banip: release 0.8.1-1
* add missing wan-forward chain (incl. report/mail adaption) * changed options: - old: ban_blockforward, new: ban_blockforwardwan and ban_blockforwardlan - old: ban_logforward, new: ban_logforwardwan and ban_logforwardlan * add missing dhcp(v6) rules/exceptions * update readme Previously run tested by certain forum users (and by me). Signed-off-by: Dirk Brenken <dev@brenken.org>
This commit is contained in:
parent
8885636b4e
commit
02c2587f9d
|
@ -7,8 +7,8 @@
|
|||
include $(TOPDIR)/rules.mk
|
||||
|
||||
PKG_NAME:=banip
|
||||
PKG_VERSION:=0.8.0
|
||||
PKG_RELEASE:=4
|
||||
PKG_VERSION:=0.8.1
|
||||
PKG_RELEASE:=1
|
||||
PKG_LICENSE:=GPL-3.0-or-later
|
||||
PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>
|
||||
|
||||
|
|
|
@ -7,52 +7,52 @@ IP address blocking is commonly used to protect against brute force attacks, pre
|
|||
|
||||
## Main Features
|
||||
* banIP supports the following fully pre-configured domain blocklist feeds (free for private usage, for commercial use please check their individual licenses).
|
||||
**Please note:** the columns "INP" and "FWD" show for which chains the feeds are suitable in common scenarios, e.g. the first entry should be limited to forward chain - see the config options 'ban\_blockforward' and 'ban\_blockinput' below.
|
||||
**Please note:** the columns "WAN-INP", "WAN-FWD" and "LAN_FWD" show for which chains the feeds are suitable in common scenarios, e.g. the first entry should be limited to the LAN forward chain - see the config options 'ban\_blockinput', 'ban\_blockforwardwan' and 'ban\_blockforwardlan' below.
|
||||
|
||||
| Feed | Focus | INP | FWD | Information |
|
||||
| :------------------ | :----------------------------: | :-: | :-: | :-------------------------------------------------------------------- |
|
||||
| adaway | adaway IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
|
||||
| adguard | adguard IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
|
||||
| adguardtrackers | adguardtracker IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
|
||||
| antipopads | antipopads IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
|
||||
| asn | ASN IPs | | x | [Link](https://asn.ipinfo.app) |
|
||||
| backscatterer | backscatterer IPs | x | x | [Link](https://www.uceprotect.net/en/index.php) |
|
||||
| bogon | bogon prefixes | x | x | [Link](https://team-cymru.com) |
|
||||
| country | country blocks | x | | [Link](https://www.ipdeny.com/ipblocks) |
|
||||
| cinsscore | suspicious attacker IPs | x | x | [Link](https://cinsscore.com/#list) |
|
||||
| darklist | blocks suspicious attacker IPs | x | x | [Link](https://darklist.de) |
|
||||
| debl | fail2ban IP blacklist | x | x | [Link](https://www.blocklist.de) |
|
||||
| doh | public DoH-Provider | | x | [Link](https://github.com/dibdot/DoH-IP-blocklists) |
|
||||
| drop | spamhaus drop compilation | x | x | [Link](https://www.spamhaus.org) |
|
||||
| dshield | dshield IP blocklist | x | x | [Link](https://www.dshield.org) |
|
||||
| edrop | spamhaus edrop compilation | x | x | [Link](https://www.spamhaus.org) |
|
||||
| feodo | feodo tracker | x | x | [Link](https://feodotracker.abuse.ch) |
|
||||
| firehol1 | firehol level 1 compilation | x | x | [Link](https://iplists.firehol.org/?ipset=firehol_level1) |
|
||||
| firehol2 | firehol level 2 compilation | x | x | [Link](https://iplists.firehol.org/?ipset=firehol_level2) |
|
||||
| firehol3 | firehol level 3 compilation | x | x | [Link](https://iplists.firehol.org/?ipset=firehol_level3) |
|
||||
| firehol4 | firehol level 4 compilation | x | x | [Link](https://iplists.firehol.org/?ipset=firehol_level4) |
|
||||
| greensnow | suspicious server IPs | x | x | [Link](https://greensnow.co) |
|
||||
| iblockads | Advertising IPs | | x | [Link](https://www.iblocklist.com) |
|
||||
| iblockspy | Malicious spyware IPs | x | x | [Link](https://www.iblocklist.com) |
|
||||
| myip | real-time IP blocklist | x | x | [Link](https://myip.ms) |
|
||||
| nixspam | iX spam protection | x | x | [Link](http://www.nixspam.org) |
|
||||
| oisdnsfw | OISD-nsfw IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
|
||||
| oisdsmall | OISD-small IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
|
||||
| proxy | open proxies | x | | [Link](https://iplists.firehol.org/?ipset=proxylists) |
|
||||
| ssbl | SSL botnet IPs | x | x | [Link](https://sslbl.abuse.ch) |
|
||||
| stevenblack | stevenblack IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
|
||||
| talos | talos IPs | x | x | [Link](https://talosintelligence.com/reputation_center) |
|
||||
| threat | emerging threats | x | x | [Link](https://rules.emergingthreats.net) |
|
||||
| threatview | malicious IPs | x | x | [Link](https://threatview.io) |
|
||||
| tor | tor exit nodes | x | | [Link](https://github.com/SecOps-Institute/Tor-IP-Addresses) |
|
||||
| uceprotect1 | spam protection level 1 | x | x | [Link](http://www.uceprotect.net/en/index.php) |
|
||||
| uceprotect2 | spam protection level 2 | x | x | [Link](http://www.uceprotect.net/en/index.php) |
|
||||
| uceprotect3 | spam protection level 3 | x | x | [Link](http://www.uceprotect.net/en/index.php) |
|
||||
| urlhaus | urlhaus IDS IPs | x | x | [Link](https://urlhaus.abuse.ch) |
|
||||
| urlvir | malware related IPs | x | x | [Link](https://iplists.firehol.org/?ipset=urlvir) |
|
||||
| webclient | malware related IPs | x | x | [Link](https://iplists.firehol.org/?ipset=firehol_webclient) |
|
||||
| voip | VoIP fraud blocklist | x | x | [Link](https://voipbl.org) |
|
||||
| yoyo | yoyo IPs | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
