From 829a9a61c26421032a4184c1dabc460bad4aea33 Mon Sep 17 00:00:00 2001 From: Dirk Brenken Date: Tue, 2 May 2023 21:41:37 +0200 Subject: [PATCH] banip: update 0.8.4-3 * add the option 'ban_autoallowuplink' to limit the uplink autoallow function: 'subnet' (default), 'ip' or 'disable' Signed-off-by: Dirk Brenken --- net/banip/Makefile | 6 +-- net/banip/files/README.md | 1 + net/banip/files/banip-functions.sh | 75 +++++++++++++++++------------- net/banip/files/banip-service.sh | 6 +-- 4 files changed, 49 insertions(+), 39 deletions(-) diff --git a/net/banip/Makefile b/net/banip/Makefile index 37ae934404..02cc404bf8 100644 --- a/net/banip/Makefile +++ b/net/banip/Makefile @@ -1,5 +1,5 @@ # -# banIP - ban incoming and outgoing ip addresses/subnets via sets in nftables +# banIP - ban incoming and outgoing ip addresses/subnets via Sets in nftables # Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org) # This is free software, licensed under the GNU General Public License v3. # @@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=banip PKG_VERSION:=0.8.4 -PKG_RELEASE:=2 +PKG_RELEASE:=3 PKG_LICENSE:=GPL-3.0-or-later PKG_MAINTAINER:=Dirk Brenken @@ -23,7 +23,7 @@ define Package/banip endef define Package/banip/description -banIP blocks IP addresses via named nftables sets. +banIP blocks IP addresses via named nftables Sets. banIP supports many IP blocklist feeds and provides a log service to block suspicious IPs in realtime. Please see https://github.com/openwrt/packages/blob/master/net/banip/files/README.md for further information. diff --git a/net/banip/files/README.md b/net/banip/files/README.md index cca75823d0..803e4a9315 100644 --- a/net/banip/files/README.md +++ b/net/banip/files/README.md 
@@ -139,6 +139,7 @@ Available commands: | ban_logforwardlan | option | 0 | log rejects in the lan-forward chain | | ban_autoallowlist | option | 1 | add wan IPs/subnets and resolved domains automatically to the local allowlist (not only to the Sets) | | ban_autoblocklist | option | 1 | add suspicious attacker IPs and resolved domains automatically to the local blocklist (not only to the Sets) | +| ban_autoallowuplink | option | subnet | limit the uplink autoallow function to: 'subnet', 'ip' or 'disable' it at all | | ban_allowlistonly | option | 0 | restrict the internet access from/to a small number of secure websites/IPs | | ban_basedir | option | /tmp | base working directory while banIP processing | | ban_reportdir | option | /tmp/banIP-report | directory where banIP stores the report files | diff --git a/net/banip/files/banip-functions.sh b/net/banip/files/banip-functions.sh index 36442381ec..225427516f 100644 --- a/net/banip/files/banip-functions.sh +++ b/net/banip/files/banip-functions.sh @@ -51,6 +51,7 @@ ban_logforwardwan="1" ban_logforwardlan="0" ban_allowlistonly="0" ban_autoallowlist="1" +ban_autoallowuplink="subnet" ban_autoblocklist="1" ban_deduplicate="1" ban_splitsize="0" @@ -65,7 +66,7 @@ ban_protov6="0" ban_ifv4="" ban_ifv6="" ban_dev="" -ban_sub="" +ban_uplink="" ban_fetchinsecure="" ban_cores="" ban_memory="" @@ -105,7 +106,7 @@ f_mkdir() { if [ ! -d "${dir}" ]; then rm -f "${dir}" mkdir -p "${dir}" - f_log "debug" "f_mkdir ::: created directory: ${dir}" + f_log "debug" "f_mkdir ::: created directory: ${dir}" fi } @@ -116,7 +117,7 @@ f_mkfile() { if [ ! -f "${file}" ]; then : >"${file}" - f_log "debug" "f_mkfile ::: created file: ${file}" + f_log "debug" "f_mkfile ::: created file: ${file}" fi } 
@@ -127,7 +128,7 @@ f_tmp() { ban_tmpdir="$(mktemp -p "${ban_basedir}" -d)" ban_tmpfile="$(mktemp -p "${ban_tmpdir}" -tu)" - f_log "debug" "f_tmp ::: base_dir: ${ban_basedir:-"-"}, tmp_dir: ${ban_tmpdir:-"-"}" + f_log "debug" "f_tmp ::: base_dir: ${ban_basedir:-"-"}, tmp_dir: ${ban_tmpdir:-"-"}" } # remove directories @@ -137,7 +138,7 @@ f_rmdir() { if [ -d "${dir}" ]; then rm -rf "${dir}" - f_log "debug" "f_rmdir ::: deleted directory: ${dir}" + f_log "debug" "f_rmdir ::: deleted directory: ${dir}" fi } @@ -286,7 +287,7 @@ f_fetch() { ;; esac - f_log "debug" "f_fetch ::: fetch_cmd: ${ban_fetchcmd:-"-"}, fetch_parm: ${ban_fetchparm:-"-"}" + f_log "debug" "f_fetch ::: fetch_cmd: ${ban_fetchcmd:-"-"}, fetch_parm: ${ban_fetchparm:-"-"}" } # remove logservice @@ -363,7 +364,7 @@ f_getif() { fi [ -z "${ban_ifv4}" ] && [ -z "${ban_ifv6}" ] && f_log "err" "wan interfaces not found, please check your configuration" - f_log "debug" "f_getif ::: auto/update: ${ban_autodetect}/${update}, interfaces (4/6): ${ban_ifv4}/${ban_ifv6}, protocols (4/6): ${ban_protov4}/${ban_protov6}" + f_log "debug" "f_getif ::: auto/update: ${ban_autodetect}/${update}, interfaces (4/6): ${ban_ifv4}/${ban_ifv6}, protocols (4/6): ${ban_protov4}/${ban_protov6}" } # get wan devices 
@@ -398,37 +399,45 @@ f_getdev() { ban_dev="${ban_dev%%?}" [ -z "${ban_dev}" ] && f_log "err" "wan devices not found, please check your configuration" - f_log "debug" "f_getdev ::: auto/update: ${ban_autodetect}/${update}, devices: ${ban_dev}, cnt: ${cnt}" + f_log "debug" "f_getdev ::: auto/update: ${ban_autodetect}/${update}, devices: ${ban_dev}, cnt: ${cnt}" } -# get local subnets +# get local uplink # -f_getsub() { - local sub iface ip update="0" +f_getuplink() { + local uplink iface ip update="0" - if [ "${ban_autoallowlist}" = "1" ]; then + if [ "${ban_autoallowlist}" = "1" ] && [ "${ban_autoallowuplink}" != "disable" ]; then for iface in ${ban_ifv4} ${ban_ifv6}; do network_flush_cache - network_get_subnet sub "${iface}" - if [ -n "${sub}" ] && ! printf " %s " "${ban_sub}" | "${ban_grepcmd}" -q " ${sub} "; then - ban_sub="${ban_sub}${sub} " + if [ "${ban_autoallowuplink}" = "subnet" ]; then + network_get_subnet uplink "${iface}" + elif [ "${ban_autoallowuplink}" = "ip" ]; then + network_get_ipaddr uplink "${iface}" fi - network_get_subnet6 sub "${iface}" - if [ -n "${sub}" ] && ! printf " %s " "${ban_sub}" | "${ban_grepcmd}" -q " ${sub} "; then - ban_sub="${ban_sub}${sub} " + if [ -n "${uplink}" ] && ! printf " %s " "${ban_uplink}" | "${ban_grepcmd}" -q " ${uplink} "; then + ban_uplink="${ban_uplink}${uplink} " + fi + if [ "${ban_autoallowuplink}" = "subnet" ]; then + network_get_subnet6 uplink "${iface}" + elif [ "${ban_autoallowuplink}" = "ip" ]; then + network_get_ipaddr6 uplink "${iface}" + fi + if [ -n "${uplink}" ] && ! printf " %s " "${ban_uplink}" | "${ban_grepcmd}" -q " ${uplink} "; then + ban_uplink="${ban_uplink}${uplink} " fi done - for ip in ${ban_sub}; do + for ip in ${ban_uplink}; do if ! 
"${ban_grepcmd}" -q "${ip}" "${ban_allowlist}"; then update="1" - printf "%-42s%s\n" "${ip}" "# subnet added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_allowlist}" - f_log "info" "added subnet '${ip}' to local allowlist" + printf "%-42s%s\n" "${ip}" "# uplink added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_allowlist}" + f_log "info" "added uplink '${ip}' to local allowlist" fi done - ban_sub="${ban_sub%%?}" + ban_uplink="${ban_uplink%%?}" fi - f_log "debug" "f_getsub ::: auto/update: ${ban_autoallowlist}/${update}, subnet(s): ${ban_sub:-"-"}" + f_log "debug" "f_getuplink ::: auto/update: ${ban_autoallowlist}/${update}, uplink: ${ban_uplink:-"-"}" } # get feed information @@ -499,7 +508,7 @@ f_nftinit() { feed_log="$("${ban_nftcmd}" -f "${file}" 2>&1)" feed_rc="${?}" - f_log "debug" "f_nftinit ::: devices: ${ban_dev}, priority: ${ban_nftpriority}, policy: ${ban_nftpolicy}, loglevel: ${ban_nftloglevel}, rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}" + f_log "debug" "f_nftinit ::: devices: ${ban_dev}, priority: ${ban_nftpriority}, policy: ${ban_nftpolicy}, loglevel: ${ban_nftloglevel}, rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}" return ${feed_rc} } @@ -824,7 +833,7 @@ f_down() { rm -f "${tmp_split}" "${tmp_nft}" end_ts="$(date +%s)" - f_log "debug" "f_down ::: name: ${feed}, cnt_dl: ${cnt_dl:-"-"}, cnt_set: ${cnt_set:-"-"}, split_size: ${ban_splitsize:-"-"}, time: $((end_ts - start_ts)), rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}" + f_log "debug" "f_down ::: name: ${feed}, cnt_dl: ${cnt_dl:-"-"}, cnt_set: ${cnt_set:-"-"}, split_size: ${ban_splitsize:-"-"}, time: $((end_ts - start_ts)), rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}" } # backup feeds 
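Review bot: The new option value is never validated in f_getuplink: for any `ban_autoallowuplink` other than `subnet`, `ip` or `disable` (a typo in the UCI config is enough), both the `if`/`elif` branches are skipped on every interface, `uplink` stays empty, nothing is written to the allowlist and nothing is logged, so the WAN-address self-protection quietly disappears. The UCI read (presumably f_conf) is outside this hunk, so I would add a guard at the top of the function, right after the `local` line: `case "${ban_autoallowuplink}" in subnet|ip|disable) ;; *) f_log "info" "unknown ban_autoallowuplink value '${ban_autoallowuplink}', using 'subnet'"; ban_autoallowuplink="subnet" ;; esac`. Separately, the pre-existing membership test `"${ban_grepcmd}" -q "${ip}" "${ban_allowlist}"` is an unanchored regex in which `.` matches any character, so in the new `ip` mode a bare address such as `10.0.0.1` is reported as already present when the allowlist only holds `10.0.0.10` or `110.0.0.1`; anchoring the match (e.g. `-q "^${ip}[[:space:]]"` with the dots escaped) would make the check exact. The tail of f_getdev at the start of the hunk is a whitespace-only change.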
@@ -835,7 +844,7 @@ f_backup() { gzip -cf "${feed_file}" >"${ban_backupdir}/banIP.${feed}.gz" backup_rc="${?}" - f_log "debug" "f_backup ::: name: ${feed}, source: ${feed_file##*/}, target: banIP.${feed}.gz, rc: ${backup_rc}" + f_log "debug" "f_backup ::: name: ${feed}, source: ${feed_file##*/}, target: banIP.${feed}.gz, rc: ${backup_rc}" return ${backup_rc} } @@ -851,7 +860,7 @@ f_restore() { restore_rc="${?}" fi - f_log "debug" "f_restore ::: name: ${feed}, source: banIP.${tmp_feed}.gz, target: ${feed_file##*/}, in_rc: ${feed_rc}, rc: ${restore_rc}" + f_log "debug" "f_restore ::: name: ${feed}, source: banIP.${tmp_feed}.gz, target: ${feed_file##*/}, in_rc: ${feed_rc}, rc: ${restore_rc}" return ${restore_rc} } @@ -891,7 +900,7 @@ f_rmset() { fi rm -f "${tmp_del}" - f_log "debug" "f_rmset ::: sets: ${del_set:-"-"}, rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}" + f_log "debug" "f_rmset ::: sets: ${del_set:-"-"}, rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}" } # generate status information @@ -941,10 +950,10 @@ f_genstatus() { json_close_object done json_close_array - json_add_array "active_subnets" - for object in ${ban_sub:-"-"}; do + json_add_array "active_uplink" + for object in ${ban_uplink:-"-"}; do json_add_object - json_add_string "subnet" "${object}" + json_add_string "uplink" "${object}" json_close_object done json_close_array @@ -1063,7 +1072,7 @@ f_lookup() { end_time="$(date "+%s")" duration="$(((end_time - start_time) / 60))m $(((end_time - start_time) % 60))s" - f_log "debug" "feed: ${feed}, domains: ${cnt_domain}, IPs: ${cnt_ip}, duration: ${duration}" + f_log "debug" "f_lookup ::: feed: ${feed}, domains: ${cnt_domain}, IPs: ${cnt_ip}, duration: ${duration}" } # table statistics 
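Review bot: The status JSON key `active_subnets` is renamed to `active_uplink` (and the per-object key `subnet` to `uplink`) in f_genstatus, which is an interface change for anything that parses the `banip status` output, such as a web frontend, yet neither the commit message nor the README hunk mentions it. If the rename is intended, I would call it out in the commit message and update the consumer of that key in lockstep; if backwards compatibility matters, emitting the old `active_subnets` array alongside the new one for a release would avoid breaking existing readers. The enclosing f_genstatus function starts and ends outside this hunk.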
@@ -1310,7 +1319,7 @@ f_mail() { f_log "info" "failed to send status mail (${?})" fi - f_log "debug" "f_mail ::: notification: ${ban_mailnotification}, template: ${ban_mailtemplate}, profile: ${ban_mailprofile}, receiver: ${ban_mailreceiver}, rc: ${?}" + f_log "debug" "f_mail ::: notification: ${ban_mailnotification}, template: ${ban_mailtemplate}, profile: ${ban_mailprofile}, receiver: ${ban_mailreceiver}, rc: ${?}" } # initial sourcing diff --git a/net/banip/files/banip-service.sh b/net/banip/files/banip-service.sh index ed2b9914c9..b8a10398ad 100755 --- a/net/banip/files/banip-service.sh +++ b/net/banip/files/banip-service.sh @@ -1,5 +1,5 @@ #!/bin/sh -# banIP main service script - ban incoming and outgoing ip addresses/subnets via sets in nftables +# banIP main service script - ban incoming and outgoing ip addresses/subnets via Sets in nftables # Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org) # This is free software, licensed under the GNU General Public License v3. @@ -15,13 +15,13 @@ ban_funlib="/usr/lib/banip-functions.sh" # f_conf f_log "info" "start banIP processing (${ban_action})" -f_log "debug" "f_system ::: system: ${ban_sysver:-"n/a"}, version: ${ban_ver:-"n/a"}, memory: ${ban_memory:-"0"}, cpu_cores: ${ban_cores}" +f_log "debug" "f_system ::: system: ${ban_sysver:-"n/a"}, version: ${ban_ver:-"n/a"}, memory: ${ban_memory:-"0"}, cpu_cores: ${ban_cores}" f_genstatus "processing" f_tmp f_fetch f_getif f_getdev -f_getsub +f_getuplink f_mkdir "${ban_backupdir}" f_mkfile "${ban_blocklist}" f_mkfile "${ban_allowlist}" -- 2.30.2