openwrt-mirror/packages
1
0
Fork 0
mirror of https://github.com/openwrt/packages.git synced 2025-12-21 21:24:31 +04:00
Code Issues Packages Projects Releases Wiki Activity

banip: update 1.0.0-2

Browse Source 
* fixed a possible "Argument list too long" error in the f_log function
* fixed multiple, incomplete digit character classes
* fixed/optimized split file handling
* cosmetics

Signed-off-by: Dirk Brenken <dev@brenken.org>
This commit is contained in:
Dirk Brenken
2024-06-16 21:50:40 +02:00
parent 217e4ecb35
commit 059a530329
3 changed files with 62 additions and 58 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
net/banip/Makefile
View File

@@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=banip PKG_NAME:=banip
PKG_VERSION:=1.0.0 PKG_VERSION:=1.0.0
PKG_RELEASE:=1 PKG_RELEASE:=2
PKG_LICENSE:=GPL-3.0-or-later PKG_LICENSE:=GPL-3.0-or-later
PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org> PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>

4
net/banip/files/README.md
View File

@@ -104,7 +104,9 @@ IP address blocking is commonly used to protect against brute force attacks, pre
* A certificate store like 'ca-bundle', as banIP checks the validity of the SSL certificates of all download sites by default * A certificate store like 'ca-bundle', as banIP checks the validity of the SSL certificates of all download sites by default
* For E-Mail notifications you need to install and setup the additional 'msmtp' package * For E-Mail notifications you need to install and setup the additional 'msmtp' package
Please note: Devices with less than 256Mb of RAM are **_not_** supported **Please note:**
* Devices with less than 256Mb of RAM are **_not_** supported
* Any previous installation of ancient banIP 0.7.x must be uninstalled, and the /etc/banip folder and the /etc/config/banip configuration file must be deleted (they are recreated when this version is installed)
## Installation & Usage ## Installation & Usage
* Update your local opkg repository (_opkg update_) * Update your local opkg repository (_opkg update_)

