banIP: release 1.5.1-1

* optimized the f_nftload function
* reduced the prerouting priority to -175
* optimized the output of the f_survey function
* removed a needless fw4 call/check
* no longer skips regular blocklist feeds in "allowlist only" mode
* optimized init checks
* turris feed: enable IPv6 parsing, too (provided by @curbengh)
* update the readme

Signed-off-by: Dirk Brenken <dev@brenken.org>
This commit is contained in:
Dirk Brenken
2025-02-13 21:47:39 +01:00
parent ae038d0773
commit 4e3d7845fd
6 changed files with 47 additions and 35 deletions


@@ -5,8 +5,8 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=banip
PKG_VERSION:=1.5.0
PKG_RELEASE:=6
PKG_VERSION:=1.5.1
PKG_RELEASE:=1
PKG_LICENSE:=GPL-3.0-or-later
PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>


@@ -86,7 +86,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre
* Automatic blocklist backup & restore, the backups will be used in case of download errors or during startup
* Automatically selects one of the following download utilities with ssl support: aria2c, curl, uclient-fetch or full wget
* Provides HTTP ETag support to download only ressources that have been updated on the server side, to speed up banIP reloads and to save bandwith
* Supports an 'allowlist only' mode, this option skips all blocklists and restricts the internet access only to specific, explicitly allowed IP segments
* Supports an 'allowlist only' mode, this option restricts the internet access only to specific, explicitly allowed IP segments
* Supports external allowlist URLs to reference additional IPv4/IPv6 feeds
* Optionally always allow certain protocols/destination ports in the inbound chain
* Deduplicate IPs accross all Sets (single IPs only, no intervals)
@@ -174,7 +174,7 @@ Available commands:
| ban_autoblocklist | option | 1 | add suspicious attacker IPs and resolved domains automatically to the local blocklist (not only to the Sets) |
| ban_autoblocksubnet | option | 0 | add entire subnets to the blocklist Sets based on an additional RDAP request with the suspicious IP |
| ban_autoallowuplink | option | subnet | limit the uplink autoallow function to: 'subnet', 'ip' or 'disable' it at all |
| ban_allowlistonly | option | 0 | skip all blocklists and restrict the internet access only to specific, explicitly allowed IP segments |
| ban_allowlistonly | option | 0 | restrict the internet access only to specific, explicitly allowed IP segments |
| ban_allowflag | option | - | always allow certain protocols(tcp or udp) plus destination ports or port ranges, e.g.: 'tcp 80 443-445' |
| ban_allowurl | list | - | external allowlist feed URLs, one or more references to simple remote IP lists |
| ban_basedir | option | /tmp | base working directory while banIP processing |
@@ -370,7 +370,7 @@ Furthermore, you can reference external Allowlist URLs with additional IPv4 and
Both local lists also accept domain names as input to allow IP filtering based on these names. The corresponding IPs (IPv4 & IPv6) will be extracted and added to the Sets. You can also start the domain lookup separately via /etc/init.d/banip lookup at any time.
**Allowlist-only mode**
banIP supports an "allowlist only" mode. This option skips all blocklists and restricts Internet access only to certain, explicitly permitted IP segments - and blocks access to the rest of the Internet. All IPs that are _not_ listed in the allowlist or in the external allowlist URLs are blocked. In this mode it might be useful to limit the allowlist feed to the inbound chain, to still allow outbound communication to the rest of the world.
banIP supports an "allowlist only" mode. This option restricts Internet access only to certain, explicitly permitted IP segments - and blocks access to the rest of the Internet. All IPs that are _not_ listed in the allowlist or in the external allowlist URLs are blocked. In this mode it might be useful to limit the allowlist feed to the inbound chain, to still allow outbound communication to the rest of the world.
**MAC/IP-binding**
banIP supports concatenation of local MAC addresses/ranges with IPv4/IPv6 addresses, e.g. to enforce dhcp assignments or to free connected clients from outbound blocking.


@@ -99,14 +99,13 @@ ban_debug="0"
f_system() {
local cpu core
if [ -z "${ban_dev}" ]; then
ban_debug="$(uci_get banip global ban_debug "0")"
ban_cores="$(uci_get banip global ban_cores)"
fi
ban_debug="$(uci_get banip global ban_debug "0")"
ban_cores="$(uci_get banip global ban_cores)"
ban_packages="$("${ban_ubuscmd}" -S call rpc-sys packagelist '{ "all": true }' 2>/dev/null)"
ban_ver="$(printf "%s" "${ban_packages}" | "${ban_jsoncmd}" -ql1 -e '@.packages.banip')"
ban_sysver="$("${ban_ubuscmd}" -S call system board 2>/dev/null | "${ban_jsoncmd}" -ql1 -e '@.model' -e '@.release.target' -e '@.release.distribution' -e '@.release.version' -e '@.release.revision' |
"${ban_awkcmd}" 'BEGIN{RS="";FS="\n"}{printf "%s, %s, %s %s %s %s",$1,$2,$3,$4,$5,$6}')"
if [ -z "${ban_cores}" ]; then
cpu="$("${ban_grepcmd}" -c '^processor' /proc/cpuinfo 2>/dev/null)"
core="$("${ban_grepcmd}" -cm1 '^core id' /proc/cpuinfo 2>/dev/null)"
@@ -608,17 +607,17 @@ f_etag() {
# load file in nftset
#
f_nftload() {
local cnt="1" max_cnt="${ban_nftretry:-"5"}" load_rc="4" load_log="" file="${1}" errmsg="${2}"
local cnt="1" max_cnt="${ban_nftretry:-"5"}" load_rc="4" file="${1}" errmsg="${2}"
while [ "${load_rc}" != "0" ]; do
load_log="$("${ban_nftcmd}" -f "${file}" 2>&1)"
"${ban_nftcmd}" -f "${file}" >/dev/null 2>&1
load_rc="${?}"
if [ "${load_rc}" = "0" ]; then
break
elif [ "${cnt}" = "${max_cnt}" ]; then
[ ! -d "${ban_errordir}" ] && f_mkdir "${ban_errordir}"
"${ban_catcmd}" "${file}" 2>/dev/null >"${ban_errordir}/err.${file##*/}"
f_log "info" "${errmsg}, ${load_log::256}"
f_log "info" "${errmsg}"
break
fi
cnt="$((cnt + 1))"
@@ -677,7 +676,7 @@ f_nftinit() {
printf "%s\n" "add table inet banIP"
# base chains
#
printf "%s\n" "add chain inet banIP pre-routing { type filter hook prerouting priority -199; policy accept; }"
printf "%s\n" "add chain inet banIP pre-routing { type filter hook prerouting priority -175; policy accept; }"
printf "%s\n" "add chain inet banIP wan-input { type filter hook input priority ${ban_nftpriority}; policy accept; }"
printf "%s\n" "add chain inet banIP wan-forward { type filter hook forward priority ${ban_nftpriority}; policy accept; }"
printf "%s\n" "add chain inet banIP lan-forward { type filter hook forward priority ${ban_nftpriority}; policy accept; }"
@@ -1737,7 +1736,12 @@ f_survey() {
printf "%s\n%s\n%s\n" ":::" "::: no valid survey input" ":::"
return
fi
set_elements="$("${ban_nftcmd}" -j list set inet banIP "${input}" 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*]')"
if [ "$(uci_get banip global ban_nftcount)" = "1" ]; then
set_elements="$("${ban_nftcmd}" -j list set inet banIP "${input}" 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*].elem.val')"
else
set_elements="$("${ban_nftcmd}" -j list set inet banIP "${input}" 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*]')"
fi
printf "%s\n%s\n%s\n" ":::" "::: banIP Survey" ":::"
printf " %s\n" "List of elements in the Set '${input}' on $(date "+%Y-%m-%d %H:%M:%S")"
printf " %s\n" "---"
@@ -1866,7 +1870,6 @@ fi
#
ban_awkcmd="$(f_cmd gawk awk)"
ban_catcmd="$(f_cmd cat)"
ban_fw4cmd="$(f_cmd fw4)"
ban_grepcmd="$(f_cmd grep)"
ban_jsoncmd="$(f_cmd jsonfilter)"
ban_logcmd="$(f_cmd logger)"
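Review bot: The rewritten f_nftload now throws away nft's stderr on every attempt (`>/dev/null 2>&1`), so when the last retry fails the log line carries only `${errmsg}` and the parser/kernel message that names the offending element is gone; all that remains is the raw ruleset copied into `${ban_errordir}`. If the intent was to avoid the `$(...)` capture on each retry, the diagnostic can still be kept cheaply on the final attempt only, e.g. after the `cat` line: `"${ban_nftcmd}" -cf "${file}" >/dev/null 2>"${ban_errordir}/err.${file##*/}.log"`, which re-checks the file without committing and stores nft's message next to the failed ruleset. This assumes check mode reproduces the same error as the real load — presumably so for syntax and set-element errors, but confirm on the target nft version. The retry loop's `done` and the closing of f_nftload lie outside the hunk.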


@@ -29,10 +29,8 @@ f_rmdir "${ban_errordir}"
# firewall/fw4 pre-check
#
if [ ! -x "${ban_fw4cmd}" ] || [ ! -x "/etc/init.d/firewall" ]; then
f_log "err" "firewall/fw4 not found"
elif ! /etc/init.d/firewall status >/dev/null 2>&1; then
f_log "info" "firewall/fw4 is not running"
if ! /etc/init.d/firewall status >/dev/null 2>&1; then
f_log "info" "the main firewall is not running"
fi
# init banIP nftables namespace
@@ -41,16 +39,14 @@ if [ "${ban_action}" != "reload" ] || ! "${ban_nftcmd}" list chain inet banIP pr
f_nftinit "${ban_tmpfile}".init.nft
fi
# handle downloads
# start banIP processing
#
f_log "info" "start banIP download processes"
if [ "${ban_allowlistonly}" = "1" ]; then
ban_feed=""
else
f_getfeed
fi
f_getfeed
[ "${ban_deduplicate}" = "1" ] && printf "\n" >"${ban_tmpfile}.deduplicate"
# handle downloads
#
cnt="1"
for feed in allowlist ${ban_feed} blocklist; do
# local feeds (sequential processing)
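Review bot: The comment `# start banIP processing` above the now-unconditional `f_getfeed` does not record why `ban_allowlistonly` no longer short-circuits the feed download here, so the next reader will look for the removed `ban_feed=""` branch and suspect a regression. A one-line why-comment would settle it, e.g. `# feeds are fetched in allowlist-only mode too; the mode is enforced by the rule set, not by skipping downloads`. That wording assumes the allow-before-block ordering is handled in the nft rule generation, which this page does not show — adjust it to wherever the mode is actually enforced. The surrounding script body starts and ends outside this hunk.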


@@ -275,10 +275,12 @@
"descr": "tor exit nodes"
},
"turris":{
"url_4":"https://view.sentinel.turris.cz/greylist-data/greylist-latest.csv",
"rule_4":"BEGIN{FS=\",\"}/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)/{printf \"%s,\\n\",$1}",
"url_4": "https://view.sentinel.turris.cz/greylist-data/greylist-latest.csv",
"url_6": "https://view.sentinel.turris.cz/greylist-data/greylist-latest.csv",
"rule_4": "BEGIN{FS=\",\"}/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)/{printf \"%s,\\n\",$1}",
"rule_6": "BEGIN{FS=\",\"}/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)/{printf \"%s,\\n\",$1}",
"chain": "in",
"descr":"turris sentinel blocklist"
"descr": "turris sentinel blocklist"
},
"uceprotect1":{
"url_4": "http://wget-mirrors.uceprotect.net/rbldnsd-all/dnsbl-1.uceprotect.net.gz",
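Review bot: The hex character class `[0-9A-f]` in the new `rule_6` is a byte range from `A` to `f`, which also admits `G`–`Z` and the punctuation characters that sit between `Z` and `a`, so it is looser than hexadecimal; the intended class is `[0-9A-Fa-f]` in both places: `"rule_6": "BEGIN{FS=\",\"}/^(([0-9A-Fa-f]{0,4}:){1,7}[0-9A-Fa-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)/{printf \"%s,\\n\",$1}",`. Note also that, like the existing `rule_4`, the pattern is anchored only at the start of the line and `printf "%s,\n",$1` emits the whole first CSV field rather than the matched address, so on this remotely fetched feed the check is a prefix test; that is fine if a later step re-validates elements before they reach `nft -f`, which is not visible on this page and worth confirming.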


@@ -20,13 +20,24 @@ ban_funlib="/usr/lib/banip-functions.sh"
ban_pidfile="/var/run/banip.pid"
ban_lock="/var/run/banip.lock"
[ "${action}" = "boot" ] && "${ban_init}" running && exit 0
{ [ "${action}" = "stop" ] || [ "${action}" = "report" ] || [ "${action}" = "search" ] || [ "${action}" = "survey" ] || [ "${action}" = "lookup" ]; } && ! "${ban_init}" running && exit 0
[ ! -r "${ban_funlib}" ] && { [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "stop" ] || [ "${action}" = "report" ] || [ "${action}" = "search" ] || [ "${action}" = "survey" ] || [ "${action}" = "lookup" ] || [ "${action}" = "status" ]; } && exit 1
[ -d "${ban_lock}" ] && { [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "lookup" ] || [ "${action}" = "search" ]; } && exit 1
[ ! -d "${ban_lock}" ] && { [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "lookup" ] || [ "${action}" = "search" ]; } && mkdir -p "${ban_lock}"
{ [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "stop" ] || [ "${action}" = "report" ] || [ "${action}" = "search" ] || [ "${action}" = "survey" ] || [ "${action}" = "lookup" ] || [ "${action}" = "status" ]; } && . "${ban_funlib}"
[ ! -d "${ban_lock}" ] && { [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "lookup" ] || [ "${action}" = "search" ]; } && exit 1
if [ -z "${IPKG_INSTROOT}" ]; then
if [ "${action}" = "boot" ] && "${ban_init}" running; then
exit 0
elif { [ "${action}" = "stop" ] || [ "${action}" = "report" ] || [ "${action}" = "search" ] ||
[ "${action}" = "survey" ] || [ "${action}" = "lookup" ]; } && ! "${ban_init}" running; then
exit 0
fi
if [ ! -d "${ban_lock}" ] &&
{ [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] ||
[ "${action}" = "reload" ] || [ "${action}" = "lookup" ] || [ "${action}" = "search" ]; }; then
mkdir -p "${ban_lock}"
elif [ -d "${ban_lock}" ] &&
{ [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] ||
[ "${action}" = "reload" ] || [ "${action}" = "lookup" ] || [ "${action}" = "search" ]; }; then
exit 1
fi
. "${ban_funlib}"
fi
boot() {
: >"${ban_pidfile}"
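Review bot: The new block creates the lock directory (`mkdir -p "${ban_lock}"`) before the function library is sourced, and the former `[ ! -r "${ban_funlib}" ] ... && exit 1` guard is gone, so a missing or unreadable `${ban_funlib}` now makes `. "${ban_funlib}"` abort the script after the lock already exists; presumably the lock is removed by a cleanup path inside that library, in which case every later start/reload would hit the `-d "${ban_lock}"` branch and exit 1 until someone deletes it by hand. Restore the guard ahead of the lock handling, `[ -r "${ban_funlib}" ] || exit 1`, and make lock creation fail loudly, `mkdir -p "${ban_lock}" || exit 1`, which also replaces the post-mkdir verification the removed last line performed. The `[ ! -d ... ] && mkdir -p` pair is still a check-then-act on a shared path; a plain `mkdir "${ban_lock}" 2>/dev/null || exit 1` would make acquisition atomic, though that pattern pre-dates this commit. `boot()` opens at the hunk's end and continues outside it.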