mirror
/
openwrt-packages
mirror of https://git.openwrt.org/feed/packages.git
1
0
Fork 0
Code Releases Activity

banip: release 0.9.1-1 

* drop packets silently on input and forwardwan chains or actively reject the traffic, set 'ban_blocktype' accordingly
* optimized banIP boot/reload handling
* removed pppoe quirk in device detection
* small fixes and optimizations

Signed-off-by: Dirk Brenken <dev@brenken.org>
This commit is contained in:
Dirk Brenken 2023-10-03 21:30:15 +02:00
parent 07e5c29d8e
commit 00cad2980c
No known key found for this signature in database
GPG Key ID: 9D71CD547BFAE684
6 changed files with 110 additions and 70 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
net/banip/Makefile
View File

@ -5,7 +5,7 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=banip
PKG_VERSION:=0.9.0
PKG_VERSION:=0.9.1
PKG_RELEASE:=1
PKG_LICENSE:=GPL-3.0-or-later
PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>

6
net/banip/files/README.md
View File

@ -162,9 +162,8 @@ Available commands:
| ban_dev | list | - / autodetect | wan device(s), e.g. 'eth2' |
| ban_vlanallow | list | - | always allow certain VLAN forwards, e.g. br-lan.20 |
| ban_vlanblock | list | - | always block certain VLAN forwards, e.g. br-lan.10 |
| ban_trigger | list | - | logical startup trigger interface(s), e.g. 'wan' |
| ban_triggerdelay | option | 10 | trigger timeout before banIP processing begins |
| ban_triggeraction | option | start | trigger action on ifup events, e.g. start, restart or reload |
| ban_trigger | list | - | logical reload trigger interface(s), e.g. 'wan' |
| ban_triggerdelay | option | 10 | trigger timeout during interface reload and boot |
| ban_deduplicate | option | 1 | deduplicate IP addresses across all active Sets |
| ban_splitsize | option | 0 | split ext. Sets after every n lines/members (saves RAM) |
| ban_cores | option | - / autodetect | limit the cpu cores used by banIP (saves RAM) |
@ -176,6 +175,7 @@ Available commands:
| ban_asn | list | - | ASNs for the 'asn' feed, e.g.'32934' |
| ban_country | list | - | country iso codes for the 'country' feed, e.g. 'ru' |
| ban_blockpolicy | option | - | limit the default block policy to a certain chain, e.g. 'input', 'forwardwan' or 'forwardlan' |
| ban_blocktype | option | drop | 'drop' packets silently on input and forwardwan chains or actively 'reject' the traffic |
| ban_blockinput | list | - | limit a feed to the wan-input chain, e.g. 'country' |
| ban_blockforwardwan | list | - | limit a feed to the wan-forward chain, e.g. 'debl' |
| ban_blockforwardlan | list | - | limit a feed to the lan-forward chain, e.g. 'doh' |

