Difuse/packages
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

banip: update 0.8.4-3

Browse source 
* add the option 'ban_autoallowuplink' to limit the uplink autoallow function: 'subnet' (default), 'ip' or 'disable'

Signed-off-by: Dirk Brenken <dev@brenken.org>
This commit is contained in:
Dirk Brenken 2023-05-02 21:41:37 +02:00
parent f1e33826fb
commit 829a9a61c2
No known key found for this signature in database
GPG key ID: 9D71CD547BFAE684
4 changed files with 49 additions and 39 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
net/banip/Makefile
View file

@ -1,5 +1,5 @@
# #
# banIP - ban incoming and outgoing ip addresses/subnets via sets in nftables # banIP - ban incoming and outgoing ip addresses/subnets via Sets in nftables
# Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org) # Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org)
# This is free software, licensed under the GNU General Public License v3. # This is free software, licensed under the GNU General Public License v3.
# #
@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=banip PKG_NAME:=banip
PKG_VERSION:=0.8.4 PKG_VERSION:=0.8.4
PKG_RELEASE:=2 PKG_RELEASE:=3
PKG_LICENSE:=GPL-3.0-or-later PKG_LICENSE:=GPL-3.0-or-later
PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org> PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>
@ -23,7 +23,7 @@ define Package/banip
endef endef
define Package/banip/description define Package/banip/description
banIP blocks IP addresses via named nftables sets. banIP blocks IP addresses via named nftables Sets.
banIP supports many IP blocklist feeds and provides a log service to block suspicious IPs in realtime. banIP supports many IP blocklist feeds and provides a log service to block suspicious IPs in realtime.
Please see https://github.com/openwrt/packages/blob/master/net/banip/files/README.md for further information. Please see https://github.com/openwrt/packages/blob/master/net/banip/files/README.md for further information.

1
net/banip/files/README.md
View file

@ -139,6 +139,7 @@ Available commands:
| ban_logforwardlan | option | 0 | log rejects in the lan-forward chain | | ban_logforwardlan | option | 0 | log rejects in the lan-forward chain |
| ban_autoallowlist | option | 1 | add wan IPs/subnets and resolved domains automatically to the local allowlist (not only to the Sets) | | ban_autoallowlist | option | 1 | add wan IPs/subnets and resolved domains automatically to the local allowlist (not only to the Sets) |
| ban_autoblocklist | option | 1 | add suspicious attacker IPs and resolved domains automatically to the local blocklist (not only to the Sets) | | ban_autoblocklist | option | 1 | add suspicious attacker IPs and resolved domains automatically to the local blocklist (not only to the Sets) |
| ban_autoallowuplink | option | subnet | limit the uplink autoallow function to: 'subnet', 'ip' or 'disable' it at all |
| ban_allowlistonly | option | 0 | restrict the internet access from/to a small number of secure websites/IPs | | ban_allowlistonly | option | 0 | restrict the internet access from/to a small number of secure websites/IPs |
| ban_basedir | option | /tmp | base working directory while banIP processing | | ban_basedir | option | /tmp | base working directory while banIP processing |
| ban_reportdir | option | /tmp/banIP-report | directory where banIP stores the report files | | ban_reportdir | option | /tmp/banIP-report | directory where banIP stores the report files |

