banIP: update 1.5.6-6

* limit nft logging to a rate 10/second to prevent possible log-flooding
* skip external feed processing if "allowlist-only" mode is fully enabled (in in- and outbound)
* remove needless default icmpv6 rule in wan-input
* refine the housekeeping script (uci-defaults)
* readme update

Signed-off-by: Dirk Brenken <dev@brenken.org>

net/banip/Makefile

@@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=banip
 PKG_VERSION:=1.5.6
-PKG_RELEASE:=5
+PKG_RELEASE:=6
 PKG_LICENSE:=GPL-3.0-or-later
 PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>
 

net/banip/files/95-banip-housekeeping

@@ -9,23 +9,28 @@ export LC_ALL=C
 export PATH="/usr/sbin:/usr/bin:/sbin:/bin"
 
 config="banip"
-old_options="ban_loginput ban_logforwardwan ban_logforwardlan ban_blockinput ban_blockforwardwan ban_blockforwardlan"
+old_options="ban_loginput ban_logforwardwan ban_logforwardlan ban_blockinput ban_blockforwardwan ban_blockforwardlan ban_blocktype ban_blockpolicy"
 
 for option in ${old_options}; do
-	if uci -q get ${config}.global.${option} >/dev/null 2>&1; then
-		old_values="$(uci -q get "${config}.global.${option}")"
-		for value in ${old_values}; do
-			case "${option}" in
-				"ban_loginput" | "ban_logforwardwan")
-					uci -q set "${config}".global.ban_loginbound="${value}"
-				;;
-				"ban_logforwardlan")
-					uci -q set "${config}".global.ban_logoutbound="${value}"
-				;;
-			esac
-		done
-		uci -q delete "${config}.global.${option}"
-	fi
+	old_values="$(uci -q get "${config}.global.${option}" 2>/dev/null)"
+	for value in ${old_values}; do
+		case "${option}" in
+			"ban_loginput" | "ban_logforwardwan")
+				uci -q set "${config}".global.ban_loginbound="${value}"
+			;;
+			"ban_logforwardlan")
+				uci -q set "${config}".global.ban_logoutbound="${value}"
+			;;
+			"ban_blockpolicy")
+				if printf "%s" "${old_values}" | grep -qw "input\|forwardwan\|forwardlan"; then
+					break
+				else
+					continue 2
+				fi
+			;;
+		esac
+	done
+	uci -q delete "${config}.global.${option}"
 done
 [ -n "$(uci -q changes "${config}")" ] && uci -q commit "${config}"
 exit 0

