-#
-# banIP - ban incoming and outgoing ip addresses/subnets via Sets in nftables
+# banIP - ban incoming and outgoing IPs via named nftables Sets
# Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org)
# This is free software, licensed under the GNU General Public License v3.
-#
include $(TOPDIR)/rules.mk
PKG_NAME:=banip
PKG_VERSION:=0.8.4
-PKG_RELEASE:=4
+PKG_RELEASE:=5
PKG_LICENSE:=GPL-3.0-or-later
PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>
define Package/banip
SECTION:=net
CATEGORY:=Network
- TITLE:=banIP blocks IP addresses via named nftables sets
+ TITLE:=banIP blocks IPs via named nftables Sets
DEPENDS:=+jshn +jsonfilter +firewall4 +ca-bundle +logd +rpcd +rpcd-mod-rpcsys
PKGARCH:=all
endef
define Package/banip/description
-banIP blocks IP addresses via named nftables Sets.
+banIP blocks IPs via named nftables Sets.
banIP supports many IP blocklist feeds and provides a log service to block suspicious IPs in realtime.
Please see https://github.com/openwrt/packages/blob/master/net/banip/files/README.md for further information.
<!-- markdownlint-disable -->
-# banIP - ban incoming and outgoing IP addresses/subnets via sets in nftables
+# banIP - ban incoming and outgoing IP addresses/subnets via Sets in nftables
## Description
-IP address blocking is commonly used to protect against brute force attacks, prevent disruptive or unauthorized address(es) from access or it can be used to restrict access to or from a particular geographic area — for example. Further more banIP scans the log file via logread and bans IP addresses that make too many password failures, e.g. via ssh.
+IP address blocking is commonly used to protect against brute force attacks, prevent disruptive or unauthorized address(es) from access or it can be used to restrict access to or from a particular geographic area — for example. Further more banIP scans the log file via logread and bans IPs that make too many password failures, e.g. via ssh.
## Main Features
* banIP supports the following fully pre-configured domain blocklist feeds (free for private usage, for commercial use please check their individual licenses).
| yoyo | yoyo IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
* Zero-conf like automatic installation & setup, usually no manual changes needed
-* All sets are handled in a separate nft table/namespace 'banIP'
+* All Sets are handled in a separate nft table/namespace 'banIP'
* Full IPv4 and IPv6 support
-* Supports nft atomic set loading
+* Supports nft atomic Set loading
* Supports blocking by ASN numbers and by iso country codes
* Supports local allow- and blocklist (IPv4, IPv6, CIDR notation or domain names)
* Auto-add the uplink subnet to the local allowlist
* Automatic blocklist backup & restore, the backups will be used in case of download errors or during startup
* Automatically selects one of the following download utilities with ssl support: aria2c, curl, uclient-fetch or wget
* Supports an 'allowlist only' mode, this option restricts internet access from/to a small number of secure websites/IPs
-* Deduplicate IPs accross all sets (single IPs only, no intervals)
+* Deduplicate IPs accross all Sets (single IPs only, no intervals)
* Provides comprehensive runtime information
-* Provides a detailed set report
-* Provides a set search engine for certain IPs
+* Provides a detailed Set report
+* Provides a Set search engine for certain IPs
* Feed parsing by fast & flexible regex rulesets
* Minimal status & error logging to syslog, enable debug logging to receive more output
* Procd based init system support (start/stop/restart/reload/status/report/search/survey/lookup)
enable Enable service autostart
disable Disable service autostart
enabled Check if service is started on boot
- report [text|json|mail] Print banIP related set statistics
- search [<IPv4 address>|<IPv6 address>] Check if an element exists in a banIP set
- survey [<set name>] List all elements of a given banIP set
+ report [text|json|mail] Print banIP related Set statistics
+ search [<IPv4 address>|<IPv6 address>] Check if an element exists in a banIP Set
+ survey [<Set name>] List all elements of a given banIP Set
lookup Lookup the IPs of domain names in the local lists and update them
