1 # banIP shared function library/include
2 # Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org)
3 # This is free software, licensed under the GNU General Public License v3.
5 # (s)hellcheck exceptions
6 # shellcheck disable=all
11 export PATH
="/usr/sbin:/usr/bin:/sbin:/bin"
14 ban_backupdir
="/tmp/banIP-backup"
15 ban_reportdir
="/tmp/banIP-report"
16 ban_feedfile
="/etc/banip/banip.feeds"
17 ban_allowlist
="/etc/banip/banip.allowlist"
18 ban_blocklist
="/etc/banip/banip.blocklist"
19 ban_mailtemplate
="/etc/banip/banip.tpl"
20 ban_pidfile
="/var/run/banip.pid"
21 ban_rtfile
="/var/run/banip_runtime.json"
22 ban_lock
="/var/run/banip.lock"
24 ban_logreadcmd
="$(command -v logread)"
25 ban_logcmd
="$(command -v logger)"
26 ban_ubuscmd
="$(command -v ubus)"
27 ban_nftcmd
="$(command -v nft)"
28 ban_fw4cmd
="$(command -v fw4)"
29 ban_awkcmd
="$(command -v awk)"
30 ban_grepcmd
="$(command -v grep)"
31 ban_lookupcmd
="$(command -v nslookup)"
32 ban_mailcmd
="$(command -v msmtp)"
33 ban_mailsender
="no-reply@banIP"
35 ban_mailtopic
="banIP notification"
36 ban_mailprofile
="ban_notify"
37 ban_mailnotifcation
="0"
38 ban_reportelements
="1"
39 ban_nftloglevel
="warn"
40 ban_nftpriority
="-200"
41 ban_nftpolicy
="memory"
59 ban_blockforwardwan
=""
60 ban_blockforwardlan
=""
76 # gather system information
81 [ -z "${ban_dev}" ] && ban_cores
="$(uci_get banip global ban_cores)"
82 ban_memory
="$("${ban_awkcmd}" '/^MemAvailable/{printf "%s
",int($2/1000)}' "/proc
/meminfo
" 2>/dev/null)"
83 ban_ver
="$(${ban_ubuscmd} -S call rpc-sys packagelist '{ "all
": true }' 2>/dev/null | jsonfilter -ql1 -e '@.packages.banip')"
84 ban_sysver
="$(${ban_ubuscmd} -S call system board 2>/dev/null | jsonfilter -ql1 -e '@.model' -e '@.release.description' |
85 "${ban_awkcmd}" 'BEGIN{RS="";FS="\n"}{printf "%s
, %s
",$1,$2}')"
86 if [ -z "${ban_cores}" ]; then
87 cpu
="$("${ban_grepcmd}" -c '^processor' /proc/cpuinfo 2>/dev/null)"
88 core
="$("${ban_grepcmd}" -cm1 '^core id' /proc/cpuinfo 2>/dev/null)"
89 [ "${cpu}" = "0" ] && cpu
="1"
90 [ "${core}" = "0" ] && core
="1"
91 ban_cores
="$((cpu * core))"
94 f_log
"debug" "f_system ::: system: ${ban_sysver:-"n/a"}, version: ${ban_ver:-"n/a"}, memory: ${ban_memory:-"0"}, cpu_cores: ${ban_cores}"
102 if [ ! -d "${dir}" ]; then
105 f_log
"debug" "f_mkdir ::: created directory: ${dir}"
114 if [ ! -f "${file}" ]; then
116 f_log
"debug" "f_mkfile ::: created file: ${file}"
120 # create temporary files and directories
123 f_mkdir
"${ban_basedir}"
124 ban_tmpdir
="$(mktemp -p "${ban_basedir}" -d)"
125 ban_tmpfile
="$(mktemp -p "${ban_tmpdir}" -tu)"
127 f_log
"debug" "f_tmp ::: base_dir: ${ban_basedir:-"-"}, tmp_dir: ${ban_tmpdir:-"-"}"
135 if [ -d "${dir}" ]; then
137 f_log
"debug" "f_rmdir ::: deleted directory: ${dir}"
146 [ "${char}" = "1" ] && printf "%s" "✔" ||
printf "%s" "✘"
154 string
="${string#"${string%%[![:space:]]*}"}"
155 string
="${string%"${string##*[![:space:]]}"}"
156 printf "%s" "${string}"
162 local class
="${1}" log_msg
="${2}"
164 if [ -n "${log_msg}" ] && { [ "${class}" != "debug" ] || [ "${ban_debug}" = "1" ]; }; then
165 if [ -x "${ban_logcmd}" ]; then
166 "${ban_logcmd}" -p "${class}" -t "banIP-${ban_ver}[${$}]" "${log_msg}"
168 printf "%s
%s
%s
\n" "${class}" "banIP-${ban_ver}[${$}]" "${log_msg}"
171 if [ "${class}" = "err
" ]; then
172 "${ban_nftcmd}" delete table inet banIP >/dev/null 2>&1
173 if [ "${ban_enabled}" = "1" ]; then
175 [ "${ban_mailnotification}" = "1" ] && [ -n "${ban_mailreceiver}" ] && [ -x "${ban_mailcmd}" ] && f_mail
177 f_genstatus "disabled
"
179 f_rmdir "${ban_tmpdir}"
189 unset ban_dev ban_ifv4 ban_ifv6 ban_feed ban_blockinput ban_blockforwardwan ban_blockforwardlan ban_logterm ban_country ban_asn
194 eval "${option}=\"${value}\""
201 eval "${option}=\"$(printf "%s" "${ban_dev}")${value} \""
204 eval "${option}=\"$(printf "%s" "${ban_ifv4}")${value} \""
207 eval "${option}=\"$(printf "%s" "${ban_ifv6}")${value} \""
210 eval "${option}=\"$(printf "%s" "${ban_feed}")${value} \""
213 eval "${option}=\"$(printf "%s" "${ban_blockinput}")${value} \""
215 "ban_blockforwardwan
")
216 eval "${option}=\"$(printf "%s" "${ban_blockforwardwan}")${value} \""
218 "ban_blockforwardlan
")
219 eval "${option}=\"$(printf "%s" "${ban_blockforwardlan}")${value} \""
222 eval "${option}=\"$(printf "%s" "${ban_logterm}")${value}\\|
\""
225 eval "${option}=\"$(printf "%s" "${ban_country}")${value} \""
228 eval "${option}=\"$(printf "%s" "${ban_asn}")${value} \""
235 [ "${ban_action}" = "boot" ] && [ -z "${ban_trigger}" ] && sleep ${ban_triggerdelay}
238 # prepare fetch utility
241 local ut utils packages insecure
243 if [ -z "${ban_fetchcmd}" ] ||
[ ! -x "${ban_fetchcmd}" ]; then
244 packages
="$(${ban_ubuscmd} -S call rpc-sys packagelist 2>/dev/null)"
245 [ -z "${packages}" ] && f_log
"err" "local opkg package repository is not available, please set the download utility 'ban_fetchcmd' manually"
246 utils
="aria2c curl wget uclient-fetch"
247 for ut
in ${utils}; do
248 if { [ "${ut}" = "uclient-fetch" ] && printf "%s" "${packages}" | "${ban_grepcmd}" -q '"libustream-'; } ||
249 { [ "${ut}" = "wget" ] && printf "%s" "${packages}" | "${ban_grepcmd}" -q '"wget-ssl'; } ||
250 [ "${ut}" = "curl" ] ||
[ "${ut}" = "aria2c" ]; then
251 ban_fetchcmd
="$(command -v "${ut}")"
252 if [ -x "${ban_fetchcmd}" ]; then
253 uci_set banip global ban_fetchcmd
"${ban_fetchcmd##*/}"
260 [ ! -x "${ban_fetchcmd}" ] && f_log
"err" "download utility with SSL support not found"
261 case "${ban_fetchcmd##*/}" in
263 [ "${ban_fetchinsecure}" = "1" ] && insecure
="--check-certificate=false"
264 ban_fetchparm
="${ban_fetchparm:-"${insecure} --timeout=20 --allow-overwrite=true --auto-file-renaming=false --log-level=warn --dir=/ -o"}"
267 [ "${ban_fetchinsecure}" = "1" ] && insecure
="--insecure"
268 ban_fetchparm
