* split block/logging rules (fixed#27990)
* adapt reload functions to support the new split logic
* the banIP status now includes the backend- and the frontend version information
* fixed a config parsing error with non existing dirs (reported in the forum)
* fixed a small reporting issue (reported in the forum)
* added a new public dns feed (by default restricted to outbound, ports 53 and 853)
* added a new gawk dependency due to significant performance gains
* LuCI: no longer call the logread binary, use rpc / the ubus log object instead
* LuCI: various code cleanups
* LuCI: various small usability improvements
* readme update
Signed-off-by: Dirk Brenken <dev@brenken.org>
* skip rdap requests/replies with placeholders for all IPv4/IPv6 addresses
* sanitize possible bogus config values, e.g. '/dev/null' as a directory
* change URL for beycyber feed
Signed-off-by: Dirk Brenken <dev@brenken.org>
* limit nft logging to a rate 10/second to prevent possible log-flooding
* skip external feed processing if "allowlist-only" mode is fully enabled (in in- and outbound)
* remove needless default icmpv6 rule in wan-input
* refine the housekeeping script (uci-defaults)
* readme update
Signed-off-by: Dirk Brenken <dev@brenken.org>
* fixed the restore rc handling
* skip allowlist entries during map creation
* disable the map button by default (only enabled if map & NFT counter are selected)
* disable the content filter checkbox for elements with hits by default (only enabled if NFT counter are selected)
* readme update
Signed-off-by: Dirk Brenken <dev@brenken.org>
* show the IP plus the packet counter in the modal Set content view (or on the CLI)
* add a filter to show only elements with hits in the modal Set content view (or on the CLI)
* limit the element output with hits to max. 50 per Set on the Set Reporting overview page
* fixed set names suffix in the report output
* fixed the Set content view for MAC based Sets
* display the map even if the HomeIP cannot be determined
Signed-off-by: Dirk Brenken <dev@brenken.org>
* add an uci-defaults script for housekeeping and option migration from former versions
* small fixes and improvements
Signed-off-by: Dirk Brenken <dev@brenken.org>
* the ETAG function now supports country and asn feeds as well
* fixed becyber URL and other small fixes
* LuCI fixes and improvements (separate commit)
Signed-off-by: Dirk Brenken <dev@brenken.org>
* fixed a JSON reporting issue (when the map and NFT counters are disabled)
* optimized the getfetch function call within the reporting function
* removed the stale IPv6 links in the becyber feed
* cosmetics
Signed-off-by: Dirk Brenken <dev@brenken.org>
* added a geoIP Map to show home IPs and potential attacker IPs on a leafletjs based map
* significantly improved the reporting performance on multicore hardware
* removed aria2 support (it doesn't support post data requests)
* removed the following outbound feeds due to too many false positives:
adaway, adguard, adguardtrackers, antipopads, oisdbig, oisdnsfw, oisdsmall, stevenblack and yoyo
* renamed the banIP command "survey" to "content"
* various other small tweaks
* update the readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
* fix a race condition in the process scheduler
* sync the banIP country file with ipdeny feed
* refine etag handling with country/asn feeds
* refine logging with country/asn feeds
* refine the banIP status output (incl. LuCI changes)
Signed-off-by: Dirk Brenken <dev@brenken.org>
* optimized uci config processing (list options)
* optimized icmp rules in pre-routing (thanks @brada)
* set inbound marker in pre-routing only if inbound logging is enabled (fixes#26044)
* fix cornercase in Set removal function
* print chain-, set- and rules-counter in the banIP status
* clean up logging und download queue handling
* update the readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
* add memory measurements:
- free memory in MB (MemAvailable from /proc/meminfo)
- script run max. used RAM in MB (VmHWM from /proc/$$/status)
* removed the obsolete (domain) lookup command in init script
* update the readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
* optimized the f_nftload function
* reduced the prerouting priority to -175
* optimized the output of the f_survey function
* removed a needless fw4 call/check
* no longer skips regular blocklist feeds in "allowlist only" mode
* optimized init checks
* turris feed: enable IPv6 parsing, too (prvided by @curbengh)
* update the readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
* fixed the incomplete rule maintainance during banIP reloads
* fixed the Set query function (if the Set counters are disabled)
Signed-off-by: Dirk Brenken <dev@brenken.org>
* change the chain structure: only two regular chains contain the generated banIP sets.
“_inbound” covers the base chains WAN-Input and WAN-Forward, ‘_outbound’ covers the base chain LAN-Forward.
