banIP: update 1.5.6-7

* skip rdap requests/replies with placeholders for all IPv4/IPv6 addresses
* sanitize possible bogus config values, e.g. '/dev/null' as a directory
* change URL for beycyber feed

Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit ac1076ef95)

net/banip/Makefile

@@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=banip
 PKG_VERSION:=1.5.6
-PKG_RELEASE:=6
+PKG_RELEASE:=7
 PKG_LICENSE:=GPL-3.0-or-later
 PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>
 

net/banip/files/banip-functions.sh

@@ -264,20 +264,24 @@ f_conf() {
 		option_cb() {
 			local option="${1}" value="${2//\"/\\\"}"
 
-			eval "${option}=\"${value}\""
+			if [ -d "${value}" ] || { [ ! -d "${value}" ] && [ -n "${value%%[./]*}" ]; }; then
+				eval "${option}=\"${value}\""
+			fi
 		}
 		list_cb() {
 			local append option="${1}" value="${2//\"/\\\"}"
 
-			eval "append=\"\${${option}}\""
-			case "${option}" in
-				"ban_logterm")
-					eval "${option}=\"${append}${value}\\|\""
-					;;
-				*)
-					eval "${option}=\"${append}${value} \""
-					;;
-			esac
+			if [ -d "${value}" ] || { [ ! -d "${value}" ] && [ -n "${value%%[./]*}" ]; }; then
+				eval "append=\"\${${option}}\""
+				case "${option}" in
+					"ban_logterm")
+						eval "${option}=\"${append}${value}\\|\""
+						;;
+					*)
+						eval "${option}=\"${append}${value} \""
+						;;
+				esac
+			fi
 		}
 	}
 	config_load banip
@@ -1901,7 +1905,8 @@ f_monitor() {
 					ip="${ip##* }"
 					[ -n "${ip%%::*}" ] && proto=".v6"
 				fi
-				if [ -n "${proto}" ] && ! "${ban_nftcmd}" get element inet banIP allowlist"${proto}" "{ ${ip} }" >/dev/null 2>&1 && ! "${ban_nftcmd}" get element inet banIP blocklist"${proto}" "{ ${ip} }" >/dev/null 2>&1; then
+				if [ -n "${proto}" ] && ! "${ban_nftcmd}" get element inet banIP allowlist"${proto}" "{ ${ip} }" >/dev/null 2>&1 &&
+					! "${ban_nftcmd}" get element inet banIP blocklist"${proto}" "{ ${ip} }" >/dev/null 2>&1; then
 					f_log "info" "suspicious IP '${ip}'"
 					log_raw="$(eval ${loglimit_cmd})"
 					log_count="$(printf "%s\n" "${log_raw}" | "${ban_grepcmd}" -c "suspicious IP '${ip}'")"
@@ -1922,9 +1927,11 @@ f_monitor() {
 										prefix="${idx}"
 										continue
 									else
-										cidr="${prefix}/${idx}"
-										if "${ban_nftcmd}" add element inet banIP "blocklist${proto}" { ${cidr} ${nft_expiry} } >/dev/null 2>&1; then
-											f_log "info" "add IP range '${cidr}' (source: ${rdap_info:-"n/a"} ::: expiry: ${ban_nftexpiry:-"-"}) to blocklist${proto} set"
+										if [ -n "${prefix%%::*}" ] && [ "${prefix%%.*}" != "127" ] && [ "${prefix%%.*}" != "0" ]; then
+											cidr="${prefix}/${idx}"
+											if "${ban_nftcmd}" add element inet banIP "blocklist${proto}" { ${cidr} ${nft_expiry} } >/dev/null 2>&1; then
+												f_log "info" "add IP range '${cidr}' (source: ${rdap_info:-"n/a"} ::: expiry: ${ban_nftexpiry:-"-"}) to blocklist${proto} set"
+											fi
 										fi
 										prefix=""
 									fi

net/banip/files/banip.feeds

@@ -15,7 +15,7 @@
 		"flag": "gz"
 	},
 	"becyber":{
-		"url_4": "https://raw.githubusercontent.com/duggytuxy/Intelligence_IPv4_Blocklists/refs/heads/main/agressive_ips_dst_fr_be_blocklist.txt",
+		"url_4": "https://raw.githubusercontent.com/duggytuxy/Data-Shield_IPv4_Blocklist/refs/heads/main/prod_data-shield_ipv4_blocklist.txt",
 		"rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
 		"chain": "in",
 		"descr": "malicious attacker IPs"