Difuse/packages
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

banip: update 0.8.2-2

Browse source 
* fix the auto-detection for pppoe and 6in4 tunnel interfaces
* add the new 'ban_nftpolicy' option to expose the nft set policy, values: memory (default), performance
* add the new 'ban_nftlogevel' option to expose the nft syslog level, values: emerg, alert, crit, err, warn (default),
  notice, info, debug, audit
* status optimizations
* logging optimizations
* update the readme

Signed-off-by: Dirk Brenken <dev@brenken.org>
This commit is contained in:
Dirk Brenken 2023-03-10 19:42:19 +01:00
parent 2d3e0da711
commit d8b6e2ca2a
No known key found for this signature in database
GPG key ID: 9D71CD547BFAE684
5 changed files with 161 additions and 114 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
net/banip/Makefile
View file

@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=banip
PKG_VERSION:=0.8.2
PKG_RELEASE:=1
PKG_RELEASE:=2
PKG_LICENSE:=GPL-3.0-or-later
PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>

51
net/banip/files/README.md
View file

@ -31,27 +31,27 @@ IP address blocking is commonly used to protect against brute force attacks, pre
| firehol2 | firehol level 2 compilation | x | x | | [Link](https://iplists.firehol.org/?ipset=firehol_level2) |
| firehol3 | firehol level 3 compilation | x | x | | [Link](https://iplists.firehol.org/?ipset=firehol_level3) |
| firehol4 | firehol level 4 compilation | x | x | | [Link](https://iplists.firehol.org/?ipset=firehol_level4) |
| greensnow | suspicious server IPs | x | x | x | [Link](https://greensnow.co) |
| greensnow | suspicious server IPs | x | x | | [Link](https://greensnow.co) |
| iblockads | Advertising IPs | | | x | [Link](https://www.iblocklist.com) |
| iblockspy | Malicious spyware IPs | x | x | x | [Link](https://www.iblocklist.com) |
| iblockspy | Malicious spyware IPs | x | x | | [Link](https://www.iblocklist.com) |
| myip | real-time IP blocklist | x | x | | [Link](https://myip.ms) |
| nixspam | iX spam protection | x | x | | [Link](http://www.nixspam.org) |
| oisdbig | OISD-big IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| oisdnsfw | OISD-nsfw IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| oisdsmall | OISD-small IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| proxy | open proxies | x | | | [Link](https://iplists.firehol.org/?ipset=proxylists) |
| ssbl | SSL botnet IPs | x | x | x | [Link](https://sslbl.abuse.ch) |
| ssbl | SSL botnet IPs | x | x | | [Link](https://sslbl.abuse.ch) |
| stevenblack | stevenblack IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| talos | talos IPs | x | x | | [Link](https://talosintelligence.com/reputation_center) |
| threat | emerging threats | x | x | x | [Link](https://rules.emergingthreats.net) |
| threatview | malicious IPs | x | x | x | [Link](https://threatview.io) |
| tor | tor exit nodes | x | x | x | [Link](https://github.com/SecOps-Institute/Tor-IP-Addresses) |
| threat | emerging threats | x | x | | [Link](https://rules.emergingthreats.net) |
| threatview | malicious IPs | x | x | | [Link](https://threatview.io) |
| tor | tor exit nodes | x | x | | [Link](https://github.com/SecOps-Institute/Tor-IP-Addresses) |
| uceprotect1 | spam protection level 1 | x | x | | [Link](http://www.uceprotect.net/en/index.php) |
| uceprotect2 | spam protection level 2 | x | x | | [Link](http://www.uceprotect.net/en/index.php) |
| uceprotect3 | spam protection level 3 | x | x | | [Link](http://www.uceprotect.net/en/index.php) |
| urlhaus | urlhaus IDS IPs | x | x | | [Link](https://urlhaus.abuse.ch) |
| urlvir | malware related IPs | x | x | x | [Link](https://iplists.firehol.org/?ipset=urlvir) |
| webclient | malware related IPs | x | x | x | [Link](https://iplists.firehol.org/?ipset=firehol_webclient) |