|
||||
| Feed | Focus | WAN-INP | WAN-FWD | LAN-FWD | Information |
|
||||
| :------------------ | :----------------------------- | :-----: | :-----: | :-----: | :----------------------------------------------------------- |
|
||||
| adaway | adaway IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
|
||||
| adguard | adguard IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
|
||||
| adguardtrackers | adguardtracker IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
|
||||
| antipopads | antipopads IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
|
||||
| asn | ASN IPs | | | x | [Link](https://asn.ipinfo.app) |
|
||||
| backscatterer | backscatterer IPs | x | x | | [Link](https://www.uceprotect.net/en/index.php) |
|
||||
| bogon | bogon prefixes | x | x | | [Link](https://team-cymru.com) |
|
||||
| country | country blocks | x | x | | [Link](https://www.ipdeny.com/ipblocks) |
|
||||
| cinsscore | suspicious attacker IPs | x | x | | [Link](https://cinsscore.com/#list) |
|
||||
| darklist | blocks suspicious attacker IPs | x | x | | [Link](https://darklist.de) |
|
||||
| debl | fail2ban IP blacklist | x | x | | [Link](https://www.blocklist.de) |
|
||||
| doh | public DoH-Provider | | | x | [Link](https://github.com/dibdot/DoH-IP-blocklists) |
|
||||
| drop | spamhaus drop compilation | x | x | | [Link](https://www.spamhaus.org) |
|
||||
| dshield | dshield IP blocklist | x | x | | [Link](https://www.dshield.org) |
|
||||
| edrop | spamhaus edrop compilation | x | x | | [Link](https://www.spamhaus.org) |
|
||||
| feodo | feodo tracker | x | x | x | [Link](https://feodotracker.abuse.ch) |
|
||||
| firehol1 | firehol level 1 compilation | x | x | | [Link](https://iplists.firehol.org/?ipset=firehol_level1) |
|
||||
| firehol2 | firehol level 2 compilation | x | x | | [Link](https://iplists.firehol.org/?ipset=firehol_level2) |
|
||||
| firehol3 | firehol level 3 compilation | x | x | | [Link](https://iplists.firehol.org/?ipset=firehol_level3) |
|
||||
| firehol4 | firehol level 4 compilation | x | x | | [Link](https://iplists.firehol.org/?ipset=firehol_level4) |
|
||||
| greensnow | suspicious server IPs | x | x | x | [Link](https://greensnow.co) |
|
||||
| iblockads | Advertising IPs | | | x | [Link](https://www.iblocklist.com) |
|
||||
| iblockspy | Malicious spyware IPs | x | x | x | [Link](https://www.iblocklist.com) |
|
||||
| myip | real-time IP blocklist | x | x | | [Link](https://myip.ms) |
|
||||
| nixspam | iX spam protection | x | x | | [Link](http://www.nixspam.org) |
|
||||
| oisdnsfw | OISD-nsfw IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
|
||||
| oisdsmall | OISD-small IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
|
||||
| proxy | open proxies | x | | | [Link](https://iplists.firehol.org/?ipset=proxylists) |
|
||||
| ssbl | SSL botnet IPs | x | x | x | [Link](https://sslbl.abuse.ch) |
|
||||
| stevenblack | stevenblack IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
|
||||
| talos | talos IPs | x | x | | [Link](https://talosintelligence.com/reputation_center) |
|
||||
| threat | emerging threats | x | x | x | [Link](https://rules.emergingthreats.net) |
|
||||
| threatview | malicious IPs | x | x | x | [Link](https://threatview.io) |
|
||||
| tor | tor exit nodes | x | x | x | [Link](https://github.com/SecOps-Institute/Tor-IP-Addresses) |
|
||||
| uceprotect1 | spam protection level 1 | x | x | | [Link](http://www.uceprotect.net/en/index.php) |
|
||||
| uceprotect2 | spam protection level 2 | x | x | | [Link](http://www.uceprotect.net/en/index.php) |
|
||||
| uceprotect3 | spam protection level 3 | x | x | | [Link](http://www.uceprotect.net/en/index.php) |
|
||||
| urlhaus | urlhaus IDS IPs | x | x | | [Link](https://urlhaus.abuse.ch) |
|
||||
| urlvir | malware related IPs | x | x | x | [Link](https://iplists.firehol.org/?ipset=urlvir) |
|
||||
| webclient | malware related IPs | x | x | x | [Link](https://iplists.firehol.org/?ipset=firehol_webclient) |
|
||||
| voip | VoIP fraud blocklist | x | x | | [Link](https://voipbl.org) |
|
||||
| yoyo | yoyo IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
|
||||
|
||||
* zero-conf like automatic installation & setup, usually no manual changes needed
|
||||
* all sets are handled in a separate nft table/namespace 'banIP'
|
||||
|
@ -128,8 +128,9 @@ Available commands:
|
|||
| ban_logterm | list | regex | various regex for logfile parsing (default: dropbear, sshd, luci, nginx, asterisk) |
|
||||
| ban_autodetect | option | 1 | auto-detect wan interfaces, devices and subnets |
|
||||
| ban_debug | option | 0 | enable banIP related debug logging |
|
||||
| ban_loginput | option | 1 | log drops in the input chain |
|
||||
| ban_logforward | option | 0 | log rejects in the forward chain |
|
||||
| ban_loginput | option | 1 | log drops in the wan-input chain |
|
||||
| ban_logforwardwan | option | 1 | log drops in the wan-forward chain |
|
||||
| ban_logforwardlan | option | 0 | log rejects in the lan-forward chain |
|
||||
| ban_autoallowlist | option | 1 | add wan IPs/subnets automatically to the local allowlist |
|
||||
| ban_autoblocklist | option | 1 | add suspicious attacker IPs automatically to the local blocklist |
|
||||
| ban_allowlistonly | option | 0 | restrict the internet access from/to a small number of secure websites/IPs |
|
||||
|
@ -150,8 +151,9 @@ Available commands:
|
|||
| ban_feed | list | - | external download feeds, e.g. 'yoyo', 'doh', 'country' or 'talos' (see feed table) |
|
||||
| ban_asn | list | - | ASNs for the 'asn' feed, e.g.'32934' |
|
||||
