From d8b6e2ca2a9a88852eb3aa23e1d4201a844813e7 Mon Sep 17 00:00:00 2001
From: Dirk Brenken
Date: Fri, 10 Mar 2023 19:42:19 +0100
Subject: [PATCH] banip: update 0.8.2-2

* fix the auto-detection for pppoe and 6in4 tunnel interfaces
* add the new 'ban_nftpolicy' option to expose the nft set policy, values: memory (default), performance
* add the new 'ban_nftlogevel' option to expose the nft syslog level, values: emerg, alert, crit, err, warn (default), notice, info, debug, audit
* status optimizations
* logging optimizations
* update the readme

Signed-off-by: Dirk Brenken
---
 net/banip/Makefile | 2 +-
 net/banip/files/README.md | 51 +++----
 net/banip/files/banip-functions.sh | 214 +++++++++++++++++------------
 net/banip/files/banip-service.sh | 2 +-
 net/banip/files/banip.init | 2 +-
 5 files changed, 159 insertions(+), 112 deletions(-)

diff --git a/net/banip/Makefile b/net/banip/Makefile
index be9a6aa031..7e1d5265a7 100644
--- a/net/banip/Makefile
+++ b/net/banip/Makefile
@@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=banip
 PKG_VERSION:=0.8.2
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_LICENSE:=GPL-3.0-or-later
 PKG_MAINTAINER:=Dirk Brenken
diff --git a/net/banip/files/README.md b/net/banip/files/README.md
index 56c517a4f0..8e7afa35d5 100644
--- a/net/banip/files/README.md
+++ b/net/banip/files/README.md
@@ -31,27 +31,27 @@ IP address blocking is commonly used to protect against brute force attacks, pre
 | firehol2 | firehol level 2 compilation | x | x | | [Link](https://iplists.firehol.org/?ipset=firehol_level2) |
 | firehol3 | firehol level 3 compilation | x | x | | [Link](https://iplists.firehol.org/?ipset=firehol_level3) |
 | firehol4 | firehol level 4 compilation | x | x | | [Link](https://iplists.firehol.org/?ipset=firehol_level4) |
-| greensnow | suspicious server IPs | x | x | x | [Link](https://greensnow.co) |
+| greensnow | suspicious server IPs | x | x | | [Link](https://greensnow.co) |
 | iblockads | Advertising IPs | | | x | [Link](https://www.iblocklist.com) |
-| iblockspy | Malicious spyware IPs | x | x | x | [Link](https://www.iblocklist.com) |
+| iblockspy | Malicious spyware IPs | x | x | | [Link](https://www.iblocklist.com) |
 | myip | real-time IP blocklist | x | x | | [Link](https://myip.ms) |
 | nixspam | iX spam protection | x | x | | [Link](http://www.nixspam.org) |
 | oisdbig | OISD-big IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
 | oisdnsfw | OISD-nsfw IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
 | oisdsmall | OISD-small IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
 | proxy | open proxies | x | | | [Link](https://iplists.firehol.org/?ipset=proxylists) |
-| ssbl | SSL botnet IPs | x | x | x | [Link](https://sslbl.abuse.ch) |
+| ssbl | SSL botnet IPs | x | x | | [Link](https://sslbl.abuse.ch) |
 | stevenblack | stevenblack IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
 | talos | talos IPs | x | x | | [Link](https://talosintelligence.com/reputation_center) |
-| threat | emerging threats | x | x | x | [Link](https://rules.emergingthreats.net) |
-| threatview | malicious IPs | x | x | x | [Link](https://threatview.io) |
-| tor | tor exit nodes | x | x | x | [Link](https://github.com/SecOps-Institute/Tor-IP-Addresses) |
+| threat | emerging threats | x | x | 
| [Link](https://rules.emergingthreats.net) |
+| threatview | malicious IPs | x | x | | [Link](https://threatview.io) |
+| tor | tor exit nodes | x | x | | [Link](https://github.com/SecOps-Institute/Tor-IP-Addresses) |
 | uceprotect1 | spam protection level 1 | x | x | | [Link](http://www.uceprotect.net/en/index.php) |
 | uceprotect2 | spam protection level 2 | x | x | | [Link](http://www.uceprotect.net/en/index.php) |
 | uceprotect3 | spam protection level 3 | x | x | | [Link](http://www.uceprotect.net/en/index.php) |
 | urlhaus | urlhaus IDS IPs | x | x | | [Link](https://urlhaus.abuse.ch) |
-| urlvir | malware related IPs | x | x | x | [Link](https://iplists.firehol.org/?ipset=urlvir) |
-| webclient | malware related IPs | x | x | x | [Link](https://iplists.firehol.org/?ipset=firehol_webclient) |
+| urlvir | malware related IPs | x | x | | [Link](https://iplists.firehol.org/?ipset=urlvir) |
+| webclient | malware related IPs | x | x | | [Link](https://iplists.firehol.org/?ipset=firehol_webclient) |
 | voip | VoIP fraud blocklist | x | x | | [Link](https://voipbl.org) |
 | yoyo | yoyo IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
@@ -151,8 +151,10 @@ Available commands:
 | ban_deduplicate | option | 1 | deduplicate IP addresses across all active sets |
 | ban_splitsize | option | 0 | split ext. sets after every n lines/members (saves RAM) |
 | ban_cores | option | - / autodetect | limit the cpu cores used by banIP (saves RAM) |
+| ban_nftloglevel | option | warn | nft loglevel, values: emerg, alert, crit, err, warn, notice, info, debug, audit |
+| ban_nftpriority | option | -200 | nft priority for the banIP table (default is the prerouting table priority) |
+| ban_nftpolicy | option | memory | nft policy for banIP-related sets, values: memory, performance |
 | ban_nftexpiry | option | - | expiry time for auto added blocklist members, e.g. '5m', '2h' or '1d' |
-| ban_nftpriority | option | -200 | nft banIP table priority (default is the prerouting table priority) |
 | ban_feed | list | - | external download feeds, e.g. 'yoyo', 'doh', 'country' or 'talos' (see feed table) |
 | ban_asn | list | - | ASNs for the 'asn' feed, e.g.'32934' |
 | ban_country | list | - | country iso codes for the 'country' feed, e.g. 'ru' |
@@ -222,18 +224,18 @@ Available commands: ~# /etc/init.d/banip status ::: banIP runtime information + status : active (nft: ✔, monitor: ✔) - + version : 0.8.2-1 - + element_count : 180596 - + active_feeds : allowlistvMAC, allowlistv4, allowlistv6, adawayv4, adawayv6, adguardv4, cinsscorev4, adguardv6, countryv6, countryv4, - deblv4, deblv6, dohv4, dohv6, firehol1v4, oisdsmallv6, oisdsmallv4, urlvirv4, webclientv4, blocklistvMAC, blocklistv4, - blocklistv6 - + active_devices : eth2 - + active_interfaces : wan, wan6 - + active_subnets : 91.64.168.218/24, 2a02:710c:0:80:e342:4b0c:725d:1d43/128 - + run_info : base: /tmp, backup: /mnt/data/banIP-backup, report: /mnt/data/banIP-report, feed: /etc/banip/banip.feeds + + version : 0.8.2-2 + + element_count : 211397 + + active_feeds : allowlistvMAC, allowlistv4, allowlistv6, adawayv4, adawayv6, adguardv4, adguardtrackersv4, adguardv6, adguardtrackersv + 6, antipopadsv4, antipopadsv6, cinsscorev4, countryv6, countryv4, deblv4, deblv6, dohv4, dohv6, firehol1v4, oisdsmallv + 6, oisdsmallv4, stevenblackv6, stevenblackv4, webclientv4, blocklistvMAC, blocklistv4, blocklistv6 + + active_devices : eth2 ::: wan, wan6 + + active_subnets : 91.64.148.211/24, 2b02:710c:0:80:e442:4b0c:637d:1d33/128 + + nft_info : priority: -200, policy: memory, loglevel: warn, expiry: - + + run_info : base: /mnt/data/banIP, backup: /mnt/data/banIP/backup, report: /mnt/data/banIP/report, feed: /etc/banip/banip.feeds + run_flags : auto: ✔, proto (4/6): ✔/✔, log (wan-inp/wan-fwd/lan-fwd): ✔/✔/✔, dedup: ✔, split: ✘, allowed only: ✘ - + last_run : action: restart, duration: 0m 58s, date: 2023-03-06 13:50:27 - + system_info : cores: 2, memory: 1831, device: Turris Omnia, OpenWrt SNAPSHOT r22151-1d82a47b49 + + last_run : action: restart, duration: 0m 55s, date: 2023-03-10 19:33:08 + + system_info : cores: 2, memory: 1830, device: Turris Omnia, OpenWrt SNAPSHOT r22248-bf055fcdca ``` **banIP search information** 
@@ -242,9 +244,9 @@ Available commands:
 :::
 ::: banIP Search
 :::
- Looking for IP 221.228.105.173 on 2023-02-08 22:12:48
+ Looking for IP '221.228.105.173' on 2023-02-08 22:12:48
 ---
- IP found in set oisdbasicv4
+ IP found in Set 'oisdbasicv4'
 ```
 **banIP survey information**
@@ -253,7 +255,7 @@ Available commands:
 :::
 ::: banIP Survey
 :::
- List the elements of set cinsscorev4 on 2023-03-06 14:07:58
+ List the elements of Set 'cinsscorev4' on 2023-03-06 14:07:58
 ---
 1.10.187.179
 1.10.203.30
@@ -272,7 +274,7 @@ Available commands:
 1.15.77.237
 [...]
 ```
-**default regex for logfile parsing**
+**default regex for logfile parsing**
 ```
 list ban_logterm 'Exit before auth from'
 list ban_logterm 'luci: failed login'
@@ -299,6 +301,7 @@ nftables supports the atomic loading of rules/sets/members, which is cool but un
 * point 'ban_basedir', 'ban_reportdir' and 'ban_backupdir' to an external usb drive
 * set 'ban_cores' to '1' (only useful on a multicore system) to force sequential feed processing
 * set 'ban_splitsize' e.g. to '1000' to split the load of an external set after every 1000 lines/members
+ * set 'ban_reportelements' to '0' to disable the CPU intensive counting of set elements
 **tweak the download options**
 By default banIP uses the following pre-configured download options:
diff --git a/net/banip/files/banip-functions.sh b/net/banip/files/banip-functions.sh
index 8ed8a2c9ec..6e231a6524 100644
--- a/net/banip/files/banip-functions.sh
+++ b/net/banip/files/banip-functions.sh
@@ -35,9 +35,10 @@ ban_mailreceiver=""
 ban_mailtopic="banIP notification"
 ban_mailprofile="ban_notify"
 ban_reportelements="1"
+ban_nftloglevel="warn"
 ban_nftpriority="-200"
+ban_nftpolicy="memory"
 ban_nftexpiry=""
-ban_loglevel="warn"
 ban_loglimit="100"
 ban_logcount="1"
 ban_logterm=""
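Review bot: `ban_loglevel` is removed in favour of `ban_nftloglevel` with no bridge between the two, so an existing UCI config carrying `option ban_loglevel 'info'` silently stops taking effect and the nft log statements fall back to `warn` — assuming f_conf (not in this hunk) maps UCI option names onto these variables one-to-one. If f_conf still exports unknown options as variables, a one-liner after the config is read keeps such installs at their chosen level, e.g. `[ -n "${ban_loglevel}" ] && ban_nftloglevel="${ban_loglevel}"`; otherwise the rename at least deserves a README or changelog line so operators know why their log level changed. The commit message also spells the new option 'ban_nftlogevel', while the code and README use `ban_nftloglevel`.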
@@ -304,90 +305,112 @@ f_actual() { # get wan interfaces # f_getif() { - local iface + local iface update="0" - "${ban_ubuscmd}" -t 5 wait_for network.device network.interface 2>/dev/null if [ "${ban_autodetect}" = "1" ]; then if [ -z "${ban_ifv4}" ]; then + network_flush_cache network_find_wan iface - if [ -n "${iface}" ] && ! printf "%s" "${ban_ifv4}" | "${ban_grepcmd}" -q "${iface}"; then + if [ -n "${iface}" ] && "${ban_ubuscmd}" -t 10 wait_for network.interface."${iface}" >/dev/null 2>&1; then ban_protov4="1" - ban_ifv4="${ban_ifv4}${iface} " + ban_ifv4="${iface}" uci_set banip global ban_protov4 "1" uci_add_list banip global ban_ifv4 "${iface}" + f_log "info" "added IPv4 interface '${iface}' to config" fi fi if [ -z "${ban_ifv6}" ]; then + network_flush_cache network_find_wan6 iface - if [ -n "${iface}" ] && ! printf "%s" "${ban_ifv6}" | "${ban_grepcmd}" -q "${iface}"; then + if [ -n "${iface}" ] && "${ban_ubuscmd}" -t 10 wait_for network.interface."${iface}" >/dev/null 2>&1; then ban_protov6="1" - ban_ifv6="${ban_ifv6}${iface} " + ban_ifv6="${iface}" uci_set banip global ban_protov6 "1" uci_add_list banip global ban_ifv6 "${iface}" + f_log "info" "added IPv6 interface '${iface}' to config" fi fi + fi + if [ -n "$(uci -q changes "banip")" ]; then + update="1" + uci_commit "banip" + else ban_ifv4="${ban_ifv4%%?}" ban_ifv6="${ban_ifv6%%?}" - [ -n "$(uci -q changes "banip")" ] && uci_commit "banip" + for iface in ${ban_ifv4} ${ban_ifv6}; do + if ! 
"${ban_ubuscmd}" -t 10 wait_for network.interface."${iface}" >/dev/null 2>&1; then + f_log "err" "wan interface '${iface}' is not available, please check your configuration" + fi + done fi [ -z "${ban_ifv4}" ] && [ -z "${ban_ifv6}" ] && f_log "err" "wan interfaces not found, please check your configuration" - f_log "debug" "f_getif ::: auto_detect: ${ban_autodetect}, interfaces (4/6): ${ban_ifv4}/${ban_ifv6}, protocols (4/6): ${ban_protov4}/${ban_protov6}" + f_log "debug" "f_getif ::: auto/update: ${ban_autodetect}/${update}, interfaces (4/6): ${ban_ifv4}/${ban_ifv6}, protocols (4/6): ${ban_protov4}/${ban_protov6}" } # get wan devices # f_getdev() { - local dev iface + local dev iface update="0" cnt="0" cnt_max="10" - if [ "${ban_autodetect}" = "1" ] && [ -z "${ban_dev}" ]; then - for iface in ${ban_ifv4} ${ban_ifv6}; do - network_get_device dev "${iface}" - if [ -n "${dev}" ] && ! printf "%s" "${ban_dev}" | "${ban_grepcmd}" -q "${dev}"; then - ban_dev="${ban_dev}${dev} " - uci_add_list banip global ban_dev "${dev}" - else - network_get_physdev dev "${iface}" - if [ -n "${dev}" ] && ! printf "%s" "${ban_dev}" | "${ban_grepcmd}" -q "${dev}"; then - ban_dev="${ban_dev}${dev} " - uci_add_list banip global ban_dev "${dev}" + if [ "${ban_autodetect}" = "1" ]; then + while [ -z "${ban_dev}" ] && [ "${cnt}" -le "${cnt_max}" ]; do + network_flush_cache + for iface in ${ban_ifv4} ${ban_ifv6}; do + network_get_device dev "${iface}" + if [ -n "${dev}" ]; then + if printf "%s" "${dev}" | "${ban_grepcmd}" -qE "pppoe|6in4"; then + dev="${iface}" + fi + if ! 
printf " %s " "${ban_dev}" | "${ban_grepcmd}" -q " ${dev} "; then + ban_dev="${ban_dev}${dev} " + uci_add_list banip global ban_dev "${dev}" + f_log "info" "added device '${dev}' to config" + fi fi - fi + done + cnt="$((cnt + 1))" + sleep 1 done - ban_dev="${ban_dev%%?}" - [ -n "$(uci -q changes "banip")" ] && uci_commit "banip" fi + if [ -n "$(uci -q changes "banip")" ]; then + update="1" + uci_commit "banip" + fi + ban_dev="${ban_dev%%?}" [ -z "${ban_dev}" ] && f_log "err" "wan devices not found, please check your configuration" - f_log "debug" "f_getdev ::: auto_detect: ${ban_autodetect}, devices: ${ban_dev}" + f_log "debug" "f_getdev ::: auto/update: ${ban_autodetect}/${update}, devices: ${ban_dev}, cnt: ${cnt}" } # get local subnets # f_getsub() { - local sub iface ip + local sub iface ip update="0" - for iface in ${ban_ifv4} ${ban_ifv6}; do - network_get_subnet sub "${iface}" - if [ -n "${sub}" ] && ! printf "%s" "${ban_sub}" | "${ban_grepcmd}" -q "${sub}"; then - ban_sub="${ban_sub} ${sub}" - fi - network_get_subnet6 sub "${iface}" - if [ -n "${sub}" ] && ! printf "%s" "${ban_sub}" | "${ban_grepcmd}" -q "${sub}"; then - ban_sub="${ban_sub} ${sub}" - fi - done if [ "${ban_autoallowlist}" = "1" ]; then + for iface in ${ban_ifv4} ${ban_ifv6}; do + network_flush_cache + network_get_subnet sub "${iface}" + if [ -n "${sub}" ] && ! printf " %s " "${ban_sub}" | "${ban_grepcmd}" -q " ${sub} "; then + ban_sub="${ban_sub}${sub} " + fi + network_get_subnet6 sub "${iface}" + if [ -n "${sub}" ] && ! printf " %s " "${ban_sub}" | "${ban_grepcmd}" -q " ${sub} "; then + ban_sub="${ban_sub}${sub} " + fi + done for ip in ${ban_sub}; do if ! 
"${ban_grepcmd}" -q "${ip}" "${ban_allowlist}"; then - printf "%-42s%s\n" "${ip}" "added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_allowlist}" - f_log "info" "add subnet '${ip}' to local allowlist" + update="1" + printf "%-42s%s\n" "${ip}" "# subnet added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_allowlist}" + f_log "info" "added subnet '${ip}' to local allowlist" fi done + ban_sub="${ban_sub%%?}" fi - [ -z "${ban_sub}" ] && f_log "err" "wan subnet(s) not found, please check your configuration" - f_log "debug" "f_getsub ::: auto_allowlist: ${ban_autoallowlist}, subnet(s): ${ban_sub:-"-"}" + f_log "debug" "f_getsub ::: auto/update: ${ban_autoallowlist}/${update}, subnet(s): ${ban_sub:-"-"}" } # get set elements @@ -442,7 +465,7 @@ f_nftinit() { feed_log="$("${ban_nftcmd}" -f "${file}" 2>&1)" feed_rc="${?}" - f_log "debug" "f_nftinit ::: devices: ${ban_dev}, priority: ${ban_nftpriority}, rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}" + f_log "debug" "f_nftinit ::: devices: ${ban_dev}, priority: ${ban_nftpriority}, policy: ${ban_nftpolicy}, loglevel: ${ban_nftloglevel}, rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}" return ${feed_rc} } @@ -461,9 +484,9 @@ f_down() { tmp_flush="${ban_tmpfile}.${feed}.flush" tmp_nft="${ban_tmpfile}.${feed}.nft" - [ "${ban_loginput}" = "1" ] && log_input="log level ${ban_loglevel} prefix \"banIP/inp-wan/drp/${feed}: \"" - [ "${ban_logforwardwan}" = "1" ] && log_forwardwan="log level ${ban_loglevel} prefix \"banIP/fwd-wan/drp/${feed}: \"" - [ "${ban_logforwardlan}" = "1" ] && log_forwardlan="log level ${ban_loglevel} prefix \"banIP/fwd-lan/rej/${feed}: \"" + [ "${ban_loginput}" = "1" ] && log_input="log level ${ban_nftloglevel} prefix \"banIP/inp-wan/drp/${feed}: \"" + [ "${ban_logforwardwan}" = "1" ] && log_forwardwan="log level ${ban_nftloglevel} prefix \"banIP/fwd-wan/drp/${feed}: \"" + [ "${ban_logforwardlan}" = "1" ] && log_forwardlan="log level ${ban_nftloglevel} prefix \"banIP/fwd-lan/rej/${feed}: \"" # set source block direction # 
@@ -508,11 +531,11 @@ f_down() { [ -s "${tmp_flush}" ] && cat "${tmp_flush}" if [ "${proto}" = "MAC" ]; then "${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s, ",tolower($1)}' "${ban_allowlist}" >"${tmp_file}" - printf "%s\n" "add set inet banIP ${feed} { type ether_addr; policy memory; $(f_getelements "${tmp_file}") }" + printf "%s\n" "add set inet banIP ${feed} { type ether_addr; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }" [ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ether saddr @${feed} counter accept" elif [ "${proto}" = "4" ]; then "${ban_awkcmd}" '/^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{printf "%s, ",$1}' "${ban_allowlist}" >"${tmp_file}" - printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy memory; $(f_getelements "${tmp_file}") }" + printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }" if [ -z "${feed_direction##*input*}" ]; then if [ "${ban_allowlistonly}" = "1" ]; then printf "%s\n" "add rule inet banIP wan-input ip saddr != @${feed} ${log_input} counter drop" 
@@ -537,7 +560,7 @@ f_down() { elif [ "${proto}" = "6" ]; then "${ban_awkcmd}" '!/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s\n",$1}' "${ban_allowlist}" | "${ban_awkcmd}" '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{printf "%s, ",tolower($1)}' >"${tmp_file}" - printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy memory; $(f_getelements "${tmp_file}") }" + printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }" if [ -z "${feed_direction##*input*}" ]; then if [ "${ban_allowlistonly}" = "1" ]; then printf "%s\n" "add rule inet banIP wan-input ip6 saddr != @${feed} ${log_input} counter drop" @@ -568,7 +591,7 @@ f_down() { [ -s "${tmp_flush}" ] && cat "${tmp_flush}" if [ "${proto}" = "MAC" ]; then "${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s, ",tolower($1)}' "${ban_blocklist}" >"${tmp_file}" - printf "%s\n" "add set inet banIP ${feed} { type ether_addr; policy memory; $(f_getelements "${tmp_file}") }" + printf "%s\n" "add set inet banIP ${feed} { type ether_addr; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }" [ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ether saddr @${feed} ${log_forwardlan} counter reject" elif [ "${proto}" = "4" ]; then if [ "${ban_deduplicate}" = "1" ]; then 
@@ -580,7 +603,7 @@ f_down() { "${ban_awkcmd}" '/^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{printf "%s,\n",$1}' "${ban_blocklist}" >"${tmp_split}" fi "${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}" - printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval, timeout; auto-merge; policy memory; $(f_getelements "${tmp_file}") }" + printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval, timeout; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }" [ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} ${log_input} counter drop" [ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip saddr @${feed} ${log_forwardwan} counter drop" [ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ip daddr @${feed} ${log_forwardlan} counter reject with icmp type admin-prohibited" 
@@ -596,7 +619,7 @@ f_down() { "${ban_awkcmd}" '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{printf "%s,\n",tolower($1)}' >"${tmp_split}" fi "${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}" - printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval, timeout; auto-merge; policy memory; $(f_getelements "${tmp_file}") }" + printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval, timeout; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }" [ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} ${log_input} counter drop" [ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip6 saddr @${feed} ${log_forwardwan} counter drop" [ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ip6 daddr @${feed} ${log_forwardlan} counter reject with icmpv6 type admin-prohibited" @@ -691,7 +714,7 @@ f_down() { # printf "%s\n\n" "#!/usr/sbin/nft -f" [ -s "${tmp_flush}" ] && cat "${tmp_flush}" - printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy memory; $(f_getelements "${tmp_file}.1") }" + printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}.1") }" # input and forward rules # @@ -705,7 +728,7 @@ f_down() { # printf "%s\n\n" "#!/usr/sbin/nft -f" [ -s "${tmp_flush}" ] && cat "${tmp_flush}" - printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy memory; $(f_getelements "${tmp_file}.1") }" + printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}.1") }" # input and forward rules # 
@@ -737,7 +760,9 @@ f_down() { fi rm -f "${split_file}" done - cnt_set="$("${ban_nftcmd}" -j list set inet banIP "${feed}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)" + if [ "${ban_debug}" = "1" ] && [ "${ban_reportelements}" = "1" ]; then + cnt_set="$("${ban_nftcmd}" -j list set inet banIP "${feed}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)" + fi fi else f_log "info" "empty feed ${feed} will be skipped" @@ -825,9 +850,11 @@ f_genstatus() { duration="$(((ban_endtime - ban_starttime) / 60))m $(((ban_endtime - ban_starttime) % 60))s" fi table_sets="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null | jsonfilter -qe '@.nftables[@.set.table="banIP"].set.name')" - for set in ${table_sets}; do - cnt_elements="$((cnt_elements + $("${ban_nftcmd}" -j list set inet banIP "${set}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)))" - done + if [ "${ban_reportelements}" = "1" ]; then + for set in ${table_sets}; do + cnt_elements="$((cnt_elements + $("${ban_nftcmd}" -j list set inet banIP "${set}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)))" + done + fi runtime="action: ${ban_action:-"-"}, duration: ${duration:-"-"}, date: $(date "+%Y-%m-%d %H:%M:%S")" fi f_system @@ -863,14 +890,6 @@ f_genstatus() { json_add_string "device" "${object}" json_close_object done - fi - json_close_array - json_add_array "active_interfaces" - if [ "${status}" != "active" ]; then - json_add_object - json_add_string "interface" "-" - json_close_object - else for object in ${ban_ifv4} ${ban_ifv6}; do json_add_object json_add_string "interface" "${object}" 
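Review bot: With `ban_reportelements` set to 0 the new guard skips the counting loop, but `cnt_elements` keeps whatever it was initialised to above the hunk (presumably 0), so the status reports element_count as 0 — indistinguishable from a ruleset whose sets are really empty, which is exactly the field an operator checks to confirm banIP is blocking anything. An `else` branch that marks the value as not counted, e.g. `cnt_elements="-"`, keeps the status honest, provided the later json_add_string for element_count (outside this hunk) just emits the string. The same question applies to `cnt_set` in the hunk at -737, which is now computed only when `ban_debug` and `ban_reportelements` are both 1 but may still be referenced by the log line that follows it (not visible here). f_genstatus begins before this hunk.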
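Review bot: Dropping the `active_interfaces` array and appending the interface objects to `active_devices` changes the schema of the runtime JSON file f_genstatus writes, so any consumer other than f_getstatus that keys on `active_interfaces` (a LuCI status page, for instance, if one reads this file) now gets nothing for interfaces and a mixed device/interface list under the old key. If f_getstatus is the only reader this is fine, but the object kinds are distinguishable only by their key name, so a short comment above the interface loop would record the coupling: `# interfaces are appended to the device array; f_getstatus pairs device/interface objects by position`. f_genstatus continues outside this hunk.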
@@ -891,6 +910,7 @@ f_genstatus() { done fi json_close_array + json_add_string "nft_info" "priority: ${ban_nftpriority}, policy: ${ban_nftpolicy}, loglevel: ${ban_nftloglevel}, expiry: ${ban_nftexpiry:-"-"}" json_add_string "run_info" "base: ${ban_basedir}, backup: ${ban_backupdir}, report: ${ban_reportdir}, feed: ${ban_feedfile}" json_add_string "run_flags" "auto: $(f_char ${ban_autodetect}), proto (4/6): $(f_char ${ban_protov4})/$(f_char ${ban_protov6}), log (wan-inp/wan-fwd/lan-fwd): $(f_char ${ban_loginput})/$(f_char ${ban_logforwardwan})/$(f_char ${ban_logforwardlan}), dedup: $(f_char ${ban_deduplicate}), split: $(f_char ${split}), allowed only: $(f_char ${ban_allowlistonly})" json_add_string "last_run" "${runtime:-"-"}" @@ -901,7 +921,7 @@ f_genstatus() { # get status information # f_getstatus() { - local key keylist type value index_value actual="${1}" + local key keylist type value index_key1 index_key2 index_value1 index_value2 actual="${1}" [ -z "${ban_dev}" ] && f_conf json_load_file "${ban_rtfile}" >/dev/null 2>&1 
@@ -911,22 +931,45 @@ f_getstatus() { json_get_var value "${key}" >/dev/null 2>&1 if [ "${key}" = "status" ]; then value="${value} ($(f_actual))" + elif [ "${key}" = "active_devices" ]; then + json_select "${key}" >/dev/null 2>&1 + index=1 + while json_get_type type "${index}" && [ "${type}" = "object" ]; do + json_get_keys index_key1 "${index}" >/dev/null 2>&1 + json_get_keys index_key2 "$((index + 1))" >/dev/null 2>&1 + json_get_values index_value1 "${index}" >/dev/null 2>&1 + if [ "${index}" = "1" ] && [ "${index_key1// /}" = "device" ] && [ "${index_key2// /}" = "interface" ]; then + json_get_values index_value2 "$((index + 1))" >/dev/null 2>&1 + value="${index_value1} ::: ${index_value2}" + index="$((index + 1))" + elif [ "${index}" = "1" ]; then + value="${index_value1}" + elif [ "${index}" != "1" ] && [ "${index_key1// /}" = "device" ] && [ "${index_key2// /}" = "interface" ]; then + json_get_values index_value2 "$((index + 1))" >/dev/null 2>&1 + value="${value}, ${index_value1} ::: ${index_value2}" + index="$((index + 1))" + elif [ "${index}" != "1" ]; then + value="${value}, ${index_value1}" + fi + index="$((index + 1))" + done + json_select ".." elif [ "${key%_*}" = "active" ]; then json_select "${key}" >/dev/null 2>&1 index=1 while json_get_type type "${index}" && [ "${type}" = "object" ]; do - json_get_values index_value "${index}" >/dev/null 2>&1 + json_get_values index_value1 "${index}" >/dev/null 2>&1 if [ "${index}" = "1" ]; then - value="${index_value}" + value="${index_value1}" else - value="${value}, ${index_value}" + value="${value}, ${index_value1}" fi - index=$((index + 1)) + index="$((index + 1))" done json_select ".." 
fi value="$(printf "%s" "${value}" | - awk '{NR=1;max=118;if(length($0)>max+1)while($0){if(NR==1){print substr($0,1,max)}else{printf"%-24s%s\n","",substr($0,1,max)}{$0=substr($0,max+1);NR=NR+1}}else print}')" + awk '{NR=1;max=118;if(length($0)>max+1)while($0){if(NR==1){print substr($0,1,max)}else{printf"%-24s%s\n","",substr($0,1,max)}{$0=substr($0,max+1);NR=NR+1}}else print}')" printf " + %-17s : %s\n" "${key}" "${value:-"-"}" done else @@ -967,9 +1010,9 @@ f_lookup() { fi fi if [ "${feed}" = "allowlist" ] && [ "${ban_autoallowlist}" = "1" ]; then - printf "%-42s%s\n" "${ip}" "# ip of '${domain}' added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_allowlist}" + printf "%-42s%s\n" "${ip}" "# '${domain}' added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_allowlist}" elif [ "${feed}" = "blocklist" ] && [ "${ban_autoblocklist}" = "1" ]; then - printf "%-42s%s\n" "${ip}" "# ip of '${domain}' added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_blocklist}" + printf "%-42s%s\n" "${ip}" "# '${domain}' added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_blocklist}" fi fi fi @@ -1151,6 +1194,7 @@ f_search() { f_system run_search="/var/run/banIP.search" + if [ -n "${search}" ]; then ip="$(printf "%s" "${search}" | "${ban_awkcmd}" 'BEGIN{RS="(([0-9]{1,3}\\.){3}[0-9]{1,3})+"}{printf "%s",RT}')" [ -n "${ip}" ] && proto="v4" 
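Review bot: The new `active_devices` branch spells out four `if/elif` arms whose only differences are the `, ` separator at index 1 and whether a following `interface` object is folded in, which hides the pairing rule and duplicates most of the generic `active` branch below it. Computing the separator first and keeping a single pairing test produces the same output (`eth2 ::: wan, wan6` in the README sample) with roughly half the code; resetting `index_key2` before each `json_get_keys` also guards against a stale value from the previous iteration pairing the last device with a non-existent next object, assuming json_get_keys leaves the variable untouched when the index is missing. f_getstatus begins before this hunk.
```shell
			elif [ "${key}" = "active_devices" ]; then
				json_select "${key}" >/dev/null 2>&1
				index=1
				while json_get_type type "${index}" && [ "${type}" = "object" ]; do
					index_key2=""
					json_get_keys index_key1 "${index}" >/dev/null 2>&1
					json_get_keys index_key2 "$((index + 1))" >/dev/null 2>&1
					json_get_values index_value1 "${index}" >/dev/null 2>&1
					if [ "${index}" = "1" ]; then
						value=""
					else
						value="${value}, "
					fi
					if [ "${index_key1// /}" = "device" ] && [ "${index_key2// /}" = "interface" ]; then
						json_get_values index_value2 "$((index + 1))" >/dev/null 2>&1
						value="${value}${index_value1} ::: ${index_value2}"
						index="$((index + 1))"
					else
						value="${value}${index_value1}"
					fi
					index="$((index + 1))"
				done
				json_select ".."
			# … unchanged: generic 'active' branch and line wrapping …
```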
@@ -1158,24 +1202,21 @@ f_search() { ip="$(printf "%s" "${search}" | "${ban_awkcmd}" 'BEGIN{RS="([A-Fa-f0-9]{1,4}::?){3,7}[A-Fa-f0-9]{1,4}"}{printf "%s",RT}')" [ -n "${ip}" ] && proto="v6" fi - if [ -n "${proto}" ]; then - table_sets="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null | jsonfilter -qe "@.nftables[@.set.table=\"banIP\"&&@.set.type=\"ip${proto}_addr\"].set.name")" - else - printf "%s\n%s\n%s\n" ":::" "::: no valid search input (single IPv4/IPv6 address)" ":::" - return - fi + fi + if [ -n "${proto}" ]; then + table_sets="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null | jsonfilter -qe "@.nftables[@.set.table=\"banIP\"&&@.set.type=\"ip${proto}_addr\"].set.name")" else - printf "%s\n%s\n%s\n" ":::" "::: no valid search input (single IPv4/IPv6 address)" ":::" + printf "%s\n%s\n%s\n" ":::" "::: no valid search input" ":::" return fi printf "%s\n%s\n%s\n" ":::" "::: banIP Search" ":::" - printf "%s\n" " Looking for IP ${ip} on $(date "+%Y-%m-%d %H:%M:%S")" + printf "%s\n" " Looking for IP '${ip}' on $(date "+%Y-%m-%d %H:%M:%S")" printf "%s\n" " ---" cnt=1 for set in ${table_sets}; do ( if "${ban_nftcmd}" get element inet banIP "${set}" "{ ${ip} }" >/dev/null 2>&1; then - printf "%s\n" " IP found in set ${set}" + printf "%s\n" " IP found in Set '${set}'" : >"${run_search}" fi ) & @@ -1184,8 +1225,11 @@ f_search() { cnt="$((cnt + 1))" done wait - [ ! -f "${run_search}" ] && printf "%s\n" " IP not found" - rm -f "${run_search}" + if [ ! -f "${run_search}" ]; then + printf "%s\n" " IP not found" + else + rm -f "${run_search}" + fi } # set survey 
@@ -1197,11 +1241,11 @@ f_survey() { [ -n "${set}" ] && set_elements="$("${ban_nftcmd}" -j list set inet banIP "${set}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]')" if [ -z "${set}" ] || [ -z "${set_elements}" ]; then - printf "%s\n%s\n%s\n" ":::" "::: no valid survey input (single banIP set name)" ":::" + printf "%s\n%s\n%s\n" ":::" "::: no valid survey input" ":::" return fi printf "%s\n%s\n%s\n" ":::" "::: banIP Survey" ":::" - printf "%s\n" " List the elements of set ${set} on $(date "+%Y-%m-%d %H:%M:%S")" + printf "%s\n" " List the elements of Set '${set}' on $(date "+%Y-%m-%d %H:%M:%S")" printf "%s\n" " ---" printf "%s\n" "${set_elements}" } diff --git a/net/banip/files/banip-service.sh b/net/banip/files/banip-service.sh index 6b6d7339f4..94c1d47edd 100755 --- a/net/banip/files/banip-service.sh +++ b/net/banip/files/banip-service.sh @@ -174,7 +174,7 @@ if [ -x "${ban_logreadcmd}" ] && [ -n "${ban_logterm%%??}" ]; then log_count="$(printf "%s\n" "${log_raw}" | grep -c "found '${ip}'")" if [ "${log_count}" -ge "${ban_logcount}" ]; then if "${ban_nftcmd}" add element inet banIP "blocklist${proto}" "{ ${ip} ${nft_expiry} }" >/dev/null 2>&1; then - f_log "info" "added IP${proto} '${ip}' (${nft_expiry:-"-"}) to blocklist${proto} set" + f_log "info" "added IP${proto} '${ip}' (expiry: ${nft_expiry:-"-"}) to blocklist${proto} set" if [ "${ban_autoblocklist}" = "1" ] && ! grep -q "^${ip}" "${ban_blocklist}"; then printf "%-42s%s\n" "${ip}" "# added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_blocklist}" f_log "info" "added IP${proto} '${ip}' to local blocklist" diff --git a/net/banip/files/banip.init b/net/banip/files/banip.init index e1cf070435..c56004279c 100755 --- a/net/banip/files/banip.init +++ b/net/banip/files/banip.init 
@@ -97,7 +97,7 @@ service_triggers() { local iface trigger delay trigger="$(uci_get banip global ban_trigger)" - delay="$(uci_get banip global ban_triggerdelay "5")" + delay="$(uci_get banip global ban_triggerdelay "10")" PROCD_RELOAD_DELAY=$((delay * 1000)) for iface in ${trigger}; do -- 2.30.2
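Review bot: The fallback for `ban_triggerdelay` moves from 5 to 10 seconds here, but neither the commit message nor the README hunks in this patch mention it, so the options table (if it lists a default for ban_triggerdelay; that part of the README is outside the visible hunks) would now be stale. Because this doubles the procd reload delay for every install that has not set the option explicitly, a one-line entry in the commit body, e.g. `* raise the default 'ban_triggerdelay' to 10 seconds`, and a matching README default keep the change discoverable. service_triggers continues past this hunk.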