| urlvir | malware related IPs | x | x | | [Link](https://iplists.firehol.org/?ipset=urlvir) |
| webclient | malware related IPs | x | x | | [Link](https://iplists.firehol.org/?ipset=firehol_webclient) |
| voip | VoIP fraud blocklist | x | x | | [Link](https://voipbl.org) |
| yoyo | yoyo IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
@ -151,8 +151,10 @@ Available commands:
| ban_deduplicate | option | 1 | deduplicate IP addresses across all active sets |
| ban_splitsize | option | 0 | split ext. sets after every n lines/members (saves RAM) |
| ban_cores | option | - / autodetect | limit the cpu cores used by banIP (saves RAM) |
| ban_nftloglevel | option | warn | nft loglevel, values: emerg, alert, crit, err, warn, notice, info, debug, audit |
| ban_nftpriority | option | -200 | nft priority for the banIP table (default is the prerouting table priority) |
| ban_nftpolicy | option | memory | nft policy for banIP-related sets, values: memory, performance |
| ban_nftexpiry | option | - | expiry time for auto added blocklist members, e.g. '5m', '2h' or '1d' |
| ban_nftpriority | option | -200 | nft banIP table priority (default is the prerouting table priority) |
| ban_feed | list | - | external download feeds, e.g. 'yoyo', 'doh', 'country' or 'talos' (see feed table) |
| ban_asn | list | - | ASNs for the 'asn' feed, e.g.'32934' |
| ban_country | list | - | country iso codes for the 'country' feed, e.g. 'ru' |
@ -222,18 +224,18 @@ Available commands:
~# /etc/init.d/banip status
::: banIP runtime information
+ status : active (nft: ✔, monitor: ✔)
+ version : 0.8.2-1
+ element_count : 180596
+ active_feeds : allowlistvMAC, allowlistv4, allowlistv6, adawayv4, adawayv6, adguardv4, cinsscorev4, adguardv6, countryv6, countryv4,
deblv4, deblv6, dohv4, dohv6, firehol1v4, oisdsmallv6, oisdsmallv4, urlvirv4, webclientv4, blocklistvMAC, blocklistv4,
blocklistv6
+ active_devices : eth2
+ active_interfaces : wan, wan6
+ active_subnets : 91.64.168.218/24, 2a02:710c:0:80:e342:4b0c:725d:1d43/128
+ run_info : base: /tmp, backup: /mnt/data/banIP-backup, report: /mnt/data/banIP-report, feed: /etc/banip/banip.feeds
+ version : 0.8.2-2
+ element_count : 211397
+ active_feeds : allowlistvMAC, allowlistv4, allowlistv6, adawayv4, adawayv6, adguardv4, adguardtrackersv4, adguardv6, adguardtrackersv
6, antipopadsv4, antipopadsv6, cinsscorev4, countryv6, countryv4, deblv4, deblv6, dohv4, dohv6, firehol1v4, oisdsmallv
6, oisdsmallv4, stevenblackv6, stevenblackv4, webclientv4, blocklistvMAC, blocklistv4, blocklistv6
+ active_devices : eth2 ::: wan, wan6
+ active_subnets : 91.64.148.211/24, 2b02:710c:0:80:e442:4b0c:637d:1d33/128
+ nft_info : priority: -200, policy: memory, loglevel: warn, expiry: -
+ run_info : base: /mnt/data/banIP, backup: /mnt/data/banIP/backup, report: /mnt/data/banIP/report, feed: /etc/banip/banip.feeds
+ run_flags : auto: ✔, proto (4/6): ✔/✔, log (wan-inp/wan-fwd/lan-fwd): ✔/✔/✔, dedup: ✔, split: ✘, allowed only: ✘
+ last_run : action: restart, duration: 0m 58s, date: 2023-03-06 13:50:27
+ system_info : cores: 2, memory: 1831, device: Turris Omnia, OpenWrt SNAPSHOT r22151-1d82a47b49
+ last_run : action: restart, duration: 0m 55s, date: 2023-03-10 19:33:08
+ system_info : cores: 2, memory: 1830, device: Turris Omnia, OpenWrt SNAPSHOT r22248-bf055fcdca
```
**banIP search information**
@ -242,9 +244,9 @@ Available commands:
:::
::: banIP Search
:::
Looking for IP 221.228.105.173 on 2023-02-08 22:12:48
Looking for IP '221.228.105.173' on 2023-02-08 22:12:48
---
IP found in set oisdbasicv4
IP found in Set 'oisdbasicv4'
```
**banIP survey information**
@ -253,7 +255,7 @@ Available commands:
:::
::: banIP Survey
:::
List the elements of set cinsscorev4 on 2023-03-06 14:07:58
List the elements of Set 'cinsscorev4' on 2023-03-06 14:07:58
---
1.10.187.179
1.10.203.30
@ -272,7 +274,7 @@ Available commands:
1.15.77.237
[...]
