From 4979ade990f0dcf183795c52980297cc21fdaaf6 Mon Sep 17 00:00:00 2001 From: Dirk Brenken Date: Fri, 26 Apr 2024 17:03:14 +0200 Subject: [PATCH] banip: update 0.9.5-3 * allow multiple protocol/port definitions per feed, e.g. 'tcp udp 80 443 50000' * removed the default protocol/port limitation from asn feed Signed-off-by: Dirk Brenken (cherry picked from commit 2c6d5adac049a55ca067255da90dc938b5604249) --- net/banip/Makefile | 2 +- net/banip/files/README.md | 8 ++--- net/banip/files/banip-functions.sh | 50 ++++++++++++++++++------------ net/banip/files/banip.feeds | 3 +- 4 files changed, 37 insertions(+), 26 deletions(-) diff --git a/net/banip/Makefile b/net/banip/Makefile index 14636f1b81..41f01195a4 100644 --- a/net/banip/Makefile +++ b/net/banip/Makefile @@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=banip PKG_VERSION:=0.9.5 -PKG_RELEASE:=2 +PKG_RELEASE:=3 PKG_LICENSE:=GPL-3.0-or-later PKG_MAINTAINER:=Dirk Brenken diff --git a/net/banip/files/README.md b/net/banip/files/README.md index a28067e84e..a29375bbf3 100644 --- a/net/banip/files/README.md +++ b/net/banip/files/README.md @@ -15,7 +15,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre | adguard | adguard IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) | | adguardtrackers | adguardtracker IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) | | antipopads | antipopads IPs | | | x | tcp: 80, 443 | [Link](https://github.com/dibdot/banIP-IP-blocklists) | -| asn | ASN segments | | | x | tcp: 80, 443 | [Link](https://asn.ipinfo.app) | +| asn | ASN segments | x | x | x | | [Link](https://asn.ipinfo.app) | | backscatterer | backscatterer IPs | x | x | | | [Link](https://www.uceprotect.net/en/index.php) | | becyber | malicious attacker IPs | x | x | | | [Link](https://github.com/duggytuxy/malicious_ip_addresses) | | binarydefense | binary defense banlist | x | x | | | [Link](https://iplists.firehol.org/?ipset=bds_atif) | @@ -114,7 +114,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre * It's strongly recommended to use the LuCI frontend to easily configure all aspects of banIP, the application is located in LuCI under the 'Services' menu * If you're using a complex network setup, e.g. special tunnel interfaces, than untick the 'Auto Detection' option under the 'General Settings' tab and set the required options manually * Start the service with '/etc/init.d/banip start' and check everything is working by running '/etc/init.d/banip status' and also check the 'Firewall Log' and 'Processing Log' tabs -* If you're going to configure banIP via CLI, edit the config file '/etc/config/banip' and enable the service (set ban\_enabled to '1'), then add pre-configured feeds via 'ban\_feed' (see the feed list above) and add/change other options to your needs (see the options reference below) +* If you're going to configure banIP via CLI, edit the config file '/etc/config/banip' and enable the service (set ban\_enabled to '1'), then add pre-configured feeds via 'ban\_feed' (see the feed list above) and add/change other options to your needs, see the options reference table below ## banIP CLI interface * All important banIP functions are accessible via CLI. @@ -428,12 +428,12 @@ A valid JSON source object contains the following information, e.g.: "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}", "descr": "tor exit nodes", - "flag": "tcp 80-89 443" + "flag": "gz tcp 80-88 udp 50000" }, [...] ``` Add an unique feed name (no spaces, no special chars) and make the required changes: adapt at least the URL, the regex and the description for a new feed. -Please note: the flag field is optional, it's a space separated list of options: supported are 'gz' as an archive format, protocols 'tcp' or 'udp' with port numbers/port ranges for destination port limitations. +Please note: the flag field is optional, it's a space separated list of options: supported are 'gz' as an archive format, protocols 'tcp' or 'udp' with port numbers/port ranges for destination port limitations - multiple definitions are possible. ## Support Please join the banIP discussion in this [forum thread](https://forum.openwrt.org/t/banip-support-thread/16985) or contact me by mail diff --git a/net/banip/files/banip-functions.sh b/net/banip/files/banip-functions.sh index 50e805b5a4..b5c9b47745 100644 --- a/net/banip/files/banip-functions.sh +++ b/net/banip/files/banip-functions.sh @@ -595,24 +595,30 @@ f_etag() { # build initial nft file with base table, chains and rules # f_nftinit() { - local wan_dev vlan_allow vlan_block log_ct log_icmp log_syn log_udp log_tcp feed_log feed_rc allow_proto allow_dport flag file="${1}" + local wan_dev vlan_allow vlan_block log_ct log_icmp log_syn log_udp log_tcp feed_log feed_rc flag tmp_proto tmp_port allow_dport file="${1}" wan_dev="$(printf "%s" "${ban_dev}" | "${ban_sedcmd}" 's/^/\"/;s/$/\"/;s/ /\", \"/g')" [ -n "${ban_vlanallow}" ] && vlan_allow="$(printf "%s" "${ban_vlanallow%%?