* pre-configure the default chains for every feed in the banip.feeds json file, no longer blocks
selected feeds in all chains by default
* it's now possible to split country and asn Sets by country or asn (disabled by default)
* support Set counters to report easily suspicious IPs per Set (disabled by default)
* make it possible, to opt out certain chains from the deduplication process
* the element search now returns all matches (and not only the first one)
* the report engine now includes statistics about the Inbound & Outbound chains and the Set counters (optional)
* save the temp. files of possible nft loading errors in "/tmp/banIP-errors" by default for easier debugging
* various code improvements
* remove ssbl feed (deprecated)
* add two new vpn feeds
* update the readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
* optimized procd settings for better performance
* made the log monitor working again (even on master with apk migration issues)
* reworked the fetch autodetection function (still broken in master due to apk migration)
Signed-off-by: Dirk Brenken <dev@brenken.org>
* fixed gathering/printing of system information in banIP status
* removed broken iblocklist.com feeds
* updated readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
* supports comments (introduced with a #), for MAC addresses
in the allow and block list, e.g. 26:5e:a0:6a:9c:da # Test
* added hagezi threat ip feed
* added an adguard logterm to the readme
* removed the broken talos feed
Signed-off-by: Dirk Brenken <dev@brenken.org>
* fixed auto allow-/blocklist-issue with IPv6 addresses in CIDR notation
* removed edrop feed from readme (had been removed from feeds for a while)
Signed-off-by: Dirk Brenken <dev@brenken.org>
* relax the firewall pre-check if fw4 is not running
* replace former stale tor feed source with 'https://www.dan.me.uk/torlist/?exit'
* add openvpn log term/search pattern example to the readme
* the default config now includes only log terms for dropbear and LuCI, all others are optional
* readme update
Signed-off-by: Dirk Brenken <dev@brenken.org>
* fixed a possible "Argument list too long" error in the f_log function
* fixed multiple, incomplete digit character classes
* fixed/optimized split file handling
* cosmetics
Signed-off-by: Dirk Brenken <dev@brenken.org>
* made sure, that the domain lookup always add the found IPs to the underlying allow-/blocklist-Set
* major readme update
Signed-off-by: Dirk Brenken <dev@brenken.org>
* fix regex for nixspam and sslbl feed
* list the pre-routing limits in the banIP status
* small fixes and log improvements
Signed-off-by: Dirk Brenken <dev@brenken.org>
* fix a processing race condition
* it's now possible to disable the icmp/syn/udp safeguards in pre-routing - set the threshold to '0'.
Signed-off-by: Dirk Brenken <dev@brenken.org>
* fixed possible Set search race condition (initiated from LuCI frontend)
* fixed the "no result" Set search problem in LuCI
* removed abandoned feeds: spamhaus edrop (was merged with spamhaus drop)
Signed-off-by: Dirk Brenken <dev@brenken.org>
* added a DDoS protection rules in a new pre-routing chain to prevent common ICMP, UDP and SYN flood attacks and drop spoofed tcp flags & invalid conntrack packets, flood tresholds are configured via 'ban_icmplimit' (default 10/s), 'ban_synlimit' (default 10/s) and 'ban_udplimit' (default 100/s)
* the new pre-routing rules are tracked via named nft counters and are part of the standard reporting, set 'ban_logprerouting' accordingly
* block countries dynamically by Regional Internet Registry (RIR)/regions, e.g. all countries related to ARIN. Supported service regions are: AFRINIC, ARIN, APNIC, LACNIC and RIPE, set 'ban_region' accordingly
* it's now possible to always allow certain protocols/destination ports in wan-input and wan-forward chains, set 'ban_allowflag' accordingly - e.g. ' tcp 80 443-445'
* filter/convert possible windows line endings of external feeds during processing
* the cpu core autodetection is now limited to max. 16 cores in parallel, set 'ban_cores' manually to overrule this limitation
* set the default nft priority to -100 for banIP input/forward chains (pre-routing is set to -150)
* update readme
* a couple of bugfixes & performance improvements
* removed abandoned feeds: darklist, ipblackhole
* added new feeds: becyber, ipsum, pallebone, debl (changed URL)
* requires a LuCI frontend update as well (separate PR/commit)
Signed-off-by: Dirk Brenken <dev@brenken.org>
* add support for destination port & protocol limitations for external feeds (see readme for details),
useful for lan-forward ad- or DoH-blocking, e.g. only tcp ports 80 and 443
* add turris sentinel blocklist feed
* update readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
* rework the device/interface auto-detection (only layer-3 network devices will be detetcted correctly), disable the auto-detection e.g. for special tunnel interfaces
* supports now full gawk (preferred, if installed) and busybox awk
* raise the default boot timeout to 20 seconds (if 'ban_triggerdelay' is not set)
* various small fixes and improvements
* readme update
Signed-off-by: Dirk Brenken <dev@brenken.org>
* provides an option to transfer log events on remote servers via cgi interface (disabled by default), see readme for details
* refine the allowlist check to support IP intervals as well before adding an IP to the blocklist
Signed-off-by: Dirk Brenken <dev@brenken.org>