```
**default regex for logfile parsing**
**default regex for logfile parsing**
```
list ban_logterm 'Exit before auth from'
list ban_logterm 'luci: failed login'
@ -299,6 +301,7 @@ nftables supports the atomic loading of rules/sets/members, which is cool but un
* point 'ban_basedir', 'ban_reportdir' and 'ban_backupdir' to an external usb drive
* set 'ban_cores' to '1' (only useful on a multicore system) to force sequential feed processing
* set 'ban_splitsize' e.g. to '1000' to split the load of an external set after every 1000 lines/members
* set 'ban_reportelements' to '0' to disable the CPU intensive counting of set elements
**tweak the download options**
By default banIP uses the following pre-configured download options:

218
net/banip/files/banip-functions.sh
View file

@ -35,9 +35,10 @@ ban_mailreceiver=""
ban_mailtopic="banIP notification"
ban_mailprofile="ban_notify"
ban_reportelements="1"
ban_nftloglevel="warn"
ban_nftpriority="-200"
ban_nftpolicy="memory"
ban_nftexpiry=""
ban_loglevel="warn"
ban_loglimit="100"
ban_logcount="1"
ban_logterm=""
@ -304,90 +305,112 @@ f_actual() {
# get wan interfaces
#
f_getif() {
local iface
local iface update="0"
"${ban_ubuscmd}" -t 5 wait_for network.device network.interface 2>/dev/null
if [ "${ban_autodetect}" = "1" ]; then
if [ -z "${ban_ifv4}" ]; then
network_flush_cache
network_find_wan iface
if [ -n "${iface}" ] && ! printf "%s" "${ban_ifv4}" | "${ban_grepcmd}" -q "${iface}"; then
if [ -n "${iface}" ] && "${ban_ubuscmd}" -t 10 wait_for network.interface."${iface}" >/dev/null 2>&1; then
ban_protov4="1"
ban_ifv4="${ban_ifv4}${iface} "
ban_ifv4="${iface}"
uci_set banip global ban_protov4 "1"
uci_add_list banip global ban_ifv4 "${iface}"
f_log "info" "added IPv4 interface '${iface}' to config"
fi
fi
if [ -z "${ban_ifv6}" ]; then
network_flush_cache
network_find_wan6 iface
if [ -n "${iface}" ] && ! printf "%s" "${ban_ifv6}" | "${ban_grepcmd}" -q "${iface}"; then
if [ -n "${iface}" ] && "${ban_ubuscmd}" -t 10 wait_for network.interface."${iface}" >/dev/null 2>&1; then
ban_protov6="1"
ban_ifv6="${ban_ifv6}${iface} "
ban_ifv6="${iface}"
uci_set banip global ban_protov6 "1"
uci_add_list banip global ban_ifv6 "${iface}"
f_log "info" "added IPv6 interface '${iface}' to config"
fi
fi
fi
if [ -n "$(uci -q changes "banip")" ]; then
update="1"
uci_commit "banip"
else
ban_ifv4="${ban_ifv4%%?}"
ban_ifv6="${ban_ifv6%%?}"
[ -n "$(uci -q changes "banip")" ] && uci_commit "banip"
for iface in ${ban_ifv4} ${ban_ifv6}; do
if ! "${ban_ubuscmd}" -t 10 wait_for network.interface."${iface}" >/dev/null 2>&1; then
f_log "err" "wan interface '${iface}' is not available, please check your configuration"
fi
done
fi
[ -z "${ban_ifv4}" ] && [ -z "${ban_ifv6}" ] && f_log "err" "wan interfaces not found, please check your configuration"
f_log "debug" "f_getif ::: auto_detect: ${ban_autodetect}, interfaces (4/6): ${ban_ifv4}/${ban_ifv6}, protocols (4/6): ${ban_protov4}/${ban_protov6}"
f_log "debug" "f_getif ::: auto/update: ${ban_autodetect}/${update}, interfaces (4/6): ${ban_ifv4}/${ban_ifv6}, protocols (4/6): ${ban_protov4}/${ban_protov6}"
}
# get wan devices
#
f_getdev() {
local dev iface
local dev iface update="0" cnt="0" cnt_max="10"
if [ "${ban_autodetect}" = "1" ] && [ -z "${ban_dev}" ]; then
for iface in ${ban_ifv4} ${ban_ifv6}; do
network_get_device dev "${iface}"
if [ -n "${dev}" ] && ! printf "%s" "${ban_dev}" | "${ban_grepcmd}" -q "${dev}"; then
ban_dev="${ban_dev}${dev} "