running Check if service is running
status Service status
| ban_enabled | option | 0 | enable the banIP service |
| ban_nicelimit | option | 0 | ulimit nice level of the banIP service (range 0-19) |
| ban_filelimit | option | 1024 | ulimit max open/number of files (range 1024-4096) |
-| ban_loglimit | option | 100 | scan only the last n log entries permanently. Set it to '0' to disable the monitor |
+| ban_loglimit | option | 100 | scan only the last n log entries permanently. A value of '0' disables the monitor |
| ban_logcount | option | 1 | how many times the IP must appear in the log to be considered as suspicious |
| ban_logterm | list | regex | various regex for logfile parsing (default: dropbear, sshd, luci, nginx, asterisk) |
| ban_autodetect | option | 1 | auto-detect wan interfaces, devices and subnets |
| ban_trigger | list | - | logical startup trigger interface(s), e.g. 'wan' |
| ban_triggerdelay | option | 10 | trigger timeout before banIP processing begins |
| ban_triggeraction | option | start | trigger action on ifup events, e.g. start, restart or reload |
-| ban_deduplicate | option | 1 | deduplicate IP addresses across all active sets |
-| ban_splitsize | option | 0 | split ext. sets after every n lines/members (saves RAM) |
+| ban_deduplicate | option | 1 | deduplicate IP addresses across all active Sets |
+| ban_splitsize | option | 0 | split ext. Sets after every n lines/members (saves RAM) |
| ban_cores | option | - / autodetect | limit the cpu cores used by banIP (saves RAM) |
| ban_nftloglevel | option | warn | nft loglevel, values: emerg, alert, crit, err, warn, notice, info, debug |
| ban_nftpriority | option | -200 | nft priority for the banIP table (default is the prerouting table priority) |
-| ban_nftpolicy | option | memory | nft policy for banIP-related sets, values: memory, performance |
+| ban_nftpolicy | option | memory | nft policy for banIP-related Sets, values: memory, performance |
| ban_nftexpiry | option | - | expiry time for auto added blocklist members, e.g. '5m', '2h' or '1d' |
| ban_feed | list | - | external download feeds, e.g. 'yoyo', 'doh', 'country' or 'talos' (see feed table) |
| ban_asn | list | - | ASNs for the 'asn' feed, e.g.'32934' |
| ban_mailtopic | option | banIP notification | topic for banIP related notification E-Mails |
| ban_mailprofile | option | ban_notify | mail profile used in 'msmtp' for banIP related notification E-Mails |
| ban_mailnotification | option | 0 | receive E-Mail notifications with every banIP run |
-| ban_reportelements | option | 1 | list set elements in the report, disable this to speed up the report significantly |
+| ban_reportelements | option | 1 | count Set elements in the report, disable this option to speed up the report significantly |
| ban_resolver | option | - | external resolver used for DNS lookups |
## Examples
~# /etc/init.d/banip status
::: banIP runtime information
+ status : active (nft: ✔, monitor: ✔)
- + version : 0.8.3-1
+ + version : 0.8.5-1
+ element_count : 281161
+ active_feeds : allowlistvMAC, allowlistv6, allowlistv4, adawayv4, adguardtrackersv4, adawayv6, adguardv6, adguardv4, adguardtrackersv6, antipopadsv6, antipopadsv4, cinsscorev4, deblv4, countryv6, countryv4, deblv6, dohv4, dohv6, iblockadsv4, firehol1v4, oisdbigv4, yoyov6, threatviewv4, yoyov4, oisdbigv6, blocklistvMAC, blocklistv4, blocklistv6
+ active_devices : br-wan ::: wan, wan6
- + active_subnets : 91.64.169.252/24, 2a02:710c:0:60:958b:3bd0:9e14:abb/128
+ + active_uplink : 91.64.169.252/24, 2a02:710c:0:60:958b:3bd0:9e14:abb/128
+ nft_info : priority: -200, policy: memory, loglevel: warn, expiry: -
+ run_info : base: /mnt/data/banIP, backup: /mnt/data/banIP/backup, report: /mnt/data/banIP/report, feed: /etc/banip/banip.feeds
+ run_flags : auto: ✔, proto (4/6): ✔/✔, log (wan-inp/wan-fwd/lan-fwd): ✔/✔/✔, dedup: ✔, split: ✘, allowed only: ✘
:::
::: banIP Survey
:::
- List the elements of Set 'cinsscorev4' on 2023-03-06 14:07:58
+ List of elements in the Set 'cinsscorev4' on 2023-03-06 14:07:58
---
1.10.187.179
1.10.203.30
banIP supports local allow and block lists (IPv4, IPv6, CIDR notation or domain names), located in /etc/banip/banip.allowlist and /etc/banip/banip.blocklist.
