mirror
/
openwrt-packages
mirror of https://git.openwrt.org/feed/packages.git
1
0
Fork 0
Code Releases Activity

banip: release 0.8.1-1 

* add missing wan-forward chain (incl. report/mail adaption)
* changed options:
  - old: ban_blockforward, new: ban_blockforwardwan and ban_blockforwardlan
  - old: ban_logforward, new: ban_logforwardwan and ban_logforwardlan
* add missing dhcp(v6) rules/exceptions
* update readme

Previously run tested by certain forum users (and by me).

Signed-off-by: Dirk Brenken <dev@brenken.org>
This commit is contained in:
Dirk Brenken 2023-02-25 09:33:50 +01:00
parent 8885636b4e
commit 02c2587f9d
No known key found for this signature in database
GPG Key ID: 9D71CD547BFAE684
4 changed files with 237 additions and 164 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
net/banip/Makefile
View File

@ -7,8 +7,8 @@
include $(TOPDIR)/rules.mk
PKG_NAME:=banip
PKG_VERSION:=0.8.0
PKG_RELEASE:=4
PKG_VERSION:=0.8.1
PKG_RELEASE:=1
PKG_LICENSE:=GPL-3.0-or-later
PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>

179
net/banip/files/README.md
View File

@ -7,52 +7,52 @@ IP address blocking is commonly used to protect against brute force attacks, pre
## Main Features
* banIP supports the following fully pre-configured domain blocklist feeds (free for private usage, for commercial use please check their individual licenses).
**Please note:** the columns "INP" and "FWD" show for which chains the feeds are suitable in common scenarios, e.g. the first entry should be limited to forward chain - see the config options 'ban\_blockforward' and 'ban\_blockinput' below.
**Please note:** the columns "WAN-INP", "WAN-FWD" and "LAN_FWD" show for which chains the feeds are suitable in common scenarios, e.g. the first entry should be limited to the LAN forward chain - see the config options 'ban\_blockinput', 'ban\_blockforwardwan' and 'ban\_blockforwardlan' below.
| Feed | Focus | INP | FWD | Information |
| :------------------ | :----------------------------: | :-: | :-: | :-------------------------------------------------------------------- |
| adaway | adaway IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| adguard | adguard IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| adguardtrackers | adguardtracker IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| antipopads | antipopads IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| asn | ASN IPs | | x | [Link](https://asn.ipinfo.app) |
| backscatterer | backscatterer IPs | x | x | [Link](https://www.uceprotect.net/en/index.php) |
| bogon | bogon prefixes | x | x | [Link](https://team-cymru.com) |
| country | country blocks | x | | [Link](https://www.ipdeny.com/ipblocks) |
| cinsscore | suspicious attacker IPs | x | x | [Link](https://cinsscore.com/#list) |
| darklist | blocks suspicious attacker IPs | x | x | [Link](https://darklist.de) |
| debl | fail2ban IP blacklist | x | x | [Link](https://www.blocklist.de) |
| doh | public DoH-Provider | | x | [Link](https://github.com/dibdot/DoH-IP-blocklists) |
| drop | spamhaus drop compilation | x | x | [Link](https://www.spamhaus.org) |
| dshield | dshield IP blocklist | x | x | [Link](https://www.dshield.org) |
| edrop | spamhaus edrop compilation | x | x | [Link](https://www.spamhaus.org) |
| feodo | feodo tracker | x | x | [Link](https://feodotracker.abuse.ch) |
| firehol1 | firehol level 1 compilation | x | x | [Link](https://iplists.firehol.org/?ipset=firehol_level1) |
| firehol2 | firehol level 2 compilation | x | x | [Link](https://iplists.firehol.org/?ipset=firehol_level2) |
| firehol3 | firehol level 3 compilation | x | x | [Link](https://iplists.firehol.org/?ipset=firehol_level3) |
| firehol4 | firehol level 4 compilation | x | x | [Link](https://iplists.firehol.org/?ipset=firehol_level4) |
| greensnow | suspicious server IPs | x | x | [Link](https://greensnow.co) |
| iblockads | Advertising IPs | | x | [Link](https://www.iblocklist.com) |
| iblockspy | Malicious spyware IPs | x | x | [Link](https://www.iblocklist.com) |
| myip | real-time IP blocklist | x | x | [Link](https://myip.ms) |
| nixspam | iX spam protection | x | x | [Link](http://www.nixspam.org) |
| oisdnsfw | OISD-nsfw IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| oisdsmall | OISD-small IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| proxy | open proxies | x | | [Link](https://iplists.firehol.org/?ipset=proxylists) |
| ssbl | SSL botnet IPs | x | x | [Link](https://sslbl.abuse.ch) |
| stevenblack | stevenblack IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| talos | talos IPs | x | x | [Link](https://talosintelligence.com/reputation_center) |
| threat | emerging threats | x | x | [Link](https://rules.emergingthreats.net) |
| threatview | malicious IPs | x | x | [Link](https://threatview.io) |
| tor | tor exit nodes | x | | [Link](https://github.com/SecOps-Institute/Tor-IP-Addresses) |
| uceprotect1 | spam protection level 1 | x | x | [Link](http://www.uceprotect.net/en/index.php) |
| uceprotect2 | spam protection level 2 | x | x | [Link](http://www.uceprotect.net/en/index.php) |