141
net/banip/files/banip-functions.sh
View File

@ -65,6 +65,7 @@ ban_splitsize="0"
ban_autodetect="1"
ban_feed=""
ban_blockpolicy=""
ban_blocktype="drop"
ban_blockinput=""
ban_blockforwardwan=""
ban_blockforwardlan=""
@ -86,7 +87,6 @@ ban_cores=""
ban_memory=""
ban_packages=""
ban_trigger=""
ban_triggerdelay="10"
ban_resolver=""
ban_enabled="0"
ban_debug="0"
@ -283,8 +283,6 @@ f_conf() {
}
}
config_load banip
[ "${ban_action}" = "boot" ] && [ -z "${ban_trigger}" ] && sleep ${ban_triggerdelay}
}
# get nft/monitor actuals
@ -421,15 +419,10 @@ f_getdev() {
network_flush_cache
for iface in ${ban_ifv4} ${ban_ifv6}; do
network_get_device dev "${iface}"
if [ -n "${dev}" ]; then
if printf "%s" "${dev}" | "${ban_grepcmd}" -qE "pppoe|6in4"; then
dev="${iface}"
fi
if ! printf " %s " "${ban_dev}" | "${ban_grepcmd}" -q " ${dev} "; then
ban_dev="${ban_dev}${dev} "
uci_add_list banip global ban_dev "${dev}"
f_log "info" "add device '${dev}' to config"
fi
if [ -n "${dev}" ] && ! printf " %s " "${ban_dev}" | "${ban_grepcmd}" -q " ${dev} "; then
ban_dev="${ban_dev}${dev} "
uci_add_list banip global ban_dev "${dev}"
f_log "info" "add device '${dev}' to config"
fi
done
cnt="$((cnt + 1))"
@ -495,13 +488,15 @@ f_getuplink() {
f_getfeed() {
json_init
if [ -s "${ban_customfeedfile}" ]; then
if ! json_load_file "${ban_customfeedfile}" >/dev/null 2>&1; then
if json_load_file "${ban_customfeedfile}" >/dev/null 2>&1; then
return
else
f_log "info" "can't load banIP custom feed file"
if ! json_load_file "${ban_feedfile}" >/dev/null 2>&1; then
f_log "err" "can't load banIP feed file"
fi
fi
elif ! json_load_file "${ban_feedfile}" >/dev/null 2>&1; then
fi
if [ -s "${ban_feedfile}" ] && json_load_file "${ban_feedfile}" >/dev/null 2>&1; then
return
else
f_log "err" "can't load banIP feed file"
fi
}
@ -526,9 +521,9 @@ f_etag() {
etag_id="$(printf "%s" "${http_head}" | "${ban_awkcmd}" 'tolower($0)~/^[[:space:]]*etag: /{gsub("\"","");printf "%s",$2}')"
etag_rc="${?}"
if [ "${http_code}" = "404" ] || { [ "${etag_rc}" = "0" ] && [ -n "${etag_id}" ] && "${ban_grepcmd}" -q "^${feed}${feed_suffix}.*${etag_id}\$" "${ban_backupdir}/banIP.etag"; }; then
if [ "${http_code}" = "404" ] || { [ "${etag_rc}" = "0" ] && [ -n "${etag_id}" ] && "${ban_grepcmd}" -q "^${feed}${feed_suffix}[[:space:]]\+${etag_id}\$" "${ban_backupdir}/banIP.etag"; }; then
out_rc="0"
elif [ "${etag_rc}" = "0" ] && [ -n "${etag_id}" ] && ! "${ban_grepcmd}" -q "^${feed}${feed_suffix}.*${etag_id}\$" "${ban_backupdir}/banIP.etag"; then
elif [ "${etag_rc}" = "0" ] && [ -n "${etag_id}" ] && ! "${ban_grepcmd}" -q "^${feed}${feed_suffix}[[:space:]]\+${etag_id}\$" "${ban_backupdir}/banIP.etag"; then
"${ban_sedcmd}" -i "/^${feed}${feed_suffix}/d" "${ban_backupdir}/banIP.etag"
printf "%-20s%s\n" "${feed}${feed_suffix}" "${etag_id}" >>"${ban_backupdir}/banIP.etag"
out_rc="2"
@ -559,6 +554,12 @@ f_nftinit() {
printf "%s\n" "add chain inet banIP wan-input { type filter hook input priority ${ban_nftpriority}; policy accept; }"
printf "%s\n" "add chain inet banIP wan-forward { type filter hook forward priority ${ban_nftpriority}; policy accept; }"
printf "%s\n" "add chain inet banIP lan-forward { type filter hook forward priority ${ban_nftpriority}; policy accept; }"
printf "%s\n" "add chain inet banIP reject-chain"
# default reject rules
#
printf "%s\n" "add rule inet banIP reject-chain meta l4proto tcp reject with tcp reset"
printf "%s\n" "add rule inet banIP reject-chain reject"
# default wan-input rules
#
@ -581,7 +582,7 @@ f_nftinit() {
printf "%s\n" "add rule inet banIP lan-forward ct state established,related counter accept"
printf "%s\n" "add rule inet banIP lan-forward oifname != { ${wan_dev} } counter accept"
[ -n "${vlan_allow}" ] && printf "%s\n" "add rule inet banIP lan-forward iifname { ${vlan_allow} } counter accept"
[ -n "${vlan_block}" ] && printf "%s\n" "add rule inet banIP lan-forward iifname { ${vlan_block} } counter reject"
[ -n "${vlan_block}" ] && printf "%s\n" "add rule inet banIP lan-forward iifname { ${vlan_block} } counter goto reject-chain"
} >"${file}"
# load initial banIP table within nft (atomic load)
@ -609,9 +610,9 @@ f_down() {