="${ban_fetchparm:-"${insecure} --connect-timeout 20 --fail --silent --show-error --location -o"}"
271 [ "${ban_fetchinsecure}" = "1" ] && insecure
="--no-check-certificate"
272 ban_fetchparm
="${ban_fetchparm:-"${insecure} --timeout=20 -O"}"
275 [ "${ban_fetchinsecure}" = "1" ] && insecure
="--no-check-certificate"
276 ban_fetchparm
="${ban_fetchparm:-"${insecure} --no-cache --no-cookies --max-redirect=0 --timeout=20 -O"}"
280 f_log
"debug" "f_fetch ::: fetch_cmd: ${ban_fetchcmd:-"-"}, fetch_parm: ${ban_fetchparm:-"-"}"
288 ppid
="$(cat "${ban_pidfile}" 2>/dev/null)"
289 [ -n "${ppid}" ] && pids
="$(pgrep -P "${ppid}" 2>/dev/null)" ||
return 0
290 for pid
in ${pids}; do
291 kill -INT "${pid}" >/dev
/null
2>&1
296 # get nft/monitor actuals
301 if "${ban_nftcmd}" -t list
set inet banIP allowlistvMAC
>/dev
/null
2>&1; then
306 if pgrep
-f "logread" -P "$(cat "${ban_pidfile}" 2>/dev/null)" >/dev
/null
2>&1; then
307 monitor
="$(f_char "1")"
309 monitor
="$(f_char "0")"
311 printf "%s" "nft: ${nft}, monitor: ${monitor}"
317 local iface update
="0"
319 if [ "${ban_autodetect}" = "1" ]; then
320 if [ -z "${ban_ifv4}" ]; then
322 network_find_wan iface
323 if [ -n "${iface}" ] && "${ban_ubuscmd}" -t 10 wait_for network.interface."${iface}" >/dev
/null
2>&1; then
326 uci_set banip global ban_protov4
"1"
327 uci_add_list banip global ban_ifv4
"${iface}"
328 f_log
"info" "added IPv4 interface '${iface}' to config"
331 if [ -z "${ban_ifv6}" ]; then
333 network_find_wan6 iface
334 if [ -n "${iface}" ] && "${ban_ubuscmd}" -t 10 wait_for network.interface."${iface}" >/dev
/null
2>&1; then
337 uci_set banip global ban_protov6
"1"
338 uci_add_list banip global ban_ifv6
"${iface}"
339 f_log
"info" "added IPv6 interface '${iface}' to config"
343 if [ -n "$(uci -q changes "banip
")" ]; then
347 ban_ifv4
="${ban_ifv4%%?}"
348 ban_ifv6
="${ban_ifv6%%?}"
349 for iface
in ${ban_ifv4} ${ban_ifv6}; do
350 if ! "${ban_ubuscmd}" -t 10 wait_for network.interface.
"${iface}" >/dev
/null
2>&1; then
351 f_log
"err" "wan interface '${iface}' is not available, please check your configuration"
355 [ -z "${ban_ifv4}" ] && [ -z "${ban_ifv6}" ] && f_log
"err" "wan interfaces not found, please check your configuration"
357 f_log
"debug" "f_getif ::: auto/update: ${ban_autodetect}/${update}, interfaces (4/6): ${ban_ifv4}/${ban_ifv6}, protocols (4/6): ${ban_protov4}/${ban_protov6}"
363 local dev iface update
="0" cnt
="0" cnt_max
="30"
365 if [ "${ban_autodetect}" = "1" ]; then
366 while [ "${cnt}" -lt "${cnt_max}" ] && [ -z "${ban_dev}" ]; do
368 for iface
in ${ban_ifv4} ${ban_ifv6}; do
369 network_get_device dev
"${iface}"
370 if [ -n "${dev}" ]; then
371 if printf "%s" "${dev}" |
"${ban_grepcmd}" -qE "pppoe|6in4"; then
374 if ! printf " %s " "${ban_dev}" | "${ban_grepcmd}" -q " ${dev} "; then
375 ban_dev
="${ban_dev}${dev} "
376 uci_add_list banip global ban_dev
"${dev}"
377 f_log
"info" "added device '${dev}' to config"
385 if [ -n "$(uci -q changes "banip
")" ]; then
389 ban_dev
="${ban_dev%%?}"
390 [ -z "${ban_dev}" ] && f_log
"err" "wan devices not found, please check your configuration"
392 f_log
"debug" "f_getdev ::: auto/update: ${ban_autodetect}/${update}, devices: ${ban_dev}, cnt: ${cnt}"
398 local sub iface ip update
="0"
400 if [ "${ban_autoallowlist}" = "1" ]; then
401 for iface
in ${ban_ifv4} ${ban_ifv6}; do
403 network_get_subnet sub
"${iface}"
404 if [ -n "${sub}" ] && ! printf " %s " "${ban_sub}" | "${ban_grepcmd}" -q " ${sub} "; then
405 ban_sub
="${ban_sub}${sub} "
407 network_get_subnet6 sub
"${iface}"
408 if [ -n "${sub}" ] && ! printf " %s " "${ban_sub}" | "${ban_grepcmd}" -q " ${sub} "; then
409 ban_sub
="${ban_sub}${sub} "
412 for ip
in ${ban_sub}; do
413 if ! "${ban_grepcmd}" -q "${ip}" "${ban_allowlist}"; then
415 printf "%-42s%s\n" "${ip}" "# subnet added on $(date "+%Y-
%m-
%d
%H
:%M
:%S
")" >>"${ban_allowlist}"
416 f_log
"info" "added subnet '${ip}' to local allowlist"
419 ban_sub
="${ban_sub%%?}"
422 f_log
"debug" "f_getsub ::: auto/update: ${ban_autoallowlist}/${update}, subnet(s): ${ban_sub:-"-"}"
430 [ -s "${file}" ] && printf "%s" "elements={ $(cat "${file}" 2>/dev/null) };"
433 # build initial nft file with base table, chains and rules
436 local feed_log feed_rc
file="${1}"
439 # nft header (tables and chains)
441 printf "%s\n\n" "#!/usr/sbin/nft -f"
442 if "${ban_nftcmd}" -t list
set inet banIP allowlistvMAC
>/dev
/null
2>&1; then
443 printf "%s\n" "delete table inet banIP"
445 printf "%s\n" "add table inet banIP"
446 printf "%s\n" "add chain inet banIP wan-input { type filter hook input priority ${ban_nftpriority}; policy accept; }"
447 printf "%s\n" "add chain inet banIP wan-forward { type filter hook forward priority ${ban_nftpriority}; policy accept; }"
448 printf "%s\n" "add chain inet banIP lan-forward { type filter hook forward priority ${ban_nftpriority}; policy accept; }"
450 # default wan-input rules
452 printf "%s\n" "add rule inet banIP wan-input ct state established,related counter accept"
453 printf "%s\n" "add rule inet banIP wan-input iifname != { ${ban_dev// /, } } counter accept"
454 printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv4 udp sport 67-68 udp dport 67-68 counter accept"
455 printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 udp sport 547 udp dport 546 counter accept"
456 printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv4 icmp type { echo-request } limit rate 1000/second counter accept"
457 printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { echo-request } limit rate 1000/second counter accept"
458 printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} limit rate 1000/second ip6 hoplimit 1 counter accept"
459 printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} limit rate 1000/second ip6 hoplimit 255 counter accept"
461 # default wan-forward rules