uci_add_list banip global ban_dev "${dev}"
else
network_get_physdev dev "${iface}"
if [ -n "${dev}" ] && ! printf "%s" "${ban_dev}" | "${ban_grepcmd}" -q "${dev}"; then
ban_dev="${ban_dev}${dev} "
uci_add_list banip global ban_dev "${dev}"
if [ "${ban_autodetect}" = "1" ]; then
while [ -z "${ban_dev}" ] && [ "${cnt}" -le "${cnt_max}" ]; do
network_flush_cache
for iface in ${ban_ifv4} ${ban_ifv6}; do
network_get_device dev "${iface}"
if [ -n "${dev}" ]; then
if printf "%s" "${dev}" | "${ban_grepcmd}" -qE "pppoe|6in4"; then
dev="${iface}"
fi
if ! printf " %s " "${ban_dev}" | "${ban_grepcmd}" -q " ${dev} "; then
ban_dev="${ban_dev}${dev} "
uci_add_list banip global ban_dev "${dev}"
f_log "info" "added device '${dev}' to config"
fi
fi
fi
done
cnt="$((cnt + 1))"
sleep 1
done
ban_dev="${ban_dev%%?}"
[ -n "$(uci -q changes "banip")" ] && uci_commit "banip"
fi
if [ -n "$(uci -q changes "banip")" ]; then
update="1"
uci_commit "banip"
fi
ban_dev="${ban_dev%%?}"
[ -z "${ban_dev}" ] && f_log "err" "wan devices not found, please check your configuration"
f_log "debug" "f_getdev ::: auto_detect: ${ban_autodetect}, devices: ${ban_dev}"
f_log "debug" "f_getdev ::: auto/update: ${ban_autodetect}/${update}, devices: ${ban_dev}, cnt: ${cnt}"
}
# get local subnets
#
f_getsub() {
local sub iface ip
local sub iface ip update="0"
for iface in ${ban_ifv4} ${ban_ifv6}; do
network_get_subnet sub "${iface}"
if [ -n "${sub}" ] && ! printf "%s" "${ban_sub}" | "${ban_grepcmd}" -q "${sub}"; then
ban_sub="${ban_sub} ${sub}"
fi
network_get_subnet6 sub "${iface}"
if [ -n "${sub}" ] && ! printf "%s" "${ban_sub}" | "${ban_grepcmd}" -q "${sub}"; then
ban_sub="${ban_sub} ${sub}"
fi
done
if [ "${ban_autoallowlist}" = "1" ]; then
for ip in ${ban_sub}; do
if ! "${ban_grepcmd}" -q "${ip}" "${ban_allowlist}"; then
printf "%-42s%s\n" "${ip}" "added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_allowlist}"
f_log "info" "add subnet '${ip}' to local allowlist"
for iface in ${ban_ifv4} ${ban_ifv6}; do
network_flush_cache
network_get_subnet sub "${iface}"
if [ -n "${sub}" ] && ! printf " %s " "${ban_sub}" | "${ban_grepcmd}" -q " ${sub} "; then
ban_sub="${ban_sub}${sub} "
fi
network_get_subnet6 sub "${iface}"
if [ -n "${sub}" ] && ! printf " %s " "${ban_sub}" | "${ban_grepcmd}" -q " ${sub} "; then
ban_sub="${ban_sub}${sub} "
fi
done
for ip in ${ban_sub}; do
if ! "${ban_grepcmd}" -q "${ip}" "${ban_allowlist}"; then
update="1"
printf "%-42s%s\n" "${ip}" "# subnet added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_allowlist}"
f_log "info" "added subnet '${ip}' to local allowlist"
fi
done
ban_sub="${ban_sub%%?}"
fi
[ -z "${ban_sub}" ] && f_log "err" "wan subnet(s) not found, please check your configuration"
f_log "debug" "f_getsub ::: auto_allowlist: ${ban_autoallowlist}, subnet(s): ${ban_sub:-"-"}"
f_log "debug" "f_getsub ::: auto/update: ${ban_autoallowlist}/${update}, subnet(s): ${ban_sub:-"-"}"
}
# get set elements
@ -442,7 +465,7 @@ f_nftinit() {
feed_log="$("${ban_nftcmd}" -f "${file}" 2>&1)"
feed_rc="${?}"
f_log "debug" "f_nftinit ::: devices: ${ban_dev}, priority: ${ban_nftpriority}, rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}"
f_log "debug" "f_nftinit ::: devices: ${ban_dev}, priority: ${ban_nftpriority}, policy: ${ban_nftpolicy}, loglevel: ${ban_nftloglevel}, rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}"
return ${feed_rc}
}
@ -461,9 +484,9 @@ f_down() {
tmp_flush="${ban_tmpfile}.${feed}.flush"
