From ac1076ef9530138e7c84d2858d5cf2b5d8c74e02 Mon Sep 17 00:00:00 2001
From: Dirk Brenken
Date: Mon, 4 Aug 2025 20:53:01 +0200
Subject: [PATCH] banIP: update 1.5.6-7

* skip rdap requests/replies with placeholders for all IPv4/IPv6 addresses
* sanitize possible bogus config values, e.g. '/dev/null' as a directory
* change URL for beycyber feed

Signed-off-by: Dirk Brenken
---
 net/banip/Makefile | 2 +-
 net/banip/files/banip-functions.sh | 35 ++++++++++++++++++------------
 net/banip/files/banip.feeds | 2 +-
 3 files changed, 23 insertions(+), 16 deletions(-)

diff --git a/net/banip/Makefile b/net/banip/Makefile
index fe9b4bdcc7..352d83333e 100644
--- a/net/banip/Makefile
+++ b/net/banip/Makefile
@@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=banip
 PKG_VERSION:=1.5.6
-PKG_RELEASE:=6
+PKG_RELEASE:=7
 PKG_LICENSE:=GPL-3.0-or-later
 PKG_MAINTAINER:=Dirk Brenken
diff --git a/net/banip/files/banip-functions.sh b/net/banip/files/banip-functions.sh
index fc15f12981..81ee8c9c02 100644
--- a/net/banip/files/banip-functions.sh
+++ b/net/banip/files/banip-functions.sh
@@ -264,20 +264,24 @@ f_conf() {
 option_cb() {
 local option="${1}" value="${2//\"/\\\"}"
- eval "${option}=\"${value}\""
+ if [ -d "${value}" ] || { [ ! -d "${value}" ] && [ -n "${value%%[./]*}" ]; }; then
+ eval "${option}=\"${value}\""
+ fi
 }
 list_cb() {
 local append option="${1}" value="${2//\"/\\\"}"
- eval "append=\"\${${option}}\""
- case "${option}" in
- "ban_logterm")
- eval "${option}=\"${append}${value}\\|\""
- ;;
- *)
- eval "${option}=\"${append}${value} \""
- ;;
- esac
+ if [ -d "${value}" ] || { [ ! -d "${value}" ] && [ -n "${value%%[./]*}" ]; }; then
+ eval "append=\"\${${option}}\""
+ case "${option}" in
+ "ban_logterm")
+ eval "${option}=\"${append}${value}\\|\""
+ ;;
+ *)
+ eval "${option}=\"${append}${value} \""
+ ;;
+ esac
+ fi
 }
 }
 config_load banip
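Review bot: The new guard in option_cb and list_cb rejects every value that starts with `/` or `.` unless it is an existing directory, so a legitimate non-directory value such as a file path or a regex list entry beginning with `.` is now dropped silently, with no log line telling the user why the option was ignored. The inner `[ ! -d "${value}" ]` is also redundant, since that branch is only reached when the `-d` test has already failed; `if [ -d "${value}" ] || [ -n "${value%%[./]*}" ]; then` expresses the same condition in both callbacks. If f_log is usable this early in f_conf, an `else` branch such as `f_log "info" "skip option '${option}' with value '${value}'"` would make the rejection visible. The check addresses path sanity only: the accepted value still goes through eval, and `${2//\"/\\\"}` escapes double quotes alone. f_conf starts before this hunk and continues after it.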
@@ -1901,7 +1905,8 @@ f_monitor() {
 ip="${ip##* }"
 [ -n "${ip%%::*}" ] && proto=".v6"
 fi
- if [ -n "${proto}" ] && ! "${ban_nftcmd}" get element inet banIP allowlist"${proto}" "{ ${ip} }" >/dev/null 2>&1 && ! "${ban_nftcmd}" get element inet banIP blocklist"${proto}" "{ ${ip} }" >/dev/null 2>&1; then
+ if [ -n "${proto}" ] && ! "${ban_nftcmd}" get element inet banIP allowlist"${proto}" "{ ${ip} }" >/dev/null 2>&1 &&
+ ! "${ban_nftcmd}" get element inet banIP blocklist"${proto}" "{ ${ip} }" >/dev/null 2>&1; then
 f_log "info" "suspicious IP '${ip}'"
 log_raw="$(eval ${loglimit_cmd})"
 log_count="$(printf "%s\n" "${log_raw}" | "${ban_grepcmd}" -c "suspicious IP '${ip}'")"
@@ -1922,9 +1927,11 @@ f_monitor() {
 prefix="${idx}"
 continue
 else
- cidr="${prefix}/${idx}"
- if "${ban_nftcmd}" add element inet banIP "blocklist${proto}" { ${cidr} ${nft_expiry} } >/dev/null 2>&1; then
- f_log "info" "add IP range '${cidr}' (source: ${rdap_info:-"n/a"} ::: expiry: ${ban_nftexpiry:-"-"}) to blocklist${proto} set"
+ if [ -n "${prefix%%::*}" ] && [ "${prefix%%.*}" != "127" ] && [ "${prefix%%.*}" != "0" ]; then
+ cidr="${prefix}/${idx}"
+ if "${ban_nftcmd}" add element inet banIP "blocklist${proto}" { ${cidr} ${nft_expiry} } >/dev/null 2>&1; then
+ f_log "info" "add IP range '${cidr}' (source: ${rdap_info:-"n/a"} ::: expiry: ${ban_nftexpiry:-"-"}) to blocklist${proto} set"
+ fi
 fi
 prefix=""
 fi
diff --git a/net/banip/files/banip.feeds b/net/banip/files/banip.feeds
index 3f6cd16f8d..f3f7507d48 100644
--- a/net/banip/files/banip.feeds
+++ b/net/banip/files/banip.feeds
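Review bot: The new guard in the second f_monitor hunk keys on the start address of the RDAP prefix (leading `::`, first octet `127` or `0`) rather than on its length, so a reply covering a very large range that starts elsewhere, e.g. an IPv4 `/1` or an IPv6 `/3`, still lands in `blocklist${proto}` via `{ ${cidr} ${nft_expiry} }`. If `idx` holds the prefix length, as `cidr="${prefix}/${idx}"` suggests, the catch-all case can be excluded directly by appending `&& [ "${idx}" != "0" ]` to the condition, and a minimum prefix length chosen per protocol would also cover the near-catch-all ranges. A prefix skipped by the guard currently leaves no trace; an `f_log "info"` line in an `else` branch would help when an expected block is missing. f_monitor starts before this hunk and continues after it.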
@@ -15,7 +15,7 @@
 "flag": "gz"
 },
 "becyber":{
- "url_4": "https://raw.githubusercontent.com/duggytuxy/Intelligence_IPv4_Blocklists/refs/heads/main/agressive_ips_dst_fr_be_blocklist.txt",
+ "url_4": "https://raw.githubusercontent.com/duggytuxy/Data-Shield_IPv4_Blocklist/refs/heads/main/prod_data-shield_ipv4_blocklist.txt",
 "rule_4": "/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
 "chain": "in",
 "descr": "malicious attacker IPs"
-- 
2.30.2
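Review bot: The commit description calls this feed 'beycyber' while the key in the hunk is `becyber`; the description should use the key as written so the change can be traced to this entry. Only `url_4` changes here, and the unchanged `rule_4` filter presumably still decides which fetched lines are accepted from the new source.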