banip: update 0.3.1
authorDirk Brenken <dev@brenken.org>
Wed, 9 Oct 2019 12:07:05 +0000 (14:07 +0200)
committerDirk Brenken <dev@brenken.org>
Wed, 9 Oct 2019 17:40:04 +0000 (19:40 +0200)
* the WAN auto detection now supports multiple interfaces, too
* no longer filter out possible LAN devices
* add a new DoH (DNS over HTTPS) blocklist source with public
  DoH DNS server addresses, to effectively block client side DoH
  communication, e.g. via Firefox or Chrome

Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 70ab67649b6a96e7581048ec9c1a7a4debce005d)

net/banip/Makefile
net/banip/files/banip.conf
net/banip/files/banip.sh

index 897ecd8a70259c709f66da5e2db6597956dffd88..a9aaf7abe3eb87554f339284ffe0e9dfe35f3f80 100644 (file)
@@ -6,7 +6,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=banip
-PKG_VERSION:=0.3.0
+PKG_VERSION:=0.3.1
 PKG_RELEASE:=1
 PKG_LICENSE:=GPL-3.0-or-later
 PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>
index 04f5cee8d1c4f6b4850d3bb91c3b64c94d0e970a..68a48aad49fb52e0b81528199bce63b5d152d3c0 100644 (file)
@@ -42,6 +42,17 @@ config source 'bogon'
        option ban_src_on '0'
        option ban_src_on_6 '0'
 
+config source 'DoH'
+       option ban_src 'https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv4.txt'
+       option ban_src_6 'https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv6.txt'
+       option ban_src_desc 'List of public DoH providers (DNS over HTTPS) (IPv4/IPv6)'
+       option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add DoH \"\$1}'
+       option ban_src_rset_6 '/^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}(:\/[0-9]{1,2})?([[:space:]]|$)/{print \"add DoH_6 \"\$1}'
+       option ban_src_settype 'net'
+       option ban_src_ruletype 'src+dst'
+       option ban_src_on '0'
+       option ban_src_on_6 '0'
+
 config source 'tor'
        option ban_src 'https://check.torproject.org/exit-addresses'
        option ban_src_desc 'List of Tor Exit Nodes (IPv4)'
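Review bot: The IPv6 extraction regex on the `ban_src_rset_6` line only admits a prefix length written as `:/nn` with at most two digits, so an entry like `2001:db8::1/128` (non-empty last hex group, or a three-digit length) would not match and would silently be left out of the DoH_6 set, while the plain `::/nn` form does match. If the pattern was copied from the existing sources above this hunk, the limitation is shared with them; for this list a prefix part of `(\/[0-9]{1,3})?` placed after the last hex group would cover both forms. Whether the upstream doh-ipv6.txt currently carries prefixed entries is not visible from this hunk, so I cannot say if any address is lost today.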
index 8634b19df60441175004205ac0024b272308f3df..bf322444d1f7693aa2dee8f0b5fb9ba7e90fdec1 100755 (executable)
@@ -13,7 +13,7 @@
 #
 LC_ALL=C
 PATH="/usr/sbin:/usr/bin:/sbin:/bin"
-ban_ver="0.3.0"
+ban_ver="0.3.1"
 ban_basever=""
 ban_enabled=0
 ban_automatic="1"
@@ -127,7 +127,7 @@ f_envload()
 #
 f_envcheck()
 {
-       local util utils packages tmp cnt=0
+       local util utils packages iface tmp cnt=0 cnt_max=0
 
        # check backup directory
        #
@@ -189,12 +189,25 @@ f_envcheck()
        then
                while [ "${cnt}" -le 30 ]
                do
-                       network_find_wan ban_iface
-                       if [ -z "${ban_iface}" ]
+                       network_find_wan iface
+                       if [ -n "${iface}" ] && [ -z "$(printf "%s\\n" "${ban_iface}" | grep -F "${iface}")" ]
                        then
-                               network_find_wan6 ban_iface
+                               ban_iface="${ban_iface} ${iface}"
+                               if [ "${cnt_max}" -eq 0 ]
+                               then
+                                       cnt_max=$((cnt+5))
+                               fi
+                       fi
+                       network_find_wan6 iface
+                       if [ -n "${iface}" ] && [ -z "$(printf "%s\\n" "${ban_iface}" | grep -F "${iface}")" ]
+                       then
+                               ban_iface="${ban_iface} ${iface}"
+                               if [ "${cnt_max}" -eq 0 ]
+                               then
+                                       cnt_max=$((cnt+5))
+                               fi
                        fi
-                       if [ -z "${ban_iface}" ]
+                       if [ -z "${ban_iface}" ] || [ "${cnt}" -le "${cnt_max}" ]
                        then
                                network_flush_cache
                                cnt=$((cnt+1))
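Review bot: The duplicate check on the new lines `[ -z "$(printf "%s\\n" "${ban_iface}" | grep -F "${iface}")" ]` is a substring test, so an interface whose name is contained in one already collected (e.g. `wan` once `wan6` is in the list) is treated as present and dropped; the same construct is repeated for ban_dev, ban_subnets and ban_subnets6 in the next hunk (@@ -208,23 +221,23). An exact-token test needs no subprocess and no grep: `case " ${ban_iface} " in *" ${iface} "*) ;; *) ban_iface="${ban_iface} ${iface}" ;; esac`, keeping the `-n "${iface}"` guard in front and moving the cnt_max update into the second branch. Whether the interface names returned by network_find_wan/network_find_wan6 can overlap this way in practice is not visible here, but the check is clearly meant to be exact. f_envcheck continues outside the hunk.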
@@ -208,23 +221,23 @@ f_envcheck()
        for iface in ${ban_iface}
        do
                network_get_device tmp "${iface}"
-               if [ -n "${tmp}" ]
+               if [ -n "${tmp}" ] && [ -z "$(printf "%s\\n" "${ban_dev}" | grep -F "${tmp}")" ]
                then
                        ban_dev="${ban_dev} ${tmp}"
                else
                        network_get_physdev tmp "${iface}"
-                       if [ -n "${tmp}" ]
+                       if [ -n "${tmp}" ] && [ -z "$(printf "%s\\n" "${ban_dev}" | grep -F "${tmp}")" ]
                        then
                                ban_dev="${ban_dev} ${tmp}"
                        fi
                fi
                network_get_subnets tmp "${iface}"
-               if [ -n "${tmp}" ]
+               if [ -n "${tmp}" ] && [ -z "$(printf "%s\\n" "${ban_subnets}" | grep -F "${tmp}")" ]
                then
                        ban_subnets="${ban_subnets} ${tmp}"
                fi
                network_get_subnets6 tmp "${iface}"
-               if [ -n "${tmp}" ]
+               if [ -n "${tmp}" ] && [ -z "$(printf "%s\\n" "${ban_subnets6}" | grep -F "${tmp}")" ]
                then
                        ban_subnets6="${ban_subnets6} ${tmp}"
                fi
@@ -234,7 +247,7 @@ f_envcheck()
        then
                f_log "err" "wan interface(s)/device(s) (${ban_iface:-"-"}/${ban_dev:-"-"}) not found, please please check your configuration"
        else
-               ban_dev_all="$(${ban_ip} link show | awk 'BEGIN{FS="[@: ]"}/^[0-9:]/{if(($3!="lo")&&($3!="br-lan")){print $3}}')"
+               ban_dev_all="$(${ban_ip} link show | awk 'BEGIN{FS="[@: ]"}/^[0-9:]/{if($3!="lo"){print $3}}')"
                f_jsnup "running"
                f_log "info" "start banIP processing (${ban_action})"
        fi
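Review bot: The awk filter on the `ban_dev_all=` line now excludes only `lo`, so the list deliberately includes LAN-facing devices such as br-lan, yet nothing on the line records that this is intended; a reader diffing against 0.3.0 could reinstate the old exclusion as a "fix". A comment above it such as `# every device except loopback; LAN devices are intentionally not excluded` would preserve the intent stated in the commit message. How ban_dev_all is consumed lies outside this hunk, so I cannot judge whether the wider list changes which devices receive rules.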