From 764a77acfdc2df4acbc7bf6fcafea792da190876 Mon Sep 17 00:00:00 2001 From: Dirk Brenken Date: Fri, 7 Mar 2025 13:25:54 +0100 Subject: [PATCH] banIP: update 1.5.3-3 * fix a race condition in the process scheduler * sync the banIP country file with ipdeny feed * refine etag handling with country/asn feeds * refine logging with country/asn feeds * refine the banIP status output (incl. LuCI changes) Signed-off-by: Dirk Brenken --- net/banip/Makefile | 2 +- net/banip/files/README.md | 12 ++++++------ net/banip/files/banip-functions.sh | 30 ++++++++++-------------------- net/banip/files/banip-service.sh | 24 ++++++++++++------------ net/banip/files/banip.countries | 11 ++--------- net/banip/files/banip.init | 2 +- 6 files changed, 32 insertions(+), 49 deletions(-) diff --git a/net/banip/Makefile b/net/banip/Makefile index 6a8407dde2..32f2e111a6 100644 --- a/net/banip/Makefile +++ b/net/banip/Makefile @@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=banip PKG_VERSION:=1.5.3 -PKG_RELEASE:=2 +PKG_RELEASE:=3 PKG_LICENSE:=GPL-3.0-or-later PKG_MAINTAINER:=Dirk Brenken diff --git a/net/banip/files/README.md b/net/banip/files/README.md index b9fa191801..73b5e75bef 100644 --- a/net/banip/files/README.md +++ b/net/banip/files/README.md 
@@ -279,16 +279,16 @@ Available commands: ~# /etc/init.d/banip status ::: banIP runtime information + status : active (nft: ✔, monitor: ✔) - + version : 1.5.3-r1 - + element_count : 96 031 (chains: 7, sets: 18, rules: 46) - + active_feeds : allowlist.v4MAC, allowlist.v6MAC, allowlist.v4, allowlist.v6, cinsscore.v4, country.v6, debl.v4, doh.v6, debl.v6, doh.v4, turris.v6, country.v4, threat.v4, turris.v4, blocklist.v4MAC, blocklist.v6MAC, blocklist.v4, blocklist.v6 + + version : 1.5.3-r3 + + element_count : 91 763 (chains: 7, sets: 18, rules: 46) + + active_feeds : allowlist.v4MAC, allowlist.v6MAC, allowlist.v4, allowlist.v6, cinsscore.v4, debl.v4, debl.v6, doh.v6, doh.v4, threat.v4, turris.v4, country.v4, turris.v6, country.v6, blocklist.v4MAC, blocklist.v6MAC, blocklist.v4, blocklist.v6 + active_devices : wan: pppoe-wan / wan-if: wan, wan_6 / vlan-allow: - / vlan-block: - + active_uplink : 91.61.217.158, 2001:fc:37ff:f64:b513:16dd:6903:7710 - + nft_info : ver: 1.1.1-r1, priority: -100, policy: performance, loglevel: warn, expiry: 2h, limit (icmp/syn/udp): 10/10/100 + + nft_info : ver: 1.1.1-r1, priority: -100, policy: performance, loglevel: warn, expiry: 2h, limit (icmp/syn/udp): 25/10/100 + run_info : base: /mnt/data/banIP, backup: /mnt/data/banIP/backup, report: /mnt/data/banIP/report, error: /mnt/data/banIP/error + run_flags : auto: ✔, proto (4/6): ✔/✔, log (pre/in/out): ✘/✘/✘, count: ✔, dedup: ✔, split: ✘, custom feed: ✘, allowed only: ✘ - + last_run : mode: restart, duration: 0m 19s, memory: 1331.10 MB available, 1.75 MB max. used, cores: 4, log: logread, fetch: curl - + system_info : 2025-02-28 13:29:29, Bananapi BPI-R3, mediatek/filogic, OpenWrt SNAPSHOT r28906-d6977ab33a + + last_run : 2025-03-07 13:08:56, duration: 1m 12s, mode: reload, memory: 1325.18 MB available, 1.88 MB max. used + + system_info : cores: 4, log: logread, fetch: curl, Bananapi BPI-R3, mediatek/filogic, OpenWrt SNAPSHOT r28926-9a7192c08e ``` **banIP search information** 
diff --git a/net/banip/files/banip-functions.sh b/net/banip/files/banip-functions.sh index 979506f49e..e3b2a72bc7 100644 --- a/net/banip/files/banip-functions.sh +++ b/net/banip/files/banip-functions.sh @@ -828,33 +828,23 @@ f_down() { etag_rc="0" case "${feed%%.*}" in "country") - if [ "${ban_countrysplit}" = "0" ]; then - for country in ${ban_country}; do - f_etag "${feed}" "${feed_url}${country}-aggregated.zone" ".${country}" - rc="${?}" - etag_rc="$((etag_rc + rc))" - [ "${rc}" = "4" ] && break - done - else + if [ "${ban_countrysplit}" = "1" ]; then country="${feed%.*}" country="${country#*.}" f_etag "${feed}" "${feed_url}${country}-aggregated.zone" ".${country}" etag_rc="${?}" + else + etag_rc="4" fi ;; "asn") - if [ "${ban_asnsplit}" = "0" ]; then - for asn in ${ban_asn}; do - f_etag "${feed}" "${feed_url}AS${asn}" ".${asn}" - rc="${?}" - etag_rc="$((etag_rc + rc))" - [ "${rc}" = "4" ] && break - done - else + if [ "${ban_asnsplit}" = "1" ]; then asn="${feed%.*}" asn="${asn#*.}" f_etag "${feed}" "${feed_url}AS${asn}" ".${asn}" etag_rc="${?}" + else + etag_rc="4" fi ;; *) @@ -1007,7 +997,7 @@ f_down() { feed_rc="${?}" fi else - f_log "info" "download for feed '${feed%%.*}/${country}' failed" + f_log "info" "download for feed '${feed}/${country}' failed" fi done : >"${tmp_raw}" @@ -1031,7 +1021,7 @@ f_down() { feed_rc="${?}" fi else - f_log "info" "download for feed '${feed%%.*}/${asn}' failed" + f_log "info" "download for feed '${feed}/${asn}' failed" fi done : >"${tmp_raw}" 
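Review bot: The two new `else` branches in f_down's `country` and `asn` cases set `etag_rc="4"` as a bare literal, and nothing in the hunk says what that code means. Going by the removed loop, which broke out on `rc = 4`, it presumably marks "no usable etag, download again", so unsplit country and ASN feeds would now be fetched in full on every run instead of being validated per zone. If that is intended, say so next to both assignments, e.g. `# unsplit feed: no per-zone etag check, always force a fresh download`. f_down begins and ends outside this hunk, so how `etag_rc` is consumed afterwards is not visible here.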
@@ -1290,7 +1280,7 @@ f_genstatus() { end_time="$(date "+%s")" duration="$(((end_time - ban_starttime) / 60))m $(((end_time - ban_starttime) % 60))s" fi - runtime="mode: ${ban_action:-"-"}, duration: ${duration:-"-"}, memory: ${mem_free} MB available, ${mem_max} MB max. used, cores: ${ban_cores}, log: ${ban_logreadcmd##*/}, fetch: ${ban_fetchcmd##*/}" + runtime="$(date "+%Y-%m-%d %H:%M:%S"), duration: ${duration:-"-"}, mode: ${ban_action:-"-"}, memory: ${mem_free} MB available, ${mem_max} MB max. used" fi [ -s "${ban_customfeedfile}" ] && custom_feed="1" [ "${ban_splitsize:-"0"}" -gt "0" ] && split="1" @@ -1335,7 +1325,7 @@ f_genstatus() { json_add_string "run_info" "base: ${ban_basedir}, backup: ${ban_backupdir}, report: ${ban_reportdir}, error: ${ban_errordir}" json_add_string "run_flags" "auto: $(f_char ${ban_autodetect}), proto (4/6): $(f_char ${ban_protov4})/$(f_char ${ban_protov6}), log (pre/in/out): $(f_char ${ban_logprerouting})/$(f_char ${ban_loginbound})/$(f_char ${ban_logoutbound}), count: $(f_char ${ban_nftcount}), dedup: $(f_char ${ban_deduplicate}), split: $(f_char ${split}), custom feed: $(f_char ${custom_feed}), allowed only: $(f_char ${ban_allowlistonly})" json_add_string "last_run" "${runtime:-"-"}" - json_add_string "system_info" "$(date "+%Y-%m-%d %H:%M:%S"), ${ban_sysver}" + json_add_string "system_info" "cores: ${ban_cores}, log: ${ban_logreadcmd##*/}, fetch: ${ban_fetchcmd##*/}, ${ban_sysver}" json_dump >"${ban_rtfile}" } diff --git a/net/banip/files/banip-service.sh b/net/banip/files/banip-service.sh index 4dbaed78cb..b97e620cf9 100755 --- a/net/banip/files/banip-service.sh +++ b/net/banip/files/banip-service.sh 
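Review bot: The `last_run` string built in f_genstatus now starts with `$(date "+%Y-%m-%d %H:%M:%S")`, a local time with no UTC offset, which makes it harder to line up a banIP run with firewall or syslog entries collected from other hosts. Consider `$(date "+%Y-%m-%d %H:%M:%S %z")`, provided the consumers of the status file (the commit mentions LuCI changes) do not parse the field positionally. f_genstatus starts and ends outside the hunk.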
@@ -94,15 +94,15 @@ for feed in allowlist ${ban_feed} blocklist; do f_down "${feed}.${asn}" "4" "${feed_url_4}" "${feed_rule_4}" "${feed_chain:-"in"}" "${feed_flag}" done else - (f_down "${feed}" "4" "${feed_url_4}" "${feed_rule_4}" "${feed_chain:-"in"}" "${feed_flag}") & - fi - if [ "${feed_url_4}" = "${feed_url_6}" ]; then - feed_url_6="local" - wait -n - else - hold="$((cnt % ban_cores))" - [ "${hold}" = "0" ] && wait -n - cnt="$((cnt + 1))" + if [ "${feed_url_4}" = "${feed_url_6}" ]; then + feed_url_6="local" + f_down "${feed}" "4" "${feed_url_4}" "${feed_rule_4}" "${feed_chain:-"in"}" "${feed_flag}" + else + (f_down "${feed}" "4" "${feed_url_4}" "${feed_rule_4}" "${feed_chain:-"in"}" "${feed_flag}") & + hold="$((cnt % ban_cores))" + [ "${hold}" = "0" ] && wait -n + cnt="$((cnt + 1))" + fi fi fi if [ "${ban_protov6}" = "1" ] && [ -n "${feed_url_6}" ] && [ -n "${feed_rule_6}" ]; then @@ -116,10 +116,10 @@ for feed in allowlist ${ban_feed} blocklist; do done else (f_down "${feed}" "6" "${feed_url_6}" "${feed_rule_6}" "${feed_chain:-"in"}" "${feed_flag}") & + cnt="$((cnt + 1))" + hold="$((cnt % ban_cores))" + [ "${hold}" = "0" ] && wait -n fi - cnt="$((cnt + 1))" - hold="$((cnt % ban_cores))" - [ "${hold}" = "0" ] && wait -n fi done f_rmset diff --git a/net/banip/files/banip.countries b/net/banip/files/banip.countries index 5c0aa00b86..99e8dfc88c 100644 --- a/net/banip/files/banip.countries +++ b/net/banip/files/banip.countries @@ -1,4 +1,5 @@ af APNIC Afghanistan +ap AFRINIC ARIPO ax RIPE Åland Islands al RIPE Albania dz AFRINIC Algeria @@ -28,7 +29,6 @@ bo LACNIC Bolivia bq LACNIC Bonaire ba RIPE Bosnia & Herzegowina bw AFRINIC Botswana -bv ARIN Bouvet Island br LACNIC Brazil io APNIC British Indian Ocean Territory bn APNIC Brunei @@ -44,7 +44,6 @@ cf AFRINIC Central African Republic td AFRINIC Chad cl LACNIC Chile cn APNIC China -cx APNIC Christmas Island cc APNIC Cocos Islands co LACNIC Colombia km AFRINIC Comoros 
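Review bot: The throttle in the new v4 `else` branch tests `hold` before incrementing `cnt`, while the v6 branch in the next hunk increments first and tests afterwards. For a feed with distinct v4 and v6 URLs the two checks then see `cnt` values two apart, so, depending on the start value of `cnt` (set outside the hunk), `cnt % ban_cores` may rarely or never reach 0 for an even `ban_cores`, and the number of parallel f_down subshells is then not really bounded; on a small router that is a memory-exhaustion risk during a reload. Using the same order in both places, `cnt="$((cnt + 1))"` followed by `hold="$((cnt % ban_cores))"` and `[ "${hold}" = "0" ] && wait -n`, would make the limit predictable. The synchronous `f_down` call for shared URLs also runs in the main shell rather than a subshell, so any variable f_down sets without `local` persists into the loop; that should be confirmed against f_down's body, which is not shown here.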
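Review bot: The added row `ap AFRINIC ARIPO` looks mislabelled: in registry delegation data the `AP` code is normally the Asia/Pacific regional bucket maintained by APNIC, whereas ARIPO is the ISO reserved-code name of an African patent organisation. If banIP uses the second column to expand a region selection into country zones, an AFRINIC selection would then pull in Asia/Pacific prefixes and an APNIC selection would miss them. Please check what the ipdeny `ap` zone actually contains and, if it is the regional bucket, label the row accordingly, for example `ap APNIC Asia/Pacific Region`.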
@@ -70,6 +69,7 @@ er AFRINIC Eritrea ee RIPE Estonia sz AFRINIC Eswatini et AFRINIC Ethiopia +eu RIPE European Union fk LACNIC Falkland Islands fo RIPE Faroe Islands fj APNIC Fiji @@ -77,7 +77,6 @@ fi RIPE Finland fr RIPE France gf LACNIC French Guiana pf APNIC French Polynesia -tf APNIC French Southern Territories ga AFRINIC Gabon gm AFRINIC Gambia ge RIPE Georgia @@ -95,7 +94,6 @@ gn AFRINIC Guinea gw AFRINIC Guinea-Bissau gy LACNIC Guyana ht LACNIC Haiti -hm ARIN Heard & McDonald Islands hn LACNIC Honduras hk APNIC Hong Kong hu RIPE Hungary @@ -172,7 +170,6 @@ pg APNIC Papua New Guinea py LACNIC Paraguay pe LACNIC Peru ph APNIC Philippines -pn APNIC Pitcairn pl RIPE Poland pt RIPE Portugal pr ARIN Puerto Rico @@ -181,7 +178,6 @@ re AFRINIC Reunion ro RIPE Romania ru RIPE Russian Federation rw AFRINIC Rwanda -sh ARIN Saint Helena bl ARIN Saint Barthélemy kn ARIN Saint Kitts & Nevis lc ARIN Saint Lucia @@ -203,14 +199,12 @@ si RIPE Slovenia sb APNIC Solomon Islands so AFRINIC Somalia za AFRINIC South Africa -gs LACNIC South Georgia kr APNIC South Korea ss AFRINIC South Sudan es RIPE Spain lk APNIC Sri Lanka sd AFRINIC Sudan sr LACNIC Suriname -sj RIPE Svalbard & Jan Mayen Islands se RIPE Sweden ch RIPE Switzerland sy RIPE Syrian @@ -243,7 +237,6 @@ vn APNIC Vietnam vg ARIN Virgin Islands (British) vi ARIN Virgin Islands (U.S.) wf APNIC Wallis & Futuna Islands -eh AFRINIC Western Sahara ye RIPE Yemen zm AFRINIC Zambia zw AFRINIC Zimbabwe diff --git a/net/banip/files/banip.init b/net/banip/files/banip.init index 4fedd3c140..080a4242e1 100755 --- a/net/banip/files/banip.init +++ b/net/banip/files/banip.init @@ -52,7 +52,7 @@ start_service() { procd_set_param nice "$(uci_get banip global ban_nicelimit "0")" procd_set_param limits nofile="$(uci_get banip global ban_filelimit "1024")" procd_set_param stdout 0 - procd_set_param stderr 0 + procd_set_param stderr 1 procd_close_instance else f_log "err" "banIP service autostart is disabled" -- 2.30.2
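Review bot: `procd_set_param stderr 1` in start_service is a runtime behaviour change that the commit description does not list: whatever the service and its child processes write to stderr will now be forwarded to the system log. That helps diagnosis, but it is worth checking that the fetch utility's error output cannot include feed URLs carrying credentials or tokens (custom feeds), since those would then be readable by anyone with log access. State the intent in a comment such as `# forward stderr to syslog so download/nft errors are visible`. start_service continues outside the hunk.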