banip: update 0.8.2-2

* fix the auto-detection for pppoe and 6in4 tunnel interfaces
* add the new 'ban_nftpolicy' option to expose the nft set policy, values: memory (default), performance
* add the new 'ban_nftloglevel' option to expose the nft syslog level, values: emerg, alert, crit, err, warn (default),
  notice, info, debug, audit
* status optimizations
* logging optimizations
* update the readme

Signed-off-by: Dirk Brenken <dev@brenken.org>
Dirk Brenken 2023-03-10 19:42:19 +01:00
parent 2d3e0da711
commit d8b6e2ca2a
No known key found for this signature in database
GPG key ID: 9D71CD547BFAE684
5 changed files with 161 additions and 114 deletions


@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=banip PKG_NAME:=banip
PKG_VERSION:=0.8.2 PKG_VERSION:=0.8.2
PKG_RELEASE:=1 PKG_RELEASE:=2
PKG_LICENSE:=GPL-3.0-or-later PKG_LICENSE:=GPL-3.0-or-later
PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org> PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>


@ -31,27 +31,27 @@ IP address blocking is commonly used to protect against brute force attacks, pre
| firehol2 | firehol level 2 compilation | x | x | | [Link](https://iplists.firehol.org/?ipset=firehol_level2) | | firehol2 | firehol level 2 compilation | x | x | | [Link](https://iplists.firehol.org/?ipset=firehol_level2) |
| firehol3 | firehol level 3 compilation | x | x | | [Link](https://iplists.firehol.org/?ipset=firehol_level3) | | firehol3 | firehol level 3 compilation | x | x | | [Link](https://iplists.firehol.org/?ipset=firehol_level3) |
| firehol4 | firehol level 4 compilation | x | x | | [Link](https://iplists.firehol.org/?ipset=firehol_level4) | | firehol4 | firehol level 4 compilation | x | x | | [Link](https://iplists.firehol.org/?ipset=firehol_level4) |
| greensnow | suspicious server IPs | x | x | x | [Link](https://greensnow.co) | | greensnow | suspicious server IPs | x | x | | [Link](https://greensnow.co) |
| iblockads | Advertising IPs | | | x | [Link](https://www.iblocklist.com) | | iblockads | Advertising IPs | | | x | [Link](https://www.iblocklist.com) |
| iblockspy | Malicious spyware IPs | x | x | x | [Link](https://www.iblocklist.com) | | iblockspy | Malicious spyware IPs | x | x | | [Link](https://www.iblocklist.com) |
| myip | real-time IP blocklist | x | x | | [Link](https://myip.ms) | | myip | real-time IP blocklist | x | x | | [Link](https://myip.ms) |
| nixspam | iX spam protection | x | x | | [Link](http://www.nixspam.org) | | nixspam | iX spam protection | x | x | | [Link](http://www.nixspam.org) |
| oisdbig | OISD-big IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) | | oisdbig | OISD-big IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| oisdnsfw | OISD-nsfw IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) | | oisdnsfw | OISD-nsfw IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| oisdsmall | OISD-small IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) | | oisdsmall | OISD-small IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| proxy | open proxies | x | | | [Link](https://iplists.firehol.org/?ipset=proxylists) | | proxy | open proxies | x | | | [Link](https://iplists.firehol.org/?ipset=proxylists) |
| ssbl | SSL botnet IPs | x | x | x | [Link](https://sslbl.abuse.ch) | | ssbl | SSL botnet IPs | x | x | | [Link](https://sslbl.abuse.ch) |
| stevenblack | stevenblack IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) | | stevenblack | stevenblack IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| talos | talos IPs | x | x | | [Link](https://talosintelligence.com/reputation_center) | | talos | talos IPs | x | x | | [Link](https://talosintelligence.com/reputation_center) |
| threat | emerging threats | x | x | x | [Link](https://rules.emergingthreats.net) | | threat | emerging threats | x | x | | [Link](https://rules.emergingthreats.net) |
| threatview | malicious IPs | x | x | x | [Link](https://threatview.io) | | threatview | malicious IPs | x | x | | [Link](https://threatview.io) |
| tor | tor exit nodes | x | x | x | [Link](https://github.com/SecOps-Institute/Tor-IP-Addresses) | | tor | tor exit nodes | x | x | | [Link](https://github.com/SecOps-Institute/Tor-IP-Addresses) |
| uceprotect1 | spam protection level 1 | x | x | | [Link](http://www.uceprotect.net/en/index.php) | | uceprotect1 | spam protection level 1 | x | x | | [Link](http://www.uceprotect.net/en/index.php) |
| uceprotect2 | spam protection level 2 | x | x | | [Link](http://www.uceprotect.net/en/index.php) | | uceprotect2 | spam protection level 2 | x | x | | [Link](http://www.uceprotect.net/en/index.php) |
| uceprotect3 | spam protection level 3 | x | x | | [Link](http://www.uceprotect.net/en/index.php) | | uceprotect3 | spam protection level 3 | x | x | | [Link](http://www.uceprotect.net/en/index.php) |
| urlhaus | urlhaus IDS IPs | x | x | | [Link](https://urlhaus.abuse.ch) | | urlhaus | urlhaus IDS IPs | x | x | | [Link](https://urlhaus.abuse.ch) |
| urlvir | malware related IPs | x | x | x | [Link](https://iplists.firehol.org/?ipset=urlvir) | | urlvir | malware related IPs | x | x | | [Link](https://iplists.firehol.org/?ipset=urlvir) |
| webclient | malware related IPs | x | x | x | [Link](https://iplists.firehol.org/?ipset=firehol_webclient) | | webclient | malware related IPs | x | x | | [Link](https://iplists.firehol.org/?ipset=firehol_webclient) |
| voip | VoIP fraud blocklist | x | x | | [Link](https://voipbl.org) | | voip | VoIP fraud blocklist | x | x | | [Link](https://voipbl.org) |
| yoyo | yoyo IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) | | yoyo | yoyo IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
@ -151,8 +151,10 @@ Available commands:
| ban_deduplicate | option | 1 | deduplicate IP addresses across all active sets | | ban_deduplicate | option | 1 | deduplicate IP addresses across all active sets |
| ban_splitsize | option | 0 | split ext. sets after every n lines/members (saves RAM) | | ban_splitsize | option | 0 | split ext. sets after every n lines/members (saves RAM) |
| ban_cores | option | - / autodetect | limit the cpu cores used by banIP (saves RAM) | | ban_cores | option | - / autodetect | limit the cpu cores used by banIP (saves RAM) |
| ban_nftloglevel | option | warn | nft loglevel, values: emerg, alert, crit, err, warn, notice, info, debug, audit |
| ban_nftpriority | option | -200 | nft priority for the banIP table (default is the prerouting table priority) |
| ban_nftpolicy | option | memory | nft policy for banIP-related sets, values: memory, performance |
| ban_nftexpiry | option | - | expiry time for auto added blocklist members, e.g. '5m', '2h' or '1d' | | ban_nftexpiry | option | - | expiry time for auto added blocklist members, e.g. '5m', '2h' or '1d' |
| ban_nftpriority | option | -200 | nft banIP table priority (default is the prerouting table priority) |
| ban_feed | list | - | external download feeds, e.g. 'yoyo', 'doh', 'country' or 'talos' (see feed table) | | ban_feed | list | - | external download feeds, e.g. 'yoyo', 'doh', 'country' or 'talos' (see feed table) |
| ban_asn | list | - | ASNs for the 'asn' feed, e.g.'32934' | | ban_asn | list | - | ASNs for the 'asn' feed, e.g.'32934' |
| ban_country | list | - | country iso codes for the 'country' feed, e.g. 'ru' | | ban_country | list | - | country iso codes for the 'country' feed, e.g. 'ru' |
@ -222,18 +224,18 @@ Available commands:
~# /etc/init.d/banip status ~# /etc/init.d/banip status
::: banIP runtime information ::: banIP runtime information
+ status : active (nft: ✔, monitor: ✔) + status : active (nft: ✔, monitor: ✔)
+ version : 0.8.2-1 + version : 0.8.2-2
+ element_count : 180596 + element_count : 211397
+ active_feeds : allowlistvMAC, allowlistv4, allowlistv6, adawayv4, adawayv6, adguardv4, cinsscorev4, adguardv6, countryv6, countryv4, + active_feeds : allowlistvMAC, allowlistv4, allowlistv6, adawayv4, adawayv6, adguardv4, adguardtrackersv4, adguardv6, adguardtrackersv
deblv4, deblv6, dohv4, dohv6, firehol1v4, oisdsmallv6, oisdsmallv4, urlvirv4, webclientv4, blocklistvMAC, blocklistv4, 6, antipopadsv4, antipopadsv6, cinsscorev4, countryv6, countryv4, deblv4, deblv6, dohv4, dohv6, firehol1v4, oisdsmallv
blocklistv6 6, oisdsmallv4, stevenblackv6, stevenblackv4, webclientv4, blocklistvMAC, blocklistv4, blocklistv6
+ active_devices : eth2 + active_devices : eth2 ::: wan, wan6
+ active_interfaces : wan, wan6 + active_subnets : 91.64.148.211/24, 2b02:710c:0:80:e442:4b0c:637d:1d33/128
+ active_subnets : 91.64.168.218/24, 2a02:710c:0:80:e342:4b0c:725d:1d43/128 + nft_info : priority: -200, policy: memory, loglevel: warn, expiry: -
+ run_info : base: /tmp, backup: /mnt/data/banIP-backup, report: /mnt/data/banIP-report, feed: /etc/banip/banip.feeds + run_info : base: /mnt/data/banIP, backup: /mnt/data/banIP/backup, report: /mnt/data/banIP/report, feed: /etc/banip/banip.feeds
+ run_flags : auto: ✔, proto (4/6): ✔/✔, log (wan-inp/wan-fwd/lan-fwd): ✔/✔/✔, dedup: ✔, split: ✘, allowed only: ✘ + run_flags : auto: ✔, proto (4/6): ✔/✔, log (wan-inp/wan-fwd/lan-fwd): ✔/✔/✔, dedup: ✔, split: ✘, allowed only: ✘
+ last_run : action: restart, duration: 0m 58s, date: 2023-03-06 13:50:27 + last_run : action: restart, duration: 0m 55s, date: 2023-03-10 19:33:08
+ system_info : cores: 2, memory: 1831, device: Turris Omnia, OpenWrt SNAPSHOT r22151-1d82a47b49 + system_info : cores: 2, memory: 1830, device: Turris Omnia, OpenWrt SNAPSHOT r22248-bf055fcdca
``` ```
**banIP search information** **banIP search information**
@ -242,9 +244,9 @@ Available commands:
::: :::
::: banIP Search ::: banIP Search
::: :::
Looking for IP 221.228.105.173 on 2023-02-08 22:12:48 Looking for IP '221.228.105.173' on 2023-02-08 22:12:48
--- ---
IP found in set oisdbasicv4 IP found in Set 'oisdbasicv4'
``` ```
**banIP survey information** **banIP survey information**
@ -253,7 +255,7 @@ Available commands:
::: :::
::: banIP Survey ::: banIP Survey
::: :::
List the elements of set cinsscorev4 on 2023-03-06 14:07:58 List the elements of Set 'cinsscorev4' on 2023-03-06 14:07:58
--- ---
1.10.187.179 1.10.187.179
1.10.203.30 1.10.203.30
@ -272,7 +274,7 @@ Available commands:
1.15.77.237 1.15.77.237
[...] [...]
``` ```
**default regex for logfile parsing** **default regex for logfile parsing**
``` ```
list ban_logterm 'Exit before auth from' list ban_logterm 'Exit before auth from'
list ban_logterm 'luci: failed login' list ban_logterm 'luci: failed login'
@ -299,6 +301,7 @@ nftables supports the atomic loading of rules/sets/members, which is cool but un
* point 'ban_basedir', 'ban_reportdir' and 'ban_backupdir' to an external usb drive * point 'ban_basedir', 'ban_reportdir' and 'ban_backupdir' to an external usb drive
* set 'ban_cores' to '1' (only useful on a multicore system) to force sequential feed processing * set 'ban_cores' to '1' (only useful on a multicore system) to force sequential feed processing
* set 'ban_splitsize' e.g. to '1000' to split the load of an external set after every 1000 lines/members * set 'ban_splitsize' e.g. to '1000' to split the load of an external set after every 1000 lines/members
* set 'ban_reportelements' to '0' to disable the CPU intensive counting of set elements
**tweak the download options** **tweak the download options**
By default banIP uses the following pre-configured download options: By default banIP uses the following pre-configured download options:


@ -35,9 +35,10 @@ ban_mailreceiver=""
ban_mailtopic="banIP notification" ban_mailtopic="banIP notification"
ban_mailprofile="ban_notify" ban_mailprofile="ban_notify"
ban_reportelements="1" ban_reportelements="1"
ban_nftloglevel="warn"
ban_nftpriority="-200" ban_nftpriority="-200"
ban_nftpolicy="memory"
ban_nftexpiry="" ban_nftexpiry=""
ban_loglevel="warn"
ban_loglimit="100" ban_loglimit="100"
ban_logcount="1" ban_logcount="1"
ban_logterm="" ban_logterm=""
@ -304,90 +305,112 @@ f_actual() {
# get wan interfaces # get wan interfaces
# #
f_getif() { f_getif() {
local iface local iface update="0"
"${ban_ubuscmd}" -t 5 wait_for network.device network.interface 2>/dev/null
if [ "${ban_autodetect}" = "1" ]; then if [ "${ban_autodetect}" = "1" ]; then
if [ -z "${ban_ifv4}" ]; then if [ -z "${ban_ifv4}" ]; then
network_flush_cache
network_find_wan iface network_find_wan iface
if [ -n "${iface}" ] && ! printf "%s" "${ban_ifv4}" | "${ban_grepcmd}" -q "${iface}"; then if [ -n "${iface}" ] && "${ban_ubuscmd}" -t 10 wait_for network.interface."${iface}" >/dev/null 2>&1; then
ban_protov4="1" ban_protov4="1"
ban_ifv4="${ban_ifv4}${iface} " ban_ifv4="${iface}"
uci_set banip global ban_protov4 "1" uci_set banip global ban_protov4 "1"
uci_add_list banip global ban_ifv4 "${iface}" uci_add_list banip global ban_ifv4 "${iface}"
f_log "info" "added IPv4 interface '${iface}' to config"
fi fi
fi fi
if [ -z "${ban_ifv6}" ]; then if [ -z "${ban_ifv6}" ]; then
network_flush_cache
network_find_wan6 iface network_find_wan6 iface
if [ -n "${iface}" ] && ! printf "%s" "${ban_ifv6}" | "${ban_grepcmd}" -q "${iface}"; then if [ -n "${iface}" ] && "${ban_ubuscmd}" -t 10 wait_for network.interface."${iface}" >/dev/null 2>&1; then
ban_protov6="1" ban_protov6="1"
ban_ifv6="${ban_ifv6}${iface} " ban_ifv6="${iface}"
uci_set banip global ban_protov6 "1" uci_set banip global ban_protov6 "1"
uci_add_list banip global ban_ifv6 "${iface}" uci_add_list banip global ban_ifv6 "${iface}"
f_log "info" "added IPv6 interface '${iface}' to config"
fi fi
fi fi
fi
if [ -n "$(uci -q changes "banip")" ]; then
update="1"
uci_commit "banip"
else
ban_ifv4="${ban_ifv4%%?}" ban_ifv4="${ban_ifv4%%?}"
ban_ifv6="${ban_ifv6%%?}" ban_ifv6="${ban_ifv6%%?}"
[ -n "$(uci -q changes "banip")" ] && uci_commit "banip" for iface in ${ban_ifv4} ${ban_ifv6}; do
if ! "${ban_ubuscmd}" -t 10 wait_for network.interface."${iface}" >/dev/null 2>&1; then
f_log "err" "wan interface '${iface}' is not available, please check your configuration"
fi
done
fi fi
[ -z "${ban_ifv4}" ] && [ -z "${ban_ifv6}" ] && f_log "err" "wan interfaces not found, please check your configuration" [ -z "${ban_ifv4}" ] && [ -z "${ban_ifv6}" ] && f_log "err" "wan interfaces not found, please check your configuration"
f_log "debug" "f_getif ::: auto_detect: ${ban_autodetect}, interfaces (4/6): ${ban_ifv4}/${ban_ifv6}, protocols (4/6): ${ban_protov4}/${ban_protov6}" f_log "debug" "f_getif ::: auto/update: ${ban_autodetect}/${update}, interfaces (4/6): ${ban_ifv4}/${ban_ifv6}, protocols (4/6): ${ban_protov4}/${ban_protov6}"
} }
# get wan devices # get wan devices
# #
f_getdev() { f_getdev() {
local dev iface local dev iface update="0" cnt="0" cnt_max="10"
if [ "${ban_autodetect}" = "1" ] && [ -z "${ban_dev}" ]; then if [ "${ban_autodetect}" = "1" ]; then
for iface in ${ban_ifv4} ${ban_ifv6}; do while [ -z "${ban_dev}" ] && [ "${cnt}" -le "${cnt_max}" ]; do
network_get_device dev "${iface}" network_flush_cache
if [ -n "${dev}" ] && ! printf "%s" "${ban_dev}" | "${ban_grepcmd}" -q "${dev}"; then for iface in ${ban_ifv4} ${ban_ifv6}; do
ban_dev="${ban_dev}${dev} " network_get_device dev "${iface}"
uci_add_list banip global ban_dev "${dev}" if [ -n "${dev}" ]; then
else if printf "%s" "${dev}" | "${ban_grepcmd}" -qE "pppoe|6in4"; then
network_get_physdev dev "${iface}" dev="${iface}"
if [ -n "${dev}" ] && ! printf "%s" "${ban_dev}" | "${ban_grepcmd}" -q "${dev}"; then fi
ban_dev="${ban_dev}${dev} " if ! printf " %s " "${ban_dev}" | "${ban_grepcmd}" -q " ${dev} "; then
uci_add_list banip global ban_dev "${dev}" ban_dev="${ban_dev}${dev} "
uci_add_list banip global ban_dev "${dev}"
f_log "info" "added device '${dev}' to config"
fi
fi fi
fi done
cnt="$((cnt + 1))"
sleep 1
done done
ban_dev="${ban_dev%%?}"
[ -n "$(uci -q changes "banip")" ] && uci_commit "banip"
fi fi
if [ -n "$(uci -q changes "banip")" ]; then
update="1"
uci_commit "banip"
fi
ban_dev="${ban_dev%%?}"
[ -z "${ban_dev}" ] && f_log "err" "wan devices not found, please check your configuration" [ -z "${ban_dev}" ] && f_log "err" "wan devices not found, please check your configuration"
f_log "debug" "f_getdev ::: auto_detect: ${ban_autodetect}, devices: ${ban_dev}" f_log "debug" "f_getdev ::: auto/update: ${ban_autodetect}/${update}, devices: ${ban_dev}, cnt: ${cnt}"
} }
# get local subnets # get local subnets
# #
f_getsub() { f_getsub() {
local sub iface ip local sub iface ip update="0"
for iface in ${ban_ifv4} ${ban_ifv6}; do
network_get_subnet sub "${iface}"
if [ -n "${sub}" ] && ! printf "%s" "${ban_sub}" | "${ban_grepcmd}" -q "${sub}"; then
ban_sub="${ban_sub} ${sub}"
fi
network_get_subnet6 sub "${iface}"
if [ -n "${sub}" ] && ! printf "%s" "${ban_sub}" | "${ban_grepcmd}" -q "${sub}"; then
ban_sub="${ban_sub} ${sub}"
fi
done
if [ "${ban_autoallowlist}" = "1" ]; then if [ "${ban_autoallowlist}" = "1" ]; then
for ip in ${ban_sub}; do for iface in ${ban_ifv4} ${ban_ifv6}; do
if ! "${ban_grepcmd}" -q "${ip}" "${ban_allowlist}"; then network_flush_cache
printf "%-42s%s\n" "${ip}" "added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_allowlist}" network_get_subnet sub "${iface}"
f_log "info" "add subnet '${ip}' to local allowlist" if [ -n "${sub}" ] && ! printf " %s " "${ban_sub}" | "${ban_grepcmd}" -q " ${sub} "; then
ban_sub="${ban_sub}${sub} "
fi
network_get_subnet6 sub "${iface}"
if [ -n "${sub}" ] && ! printf " %s " "${ban_sub}" | "${ban_grepcmd}" -q " ${sub} "; then
ban_sub="${ban_sub}${sub} "
fi fi
done done
for ip in ${ban_sub}; do
if ! "${ban_grepcmd}" -q "${ip}" "${ban_allowlist}"; then
update="1"
printf "%-42s%s\n" "${ip}" "# subnet added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_allowlist}"
f_log "info" "added subnet '${ip}' to local allowlist"
fi
done
ban_sub="${ban_sub%%?}"
fi fi
[ -z "${ban_sub}" ] && f_log "err" "wan subnet(s) not found, please check your configuration"
f_log "debug" "f_getsub ::: auto_allowlist: ${ban_autoallowlist}, subnet(s): ${ban_sub:-"-"}" f_log "debug" "f_getsub ::: auto/update: ${ban_autoallowlist}/${update}, subnet(s): ${ban_sub:-"-"}"
} }
# get set elements # get set elements
@ -442,7 +465,7 @@ f_nftinit() {
feed_log="$("${ban_nftcmd}" -f "${file}" 2>&1)" feed_log="$("${ban_nftcmd}" -f "${file}" 2>&1)"
feed_rc="${?}" feed_rc="${?}"
f_log "debug" "f_nftinit ::: devices: ${ban_dev}, priority: ${ban_nftpriority}, rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}" f_log "debug" "f_nftinit ::: devices: ${ban_dev}, priority: ${ban_nftpriority}, policy: ${ban_nftpolicy}, loglevel: ${ban_nftloglevel}, rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}"
return ${feed_rc} return ${feed_rc}
} }
@ -461,9 +484,9 @@ f_down() {
tmp_flush="${ban_tmpfile}.${feed}.flush" tmp_flush="${ban_tmpfile}.${feed}.flush"
tmp_nft="${ban_tmpfile}.${feed}.nft" tmp_nft="${ban_tmpfile}.${feed}.nft"
[ "${ban_loginput}" = "1" ] && log_input="log level ${ban_loglevel} prefix \"banIP/inp-wan/drp/${feed}: \"" [ "${ban_loginput}" = "1" ] && log_input="log level ${ban_nftloglevel} prefix \"banIP/inp-wan/drp/${feed}: \""
[ "${ban_logforwardwan}" = "1" ] && log_forwardwan="log level ${ban_loglevel} prefix \"banIP/fwd-wan/drp/${feed}: \"" [ "${ban_logforwardwan}" = "1" ] && log_forwardwan="log level ${ban_nftloglevel} prefix \"banIP/fwd-wan/drp/${feed}: \""
[ "${ban_logforwardlan}" = "1" ] && log_forwardlan="log level ${ban_loglevel} prefix \"banIP/fwd-lan/rej/${feed}: \"" [ "${ban_logforwardlan}" = "1" ] && log_forwardlan="log level ${ban_nftloglevel} prefix \"banIP/fwd-lan/rej/${feed}: \""
# set source block direction # set source block direction
# #
@ -508,11 +531,11 @@ f_down() {
[ -s "${tmp_flush}" ] && cat "${tmp_flush}" [ -s "${tmp_flush}" ] && cat "${tmp_flush}"
if [ "${proto}" = "MAC" ]; then if [ "${proto}" = "MAC" ]; then
"${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s, ",tolower($1)}' "${ban_allowlist}" >"${tmp_file}" "${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s, ",tolower($1)}' "${ban_allowlist}" >"${tmp_file}"
printf "%s\n" "add set inet banIP ${feed} { type ether_addr; policy memory; $(f_getelements "${tmp_file}") }" printf "%s\n" "add set inet banIP ${feed} { type ether_addr; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ether saddr @${feed} counter accept" [ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ether saddr @${feed} counter accept"
elif [ "${proto}" = "4" ]; then elif [ "${proto}" = "4" ]; then
"${ban_awkcmd}" '/^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{printf "%s, ",$1}' "${ban_allowlist}" >"${tmp_file}" "${ban_awkcmd}" '/^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{printf "%s, ",$1}' "${ban_allowlist}" >"${tmp_file}"
printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy memory; $(f_getelements "${tmp_file}") }" printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
if [ -z "${feed_direction##*input*}" ]; then if [ -z "${feed_direction##*input*}" ]; then
if [ "${ban_allowlistonly}" = "1" ]; then if [ "${ban_allowlistonly}" = "1" ]; then
printf "%s\n" "add rule inet banIP wan-input ip saddr != @${feed} ${log_input} counter drop" printf "%s\n" "add rule inet banIP wan-input ip saddr != @${feed} ${log_input} counter drop"
@ -537,7 +560,7 @@ f_down() {
elif [ "${proto}" = "6" ]; then elif [ "${proto}" = "6" ]; then
"${ban_awkcmd}" '!/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s\n",$1}' "${ban_allowlist}" | "${ban_awkcmd}" '!/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s\n",$1}' "${ban_allowlist}" |
"${ban_awkcmd}" '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{printf "%s, ",tolower($1)}' >"${tmp_file}" "${ban_awkcmd}" '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{printf "%s, ",tolower($1)}' >"${tmp_file}"
printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy memory; $(f_getelements "${tmp_file}") }" printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
if [ -z "${feed_direction##*input*}" ]; then if [ -z "${feed_direction##*input*}" ]; then
if [ "${ban_allowlistonly}" = "1" ]; then if [ "${ban_allowlistonly}" = "1" ]; then
printf "%s\n" "add rule inet banIP wan-input ip6 saddr != @${feed} ${log_input} counter drop" printf "%s\n" "add rule inet banIP wan-input ip6 saddr != @${feed} ${log_input} counter drop"
@ -568,7 +591,7 @@ f_down() {
[ -s "${tmp_flush}" ] && cat "${tmp_flush}" [ -s "${tmp_flush}" ] && cat "${tmp_flush}"
if [ "${proto}" = "MAC" ]; then if [ "${proto}" = "MAC" ]; then
"${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s, ",tolower($1)}' "${ban_blocklist}" >"${tmp_file}" "${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s, ",tolower($1)}' "${ban_blocklist}" >"${tmp_file}"
printf "%s\n" "add set inet banIP ${feed} { type ether_addr; policy memory; $(f_getelements "${tmp_file}") }" printf "%s\n" "add set inet banIP ${feed} { type ether_addr; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ether saddr @${feed} ${log_forwardlan} counter reject" [ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ether saddr @${feed} ${log_forwardlan} counter reject"
elif [ "${proto}" = "4" ]; then elif [ "${proto}" = "4" ]; then
if [ "${ban_deduplicate}" = "1" ]; then if [ "${ban_deduplicate}" = "1" ]; then
@ -580,7 +603,7 @@ f_down() {
"${ban_awkcmd}" '/^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{printf "%s,\n",$1}' "${ban_blocklist}" >"${tmp_split}" "${ban_awkcmd}" '/^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{printf "%s,\n",$1}' "${ban_blocklist}" >"${tmp_split}"
fi fi
"${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}" "${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}"
printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval, timeout; auto-merge; policy memory; $(f_getelements "${tmp_file}") }" printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval, timeout; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} ${log_input} counter drop" [ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} ${log_input} counter drop"
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip saddr @${feed} ${log_forwardwan} counter drop" [ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip saddr @${feed} ${log_forwardwan} counter drop"
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ip daddr @${feed} ${log_forwardlan} counter reject with icmp type admin-prohibited" [ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ip daddr @${feed} ${log_forwardlan} counter reject with icmp type admin-prohibited"
@ -596,7 +619,7 @@ f_down() {
"${ban_awkcmd}" '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{printf "%s,\n",tolower($1)}' >"${tmp_split}" "${ban_awkcmd}" '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{printf "%s,\n",tolower($1)}' >"${tmp_split}"
fi fi
"${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}" "${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}"
printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval, timeout; auto-merge; policy memory; $(f_getelements "${tmp_file}") }" printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval, timeout; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} ${log_input} counter drop" [ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} ${log_input} counter drop"
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip6 saddr @${feed} ${log_forwardwan} counter drop" [ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip6 saddr @${feed} ${log_forwardwan} counter drop"
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ip6 daddr @${feed} ${log_forwardlan} counter reject with icmpv6 type admin-prohibited" [ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ip6 daddr @${feed} ${log_forwardlan} counter reject with icmpv6 type admin-prohibited"
@ -691,7 +714,7 @@ f_down() {
# #
printf "%s\n\n" "#!/usr/sbin/nft -f" printf "%s\n\n" "#!/usr/sbin/nft -f"
[ -s "${tmp_flush}" ] && cat "${tmp_flush}" [ -s "${tmp_flush}" ] && cat "${tmp_flush}"
printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy memory; $(f_getelements "${tmp_file}.1") }" printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}.1") }"
# input and forward rules # input and forward rules
# #
@ -705,7 +728,7 @@ f_down() {
# #
printf "%s\n\n" "#!/usr/sbin/nft -f" printf "%s\n\n" "#!/usr/sbin/nft -f"
[ -s "${tmp_flush}" ] && cat "${tmp_flush}" [ -s "${tmp_flush}" ] && cat "${tmp_flush}"
printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy memory; $(f_getelements "${tmp_file}.1") }" printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}.1") }"
# input and forward rules # input and forward rules
# #
@ -737,7 +760,9 @@ f_down() {
fi fi
rm -f "${split_file}" rm -f "${split_file}"
done done
cnt_set="$("${ban_nftcmd}" -j list set inet banIP "${feed}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)" if [ "${ban_debug}" = "1" ] && [ "${ban_reportelements}" = "1" ]; then
cnt_set="$("${ban_nftcmd}" -j list set inet banIP "${feed}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)"
fi
fi fi
else else
f_log "info" "empty feed ${feed} will be skipped" f_log "info" "empty feed ${feed} will be skipped"
@ -825,9 +850,11 @@ f_genstatus() {
duration="$(((ban_endtime - ban_starttime) / 60))m $(((ban_endtime - ban_starttime) % 60))s" duration="$(((ban_endtime - ban_starttime) / 60))m $(((ban_endtime - ban_starttime) % 60))s"
fi fi
table_sets="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null | jsonfilter -qe '@.nftables[@.set.table="banIP"].set.name')" table_sets="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null | jsonfilter -qe '@.nftables[@.set.table="banIP"].set.name')"
for set in ${table_sets}; do if [ "${ban_reportelements}" = "1" ]; then
cnt_elements="$((cnt_elements + $("${ban_nftcmd}" -j list set inet banIP "${set}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)))" for set in ${table_sets}; do
done cnt_elements="$((cnt_elements + $("${ban_nftcmd}" -j list set inet banIP "${set}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)))"
done
fi
runtime="action: ${ban_action:-"-"}, duration: ${duration:-"-"}, date: $(date "+%Y-%m-%d %H:%M:%S")" runtime="action: ${ban_action:-"-"}, duration: ${duration:-"-"}, date: $(date "+%Y-%m-%d %H:%M:%S")"
fi fi
f_system f_system
@ -863,14 +890,6 @@ f_genstatus() {
json_add_string "device" "${object}" json_add_string "device" "${object}"
json_close_object json_close_object
done done
fi
json_close_array
json_add_array "active_interfaces"
if [ "${status}" != "active" ]; then
json_add_object
json_add_string "interface" "-"
json_close_object
else
for object in ${ban_ifv4} ${ban_ifv6}; do for object in ${ban_ifv4} ${ban_ifv6}; do
json_add_object json_add_object
json_add_string "interface" "${object}" json_add_string "interface" "${object}"
@ -891,6 +910,7 @@ f_genstatus() {
done done
fi fi
json_close_array json_close_array
json_add_string "nft_info" "priority: ${ban_nftpriority}, policy: ${ban_nftpolicy}, loglevel: ${ban_nftloglevel}, expiry: ${ban_nftexpiry:-"-"}"
json_add_string "run_info" "base: ${ban_basedir}, backup: ${ban_backupdir}, report: ${ban_reportdir}, feed: ${ban_feedfile}" json_add_string "run_info" "base: ${ban_basedir}, backup: ${ban_backupdir}, report: ${ban_reportdir}, feed: ${ban_feedfile}"
json_add_string "run_flags" "auto: $(f_char ${ban_autodetect}), proto (4/6): $(f_char ${ban_protov4})/$(f_char ${ban_protov6}), log (wan-inp/wan-fwd/lan-fwd): $(f_char ${ban_loginput})/$(f_char ${ban_logforwardwan})/$(f_char ${ban_logforwardlan}), dedup: $(f_char ${ban_deduplicate}), split: $(f_char ${split}), allowed only: $(f_char ${ban_allowlistonly})" json_add_string "run_flags" "auto: $(f_char ${ban_autodetect}), proto (4/6): $(f_char ${ban_protov4})/$(f_char ${ban_protov6}), log (wan-inp/wan-fwd/lan-fwd): $(f_char ${ban_loginput})/$(f_char ${ban_logforwardwan})/$(f_char ${ban_logforwardlan}), dedup: $(f_char ${ban_deduplicate}), split: $(f_char ${split}), allowed only: $(f_char ${ban_allowlistonly})"
json_add_string "last_run" "${runtime:-"-"}" json_add_string "last_run" "${runtime:-"-"}"
@ -901,7 +921,7 @@ f_genstatus() {
# get status information # get status information
# #
f_getstatus() { f_getstatus() {
local key keylist type value index_value actual="${1}" local key keylist type value index_key1 index_key2 index_value1 index_value2 actual="${1}"
[ -z "${ban_dev}" ] && f_conf [ -z "${ban_dev}" ] && f_conf
json_load_file "${ban_rtfile}" >/dev/null 2>&1 json_load_file "${ban_rtfile}" >/dev/null 2>&1
@ -911,22 +931,45 @@ f_getstatus() {
json_get_var value "${key}" >/dev/null 2>&1 json_get_var value "${key}" >/dev/null 2>&1
if [ "${key}" = "status" ]; then if [ "${key}" = "status" ]; then
value="${value} ($(f_actual))" value="${value} ($(f_actual))"
elif [ "${key}" = "active_devices" ]; then
json_select "${key}" >/dev/null 2>&1
index=1
while json_get_type type "${index}" && [ "${type}" = "object" ]; do
json_get_keys index_key1 "${index}" >/dev/null 2>&1
json_get_keys index_key2 "$((index + 1))" >/dev/null 2>&1
json_get_values index_value1 "${index}" >/dev/null 2>&1
if [ "${index}" = "1" ] && [ "${index_key1// /}" = "device" ] && [ "${index_key2// /}" = "interface" ]; then
json_get_values index_value2 "$((index + 1))" >/dev/null 2>&1
value="${index_value1} ::: ${index_value2}"
index="$((index + 1))"
elif [ "${index}" = "1" ]; then
value="${index_value1}"
elif [ "${index}" != "1" ] && [ "${index_key1// /}" = "device" ] && [ "${index_key2// /}" = "interface" ]; then
json_get_values index_value2 "$((index + 1))" >/dev/null 2>&1
value="${value}, ${index_value1} ::: ${index_value2}"
index="$((index + 1))"
elif [ "${index}" != "1" ]; then
value="${value}, ${index_value1}"
fi
index="$((index + 1))"
done
json_select ".."
elif [ "${key%_*}" = "active" ]; then elif [ "${key%_*}" = "active" ]; then
json_select "${key}" >/dev/null 2>&1 json_select "${key}" >/dev/null 2>&1
index=1 index=1
while json_get_type type "${index}" && [ "${type}" = "object" ]; do while json_get_type type "${index}" && [ "${type}" = "object" ]; do
json_get_values index_value "${index}" >/dev/null 2>&1 json_get_values index_value1 "${index}" >/dev/null 2>&1
if [ "${index}" = "1" ]; then if [ "${index}" = "1" ]; then
value="${index_value}" value="${index_value1}"
else else
value="${value}, ${index_value}" value="${value}, ${index_value1}"
fi fi
index=$((index + 1)) index="$((index + 1))"
done done
json_select ".." json_select ".."
fi fi
value="$(printf "%s" "${value}" | value="$(printf "%s" "${value}" |
awk '{NR=1;max=118;if(length($0)>max+1)while($0){if(NR==1){print substr($0,1,max)}else{printf"%-24s%s\n","",substr($0,1,max)}{$0=substr($0,max+1);NR=NR+1}}else print}')" awk '{NR=1;max=118;if(length($0)>max+1)while($0){if(NR==1){print substr($0,1,max)}else{printf"%-24s%s\n","",substr($0,1,max)}{$0=substr($0,max+1);NR=NR+1}}else print}')"
printf " + %-17s : %s\n" "${key}" "${value:-"-"}" printf " + %-17s : %s\n" "${key}" "${value:-"-"}"
done done
else else
@ -967,9 +1010,9 @@ f_lookup() {
fi fi
fi fi
if [ "${feed}" = "allowlist" ] && [ "${ban_autoallowlist}" = "1" ]; then if [ "${feed}" = "allowlist" ] && [ "${ban_autoallowlist}" = "1" ]; then
printf "%-42s%s\n" "${ip}" "# ip of '${domain}' added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_allowlist}" printf "%-42s%s\n" "${ip}" "# '${domain}' added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_allowlist}"
elif [ "${feed}" = "blocklist" ] && [ "${ban_autoblocklist}" = "1" ]; then elif [ "${feed}" = "blocklist" ] && [ "${ban_autoblocklist}" = "1" ]; then
printf "%-42s%s\n" "${ip}" "# ip of '${domain}' added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_blocklist}" printf "%-42s%s\n" "${ip}" "# '${domain}' added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_blocklist}"
fi fi
fi fi
fi fi
@ -1151,6 +1194,7 @@ f_search() {
f_system f_system
run_search="/var/run/banIP.search" run_search="/var/run/banIP.search"
if [ -n "${search}" ]; then if [ -n "${search}" ]; then
ip="$(printf "%s" "${search}" | "${ban_awkcmd}" 'BEGIN{RS="(([0-9]{1,3}\\.){3}[0-9]{1,3})+"}{printf "%s",RT}')" ip="$(printf "%s" "${search}" | "${ban_awkcmd}" 'BEGIN{RS="(([0-9]{1,3}\\.){3}[0-9]{1,3})+"}{printf "%s",RT}')"
[ -n "${ip}" ] && proto="v4" [ -n "${ip}" ] && proto="v4"
@ -1158,24 +1202,21 @@ f_search() {
ip="$(printf "%s" "${search}" | "${ban_awkcmd}" 'BEGIN{RS="([A-Fa-f0-9]{1,4}::?){3,7}[A-Fa-f0-9]{1,4}"}{printf "%s",RT}')" ip="$(printf "%s" "${search}" | "${ban_awkcmd}" 'BEGIN{RS="([A-Fa-f0-9]{1,4}::?){3,7}[A-Fa-f0-9]{1,4}"}{printf "%s",RT}')"
[ -n "${ip}" ] && proto="v6" [ -n "${ip}" ] && proto="v6"
fi fi
if [ -n "${proto}" ]; then fi
table_sets="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null | jsonfilter -qe "@.nftables[@.set.table=\"banIP\"&&@.set.type=\"ip${proto}_addr\"].set.name")" if [ -n "${proto}" ]; then
else table_sets="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null | jsonfilter -qe "@.nftables[@.set.table=\"banIP\"&&@.set.type=\"ip${proto}_addr\"].set.name")"
printf "%s\n%s\n%s\n" ":::" "::: no valid search input (single IPv4/IPv6 address)" ":::"
return
fi
else else
printf "%s\n%s\n%s\n" ":::" "::: no valid search input (single IPv4/IPv6 address)" ":::" printf "%s\n%s\n%s\n" ":::" "::: no valid search input" ":::"
return return
fi fi
printf "%s\n%s\n%s\n" ":::" "::: banIP Search" ":::" printf "%s\n%s\n%s\n" ":::" "::: banIP Search" ":::"
printf "%s\n" " Looking for IP ${ip} on $(date "+%Y-%m-%d %H:%M:%S")" printf "%s\n" " Looking for IP '${ip}' on $(date "+%Y-%m-%d %H:%M:%S")"
printf "%s\n" " ---" printf "%s\n" " ---"
cnt=1 cnt=1
for set in ${table_sets}; do for set in ${table_sets}; do
( (
if "${ban_nftcmd}" get element inet banIP "${set}" "{ ${ip} }" >/dev/null 2>&1; then if "${ban_nftcmd}" get element inet banIP "${set}" "{ ${ip} }" >/dev/null 2>&1; then
printf "%s\n" " IP found in set ${set}" printf "%s\n" " IP found in Set '${set}'"
: >"${run_search}" : >"${run_search}"
fi fi
) & ) &
@ -1184,8 +1225,11 @@ f_search() {
cnt="$((cnt + 1))" cnt="$((cnt + 1))"
done done
wait wait
[ ! -f "${run_search}" ] && printf "%s\n" " IP not found" if [ ! -f "${run_search}" ]; then
rm -f "${run_search}" printf "%s\n" " IP not found"
else
rm -f "${run_search}"
fi
} }
# set survey # set survey
@ -1197,11 +1241,11 @@ f_survey() {
[ -n "${set}" ] && set_elements="$("${ban_nftcmd}" -j list set inet banIP "${set}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]')" [ -n "${set}" ] && set_elements="$("${ban_nftcmd}" -j list set inet banIP "${set}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]')"
if [ -z "${set}" ] || [ -z "${set_elements}" ]; then if [ -z "${set}" ] || [ -z "${set_elements}" ]; then
printf "%s\n%s\n%s\n" ":::" "::: no valid survey input (single banIP set name)" ":::" printf "%s\n%s\n%s\n" ":::" "::: no valid survey input" ":::"
return return
fi fi
printf "%s\n%s\n%s\n" ":::" "::: banIP Survey" ":::" printf "%s\n%s\n%s\n" ":::" "::: banIP Survey" ":::"
printf "%s\n" " List the elements of set ${set} on $(date "+%Y-%m-%d %H:%M:%S")" printf "%s\n" " List the elements of Set '${set}' on $(date "+%Y-%m-%d %H:%M:%S")"
printf "%s\n" " ---" printf "%s\n" " ---"
printf "%s\n" "${set_elements}" printf "%s\n" "${set_elements}"
} }


@ -174,7 +174,7 @@ if [ -x "${ban_logreadcmd}" ] && [ -n "${ban_logterm%%??}" ]; then
log_count="$(printf "%s\n" "${log_raw}" | grep -c "found '${ip}'")" log_count="$(printf "%s\n" "${log_raw}" | grep -c "found '${ip}'")"
if [ "${log_count}" -ge "${ban_logcount}" ]; then if [ "${log_count}" -ge "${ban_logcount}" ]; then
if "${ban_nftcmd}" add element inet banIP "blocklist${proto}" "{ ${ip} ${nft_expiry} }" >/dev/null 2>&1; then if "${ban_nftcmd}" add element inet banIP "blocklist${proto}" "{ ${ip} ${nft_expiry} }" >/dev/null 2>&1; then
f_log "info" "added IP${proto} '${ip}' (${nft_expiry:-"-"}) to blocklist${proto} set" f_log "info" "added IP${proto} '${ip}' (expiry: ${nft_expiry:-"-"}) to blocklist${proto} set"
if [ "${ban_autoblocklist}" = "1" ] && ! grep -q "^${ip}" "${ban_blocklist}"; then if [ "${ban_autoblocklist}" = "1" ] && ! grep -q "^${ip}" "${ban_blocklist}"; then
printf "%-42s%s\n" "${ip}" "# added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_blocklist}" printf "%-42s%s\n" "${ip}" "# added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_blocklist}"
f_log "info" "added IP${proto} '${ip}' to local blocklist" f_log "info" "added IP${proto} '${ip}' to local blocklist"


@ -97,7 +97,7 @@ service_triggers() {
local iface trigger delay local iface trigger delay
trigger="$(uci_get banip global ban_trigger)" trigger="$(uci_get banip global ban_trigger)"
delay="$(uci_get banip global ban_triggerdelay "5")" delay="$(uci_get banip global ban_triggerdelay "10")"
PROCD_RELOAD_DELAY=$((delay * 1000)) PROCD_RELOAD_DELAY=$((delay * 1000))
for iface in ${trigger}; do for iface in ${trigger}; do
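Review bot: The fallback on the `delay=` line moves from 5 to 10 seconds, which is a user-visible change to the reload timing that none of the bullets in the commit message mentions; a short line there, and a check that the readme's documented default for `ban_triggerdelay` (if it states one) now agrees, would keep the record consistent. The value still reaches `PROCD_RELOAD_DELAY=$((delay * 1000))` on the next line without validation, so a non-numeric `ban_triggerdelay` set in uci would presumably yield an arithmetic error or a zero delay instead of the intended default; a guard such as `case "${delay}" in ''|*[!0-9]*) delay="10" ;; esac` placed before the arithmetic would cover that. The enclosing service_triggers function starts and ends outside the hunk.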