463 printf "%s\n" "add rule inet banIP wan-forward ct state established,related counter accept"
464 printf "%s\n" "add rule inet banIP wan-forward iifname != { ${ban_dev// /, } } counter accept"
466 # default lan-forward rules
468 printf "%s\n" "add rule inet banIP lan-forward ct state established,related counter accept"
469 printf "%s\n" "add rule inet banIP lan-forward oifname != { ${ban_dev// /, } } counter accept"
472 # load initial banIP table within nft (atomic load)
474 feed_log
="$("${ban_nftcmd}" -f "${file}" 2>&1)"
477 f_log
"debug" "f_nftinit ::: devices: ${ban_dev}, priority: ${ban_nftpriority}, policy: ${ban_nftpolicy}, loglevel: ${ban_nftloglevel}, rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}"
484 local log_input log_forwardwan log_forwardlan start_ts end_ts tmp_raw tmp_load tmp_file split_file ruleset_raw handle
485 local cnt_set cnt_dl restore_rc feed_direction feed_rc feed_log feed
="${1}" proto="${2}" feed_url="${3}" feed_rule="${4}" feed_flag="${5}"
487 start_ts
="$(date +%s)"
488 feed
="${feed}v${proto}"
489 tmp_load
="${ban_tmpfile}.${feed}.load"
490 tmp_raw
="${ban_tmpfile}.${feed}.raw"
491 tmp_split
="${ban_tmpfile}.${feed}.split"
492 tmp_file
="${ban_tmpfile}.${feed}.file"
493 tmp_flush
="${ban_tmpfile}.${feed}.flush"
494 tmp_nft
="${ban_tmpfile}.${feed}.nft"
496 [ "${ban_loginput}" = "1" ] && log_input="log level ${ban_nftloglevel} prefix \"banIP/inp-wan/drp/${feed}: \""
497 [ "${ban_logforwardwan}" = "1" ] && log_forwardwan="log level ${ban_nftloglevel} prefix \"banIP/fwd-wan/drp/${feed}: \""
498 [ "${ban_logforwardlan}" = "1" ] && log_forwardlan="log level ${ban_nftloglevel} prefix \"banIP/fwd-lan/rej/${feed}: \""
500 # set source block direction
502 if printf "%s" "${ban_blockinput}" | "${ban_grepcmd}" -q "${feed%v*}"; then
503 feed_direction
="input"
505 if printf "%s" "${ban_blockforwardwan}" | "${ban_grepcmd}" -q "${feed%v*}"; then
506 feed_direction
="${feed_direction} forwardwan"
508 if printf "%s" "${ban_blockforwardlan}" | "${ban_grepcmd}" -q "${feed%v*}"; then
509 feed_direction
="${feed_direction} forwardlan"
512 # chain/rule maintenance
514 if [ "${ban_action}" = "reload" ] && "${ban_nftcmd}" -t list set inet banIP "${feed}" >/dev
/null
2>&1; then
515 ruleset_raw
="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null)"
517 printf "%s\n" "flush set inet banIP ${feed}"
518 handle
="$(printf "%s
\n" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables
[@.rule.table
=\"banIP
\"&&@.rule.chain
=\"wan-input
\"][@.
expr[0].match.right
=\"@
${feed}\"].handle
")"
519 [ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP wan-input handle ${handle}"
520 handle
="$(printf "%s
\n" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables
[@.rule.table
=\"banIP
\"&&@.rule.chain
=\"wan-forward
\"][@.
expr[0].match.right
=\"@
${feed}\"].handle
")"
521 [ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP wan-forward handle ${handle}"
522 handle
="$(printf "%s
\n" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables
[@.rule.table
=\"banIP
\"&&@.rule.chain
=\"lan-forward
\"][@.
expr[0].match.right
=\"@
${feed}\"].handle
")"
523 [ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP lan-forward handle ${handle}"
527 # restore local backups during init
529 if { [ "${ban_action}" != "reload" ] || [ "${feed_url}" = "local" ]; } && [ "${feed%v*}" != "allowlist" ] && [ "${feed%v*}" != "blocklist" ]; then
530 f_restore
"${feed}" "${feed_url}" "${tmp_load}"
532 feed_rc
="${restore_rc}"
537 if [ "${feed%v*}" = "allowlist" ]; then
539 printf "%s\n\n" "#!/usr/sbin/nft -f"
540 [ -s "${tmp_flush}" ] && cat "${tmp_flush}"
541 if [ "${proto}" = "MAC" ]; then
542 "${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s, ",tolower($1)}' "${ban_allowlist}" >"${tmp_file}"
543 printf "%s\n" "add set inet banIP ${feed} { type ether_addr; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
544 [ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ether saddr @${feed} counter accept"
545 elif [ "${proto}" = "4" ]; then
546 "${ban_awkcmd}" '/^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{printf "%s, ",$1}' "${ban_allowlist}" >"${tmp_file}"
547 printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
548 if [ -z "${feed_direction##*input*}" ]; then
549 if [ "${ban_allowlistonly}" = "1" ]; then
550 printf "%s\n" "add rule inet banIP wan-input ip saddr != @${feed} ${log_input} counter drop"
552 printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} counter accept"
555 if [ -z "${feed_direction##*forwardwan*}" ]; then
556 if [ "${ban_allowlistonly}" = "1" ]; then
557 printf "%s\n" "add rule inet banIP wan-forward ip saddr != @${feed} ${log_forwardwan} counter drop"
559 printf "%s\n" "add rule inet banIP wan-forward ip saddr @${feed} counter accept"
562 if [ -z "${feed_direction##*forwardlan*}" ]; then
563 if [ "${ban_allowlistonly}" = "1" ]; then
564 printf "%s\n" "add rule inet banIP lan-forward ip daddr != @${feed} ${log_forwardlan} counter reject with icmp type admin-prohibited"
566 printf "%s\n" "add rule inet banIP lan-forward ip daddr @${feed} counter accept"
569 elif [ "${proto}" = "6" ]; then
570 "${ban_awkcmd}" '!/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s\n",$1}' "${ban_allowlist}" |
571 "${ban_awkcmd}" '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{printf "%s, ",tolower($1)}' >"${tmp_file}"
572 printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
573 if [ -z "${feed_direction##*input*}" ]; then
574 if [ "${ban_allowlistonly}" = "1" ]; then
575 printf "%s\n" "add rule inet banIP wan-input ip6 saddr != @${feed} ${log_input} counter drop"
577 printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} counter accept"
580 if [ -z "${feed_direction##*forwardwan*}" ]; then
581 if [ "${ban_allowlistonly}" = "1" ]; then
