From 884876c7e14f19c100b2f2e030b123c977732d77 Mon Sep 17 00:00:00 2001
From: Dirk Brenken
Date: Fri, 21 Feb 2025 22:08:45 +0100
Subject: [PATCH] banIP: release 1.5.2-1

* add memory measurements:
  - free memory in MB (MemAvailable from /proc/meminfo)
  - script run max. used RAM in MB (VmHWM from /proc/$$/status)
* removed the obsolete (domain) lookup command in init script
* update the readme

Signed-off-by: Dirk Brenken
---
 net/banip/Makefile | 2 +-
 net/banip/files/README.md | 5 ++---
 net/banip/files/banip-functions.sh | 8 ++++----
 net/banip/files/banip.init | 14 --------------
 4 files changed, 7 insertions(+), 22 deletions(-)

diff --git a/net/banip/Makefile b/net/banip/Makefile
index 092f4fc58b..6272adae87 100644
--- a/net/banip/Makefile
+++ b/net/banip/Makefile
@@ -5,7 +5,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=banip
-PKG_VERSION:=1.5.1
+PKG_VERSION:=1.5.2
 PKG_RELEASE:=1
 PKG_LICENSE:=GPL-3.0-or-later
 PKG_MAINTAINER:=Dirk Brenken
diff --git a/net/banip/files/README.md b/net/banip/files/README.md
index 942713f31f..fe0138a2b5 100644
--- a/net/banip/files/README.md
+++ b/net/banip/files/README.md
@@ -95,7 +95,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre
 * Provides a Set search engine for certain IPs
 * Feed parsing by fast & flexible regex rulesets
 * Minimal status & error logging to syslog, enable debug logging to receive more output
-* Procd based init system support (start/stop/restart/reload/status/report/search/survey/lookup)
+* Procd based init system support (start/stop/restart/reload/status/report/search/survey)
 * Procd network interface trigger support
 * Add new or edit existing banIP feeds on your own with the LuCI integrated custom feed editor
 * Supports destination port & protocol limitations for external feeds (see the feed list above). To change the default assignments just use the custom feed editor
@@ -143,7 +143,6 @@ Available commands:
 report [text|json|mail] Print banIP related Set statistics
 search [|] Check if an element exists in a banIP Set
 survey [] List all elements of a given banIP Set
- lookup Lookup the IPs of domain names in the local lists and update them
 running Check if service is running
 status Service status
 trace Start with syscall trace
@@ -367,7 +366,7 @@ banIP supports local allow- and block-lists, MAC/IPv4/IPv6 addresses (incl. rang
 Unsuccessful login attempts or suspicious requests will be tracked and added to the local blocklist (see the 'ban_autoblocklist' option). The blocklist behaviour can be further tweaked with the 'ban_nftexpiry' option. Depending on the options 'ban_autoallowlist' and 'ban_autoallowuplink' the uplink subnet or the uplink IP will be added automatically to local allowlist. Furthermore, you can reference external Allowlist URLs with additional IPv4 and IPv6 feeds (see 'ban_allowurl').
-Both local lists also accept domain names as input to allow IP filtering based on these names. The corresponding IPs (IPv4 & IPv6) will be extracted and added to the Sets. You can also start the domain lookup separately via /etc/init.d/banip lookup at any time.
+Both local lists also accept domain names as input to allow IP filtering based on these names. The corresponding IPs (IPv4 & IPv6) will be extracted and added to the Sets.
 **Allowlist-only mode** banIP supports an "allowlist only" mode. This option restricts Internet access only to certain, explicitly permitted IP segments - and blocks access to the rest of the Internet. All IPs that are _not_ listed in the allowlist or in the external allowlist URLs are blocked. In this mode it might be useful to limit the allowlist feed to the inbound chain, to still allow outbound communication to the rest of the world.
diff --git a/net/banip/files/banip-functions.sh b/net/banip/files/banip-functions.sh
index cd7fbf78d2..ec99a07bdd 100644
--- a/net/banip/files/banip-functions.sh
+++ b/net/banip/files/banip-functions.sh
@@ -1318,8 +1318,8 @@ f_rmset() {
 f_genstatus() {
 local mem_free mem_max nft_ver object end_time duration table_sets cnt_elements="0" custom_feed="0" split="0" status="${1}"
- mem_free="$("${ban_awkcmd}" '/^MemAvailable/{printf "%s",int($2/1024)}' "/proc/meminfo" 2>/dev/null)"
- mem_max="$("${ban_awkcmd}" '/^VmHWM/{printf "%s",int($2)}' /proc/${$}/status 2>/dev/null)"
+ mem_free="$("${ban_awkcmd}" '/^MemAvailable/{printf "%.2f", $2/1024}' "/proc/meminfo" 2>/dev/null)"
+ mem_max="$("${ban_awkcmd}" '/^VmHWM/{printf "%.2f", $2/1024}' /proc/${$}/status 2>/dev/null)"
 nft_ver="$(printf "%s" "${ban_packages}" | "${ban_jsoncmd}" -ql1 -e '@.packages["nftables-json"]')"
 [ -z "${ban_dev}" ] && f_conf
@@ -1332,7 +1332,8 @@ f_genstatus() {
 for object in ${table_sets}; do
 cnt_elements="$((cnt_elements + $("${ban_nftcmd}" -j list set inet banIP "${object}" 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*]' | "${ban_wccmd}" -l 2>/dev/null)))"
 done
- runtime="mode: ${ban_action:-"-"}, period: ${duration:-"-"}, memory: ${mem_free} MB available, ${mem_max} KB max. used, cores: ${ban_cores}, log: ${ban_logreadcmd##*/}, fetch: ${ban_fetchcmd##*/}"
+ cnt_elements="$("${ban_awkcmd}" -v cnt="${cnt_elements}" 'BEGIN{res="";pos=0;for(i=length(cnt);i>0;i--){res=substr(cnt,i,1)res;pos++;if(pos==3&&i>1){res=" "res;pos=0;}}; printf"%s",res}')"
+ runtime="mode: ${ban_action:-"-"}, period: ${duration:-"-"}, memory: ${mem_free} MB available, ${mem_max} MB max. used, cores: ${ban_cores}, log: ${ban_logreadcmd##*/}, fetch: ${ban_fetchcmd##*/}"
 fi
 [ -s "${ban_customfeedfile}" ] && custom_feed="1"
 [ "${ban_splitsize:-"0"}" -gt "0" ] && split="1"
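Review bot: `mem_max` is read from `VmHWM` in `/proc/${$}/status`, which as far as I can tell is the peak resident size of this shell process only; the awk, nft and jq invocations that do the heavy lifting (see the `cnt_elements` pipeline in the next hunk) run as child processes and are not included, so the "max. used" figure in the status line likely understates the real footprint of a run. If that scope is intended, a short comment on the `mem_max=` line would keep readers from reading it as a whole-run peak, e.g. `# VmHWM of $$: peak RSS of this shell only, child processes (awk/nft/jq) are not counted`. On the same two lines `"/proc/meminfo"` is quoted but `/proc/${$}/status` is not; `"/proc/${$}/status"` keeps the style consistent.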
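Review bot: The new `cnt_elements=` line overwrites the numeric count with a space-grouped string (e.g. `12 345`), so any later use of `cnt_elements` as a number inside f_genstatus — the rest of the function is outside this hunk — would break, or the embedded space would leak into machine-readable status output. Keeping the count numeric and assigning the grouped form to its own variable (e.g. `cnt_pretty`, added to the `local` line and used only in the runtime string) avoids that. Separately, on the `runtime=` line `${mem_free}` and `${mem_max}` have no fallback, unlike `${ban_action:-"-"}` and `${duration:-"-"}` on the same line, although both awk reads are silenced with `2>/dev/null` and expand to an empty string when the key is absent; `memory: ${mem_free:-"-"} MB available, ${mem_max:-"-"} MB max. used` keeps the line readable in that case.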
@@ -1424,7 +1425,6 @@ f_getstatus() {
 f_lookup() {
 local cnt list domain lookup ip elementsv4 elementsv6 start_time end_time duration cnt_domain="0" cnt_ip="0" feed="${1}"
- [ -z "${ban_dev}" ] && f_conf
 start_time="$(date "+%s")"
 if [ "${feed}" = "allowlist" ]; then
 list="$("${ban_awkcmd}" '/^([[:alnum:]_-]{1,63}\.)+[[:alpha:]]+([[:space:]]|$)/{printf "%s ",tolower($1)}' "${ban_allowlist}" 2>/dev/null)"
diff --git a/net/banip/files/banip.init b/net/banip/files/banip.init
index 86745c1867..4fedd3c140 100755
--- a/net/banip/files/banip.init
+++ b/net/banip/files/banip.init
@@ -12,7 +12,6 @@ USE_PROCD=1
 extra_command "report" "[text|json|mail] Print banIP related Set statistics"
 extra_command "search" "[|] Check if an element exists in a banIP Set"
 extra_command "survey" "[] List all elements of a given banIP Set"
-extra_command "lookup" "Lookup the IPs of domain names in the local lists and update them"
 ban_init="/etc/init.d/banip"
 ban_service="/usr/bin/banip-service.sh"
@@ -99,19 +98,6 @@ survey() {
 f_survey "${1}"
 }
-lookup() {
- local list hold cnt="1"
- for list in allowlist blocklist; do
- (f_lookup "${list}") &
- hold="$((cnt % ban_cores))"
- [ "${hold}" = "0" ] && wait
- cnt="$((cnt + 1))"
- done
- wait
- rm -rf "${ban_lock}"
-}
-
 service_triggers() {
 local iface trigger delay
--
2.30.2
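Review bot: Removing `[ -z "${ban_dev}" ] && f_conf` makes f_lookup rely on its caller having loaded the configuration first; the `${ban_awkcmd}` and `${ban_allowlist}` expansions on the `list=` line are silenced with `2>/dev/null`, so a call made before f_conf would yield an empty list with no error at all. The callers are outside this hunk, so I cannot confirm they all run f_conf beforehand; a one-line precondition comment after the `local` line, `# requires f_conf to have been run by the caller (no self-initialisation here)`, would document the contract. f_lookup's body continues outside the hunk.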