tmp_nft="${ban_tmpfile}.${feed}.nft"
[ "${ban_loginput}" = "1" ] && log_input="log level ${ban_loglevel} prefix \"banIP/inp-wan/drp/${feed}: \""
[ "${ban_logforwardwan}" = "1" ] && log_forwardwan="log level ${ban_loglevel} prefix \"banIP/fwd-wan/drp/${feed}: \""
[ "${ban_logforwardlan}" = "1" ] && log_forwardlan="log level ${ban_loglevel} prefix \"banIP/fwd-lan/rej/${feed}: \""
[ "${ban_loginput}" = "1" ] && log_input="log level ${ban_nftloglevel} prefix \"banIP/inp-wan/drp/${feed}: \""
[ "${ban_logforwardwan}" = "1" ] && log_forwardwan="log level ${ban_nftloglevel} prefix \"banIP/fwd-wan/drp/${feed}: \""
[ "${ban_logforwardlan}" = "1" ] && log_forwardlan="log level ${ban_nftloglevel} prefix \"banIP/fwd-lan/rej/${feed}: \""
# set source block direction
#
@ -508,11 +531,11 @@ f_down() {
[ -s "${tmp_flush}" ] && cat "${tmp_flush}"
if [ "${proto}" = "MAC" ]; then
"${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s, ",tolower($1)}' "${ban_allowlist}" >"${tmp_file}"
printf "%s\n" "add set inet banIP ${feed} { type ether_addr; policy memory; $(f_getelements "${tmp_file}") }"
printf "%s\n" "add set inet banIP ${feed} { type ether_addr; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ether saddr @${feed} counter accept"
elif [ "${proto}" = "4" ]; then
"${ban_awkcmd}" '/^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{printf "%s, ",$1}' "${ban_allowlist}" >"${tmp_file}"
printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy memory; $(f_getelements "${tmp_file}") }"
printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
if [ -z "${feed_direction##*input*}" ]; then
if [ "${ban_allowlistonly}" = "1" ]; then
printf "%s\n" "add rule inet banIP wan-input ip saddr != @${feed} ${log_input} counter drop"
@ -537,7 +560,7 @@ f_down() {
elif [ "${proto}" = "6" ]; then
"${ban_awkcmd}" '!/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s\n",$1}' "${ban_allowlist}" |
"${ban_awkcmd}" '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{printf "%s, ",tolower($1)}' >"${tmp_file}"
printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy memory; $(f_getelements "${tmp_file}") }"
printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
if [ -z "${feed_direction##*input*}" ]; then
if [ "${ban_allowlistonly}" = "1" ]; then
printf "%s\n" "add rule inet banIP wan-input ip6 saddr != @${feed} ${log_input} counter drop"
@ -568,7 +591,7 @@ f_down() {
[ -s "${tmp_flush}" ] && cat "${tmp_flush}"
if [ "${proto}" = "MAC" ]; then
"${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s, ",tolower($1)}' "${ban_blocklist}" >"${tmp_file}"
printf "%s\n" "add set inet banIP ${feed} { type ether_addr; policy memory; $(f_getelements "${tmp_file}") }"
printf "%s\n" "add set inet banIP ${feed} { type ether_addr; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ether saddr @${feed} ${log_forwardlan} counter reject"
elif [ "${proto}" = "4" ]; then
if [ "${ban_deduplicate}" = "1" ]; then
@ -580,7 +603,7 @@ f_down() {
"${ban_awkcmd}" '/^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{printf "%s,\n",$1}' "${ban_blocklist}" >"${tmp_split}"
fi
"${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}"
printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval, timeout; auto-merge; policy memory; $(f_getelements "${tmp_file}") }"
printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval, timeout; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} ${log_input} counter drop"