114
net/banip/files/banip-functions.sh
View File

@@ -229,13 +229,13 @@ f_log() {
if [ -n "${log_msg}" ] && { [ "${class}" != "debug" ] || [ "${ban_debug}" = "1" ]; }; then if [ -n "${log_msg}" ] && { [ "${class}" != "debug" ] || [ "${ban_debug}" = "1" ]; }; then
if [ -x "${ban_logcmd}" ]; then if [ -x "${ban_logcmd}" ]; then
"${ban_logcmd}" -p "${class}" -t "banIP-${ban_ver}[${$}]" "${log_msg}" "${ban_logcmd}" -p "${class}" -t "banIP-${ban_ver}[${$}]" "${log_msg::512}"
else else
printf "%s %s %s\n" "${class}" "banIP-${ban_ver}[${$}]" "${log_msg}" printf "%s %s %s\n" "${class}" "banIP-${ban_ver}[${$}]" "${log_msg::512}"
fi fi
fi fi
if [ "${class}" = "err" ] || [ "${class}" = "emerg" ]; then if [ "${class}" = "err" ] || [ "${class}" = "emerg" ]; then
if [ "${class}" = "err" ]; then if [ "${class}" = "err" ]; then
"${ban_nftcmd}" delete table inet banIP >/dev/null 2>&1 "${ban_nftcmd}" delete table inet banIP >/dev/null 2>&1
if [ "$(uci_get banip global ban_enabled)" = "1" ]; then if [ "$(uci_get banip global ban_enabled)" = "1" ]; then
f_genstatus "error" f_genstatus "error"
@@ -323,7 +323,7 @@ f_conf() {
if [ "${rir}" = "${region}" ] && ! printf "%s" "${ban_country}" | "${ban_grepcmd}" -qw "${ccode}"; then if [ "${rir}" = "${region}" ] && ! printf "%s" "${ban_country}" | "${ban_grepcmd}" -qw "${ccode}"; then
ban_country="${ban_country} ${ccode}" ban_country="${ban_country} ${ccode}"
fi fi
done < "${ban_countryfile}" done <"${ban_countryfile}"
done done
} }
@@ -608,7 +608,7 @@ f_nftinit() {
elif ! printf "%s" "${tmp_proto}" | "${ban_grepcmd}" -qw "${flag}"; then elif ! printf "%s" "${tmp_proto}" | "${ban_grepcmd}" -qw "${flag}"; then
tmp_proto="${tmp_proto}, ${flag}" tmp_proto="${tmp_proto}, ${flag}"
fi fi
elif [ -n "${flag//[![:digit]-]/}" ]; then elif [ -n "${flag//[![:digit:]-]/}" ]; then
if [ -z "${tmp_port}" ]; then if [ -z "${tmp_port}" ]; then
tmp_port="${flag}" tmp_port="${flag}"
elif ! printf "%s" "${tmp_port}" | "${ban_grepcmd}" -qw "${flag}"; then elif ! printf "%s" "${tmp_port}" | "${ban_grepcmd}" -qw "${flag}"; then
@@ -778,7 +778,7 @@ f_down() {
elif ! printf "%s" "${tmp_proto}" | "${ban_grepcmd}" -qw "${flag}"; then elif ! printf "%s" "${tmp_proto}" | "${ban_grepcmd}" -qw "${flag}"; then
tmp_proto="${tmp_proto}, ${flag}" tmp_proto="${tmp_proto}, ${flag}"
fi fi
elif [ -n "${flag//[![:digit]-]/}" ]; then elif [ -n "${flag//[![:digit:]-]/}" ]; then
if [ -z "${tmp_port}" ]; then if [ -z "${tmp_port}" ]; then
tmp_port="${flag}" tmp_port="${flag}"
elif ! printf "%s" "${tmp_port}" | "${ban_grepcmd}" -qw "${flag}"; then elif ! printf "%s" "${tmp_port}" | "${ban_grepcmd}" -qw "${flag}"; then
@@ -1030,7 +1030,7 @@ f_down() {
feed_rc="${?}" feed_rc="${?}"
fi fi
# build nft file with Sets and rules for regular downloads # final file & Set preparation for regular downloads
# #
if [ "${feed_rc}" = "0" ] && [ ! -s "${tmp_nft}" ]; then if [ "${feed_rc}" = "0" ] && [ ! -s "${tmp_nft}" ]; then
# deduplicate Sets # deduplicate Sets
@@ -1038,54 +1038,55 @@ f_down() {
if [ "${ban_deduplicate}" = "1" ] && [ "${feed_url}" != "local" ]; then if [ "${ban_deduplicate}" = "1" ] && [ "${feed_url}" != "local" ]; then
"${ban_awkcmd}" '{sub("\r$", "");print}' "${tmp_load}" 2>/dev/null | "${ban_awkcmd}" "${feed_rule}" 2>/dev/null >"${tmp_raw}" "${ban_awkcmd}" '{sub("\r$", "");print}' "${tmp_load}" 2>/dev/null | "${ban_awkcmd}" "${feed_rule}" 2>/dev/null >"${tmp_raw}"
