<!-- markdownlint-disable -->
-# banIP - ban incoming and/or outgoing ip adresses via ipsets
+# banIP - ban incoming and outgoing IP addresses/subnets via Sets in nftables
## Description
-IP address blocking is commonly used to protect against brute force attacks, prevent disruptive or unauthorized address(es) from access or it can be used to restrict access to or from a particular geographic area — for example.
+IP address blocking is commonly used to protect against brute force attacks, prevent disruptive or unauthorized address(es) from access or it can be used to restrict access to or from a particular geographic area — for example. Further more banIP scans the log file via logread and bans IPs that make too many password failures, e.g. via ssh.
## Main Features
-* Support of the following fully pre-configured domain blocklist sources (free for private usage, for commercial use please check their individual licenses)
-
-| Source | Focus | Information |
-| :------------------ | :----------------------------: | :-------------------------------------------------------------------------------- |
-| asn | ASN block | [Link](https://asn.ipinfo.app) |
-| bogon | Bogon prefixes | [Link](https://team-cymru.com) |
-| country | Country blocks | [Link](https://www.ipdeny.com/ipblocks) |
-| darklist | blocks suspicious attacker IPs | [Link](https://darklist.de) |
-| debl | Fail2ban IP blacklist | [Link](https://www.blocklist.de) |
-| doh | Public DoH-Provider | [Link](https://github.com/dibdot/DoH-IP-blocklists) |
-| drop | Spamhaus drop compilation | [Link](https://www.spamhaus.org) |
-| dshield | Dshield IP blocklist | [Link](https://www.dshield.org) |
-| edrop | Spamhaus edrop compilation | [Link](https://www.spamhaus.org) |
-| feodo | Feodo Tracker | [Link](https://feodotracker.abuse.ch) |
-| firehol1 | Firehol Level 1 compilation | [Link](https://iplists.firehol.org/?ipset=firehol_level1) |
-| firehol2 | Firehol Level 2 compilation | [Link](https://iplists.firehol.org/?ipset=firehol_level2) |
-| firehol3 | Firehol Level 3 compilation | [Link](https://iplists.firehol.org/?ipset=firehol_level3) |
-| firehol4 | Firehol Level 4 compilation | [Link](https://iplists.firehol.org/?ipset=firehol_level4) |
-| greensnow | blocks suspicious server IPs | [Link](https://greensnow.co) |
-| iblockads | Advertising blocklist | [Link](https://www.iblocklist.com) |
-| iblockspy | Malicious spyware blocklist | [Link](https://www.iblocklist.com) |
-| myip | Myip Live IP blacklist | [Link](https://myip.ms) |
-| nixspam | iX spam protection | [Link](http://www.nixspam.org) |
-| proxy | Firehol list of open proxies | [Link](https://iplists.firehol.org/?ipset=proxylists) |
-| ssbl | SSL botnet IP blacklist | [Link](https://sslbl.abuse.ch) |
-| talos | Cisco Talos IP Blacklist | [Link](https://talosintelligence.com/reputation_center) |
-| threat | Emerging Threats | [Link](https://rules.emergingthreats.net) |
-| tor | Tor exit nodes | [Link](https://fissionrelays.net/lists) |
-| uceprotect1 | Spam protection level 1 | [Link](http://www.uceprotect.net/en/index.php) |
-| uceprotect2 | Spam protection level 2 | [Link](http://www.uceprotect.net/en/index.php) |
-| voip | VoIP fraud blocklist | [Link](http://www.voipbl.org) |
-| yoyo | Ad protection blacklist | [Link](https://pgl.yoyo.org/adservers/) |
-
-* zero-conf like automatic installation & setup, usually no manual changes needed
-* automatically selects one of the following supported download utilities: aria2c, curl, uclient-fetch, wget
-* fast downloads & list processing as they are handled in parallel as background jobs in a configurable 'Download Queue'
-* full IPv4 and IPv6 support
-* ipsets (one per source) are used to ban a large number of IP addresses
-* supports blocking by ASN numbers
-* supports blocking by iso country codes
-* supports local black- & whitelist (IPv4, IPv6, CIDR notation or domain names)
-* auto-add unsuccessful LuCI, nginx or ssh login attempts via 'dropbear'/'sshd' to local blacklist
-* auto-add the uplink subnet to local whitelist
-* black- and whitelist also accept domain names as input to allow IP filtering based on these names
-* supports a 'whitelist only' mode, this option allows to restrict Internet access from/to a small number of secure websites/IPs
-* provides a small background log monitor to ban unsuccessful login attempts in real-time
-* per source configuration of SRC (incoming) and DST (outgoing)
-* integrated IPSet-Lookup
-* integrated bgpview-Lookup
-* blocklist source parsing by fast & flexible regex rulesets
-* minimal status & error logging to syslog, enable debug logging to receive more output
-* procd based init system support (start/stop/restart/reload/refresh/status)
-* procd network interface trigger support
-* automatic blocklist backup & restore, they will be used in case of download errors or during startup
-* provides comprehensive runtime information
-* provides a detailed IPSet Report
-* provides a powerful query function to quickly find blocked IPs/CIDR in banIP related IPSets
-* provides an easily configurable blocklist update scheduler called 'Refresh Timer'
-* strong LuCI support
-* optional: add new banIP sources on your own
+* banIP supports the following fully pre-configured domain blocklist feeds (free for private usage, for commercial use please check their individual licenses).
+ **Please note:** By default every feed blocks all supported chains. The columns "WAN-INP", "WAN-FWD" and "LAN-FWD" show for which chains the feeds are suitable in common scenarios, e.g. the first entry should be limited to the LAN forward chain - see the config options 'ban\_blockpolicy', 'ban\_blockinput', 'ban\_blockforwardwan' and 'ban\_blockforwardlan' below.