| ban_country | list | - | country iso codes for the 'country' feed, e.g. 'ru' |
|
||||
| ban_blockinput | list | - | limit a feed to the input chain, e.g. 'country' |
|
||||
| ban_blockforward | list | - | limit a feed to the forward chain, e.g. 'doh' |
|
||||
| ban_blockinput | list | - | limit a feed to the wan-input chain, e.g. 'country' |
|
||||
| ban_blockforwardwan | list | - | limit a feed to the wan-forward chain, e.g. 'debl' |
|
||||
| ban_blockforwardlan | list | - | limit a feed to the lan-forward chain, e.g. 'doh' |
|
||||
| ban_fetchcmd | option | - / autodetect | 'uclient-fetch', 'wget', 'curl' or 'aria2c' |
|
||||
| ban_fetchparm | option | - / autodetect | set the config options for the selected download utility |
|
||||
| ban_fetchinsecure | option | 0 | don't check SSL server certificates during download |
|
||||
|
@ -169,44 +171,65 @@ Available commands:
|
|||
:::
|
||||
::: banIP Set Statistics
|
||||
:::
|
||||
Timestamp: 2023-02-08 22:12:40
|
||||
Timestamp: 2023-02-25 08:35:37
|
||||
------------------------------
|
||||
auto-added to allowlist: 1
|
||||
auto-added to blocklist: 0
|
||||
auto-added to allowlist: 0
|
||||
auto-added to blocklist: 4
|
||||
|
||||
Set | Set Elements | Chain Input | Chain Forward | Input Packets | Forward Packets
|
||||
---------------------+---------------+---------------+---------------+---------------+----------------
|
||||
allowlistvMAC | 0 | n/a | OK | n/a | 0
|
||||
allowlistv4 | 1 | OK | OK | 0 | 0
|
||||
allowlistv6 | 0 | OK | OK | 0 | 0
|
||||
blocklistvMAC | 0 | n/a | OK | n/a | 0
|
||||
blocklistv4 | 0 | OK | OK | 0 | 0
|
||||
blocklistv6 | 0 | OK | OK | 0 | 0
|
||||
dohv4 | 542 | n/a | OK | n/a | 22
|
||||
adguardv4 | 23007 | n/a | OK | n/a | 18
|
||||
yoyov4 | 1936 | n/a | OK | n/a | 1
|
||||
oisdbasicv4 | 26000 | n/a | OK | n/a | 325
|
||||
---------------------+---------------+---------------+---------------+---------------+----------------
|
||||
10 | 51486 | 4 | 10 | 0 | 366
|
||||
Set | Elements | WAN-Input (packets) | WAN-Forward (packets) | LAN-Forward (packets)
|
||||
---------------------+--------------+-----------------------+-----------------------+------------------------
|
||||
allowlistvMAC | 0 | - | - | OK: 0
|
||||
allowlistv4 | 15 | OK: 0 | OK: 0 | OK: 0
|
||||
allowlistv6 | 1 | OK: 0 | OK: 0 | OK: 0
|
||||
torv4 | 800 | OK: 0 | OK: 0 | OK: 0
|
||||
torv6 | 432 | OK: 0 | OK: 0 | OK: 0
|
||||
countryv6 | 34282 | OK: 0 | OK: 1 | -
|
||||
countryv4 | 35508 | OK: 1872 | OK: 0 | -
|
||||
dohv6 | 343 | - | - | OK: 0
|
||||
dohv4 | 540 | - | - | OK: 3
|
||||
firehol1v4 | 1670 | OK: 296 | OK: 0 | OK: 16
|
||||
deblv4 | 12402 | OK: 4 | OK: 0 | OK: 0
|
||||
deblv6 | 41 | OK: 0 | OK: 0 | OK: 0
|
||||
adguardv6 | 12742 | - | - | OK: 161
|
||||
adguardv4 | 23183 | - | - | OK: 212
|
||||
adguardtrackersv6 | 169 | - | - | OK: 0
|
||||
adguardtrackersv4 | 633 | - | - | OK: 0
|
||||
adawayv6 | 2737 | - | - | OK: 15
|
||||
adawayv4 | 6542 | - | - | OK: 137
|
||||
oisdsmallv6 | 10569 | - | - | OK: 0
|
||||
oisdsmallv4 | 18800 | - | - | OK: 74
|
||||
stevenblackv6 | 11901 | - | - | OK: 4
|
||||
stevenblackv4 | 16776 | - | - | OK: 139
|
||||
yoyov6 | 215 | - | - | OK: 0
|
||||
yoyov4 | 309 | - | - | OK: 0
|
||||
antipopadsv4 | 1872 | - | - | OK: 0
|
||||
urlhausv4 | 7431 | OK: 0 | OK: 0 | OK: 0
|
||||
antipopadsv6 | 2081 | - | - | OK: 2
|
||||
blocklistvMAC | 0 | - | - | OK: 0
|
||||
blocklistv4 | 1174 | OK: 1 | OK: 0 | OK: 0
|
||||
blocklistv6 | 40 | OK: 0 | OK: 0 | OK: 0
|
||||
---------------------+--------------+-----------------------+-----------------------+------------------------
|
||||
30 | 203208 | 12 (2173) | 12 (1) | 28 (763)
|
||||
```
|
||||
|
||||
**banIP runtime information**
|
||||
```
|
||||
~# etc/init.d/banip status
|
||||
~# /etc/init.d/banip status
|
||||
::: banIP runtime information
|
||||
+ status : active
|
||||
+ version : 0.8.0
|
||||
+ element_count : 51486
|
||||
+ active_feeds : allowlistvMAC, allowlistv4, allowlistv6, blocklistvMAC, blocklistv4, blocklistv6, dohv4, adguardv4
|
||||
, yoyov4, oisdbasicv4
|
||||
+ version : 0.8.1-1
|
||||
+ element_count : 206644
|
||||
+ active_feeds : allowlistvMAC, allowlistv4, allowlistv6, torv4, torv6, countryv6, countryv4, dohv4, dohv6, firehol1v4, deblv4, deblv6,
|
||||
adguardv6, adguardv4, adguardtrackersv6, adguardtrackersv4, adawayv6, adawayv4, oisdsmallv6, oisdsmallv4, stevenblack
|
||||
v6, stevenblackv4, yoyov6, yoyov4, antipopadsv4, urlhausv4, antipopadsv6, blocklistvMAC, blocklistv4, blocklistv6
|
||||
+ active_devices : eth2
|
||||
+ active_interfaces : wan
|
||||
+ active_subnets : 192.168.98.107/24
|
||||
+ run_info : base_dir: /tmp, backup_dir: /tmp/banIP-backup, report_dir: /tmp/banIP-report, feed_archive: /etc/b
|
||||
anip/banip.feeds.gz
|
||||
+ run_flags : protocol (4/6): ✔/✘, log (inp/fwd): ✔/✘, deduplicate: ✔, split: ✘, allowed only: ✘
|
||||
+ last_run : action: start, duration: 0m 15s, date: 2023-02-08 22:12:46
|
||||
+ system_info : cores: 2, memory: 3614, device: PC Engines apu1, OpenWrt SNAPSHOT r21997-b5193291bd
|
||||
+ active_interfaces : wan, wan6
|
||||
+ active_subnets : 91.61.199.218/24, 2a02:910c:0:80:e542:4b0c:846d:1d33/128
|
||||
+ run_info : base_dir: /tmp, backup_dir: /mnt/data/banIP-backup, report_dir: /mnt/data/banIP-report, feed_archive: /etc/banip/banip
|
||||
.feeds.gz
|
||||
+ run_flags : proto (4/6): ✔/✔, log (wan-inp/wan-fwd/lan-fwd): ✔/✔/✔, deduplicate: ✔, split: ✘, allowed only: ✘
|
||||
+ last_run : action: restart, duration: 1m 6s, date: 2023-02-25 08:55:55
|
||||
+ system_info : cores: 2, memory: 1826, device: Turris Omnia, OpenWrt SNAPSHOT r22125-52ddb38469