"${ban_awkcmd}" 'NR==FNR{member[$0];next}!($0 in member)' "${ban_tmpfile}.deduplicate" "${tmp_raw}" 2>/dev/null | tee -a "${ban_tmpfile}.deduplicate" >"${tmp_split}" "${ban_awkcmd}" 'NR==FNR{member[$0];next}!($0 in member)' "${ban_tmpfile}.deduplicate" "${tmp_raw}" 2>/dev/null | tee -a "${ban_tmpfile}.deduplicate" >"${tmp_split}"
feed_rc="${?}"
else else
"${ban_awkcmd}" '{sub("\r$", "");print}' "${tmp_load}" 2>/dev/null | "${ban_awkcmd}" "${feed_rule}" 2>/dev/null >"${tmp_split}" "${ban_awkcmd}" '{sub("\r$", "");print}' "${tmp_load}" 2>/dev/null | "${ban_awkcmd}" "${feed_rule}" 2>/dev/null >"${tmp_split}"
fi
feed_rc="${?}"
# split Sets
#
if [ "${feed_rc}" = "0" ]; then
if [ -n "${ban_splitsize//[![:digit]]/}" ] && [ "${ban_splitsize//[![:digit]]/}" -gt "512" ]; then
if ! "${ban_awkcmd}" "NR%${ban_splitsize//[![:digit]]/}==1{file=\"${tmp_file}.\"++i;}{ORS=\" \";print > file}" "${tmp_split}" 2>/dev/null; then
f_log "info" "can't split Set '${feed}' to size '${ban_splitsize//[![:digit]]/}'"
rm -f "${tmp_file}".*
fi
else
"${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}.1"
fi
feed_rc="${?}" feed_rc="${?}"
fi fi
: >"${tmp_raw}" >"${tmp_load}" : >"${tmp_raw}" >"${tmp_load}"
if [ "${feed_rc}" = "0" ] && [ "${proto}" = "4" ]; then # split Sets
{ #
# nft header (IPv4 Set) if [ "${feed_rc}" = "0" ]; then
# if [ -n "${ban_splitsize//[![:digit:]]/}" ]; then
printf "%s\n\n" "#!/usr/sbin/nft -f" [ "${ban_splitsize//[![:digit:]]/}" -lt "512" ] && ban_splitsize="512"
[ -s "${tmp_flush}" ] && "${ban_catcmd}" "${tmp_flush}" if ! "${ban_awkcmd}" "NR%${ban_splitsize//[![:digit:]]/}==1{file=\"${tmp_file}.\"++i;}{ORS=\" \";print > file}" "${tmp_split}" 2>/dev/null; then
printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}.1") }" feed_rc="${?}"
rm -f "${tmp_file}".*
f_log "info" "can't split Set '${feed}' to size '${ban_splitsize//[![:digit:]]/}'"
fi
else
"${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}.1"
feed_rc="${?}"
fi
fi
# input and forward rules # build nft file
# #
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ${feed_dport} ip saddr @${feed} ${log_input} counter ${feed_target}" if [ "${feed_rc}" = "0" ] && [ -s "${tmp_file}.1" ]; then
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ${feed_dport} ip saddr @${feed} ${log_forwardwan} counter ${feed_target}" if [ "${proto}" = "4" ]; then
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ${feed_dport} ip daddr @${feed} ${log_forwardlan} counter goto reject-chain" {
} >"${tmp_nft}" # nft header (IPv4 Set) input and forward rules
elif [ "${feed_rc}" = "0" ] && [ "${proto}" = "6" ]; then #
{ printf "%s\n\n" "#!/usr/sbin/nft -f"
# nft header (IPv6 Set) [ -s "${tmp_flush}" ] && "${ban_catcmd}" "${tmp_flush}"
# printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}.1") }"
printf "%s\n\n" "#!/usr/sbin/nft -f" [ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ${feed_dport} ip saddr @${feed} ${log_input} counter ${feed_target}"
[ -s "${tmp_flush}" ] && "${ban_catcmd}" "${tmp_flush}" [ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ${feed_dport} ip saddr @${feed} ${log_forwardwan} counter ${feed_target}"
printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}.1") }" [ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ${feed_dport} ip daddr @${feed} ${log_forwardlan} counter goto reject-chain"
} >"${tmp_nft}"
# input and forward rules elif [ "${proto}" = "6" ]; then
# {
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ${feed_dport} ip6 saddr @${feed} ${log_input} counter ${feed_target}" # nft header (IPv6 Set) plus input and forward rules