+
+| Feed | Focus | WAN-INP | WAN-FWD | LAN-FWD | Information |
+| :------------------ | :----------------------------- | :-----: | :-----: | :-----: | :----------------------------------------------------------- |
+| adaway | adaway IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
+| adguard | adguard IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
+| adguardtrackers | adguardtracker IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
+| antipopads | antipopads IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
+| asn | ASN IPs | | | x | [Link](https://asn.ipinfo.app) |
+| backscatterer | backscatterer IPs | x | x | | [Link](https://www.uceprotect.net/en/index.php) |
+| bogon | bogon prefixes | x | x | | [Link](https://team-cymru.com) |
+| country | country blocks | x | x | | [Link](https://www.ipdeny.com/ipblocks) |
+| cinsscore | suspicious attacker IPs | x | x | | [Link](https://cinsscore.com/#list) |
+| darklist | blocks suspicious attacker IPs | x | x | | [Link](https://darklist.de) |
+| debl | fail2ban IP blacklist | x | x | | [Link](https://www.blocklist.de) |
+| doh | public DoH-Provider | | | x | [Link](https://github.com/dibdot/DoH-IP-blocklists) |
+| drop | spamhaus drop compilation | x | x | | [Link](https://www.spamhaus.org) |
+| dshield | dshield IP blocklist | x | x | | [Link](https://www.dshield.org) |
+| edrop | spamhaus edrop compilation | x | x | | [Link](https://www.spamhaus.org) |
+| feodo | feodo tracker | x | x | x | [Link](https://feodotracker.abuse.ch) |
+| firehol1 | firehol level 1 compilation | x | x | | [Link](https://iplists.firehol.org/?ipset=firehol_level1) |
+| firehol2 | firehol level 2 compilation | x | x | | [Link](https://iplists.firehol.org/?ipset=firehol_level2) |
+| firehol3 | firehol level 3 compilation | x | x | | [Link](https://iplists.firehol.org/?ipset=firehol_level3) |
+| firehol4 | firehol level 4 compilation | x | x | | [Link](https://iplists.firehol.org/?ipset=firehol_level4) |
+| greensnow | suspicious server IPs | x | x | | [Link](https://greensnow.co) |
+| iblockads | Advertising IPs | | | x | [Link](https://www.iblocklist.com) |
+| iblockspy | Malicious spyware IPs | x | x | | [Link](https://www.iblocklist.com) |
+| ipthreat | hacker and botnet TPs | x | x | | [Link](https://ipthreat.net) |
+| myip | real-time IP blocklist | x | x | | [Link](https://myip.ms) |
+| nixspam | iX spam protection | x | x | | [Link](http://www.nixspam.org) |
+| oisdbig | OISD-big IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
+| oisdnsfw | OISD-nsfw IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
+| oisdsmall | OISD-small IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
+| proxy | open proxies | x | | | [Link](https://iplists.firehol.org/?ipset=proxylists) |
+| ssbl | SSL botnet IPs | x | x | | [Link](https://sslbl.abuse.ch) |
+| stevenblack | stevenblack IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
+| talos | talos IPs | x | x | | [Link](https://talosintelligence.com/reputation_center) |
+| threat | emerging threats | x | x | | [Link](https://rules.emergingthreats.net) |
+| threatview | malicious IPs | x | x | | [Link](https://threatview.io) |
+| tor | tor exit nodes | x | x | | [Link](https://github.com/SecOps-Institute/Tor-IP-Addresses) |
+| uceprotect1 | spam protection level 1 | x | x | | [Link](http://www.uceprotect.net/en/index.php) |
+| uceprotect2 | spam protection level 2 | x | x | | [Link](http://www.uceprotect.net/en/index.php) |
+| uceprotect3 | spam protection level 3 | x | x | | [Link](http://www.uceprotect.net/en/index.php) |
+| urlhaus | urlhaus IDS IPs | x | x | | [Link](https://urlhaus.abuse.ch) |
+| urlvir | malware related IPs | x | x | | [Link](https://iplists.firehol.org/?ipset=urlvir) |
+| webclient | malware related IPs | x | x | | [Link](https://iplists.firehol.org/?ipset=firehol_webclient) |
+| voip | VoIP fraud blocklist | x | x | | [Link](https://voipbl.org) |
+| yoyo | yoyo IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
+
+* Zero-conf like automatic installation & setup, usually no manual changes needed
+* All Sets are handled in a separate nft table/namespace 'banIP'
+* Full IPv4 and IPv6 support
+* Supports nft atomic Set loading
+* Supports blocking by ASN numbers and by iso country codes
+* Supports local allow- and blocklist with MAC/IPv4/IPv6 addresses or domain names
+* Supports concatenation of local MAC addresses with IPv4/IPv6 addresses, e.g. to enforce dhcp assignments
+* All local input types support ranges in CIDR notation
+* Auto-add the uplink subnet or uplink IP to the local allowlist
+* Provides a small background log monitor to ban unsuccessful login attempts in real-time (like fail2ban, crowdsec etc.)
+* Auto-add unsuccessful LuCI, nginx, Asterisk or ssh login attempts to the local blocklist
+* Auto-add entire subnets to the blocklist Sets based on an additional RDAP request with the monitored suspicious IP
+* Fast feed processing as they are handled in parallel as background jobs (on capable multi-core hardware)
+* Per feed it can be defined whether the wan-input chain, the wan-forward chain or the lan-forward chain should be blocked (default: all chains)
+* Automatic blocklist backup & restore, the backups will be used in case of download errors or during startup
+* Automatically selects one of the following download utilities with ssl support: aria2c, curl, uclient-fetch or full wget
+* Supports an 'allowlist only' mode, this option restricts internet access from/to a small number of secure websites/IPs
+* Deduplicate IPs accross all Sets (single IPs only, no intervals)
+* Provides comprehensive runtime information
+* Provides a detailed Set report
+* Provides a Set search engine for certain IPs
+* Feed parsing by fast & flexible regex rulesets
+* Minimal status & error logging to syslog, enable debug logging to receive more output
+* Procd based init system support (start/stop/restart/reload/status/report/search/survey/lookup)
+* Procd network interface trigger support
+* Add new or edit existing banIP feeds on your own with the LuCI integrated custom feed editor
+* Supports external allowlist URLs to reference additional IPv4/IPv6 feeds
## Prerequisites
-* [OpenWrt](https://openwrt.org), tested with the stable release series (21.02.x) and with the latest rolling snapshot releases. On turris devices it has been successfully tested with TurrisOS 5.2.x
- <b>Please note:</b> Ancient OpenWrt releases like 18.06.x or 17.01.x are _not_ supported!
