banip: update 0.8.4-3

* add the option 'ban_autoallowuplink' to limit the uplink autoallow function: 'subnet' (default), 'ip' or 'disable'

Signed-off-by: Dirk Brenken <dev@brenken.org>

diff --git a/net/banip/Makefile b/net/banip/Makefile
index 37ae9344047ba7924dab794c421ec0c074f06653..02cc404bf8189a44ecd7a80288518bd241e6effa 100644 (file)
--- a/net/banip/Makefile
+++ b/net/banip/Makefile
@@ -1,5 +1,5 @@
 #
-# banIP - ban incoming and outgoing ip addresses/subnets via sets in nftables
+# banIP - ban incoming and outgoing ip addresses/subnets via Sets in nftables
 # Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org)
 # This is free software, licensed under the GNU General Public License v3.
 #
@@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=banip
 PKG_VERSION:=0.8.4
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 PKG_LICENSE:=GPL-3.0-or-later
 PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>
 
@@ -23,7 +23,7 @@ define Package/banip
 endef
 
 define Package/banip/description
-banIP blocks IP addresses via named nftables sets.
+banIP blocks IP addresses via named nftables Sets.
 banIP supports many IP blocklist feeds and provides a log service to block suspicious IPs in realtime.
 Please see https://github.com/openwrt/packages/blob/master/net/banip/files/README.md for further information.
 

diff --git a/net/banip/files/README.md b/net/banip/files/README.md
index cca75823d0de92fc25dabe7f7a7ac416d410dc7e..803e4a9315fc1a7b1985b63de711db88c9e01f68 100644 (file)
--- a/net/banip/files/README.md
+++ b/net/banip/files/README.md
@@ -139,6 +139,7 @@ Available commands:
 | ban_logforwardlan       | option | 0                             | log rejects in the lan-forward chain                                                                         |
 | ban_autoallowlist       | option | 1                             | add wan IPs/subnets and resolved domains automatically to the local allowlist (not only to the Sets)         |
 | ban_autoblocklist       | option | 1                             | add suspicious attacker IPs and resolved domains automatically to the local blocklist (not only to the Sets) |
+| ban_autoallowuplink     | option | subnet                        | limit the uplink autoallow function to: 'subnet', 'ip' or 'disable' it at all                                |
 | ban_allowlistonly       | option | 0                             | restrict the internet access from/to a small number of secure websites/IPs                                   |
 | ban_basedir             | option | /tmp                          | base working directory while banIP processing                                                                |
 | ban_reportdir           | option | /tmp/banIP-report             | directory where banIP stores the report files                                                                |

diff --git a/net/banip/files/banip-functions.sh b/net/banip/files/banip-functions.sh
index 36442381ece9f92041261ef9a63b6a12366382c6..225427516f35daab3a0b2000477b019560c22b98 100644 (file)
--- a/net/banip/files/banip-functions.sh
+++ b/net/banip/files/banip-functions.sh
@@ -51,6 +51,7 @@ ban_logforwardwan="1"
 ban_logforwardlan="0"
 ban_allowlistonly="0"
 ban_autoallowlist="1"
+ban_autoallowuplink="subnet"
 ban_autoblocklist="1"
 ban_deduplicate="1"
 ban_splitsize="0"
@@ -65,7 +66,7 @@ ban_protov6="0"
 ban_ifv4=""
 ban_ifv6=""
 ban_dev=""
-ban_sub=""
+ban_uplink=""
 ban_fetchinsecure=""
 ban_cores=""
 ban_memory=""
@@ -105,7 +106,7 @@ f_mkdir() {
        if [ ! -d "${dir}" ]; then
                rm -f "${dir}"
                mkdir -p "${dir}"
-               f_log "debug" "f_mkdir   ::: created directory: ${dir}"
+               f_log "debug" "f_mkdir     ::: created directory: ${dir}"
        fi
 }
 