Unsuccessful login attempts or suspicious requests will be tracked and added to the local blocklist (see the 'ban\_autoblocklist' option). The blocklist behaviour can be further tweaked with the 'ban\_nftexpiry' option.
Furthermore the uplink subnet will be added to local allowlist (see 'ban\_autoallowlist' option).
-Both lists also accept domain names as input to allow IP filtering based on these names. The corresponding IPs (IPv4 & IPv6) will be extracted and added to the sets. You can also start the domain lookup separately via /etc/init.d/banip lookup at any time.
+Both lists also accept domain names as input to allow IP filtering based on these names. The corresponding IPs (IPv4 & IPv6) will be extracted and added to the Sets. You can also start the domain lookup separately via /etc/init.d/banip lookup at any time.
**allowlist-only mode**
banIP supports an "allowlist only" mode. This option restricts the internet access from/to a small number of secure websites/IPs, and block access from/to the rest of the internet. All IPs and Domains which are _not_ listed in the allowlist are blocked.
```
**tweaks for low memory systems**
-nftables supports the atomic loading of rules/sets/members, which is cool but unfortunately is also very memory intensive. To reduce the memory pressure on low memory systems (i.e. those with 256-512Mb RAM), you should optimize your configuration with the following options:
+nftables supports the atomic loading of firewall rules (incl. elements), which is cool but unfortunately is also very memory intensive. To reduce the memory pressure on low memory systems (i.e. those with 256-512Mb RAM), you should optimize your configuration with the following options:
* point 'ban_basedir', 'ban_reportdir' and 'ban_backupdir' to an external usb drive
* set 'ban_cores' to '1' (only useful on a multicore system) to force sequential feed processing
- * set 'ban_splitsize' e.g. to '1000' to split the load of an external set after every 1000 lines/members
- * set 'ban_reportelements' to '0' to disable the CPU intensive counting of set elements
+ * set 'ban_splitsize' e.g. to '1000' to split the load of an external Set after every 1000 lines/members
+ * set 'ban_reportelements' to '0' to disable the CPU intensive counting of Set elements
**tweak the download options**
By default banIP uses the following pre-configured download options:
A valid JSON source object contains the following information, e.g.:
```
[...]
- "tor": {
+ "tor":{
"url_4": "https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst",
"url_6": "https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst",
"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
-# banIP shared function library/include
+# banIP shared function library/include - ban incoming and outgoing IPs via named nftables Sets
# Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org)
# This is free software, licensed under the GNU General Public License v3.
if [ ! -d "${dir}" ]; then
rm -f "${dir}"
mkdir -p "${dir}"
- f_log "debug" "f_mkdir ::: created directory: ${dir}"
+ f_log "debug" "f_mkdir ::: directory: ${dir}"
fi
}
if [ ! -f "${file}" ]; then
: >"${file}"
- f_log "debug" "f_mkfile ::: created file: ${file}"
+ f_log "debug" "f_mkfile ::: file: ${file}"
fi
}
if [ -d "${dir}" ]; then
rm -rf "${dir}"
