banip: release 0.9.2-1

* the log file monitor now supports standard log files used by other log daemons like syslog-ng Set 'ban_logreadfile' accordingly, by default it points to /var/log/messages * removed logd dependency, closes #21932 Signed-off-by: Dirk Brenken <dev@brenken.org>
2023-11-05 09:19:55 +01:00 · 2023-11-05 09:19:55 +01:00 · c4e8140740
commit c4e8140740
parent 4cb6cd2d18
3 changed files with 89 additions and 68 deletions
--- a/net/banip/Makefile
+++ b/net/banip/Makefile
@ -5,7 +5,7 @@
 include $(TOPDIR)/rules.mk

 PKG_NAME:=banip
-PKG_VERSION:=0.9.1
+PKG_VERSION:=0.9.2
 PKG_RELEASE:=1
 PKG_LICENSE:=GPL-3.0-or-later
 PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>
@ -16,7 +16,7 @@ define Package/banip
 	SECTION:=net
 	CATEGORY:=Network
 	TITLE:=banIP blocks IPs via named nftables Sets
-	DEPENDS:=+jshn +jsonfilter +firewall4 +ca-bundle +logd +rpcd +rpcd-mod-rpcsys
+	DEPENDS:=+jshn +jsonfilter +firewall4 +ca-bundle +rpcd +rpcd-mod-rpcsys
 	PKGARCH:=all
 endef

--- a/net/banip/files/README.md
+++ b/net/banip/files/README.md
@ -91,7 +91,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre
 * Supports allowing / blocking of certain VLAN forwards

 ## Prerequisites
-* **[OpenWrt](https://openwrt.org)**, latest stable release or a snapshot with nft/firewall 4 and logd/logread support
+* **[OpenWrt](https://openwrt.org)**, latest stable release or a snapshot with nft/firewall 4 support
 * A download utility with SSL support: 'aria2c', 'curl', full 'wget' or 'uclient-fetch' with one of the 'libustream-*' SSL libraries, the latter one doesn't provide support for ETag HTTP header
 * A certificate store like 'ca-bundle', as banIP checks the validity of the SSL certificates of all download sites by default
 * For E-Mail notifications you need to install and setup the additional 'msmtp' package
@ -135,13 +135,14 @@ Available commands:
 ## banIP config options

 | Option                  | Type   | Default                       | Description                                                                                                       |
-| :---------------------- | :----- | :---------------------------- | :----------------------------------------------------------------------------------------------------------- |
+| :---------------------- | :----- | :---------------------------- | :---------------------------------------------------------------------------------------------------------------- |
 | ban_enabled             | option | 0                             | enable the banIP service                                                                                          |
 | ban_nicelimit           | option | 0                             | ulimit nice level of the banIP service (range 0-19)                                                               |
 | ban_filelimit           | option | 1024                          | ulimit max open/number of files (range 1024-4096)                                                                 |
 | ban_loglimit            | option | 100                           | scan only the last n log entries permanently. A value of '0' disables the monitor                                 |
 | ban_logcount            | option | 1                             | how many times the IP must appear in the log to be considered as suspicious                                       |
 | ban_logterm             | list   | regex                         | various regex for logfile parsing (default: dropbear, sshd, luci, nginx, asterisk)                                |
+| ban_logreadfile         | option | /var/log/messages             | alternative location for parsing the log file, e.g. via syslog-ng, to deactivate the standard parsing via logread |
 | ban_autodetect          | option | 1                             | auto-detect wan interfaces, devices and subnets                                                                   |
 | ban_debug               | option | 0                             | enable banIP related debug logging                                                                                |
 | ban_loginput            | option | 1                             | log drops in the wan-input chain                                                                                  |
--- a/net/banip/files/banip-functions.sh
+++ b/net/banip/files/banip-functions.sh
@ -23,7 +23,8 @@ ban_rtfile="/var/run/banip_runtime.json"
 ban_rdapfile="/var/run/banip_rdap.json"
 ban_rdapurl="https://rdap.db.ripe.net/ip/"
 ban_lock="/var/run/banip.lock"
-ban_logreadcmd="$(command -v logread)"
+ban_logreadfile="/var/log/messages"
+ban_logreadcmd=""
 ban_logcmd="$(command -v logger)"
 ban_ubuscmd="$(command -v ubus)"
 ban_nftcmd="$(command -v nft)"
@ -188,7 +189,12 @@ f_rmpid() {
 	local ppid pid pids

 	ppid="$("${ban_catcmd}" "${ban_pidfile}" 2>/dev/null)"
-	[ -n "${ppid}" ] && pids="$(pgrep -P "${ppid}" 2>/dev/null)"
+	if [ -n "${ppid}" ]; then
+		pids="$(pgrep -P "${ppid}" 2>/dev/null)"
+		for pid in ${pids}; do
+			pids="${pids} $(pgrep -P "${pid}" 2>/dev/null)"
+		done
+	fi
 	for pid in ${pids}; do
 		kill -INT "${pid}" >/dev/null 2>&1
 	done
@ -283,19 +289,25 @@ f_conf() {
 		}
 	}
 	config_load banip
+	[ -f "${ban_logreadfile}" ] && ban_logreadcmd="$(command -v tail)" || ban_logreadcmd="$(command -v logread)"
 }

