From 4d7c38c7708110cb1d0290f50ef48129192dd76a Mon Sep 17 00:00:00 2001
From: Dirk Brenken
Date: Wed, 1 May 2024 15:02:44 +0200
Subject: [PATCH] banip: update 0.9.5-4
* optimized adding suspicious IPs to Sets in the log monitor
* re-added ipblackhole feed
Signed-off-by: Dirk Brenken
---
 net/banip/Makefile | 2 +-
 net/banip/files/README.md | 1 +
 net/banip/files/banip-functions.sh | 11 +++++------
 net/banip/files/banip.feeds | 5 +++++
 4 files changed, 12 insertions(+), 7 deletions(-)
diff --git a/net/banip/Makefile b/net/banip/Makefile
index 41f01195a4..43bf050f1e 100644
--- a/net/banip/Makefile
+++ b/net/banip/Makefile
@@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=banip
 PKG_VERSION:=0.9.5
-PKG_RELEASE:=3
+PKG_RELEASE:=4
 PKG_LICENSE:=GPL-3.0-or-later
 PKG_MAINTAINER:=Dirk Brenken
diff --git a/net/banip/files/README.md b/net/banip/files/README.md
index a29375bbf3..4f4300a01e 100644
--- a/net/banip/files/README.md
+++ b/net/banip/files/README.md
@@ -37,6 +37,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre
 | greensnow | suspicious server IPs | x | x | | | [Link](https://greensnow.co) |
 | iblockads | Advertising IPs | | | x | tcp: 80, 443 | [Link](https://www.iblocklist.com) |
 | iblockspy | Malicious spyware IPs | | | x | tcp: 80, 443 | [Link](https://www.iblocklist.com) |
+| ipblackhole | blackhole IPs | x | x | | | [Link](https://github.com/BlackHoleMonster/IP-BlackHole) |
 | ipsum | malicious IPs | x | x | | | [Link](https://github.com/stamparm/ipsum) |
 | ipthreat | hacker and botnet TPs | x | x | | | [Link](https://ipthreat.net) |
 | myip | real-time IP blocklist | x | x | | | [Link](https://myip.ms) |
diff --git a/net/banip/files/banip-functions.sh b/net/banip/files/banip-functions.sh
index b5c9b47745..e9cf873674 100644
--- a/net/banip/files/banip-functions.sh
+++ b/net/banip/files/banip-functions.sh
@@ -1354,6 +1354,7 @@ f_report() {
 local report_jsn report_txt tmp_val ruleset_raw item table_sets set_cnt set_input set_forwardwan set_forwardlan set_cntinput set_cntforwardwan set_cntforwardlan set_proto set_dport set_details
 local expr detail jsnval timestamp autoadd_allow autoadd_block sum_sets sum_setinput sum_setforwardwan sum_setforwardlan sum_setelements sum_cntinput sum_cntforwardwan sum_cntforwardlan
 local sum_synflood sum_udpflood sum_icmpflood sum_ctinvalid sum_tcpinvalid
 output="${1}"
+ [ -z "${ban_dev}" ] && f_conf
 f_mkdir "${ban_reportdir}"
 report_jsn="${ban_reportdir}/ban_report.jsn"
@@ -1549,7 +1550,7 @@ f_report() {
 [ -n "${ban_mailreceiver}" ] && [ -x "${ban_mailcmd}" ] && f_mail
 ;;
 esac
- rm -f "${report_txt}"
+ : >"${report_txt}"
 }
 # Set search
@@ -1682,6 +1683,9 @@ f_monitor() {
 log_raw="$(eval ${loglimit_cmd})"
 log_count="$(printf "%s\n" "${log_raw}" | "${ban_grepcmd}" -c "suspicious IP '${ip}'")"
 if [ "${log_count}" -ge "${ban_logcount}" ]; then
+ if "${ban_nftcmd}" add element inet banIP "blocklist${proto}" { ${ip} ${nft_expiry} } >/dev/null 2>&1; then
+ f_log "info" "add IP '${ip}' (expiry: ${ban_nftexpiry:-"-"}) to blocklist${proto} set"
+ fi
 if [ "${ban_autoblocksubnet}" = "1" ]; then
 rdap_log="$("${ban_fetchcmd}" ${ban_rdapparm} "${ban_rdapfile}" "${ban_rdapurl}${ip}" 2>&1)"
 rdap_rc="${?}"
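Review bot: The new `: >"${report_txt}"` truncates through a symlink where the old `rm -f` would only have unlinked it, so if `${ban_reportdir}` is ever writable by a non-root user a pre-placed link there gets truncated with the service's privileges; this is harmless if the report directory is root-owned, which the hunk does not show. The reason for keeping an empty file instead of removing it is also not recorded, so I would add a one-line why-comment above it, e.g. `# truncate rather than unlink: keep the report file in place for consumers that expect it to exist` completed with whichever reader actually depends on it. f_report starts and ends outside this hunk.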
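Review bot: The relocated `"${ban_nftcmd}" add element ... >/dev/null 2>&1` has no failure branch, so an IP that reaches `ban_logcount` but cannot be inserted (set missing, nft rejecting the element, or whatever else nft reports on the discarded stderr) leaves no trace in the log while the monitor carries on as if it were blocked. An `else` logging the miss closes that gap: `else` / `f_log "info" "unable to add IP '${ip}' to blocklist${proto} set"` (or the debug level if f_log has one, which I cannot see here). Since the add now also runs before the RDAP lookup when `ban_autoblocksubnet` is `1`, a short comment stating that the single IP is intentionally inserted in addition to any subnet derived below would document the behaviour change this commit makes. f_monitor continues outside this hunk.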
@@ -1700,11 +1704,6 @@ f_monitor() {
 f_log "info" "rdap request failed (rc: ${rdap_rc:-"-"}/log: ${rdap_log})"
 fi
 fi
- if [ "${ban_autoblocksubnet}" = "0" ] || [ "${rdap_rc}" != "0" ] || [ ! -s "${ban_rdapfile}" ] || [ -z "${rdap_prefix}" ] || [ -z "${rdap_length}" ]; then
- if "${ban_nftcmd}" add element inet banIP "blocklist${proto}" { ${ip} ${nft_expiry} } >/dev/null 2>&1; then
- f_log "info" "add IP '${ip}' (expiry: ${ban_nftexpiry:-"-"}) to blocklist${proto} set"
- fi
- fi
 if [ -z "${ban_nftexpiry}" ] && [ "${ban_autoblocklist}" = "1" ] && ! "${ban_grepcmd}" -q "^${ip}" "${ban_blocklist}"; then
 printf "%-42s%s\n" "${ip}" "# added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_blocklist}"
 f_log "info" "add IP '${ip}' to local blocklist"
diff --git a/net/banip/files/banip.feeds b/net/banip/files/banip.feeds
index 90eaf62adc..a614b33947 100644
--- a/net/banip/files/banip.feeds
+++ b/net/banip/files/banip.feeds
@@ -154,6 +154,11 @@
 "descr": "malicious spyware IPs",
 "flag": "gz tcp 80 443"
 },
+ "ipblackhole":{
+ "url_4": "https://blackhole.s-e-r-v-e-r.pw/blackhole-today",
+ "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
+ "descr": "blackhole IP blocklist"
+ },
 "ipsum":{
 "url_4": "https://raw.githubusercontent.com/stamparm/ipsum/master/levels/3.txt",
 "rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)[-[:space:]]?/{printf \"%s,\\n\",$1}",
-- 
2.30.2
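Review bot: The duplicate check `! "${ban_grepcmd}" -q "^${ip}" "${ban_blocklist}"` that gates the local-blocklist append is a prefix match, so `10.0.0.1` is treated as already listed when only `10.0.0.10` or `10.0.0.100` is present and never gets written; the dots in `${ip}` are also unescaped regex metacharacters. Anchoring the pattern fixes the prefix case: `! "${ban_grepcmd}" -qE "^${ip}([[:space:]]|$)" "${ban_blocklist}"` — the `printf "%-42s%s\n"` on the next line pads every machine-written entry with whitespace, and `$` covers hand-edited lines without padding. The line is pre-existing context rather than part of this change, but since the commit reworks how a suspicious IP is recorded it is cheap to fold in. f_monitor continues outside this hunk.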
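Review bot: The new `rule_4` for `ipblackhole` accepts a prefix length of `/0` (`1?[0-9]` matches a lone `0`), so a feed line `0.0.0.0/0` would be emitted as a set element and, unless a guard outside this hunk rejects it, blackhole all IPv4 traffic on the chains that reference the set. Tightening the optional suffix to `(\\/([1-9]|[12][0-9]|3[0-2]))?` keeps `/0` out of this feed; the neighbouring `ipsum` rule has the same shape, so the change should be applied consistently if it is made. Separately, the README row added in this commit links the GitHub project while `url_4` fetches from `blackhole.s-e-r-v-e-r.pw`; if that host is the project's published mirror a short note in the README row saying so would avoid the apparent mismatch.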