}" | "${ban_sedcmd}" 's/^/\"/;s/$/\"/;s/ /\", \"/g')" [ -n "${ban_vlanblock}" ] && vlan_block="$(printf "%s" "${ban_vlanblock%%?}" | "${ban_sedcmd}" 's/^/\"/;s/$/\"/;s/ /\", \"/g')" for flag in ${ban_allowflag}; do - if [ -z "${allow_proto}" ] && { [ "${flag}" = "tcp" ] || [ "${flag}" = "udp" ]; }; then - allow_proto="${flag}" - elif [ -n "${allow_proto}" ] && [ -n "${flag//[![:digit]-]/}" ] && ! printf "%s" "${allow_dport}" | "${ban_grepcmd}" -qw "${flag}"; then - if [ -z "${allow_dport}" ]; then - allow_dport="${flag}" - else - allow_dport="${allow_dport}, ${flag}" + if [ "${flag}" = "tcp" ] || [ "${flag}" = "udp" ]; then + if [ -z "${tmp_proto}" ]; then + tmp_proto="${flag}" + elif ! printf "%s" "${tmp_proto}" | "${ban_grepcmd}" -qw "${flag}"; then + tmp_proto="${tmp_proto}, ${flag}" + fi + elif [ -n "${flag//[![:digit]-]/}" ]; then + if [ -z "${tmp_port}" ]; then + tmp_port="${flag}" + elif ! printf "%s" "${tmp_port}" | "${ban_grepcmd}" -qw "${flag}"; then + tmp_port="${tmp_port}, ${flag}" fi fi done - [ -n "${allow_dport}" ] && allow_dport="${allow_proto} dport { ${allow_dport} }" + if [ -n "${tmp_proto}" ] && [ -n "${tmp_port}" ]; then + allow_dport="meta l4proto { ${tmp_proto} } th dport { ${tmp_port} }" + fi if [ "${ban_logprerouting}" = "1" ]; then log_icmp="log level ${ban_nftloglevel} prefix \"banIP/pre-icmp/drop: \"" @@ -697,7 +703,7 @@ f_nftinit() { # f_down() { local log_input log_forwardwan log_forwardlan start_ts end_ts tmp_raw tmp_load tmp_file split_file ruleset_raw handle rc etag_rc - local expr cnt_set cnt_dl restore_rc feed_direction feed_rc feed_log feed_comp feed_proto feed_dport feed_target + local expr cnt_set cnt_dl restore_rc feed_direction feed_rc feed_log feed_comp feed_target feed_dport tmp_proto tmp_port flag local feed="${1}" proto="${2}" feed_url="${3}" feed_rule="${4}" feed_flag="${5}" start_ts="$(date +%s)" @@ -756,19 +762,25 @@ f_down() { # prepare feed flags # for flag in ${feed_flag}; do - if [ "${flag}" = "gz" ] && ! printf "%s" "${feed_comp}" | "${ban_grepcmd}" -qw "${flag}"; then + if [ "${flag}" = "gz" ]; then feed_comp="${flag}" - elif [ -z "${feed_proto}" ] && { [ "${flag}" = "tcp" ] || [ "${flag}" = "udp" ]; }; then - feed_proto="${flag}" - elif [ -n "${feed_proto}" ] && [ -n "${flag//[![:digit]-]/}" ] && ! printf "%s" "${feed_dport}" | "${ban_grepcmd}" -qw "${flag}"; then - if [ -z "${feed_dport}" ]; then - feed_dport="${flag}" - else - feed_dport="${feed_dport}, ${flag}" + elif [ "${flag}" = "tcp" ] || [ "${flag}" = "udp" ]; then + if [ -z "${tmp_proto}" ]; then + tmp_proto="${flag}" + elif ! printf "%s" "${tmp_proto}" | "${ban_grepcmd}" -qw "${flag}"; then + tmp_proto="${tmp_proto}, ${flag}" + fi + elif [ -n "${flag//[![:digit]-]/}" ]; then + if [ -z "${tmp_port}" ]; then + tmp_port="${flag}" + elif ! printf "%s" "${tmp_port}" | "${ban_grepcmd}" -qw "${flag}"; then + tmp_port="${tmp_port}, ${flag}" fi fi done - [ -n "${feed_dport}" ] && feed_dport="${feed_proto} dport { ${feed_dport} }" + if [ -n "${tmp_proto}" ] && [ -n "${tmp_port}" ]; then + feed_dport="meta l4proto { ${tmp_proto} } th dport { ${tmp_port} }" + fi # chain/rule maintenance # diff --git a/net/banip/files/banip.feeds b/net/banip/files/banip.feeds index 36982654ba..90eaf62adc 100644 --- a/net/banip/files/banip.feeds +++ b/net/banip/files/banip.feeds @@ -36,8 +36,7 @@ "url_6": "https://asn.ipinfo.app/api/text/list/", "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}", "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}", - "descr": "ASN IP segments", - "flag": "tcp 80 443" + "descr": "ASN IP segments" }, "backscatterer":{ "url_4": "http://wget-mirrors.uceprotect.net/rbldnsd-all/ips.backscatterer.org.gz", -- 2.30.2