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip saddr @${feed} ${log_forwardwan} counter drop"
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ip daddr @${feed} ${log_forwardlan} counter reject with icmp type admin-prohibited"
@ -596,7 +619,7 @@ f_down() {
"${ban_awkcmd}" '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{printf "%s,\n",tolower($1)}' >"${tmp_split}"
fi
"${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}"
printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval, timeout; auto-merge; policy memory; $(f_getelements "${tmp_file}") }"
printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval, timeout; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} ${log_input} counter drop"
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip6 saddr @${feed} ${log_forwardwan} counter drop"
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ip6 daddr @${feed} ${log_forwardlan} counter reject with icmpv6 type admin-prohibited"
@ -691,7 +714,7 @@ f_down() {
#
printf "%s\n\n" "#!/usr/sbin/nft -f"
[ -s "${tmp_flush}" ] && cat "${tmp_flush}"
printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy memory; $(f_getelements "${tmp_file}.1") }"
printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}.1") }"
# input and forward rules
#
@ -705,7 +728,7 @@ f_down() {
#
printf "%s\n\n" "#!/usr/sbin/nft -f"
[ -s "${tmp_flush}" ] && cat "${tmp_flush}"
printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy memory; $(f_getelements "${tmp_file}.1") }"
printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}.1") }"
# input and forward rules
#
@ -737,7 +760,9 @@ f_down() {
fi
rm -f "${split_file}"
done
cnt_set="$("${ban_nftcmd}" -j list set inet banIP "${feed}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)"
if [ "${ban_debug}" = "1" ] && [ "${ban_reportelements}" = "1" ]; then
cnt_set="$("${ban_nftcmd}" -j list set inet banIP "${feed}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)"
fi
fi
else
f_log "info" "empty feed ${feed} will be skipped"
@ -825,9 +850,11 @@ f_genstatus() {
duration="$(((ban_endtime - ban_starttime) / 60))m $(((ban_endtime - ban_starttime) % 60))s"
fi
table_sets="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null | jsonfilter -qe '@.nftables[@.set.table="banIP"].set.name')"
for set in ${table_sets}; do
cnt_elements="$((cnt_elements + $("${ban_nftcmd}" -j list set inet banIP "${set}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)))"
done
if [ "${ban_reportelements}" = "1" ]; then
for set in ${table_sets}; do
cnt_elements="$((cnt_elements + $("${ban_nftcmd}" -j list set inet banIP "${set}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)))"
done
fi
runtime="action: ${ban_action:-"-"}, duration: ${duration:-"-"}, date: $(date "+%Y-%m-%d %H:%M:%S")"
fi
f_system
@ -863,14 +890,6 @@ f_genstatus() {
json_add_string "device" "${object}"
json_close_object
done
fi
json_close_array
json_add_array "active_interfaces"
if [ "${status}" != "active" ]; then
json_add_object
json_add_string "interface" "-"
json_close_object
else
for object in ${ban_ifv4} ${ban_ifv6}; do
json_add_object
json_add_string "interface" "${object}"
@ -891,6 +910,7 @@ f_genstatus() {
done
fi
json_close_array
json_add_string "nft_info" "priority: ${ban_nftpriority}, policy: ${ban_nftpolicy}, loglevel: ${ban_nftloglevel}, expiry: ${ban_nftexpiry:-"-"}"
json_add_string "run_info" "base: ${ban_basedir}, backup: ${ban_backupdir}, report: ${ban_reportdir}, feed: ${ban_feedfile}"