|
||||
```
|
||||
|
||||
**banIP search information**
|
||||
|
|
|
@ -41,8 +41,9 @@ ban_logcount="1"
|
|||
ban_logterm=""
|
||||
ban_country=""
|
||||
ban_asn=""
|
||||
ban_loginput="0"
|
||||
ban_logforward="0"
|
||||
ban_loginput="1"
|
||||
ban_logforwardwan="1"
|
||||
ban_logforwardlan="0"
|
||||
ban_allowlistonly="0"
|
||||
ban_autoallowlist="1"
|
||||
ban_autoblocklist="1"
|
||||
|
@ -51,7 +52,8 @@ ban_splitsize="0"
|
|||
ban_autodetect=""
|
||||
ban_feed=""
|
||||
ban_blockinput=""
|
||||
ban_blockforward=""
|
||||
ban_blockforwardwan=""
|
||||
ban_blockforwardlan=""
|
||||
ban_protov4="0"
|
||||
ban_protov6="0"
|
||||
ban_ifv4=""
|
||||
|
@ -172,7 +174,7 @@ f_log() {
|
|||
# load config
|
||||
#
|
||||
f_conf() {
|
||||
unset ban_dev ban_ifv4 ban_ifv6 ban_feed ban_blockinput ban_blockforward ban_logterm ban_country ban_asn
|
||||
unset ban_dev ban_ifv4 ban_ifv6 ban_feed ban_blockinput ban_blockforwardwan ban_blockforwardlan ban_logterm ban_country ban_asn
|
||||
config_cb() {
|
||||
option_cb() {
|
||||
local option="${1}"
|
||||
|
@ -198,8 +200,11 @@ f_conf() {
|
|||
"ban_blockinput")
|
||||
eval "${option}=\"$(printf "%s" "${ban_blockinput}")${value} \""
|
||||
;;
|
||||
"ban_blockforward")
|
||||
eval "${option}=\"$(printf "%s" "${ban_blockforward}")${value} \""
|
||||
"ban_blockforwardwan")
|
||||
eval "${option}=\"$(printf "%s" "${ban_blockforwardwan}")${value} \""
|
||||
;;
|
||||
"ban_blockforwardlan")
|
||||
eval "${option}=\"$(printf "%s" "${ban_blockforwardlan}")${value} \""
|
||||
;;
|
||||
"ban_logterm")
|
||||
eval "${option}=\"$(printf "%s" "${ban_logterm}")${value}\\|\""
|
||||
|
@ -387,18 +392,26 @@ f_nftinit() {
|
|||
fi
|
||||
printf "%s\n" "add table inet banIP"
|
||||
printf "%s\n" "add chain inet banIP wan-input { type filter hook input priority ${ban_nftpriority}; policy accept; }"
|
||||
printf "%s\n" "add chain inet banIP wan-forward { type filter hook forward priority ${ban_nftpriority}; policy accept; }"
|
||||
printf "%s\n" "add chain inet banIP lan-forward { type filter hook forward priority ${ban_nftpriority}; policy accept; }"
|
||||
|
||||
# default input rules
|
||||
# default wan-input rules
|
||||
#
|
||||
printf "%s\n" "add rule inet banIP wan-input ct state established,related counter accept"
|
||||
printf "%s\n" "add rule inet banIP wan-input iifname != { ${ban_dev// /, } } counter accept"
|
||||
printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv4 udp sport 67-68 udp dport 67-68 counter accept"
|
||||
printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 udp sport 547 udp dport 546 counter accept"
|
||||
printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv4 icmp type { echo-request } limit rate 1000/second counter accept"
|
||||
printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { echo-request } limit rate 1000/second counter accept"
|
||||
printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} limit rate 1000/second ip6 hoplimit 1 counter accept"
|
||||
printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} limit rate 1000/second ip6 hoplimit 255 counter accept"
|
||||
|
||||
# default forward rules
|
||||
# default wan-forward rules
|
||||
#
|
||||
printf "%s\n" "add rule inet banIP wan-forward ct state established,related counter accept"
|
||||
printf "%s\n" "add rule inet banIP wan-forward iifname != { ${ban_dev// /, } } counter accept"
|
||||
|
||||
# default lan-forward rules
|
||||
#
|
||||
printf "%s\n" "add rule inet banIP lan-forward ct state established,related counter accept"
|
||||
printf "%s\n" "add rule inet banIP lan-forward oifname != { ${ban_dev// /, } } counter accept"
|
||||
|
@ -414,7 +427,7 @@ f_nftinit() {
|
|||
}
|
||||
|
||||
f_down() {
|
||||
local nft_loginput nft_logforward start_ts end_ts tmp_raw tmp_load tmp_file split_file input_handles forward_handles handle
|
||||
local log_input log_forwardwan log_forwardlan start_ts end_ts tmp_raw tmp_load tmp_file split_file input_handles forwardwan_handles forwardlan_handles handle
|
||||
local cnt_set cnt_dl restore_rc feed_direction feed_rc feed_log feed="${1}" proto="${2}" feed_url="${3}" feed_rule="${4}" feed_flag="${5}"
|
||||
|
||||
start_ts="$(date +%s)"
|
||||
|
@ -426,27 +439,35 @@ f_down() {
|
|||
tmp_flush="${ban_tmpfile}.${feed}.flush"
|
||||
tmp_nft="${ban_tmpfile}.${feed}.nft"
|
||||
|
||||
[ "${ban_loginput}" = "1" ] && nft_loginput="log level ${ban_loglevel} prefix \"banIP_drp/${feed}: \""
|
||||
[ "${ban_logforward}" = "1" ] && nft_logforward="log level ${ban_loglevel} prefix \"banIP_rej/${feed}: \""
|
||||
[ "${ban_loginput}" = "1" ] && log_input="log level ${ban_loglevel} prefix \"banIP/inp-wan/drp/${feed}: \""
|
||||
[ "${ban_logforwardwan}" = "1" ] && log_forwardwan="log level ${ban_loglevel} prefix \"banIP/fwd-wan/drp/${feed}: \""
|
||||
[ "${ban_logforwardlan}" = "1" ] && log_forwardlan="log level ${ban_loglevel} prefix \"banIP/fwd-lan/rej/${feed}: \""
|
||||
|
||||
# set source block direction
|
||||
#
|
||||
if printf "%s" "${ban_blockinput}" | "${ban_grepcmd}" -q "${feed%v*}"; then
|
||||
feed_direction="input"
|
||||
elif printf "%s" "${ban_blockforward}" | "${ban_grepcmd}" -q "${feed%v*}"; then
|
||||
feed_direction="forward"
|
||||
fi
|
||||
if printf "%s" "${ban_blockforwardwan}" | "${ban_grepcmd}" -q "${feed%v*}"; then
|
||||
feed_direction="${feed_direction} forwardwan"
|
||||
fi
|
||||
if printf "%s" "${ban_blockforwardlan}" | "${ban_grepcmd}" -q "${feed%v*}"; then
|
||||
feed_direction="${feed_direction} forwardlan"
|
||||
fi
|
||||
|
||||
# chain/rule maintenance
|
||||
#
|
||||