582 printf "%s\n" "add rule inet banIP wan-forward ip6 saddr != @${feed} ${log_forwardwan} counter drop"
584 printf "%s\n" "add rule inet banIP wan-forward ip6 saddr @${feed} counter accept"
587 if [ -z "${feed_direction##*forwardlan*}" ]; then
588 if [ "${ban_allowlistonly}" = "1" ]; then
589 printf "%s\n" "add rule inet banIP lan-forward ip6 daddr != @${feed} ${log_forwardlan} counter reject with icmpv6 type admin-prohibited"
591 printf "%s\n" "add rule inet banIP lan-forward ip6 daddr @${feed} counter accept"
597 elif [ "${feed%v*}" = "blocklist" ]; then
599 printf "%s\n\n" "#!/usr/sbin/nft -f"
600 [ -s "${tmp_flush}" ] && cat "${tmp_flush}"
601 if [ "${proto}" = "MAC" ]; then
602 "${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s, ",tolower($1)}' "${ban_blocklist}" >"${tmp_file}"
603 printf "%s\n" "add set inet banIP ${feed} { type ether_addr; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
604 [ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ether saddr @${feed} ${log_forwardlan} counter reject"
605 elif [ "${proto}" = "4" ]; then
606 if [ "${ban_deduplicate}" = "1" ]; then
607 "${ban_awkcmd}" '/^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{printf "%s,\n",$1}' "${ban_blocklist}" >"${tmp_raw}"
608 "${ban_awkcmd}" 'NR==FNR{member[$0];next}!($0 in member)' "${ban_tmpfile}.deduplicate" "${tmp_raw}" 2>/dev/null >"${tmp_split}"
609 "${ban_awkcmd}" 'BEGIN{FS="[ ,]"}NR==FNR{member[$1];next}!($1 in member)' "${ban_tmpfile}.deduplicate" "${ban_blocklist}" 2>/dev/null >"${tmp_raw}"
610 cat "${tmp_raw}" 2>/dev
/null
>"${ban_blocklist}"
612 "${ban_awkcmd}" '/^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{printf "%s,\n",$1}' "${ban_blocklist}" >"${tmp_split}"
614 "${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}"
615 printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval, timeout; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
616 [ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} ${log_input} counter drop"
617 [ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip saddr @${feed} ${log_forwardwan} counter drop"
618 [ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ip daddr @${feed} ${log_forwardlan} counter reject with icmp type admin-prohibited"
619 elif [ "${proto}" = "6" ]; then
620 if [ "${ban_deduplicate}" = "1" ]; then
621 "${ban_awkcmd}" '!/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s\n",$1}' "${ban_blocklist}" |
622 "${ban_awkcmd}" '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{printf "%s,\n",tolower($1)}' >"${tmp_raw}"
623 "${ban_awkcmd}" 'NR==FNR{member[$0];next}!($0 in member)' "${ban_tmpfile}.deduplicate" "${tmp_raw}" 2>/dev/null >"${tmp_split}"
624 "${ban_awkcmd}" 'BEGIN{FS="[ ,]"}NR==FNR{member[$1];next}!($1 in member)' "${ban_tmpfile}.deduplicate" "${ban_blocklist}" 2>/dev/null >"${tmp_raw}"
625 cat "${tmp_raw}" 2>/dev
/null
>"${ban_blocklist}"
627 "${ban_awkcmd}" '!/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s\n",$1}' "${ban_blocklist}" |
628 "${ban_awkcmd}" '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{printf "%s,\n",tolower($1)}' >"${tmp_split}"
630 "${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}"
631 printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval, timeout; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
632 [ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} ${log_input} counter drop"
633 [ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip6 saddr @${feed} ${log_forwardwan} counter drop"
634 [ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ip6 daddr @${feed} ${log_forwardlan} counter reject with icmpv6 type admin-prohibited"
638 # handle external downloads
640 elif [ "${restore_rc}" != "0" ] && [ "${feed_url}" != "local" ]; then
641 # handle country downloads
643 if [ "${feed%v*}" = "country" ]; then
644 for country
in ${ban_country}; do
645 feed_log
="$("${ban_fetchcmd}" ${ban_fetchparm} "${tmp_raw}" "${feed_url}${country}-aggregated.zone
" 2>&1)"
647 [ "${feed_rc}" = "0" ] && cat "${tmp_raw}" 2>/dev/null >>"${tmp_load}"
651 # handle asn downloads
653 elif [ "${feed%v*}" = "asn" ]; then
654 for asn
in ${ban_asn}; do
655 feed_log
="$("${ban_fetchcmd}" ${ban_fetchparm} "${tmp_raw}" "${feed_url}AS${asn}" 2>&1)"
657 [ "${feed_rc}" = "0" ] && cat "${tmp_raw}" 2>/dev/null >>"${tmp_load}"
661 # handle compressed downloads
663 elif [ -n "${feed_flag}" ]; then
664 case "${feed_flag}" in
666 feed_log
="$("${ban_fetchcmd}" ${ban_fetchparm} "${tmp_raw}" "${feed_url}" 2>&1)"
668 if [ "${feed_rc}" = "0" ]; then
669 zcat
"${tmp_raw}" 2>/dev
/null
>"${tmp_load}"
676 # handle normal downloads
679 feed_log
="$("${ban_fetchcmd}" ${ban_fetchparm} "${tmp_load}" "${feed_url}" 2>&1)"
686 if [ "${restore_rc}" != "0" ] && [ "${feed_rc}" = "0" ] && [ "${feed_url}" != "local" ] && [ ! -s "${tmp_nft}" ]; then
687 f_backup
"${feed}" "${tmp_load}"
689 elif [ -z "${restore_rc}" ] && [ "${feed_rc}" != "0" ] && [ "${feed_url}" != "local" ] && [ ! -s "${tmp_nft}" ]; then
690 f_restore
"${feed}" "${feed_url}" "${tmp_load}" "${feed_rc}"
694 # build nft file with set and rules for regular downloads
696 if [ "${feed_rc}" = "0" ] && [ ! -s "${tmp_nft}" ]; then
699 if [ "${ban_deduplicate}" = "1" ] && [ "${feed_url}" != "local" ]; then
700 "${ban_awkcmd}" "${feed_rule}" "${tmp_load}" 2>/dev/null >"${tmp_raw}"
701 "${ban_awkcmd}" 'NR==FNR{member[$0];next}!($0 in member)' "${ban_tmpfile}.deduplicate" "${tmp_raw}" 2>/dev/null | tee -a "${ban_tmpfile}.deduplicate" >"${tmp_split}"
703 "${ban_awkcmd}" "${feed_rule}" "${tmp_load}" 2>/dev/null >"${tmp_split}"
708 if [ "${feed_rc}" = "0" ]; then
709 if [ -n "${ban_splitsize//[![:digit]]/}" ] && [ "${ban_splitsize//[![:digit]]/}" -gt "0" ]; then
710 if ! "${ban_awkcmd}" "NR%${ban_splitsize//[![:digit]]/}==1{file=\"${tmp_file}.\"++i;}{ORS=\" \";print > file}" "${tmp_split}" 2>/dev
/null
; then
711 rm -f "${tmp_file}".
