banip: update 0.8.4-3

* add the option 'ban_autoallowuplink' to limit the uplink autoallow function: 'subnet' (default), 'ip' or 'disable'

Signed-off-by: Dirk Brenken <dev@brenken.org>
Dirk Brenken 2023-05-02 21:41:37 +02:00
parent f1e33826fb
commit 829a9a61c2
4 changed files with 49 additions and 39 deletions


@ -1,5 +1,5 @@
# #
# banIP - ban incoming and outgoing ip addresses/subnets via sets in nftables # banIP - ban incoming and outgoing ip addresses/subnets via Sets in nftables
# Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org) # Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org)
# This is free software, licensed under the GNU General Public License v3. # This is free software, licensed under the GNU General Public License v3.
# #
@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=banip PKG_NAME:=banip
PKG_VERSION:=0.8.4 PKG_VERSION:=0.8.4
PKG_RELEASE:=2 PKG_RELEASE:=3
PKG_LICENSE:=GPL-3.0-or-later PKG_LICENSE:=GPL-3.0-or-later
PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org> PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>
@ -23,7 +23,7 @@ define Package/banip
endef endef
define Package/banip/description define Package/banip/description
banIP blocks IP addresses via named nftables sets. banIP blocks IP addresses via named nftables Sets.
banIP supports many IP blocklist feeds and provides a log service to block suspicious IPs in realtime. banIP supports many IP blocklist feeds and provides a log service to block suspicious IPs in realtime.
Please see https://github.com/openwrt/packages/blob/master/net/banip/files/README.md for further information. Please see https://github.com/openwrt/packages/blob/master/net/banip/files/README.md for further information.


@ -139,6 +139,7 @@ Available commands:
| ban_logforwardlan | option | 0 | log rejects in the lan-forward chain | | ban_logforwardlan | option | 0 | log rejects in the lan-forward chain |
| ban_autoallowlist | option | 1 | add wan IPs/subnets and resolved domains automatically to the local allowlist (not only to the Sets) | | ban_autoallowlist | option | 1 | add wan IPs/subnets and resolved domains automatically to the local allowlist (not only to the Sets) |
| ban_autoblocklist | option | 1 | add suspicious attacker IPs and resolved domains automatically to the local blocklist (not only to the Sets) | | ban_autoblocklist | option | 1 | add suspicious attacker IPs and resolved domains automatically to the local blocklist (not only to the Sets) |
| ban_autoallowuplink | option | subnet | limit the uplink autoallow function to: 'subnet', 'ip' or 'disable' it at all |
| ban_allowlistonly | option | 0 | restrict the internet access from/to a small number of secure websites/IPs | | ban_allowlistonly | option | 0 | restrict the internet access from/to a small number of secure websites/IPs |
| ban_basedir | option | /tmp | base working directory while banIP processing | | ban_basedir | option | /tmp | base working directory while banIP processing |
| ban_reportdir | option | /tmp/banIP-report | directory where banIP stores the report files | | ban_reportdir | option | /tmp/banIP-report | directory where banIP stores the report files |


@ -51,6 +51,7 @@ ban_logforwardwan="1"
ban_logforwardlan="0" ban_logforwardlan="0"
ban_allowlistonly="0" ban_allowlistonly="0"
ban_autoallowlist="1" ban_autoallowlist="1"
ban_autoallowuplink="subnet"
ban_autoblocklist="1" ban_autoblocklist="1"
ban_deduplicate="1" ban_deduplicate="1"
ban_splitsize="0" ban_splitsize="0"
@ -65,7 +66,7 @@ ban_protov6="0"
ban_ifv4="" ban_ifv4=""
ban_ifv6="" ban_ifv6=""
ban_dev="" ban_dev=""
ban_sub="" ban_uplink=""
ban_fetchinsecure="" ban_fetchinsecure=""
ban_cores="" ban_cores=""
ban_memory="" ban_memory=""
@ -105,7 +106,7 @@ f_mkdir() {
if [ ! -d "${dir}" ]; then if [ ! -d "${dir}" ]; then
rm -f "${dir}" rm -f "${dir}"
mkdir -p "${dir}" mkdir -p "${dir}"
f_log "debug" "f_mkdir ::: created directory: ${dir}" f_log "debug" "f_mkdir ::: created directory: ${dir}"
fi fi
} }
@ -116,7 +117,7 @@ f_mkfile() {
if [ ! -f "${file}" ]; then if [ ! -f "${file}" ]; then
: >"${file}" : >"${file}"
f_log "debug" "f_mkfile ::: created file: ${file}" f_log "debug" "f_mkfile ::: created file: ${file}"
fi fi
} }
@ -127,7 +128,7 @@ f_tmp() {
ban_tmpdir="$(mktemp -p "${ban_basedir}" -d)" ban_tmpdir="$(mktemp -p "${ban_basedir}" -d)"
ban_tmpfile="$(mktemp -p "${ban_tmpdir}" -tu)" ban_tmpfile="$(mktemp -p "${ban_tmpdir}" -tu)"
f_log "debug" "f_tmp ::: base_dir: ${ban_basedir:-"-"}, tmp_dir: ${ban_tmpdir:-"-"}" f_log "debug" "f_tmp ::: base_dir: ${ban_basedir:-"-"}, tmp_dir: ${ban_tmpdir:-"-"}"
} }
# remove directories # remove directories
@ -137,7 +138,7 @@ f_rmdir() {
if [ -d "${dir}" ]; then if [ -d "${dir}" ]; then
rm -rf "${dir}" rm -rf "${dir}"
f_log "debug" "f_rmdir ::: deleted directory: ${dir}" f_log "debug" "f_rmdir ::: deleted directory: ${dir}"
fi fi
} }
@ -286,7 +287,7 @@ f_fetch() {
;; ;;
esac esac
f_log "debug" "f_fetch ::: fetch_cmd: ${ban_fetchcmd:-"-"}, fetch_parm: ${ban_fetchparm:-"-"}" f_log "debug" "f_fetch ::: fetch_cmd: ${ban_fetchcmd:-"-"}, fetch_parm: ${ban_fetchparm:-"-"}"
} }
# remove logservice # remove logservice
@ -363,7 +364,7 @@ f_getif() {
fi fi
[ -z "${ban_ifv4}" ] && [ -z "${ban_ifv6}" ] && f_log "err" "wan interfaces not found, please check your configuration" [ -z "${ban_ifv4}" ] && [ -z "${ban_ifv6}" ] && f_log "err" "wan interfaces not found, please check your configuration"
f_log "debug" "f_getif ::: auto/update: ${ban_autodetect}/${update}, interfaces (4/6): ${ban_ifv4}/${ban_ifv6}, protocols (4/6): ${ban_protov4}/${ban_protov6}" f_log "debug" "f_getif ::: auto/update: ${ban_autodetect}/${update}, interfaces (4/6): ${ban_ifv4}/${ban_ifv6}, protocols (4/6): ${ban_protov4}/${ban_protov6}"
} }
# get wan devices # get wan devices
@ -398,37 +399,45 @@ f_getdev() {
ban_dev="${ban_dev%%?}" ban_dev="${ban_dev%%?}"
[ -z "${ban_dev}" ] && f_log "err" "wan devices not found, please check your configuration" [ -z "${ban_dev}" ] && f_log "err" "wan devices not found, please check your configuration"
f_log "debug" "f_getdev ::: auto/update: ${ban_autodetect}/${update}, devices: ${ban_dev}, cnt: ${cnt}" f_log "debug" "f_getdev ::: auto/update: ${ban_autodetect}/${update}, devices: ${ban_dev}, cnt: ${cnt}"
} }
# get local subnets # get local uplink
# #
f_getsub() { f_getuplink() {
local sub iface ip update="0" local uplink iface ip update="0"
if [ "${ban_autoallowlist}" = "1" ]; then if [ "${ban_autoallowlist}" = "1" ] && [ "${ban_autoallowuplink}" != "disable" ]; then
for iface in ${ban_ifv4} ${ban_ifv6}; do for iface in ${ban_ifv4} ${ban_ifv6}; do
network_flush_cache network_flush_cache
network_get_subnet sub "${iface}" if [ "${ban_autoallowuplink}" = "subnet" ]; then
if [ -n "${sub}" ] && ! printf " %s " "${ban_sub}" | "${ban_grepcmd}" -q " ${sub} "; then network_get_subnet uplink "${iface}"
ban_sub="${ban_sub}${sub} " elif [ "${ban_autoallowuplink}" = "ip" ]; then
network_get_ipaddr uplink "${iface}"
fi fi
network_get_subnet6 sub "${iface}" if [ -n "${uplink}" ] && ! printf " %s " "${ban_uplink}" | "${ban_grepcmd}" -q " ${uplink} "; then
if [ -n "${sub}" ] && ! printf " %s " "${ban_sub}" | "${ban_grepcmd}" -q " ${sub} "; then ban_uplink="${ban_uplink}${uplink} "
ban_sub="${ban_sub}${sub} " fi
if [ "${ban_autoallowuplink}" = "subnet" ]; then
network_get_subnet6 uplink "${iface}"
elif [ "${ban_autoallowuplink}" = "ip" ]; then
network_get_ipaddr6 uplink "${iface}"
fi
if [ -n "${uplink}" ] && ! printf " %s " "${ban_uplink}" | "${ban_grepcmd}" -q " ${uplink} "; then
ban_uplink="${ban_uplink}${uplink} "
fi fi
done done
for ip in ${ban_sub}; do for ip in ${ban_uplink}; do
if ! "${ban_grepcmd}" -q "${ip}" "${ban_allowlist}"; then if ! "${ban_grepcmd}" -q "${ip}" "${ban_allowlist}"; then
update="1" update="1"
printf "%-42s%s\n" "${ip}" "# subnet added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_allowlist}" printf "%-42s%s\n" "${ip}" "# uplink added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_allowlist}"
f_log "info" "added subnet '${ip}' to local allowlist" f_log "info" "added uplink '${ip}' to local allowlist"
fi fi
done done
ban_sub="${ban_sub%%?}" ban_uplink="${ban_uplink%%?}"
fi fi
f_log "debug" "f_getsub ::: auto/update: ${ban_autoallowlist}/${update}, subnet(s): ${ban_sub:-"-"}" f_log "debug" "f_getuplink ::: auto/update: ${ban_autoallowlist}/${update}, uplink: ${ban_uplink:-"-"}"
} }
# get feed information # get feed information
@ -499,7 +508,7 @@ f_nftinit() {
feed_log="$("${ban_nftcmd}" -f "${file}" 2>&1)" feed_log="$("${ban_nftcmd}" -f "${file}" 2>&1)"
feed_rc="${?}" feed_rc="${?}"
f_log "debug" "f_nftinit ::: devices: ${ban_dev}, priority: ${ban_nftpriority}, policy: ${ban_nftpolicy}, loglevel: ${ban_nftloglevel}, rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}" f_log "debug" "f_nftinit ::: devices: ${ban_dev}, priority: ${ban_nftpriority}, policy: ${ban_nftpolicy}, loglevel: ${ban_nftloglevel}, rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}"
return ${feed_rc} return ${feed_rc}
} }
@ -824,7 +833,7 @@ f_down() {
rm -f "${tmp_split}" "${tmp_nft}" rm -f "${tmp_split}" "${tmp_nft}"
end_ts="$(date +%s)" end_ts="$(date +%s)"
f_log "debug" "f_down ::: name: ${feed}, cnt_dl: ${cnt_dl:-"-"}, cnt_set: ${cnt_set:-"-"}, split_size: ${ban_splitsize:-"-"}, time: $((end_ts - start_ts)), rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}" f_log "debug" "f_down ::: name: ${feed}, cnt_dl: ${cnt_dl:-"-"}, cnt_set: ${cnt_set:-"-"}, split_size: ${ban_splitsize:-"-"}, time: $((end_ts - start_ts)), rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}"
} }
# backup feeds # backup feeds
@ -835,7 +844,7 @@ f_backup() {
gzip -cf "${feed_file}" >"${ban_backupdir}/banIP.${feed}.gz" gzip -cf "${feed_file}" >"${ban_backupdir}/banIP.${feed}.gz"
backup_rc="${?}" backup_rc="${?}"
f_log "debug" "f_backup ::: name: ${feed}, source: ${feed_file##*/}, target: banIP.${feed}.gz, rc: ${backup_rc}" f_log "debug" "f_backup ::: name: ${feed}, source: ${feed_file##*/}, target: banIP.${feed}.gz, rc: ${backup_rc}"
return ${backup_rc} return ${backup_rc}
} }
@ -851,7 +860,7 @@ f_restore() {
restore_rc="${?}" restore_rc="${?}"
fi fi
f_log "debug" "f_restore ::: name: ${feed}, source: banIP.${tmp_feed}.gz, target: ${feed_file##*/}, in_rc: ${feed_rc}, rc: ${restore_rc}" f_log "debug" "f_restore ::: name: ${feed}, source: banIP.${tmp_feed}.gz, target: ${feed_file##*/}, in_rc: ${feed_rc}, rc: ${restore_rc}"
return ${restore_rc} return ${restore_rc}
} }
@ -891,7 +900,7 @@ f_rmset() {
fi fi
rm -f "${tmp_del}" rm -f "${tmp_del}"
f_log "debug" "f_rmset ::: sets: ${del_set:-"-"}, rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}" f_log "debug" "f_rmset ::: sets: ${del_set:-"-"}, rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}"
} }
# generate status information # generate status information
@ -941,10 +950,10 @@ f_genstatus() {
json_close_object json_close_object
done done
json_close_array json_close_array
json_add_array "active_subnets" json_add_array "active_uplink"
for object in ${ban_sub:-"-"}; do for object in ${ban_uplink:-"-"}; do
json_add_object json_add_object
json_add_string "subnet" "${object}" json_add_string "uplink" "${object}"
json_close_object json_close_object
done done
json_close_array json_close_array
@ -1063,7 +1072,7 @@ f_lookup() {
end_time="$(date "+%s")" end_time="$(date "+%s")"
duration="$(((end_time - start_time) / 60))m $(((end_time - start_time) % 60))s" duration="$(((end_time - start_time) / 60))m $(((end_time - start_time) % 60))s"
f_log "debug" "feed: ${feed}, domains: ${cnt_domain}, IPs: ${cnt_ip}, duration: ${duration}" f_log "debug" "f_lookup ::: feed: ${feed}, domains: ${cnt_domain}, IPs: ${cnt_ip}, duration: ${duration}"
} }
# table statistics # table statistics
@ -1310,7 +1319,7 @@ f_mail() {
f_log "info" "failed to send status mail (${?})" f_log "info" "failed to send status mail (${?})"
fi fi
f_log "debug" "f_mail ::: notification: ${ban_mailnotification}, template: ${ban_mailtemplate}, profile: ${ban_mailprofile}, receiver: ${ban_mailreceiver}, rc: ${?}" f_log "debug" "f_mail ::: notification: ${ban_mailnotification}, template: ${ban_mailtemplate}, profile: ${ban_mailprofile}, receiver: ${ban_mailreceiver}, rc: ${?}"
} }
# initial sourcing # initial sourcing
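Review bot: An unrecognized `ban_autoallowuplink` value silently turns the uplink allowlisting off in the new f_getuplink: only the literal 'subnet' and 'ip' branches call the network_get_* helpers, so a typo in the config leaves `uplink` empty, the add loop does nothing, and the debug line cannot distinguish this from 'disable' — the router's own WAN address may then be matched by a feed. Unless f_conf (outside this page) already validates the option, a guard before the `for iface` loop keeps the documented default, e.g. `[ "${ban_autoallowuplink}" != "subnet" ] && [ "${ban_autoallowuplink}" != "ip" ] && { f_log "info" "unknown ban_autoallowuplink value '${ban_autoallowuplink}', using 'subnet'"; ban_autoallowuplink="subnet"; }`. Separately, the pre-existing check `"${ban_grepcmd}" -q "${ip}" "${ban_allowlist}"` treats the address as an unanchored regex, which the new 'ip' mode makes much more likely to bite: an uplink 192.168.1.1 already "matches" an existing 192.168.1.10 entry and is never added. Anchoring to the line start with escaped dots, e.g. `"${ban_grepcmd}" -qE "^$(printf '%s' "${ip}" | sed 's/[.]/\\./g')[[:space:]]" "${ban_allowlist}"`, makes the presence test exact.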


@ -1,5 +1,5 @@
#!/bin/sh #!/bin/sh
# banIP main service script - ban incoming and outgoing ip addresses/subnets via sets in nftables # banIP main service script - ban incoming and outgoing ip addresses/subnets via Sets in nftables
# Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org) # Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org)
# This is free software, licensed under the GNU General Public License v3. # This is free software, licensed under the GNU General Public License v3.
@ -15,13 +15,13 @@ ban_funlib="/usr/lib/banip-functions.sh"
# #
f_conf f_conf
f_log "info" "start banIP processing (${ban_action})" f_log "info" "start banIP processing (${ban_action})"
f_log "debug" "f_system ::: system: ${ban_sysver:-"n/a"}, version: ${ban_ver:-"n/a"}, memory: ${ban_memory:-"0"}, cpu_cores: ${ban_cores}" f_log "debug" "f_system ::: system: ${ban_sysver:-"n/a"}, version: ${ban_ver:-"n/a"}, memory: ${ban_memory:-"0"}, cpu_cores: ${ban_cores}"
f_genstatus "processing" f_genstatus "processing"
f_tmp f_tmp
f_fetch f_fetch
f_getif f_getif
f_getdev f_getdev
f_getsub f_getuplink
f_mkdir "${ban_backupdir}" f_mkdir "${ban_backupdir}"
f_mkfile "${ban_blocklist}" f_mkfile "${ban_blocklist}"
f_mkfile "${ban_allowlist}" f_mkfile "${ban_allowlist}"