- <b>Please note:</b> Devices with less than 128 MByte RAM are _not_ supported!
- <b>Please note:</b> If you're updating from former banIP 0.3x please manually remove your config (/etc/config/banip) before you start!
-* A download utility with SSL support: 'wget', 'uclient-fetch' with one of the 'libustream-*' ssl libraries, 'aria2c' or 'curl' is required
+* **[OpenWrt](https://openwrt.org)**, latest stable release or a snapshot with nft/firewall 4 and logd/logread support
+* A download utility with SSL support: 'aria2c', 'curl', full 'wget' or 'uclient-fetch' with one of the 'libustream-*' SSL libraries
* A certificate store like 'ca-bundle', as banIP checks the validity of the SSL certificates of all download sites by default
-* Optional E-Mail notification support: for E-Mail notifications you need to install and setup the additional 'msmtp' package
+* For E-Mail notifications you need to install and setup the additional 'msmtp' package
+
+**Please note the following:**
+* Devices with less than 256Mb of RAM are **_not_** supported
+* Any previous installation of ancient banIP 0.7.x must be uninstalled, and the /etc/banip folder and the /etc/config/banip configuration file must be deleted (they are recreated when this version is installed)
## Installation & Usage
* Update your local opkg repository (_opkg update_)
-* Install 'banip' (_opkg install banip_). The banIP service is disabled by default
-* Install the LuCI companion package 'luci-app-banip' (_opkg install luci-app-banip_)
+* Install banIP (_opkg install banip_) - the banIP service is disabled by default
+* Install the LuCI companion package 'luci-app-banip' (opkg install luci-app-banip)
* It's strongly recommended to use the LuCI frontend to easily configure all aspects of banIP, the application is located in LuCI under the 'Services' menu
+* If you're going to configure banIP via CLI, edit the config file '/etc/config/banip' and enable the service (set ban\_enabled to '1'), then add pre-configured feeds via 'ban\_feed' (see the feed list above) and add/change other options to your needs (see the options reference below)
+* Start the service with '/etc/init.d/banip start' and check everything is working by running '/etc/init.d/banip status'
-## banIP CLI
-* All important banIP functions are accessible via CLI as well.
-<pre><code>
-~# /etc/init.d/banip
+## banIP CLI interface
+* All important banIP functions are accessible via CLI.
+```
+~# /etc/init.d/banip
Syntax: /etc/init.d/banip [command]
Available commands:
enable Enable service autostart
disable Disable service autostart
enabled Check if service is started on boot
- refresh Refresh ipsets without new list downloads
- suspend Suspend banIP processing
- resume Resume banIP processing
- query <IP> Query active banIP IPSets for a specific IP address
- report [<cli>|<mail>|<gen>|<json>] Print banIP related IPset statistics
- list [<add>|<add_asn>|<add_country>|<remove>|<remove_asn>|<remove_country>] <source(s)> List/Edit available sources
- timer [<add> <tasks> <hour> [<minute>] [<weekday>]]|[<remove> <line no.>] List/Edit cron update intervals
- version Print version information
+ report [text|json|mail] Print banIP related Set statistics
+ search [<IPv4 address>|<IPv6 address>] Check if an element exists in a banIP Set
+ survey [<Set name>] List all elements of a given banIP Set
+ lookup Lookup the IPs of domain names in the local lists and update them
running Check if service is running
status Service status
trace Start with syscall trace
-</code></pre>
+ info Dump procd service info
+```
## banIP config options
-* Usually the auto pre-configured banIP setup works quite well and no manual overrides are needed
-
-| Option | Type | Default | Description |
-| :---------------------- | :----- | :---------------------------- | :------------------------------------------------------------------------------------ |
-| ban_enabled | option | 0 | enable the banIP service |
-| ban_autodetect | option | 1 | auto-detect wan interfaces, devices and subnets |
-| ban_debug | option | 0 | enable banIP related debug logging |
-| ban_mail_enabled | option | 0 | enable the mail service |
-| ban_monitor_enabled | option | 0 | enable the log monitor, e.g. to catch failed ssh/luci logins |
-| ban_logsrc_enabled | option | 0 | enable the src-related logchain |
-| ban_logdst_enabled | option | 0 | enable the dst-related logchain |
-| ban_autoblacklist | option | 1 | add suspicious IPs automatically to the local blacklist |
-| ban_autowhitelist | option | 1 | add wan IPs/subnets automatically to the local whitelist |
-| ban_whitelistonly | option | 0 | allow to restrict Internet access from/to a small number of secure websites/IPs |
-| ban_maxqueue | option | 4 | size of the download queue to handle downloads and processing in parallel |
-| ban_reportdir | option | /tmp/banIP-Report | directory where banIP stores the report files |
-| ban_backupdir | option | /tmp/banIP-Backup | directory where banIP stores the compressed backup files |
-| ban_ifaces | list | - | list option to add logical wan interfaces manually |
-| ban_sources | list | - | list option to add banIP sources |
-| ban_countries | list | - | list option to add certain countries as an alpha-2 ISO code, e.g. 'de' for germany |
-| ban_asns | list | - | list option to add certain ASNs (autonomous system number), e.g. '32934' for facebook |
-| ban_chain | option | banIP | name of the root chain used by banIP |
-| ban_global_settype | option | src+dst | global settype as default for all sources |
-| ban_settype_src | list | - | special SRC settype for a certain sources |
-| ban_settype_dst | list | - | special DST settype for a certain sources |
-| ban_settype_all | list | - | special SRC+DST settype for a certain sources |
-| ban_target_src | option | DROP | default src action (used by log chains as well) |
-| ban_target_dst | option | REJECT | default dst action (used by log chains as well) |
-| ban_lan_inputchains_4 | list | input_lan_rule | list option to add IPv4 lan input chains |
-| ban_lan_inputchains_6 | list | input_lan_rule | list option to add IPv6 lan input chains |
-| ban_lan_forwardchains_4 | list | forwarding_lan_rule | list option to add IPv4 lan forward chains |