*
712 f_log
"info" "failed to split ${feed} set to size '${ban_splitsize//[![:digit]]/}'"
715 "${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}.1"
719 rm -f "${tmp_raw}" "${tmp_load}"
720 if [ "${feed_rc}" = "0" ] && [ "${proto}" = "4" ]; then
722 # nft header (IPv4 set)
724 printf "%s\n\n" "#!/usr/sbin/nft -f"
725 [ -s "${tmp_flush}" ] && cat "${tmp_flush}"
726 printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}.1") }"
728 # input and forward rules
730 [ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip saddr @${feed} ${log_input} counter drop"
731 [ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip saddr @${feed} ${log_forwardwan} counter drop"
732 [ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ip daddr @${feed} ${log_forwardlan} counter reject with icmp type admin-prohibited"
734 elif [ "${feed_rc}" = "0" ] && [ "${proto}" = "6" ]; then
736 # nft header (IPv6 set)
738 printf "%s\n\n" "#!/usr/sbin/nft -f"
739 [ -s "${tmp_flush}" ] && cat "${tmp_flush}"
740 printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}.1") }"
742 # input and forward rules
744 [ -z "${feed_direction##*input*}" ] && printf "%s\n" "add rule inet banIP wan-input ip6 saddr @${feed} ${log_input} counter drop"
745 [ -z "${feed_direction##*forwardwan*}" ] && printf "%s\n" "add rule inet banIP wan-forward ip6 saddr @${feed} ${log_forwardwan} counter drop"
746 [ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ip6 daddr @${feed} ${log_forwardlan} counter reject with icmpv6 type admin-prohibited"
751 # load generated nft file in banIP table
753 if [ "${feed_rc}" = "0" ]; then
754 cnt_dl
="$("${ban_awkcmd}" 'END{printf "%d
",NR}' "${tmp_split}" 2>/dev/null)"
755 if [ "${cnt_dl:-"0"}" -gt "0" ] || [ "${feed_url}" = "local" ] || [ "${feed%v*}" = "allowlist" ] || [ "${feed%v*}" = "blocklist" ]; then
756 feed_log
="$("${ban_nftcmd}" -f "${tmp_nft}" 2>&1)"
758 # load additional split files
760 if [ "${feed_rc}" = "0" ]; then
761 for split_file
in "${tmp_file}".
*; do
762 [ ! -f "${split_file}" ] && break
763 if [ "${split_file##*.}" = "1" ]; then
764 rm -f "${split_file}"
767 if ! "${ban_nftcmd}" add element inet banIP "${feed}" "{ $(cat "${split_file}") }" >/dev
/null
2>&1; then
768 f_log
"info" "failed to add split file '${split_file##*.}' to ${feed} set"
770 rm -f "${split_file}"
772 if [ "${ban_debug}" = "1" ] && [ "${ban_reportelements}" = "1" ]; then
773 cnt_set
="$("${ban_nftcmd}" -j list set inet banIP "${feed}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)"
777 f_log
"info" "empty feed ${feed} will be skipped"
780 rm -f "${tmp_split}" "${tmp_nft}"
783 f_log
"debug" "f_down ::: name: ${feed}, cnt_dl: ${cnt_dl:-"-"}, cnt_set: ${cnt_set:-"-"}, split_size: ${ban_splitsize:-"-"}, time: $((end_ts - start_ts)), rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}"
789 local backup_rc feed
="${1}" feed_file
="${2}"
791 gzip -cf "${feed_file}" >"${ban_backupdir}/banIP.${feed}.gz"
794 f_log
"debug" "f_backup ::: name: ${feed}, source: ${feed_file##*/}, target: banIP.${feed}.gz, rc: ${backup_rc}"
801 local tmp_feed restore_rc
="1" feed
="${1}" feed_url="${2}" feed_file="${3}" feed_rc="${4:-"0"}"
803 [ "${feed_rc}" != "0" ] && restore_rc
="${feed_rc}"
804 [ "${feed_url}" = "local" ] && tmp_feed="${feed%v*}v4" || tmp_feed="${feed}"
805 if [ -f "${ban_backupdir}/banIP.${tmp_feed}.gz" ]; then
806 zcat
"${ban_backupdir}/banIP.${tmp_feed}.gz" 2>/dev/null >"${feed_file}"
810 f_log
"debug" "f_restore ::: name: ${feed}, source: banIP.${tmp_feed}.gz, target: ${feed_file##*/}, in_rc: ${feed_rc}, rc: ${restore_rc}"
814 # remove disabled feeds
817 local tmp_del ruleset_raw table_sets handle
set del_set feed_log feed_rc
819 tmp_del
="${ban_tmpfile}.final.delete"
820 ruleset_raw
="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null)"
821 table_sets
="$(printf "%s
\n" "${ruleset_raw}" | jsonfilter -qe '@.nftables[@.set.table="banIP
"].set.name')"
823 printf "%s\n\n" "#!/usr/sbin/nft -f"
824 for set in ${table_sets}; do
825 if ! printf "%s" "allowlist blocklist ${ban_feed}" | "${ban_grepcmd}" -q "${set%v*}"; then
826 del_set
="${del_set}${set}, "
827 rm -f "${ban_backupdir}/banIP.${set}.gz"
828 printf "%s\n" "flush set inet banIP ${set}"
829 handle
="$(printf "%s
\n" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables
[@.rule.table
=\"banIP
\"&&@.rule.chain
=\"wan-input
\"][@.
expr[0].match.right
=\"@
${set}\"].handle
")"
830 [ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP wan-input handle ${handle}"
831 handle
="$(printf "%s
\n" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables
[@.rule.table
=\"banIP
\"&&@.rule.chain
=\"wan-forward
\"][@.
expr[0].match.right
=\"@
${set}\"].handle
")"
832 [ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP wan-forward handle ${handle}"
833 handle
="$(printf "%s
\n" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables
[@.rule.table
=\"banIP
\"&&@.rule.chain
=\"lan-forward
\"][@.