@@ -116,7 +117,7 @@ f_mkfile() {
 
        if [ ! -f "${file}" ]; then
                : >"${file}"
-               f_log "debug" "f_mkfile  ::: created file: ${file}"
+               f_log "debug" "f_mkfile    ::: created file: ${file}"
        fi
 }
 
@@ -127,7 +128,7 @@ f_tmp() {
        ban_tmpdir="$(mktemp -p "${ban_basedir}" -d)"
        ban_tmpfile="$(mktemp -p "${ban_tmpdir}" -tu)"
 
-       f_log "debug" "f_tmp     ::: base_dir: ${ban_basedir:-"-"}, tmp_dir: ${ban_tmpdir:-"-"}"
+       f_log "debug" "f_tmp       ::: base_dir: ${ban_basedir:-"-"}, tmp_dir: ${ban_tmpdir:-"-"}"
 }
 
 # remove directories
@@ -137,7 +138,7 @@ f_rmdir() {
 
        if [ -d "${dir}" ]; then
                rm -rf "${dir}"
-               f_log "debug" "f_rmdir   ::: deleted directory: ${dir}"
+               f_log "debug" "f_rmdir     ::: deleted directory: ${dir}"
        fi
 }
 
@@ -286,7 +287,7 @@ f_fetch() {
                        ;;
        esac
 
-       f_log "debug" "f_fetch   ::: fetch_cmd: ${ban_fetchcmd:-"-"}, fetch_parm: ${ban_fetchparm:-"-"}"
+       f_log "debug" "f_fetch     ::: fetch_cmd: ${ban_fetchcmd:-"-"}, fetch_parm: ${ban_fetchparm:-"-"}"
 }
 
 # remove logservice
@@ -363,7 +364,7 @@ f_getif() {
        fi
        [ -z "${ban_ifv4}" ] && [ -z "${ban_ifv6}" ] && f_log "err" "wan interfaces not found, please check your configuration"
 
-       f_log "debug" "f_getif   ::: auto/update: ${ban_autodetect}/${update}, interfaces (4/6): ${ban_ifv4}/${ban_ifv6}, protocols (4/6): ${ban_protov4}/${ban_protov6}"
+       f_log "debug" "f_getif     ::: auto/update: ${ban_autodetect}/${update}, interfaces (4/6): ${ban_ifv4}/${ban_ifv6}, protocols (4/6): ${ban_protov4}/${ban_protov6}"
 }
 
 # get wan devices
@@ -398,37 +399,45 @@ f_getdev() {
        ban_dev="${ban_dev%%?}"
        [ -z "${ban_dev}" ] && f_log "err" "wan devices not found, please check your configuration"
 
-       f_log "debug" "f_getdev  ::: auto/update: ${ban_autodetect}/${update}, devices: ${ban_dev}, cnt: ${cnt}"
+       f_log "debug" "f_getdev    ::: auto/update: ${ban_autodetect}/${update}, devices: ${ban_dev}, cnt: ${cnt}"
 }
 
-# get local subnets
+# get local uplink
 #
-f_getsub() {
-       local sub iface ip update="0"
+f_getuplink() {
+       local uplink iface ip update="0"
 