| uceprotect3 | spam protection level 3 | x | x | [Link](http://www.uceprotect.net/en/index.php) |
| urlhaus | urlhaus IDS IPs | x | x | [Link](https://urlhaus.abuse.ch) |
| urlvir | malware related IPs | x | x | [Link](https://iplists.firehol.org/?ipset=urlvir) |
| webclient | malware related IPs | x | x | [Link](https://iplists.firehol.org/?ipset=firehol_webclient) |
| voip | VoIP fraud blocklist | x | x | [Link](https://voipbl.org) |
| yoyo | yoyo IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| Feed | Focus | WAN-INP | WAN-FWD | LAN-FWD | Information |
| :------------------ | :----------------------------- | :-----: | :-----: | :-----: | :----------------------------------------------------------- |
| adaway | adaway IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| adguard | adguard IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| adguardtrackers | adguardtracker IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| antipopads | antipopads IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| asn | ASN IPs | | | x | [Link](https://asn.ipinfo.app) |
| backscatterer | backscatterer IPs | x | x | | [Link](https://www.uceprotect.net/en/index.php) |
| bogon | bogon prefixes | x | x | | [Link](https://team-cymru.com) |
| country | country blocks | x | x | | [Link](https://www.ipdeny.com/ipblocks) |
| cinsscore | suspicious attacker IPs | x | x | | [Link](https://cinsscore.com/#list) |
| darklist | blocks suspicious attacker IPs | x | x | | [Link](https://darklist.de) |
| debl | fail2ban IP blacklist | x | x | | [Link](https://www.blocklist.de) |
| doh | public DoH-Provider | | | x | [Link](https://github.com/dibdot/DoH-IP-blocklists) |
| drop | spamhaus drop compilation | x | x | | [Link](https://www.spamhaus.org) |
| dshield | dshield IP blocklist | x | x | | [Link](https://www.dshield.org) |
| edrop | spamhaus edrop compilation | x | x | | [Link](https://www.spamhaus.org) |
| feodo | feodo tracker | x | x | x | [Link](https://feodotracker.abuse.ch) |
| firehol1 | firehol level 1 compilation | x | x | | [Link](https://iplists.firehol.org/?ipset=firehol_level1) |
| firehol2 | firehol level 2 compilation | x | x | | [Link](https://iplists.firehol.org/?ipset=firehol_level2) |
| firehol3 | firehol level 3 compilation | x | x | | [Link](https://iplists.firehol.org/?ipset=firehol_level3) |
| firehol4 | firehol level 4 compilation | x | x | | [Link](https://iplists.firehol.org/?ipset=firehol_level4) |
| greensnow | suspicious server IPs | x | x | x | [Link](https://greensnow.co) |
| iblockads | Advertising IPs | | | x | [Link](https://www.iblocklist.com) |
| iblockspy | Malicious spyware IPs | x | x | x | [Link](https://www.iblocklist.com) |
| myip | real-time IP blocklist | x | x | | [Link](https://myip.ms) |
| nixspam | iX spam protection | x | x | | [Link](http://www.nixspam.org) |
| oisdnsfw | OISD-nsfw IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| oisdsmall | OISD-small IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| proxy | open proxies | x | | | [Link](https://iplists.firehol.org/?ipset=proxylists) |
| ssbl | SSL botnet IPs | x | x | x | [Link](https://sslbl.abuse.ch) |
| stevenblack | stevenblack IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
| talos | talos IPs | x | x | | [Link](https://talosintelligence.com/reputation_center) |
| threat | emerging threats | x | x | x | [Link](https://rules.emergingthreats.net) |
| threatview | malicious IPs | x | x | x | [Link](https://threatview.io) |
| tor | tor exit nodes | x | x | x | [Link](https://github.com/SecOps-Institute/Tor-IP-Addresses) |
| uceprotect1 | spam protection level 1 | x | x | | [Link](http://www.uceprotect.net/en/index.php) |
| uceprotect2 | spam protection level 2 | x | x | | [Link](http://www.uceprotect.net/en/index.php) |
| uceprotect3 | spam protection level 3 | x | x | | [Link](http://www.uceprotect.net/en/index.php) |
| urlhaus | urlhaus IDS IPs | x | x | | [Link](https://urlhaus.abuse.ch) |
| urlvir | malware related IPs | x | x | x | [Link](https://iplists.firehol.org/?ipset=urlvir) |
| webclient | malware related IPs | x | x | x | [Link](https://iplists.firehol.org/?ipset=firehol_webclient) |
| voip | VoIP fraud blocklist | x | x | | [Link](https://voipbl.org) |
| yoyo | yoyo IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
* zero-conf like automatic installation & setup, usually no manual changes needed
* all sets are handled in a separate nft table/namespace 'banIP'
@ -128,8 +128,9 @@ Available commands:
| ban_logterm | list | regex | various regex for logfile parsing (default: dropbear, sshd, luci, nginx, asterisk) |
| ban_autodetect | option | 1 | auto-detect wan interfaces, devices and subnets |
| ban_debug | option | 0 | enable banIP related debug logging |
| ban_loginput | option | 1 | log drops in the input chain |
| ban_logforward | option | 0 | log rejects in the forward chain |
| ban_loginput | option | 1 | log drops in the wan-input chain |
| ban_logforwardwan | option | 1 | log drops in the wan-forward chain |