tmp_nft="${ban_tmpfile}.${feed}.nft"
tmp_allow="${ban_tmpfile}.${feed%v*}"
[ "${ban_loginput}" = "1" ] && log_input="log level ${ban_nftloglevel} prefix \"banIP/inp-wan/drp/${feed}: \""
[ "${ban_logforwardwan}" = "1" ] && log_forwardwan="log level ${ban_nftloglevel} prefix \"banIP/fwd-wan/drp/${feed}: \""
[ "${ban_logforwardlan}" = "1" ] && log_forwardlan="log level ${ban_nftloglevel} prefix \"banIP/fwd-lan/rej/${feed}: \""
[ "${ban_loginput}" = "1" ] && log_input="log level ${ban_nftloglevel} prefix \"banIP/inp-wan/${ban_blocktype}/${feed}: \""
[ "${ban_logforwardwan}" = "1" ] && log_forwardwan="log level ${ban_nftloglevel} prefix \"banIP/fwd-wan/${ban_blocktype}/${feed}: \""
[ "${ban_logforwardlan}" = "1" ] && log_forwardlan="log level ${ban_nftloglevel} prefix \"banIP/fwd-lan/reject/${feed}: \""
# set feed block direction
#
@ -724,21 +725,29 @@ f_down() {
printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
if [ -z "${feed_direction##*input*}" ]; then
if [ "${ban_allowlistonly}" = "1" ]; then
printf "%s\n" "add rule inet banIP wan-input ip saddr != @${feed} ${log_input} counter drop"
if [ "${ban_blocktype}" = "reject" ]; then
printf "%s\n" "add rule inet banIP wan-input ip saddr != @${feed} ${log_input} counter goto reject-chain"
else
printf "%s\n" "add rule inet banIP wan-input ip saddr != @${feed} ${log_input} counter drop"
fi
else
printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} counter accept"
fi
fi
if [ -z "${feed_direction##*forwardwan*}" ]; then
if [ "${ban_allowlistonly}" = "1" ]; then
printf "%s\n" "add rule inet banIP wan-forward ip saddr != @${feed} ${log_forwardwan} counter drop"
if [ "${ban_blocktype}" = "reject" ]; then
printf "%s\n" "add rule inet banIP wan-forward ip saddr != @${feed} ${log_forwardwan} counter goto reject-chain"
else
printf "%s\n" "add rule inet banIP wan-forward ip saddr != @${feed} ${log_forwardwan} counter drop"
fi
else
printf "%s\n" "add rule inet banIP wan-forward ip saddr @${feed} counter accept"
fi
fi
if [ -z "${feed_direction##*forwardlan*}" ]; then
if [ "${ban_allowlistonly}" = "1" ]; then
printf "%s\n" "add rule inet banIP lan-forward ip daddr != @${feed} ${log_forwardlan} counter reject with icmp type admin-prohibited"
printf "%s\n" "add rule inet banIP lan-forward ip daddr != @${feed} ${log_forwardlan} counter goto reject-chain"
else
printf "%s\n" "add rule inet banIP lan-forward ip daddr @${feed} counter accept"
fi
@ -749,21 +758,29 @@ f_down() {
printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
if [ -z "${feed_direction##*input*}" ]; then
if [ "${ban_allowlistonly}" = "1" ]; then
printf "%s\n" "add rule inet banIP wan-input ip6 saddr != @${feed} ${log_input} counter drop"
if [ "${ban_blocktype}" = "reject" ]; then
printf "%s\n" "add rule inet banIP wan-input ip6 saddr != @${feed} ${log_input} counter goto reject-chain"
else
printf "%s\n" "add rule inet banIP wan-input ip6 saddr != @${feed} ${log_input} counter drop"
fi
else
printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} counter accept"
fi
fi
if [ -z "${feed_direction##*forwardwan*}" ]; then
if [ "${ban_allowlistonly}" = "1" ]; then
printf "%s\n" "add rule inet banIP wan-forward ip6 saddr != @${feed} ${log_forwardwan} counter drop"
if [ "${ban_blocktype}" = "reject" ]; then
printf "%s\n" "add rule inet banIP wan-forward ip6 saddr != @${feed} ${log_forwardwan} counter goto reject-chain"
else
printf "%s\n" "add rule inet banIP wan-forward ip6 saddr != @${feed} ${log_forwardwan} counter drop"
fi
else
printf "%s\n" "add rule inet banIP wan-forward ip6 saddr @${feed} counter accept"
fi
fi
if [ -z "${feed_direction##*forwardlan*}" ]; then
if [ "${ban_allowlistonly}" = "1" ]; then
printf "%s\n" "add rule inet banIP lan-forward ip6 daddr != @${feed} ${log_forwardlan} counter reject with icmpv6 type admin-prohibited"
printf "%s\n" "add rule inet banIP lan-forward ip6 daddr != @${feed} ${log_forwardlan} counter goto reject-chain"
else
printf "%s\n" "add rule inet banIP lan-forward ip6 daddr @${feed} counter accept"
fi
@ -778,11 +795,11 @@ f_down() {
if [ "${proto}" = "4MAC" ]; then
