From 4e3d7845fd6823c2e6030937f0cf9f5fc80010dd Mon Sep 17 00:00:00 2001
From: Dirk Brenken
Date: Thu, 13 Feb 2025 21:47:39 +0100
Subject: [PATCH] banIP: release 1.5.1-1

* optimized the f_nftload function
* reduced the prerouting priority to -175
* optimized the output of the f_survey function
* removed a needless fw4 call/check
* no longer skips regular blocklist feeds in "allowlist only" mode
* optimized init checks
* turris feed: enable IPv6 parsing, too (prvided by @curbengh)
* update the readme

Signed-off-by: Dirk Brenken
---
 net/banip/Makefile | 4 ++--
 net/banip/files/README.md | 6 +++---
 net/banip/files/banip-functions.sh | 23 +++++++++++++----------
 net/banip/files/banip-service.sh | 16 ++++++----------
 net/banip/files/banip.feeds | 8 +++++---
 net/banip/files/banip.init | 25 ++++++++++++++++++-------
 6 files changed, 47 insertions(+), 35 deletions(-)

diff --git a/net/banip/Makefile b/net/banip/Makefile
index cece0d3fb5..092f4fc58b 100644
--- a/net/banip/Makefile
+++ b/net/banip/Makefile
@@ -5,8 +5,8 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=banip
-PKG_VERSION:=1.5.0
-PKG_RELEASE:=6
+PKG_VERSION:=1.5.1
+PKG_RELEASE:=1
 PKG_LICENSE:=GPL-3.0-or-later
 PKG_MAINTAINER:=Dirk Brenken
diff --git a/net/banip/files/README.md b/net/banip/files/README.md
index 5a8294239a..942713f31f 100644
--- a/net/banip/files/README.md
+++ b/net/banip/files/README.md
@@ -86,7 +86,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre
 * Automatic blocklist backup & restore, the backups will be used in case of download errors or during startup
 * Automatically selects one of the following download utilities with ssl support: aria2c, curl, uclient-fetch or full wget
 * Provides HTTP ETag support to download only ressources that have been updated on the server side, to speed up banIP reloads and to save bandwith
-* Supports an 'allowlist only' mode, this option skips all blocklists and restricts the internet access only to specific, explicitly allowed IP segments
+* Supports an 'allowlist only' mode, this option restricts the internet access only to specific, explicitly allowed IP segments
 * Supports external allowlist URLs to reference additional IPv4/IPv6 feeds
 * Optionally always allow certain protocols/destination ports in the inbound chain
 * Deduplicate IPs accross all Sets (single IPs only, no intervals)
@@ -174,7 +174,7 @@ Available commands:
 | ban_autoblocklist | option | 1 | add suspicious attacker IPs and resolved domains automatically to the local blocklist (not only to the Sets) |
 | ban_autoblocksubnet | option | 0 | add entire subnets to the blocklist Sets based on an additional RDAP request with the suspicious IP |
 | ban_autoallowuplink | option | subnet | limit the uplink autoallow function to: 'subnet', 'ip' or 'disable' it at all |
-| ban_allowlistonly | option | 0 | skip all blocklists and restrict the internet access only to specific, explicitly allowed IP segments |
+| ban_allowlistonly | option | 0 | restrict the internet access only to specific, explicitly allowed IP segments |
 | ban_allowflag | option | - | always allow certain protocols(tcp or udp) plus destination ports or port ranges, e.g.: 'tcp 80 443-445' |
 | ban_allowurl | list | - | external allowlist feed URLs, one or more references to simple remote IP lists |
 | ban_basedir | option | /tmp | base working directory while banIP processing |
@@ -370,7 +370,7 @@ Furthermore, you can reference external Allowlist URLs with additional IPv4 and
 Both local lists also accept domain names as input to allow IP filtering based on these names. The corresponding IPs (IPv4 & IPv6) will be extracted and added to the Sets. You can also start the domain lookup separately via /etc/init.d/banip lookup at any time.

 **Allowlist-only mode**
-banIP supports an "allowlist only" mode. This option skips all blocklists and restricts Internet access only to certain, explicitly permitted IP segments - and blocks access to the rest of the Internet. All IPs that are _not_ listed in the allowlist or in the external allowlist URLs are blocked. In this mode it might be useful to limit the allowlist feed to the inbound chain, to still allow outbound communication to the rest of the world.
+banIP supports an "allowlist only" mode. This option restricts Internet access only to certain, explicitly permitted IP segments - and blocks access to the rest of the Internet. All IPs that are _not_ listed in the allowlist or in the external allowlist URLs are blocked. In this mode it might be useful to limit the allowlist feed to the inbound chain, to still allow outbound communication to the rest of the world.

 **MAC/IP-binding**
 banIP supports concatenation of local MAC addresses/ranges with IPv4/IPv6 addresses, e.g. to enforce dhcp assignments or to free connected clients from outbound blocking.
diff --git a/net/banip/files/banip-functions.sh b/net/banip/files/banip-functions.sh
index 0ada0956b7..cd7fbf78d2 100644
--- a/net/banip/files/banip-functions.sh
+++ b/net/banip/files/banip-functions.sh
@@ -99,14 +99,13 @@ ban_debug="0"
 f_system() {
 local cpu core

- if [ -z "${ban_dev}" ]; then
- ban_debug="$(uci_get banip global ban_debug "0")"
- ban_cores="$(uci_get banip global ban_cores)"
- fi
+ ban_debug="$(uci_get banip global ban_debug "0")"
+ ban_cores="$(uci_get banip global ban_cores)"
 ban_packages="$("${ban_ubuscmd}" -S call rpc-sys packagelist '{ "all": true }' 2>/dev/null)"
 ban_ver="$(printf "%s" "${ban_packages}" | "${ban_jsoncmd}" -ql1 -e '@.packages.banip')"
 ban_sysver="$("${ban_ubuscmd}" -S call system board 2>/dev/null | "${ban_jsoncmd}" -ql1 -e '@.model' -e '@.release.target' -e '@.release.distribution' -e '@.release.version' -e '@.release.revision' | "${ban_awkcmd}" 'BEGIN{RS="";FS="\n"}{printf "%s, %s, %s %s %s %s",$1,$2,$3,$4,$5,$6}')"
+
 if [ -z "${ban_cores}" ]; then
 cpu="$("${ban_grepcmd}" -c '^processor' /proc/cpuinfo 2>/dev/null)"
 core="$("${ban_grepcmd}" -cm1 '^core id' /proc/cpuinfo 2>/dev/null)"
@@ -608,17 +607,17 @@ f_etag() {
 # load file in nftset
 #
 f_nftload() {
- local cnt="1" max_cnt="${ban_nftretry:-"5"}" load_rc="4" load_log="" file="${1}" errmsg="${2}"
+ local cnt="1" max_cnt="${ban_nftretry:-"5"}" load_rc="4" file="${1}" errmsg="${2}"

 while [ "${load_rc}" != "0" ]; do
- load_log="$("${ban_nftcmd}" -f "${file}" 2>&1)"
+ "${ban_nftcmd}" -f "${file}" >/dev/null 2>&1
 load_rc="${?}"
 if [ "${load_rc}" = "0" ]; then
 break
 elif [ "${cnt}" = "${max_cnt}" ]; then
 [ ! -d "${ban_errordir}" ] && f_mkdir "${ban_errordir}"
 "${ban_catcmd}" "${file}" 2>/dev/null >"${ban_errordir}/err.${file##*/}"
- f_log "info" "${errmsg}, ${load_log::256}"
+ f_log "info" "${errmsg}"
 break
 fi
 cnt="$((cnt + 1))"
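Review bot: Redirecting nft's output to /dev/null on the new `"${ban_nftcmd}" -f "${file}" >/dev/null 2>&1` line discards the only record of why a load failed: the failing ruleset is still copied to `${ban_errordir}/err.${file##*/}`, but the parser or netlink error that explains the rejection is gone, and the final `f_log "info" "${errmsg}"` can no longer point at it. If the aim was to keep the syslog line short, the error text can live next to the saved file instead of in the log: keep `load_log="$("${ban_nftcmd}" -f "${file}" 2>&1)"` and, in the last-retry branch, add `printf "%s\n" "${load_log}" >"${ban_errordir}/err.${file##*/}.log"`. The loop also re-runs nft immediately after each failure; whether a short pause between attempts is wanted is the author's call. f_nftload's body continues past the end of the hunk.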
@@ -677,7 +676,7 @@ f_nftinit() {
 printf "%s\n" "add table inet banIP"
 # base chains
 #
- printf "%s\n" "add chain inet banIP pre-routing { type filter hook prerouting priority -199; policy accept; }"
+ printf "%s\n" "add chain inet banIP pre-routing { type filter hook prerouting priority -175; policy accept; }"
 printf "%s\n" "add chain inet banIP wan-input { type filter hook input priority ${ban_nftpriority}; policy accept; }"
 printf "%s\n" "add chain inet banIP wan-forward { type filter hook forward priority ${ban_nftpriority}; policy accept; }"
 printf "%s\n" "add chain inet banIP lan-forward { type filter hook forward priority ${ban_nftpriority}; policy accept; }"
@@ -1737,7 +1736,12 @@ f_survey() {
 printf "%s\n%s\n%s\n" ":::" "::: no valid survey input" ":::"
 return
 fi
- set_elements="$("${ban_nftcmd}" -j list set inet banIP "${input}" 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*]')"
+
+ if [ "$(uci_get banip global ban_nftcount)" = "1" ]; then
+ set_elements="$("${ban_nftcmd}" -j list set inet banIP "${input}" 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*].elem.val')"
+ else
+ set_elements="$("${ban_nftcmd}" -j list set inet banIP "${input}" 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*]')"
+ fi
 printf "%s\n%s\n%s\n" ":::" "::: banIP Survey" ":::"
 printf " %s\n" "List of elements in the Set '${input}' on $(date "+%Y-%m-%d %H:%M:%S")"
 printf " %s\n" "---"
@@ -1866,7 +1870,6 @@ fi
 #
 ban_awkcmd="$(f_cmd gawk awk)"
 ban_catcmd="$(f_cmd cat)"
-ban_fw4cmd="$(f_cmd fw4)"
 ban_grepcmd="$(f_cmd grep)"
 ban_jsoncmd="$(f_cmd jsonfilter)"
 ban_logcmd="$(f_cmd logger)"
diff --git a/net/banip/files/banip-service.sh b/net/banip/files/banip-service.sh
index 33e80478f4..2850c77213 100755
--- a/net/banip/files/banip-service.sh
+++ b/net/banip/files/banip-service.sh
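Review bot: The new `-175` on the `add chain inet banIP pre-routing` line is a bare number while the other base chains in the same hunk take `${ban_nftpriority}`, and nothing in the file records why it moved from -199. A comment on the line above would spare the next reader a trip to the nft manual, e.g. `# pre-routing priority -175: after the conntrack hook (-200), before mangle (-150)`; those two values are the standard netfilter hook priorities. If the ordering relative to another chain is what matters, naming that chain in the comment would be better still. f_nftinit continues outside the hunk.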
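Review bot: The two branches of the new `ban_nftcount` check in f_survey run the identical `"${ban_nftcmd}" -j list set inet banIP "${input}"` pipeline and differ only in the jsonfilter path, so a long command is duplicated for a one-token difference and the two copies can drift apart. Choosing the path first and running the pipeline once reads better; the new variable would need adding to f_survey's `local` line, which is outside the hunk, as is the rest of the function.
```sh
	if [ "$(uci_get banip global ban_nftcount)" = "1" ]; then
		elem_path='@.nftables[*].set.elem[*].elem.val'
	else
		elem_path='@.nftables[*].set.elem[*]'
	fi
	set_elements="$("${ban_nftcmd}" -j list set inet banIP "${input}" 2>/dev/null | "${ban_jsoncmd}" -qe "${elem_path}")"
	# … unchanged: survey header and element output …
```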
@@ -29,10 +29,8 @@ f_rmdir "${ban_errordir}"

 # firewall/fw4 pre-check
 #
-if [ ! -x "${ban_fw4cmd}" ] || [ ! -x "/etc/init.d/firewall" ]; then
- f_log "err" "firewall/fw4 not found"
-elif ! /etc/init.d/firewall status >/dev/null 2>&1; then
- f_log "info" "firewall/fw4 is not running"
+if ! /etc/init.d/firewall status >/dev/null 2>&1; then
+ f_log "info" "the main firewall is not running"
 fi

 # init banIP nftables namespace
@@ -41,16 +39,14 @@ if [ "${ban_action}" != "reload" ] || ! "${ban_nftcmd}" list chain inet banIP pr
 f_nftinit "${ban_tmpfile}".init.nft
 fi

-# handle downloads
+# start banIP processing
 #
 f_log "info" "start banIP download processes"
-if [ "${ban_allowlistonly}" = "1" ]; then
- ban_feed=""
-else
- f_getfeed
-fi
+f_getfeed
 [ "${ban_deduplicate}" = "1" ] && printf "\n" >"${ban_tmpfile}.deduplicate"

+# handle downloads
+#
 cnt="1"
 for feed in allowlist ${ban_feed} blocklist; do
 # local feeds (sequential processing)
diff --git a/net/banip/files/banip.feeds b/net/banip/files/banip.feeds
index 89a8b3e98a..6c79c72556 100644
--- a/net/banip/files/banip.feeds
+++ b/net/banip/files/banip.feeds
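Review bot: The rewritten pre-check calls `/etc/init.d/firewall status` without the `-x` existence test the removed lines had, so on a box where that init script is absent the command fails, its error goes to /dev/null, and the log reports `the main firewall is not running`, which hides a different problem and drops the severity of that case from `err` to `info`. Keeping a single existence check preserves the distinction: `if [ ! -x "/etc/init.d/firewall" ]; then f_log "err" "the main firewall init script is missing"` followed by the existing `elif ! /etc/init.d/firewall status >/dev/null 2>&1; then` branch. The script continues either way, as it did before, so this is a diagnostics point rather than a gate.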
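Review bot: With the `ban_allowlistonly` branch gone, every feed in `${ban_feed}` is now downloaded and loaded while allowlist-only mode is active, and the only place that records this as intentional is the commit message. A one-line comment above `f_getfeed` would stop a later reader from reinstating the skip as a "fix", e.g. `# allowlist-only mode no longer skips the regular feeds (1.5.1-1), all configured feeds are fetched`, and the reason the blocklist Sets are still wanted in that mode belongs there too, since the README edit removes the old wording without replacing it. The `for feed in allowlist ${ban_feed} blocklist` loop that consumes the result continues beyond the hunk.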
@@ -275,10 +275,12 @@
 "descr": "tor exit nodes"
 },
 "turris":{
- "url_4":"https://view.sentinel.turris.cz/greylist-data/greylist-latest.csv",
- "rule_4":"BEGIN{FS=\",\"}/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)/{printf \"%s,\\n\",$1}",
+ "url_4": "https://view.sentinel.turris.cz/greylist-data/greylist-latest.csv",
+ "url_6": "https://view.sentinel.turris.cz/greylist-data/greylist-latest.csv",
+ "rule_4": "BEGIN{FS=\",\"}/^127\\./{next}/^(([1-9][0-9]{0,2}\\.){1}([0-9]{1,3}\\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)/{printf \"%s,\\n\",$1}",
+ "rule_6": "BEGIN{FS=\",\"}/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)/{printf \"%s,\\n\",$1}",
 "chain": "in",
- "descr":"turris sentinel blocklist"
+ "descr": "turris sentinel blocklist"
 },
 "uceprotect1":{
 "url_4": "http://wget-mirrors.uceprotect.net/rbldnsd-all/dnsbl-1.uceprotect.net.gz",
diff --git a/net/banip/files/banip.init b/net/banip/files/banip.init
index 205df62c2a..86745c1867 100755
--- a/net/banip/files/banip.init
+++ b/net/banip/files/banip.init
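Review bot: The new `rule_6` pattern uses the bracket expression `[0-9A-f]` for hex digits; in the C locale that range covers every ASCII character from `A` to `f`, including `G`–`Z`, `[`, `\`, `]`, `^`, `_` and the backtick, so it is wider than hexadecimal and lets non-address tokens past the filter that decides what is handed to nft as a Set element. `[0-9A-Fa-f]` is the intended class: `"rule_6": "BEGIN{FS=\",\"}/^(([0-9A-Fa-f]{0,4}:){1,7}[0-9A-Fa-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)/{printf \"%s,\\n\",$1}",`. The IPv4 rule on the line above also skips `^127\.` entries while the IPv6 rule has no counterpart for `::1`; whether the Turris CSV can contain loopback entries I cannot tell from here, but a matching `/^::1/{next}` would keep the two rules symmetric.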
@@ -20,13 +20,24 @@ ban_funlib="/usr/lib/banip-functions.sh"
 ban_pidfile="/var/run/banip.pid"
 ban_lock="/var/run/banip.lock"

-[ "${action}" = "boot" ] && "${ban_init}" running && exit 0
-{ [ "${action}" = "stop" ] || [ "${action}" = "report" ] || [ "${action}" = "search" ] || [ "${action}" = "survey" ] || [ "${action}" = "lookup" ]; } && ! "${ban_init}" running && exit 0
-[ ! -r "${ban_funlib}" ] && { [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "stop" ] || [ "${action}" = "report" ] || [ "${action}" = "search" ] || [ "${action}" = "survey" ] || [ "${action}" = "lookup" ] || [ "${action}" = "status" ]; } && exit 1
-[ -d "${ban_lock}" ] && { [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "lookup" ] || [ "${action}" = "search" ]; } && exit 1
-[ ! -d "${ban_lock}" ] && { [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "lookup" ] || [ "${action}" = "search" ]; } && mkdir -p "${ban_lock}"
-{ [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "stop" ] || [ "${action}" = "report" ] || [ "${action}" = "search" ] || [ "${action}" = "survey" ] || [ "${action}" = "lookup" ] || [ "${action}" = "status" ]; } && . "${ban_funlib}"
-[ ! -d "${ban_lock}" ] && { [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "lookup" ] || [ "${action}" = "search" ]; } && exit 1
+if [ -z "${IPKG_INSTROOT}" ]; then
+ if [ "${action}" = "boot" ] && "${ban_init}" running; then
+ exit 0
+ elif { [ "${action}" = "stop" ] || [ "${action}" = "report" ] || [ "${action}" = "search" ] ||
+ [ "${action}" = "survey" ] || [ "${action}" = "lookup" ]; } && ! "${ban_init}" running; then
+ exit 0
+ fi
+ if [ ! -d "${ban_lock}" ] &&
+ { [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] ||
+ [ "${action}" = "reload" ] || [ "${action}" = "lookup" ] || [ "${action}" = "search" ]; }; then
+ mkdir -p "${ban_lock}"
+ elif [ -d "${ban_lock}" ] &&
+ { [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] ||
+ [ "${action}" = "reload" ] || [ "${action}" = "lookup" ] || [ "${action}" = "search" ]; }; then
+ exit 1
+ fi
+ . "${ban_funlib}"
+fi

 boot() {
 : >"${ban_pidfile}"
-- 
2.30.2
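Review bot: The rewrite drops the `[ ! -r "${ban_funlib}" ]` guard that the removed lines evaluated before touching the lock, and the new block creates `${ban_lock}` with `mkdir -p` first and sources `. "${ban_funlib}"` afterwards; if the library is missing or unreadable, the dot command aborts a non-interactive shell, the lock directory stays behind, and unless something else cleans it up every later start/reload/lookup/search run lands in the `elif [ -d "${ban_lock}" ]` branch and exits 1. Restoring the check at the top of the `IPKG_INSTROOT` block avoids the stale lock: `[ -r "${ban_funlib}" ] || exit 1`. The result of `mkdir -p "${ban_lock}"` is also no longer verified, where the old code ended with a `[ ! -d "${ban_lock}" ] … && exit 1`; `mkdir -p "${ban_lock}" || exit 1` keeps that guarantee. The library is now sourced for every action rather than the listed ones, which may well be intended but is a behaviour change worth a word in the commit message.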