| ban_logforwardlan | option | 0 | log rejects in the lan-forward chain |
| ban_autoallowlist | option | 1 | add wan IPs/subnets automatically to the local allowlist |
| ban_autoblocklist | option | 1 | add suspicious attacker IPs automatically to the local blocklist |
| ban_allowlistonly | option | 0 | restrict the internet access from/to a small number of secure websites/IPs |
@ -150,8 +151,9 @@ Available commands:
| ban_feed | list | - | external download feeds, e.g. 'yoyo', 'doh', 'country' or 'talos' (see feed table) |
| ban_asn | list | - | ASNs for the 'asn' feed, e.g.'32934' |
| ban_country | list | - | country iso codes for the 'country' feed, e.g. 'ru' |
| ban_blockinput | list | - | limit a feed to the input chain, e.g. 'country' |
| ban_blockforward | list | - | limit a feed to the forward chain, e.g. 'doh' |
| ban_blockinput | list | - | limit a feed to the wan-input chain, e.g. 'country' |
| ban_blockforwardwan | list | - | limit a feed to the wan-forward chain, e.g. 'debl' |
| ban_blockforwardlan | list | - | limit a feed to the lan-forward chain, e.g. 'doh' |
| ban_fetchcmd | option | - / autodetect | 'uclient-fetch', 'wget', 'curl' or 'aria2c' |
| ban_fetchparm | option | - / autodetect | set the config options for the selected download utility |
| ban_fetchinsecure | option | 0 | don't check SSL server certificates during download |
@ -169,44 +171,65 @@ Available commands:
:::
::: banIP Set Statistics
:::
Timestamp: 2023-02-08 22:12:40
Timestamp: 2023-02-25 08:35:37
------------------------------
auto-added to allowlist: 1
auto-added to blocklist: 0
auto-added to allowlist: 0
auto-added to blocklist: 4
Set | Set Elements | Chain Input | Chain Forward | Input Packets | Forward Packets
---------------------+---------------+---------------+---------------+---------------+----------------
allowlistvMAC | 0 | n/a | OK | n/a | 0
allowlistv4 | 1 | OK | OK | 0 | 0
allowlistv6 | 0 | OK | OK | 0 | 0
blocklistvMAC | 0 | n/a | OK | n/a | 0
blocklistv4 | 0 | OK | OK | 0 | 0
blocklistv6 | 0 | OK | OK | 0 | 0
dohv4 | 542 | n/a | OK | n/a | 22
adguardv4 | 23007 | n/a | OK | n/a | 18
yoyov4 | 1936 | n/a | OK | n/a | 1
oisdbasicv4 | 26000 | n/a | OK | n/a | 325
---------------------+---------------+---------------+---------------+---------------+----------------
10 | 51486 | 4 | 10 | 0 | 366
Set | Elements | WAN-Input (packets) | WAN-Forward (packets) | LAN-Forward (packets)
---------------------+--------------+-----------------------+-----------------------+------------------------
allowlistvMAC | 0 | - | - | OK: 0
allowlistv4 | 15 | OK: 0 | OK: 0 | OK: 0
allowlistv6 | 1 | OK: 0 | OK: 0 | OK: 0
torv4 | 800 | OK: 0 | OK: 0 | OK: 0
torv6 | 432 | OK: 0 | OK: 0 | OK: 0
countryv6 | 34282 | OK: 0 | OK: 1 | -
countryv4 | 35508 | OK: 1872 | OK: 0 | -
dohv6 | 343 | - | - | OK: 0
dohv4 | 540 | - | - | OK: 3
firehol1v4 | 1670 | OK: 296 | OK: 0 | OK: 16
deblv4 | 12402 | OK: 4 | OK: 0 | OK: 0
deblv6 | 41 | OK: 0 | OK: 0 | OK: 0
adguardv6 | 12742 | - | - | OK: 161
adguardv4 | 23183 | - | - | OK: 212
adguardtrackersv6 | 169 | - | - | OK: 0
adguardtrackersv4 | 633 | - | - | OK: 0
adawayv6 | 2737 | - | - | OK: 15
adawayv4 | 6542 | - | - | OK: 137
oisdsmallv6 | 10569 | - | - | OK: 0
oisdsmallv4 | 18800 | - | - | OK: 74
stevenblackv6 | 11901 | - | - | OK: 4
stevenblackv4 | 16776 | - | - | OK: 139
yoyov6 | 215 | - | - | OK: 0
yoyov4 | 309 | - | - | OK: 0
antipopadsv4 | 1872 | - | - | OK: 0
urlhausv4 | 7431 | OK: 0 | OK: 0 | OK: 0
antipopadsv6 | 2081 | - | - | OK: 2
blocklistvMAC | 0 | - | - | OK: 0
blocklistv4 | 1174 | OK: 1 | OK: 0 | OK: 0
blocklistv6 | 40 | OK: 0 | OK: 0 | OK: 0
---------------------+--------------+-----------------------+-----------------------+------------------------
30 | 203208 | 12 (2173) | 12 (1) | 28 (763)
```
**banIP runtime information**
```
~# etc/init.d/banip status
~# /etc/init.d/banip status
::: banIP runtime information
+ status : active
+ version : 0.8.0
+ element_count : 51486
+ active_feeds : allowlistvMAC, allowlistv4, allowlistv6, blocklistvMAC, blocklistv4, blocklistv6, dohv4, adguardv4
, yoyov4, oisdbasicv4
+ version : 0.8.1-1
+ element_count : 206644
+ active_feeds : allowlistvMAC, allowlistv4, allowlistv6, torv4, torv6, countryv6, countryv4, dohv4, dohv6, firehol1v4, deblv4, deblv6,
adguardv6, adguardv4, adguardtrackersv6, adguardtrackersv4, adawayv6, adawayv4, oisdsmallv6, oisdsmallv4, stevenblack
v6, stevenblackv4, yoyov6, yoyov4, antipopadsv4, urlhausv4, antipopadsv6, blocklistvMAC, blocklistv4, blocklistv6
+ active_devices : eth2
+ active_interfaces : wan
+ active_subnets : 192.168.98.107/24
+ run_info : base_dir: /tmp, backup_dir: /tmp/banIP-backup, report_dir: /tmp/banIP-report, feed_archive: /etc/b
anip/banip.feeds.gz
+ run_flags : protocol (4/6): ✔/✘, log (inp/fwd): ✔/✘, deduplicate: ✔, split: ✘, allowed only: ✘
+ last_run : action: start, duration: 0m 15s, date: 2023-02-08 22:12:46
+ system_info : cores: 2, memory: 3614, device: PC Engines apu1, OpenWrt SNAPSHOT r21997-b5193291bd