 # get nft/monitor actuals
 #
 f_actual() {
-	local nft monitor
+	local nft monitor ppid pid

 	if "${ban_nftcmd}" -t list set inet banIP allowlistv4MAC >/dev/null 2>&1; then
 		nft="$(f_char "1")"
 	else
 		nft="$(f_char "0")"
 	fi
-	if pgrep -f "${ban_logreadcmd##*/}" -P "$("${ban_catcmd}" "${ban_pidfile}" 2>/dev/null)" >/dev/null 2>&1; then
+
+	ppid="$("${ban_catcmd}" "${ban_pidfile}" 2>/dev/null)"
+	if [ -n "${ppid}" ]; then
+		pid="$(pgrep -oP "${ppid}" 2>/dev/null)"
+	fi
+	if pgrep -f "${ban_logreadcmd##*/}" -P "${pid}" >/dev/null 2>&1; then
 		monitor="$(f_char "1")"
 	else
 		monitor="$(f_char "0")"
@ -1471,12 +1483,20 @@ f_mail() {
 # log monitor
 #
 f_monitor() {
-	local nft_expiry line proto ip log_raw log_count rdap_log rdap_rc rdap_elements rdap_info
+	local logread_cmd loglimit_cmd nft_expiry line proto ip log_raw log_count rdap_log rdap_rc rdap_elements rdap_info

-	if [ -x "${ban_logreadcmd}" ] && [ -n "${ban_logterm%%??}" ] && [ "${ban_loglimit}" != "0" ]; then
-		f_log "info" "start detached banIP log service"
+	if [ -f "${ban_logreadfile}" ]; then
+		logread_cmd="${ban_logreadcmd} -qf ${ban_logreadfile} 2>/dev/null | ${ban_grepcmd} -e \"${ban_logterm%%??}\" 2>/dev/null"
+		loglimit_cmd="${ban_logreadcmd} -qn ${ban_loglimit} ${ban_logreadfile} 2>/dev/null"
+	elif printf "%s" "${ban_packages}" | "${ban_grepcmd}" -q '"logd'; then
+		logread_cmd="${ban_logreadcmd} -fe \"${ban_logterm%%??}\" 2>/dev/null"
+		loglimit_cmd="${ban_logreadcmd} -l ${ban_loglimit} 2>/dev/null"
+	fi
+
+	if [ -x "${ban_logreadcmd}" ] && [ -n "${logread_cmd}" ] && [ -n "${loglimit_cmd}" ] && [ -n "${ban_logterm%%??}" ] && [ "${ban_loglimit}" != "0" ]; then
+		f_log "info" "start detached banIP log service (${ban_logreadcmd})"
 		[ -n "${ban_nftexpiry}" ] && nft_expiry="timeout $(printf "%s" "${ban_nftexpiry}" | "${ban_grepcmd}" -oE "([0-9]+[d|h|m|s])+$")"
-		"${ban_logreadcmd}" -fe "${ban_logterm%%??}" 2>/dev/null |
+		eval "${logread_cmd}" |
 			while read -r line; do
 				: >"${ban_rdapfile}"
 				proto=""
@ -1492,7 +1512,7 @@ f_monitor() {
 				fi
 				if [ -n "${proto}" ] && ! "${ban_nftcmd}" get element inet banIP blocklist"${proto}" "{ ${ip} }" >/dev/null 2>&1 && ! "${ban_grepcmd}" -q "^${ip}" "${ban_allowlist}"; then
 					f_log "info" "suspicious IP '${ip}'"
-					log_raw="$("${ban_logreadcmd}" -l "${ban_loglimit}" 2>/dev/null)"
+					log_raw="$(eval ${loglimit_cmd})"
 					log_count="$(printf "%s\n" "${log_raw}" | "${ban_grepcmd}" -c "suspicious IP '${ip}'")"
 					if [ "${log_count}" -ge "${ban_logcount}" ]; then
 						if [ "${ban_autoblocksubnet}" = "1" ]; then