From: Dirk Brenken Date: Sat, 28 Jun 2025 20:10:34 +0000 (+0200) Subject: banIP: update 1.5.6-6 X-Git-Url: http://git.openwrt.org/?a=commitdiff_plain;h=d2599fb6b6bed89f254496e391c3bc6372b33876;p=feed%2Fpackages.git banIP: update 1.5.6-6 * limit nft logging to a rate 10/second to prevent possible log-flooding * skip external feed processing if "allowlist-only" mode is fully enabled (in in- and outbound) * remove needless default icmpv6 rule in wan-input * refine the housekeeping script (uci-defaults) * readme update Signed-off-by: Dirk Brenken
---
diff --git a/net/banip/Makefile b/net/banip/Makefile
index e0fcaa651c..fe9b4bdcc7 100644
--- a/net/banip/Makefile
+++ b/net/banip/Makefile
@@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=banip
 PKG_VERSION:=1.5.6
-PKG_RELEASE:=5
+PKG_RELEASE:=6
 PKG_LICENSE:=GPL-3.0-or-later
 PKG_MAINTAINER:=Dirk Brenken
diff --git a/net/banip/files/95-banip-housekeeping b/net/banip/files/95-banip-housekeeping
index 55b2439e69..1ca7a3cbad 100755
--- a/net/banip/files/95-banip-housekeeping
+++ b/net/banip/files/95-banip-housekeeping
@@ -9,23 +9,28 @@ export LC_ALL=C
 export PATH="/usr/sbin:/usr/bin:/sbin:/bin"
 config="banip"
-old_options="ban_loginput ban_logforwardwan ban_logforwardlan ban_blockinput ban_blockforwardwan ban_blockforwardlan"
+old_options="ban_loginput ban_logforwardwan ban_logforwardlan ban_blockinput ban_blockforwardwan ban_blockforwardlan ban_blocktype ban_blockpolicy"
 for option in ${old_options}; do
- if uci -q get ${config}.global.${option} >/dev/null 2>&1; then
- old_values="$(uci -q get "${config}.global.${option}")"
- for value in ${old_values}; do
- case "${option}" in
- "ban_loginput" | "ban_logforwardwan")
- uci -q set "${config}".global.ban_loginbound="${value}"
- ;;
- "ban_logforwardlan")
- uci -q set "${config}".global.ban_logoutbound="${value}"
- ;;
- esac
- done
- uci -q delete "${config}.global.${option}"
- fi
+ old_values="$(uci -q get "${config}.global.${option}" 2>/dev/null)"
+ for value in ${old_values}; do
+ case "${option}" in
+ "ban_loginput" | "ban_logforwardwan")
+ uci -q set "${config}".global.ban_loginbound="${value}"
+ ;;
+ "ban_logforwardlan")
+ uci -q set "${config}".global.ban_logoutbound="${value}"
+ ;;
+ "ban_blockpolicy")
+ if printf "%s" "${old_values}" | grep -qw "input\|forwardwan\|forwardlan"; then
+ break
+ else
+ continue 2
+ fi
+ ;;
+ esac
+ done
+ uci -q delete "${config}.global.${option}"
 done
 [ -n "$(uci -q changes "${config}")" ] && uci -q commit "${config}"
 exit 0
diff --git a/net/banip/files/README.md b/net/banip/files/README.md
index 6ac676c803..6a95bbcaf7 100644
--- a/net/banip/files/README.md
+++ b/net/banip/files/README.md
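Review bot: The `ban_blockpolicy` arm tests the whole `${old_values}` string rather than the current `${value}`, so its outcome is identical on every pass of the inner loop; evaluating it once before `for value in ${old_values}; do` and deciding there whether to delete or keep the option would express the same thing without the `break`/`continue 2` pair. The pattern `"input\|forwardwan\|forwardlan"` also leans on `\|` alternation inside a basic regex, a GNU extension that a smaller grep/regex implementation may not honour; `grep -qwE "input|forwardwan|forwardlan"` is the portable spelling. A one-line comment above the arm would help the next reader, e.g. `# legacy chain names (input/forwardwan/forwardlan) in ban_blockpolicy are dropped, any other value is kept`.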
@@ -482,6 +482,16 @@ C8:C2:9B:F7:80:12 192.168.1.10 => this will be populated to
 C8:C2:9B:F7:80:12 => this will be populated to v6MAC-Set with the IP-wildcard ::/0
 ```
+**MAC-address logging in nftables**
+The MAC-address logging format in nftables is a little bit unusual. It is generated by the kernel's NF_LOG module and places all MAC-related data into one flat field, without separators or labels. For example, the field MAC=7e:1a:2f:fc:ee:29:68:34:21:1f:a7:b1:08:00 is actually a concatenation of the following:
+
+```
+[Source MAC (6 bytes)] + [Destination MAC (6 bytes)] + [EtherType (2 bytes)]
+7e:1a:2f:fc:ee:29 → the source MAC address
+68:34:21:1f:a7:b1 → the destination MAC address
+08:00 → the EtherType for IPv4 (0x0800)
+```
+
 **Set reporting, enable the GeoIP Map**
 banIP includes a powerful reporting tool on the Set Reporting tab which shows the latest NFT banIP Set statistics. To get the latest statistics always press the "Refresh" button. In addition to a tabular overview banIP reporting includes a GeoIP map in a modal popup window/iframe that shows the geolocation of your own uplink addresses (in green) and the locations of potential attackers (in red).
 To enable the GeoIP Map set the following options (in "Feed/Set Settings" config tab):
diff --git a/net/banip/files/banip-functions.sh b/net/banip/files/banip-functions.sh
index 901b5797e4..fc15f12981 100644
--- a/net/banip/files/banip-functions.sh
+++ b/net/banip/files/banip-functions.sh
@@ -620,11 +620,11 @@ f_nftinit() {
 fi
 if [ "${ban_logprerouting}" = "1" ]; then
- log_icmp="log level ${ban_nftloglevel} prefix \"banIP/pre-icmp/drop: \""
- log_syn="log level ${ban_nftloglevel} prefix \"banIP/pre-syn/drop: \""
- log_udp="log level ${ban_nftloglevel} prefix \"banIP/pre-udp/drop: \""
- log_tcp="log level ${ban_nftloglevel} prefix \"banIP/pre-tcp/drop: \""
- log_ct="log level ${ban_nftloglevel} prefix \"banIP/pre-ct/drop: \""
+ log_icmp="log level ${ban_nftloglevel} prefix \"banIP/pre-icmp/drop: \" limit rate 10/second"
+ log_syn="log level ${ban_nftloglevel} prefix \"banIP/pre-syn/drop: \" limit rate 10/second"
+ log_udp="log level ${ban_nftloglevel} prefix \"banIP/pre-udp/drop: \" limit rate 10/second"
+ log_tcp="log level ${ban_nftloglevel} prefix \"banIP/pre-tcp/drop: \" limit rate 10/second"
+ log_ct="log level ${ban_nftloglevel} prefix \"banIP/pre-ct/drop: \" limit rate 10/second"
 fi
 {
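Review bot: Appending `limit rate 10/second` after the `log` statement does not limit the logging: nftables evaluates a rule's statements left to right, `log` is non-terminating and fires first, and a `limit` whose rate is exceeded ends evaluation of that rule without a verdict. If these strings are expanded in front of the `counter drop` verdict of the pre-* rules, as their `/drop:` prefixes suggest (that part of f_nftinit is outside the hunk), the effect is the reverse of the intended one: every packet is still logged, and packets above 10/s skip the drop and fall through to the rules after it. The limit has to precede the log, and because an exceeded limit also ends the rule, the log needs to be its own rule ahead of the drop rule, e.g. `log_icmp="limit rate 10/second log level ${ban_nftloglevel} prefix \"banIP/pre-icmp/drop: \""` emitted as a separate `add rule` immediately before the matching `counter drop` rule. The f_down hunk at @@ -728 (log_inbound/log_outbound) has the same ordering.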
@@ -677,8 +677,7 @@ f_nftinit() {
 printf "%s\n" "add rule inet banIP wan-input ct state established,related counter accept"
 printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv4 udp sport 67-68 udp dport 67-68 counter accept"
 printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 udp sport 547 udp dport 546 counter accept"
- printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} ip6 hoplimit 1 counter accept"
- printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} ip6 hoplimit 255 counter accept"
+ printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } ip6 hoplimit 255 counter accept"
 [ -n "${allow_dport}" ] && printf "%s\n" "add rule inet banIP wan-input ${allow_dport} counter accept"
 [ "${ban_loginbound}" = "1" ] && printf "%s\n" "add rule inet banIP wan-input meta mark set 1 counter jump _inbound" || printf "%s\n" "add rule inet banIP wan-input counter jump _inbound"
@@ -728,8 +727,8 @@ f_down() {
 # set log target
 #
- [ "${ban_loginbound}" = "1" ] && log_inbound="log level ${ban_nftloglevel} prefix \"banIP/inbound/${ban_blockpolicy}/${feed}: \""
- [ "${ban_logoutbound}" = "1" ] && log_outbound="log level ${ban_nftloglevel} prefix \"banIP/outbound/reject/${feed}: \""
+ [ "${ban_loginbound}" = "1" ] && log_inbound="log level ${ban_nftloglevel} prefix \"banIP/inbound/${ban_blockpolicy}/${feed}: \" limit rate 10/second"
+ [ "${ban_logoutbound}" = "1" ] && log_outbound="log level ${ban_nftloglevel} prefix \"banIP/outbound/reject/${feed}: \" limit rate 10/second"
 # set feed target
 #
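Review bot: The surviving neighbour-discovery accept rule carries no comment saying why `ip6 hoplimit 255` is the only value it admits, which is exactly what a reader needs in order to see that dropping the hop-limit-1 twin lost nothing. A line above the printf such as `# RFC 4861 requires ND messages to arrive with hop limit 255 and receivers to discard anything else, so only that value needs an accept` would record the reasoning. f_nftinit continues outside the hunk.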
@@ -1229,7 +1228,10 @@ f_rmset() {
 if ! printf "%s" "allowlist blocklist ${ban_feed}" | "${ban_grepcmd}" -q "${feed%.*}" ||
 ! printf "%s" "allowlist blocklist ${feedlist}" | "${ban_grepcmd}" -q "${feed%.*}" ||
 { [ "${feed%.*}" = "country" ] && [ "${ban_countrysplit}" = "1" ]; } ||
- { [ "${feed%.*}" = "asn" ] && [ "${ban_asnsplit}" = "1" ]; }; then
+ { [ "${feed%.*}" = "asn" ] && [ "${ban_asnsplit}" = "1" ]; } ||
+ { [ "${feed%.*}" != "allowlist" ] && [ "${feed%.*}" != "blocklist" ] && [ "${ban_allowlistonly}" = "1" ] &&
+ ! printf "%s" "${ban_feedin}" | "${ban_grepcmd}" -q "allowlist" &&
+ ! printf "%s" "${ban_feedout}" | "${ban_grepcmd}" -q "allowlist"; }; then
 case "${feed%%.*}" in
 "country")
 country="${feed%.*}"
diff --git a/net/banip/files/banip-service.sh b/net/banip/files/banip-service.sh
index f8860786e6..6d786b10b9 100755
--- a/net/banip/files/banip-service.sh
+++ b/net/banip/files/banip-service.sh
@@ -58,6 +58,14 @@ for feed in allowlist ${ban_feed} blocklist; do
 continue
 fi
+ # skip external feeds in allowlistonly mode
+ #
+ if [ "${ban_allowlistonly}" = "1" ] &&
+ ! printf "%s" "${ban_feedin}" | "${ban_grepcmd}" -q "allowlist" &&
+ ! printf "%s" "${ban_feedout}" | "${ban_grepcmd}" -q "allowlist"; then
+ continue
+ fi
+
 # external feeds (parallel processing on multicore hardware)
 #
 if ! json_select "${feed}" >/dev/null 2>&1; then
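Review bot: The allowlist-only test is written out twice, once in f_rmset here and again in the banip-service.sh hunk at @@ -58, with the same three-term `&&` chain in both; a small helper next to f_rmset, e.g. `f_allowlistonly() { [ "${ban_allowlistonly}" = "1" ] && ! printf "%s" "${ban_feedin}" | "${ban_grepcmd}" -q "allowlist" && ! printf "%s" "${ban_feedout}" | "${ban_grepcmd}" -q "allowlist"; }`, would keep the two callers from drifting apart (the service script presumably already sources these f_* helpers). Note that only the f_rmset copy excludes `allowlist`/`blocklist` by name; the service-side copy relies on the preceding branch having already `continue`d for those two feeds, which is worth stating in its comment. Both copies also match `allowlist` as a bare substring of `ban_feedin`/`ban_feedout`; `-qw` would make the test exact should a feed name ever contain that string. f_rmset starts outside the hunk.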