expr[0].match.right
=\"@
${set}\"].handle
")"
834 [ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP lan-forward handle ${handle}"
835 printf "%s\n\n" "delete set inet banIP ${set}"
840 if [ -n "${del_set}" ]; then
841 del_set
="${del_set%%??}"
842 feed_log
="$("${ban_nftcmd}" -f "${tmp_del}" 2>&1)"
847 f_log
"debug" "f_rmset ::: sets: ${del_set:-"-"}, rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}"
850 # generate status information
853 local object duration
set table_sets cnt_elements
="0" split="0" status
="${1}"
855 [ -z "${ban_dev}" ] && f_conf
856 if [ "${status}" = "active" ]; then
857 if [ -n "${ban_starttime}" ]; then
858 ban_endtime
="$(date "+%s
")"
859 duration
="$(((ban_endtime - ban_starttime) / 60))m $(((ban_endtime - ban_starttime) % 60))s"
861 table_sets
="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null | jsonfilter -qe '@.nftables[@.set.table="banIP
"].set.name')"
862 if [ "${ban_reportelements}" = "1" ]; then
863 for set in ${table_sets}; do
864 cnt_elements
="$((cnt_elements + $("${ban_nftcmd}" -j list set inet banIP "${set}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)))"
867 runtime
="action: ${ban_action:-"-"}, duration: ${duration:-"-"}, date: $(date "+%Y-
%m-
%d
%H
:%M
:%S
")"
869 [ ${ban_splitsize:-"0"} -gt "0" ] && split="1"
873 json_load_file
"${ban_rtfile}" >/dev
/null
2>&1
874 json_add_string
"status" "${status}"
875 json_add_string
"version" "${ban_ver}"
876 json_add_string
"element_count" "${cnt_elements}"
877 json_add_array
"active_feeds"
878 if [ "${status}" != "active" ]; then
880 json_add_string
"feed" "-"
883 for object
in ${table_sets}; do
885 json_add_string
"feed" "${object}"
890 json_add_array
"active_devices"
891 if [ "${status}" != "active" ]; then
893 json_add_string
"device" "-"
896 for object
in ${ban_dev}; do
898 json_add_string
"device" "${object}"
901 for object
in ${ban_ifv4} ${ban_ifv6}; do
903 json_add_string
"interface" "${object}"
908 json_add_array
"active_subnets"
909 if [ "${status}" != "active" ]; then
911 json_add_string
"subnet" "-"
914 for object
in ${ban_sub}; do
916 json_add_string
"subnet" "${object}"
921 json_add_string
"nft_info" "priority: ${ban_nftpriority}, policy: ${ban_nftpolicy}, loglevel: ${ban_nftloglevel}, expiry: ${ban_nftexpiry:-"-"}"
922 json_add_string
"run_info" "base: ${ban_basedir}, backup: ${ban_backupdir}, report: ${ban_reportdir}, feed: ${ban_feedfile}"
923 json_add_string
"run_flags" "auto: $(f_char ${ban_autodetect}), proto (4/6): $(f_char ${ban_protov4})/$(f_char ${ban_protov6}), log (wan-inp/wan-fwd/lan-fwd): $(f_char ${ban_loginput})/$(f_char ${ban_logforwardwan})/$(f_char ${ban_logforwardlan}), dedup: $(f_char ${ban_deduplicate}), split: $(f_char ${split}), allowed only: $(f_char ${ban_allowlistonly})"
924 json_add_string
"last_run" "${runtime:-"-"}"
925 json_add_string
"system_info" "cores: ${ban_cores}, memory: ${ban_memory}, device: ${ban_sysver}"
926 json_dump
>"${ban_rtfile}"
929 # get status information
932 local key keylist
type value index_key1 index_key2 index_value1 index_value2
934 [ -z "${ban_dev}" ] && f_conf
935 json_load_file
"${ban_rtfile}" >/dev
/null
2>&1
936 if json_get_keys keylist
; then
937 printf "%s\n" "::: banIP runtime information"
938 for key
in ${keylist}; do
939 json_get_var value
"${key}" >/dev
/null
2>&1
940 if [ "${key}" = "status" ]; then
941 value
="${value} ($(f_actual))"
942 elif [ "${key}" = "active_devices" ]; then
943 json_select
"${key}" >/dev
/null
2>&1
945 while json_get_type
type "${index}" && [ "${type}" = "object" ]; do
946 json_get_keys index_key1
"${index}" >/dev
/null
2>&1
947 json_get_keys index_key2
"$((index + 1))" >/dev
/null
2>&1
948 json_get_values index_value1
"${index}" >/dev
/null
2>&1
949 if [ "${index}" = "1" ] && [ "${index_key1// /}" = "device" ] && [ "${index_key2// /}" = "interface" ]; then
950 json_get_values index_value2
"$((index + 1))" >/dev
/null
2>&1
951 value
="${index_value1} ::: ${index_value2}"
952 index
="$((index + 1))"
953 elif [ "${index}" = "1" ]; then
954 value
="${index_value1}"
955 elif [ "${index}" != "1" ] && [ "${index_key1// /}" = "device" ] && [ "${index_key2// /}" = "interface" ]; then
956 json_get_values index_value2
"$((index + 1))" >/dev
/null
2>&1
957 value
="${value}, ${index_value1} ::: ${index_value2}"
958 index
="$((index + 1))"
959 elif [ "${index}" != "1" ]; then
960 value
="${value}, ${index_value1}"
962 index
="$((index + 1))"
965 elif [ "${key%_*}" = "active" ]; then
966 json_select
"${key}" >/dev
/null
2>&1
968 while json_get_type
type "${index}" && [ "${type}" = "object" ]; do
969 json_get_values index_value1
"${index}" >/dev
/null
2>&1
970 if [ "${index}" = "1" ]; then
971 value
="${index_value1}"
973 value
="${value}, ${index_value1}"
975 index
="$((index + 1))"
979 printf " + %-17s : %s\n" "${key}" "${value:-"-"}"
982 printf "%s\n" "::: no banIP runtime information available"
989 local cnt list domain lookup ip elementsv4 elementsv6 start_time end_time duration cnt_domain
="0" cnt_ip
="0" feed
="${1}"
991 start_time
="$(date "+%s
")"
992 if [ "${feed}" = "allowlist" ]; then
993 list
="$("${ban_awkcmd}" '/^([[:alnum:]_-]{1,63}\.)+[[:alpha:]]+([[:space:]]|$)/{printf "%s
",tolower($1)}' "${ban_allowlist}" 2>/dev/null)"
994 elif [ "${feed}" = "blocklist" ]; then
995 list
="$("${ban_awkcmd}" '/^([[:alnum:]_-]{1,63}\.)+[[:alpha:]]+([[:space:]]|$)/{printf "%s
",tolower($1)}' "${ban_blocklist}" 2>/dev/null)"
998 for domain
in ${list}; do
999 lookup
="$("${ban_lookupcmd}" "${domain}" ${ban_resolver} 2>/dev/null | "${ban_awkcmd}" '/^Address[ 0-9]*: /{if(!seen[$NF]++)printf "%s ",$NF}' 2>/dev/null)"
1000 for ip in ${lookup}; do
1001 if [ "${ip%%.*}" = "0" ] || [ -z "${ip%%::*}" ]; then
1004 if { [ "${feed}" = "allowlist" ] && ! "${ban_grepcmd}" -q "^${ip}" "${ban_allowlist}"; } ||
1005 { [ "${feed}" = "blocklist" ] && ! "${ban_grepcmd}" -q "^${ip}" "${ban_blocklist}"; }; then
1006 if [ "${ip##*:}" = "${ip}" ]; then
1007 elementsv4="${elementsv4} ${ip},"
1009 elementsv6="${elementsv6} ${ip},"
1011 if [ "${feed}" = "allowlist" ] && [ "${ban_autoallowlist}" = "1" ]; then
1012 printf "%-42s%s\n" "${ip}" "# '${domain}' added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_allowlist}"
1013 elif [ "${feed}" = "blocklist" ] && [ "${ban_autoblocklist}" = "1" ]; then
1014 printf "%-42s%s\n" "${ip}" "# '${domain}' added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_blocklist}"
1016 cnt_ip="$((cnt_ip + 1))"
1020 cnt_domain="$((cnt_domain + 1))"
1022 if [ -n "${elementsv4}" ]; then
1023 if ! "${ban_nftcmd}" add element inet banIP "${feed}v4" "{ ${elementsv4} }" >/dev/null 2>&1; then
1024 f_log "info" "failed to add lookup file to ${feed}v4 set"
1027 if [ -n "${elementsv6}" ]; then
1028 if ! "${ban_nftcmd}" add element inet banIP "${feed}v6" "{ ${elementsv6} }" >/dev/null 2>&1; then
1029 f_log "info" "failed to add lookup file to ${feed}v6 set"
1032 end_time="$(date "+%s")"
1033 duration="$(((end_time - start_time) / 60))m $(((end_time - start_time) % 60))s"
1035 f_log "info" "Lookup summary for the local ${feed}: Domains processed: ${cnt_domain}, IPs added: ${cnt_ip}, Duration: ${duration}"
1041 local report_jsn report_txt set tmp_val ruleset_raw table_sets set_cnt set_input set_forwardwan set_forwardlan set_cntinput set_cntforwardwan set_cntforwardlan output="${1}"
1042 local detail set_details jsnval timestamp autoadd_allow autoadd_block sum_sets sum_setinput sum_setforwardwan sum_setforwardlan sum_setelements sum_cntinput sum_cntforwardwan sum_cntforwardlan
1044 [ -z "${ban_dev}" ] && f_conf
1045 f_mkdir "${ban_reportdir}"
1046 report_jsn="${ban_reportdir}/ban_report.jsn"
1047 report_txt="${ban_reportdir}/ban_report.txt"
1049 # json output preparation
1051 ruleset_raw="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null)"
1052 table_sets="$(printf "%s" "${ruleset_raw}" | jsonfilter -qe '@.nftables
[@.