-| ban_lan_forwardchains_6 | list | forwarding_lan_rule | list option to add IPv6 lan forward chains |
-| ban_wan_inputchains_4 | list | input_wan_rule | list option to add IPv4 wan input chains |
-| ban_wan_inputchains_6 | list | input_wan_rule | list option to add IPv6 wan input chains |
-| ban_wan_forwardchains_4 | list | forwarding_wan_rule | list option to add IPv4 wan forward chains |
-| ban_wan_forwardchains_6 | list | forwarding_wan_rule | list option to add IPv6 wan forward chains |
-| ban_fetchutil | option | -, auto-detected | 'uclient-fetch', 'wget', 'curl' or 'aria2c' |
-| ban_fetchparm | option | -, auto-detected | manually override the config options for the selected download utility |
-| ban_fetchinsecure | option | 0, disabled | don't check SSL server certificates during download |
-| ban_mailreceiver | option | - | receiver address for banIP related notification E-Mails |
-| ban_mailsender | option | no-reply@banIP | sender address for banIP related notification E-Mails |
-| ban_mailtopic | option | banIP notification | topic for banIP related notification E-Mails |
-| ban_mailprofile | option | ban_notify | mail profile used in 'msmtp' for banIP related notification E-Mails |
-| ban_srcarc | option | /etc/banip/banip.sources.gz | full path to the compressed source archive file used by banIP |
-| ban_localsources | list | maclist, whitelist, blacklist | limit the selection to certain local sources |
-| ban_extrasources | list | - | add additional, non-banIP related IPSets e.g. for reporting or queries |
-| ban_maclist_timeout | option | - | individual maclist IPSet timeout |
-| ban_whitelist_timeout | option | - | individual whitelist IPSet timeout |
-| ban_blacklist_timeout | option | - | individual blacklist IPSet timeout |
-| ban_logterms | list | dropbear, sshd, luci, nginx | limit the log monitor to certain log terms |
-| ban_loglimit | option | 100 | parse only the last stated number of log entries for suspicious events |
-| ban_ssh_logcount | option | 3 | number of the failed ssh login repetitions of the same ip in the log before banning |
-| ban_luci_logcount | option | 3 | number of the failed luci login repetitions of the same ip in the log before banning |
-| ban_nginx_logcount | option | 5 | number of the failed nginx requests of the same ip in the log before banning |
-
+
+| Option | Type | Default | Description |
+| :---------------------- | :----- | :---------------------------- | :----------------------------------------------------------------------------------------------------------- |
+| ban_enabled | option | 0 | enable the banIP service |
+| ban_nicelimit | option | 0 | ulimit nice level of the banIP service (range 0-19) |
+| ban_filelimit | option | 1024 | ulimit max open/number of files (range 1024-4096) |
+| ban_loglimit | option | 100 | scan only the last n log entries permanently. A value of '0' disables the monitor |
+| ban_logcount | option | 1 | how many times the IP must appear in the log to be considered as suspicious |
+| ban_logterm | list | regex | various regex for logfile parsing (default: dropbear, sshd, luci, nginx, asterisk) |
+| ban_autodetect | option | 1 | auto-detect wan interfaces, devices and subnets |
+| ban_debug | option | 0 | enable banIP related debug logging |
+| ban_loginput | option | 1 | log drops in the wan-input chain |
+| ban_logforwardwan | option | 1 | log drops in the wan-forward chain |
+| ban_logforwardlan | option | 0 | log rejects in the lan-forward chain |
+| ban_autoallowlist | option | 1 | add wan IPs/subnets and resolved domains automatically to the local allowlist (not only to the Sets) |
+| ban_autoblocklist | option | 1 | add suspicious attacker IPs and resolved domains automatically to the local blocklist (not only to the Sets) |
+| ban_autoblocksubnet | option | 0 | add entire subnets to the blocklist Sets based on an additional RDAP request with the suspicious IP |
+| ban_autoallowuplink | option | subnet | limit the uplink autoallow function to: 'subnet', 'ip' or 'disable' it at all |
+| ban_allowlistonly | option | 0 | restrict the internet access from/to a small number of secure websites/IPs |
+| ban_basedir | option | /tmp | base working directory while banIP processing |
+| ban_reportdir | option | /tmp/banIP-report | directory where banIP stores the report files |
+| ban_backupdir | option | /tmp/banIP-backup | directory where banIP stores the compressed backup files |
+| ban_protov4 | option | - / autodetect | enable IPv4 support |
+| ban_protov6 | option | - / autodetect | enable IPv4 support |
+| ban_ifv4 | list | - / autodetect | logical wan IPv4 interfaces, e.g. 'wan' |
+| ban_ifv6 | list | - / autodetect | logical wan IPv6 interfaces, e.g. 'wan6' |
+| ban_dev | list | - / autodetect | wan device(s), e.g. 'eth2' |
+| ban_trigger | list | - | logical startup trigger interface(s), e.g. 'wan' |
+| ban_triggerdelay | option | 10 | trigger timeout before banIP processing begins |
+| ban_triggeraction | option | start | trigger action on ifup events, e.g. start, restart or reload |
+| ban_deduplicate | option | 1 | deduplicate IP addresses across all active Sets |
+| ban_splitsize | option | 0 | split ext. Sets after every n lines/members (saves RAM) |
+| ban_cores | option | - / autodetect | limit the cpu cores used by banIP (saves RAM) |
+| ban_nftloglevel | option | warn | nft loglevel, values: emerg, alert, crit, err, warn, notice, info, debug |
+| ban_nftpriority | option | -200 | nft priority for the banIP table (default is the prerouting table priority) |
+| ban_nftpolicy | option | memory | nft policy for banIP-related Sets, values: memory, performance |
+| ban_nftexpiry | option | - | expiry time for auto added blocklist members, e.g. '5m', '2h' or '1d' |
+| ban_feed | list | - | external download feeds, e.g. 'yoyo', 'doh', 'country' or 'talos' (see feed table) |
+| ban_asn | list | - | ASNs for the 'asn' feed, e.g.'32934' |
+| ban_country | list | - | country iso codes for the 'country' feed, e.g. 'ru' |
+| ban_blockpolicy | option | - | limit the default block policy to a certain chain, e.g. 'input', 'forwardwan' or 'forwardlan' |