- f_log "debug" "f_rmdir ::: deleted directory: ${dir}"
+ f_log "debug" "f_rmdir ::: directory: ${dir}"
fi
}
if [ -z "${ban_fetchcmd}" ] || [ ! -x "${ban_fetchcmd}" ]; then
packages="$(${ban_ubuscmd} -S call rpc-sys packagelist '{ "all": true }' 2>/dev/null)"
- [ -z "${packages}" ] && f_log "err" "local package repository is not available, please set the download utility 'ban_fetchcmd' manually"
+ [ -z "${packages}" ] && f_log "err" "no local package repository"
utils="aria2c curl wget uclient-fetch"
for item in ${utils}; do
if { [ "${item}" = "uclient-fetch" ] && printf "%s" "${packages}" | "${ban_grepcmd}" -q '"libustream-'; } ||
fi
done
fi
- [ ! -x "${ban_fetchcmd}" ] && f_log "err" "download utility with SSL support not found"
+ [ ! -x "${ban_fetchcmd}" ] && f_log "err" "no download utility with SSL support"
case "${ban_fetchcmd##*/}" in
"aria2c")
[ "${ban_fetchinsecure}" = "1" ] && insecure="--check-certificate=false"
;;
esac
- f_log "debug" "f_fetch ::: fetch_cmd: ${ban_fetchcmd:-"-"}, fetch_parm: ${ban_fetchparm:-"-"}"
+ f_log "debug" "f_fetch ::: cmd: ${ban_fetchcmd:-"-"}, parm: ${ban_fetchparm:-"-"}"
}
# remove logservice
ban_ifv4="${iface}"
uci_set banip global ban_protov4 "1"
uci_add_list banip global ban_ifv4 "${iface}"
- f_log "info" "added IPv4 interface '${iface}' to config"
+ f_log "info" "add IPv4 interface '${iface}' to config"
fi
fi
if [ -z "${ban_ifv6}" ]; then
ban_ifv6="${iface}"
uci_set banip global ban_protov6 "1"
uci_add_list banip global ban_ifv6 "${iface}"
- f_log "info" "added IPv6 interface '${iface}' to config"
+ f_log "info" "add IPv6 interface '${iface}' to config"
fi
fi
fi
ban_ifv6="${ban_ifv6%%?}"
for iface in ${ban_ifv4} ${ban_ifv6}; do
if ! "${ban_ubuscmd}" -t 10 wait_for network.interface."${iface}" >/dev/null 2>&1; then
- f_log "err" "wan interface '${iface}' is not available, please check your configuration"
+ f_log "err" "no wan interface '${iface}'"
fi
done
fi
- [ -z "${ban_ifv4}" ] && [ -z "${ban_ifv6}" ] && f_log "err" "wan interfaces not found, please check your configuration"
+ [ -z "${ban_ifv4}" ] && [ -z "${ban_ifv6}" ] && f_log "err" "no wan interfaces"
f_log "debug" "f_getif ::: auto/update: ${ban_autodetect}/${update}, interfaces (4/6): ${ban_ifv4}/${ban_ifv6}, protocols (4/6): ${ban_protov4}/${ban_protov6}"
}
if ! printf " %s " "${ban_dev}" | "${ban_grepcmd}" -q " ${dev} "; then
ban_dev="${ban_dev}${dev} "
uci_add_list banip global ban_dev "${dev}"
- f_log "info" "added device '${dev}' to config"
+ f_log "info" "add device '${dev}' to config"
fi
fi
done
uci_commit "banip"
fi
ban_dev="${ban_dev%%?}"
- [ -z "${ban_dev}" ] && f_log "err" "wan devices not found, please check your configuration"
+ [ -z "${ban_dev}" ] && f_log "err" "no wan devices"
f_log "debug" "f_getdev ::: auto/update: ${ban_autodetect}/${update}, devices: ${ban_dev}, cnt: ${cnt}"
}
fi
done
for ip in ${ban_uplink}; do
- if ! "${ban_grepcmd}" -q "${ip}" "${ban_allowlist}"; then
+ if ! "${ban_grepcmd}" -q "${ip} " "${ban_allowlist}"; then
if [ "${update}" = "0" ]; then
"${ban_sedcmd}" -i '/# uplink added on /d' "${ban_allowlist}"
fi
printf "%-42s%s\n" "${ip}" "# uplink added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_allowlist}"
- f_log "info" "added uplink '${ip}' to local allowlist"
+ f_log "info" "add uplink '${ip}' to local allowlist"
update="1"