"${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}(\/([0-9]|[1-3][0-9]|4[0-8]))?([[:space:]]+([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?[[:space:]]*$|[[:space:]]+$|$)/{if(!$2)$2="0.0.0.0/0";if(!seen[$1]++)printf "%s . %s, ",tolower($1),$2}' "${ban_blocklist}" >"${tmp_file}"
printf "%s\n" "add set inet banIP ${feed} { type ether_addr . ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ether saddr . ip saddr @${feed} counter reject"
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ether saddr . ip saddr @${feed} counter goto reject-chain"
elif [ "${proto}" = "6MAC" ]; then
"${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}(\/([0-9]|[1-3][0-9]|4[0-8]))?([[:space:]]+([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?[[:space:]]*$|[[:space:]]+$|$)/{if(!$2)$2="::/0";if(!seen[$1]++)printf "%s . %s, ",tolower($1),$2}' "${ban_blocklist}" >"${tmp_file}"
printf "%s\n" "add set inet banIP ${feed} { type ether_addr . ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ether saddr . ip6 saddr @${feed} counter reject"
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ether saddr . ip6 saddr @${feed} counter goto reject-chain"
elif [ "${proto}" = "4" ]; then
if [ "${ban_deduplicate}" = "1" ]; then
"${ban_awkcmd}" '/^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]].*|$)/{printf "%s,\n",$1}' "${ban_blocklist}" >"${tmp_raw}"
@ -794,9 +811,14 @@ f_down() {
fi
"${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}"
printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval, timeout; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} ${log_input} counter drop"
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip saddr @${feed} ${log_forwardwan} counter drop"
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ip daddr @${feed} ${log_forwardlan} counter reject with icmp type admin-prohibited"
if [ "${ban_blocktype}" = "reject" ]; then
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} ${log_input} counter goto reject-chain"
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip saddr @${feed} ${log_forwardwan} counter goto reject-chain"
else
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} ${log_input} counter drop"
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip saddr @${feed} ${log_forwardwan} counter drop"
fi
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ip daddr @${feed} ${log_forwardlan} counter goto reject-chain"
elif [ "${proto}" = "6" ]; then
if [ "${ban_deduplicate}" = "1" ]; then
"${ban_awkcmd}" '!/^([0-9A-f]{2}:){5}[0-9A-f]{2}.*/{printf "%s\n",$1}' "${ban_blocklist}" |
@ -810,9 +832,14 @@ f_down() {
fi
"${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}"
printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval, timeout; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} ${log_input} counter drop"
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip6 saddr @${feed} ${log_forwardwan} counter drop"
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ip6 daddr @${feed} ${log_forwardlan} counter reject with icmpv6 type admin-prohibited"
if [ "${ban_blocktype}" = "reject" ]; then
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} ${log_input} counter goto reject-chain"
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip6 saddr @${feed} ${log_forwardwan} counter goto reject-chain"
else
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} ${log_input} counter drop"
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip6 saddr @${feed} ${log_forwardwan} counter drop"
fi
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ip6 daddr @${feed} ${log_forwardlan} counter goto reject-chain"
fi
} >"${tmp_nft}"
feed_rc="0"
@ -907,9 +934,14 @@ f_down() {
# input and forward rules
#
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} ${log_input} counter drop"
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip saddr @${feed} ${log_forwardwan} counter drop"
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ip daddr @${feed} ${log_forwardlan} counter reject with icmp type admin-prohibited"
if [ "${ban_blocktype}" = "reject" ]; then