if [ "${ban_action}" = "reload" ] && "${ban_nftcmd}" -t list set inet banIP "${feed}" >/dev/null 2>&1; then
|
||||
input_handles="$("${ban_nftcmd}" -t --handle --numeric list chain inet banIP wan-input 2>/dev/null)"
|
||||
forward_handles="$("${ban_nftcmd}" -t --handle --numeric list chain inet banIP lan-forward 2>/dev/null)"
|
||||
forwardwan_handles="$("${ban_nftcmd}" -t --handle --numeric list chain inet banIP wan-forward 2>/dev/null)"
|
||||
forwardlan_handles="$("${ban_nftcmd}" -t --handle --numeric list chain inet banIP lan-forward 2>/dev/null)"
|
||||
{
|
||||
printf "%s\n" "flush set inet banIP ${feed}"
|
||||
handle="$(printf "%s\n" "${input_handles}" | "${ban_awkcmd}" "/@${feed} /{print \$NF}")"
|
||||
[ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP wan-input handle ${handle}"
|
||||
handle="$(printf "%s\n" "${forward_handles}" | "${ban_awkcmd}" "/@${feed} /{print \$NF}")"
|
||||
handle="$(printf "%s\n" "${forwardwan_handles}" | "${ban_awkcmd}" "/@${feed} /{print \$NF}")"
|
||||
[ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP wan-forward handle ${handle}"
|
||||
handle="$(printf "%s\n" "${forwardlan_handles}" | "${ban_awkcmd}" "/@${feed} /{print \$NF}")"
|
||||
[ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP lan-forward handle ${handle}"
|
||||
} >"${tmp_flush}"
|
||||
fi
|
||||
|
@ -468,22 +489,27 @@ f_down() {
|
|||
if [ "${proto}" = "MAC" ]; then
|
||||
"${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s, ",tolower($1)}' "${ban_allowlist}" >"${tmp_file}"
|
||||
printf "%s\n" "add set inet banIP ${feed} { type ether_addr; policy memory; $(f_getelements "${tmp_file}") }"
|
||||
if [ "${feed_direction}" != "input" ]; then
|
||||
printf "%s\n" "add rule inet banIP lan-forward ether saddr @${feed} counter accept"
|
||||
fi
|
||||
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ether saddr @${feed} counter accept"
|
||||
elif [ "${proto}" = "4" ]; then
|
||||
"${ban_awkcmd}" '/^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{printf "%s, ",$1}' "${ban_allowlist}" >"${tmp_file}"
|
||||
printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy memory; $(f_getelements "${tmp_file}") }"
|
||||
if [ "${feed_direction}" != "forward" ]; then
|
||||
if [ -z "${feed_direction##*input*}" ]; then
|
||||
if [ "${ban_allowlistonly}" = "1" ]; then
|
||||
printf "%s\n" "add rule inet banIP wan-input ip saddr != @${feed} ${nft_loginput} counter drop"
|
||||
printf "%s\n" "add rule inet banIP wan-input ip saddr != @${feed} ${log_input} counter drop"
|
||||
else
|
||||
printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} counter accept"
|
||||
fi
|
||||
fi
|
||||
if [ "${feed_direction}" != "input" ]; then
|
||||
if [ -z "${feed_direction##*forwardwan*}" ]; then
|
||||
if [ "${ban_allowlistonly}" = "1" ]; then
|
||||
printf "%s\n" "add rule inet banIP lan-forward ip daddr != @${feed} ${nft_logforward} counter reject with icmp type admin-prohibited"
|
||||
printf "%s\n" "add rule inet banIP wan-forward ip saddr != @${feed} ${log_forwardwan} counter drop"
|
||||
else
|
||||
printf "%s\n" "add rule inet banIP wan-forward ip saddr @${feed} counter accept"
|
||||
fi
|
||||
fi
|
||||
if [ -z "${feed_direction##*forwardlan*}" ]; then
|
||||
if [ "${ban_allowlistonly}" = "1" ]; then
|
||||
printf "%s\n" "add rule inet banIP lan-forward ip daddr != @${feed} ${log_forwardlan} counter reject with icmp type admin-prohibited"
|
||||
else
|
||||
printf "%s\n" "add rule inet banIP lan-forward ip daddr @${feed} counter accept"
|
||||
fi
|
||||
|
@ -492,16 +518,23 @@ f_down() {
|
|||
"${ban_awkcmd}" '!/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s\n",$1}' "${ban_allowlist}" |
|
||||
"${ban_awkcmd}" '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{printf "%s, ",tolower($1)}' >"${tmp_file}"
|
||||
printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy memory; $(f_getelements "${tmp_file}") }"
|
||||
if [ "${feed_direction}" != "forward" ]; then
|
||||
if [ -z "${feed_direction##*input*}" ]; then
|
||||
if [ "${ban_allowlistonly}" = "1" ]; then
|
||||
printf "%s\n" "add rule inet banIP wan-input ip6 saddr != @${feed} ${nft_loginput} counter drop"
|
||||
printf "%s\n" "add rule inet banIP wan-input ip6 saddr != @${feed} ${log_input} counter drop"
|
||||
else
|
||||
printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} counter accept"
|
||||
fi
|
||||
fi
|
||||
if [ "${feed_direction}" != "input" ]; then
|
||||
if [ -z "${feed_direction##*forwardwan*}" ]; then
|
||||
if [ "${ban_allowlistonly}" = "1" ]; then
|
||||
printf "%s\n" "add rule inet banIP lan-forward ip6 daddr != @${feed} ${nft_logforward} counter reject with icmpv6 type admin-prohibited"
|
||||
printf "%s\n" "add rule inet banIP wan-forward ip6 saddr != @${feed} ${log_forwardwan} counter drop"
|
||||
else
|
||||
printf "%s\n" "add rule inet banIP wan-forward ip6 saddr @${feed} counter accept"
|
||||
fi
|
||||
fi
|
||||
if [ -z "${feed_direction##*forwardlan*}" ]; then
|
||||
if [ "${ban_allowlistonly}" = "1" ]; then
|
||||
printf "%s\n" "add rule inet banIP lan-forward ip6 daddr != @${feed} ${log_forwardlan} counter reject with icmpv6 type admin-prohibited"
|
||||
else
|
||||
printf "%s\n" "add rule inet banIP lan-forward ip6 daddr @${feed} counter accept"
|
||||
fi
|
||||
|
@ -516,9 +549,7 @@ f_down() {
|
|||
if [ "${proto}" = "MAC" ]; then
|
||||
"${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s, ",tolower($1)}' "${ban_blocklist}" >"${tmp_file}"
|
||||
printf "%s\n" "add set inet banIP ${feed} { type ether_addr; policy memory; $(f_getelements "${tmp_file}") }"
|
||||
if [ "${feed_direction}" != "input" ]; then