+ active_interfaces : wan, wan6
+ active_subnets : 91.61.199.218/24, 2a02:910c:0:80:e542:4b0c:846d:1d33/128
+ run_info : base_dir: /tmp, backup_dir: /mnt/data/banIP-backup, report_dir: /mnt/data/banIP-report, feed_archive: /etc/banip/banip
.feeds.gz
+ run_flags : proto (4/6): ✔/✔, log (wan-inp/wan-fwd/lan-fwd): ✔/✔/✔, deduplicate: ✔, split: ✘, allowed only: ✘
+ last_run : action: restart, duration: 1m 6s, date: 2023-02-25 08:55:55
+ system_info : cores: 2, memory: 1826, device: Turris Omnia, OpenWrt SNAPSHOT r22125-52ddb38469
```
**banIP search information**

216
net/banip/files/banip-functions.sh
View File

@ -41,8 +41,9 @@ ban_logcount="1"
ban_logterm=""
ban_country=""
ban_asn=""
ban_loginput="0"
ban_logforward="0"
ban_loginput="1"
ban_logforwardwan="1"
ban_logforwardlan="0"
ban_allowlistonly="0"
ban_autoallowlist="1"
ban_autoblocklist="1"
@ -51,7 +52,8 @@ ban_splitsize="0"
ban_autodetect=""
ban_feed=""
ban_blockinput=""
ban_blockforward=""
ban_blockforwardwan=""
ban_blockforwardlan=""
ban_protov4="0"
ban_protov6="0"
ban_ifv4=""
@ -172,7 +174,7 @@ f_log() {
# load config
#
f_conf() {
unset ban_dev ban_ifv4 ban_ifv6 ban_feed ban_blockinput ban_blockforward ban_logterm ban_country ban_asn
unset ban_dev ban_ifv4 ban_ifv6 ban_feed ban_blockinput ban_blockforwardwan ban_blockforwardlan ban_logterm ban_country ban_asn
config_cb() {
option_cb() {
local option="${1}"
@ -198,8 +200,11 @@ f_conf() {
"ban_blockinput")
eval "${option}=\"$(printf "%s" "${ban_blockinput}")${value} \""
;;
"ban_blockforward")
eval "${option}=\"$(printf "%s" "${ban_blockforward}")${value} \""
"ban_blockforwardwan")
eval "${option}=\"$(printf "%s" "${ban_blockforwardwan}")${value} \""
;;
"ban_blockforwardlan")
eval "${option}=\"$(printf "%s" "${ban_blockforwardlan}")${value} \""
;;
"ban_logterm")
eval "${option}=\"$(printf "%s" "${ban_logterm}")${value}\\|\""
@ -387,18 +392,26 @@ f_nftinit() {
fi
printf "%s\n" "add table inet banIP"
printf "%s\n" "add chain inet banIP wan-input { type filter hook input priority ${ban_nftpriority}; policy accept; }"
printf "%s\n" "add chain inet banIP wan-forward { type filter hook forward priority ${ban_nftpriority}; policy accept; }"
printf "%s\n" "add chain inet banIP lan-forward { type filter hook forward priority ${ban_nftpriority}; policy accept; }"
# default input rules
# default wan-input rules
#
printf "%s\n" "add rule inet banIP wan-input ct state established,related counter accept"
printf "%s\n" "add rule inet banIP wan-input iifname != { ${ban_dev// /, } } counter accept"
printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv4 udp sport 67-68 udp dport 67-68 counter accept"
printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 udp sport 547 udp dport 546 counter accept"
printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv4 icmp type { echo-request } limit rate 1000/second counter accept"
printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { echo-request } limit rate 1000/second counter accept"
printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} limit rate 1000/second ip6 hoplimit 1 counter accept"
printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} limit rate 1000/second ip6 hoplimit 255 counter accept"
# default forward rules
# default wan-forward rules
#
printf "%s\n" "add rule inet banIP wan-forward ct state established,related counter accept"
printf "%s\n" "add rule inet banIP wan-forward iifname != { ${ban_dev// /, } } counter accept"
# default lan-forward rules
#
printf "%s\n" "add rule inet banIP lan-forward ct state established,related counter accept"
printf "%s\n" "add rule inet banIP lan-forward oifname != { ${ban_dev// /, } } counter accept"
@ -414,7 +427,7 @@ f_nftinit() {
}
f_down() {
local nft_loginput nft_logforward start_ts end_ts tmp_raw tmp_load tmp_file split_file input_handles forward_handles handle
local log_input log_forwardwan log_forwardlan start_ts end_ts tmp_raw tmp_load tmp_file split_file input_handles forwardwan_handles forwardlan_handles handle
local cnt_set cnt_dl restore_rc feed_direction feed_rc feed_log feed="${1}" proto="${2}" feed_url="${3}" feed_rule="${4}" feed_flag="${5}"
start_ts="$(date +%s)"
@ -426,27 +439,35 @@ f_down() {
tmp_flush="${ban_tmpfile}.${feed}.flush"
tmp_nft="${ban_tmpfile}.${feed}.nft"
[ "${ban_loginput}" = "1" ] && nft_loginput="log level ${ban_loglevel} prefix \"banIP_drp/${feed}: \""
[ "${ban_logforward}" = "1" ] && nft_logforward="log level ${ban_loglevel} prefix \"banIP_rej/${feed}: \""
[ "${ban_loginput}" = "1" ] && log_input="log level ${ban_loglevel} prefix \"banIP/inp-wan/drp/${feed}: \""
[ "${ban_logforwardwan}" = "1" ] && log_forwardwan="log level ${ban_loglevel} prefix \"banIP/fwd-wan/drp/${feed}: \""
[ "${ban_logforwardlan}" = "1" ] && log_forwardlan="log level ${ban_loglevel} prefix \"banIP/fwd-lan/rej/${feed}: \""
# set source block direction
#
if printf "%s" "${ban_blockinput}" | "${ban_grepcmd}" -q "${feed%v*}"; then
feed_direction="input"
elif printf "%s" "${ban_blockforward}" | "${ban_grepcmd}" -q "${feed%v*}"; then
feed_direction="forward"
fi