-       if [ "${ban_autoallowlist}" = "1" ]; then
+       if [ "${ban_autoallowlist}" = "1" ] && [ "${ban_autoallowuplink}" != "disable" ]; then
                for iface in ${ban_ifv4} ${ban_ifv6}; do
                        network_flush_cache
-                       network_get_subnet sub "${iface}"
-                       if [ -n "${sub}" ] && ! printf " %s " "${ban_sub}" | "${ban_grepcmd}" -q " ${sub} "; then
-                               ban_sub="${ban_sub}${sub} "
+                       if [ "${ban_autoallowuplink}" = "subnet" ]; then
+                               network_get_subnet uplink "${iface}"
+                       elif [ "${ban_autoallowuplink}" = "ip" ]; then
+                               network_get_ipaddr uplink "${iface}"
                        fi
-                       network_get_subnet6 sub "${iface}"
-                       if [ -n "${sub}" ] && ! printf " %s " "${ban_sub}" | "${ban_grepcmd}" -q " ${sub} "; then
-                               ban_sub="${ban_sub}${sub} "
+                       if [ -n "${uplink}" ] && ! printf " %s " "${ban_uplink}" | "${ban_grepcmd}" -q " ${uplink} "; then
+                               ban_uplink="${ban_uplink}${uplink} "
+                       fi
+                       if [ "${ban_autoallowuplink}" = "subnet" ]; then
+                               network_get_subnet6 uplink "${iface}"
+                       elif [ "${ban_autoallowuplink}" = "ip" ]; then
+                               network_get_ipaddr6 uplink "${iface}"
+                       fi
+                       if [ -n "${uplink}" ] && ! printf " %s " "${ban_uplink}" | "${ban_grepcmd}" -q " ${uplink} "; then
+                               ban_uplink="${ban_uplink}${uplink} "
                        fi
                done
-               for ip in ${ban_sub}; do
+               for ip in ${ban_uplink}; do
                        if ! "${ban_grepcmd}" -q "${ip}" "${ban_allowlist}"; then
                                update="1"
-                               printf "%-42s%s\n" "${ip}" "# subnet added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_allowlist}"
-                               f_log "info" "added subnet '${ip}' to local allowlist"
+                               printf "%-42s%s\n" "${ip}" "# uplink added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_allowlist}"
+                               f_log "info" "added uplink '${ip}' to local allowlist"
                        fi
                done
-               ban_sub="${ban_sub%%?}"
+               ban_uplink="${ban_uplink%%?}"
        fi
 
-       f_log "debug" "f_getsub  ::: auto/update: ${ban_autoallowlist}/${update}, subnet(s): ${ban_sub:-"-"}"
+       f_log "debug" "f_getuplink ::: auto/update: ${ban_autoallowlist}/${update}, uplink: ${ban_uplink:-"-"}"
 }
 
 # get feed information
@@ -499,7 +508,7 @@ f_nftinit() {
        feed_log="$("${ban_nftcmd}" -f "${file}" 2>&1)"
        feed_rc="${?}"
 
-       f_log "debug" "f_nftinit ::: devices: ${ban_dev}, priority: ${ban_nftpriority}, policy: ${ban_nftpolicy}, loglevel: ${ban_nftloglevel}, rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}"
+       f_log "debug" "f_nftinit   ::: devices: ${ban_dev}, priority: ${ban_nftpriority}, policy: ${ban_nftpolicy}, loglevel: ${ban_nftloglevel}, rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}"
        return ${feed_rc}
 }
 
@@ -824,7 +833,7 @@ f_down() {
        rm -f "${tmp_split}" "${tmp_nft}"
        end_ts="$(date +%s)"
 
-       f_log "debug" "f_down    ::: name: ${feed}, cnt_dl: ${cnt_dl:-"-"}, cnt_set: ${cnt_set:-"-"}, split_size: ${ban_splitsize:-"-"}, time: $((end_ts - start_ts)), rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}"
+       f_log "debug" "f_down      ::: name: ${feed}, cnt_dl: ${cnt_dl:-"-"}, cnt_set: ${cnt_set:-"-"}, split_size: ${ban_splitsize:-"-"}, time: $((end_ts - start_ts)), rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}"
 }
 
 # backup feeds
@@ -835,7 +844,7 @@ f_backup() {
        gzip -cf "${feed_file}" >"${ban_backupdir}/banIP.${feed}.gz"
        backup_rc="${?}"
 
-       f_log "debug" "f_backup  ::: name: ${feed}, source: ${feed_file##*/}, target: banIP.${feed}.gz, rc: ${backup_rc}"
+       f_log "debug" "f_backup    ::: name: ${feed}, source: ${feed_file##*/}, target: banIP.${feed}.gz, rc: ${backup_rc}"
        return ${backup_rc}
 }
 