+| ban_blockinput | list | - | limit a feed to the wan-input chain, e.g. 'country' |
+| ban_blockforwardwan | list | - | limit a feed to the wan-forward chain, e.g. 'debl' |
+| ban_blockforwardlan | list | - | limit a feed to the lan-forward chain, e.g. 'doh' |
+| ban_fetchcmd | option | - / autodetect | 'uclient-fetch', 'wget', 'curl' or 'aria2c' |
+| ban_fetchparm | option | - / autodetect | set the config options for the selected download utility |
+| ban_fetchretry | option | 5 | number of download attempts in case of an error (not supported by uclient-fetch) |
+| ban_fetchinsecure | option | 0 | don't check SSL server certificates during download |
+| ban_mailreceiver | option | - | receiver address for banIP related notification E-Mails |
+| ban_mailsender | option | no-reply@banIP | sender address for banIP related notification E-Mails |
+| ban_mailtopic | option | banIP notification | topic for banIP related notification E-Mails |
+| ban_mailprofile | option | ban_notify | mail profile used in 'msmtp' for banIP related notification E-Mails |
+| ban_mailnotification | option | 0 | receive E-Mail notifications with every banIP run |
+| ban_reportelements | option | 1 | count Set elements in the report, disable this option to speed up the report significantly |
+| ban_resolver | option | - | external resolver used for DNS lookups |
+
## Examples
-**list/edit banIP sources:**
-<pre><code>
-~# /etc/init.d/banip list
-::: Available banIP sources
+**banIP report information**
+```
+~# /etc/init.d/banip report
+:::
+::: banIP Set Statistics
:::
- Name Enabled Focus Info URL
- ---------------------------------------------------------------------------
- + asn ASN blocks https://asn.ipinfo.app
- + bogon Bogon prefixes https://team-cymru.com
- + country x Country blocks https://www.ipdeny.com/ipblocks
- + darklist x Blocks suspicious attacker IPs https://darklist.de
- + debl x Fail2ban IP blacklist https://www.blocklist.de
- + doh x Public DoH-Provider https://github.com/dibdot/DoH-IP-blocklists
- + drop x Spamhaus drop compilation https://www.spamhaus.org
- + dshield x Dshield IP blocklist https://www.dshield.org
- + edrop Spamhaus edrop compilation https://www.spamhaus.org
- + feodo x Feodo Tracker https://feodotracker.abuse.ch
- + firehol1 x Firehol Level 1 compilation https://iplists.firehol.org/?ipset=firehol_level1
- + firehol2 Firehol Level 2 compilation https://iplists.firehol.org/?ipset=firehol_level2
- + firehol3 Firehol Level 3 compilation https://iplists.firehol.org/?ipset=firehol_level3
- + firehol4 Firehol Level 4 compilation https://iplists.firehol.org/?ipset=firehol_level4
- + greensnow x Blocks suspicious server IPs https://greensnow.co
- + iblockads Advertising blocklist https://www.iblocklist.com
- + iblockspy x Malicious spyware blocklist https://www.iblocklist.com
- + myip Myip Live IP blacklist https://myip.ms
- + nixspam x iX spam protection http://www.nixspam.org
- + proxy Firehol list of open proxies https://iplists.firehol.org/?ipset=proxylists
- + sslbl x SSL botnet IP blacklist https://sslbl.abuse.ch
- + talos x Cisco Talos IP Blacklist https://talosintelligence.com/reputation_center
- + threat x Emerging Threats https://rules.emergingthreats.net
- + tor x Tor exit nodes https://fissionrelays.net/lists
- + uceprotect1 x Spam protection level 1 http://www.uceprotect.net/en/index.php
- + uceprotect2 Spam protection level 2 http://www.uceprotect.net/en/index.php
- + voip x VoIP fraud blocklist http://www.voipbl.org
- + yoyo x Ad protection blacklist https://pgl.yoyo.org/adservers/
- ---------------------------------------------------------------------------
- * Configured ASNs: -
- * Configured Countries: af, bd, br, cn, hk, hu, id, il, in, iq, ir, kp, kr, no, pk, pl, ro, ru, sa, th, tr, ua, gb
-</code></pre>
-
-**receive banIP runtime information:**
-<pre><code>
-~# /etc/init.d/banip status
+ Timestamp: 2023-06-21 07:03:23
+ ------------------------------
+ auto-added to allowlist today: 0
+ auto-added to blocklist today: 0
+
+ Set | Elements | WAN-Input (packets) | WAN-Forward (packets) | LAN-Forward (packets)
+ ---------------------+--------------+-----------------------+-----------------------+------------------------
+ allowlistv4MAC | 0 | - | - | OK: 0
+ allowlistv6MAC | 0 | - | - | OK: 0
+ allowlistv4 | 1 | OK: 0 | OK: 0 | OK: 0
+ allowlistv6 | 1 | OK: 0 | OK: 0 | OK: 0
+ cinsscorev4 | 13115 | OK: 142 | OK: 0 | -
+ deblv4 | 8076 | OK: 5 | OK: 0 | OK: 0
+ countryv6 | 37313 | OK: 0 | OK: 1 | -
+ countryv4 | 36155 | OK: 33 | OK: 0 | -
+ deblv6 | 15 | OK: 0 | OK: 0 | OK: 0
+ dropv6 | 35 | OK: 0 | OK: 0 | OK: 0
+ dropv4 | 620 | OK: 0 | OK: 0 | OK: 0
+ dohv6 | 598 | - | - | OK: 0
+ dohv4 | 902 | - | - | OK: 0
+ edropv4 | 247 | OK: 0 | OK: 0 | OK: 0
+ threatviewv4 | 571 | OK: 0 | OK: 0 | OK: 0
+ firehol1v4 | 877 | OK: 8 | OK: 0 | OK: 0
+ ipthreatv4 | 5751 | OK: 0 | OK: 0 | OK: 0
+ urlvirv4 | 169 | OK: 0 | OK: 0 | OK: 0
+ blocklistv4MAC | 0 | - | - | OK: 0
+ blocklistv6MAC | 0 | - | - | OK: 0
+ blocklistv4 | 3 | OK: 0 | OK: 0 | OK: 0
+ blocklistv6 | 0 | OK: 0 | OK: 0 | OK: 0
+ ---------------------+--------------+-----------------------+-----------------------+------------------------
+ 22 | 104449 | 16 (188) | 16 (1) | 19 (0)
+```
+
+**banIP runtime information**
+```
+root@blackhole:~# /etc/init.d/banip status
::: banIP runtime information
- + status : enabled
- + version : 0.7.7
- + ipset_info : 2 IPSets with 30 IPs/Prefixes
- + active_sources : whitelist
- + active_devs : wlan0
- + active_ifaces : trm_wwan, trm_wwan6
- + active_logterms : dropbear, sshd, luci, nginx
- + active_subnets : xxx.xxx.xxx.xxx/24, xxxx:xxxx:xxxx:xx::xxx/128
- + run_infos : settype: src+dst, backup_dir: /tmp/banIP-Backup, report_dir: /tmp/banIP-Report
- + run_flags : protocols (4/6): ✔/✔, log (src/dst): ✔/✘, monitor: ✔, mail: ✘, whitelist only: ✔
- + last_run : restart, 0m 3s, 122/30/14, 21.04.2021 20:14:36
- + system : TP-Link RE650 v1, OpenWrt SNAPSHOT r16574-f7e00d81bc
-</code></pre>
-
-**black-/whitelist handling:**
-banIP supports a local black & whitelist (IPv4, IPv6, CIDR notation or domain names), located by default in /etc/banip/banip.whitelist and /etc/banip/banip.blacklist.