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} ${log_input} counter goto reject-chain"
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip saddr @${feed} ${log_forwardwan} counter goto reject-chain"
else
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} ${log_input} counter drop"
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip saddr @${feed} ${log_forwardwan} counter drop"
fi
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ip daddr @${feed} ${log_forwardlan} counter goto reject-chain"
} >"${tmp_nft}"
elif [ "${feed_rc}" = "0" ] && [ "${proto}" = "6" ]; then
{
@ -921,9 +953,14 @@ f_down() {
# input and forward rules
#
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} ${log_input} counter drop"
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip6 saddr @${feed} ${log_forwardwan} counter drop"
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ip6 daddr @${feed} ${log_forwardlan} counter reject with icmpv6 type admin-prohibited"
if [ "${ban_blocktype}" = "reject" ]; then
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} ${log_input} counter goto reject-chain"
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip6 saddr @${feed} ${log_forwardwan} counter goto reject-chain"
else
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} ${log_input} counter drop"
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip6 saddr @${feed} ${log_forwardwan} counter drop"
fi
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ip6 daddr @${feed} ${log_forwardlan} counter goto reject-chain"
} >"${tmp_nft}"
fi
fi
@ -1035,18 +1072,18 @@ f_rmset() {
# generate status information
#
f_genstatus() {
local object duration item table_sets cnt_elements="0" custom_feed="0" split="0" status="${1}"
local object end_time duration table_sets cnt_elements="0" custom_feed="0" split="0" status="${1}"
[ -z "${ban_dev}" ] && f_conf
if [ "${status}" = "active" ]; then
if [ -n "${ban_starttime}" ]; then
ban_endtime="$(date "+%s")"
duration="$(((ban_endtime - ban_starttime) / 60))m $(((ban_endtime - ban_starttime) % 60))s"
if [ -n "${ban_starttime}" ] && [ "${ban_action}" != "boot" ]; then
end_time="$(date "+%s")"
duration="$(((end_time - ban_starttime) / 60))m $(((end_time - ban_starttime) % 60))s"
fi
table_sets="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[@.set.table="banIP"].set.name')"
if [ "${ban_reportelements}" = "1" ]; then
for item in ${table_sets}; do
cnt_elements="$((cnt_elements + $("${ban_nftcmd}" -j list set inet banIP "${item}" 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)))"
for object in ${table_sets}; do
cnt_elements="$((cnt_elements + $("${ban_nftcmd}" -j list set inet banIP "${object}" 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)))"
done
fi
runtime="action: ${ban_action:-"-"}, fetch: ${ban_fetchcmd##*/}, duration: ${duration:-"-"}, date: $(date "+%Y-%m-%d %H:%M:%S")"
@ -1437,13 +1474,11 @@ f_monitor() {
local nft_expiry line proto ip log_raw log_count rdap_log rdap_rc rdap_elements rdap_info
if [ -x "${ban_logreadcmd}" ] && [ -n "${ban_logterm%%??}" ] && [ "${ban_loglimit}" != "0" ]; then
f_log "info" "start detached banIP log service"
[ -n "${ban_nftexpiry}" ] && nft_expiry="timeout $(printf "%s" "${ban_nftexpiry}" | "${ban_grepcmd}" -oE "([0-9]+[d|h|m|s])+$")"
"${ban_logreadcmd}" -fe "${ban_logterm%%??}" 2>/dev/null |
while read -r line; do
: >"{ban_rdapfile}"
: >"${ban_rdapfile}"
proto=""
ip="$(printf "%s" "${line}" | "${ban_awkcmd}" 'BEGIN{RS="(([0-9]{1,3}\\.){3}[0-9]{1,3})+"}{if(!seen[RT]++)printf "%s ",RT}')"
ip="$(f_trim "${ip}")"
@ -1455,7 +1490,7 @@ f_monitor() {
ip="${ip##* }"
[ -n "${ip}" ] && proto="v6"
fi
if [ -n "${proto}" ] && ! "${ban_nftcmd}" get element inet banIP blocklist"${proto}" "{ ${ip} }" >/dev/null 2>&1; then
if [ -n "${proto}" ] && ! "${ban_nftcmd}" get element inet banIP blocklist"${proto}" "{ ${ip} }" >/dev/null 2>&1 && ! "${ban_grepcmd}" -q "^${ip}" "${ban_allowlist}"; then
f_log "info" "suspicious IP '${ip}'"
log_raw="$("${ban_logreadcmd}" -l "${ban_loglimit}" 2>/dev/null)"
log_count="$(printf "%s\n" "${log_raw}" | "${ban_grepcmd}" -c "suspicious IP '${ip}'")"