set.table
="banIP"].
set.name
')"
1055 sum_setforwardwan="0"
1056 sum_setforwardlan="0"
1059 sum_cntforwardwan="0"
1060 sum_cntforwardlan="0"
1061 timestamp="$(date "+%Y-%m-%d %H:%M:%S")"
1065 printf "\t%s\n" '"sets": {'
1066 for set in ${table_sets}; do
1067 set_cntinput="$(printf "%s" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-input\"][@.expr[0].match.right=\"@${set}\"].expr[*].counter.packets")"
1068 set_cntforwardwan="$(printf "%s" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-forward\"][@.expr[0].match.right=\"@${set}\"].expr[*].counter.packets")"
1069 set_cntforwardlan="$(printf "%s" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"lan-forward\"][@.expr[0].match.right=\"@${set}\"].expr[*].counter.packets")"
1070 if [ "${ban_reportelements}" = "1" ]; then
1071 set_cnt="$("${ban_nftcmd}" -j list set inet banIP "${set}" 2>/dev/null | jsonfilter -qe '@.nftables
[*].
set.elem
[*]' | wc -l 2>/dev/null)"
1072 sum_setelements="$((sum_setelements + set_cnt))"
1075 sum_setelements="n/a"
1077 if [ -n "${set_cntinput}" ]; then
1079 sum_setinput="$((sum_setinput + 1))"
1080 sum_cntinput="$((sum_cntinput + set_cntinput))"
1085 if [ -n "${set_cntforwardwan}" ]; then
1087 sum_setforwardwan="$((sum_setforwardwan + 1))"
1088 sum_cntforwardwan="$((sum_cntforwardwan + set_cntforwardwan))"
1091 set_cntforwardwan=""
1093 if [ -n "${set_cntforwardlan}" ]; then
1095 sum_setforwardlan="$((sum_setforwardlan + 1))"
1096 sum_cntforwardlan="$((sum_cntforwardlan + set_cntforwardlan))"
1099 set_cntforwardlan=""
1101 [ "${sum_sets}" -gt "0" ] && printf "%s\n" ","
1102 printf "\t\t%s\n" "\"${set}\": {"
1103 printf "\t\t\t%s\n" "\"cnt_elements\": \"${set_cnt}\","
1104 printf "\t\t\t%s\n" "\"cnt_input\": \"${set_cntinput}\","
1105 printf "\t\t\t%s\n" "\"input\": \"${set_input}\","
1106 printf "\t\t\t%s\n" "\"cnt_forwardwan\": \"${set_cntforwardwan}\","
1107 printf "\t\t\t%s\n" "\"wan_forward\": \"${set_forwardwan}\","
1108 printf "\t\t\t%s\n" "\"cnt_forwardlan\": \"${set_cntforwardlan}\","
1109 printf "\t\t\t%s\n" "\"lan_forward\": \"${set_forwardlan}\""
1111 sum_sets="$((sum_sets + 1))"
1113 printf "\n\t%s\n" "},"
1114 printf "\t%s\n" "\"timestamp\": \"${timestamp}\","
1115 printf "\t%s\n" "\"autoadd_allow\": \"$("${ban_grepcmd}" -c "added on ${timestamp% *}" "${ban_allowlist}")\","
1116 printf "\t%s\n" "\"autoadd_block\": \"$("${ban_grepcmd}" -c "added on ${timestamp% *}" "${ban_blocklist}")\","
1117 printf "\t%s\n" "\"sum_sets\": \"${sum_sets}\","
1118 printf "\t%s\n" "\"sum_setinput\": \"${sum_setinput}\","
1119 printf "\t%s\n" "\"sum_setforwardwan\": \"${sum_setforwardwan}\","
1120 printf "\t%s\n" "\"sum_setforwardlan\": \"${sum_setforwardlan}\","
1121 printf "\t%s\n" "\"sum_setelements\": \"${sum_setelements}\","
1122 printf "\t%s\n" "\"sum_cntinput\": \"${sum_cntinput}\","
1123 printf "\t%s\n" "\"sum_cntforwardwan\": \"${sum_cntforwardwan}\","
1124 printf "\t%s\n" "\"sum_cntforwardlan\": \"${sum_cntforwardlan}\""
1128 # text output preparation
1130 if [ "${output}" != "json" ] && [ -s "${report_jsn}" ]; then
1133 if json_load_file "${report_jsn}" >/dev/null 2>&1; then
1134 json_get_var timestamp "timestamp" >/dev/null 2>&1
1135 json_get_var autoadd_allow "autoadd_allow" >/dev/null 2>&1
1136 json_get_var autoadd_block "autoadd_block" >/dev/null 2>&1
1137 json_get_var sum_sets "sum_sets" >/dev/null 2>&1
1138 json_get_var sum_setinput "sum_setinput" >/dev/null 2>&1
1139 json_get_var sum_setforwardwan "sum_setforwardwan" >/dev/null 2>&1
1140 json_get_var sum_setforwardlan "sum_setforwardlan" >/dev/null 2>&1
1141 json_get_var sum_setelements "sum_setelements" >/dev/null 2>&1
1142 json_get_var sum_cntinput "sum_cntinput" >/dev/null 2>&1
1143 json_get_var sum_cntforwardwan "sum_cntforwardwan" >/dev/null 2>&1
1144 json_get_var sum_cntforwardlan "sum_cntforwardlan" >/dev/null 2>&1
1146 printf "%s\n%s\n%s\n" ":::" "::: banIP Set Statistics" ":::"
1147 printf "%s\n" " Timestamp: ${timestamp}"
1148 printf "%s\n" " ------------------------------"
1149 printf "%s\n" " auto-added to allowlist today: ${autoadd_allow}"
1150 printf "%s\n\n" " auto-added to blocklist today: ${autoadd_block}"
1151 json_select "sets" >/dev/null 2>&1
1152 json_get_keys table_sets >/dev/null 2>&1
1153 if [ -n "${table_sets}" ]; then
1154 printf "%-25s%-15s%-24s%-24s%s\n" " Set" "| Elements" "| WAN-Input (packets)" "| WAN-Forward (packets)" "| LAN-Forward (packets)"
1155 printf "%s\n" " ---------------------+--------------+-----------------------+-----------------------+------------------------"
1156 for set in ${table_sets}; do