if printf "%s" "${ban_blockforwardwan}" | "${ban_grepcmd}" -q "${feed%v*}"; then
feed_direction="${feed_direction} forwardwan"
fi
if printf "%s" "${ban_blockforwardlan}" | "${ban_grepcmd}" -q "${feed%v*}"; then
feed_direction="${feed_direction} forwardlan"
fi
# chain/rule maintenance
#
if [ "${ban_action}" = "reload" ] && "${ban_nftcmd}" -t list set inet banIP "${feed}" >/dev/null 2>&1; then
input_handles="$("${ban_nftcmd}" -t --handle --numeric list chain inet banIP wan-input 2>/dev/null)"
forward_handles="$("${ban_nftcmd}" -t --handle --numeric list chain inet banIP lan-forward 2>/dev/null)"
forwardwan_handles="$("${ban_nftcmd}" -t --handle --numeric list chain inet banIP wan-forward 2>/dev/null)"
forwardlan_handles="$("${ban_nftcmd}" -t --handle --numeric list chain inet banIP lan-forward 2>/dev/null)"
{
printf "%s\n" "flush set inet banIP ${feed}"
handle="$(printf "%s\n" "${input_handles}" | "${ban_awkcmd}" "/@${feed} /{print \$NF}")"
[ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP wan-input handle ${handle}"
handle="$(printf "%s\n" "${forward_handles}" | "${ban_awkcmd}" "/@${feed} /{print \$NF}")"
handle="$(printf "%s\n" "${forwardwan_handles}" | "${ban_awkcmd}" "/@${feed} /{print \$NF}")"
[ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP wan-forward handle ${handle}"
handle="$(printf "%s\n" "${forwardlan_handles}" | "${ban_awkcmd}" "/@${feed} /{print \$NF}")"
[ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP lan-forward handle ${handle}"
} >"${tmp_flush}"
fi
@ -468,22 +489,27 @@ f_down() {
if [ "${proto}" = "MAC" ]; then
"${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s, ",tolower($1)}' "${ban_allowlist}" >"${tmp_file}"
printf "%s\n" "add set inet banIP ${feed} { type ether_addr; policy memory; $(f_getelements "${tmp_file}") }"
if [ "${feed_direction}" != "input" ]; then
printf "%s\n" "add rule inet banIP lan-forward ether saddr @${feed} counter accept"
fi
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ether saddr @${feed} counter accept"
elif [ "${proto}" = "4" ]; then
"${ban_awkcmd}" '/^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{printf "%s, ",$1}' "${ban_allowlist}" >"${tmp_file}"
printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy memory; $(f_getelements "${tmp_file}") }"
if [ "${feed_direction}" != "forward" ]; then
if [ -z "${feed_direction##*input*}" ]; then
if [ "${ban_allowlistonly}" = "1" ]; then
printf "%s\n" "add rule inet banIP wan-input ip saddr != @${feed} ${nft_loginput} counter drop"
printf "%s\n" "add rule inet banIP wan-input ip saddr != @${feed} ${log_input} counter drop"
else
printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} counter accept"
fi
fi
if [ "${feed_direction}" != "input" ]; then
if [ -z "${feed_direction##*forwardwan*}" ]; then
if [ "${ban_allowlistonly}" = "1" ]; then
printf "%s\n" "add rule inet banIP lan-forward ip daddr != @${feed} ${nft_logforward} counter reject with icmp type admin-prohibited"
printf "%s\n" "add rule inet banIP wan-forward ip saddr != @${feed} ${log_forwardwan} counter drop"
else
printf "%s\n" "add rule inet banIP wan-forward ip saddr @${feed} counter accept"
fi
fi
if [ -z "${feed_direction##*forwardlan*}" ]; then
if [ "${ban_allowlistonly}" = "1" ]; then
printf "%s\n" "add rule inet banIP lan-forward ip daddr != @${feed} ${log_forwardlan} counter reject with icmp type admin-prohibited"
else
printf "%s\n" "add rule inet banIP lan-forward ip daddr @${feed} counter accept"
fi
@ -492,16 +518,23 @@ f_down() {
"${ban_awkcmd}" '!/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s\n",$1}' "${ban_allowlist}" |
"${ban_awkcmd}" '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{printf "%s, ",tolower($1)}' >"${tmp_file}"
printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy memory; $(f_getelements "${tmp_file}") }"
if [ "${feed_direction}" != "forward" ]; then
if [ -z "${feed_direction##*input*}" ]; then
if [ "${ban_allowlistonly}" = "1" ]; then
printf "%s\n" "add rule inet banIP wan-input ip6 saddr != @${feed} ${nft_loginput} counter drop"
printf "%s\n" "add rule inet banIP wan-input ip6 saddr != @${feed} ${log_input} counter drop"
else
printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} counter accept"
fi
fi
if [ "${feed_direction}" != "input" ]; then
if [ -z "${feed_direction##*forwardwan*}" ]; then
if [ "${ban_allowlistonly}" = "1" ]; then
printf "%s\n" "add rule inet banIP lan-forward ip6 daddr != @${feed} ${nft_logforward} counter reject with icmpv6 type admin-prohibited"
printf "%s\n" "add rule inet banIP wan-forward ip6 saddr != @${feed} ${log_forwardwan} counter drop"
else
printf "%s\n" "add rule inet banIP wan-forward ip6 saddr @${feed} counter accept"
fi
fi
if [ -z "${feed_direction##*forwardlan*}" ]; then
if [ "${ban_allowlistonly}" = "1" ]; then
printf "%s\n" "add rule inet banIP lan-forward ip6 daddr != @${feed} ${log_forwardlan} counter reject with icmpv6 type admin-prohibited"
else
printf "%s\n" "add rule inet banIP lan-forward ip6 daddr @${feed} counter accept"
fi
@ -516,9 +549,7 @@ f_down() {
if [ "${proto}" = "MAC" ]; then
