banip: release 1.6.0-1

* split block/logging rules (fixed #27990)
* adapt reload functions to support the new split logic
* the banIP status now includes the backend- and the frontend version information
* fixed a config parsing error with non-existing dirs (reported in the forum)
* fixed a small reporting issue (reported in the forum)
* added a new public dns feed (by default restricted to outbound, ports 53 and 853)
* added a new gawk dependency due to significant performance gains
* LuCI: no longer call the logread binary, use rpc / the ubus log object instead
* LuCI: various code cleanups
* LuCI: various small usability improvements
* readme update

Signed-off-by: Dirk Brenken <dev@brenken.org>
Dirk Brenken
2025-12-04 20:25:29 +01:00
parent e93f03aadd
commit c47d8b149c
5 changed files with 168 additions and 64 deletions


@@ -5,8 +5,8 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=banip
PKG_VERSION:=1.5.6
PKG_RELEASE:=7
PKG_VERSION:=1.6.0
PKG_RELEASE:=1
PKG_LICENSE:=GPL-3.0-or-later
PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>
@@ -16,7 +16,7 @@ define Package/banip
SECTION:=net
CATEGORY:=Network
TITLE:=banIP blocks IPs via named nftables Sets
DEPENDS:=+jshn +jsonfilter +firewall4 +ca-bundle +rpcd +rpcd-mod-rpcsys
DEPENDS:=+jshn +jsonfilter +firewall4 +gawk +ca-bundle +rpcd +rpcd-mod-rpcsys
PKGARCH:=all
endef


@@ -26,7 +26,8 @@ IP address blocking is commonly used to protect against brute force attacks, pre
| country | country blocks | x | | | [Link](https://www.ipdeny.com/ipblocks) |
| cinsscore | suspicious attacker IPs | x | | | [Link](https://cinsscore.com/#list) |
| debl | fail2ban IP blacklist | x | | | [Link](https://www.blocklist.de) |
| doh | public DoH-Provider | | x | tcp, udp: 80, 443 | [Link](https://github.com/dibdot/DoH-IP-blocklists) |
| dns | public DNS-Server | | x | tcp, udp: 53, 853 | [Link](https://public-dns.info) |
| doh | public DoH-Server | | x | tcp, udp: 80, 443 | [Link](https://github.com/dibdot/DoH-IP-blocklists) |
| drop | spamhaus drop compilation | x | | | [Link](https://www.spamhaus.org) |
| dshield | dshield IP blocklist | x | | | [Link](https://www.dshield.org) |
| etcompromised | ET compromised hosts | x | | | [Link](https://iplists.firehol.org/?ipset=et_compromised) |
@@ -95,14 +96,14 @@ IP address blocking is commonly used to protect against brute force attacks, pre
<a id="prerequisites"></a>
## Prerequisites
* **[OpenWrt](https://openwrt.org)**, latest stable release 24.x or a development snapshot with nft/firewall 4 support
* **[OpenWrt](https://openwrt.org)**, latest stable release or a development snapshot with nft/firewall 4 support
* A download utility with SSL support: 'curl', full 'wget' or 'uclient-fetch' with one of the 'libustream-*' SSL libraries, the latter one doesn't provide support for ETag HTTP header
* A certificate store like 'ca-bundle', as banIP checks the validity of the SSL certificates of all download sites by default
* For E-Mail notifications you need to install and setup the additional 'msmtp' package
**Please note:**
* Devices with less than 256MB of RAM are **_not_** supported
* Latest banIP 1.5.x does **_not_** support OpenWrt 23.x because the kernel and the nft library are outdated (use former banIP 1.0.x instead)
* Latest banIP does **_not_** support OpenWrt 23.x because the kernel and the nft library are outdated (use former banIP 1.0.x instead)
* Any previous custom feeds file of banIP 1.0.x must be cleared and it's recommended to start with a fresh banIP default config
<a id="installation-and-usage"></a>
@@ -339,19 +340,19 @@ Available commands:
**banIP runtime information**
```
~# /etc/init.d/banip status
::: banIP runtime information
+ status : active (nft: ✔, monitor: ✔)
+ version : 1.5.6-r4
+ element_count : 128 751 (chains: 7, sets: 19, rules: 47)
+ active_feeds : allowlist.v4MAC, allowlist.v6MAC, allowlist.v4, allowlist.v6, cinsscore.v4, debl.v4, country.v6, debl.v6, doh.v4, doh.v6, country.v4, threat.v4, hagezi.v4, turris.v4, turris.v6, blocklist.v4MAC, blocklist.v6MAC, blocklist.v4, blocklist.v6
+ frontend_ver : 1.6.0-r1
+ backend_ver : 1.6.0-r1
+ element_count : 223 563 (chains: 7, sets: 22, rules: 75)
+ active_feeds : allowlist.v4MAC, allowlist.v6MAC, allowlist.v4, allowlist.v6, cinsscore.v4, debl.v4, country.v6, debl.v6, country.v4, dns.v4, dns.v6, doh.v4, doh.v6, firehol1.v4, hagezi.v4, threat.v4, turris.v4, turris.v6, blocklist.v4MAC, blocklist.v6MAC, blocklist.v4, blocklist.v6
+ active_devices : wan: pppoe-wan / wan-if: wan, wan_6 / vlan-allow: - / vlan-block: -
+ active_uplink : 91.61.111.35, 2004:fc:45fe:678:c890:e2a3:c729:dc13
+ nft_info : ver: 1.1.1-r1, priority: -100, policy: performance, loglevel: warn, expiry: 2h, limit (icmp/syn/udp): 25/10/100
+ active_uplink : 5.73.187.13, 2a04:5700:104:c65a:dc41:4131:409:227c
+ nft_info : ver: 1.1.5-r1, priority: -100, policy: performance, loglevel: warn, expiry: 2h, limit (icmp/syn/udp): 25/10/100
+ run_info : base: /mnt/data/banIP, backup: /mnt/data/banIP/backup, report: /mnt/data/banIP/report, error: /mnt/data/banIP/error
+ run_flags : auto: ✔, proto (4/6): ✔/✔, log (pre/in/out): ✘/✘/✔, count: ✔, dedup: ✔, split: ✘, custom feed: , allowed only: ✘
+ last_run : mode: restart, 2025-06-08 21:11:21, duration: 0m 22s, memory: 1310.16 MB available
+ system_info : cores: 4, log: logread, fetch: curl, Bananapi BPI-R3, mediatek/filogic, OpenWrt SNAPSHOT r29955-8b24289a52
+ run_flags : auto: ✔, proto (4/6): ✔/✔, log (pre/in/out): ✔/✔/✔, count: ✔, dedup: ✔, split: ✘, custom feed: , allowed only: ✘
+ last_run : mode: restart, 2025-12-04 10:00:41, duration: 0m 48s, memory: 1361.54 MB available
+ system_info : cores: 4, log: logread, fetch: curl, Bananapi BPI-R3, mediatek/filogic, OpenWrt SNAPSHOT r32101-28cc1c368c
```
**banIP search information**


@@ -105,7 +105,8 @@ f_system() {
ban_debug="$(uci_get banip global ban_debug "0")"
ban_cores="$(uci_get banip global ban_cores)"
ban_packages="$("${ban_ubuscmd}" -S call rpc-sys packagelist '{ "all": true }' 2>/dev/null)"
ban_ver="$(printf "%s" "${ban_packages}" | "${ban_jsoncmd}" -ql1 -e '@.packages.banip')"
ban_bver="$(printf "%s" "${ban_packages}" | "${ban_jsoncmd}" -ql1 -e '@.packages.banip')"
ban_fver="$(printf "%s" "${ban_packages}" | "${ban_jsoncmd}" -ql1 -e '@.packages["luci-app-banip"]')"
ban_sysver="$("${ban_ubuscmd}" -S call system board 2>/dev/null | "${ban_jsoncmd}" -ql1 -e '@.model' -e '@.release.target' -e '@.release.distribution' -e '@.release.version' -e '@.release.revision' |
"${ban_awkcmd}" 'BEGIN{RS="";FS="\n"}{printf "%s, %s, %s %s %s %s",$1,$2,$3,$4,$5,$6}')"
@@ -233,9 +234,9 @@ f_log() {
if [ -n "${log_msg}" ] && { [ "${class}" != "debug" ] || [ "${ban_debug}" = "1" ]; }; then
if [ -x "${ban_logcmd}" ]; then
"${ban_logcmd}" -p "${class}" -t "banIP-${ban_ver}[${$}]" "${log_msg::256}"
"${ban_logcmd}" -p "${class}" -t "banIP-${ban_bver}[${$}]" "${log_msg::256}"
else
printf "%s %s %s\n" "${class}" "banIP-${ban_ver}[${$}]" "${log_msg::256}"
printf "%s %s %s\n" "${class}" "banIP-${ban_bver}[${$}]" "${log_msg::256}"
fi
fi
if [ "${class}" = "err" ] || [ "${class}" = "emerg" ]; then
@@ -264,24 +265,20 @@ f_conf() {
option_cb() {
local option="${1}" value="${2//\"/\\\"}"
if [ -d "${value}" ] || { [ ! -d "${value}" ] && [ -n "${value%%[./]*}" ]; }; then
eval "${option}=\"${value}\""
fi
eval "${option}=\"${value}\""
}
list_cb() {
local append option="${1}" value="${2//\"/\\\"}"
if [ -d "${value}" ] || { [ ! -d "${value}" ] && [ -n "${value%%[./]*}" ]; }; then
eval "append=\"\${${option}}\""
case "${option}" in
"ban_logterm")
eval "${option}=\"${append}${value}\\|\""
;;
*)
eval "${option}=\"${append}${value} \""
;;
esac
fi
eval "append=\"\${${option}}\""
case "${option}" in
"ban_logterm")
eval "${option}=\"${append}${value}\\|\""
;;
*)
eval "${option}=\"${append}${value} \""
;;
esac
}
}
config_load banip
@@ -666,14 +663,43 @@ f_nftinit() {
# default pre-routing rules
#
printf "%s\n" "add rule inet banIP pre-routing iifname != { ${wan_dev} } counter accept"
printf "%s\n" "add rule inet banIP pre-routing ct state invalid ${log_ct} counter name cnt_ctinvalid drop"
[ "${ban_icmplimit}" -gt "0" ] && printf "%s\n" "add rule inet banIP pre-routing meta nfproto . meta l4proto { ipv4 . icmp , ipv6 . icmpv6 } limit rate over ${ban_icmplimit}/second ${log_icmp} counter name cnt_icmpflood drop"
[ "${ban_udplimit}" -gt "0" ] && printf "%s\n" "add rule inet banIP pre-routing meta l4proto udp ct state new limit rate over ${ban_udplimit}/second ${log_udp} counter name cnt_udpflood drop"
[ "${ban_synlimit}" -gt "0" ] && printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|ack) == syn limit rate over ${ban_synlimit}/second ${log_syn} counter name cnt_synflood drop"
printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn) == (fin|syn) ${log_tcp} counter name cnt_tcpinvalid drop"
printf "%s\n" "add rule inet banIP pre-routing tcp flags & (syn|rst) == (syn|rst) ${log_tcp} counter name cnt_tcpinvalid drop"
printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) ${log_tcp} counter name cnt_tcpinvalid drop"
printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) ${log_tcp} counter name cnt_tcpinvalid drop"
# ct state invalid
if [ "${ban_logprerouting}" = "1" ]; then
printf "%s\n" "add rule inet banIP pre-routing ct state invalid ${log_ct}"
fi
printf "%s\n" "add rule inet banIP pre-routing ct state invalid counter name cnt_ctinvalid drop"
# ICMP Flood
if [ "${ban_icmplimit}" -gt "0" ]; then
if [ "${ban_logprerouting}" = "1" ]; then
printf "%s\n" "add rule inet banIP pre-routing meta nfproto . meta l4proto { ipv4 . icmp , ipv6 . icmpv6 } limit rate over ${ban_icmplimit}/second ${log_icmp}"
fi
printf "%s\n" "add rule inet banIP pre-routing meta nfproto . meta l4proto { ipv4 . icmp , ipv6 . icmpv6 } limit rate over ${ban_icmplimit}/second counter name cnt_icmpflood drop"
fi
# UDP Flood
if [ "${ban_udplimit}" -gt "0" ]; then
if [ "${ban_logprerouting}" = "1" ]; then
printf "%s\n" "add rule inet banIP pre-routing meta l4proto udp ct state new limit rate over ${ban_udplimit}/second ${log_udp}"
fi
printf "%s\n" "add rule inet banIP pre-routing meta l4proto udp ct state new limit rate over ${ban_udplimit}/second counter name cnt_udpflood drop"
fi
# SYN Flood
if [ "${ban_synlimit}" -gt "0" ]; then
if [ "${ban_logprerouting}" = "1" ]; then
printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|ack) == syn limit rate over ${ban_synlimit}/second ${log_syn}"
fi
printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|ack) == syn limit rate over ${ban_synlimit}/second counter name cnt_synflood drop"
fi
# TCP Invalid
if [ "${ban_logprerouting}" = "1" ]; then
printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn) == (fin|syn) ${log_tcp}"
printf "%s\n" "add rule inet banIP pre-routing tcp flags & (syn|rst) == (syn|rst) ${log_tcp}"
printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) ${log_tcp}"
printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) ${log_tcp}"
fi
printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn) == (fin|syn) counter name cnt_tcpinvalid drop"
printf "%s\n" "add rule inet banIP pre-routing tcp flags & (syn|rst) == (syn|rst) counter name cnt_tcpinvalid drop"
printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) counter name cnt_tcpinvalid drop"
printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) counter name cnt_tcpinvalid drop"
# default wan-input rules
#
@@ -683,14 +709,22 @@ f_nftinit() {
printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 udp sport 547 udp dport 546 counter accept"
printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } ip6 hoplimit 255 counter accept"
[ -n "${allow_dport}" ] && printf "%s\n" "add rule inet banIP wan-input ${allow_dport} counter accept"
[ "${ban_loginbound}" = "1" ] && printf "%s\n" "add rule inet banIP wan-input meta mark set 1 counter jump _inbound" || printf "%s\n" "add rule inet banIP wan-input counter jump _inbound"
if [ "${ban_loginbound}" = "1" ]; then
printf "%s\n" "add rule inet banIP wan-input meta mark set 1 counter jump _inbound"
else
printf "%s\n" "add rule inet banIP wan-input counter jump _inbound"
fi
# default wan-forward rules
#
printf "%s\n" "add rule inet banIP wan-forward iifname != { ${wan_dev} } counter accept"
printf "%s\n" "add rule inet banIP wan-forward ct state established,related counter accept"
[ -n "${allow_dport}" ] && printf "%s\n" "add rule inet banIP wan-forward ${allow_dport} counter accept"
[ "${ban_loginbound}" = "1" ] && printf "%s\n" "add rule inet banIP wan-forward meta mark set 2 counter jump _inbound" || printf "%s\n" "add rule inet banIP wan-forward counter jump _inbound"
if [ "${ban_loginbound}" = "1" ]; then
printf "%s\n" "add rule inet banIP wan-forward meta mark set 2 counter jump _inbound"
else
printf "%s\n" "add rule inet banIP wan-forward counter jump _inbound"
fi
# default lan-forward rules
#
@@ -715,7 +749,7 @@ f_nftinit() {
# handle downloads
#
f_down() {
local log_inbound log_outbound start_ts end_ts tmp_raw tmp_load tmp_file split_file table_json handle etag_rc etag_cnt element_count
local log_inbound log_outbound start_ts end_ts tmp_raw tmp_load tmp_file split_file table_json handles handle etag_rc etag_cnt element_count
local expr cnt_set cnt_dl restore_rc feed_direction feed_policy feed_rc feed_comp feed_complete feed_target feed_dport chain flag
local tmp_proto tmp_port asn country feed="${1}" proto="${2}" feed_url="${3}" feed_rule="${4}" feed_chain="${5}" feed_flag="${6}"
@@ -820,8 +854,10 @@ f_down() {
{
for chain in _inbound _outbound; do
for expr in 0 1 2; do
handle="$(printf "%s\n" "${table_json}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.chain=\"${chain}\"][@.expr[${expr}].match.right=\"@${feed}\"].handle")"
[ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP ${chain} handle ${handle}"
handles="$(printf "%s\n" "${table_json}" | "${ban_jsoncmd}" -q -e "@.nftables[@.rule.chain=\"${chain}\"][@.expr[${expr}].match.right=\"@${feed}\"].handle" | xargs)"
for handle in ${handles}; do
printf "%s\n" "delete rule inet banIP ${chain} handle ${handle}"
done
done
done
printf "%s\n" "flush set inet banIP ${feed}"
@@ -933,14 +969,20 @@ f_down() {
printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; ${element_count}; $(f_getelements "${tmp_file}") }"
if [ -z "${feed_direction##*inbound*}" ]; then
if [ "${ban_allowlistonly}" = "1" ]; then
printf "%s\n" "add rule inet banIP _inbound ip saddr != @${feed} ${log_inbound} counter ${feed_target}"
if [ "${ban_loginbound}" = "1" ]; then
printf "%s\n" "add rule inet banIP _inbound ip saddr != @${feed} ${log_inbound}"
fi
printf "%s\n" "add rule inet banIP _inbound ip saddr != @${feed} counter ${feed_target}"
else
printf "%s\n" "add rule inet banIP _inbound ip saddr @${feed} counter accept"
fi
fi
if [ -z "${feed_direction##*outbound*}" ]; then
if [ "${ban_allowlistonly}" = "1" ]; then
printf "%s\n" "add rule inet banIP _outbound ip daddr != @${feed} ${log_outbound} counter goto _reject"
if [ "${ban_logoutbound}" = "1" ]; then
printf "%s\n" "add rule inet banIP _outbound ip daddr != @${feed} ${log_outbound}"
fi
printf "%s\n" "add rule inet banIP _outbound ip daddr != @${feed} counter goto _reject"
else
printf "%s\n" "add rule inet banIP _outbound ip daddr @${feed} counter accept"
fi
@@ -952,14 +994,20 @@ f_down() {
printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; ${element_count}; $(f_getelements "${tmp_file}") }"
if [ -z "${feed_direction##*inbound*}" ]; then
if [ "${ban_allowlistonly}" = "1" ]; then
printf "%s\n" "add rule inet banIP _inbound ip6 saddr != @${feed} ${log_inbound} counter ${feed_target}"
if [ "${ban_loginbound}" = "1" ]; then
printf "%s\n" "add rule inet banIP _inbound ip6 saddr != @${feed} ${log_inbound}"
fi
printf "%s\n" "add rule inet banIP _inbound ip6 saddr != @${feed} counter ${feed_target}"
else
printf "%s\n" "add rule inet banIP _inbound ip6 saddr @${feed} counter accept"
fi
fi
if [ -z "${feed_direction##*outbound*}" ]; then
if [ "${ban_allowlistonly}" = "1" ]; then
printf "%s\n" "add rule inet banIP _outbound ip6 daddr != @${feed} ${log_outbound} counter ${feed_target}"
if [ "${ban_logoutbound}" = "1" ]; then
printf "%s\n" "add rule inet banIP _outbound ip6 daddr != @${feed} ${log_outbound}"
fi
printf "%s\n" "add rule inet banIP _outbound ip6 daddr != @${feed} counter ${feed_target}"
else
printf "%s\n" "add rule inet banIP _outbound ip6 daddr @${feed} counter accept"
fi
@@ -988,16 +1036,36 @@ f_down() {
"${ban_awkcmd}" '/^127\./{next}/^(([1-9][0-9]?[0-9]?\.){1}([0-9]{1,3}\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]].*|$)/{printf "%s,\n",$1}' "${ban_blocklist}" |
"${ban_awkcmd}" '{ORS=" ";print}' >"${tmp_file}"
printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval, timeout; auto-merge; policy ${ban_nftpolicy}; ${element_count}; $(f_getelements "${tmp_file}") }"
[ -z "${feed_direction##*inbound*}" ] && printf "%s\n" "add rule inet banIP _inbound ip saddr @${feed} ${log_inbound} counter ${feed_target}"
[ -z "${feed_direction##*outbound*}" ] && printf "%s\n" "add rule inet banIP _outbound ip daddr @${feed} ${log_outbound} counter goto _reject"
if [ -z "${feed_direction##*inbound*}" ]; then
if [ "${ban_loginbound}" = "1" ]; then
printf "%s\n" "add rule inet banIP _inbound ip saddr @${feed} ${log_inbound}"
fi
printf "%s\n" "add rule inet banIP _inbound ip saddr @${feed} counter ${feed_target}"
fi
if [ -z "${feed_direction##*outbound*}" ]; then
if [ "${ban_logoutbound}" = "1" ]; then
printf "%s\n" "add rule inet banIP _outbound ip daddr @${feed} ${log_outbound}"
fi
printf "%s\n" "add rule inet banIP _outbound ip daddr @${feed} counter goto _reject"
fi
;;
"6")
"${ban_awkcmd}" '!/^([0-9A-f]{2}:){5}[0-9A-f]{2}.*/{printf "%s\n",$1}' "${ban_blocklist}" |
"${ban_awkcmd}" '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]].*|$)/{printf "%s,\n",tolower($1)}' |
"${ban_awkcmd}" '{ORS=" ";print}' >"${tmp_file}"
printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval, timeout; auto-merge; policy ${ban_nftpolicy}; ${element_count}; $(f_getelements "${tmp_file}") }"
[ -z "${feed_direction##*inbound*}" ] && printf "%s\n" "add rule inet banIP _inbound ip6 saddr @${feed} ${log_inbound} counter ${feed_target}"
[ -z "${feed_direction##*outbound*}" ] && printf "%s\n" "add rule inet banIP _outbound ip6 daddr @${feed} ${log_outbound} counter goto _reject"
if [ -z "${feed_direction##*inbound*}" ]; then
if [ "${ban_loginbound}" = "1" ]; then
printf "%s\n" "add rule inet banIP _inbound ip6 saddr @${feed} ${log_inbound}"
fi
printf "%s\n" "add rule inet banIP _inbound ip6 saddr @${feed} counter ${feed_target}"
fi
if [ -z "${feed_direction##*outbound*}" ]; then
if [ "${ban_logoutbound}" = "1" ]; then
printf "%s\n" "add rule inet banIP _outbound ip6 daddr @${feed} ${log_outbound}"
fi
printf "%s\n" "add rule inet banIP _outbound ip6 daddr @${feed} counter goto _reject"
fi
;;
esac
} >"${tmp_nft}"
@@ -1128,8 +1196,18 @@ f_down() {
printf "%s\n\n" "#!${ban_nftcmd} -f"
[ -s "${tmp_flush}" ] && "${ban_catcmd}" "${tmp_flush}"
printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; ${element_count}; $(f_getelements "${tmp_file}.1") }"
[ -z "${feed_direction##*inbound*}" ] && printf "%s\n" "add rule inet banIP _inbound ${feed_dport} ip saddr @${feed} ${log_inbound} counter ${feed_target}"
[ -z "${feed_direction##*outbound*}" ] && printf "%s\n" "add rule inet banIP _outbound ${feed_dport} ip daddr @${feed} ${log_outbound} counter goto _reject"
if [ -z "${feed_direction##*inbound*}" ]; then
if [ "${ban_loginbound}" = "1" ]; then
printf "%s\n" "add rule inet banIP _inbound ${feed_dport} ip saddr @${feed} ${log_inbound}"
fi
printf "%s\n" "add rule inet banIP _inbound ${feed_dport} ip saddr @${feed} counter ${feed_target}"
fi
if [ -z "${feed_direction##*outbound*}" ]; then
if [ "${ban_logoutbound}" = "1" ]; then
printf "%s\n" "add rule inet banIP _outbound ${feed_dport} ip daddr @${feed} ${log_outbound}"
fi
printf "%s\n" "add rule inet banIP _outbound ${feed_dport} ip daddr @${feed} counter goto _reject"
fi
} >"${tmp_nft}"
elif [ "${proto}" = "6" ]; then
{
@@ -1138,8 +1216,18 @@ f_down() {
printf "%s\n\n" "#!${ban_nftcmd} -f"
[ -s "${tmp_flush}" ] && "${ban_catcmd}" "${tmp_flush}"
printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; ${element_count}; $(f_getelements "${tmp_file}.1") }"
[ -z "${feed_direction##*inbound*}" ] && printf "%s\n" "add rule inet banIP _inbound ${feed_dport} ip6 saddr @${feed} ${log_inbound} counter ${feed_target}"
[ -z "${feed_direction##*outbound*}" ] && printf "%s\n" "add rule inet banIP _outbound ${feed_dport} ip6 daddr @${feed} ${log_outbound} counter goto _reject"
if [ -z "${feed_direction##*inbound*}" ]; then
if [ "${ban_loginbound}" = "1" ]; then
printf "%s\n" "add rule inet banIP _inbound ${feed_dport} ip6 saddr @${feed} ${log_inbound}"
fi
printf "%s\n" "add rule inet banIP _inbound ${feed_dport} ip6 saddr @${feed} counter ${feed_target}"
fi
if [ -z "${feed_direction##*outbound*}" ]; then
if [ "${ban_logoutbound}" = "1" ]; then
printf "%s\n" "add rule inet banIP _outbound ${feed_dport} ip6 daddr @${feed} ${log_outbound}"
fi
printf "%s\n" "add rule inet banIP _outbound ${feed_dport} ip6 daddr @${feed} counter goto _reject"
fi
} >"${tmp_nft}"
fi
fi
@@ -1219,7 +1307,7 @@ f_restore() {
# remove staled Sets
#
f_rmset() {
local feedlist tmp_del table_json feed country asn table_sets handle expr del_set feed_rc
local feedlist tmp_del table_json feed country asn table_sets handles handle expr del_set feed_rc
f_getfeed
json_get_keys feedlist
@@ -1258,8 +1346,10 @@ f_rmset() {
rm -f "${ban_backupdir}/banIP.${feed}.gz"
for chain in _inbound _outbound; do
for expr in 0 1 2; do
handle="$(printf "%s\n" "${table_json}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.chain=\"${chain}\"][@.expr[${expr}].match.right=\"@${feed}\"].handle")"
[ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP ${chain} handle ${handle}"
handles="$(printf "%s\n" "${table_json}" | "${ban_jsoncmd}" -q -e "@.nftables[@.rule.chain=\"${chain}\"][@.expr[${expr}].match.right=\"@${feed}\"].handle" | xargs)"
for handle in ${handles}; do
printf "%s\n" "delete rule inet banIP ${chain} handle ${handle}"
done
done
done
printf "%s\n" "flush set inet banIP ${feed}"
@@ -1312,7 +1402,8 @@ f_genstatus() {
json_init
json_load_file "${ban_rtfile}" >/dev/null 2>&1
json_add_string "status" "${status}"
json_add_string "version" "${ban_ver}"
json_add_string "frontend_ver" "${ban_fver}"
json_add_string "backend_ver" "${ban_bver}"
json_add_string "element_count" "${element_cnt} (chains: ${chain_cnt:-"0"}, sets: ${set_cnt:-"0"}, rules: ${rule_cnt:-"0"})"
json_add_array "active_feeds"
for object in ${table_sets:-"-"}; do
@@ -1765,6 +1856,9 @@ f_report() {
[ -n "${ban_mailreceiver}" ] && [ -x "${ban_mailcmd}" ] && f_mail
: >"${report_txt}"
;;
*)
: >"${report_txt}"
;;
esac
}
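Review bot: With the directory guard removed, option_cb and list_cb now run `eval "${option}=\"${value}\""` on every config value, and because only double quotes are escaped the eval still re-parses `$(…)`, backticks and backslash sequences that appear inside a value. The UCI config is root-owned, so this is hardening rather than an exploitable hole, but the pattern the hunk already uses for `append` avoids the re-parse entirely: declare `local option="${1}" value="${2}"` and assign with `eval "${option}=\"\${value}\""`, and in list_cb write the two concatenations as `eval "${option}=\"\${append}\${value}\\|\""` and `eval "${option}=\"\${append}\${value} \""` so the value is expanded after eval has parsed the assignment. The quote escaping of `$2` then becomes unnecessary and values are stored verbatim. f_conf starts and ends outside the hunk.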


@@ -9,13 +9,13 @@
ban_action="${1}"
ban_starttime="$(date "+%s")"
ban_funlib="/usr/lib/banip-functions.sh"
[ -z "${ban_ver}" ] && . "${ban_funlib}"
[ -z "${ban_bver}" ] && . "${ban_funlib}"
# load config and set banIP environment
#
[ "${ban_action}" = "boot" ] && sleep "$(uci_get banip global ban_triggerdelay "20")"
f_conf
f_log "info" "start banIP processing (${ban_action}, ${ban_ver:-"n/a"})"
f_log "info" "start banIP processing (${ban_action}, ${ban_bver:-"n/a"})"
f_genstatus "processing"
f_tmp
f_getfetch


@@ -62,13 +62,22 @@
"chain": "in",
"descr": "fail2ban IP blocklist"
},
"dns":{
"url_4": "https://public-dns.info/nameservers-all.txt",
"url_6": "https://public-dns.info/nameservers-all.txt",
"rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
"chain": "out",
"descr": "public DNS-Server",
"flag": "tcp udp 53 853"
},
"doh":{
"url_4": "https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv4.txt",
"url_6": "https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv6.txt",
"rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"chain": "out",
"descr": "public DoH-Provider",
"descr": "public DoH-Server",
"flag": "tcp udp 80 443"
},
"drop":{
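Review bot: The new dns feed is wired to the outbound chain with `tcp udp 53 853`, so a router or client whose configured upstream resolver is itself on the public-dns.info list would presumably lose name resolution as soon as the feed is enabled unless that resolver is allowlisted; neither the descr here nor the readme feed row mentions this side effect. A one-line caveat in the readme's feed table or prerequisites would spare users a confusing outage. Unlike doh, url_4 and url_6 also point at the same file and rely on rule_4/rule_6 to pick the address family; if that is intentional it is worth a short note in the readme, since this JSON cannot carry a comment.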