From: Dirk Brenken
Date: Thu, 4 Dec 2025 19:25:29 +0000 (+0100)
Subject: banip: release 1.6.0-1
X-Git-Url: http://git.openwrt.org/?a=commitdiff_plain;h=c47d8b149ca014d804697876c0c3ceb10cc23418;p=feed%2Fpackages.git
banip: release 1.6.0-1
* split block/logging rules (fixed #27990)
* adapt reload functions to support the new split logic
* the banIP status now includes the backend- and the frontend version information
* fixed a config parsing error with non existing dirs (reported in the forum)
* fixed a small reporting issue (reported in the forum)
* added a new public dns feed (by default restricted to outbound, ports 53 and 853)
* added a new gawk dependency due to significant performance gains
* LuCI: no longer call the logread binary, use rpc / the ubus log object instead
* LuCI: various code cleanups
* LuCI: various small usability improvements
* readme update
Signed-off-by: Dirk Brenken
---
diff --git a/net/banip/Makefile b/net/banip/Makefile
index 352d83333e..0e5e55e5a1 100644
--- a/net/banip/Makefile
+++ b/net/banip/Makefile
@@ -5,8 +5,8 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=banip
-PKG_VERSION:=1.5.6
-PKG_RELEASE:=7
+PKG_VERSION:=1.6.0
+PKG_RELEASE:=1
 PKG_LICENSE:=GPL-3.0-or-later
 PKG_MAINTAINER:=Dirk Brenken
@@ -16,7 +16,7 @@ define Package/banip
 SECTION:=net
 CATEGORY:=Network
 TITLE:=banIP blocks IPs via named nftables Sets
- DEPENDS:=+jshn +jsonfilter +firewall4 +ca-bundle +rpcd +rpcd-mod-rpcsys
+ DEPENDS:=+jshn +jsonfilter +firewall4 +gawk +ca-bundle +rpcd +rpcd-mod-rpcsys
 PKGARCH:=all
 endef
diff --git a/net/banip/files/README.md b/net/banip/files/README.md
index 6a95bbcaf7..77d16e9976 100644
--- a/net/banip/files/README.md
+++ b/net/banip/files/README.md
@@ -26,7 +26,8 @@ IP address blocking is commonly used to protect against brute force attacks, pre | country | country blocks | x | | | [Link](https://www.ipdeny.com/ipblocks) | | cinsscore | suspicious attacker IPs | x | | | [Link](https://cinsscore.com/#list) | | debl | fail2ban IP blacklist | x | | | [Link](https://www.blocklist.de) | -| doh | public DoH-Provider | | x | tcp, udp: 80, 443 | [Link](https://github.com/dibdot/DoH-IP-blocklists) | +| dns | public DNS-Server | | x | tcp, udp: 53, 853 | [Link](https://public-dns.info) | +| doh | public DoH-Server | | x | tcp, udp: 80, 443 | [Link](https://github.com/dibdot/DoH-IP-blocklists) | | drop | spamhaus drop compilation | x | | | [Link](https://www.spamhaus.org) | | dshield | dshield IP blocklist | x | | | [Link](https://www.dshield.org) | | etcompromised | ET compromised hosts | x | | | [Link](https://iplists.firehol.org/?ipset=et_compromised) | 
@@ -95,14 +96,14 @@ IP address blocking is commonly used to protect against brute force attacks, pre ## Prerequisites -* **[OpenWrt](https://openwrt.org)**, latest stable release 24.x or a development snapshot with nft/firewall 4 support +* **[OpenWrt](https://openwrt.org)**, latest stable release or a development snapshot with nft/firewall 4 support * A download utility with SSL support: 'curl', full 'wget' or 'uclient-fetch' with one of the 'libustream-*' SSL libraries, the latter one doesn't provide support for ETag HTTP header * A certificate store like 'ca-bundle', as banIP checks the validity of the SSL certificates of all download sites by default * For E-Mail notifications you need to install and setup the additional 'msmtp' package **Please note:** * Devices with less than 256MB of RAM are **_not_** supported -* Latest banIP 1.5.x does **_not_** support OpenWrt 23.x because the kernel and the nft library are outdated (use former banIP 1.0.x instead) +* Latest banIP does **_not_** support OpenWrt 23.x because the kernel and the nft library are outdated (use former banIP 1.0.x instead) * Any previous custom feeds file of banIP 1.0.x must be cleared and it's recommended to start with a fresh banIP default config 
@@ -339,19 +340,19 @@ Available commands: **banIP runtime information** ``` -~# /etc/init.d/banip status ::: banIP runtime information + status : active (nft: ✔, monitor: ✔) - + version : 1.5.6-r4 - + element_count : 128 751 (chains: 7, sets: 19, rules: 47) - + active_feeds : allowlist.v4MAC, allowlist.v6MAC, allowlist.v4, allowlist.v6, cinsscore.v4, debl.v4, country.v6, debl.v6, doh.v4, doh.v6, country.v4, threat.v4, hagezi.v4, turris.v4, turris.v6, blocklist.v4MAC, blocklist.v6MAC, blocklist.v4, blocklist.v6 + + frontend_ver : 1.6.0-r1 + + backend_ver : 1.6.0-r1 + + element_count : 223 563 (chains: 7, sets: 22, rules: 75) + + active_feeds : allowlist.v4MAC, allowlist.v6MAC, allowlist.v4, allowlist.v6, cinsscore.v4, debl.v4, country.v6, debl.v6, country.v4, dns.v4, dns.v6, doh.v4, doh.v6, firehol1.v4, hagezi.v4, threat.v4, turris.v4, turris.v6, blocklist.v4MAC, blocklist.v6MAC, blocklist.v4, blocklist.v6 + active_devices : wan: pppoe-wan / wan-if: wan, wan_6 / vlan-allow: - / vlan-block: - - + active_uplink : 91.61.111.35, 2004:fc:45fe:678:c890:e2a3:c729:dc13 - + nft_info : ver: 1.1.1-r1, priority: -100, policy: performance, loglevel: warn, expiry: 2h, limit (icmp/syn/udp): 25/10/100 + + active_uplink : 5.73.187.13, 2a04:5700:104:c65a:dc41:4131:409:227c + + nft_info : ver: 1.1.5-r1, priority: -100, policy: performance, loglevel: warn, expiry: 2h, limit (icmp/syn/udp): 25/10/100 + run_info : base: /mnt/data/banIP, backup: /mnt/data/banIP/backup, report: /mnt/data/banIP/report, error: /mnt/data/banIP/error - + run_flags : auto: ✔, proto (4/6): ✔/✔, log (pre/in/out): ✘/✘/✔, count: ✔, dedup: ✔, split: ✘, custom feed: ✔, allowed only: ✘ - + last_run : mode: restart, 2025-06-08 21:11:21, duration: 0m 22s, memory: 1310.16 MB available - + system_info : cores: 4, log: logread, fetch: curl, Bananapi BPI-R3, mediatek/filogic, OpenWrt SNAPSHOT r29955-8b24289a52 + + run_flags : auto: ✔, proto (4/6): ✔/✔, log (pre/in/out): ✔/✔/✔, count: ✔, dedup: ✔, split: ✘, custom feed: ✘, 
allowed only: ✘ + + last_run : mode: restart, 2025-12-04 10:00:41, duration: 0m 48s, memory: 1361.54 MB available + + system_info : cores: 4, log: logread, fetch: curl, Bananapi BPI-R3, mediatek/filogic, OpenWrt SNAPSHOT r32101-28cc1c368c ``` **banIP search information** diff --git a/net/banip/files/banip-functions.sh b/net/banip/files/banip-functions.sh index 81ee8c9c02..dcf69ca758 100644 --- a/net/banip/files/banip-functions.sh +++ b/net/banip/files/banip-functions.sh @@ -105,7 +105,8 @@ f_system() { ban_debug="$(uci_get banip global ban_debug "0")" ban_cores="$(uci_get banip global ban_cores)" ban_packages="$("${ban_ubuscmd}" -S call rpc-sys packagelist '{ "all": true }' 2>/dev/null)" - ban_ver="$(printf "%s" "${ban_packages}" | "${ban_jsoncmd}" -ql1 -e '@.packages.banip')" + ban_bver="$(printf "%s" "${ban_packages}" | "${ban_jsoncmd}" -ql1 -e '@.packages.banip')" + ban_fver="$(printf "%s" "${ban_packages}" | "${ban_jsoncmd}" -ql1 -e '@.packages["luci-app-banip"]')" ban_sysver="$("${ban_ubuscmd}" -S call system board 2>/dev/null | "${ban_jsoncmd}" -ql1 -e '@.model' -e '@.release.target' -e '@.release.distribution' -e '@.release.version' -e '@.release.revision' | "${ban_awkcmd}" 'BEGIN{RS="";FS="\n"}{printf "%s, %s, %s %s %s %s",$1,$2,$3,$4,$5,$6}')" @@ -233,9 +234,9 @@ f_log() { if [ -n "${log_msg}" ] && { [ "${class}" != "debug" ] || [ "${ban_debug}" = "1" ]; }; then if [ -x "${ban_logcmd}" ]; then - "${ban_logcmd}" -p "${class}" -t "banIP-${ban_ver}[${$}]" "${log_msg::256}" + "${ban_logcmd}" -p "${class}" -t "banIP-${ban_bver}[${$}]" "${log_msg::256}" else - printf "%s %s %s\n" "${class}" "banIP-${ban_ver}[${$}]" "${log_msg::256}" + printf "%s %s %s\n" "${class}" "banIP-${ban_bver}[${$}]" "${log_msg::256}" fi fi if [ "${class}" = "err" ] || [ "${class}" = "emerg" ]; then 
@@ -264,24 +265,20 @@ f_conf() { option_cb() { local option="${1}" value="${2//\"/\\\"}" - if [ -d "${value}" ] || { [ ! -d "${value}" ] && [ -n "${value%%[./]*}" ]; }; then - eval "${option}=\"${value}\"" - fi + eval "${option}=\"${value}\"" } list_cb() { local append option="${1}" value="${2//\"/\\\"}" - if [ -d "${value}" ] || { [ ! -d "${value}" ] && [ -n "${value%%[./]*}" ]; }; then - eval "append=\"\${${option}}\"" - case "${option}" in - "ban_logterm") - eval "${option}=\"${append}${value}\\|\"" - ;; - *) - eval "${option}=\"${append}${value} \"" - ;; - esac - fi + eval "append=\"\${${option}}\"" + case "${option}" in + "ban_logterm") + eval "${option}=\"${append}${value}\\|\"" + ;; + *) + eval "${option}=\"${append}${value} \"" + ;; + esac } } config_load banip 
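Review bot: With the directory guard removed, every UCI value now reaches `eval` with only its double quotes escaped, so a value containing `$`, a backtick or a backslash is expanded a second time when option_cb and list_cb assign it (a ban_logterm entry such as `foo$bar` silently loses `$bar`); this was already the case before the change, but the guard used to reject at least some odd values. Assigning through the local variable instead of interpolating the text into the eval string stores the value byte-for-byte and makes the `${2//\"/\\\"}` substitution unnecessary. f_conf starts before this hunk and continues after `config_load banip`.

```shell
option_cb() {
	local option="${1}" value="${2}"
	eval "${option}=\"\${value}\""
}
list_cb() {
	local append option="${1}" value="${2}"
	# … unchanged: append lookup and case on ${option} …
	# ban_logterm branch:
	eval "${option}=\"\${append}\${value}\\|\""
	# default branch:
	eval "${option}=\"\${append}\${value} \""
	# … unchanged: esac …
}
```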
@@ -666,14 +663,43 @@ f_nftinit() { # default pre-routing rules # printf "%s\n" "add rule inet banIP pre-routing iifname != { ${wan_dev} } counter accept" - printf "%s\n" "add rule inet banIP pre-routing ct state invalid ${log_ct} counter name cnt_ctinvalid drop" - [ "${ban_icmplimit}" -gt "0" ] && printf "%s\n" "add rule inet banIP pre-routing meta nfproto . meta l4proto { ipv4 . icmp , ipv6 . icmpv6 } limit rate over ${ban_icmplimit}/second ${log_icmp} counter name cnt_icmpflood drop" - [ "${ban_udplimit}" -gt "0" ] && printf "%s\n" "add rule inet banIP pre-routing meta l4proto udp ct state new limit rate over ${ban_udplimit}/second ${log_udp} counter name cnt_udpflood drop" - [ "${ban_synlimit}" -gt "0" ] && printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|ack) == syn limit rate over ${ban_synlimit}/second ${log_syn} counter name cnt_synflood drop" - printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn) == (fin|syn) ${log_tcp} counter name cnt_tcpinvalid drop" - printf "%s\n" "add rule inet banIP pre-routing tcp flags & (syn|rst) == (syn|rst) ${log_tcp} counter name cnt_tcpinvalid drop" - printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) ${log_tcp} counter name cnt_tcpinvalid drop" - printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) ${log_tcp} counter name cnt_tcpinvalid drop" + # ct state invalid + if [ "${ban_logprerouting}" = "1" ]; then + printf "%s\n" "add rule inet banIP pre-routing ct state invalid ${log_ct}" + fi + printf "%s\n" "add rule inet banIP pre-routing ct state invalid counter name cnt_ctinvalid drop" + # ICMP Flood + if [ "${ban_icmplimit}" -gt "0" ]; then + if [ "${ban_logprerouting}" = "1" ]; then + printf "%s\n" "add rule inet banIP pre-routing meta nfproto . meta l4proto { ipv4 . icmp , ipv6 . 
icmpv6 } limit rate over ${ban_icmplimit}/second ${log_icmp}" + fi + printf "%s\n" "add rule inet banIP pre-routing meta nfproto . meta l4proto { ipv4 . icmp , ipv6 . icmpv6 } limit rate over ${ban_icmplimit}/second counter name cnt_icmpflood drop" + fi + # UDP Flood + if [ "${ban_udplimit}" -gt "0" ]; then + if [ "${ban_logprerouting}" = "1" ]; then + printf "%s\n" "add rule inet banIP pre-routing meta l4proto udp ct state new limit rate over ${ban_udplimit}/second ${log_udp}" + fi + printf "%s\n" "add rule inet banIP pre-routing meta l4proto udp ct state new limit rate over ${ban_udplimit}/second counter name cnt_udpflood drop" + fi + # SYN Flood + if [ "${ban_synlimit}" -gt "0" ]; then + if [ "${ban_logprerouting}" = "1" ]; then + printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|ack) == syn limit rate over ${ban_synlimit}/second ${log_syn}" + fi + printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|ack) == syn limit rate over ${ban_synlimit}/second counter name cnt_synflood drop" + fi + # TCP Invalid + if [ "${ban_logprerouting}" = "1" ]; then + printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn) == (fin|syn) ${log_tcp}" + printf "%s\n" "add rule inet banIP pre-routing tcp flags & (syn|rst) == (syn|rst) ${log_tcp}" + printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) ${log_tcp}" + printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) ${log_tcp}" + fi + printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn) == (fin|syn) counter name cnt_tcpinvalid drop" + printf "%s\n" "add rule inet banIP pre-routing tcp flags & (syn|rst) == (syn|rst) counter name cnt_tcpinvalid drop" + printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) counter name cnt_tcpinvalid drop" + printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) 
counter name cnt_tcpinvalid drop" # default wan-input rules # @@ -683,14 +709,22 @@ f_nftinit() { printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 udp sport 547 udp dport 546 counter accept" printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } ip6 hoplimit 255 counter accept" [ -n "${allow_dport}" ] && printf "%s\n" "add rule inet banIP wan-input ${allow_dport} counter accept" - [ "${ban_loginbound}" = "1" ] && printf "%s\n" "add rule inet banIP wan-input meta mark set 1 counter jump _inbound" || printf "%s\n" "add rule inet banIP wan-input counter jump _inbound" + if [ "${ban_loginbound}" = "1" ]; then + printf "%s\n" "add rule inet banIP wan-input meta mark set 1 counter jump _inbound" + else + printf "%s\n" "add rule inet banIP wan-input counter jump _inbound" + fi # default wan-forward rules # printf "%s\n" "add rule inet banIP wan-forward iifname != { ${wan_dev} } counter accept" printf "%s\n" "add rule inet banIP wan-forward ct state established,related counter accept" [ -n "${allow_dport}" ] && printf "%s\n" "add rule inet banIP wan-forward ${allow_dport} counter accept" - [ "${ban_loginbound}" = "1" ] && printf "%s\n" "add rule inet banIP wan-forward meta mark set 2 counter jump _inbound" || printf "%s\n" "add rule inet banIP wan-forward counter jump _inbound" + if [ "${ban_loginbound}" = "1" ]; then + printf "%s\n" "add rule inet banIP wan-forward meta mark set 2 counter jump _inbound" + else + printf "%s\n" "add rule inet banIP wan-forward counter jump _inbound" + fi # default lan-forward rules # 
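Review bot: The ICMP, UDP and SYN flood blocks now carry the `limit rate over` expression twice, once on the new log-only rule and once on the drop rule, and each expression is its own token bucket; both see the same packet stream so they should normally agree, but nothing ties them together, so a packet can end up logged but not dropped (or the reverse) once the two buckets drift. If the log/verdict split has to stay, a named limit object per flood type, along the lines of `add limit inet banIP lim_icmp { rate over ${ban_icmplimit}/second; }` referenced from both rules with `limit name "lim_icmp"`, keeps a single bucket. The `ct state invalid` and TCP-invalid pairs have no rate state and are unaffected. f_nftinit starts before this hunk and continues after it.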
@@ -715,7 +749,7 @@ f_nftinit() { # handle downloads # f_down() { - local log_inbound log_outbound start_ts end_ts tmp_raw tmp_load tmp_file split_file table_json handle etag_rc etag_cnt element_count + local log_inbound log_outbound start_ts end_ts tmp_raw tmp_load tmp_file split_file table_json handles handle etag_rc etag_cnt element_count local expr cnt_set cnt_dl restore_rc feed_direction feed_policy feed_rc feed_comp feed_complete feed_target feed_dport chain flag local tmp_proto tmp_port asn country feed="${1}" proto="${2}" feed_url="${3}" feed_rule="${4}" feed_chain="${5}" feed_flag="${6}" @@ -820,8 +854,10 @@ f_down() { { for chain in _inbound _outbound; do for expr in 0 1 2; do - handle="$(printf "%s\n" "${table_json}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.chain=\"${chain}\"][@.expr[${expr}].match.right=\"@${feed}\"].handle")" - [ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP ${chain} handle ${handle}" + handles="$(printf "%s\n" "${table_json}" | "${ban_jsoncmd}" -q -e "@.nftables[@.rule.chain=\"${chain}\"][@.expr[${expr}].match.right=\"@${feed}\"].handle" | xargs)" + for handle in ${handles}; do + printf "%s\n" "delete rule inet banIP ${chain} handle ${handle}" + done done done printf "%s\n" "flush set inet banIP ${feed}" 
@@ -933,14 +969,20 @@ f_down() { printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; ${element_count}; $(f_getelements "${tmp_file}") }" if [ -z "${feed_direction##*inbound*}" ]; then if [ "${ban_allowlistonly}" = "1" ]; then - printf "%s\n" "add rule inet banIP _inbound ip saddr != @${feed} ${log_inbound} counter ${feed_target}" + if [ "${ban_loginbound}" = "1" ]; then + printf "%s\n" "add rule inet banIP _inbound ip saddr != @${feed} ${log_inbound}" + fi + printf "%s\n" "add rule inet banIP _inbound ip saddr != @${feed} counter ${feed_target}" else printf "%s\n" "add rule inet banIP _inbound ip saddr @${feed} counter accept" fi fi if [ -z "${feed_direction##*outbound*}" ]; then if [ "${ban_allowlistonly}" = "1" ]; then - printf "%s\n" "add rule inet banIP _outbound ip daddr != @${feed} ${log_outbound} counter goto _reject" + if [ "${ban_logoutbound}" = "1" ]; then + printf "%s\n" "add rule inet banIP _outbound ip daddr != @${feed} ${log_outbound}" + fi + printf "%s\n" "add rule inet banIP _outbound ip daddr != @${feed} counter goto _reject" else printf "%s\n" "add rule inet banIP _outbound ip daddr @${feed} counter accept" fi 
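Review bot: The six-line pattern "if log flag then emit log rule; emit verdict rule" is now written out by hand for v4/v6 and inbound/outbound here and again in the hunks at `@@ -952`, `@@ -988`, `@@ -1128` and `@@ -1138`, ten copies that differ only in the match expression and the verdict; a helper such as `f_nftrule "${chain}" "${match}" "${logflag}" "${logexpr}" "${verdict}"` would reduce each to one call and keep future edits to the rule shape in one place. Worth a comment near the first copy is also that, with logging enabled, every feed now costs two set lookups per packet (log rule and verdict rule) where the old single rule did one — presumably the accepted price of the split, but it is not stated anywhere. f_down starts before this hunk and continues after it.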
@@ -952,14 +994,20 @@ f_down() { printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; ${element_count}; $(f_getelements "${tmp_file}") }" if [ -z "${feed_direction##*inbound*}" ]; then if [ "${ban_allowlistonly}" = "1" ]; then - printf "%s\n" "add rule inet banIP _inbound ip6 saddr != @${feed} ${log_inbound} counter ${feed_target}" + if [ "${ban_loginbound}" = "1" ]; then + printf "%s\n" "add rule inet banIP _inbound ip6 saddr != @${feed} ${log_inbound}" + fi + printf "%s\n" "add rule inet banIP _inbound ip6 saddr != @${feed} counter ${feed_target}" else printf "%s\n" "add rule inet banIP _inbound ip6 saddr @${feed} counter accept" fi fi if [ -z "${feed_direction##*outbound*}" ]; then if [ "${ban_allowlistonly}" = "1" ]; then - printf "%s\n" "add rule inet banIP _outbound ip6 daddr != @${feed} ${log_outbound} counter ${feed_target}" + if [ "${ban_logoutbound}" = "1" ]; then + printf "%s\n" "add rule inet banIP _outbound ip6 daddr != @${feed} ${log_outbound}" + fi + printf "%s\n" "add rule inet banIP _outbound ip6 daddr != @${feed} counter ${feed_target}" else printf "%s\n" "add rule inet banIP _outbound ip6 daddr @${feed} counter accept" fi 
@@ -988,16 +1036,36 @@ f_down() { "${ban_awkcmd}" '/^127\./{next}/^(([1-9][0-9]?[0-9]?\.){1}([0-9]{1,3}\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]].*|$)/{printf "%s,\n",$1}' "${ban_blocklist}" | "${ban_awkcmd}" '{ORS=" ";print}' >"${tmp_file}" printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval, timeout; auto-merge; policy ${ban_nftpolicy}; ${element_count}; $(f_getelements "${tmp_file}") }" - [ -z "${feed_direction##*inbound*}" ] && printf "%s\n" "add rule inet banIP _inbound ip saddr @${feed} ${log_inbound} counter ${feed_target}" - [ -z "${feed_direction##*outbound*}" ] && printf "%s\n" "add rule inet banIP _outbound ip daddr @${feed} ${log_outbound} counter goto _reject" + if [ -z "${feed_direction##*inbound*}" ]; then + if [ "${ban_loginbound}" = "1" ]; then + printf "%s\n" "add rule inet banIP _inbound ip saddr @${feed} ${log_inbound}" + fi + printf "%s\n" "add rule inet banIP _inbound ip saddr @${feed} counter ${feed_target}" + fi + if [ -z "${feed_direction##*outbound*}" ]; then + if [ "${ban_logoutbound}" = "1" ]; then + printf "%s\n" "add rule inet banIP _outbound ip daddr @${feed} ${log_outbound}" + fi + printf "%s\n" "add rule inet banIP _outbound ip daddr @${feed} counter goto _reject" + fi ;; "6") "${ban_awkcmd}" '!/^([0-9A-f]{2}:){5}[0-9A-f]{2}.*/{printf "%s\n",$1}' "${ban_blocklist}" | "${ban_awkcmd}" '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]].*|$)/{printf "%s,\n",tolower($1)}' | "${ban_awkcmd}" '{ORS=" ";print}' >"${tmp_file}" printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval, timeout; auto-merge; policy ${ban_nftpolicy}; ${element_count}; $(f_getelements "${tmp_file}") }" - [ -z "${feed_direction##*inbound*}" ] && printf "%s\n" "add rule inet banIP _inbound ip6 saddr @${feed} ${log_inbound} counter ${feed_target}" - [ -z "${feed_direction##*outbound*}" ] && printf "%s\n" "add rule inet banIP _outbound ip6 daddr @${feed} 
${log_outbound} counter goto _reject" + if [ -z "${feed_direction##*inbound*}" ]; then + if [ "${ban_loginbound}" = "1" ]; then + printf "%s\n" "add rule inet banIP _inbound ip6 saddr @${feed} ${log_inbound}" + fi + printf "%s\n" "add rule inet banIP _inbound ip6 saddr @${feed} counter ${feed_target}" + fi + if [ -z "${feed_direction##*outbound*}" ]; then + if [ "${ban_logoutbound}" = "1" ]; then + printf "%s\n" "add rule inet banIP _outbound ip6 daddr @${feed} ${log_outbound}" + fi + printf "%s\n" "add rule inet banIP _outbound ip6 daddr @${feed} counter goto _reject" + fi ;; esac } >"${tmp_nft}" @@ -1128,8 +1196,18 @@ f_down() { printf "%s\n\n" "#!${ban_nftcmd} -f" [ -s "${tmp_flush}" ] && "${ban_catcmd}" "${tmp_flush}" printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; ${element_count}; $(f_getelements "${tmp_file}.1") }" - [ -z "${feed_direction##*inbound*}" ] && printf "%s\n" "add rule inet banIP _inbound ${feed_dport} ip saddr @${feed} ${log_inbound} counter ${feed_target}" - [ -z "${feed_direction##*outbound*}" ] && printf "%s\n" "add rule inet banIP _outbound ${feed_dport} ip daddr @${feed} ${log_outbound} counter goto _reject" + if [ -z "${feed_direction##*inbound*}" ]; then + if [ "${ban_loginbound}" = "1" ]; then + printf "%s\n" "add rule inet banIP _inbound ${feed_dport} ip saddr @${feed} ${log_inbound}" + fi + printf "%s\n" "add rule inet banIP _inbound ${feed_dport} ip saddr @${feed} counter ${feed_target}" + fi + if [ -z "${feed_direction##*outbound*}" ]; then + if [ "${ban_logoutbound}" = "1" ]; then + printf "%s\n" "add rule inet banIP _outbound ${feed_dport} ip daddr @${feed} ${log_outbound}" + fi + printf "%s\n" "add rule inet banIP _outbound ${feed_dport} ip daddr @${feed} counter goto _reject" + fi } >"${tmp_nft}" elif [ "${proto}" = "6" ]; then { 
@@ -1138,8 +1216,18 @@ f_down() { printf "%s\n\n" "#!${ban_nftcmd} -f" [ -s "${tmp_flush}" ] && "${ban_catcmd}" "${tmp_flush}" printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; ${element_count}; $(f_getelements "${tmp_file}.1") }" - [ -z "${feed_direction##*inbound*}" ] && printf "%s\n" "add rule inet banIP _inbound ${feed_dport} ip6 saddr @${feed} ${log_inbound} counter ${feed_target}" - [ -z "${feed_direction##*outbound*}" ] && printf "%s\n" "add rule inet banIP _outbound ${feed_dport} ip6 daddr @${feed} ${log_outbound} counter goto _reject" + if [ -z "${feed_direction##*inbound*}" ]; then + if [ "${ban_loginbound}" = "1" ]; then + printf "%s\n" "add rule inet banIP _inbound ${feed_dport} ip6 saddr @${feed} ${log_inbound}" + fi + printf "%s\n" "add rule inet banIP _inbound ${feed_dport} ip6 saddr @${feed} counter ${feed_target}" + fi + if [ -z "${feed_direction##*outbound*}" ]; then + if [ "${ban_logoutbound}" = "1" ]; then + printf "%s\n" "add rule inet banIP _outbound ${feed_dport} ip6 daddr @${feed} ${log_outbound}" + fi + printf "%s\n" "add rule inet banIP _outbound ${feed_dport} ip6 daddr @${feed} counter goto _reject" + fi } >"${tmp_nft}" fi fi @@ -1219,7 +1307,7 @@ f_restore() { # remove staled Sets # f_rmset() { - local feedlist tmp_del table_json feed country asn table_sets handle expr del_set feed_rc + local feedlist tmp_del table_json feed country asn table_sets handles handle expr del_set feed_rc f_getfeed json_get_keys feedlist 
@@ -1258,8 +1346,10 @@ f_rmset() { rm -f "${ban_backupdir}/banIP.${feed}.gz" for chain in _inbound _outbound; do for expr in 0 1 2; do - handle="$(printf "%s\n" "${table_json}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.chain=\"${chain}\"][@.expr[${expr}].match.right=\"@${feed}\"].handle")" - [ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP ${chain} handle ${handle}" + handles="$(printf "%s\n" "${table_json}" | "${ban_jsoncmd}" -q -e "@.nftables[@.rule.chain=\"${chain}\"][@.expr[${expr}].match.right=\"@${feed}\"].handle" | xargs)" + for handle in ${handles}; do + printf "%s\n" "delete rule inet banIP ${chain} handle ${handle}" + done done done printf "%s\n" "flush set inet banIP ${feed}" @@ -1312,7 +1402,8 @@ f_genstatus() { json_init json_load_file "${ban_rtfile}" >/dev/null 2>&1 json_add_string "status" "${status}" - json_add_string "version" "${ban_ver}" + json_add_string "frontend_ver" "${ban_fver}" + json_add_string "backend_ver" "${ban_bver}" json_add_string "element_count" "${element_cnt} (chains: ${chain_cnt:-"0"}, sets: ${set_cnt:-"0"}, rules: ${rule_cnt:-"0"})" json_add_array "active_feeds" for object in ${table_sets:-"-"}; do @@ -1765,6 +1856,9 @@ f_report() { [ -n "${ban_mailreceiver}" ] && [ -x "${ban_mailcmd}" ] && f_mail : >"${report_txt}" ;; + *) + : >"${report_txt}" + ;; esac } diff --git a/net/banip/files/banip-service.sh b/net/banip/files/banip-service.sh index 6d786b10b9..f2838e4fa2 100755 --- a/net/banip/files/banip-service.sh +++ b/net/banip/files/banip-service.sh 
@@ -9,13 +9,13 @@ ban_action="${1}" ban_starttime="$(date "+%s")" ban_funlib="/usr/lib/banip-functions.sh" -[ -z "${ban_ver}" ] && . "${ban_funlib}" +[ -z "${ban_bver}" ] && . "${ban_funlib}" # load config and set banIP environment # [ "${ban_action}" = "boot" ] && sleep "$(uci_get banip global ban_triggerdelay "20")" f_conf -f_log "info" "start banIP processing (${ban_action}, ${ban_ver:-"n/a"})" +f_log "info" "start banIP processing (${ban_action}, ${ban_bver:-"n/a"})" f_genstatus "processing" f_tmp f_getfetch diff --git a/net/banip/files/banip.feeds b/net/banip/files/banip.feeds index f3f7507d48..5e1c624467 100644 --- a/net/banip/files/banip.feeds +++ b/net/banip/files/banip.feeds @@ -62,13 +62,22 @@ "chain": "in", "descr": "fail2ban IP blocklist" }, + "dns":{ + "url_4": "https://public-dns.info/nameservers-all.txt", + "url_6": "https://public-dns.info/nameservers-all.txt", + "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", + "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}", + "chain": "out", + "descr": "public DNS-Server", + "flag": "tcp udp 53 853" + }, "doh":{ "url_4": "https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv4.txt", "url_6": "https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv6.txt", "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)[[:space:]]/{printf \"%s,\\n\",$1}", "chain": "out", - "descr": "public DoH-Provider", + "descr": "public DoH-Server", "flag": "tcp udp 80 443" }, "drop":{
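Review bot: `rule_6` of the new dns feed (copied from the doh entry) uses the character class `[0-9A-f]`, and in ASCII the range `A-f` also covers `G`–`Z`, `[`, `\`, `]`, `^`, `_` and the backtick, so the pattern is looser than the hexadecimal it means; `[0-9A-Fa-f]` is the intended class. Unlike the v6 blocklist path in banip-functions.sh this rule also prints `$1` without `tolower`, so an upper-case entry is handed to nft as-is — presumably accepted, but worth confirming. `url_4` and `url_6` point at the same nameservers-all.txt, so the file is downloaded twice per run unless the fetch path caches it; a note in the entry saying this is deliberate would save the next reader the question.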