"${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s, ",tolower($1)}' "${ban_blocklist}" >"${tmp_file}"
printf "%s\n" "add set inet banIP ${feed} { type ether_addr; policy memory; $(f_getelements "${tmp_file}") }"
if [ "${feed_direction}" != "input" ]; then
printf "%s\n" "add rule inet banIP lan-forward ether saddr @${feed} ${nft_logforward} counter reject"
fi
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ether saddr @${feed} ${log_forwardlan} counter reject"
elif [ "${proto}" = "4" ]; then
if [ "${ban_deduplicate}" = "1" ]; then
"${ban_awkcmd}" '/^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{printf "%s,\n",$1}' "${ban_blocklist}" >"${tmp_raw}"
@ -530,12 +561,9 @@ f_down() {
fi
"${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}"
printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval, timeout; auto-merge; policy memory; $(f_getelements "${tmp_file}") }"
if [ "${feed_direction}" != "forward" ]; then
printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} ${nft_loginput} counter drop"
fi
if [ "${feed_direction}" != "input" ]; then
printf "%s\n" "add rule inet banIP lan-forward ip daddr @${feed} ${nft_logforward} counter reject with icmp type admin-prohibited"
fi
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} ${log_input} counter drop"
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip saddr @${feed} ${log_forwardwan} counter drop"
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ip daddr @${feed} ${log_forwardlan} counter reject with icmp type admin-prohibited"
elif [ "${proto}" = "6" ]; then
if [ "${ban_deduplicate}" = "1" ]; then
"${ban_awkcmd}" '!/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s\n",$1}' "${ban_blocklist}" |
@ -549,12 +577,9 @@ f_down() {
fi
"${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}"
printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval, timeout; auto-merge; policy memory; $(f_getelements "${tmp_file}") }"
if [ "${feed_direction}" != "forward" ]; then
printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} ${nft_loginput} counter drop"
fi
if [ "${feed_direction}" != "input" ]; then
printf "%s\n" "add rule inet banIP lan-forward ip6 daddr @${feed} ${nft_logforward} counter reject with icmpv6 type admin-prohibited"
fi
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} ${log_input} counter drop"
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip6 saddr @${feed} ${log_forwardwan} counter drop"
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ip6 daddr @${feed} ${log_forwardlan} counter reject with icmpv6 type admin-prohibited"
fi
} >"${tmp_nft}"
feed_rc="${?}"
@ -650,12 +675,9 @@ f_down() {
# input and forward rules
#
if [ "${feed_direction}" != "forward" ]; then
printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} ${nft_loginput} counter drop"
fi
if [ "${feed_direction}" != "input" ]; then
printf "%s\n" "add rule inet banIP lan-forward ip daddr @${feed} ${nft_logforward} counter reject with icmp type admin-prohibited"
fi
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} ${log_input} counter drop"
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip saddr @${feed} ${log_forwardwan} counter drop"
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ip daddr @${feed} ${log_forwardlan} counter reject with icmp type admin-prohibited"
} >"${tmp_nft}"
elif [ "${feed_rc}" = "0" ] && [ "${proto}" = "6" ]; then
{
@ -667,12 +689,9 @@ f_down() {
# input and forward rules
#
if [ "${feed_direction}" != "forward" ]; then
printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} ${nft_loginput} counter drop"
fi
if [ "${feed_direction}" != "input" ]; then
printf "%s\n" "add rule inet banIP lan-forward ip6 daddr @${feed} ${nft_logforward} counter reject with icmpv6 type admin-prohibited"
fi
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} ${log_input} counter drop"
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip6 saddr @${feed} ${log_forwardwan} counter drop"
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ip6 daddr @${feed} ${log_forwardlan} counter reject with icmpv6 type admin-prohibited"
} >"${tmp_nft}"
fi
fi
@ -741,12 +760,13 @@ f_restore() {
# remove disabled feeds
#
f_rmset() {
local tmp_del table_sets input_handles forward_handles handle sets feed feed_log feed_rc
local tmp_del table_sets input_handles forwardwan_handles forwardlan_handles handle sets feed feed_log feed_rc
tmp_del="${ban_tmpfile}.final.delete"
table_sets="$("${ban_nftcmd}" -t list table inet banIP 2>/dev/null | "${ban_awkcmd}" '/^[[:space:]]+set [[:alnum:]]+ /{printf "%s ",$2}' 2>/dev/null)"
input_handles="$("${ban_nftcmd}" -t --handle --numeric list chain inet banIP wan-input 2>/dev/null)"
forward_handles="$("${ban_nftcmd}" -t --handle --numeric list chain inet banIP lan-forward 2>/dev/null)"
forwardwan_handles="$("${ban_nftcmd}" -t --handle --numeric list chain inet banIP wan-forward 2>/dev/null)"
forwardlan_handles="$("${ban_nftcmd}" -t --handle --numeric list chain inet banIP lan-forward 2>/dev/null)"
{
printf "%s\n\n" "#!/usr/sbin/nft -f"