fi
done
json_init
if [ -s "${ban_customfeedfile}" ]; then
if ! json_load_file "${ban_customfeedfile}" >/dev/null 2>&1; then
- f_log "info" "banIP custom feed file can't be loaded"
+ f_log "info" "can't load banIP custom feed file"
if ! json_load_file "${ban_feedfile}" >/dev/null 2>&1; then
- f_log "err" "banIP feed file can't be loaded"
+ f_log "err" "can't load banIP feed file"
fi
fi
elif ! json_load_file "${ban_feedfile}" >/dev/null 2>&1; then
- f_log "err" "banIP feed file can't be loaded"
+ f_log "err" "can't load banIP feed file"
fi
}
-# get set elements
+# get Set elements
#
f_getelements() {
local file="${1}"
feed_rc="${?}"
fi
- # build nft file with set and rules for regular downloads
+ # build nft file with Sets and rules for regular downloads
#
if [ "${feed_rc}" = "0" ] && [ ! -s "${tmp_nft}" ]; then
- # deduplicate sets
+ # deduplicate Sets
#
if [ "${ban_deduplicate}" = "1" ] && [ "${feed_url}" != "local" ]; then
"${ban_awkcmd}" "${feed_rule}" "${tmp_load}" 2>/dev/null >"${tmp_raw}"
"${ban_awkcmd}" "${feed_rule}" "${tmp_load}" 2>/dev/null >"${tmp_split}"
fi
feed_rc="${?}"
- # split sets
+ # split Sets
#
if [ "${feed_rc}" = "0" ]; then
if [ -n "${ban_splitsize//[![:digit]]/}" ] && [ "${ban_splitsize//[![:digit]]/}" -gt "0" ]; then
if ! "${ban_awkcmd}" "NR%${ban_splitsize//[![:digit]]/}==1{file=\"${tmp_file}.\"++i;}{ORS=\" \";print > file}" "${tmp_split}" 2>/dev/null; then
rm -f "${tmp_file}".*
- f_log "info" "failed to split '${feed}' Set to size '${ban_splitsize//[![:digit]]/}'"
+ f_log "info" "can't split Set '${feed}' to size '${ban_splitsize//[![:digit]]/}'"
fi
else
"${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}.1"
rm -f "${tmp_raw}" "${tmp_load}"
if [ "${feed_rc}" = "0" ] && [ "${proto}" = "4" ]; then
{
- # nft header (IPv4 set)
+ # nft header (IPv4 Set)
#
printf "%s\n\n" "#!/usr/sbin/nft -f"
[ -s "${tmp_flush}" ] && cat "${tmp_flush}"
} >"${tmp_nft}"
elif [ "${feed_rc}" = "0" ] && [ "${proto}" = "6" ]; then
{
- # nft header (IPv6 set)
+ # nft header (IPv6 Set)
#
printf "%s\n\n" "#!/usr/sbin/nft -f"
[ -s "${tmp_flush}" ] && cat "${tmp_flush}"
if [ "${cnt_dl:-"0"}" -gt "0" ] || [ "${feed_url}" = "local" ] || [ "${feed%v*}" = "allowlist" ] || [ "${feed%v*}" = "blocklist" ]; then
feed_log="$("${ban_nftcmd}" -f "${tmp_nft}" 2>&1)"
feed_rc="${?}"
+
# load additional split files
#
if [ "${feed_rc}" = "0" ]; then
continue
fi
if ! "${ban_nftcmd}" add element inet banIP "${feed}" "{ $(cat "${split_file}") }" >/dev/null 2>&1; then
- f_log "info" "failed to add split file '${split_file##*.}' to '${feed}' Set"
+ f_log "info" "can't add split file '${split_file##*.}' to Set '${feed}'"
fi
rm -f "${split_file}"
done
fi
fi
else
- f_log "info" "empty feed '${feed}' will be skipped"
+ f_log "info" "skip empty feed '${feed}'"
fi
fi
rm -f "${tmp_split}" "${tmp_nft}"
return ${restore_rc}
}
-# remove disabled feeds
+# remove disabled Sets
#
f_rmset() {
local feedlist tmp_del ruleset_raw item table_sets handle del_set feed_log feed_rc
done
if [ -n "${elementsv4}" ]; then
if ! "${ban_nftcmd}" add element inet banIP "${feed}v4" "{ ${elementsv4} }" >/dev/null 2>&1; then
- f_log "info" "failed to add lookup file to '${feed}v4' Set"
+ f_log "info" "can't add lookup file to Set '${feed}v4'"
fi
fi
if [ -n "${elementsv6}" ]; then
