banip: update 0.8.4-5

* fix remaining small issues
* standardize log wording
* polished up for branch 23.x

Signed-off-by: Dirk Brenken <dev@brenken.org>
Dirk Brenken 2023-05-04 22:40:48 +02:00
parent 97d6c8bf77
commit 7e70de77d0
No known key found for this signature in database
GPG key ID: 9D71CD547BFAE684
6 changed files with 87 additions and 93 deletions


@ -1,14 +1,12 @@
# # banIP - ban incoming and outgoing IPs via named nftables Sets
# banIP - ban incoming and outgoing ip addresses/subnets via Sets in nftables
# Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org) # Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org)
# This is free software, licensed under the GNU General Public License v3. # This is free software, licensed under the GNU General Public License v3.
#
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=banip PKG_NAME:=banip
PKG_VERSION:=0.8.4 PKG_VERSION:=0.8.4
PKG_RELEASE:=4 PKG_RELEASE:=5
PKG_LICENSE:=GPL-3.0-or-later PKG_LICENSE:=GPL-3.0-or-later
PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org> PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>
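Review bot: the new Makefile header comment spells it lowercase "ip addresses/subnets", while the README title in this same commit uses "IP addresses/subnets" and the package TITLE/description use "IPs"; for a commit whose stated purpose is standardizing wording, pick one form (suggest "IP addresses/subnets") and use it in all three places.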
@ -17,13 +15,13 @@ include $(INCLUDE_DIR)/package.mk
define Package/banip define Package/banip
SECTION:=net SECTION:=net
CATEGORY:=Network CATEGORY:=Network
TITLE:=banIP blocks IP addresses via named nftables sets TITLE:=banIP blocks IPs via named nftables Sets
DEPENDS:=+jshn +jsonfilter +firewall4 +ca-bundle +logd +rpcd +rpcd-mod-rpcsys DEPENDS:=+jshn +jsonfilter +firewall4 +ca-bundle +logd +rpcd +rpcd-mod-rpcsys
PKGARCH:=all PKGARCH:=all
endef endef
define Package/banip/description define Package/banip/description
banIP blocks IP addresses via named nftables Sets. banIP blocks IPs via named nftables Sets.
banIP supports many IP blocklist feeds and provides a log service to block suspicious IPs in realtime. banIP supports many IP blocklist feeds and provides a log service to block suspicious IPs in realtime.
Please see https://github.com/openwrt/packages/blob/master/net/banip/files/README.md for further information. Please see https://github.com/openwrt/packages/blob/master/net/banip/files/README.md for further information.


@ -1,9 +1,9 @@
<!-- markdownlint-disable --> <!-- markdownlint-disable -->
# banIP - ban incoming and outgoing IP addresses/subnets via sets in nftables # banIP - ban incoming and outgoing IP addresses/subnets via Sets in nftables
## Description ## Description
IP address blocking is commonly used to protect against brute force attacks, prevent disruptive or unauthorized address(es) from access or it can be used to restrict access to or from a particular geographic area — for example. Further more banIP scans the log file via logread and bans IP addresses that make too many password failures, e.g. via ssh. IP address blocking is commonly used to protect against brute force attacks, prevent disruptive or unauthorized address(es) from access or it can be used to restrict access to or from a particular geographic area — for example. Further more banIP scans the log file via logread and bans IPs that make too many password failures, e.g. via ssh.
## Main Features ## Main Features
* banIP supports the following fully pre-configured domain blocklist feeds (free for private usage, for commercial use please check their individual licenses). * banIP supports the following fully pre-configured domain blocklist feeds (free for private usage, for commercial use please check their individual licenses).
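Review bot: the README description line is already being touched in this hunk, so the pre-existing typo "Further more" should become "Furthermore" in the same change; "prevent disruptive or unauthorized address(es) from access" also reads better as "... from gaining access".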
@ -57,9 +57,9 @@ IP address blocking is commonly used to protect against brute force attacks, pre
| yoyo | yoyo IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) | | yoyo | yoyo IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
* Zero-conf like automatic installation & setup, usually no manual changes needed * Zero-conf like automatic installation & setup, usually no manual changes needed
* All sets are handled in a separate nft table/namespace 'banIP' * All Sets are handled in a separate nft table/namespace 'banIP'
* Full IPv4 and IPv6 support * Full IPv4 and IPv6 support
* Supports nft atomic set loading * Supports nft atomic Set loading
* Supports blocking by ASN numbers and by iso country codes * Supports blocking by ASN numbers and by iso country codes
* Supports local allow- and blocklist (IPv4, IPv6, CIDR notation or domain names) * Supports local allow- and blocklist (IPv4, IPv6, CIDR notation or domain names)
* Auto-add the uplink subnet to the local allowlist * Auto-add the uplink subnet to the local allowlist
@ -70,10 +70,10 @@ IP address blocking is commonly used to protect against brute force attacks, pre
* Automatic blocklist backup & restore, the backups will be used in case of download errors or during startup * Automatic blocklist backup & restore, the backups will be used in case of download errors or during startup
* Automatically selects one of the following download utilities with ssl support: aria2c, curl, uclient-fetch or wget * Automatically selects one of the following download utilities with ssl support: aria2c, curl, uclient-fetch or wget
* Supports an 'allowlist only' mode, this option restricts internet access from/to a small number of secure websites/IPs * Supports an 'allowlist only' mode, this option restricts internet access from/to a small number of secure websites/IPs
* Deduplicate IPs accross all sets (single IPs only, no intervals) * Deduplicate IPs accross all Sets (single IPs only, no intervals)
* Provides comprehensive runtime information * Provides comprehensive runtime information
* Provides a detailed set report * Provides a detailed Set report
* Provides a set search engine for certain IPs * Provides a Set search engine for certain IPs
* Feed parsing by fast & flexible regex rulesets * Feed parsing by fast & flexible regex rulesets
* Minimal status & error logging to syslog, enable debug logging to receive more output * Minimal status & error logging to syslog, enable debug logging to receive more output
* Procd based init system support (start/stop/restart/reload/status/report/search/survey/lookup) * Procd based init system support (start/stop/restart/reload/status/report/search/survey/lookup)
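Review bot: "accross" in the deduplication bullet is a typo that survives the edit on that line; change it to "across" (the ban_deduplicate row in the options table of this commit already spells it correctly).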
@ -112,9 +112,9 @@ Available commands:
enable Enable service autostart enable Enable service autostart
disable Disable service autostart disable Disable service autostart
enabled Check if service is started on boot enabled Check if service is started on boot
report [text|json|mail] Print banIP related set statistics report [text|json|mail] Print banIP related Set statistics
search [<IPv4 address>|<IPv6 address>] Check if an element exists in a banIP set search [<IPv4 address>|<IPv6 address>] Check if an element exists in a banIP Set
survey [<set name>] List all elements of a given banIP set survey [<Set name>] List all elements of a given banIP Set
lookup Lookup the IPs of domain names in the local lists and update them lookup Lookup the IPs of domain names in the local lists and update them
running Check if service is running running Check if service is running
status Service status status Service status
@ -129,7 +129,7 @@ Available commands:
| ban_enabled | option | 0 | enable the banIP service | | ban_enabled | option | 0 | enable the banIP service |
| ban_nicelimit | option | 0 | ulimit nice level of the banIP service (range 0-19) | | ban_nicelimit | option | 0 | ulimit nice level of the banIP service (range 0-19) |
| ban_filelimit | option | 1024 | ulimit max open/number of files (range 1024-4096) | | ban_filelimit | option | 1024 | ulimit max open/number of files (range 1024-4096) |
| ban_loglimit | option | 100 | scan only the last n log entries permanently. Set it to '0' to disable the monitor | | ban_loglimit | option | 100 | scan only the last n log entries permanently. A value of '0' disables the monitor |
| ban_logcount | option | 1 | how many times the IP must appear in the log to be considered as suspicious | | ban_logcount | option | 1 | how many times the IP must appear in the log to be considered as suspicious |
| ban_logterm | list | regex | various regex for logfile parsing (default: dropbear, sshd, luci, nginx, asterisk) | | ban_logterm | list | regex | various regex for logfile parsing (default: dropbear, sshd, luci, nginx, asterisk) |
| ban_autodetect | option | 1 | auto-detect wan interfaces, devices and subnets | | ban_autodetect | option | 1 | auto-detect wan interfaces, devices and subnets |
@ -152,12 +152,12 @@ Available commands:
| ban_trigger | list | - | logical startup trigger interface(s), e.g. 'wan' | | ban_trigger | list | - | logical startup trigger interface(s), e.g. 'wan' |
| ban_triggerdelay | option | 10 | trigger timeout before banIP processing begins | | ban_triggerdelay | option | 10 | trigger timeout before banIP processing begins |
| ban_triggeraction | option | start | trigger action on ifup events, e.g. start, restart or reload | | ban_triggeraction | option | start | trigger action on ifup events, e.g. start, restart or reload |
| ban_deduplicate | option | 1 | deduplicate IP addresses across all active sets | | ban_deduplicate | option | 1 | deduplicate IP addresses across all active Sets |
| ban_splitsize | option | 0 | split ext. sets after every n lines/members (saves RAM) | | ban_splitsize | option | 0 | split ext. Sets after every n lines/members (saves RAM) |
| ban_cores | option | - / autodetect | limit the cpu cores used by banIP (saves RAM) | | ban_cores | option | - / autodetect | limit the cpu cores used by banIP (saves RAM) |
| ban_nftloglevel | option | warn | nft loglevel, values: emerg, alert, crit, err, warn, notice, info, debug | | ban_nftloglevel | option | warn | nft loglevel, values: emerg, alert, crit, err, warn, notice, info, debug |
| ban_nftpriority | option | -200 | nft priority for the banIP table (default is the prerouting table priority) | | ban_nftpriority | option | -200 | nft priority for the banIP table (default is the prerouting table priority) |
| ban_nftpolicy | option | memory | nft policy for banIP-related sets, values: memory, performance | | ban_nftpolicy | option | memory | nft policy for banIP-related Sets, values: memory, performance |
| ban_nftexpiry | option | - | expiry time for auto added blocklist members, e.g. '5m', '2h' or '1d' | | ban_nftexpiry | option | - | expiry time for auto added blocklist members, e.g. '5m', '2h' or '1d' |
| ban_feed | list | - | external download feeds, e.g. 'yoyo', 'doh', 'country' or 'talos' (see feed table) | | ban_feed | list | - | external download feeds, e.g. 'yoyo', 'doh', 'country' or 'talos' (see feed table) |
| ban_asn | list | - | ASNs for the 'asn' feed, e.g.'32934' | | ban_asn | list | - | ASNs for the 'asn' feed, e.g.'32934' |
@ -174,7 +174,7 @@ Available commands:
| ban_mailtopic | option | banIP notification | topic for banIP related notification E-Mails | | ban_mailtopic | option | banIP notification | topic for banIP related notification E-Mails |
| ban_mailprofile | option | ban_notify | mail profile used in 'msmtp' for banIP related notification E-Mails | | ban_mailprofile | option | ban_notify | mail profile used in 'msmtp' for banIP related notification E-Mails |
| ban_mailnotification | option | 0 | receive E-Mail notifications with every banIP run | | ban_mailnotification | option | 0 | receive E-Mail notifications with every banIP run |
| ban_reportelements | option | 1 | list set elements in the report, disable this to speed up the report significantly | | ban_reportelements | option | 1 | count Set elements in the report, disable this option to speed up the report significantly |
| ban_resolver | option | - | external resolver used for DNS lookups | | ban_resolver | option | - | external resolver used for DNS lookups |
## Examples ## Examples
@ -230,11 +230,11 @@ Available commands:
~# /etc/init.d/banip status ~# /etc/init.d/banip status
::: banIP runtime information ::: banIP runtime information
+ status : active (nft: ✔, monitor: ✔) + status : active (nft: ✔, monitor: ✔)
+ version : 0.8.3-1 + version : 0.8.5-1
+ element_count : 281161 + element_count : 281161
+ active_feeds : allowlistvMAC, allowlistv6, allowlistv4, adawayv4, adguardtrackersv4, adawayv6, adguardv6, adguardv4, adguardtrackersv6, antipopadsv6, antipopadsv4, cinsscorev4, deblv4, countryv6, countryv4, deblv6, dohv4, dohv6, iblockadsv4, firehol1v4, oisdbigv4, yoyov6, threatviewv4, yoyov4, oisdbigv6, blocklistvMAC, blocklistv4, blocklistv6 + active_feeds : allowlistvMAC, allowlistv6, allowlistv4, adawayv4, adguardtrackersv4, adawayv6, adguardv6, adguardv4, adguardtrackersv6, antipopadsv6, antipopadsv4, cinsscorev4, deblv4, countryv6, countryv4, deblv6, dohv4, dohv6, iblockadsv4, firehol1v4, oisdbigv4, yoyov6, threatviewv4, yoyov4, oisdbigv6, blocklistvMAC, blocklistv4, blocklistv6
+ active_devices : br-wan ::: wan, wan6 + active_devices : br-wan ::: wan, wan6
+ active_subnets : 91.64.169.252/24, 2a02:710c:0:60:958b:3bd0:9e14:abb/128 + active_uplink : 91.64.169.252/24, 2a02:710c:0:60:958b:3bd0:9e14:abb/128
+ nft_info : priority: -200, policy: memory, loglevel: warn, expiry: - + nft_info : priority: -200, policy: memory, loglevel: warn, expiry: -
+ run_info : base: /mnt/data/banIP, backup: /mnt/data/banIP/backup, report: /mnt/data/banIP/report, feed: /etc/banip/banip.feeds + run_info : base: /mnt/data/banIP, backup: /mnt/data/banIP/backup, report: /mnt/data/banIP/report, feed: /etc/banip/banip.feeds
+ run_flags : auto: ✔, proto (4/6): ✔/✔, log (wan-inp/wan-fwd/lan-fwd): ✔/✔/✔, dedup: ✔, split: ✘, allowed only: ✘ + run_flags : auto: ✔, proto (4/6): ✔/✔, log (wan-inp/wan-fwd/lan-fwd): ✔/✔/✔, dedup: ✔, split: ✘, allowed only: ✘
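Review bot: the sample runtime output now shows "version : 0.8.5-1", but this commit sets PKG_VERSION 0.8.4 and PKG_RELEASE 5, so the example should read 0.8.4-5 (or give the version generically) to avoid confusing users who compare it with their own output. The rename of the status key "active_subnets" to "active_uplink" also has to be applied where the status output is generated; that change is not in the visible banip-functions.sh hunks, so please confirm it is in one of the remaining changed files.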
@ -259,7 +259,7 @@ Available commands:
::: :::
::: banIP Survey ::: banIP Survey
::: :::
List the elements of Set 'cinsscorev4' on 2023-03-06 14:07:58 List of elements in the Set 'cinsscorev4' on 2023-03-06 14:07:58
--- ---
1.10.187.179 1.10.187.179
1.10.203.30 1.10.203.30
@ -291,7 +291,7 @@ list ban_logterm 'SecurityEvent=\"InvalidAccountID\".*RemoteAddress='
banIP supports local allow and block lists (IPv4, IPv6, CIDR notation or domain names), located in /etc/banip/banip.allowlist and /etc/banip/banip.blocklist. banIP supports local allow and block lists (IPv4, IPv6, CIDR notation or domain names), located in /etc/banip/banip.allowlist and /etc/banip/banip.blocklist.
Unsuccessful login attempts or suspicious requests will be tracked and added to the local blocklist (see the 'ban\_autoblocklist' option). The blocklist behaviour can be further tweaked with the 'ban\_nftexpiry' option. Unsuccessful login attempts or suspicious requests will be tracked and added to the local blocklist (see the 'ban\_autoblocklist' option). The blocklist behaviour can be further tweaked with the 'ban\_nftexpiry' option.
Furthermore the uplink subnet will be added to local allowlist (see 'ban\_autoallowlist' option). Furthermore the uplink subnet will be added to local allowlist (see 'ban\_autoallowlist' option).
Both lists also accept domain names as input to allow IP filtering based on these names. The corresponding IPs (IPv4 & IPv6) will be extracted and added to the sets. You can also start the domain lookup separately via /etc/init.d/banip lookup at any time. Both lists also accept domain names as input to allow IP filtering based on these names. The corresponding IPs (IPv4 & IPv6) will be extracted and added to the Sets. You can also start the domain lookup separately via /etc/init.d/banip lookup at any time.
**allowlist-only mode** **allowlist-only mode**
banIP supports an "allowlist only" mode. This option restricts the internet access from/to a small number of secure websites/IPs, and block access from/to the rest of the internet. All IPs and Domains which are _not_ listed in the allowlist are blocked. banIP supports an "allowlist only" mode. This option restricts the internet access from/to a small number of secure websites/IPs, and block access from/to the rest of the internet. All IPs and Domains which are _not_ listed in the allowlist are blocked.
@ -307,12 +307,12 @@ For a regular, automatic status mailing and update of the used lists on a daily
``` ```
**tweaks for low memory systems** **tweaks for low memory systems**
nftables supports the atomic loading of rules/sets/members, which is cool but unfortunately is also very memory intensive. To reduce the memory pressure on low memory systems (i.e. those with 256-512Mb RAM), you should optimize your configuration with the following options: nftables supports the atomic loading of firewall rules (incl. elements), which is cool but unfortunately is also very memory intensive. To reduce the memory pressure on low memory systems (i.e. those with 256-512Mb RAM), you should optimize your configuration with the following options:
* point 'ban_basedir', 'ban_reportdir' and 'ban_backupdir' to an external usb drive * point 'ban_basedir', 'ban_reportdir' and 'ban_backupdir' to an external usb drive
* set 'ban_cores' to '1' (only useful on a multicore system) to force sequential feed processing * set 'ban_cores' to '1' (only useful on a multicore system) to force sequential feed processing
* set 'ban_splitsize' e.g. to '1000' to split the load of an external set after every 1000 lines/members * set 'ban_splitsize' e.g. to '1000' to split the load of an external Set after every 1000 lines/members
* set 'ban_reportelements' to '0' to disable the CPU intensive counting of set elements * set 'ban_reportelements' to '0' to disable the CPU intensive counting of Set elements
**tweak the download options** **tweak the download options**
By default banIP uses the following pre-configured download options: By default banIP uses the following pre-configured download options:
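Review bot: "256-512Mb" in the low-memory paragraph denotes megabits; since the line is being rewritten anyway, use "256-512 MB".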
@ -350,7 +350,7 @@ The banIP default blocklist feeds are stored in an external JSON file '/etc/bani
A valid JSON source object contains the following information, e.g.: A valid JSON source object contains the following information, e.g.:
``` ```
[...] [...]
"tor": { "tor":{
"url_4": "https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst", "url_4": "https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst",
"url_6": "https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst", "url_6": "https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
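Review bot: dropping the space in "tor":{ makes this key inconsistent with the "url_4": / "url_6": / "rule_4": entries in the same sample, which keep a space after the colon; keep "tor": { so the JSON example is formatted uniformly.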


@ -1,4 +1,4 @@
# banIP shared function library/include # banIP shared function library/include - ban incoming and outgoing IPs via named nftables Sets
# Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org) # Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org)
# This is free software, licensed under the GNU General Public License v3. # This is free software, licensed under the GNU General Public License v3.
@ -107,7 +107,7 @@ f_mkdir() {
if [ ! -d "${dir}" ]; then if [ ! -d "${dir}" ]; then
rm -f "${dir}" rm -f "${dir}"
mkdir -p "${dir}" mkdir -p "${dir}"
f_log "debug" "f_mkdir ::: created directory: ${dir}" f_log "debug" "f_mkdir ::: directory: ${dir}"
fi fi
} }
@ -118,7 +118,7 @@ f_mkfile() {
if [ ! -f "${file}" ]; then if [ ! -f "${file}" ]; then
: >"${file}" : >"${file}"
f_log "debug" "f_mkfile ::: created file: ${file}" f_log "debug" "f_mkfile ::: file: ${file}"
fi fi
} }
@ -139,7 +139,7 @@ f_rmdir() {
if [ -d "${dir}" ]; then if [ -d "${dir}" ]; then
rm -rf "${dir}" rm -rf "${dir}"
f_log "debug" "f_rmdir ::: deleted directory: ${dir}" f_log "debug" "f_rmdir ::: directory: ${dir}"
fi fi
} }
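Review bot: after this change f_mkdir and f_rmdir both log the bare text "directory: ${dir}", differing only in the function prefix, so the debug log no longer says whether a directory was created or removed (the same applies to f_mkfile). Keep a verb while shortening, e.g. "f_rmdir ::: removed directory: ${dir}" and "f_mkdir ::: created directory: ${dir}".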
@ -253,7 +253,7 @@ f_fetch() {
if [ -z "${ban_fetchcmd}" ] || [ ! -x "${ban_fetchcmd}" ]; then if [ -z "${ban_fetchcmd}" ] || [ ! -x "${ban_fetchcmd}" ]; then
packages="$(${ban_ubuscmd} -S call rpc-sys packagelist '{ "all": true }' 2>/dev/null)" packages="$(${ban_ubuscmd} -S call rpc-sys packagelist '{ "all": true }' 2>/dev/null)"
[ -z "${packages}" ] && f_log "err" "local package repository is not available, please set the download utility 'ban_fetchcmd' manually" [ -z "${packages}" ] && f_log "err" "no local package repository"
utils="aria2c curl wget uclient-fetch" utils="aria2c curl wget uclient-fetch"
for item in ${utils}; do for item in ${utils}; do
if { [ "${item}" = "uclient-fetch" ] && printf "%s" "${packages}" | "${ban_grepcmd}" -q '"libustream-'; } || if { [ "${item}" = "uclient-fetch" ] && printf "%s" "${packages}" | "${ban_grepcmd}" -q '"libustream-'; } ||
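Review bot: the new err message "no local package repository" drops the remediation hint the previous text carried (set 'ban_fetchcmd' manually); since this is an err-level message on a path where autodetection cannot continue, the user is left without a pointer to the fix. Keep a short hint, e.g. "no local package repository, set ban_fetchcmd manually", or document the fallback in the README.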
@ -268,7 +268,7 @@ f_fetch() {
fi fi
done done
fi fi
[ ! -x "${ban_fetchcmd}" ] && f_log "err" "download utility with SSL support not found" [ ! -x "${ban_fetchcmd}" ] && f_log "err" "no download utility with SSL support"
case "${ban_fetchcmd##*/}" in case "${ban_fetchcmd##*/}" in
"aria2c") "aria2c")
[ "${ban_fetchinsecure}" = "1" ] && insecure="--check-certificate=false" [ "${ban_fetchinsecure}" = "1" ] && insecure="--check-certificate=false"
@ -288,7 +288,7 @@ f_fetch() {
;; ;;
esac esac
f_log "debug" "f_fetch ::: fetch_cmd: ${ban_fetchcmd:-"-"}, fetch_parm: ${ban_fetchparm:-"-"}" f_log "debug" "f_fetch ::: cmd: ${ban_fetchcmd:-"-"}, parm: ${ban_fetchparm:-"-"}"
} }
# remove logservice # remove logservice
@ -336,7 +336,7 @@ f_getif() {
ban_ifv4="${iface}" ban_ifv4="${iface}"
uci_set banip global ban_protov4 "1" uci_set banip global ban_protov4 "1"
uci_add_list banip global ban_ifv4 "${iface}" uci_add_list banip global ban_ifv4 "${iface}"
f_log "info" "added IPv4 interface '${iface}' to config" f_log "info" "add IPv4 interface '${iface}' to config"
fi fi
fi fi
if [ -z "${ban_ifv6}" ]; then if [ -z "${ban_ifv6}" ]; then
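Review bot: "add IPv4 interface ..." is logged after uci_set and uci_add_list have already executed, so the past tense "added" was the accurate one; if the imperative form is the new convention for all info messages (the same change is made for IPv6 interfaces, devices and uplinks below), say so in the commit message so the wording is not read as a state bug.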
@ -347,7 +347,7 @@ f_getif() {
ban_ifv6="${iface}" ban_ifv6="${iface}"
uci_set banip global ban_protov6 "1" uci_set banip global ban_protov6 "1"
uci_add_list banip global ban_ifv6 "${iface}" uci_add_list banip global ban_ifv6 "${iface}"
f_log "info" "added IPv6 interface '${iface}' to config" f_log "info" "add IPv6 interface '${iface}' to config"
fi fi
fi fi
fi fi
@ -359,11 +359,11 @@ f_getif() {
ban_ifv6="${ban_ifv6%%?}" ban_ifv6="${ban_ifv6%%?}"
for iface in ${ban_ifv4} ${ban_ifv6}; do for iface in ${ban_ifv4} ${ban_ifv6}; do
if ! "${ban_ubuscmd}" -t 10 wait_for network.interface."${iface}" >/dev/null 2>&1; then if ! "${ban_ubuscmd}" -t 10 wait_for network.interface."${iface}" >/dev/null 2>&1; then
f_log "err" "wan interface '${iface}' is not available, please check your configuration" f_log "err" "no wan interface '${iface}'"
fi fi
done done
fi fi
[ -z "${ban_ifv4}" ] && [ -z "${ban_ifv6}" ] && f_log "err" "wan interfaces not found, please check your configuration" [ -z "${ban_ifv4}" ] && [ -z "${ban_ifv6}" ] && f_log "err" "no wan interfaces"
f_log "debug" "f_getif ::: auto/update: ${ban_autodetect}/${update}, interfaces (4/6): ${ban_ifv4}/${ban_ifv6}, protocols (4/6): ${ban_protov4}/${ban_protov6}" f_log "debug" "f_getif ::: auto/update: ${ban_autodetect}/${update}, interfaces (4/6): ${ban_ifv4}/${ban_ifv6}, protocols (4/6): ${ban_protov4}/${ban_protov6}"
} }
@ -385,7 +385,7 @@ f_getdev() {
if ! printf " %s " "${ban_dev}" | "${ban_grepcmd}" -q " ${dev} "; then if ! printf " %s " "${ban_dev}" | "${ban_grepcmd}" -q " ${dev} "; then
ban_dev="${ban_dev}${dev} " ban_dev="${ban_dev}${dev} "
uci_add_list banip global ban_dev "${dev}" uci_add_list banip global ban_dev "${dev}"
f_log "info" "added device '${dev}' to config" f_log "info" "add device '${dev}' to config"
fi fi
fi fi
done done
@ -398,7 +398,7 @@ f_getdev() {
uci_commit "banip" uci_commit "banip"
fi fi
ban_dev="${ban_dev%%?}" ban_dev="${ban_dev%%?}"
[ -z "${ban_dev}" ] && f_log "err" "wan devices not found, please check your configuration" [ -z "${ban_dev}" ] && f_log "err" "no wan devices"
f_log "debug" "f_getdev ::: auto/update: ${ban_autodetect}/${update}, devices: ${ban_dev}, cnt: ${cnt}" f_log "debug" "f_getdev ::: auto/update: ${ban_autodetect}/${update}, devices: ${ban_dev}, cnt: ${cnt}"
} }
@ -429,12 +429,12 @@ f_getuplink() {
fi fi
done done
for ip in ${ban_uplink}; do for ip in ${ban_uplink}; do
if ! "${ban_grepcmd}" -q "${ip}" "${ban_allowlist}"; then if ! "${ban_grepcmd}" -q "${ip} " "${ban_allowlist}"; then
if [ "${update}" = "0" ]; then if [ "${update}" = "0" ]; then
"${ban_sedcmd}" -i '/# uplink added on /d' "${ban_allowlist}" "${ban_sedcmd}" -i '/# uplink added on /d' "${ban_allowlist}"
fi fi
printf "%-42s%s\n" "${ip}" "# uplink added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_allowlist}" printf "%-42s%s\n" "${ip}" "# uplink added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_allowlist}"
f_log "info" "added uplink '${ip}' to local allowlist" f_log "info" "add uplink '${ip}' to local allowlist"
update="1" update="1"
fi fi
done done
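Review bot: changing the grep pattern from "${ip}" to "${ip} " relies on the trailing padding of the printf "%-42s" format below to avoid prefix matches (10.0.0.1 matching 10.0.0.10), but an entry of 42 or more characters, which a full-length IPv6 address with a /128 suffix reaches, is written without any trailing space, so the pattern never matches and the uplink is re-appended to the allowlist on every run; the dots in "${ip}" are also still unescaped regex metacharacters. Suggest an anchored match that accepts either whitespace or end of line after the address, e.g. "${ban_grepcmd}" -qE "^${ip}([[:space:]]|$)" "${ban_allowlist}" with the dots escaped, and/or a wider field such as %-46s.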
@ -453,17 +453,17 @@ f_getfeed() {
json_init json_init
if [ -s "${ban_customfeedfile}" ]; then if [ -s "${ban_customfeedfile}" ]; then
if ! json_load_file "${ban_customfeedfile}" >/dev/null 2>&1; then if ! json_load_file "${ban_customfeedfile}" >/dev/null 2>&1; then
f_log "info" "banIP custom feed file can't be loaded" f_log "info" "can't load banIP custom feed file"
if ! json_load_file "${ban_feedfile}" >/dev/null 2>&1; then if ! json_load_file "${ban_feedfile}" >/dev/null 2>&1; then
f_log "err" "banIP feed file can't be loaded" f_log "err" "can't load banIP feed file"
fi fi
fi fi
elif ! json_load_file "${ban_feedfile}" >/dev/null 2>&1; then elif ! json_load_file "${ban_feedfile}" >/dev/null 2>&1; then
f_log "err" "banIP feed file can't be loaded" f_log "err" "can't load banIP feed file"
fi fi
} }
# get set elements # get Set elements
# #
f_getelements() { f_getelements() {
local file="${1}" local file="${1}"
@ -751,10 +751,10 @@ f_down() {
feed_rc="${?}" feed_rc="${?}"
fi fi
# build nft file with set and rules for regular downloads # build nft file with Sets and rules for regular downloads
# #
if [ "${feed_rc}" = "0" ] && [ ! -s "${tmp_nft}" ]; then if [ "${feed_rc}" = "0" ] && [ ! -s "${tmp_nft}" ]; then
# deduplicate sets # deduplicate Sets
# #
if [ "${ban_deduplicate}" = "1" ] && [ "${feed_url}" != "local" ]; then if [ "${ban_deduplicate}" = "1" ] && [ "${feed_url}" != "local" ]; then
"${ban_awkcmd}" "${feed_rule}" "${tmp_load}" 2>/dev/null >"${tmp_raw}" "${ban_awkcmd}" "${feed_rule}" "${tmp_load}" 2>/dev/null >"${tmp_raw}"
@ -763,13 +763,13 @@ f_down() {
"${ban_awkcmd}" "${feed_rule}" "${tmp_load}" 2>/dev/null >"${tmp_split}" "${ban_awkcmd}" "${feed_rule}" "${tmp_load}" 2>/dev/null >"${tmp_split}"
fi fi
feed_rc="${?}" feed_rc="${?}"
# split sets # split Sets
# #
if [ "${feed_rc}" = "0" ]; then if [ "${feed_rc}" = "0" ]; then
if [ -n "${ban_splitsize//[![:digit]]/}" ] && [ "${ban_splitsize//[![:digit]]/}" -gt "0" ]; then if [ -n "${ban_splitsize//[![:digit]]/}" ] && [ "${ban_splitsize//[![:digit]]/}" -gt "0" ]; then
if ! "${ban_awkcmd}" "NR%${ban_splitsize//[![:digit]]/}==1{file=\"${tmp_file}.\"++i;}{ORS=\" \";print > file}" "${tmp_split}" 2>/dev/null; then if ! "${ban_awkcmd}" "NR%${ban_splitsize//[![:digit]]/}==1{file=\"${tmp_file}.\"++i;}{ORS=\" \";print > file}" "${tmp_split}" 2>/dev/null; then
rm -f "${tmp_file}".* rm -f "${tmp_file}".*
f_log "info" "failed to split '${feed}' Set to size '${ban_splitsize//[![:digit]]/}'" f_log "info" "can't split Set '${feed}' to size '${ban_splitsize//[![:digit]]/}'"
fi fi
else else
"${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}.1" "${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}.1"
@ -779,7 +779,7 @@ f_down() {
rm -f "${tmp_raw}" "${tmp_load}" rm -f "${tmp_raw}" "${tmp_load}"
if [ "${feed_rc}" = "0" ] && [ "${proto}" = "4" ]; then if [ "${feed_rc}" = "0" ] && [ "${proto}" = "4" ]; then
{ {
# nft header (IPv4 set) # nft header (IPv4 Set)
# #
printf "%s\n\n" "#!/usr/sbin/nft -f" printf "%s\n\n" "#!/usr/sbin/nft -f"
[ -s "${tmp_flush}" ] && cat "${tmp_flush}" [ -s "${tmp_flush}" ] && cat "${tmp_flush}"
@ -793,7 +793,7 @@ f_down() {
} >"${tmp_nft}" } >"${tmp_nft}"
elif [ "${feed_rc}" = "0" ] && [ "${proto}" = "6" ]; then elif [ "${feed_rc}" = "0" ] && [ "${proto}" = "6" ]; then
{ {
# nft header (IPv6 set) # nft header (IPv6 Set)
# #
printf "%s\n\n" "#!/usr/sbin/nft -f" printf "%s\n\n" "#!/usr/sbin/nft -f"
[ -s "${tmp_flush}" ] && cat "${tmp_flush}" [ -s "${tmp_flush}" ] && cat "${tmp_flush}"
@ -815,6 +815,7 @@ f_down() {
if [ "${cnt_dl:-"0"}" -gt "0" ] || [ "${feed_url}" = "local" ] || [ "${feed%v*}" = "allowlist" ] || [ "${feed%v*}" = "blocklist" ]; then if [ "${cnt_dl:-"0"}" -gt "0" ] || [ "${feed_url}" = "local" ] || [ "${feed%v*}" = "allowlist" ] || [ "${feed%v*}" = "blocklist" ]; then
feed_log="$("${ban_nftcmd}" -f "${tmp_nft}" 2>&1)" feed_log="$("${ban_nftcmd}" -f "${tmp_nft}" 2>&1)"
feed_rc="${?}" feed_rc="${?}"
# load additional split files # load additional split files
# #
if [ "${feed_rc}" = "0" ]; then if [ "${feed_rc}" = "0" ]; then
@ -825,7 +826,7 @@ f_down() {
continue continue
fi fi
if ! "${ban_nftcmd}" add element inet banIP "${feed}" "{ $(cat "${split_file}") }" >/dev/null 2>&1; then if ! "${ban_nftcmd}" add element inet banIP "${feed}" "{ $(cat "${split_file}") }" >/dev/null 2>&1; then
f_log "info" "failed to add split file '${split_file##*.}' to '${feed}' Set" f_log "info" "can't add split file '${split_file##*.}' to Set '${feed}'"
fi fi
rm -f "${split_file}" rm -f "${split_file}"
done done
@ -834,7 +835,7 @@ f_down() {
fi fi
fi fi
else else
f_log "info" "empty feed '${feed}' will be skipped" f_log "info" "skip empty feed '${feed}'"
fi fi
fi fi
rm -f "${tmp_split}" "${tmp_nft}" rm -f "${tmp_split}" "${tmp_nft}"
@ -871,7 +872,7 @@ f_restore() {
return ${restore_rc} return ${restore_rc}
} }
# remove disabled feeds # remove disabled Sets
# #
f_rmset() { f_rmset() {
local feedlist tmp_del ruleset_raw item table_sets handle del_set feed_log feed_rc local feedlist tmp_del ruleset_raw item table_sets handle del_set feed_log feed_rc
@ -1068,12 +1069,12 @@ f_lookup() {
done done
if [ -n "${elementsv4}" ]; then if [ -n "${elementsv4}" ]; then
if ! "${ban_nftcmd}" add element inet banIP "${feed}v4" "{ ${elementsv4} }" >/dev/null 2>&1; then if ! "${ban_nftcmd}" add element inet banIP "${feed}v4" "{ ${elementsv4} }" >/dev/null 2>&1; then
f_log "info" "failed to add lookup file to '${feed}v4' Set" f_log "info" "can't add lookup file to Set '${feed}v4'"
fi fi
fi fi
if [ -n "${elementsv6}" ]; then if [ -n "${elementsv6}" ]; then
if ! "${ban_nftcmd}" add element inet banIP "${feed}v6" "{ ${elementsv6} }" >/dev/null 2>&1; then if ! "${ban_nftcmd}" add element inet banIP "${feed}v6" "{ ${elementsv6} }" >/dev/null 2>&1; then
f_log "info" "failed to add lookup file to '${feed}v6' Set" f_log "info" "can't add lookup file to Set '${feed}v6'"
fi fi
fi fi
end_time="$(date "+%s")" end_time="$(date "+%s")"
@ -1245,7 +1246,7 @@ f_report() {
rm -f "${report_txt}" rm -f "${report_txt}"
} }
# set search # Set search
# #
f_search() { f_search() {
local item table_sets ip proto hold cnt result_flag="/var/run/banIP.search" input="${1}" local item table_sets ip proto hold cnt result_flag="/var/run/banIP.search" input="${1}"
@ -1287,7 +1288,7 @@ f_search() {
printf " %s\n" "IP not found" printf " %s\n" "IP not found"
} }
# set survey # Set survey
# #
f_survey() { f_survey() {
local set_elements input="${1}" local set_elements input="${1}"
@ -1298,12 +1299,12 @@ f_survey() {
fi fi
set_elements="$("${ban_nftcmd}" -j list set inet banIP "${input}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]')" set_elements="$("${ban_nftcmd}" -j list set inet banIP "${input}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]')"
printf "%s\n%s\n%s\n" ":::" "::: banIP Survey" ":::" printf "%s\n%s\n%s\n" ":::" "::: banIP Survey" ":::"
printf " %s\n" "List the elements of Set '${input}' on $(date "+%Y-%m-%d %H:%M:%S")" printf " %s\n" "List of elements in the Set '${input}' on $(date "+%Y-%m-%d %H:%M:%S")"
printf " %s\n" "---" printf " %s\n" "---"
[ -n "${set_elements}" ] && printf "%s\n" "${set_elements}" || printf " %s\n" "empty set" [ -n "${set_elements}" ] && printf "%s\n" "${set_elements}" || printf " %s\n" "empty Set"
} }
# send status mails # send status mail
# #
f_mail() { f_mail() {
local msmtp_debug local msmtp_debug
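Review bot: the last printf line of f_survey, `[ -n "${set_elements}" ] && printf ... || printf " %s\n" "empty Set"`, is not a true if/else: if the first printf fails, the "empty Set" fallback is printed after the elements. A plain `if/else` avoids that. Separately, `jsonfilter -qe '@.nftables[*].set.elem[*]'` emits whatever nft's JSON holds for each element; for prefix or timeout elements that is a JSON object rather than a bare address, so the survey output is not uniform and deserves either a comment or an unwrap of the value.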
@ -1313,19 +1314,16 @@ f_mail() {
if [ -r "${ban_mailtemplate}" ]; then if [ -r "${ban_mailtemplate}" ]; then
. "${ban_mailtemplate}" . "${ban_mailtemplate}"
else else
f_log "info" "the mail template is missing" f_log "info" "no mail template"
fi fi
[ -z "${mail_text}" ] && f_log "info" "the 'mail_text' template variable is empty" [ -z "${mail_text}" ] && f_log "info" "no mail content"
[ "${ban_debug}" = "1" ] && msmtp_debug="--debug" [ "${ban_debug}" = "1" ] && msmtp_debug="--debug"
# send mail # send mail
# #
ban_mailhead="From: ${ban_mailsender}\nTo: ${ban_mailreceiver}\nSubject: ${ban_mailtopic}\nReply-to: ${ban_mailsender}\nMime-Version: 1.0\nContent-Type: text/html;charset=utf-8\nContent-Disposition: inline\n\n" ban_mailhead="From: ${ban_mailsender}\nTo: ${ban_mailreceiver}\nSubject: ${ban_mailtopic}\nReply-to: ${ban_mailsender}\nMime-Version: 1.0\nContent-Type: text/html;charset=utf-8\nContent-Disposition: inline\n\n"
if printf "%b" "${ban_mailhead}${mail_text}" | "${ban_mailcmd}" --timeout=10 ${msmtp_debug} -a "${ban_mailprofile}" "${ban_mailreceiver}" >/dev/null 2>&1; then printf "%b" "${ban_mailhead}${mail_text}" | "${ban_mailcmd}" --timeout=10 ${msmtp_debug} -a "${ban_mailprofile}" "${ban_mailreceiver}" >/dev/null 2>&1
f_log "info" "status mail was sent successfully" f_log "info" "send status mail (${?})"
else
f_log "info" "failed to send status mail (${?})"
fi
f_log "debug" "f_mail ::: notification: ${ban_mailnotification}, template: ${ban_mailtemplate}, profile: ${ban_mailprofile}, receiver: ${ban_mailreceiver}, rc: ${?}" f_log "debug" "f_mail ::: notification: ${ban_mailnotification}, template: ${ban_mailtemplate}, profile: ${ban_mailprofile}, receiver: ${ban_mailreceiver}, rc: ${?}"
} }
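Review bot: the `${?}` in the debug line at the end of f_mail no longer refers to msmtp. After this change `f_log "info" "send status mail (${?})"` is itself a command, so the later `rc: ${?}` reports f_log's exit status, and the distinct failure branch is gone, leaving only a bare number in an info-level line. Suggest `rc="${?}"` directly after the pipeline, then `f_log "info" "send status mail (${rc})"` and `rc: ${rc}` in the debug line (or keep the if/else with an "err" entry on failure). Also, `[ -z "${mail_text}" ] && f_log "info" "no mail content"` still goes on to send the mail with an empty body; a `return` there would avoid an empty notification.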
@ -1345,8 +1343,7 @@ fi
# #
f_system f_system
if [ "${ban_action}" != "stop" ]; then if [ "${ban_action}" != "stop" ]; then
[ ! -d "/etc/banip" ] && f_log "err" "banIP config directory not found, please re-install the package" [ ! -d "/etc/banip" ] && f_log "err" "no banIP config directory"
[ ! -r "/etc/banip/banip.feeds" ] && f_log "err" "banIP feed file not found, please re-install the package" [ ! -r "/etc/config/banip" ] && f_log "err" "no banIP config"
[ ! -r "/etc/config/banip" ] && f_log "err" "banIP config not found, please re-install the package" [ "$(uci_get banip global ban_enabled)" = "0" ] && f_log "err" "banIP is disabled"
[ "$(uci_get banip global ban_enabled)" = "0" ] && f_log "err" "banIP is currently disabled, please set the config option 'ban_enabled' to '1' to use this service"
fi fi
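Review bot: the readability check for /etc/banip/banip.feeds is dropped without a replacement; the service script still selects feeds from that JSON (`json_select "${feed}"` in the feed loop), so a missing or unreadable feed file is no longer caught up front and will likely surface later as every feed being treated as unknown. If the check moved elsewhere, the commit message should say so; otherwise keep the line. The shortened texts also lose the "please re-install the package" hint, which was the actionable part for a user reading the log.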


@ -1,5 +1,5 @@
#!/bin/sh #!/bin/sh
# banIP main service script - ban incoming and outgoing ip addresses/subnets via Sets in nftables # banIP main service script - ban incoming and outgoing IPs via named nftables Sets
# Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org) # Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org)
# This is free software, licensed under the GNU General Public License v3. # This is free software, licensed under the GNU General Public License v3.
@ -36,10 +36,10 @@ if [ "${ban_action}" != "reload" ]; then
sleep 1 sleep 1
done done
if ! /etc/init.d/firewall status >/dev/null 2>&1; then if ! /etc/init.d/firewall status >/dev/null 2>&1; then
f_log "err" "nft based firewall/fw4 not functional" f_log "err" "error in nft based firewall/fw4"
fi fi
else else
f_log "err" "nft based firewall/fw4 not found" f_log "err" "no nft based firewall/fw4"
fi fi
fi fi
@ -47,9 +47,9 @@ fi
# #
if [ "${ban_action}" != "reload" ] || ! "${ban_nftcmd}" -t list set inet banIP allowlistvMAC >/dev/null 2>&1; then if [ "${ban_action}" != "reload" ] || ! "${ban_nftcmd}" -t list set inet banIP allowlistvMAC >/dev/null 2>&1; then
if f_nftinit "${ban_tmpfile}".init.nft; then if f_nftinit "${ban_tmpfile}".init.nft; then
f_log "info" "nft namespace initialized" f_log "info" "initialize nft namespace"
else else
f_log "err" "nft namespace can't be initialized" f_log "err" "can't initialize nft namespace"
fi fi
fi fi
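Review bot: `f_log "info" "initialize nft namespace"` is emitted after f_nftinit has already succeeded, but the imperative wording reads like an announcement of an action about to happen. Paired with "can't initialize nft namespace" on the failure path it is still distinguishable, yet a result form ("nft namespace initialized") makes success and failure easier to tell apart when grepping logread; the same applies to the other imperative success messages in this commit ("add IP...", "remove unknown feed...").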
@ -83,7 +83,7 @@ for feed in allowlist ${ban_feed} blocklist; do
# external feeds # external feeds
# #
if ! json_select "${feed}" >/dev/null 2>&1; then if ! json_select "${feed}" >/dev/null 2>&1; then
f_log "info" "unknown feed '${feed}' will be removed" f_log "info" "remove unknown feed '${feed}'"
uci_remove_list banip global ban_feed "${feed}" uci_remove_list banip global ban_feed "${feed}"
uci_commit "banip" uci_commit "banip"
continue continue
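Review bot: `uci_commit "banip"` runs inside the feed loop, once per unknown feed, so several stale entries mean several writes to /etc/config/banip during one reload. A single commit after the loop, guarded by a flag set in this branch, would be cheaper and atomic from a reader's point of view; the `uci_remove_list` and `continue` stay as they are.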
@ -99,7 +99,7 @@ for feed in allowlist ${ban_feed} blocklist; do
if { { [ -n "${feed_url_4}" ] && [ -z "${feed_rule_4}" ]; } || { [ -z "${feed_url_4}" ] && [ -n "${feed_rule_4}" ]; }; } || if { { [ -n "${feed_url_4}" ] && [ -z "${feed_rule_4}" ]; } || { [ -z "${feed_url_4}" ] && [ -n "${feed_rule_4}" ]; }; } ||
{ { [ -n "${feed_url_6}" ] && [ -z "${feed_rule_6}" ]; } || { [ -z "${feed_url_6}" ] && [ -n "${feed_rule_6}" ]; }; } || { { [ -n "${feed_url_6}" ] && [ -z "${feed_rule_6}" ]; } || { [ -z "${feed_url_6}" ] && [ -n "${feed_rule_6}" ]; }; } ||
{ [ -z "${feed_url_4}" ] && [ -z "${feed_rule_4}" ] && [ -z "${feed_url_6}" ] && [ -z "${feed_rule_6}" ]; }; then { [ -z "${feed_url_4}" ] && [ -z "${feed_rule_4}" ] && [ -z "${feed_url_6}" ] && [ -z "${feed_rule_6}" ]; }; then
f_log "info" "incomplete feed '${feed}' will be skipped" f_log "info" "skip incomplete feed '${feed}'"
continue continue
fi fi
@ -138,7 +138,6 @@ wait
f_rmset f_rmset
f_rmdir "${ban_tmpdir}" f_rmdir "${ban_tmpdir}"
f_genstatus "active" f_genstatus "active"
f_log "info" "finish banIP download processes"
# start domain lookup # start domain lookup
# #
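Review bot: removing the "finish banIP download processes" info line after `wait` leaves no log marker for the end of the download phase; `f_genstatus "active"` updates the status file but not the log, so a user following logread can no longer tell whether a slow reload is still downloading. If the removal is deliberate, it is worth a mention in the commit message.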
@ -191,15 +190,15 @@ if [ -x "${ban_logreadcmd}" ] && [ -n "${ban_logterm%%??}" ] && [ "${ban_loglimi
[ -n "${ip}" ] && proto="v6" [ -n "${ip}" ] && proto="v6"
fi fi
if [ -n "${proto}" ] && ! "${ban_nftcmd}" get element inet banIP blocklist"${proto}" "{ ${ip} }" >/dev/null 2>&1; then if [ -n "${proto}" ] && ! "${ban_nftcmd}" get element inet banIP blocklist"${proto}" "{ ${ip} }" >/dev/null 2>&1; then
f_log "info" "suspicious IP${proto} found '${ip}'" f_log "info" "suspicious IP${proto} '${ip}'"
log_raw="$("${ban_logreadcmd}" -l "${ban_loglimit}" 2>/dev/null)" log_raw="$("${ban_logreadcmd}" -l "${ban_loglimit}" 2>/dev/null)"
log_count="$(printf "%s\n" "${log_raw}" | grep -c "found '${ip}'")" log_count="$(printf "%s\n" "${log_raw}" | grep -c "found '${ip}'")"
if [ "${log_count}" -ge "${ban_logcount}" ]; then if [ "${log_count}" -ge "${ban_logcount}" ]; then
if "${ban_nftcmd}" add element inet banIP "blocklist${proto}" "{ ${ip} ${nft_expiry} }" >/dev/null 2>&1; then if "${ban_nftcmd}" add element inet banIP "blocklist${proto}" "{ ${ip} ${nft_expiry} }" >/dev/null 2>&1; then
f_log "info" "added IP${proto} '${ip}' (expiry: ${nft_expiry:-"-"}) to blocklist${proto} set" f_log "info" "add IP${proto} '${ip}' (expiry: ${nft_expiry:-"-"}) to blocklist${proto} set"
if [ "${ban_autoblocklist}" = "1" ] && ! grep -q "^${ip}" "${ban_blocklist}"; then if [ "${ban_autoblocklist}" = "1" ] && ! grep -q "^${ip}" "${ban_blocklist}"; then
printf "%-42s%s\n" "${ip}" "# added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_blocklist}" printf "%-42s%s\n" "${ip}" "# added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_blocklist}"
f_log "info" "added IP${proto} '${ip}' to local blocklist" f_log "info" "add IP${proto} '${ip}' to local blocklist"
fi fi
fi fi
fi fi
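Review bot: the log_count logic breaks with the new message text. `grep -c "found '${ip}'"` on the log_raw output counts the "suspicious IP... found '<ip>'" entries banIP itself wrote, but the message on the line above was changed to "suspicious IP${proto} '${ip}'", which no longer contains "found '", so log_count stays at 0 for banIP's own hits and the ban_logcount threshold is never reached. Either keep "found" in the message or change the pattern to the new wording; since the IP is used unescaped in a basic regex (dots match any character), `grep -Fc "suspicious IP${proto} '${ip}'"` is the safer form. Also, "to blocklist${proto} set" still uses lowercase "set" while the rest of the commit standardizes on "Set".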


@ -1,5 +1,5 @@
#!/bin/sh /etc/rc.common #!/bin/sh /etc/rc.common
# banIP init script - ban incoming and outgoing ip adresses/subnets via sets in nftables # banIP init script - ban incoming and outgoing IPs via named nftables Sets
# Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org) # Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org)
# This is free software, licensed under the GNU General Public License v3. # This is free software, licensed under the GNU General Public License v3.
@ -9,9 +9,9 @@
START=30 START=30
USE_PROCD=1 USE_PROCD=1
extra_command "report" "[text|json|mail] Print banIP related set statistics" extra_command "report" "[text|json|mail] Print banIP related Set statistics"
extra_command "search" "[<IPv4 address>|<IPv6 address>] Check if an element exists in a banIP set" extra_command "search" "[<IPv4 address>|<IPv6 address>] Check if an element exists in a banIP Set"
extra_command "survey" "[<set name>] List all elements of a given banIP set" extra_command "survey" "[<Set name>] List all elements of a given banIP Set"
extra_command "lookup" "Lookup the IPs of domain names in the local lists and update them" extra_command "lookup" "Lookup the IPs of domain names in the local lists and update them"
ban_init="/etc/init.d/banip" ban_init="/etc/init.d/banip"
@ -45,7 +45,7 @@ start_service() {
procd_close_instance procd_close_instance
else else
[ -z "$(command -v "f_system")" ] && . "${ban_funlib}" [ -z "$(command -v "f_system")" ] && . "${ban_funlib}"
f_log "err" "banIP service autostart is currently disabled, please enable the service autostart with '/etc/init.d/banip enable'" f_log "err" "banIP service autostart is disabled"
rm -rf "${ban_lock}" rm -rf "${ban_lock}"
fi fi
} }
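Review bot: the shortened message drops the remedy ('/etc/init.d/banip enable'), which is the one piece of information a user hitting this branch needs; suggest keeping a short hint such as "banIP service autostart is disabled, run '/etc/init.d/banip enable'". Unchanged but worth a glance: if ban_lock is a plain lock file, `rm -f "${ban_lock}"` suffices and avoids the recursive flag.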


@ -1,5 +1,5 @@
# banIP mail template/include # banIP mail template/include - ban incoming and outgoing IPs via named nftables Sets
# Copyright (c) 2020-2023 Dirk Brenken (dev@brenken.org) # Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org)
# This is free software, licensed under the GNU General Public License v3. # This is free software, licensed under the GNU General Public License v3.
# info preparation # info preparation
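Review bot: the copyright line changes the start year from 2020 to 2018; if the mail template was first added in 2020, as the old header states, that year was correct and should not be rewritten to match the other files' range. Please confirm which year applies before merging.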