1157 printf " %-21s" "${set}"
1158 json_select "${set}"
1159 json_get_keys set_details
1160 for detail in ${set_details}; do
1161 json_get_var jsnval "${detail}" >/dev/null 2>&1
1164 printf "%-15s" "| ${jsnval}"
1166 "cnt_input" | "cnt_forwardwan" | "cnt_forwardlan")
1167 [ -n "${jsnval}" ] && tmp_val=": ${jsnval}"
1170 printf "%-24s" "| ${jsnval}${tmp_val}"
1178 printf "%s\n" " ---------------------+--------------+-----------------------+-----------------------+------------------------"
1179 printf "%-25s%-15s%-24s%-24s%s\n" " ${sum_sets}" "| ${sum_setelements}" "| ${sum_setinput} (${sum_cntinput})" "| ${sum_setforwardwan} (${sum_cntforwardwan})" "| ${sum_setforwardlan} (${sum_cntforwardlan})"
1185 # output channel (text|json|mail)
1189 [ -s "${report_txt}" ] && cat "${report_txt}"
1192 [ -s "${report_jsn}" ] && cat "${report_jsn}"
1195 [ -n "${ban_mailreceiver}" ] && [ -x "${ban_mailcmd}" ] && f_mail
1198 rm -f "${report_txt}"
1204 local set table_sets ip proto run_search hold cnt search="${1}"
1206 if [ -n "${search}" ]; then
1207 ip="$(printf "%s" "${search}" | "${ban_awkcmd}" 'BEGIN{RS="(([0-9]{1,3}\\.){3}[0-9]{1,3})+"}{printf "%s",RT}')"
1208 [ -n "${ip}" ] && proto="v4
"
1209 if [ -z "${proto}" ]; then
1210 ip="$
(printf "%s" "${search}" | "${ban_awkcmd}" 'BEGIN{RS="([A-Fa-f0-9]{1,4}::?){3,7}[A-Fa-f0-9]{1,4}"}{printf "%s",RT
}')"
1211 [ -n "${ip}" ] && proto="v6"
1214 if [ -n "${proto}" ]; then
1215 table_sets="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null | jsonfilter -qe "@.nftables[@.set.table=\"banIP\"&&@.set.type=\"ip${proto}_addr\"].set.name")"
1217 printf "%s\n%s\n%s\n" ":::" "::: no valid search input" ":::"
1220 printf "%s\n%s\n%s\n" ":::" "::: banIP Search" ":::"
1221 printf " %s\n" "Looking for IP '${ip}' on $(date "+%Y-%m-%d %H:%M:%S")"
1222 printf " %s\n" "---"
1224 run_search="/var/run/banIP.search"
1225 for set in ${table_sets}; do
1226 [ -f "${run_search}" ] && break
1228 if "${ban_nftcmd}" get element inet banIP "${set}" "{ ${ip} }" >/dev/null 2>&1; then
1229 printf " %s\n" "IP found in Set '${set}'"
1233 hold="$((cnt % ban_cores))"
1234 [ "${hold}" = "0" ] && wait
1238 [ ! -f "${run_search}" ] && printf " %s\n" "IP not found"
1239 rm -f "${run_search}"
1245 local set_elements set="${1}"
1247 if [ -z "${set}" ]; then
1248 printf "%s\n%s\n%s\n" ":::" "::: no valid survey input" ":::"
1251 [ -n "${set}" ] && set_elements="$("${ban_nftcmd}" -j list set inet banIP "${set}" 2>/dev/null | jsonfilter -qe '@.nftables
[*].
set.elem
[*]')"
1252 printf "%s\n%s\n%s\n" ":::" "::: banIP Survey" ":::"
1253 printf " %s\n" "List the elements of Set '${set}' on $(date "+%Y-%m-%d %H:%M:%S")"
1254 printf " %s\n" "---"
1255 [ -n "${set_elements}" ] && printf "%s\n" "${set_elements}" || printf " %s\n" "empty set"
1263 # load mail template
1265 if [ -r "${ban_mailtemplate}" ]; then
1266 . "${ban_mailtemplate}"
1268 f_log "info" "the mail template is missing"
1270 [ -z "${mail_text}" ] && f_log "info" "the 'mail_text
' template variable is empty"
1271 [ "${ban_debug}" = "1" ] && msmtp_debug="--debug"
1275 ban_mailhead="From: ${ban_mailsender}\nTo: ${ban_mailreceiver}\nSubject: ${ban_mailtopic}\nReply-to: ${ban_mailsender}\nMime-Version: 1.0\nContent-Type: text/html;charset=utf-8\nContent-Disposition: inline\n\n"
1276 if printf "%b" "${ban_mailhead}${mail_text}" | "${ban_mailcmd}" --timeout=10 ${msmtp_debug} -a "${ban_mailprofile}" "${ban_mailreceiver}" >/dev/null 2>&1; then
1277 f_log "info" "status mail was sent successfully"
1279 f_log "info" "failed to send status mail (${?})"
1282 f_log "debug" "f_mail ::: notification: ${ban_mailnotification}, template: ${ban_mailtemplate}, profile: ${ban_mailprofile}, receiver: ${ban_mailreceiver}, rc: ${?}"
1285 # check banIP availability and initial sourcing
1288 if [ "${ban_action}" != "stop" ]; then
1289 if [ -r "/lib/functions.sh" ] && [ -r "/lib/functions/network.sh" ] && [ -r "/usr/share/libubox/jshn.sh" ]; then
1290 . "/lib/functions.sh"
1291 . "/lib/functions/network.sh"
1292 . "/usr/share/libubox/jshn.sh"
1294 f_log "err" "system libraries not found"
1296 [ ! -d "/etc/banip" ] && f_log "err" "banIP config directory not found, please re-install the package"
1297 [ ! -r "/etc/banip/banip.feeds" ] && f_log "err" "banIP feed file not found, please re-install the package"
1298 [ ! -r "/etc/config/banip" ] && f_log "err" "banIP config not found, please re-install the package"
1299 [ "$(uci_get banip global ban_enabled)" = "0" ] && f_log "err" "banIP is currently disabled, please set the config option 'ban_enabled
' to '1' to use this service"