9
net/banip/files/banip-service.sh
View File

@ -13,6 +13,7 @@ ban_funlib="/usr/lib/banip-functions.sh"
# load config and set banIP environment
#
[ "${ban_action}" = "boot" ] && sleep "$(uci_get banip global ban_triggerdelay "10")"
f_conf
f_log "info" "start banIP processing (${ban_action})"
f_log "debug" "f_system ::: system: ${ban_sysver:-"n/a"}, version: ${ban_ver:-"n/a"}, memory: ${ban_memory:-"0"}, cpu_cores: ${ban_cores}"
@ -56,7 +57,11 @@ fi
# handle downloads
#
f_log "info" "start banIP download processes"
[ "${ban_allowlistonly}" = "1" ] && ban_feed="" || f_getfeed
if [ "${ban_allowlistonly}" = "1" ]; then
ban_feed=""
else
f_getfeed
fi
[ "${ban_deduplicate}" = "1" ] && printf "\n" >"${ban_tmpfile}.deduplicate"
cnt="1"
@ -146,7 +151,7 @@ wait
#
if [ "${ban_mailnotification}" = "1" ] && [ -n "${ban_mailreceiver}" ] && [ -x "${ban_mailcmd}" ]; then
(
sleep ${ban_triggerdelay}
sleep 5
f_mail
) &
fi