net/banip/files/README.md

@@ -482,6 +482,16 @@ C8:C2:9B:F7:80:12 192.168.1.10                     => this will be populated to
 C8:C2:9B:F7:80:12                                  => this will be populated to v6MAC-Set with the IP-wildcard ::/0
 ```
 
+**MAC-address logging in nftables**  
+The MAC-address logging format in nftables is a little bit unusual. It is generated by the kernel's NF_LOG module and places all MAC-related data into one flat field, without separators or labels. For example, the field MAC=7e:1a:2f:fc:ee:29:68:34:21:1f:a7:b1:08:00 is actually a concatenation of the following:  
+
+```
+[Source MAC (6 bytes)] + [Destination MAC (6 bytes)] + [EtherType (2 bytes)]
+7e:1a:2f:fc:ee:29 → the source MAC address
+68:34:21:1f:a7:b1 → the destination MAC address
+08:00 → the EtherType for IPv4 (0x0800)
+```
+
 **Set reporting, enable the GeoIP Map**  
 banIP includes a powerful reporting tool on the Set Reporting tab which shows the latest NFT banIP Set statistics. To get the latest statistics always press the "Refresh" button.  
 In addition to a tabular overview banIP reporting includes a GeoIP map in a modal popup window/iframe that shows the geolocation of your own uplink addresses (in green) and the locations of potential attackers (in red). To enable the GeoIP Map set the following options (in "Feed/Set Settings" config tab):  

net/banip/files/banip-functions.sh

@@ -620,11 +620,11 @@ f_nftinit() {
 	fi
 
 	if [ "${ban_logprerouting}" = "1" ]; then
-		log_icmp="log level ${ban_nftloglevel} prefix \"banIP/pre-icmp/drop: \""
-		log_syn="log level ${ban_nftloglevel} prefix \"banIP/pre-syn/drop: \""
-		log_udp="log level ${ban_nftloglevel} prefix \"banIP/pre-udp/drop: \""
-		log_tcp="log level ${ban_nftloglevel} prefix \"banIP/pre-tcp/drop: \""
-		log_ct="log level ${ban_nftloglevel} prefix \"banIP/pre-ct/drop: \""
+		log_icmp="log level ${ban_nftloglevel} prefix \"banIP/pre-icmp/drop: \" limit rate 10/second"
+		log_syn="log level ${ban_nftloglevel} prefix \"banIP/pre-syn/drop: \" limit rate 10/second"
+		log_udp="log level ${ban_nftloglevel} prefix \"banIP/pre-udp/drop: \" limit rate 10/second"
+		log_tcp="log level ${ban_nftloglevel} prefix \"banIP/pre-tcp/drop: \" limit rate 10/second"
+		log_ct="log level ${ban_nftloglevel} prefix \"banIP/pre-ct/drop: \" limit rate 10/second"
 	fi
 
 	{
@@ -677,8 +677,7 @@ f_nftinit() {
 		printf "%s\n" "add rule inet banIP wan-input ct state established,related counter accept"
 		printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv4 udp sport 67-68 udp dport 67-68 counter accept"
 		printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 udp sport 547 udp dport 546 counter accept"
-		printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} ip6 hoplimit 1 counter accept"
-		printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} ip6 hoplimit 255 counter accept"
+		printf "%s\n" "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } ip6 hoplimit 255 counter accept"
 		[ -n "${allow_dport}" ] && printf "%s\n" "add rule inet banIP wan-input ${allow_dport} counter accept"
 		[ "${ban_loginbound}" = "1" ] && printf "%s\n" "add rule inet banIP wan-input meta mark set 1 counter jump _inbound" || printf "%s\n" "add rule inet banIP wan-input counter jump _inbound"
 
@@ -728,8 +727,8 @@ f_down() {
 
 	# set log target
 	#
-	[ "${ban_loginbound}" = "1" ] && log_inbound="log level ${ban_nftloglevel} prefix \"banIP/inbound/${ban_blockpolicy}/${feed}: \""
-	[ "${ban_logoutbound}" = "1" ] && log_outbound="log level ${ban_nftloglevel} prefix \"banIP/outbound/reject/${feed}: \""
+	[ "${ban_loginbound}" = "1" ] && log_inbound="log level ${ban_nftloglevel} prefix \"banIP/inbound/${ban_blockpolicy}/${feed}: \" limit rate 10/second"
+	[ "${ban_logoutbound}" = "1" ] && log_outbound="log level ${ban_nftloglevel} prefix \"banIP/outbound/reject/${feed}: \" limit rate 10/second"
 
 	# set feed target
 	#
@@ -1229,7 +1228,10 @@ f_rmset() {
 			if ! printf "%s" "allowlist blocklist ${ban_feed}" | "${ban_grepcmd}" -q "${feed%.*}" ||
 				! printf "%s" "allowlist blocklist ${feedlist}" | "${ban_grepcmd}" -q "${feed%.*}" ||
 				{ [ "${feed%.*}" = "country" ] && [ "${ban_countrysplit}" = "1" ]; } ||
-				{ [ "${feed%.*}" = "asn" ] && [ "${ban_asnsplit}" = "1" ]; }; then
+				{ [ "${feed%.*}" = "asn" ] && [ "${ban_asnsplit}" = "1" ]; } ||
+				{ [ "${feed%.*}" != "allowlist" ] && [ "${feed%.*}" != "blocklist" ] && [ "${ban_allowlistonly}" = "1" ] &&
+					! printf "%s" "${ban_feedin}" | "${ban_grepcmd}" -q "allowlist" &&
+					! printf "%s" "${ban_feedout}" | "${ban_grepcmd}" -q "allowlist"; }; then
 				case "${feed%%.*}" in
 					"country")
 						country="${feed%.*}"

net/banip/files/banip-service.sh

@@ -58,6 +58,14 @@ for feed in allowlist ${ban_feed} blocklist; do
 		continue
 	fi
 
+	# skip external feeds in allowlistonly mode
+	#
+	if [ "${ban_allowlistonly}" = "1" ] &&
+		! printf "%s" "${ban_feedin}" | "${ban_grepcmd}" -q "allowlist" &&
+		! printf "%s" "${ban_feedout}" | "${ban_grepcmd}" -q "allowlist"; then
+		continue
+	fi
+
 	# external feeds (parallel processing on multicore hardware)
 	#
 	if ! json_select "${feed}" >/dev/null 2>&1; then