for feed in ${table_sets}; do
@ -756,7 +776,9 @@ f_rmset() {
printf "%s\n" "flush set inet banIP ${feed}"
handle="$(printf "%s\n" "${input_handles}" | "${ban_awkcmd}" "/@${feed} /{print \$NF}" 2>/dev/null)"
[ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP wan-input handle ${handle}"
handle="$(printf "%s\n" "${forward_handles}" | "${ban_awkcmd}" "/@${feed} /{print \$NF}" 2>/dev/null)"
handle="$(printf "%s\n" "${forwardwan_handles}" | "${ban_awkcmd}" "/@${feed} /{print \$NF}" 2>/dev/null)"
[ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP wan-forward handle ${handle}"
handle="$(printf "%s\n" "${forwardlan_handles}" | "${ban_awkcmd}" "/@${feed} /{print \$NF}" 2>/dev/null)"
[ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP lan-forward handle ${handle}"
printf "%s\n\n" "delete set inet banIP ${feed}"
fi
@ -852,7 +874,7 @@ f_genstatus() {
fi
json_close_array
json_add_string "run_info" "base_dir: ${ban_basedir}, backup_dir: ${ban_backupdir}, report_dir: ${ban_reportdir}, feed_archive: ${ban_feedarchive}"
json_add_string "run_flags" "protocol (4/6): $(f_char ${ban_protov4})/$(f_char ${ban_protov6}), log (inp/fwd): $(f_char ${ban_loginput})/$(f_char ${ban_logforward}), deduplicate: $(f_char ${ban_deduplicate}), split: $(f_char ${split}), allowed only: $(f_char ${ban_allowlistonly})"
json_add_string "run_flags" "protocol (4/6): $(f_char ${ban_protov4})/$(f_char ${ban_protov6}), log (wan-inp/wan-fwd/lan-fwd): $(f_char ${ban_loginput})/$(f_char ${ban_logforwardwan})/$(f_char ${ban_logforwardlan}), deduplicate: $(f_char ${ban_deduplicate}), split: $(f_char ${split}), allowed only: $(f_char ${ban_allowlistonly})"
json_add_string "last_run" "${runtime:-"-"}"
json_add_string "system_info" "cores: ${ban_cores}, memory: ${ban_memory}, device: ${ban_sysver}"
json_dump >"${ban_basedir}/ban_runtime.json"
@ -885,7 +907,7 @@ f_getstatus() {
fi
value="$(
printf "%s" "${value}" |
awk '{NR=1;max=98;if(length($0)>max+1)while($0){if(NR==1){print substr($0,1,max)}else{printf"%-24s%s\n","",substr($0,1,max)}{$0=substr($0,max+1);NR=NR+1}}else print}'
awk '{NR=1;max=118;if(length($0)>max+1)while($0){if(NR==1){print substr($0,1,max)}else{printf"%-24s%s\n","",substr($0,1,max)}{$0=substr($0,max+1);NR=NR+1}}else print}'
)"
printf " + %-17s : %s\n" "${key}" "${value:-"-"}"
done
@ -945,8 +967,8 @@ f_lookup() {
# banIP table statistics
#
f_report() {
local report_jsn report_txt set nft_raw nft_sets set_cnt set_input set_forward set_cntinput set_cntforward output="${1}"
local detail set_details jsnval timestamp autoadd_allow autoadd_block sum_sets sum_setinput sum_setforward sum_setelements sum_cntinput sum_cntforward
local report_jsn report_txt set tmp_val nft_raw nft_sets set_cnt set_input set_forwardwan set_forwardlan set_cntinput set_cntforwardwan set_cntforwardlan output="${1}"
local detail set_details jsnval timestamp autoadd_allow autoadd_block sum_sets sum_setinput sum_setforwardwan sum_setforwardlan sum_setelements sum_cntinput sum_cntforwardwan sum_cntforwardlan
[ -z "${ban_dev}" ] && f_conf
f_mkdir "${ban_reportdir}"
@ -959,10 +981,12 @@ f_report() {
nft_sets="$(printf "%s" "${nft_raw}" | jsonfilter -qe '@.nftables[*].set.name')"
sum_sets="0"
sum_setinput="0"
sum_setforward="0"
sum_setforwardwan="0"
sum_setforwardlan="0"
sum_setelements="0"
sum_cntinput="0"
sum_cntforward="0"
sum_cntforwardwan="0"
sum_cntforwardlan="0"
timestamp="$(date "+%Y-%m-%d %H:%M:%S")"
: >"${report_jsn}"
{
@ -972,30 +996,41 @@ f_report() {
set_cnt="$("${ban_nftcmd}" -j list set inet banIP "${set}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)"
sum_setelements="$((sum_setelements + set_cnt))"
set_cntinput="$(printf "%s" "${nft_raw}" | jsonfilter -qe "@.nftables[@.rule.chain=\"wan-input\"][@.expr[*].match.right=\"@${set}\"].expr[*].counter.packets")"
set_cntforward="$(printf "%s" "${nft_raw}" | jsonfilter -qe "@.nftables[@.rule.chain=\"lan-forward\"][@.expr[*].match.right=\"@${set}\"].expr[*].counter.packets")"
set_cntforwardwan="$(printf "%s" "${nft_raw}" | jsonfilter -qe "@.nftables[@.rule.chain=\"wan-forward\"][@.expr[*].match.right=\"@${set}\"].expr[*].counter.packets")"
set_cntforwardlan="$(printf "%s" "${nft_raw}" | jsonfilter -qe "@.nftables[@.rule.chain=\"lan-forward\"][@.expr[*].match.right=\"@${set}\"].expr[*].counter.packets")"
if [ -n "${set_cntinput}" ]; then
set_input="OK"
sum_setinput="$((sum_setinput + 1))"
sum_cntinput="$((sum_cntinput + set_cntinput))"
else
set_input="n/a"
set_cntinput="n/a"
set_input="-"
set_cntinput=""
fi
if [ -n "${set_cntforward}" ]; then
set_forward="OK"
sum_setforward="$((sum_setforward + 1))"
sum_cntforward="$((sum_cntforward + set_cntforward))"
if [ -n "${set_cntforwardwan}" ]; then
set_forwardwan="OK"
sum_setforwardwan="$((sum_setforwardwan + 1))"
sum_cntforwardwan="$((sum_cntforwardwan + set_cntforwardwan))"
else
set_forward="n/a"
set_cntforward="n/a"
set_forwardwan="-"
set_cntforwardwan=""
fi
if [ -n "${set_cntforwardlan}" ]; then
set_forwardlan="OK"
sum_setforwardlan="$((sum_setforwardlan + 1))"
sum_cntforwardlan="$((sum_cntforwardlan + set_cntforwardlan))"