18
net/banip/files/banip.init
View File

@ -6,7 +6,7 @@
# (s)hellcheck exceptions
# shellcheck disable=all
START=30
START=95
USE_PROCD=1
extra_command "report" "[text|json|mail] Print banIP related Set statistics"
@ -22,8 +22,8 @@ ban_lock="/var/run/banip.lock"
[ "${action}" = "boot" ] && "${ban_init}" running && exit 0
{ [ "${action}" = "stop" ] || [ "${action}" = "report" ] || [ "${action}" = "search" ] || [ "${action}" = "survey" ] || [ "${action}" = "lookup" ]; } && ! "${ban_init}" running && exit 0
[ -d "${ban_lock}" ] && { [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "lookup" ]; } && exit 1
[ ! -d "${ban_lock}" ] && { [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "lookup" ]; } && mkdir -p "${ban_lock}"
[ -d "${ban_lock}" ] && { [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "lookup" ]; } && exit 1
[ ! -d "${ban_lock}" ] && { [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "lookup" ]; } && mkdir -p "${ban_lock}"
boot() {
: >"${ban_pidfile}"
@ -32,7 +32,6 @@ boot() {
start_service() {
if "${ban_init}" enabled; then
[ "${action}" = "boot" ] && [ -n "$(uci_get banip global ban_trigger)" ] && return 0
[ -z "$(command -v "f_system")" ] && . "${ban_funlib}"
f_rmpid
procd_open_instance "banip-service"
@ -108,15 +107,16 @@ lookup() {
}
service_triggers() {
local iface trigger trigger_action delay
local iface trigger delay
trigger="$(uci_get banip global ban_trigger)"
trigger_action="$(uci_get banip global ban_triggeraction "start")"
delay="$(uci_get banip global ban_triggerdelay "10")"
PROCD_RELOAD_DELAY=$((delay * 1000))
trigger="$(uci_get banip global ban_trigger)"
PROCD_RELOAD_DELAY="$((delay * 1000))"
for iface in ${trigger}; do
procd_add_interface_trigger "interface.*.up" "${iface}" "${ban_init}" "${trigger_action}"
procd_add_interface_trigger "interface.*.up" "${iface}" "${ban_init}" reload
done
PROCD_RELOAD_DELAY="$((2 * 1000))"
procd_add_reload_trigger "banip"
}

4
net/banip/files/banip.tpl
View File

@ -6,9 +6,9 @@
#
local banip_info report_info log_info system_info mail_text
banip_info="$(/etc/init.d/banip status 2>/dev/null | awk '{NR=1;max=140;if(length($0)>max+1)while($0){if(NR==1){print substr($0,1,max)}else{print substr($0,1,max)}{$0=substr($0,max+1);NR=NR+1}}else print}')"
banip_info="$(/etc/init.d/banip status 2>/dev/null | awk '{NR=1;max=160;if(length($0)>max+1)while($0){if(NR==1){print substr($0,1,max)}else{print substr($0,1,max)}{$0=substr($0,max+1);NR=NR+1}}else print}')"
report_info="$(cat ${ban_reportdir}/ban_report.txt 2>/dev/null)"
log_info="$("${ban_logreadcmd}" -l 100 -e "banIP/" 2>/dev/null | awk '{NR=1;max=140;if(length($0)>max+1)while($0){if(NR==1){print substr($0,1,max)}else{print substr($0,1,max)}{$0=substr($0,max+1);NR=NR+1}}else print}')"
log_info="$("${ban_logreadcmd}" -l 100 -e "banIP/" 2>/dev/null | awk '{NR=1;max=160;if(length($0)>max+1)while($0){if(NR==1){print substr($0,1,max)}else{print substr($0,1,max)}{$0=substr($0,max+1);NR=NR+1}}else print}')"
system_info="$(
strings /etc/banner 2>/dev/null
ubus call system board | awk 'BEGIN{FS="[{}\"]"}{if($2=="kernel"||$2=="hostname"||$2=="system"||$2=="model"||$2=="description")printf " + %-12s: %s\n",$2,$4}'