if ! "${ban_nftcmd}" add element inet banIP "${feed}v6" "{ ${elementsv6} }" >/dev/null 2>&1; then
- f_log "info" "failed to add lookup file to '${feed}v6' Set"
+ f_log "info" "can't add lookup file to Set '${feed}v6'"
fi
fi
end_time="$(date "+%s")"
rm -f "${report_txt}"
}
-# set search
+# Set search
#
f_search() {
local item table_sets ip proto hold cnt result_flag="/var/run/banIP.search" input="${1}"
printf " %s\n" "IP not found"
}
-# set survey
+# Set survey
#
f_survey() {
local set_elements input="${1}"
fi
set_elements="$("${ban_nftcmd}" -j list set inet banIP "${input}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]')"
printf "%s\n%s\n%s\n" ":::" "::: banIP Survey" ":::"
- printf " %s\n" "List the elements of Set '${input}' on $(date "+%Y-%m-%d %H:%M:%S")"
+ printf " %s\n" "List of elements in the Set '${input}' on $(date "+%Y-%m-%d %H:%M:%S")"
printf " %s\n" "---"
- [ -n "${set_elements}" ] && printf "%s\n" "${set_elements}" || printf " %s\n" "empty set"
+ [ -n "${set_elements}" ] && printf "%s\n" "${set_elements}" || printf " %s\n" "empty Set"
}
-# send status mails
+# send status mail
#
f_mail() {
local msmtp_debug
if [ -r "${ban_mailtemplate}" ]; then
. "${ban_mailtemplate}"
else
- f_log "info" "the mail template is missing"
+ f_log "info" "no mail template"
fi
- [ -z "${mail_text}" ] && f_log "info" "the 'mail_text' template variable is empty"
+ [ -z "${mail_text}" ] && f_log "info" "no mail content"
[ "${ban_debug}" = "1" ] && msmtp_debug="--debug"
# send mail
#
ban_mailhead="From: ${ban_mailsender}\nTo: ${ban_mailreceiver}\nSubject: ${ban_mailtopic}\nReply-to: ${ban_mailsender}\nMime-Version: 1.0\nContent-Type: text/html;charset=utf-8\nContent-Disposition: inline\n\n"
- if printf "%b" "${ban_mailhead}${mail_text}" | "${ban_mailcmd}" --timeout=10 ${msmtp_debug} -a "${ban_mailprofile}" "${ban_mailreceiver}" >/dev/null 2>&1; then
- f_log "info" "status mail was sent successfully"
- else
- f_log "info" "failed to send status mail (${?})"
- fi
+ printf "%b" "${ban_mailhead}${mail_text}" | "${ban_mailcmd}" --timeout=10 ${msmtp_debug} -a "${ban_mailprofile}" "${ban_mailreceiver}" >/dev/null 2>&1
+ f_log "info" "send status mail (${?})"
f_log "debug" "f_mail ::: notification: ${ban_mailnotification}, template: ${ban_mailtemplate}, profile: ${ban_mailprofile}, receiver: ${ban_mailreceiver}, rc: ${?}"
}
#
f_system
if [ "${ban_action}" != "stop" ]; then
- [ ! -d "/etc/banip" ] && f_log "err" "banIP config directory not found, please re-install the package"
- [ ! -r "/etc/banip/banip.feeds" ] && f_log "err" "banIP feed file not found, please re-install the package"
- [ ! -r "/etc/config/banip" ] && f_log "err" "banIP config not found, please re-install the package"
- [ "$(uci_get banip global ban_enabled)" = "0" ] && f_log "err" "banIP is currently disabled, please set the config option 'ban_enabled' to '1' to use this service"
+ [ ! -d "/etc/banip" ] && f_log "err" "no banIP config directory"
+ [ ! -r "/etc/config/banip" ] && f_log "err" "no banIP config"
+ [ "$(uci_get banip global ban_enabled)" = "0" ] && f_log "err" "banIP is disabled"
fi
#!/bin/sh
-# banIP main service script - ban incoming and outgoing ip addresses/subnets via Sets in nftables
+# banIP main service script - ban incoming and outgoing IPs via named nftables Sets
# Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org)