@@ -851,7 +860,7 @@ f_restore() {
                restore_rc="${?}"
        fi
 
-       f_log "debug" "f_restore ::: name: ${feed}, source: banIP.${tmp_feed}.gz, target: ${feed_file##*/}, in_rc: ${feed_rc}, rc: ${restore_rc}"
+       f_log "debug" "f_restore   ::: name: ${feed}, source: banIP.${tmp_feed}.gz, target: ${feed_file##*/}, in_rc: ${feed_rc}, rc: ${restore_rc}"
        return ${restore_rc}
 }
 
@@ -891,7 +900,7 @@ f_rmset() {
        fi
        rm -f "${tmp_del}"
 
-       f_log "debug" "f_rmset   ::: sets: ${del_set:-"-"}, rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}"
+       f_log "debug" "f_rmset     ::: sets: ${del_set:-"-"}, rc: ${feed_rc:-"-"}, log: ${feed_log:-"-"}"
 }
 
 # generate status information
@@ -941,10 +950,10 @@ f_genstatus() {
                json_close_object
        done
        json_close_array
-       json_add_array "active_subnets"
-       for object in ${ban_sub:-"-"}; do
+       json_add_array "active_uplink"
+       for object in ${ban_uplink:-"-"}; do
                json_add_object
-               json_add_string "subnet" "${object}"
+               json_add_string "uplink" "${object}"
                json_close_object
        done
        json_close_array
@@ -1063,7 +1072,7 @@ f_lookup() {
        end_time="$(date "+%s")"
        duration="$(((end_time - start_time) / 60))m $(((end_time - start_time) % 60))s"
 
-       f_log "debug" "feed: ${feed}, domains: ${cnt_domain}, IPs: ${cnt_ip}, duration: ${duration}"
+       f_log "debug" "f_lookup    ::: feed: ${feed}, domains: ${cnt_domain}, IPs: ${cnt_ip}, duration: ${duration}"
 }
 
 # table statistics
@@ -1310,7 +1319,7 @@ f_mail() {
                f_log "info" "failed to send status mail (${?})"
        fi
 
-       f_log "debug" "f_mail    ::: notification: ${ban_mailnotification}, template: ${ban_mailtemplate}, profile: ${ban_mailprofile}, receiver: ${ban_mailreceiver}, rc: ${?}"
+       f_log "debug" "f_mail      ::: notification: ${ban_mailnotification}, template: ${ban_mailtemplate}, profile: ${ban_mailprofile}, receiver: ${ban_mailreceiver}, rc: ${?}"
 }
 
 # initial sourcing

diff --git a/net/banip/files/banip-service.sh b/net/banip/files/banip-service.sh
index ed2b9914c9a84ce5817e549e69078e07c483e0f3..b8a10398adf204232d1ba7ca02e19374bc2d37c7 100755 (executable)
--- a/net/banip/files/banip-service.sh
+++ b/net/banip/files/banip-service.sh
@@ -1,5 +1,5 @@
 #!/bin/sh
-# banIP main service script - ban incoming and outgoing ip addresses/subnets via sets in nftables
+# banIP main service script - ban incoming and outgoing ip addresses/subnets via Sets in nftables
 # Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org)
 # This is free software, licensed under the GNU General Public License v3.
 
@@ -15,13 +15,13 @@ ban_funlib="/usr/lib/banip-functions.sh"
 #
 f_conf
 f_log "info" "start banIP processing (${ban_action})"
-f_log "debug" "f_system  ::: system: ${ban_sysver:-"n/a"}, version: ${ban_ver:-"n/a"}, memory: ${ban_memory:-"0"}, cpu_cores: ${ban_cores}"
+f_log "debug" "f_system    ::: system: ${ban_sysver:-"n/a"}, version: ${ban_ver:-"n/a"}, memory: ${ban_memory:-"0"}, cpu_cores: ${ban_cores}"
 f_genstatus "processing"
 f_tmp
 f_fetch
 f_getif
 f_getdev
-f_getsub
+f_getuplink
 f_mkdir "${ban_backupdir}"
 f_mkfile "${ban_blocklist}"
 f_mkfile "${ban_allowlist}"