json_add_string "run_flags" "auto: $(f_char ${ban_autodetect}), proto (4/6): $(f_char ${ban_protov4})/$(f_char ${ban_protov6}), log (wan-inp/wan-fwd/lan-fwd): $(f_char ${ban_loginput})/$(f_char ${ban_logforwardwan})/$(f_char ${ban_logforwardlan}), dedup: $(f_char ${ban_deduplicate}), split: $(f_char ${split}), allowed only: $(f_char ${ban_allowlistonly})"
json_add_string "last_run" "${runtime:-"-"}"
@ -901,7 +921,7 @@ f_genstatus() {
# get status information
#
f_getstatus() {
local key keylist type value index_value actual="${1}"
local key keylist type value index_key1 index_key2 index_value1 index_value2 actual="${1}"
[ -z "${ban_dev}" ] && f_conf
json_load_file "${ban_rtfile}" >/dev/null 2>&1
@ -911,22 +931,45 @@ f_getstatus() {
json_get_var value "${key}" >/dev/null 2>&1
if [ "${key}" = "status" ]; then
value="${value} ($(f_actual))"
elif [ "${key}" = "active_devices" ]; then
json_select "${key}" >/dev/null 2>&1
index=1
while json_get_type type "${index}" && [ "${type}" = "object" ]; do
json_get_keys index_key1 "${index}" >/dev/null 2>&1
json_get_keys index_key2 "$((index + 1))" >/dev/null 2>&1
json_get_values index_value1 "${index}" >/dev/null 2>&1
if [ "${index}" = "1" ] && [ "${index_key1// /}" = "device" ] && [ "${index_key2// /}" = "interface" ]; then
json_get_values index_value2 "$((index + 1))" >/dev/null 2>&1
value="${index_value1} ::: ${index_value2}"
index="$((index + 1))"
elif [ "${index}" = "1" ]; then
value="${index_value1}"
elif [ "${index}" != "1" ] && [ "${index_key1// /}" = "device" ] && [ "${index_key2// /}" = "interface" ]; then
json_get_values index_value2 "$((index + 1))" >/dev/null 2>&1
value="${value}, ${index_value1} ::: ${index_value2}"
index="$((index + 1))"
elif [ "${index}" != "1" ]; then
value="${value}, ${index_value1}"
fi
index="$((index + 1))"
done
json_select ".."
elif [ "${key%_*}" = "active" ]; then
json_select "${key}" >/dev/null 2>&1
index=1
while json_get_type type "${index}" && [ "${type}" = "object" ]; do
json_get_values index_value "${index}" >/dev/null 2>&1
json_get_values index_value1 "${index}" >/dev/null 2>&1
if [ "${index}" = "1" ]; then
value="${index_value}"
value="${index_value1}"
else
value="${value}, ${index_value}"
value="${value}, ${index_value1}"
fi
index=$((index + 1))
index="$((index + 1))"
done
json_select ".."
fi
value="$(printf "%s" "${value}" |
awk '{NR=1;max=118;if(length($0)>max+1)while($0){if(NR==1){print substr($0,1,max)}else{printf"%-24s%s\n","",substr($0,1,max)}{$0=substr($0,max+1);NR=NR+1}}else print}')"
awk '{NR=1;max=118;if(length($0)>max+1)while($0){if(NR==1){print substr($0,1,max)}else{printf"%-24s%s\n","",substr($0,1,max)}{$0=substr($0,max+1);NR=NR+1}}else print}')"
printf " + %-17s : %s\n" "${key}" "${value:-"-"}"
done
else
@ -967,9 +1010,9 @@ f_lookup() {
fi
fi
if [ "${feed}" = "allowlist" ] && [ "${ban_autoallowlist}" = "1" ]; then
printf "%-42s%s\n" "${ip}" "# ip of '${domain}' added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_allowlist}"
printf "%-42s%s\n" "${ip}" "# '${domain}' added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_allowlist}"
elif [ "${feed}" = "blocklist" ] && [ "${ban_autoblocklist}" = "1" ]; then
printf "%-42s%s\n" "${ip}" "# ip of '${domain}' added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_blocklist}"
printf "%-42s%s\n" "${ip}" "# '${domain}' added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_blocklist}"
fi
fi
fi
@ -1151,6 +1194,7 @@ f_search() {
f_system
run_search="/var/run/banIP.search"
if [ -n "${search}" ]; then