-Unsuccessful LuCI logins, suspicious nginx request or ssh login attempts via 'dropbear'/'sshd' could be tracked and automatically added to the local blacklist (see the 'ban_autoblacklist' option). Furthermore the uplink subnet could be automatically added to local whitelist (see 'ban_autowhitelist' option). The list behaviour could be further tweaked with different timeout and counter options (see the config options section above).
-Last but not least, both lists also accept domain names as input to allow IP filtering based on these names. The corresponding IPs (IPv4 & IPv6) will be resolved in a detached background process and added to the IPsets. The detached name lookup takes place only during 'restart' or 'reload' action, 'start' and 'refresh' actions are using an auto-generated backup instead.
-
-**whitelist-only mode:**
-banIP supports a "whitelist only" mode. This option allows to restrict the internet access from/to a small number of secure websites/IPs, and block access from/to the rest of the internet. All IPs and Domains which are _not_ listed in the whitelist are blocked. Please note: suspend/resume does not work in this mode.
-
-**Manually override the download options:**
-By default banIP uses the following pre-configured download options:
-* aria2c: <code>--timeout=20 --allow-overwrite=true --auto-file-renaming=false --log-level=warn --dir=/ -o</code>
-* curl: <code>--connect-timeout 20 --silent --show-error --location -o</code>
-* uclient-fetch: <code>--timeout=20 -O</code>
-* wget: <code>--no-cache --no-cookies --max-redirect=0 --timeout=20 -O</code>
-
-To override the default set 'ban_fetchparm' manually to your needs.
-
-**generate an IPSet report:**
-<pre><code>
-~# /etc/init.d/banip report
+ + status : active (nft: ✔, monitor: ✔)
+ + version : 0.8.8-1
+ + element_count : 104449
+ + active_feeds : allowlistv4MAC, allowlistv6MAC, allowlistv4, allowlistv6, cinsscorev4, deblv4, countryv6, countryv4, deblv6, dropv6, dropv4, dohv6, dohv4, edropv4, threatviewv4, firehol1v4, ipthreatv4, urlvirv4, blocklistv4MAC, blocklistv6MAC, blocklistv4, blocklistv6
+ + active_devices : br-wan ::: wan, wan6
+ + active_uplink : 91.63.198.120, 2a12:810c:0:80:a20d:52c3:5cf:f4f
+ + nft_info : priority: -200, policy: performance, loglevel: warn, expiry: -
+ + run_info : base: /mnt/data/banIP, backup: /mnt/data/banIP/backup, report: /mnt/data/banIP/report, custom feed: ✘
+ + run_flags : auto: ✔, proto (4/6): ✔/✔, log (wan-inp/wan-fwd/lan-fwd): ✔/✔/✔, dedup: ✔, split: ✘, allowed only: ✘
+ + last_run : action: restart, duration: 0m 19s, date: 2023-06-21 06:45:52
+ + system_info : cores: 4, memory: 1634, device: Bananapi BPI-R3, OpenWrt SNAPSHOT r23398-c4be106f4d
+```
+
+**banIP search information**
+```
+~# /etc/init.d/banip search 221.228.105.173
:::
-::: report on all banIP related IPSets
+::: banIP Search
:::
- + Report timestamp ::: 04.02.2021 06:24:41
- + Number of all IPSets ::: 24
- + Number of all entries ::: 302448
- + Number of IP entries ::: 224748
- + Number of CIDR entries ::: 77700
- + Number of MAC entries ::: 0
- + Number of accessed entries ::: 36
+ Looking for IP '221.228.105.173' on 2023-02-08 22:12:48
+ ---
+ IP found in Set 'oisdbasicv4'
+```
+
+**banIP survey information**
+```
+~# /etc/init.d/banip survey cinsscorev4
:::
-::: IPSet details
+::: banIP Survey
:::
- Name Type Count Cnt_IP Cnt_CIDR Cnt_MAC Cnt_ACC Entry details (Entry/Count)
- --------------------------------------------------------------------------------------------------------------------
- whitelist_4 src+dst 1 0 1 0 1
- xxx.xxxx.xxx.xxxx/24 85
- --------------------------------------------------------------------------------------------------------------------
- whitelist_6 src+dst 2 0 2 0 1
- xxxx:xxxx:xxxx::/64 29
- --------------------------------------------------------------------------------------------------------------------
- blacklist_4 src+dst 513 513 0 0 2
- 192.35.168.16 3
- 80.82.65.74 1
- --------------------------------------------------------------------------------------------------------------------
- blacklist_6 src+dst 1 1 0 0 0
- --------------------------------------------------------------------------------------------------------------------
- country_4 src 52150 0 52150 0 23
- 124.5.0.0/16 1
- 95.188.0.0/14 1
- 121.16.0.0/12 1
- 46.161.0.0/18 1
- 42.56.0.0/14 1
- 113.64.0.0/10 1
- 113.252.0.0/14 1
- 5.201.128.0/17 1
- 125.64.0.0/11 1
- 90.188.0.0/15 1
- 60.0.0.0/11 1
- 78.160.0.0/11 1
- 1.80.0.0/12 1
- 183.184.0.0/13 1
- 175.24.0.0/14 1
- 119.176.0.0/12 1
- 59.88.0.0/13 1
- 103.78.12.0/22 1
- 123.128.0.0/13 1
- 116.224.0.0/12 1
- 42.224.0.0/12 1
- 82.80.0.0/15 1
- 14.32.0.0/11 1
- --------------------------------------------------------------------------------------------------------------------
- country_6 src 20099 0 20099 0 0
- --------------------------------------------------------------------------------------------------------------------
- debl_4 src+dst 29389 29389 0 0 1
- 5.182.210.16 4
- --------------------------------------------------------------------------------------------------------------------
- debl_6 src+dst 64 64 0 0 0
- --------------------------------------------------------------------------------------------------------------------
- doh_4 src+dst 168 168 0 0 0
- --------------------------------------------------------------------------------------------------------------------
- doh_6 src+dst 122 122 0 0 0
- --------------------------------------------------------------------------------------------------------------------
