banip: update 0.9.5-5

* fix a processing race condition
* it's now possible to disable the icmp/syn/udp safeguards in pre-routing by setting the respective threshold to '0'.

Signed-off-by: Dirk Brenken <dev@brenken.org>
Dirk Brenken
2024-05-05 21:57:28 +02:00
parent 7cdf7b9c1a
commit 083554094b
4 changed files with 17 additions and 15 deletions


@@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=banip PKG_NAME:=banip
PKG_VERSION:=0.9.5 PKG_VERSION:=0.9.5
PKG_RELEASE:=4 PKG_RELEASE:=5
PKG_LICENSE:=GPL-3.0-or-later PKG_LICENSE:=GPL-3.0-or-later
PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org> PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>


@@ -154,9 +154,9 @@ Available commands:
| ban_logreadfile | option | /var/log/messages | alternative location for parsing the log file, e.g. via syslog-ng, to deactivate the standard parsing via logread | | ban_logreadfile | option | /var/log/messages | alternative location for parsing the log file, e.g. via syslog-ng, to deactivate the standard parsing via logread |
| ban_autodetect | option | 1 | auto-detect wan interfaces, devices and subnets | | ban_autodetect | option | 1 | auto-detect wan interfaces, devices and subnets |
| ban_debug | option | 0 | enable banIP related debug logging | | ban_debug | option | 0 | enable banIP related debug logging |
| ban_icmplimit | option | 10 | treshold in number of packets to detect icmp DDoS in prerouting chain | | ban_icmplimit | option | 10 | threshold in number of packets to detect icmp DDoS in prerouting chain. A value of '0' disables this safeguard |
| ban_synlimit | option | 10 | treshold in number of packets to detect syn DDoS in prerouting chain | | ban_synlimit | option | 10 | threshold in number of packets to detect syn DDoS in prerouting chain. A value of '0' disables this safeguard |
| ban_udplimit | option | 100 | treshold in number of packets to detect udp DDoS in prerouting chain | | ban_udplimit | option | 100 | threshold in number of packets to detect udp DDoS in prerouting chain. A value of '0' disables this safeguard |
| ban_logprerouting | option | 0 | log supsicious packets in the prerouting chain | | ban_logprerouting | option | 0 | log supsicious packets in the prerouting chain |
| ban_loginput | option | 0 | log supsicious packets in the wan-input chain | | ban_loginput | option | 0 | log supsicious packets in the wan-input chain |
| ban_logforwardwan | option | 0 | log supsicious packets in the wan-forward chain | | ban_logforwardwan | option | 0 | log supsicious packets in the wan-forward chain |


@@ -656,10 +656,12 @@ f_nftinit() {
# #
printf "%s\n" "add rule inet banIP pre-routing iifname != { ${wan_dev} } counter accept" printf "%s\n" "add rule inet banIP pre-routing iifname != { ${wan_dev} } counter accept"
printf "%s\n" "add rule inet banIP pre-routing ct state invalid ${log_ct} counter name cnt-ctinvalid drop" printf "%s\n" "add rule inet banIP pre-routing ct state invalid ${log_ct} counter name cnt-ctinvalid drop"
printf "%s\n" "add rule inet banIP pre-routing ip protocol icmp limit rate over ${ban_icmplimit}/second ${log_icmp} counter name cnt-icmpflood drop" if [ "${ban_icmplimit}" -gt "0" ]; then
printf "%s\n" "add rule inet banIP pre-routing ip6 nexthdr icmpv6 limit rate over ${ban_icmplimit}/second ${log_icmp} counter name cnt-icmpflood drop" printf "%s\n" "add rule inet banIP pre-routing ip protocol icmp limit rate over ${ban_icmplimit}/second ${log_icmp} counter name cnt-icmpflood drop"
printf "%s\n" "add rule inet banIP pre-routing meta l4proto udp ct state new limit rate over ${ban_udplimit}/second ${log_udp} counter name cnt-udpflood drop" printf "%s\n" "add rule inet banIP pre-routing ip6 nexthdr icmpv6 limit rate over ${ban_icmplimit}/second ${log_icmp} counter name cnt-icmpflood drop"
printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|ack) == syn limit rate over ${ban_synlimit}/second ${log_syn} counter name cnt-synflood drop" fi
[ "${ban_udplimit}" -gt "0" ] && printf "%s\n" "add rule inet banIP pre-routing meta l4proto udp ct state new limit rate over ${ban_udplimit}/second ${log_udp} counter name cnt-udpflood drop"
[ "${ban_synlimit}" -gt "0" ] && printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|ack) == syn limit rate over ${ban_synlimit}/second ${log_syn} counter name cnt-synflood drop"
printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn) == (fin|syn) ${log_tcp} counter name cnt-tcpinvalid drop" printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn) == (fin|syn) ${log_tcp} counter name cnt-tcpinvalid drop"
printf "%s\n" "add rule inet banIP pre-routing tcp flags & (syn|rst) == (syn|rst) ${log_tcp} counter name cnt-tcpinvalid drop" printf "%s\n" "add rule inet banIP pre-routing tcp flags & (syn|rst) == (syn|rst) ${log_tcp} counter name cnt-tcpinvalid drop"
printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) ${log_tcp} counter name cnt-tcpinvalid drop" printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) ${log_tcp} counter name cnt-tcpinvalid drop"
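Review bot: The new threshold guards fail open when the variable is empty or non-numeric: `[ "" -gt "0" ]` is a shell error, so `[ "${ban_udplimit}" -gt "0" ] && printf …` silently emits no UDP flood rule instead of falling back to the documented default, and the `if` form used for icmp behaves the same way. Since the intent is that only an explicit '0' disables a safeguard, it would be safer to normalize the value first, e.g. `case "${ban_udplimit}" in ''|*[!0-9]*) ban_udplimit="100" ;; esac` (likewise with 10 for icmp and syn), or at least log the rejected value rather than dropping the rule quietly. Whether defaults are already assigned before f_nftinit runs is not visible here; if they are, this is only hardening against a malformed uci value. The icmp check uses `if … fi` while udp and syn use `[ … ] &&`; one form for all three would read more consistently. f_nftinit starts and ends outside this hunk.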


@@ -150,14 +150,14 @@ wait
# end processing # end processing
# #
if [ "${ban_mailnotification}" = "1" ] && [ -n "${ban_mailreceiver}" ] && [ -x "${ban_mailcmd}" ]; then (
( sleep 5
sleep 5 if [ "${ban_mailnotification}" = "1" ] && [ -n "${ban_mailreceiver}" ] && [ -x "${ban_mailcmd}" ]; then
f_mail f_mail
) & fi
fi json_cleanup
json_cleanup rm -rf "${ban_lock}"
rm -rf "${ban_lock}" ) &
# start detached log service (infinite loop) # start detached log service (infinite loop)
# #
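Review bot: Releasing the lock is now deferred into a detached subshell that sleeps 5 seconds first, so `rm -rf "${ban_lock}"` and `json_cleanup` run well after the parent treats processing as finished and outside the parent's own control flow. If that subshell is terminated during the sleep (for example when the service is stopped in that window — inferred, the surrounding signal handling is not visible here), the lock is never removed and a stale `${ban_lock}` is left behind for the next run to trip over. If the deferral is intentional to avoid the race named in the commit message, a comment such as `# defer cleanup and lock release until the backgrounded jobs above have settled` on the `(` line would document why the sleep sits in front of the cleanup; otherwise consider keeping only `f_mail` behind the sleep. Since ban_lock presumably names a file rather than a directory, `rm -f` would also suffice. The enclosing script continues outside this hunk.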