banIP: update 1.5.6-7

* skip rdap requests/replies with placeholders for all IPv4/IPv6 addresses
* sanitize possible bogus config values, e.g. '/dev/null' as a directory
* change URL for becyber feed

Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit ac1076ef95)
Dirk Brenken
2025-08-04 20:53:01 +02:00
parent 3ae8b6f406
commit ff3c02aaf2
3 changed files with 23 additions and 16 deletions


@@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=banip
PKG_VERSION:=1.5.6
PKG_RELEASE:=6
PKG_RELEASE:=7
PKG_LICENSE:=GPL-3.0-or-later
PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>


@@ -264,11 +264,14 @@ f_conf() {
option_cb() {
local option="${1}" value="${2//\"/\\\"}"
if [ -d "${value}" ] || { [ ! -d "${value}" ] && [ -n "${value%%[./]*}" ]; }; then
eval "${option}=\"${value}\""
fi
}
list_cb() {
local append option="${1}" value="${2//\"/\\\"}"
if [ -d "${value}" ] || { [ ! -d "${value}" ] && [ -n "${value%%[./]*}" ]; }; then
eval "append=\"\${${option}}\""
case "${option}" in
"ban_logterm")
@@ -278,6 +281,7 @@ f_conf() {
eval "${option}=\"${append}${value} \""
;;
esac
fi
}
}
config_load banip
@@ -1901,7 +1905,8 @@ f_monitor() {
ip="${ip##* }"
[ -n "${ip%%::*}" ] && proto=".v6"
fi
if [ -n "${proto}" ] && ! "${ban_nftcmd}" get element inet banIP allowlist"${proto}" "{ ${ip} }" >/dev/null 2>&1 && ! "${ban_nftcmd}" get element inet banIP blocklist"${proto}" "{ ${ip} }" >/dev/null 2>&1; then
if [ -n "${proto}" ] && ! "${ban_nftcmd}" get element inet banIP allowlist"${proto}" "{ ${ip} }" >/dev/null 2>&1 &&
! "${ban_nftcmd}" get element inet banIP blocklist"${proto}" "{ ${ip} }" >/dev/null 2>&1; then
f_log "info" "suspicious IP '${ip}'"
log_raw="$(eval ${loglimit_cmd})"
log_count="$(printf "%s\n" "${log_raw}" | "${ban_grepcmd}" -c "suspicious IP '${ip}'")"
@@ -1922,10 +1927,12 @@ f_monitor() {
prefix="${idx}"
continue
else
if [ -n "${prefix%%::*}" ] && [ "${prefix%%.*}" != "127" ] && [ "${prefix%%.*}" != "0" ]; then
cidr="${prefix}/${idx}"
if "${ban_nftcmd}" add element inet banIP "blocklist${proto}" { ${cidr} ${nft_expiry} } >/dev/null 2>&1; then
f_log "info" "add IP range '${cidr}' (source: ${rdap_info:-"n/a"} ::: expiry: ${ban_nftexpiry:-"-"}) to blocklist${proto} set"
fi
fi
prefix=""
fi
done
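Review bot: The new guard in option_cb and list_cb only tests whether the value is a directory or begins with `.` or `/`, so every other value still reaches `eval "${option}=\"${value}\""` with nothing but double quotes escaped, and `$`, backticks and backslashes inside a config value are re-parsed by the shell when the config is loaded. Since the commit is about sanitizing config values, consider having eval expand the variable rather than its contents: `local option="${1}" value="${2}"` with `eval "${option}=\"\${value}\""`, and `eval "${option}=\"\${append}\${value} \""` in list_cb. The guard also drops any non-directory value that starts with `/` or `.`, which presumably includes options that legitimately hold an absolute path to a regular file, so a check keyed on the option name may be safer than a blanket test; the inner `[ ! -d "${value}" ] &&` is redundant after the `||`. The `ban_logterm` branch of list_cb and the rest of f_conf lie outside the visible hunks, so confirm the same assignment form fits there.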


@@ -15,7 +15,7 @@
"flag": "gz"
},
"becyber":{
"url_4": "https://raw.githubusercontent.com/duggytuxy/Intelligence_IPv4_Blocklists/refs/heads/main/agressive_ips_dst_fr_be_blocklist.txt",
"url_4": "https://raw.githubusercontent.com/duggytuxy/Data-Shield_IPv4_Blocklist/refs/heads/main/prod_data-shield_ipv4_blocklist.txt",
"rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
"chain": "in",
"descr": "malicious attacker IPs"