else
set_forwardlan="-"
set_cntforwardlan=""
fi
[ "${sum_sets}" -gt "0" ] && printf "%s\n" ","
printf "\t\t%s\n" "\"${set}\": {"
printf "\t\t\t%s\n" "\"cnt_elements\": \"${set_cnt}\","
printf "\t\t\t%s\n" "\"input\": \"${set_input}\","
printf "\t\t\t%s\n" "\"forward\": \"${set_forward}\","
printf "\t\t\t%s\n" "\"cnt_input\": \"${set_cntinput}\","
printf "\t\t\t%s\n" "\"cnt_forward\": \"${set_cntforward}\""
printf "\t\t\t%s\n" "\"input\": \"${set_input}\","
printf "\t\t\t%s\n" "\"cnt_forwardwan\": \"${set_cntforwardwan}\","
printf "\t\t\t%s\n" "\"wan_forward\": \"${set_forwardwan}\","
printf "\t\t\t%s\n" "\"cnt_forwardlan\": \"${set_cntforwardlan}\","
printf "\t\t\t%s\n" "\"lan_forward\": \"${set_forwardlan}\""
printf "\t\t%s" "}"
sum_sets="$((sum_sets + 1))"
done
@ -1005,10 +1040,12 @@ f_report() {
printf "\t%s\n" "\"autoadd_block\": \"$("${ban_grepcmd}" -c "added on ${timestamp% *}" "${ban_blocklist}")\","
printf "\t%s\n" "\"sum_sets\": \"${sum_sets}\","
printf "\t%s\n" "\"sum_setinput\": \"${sum_setinput}\","
printf "\t%s\n" "\"sum_setforward\": \"${sum_setforward}\","
printf "\t%s\n" "\"sum_setforwardwan\": \"${sum_setforwardwan}\","
printf "\t%s\n" "\"sum_setforwardlan\": \"${sum_setforwardlan}\","
printf "\t%s\n" "\"sum_setelements\": \"${sum_setelements}\","
printf "\t%s\n" "\"sum_cntinput\": \"${sum_cntinput}\","
printf "\t%s\n" "\"sum_cntforward\": \"${sum_cntforward}\""
printf "\t%s\n" "\"sum_cntforwardwan\": \"${sum_cntforwardwan}\","
printf "\t%s\n" "\"sum_cntforwardlan\": \"${sum_cntforwardlan}\""
printf "%s\n" "}"
} >>"${report_jsn}"
@ -1023,10 +1060,12 @@ f_report() {
json_get_var autoadd_block "autoadd_block" >/dev/null 2>&1
json_get_var sum_sets "sum_sets" >/dev/null 2>&1
json_get_var sum_setinput "sum_setinput" >/dev/null 2>&1
json_get_var sum_setforward "sum_setforward" >/dev/null 2>&1
json_get_var sum_setforwardwan "sum_setforwardwan" >/dev/null 2>&1
json_get_var sum_setforwardlan "sum_setforwardlan" >/dev/null 2>&1
json_get_var sum_setelements "sum_setelements" >/dev/null 2>&1
json_get_var sum_cntinput "sum_cntinput" >/dev/null 2>&1
json_get_var sum_cntforward "sum_cntforward" >/dev/null 2>&1
json_get_var sum_cntforwardwan "sum_cntforwardwan" >/dev/null 2>&1
json_get_var sum_cntforwardlan "sum_cntforwardlan" >/dev/null 2>&1
{
printf "%s\n%s\n%s\n" ":::" "::: banIP Set Statistics" ":::"
printf "%s\n" " Timestamp: ${timestamp}"
@ -1036,21 +1075,32 @@ f_report() {
json_select "sets" >/dev/null 2>&1
json_get_keys nft_sets >/dev/null 2>&1
if [ -n "${nft_sets}" ]; then
printf "%-25s%-16s%-16s%-16s%-16s%s\n" " Set" "| Set Elements" "| Chain Input" "| Chain Forward" "| Input Packets" "| Forward Packets"
printf "%s\n" " ---------------------+---------------+---------------+---------------+---------------+----------------"
printf "%-25s%-15s%-24s%-24s%s\n" " Set" "| Elements" "| WAN-Input (packets)" "| WAN-Forward (packets)" "| LAN-Forward (packets)"
printf "%s\n" " ---------------------+--------------+-----------------------+-----------------------+------------------------"
for set in ${nft_sets}; do
printf " %-21s" "${set}"
json_select "${set}"
json_get_keys set_details
for detail in ${set_details}; do
json_get_var jsnval "${detail}" >/dev/null 2>&1
printf "%-16s" "| ${jsnval}"
case "${detail}" in
"cnt_elements")
printf "%-15s" "| ${jsnval}"
;;
"cnt_input" | "cnt_forwardwan" | "cnt_forwardlan")
[ -n "${jsnval}" ] && tmp_val=": ${jsnval}"
;;
*)
printf "%-24s" "| ${jsnval}${tmp_val}"
tmp_val=""
;;
esac
done
printf "\n"
json_select ".."
done
printf "%s\n" " ---------------------+---------------+---------------+---------------+---------------+----------------"
printf "%-25s%-16s%-16s%-16s%-16s%s\n" " ${sum_sets}" "| ${sum_setelements}" "| ${sum_setinput}" "| ${sum_setforward}" "| ${sum_cntinput}" "| ${sum_cntforward}"
printf "%s\n" " ---------------------+--------------+-----------------------+-----------------------+------------------------"
printf "%-25s%-15s%-24s%-24s%s\n" " ${sum_sets}" "| ${sum_setelements}" "| ${sum_setinput} (${sum_cntinput})" "| ${sum_setforwardwan} (${sum_cntforwardwan})" "| ${sum_setforwardlan} (${sum_cntforwardlan})"
fi
} >>"${report_txt}"
fi

2
net/banip/files/banip.tpl
View File

@ -8,7 +8,7 @@ local banip_info report_info log_info system_info mail_text
banip_info="$(/etc/init.d/banip status 2>/dev/null)"
report_info="$(cat ${ban_reportdir}/ban_report.txt 2>/dev/null)"
log_info="$("${ban_logreadcmd}" -l 100 -e "banIP_" 2>/dev/null | awk '{NR=1;max=120;if(length($0)>max+1)while($0){if(NR==1){print substr($0,1,max)}else{print substr($0,1,max)}{$0=substr($0,max+1);NR=NR+1}}else print}')"
log_info="$("${ban_logreadcmd}" -l 100 -e "banIP/" 2>/dev/null | awk '{NR=1;max=140;if(length($0)>max+1)while($0){if(NR==1){print substr($0,1,max)}else{print substr($0,1,max)}{$0=substr($0,max+1);NR=NR+1}}else print}')"
system_info="$(
strings /etc/banner 2>/dev/null
ubus call system board | awk 'BEGIN{FS="[{}\"]"}{if($2=="kernel"||$2=="hostname"||$2=="system"||$2=="model"||$2=="description")printf " + %-12s: %s\n",$2,$4}'