- drop_4 src+dst 965 0 965 0 0
- --------------------------------------------------------------------------------------------------------------------
- drop_6 src+dst 36 0 36 0 0
- --------------------------------------------------------------------------------------------------------------------
- dshield_4 src+dst 20 0 20 0 1
- 89.248.165.0/24 1
- --------------------------------------------------------------------------------------------------------------------
- feodo_4 src+dst 325 325 0 0 0
- --------------------------------------------------------------------------------------------------------------------
- firehol1_4 src+dst 2763 403 2360 0 0
- --------------------------------------------------------------------------------------------------------------------
- iblockspy_4 src+dst 3650 2832 818 0 0
- --------------------------------------------------------------------------------------------------------------------
- nixspam_4 src+dst 9577 9577 0 0 0
- --------------------------------------------------------------------------------------------------------------------
- sslbl_4 src+dst 104 104 0 0 0
- --------------------------------------------------------------------------------------------------------------------
- threat_4 src+dst 1300 315 985 0 0
- --------------------------------------------------------------------------------------------------------------------
- tor_4 src+dst 1437 1437 0 0 0
- --------------------------------------------------------------------------------------------------------------------
- tor_6 src+dst 478 478 0 0 0
- --------------------------------------------------------------------------------------------------------------------
- uceprotect1_4 src+dst 156249 156249 0 0 6
- 192.241.220.137 1
- 128.14.137.178 1
- 61.219.11.153 1
- 138.34.32.33 1
- 107.174.133.130 2
- 180.232.99.46 1
- --------------------------------------------------------------------------------------------------------------------
- voip_4 src+dst 12563 12299 264 0 0
- --------------------------------------------------------------------------------------------------------------------
- yoyo_4 src+dst 10472 10472 0 0 1
- 204.79.197.200 2
- --------------------------------------------------------------------------------------------------------------------
-</code></pre>
-
-**Enable E-Mail notification via 'msmtp':**
-To use the email notification you have to install & configure the package 'msmtp'.
+ List of elements in the Set 'cinsscorev4' on 2023-03-06 14:07:58
+ ---
+1.10.187.179
+1.10.203.30
+1.10.255.58
+1.11.67.53
+1.11.114.211
+1.11.208.29
+1.12.75.87
+1.12.231.227
+1.12.247.134
+1.12.251.141
+1.14.96.156
+1.14.250.37
+1.15.40.79
+1.15.71.140
+1.15.77.237
+[...]
+```
+**default regex for logfile parsing**
+```
+list ban_logterm 'Exit before auth from'
+list ban_logterm 'luci: failed login'
+list ban_logterm 'error: maximum authentication attempts exceeded'
+list ban_logterm 'sshd.*Connection closed by.*\[preauth\]'
+list ban_logterm 'SecurityEvent=\"InvalidAccountID\".*RemoteAddress='
+```
+
+**allow-/blocklist handling**
+banIP supports local allow and block lists, MAC/IPv4/IPv6 addresses (incl. ranges in CIDR notation) or domain names. These files are located in /etc/banip/banip.allowlist and /etc/banip/banip.blocklist.
+Unsuccessful login attempts or suspicious requests will be tracked and added to the local blocklist (see the 'ban_autoblocklist' option). The blocklist behaviour can be further tweaked with the 'ban_nftexpiry' option.
+Depending on the options 'ban_autoallowlist' and 'ban_autoallowuplink' the uplink subnet or the uplink IP will be added automatically to local allowlist.
+Furthermore, you can reference external Allowlist URLs with additional IPv4 and IPv6 feeds (see 'ban_allowurl').
+Both local lists also accept domain names as input to allow IP filtering based on these names. The corresponding IPs (IPv4 & IPv6) will be extracted and added to the Sets. You can also start the domain lookup separately via /etc/init.d/banip lookup at any time.
+
+**MAC/IP-binding**
+banIP supports concatenation of local MAC addresses with IPv4/IPv6 addresses, e.g. to enforce dhcp assignments. Following notations in the local allow and block lists are allowed:
+```
+MAC-address only:
+C8:C2:9B:F7:80:12 => this will be populated to the v4MAC- and v6MAC-Sets with the IP-wildcards 0.0.0.0/0 and ::/0
+
+MAC-address with IPv4 concatenation:
+C8:C2:9B:F7:80:12 192.168.1.10 => this will be populated only to v4MAC-Set with the certain IP, no entry in the v6MAC-Set
+
+MAC-address with IPv6 concatenation:
+C8:C2:9B:F7:80:12 2a02:810c:0:80:a10e:62c3:5af:f3f => this will be populated only to v6MAC-Set with the certain IP, no entry in the v4MAC-Set
+
+MAC-address with IPv4 and IPv6 concatenation:
+C8:C2:9B:F7:80:12 192.168.1.10 => this will be populated to v4MAC-Set with the certain IP
+C8:C2:9B:F7:80:12 2a02:810c:0:80:a10e:62c3:5af:f3f => this will be populated to v6MAC-Set with the certain IP
+
+MAC-address with IPv4 and IPv6 wildcard concatenation:
+C8:C2:9B:F7:80:12 192.168.1.10 => this will be populated to v4MAC-Set with the certain IP
+C8:C2:9B:F7:80:12 => this will be populated to v6MAC-Set with the IP-wildcard ::/0
+```
+
+**allowlist-only mode**
+banIP supports an "allowlist only" mode. This option restricts the internet access from/to a small number of secure MACs, IPs or domains, and block access from/to the rest of the internet. All IPs and Domains which are _not_ listed in the allowlist are blocked.