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ${feed_dport} ip6 saddr @${feed} ${log_forwardwan} counter ${feed_target}" #
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ${feed_dport} ip6 daddr @${feed} ${log_forwardlan} counter goto reject-chain" printf "%s\n\n" "#!/usr/sbin/nft -f"
} >"${tmp_nft}" [ -s "${tmp_flush}" ] && "${ban_catcmd}" "${tmp_flush}"
printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}.1") }"
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ${feed_dport} ip6 saddr @${feed} ${log_input} counter ${feed_target}"
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ${feed_dport} ip6 saddr @${feed} ${log_forwardwan} counter ${feed_target}"
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ${feed_dport} ip6 daddr @${feed} ${log_forwardlan} counter goto reject-chain"
} >"${tmp_nft}"
fi
fi fi
: >"${tmp_flush}" >"${tmp_file}.1" : >"${tmp_flush}" >"${tmp_file}.1"
fi fi
@@ -1107,13 +1108,14 @@ f_down() {
# #
if [ "${feed_rc}" = "0" ]; then if [ "${feed_rc}" = "0" ]; then
for split_file in "${tmp_file}".*; do for split_file in "${tmp_file}".*; do
[ ! -s "${split_file}" ] && continue if [ -s "${split_file}" ]; then
"${ban_sedcmd}" -i "1 i #!/usr/sbin/nft -f\nadd element inet banIP "${feed}" { " "${split_file}" "${ban_sedcmd}" -i "1 i #!/usr/sbin/nft -f\nadd element inet banIP "${feed}" { " "${split_file}"
printf "%s\n" "}" >> "${split_file}" printf "%s\n" "}" >>"${split_file}"
if ! "${ban_nftcmd}" -f "${split_file}" >/dev/null 2>&1; then if ! "${ban_nftcmd}" -f "${split_file}" >/dev/null 2>&1; then
f_log "info" "can't add split file '${split_file##*.}' to Set '${feed}'" f_log "info" "can't add split file '${split_file##*.}' to Set '${feed}'"
fi
: >"${split_file}"
fi fi
: >"${split_file}"
done done
if [ "${ban_debug}" = "1" ] && [ "${ban_reportelements}" = "1" ]; then if [ "${ban_debug}" = "1" ] && [ "${ban_reportelements}" = "1" ]; then
cnt_set="$("${ban_nftcmd}" -j list set inet banIP "${feed}" 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)" cnt_set="$("${ban_nftcmd}" -j list set inet banIP "${feed}" 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)"
@@ -1324,9 +1326,9 @@ f_lookup() {
continue continue
else else
[ "${ip##*:}" = "${ip}" ] && elementsv4="${elementsv4} ${ip}," || elementsv6="${elementsv6} ${ip}," [ "${ip##*:}" = "${ip}" ] && elementsv4="${elementsv4} ${ip}," || elementsv6="${elementsv6} ${ip},"
if [ "${feed}" = "allowlist" ] && [ "${ban_autoallowlist}" = "1" ] && ! "${ban_grepcmd}" -q "^${ip}[[:blank:]]*#" "${ban_allowlist}"; then if [ "${feed}" = "allowlist" ] && [ "${ban_autoallowlist}" = "1" ] && ! "${ban_grepcmd}" -q "^${ip}[[:space:]]*#" "${ban_allowlist}"; then
printf "%-42s%s\n" "${ip}" "# '${domain}' added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_allowlist}" printf "%-42s%s\n" "${ip}" "# '${domain}' added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_allowlist}"
elif [ "${feed}" = "blocklist" ] && [ "${ban_autoblocklist}" = "1" ] && ! "${ban_grepcmd}" -q "^${ip}[[:blank:]]*#" "${ban_blocklist}"; then elif [ "${feed}" = "blocklist" ] && [ "${ban_autoblocklist}" = "1" ] && ! "${ban_grepcmd}" -q "^${ip}[[:space:]]*#" "${ban_blocklist}"; then
printf "%-42s%s\n" "${ip}" "# '${domain}' added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_blocklist}" printf "%-42s%s\n" "${ip}" "# '${domain}' added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_blocklist}"
fi fi
cnt_ip="$((cnt_ip + 1))" cnt_ip="$((cnt_ip + 1))"