|
||||
printf "%s\n" "add rule inet banIP lan-forward ether saddr @${feed} ${nft_logforward} counter reject"
|
||||
fi
|
||||
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ether saddr @${feed} ${log_forwardlan} counter reject"
|
||||
elif [ "${proto}" = "4" ]; then
|
||||
if [ "${ban_deduplicate}" = "1" ]; then
|
||||
"${ban_awkcmd}" '/^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{printf "%s,\n",$1}' "${ban_blocklist}" >"${tmp_raw}"
|
||||
|
@ -530,12 +561,9 @@ f_down() {
|
|||
fi
|
||||
"${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}"
|
||||
printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval, timeout; auto-merge; policy memory; $(f_getelements "${tmp_file}") }"
|
||||
if [ "${feed_direction}" != "forward" ]; then
|
||||
printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} ${nft_loginput} counter drop"
|
||||
fi
|
||||
if [ "${feed_direction}" != "input" ]; then
|
||||
printf "%s\n" "add rule inet banIP lan-forward ip daddr @${feed} ${nft_logforward} counter reject with icmp type admin-prohibited"
|
||||
fi
|
||||
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} ${log_input} counter drop"
|
||||
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip saddr @${feed} ${log_forwardwan} counter drop"
|
||||
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ip daddr @${feed} ${log_forwardlan} counter reject with icmp type admin-prohibited"
|
||||
elif [ "${proto}" = "6" ]; then
|
||||
if [ "${ban_deduplicate}" = "1" ]; then
|
||||
"${ban_awkcmd}" '!/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s\n",$1}' "${ban_blocklist}" |
|
||||
|
@ -549,12 +577,9 @@ f_down() {
|
|||
fi
|
||||
"${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}"
|
||||
printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval, timeout; auto-merge; policy memory; $(f_getelements "${tmp_file}") }"
|
||||
if [ "${feed_direction}" != "forward" ]; then
|
||||
printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} ${nft_loginput} counter drop"
|
||||
fi
|
||||
if [ "${feed_direction}" != "input" ]; then
|
||||
printf "%s\n" "add rule inet banIP lan-forward ip6 daddr @${feed} ${nft_logforward} counter reject with icmpv6 type admin-prohibited"
|
||||
fi
|
||||
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} ${log_input} counter drop"
|
||||
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip6 saddr @${feed} ${log_forwardwan} counter drop"
|
||||
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ip6 daddr @${feed} ${log_forwardlan} counter reject with icmpv6 type admin-prohibited"
|
||||
fi
|
||||
} >"${tmp_nft}"
|
||||
feed_rc="${?}"
|
||||
|
@ -650,12 +675,9 @@ f_down() {
|
|||
|
||||
# input and forward rules
|
||||
#
|
||||
if [ "${feed_direction}" != "forward" ]; then
|
||||
printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} ${nft_loginput} counter drop"
|
||||
fi
|
||||
if [ "${feed_direction}" != "input" ]; then
|
||||
printf "%s\n" "add rule inet banIP lan-forward ip daddr @${feed} ${nft_logforward} counter reject with icmp type admin-prohibited"
|
||||
fi
|
||||
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} ${log_input} counter drop"
|
||||
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip saddr @${feed} ${log_forwardwan} counter drop"
|
||||
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ip daddr @${feed} ${log_forwardlan} counter reject with icmp type admin-prohibited"
|
||||
} >"${tmp_nft}"
|
||||
elif [ "${feed_rc}" = "0" ] && [ "${proto}" = "6" ]; then
|
||||
{
|
||||
|
@ -667,12 +689,9 @@ f_down() {
|
|||
|
||||
# input and forward rules
|
||||
#
|
||||
if [ "${feed_direction}" != "forward" ]; then
|
||||
printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} ${nft_loginput} counter drop"
|
||||
fi
|
||||
if [ "${feed_direction}" != "input" ]; then
|
||||
printf "%s\n" "add rule inet banIP lan-forward ip6 daddr @${feed} ${nft_logforward} counter reject with icmpv6 type admin-prohibited"
|
||||
fi
|
||||
[ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} ${log_input} counter drop"
|
||||
[ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip6 saddr @${feed} ${log_forwardwan} counter drop"
|
||||
[ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ip6 daddr @${feed} ${log_forwardlan} counter reject with icmpv6 type admin-prohibited"
|
||||
} >"${tmp_nft}"
|
||||
fi
|
||||
fi
|
||||
|
@ -741,12 +760,13 @@ f_restore() {
|
|||
# remove disabled feeds
|
||||
#
|
||||
f_rmset() {
|
||||
local tmp_del table_sets input_handles forward_handles handle sets feed feed_log feed_rc
|
||||
local tmp_del table_sets input_handles forwardwan_handles forwardlan_handles handle sets feed feed_log feed_rc
|
||||
|
||||
tmp_del="${ban_tmpfile}.final.delete"
|
||||
table_sets="$("${ban_nftcmd}" -t list table inet banIP 2>/dev/null | "${ban_awkcmd}" '/^[[:space:]]+set [[:alnum:]]+ /{printf "%s ",$2}' 2>/dev/null)"
|
||||
input_handles="$("${ban_nftcmd}" -t --handle --numeric list chain inet banIP wan-input 2>/dev/null)"
|
||||
forward_handles="$("${ban_nftcmd}" -t --handle --numeric list chain inet banIP lan-forward 2>/dev/null)"
|
||||
forwardwan_handles="$("${ban_nftcmd}" -t --handle --numeric list chain inet banIP wan-forward 2>/dev/null)"
|
||||
forwardlan_handles="$("${ban_nftcmd}" -t --handle --numeric list chain inet banIP lan-forward 2>/dev/null)"
|
||||
{
|
||||
printf "%s\n\n" "#!/usr/sbin/nft -f"
|
||||
for feed in ${table_sets}; do
|
||||
|
@ -756,7 +776,9 @@ f_rmset() {
|
|||
printf "%s\n" "flush set inet banIP ${feed}"
|
||||
handle="$(printf "%s\n" "${input_handles}" | "${ban_awkcmd}" "/@${feed} /{print \$NF}" 2>/dev/null)"