+
+**redirect Asterisk security logs to lodg/logread**
+banIP only supports logfile scanning via logread, so to monitor attacks on Asterisk, its security log must be available via logread. To do this, edit '/etc/asterisk/logger.conf' and add the line 'syslog.local0 = security', then run 'asterisk -rx reload logger' to update the running Asterisk configuration.
+
+**send status E-Mails and update the banIP lists via cron job**
+For a regular, automatic status mailing and update of the used lists on a daily basis set up a cron job, e.g.
+```
+55 03 * * * /etc/init.d/banip report mail
+00 04 * * * /etc/init.d/banip reload
+```
+
+**tweaks for low memory systems**
+nftables supports the atomic loading of firewall rules (incl. elements), which is cool but unfortunately is also very memory intensive. To reduce the memory pressure on low memory systems (i.e. those with 256-512Mb RAM), you should optimize your configuration with the following options:
+
+ * point 'ban_basedir', 'ban_reportdir' and 'ban_backupdir' to an external usb drive
+ * set 'ban_cores' to '1' (only useful on a multicore system) to force sequential feed processing
+ * set 'ban_splitsize' e.g. to '1000' to split the load of an external Set after every 1000 lines/members
+ * set 'ban_reportelements' to '0' to disable the CPU intensive counting of Set elements
+
+**tweak the download options**
+By default banIP uses the following pre-configured download options:
+```
+ * aria2c: --timeout=20 --retry-wait=10 --max-tries=5 --max-file-not-found=5 --allow-overwrite=true --auto-file-renaming=false --log-level=warn --dir=/ -o
+ * curl: --connect-timeout 20 --retry-delay 10 --retry 5 --retry-all-errors --fail --silent --show-error --location -o
+ * wget: --no-cache --no-cookies --timeout=20 --waitretry=10 --tries=5 --retry-connrefused --max-redirect=0 -O
+ * uclient-fetch: --timeout=20 -O
+```
+To override the default set 'ban_fetchretry', 'ban_fetchinsecure' or globally 'ban_fetchparm' to your needs.
+
+**send E-Mail notifications via 'msmtp'**
+To use the email notification you must install & configure the package 'msmtp'.
Modify the file '/etc/msmtprc', e.g.:
-<pre><code>
+```
[...]
defaults
auth on
account ban_notify
host smtp.gmail.com
port 587
-from <address>@gmail.com
-user <gmail-user>
-password <password>
-</code></pre>
-Finally enable E-Mail support and add a valid E-Mail receiver address in LuCI.
-
-**Edit, add new banIP sources:**
-The banIP blocklist sources are stored in an external, compressed JSON file '/etc/banip/banip.sources.gz'.
-This file is directly parsed in LuCI and accessible via CLI, just call _/etc/init.d/banip list_.
-
-To add new or edit existing sources extract the compressed JSON file _gunzip /etc/banip/banip.sources.gz_.
-A valid JSON source object contains the following required information, e.g.:
-<pre><code>
+from <address>@gmail.com
+user <gmail-user>
+password <password>
+```
+Finally add a valid E-Mail receiver address.
+
+**change existing banIP feeds or add a new one**
+The banIP default blocklist feeds are stored in an external JSON file '/etc/banip/banip.feeds'. All custom changes should be stored in an external JSON file '/etc/banip/banip.custom.feeds' (empty by default). It's recommended to use the LuCI based Custom Feed Editor to make changes to this file.
+A valid JSON source object contains the following information, e.g.:
+```
[...]
- "tor": {
- "url_4": "https://lists.fissionrelays.net/tor/exits-ipv4.txt",
- "url_6": "https://lists.fissionrelays.net/tor/exits-ipv6.txt",
- "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add tor_4 \"$1}",
- "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{print \"add tor_6 \"$1}",
- "focus": "Tor exit nodes",
- "descurl": "https://fissionrelays.net/lists"
+ "tor":{
+ "url_4": "https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst",
+ "url_6": "https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst",
+ "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
+ "rule_6": "/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\\/(1?[0-2][0-8]|[0-9][0-9]))?)$/{printf \"%s,\\n\",$1}",
+ "descr": "tor exit nodes",
+ "flag": ""
},
[...]
-</code></pre>
-Add an unique object name, make the required changes to 'url_4', 'rule_4' (and/or 'url_6', 'rule_6'), 'focus' and 'descurl' and finally compress the changed JSON file _gzip /etc/banip/banip.sources.gz_ to use the new source object in banIP.
-<b>Please note:</b> if you're going to add new sources on your own, please make a copy of the default file and work with that copy further on, cause the default will be overwritten with every banIP update. To reference your copy set the option 'ban\_srcarc' which points by default to '/etc/banip/banip.sources.gz'
-
+```
+Add an unique feed name (no spaces, no special chars) and make the required changes: adapt at least the URL, the regex and the description for a new feed. The flag is optional, currently only 'gz' is supported to process archive downloads.
+
## Support
-Please join the banIP discussion in this [forum thread](https://forum.openwrt.org/t/banip-support-thread/16985) or contact me by mail <dev@brenken.org>
+Please join the banIP discussion in this [forum thread](https://forum.openwrt.org/t/banip-support-thread/16985) or contact me by mail <dev@brenken.org>
## Removal
* stop all banIP related services with _/etc/init.d/banip stop_
-* optional: remove the banip package (_opkg remove banip_)
+* remove the banip package (_opkg remove banip_)
Have fun!
-Dirk
+Dirk
projects / feed / packages.git / blobdiff