# This is free software, licensed under the GNU General Public License v3.
sleep 1
done
if ! /etc/init.d/firewall status >/dev/null 2>&1; then
- f_log "err" "nft based firewall/fw4 not functional"
+ f_log "err" "error in nft based firewall/fw4"
fi
else
- f_log "err" "nft based firewall/fw4 not found"
+ f_log "err" "no nft based firewall/fw4"
fi
fi
#
if [ "${ban_action}" != "reload" ] || ! "${ban_nftcmd}" -t list set inet banIP allowlistvMAC >/dev/null 2>&1; then
if f_nftinit "${ban_tmpfile}".init.nft; then
- f_log "info" "nft namespace initialized"
+ f_log "info" "initialize nft namespace"
else
- f_log "err" "nft namespace can't be initialized"
+ f_log "err" "can't initialize nft namespace"
fi
fi
# external feeds
#
if ! json_select "${feed}" >/dev/null 2>&1; then
- f_log "info" "unknown feed '${feed}' will be removed"
+ f_log "info" "remove unknown feed '${feed}'"
uci_remove_list banip global ban_feed "${feed}"
uci_commit "banip"
continue
if { { [ -n "${feed_url_4}" ] && [ -z "${feed_rule_4}" ]; } || { [ -z "${feed_url_4}" ] && [ -n "${feed_rule_4}" ]; }; } ||
{ { [ -n "${feed_url_6}" ] && [ -z "${feed_rule_6}" ]; } || { [ -z "${feed_url_6}" ] && [ -n "${feed_rule_6}" ]; }; } ||
{ [ -z "${feed_url_4}" ] && [ -z "${feed_rule_4}" ] && [ -z "${feed_url_6}" ] && [ -z "${feed_rule_6}" ]; }; then
- f_log "info" "incomplete feed '${feed}' will be skipped"
+ f_log "info" "skip incomplete feed '${feed}'"
continue
fi
f_rmset
f_rmdir "${ban_tmpdir}"
f_genstatus "active"
-f_log "info" "finish banIP download processes"
# start domain lookup
#
[ -n "${ip}" ] && proto="v6"
fi
if [ -n "${proto}" ] && ! "${ban_nftcmd}" get element inet banIP blocklist"${proto}" "{ ${ip} }" >/dev/null 2>&1; then
- f_log "info" "suspicious IP${proto} found '${ip}'"
+ f_log "info" "suspicious IP${proto} '${ip}'"
log_raw="$("${ban_logreadcmd}" -l "${ban_loglimit}" 2>/dev/null)"
log_count="$(printf "%s\n" "${log_raw}" | grep -c "found '${ip}'")"
if [ "${log_count}" -ge "${ban_logcount}" ]; then
if "${ban_nftcmd}" add element inet banIP "blocklist${proto}" "{ ${ip} ${nft_expiry} }" >/dev/null 2>&1; then
- f_log "info" "added IP${proto} '${ip}' (expiry: ${nft_expiry:-"-"}) to blocklist${proto} set"
+ f_log "info" "add IP${proto} '${ip}' (expiry: ${nft_expiry:-"-"}) to blocklist${proto} set"
if [ "${ban_autoblocklist}" = "1" ] && ! grep -q "^${ip}" "${ban_blocklist}"; then
printf "%-42s%s\n" "${ip}" "# added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_blocklist}"
- f_log "info" "added IP${proto} '${ip}' to local blocklist"
+ f_log "info" "add IP${proto} '${ip}' to local blocklist"
fi
fi
fi
#!/bin/sh /etc/rc.common
-# banIP init script - ban incoming and outgoing ip adresses/subnets via sets in nftables
+# banIP init script - ban incoming and outgoing IPs via named nftables Sets
# Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org)
# This is free software, licensed under the GNU General Public License v3.
START=30
USE_PROCD=1
-extra_command "report" "[text|json|mail] Print banIP related set statistics"
-extra_command "search" "[<IPv4 address>|<IPv6 address>] Check if an element exists in a banIP set"
-extra_command "survey" "[<set name>] List all elements of a given banIP set"
+extra_command "report" "[text|json|mail] Print banIP related Set statistics"
+extra_command "search" "[<IPv4 address>|<IPv6 address>] Check if an element exists in a banIP Set"
+extra_command "survey" "[<Set name>] List all elements of a given banIP Set"
extra_command "lookup" "Lookup the IPs of domain names in the local lists and update them"
ban_init="/etc/init.d/banip"
procd_close_instance
else
[ -z "$(command -v "f_system")" ] && . "${ban_funlib}"
- f_log "err" "banIP service autostart is currently disabled, please enable the service autostart with '/etc/init.d/banip enable'"
+ f_log "err" "banIP service autostart is disabled"
rm -rf "${ban_lock}"
fi
}
-# banIP mail template/include
-# Copyright (c) 2020-2023 Dirk Brenken (dev@brenken.org)
+# banIP mail template/include - ban incoming and outgoing IPs via named nftables Sets
+# Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org)
# This is free software, licensed under the GNU General Public License v3.
# info preparation
projects / feed / packages.git / commitdiff