|
||||
[ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP wan-input handle ${handle}"
|
||||
handle="$(printf "%s\n" "${forward_handles}" | "${ban_awkcmd}" "/@${feed} /{print \$NF}" 2>/dev/null)"
|
||||
handle="$(printf "%s\n" "${forwardwan_handles}" | "${ban_awkcmd}" "/@${feed} /{print \$NF}" 2>/dev/null)"
|
||||
[ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP wan-forward handle ${handle}"
|
||||
handle="$(printf "%s\n" "${forwardlan_handles}" | "${ban_awkcmd}" "/@${feed} /{print \$NF}" 2>/dev/null)"
|
||||
[ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP lan-forward handle ${handle}"
|
||||
printf "%s\n\n" "delete set inet banIP ${feed}"
|
||||
fi
|
||||
|
@ -852,7 +874,7 @@ f_genstatus() {
|
|||
fi
|
||||
json_close_array
|
||||
json_add_string "run_info" "base_dir: ${ban_basedir}, backup_dir: ${ban_backupdir}, report_dir: ${ban_reportdir}, feed_archive: ${ban_feedarchive}"
|
||||
json_add_string "run_flags" "protocol (4/6): $(f_char ${ban_protov4})/$(f_char ${ban_protov6}), log (inp/fwd): $(f_char ${ban_loginput})/$(f_char ${ban_logforward}), deduplicate: $(f_char ${ban_deduplicate}), split: $(f_char ${split}), allowed only: $(f_char ${ban_allowlistonly})"
|
||||
json_add_string "run_flags" "protocol (4/6): $(f_char ${ban_protov4})/$(f_char ${ban_protov6}), log (wan-inp/wan-fwd/lan-fwd): $(f_char ${ban_loginput})/$(f_char ${ban_logforwardwan})/$(f_char ${ban_logforwardlan}), deduplicate: $(f_char ${ban_deduplicate}), split: $(f_char ${split}), allowed only: $(f_char ${ban_allowlistonly})"
|
||||
json_add_string "last_run" "${runtime:-"-"}"
|
||||
json_add_string "system_info" "cores: ${ban_cores}, memory: ${ban_memory}, device: ${ban_sysver}"
|
||||
json_dump >"${ban_basedir}/ban_runtime.json"
|
||||
|
@ -885,7 +907,7 @@ f_getstatus() {
|
|||
fi
|
||||
value="$(
|
||||
printf "%s" "${value}" |
|
||||
awk '{NR=1;max=98;if(length($0)>max+1)while($0){if(NR==1){print substr($0,1,max)}else{printf"%-24s%s\n","",substr($0,1,max)}{$0=substr($0,max+1);NR=NR+1}}else print}'
|
||||
awk '{NR=1;max=118;if(length($0)>max+1)while($0){if(NR==1){print substr($0,1,max)}else{printf"%-24s%s\n","",substr($0,1,max)}{$0=substr($0,max+1);NR=NR+1}}else print}'
|
||||
)"
|
||||
printf " + %-17s : %s\n" "${key}" "${value:-"-"}"
|
||||
done
|
||||
|
@ -945,8 +967,8 @@ f_lookup() {
|
|||
# banIP table statistics
|
||||
#
|
||||
f_report() {
|
||||
local report_jsn report_txt set nft_raw nft_sets set_cnt set_input set_forward set_cntinput set_cntforward output="${1}"
|
||||
local detail set_details jsnval timestamp autoadd_allow autoadd_block sum_sets sum_setinput sum_setforward sum_setelements sum_cntinput sum_cntforward
|
||||
local report_jsn report_txt set tmp_val nft_raw nft_sets set_cnt set_input set_forwardwan set_forwardlan set_cntinput set_cntforwardwan set_cntforwardlan output="${1}"
|
||||
local detail set_details jsnval timestamp autoadd_allow autoadd_block sum_sets sum_setinput sum_setforwardwan sum_setforwardlan sum_setelements sum_cntinput sum_cntforwardwan sum_cntforwardlan
|
||||
|
||||
[ -z "${ban_dev}" ] && f_conf
|
||||
f_mkdir "${ban_reportdir}"
|
||||
|
@ -959,10 +981,12 @@ f_report() {
|
|||
nft_sets="$(printf "%s" "${nft_raw}" | jsonfilter -qe '@.nftables[*].set.name')"
|
||||
sum_sets="0"
|
||||
sum_setinput="0"
|
||||
sum_setforward="0"
|
||||
sum_setforwardwan="0"
|
||||
sum_setforwardlan="0"
|
||||
sum_setelements="0"
|
||||
sum_cntinput="0"
|
||||
sum_cntforward="0"
|
||||
sum_cntforwardwan="0"
|
||||
sum_cntforwardlan="0"
|
||||
timestamp="$(date "+%Y-%m-%d %H:%M:%S")"
|
||||
: >"${report_jsn}"
|
||||
{
|
||||
|
@ -972,30 +996,41 @@ f_report() {
|
|||
set_cnt="$("${ban_nftcmd}" -j list set inet banIP "${set}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)"
|
||||
sum_setelements="$((sum_setelements + set_cnt))"
|
||||
set_cntinput="$(printf "%s" "${nft_raw}" | jsonfilter -qe "@.nftables[@.rule.chain=\"wan-input\"][@.expr[*].match.right=\"@${set}\"].expr[*].counter.packets")"
|
||||
set_cntforward="$(printf "%s" "${nft_raw}" | jsonfilter -qe "@.nftables[@.rule.chain=\"lan-forward\"][@.expr[*].match.right=\"@${set}\"].expr[*].counter.packets")"
|
||||
set_cntforwardwan="$(printf "%s" "${nft_raw}" | jsonfilter -qe "@.nftables[@.rule.chain=\"wan-forward\"][@.expr[*].match.right=\"@${set}\"].expr[*].counter.packets")"
|
||||
set_cntforwardlan="$(printf "%s" "${nft_raw}" | jsonfilter -qe "@.nftables[@.rule.chain=\"lan-forward\"][@.expr[*].match.right=\"@${set}\"].expr[*].counter.packets")"
|
||||
if [ -n "${set_cntinput}" ]; then
|
||||
set_input="OK"
|
||||
sum_setinput="$((sum_setinput + 1))"
|
||||
sum_cntinput="$((sum_cntinput + set_cntinput))"
|
||||
else
|
||||
set_input="n/a"
|
||||
set_cntinput="n/a"
|
||||
set_input="-"
|
||||
set_cntinput=""
|
||||
fi
|
||||
if [ -n "${set_cntforward}" ]; then
|
||||
set_forward="OK"
|
||||
sum_setforward="$((sum_setforward + 1))"
|
||||
sum_cntforward="$((sum_cntforward + set_cntforward))"
|
||||
if [ -n "${set_cntforwardwan}" ]; then
|
||||
set_forwardwan="OK"
|
||||
sum_setforwardwan="$((sum_setforwardwan + 1))"
|
||||
sum_cntforwardwan="$((sum_cntforwardwan + set_cntforwardwan))"
|
||||
else
|
||||
set_forward="n/a"
|
||||
set_cntforward="n/a"
|
||||
set_forwardwan="-"
|
||||
set_cntforwardwan=""
|
||||
fi
|
||||
if [ -n "${set_cntforwardlan}" ]; then
|
||||
set_forwardlan="OK"
|
||||
sum_setforwardlan="$((sum_setforwardlan + 1))"
|
||||
sum_cntforwardlan="$((sum_cntforwardlan + set_cntforwardlan))"
|
||||
else
|
||||
set_forwardlan="-"
|
||||
set_cntforwardlan=""
|
||||
fi
|
||||
[ "${sum_sets}" -gt "0" ] && printf "%s\n" ","