49
net/banip/files/banip-functions.sh
View file

@ -51,6 +51,7 @@ ban_logforwardwan="1"
ban_logforwardlan="0" ban_logforwardlan="0"
ban_allowlistonly="0" ban_allowlistonly="0"
ban_autoallowlist="1" ban_autoallowlist="1"
ban_autoallowuplink="subnet"
ban_autoblocklist="1" ban_autoblocklist="1"
ban_deduplicate="1" ban_deduplicate="1"
ban_splitsize="0" ban_splitsize="0"
@ -65,7 +66,7 @@ ban_protov6="0"
ban_ifv4="" ban_ifv4=""
ban_ifv6="" ban_ifv6=""
ban_dev="" ban_dev=""
ban_sub="" ban_uplink=""
ban_fetchinsecure="" ban_fetchinsecure=""
ban_cores="" ban_cores=""
ban_memory="" ban_memory=""
@ -401,34 +402,42 @@ f_getdev() {
f_log "debug" "f_getdev ::: auto/update: ${ban_autodetect}/${update}, devices: ${ban_dev}, cnt: ${cnt}" f_log "debug" "f_getdev ::: auto/update: ${ban_autodetect}/${update}, devices: ${ban_dev}, cnt: ${cnt}"
} }
# get local subnets # get local uplink
# #
f_getsub() { f_getuplink() {
local sub iface ip update="0" local uplink iface ip update="0"
if [ "${ban_autoallowlist}" = "1" ]; then if [ "${ban_autoallowlist}" = "1" ] && [ "${ban_autoallowuplink}" != "disable" ]; then
for iface in ${ban_ifv4} ${ban_ifv6}; do for iface in ${ban_ifv4} ${ban_ifv6}; do
network_flush_cache network_flush_cache
network_get_subnet sub "${iface}" if [ "${ban_autoallowuplink}" = "subnet" ]; then
if [ -n "${sub}" ] && ! printf " %s " "${ban_sub}" | "${ban_grepcmd}" -q " ${sub} "; then network_get_subnet uplink "${iface}"
ban_sub="${ban_sub}${sub} " elif [ "${ban_autoallowuplink}" = "ip" ]; then
network_get_ipaddr uplink "${iface}"
fi fi
network_get_subnet6 sub "${iface}" if [ -n "${uplink}" ] && ! printf " %s " "${ban_uplink}" | "${ban_grepcmd}" -q " ${uplink} "; then
if [ -n "${sub}" ] && ! printf " %s " "${ban_sub}" | "${ban_grepcmd}" -q " ${sub} "; then ban_uplink="${ban_uplink}${uplink} "
ban_sub="${ban_sub}${sub} " fi
if [ "${ban_autoallowuplink}" = "subnet" ]; then
network_get_subnet6 uplink "${iface}"
elif [ "${ban_autoallowuplink}" = "ip" ]; then
network_get_ipaddr6 uplink "${iface}"
fi
if [ -n "${uplink}" ] && ! printf " %s " "${ban_uplink}" | "${ban_grepcmd}" -q " ${uplink} "; then
ban_uplink="${ban_uplink}${uplink} "
fi fi
done done
for ip in ${ban_sub}; do for ip in ${ban_uplink}; do
if ! "${ban_grepcmd}" -q "${ip}" "${ban_allowlist}"; then if ! "${ban_grepcmd}" -q "${ip}" "${ban_allowlist}"; then
update="1" update="1"
printf "%-42s%s\n" "${ip}" "# subnet added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_allowlist}" printf "%-42s%s\n" "${ip}" "# uplink added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_allowlist}"
f_log "info" "added subnet '${ip}' to local allowlist" f_log "info" "added uplink '${ip}' to local allowlist"
fi fi
done done
ban_sub="${ban_sub%%?}" ban_uplink="${ban_uplink%%?}"
fi fi
f_log "debug" "f_getsub ::: auto/update: ${ban_autoallowlist}/${update}, subnet(s): ${ban_sub:-"-"}" f_log "debug" "f_getuplink ::: auto/update: ${ban_autoallowlist}/${update}, uplink: ${ban_uplink:-"-"}"
} }
# get feed information # get feed information
@ -941,10 +950,10 @@ f_genstatus() {
json_close_object json_close_object
done done
json_close_array json_close_array
json_add_array "active_subnets" json_add_array "active_uplink"
for object in ${ban_sub:-"-"}; do for object in ${ban_uplink:-"-"}; do
json_add_object json_add_object
json_add_string "subnet" "${object}" json_add_string "uplink" "${object}"
json_close_object json_close_object
done done
json_close_array json_close_array
@ -1063,7 +1072,7 @@ f_lookup() {
end_time="$(date "+%s")" end_time="$(date "+%s")"
duration="$(((end_time - start_time) / 60))m $(((end_time - start_time) % 60))s" duration="$(((end_time - start_time) / 60))m $(((end_time - start_time) % 60))s"
f_log "debug" "feed: ${feed}, domains: ${cnt_domain}, IPs: ${cnt_ip}, duration: ${duration}" f_log "debug" "f_lookup ::: feed: ${feed}, domains: ${cnt_domain}, IPs: ${cnt_ip}, duration: ${duration}"
} }
# table statistics # table statistics

4
net/banip/files/banip-service.sh
View file

@ -1,5 +1,5 @@
#!/bin/sh #!/bin/sh
# banIP main service script - ban incoming and outgoing ip addresses/subnets via sets in nftables # banIP main service script - ban incoming and outgoing ip addresses/subnets via Sets in nftables
# Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org) # Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org)
# This is free software, licensed under the GNU General Public License v3. # This is free software, licensed under the GNU General Public License v3.
@ -21,7 +21,7 @@ f_tmp
f_fetch f_fetch
f_getif f_getif
f_getdev f_getdev
f_getsub f_getuplink
f_mkdir "${ban_backupdir}" f_mkdir "${ban_backupdir}"
f_mkfile "${ban_blocklist}" f_mkfile "${ban_blocklist}"
f_mkfile "${ban_allowlist}" f_mkfile "${ban_allowlist}"