ip="$(printf "%s" "${search}" | "${ban_awkcmd}" 'BEGIN{RS="(([0-9]{1,3}\\.){3}[0-9]{1,3})+"}{printf "%s",RT}')"
[ -n "${ip}" ] && proto="v4"
@ -1158,24 +1202,21 @@ f_search() {
ip="$(printf "%s" "${search}" | "${ban_awkcmd}" 'BEGIN{RS="([A-Fa-f0-9]{1,4}::?){3,7}[A-Fa-f0-9]{1,4}"}{printf "%s",RT}')"
[ -n "${ip}" ] && proto="v6"
fi
if [ -n "${proto}" ]; then
table_sets="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null | jsonfilter -qe "@.nftables[@.set.table=\"banIP\"&&@.set.type=\"ip${proto}_addr\"].set.name")"
else
printf "%s\n%s\n%s\n" ":::" "::: no valid search input (single IPv4/IPv6 address)" ":::"
return
fi
fi
if [ -n "${proto}" ]; then
table_sets="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null | jsonfilter -qe "@.nftables[@.set.table=\"banIP\"&&@.set.type=\"ip${proto}_addr\"].set.name")"
else
printf "%s\n%s\n%s\n" ":::" "::: no valid search input (single IPv4/IPv6 address)" ":::"
printf "%s\n%s\n%s\n" ":::" "::: no valid search input" ":::"
return
fi
printf "%s\n%s\n%s\n" ":::" "::: banIP Search" ":::"
printf "%s\n" " Looking for IP ${ip} on $(date "+%Y-%m-%d %H:%M:%S")"
printf "%s\n" " Looking for IP '${ip}' on $(date "+%Y-%m-%d %H:%M:%S")"
printf "%s\n" " ---"
cnt=1
for set in ${table_sets}; do
(
if "${ban_nftcmd}" get element inet banIP "${set}" "{ ${ip} }" >/dev/null 2>&1; then
printf "%s\n" " IP found in set ${set}"
printf "%s\n" " IP found in Set '${set}'"
: >"${run_search}"
fi
) &
@ -1184,8 +1225,11 @@ f_search() {
cnt="$((cnt + 1))"
done
wait
[ ! -f "${run_search}" ] && printf "%s\n" " IP not found"
rm -f "${run_search}"
if [ ! -f "${run_search}" ]; then
printf "%s\n" " IP not found"
else
rm -f "${run_search}"
fi
}
# set survey
@ -1197,11 +1241,11 @@ f_survey() {
[ -n "${set}" ] && set_elements="$("${ban_nftcmd}" -j list set inet banIP "${set}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]')"
if [ -z "${set}" ] || [ -z "${set_elements}" ]; then
printf "%s\n%s\n%s\n" ":::" "::: no valid survey input (single banIP set name)" ":::"
printf "%s\n%s\n%s\n" ":::" "::: no valid survey input" ":::"
return
fi
printf "%s\n%s\n%s\n" ":::" "::: banIP Survey" ":::"
printf "%s\n" " List the elements of set ${set} on $(date "+%Y-%m-%d %H:%M:%S")"
printf "%s\n" " List the elements of Set '${set}' on $(date "+%Y-%m-%d %H:%M:%S")"
printf "%s\n" " ---"
printf "%s\n" "${set_elements}"
}

2
net/banip/files/banip-service.sh
View file

@ -174,7 +174,7 @@ if [ -x "${ban_logreadcmd}" ] && [ -n "${ban_logterm%%??}" ]; then
log_count="$(printf "%s\n" "${log_raw}" | grep -c "found '${ip}'")"
if [ "${log_count}" -ge "${ban_logcount}" ]; then
if "${ban_nftcmd}" add element inet banIP "blocklist${proto}" "{ ${ip} ${nft_expiry} }" >/dev/null 2>&1; then
f_log "info" "added IP${proto} '${ip}' (${nft_expiry:-"-"}) to blocklist${proto} set"
f_log "info" "added IP${proto} '${ip}' (expiry: ${nft_expiry:-"-"}) to blocklist${proto} set"
if [ "${ban_autoblocklist}" = "1" ] && ! grep -q "^${ip}" "${ban_blocklist}"; then
printf "%-42s%s\n" "${ip}" "# added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_blocklist}"
f_log "info" "added IP${proto} '${ip}' to local blocklist"

2
net/banip/files/banip.init
View file

@ -97,7 +97,7 @@ service_triggers() {
local iface trigger delay
trigger="$(uci_get banip global ban_trigger)"
delay="$(uci_get banip global ban_triggerdelay "5")"
delay="$(uci_get banip global ban_triggerdelay "10")"
PROCD_RELOAD_DELAY=$((delay * 1000))
for iface in ${trigger}; do