|
||||
printf "\t\t%s\n" "\"${set}\": {"
|
||||
printf "\t\t\t%s\n" "\"cnt_elements\": \"${set_cnt}\","
|
||||
printf "\t\t\t%s\n" "\"input\": \"${set_input}\","
|
||||
printf "\t\t\t%s\n" "\"forward\": \"${set_forward}\","
|
||||
printf "\t\t\t%s\n" "\"cnt_input\": \"${set_cntinput}\","
|
||||
printf "\t\t\t%s\n" "\"cnt_forward\": \"${set_cntforward}\""
|
||||
printf "\t\t\t%s\n" "\"input\": \"${set_input}\","
|
||||
printf "\t\t\t%s\n" "\"cnt_forwardwan\": \"${set_cntforwardwan}\","
|
||||
printf "\t\t\t%s\n" "\"wan_forward\": \"${set_forwardwan}\","
|
||||
printf "\t\t\t%s\n" "\"cnt_forwardlan\": \"${set_cntforwardlan}\","
|
||||
printf "\t\t\t%s\n" "\"lan_forward\": \"${set_forwardlan}\""
|
||||
printf "\t\t%s" "}"
|
||||
sum_sets="$((sum_sets + 1))"
|
||||
done
|
||||
|
@ -1005,10 +1040,12 @@ f_report() {
|
|||
printf "\t%s\n" "\"autoadd_block\": \"$("${ban_grepcmd}" -c "added on ${timestamp% *}" "${ban_blocklist}")\","
|
||||
printf "\t%s\n" "\"sum_sets\": \"${sum_sets}\","
|
||||
printf "\t%s\n" "\"sum_setinput\": \"${sum_setinput}\","
|
||||
printf "\t%s\n" "\"sum_setforward\": \"${sum_setforward}\","
|
||||
printf "\t%s\n" "\"sum_setforwardwan\": \"${sum_setforwardwan}\","
|
||||
printf "\t%s\n" "\"sum_setforwardlan\": \"${sum_setforwardlan}\","
|
||||
printf "\t%s\n" "\"sum_setelements\": \"${sum_setelements}\","
|
||||
printf "\t%s\n" "\"sum_cntinput\": \"${sum_cntinput}\","
|
||||
printf "\t%s\n" "\"sum_cntforward\": \"${sum_cntforward}\""
|
||||
printf "\t%s\n" "\"sum_cntforwardwan\": \"${sum_cntforwardwan}\","
|
||||
printf "\t%s\n" "\"sum_cntforwardlan\": \"${sum_cntforwardlan}\""
|
||||
printf "%s\n" "}"
|
||||
} >>"${report_jsn}"
|
||||
|
||||
|
@ -1023,10 +1060,12 @@ f_report() {
|
|||
json_get_var autoadd_block "autoadd_block" >/dev/null 2>&1
|
||||
json_get_var sum_sets "sum_sets" >/dev/null 2>&1
|
||||
json_get_var sum_setinput "sum_setinput" >/dev/null 2>&1
|
||||
json_get_var sum_setforward "sum_setforward" >/dev/null 2>&1
|
||||
json_get_var sum_setforwardwan "sum_setforwardwan" >/dev/null 2>&1
|
||||
json_get_var sum_setforwardlan "sum_setforwardlan" >/dev/null 2>&1
|
||||
json_get_var sum_setelements "sum_setelements" >/dev/null 2>&1
|
||||
json_get_var sum_cntinput "sum_cntinput" >/dev/null 2>&1
|
||||
json_get_var sum_cntforward "sum_cntforward" >/dev/null 2>&1
|
||||
json_get_var sum_cntforwardwan "sum_cntforwardwan" >/dev/null 2>&1
|
||||
json_get_var sum_cntforwardlan "sum_cntforwardlan" >/dev/null 2>&1
|
||||
{
|
||||
printf "%s\n%s\n%s\n" ":::" "::: banIP Set Statistics" ":::"
|
||||
printf "%s\n" " Timestamp: ${timestamp}"
|
||||
|
@ -1036,21 +1075,32 @@ f_report() {
|
|||
json_select "sets" >/dev/null 2>&1
|
||||
json_get_keys nft_sets >/dev/null 2>&1
|
||||
if [ -n "${nft_sets}" ]; then
|
||||
printf "%-25s%-16s%-16s%-16s%-16s%s\n" " Set" "| Set Elements" "| Chain Input" "| Chain Forward" "| Input Packets" "| Forward Packets"
|
||||
printf "%s\n" " ---------------------+---------------+---------------+---------------+---------------+----------------"
|
||||
printf "%-25s%-15s%-24s%-24s%s\n" " Set" "| Elements" "| WAN-Input (packets)" "| WAN-Forward (packets)" "| LAN-Forward (packets)"
|
||||
printf "%s\n" " ---------------------+--------------+-----------------------+-----------------------+------------------------"
|
||||
for set in ${nft_sets}; do
|
||||
printf " %-21s" "${set}"
|
||||
json_select "${set}"
|
||||
json_get_keys set_details
|
||||
for detail in ${set_details}; do
|
||||
json_get_var jsnval "${detail}" >/dev/null 2>&1
|
||||
printf "%-16s" "| ${jsnval}"
|
||||
case "${detail}" in
|
||||
"cnt_elements")
|
||||
printf "%-15s" "| ${jsnval}"
|
||||
;;
|
||||
"cnt_input" | "cnt_forwardwan" | "cnt_forwardlan")
|
||||
[ -n "${jsnval}" ] && tmp_val=": ${jsnval}"
|
||||
;;
|
||||
*)
|
||||
printf "%-24s" "| ${jsnval}${tmp_val}"
|
||||
tmp_val=""
|
||||
;;
|
||||
esac
|
||||
done
|
||||
printf "\n"
|
||||
json_select ".."
|
||||
done
|
||||
printf "%s\n" " ---------------------+---------------+---------------+---------------+---------------+----------------"
|
||||
printf "%-25s%-16s%-16s%-16s%-16s%s\n" " ${sum_sets}" "| ${sum_setelements}" "| ${sum_setinput}" "| ${sum_setforward}" "| ${sum_cntinput}" "| ${sum_cntforward}"
|
||||
printf "%s\n" " ---------------------+--------------+-----------------------+-----------------------+------------------------"
|
||||
printf "%-25s%-15s%-24s%-24s%s\n" " ${sum_sets}" "| ${sum_setelements}" "| ${sum_setinput} (${sum_cntinput})" "| ${sum_setforwardwan} (${sum_cntforwardwan})" "| ${sum_setforwardlan} (${sum_cntforwardlan})"
|
||||
fi
|
||||
} >>"${report_txt}"
|
||||
fi
|
||||
|
|
|
@ -8,7 +8,7 @@ local banip_info report_info log_info system_info mail_text
|
|||
|
||||
banip_info="$(/etc/init.d/banip status 2>/dev/null)"
|
||||
report_info="$(cat ${ban_reportdir}/ban_report.txt 2>/dev/null)"
|
||||
log_info="$("${ban_logreadcmd}" -l 100 -e "banIP_" 2>/dev/null | awk '{NR=1;max=120;if(length($0)>max+1)while($0){if(NR==1){print substr($0,1,max)}else{print substr($0,1,max)}{$0=substr($0,max+1);NR=NR+1}}else print}')"
|
||||
log_info="$("${ban_logreadcmd}" -l 100 -e "banIP/" 2>/dev/null | awk '{NR=1;max=140;if(length($0)>max+1)while($0){if(NR==1){print substr($0,1,max)}else{print substr($0,1,max)}{$0=substr($0,max+1);NR=NR+1}}else print}')"
|
||||
system_info="$(
|
||||
strings /etc/banner 2>/dev/null
|
||||
ubus call system board | awk 'BEGIN{FS="[{}\"]"}{if($2=="kernel"||$2=="hostname"||$2=="system"||$2=="model"||$2=="description")printf " + %-12s: %s\n",$2,$4}'
|
||||
|
|
Loading…
Reference in New Issue