banip: release 1.6.0-1

* split block/logging rules (fixed #27990)
* adapt reload functions to support the new split logic
* the banIP status now includes the backend- and the frontend version information
* fixed a config parsing error with non-existent directories (reported in the forum)
* fixed a small reporting issue (reported in the forum)
* added a new public dns feed (by default restricted to outbound, ports 53 and 853)
* added a new gawk dependency due to significant performance gains
* LuCI: no longer call the logread binary, use rpc / the ubus log object instead
* LuCI: various code cleanups
* LuCI: various small usability improvements
* readme update

Signed-off-by: Dirk Brenken <dev@brenken.org>
This commit is contained in:
Dirk Brenken
2025-12-04 20:25:29 +01:00
parent e93f03aadd
commit c47d8b149c
5 changed files with 168 additions and 64 deletions


@@ -5,8 +5,8 @@
include $(TOPDIR)/rules.mk include $(TOPDIR)/rules.mk
PKG_NAME:=banip PKG_NAME:=banip
PKG_VERSION:=1.5.6 PKG_VERSION:=1.6.0
PKG_RELEASE:=7 PKG_RELEASE:=1
PKG_LICENSE:=GPL-3.0-or-later PKG_LICENSE:=GPL-3.0-or-later
PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org> PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>
@@ -16,7 +16,7 @@ define Package/banip
SECTION:=net SECTION:=net
CATEGORY:=Network CATEGORY:=Network
TITLE:=banIP blocks IPs via named nftables Sets TITLE:=banIP blocks IPs via named nftables Sets
DEPENDS:=+jshn +jsonfilter +firewall4 +ca-bundle +rpcd +rpcd-mod-rpcsys DEPENDS:=+jshn +jsonfilter +firewall4 +gawk +ca-bundle +rpcd +rpcd-mod-rpcsys
PKGARCH:=all PKGARCH:=all
endef endef


@@ -26,7 +26,8 @@ IP address blocking is commonly used to protect against brute force attacks, pre
| country | country blocks | x | | | [Link](https://www.ipdeny.com/ipblocks) | | country | country blocks | x | | | [Link](https://www.ipdeny.com/ipblocks) |
| cinsscore | suspicious attacker IPs | x | | | [Link](https://cinsscore.com/#list) | | cinsscore | suspicious attacker IPs | x | | | [Link](https://cinsscore.com/#list) |
| debl | fail2ban IP blacklist | x | | | [Link](https://www.blocklist.de) | | debl | fail2ban IP blacklist | x | | | [Link](https://www.blocklist.de) |
| doh | public DoH-Provider | | x | tcp, udp: 80, 443 | [Link](https://github.com/dibdot/DoH-IP-blocklists) | | dns | public DNS-Server | | x | tcp, udp: 53, 853 | [Link](https://public-dns.info) |
| doh | public DoH-Server | | x | tcp, udp: 80, 443 | [Link](https://github.com/dibdot/DoH-IP-blocklists) |
| drop | spamhaus drop compilation | x | | | [Link](https://www.spamhaus.org) | | drop | spamhaus drop compilation | x | | | [Link](https://www.spamhaus.org) |
| dshield | dshield IP blocklist | x | | | [Link](https://www.dshield.org) | | dshield | dshield IP blocklist | x | | | [Link](https://www.dshield.org) |
| etcompromised | ET compromised hosts | x | | | [Link](https://iplists.firehol.org/?ipset=et_compromised) | | etcompromised | ET compromised hosts | x | | | [Link](https://iplists.firehol.org/?ipset=et_compromised) |
@@ -95,14 +96,14 @@ IP address blocking is commonly used to protect against brute force attacks, pre
<a id="prerequisites"></a> <a id="prerequisites"></a>
## Prerequisites ## Prerequisites
* **[OpenWrt](https://openwrt.org)**, latest stable release 24.x or a development snapshot with nft/firewall 4 support * **[OpenWrt](https://openwrt.org)**, latest stable release or a development snapshot with nft/firewall 4 support
* A download utility with SSL support: 'curl', full 'wget' or 'uclient-fetch' with one of the 'libustream-*' SSL libraries, the latter one doesn't provide support for ETag HTTP header * A download utility with SSL support: 'curl', full 'wget' or 'uclient-fetch' with one of the 'libustream-*' SSL libraries, the latter one doesn't provide support for ETag HTTP header
* A certificate store like 'ca-bundle', as banIP checks the validity of the SSL certificates of all download sites by default * A certificate store like 'ca-bundle', as banIP checks the validity of the SSL certificates of all download sites by default
* For E-Mail notifications you need to install and setup the additional 'msmtp' package * For E-Mail notifications you need to install and setup the additional 'msmtp' package
**Please note:** **Please note:**
* Devices with less than 256MB of RAM are **_not_** supported * Devices with less than 256MB of RAM are **_not_** supported
* Latest banIP 1.5.x does **_not_** support OpenWrt 23.x because the kernel and the nft library are outdated (use former banIP 1.0.x instead) * Latest banIP does **_not_** support OpenWrt 23.x because the kernel and the nft library are outdated (use former banIP 1.0.x instead)
* Any previous custom feeds file of banIP 1.0.x must be cleared and it's recommended to start with a fresh banIP default config * Any previous custom feeds file of banIP 1.0.x must be cleared and it's recommended to start with a fresh banIP default config
<a id="installation-and-usage"></a> <a id="installation-and-usage"></a>
@@ -339,19 +340,19 @@ Available commands:
**banIP runtime information** **banIP runtime information**
``` ```
~# /etc/init.d/banip status
::: banIP runtime information ::: banIP runtime information
+ status : active (nft: ✔, monitor: ✔) + status : active (nft: ✔, monitor: ✔)
+ version : 1.5.6-r4 + frontend_ver : 1.6.0-r1
+ element_count : 128 751 (chains: 7, sets: 19, rules: 47) + backend_ver : 1.6.0-r1
+ active_feeds : allowlist.v4MAC, allowlist.v6MAC, allowlist.v4, allowlist.v6, cinsscore.v4, debl.v4, country.v6, debl.v6, doh.v4, doh.v6, country.v4, threat.v4, hagezi.v4, turris.v4, turris.v6, blocklist.v4MAC, blocklist.v6MAC, blocklist.v4, blocklist.v6 + element_count : 223 563 (chains: 7, sets: 22, rules: 75)
+ active_feeds : allowlist.v4MAC, allowlist.v6MAC, allowlist.v4, allowlist.v6, cinsscore.v4, debl.v4, country.v6, debl.v6, country.v4, dns.v4, dns.v6, doh.v4, doh.v6, firehol1.v4, hagezi.v4, threat.v4, turris.v4, turris.v6, blocklist.v4MAC, blocklist.v6MAC, blocklist.v4, blocklist.v6
+ active_devices : wan: pppoe-wan / wan-if: wan, wan_6 / vlan-allow: - / vlan-block: - + active_devices : wan: pppoe-wan / wan-if: wan, wan_6 / vlan-allow: - / vlan-block: -
+ active_uplink : 91.61.111.35, 2004:fc:45fe:678:c890:e2a3:c729:dc13 + active_uplink : 5.73.187.13, 2a04:5700:104:c65a:dc41:4131:409:227c
+ nft_info : ver: 1.1.1-r1, priority: -100, policy: performance, loglevel: warn, expiry: 2h, limit (icmp/syn/udp): 25/10/100 + nft_info : ver: 1.1.5-r1, priority: -100, policy: performance, loglevel: warn, expiry: 2h, limit (icmp/syn/udp): 25/10/100
+ run_info : base: /mnt/data/banIP, backup: /mnt/data/banIP/backup, report: /mnt/data/banIP/report, error: /mnt/data/banIP/error + run_info : base: /mnt/data/banIP, backup: /mnt/data/banIP/backup, report: /mnt/data/banIP/report, error: /mnt/data/banIP/error
+ run_flags : auto: ✔, proto (4/6): ✔/✔, log (pre/in/out): ✘/✘/✔, count: ✔, dedup: ✔, split: ✘, custom feed: , allowed only: ✘ + run_flags : auto: ✔, proto (4/6): ✔/✔, log (pre/in/out): ✔/✔/✔, count: ✔, dedup: ✔, split: ✘, custom feed: , allowed only: ✘
+ last_run : mode: restart, 2025-06-08 21:11:21, duration: 0m 22s, memory: 1310.16 MB available + last_run : mode: restart, 2025-12-04 10:00:41, duration: 0m 48s, memory: 1361.54 MB available
+ system_info : cores: 4, log: logread, fetch: curl, Bananapi BPI-R3, mediatek/filogic, OpenWrt SNAPSHOT r29955-8b24289a52 + system_info : cores: 4, log: logread, fetch: curl, Bananapi BPI-R3, mediatek/filogic, OpenWrt SNAPSHOT r32101-28cc1c368c
``` ```
**banIP search information** **banIP search information**


@@ -105,7 +105,8 @@ f_system() {
ban_debug="$(uci_get banip global ban_debug "0")" ban_debug="$(uci_get banip global ban_debug "0")"
ban_cores="$(uci_get banip global ban_cores)" ban_cores="$(uci_get banip global ban_cores)"
ban_packages="$("${ban_ubuscmd}" -S call rpc-sys packagelist '{ "all": true }' 2>/dev/null)" ban_packages="$("${ban_ubuscmd}" -S call rpc-sys packagelist '{ "all": true }' 2>/dev/null)"
ban_ver="$(printf "%s" "${ban_packages}" | "${ban_jsoncmd}" -ql1 -e '@.packages.banip')" ban_bver="$(printf "%s" "${ban_packages}" | "${ban_jsoncmd}" -ql1 -e '@.packages.banip')"
ban_fver="$(printf "%s" "${ban_packages}" | "${ban_jsoncmd}" -ql1 -e '@.packages["luci-app-banip"]')"
ban_sysver="$("${ban_ubuscmd}" -S call system board 2>/dev/null | "${ban_jsoncmd}" -ql1 -e '@.model' -e '@.release.target' -e '@.release.distribution' -e '@.release.version' -e '@.release.revision' | ban_sysver="$("${ban_ubuscmd}" -S call system board 2>/dev/null | "${ban_jsoncmd}" -ql1 -e '@.model' -e '@.release.target' -e '@.release.distribution' -e '@.release.version' -e '@.release.revision' |
"${ban_awkcmd}" 'BEGIN{RS="";FS="\n"}{printf "%s, %s, %s %s %s %s",$1,$2,$3,$4,$5,$6}')" "${ban_awkcmd}" 'BEGIN{RS="";FS="\n"}{printf "%s, %s, %s %s %s %s",$1,$2,$3,$4,$5,$6}')"
@@ -233,9 +234,9 @@ f_log() {
if [ -n "${log_msg}" ] && { [ "${class}" != "debug" ] || [ "${ban_debug}" = "1" ]; }; then if [ -n "${log_msg}" ] && { [ "${class}" != "debug" ] || [ "${ban_debug}" = "1" ]; }; then
if [ -x "${ban_logcmd}" ]; then if [ -x "${ban_logcmd}" ]; then
"${ban_logcmd}" -p "${class}" -t "banIP-${ban_ver}[${$}]" "${log_msg::256}" "${ban_logcmd}" -p "${class}" -t "banIP-${ban_bver}[${$}]" "${log_msg::256}"
else else
printf "%s %s %s\n" "${class}" "banIP-${ban_ver}[${$}]" "${log_msg::256}" printf "%s %s %s\n" "${class}" "banIP-${ban_bver}[${$}]" "${log_msg::256}"
fi fi
fi fi
if [ "${class}" = "err" ] || [ "${class}" = "emerg" ]; then if [ "${class}" = "err" ] || [ "${class}" = "emerg" ]; then
@@ -264,24 +265,20 @@ f_conf() {
option_cb() { option_cb() {
local option="${1}" value="${2//\"/\\\"}" local option="${1}" value="${2//\"/\\\"}"
if [ -d "${value}" ] || { [ ! -d "${value}" ] && [ -n "${value%%[./]*}" ]; }; then eval "${option}=\"${value}\""
eval "${option}=\"${value}\""
fi
} }
list_cb() { list_cb() {
local append option="${1}" value="${2//\"/\\\"}" local append option="${1}" value="${2//\"/\\\"}"
if [ -d "${value}" ] || { [ ! -d "${value}" ] && [ -n "${value%%[./]*}" ]; }; then eval "append=\"\${${option}}\""
eval "append=\"\${${option}}\"" case "${option}" in
case "${option}" in "ban_logterm")
"ban_logterm") eval "${option}=\"${append}${value}\\|\""
eval "${option}=\"${append}${value}\\|\"" ;;
;; *)
*) eval "${option}=\"${append}${value} \""
eval "${option}=\"${append}${value} \"" ;;
;; esac
esac
fi
} }
} }
config_load banip config_load banip
@@ -666,14 +663,43 @@ f_nftinit() {
# default pre-routing rules # default pre-routing rules
# #
printf "%s\n" "add rule inet banIP pre-routing iifname != { ${wan_dev} } counter accept" printf "%s\n" "add rule inet banIP pre-routing iifname != { ${wan_dev} } counter accept"
printf "%s\n" "add rule inet banIP pre-routing ct state invalid ${log_ct} counter name cnt_ctinvalid drop" # ct state invalid
[ "${ban_icmplimit}" -gt "0" ] && printf "%s\n" "add rule inet banIP pre-routing meta nfproto . meta l4proto { ipv4 . icmp , ipv6 . icmpv6 } limit rate over ${ban_icmplimit}/second ${log_icmp} counter name cnt_icmpflood drop" if [ "${ban_logprerouting}" = "1" ]; then
[ "${ban_udplimit}" -gt "0" ] && printf "%s\n" "add rule inet banIP pre-routing meta l4proto udp ct state new limit rate over ${ban_udplimit}/second ${log_udp} counter name cnt_udpflood drop" printf "%s\n" "add rule inet banIP pre-routing ct state invalid ${log_ct}"
[ "${ban_synlimit}" -gt "0" ] && printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|ack) == syn limit rate over ${ban_synlimit}/second ${log_syn} counter name cnt_synflood drop" fi
printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn) == (fin|syn) ${log_tcp} counter name cnt_tcpinvalid drop" printf "%s\n" "add rule inet banIP pre-routing ct state invalid counter name cnt_ctinvalid drop"
printf "%s\n" "add rule inet banIP pre-routing tcp flags & (syn|rst) == (syn|rst) ${log_tcp} counter name cnt_tcpinvalid drop" # ICMP Flood
printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) ${log_tcp} counter name cnt_tcpinvalid drop" if [ "${ban_icmplimit}" -gt "0" ]; then
printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) ${log_tcp} counter name cnt_tcpinvalid drop" if [ "${ban_logprerouting}" = "1" ]; then
printf "%s\n" "add rule inet banIP pre-routing meta nfproto . meta l4proto { ipv4 . icmp , ipv6 . icmpv6 } limit rate over ${ban_icmplimit}/second ${log_icmp}"
fi
printf "%s\n" "add rule inet banIP pre-routing meta nfproto . meta l4proto { ipv4 . icmp , ipv6 . icmpv6 } limit rate over ${ban_icmplimit}/second counter name cnt_icmpflood drop"
fi
# UDP Flood
if [ "${ban_udplimit}" -gt "0" ]; then
if [ "${ban_logprerouting}" = "1" ]; then
printf "%s\n" "add rule inet banIP pre-routing meta l4proto udp ct state new limit rate over ${ban_udplimit}/second ${log_udp}"
fi
printf "%s\n" "add rule inet banIP pre-routing meta l4proto udp ct state new limit rate over ${ban_udplimit}/second counter name cnt_udpflood drop"
fi
# SYN Flood
if [ "${ban_synlimit}" -gt "0" ]; then
if [ "${ban_logprerouting}" = "1" ]; then
printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|ack) == syn limit rate over ${ban_synlimit}/second ${log_syn}"
fi
printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|ack) == syn limit rate over ${ban_synlimit}/second counter name cnt_synflood drop"
fi
# TCP Invalid
if [ "${ban_logprerouting}" = "1" ]; then
printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn) == (fin|syn) ${log_tcp}"
printf "%s\n" "add rule inet banIP pre-routing tcp flags & (syn|rst) == (syn|rst) ${log_tcp}"
printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) ${log_tcp}"
printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) ${log_tcp}"
fi
printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn) == (fin|syn) counter name cnt_tcpinvalid drop"
printf "%s\n" "add rule inet banIP pre-routing tcp flags & (syn|rst) == (syn|rst) counter name cnt_tcpinvalid drop"
printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) counter name cnt_tcpinvalid drop"
printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) counter name cnt_tcpinvalid drop"
# default wan-input rules # default wan-input rules
# #
@@ -683,14 +709,22 @@ f_nftinit() {
printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 udp sport 547 udp dport 546 counter accept" printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 udp sport 547 udp dport 546 counter accept"
printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } ip6 hoplimit 255 counter accept" printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } ip6 hoplimit 255 counter accept"
[ -n "${allow_dport}" ] && printf "%s\n" "add rule inet banIP wan-input ${allow_dport} counter accept" [ -n "${allow_dport}" ] && printf "%s\n" "add rule inet banIP wan-input ${allow_dport} counter accept"
[ "${ban_loginbound}" = "1" ] && printf "%s\n" "add rule inet banIP wan-input meta mark set 1 counter jump _inbound" || printf "%s\n" "add rule inet banIP wan-input counter jump _inbound" if [ "${ban_loginbound}" = "1" ]; then
printf "%s\n" "add rule inet banIP wan-input meta mark set 1 counter jump _inbound"
else
printf "%s\n" "add rule inet banIP wan-input counter jump _inbound"
fi
# default wan-forward rules # default wan-forward rules
# #
printf "%s\n" "add rule inet banIP wan-forward iifname != { ${wan_dev} } counter accept" printf "%s\n" "add rule inet banIP wan-forward iifname != { ${wan_dev} } counter accept"
printf "%s\n" "add rule inet banIP wan-forward ct state established,related counter accept" printf "%s\n" "add rule inet banIP wan-forward ct state established,related counter accept"
[ -n "${allow_dport}" ] && printf "%s\n" "add rule inet banIP wan-forward ${allow_dport} counter accept" [ -n "${allow_dport}" ] && printf "%s\n" "add rule inet banIP wan-forward ${allow_dport} counter accept"
[ "${ban_loginbound}" = "1" ] && printf "%s\n" "add rule inet banIP wan-forward meta mark set 2 counter jump _inbound" || printf "%s\n" "add rule inet banIP wan-forward counter jump _inbound" if [ "${ban_loginbound}" = "1" ]; then
printf "%s\n" "add rule inet banIP wan-forward meta mark set 2 counter jump _inbound"
else
printf "%s\n" "add rule inet banIP wan-forward counter jump _inbound"
fi
# default lan-forward rules # default lan-forward rules
# #
@@ -715,7 +749,7 @@ f_nftinit() {
# handle downloads # handle downloads
# #
f_down() { f_down() {
local log_inbound log_outbound start_ts end_ts tmp_raw tmp_load tmp_file split_file table_json handle etag_rc etag_cnt element_count local log_inbound log_outbound start_ts end_ts tmp_raw tmp_load tmp_file split_file table_json handles handle etag_rc etag_cnt element_count
local expr cnt_set cnt_dl restore_rc feed_direction feed_policy feed_rc feed_comp feed_complete feed_target feed_dport chain flag local expr cnt_set cnt_dl restore_rc feed_direction feed_policy feed_rc feed_comp feed_complete feed_target feed_dport chain flag
local tmp_proto tmp_port asn country feed="${1}" proto="${2}" feed_url="${3}" feed_rule="${4}" feed_chain="${5}" feed_flag="${6}" local tmp_proto tmp_port asn country feed="${1}" proto="${2}" feed_url="${3}" feed_rule="${4}" feed_chain="${5}" feed_flag="${6}"
@@ -820,8 +854,10 @@ f_down() {
{ {
for chain in _inbound _outbound; do for chain in _inbound _outbound; do
for expr in 0 1 2; do for expr in 0 1 2; do
handle="$(printf "%s\n" "${table_json}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.chain=\"${chain}\"][@.expr[${expr}].match.right=\"@${feed}\"].handle")" handles="$(printf "%s\n" "${table_json}" | "${ban_jsoncmd}" -q -e "@.nftables[@.rule.chain=\"${chain}\"][@.expr[${expr}].match.right=\"@${feed}\"].handle" | xargs)"
[ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP ${chain} handle ${handle}" for handle in ${handles}; do
printf "%s\n" "delete rule inet banIP ${chain} handle ${handle}"
done
done done
done done
printf "%s\n" "flush set inet banIP ${feed}" printf "%s\n" "flush set inet banIP ${feed}"
@@ -933,14 +969,20 @@ f_down() {
printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; ${element_count}; $(f_getelements "${tmp_file}") }" printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; ${element_count}; $(f_getelements "${tmp_file}") }"
if [ -z "${feed_direction##*inbound*}" ]; then if [ -z "${feed_direction##*inbound*}" ]; then
if [ "${ban_allowlistonly}" = "1" ]; then if [ "${ban_allowlistonly}" = "1" ]; then
printf "%s\n" "add rule inet banIP _inbound ip saddr != @${feed} ${log_inbound} counter ${feed_target}" if [ "${ban_loginbound}" = "1" ]; then
printf "%s\n" "add rule inet banIP _inbound ip saddr != @${feed} ${log_inbound}"
fi
printf "%s\n" "add rule inet banIP _inbound ip saddr != @${feed} counter ${feed_target}"
else else
printf "%s\n" "add rule inet banIP _inbound ip saddr @${feed} counter accept" printf "%s\n" "add rule inet banIP _inbound ip saddr @${feed} counter accept"
fi fi
fi fi
if [ -z "${feed_direction##*outbound*}" ]; then if [ -z "${feed_direction##*outbound*}" ]; then
if [ "${ban_allowlistonly}" = "1" ]; then if [ "${ban_allowlistonly}" = "1" ]; then
printf "%s\n" "add rule inet banIP _outbound ip daddr != @${feed} ${log_outbound} counter goto _reject" if [ "${ban_logoutbound}" = "1" ]; then
printf "%s\n" "add rule inet banIP _outbound ip daddr != @${feed} ${log_outbound}"
fi
printf "%s\n" "add rule inet banIP _outbound ip daddr != @${feed} counter goto _reject"
else else
printf "%s\n" "add rule inet banIP _outbound ip daddr @${feed} counter accept" printf "%s\n" "add rule inet banIP _outbound ip daddr @${feed} counter accept"
fi fi
@@ -952,14 +994,20 @@ f_down() {
printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; ${element_count}; $(f_getelements "${tmp_file}") }" printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; ${element_count}; $(f_getelements "${tmp_file}") }"
if [ -z "${feed_direction##*inbound*}" ]; then if [ -z "${feed_direction##*inbound*}" ]; then
if [ "${ban_allowlistonly}" = "1" ]; then if [ "${ban_allowlistonly}" = "1" ]; then
printf "%s\n" "add rule inet banIP _inbound ip6 saddr != @${feed} ${log_inbound} counter ${feed_target}" if [ "${ban_loginbound}" = "1" ]; then
printf "%s\n" "add rule inet banIP _inbound ip6 saddr != @${feed} ${log_inbound}"
fi
printf "%s\n" "add rule inet banIP _inbound ip6 saddr != @${feed} counter ${feed_target}"
else else
printf "%s\n" "add rule inet banIP _inbound ip6 saddr @${feed} counter accept" printf "%s\n" "add rule inet banIP _inbound ip6 saddr @${feed} counter accept"
fi fi
fi fi
if [ -z "${feed_direction##*outbound*}" ]; then if [ -z "${feed_direction##*outbound*}" ]; then
if [ "${ban_allowlistonly}" = "1" ]; then if [ "${ban_allowlistonly}" = "1" ]; then
printf "%s\n" "add rule inet banIP _outbound ip6 daddr != @${feed} ${log_outbound} counter ${feed_target}" if [ "${ban_logoutbound}" = "1" ]; then
printf "%s\n" "add rule inet banIP _outbound ip6 daddr != @${feed} ${log_outbound}"
fi
printf "%s\n" "add rule inet banIP _outbound ip6 daddr != @${feed} counter ${feed_target}"
else else
printf "%s\n" "add rule inet banIP _outbound ip6 daddr @${feed} counter accept" printf "%s\n" "add rule inet banIP _outbound ip6 daddr @${feed} counter accept"
fi fi
@@ -988,16 +1036,36 @@ f_down() {
"${ban_awkcmd}" '/^127\./{next}/^(([1-9][0-9]?[0-9]?\.){1}([0-9]{1,3}\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]].*|$)/{printf "%s,\n",$1}' "${ban_blocklist}" | "${ban_awkcmd}" '/^127\./{next}/^(([1-9][0-9]?[0-9]?\.){1}([0-9]{1,3}\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]].*|$)/{printf "%s,\n",$1}' "${ban_blocklist}" |
"${ban_awkcmd}" '{ORS=" ";print}' >"${tmp_file}" "${ban_awkcmd}" '{ORS=" ";print}' >"${tmp_file}"
printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval, timeout; auto-merge; policy ${ban_nftpolicy}; ${element_count}; $(f_getelements "${tmp_file}") }" printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval, timeout; auto-merge; policy ${ban_nftpolicy}; ${element_count}; $(f_getelements "${tmp_file}") }"
[ -z "${feed_direction##*inbound*}" ] && printf "%s\n" "add rule inet banIP _inbound ip saddr @${feed} ${log_inbound} counter ${feed_target}" if [ -z "${feed_direction##*inbound*}" ]; then
[ -z "${feed_direction##*outbound*}" ] && printf "%s\n" "add rule inet banIP _outbound ip daddr @${feed} ${log_outbound} counter goto _reject" if [ "${ban_loginbound}" = "1" ]; then
printf "%s\n" "add rule inet banIP _inbound ip saddr @${feed} ${log_inbound}"
fi
printf "%s\n" "add rule inet banIP _inbound ip saddr @${feed} counter ${feed_target}"
fi
if [ -z "${feed_direction##*outbound*}" ]; then
if [ "${ban_logoutbound}" = "1" ]; then
printf "%s\n" "add rule inet banIP _outbound ip daddr @${feed} ${log_outbound}"
fi
printf "%s\n" "add rule inet banIP _outbound ip daddr @${feed} counter goto _reject"
fi
;; ;;
"6") "6")
"${ban_awkcmd}" '!/^([0-9A-f]{2}:){5}[0-9A-f]{2}.*/{printf "%s\n",$1}' "${ban_blocklist}" | "${ban_awkcmd}" '!/^([0-9A-f]{2}:){5}[0-9A-f]{2}.*/{printf "%s\n",$1}' "${ban_blocklist}" |
"${ban_awkcmd}" '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]].*|$)/{printf "%s,\n",tolower($1)}' | "${ban_awkcmd}" '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]].*|$)/{printf "%s,\n",tolower($1)}' |
"${ban_awkcmd}" '{ORS=" ";print}' >"${tmp_file}" "${ban_awkcmd}" '{ORS=" ";print}' >"${tmp_file}"
printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval, timeout; auto-merge; policy ${ban_nftpolicy}; ${element_count}; $(f_getelements "${tmp_file}") }" printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval, timeout; auto-merge; policy ${ban_nftpolicy}; ${element_count}; $(f_getelements "${tmp_file}") }"
[ -z "${feed_direction##*inbound*}" ] && printf "%s\n" "add rule inet banIP _inbound ip6 saddr @${feed} ${log_inbound} counter ${feed_target}" if [ -z "${feed_direction##*inbound*}" ]; then
[ -z "${feed_direction##*outbound*}" ] && printf "%s\n" "add rule inet banIP _outbound ip6 daddr @${feed} ${log_outbound} counter goto _reject" if [ "${ban_loginbound}" = "1" ]; then
printf "%s\n" "add rule inet banIP _inbound ip6 saddr @${feed} ${log_inbound}"
fi
printf "%s\n" "add rule inet banIP _inbound ip6 saddr @${feed} counter ${feed_target}"
fi
if [ -z "${feed_direction##*outbound*}" ]; then
if [ "${ban_logoutbound}" = "1" ]; then
printf "%s\n" "add rule inet banIP _outbound ip6 daddr @${feed} ${log_outbound}"
fi
printf "%s\n" "add rule inet banIP _outbound ip6 daddr @${feed} counter goto _reject"
fi
;; ;;
esac esac
} >"${tmp_nft}" } >"${tmp_nft}"
@@ -1128,8 +1196,18 @@ f_down() {
printf "%s\n\n" "#!${ban_nftcmd} -f" printf "%s\n\n" "#!${ban_nftcmd} -f"
[ -s "${tmp_flush}" ] && "${ban_catcmd}" "${tmp_flush}" [ -s "${tmp_flush}" ] && "${ban_catcmd}" "${tmp_flush}"
printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; ${element_count}; $(f_getelements "${tmp_file}.1") }" printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; ${element_count}; $(f_getelements "${tmp_file}.1") }"
[ -z "${feed_direction##*inbound*}" ] && printf "%s\n" "add rule inet banIP _inbound ${feed_dport} ip saddr @${feed} ${log_inbound} counter ${feed_target}" if [ -z "${feed_direction##*inbound*}" ]; then
[ -z "${feed_direction##*outbound*}" ] && printf "%s\n" "add rule inet banIP _outbound ${feed_dport} ip daddr @${feed} ${log_outbound} counter goto _reject" if [ "${ban_loginbound}" = "1" ]; then
printf "%s\n" "add rule inet banIP _inbound ${feed_dport} ip saddr @${feed} ${log_inbound}"
fi
printf "%s\n" "add rule inet banIP _inbound ${feed_dport} ip saddr @${feed} counter ${feed_target}"
fi
if [ -z "${feed_direction##*outbound*}" ]; then
if [ "${ban_logoutbound}" = "1" ]; then
printf "%s\n" "add rule inet banIP _outbound ${feed_dport} ip daddr @${feed} ${log_outbound}"
fi
printf "%s\n" "add rule inet banIP _outbound ${feed_dport} ip daddr @${feed} counter goto _reject"
fi
} >"${tmp_nft}" } >"${tmp_nft}"
elif [ "${proto}" = "6" ]; then elif [ "${proto}" = "6" ]; then
{ {
@@ -1138,8 +1216,18 @@ f_down() {
printf "%s\n\n" "#!${ban_nftcmd} -f" printf "%s\n\n" "#!${ban_nftcmd} -f"
[ -s "${tmp_flush}" ] && "${ban_catcmd}" "${tmp_flush}" [ -s "${tmp_flush}" ] && "${ban_catcmd}" "${tmp_flush}"
printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; ${element_count}; $(f_getelements "${tmp_file}.1") }" printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; ${element_count}; $(f_getelements "${tmp_file}.1") }"
[ -z "${feed_direction##*inbound*}" ] && printf "%s\n" "add rule inet banIP _inbound ${feed_dport} ip6 saddr @${feed} ${log_inbound} counter ${feed_target}" if [ -z "${feed_direction##*inbound*}" ]; then
[ -z "${feed_direction##*outbound*}" ] && printf "%s\n" "add rule inet banIP _outbound ${feed_dport} ip6 daddr @${feed} ${log_outbound} counter goto _reject" if [ "${ban_loginbound}" = "1" ]; then
printf "%s\n" "add rule inet banIP _inbound ${feed_dport} ip6 saddr @${feed} ${log_inbound}"
fi
printf "%s\n" "add rule inet banIP _inbound ${feed_dport} ip6 saddr @${feed} counter ${feed_target}"
fi
if [ -z "${feed_direction##*outbound*}" ]; then
if [ "${ban_logoutbound}" = "1" ]; then
printf "%s\n" "add rule inet banIP _outbound ${feed_dport} ip6 daddr @${feed} ${log_outbound}"
fi
printf "%s\n" "add rule inet banIP _outbound ${feed_dport} ip6 daddr @${feed} counter goto _reject"
fi
} >"${tmp_nft}" } >"${tmp_nft}"
fi fi
fi fi
@@ -1219,7 +1307,7 @@ f_restore() {
# remove staled Sets # remove staled Sets
# #
f_rmset() { f_rmset() {
local feedlist tmp_del table_json feed country asn table_sets handle expr del_set feed_rc local feedlist tmp_del table_json feed country asn table_sets handles handle expr del_set feed_rc
f_getfeed f_getfeed
json_get_keys feedlist json_get_keys feedlist
@@ -1258,8 +1346,10 @@ f_rmset() {
rm -f "${ban_backupdir}/banIP.${feed}.gz" rm -f "${ban_backupdir}/banIP.${feed}.gz"
for chain in _inbound _outbound; do for chain in _inbound _outbound; do
for expr in 0 1 2; do for expr in 0 1 2; do
handle="$(printf "%s\n" "${table_json}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.chain=\"${chain}\"][@.expr[${expr}].match.right=\"@${feed}\"].handle")" handles="$(printf "%s\n" "${table_json}" | "${ban_jsoncmd}" -q -e "@.nftables[@.rule.chain=\"${chain}\"][@.expr[${expr}].match.right=\"@${feed}\"].handle" | xargs)"
[ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP ${chain} handle ${handle}" for handle in ${handles}; do
printf "%s\n" "delete rule inet banIP ${chain} handle ${handle}"
done
done done
done done
printf "%s\n" "flush set inet banIP ${feed}" printf "%s\n" "flush set inet banIP ${feed}"
@@ -1312,7 +1402,8 @@ f_genstatus() {
json_init json_init
json_load_file "${ban_rtfile}" >/dev/null 2>&1 json_load_file "${ban_rtfile}" >/dev/null 2>&1
json_add_string "status" "${status}" json_add_string "status" "${status}"
json_add_string "version" "${ban_ver}" json_add_string "frontend_ver" "${ban_fver}"
json_add_string "backend_ver" "${ban_bver}"
json_add_string "element_count" "${element_cnt} (chains: ${chain_cnt:-"0"}, sets: ${set_cnt:-"0"}, rules: ${rule_cnt:-"0"})" json_add_string "element_count" "${element_cnt} (chains: ${chain_cnt:-"0"}, sets: ${set_cnt:-"0"}, rules: ${rule_cnt:-"0"})"
json_add_array "active_feeds" json_add_array "active_feeds"
for object in ${table_sets:-"-"}; do for object in ${table_sets:-"-"}; do
@@ -1765,6 +1856,9 @@ f_report() {
[ -n "${ban_mailreceiver}" ] && [ -x "${ban_mailcmd}" ] && f_mail [ -n "${ban_mailreceiver}" ] && [ -x "${ban_mailcmd}" ] && f_mail
: >"${report_txt}" : >"${report_txt}"
;; ;;
*)
: >"${report_txt}"
;;
esac esac
} }
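Review bot: With the directory guard removed from `option_cb` and `list_cb`, every configured value now reaches `eval`, yet the only escaping is `${2//\"/\\\"}`, so a value containing `$(...)`, a backtick or a backslash sequence is still expanded or re-parsed by the shell when the quoted assignment string is evaluated (a `ban_logterm` pattern ending in `$` is a realistic example). The config is root-owned, so this is fragility rather than a privilege boundary, but the escaping can be dropped entirely by letting the assignment expand the variable exactly once: `local option="${1}" value="${2}"` followed by `eval "${option}=\$value"`. In `list_cb` build the combined string first (`value="${append}${value}\\|"` for `ban_logterm`, `value="${append}${value} "` otherwise) and assign it the same way, which yields the same stored text as today without re-parsing either `append` or `value`. `f_conf` starts before and ends after this hunk.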


@@ -9,13 +9,13 @@
ban_action="${1}" ban_action="${1}"
ban_starttime="$(date "+%s")" ban_starttime="$(date "+%s")"
ban_funlib="/usr/lib/banip-functions.sh" ban_funlib="/usr/lib/banip-functions.sh"
[ -z "${ban_ver}" ] && . "${ban_funlib}" [ -z "${ban_bver}" ] && . "${ban_funlib}"
# load config and set banIP environment # load config and set banIP environment
# #
[ "${ban_action}" = "boot" ] && sleep "$(uci_get banip global ban_triggerdelay "20")" [ "${ban_action}" = "boot" ] && sleep "$(uci_get banip global ban_triggerdelay "20")"
f_conf f_conf
f_log "info" "start banIP processing (${ban_action}, ${ban_ver:-"n/a"})" f_log "info" "start banIP processing (${ban_action}, ${ban_bver:-"n/a"})"
f_genstatus "processing" f_genstatus "processing"
f_tmp f_tmp
f_getfetch f_getfetch


@@ -62,13 +62,22 @@
"chain": "in", "chain": "in",
"descr": "fail2ban IP blocklist" "descr": "fail2ban IP blocklist"
}, },
"dns":{
"url_4": "https://public-dns.info/nameservers-all.txt",
"url_6": "https://public-dns.info/nameservers-all.txt",
"rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
"chain": "out",
"descr": "public DNS-Server",
"flag": "tcp udp 53 853"
},
"doh":{ "doh":{
"url_4": "https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv4.txt", "url_4": "https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv4.txt",
"url_6": "https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv6.txt", "url_6": "https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv6.txt",
"rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}",
"chain": "out", "chain": "out",
"descr": "public DoH-Provider", "descr": "public DoH-Server",
"flag": "tcp udp 80 443" "flag": "tcp udp 80 443"
}, },
"drop":{ "drop":{
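Review bot: The new `dns` entry carries no wording about its side effect: with `"chain": "out"` and `"flag": "tcp udp 53 853"`, a LAN client that resolves against any resolver on the public-dns.info list — which presumably includes the ISP's and the common anycast resolvers — loses DNS once the feed is enabled unless that resolver is allowlisted, so the `descr` or the README row should state that the feed is meant to force clients through the local resolver, e.g. `"descr": "public DNS-Server (blocks direct client DNS to listed resolvers)"`. `url_4` and `url_6` both point at the same `nameservers-all.txt`, so the list is fetched twice per refresh; if that is deliberate because the downloader handles one URL per family, the README row is the place to say so, since the feeds file has no comment syntax. The `rule_6` pattern copies the existing `[0-9A-f]` range from the other feeds, which also matches the ASCII characters between `Z` and `a`; that is pre-existing, but each new entry propagates it.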