json get error)"
@ -1272,7 +1370,11 @@ adb_start() {
procd_open_data procd_open_data
json_add_string 'status' "$(json get status)" json_add_string 'status' "$(json get status)"
json_add_string 'errors' "$(json get errors)" json_add_string 'errors' "$(json get errors)"
json_add_int 'entries' "$(wc -l < "$outputFile")" if [ -s "$outputFile" ]; then
json_add_int 'entries' "$(wc -l < "$outputFile")"
else
json_add_int 'entries' '0'
fi
json_add_array firewall json_add_array firewall
if [ "$force_dns" -ne 0 ]; then if [ "$force_dns" -ne 0 ]; then
for c in $force_dns_port; do for c in $force_dns_port; do
@ -1460,15 +1562,6 @@ stop_service() { load_validate_config 'config' adb_stop "'$*'"; }
version() { echo "$PKG_VERSION"; } version() { echo "$PKG_VERSION"; }
load_validate_config() { load_validate_config() {
local dl_command
local dl_flag
local isSSLSupported
local outputFilter
local outputFilterIPv6
local outputFile
local outputGzip
local outputCache
local awk='awk'
local enabled local enabled
local force_dns local force_dns
local force_dns_port local force_dns_port
@ -1481,16 +1574,18 @@ load_validate_config() {
local canary_domains_mozilla local canary_domains_mozilla
local config_update_enabled local config_update_enabled
local config_update_url local config_update_url
local boot_delay
local download_timeout local download_timeout
local curl_max_file_size local curl_max_file_size
local curl_retry local curl_retry
local verbosity local verbosity
local procd_trigger_wan6
local procd_boot_wan_timeout
local led local led
local dns local dns
local dns_instance local dns_instance
local allowed_domain local allowed_domain
local allowed_domains_url local allowed_domains_url
local blocked_adblockplus_url
local blocked_domain local blocked_domain
local blocked_domains_url local blocked_domains_url
local blocked_hosts_url local blocked_hosts_url
@ -1513,12 +1608,14 @@ load_validate_config() {
'curl_retry:range(0,30):3' \ 'curl_retry:range(0,30):3' \
'verbosity:range(0,2):2' \ 'verbosity:range(0,2):2' \
'procd_trigger_wan6:bool:0' \ 'procd_trigger_wan6:bool:0' \
'procd_boot_wan_timeout:integer:60' \
'led:or("", "none", file, device, string)' \ 'led:or("", "none", file, device, string)' \
'dns:or("dnsmasq.addnhosts", "dnsmasq.conf", "dnsmasq.ipset", "dnsmasq.nftset", "dnsmasq.servers", "unbound.adb_list"):dnsmasq.servers' \ 'dns:or("dnsmasq.addnhosts", "dnsmasq.conf", "dnsmasq.ipset", "dnsmasq.nftset", "dnsmasq.servers", "unbound.adb_list"):dnsmasq.servers' \
'dns_instance:or(list(integer, string)):0' \ 'dns_instance:or(list(integer, string)):0' \
'allowed_domain:list(string)' \ 'allowed_domain:list(string)' \
'allowed_domains_url:list(string)' \ 'allowed_domains_url:list(string)' \
'blocked_domain:list(string)' \ 'blocked_domain:list(string)' \
'blocked_adblockplus_url:list(string)' \
'blocked_domains_url:list(string)' \ 'blocked_domains_url:list(string)' \
'blocked_hosts_url:list(string)' \ 'blocked_hosts_url:list(string)' \
'dnsmasq_config_file_url:string' 'dnsmasq_config_file_url:string'
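Review bot: `dnsmasqFileFilter` (the renamed `dnsmasqOISDFilter`, used by `process_url` for the `dnsmasq` type) only checks how a downloaded line begins. Its pattern `^server=/[[:alnum:]_.-].*/` is not anchored at the end, so `.*` and anything after the last `/` pass through, whereas the hosts, domains and ADBPlus filters all finish with the `/[^[:alnum:]_.-]/d` allow-list. The filter is now named for any dnsmasq-format file rather than one known source, so a line such as `server=/example.com/192.0.2.1` (constructed sample) would survive it and, if the result reaches dnsmasq unchanged, would set an upstream resolver for that domain instead of blocking it. I would limit each line to a single domain and nothing else, e.g. `readonly dnsmasqFileFilter='\|^server=/[[:alnum:]_.-][[:alnum:]_.-]*/$|!d'`, stripping trailing control characters first as `domainsFilter` does. How the filtered file is consumed lies outside the visible hunks, so confirm whether a later step already rejects such lines.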

View file

@ -8,13 +8,13 @@
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=squid PKG_NAME:=squid
PKG_VERSION:=4.17 PKG_VERSION:=5.7
PKG_RELEASE:=$(AUTORELEASE) PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=http://www2.pl.squid-cache.org/Versions/v4/ \ PKG_SOURCE_URL:=http://www2.pl.squid-cache.org/Versions/v5/ \
http://www.squid-cache.org/Versions/v4/ http://www.squid-cache.org/Versions/v5/
PKG_HASH:=cb928ac08c7c86b151b1c8f827abe1a84d83181a2a86e0d512286163e1e31418 PKG_HASH:=6b0753aaba4c9c4efd333e67124caecf7ad6cc2d38581f19d2f0321f5b7ecd81
PKG_MAINTAINER:=Marko Ratkaj <markoratkaj@gmail.com> PKG_MAINTAINER:=Marko Ratkaj <markoratkaj@gmail.com>
PKG_LICENSE:=GPL-2.0-or-later PKG_LICENSE:=GPL-2.0-or-later

View file

@ -1,12 +0,0 @@
--- a/src/tools.cc
+++ b/src/tools.cc
@@ -582,7 +582,8 @@ enter_suid(void)
}
#else
- setuid(0);
+ if (setuid(0) < 0)
+ debugs(50, 1, "no_suid: setuid (0)");
#endif
#if HAVE_PRCTL && defined(PR_SET_DUMPABLE)
/* Set Linux DUMPABLE flag */

View file

@ -1,6 +1,6 @@
--- a/src/Makefile.am --- a/src/Makefile.am
+++ b/src/Makefile.am +++ b/src/Makefile.am
@@ -765,7 +765,7 @@ cache_cf.o: cf_parser.cci @@ -761,7 +761,7 @@ cache_cf.o: cf_parser.cci
# cf_gen builds the configuration files. # cf_gen builds the configuration files.
cf_gen$(EXEEXT): $(cf_gen_SOURCES) $(cf_gen_DEPENDENCIES) cf_gen_defines.cci cf_gen$(EXEEXT): $(cf_gen_SOURCES) $(cf_gen_DEPENDENCIES) cf_gen_defines.cci

View file

@ -1,10 +0,0 @@
--- a/src/esi/Libxml2Parser.cc
+++ b/src/esi/Libxml2Parser.cc
@@ -91,7 +91,6 @@ ESILibxml2Parser::ESILibxml2Parser(ESIPa
/* TODO: grab the document encoding from the headers */
parser = xmlCreatePushParserCtxt(&sax, static_cast<void *>(this), NULL, 0, NULL);
- xmlSetFeature(parser, "substitute entities", 0);
if (entity_doc == NULL)
entity_doc = htmlNewDoc(NULL, NULL);

View file

@ -58,15 +58,15 @@ transmission() {
local incomplete_dir local incomplete_dir
config_get incomplete_dir "$cfg" 'incomplete_dir' '/var/etc/transmission' config_get incomplete_dir "$cfg" 'incomplete_dir' '/var/etc/transmission'
local incomplete_dir_enabled local incomplete_dir_enabled
config_get incomplete_dir_enabled "$cfg" 'incomplete_dir_enabled' 0 config_get_bool incomplete_dir_enabled "$cfg" 'incomplete_dir_enabled' 0
local watch_dir local watch_dir
config_get watch_dir "$cfg" 'watch_dir' '/var/etc/transmission' config_get watch_dir "$cfg" 'watch_dir' '/var/etc/transmission'
local watch_dir_enabled local watch_dir_enabled
config_get watch_dir_enabled "$cfg" 'watch_dir_enabled' 0 config_get_bool watch_dir_enabled "$cfg" 'watch_dir_enabled' 0
local mem_percentage local mem_percentage
config_get mem_percentage "$cfg" 'mem_percentage' '50' config_get mem_percentage "$cfg" 'mem_percentage' '50'
local config_overwrite local config_overwrite
config_get config_overwrite "$cfg" config_overwrite 1 config_get_bool config_overwrite "$cfg" config_overwrite 1
local nice local nice
config_get nice "$cfg" nice 0 config_get nice "$cfg" nice 0
local web_home local web_home
@ -196,9 +196,9 @@ transmission_mount_triggers() {
watch_dir watch_dir_enabled web_home service_dirs watch_dir watch_dir_enabled web_home service_dirs
config_get config_dir "$cfg" 'config_dir' '/var/etc/transmission' config_get config_dir "$cfg" 'config_dir' '/var/etc/transmission'
config_get download_dir "$cfg" 'download_dir' '/var/etc/transmission' config_get download_dir "$cfg" 'download_dir' '/var/etc/transmission'
config_get incomplete_dir_enabled "$cfg" 'incomplete_dir_enabled' 0 config_get_bool incomplete_dir_enabled "$cfg" 'incomplete_dir_enabled' 0
config_get incomplete_dir "$cfg" 'incomplete_dir' '/var/etc/transmission' config_get incomplete_dir "$cfg" 'incomplete_dir' '/var/etc/transmission'
config_get watch_dir_enabled "$cfg" 'watch_dir_enabled' 0 config_get_bool watch_dir_enabled "$cfg" 'watch_dir_enabled' 0
config_get watch_dir "$cfg" 'watch_dir' '/var/etc/transmission' config_get watch_dir "$cfg" 'watch_dir' '/var/etc/transmission'
config_get web_home "$cfg" 'web_home' config_get web_home "$cfg" 'web_home'

View file

@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=umurmur PKG_NAME:=umurmur
PKG_VERSION:=0.2.20 PKG_VERSION:=0.2.20
PKG_RELEASE:=1 PKG_RELEASE:=2
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://codeload.github.com/umurmur/umurmur/tar.gz/$(PKG_VERSION)? PKG_SOURCE_URL:=https://codeload.github.com/umurmur/umurmur/tar.gz/$(PKG_VERSION)?

View file

@ -0,0 +1,11 @@
--- a/src/ssli_openssl.c
+++ b/src/ssli_openssl.c
@@ -142,8 +142,6 @@ static EVP_PKEY *SSL_generate_cert_and_k
Log_info("Generating new server certificate.");
- CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
-
x509 = X509_new();
if (!x509)
goto err_out;

View file

@ -5,12 +5,12 @@
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=v2ray-core PKG_NAME:=v2ray-core
PKG_VERSION:=5.3.0 PKG_VERSION:=5.4.0
PKG_RELEASE:=1 PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://codeload.github.com/v2fly/v2ray-core/tar.gz/v$(PKG_VERSION)? PKG_SOURCE_URL:=https://codeload.github.com/v2fly/v2ray-core/tar.gz/v$(PKG_VERSION)?
PKG_HASH:=8e97e2647cb1dee8aa7e71df276c56d74258b2d97bb490a362afa84bdf1b9e25 PKG_HASH:=86be35461a9dc7d037e0045771d99f1eae284fdb7aa0818a6782d18b6b003fca
PKG_LICENSE:=MIT PKG_LICENSE:=MIT
PKG_LICENSE_FILES:=LICENSE PKG_LICENSE_FILES:=LICENSE

View file

@ -1,12 +1,12 @@
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=yq PKG_NAME:=yq
PKG_VERSION:=4.30.8 PKG_VERSION:=4.31.1
PKG_RELEASE:=1 PKG_RELEASE:=1
PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
PKG_SOURCE_URL:=https://codeload.github.com/mikefarah/yq/tar.gz/v$(PKG_VERSION)? PKG_SOURCE_URL:=https://codeload.github.com/mikefarah/yq/tar.gz/v$(PKG_VERSION)?
PKG_HASH:=aaf6c9f37968970413b8a6daf0b313a86efd1b8e3e5959e527b50636508eb776 PKG_HASH:=6481cd93fe9a773ea20f738a3340c88e691f3d073bc6d2fceee3f5b3867399fc
PKG_MAINTAINER:=Tianling Shen <cnsztl@immortalwrt.org> PKG_MAINTAINER:=Tianling Shen <cnsztl@immortalwrt.org>
PKG_LICENSE:=MIT PKG_LICENSE:=MIT