From ecf901a6ba98e0b70c773b7e0ffe795c3be0aa78 Mon Sep 17 00:00:00 2001 From: Dirk Brenken Date: Sun, 15 Mar 2026 18:17:04 +0100 Subject: [PATCH] banip: release 1.8.1-1 * the debug mode now captures internal error output in a dedicated log file, located by default in the banIP base directory as /tmp/ban_error.log * replaced the non-functional recursive PID tree walk in f_rmpid with a correct iterative implementation * added several IP validator improvements * fixed a copy-paste error in f_report * fixed a uninitialized variable in f_actual * fixed missing token validation in banip.cgi * various other minor improvement & fixes * removed abandoned nixspam feed * LuCI: various fixes & optimizations * readme update Signed-off-by: Dirk Brenken (cherry picked from commit e724274907fa9d1bbe3c37a9843a971948e4e668) --- net/banip/Makefile | 6 +- net/banip/files/README.md | 209 ++++++++++++++--------------- net/banip/files/banip-functions.sh | 195 ++++++++++++++++----------- net/banip/files/banip-service.sh | 10 +- net/banip/files/banip.cgi | 2 +- net/banip/files/banip.feeds | 7 - net/banip/files/banip.init | 11 +- net/banip/files/banip.tpl | 7 +- 8 files changed, 238 insertions(+), 209 deletions(-) diff --git a/net/banip/Makefile b/net/banip/Makefile index 14b3603bc2..478b1093cf 100644 --- a/net/banip/Makefile +++ b/net/banip/Makefile @@ -5,8 +5,8 @@ include $(TOPDIR)/rules.mk PKG_NAME:=banip -PKG_VERSION:=1.8.0 -PKG_RELEASE:=3 +PKG_VERSION:=1.8.1 +PKG_RELEASE:=1 PKG_LICENSE:=GPL-3.0-or-later PKG_MAINTAINER:=Dirk Brenken @@ -51,7 +51,7 @@ define Package/banip/install $(INSTALL_BIN) ./files/banip.init $(1)/etc/init.d/banip $(INSTALL_DIR) $(1)/usr/lib - $(INSTALL_CONF) ./files/banip-functions.sh $(1)/usr/lib + $(INSTALL_DATA) ./files/banip-functions.sh $(1)/usr/lib $(INSTALL_DIR) $(1)/etc/config $(INSTALL_CONF) ./files/banip.conf $(1)/etc/config/banip diff --git a/net/banip/files/README.md b/net/banip/files/README.md index 3ecb881f3e..3266592806 100644 
--- a/net/banip/files/README.md +++ b/net/banip/files/README.md 
@@ -4,16 +4,16 @@ ## Description -IP address blocking is commonly used to protect against brute force attacks, prevent disruptive or unauthorized address(es) from access or it can be used to restrict access to or from a particular geographic area — for example. Further more banIP scans the log file via logread and bans IPs that make too many password failures, e.g. via ssh. +IP address blocking is commonly used to protect against brute force attacks, prevent disruptive or unauthorized address(es) from access or it can be used to restrict access to or from a particular geographic area — for example. Further more banIP scans the log file via logread and bans IPs that make too many password failures, e.g. via ssh. ## Main Features -* banIP supports the following fully pre-configured IP blocklist feeds (free for private usage, for commercial use please check their individual licenses). -**Please note:** By default, each feed blocks the packet flow in the chain shown in the table below. _Inbound_ combines the chains WAN-Input and WAN-Forward, _Outbound_ represents the LAN-FWD chain: - * WAN-INP chain applies to packets from internet to your router - * WAN-FWD chain applies to packets from internet to other local devices (not your router) - * LAN-FWD chain applies to local packets going out to the internet (not your router) - The listed standard assignments can be changed to your needs under the 'Feed/Set Settings' config tab. +* banIP supports the following fully pre-configured IP blocklist feeds (free for private usage, for commercial use please check their individual licenses). +**Please note:** By default, each feed blocks the packet flow in the chain shown in the table below. 
_Inbound_ combines the chains WAN-Input and WAN-Forward, _Outbound_ represents the LAN-FWD chain: + * WAN-INP chain applies to packets from internet to your router + * WAN-FWD chain applies to packets from internet to other local devices (not your router) + * LAN-FWD chain applies to local packets going out to the internet (not your router) + The listed standard assignments can be changed to your needs under the 'Feed/Set Settings' config tab. | Feed | Focus | Inbound | Outbound | Proto/Port | Information | | :------------------ | :----------------------------- | :-----: | :------: | :---------------: | :----------------------------------------------------------- | @@ -41,9 +41,8 @@ IP address blocking is commonly used to protect against brute force attacks, pre | ipblackhole | blackhole IPs | x | | | [Link](https://github.com/BlackHoleMonster/IP-BlackHole) | | ipexdbl | IPEX dynamic blocklists | x | | | [Link](https://github.com/ZEROF/ipextractor) | | ipsum | malicious IPs | x | | | [Link](https://github.com/stamparm/ipsum) | -| ipthreat | hacker and botnet TPs | x | | | [Link](https://ipthreat.net) | +| ipthreat | hacker and botnet IPs | x | | | [Link](https://ipthreat.net) | | myip | real-time IP blocklist | x | | | [Link](https://myip.ms) | -| nixspam | iX spam protection | x | | | [Link](http://www.nixspam.org) | | proxy | open proxies | x | | | [Link](https://iplists.firehol.org/?ipset=proxylists) | | threat | emerging threats | x | | | [Link](https://rules.emergingthreats.net) | | threatview | malicious IPs | x | | | [Link](https://threatview.io) | 
@@ -104,12 +103,11 @@ IP address blocking is commonly used to protect against brute force attacks, pre **Please note:** * Devices with less than 256MB of RAM are **_not_** supported -* Latest banIP does **_not_** support OpenWrt 23.x because the kernel and the nft library are outdated (use former banIP 1.0.x instead) -* Any previous custom feeds file of banIP 1.0.x must be cleared and it's recommended to start with a fresh banIP default config +* After system upgrades it's recommended to start with a fresh banIP default config ## Installation and Usage -* Update your routers apk repository (apk Update) +* Update your router's apk repository (apk update) * Install the LuCI companion package 'luci-app-banip' which also installs the main 'banip' package as a dependency * Enable the banIP system service (System -> Startup) and enable banIP itself (banIP -> General Settings) * It's strongly recommended to use the LuCI frontend to easily configure all aspects of banIP, the application is located in LuCI under the 'Services' menu @@ -120,9 +118,9 @@ IP address blocking is commonly used to protect against brute force attacks, pre ## banIP CLI interface -* All important banIP functions are accessible via CLI, too. If you're going to configure banIP via CLI, edit the config file '/etc/config/banip' and enable the service, add pre-configured feeds and add/change other options to your needs, see the options reference table below. +* All important banIP functions are accessible via CLI, too. If you're going to configure banIP via CLI, edit the config file '/etc/config/banip' and enable the service, add pre-configured feeds and add/change other options to your needs, see the options reference table below. -``` +```sh ~# /etc/init.d/banip Syntax: /etc/init.d/banip [command] 
@@ -160,9 +158,9 @@ Available commands: | ban_icmplimit | option | 25 | threshold in number of packets to detect icmp DoS in prerouting chain. A value of '0' disables this safeguard | | ban_synlimit | option | 10 | threshold in number of packets to detect syn DoS in prerouting chain. A value of '0' disables this safeguard | | ban_udplimit | option | 100 | threshold in number of packets to detect udp DoS in prerouting chain. A value of '0' disables this safeguard | -| ban_logprerouting | option | 0 | log supsicious packets in the prerouting chain | -| ban_loginbound | option | 0 | log supsicious packets in the inbound chain (wan-input and wan-forward) | -| ban_logoutbound | option | 0 | log supsicious packets in the outbound chain (lan-forward) | +| ban_logprerouting | option | 0 | log suspicious packets in the prerouting chain | +| ban_loginbound | option | 0 | log suspicious packets in the inbound chain (wan-input and wan-forward) | +| ban_logoutbound | option | 0 | log suspicious packets in the outbound chain (lan-forward) | | ban_autoallowlist | option | 1 | add wan IPs/subnets and resolved domains automatically to the local allowlist (not only to the Sets) | | ban_autoblocklist | option | 1 | add suspicious attacker IPs and resolved domains automatically to the local blocklist (not only to the Sets) | | ban_autoblocksubnet | option | 0 | add entire subnets to the blocklist Sets based on an additional RDAP request with the suspicious IP | 
@@ -190,7 +188,7 @@ Available commands: | ban_nftpriority | option | -100 | nft priority for the banIP table (the prerouting table is fixed to priority -150) | | ban_nftpolicy | option | memory | nft policy for banIP-related Sets, values: memory, performance | | ban_nftexpiry | option | - | expiry time (ms|s|m|h|d|w) for auto added blocklist members, e.g. '5m', '2h' or '1d' | -| ban_nftretry | option | 5 | number of Set load attempts in case of an error | +| ban_nftretry | option | 3 | number of Set load attempts in case of an error | | ban_nftcount | option | 0 | enable nft counter for every Set element | | ban_bcp38 | option | 0 | block packets with spoofed source IP addresses in all supported chains | | ban_map | option | 0 | enable a GeoIP Map with suspicious Set elements | @@ -200,7 +198,7 @@ Available commands: | ban_region | list | - | Regional Internet Registry (RIR) country selection. Supported regions are: AFRINIC, ARIN, APNIC, LACNIC and RIPE | | ban_country | list | - | country iso codes for the 'country' feed, e.g. 'ru' | | ban_countrysplit | option | - | the selected countries are stored in separate Sets | -| ban_blocktype | option | drop | 'drop' packets silently on input and forwardwan chains or actively 'reject' the traffic | +| ban_blockpolicy | option | drop | 'drop' packets silently on input and forwardwan chains or actively 'reject' the traffic | | ban_feedin | list | - | limit the selected feeds to the inbound chain (wan-input and wan-forward) | | ban_feedout | list | - | limit the selected feeds to the outbound chain (lan-forward) | | ban_feedinout | list | - | set the selected feeds to the inbound and outbound chain (lan-forward) | 
@@ -215,14 +213,13 @@ Available commands: | ban_mailtopic | option | banIP notification | topic for banIP related notification E-Mails | | ban_mailprofile | option | ban_notify | mail profile used in 'msmtp' for banIP related notification E-Mails | | ban_mailnotification | option | 0 | receive E-Mail notifications with every banIP run | -| ban_reportelements | option | 1 | count Set elements in the report, disable this option to speed up the report significantly | | ban_resolver | option | - | external resolver used for DNS lookups, by default the local resolver/forwarder will be used | | ban_remotelog | option | 0 | enable the cgi interface to receive remote logging events | | ban_remotetoken | option | - | unique token to communicate with the cgi interface | ## Examples -**banIP report information** +**banIP report information** ``` ~# /etc/init.d/banip report 
@@ -241,30 +238,30 @@ Available commands: auto-added IPs to allowlist: 0 auto-added IPs to blocklist: 0 - Set | Count | Inbound (packets) | Outbound (packets) | Port/Protocol | Elements (max. 50) + Set | Count | Inbound (packets) | Outbound (packets) | Port/Protocol | Elements (max. 50) ---------------------+--------------+-----------------------+-----------------------+-----------------------+------------------------ - allowlist.v4 | 1 | ON: 0 | ON: 0 | - | - allowlist.v4MAC | 0 | - | ON: 0 | - | - allowlist.v6 | 1 | ON: 0 | ON: 0 | - | - allowlist.v6MAC | 0 | - | ON: 0 | - | - blocklist.v4 | 7 | ON: 358 | ON: 812 | - | 5.187.35.0, 20.160.0.0, + allowlist.v4 | 1 | ON: 0 | ON: 0 | - | + allowlist.v4MAC | 0 | - | ON: 0 | - | + allowlist.v6 | 1 | ON: 0 | ON: 0 | - | + allowlist.v6MAC | 0 | - | ON: 0 | - | + blocklist.v4 | 7 | ON: 358 | ON: 812 | - | 5.187.35.0, 20.160.0.0, | | | | | 45.135.232.0, 91.202.233 - | | | | | .0 - blocklist.v4MAC | 0 | - | ON: 0 | - | - blocklist.v6 | 0 | ON: 4 | ON: 0 | - | - blocklist.v6MAC | 0 | - | ON: 0 | - | - dns.v4 | 95493 | - | ON: 2039 | tcp, udp: 53, 853 | 8.8.8.8 - dns.v6 | 251 | - | ON: 0 | tcp, udp: 53, 853 | - doh.v4 | 1663 | - | ON: 0 | tcp, udp: 80, 443 | - doh.v6 | 1204 | - | ON: 0 | tcp, udp: 80, 443 | - hagezi.v4 | 39535 | - | ON: 0 | tcp, udp: 80, 443 | + | | | | | .0 + blocklist.v4MAC | 0 | - | ON: 0 | - | + blocklist.v6 | 0 | ON: 4 | ON: 0 | - | + blocklist.v6MAC | 0 | - | ON: 0 | - | + dns.v4 | 95493 | - | ON: 2039 | tcp, udp: 53, 853 | 8.8.8.8 + dns.v6 | 251 | - | ON: 0 | tcp, udp: 53, 853 | + doh.v4 | 1663 | - | ON: 0 | tcp, udp: 80, 443 | + doh.v6 | 1204 | - | ON: 0 | tcp, udp: 80, 443 | + hagezi.v4 | 39535 | - | ON: 0 | tcp, udp: 80, 443 | ---------------------+--------------+-----------------------+-----------------------+-----------------------+------------------------ - 13 | 138155 | 4 (362) | 13 (2851) | 10 | 5 + 13 | 138155 | 4 (362) | 13 (2851) | 10 | 5 ``` -**banIP runtime information** +**banIP runtime 
information** -``` +```sh ~# /etc/init.d/banip status ::: banIP runtime information + status : active (nft: ✔, monitor: ✔) @@ -281,9 +278,9 @@ Available commands: + system_info : cores: 4, log: logread, fetch: curl, Bananapi BPI-R3, mediatek/filogic, OpenWrt SNAPSHOT (r32542-bf46d119a2) ``` -**banIP search information** +**banIP search information** -``` +```sh ~# /etc/init.d/banip search 8.8.8.8 ::: ::: banIP Search @@ -294,10 +291,10 @@ Available commands: IP found in Set 'doh.v4' ``` -**banIP Set content information** -List all elements of a given Set with hit counters, e.g.: +**banIP Set content information** +List all elements of a given Set with hit counters, e.g.: -``` +```sh ~# /etc/init.d/banip content turris.v4 ::: ::: banIP Set Content @@ -319,8 +316,8 @@ List all elements of a given Set with hit counters, e.g.: [...] ``` -List only elements with hits of a given Set with hit counters, e.g.: -``` +List only elements with hits of a given Set with hit counters, e.g.: +```sh ~# /etc/init.d/banip content turris.v4 true ::: ::: banIP Set Content 
@@ -341,24 +338,24 @@ List only elements with hits of a given Set with hit counters, e.g.: ## Best practise and tweaks -**Recommendation for low memory systems** -nftables supports the atomic loading of firewall rules (incl. elements), which is cool but unfortunately is also very memory intensive. To reduce the memory pressure on low memory systems (i.e. those with 256-512MB RAM), you should optimize your configuration with the following options: +**Recommendation for low memory systems** +nftables supports the atomic loading of firewall rules (incl. elements), which is cool but unfortunately is also very memory intensive. To reduce the memory pressure on low memory systems (i.e. those with 256-512MB RAM), you should optimize your configuration with the following options: * point 'ban_basedir', 'ban_reportdir', 'ban_backupdir' and 'ban_errordir' to an external usb drive or ssd * set 'ban_cores' to '1' (only useful on a multicore system) to force sequential feed processing * set 'ban_splitsize' e.g. to '1024' to split the load of an external Set after every 1024 lines/elements * set 'ban_nftcount' to '0' to deactivate the CPU- and memory-intensive creation of counter elements at Set level -**Sensible choice of blocklists** -The following feeds are just my personal recommendation as an initial setup: +**Sensible choice of blocklists** +The following feeds are just my personal recommendation as an initial setup: * cinsscore, debl, turris and doh in their default chains -In total, this feed selection blocks about 20K IP addresses. It may also be useful to include some countries to the country feed. -Please note: don't just blindly activate (too) many feeds at once, sooner or later this will lead to OOM conditions. +In total, this feed selection blocks about 20K IP addresses. It may also be useful to include some countries to the country feed. +Please note: don't just blindly activate (too) many feeds at once, sooner or later this will lead to OOM conditions. 
-**Log Terms for logfile parsing** -Like fail2ban and crowdsec, banIP supports logfile scanning and automatic blocking of suspicious attacker IPs. -In the default config only the log terms to detect failed login attempts via dropbear and LuCI are in place. The following search pattern has been tested as well: +**Log Terms for logfile parsing** +Like fail2ban and crowdsec, banIP supports logfile scanning and automatic blocking of suspicious attacker IPs. +In the default config only the log terms to detect failed login attempts via dropbear and LuCI are in place. The following search pattern has been tested as well: ``` dropbear : 'Exit before auth from' 
@@ -371,20 +368,20 @@ openvpn : 'TLS Error: could not determine wrapping from \[AF_INET\]' AdGuard : 'AdGuardHome.*\[error\].*/control/login: from ip' ``` -You find the 'Log Terms' option in LuCI under the 'Log Settings' tab. Feel free to add more log terms to meet your needs and protect additional services. +You find the 'Log Terms' option in LuCI under the 'Log Settings' tab. Feel free to add more log terms to meet your needs and protect additional services. -**Allow-/Blocklist handling** -banIP supports local allow- and block-lists, MAC/IPv4/IPv6 addresses (incl. ranges in CIDR notation) or domain names. These files are located in /etc/banip/banip.allowlist and /etc/banip/banip.blocklist. -Unsuccessful login attempts or suspicious requests will be tracked and added to the local blocklist (see the 'ban_autoblocklist' option). The blocklist behaviour can be further tweaked with the 'ban_nftexpiry' option. -Depending on the options 'ban_autoallowlist' and 'ban_autoallowuplink' the uplink subnet or the uplink IP will be added automatically to local allowlist. -Furthermore, you can reference external Allowlist URLs with additional IPv4 and IPv6 feeds (see 'ban_allowurl'). -Both local lists also accept domain names as input to allow IP filtering based on these names. The corresponding IPs (IPv4 & IPv6) will be extracted and added to the Sets. +**Allow-/Blocklist handling** +banIP supports local allow- and block-lists, MAC/IPv4/IPv6 addresses (incl. ranges in CIDR notation) or domain names. These files are located in /etc/banip/banip.allowlist and /etc/banip/banip.blocklist. +Unsuccessful login attempts or suspicious requests will be tracked and added to the local blocklist (see the 'ban_autoblocklist' option). The blocklist behaviour can be further tweaked with the 'ban_nftexpiry' option. +Depending on the options 'ban_autoallowlist' and 'ban_autoallowuplink' the uplink subnet or the uplink IP will be added automatically to local allowlist. 
+Furthermore, you can reference external Allowlist URLs with additional IPv4 and IPv6 feeds (see 'ban_allowurl'). +Both local lists also accept domain names as input to allow IP filtering based on these names. The corresponding IPs (IPv4 & IPv6) will be extracted and added to the Sets. -**Allowlist-only mode** -banIP supports an "allowlist only" mode. This option restricts Internet access only to certain, explicitly permitted IP segments - and blocks access to the rest of the Internet. All IPs that are _not_ listed in the allowlist or in the external allowlist URLs are blocked. In this mode it might be useful to limit the allowlist feed to the inbound chain, to still allow outbound communication to the rest of the world. +**Allowlist-only mode** +banIP supports an "allowlist only" mode. This option restricts Internet access only to certain, explicitly permitted IP segments - and blocks access to the rest of the Internet. All IPs that are _not_ listed in the allowlist or in the external allowlist URLs are blocked. In this mode it might be useful to limit the allowlist feed to the inbound chain, to still allow outbound communication to the rest of the world. **MAC/IP-binding** -banIP supports concatenation of local MAC addresses/ranges with IPv4/IPv6 addresses, e.g. to enforce dhcp assignments or to free connected clients from outbound blocking. +banIP supports concatenation of local MAC addresses/ranges with IPv4/IPv6 addresses, e.g. to enforce dhcp assignments or to free connected clients from outbound blocking. The following notations in the local allow- and block-list are supported: ``` 
@@ -409,8 +406,8 @@ C8:C2:9B:F7:80:12 192.168.1.10 => this will be populated to C8:C2:9B:F7:80:12 => this will be populated to v6MAC-Set with the IP-wildcard ::/0 ``` -**MAC-address logging in nftables** -The MAC-address logging format in nftables is a little bit unusual. It is generated by the kernel's NF_LOG module and places all MAC-related data into one flat field, without separators or labels. For example, the field MAC=7e:1a:2f:fc:ee:29:68:34:21:1f:a7:b1:08:00 is actually a concatenation of the following: +**MAC-address logging in nftables** +The MAC-address logging format in nftables is a little bit unusual. It is generated by the kernel's NF_LOG module and places all MAC-related data into one flat field, without separators or labels. For example, the field MAC=7e:1a:2f:fc:ee:29:68:34:21:1f:a7:b1:08:00 is actually a concatenation of the following: ``` [Source MAC (6 bytes)] + [Destination MAC (6 bytes)] + [EtherType (2 bytes)] 
@@ -418,40 +415,40 @@ The MAC-address logging format in nftables is a little bit unusual. It is genera 68:34:21:1f:a7:b1 → the destination MAC address 08:00 → the EtherType for IPv4 (0x0800) ``` -**BCP38** -BCP38 (**B**est **C**urrent **P**ractice, RFC 2827) defines ingress filtering to prevent IP address spoofing. In practice, this means: +**BCP38** +BCP38 (**B**est **C**urrent **P**ractice, RFC 2827) defines ingress filtering to prevent IP address spoofing. In practice, this means: * dropping packets arriving on the WAN whose source address is not valid or routable via that interface * dropping packets leaving LAN => WAN whose source address does not belong to the local/internal prefixes -In banIP, the BCP38 implementation uses nftables’ FIB lookup to enforce this. It checks whether the packet’s source address is not valid for the incoming interface or whether the routing table reports no route for this source on this interface. Packets that fail this check are dropped. +In banIP, the BCP38 implementation uses nftables’ FIB lookup to enforce this. It checks whether the packet’s source address is not valid for the incoming interface or whether the routing table reports no route for this source on this interface. Packets that fail this check are dropped. -**Set reporting, enable the GeoIP Map** -banIP includes a powerful reporting tool on the Set Reporting tab which shows the latest NFT banIP Set statistics. To get the latest statistics always press the "Refresh" button. -In addition to a tabular overview banIP reporting includes a GeoIP map in a modal popup window/iframe that shows the geolocation of your own uplink addresses (in green) and the locations of potential attackers (in red). To enable the GeoIP Map set the following options (in "Feed/Set Settings" config tab): +**Set reporting, enable the GeoIP Map** +banIP includes a powerful reporting tool on the Set Reporting tab which shows the latest NFT banIP Set statistics. 
To get the latest statistics always press the "Refresh" button. +In addition to a tabular overview banIP reporting includes a GeoIP map in a modal popup window/iframe that shows the geolocation of your own uplink addresses (in green) and the locations of potential attackers (in red). To enable the GeoIP Map set the following options (in "Feed/Set Settings" config tab): * set 'ban_nftcount' to '1' to enable the nft counter for every Set element * set 'ban_map' to '1' to include the external components listed below and activate the GeoIP map -To make this work, banIP uses the following external components: +To make this work, banIP uses the following external components: * [Leaflet](https://leafletjs.com/) is a lightweight open-source JavaScript library for interactive maps * [OpenStreetMap](https://www.openstreetmap.org/) provides the map data under an open-source license * [CARTO basemap styles](https://github.com/CartoDB/basemap-styles) based on [OpenMapTiles](https://openmaptiles.org/schema) * The free and quite fast [IP Geolocation API](https://ip-api.com/) to resolve the required IP/geolocation information -**CGI interface to receive remote logging events** -banIP ships a basic cgi interface in '/www/cgi-bin/banip' to receive remote logging events (disabled by default). The cgi interface evaluates logging events via GET or POST request (see examples below). To enable the cgi interface set the following options: +**CGI interface to receive remote logging events** +banIP ships a basic cgi interface in '/www/cgi-bin/banip' to receive remote logging events (disabled by default). The cgi interface evaluates logging events via GET or POST request (see examples below). To enable the cgi interface set the following options: * set 'ban_remotelog' to '1' to enbale the cgi interface * set 'ban_remotetoken' to a secret transfer token, allowed token characters consist of '[A-Za-z]', '[0-9]', '.' 
and ':' - Examples to transfer remote logging events from an internal server to banIP via cgi interface: + Examples to transfer remote logging events from an internal server to banIP via cgi interface: * POST request: curl --insecure --data "=" https://192.168.1.1/cgi-bin/banip * GET request: wget --no-check-certificate https://192.168.1.1/cgi-bin/banip?= Please note: for security reasons use this cgi interface only internally and only encrypted via https transfer protocol. -**Download options** +**Download options** By default banIP uses the following pre-configured download options: ``` @@ -462,8 +459,8 @@ By default banIP uses the following pre-configured download options: To override the default set 'ban_fetchretry', 'ban_fetchinsecure' or globally 'ban_fetchparm' to your needs. -**Configure E-Mail notifications via 'msmtp'** -To use the email notification you must install and configure the package 'msmtp'. +**Configure E-Mail notifications via 'msmtp'** +To use the email notification you must install and configure the package 'msmtp'. Modify the file '/etc/msmtprc', e.g.: ``` @@ -485,7 +482,7 @@ password Finally add a valid E-Mail receiver address in banIP. -**Send status E-Mails and update the banIP lists via cron job** +**Send status E-Mails and update the banIP lists via cron job** For a regular, automatic status mailing and update of the used lists on a daily basis set up a cron job, e.g. ``` 
@@ -493,14 +490,14 @@ For a regular, automatic status mailing and update of the used lists on a daily 00 04 * * * /etc/init.d/banip reload ``` -**Redirect asterisk security logs to lodg/logread** +**Redirect asterisk security logs to lodg/logread** By default banIP scans the logfile via logread, so to monitor attacks on asterisk, its security log must be available via logread. To do this, edit '/etc/asterisk/logger.conf' and add the line 'syslog.local0 = security', then run 'asterisk -rx reload logger' to update the running asterisk configuration. -**Change/add banIP feeds and set optional feed flags** -The banIP default blocklist feeds are stored in an external JSON file '/etc/banip/banip.feeds'. All custom changes should be stored in an external JSON file '/etc/banip/banip.custom.feeds' (empty by default). It's recommended to use the LuCI based Custom Feed Editor to make changes to this file. +**Change/add banIP feeds and set optional feed flags** +The banIP default blocklist feeds are stored in an external JSON file '/etc/banip/banip.feeds'. All custom changes should be stored in an external JSON file '/etc/banip/banip.custom.feeds' (empty by default). It's recommended to use the LuCI based Custom Feed Editor to make changes to this file. A valid JSON source object contains the following information, e.g.: -``` +```json [...] "doh":{ "url_4": "https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv4.txt", 
@@ -513,34 +510,36 @@ A valid JSON source object contains the following information, e.g.: [...] ``` -Add an unique feed name (no spaces, no special chars) and make the required changes: adapt at least the URL, check/change the rule, the size and the description for a new feed. +Add an unique feed name (no spaces, no special chars) and make the required changes: adapt at least the URL, check/change the rule, the size and the description for a new feed. The rule consist of max. 4 individual, space separated parameters: 1. type: 'feed' or 'suricata' (required) 2. prefix: an optional search term (a string literal, no regex) to identify valid IP list entries 3. column: the IP column within the feed file, e.g. '1' (required) 4. separator: an optional field separator, default is the character class '[[:space:]]' -Please note: the flag field is optional, it's a space separated list of options: supported are 'gz' as an archive format and protocols 'tcp' or 'udp' with port numbers/port ranges for destination port limitations. +Please note: the flag field is optional, it's a space separated list of options: supported are 'gz' as an archive format and protocols 'tcp' or 'udp' with port numbers/port ranges for destination port limitations. -**Debug options** -Whenever you encounter banIP related processing problems, please enable "Verbose Debug Logging", restart banIP and check the "Processing Log" tab. -Typical symptoms: -* The nftables initialization failed: untick the 'Auto Detection' option in the 'General Settings' config section and set the required device and tools options manually -* A blocklist feed does not work: maybe a temporary server problem or the download URL has been changed. 
In the latter case, just use the Custom Feed Editor to point this feed to a new URL +**Debug options** +banIP provides an optional debug mode that writes diagnostic information to the system log and captures internal error output in a dedicated error logfile - by default located in the banIP base directory as '/tmp/ban_error.log'. The log file is automatically cleared at the beginning of each run. Under normal conditions, all error messages are discarded to keep regular runs clean and silent. -In case of a nft processing error, banIP creates an error directory (by default '/tmp/banIP-error') with the faulty nft load files. -For further troubleshooting, you can try to load such an error file manually to determine the exact cause of the error, e.g.: 'nft -f error.file.nft'. +Whenever you encounter banIP related processing problems, please enable "Verbose Debug Logging", restart banIP and check the "Processing Log" tab. +Typical symptoms: +* The nftables initialization failed: untick the 'Auto Detection' option in the 'General Settings' config section and set the required device and tools options manually +* A blocklist feed does not work: maybe a temporary server problem or the download URL has been changed. In the latter case, just use the Custom Feed Editor to point this feed to a new URL -Whenever you encounter firewall problems, enable the logging of certain chains in the "Log Settings" config section, restart banIP and check the "Firewall Log" tab. -Typical symptoms: -* A feed blocks a legit IP: disable the entire feed or add this IP to your local allowlist and reload banIP -* A feed (e.g. 
doh) interrupts almost all client connections: check the feed table above for reference and reset the feed to the defaults in the "Feed/Set Settings" config tab section -* The allowlist doesn't free a certain IP/MAC address: check the current content of the allowlist with the "Set Content" under the "Set Reporting" tab to make sure that the desired IP/MAC is listed - if not, reload banIP +In case of a nft processing error, banIP creates an error directory (by default '/tmp/banIP-error') with the faulty nft load files. +For further troubleshooting, you can try to load such an error file manually to determine the exact cause of the error, e.g.: 'nft -f error.file.nft'. + +Whenever you encounter firewall problems, enable the logging of certain chains in the "Log Settings" config section, restart banIP and check the "Firewall Log" tab. +Typical symptoms: +* A feed blocks a legit IP: disable the entire feed or add this IP to your local allowlist and reload banIP +* A feed (e.g. doh) interrupts almost all client connections: check the feed table above for reference and reset the feed to the defaults in the "Feed/Set Settings" config tab section +* The allowlist doesn't free a certain IP/MAC address: check the current content of the allowlist with the "Set Content" under the "Set Reporting" tab to make sure that the desired IP/MAC is listed - if not, reload banIP ## Support -Please join the banIP discussion in this [forum thread](https://forum.openwrt.org/t/banip-support-thread/16985) or contact me by mail -If you want to report an error, please describe it in as much detail as possible - with (debug) logs, the current banIP status, your banIP configuration, etc. +Please join the banIP discussion in this [forum thread](https://forum.openwrt.org/t/banip-support-thread/16985) or contact me by mail +If you want to report an error, please describe it in as much detail as possible - with (debug) logs, the current banIP status, your banIP configuration, etc. ## Removal 
@@ -548,14 +547,14 @@ Stop all banIP related services with _/etc/init.d/banip stop_ and remove the ban ## Donations -You like this project - is there a way to donate? Generally speaking "No" - I have a well-paying full-time job and my OpenWrt projects are just a hobby of mine in my spare time. +You like this project - is there a way to donate? Generally speaking "No" - I have a well-paying full-time job and my OpenWrt projects are just a hobby of mine in my spare time. -If you still insist to donate some bucks ... +If you still insist to donate some bucks ... * I would be happy if you put your money in kind into other, social projects in your area, e.g. a children's hospice * Let's meet and invite me for a coffee if you are in my area, the “Markgräfler Land” in southern Germany or in Switzerland (Basel) * Send your money to my [PayPal account](https://www.paypal.me/DirkBrenken) and I will collect your donations over the year to support various social projects in my area -No matter what you decide - thank you very much for your support! +No matter what you decide - thank you very much for your support! -Have fun! +Have fun! Dirk diff --git a/net/banip/files/banip-functions.sh b/net/banip/files/banip-functions.sh index 79bee69496..1c31ec7125 100644 --- a/net/banip/files/banip-functions.sh +++ b/net/banip/files/banip-functions.sh @@ -28,6 +28,7 @@ ban_rdapfile="/var/run/banip_rdap.json" ban_rdapurl="https://rdap.db.ripe.net/ip/" ban_geourl="http://ip-api.com/batch" ban_lock="/var/run/banip.lock" +ban_errorlog="/dev/null" ban_logreadfile="" ban_logreadcmd="" ban_mailsender="no-reply@banIP" 
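Review bot: The new `ban_errorlog="/dev/null"` default deserves a comment, because it is load-bearing: `f_cmd` already redirects with `2>>"${ban_errorlog}"` and is invoked at file load time (the `ban_xargscmd="$(f_cmd xargs)"` line in the -2305 hunk), i.e. before `f_system` has a chance to point the variable at the real log file. Suggested comment above the assignment: `# stderr sink for all helpers; f_system switches this to "${ban_basedir}/ban_error.log" when ban_debug=1, everything else stays discarded`. Without it a future reorder of the top-level `f_cmd` calls and this assignment would silently produce a literal file named "" or an unset-variable redirection.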
@@ -105,15 +106,27 @@ f_system() { ban_debug="$(uci_get banip global ban_debug "0")" ban_cores="$(uci_get banip global ban_cores)" - ban_packages="$("${ban_ubuscmd}" -S call rpc-sys packagelist '{ "all": true }' 2>/dev/null)" + ban_basedir="$(uci_get banip global ban_basedir "/tmp")" + + # set debug log file + # + if [ "${ban_debug}" = "1" ] && [ -d "${ban_basedir}" ]; then + ban_errorlog="${ban_basedir}/ban_error.log" + else + ban_errorlog="/dev/null" + fi + + # get banIP version and system information + # + ban_packages="$("${ban_ubuscmd}" -S call rpc-sys packagelist '{ "all": true }' 2>>"${ban_errorlog}")" ban_bver="$(printf "%s" "${ban_packages}" | "${ban_jsoncmd}" -ql1 -e '@.packages.banip')" ban_fver="$(printf "%s" "${ban_packages}" | "${ban_jsoncmd}" -ql1 -e '@.packages["luci-app-banip"]')" - ban_sysver="$("${ban_ubuscmd}" -S call system board 2>/dev/null | "${ban_jsoncmd}" -ql1 -e '@.model' -e '@.release.target' -e '@.release.distribution' -e '@.release.version' -e '@.release.revision' | + ban_sysver="$("${ban_ubuscmd}" -S call system board 2>>"${ban_errorlog}" | "${ban_jsoncmd}" -ql1 -e '@.model' -e '@.release.target' -e '@.release.distribution' -e '@.release.version' -e '@.release.revision' | "${ban_awkcmd}" 'BEGIN{RS="";FS="\n"}{printf "%s, %s, %s %s (%s)",$1,$2,$3,$4,$5}')" if [ -z "${ban_cores}" ]; then - cpu="$("${ban_grepcmd}" -c '^processor' /proc/cpuinfo 2>/dev/null)" - core="$("${ban_grepcmd}" -cm1 '^core id' /proc/cpuinfo 2>/dev/null)" + cpu="$("${ban_grepcmd}" -c '^processor' /proc/cpuinfo 2>>"${ban_errorlog}")" + core="$("${ban_grepcmd}" -cm1 '^core id' /proc/cpuinfo 2>>"${ban_errorlog}")" [ "${cpu}" = "0" ] && cpu="1" [ "${core}" = "0" ] && core="1" ban_cores="$((cpu * core))" 
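Review bot: The `[ -d "${ban_basedir}" ]` test makes debug logging depend on call order: `f_tmp` (in the -171 hunk) creates the base directory with `f_mkdir "${ban_basedir}"` and then truncates `${ban_errorlog}`, so if `f_system` runs before `f_tmp` on a fresh boot with a not-yet-existing base directory, `ban_errorlog` silently falls back to `/dev/null` for that run and the truncation hits `/dev/null` instead. I cannot see the call sequence from this hunk, so this may be fine in practice; if not, either drop the `-d` check here and let `f_tmp` create the directory, or call `f_mkdir "${ban_basedir}"` before the test. Either way a short comment stating which function is expected to create the directory would prevent the next reader from re-deriving this, e.g. `# ban_basedir is created by f_tmp; the log path is only activated once it exists`.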
@@ -126,11 +139,11 @@ f_system() { f_cmd() { local cmd pri_cmd="${1}" sec_cmd="${2}" - cmd="$(command -v "${pri_cmd}" 2>/dev/null)" + cmd="$(command -v "${pri_cmd}" 2>>"${ban_errorlog}")" if [ ! -x "${cmd}" ]; then if [ -n "${sec_cmd}" ]; then [ "${sec_cmd}" = "optional" ] && return - cmd="$(command -v "${sec_cmd}" 2>/dev/null)" + cmd="$(command -v "${sec_cmd}" 2>>"${ban_errorlog}")" fi if [ -x "${cmd}" ]; then printf "%s" "${cmd}" @@ -171,6 +184,7 @@ f_tmp() { f_mkdir "${ban_basedir}" ban_tmpdir="$(mktemp -p "${ban_basedir}" -d)" ban_tmpfile="$(mktemp -p "${ban_tmpdir}" -tu)" + [ "${ban_debug}" = "1" ] && : >"${ban_errorlog}" f_log "debug" "f_tmp ::: base_dir: ${ban_basedir:-"-"}, tmp_dir: ${ban_tmpdir:-"-"}" } @@ -213,15 +227,29 @@ f_trim() { # remove log monitor # f_rmpid() { - local ppid pid pids + local ppid pid pids_next pids_all childs newchilds - ppid="$("${ban_catcmd}" "${ban_pidfile}" 2>/dev/null)" + ppid="$("${ban_catcmd}" "${ban_pidfile}" 2>>"${ban_errorlog}")" if [ -n "${ppid}" ]; then - pids="$("${ban_pgrepcmd}" -P "${ppid}" 2>/dev/null)" - for pid in ${pids}; do - pids="${pids} $("${ban_pgrepcmd}" -P "${pid}" 2>/dev/null)" + pids_next="$("${ban_pgrepcmd}" -P "${ppid}" 2>>"${ban_errorlog}")" + pids_all="" + while [ -n "${pids_next}" ]; do + for pid in ${pids_next}; do + case " ${pids_all} " in + *" ${pid} "*) + ;; + *) pids_all="${pids_all} ${pid}" + ;; + esac + done + newchilds="" + for pid in ${pids_next}; do + childs="$("${ban_pgrepcmd}" -P "${pid}" 2>>"${ban_errorlog}")" + [ -n "${childs}" ] && newchilds="${newchilds} ${childs}" + done + pids_next="$(f_trim "${newchilds}")" done - for pid in ${pids}; do + for pid in ${pids_all}; do kill -INT "${pid}" >/dev/null 2>&1 done fi @@ -365,7 +393,7 @@ f_chkip() { ip = $col1 gsub(/\r|^[[:space:]]+|[[:space:]]+$/, "", ip) # prefix filter - if (pre != "" && $1 != pre) next + if (pre != "" && index($0, pre) != 1) next # skip empty lines or comments if (ip == "" || ip ~ /^#/) next # reject invalid lengths 
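Review bot: `[ "${ban_debug}" = "1" ] && : >"${ban_errorlog}"` truncates a fixed, documented path (`${ban_basedir}/ban_error.log`, default under `/tmp`) while running as root, and `: >` follows a symlink at that path; on a shared tmpfs it is worth refusing to truncate anything that is not a regular file, e.g. `[ "${ban_debug}" = "1" ] && [ ! -L "${ban_errorlog}" ] && : >"${ban_errorlog}"`. A second, smaller point: when debug mode is switched off, `ban_errorlog` becomes `/dev/null`, so the previous run's log file is neither cleared nor removed and lingers with possibly stale content until the next debug run. f_tmp's body continues outside the hunk.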
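Review bot: In the rewritten `f_rmpid`, every `pgrep` and `cat` now reports into `${ban_errorlog}`, but the final `kill -INT "${pid}" >/dev/null 2>&1` still discards its diagnostics, which is exactly the step whose failure (stale PID, already-exited child) you would want in the debug log; suggest `kill -INT "${pid}" 2>>"${ban_errorlog}"`. The breadth-first walk itself looks correct: `pids_all` is deduplicated through the `case " ${pids_all} "` pattern and a process tree is acyclic, so the `while` loop terminates; a one-line comment such as `# breadth-first walk of the monitor's descendants; pids_all keeps discovery order so parents are signalled first` would document the invariant the old recursive version lacked. Minor naming: `childs`/`newchilds` read better as `children`/`next_children`.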
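Review bot: `if (pre != "" && index($0, pre) != 1) next` widens the prefix filter: the old `$1 != pre` required the whole first field to equal `pre`, while the new test only requires the record text to begin with the characters of `pre`, so a feed line starting with `ipv6 …` would now pass a filter whose `pre` is `ip`. If that widening is intended (e.g. to tolerate prefixes that are not whitespace-separated from the address) a comment saying so would help; if not, anchoring on the field boundary keeps the old strictness while still allowing a leading-whitespace tolerant match, e.g. `if (pre != "" && substr($0, 1, length(pre) + 1) != pre " ") next`. The awk program and f_chkip continue outside this hunk, so I cannot see how `pre` is derived from the rule arguments.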
@@ -375,6 +403,8 @@ f_chkip() { if (ipv == "6" && ip ~ /^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$/) next # reject IPv4 when ipv=6 if (ipv == "6" && ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next + # reject IPv4-mapped IPv6 addresses + if (ipv == "6" && tolower(ip) ~ /^::ffff:/) next # reject IPv6 when ipv=4 if (ipv == "4" && ip ~ /:/) next # apply mask @@ -393,20 +423,23 @@ f_chkip() { # IPv4 CIDR if (ipv == "4") { if (base ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { - if (mask < 0 || mask > 32) next + if (mask > 32) next n = split(base, A, ".") - if (n != 4) next + # reject loopback and unspecified addresses if (A[1] == 127 || base == "0.0.0.0") next - for (i=1; i<=4; i++) if (A[i] < 0 || A[i] > 255) next + # reject leading zeros and octets > 255 + for (i=1; i<=4; i++) { + if (length(A[i]) > 1 && substr(A[i], 1, 1) == "0") next + if (A[i] > 255) next + } print lowip ", " next } } # IPv6 CIDR if (ipv == "6") { - #if (base ~ /^([0-9a-f]{0,4}:){2,7}[0-9a-f]{0,4}$/) { if (base ~ /^[0-9a-f:]+$/ && base ~ /:/) { - if (mask < 0 || mask > 128) next + if (mask > 128) next if (base == "::1" || base == "::") next if (base ~ /^fe80:/) next print lowip ", " @@ -418,18 +451,23 @@ f_chkip() { if (ipv == "4") { if (lowip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { n = split(lowip, A, ".") - if (n != 4) next + # reject loopback and unspecified addresses if (A[1] == 127 || lowip == "0.0.0.0") next - for (i=1; i<=4; i++) if (A[i] < 0 || A[i] > 255) next + # reject leading zeros and octets > 255 + for (i=1; i<=4; i++) { + if (length(A[i]) > 1 && substr(A[i], 1, 1) == "0") next + if (A[i] > 255) next + } print lowip ", " next } } # IPv6 check if (ipv == "6") { - #if (lowip ~ /^([0-9a-f]{0,4}:){2,7}[0-9a-f]{0,4}$/) { if (lowip ~ /^[0-9a-f:]+$/ && lowip ~ /:/) { + # reject loopback and unspecified addresses if (lowip == "::1" || lowip == "::") next + # reject link-local addresses if (lowip ~ /^fe80:/) next print lowip ", " next 
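Review bot: The new `tolower(ip) ~ /^::ffff:/` rejection only catches the fully compressed spelling of an IPv4-mapped address; the expanded hex form `0:0:0:0:0:ffff:XXXX:XXXX` (or partially compressed variants such as `0::ffff:XXXX:XXXX`) still matches the later `/^[0-9a-f:]+$/` check and reaches the set. Whether that matters depends on how much normalisation the feeds receive upstream, which I cannot see here; if it does, a comment noting the limitation, `# only the canonical ::ffff: form is rejected; expanded spellings are not normalised here`, is the minimum. The surrounding awk program continues outside the hunk.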
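Review bot: Dropping the `mask < 0` half of the CIDR range checks (`if (mask > 32) next` and `if (mask > 128) next`) is only safe if `mask` is guaranteed non-negative by the mask parsing, which sits between this hunk and the previous one and is not visible here; a feed line such as `a.b.c.d/-1` would otherwise now pass, and awk's string-vs-number comparison rules make `mask > 32` behave differently again if `mask` is still a plain string at this point. Unless the parsing already rejects anything but digits, restoring the lower bound, `if (mask < 0 || mask > 32) next` (and `128` for IPv6), costs nothing. The leading-zero rejection via `substr(A[i], 1, 1) == "0"` is a good addition and could carry a why-comment, e.g. `# "01" is ambiguous (octal in some parsers); nft rejects it`.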
@@ -451,15 +489,14 @@ f_actual() { nft="$(f_char "0")" fi - ppid="$("${ban_catcmd}" "${ban_pidfile}" 2>/dev/null)" + ppid="$("${ban_catcmd}" "${ban_pidfile}" 2>>"${ban_errorlog}")" if [ -n "${ppid}" ]; then - pids="$("${ban_pgrepcmd}" -P "${ppid}" 2>/dev/null)" + monitor="$(f_char "0")" + pids="$("${ban_pgrepcmd}" -P "${ppid}" 2>>"${ban_errorlog}")" for pid in ${pids}; do if "${ban_pgrepcmd}" -f "${ban_logreadcmd##*/}" -P "${pid}" >/dev/null 2>&1; then monitor="$(f_char "1")" break - else - monitor="$(f_char "0")" fi done else @@ -611,7 +648,7 @@ f_getdev() { # get local uplink # f_getup() { - local uplink iface ip + local uplink iface timestamp ip if [ "${ban_autoallowlist}" = "1" ] && [ "${ban_autoallowuplink}" != "disable" ]; then for iface in ${ban_ifv4} ${ban_ifv6}; do @@ -640,10 +677,10 @@ f_getup() { break fi done - date="$(date "+%Y-%m-%d %H:%M:%S")" + timestamp="$(date "+%Y-%m-%d %H:%M:%S")" for ip in ${ban_uplink}; do if ! "${ban_grepcmd}" -q "${ip} " "${ban_allowlist}"; then - printf "%-45s%s\n" "${ip}" "# uplink added on ${date}" >>"${ban_allowlist}" + printf "%-45s%s\n" "${ip}" "# uplink added on ${timestamp}" >>"${ban_allowlist}" f_log "info" "add uplink '${ip}' to local allowlist" fi done @@ -677,7 +714,7 @@ f_getfeed() { f_getelements() { local file="${1}" - [ -s "${file}" ] && printf "%s" "elements={ $("${ban_catcmd}" "${file}" 2>/dev/null) };" + [ -s "${file}" ] && printf "%s" "elements={ $("${ban_catcmd}" "${file}" 2>>"${ban_errorlog}") };" } # handle etag http header @@ -724,7 +761,7 @@ f_nftload() { break elif [ "${cnt}" = "${max_cnt}" ]; then [ ! -d "${ban_errordir}" ] && f_mkdir "${ban_errordir}" - "${ban_catcmd}" "${file}" 2>/dev/null >"${ban_errordir}/err.${file##*/}" + "${ban_catcmd}" "${file}" 2>>"${ban_errorlog}" >"${ban_errordir}/err.${file##*/}" f_log "info" "${errmsg}" break fi 
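Review bot: In `f_getup`, the dedup test `"${ban_grepcmd}" -q "${ip} " "${ban_allowlist}"` (context line next to the renamed `timestamp`) treats the uplink address as a regular expression and is unanchored, so the dots match any character and a longer address containing the shorter one as a substring makes the uplink look already listed and skips the append; `"${ban_grepcmd}" -qF -- "${ip} " "${ban_allowlist}"` compares the literal string and also protects against a leading dash. The rename from `date` to `timestamp` with a matching `local` is an improvement worth a one-word note in the commit message, since the old name shadowed nothing but read as if it did. f_getup's body continues outside the hunk.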
@@ -1006,11 +1043,11 @@ f_down() { # chain/rule maintenance # if [ "${ban_action}" = "reload" ] && "${ban_nftcmd}" -t list set inet banIP "${feed}" >/dev/null 2>&1; then - table_json="$("${ban_nftcmd}" -tja list table inet banIP 2>/dev/null)" + table_json="$("${ban_nftcmd}" -tja list table inet banIP 2>>"${ban_errorlog}")" { for chain in _inbound _outbound; do for expr in 0 1 2; do - handles="$(printf "%s\n" "${table_json}" | "${ban_jsoncmd}" -q -e "@.nftables[@.rule.chain=\"${chain}\"][@.expr[${expr}].match.right=\"@${feed}\"].handle" | xargs)" + handles="$(printf "%s\n" "${table_json}" | "${ban_jsoncmd}" -q -e "@.nftables[@.rule.chain=\"${chain}\"][@.expr[${expr}].match.right=\"@${feed}\"].handle" | "${ban_xargscmd}")" for handle in ${handles}; do printf "%s\n" "delete rule inet banIP ${chain} handle ${handle}" done @@ -1080,12 +1117,12 @@ f_down() { # prepare local/remote allowlist # if [ "${feed%%.*}" = "allowlist" ] && [ ! -f "${tmp_allow}" ]; then - "${ban_catcmd}" "${ban_allowlist}" 2>/dev/null >"${tmp_allow}" + "${ban_catcmd}" "${ban_allowlist}" 2>>"${ban_errorlog}" >"${tmp_allow}" feed_rc="${?}" for feed_url in ${ban_allowurl}; do - if "${ban_fetchcmd}" ${ban_fetchparm} "${tmp_load}" "${feed_url}" >/dev/null 2>&1; then + if "${ban_fetchcmd}" ${ban_fetchparm} "${tmp_load}" "${feed_url}" 2>>"${ban_errorlog}"; then if [ -s "${tmp_load}" ]; then - "${ban_catcmd}" "${tmp_load}" 2>/dev/null >>"${tmp_allow}" + "${ban_catcmd}" "${tmp_load}" 2>>"${ban_errorlog}" >>"${tmp_allow}" feed_rc="${?}" fi else 
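Review bot: Replacing `>/dev/null 2>&1` with `2>>"${ban_errorlog}"` on the `"${ban_fetchcmd}" ${ban_fetchparm} …` invocations changes two things, not one: stderr now reaches the debug log, but stdout is no longer discarded, so whatever the fetch tool prints on stdout when `ban_fetchparm` does not silence it now leaks into f_down's own stdout (same for the `nft add element` calls in the -1663 hunk on the f_lookup line, and the other fetch sites on the -1232/-1256/-1269/-1278/-1291 hunks). Keeping the stdout behaviour unchanged is a one-token edit per site: `… "${feed_url}" >/dev/null 2>>"${ban_errorlog}"; then`. Note also that with feeds fetched in parallel, every downloader's progress output lands in one appended file, so the error log can grow quickly in debug mode unless the fetch parameters are quiet. f_down continues outside the hunk.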
@@ -1232,9 +1269,9 @@ f_down() { if [ "${feed%%.*}" = "country" ]; then if [ "${ban_countrysplit}" = "0" ]; then for country in ${ban_country}; do - if "${ban_fetchcmd}" ${ban_fetchparm} "${tmp_raw}" "${feed_url}${country}-aggregated.zone" >/dev/null 2>&1; then + if "${ban_fetchcmd}" ${ban_fetchparm} "${tmp_raw}" "${feed_url}${country}-aggregated.zone" 2>>"${ban_errorlog}"; then if [ -s "${tmp_raw}" ]; then - "${ban_catcmd}" "${tmp_raw}" 2>/dev/null >>"${tmp_load}" + "${ban_catcmd}" "${tmp_raw}" 2>>"${ban_errorlog}" >>"${tmp_load}" feed_rc="${?}" fi else @@ -1245,7 +1282,7 @@ f_down() { else country="${feed%.*}" country="${country#*.}" - if "${ban_fetchcmd}" ${ban_fetchparm} "${tmp_load}" "${feed_url}${country}-aggregated.zone" >/dev/null 2>&1; then + if "${ban_fetchcmd}" ${ban_fetchparm} "${tmp_load}" "${feed_url}${country}-aggregated.zone" 2>>"${ban_errorlog}"; then feed_rc="${?}" else feed_rc="4" @@ -1256,9 +1293,9 @@ f_down() { elif [ "${feed%%.*}" = "asn" ]; then if [ "${ban_asnsplit}" = "0" ]; then for asn in ${ban_asn}; do - if "${ban_fetchcmd}" ${ban_fetchparm} "${tmp_raw}" "${feed_url}AS${asn}" >/dev/null 2>&1; then + if "${ban_fetchcmd}" ${ban_fetchparm} "${tmp_raw}" "${feed_url}AS${asn}" 2>>"${ban_errorlog}"; then if [ -s "${tmp_raw}" ]; then - "${ban_catcmd}" "${tmp_raw}" 2>/dev/null >>"${tmp_load}" + "${ban_catcmd}" "${tmp_raw}" 2>>"${ban_errorlog}" >>"${tmp_load}" feed_rc="${?}" fi else @@ -1269,7 +1306,7 @@ f_down() { else asn="${feed%.*}" asn="${asn#*.}" - if "${ban_fetchcmd}" ${ban_fetchparm} "${tmp_load}" "${feed_url}AS${asn}" >/dev/null 2>&1; then + if "${ban_fetchcmd}" ${ban_fetchparm} "${tmp_load}" "${feed_url}AS${asn}" 2>>"${ban_errorlog}"; then feed_rc="${?}" else feed_rc="4" 
@@ -1278,9 +1315,9 @@ f_down() { # handle compressed downloads # elif [ "${feed_comp}" = "gz" ]; then - if "${ban_fetchcmd}" ${ban_fetchparm} "${tmp_raw}" "${feed_url}" >/dev/null 2>&1; then + if "${ban_fetchcmd}" ${ban_fetchparm} "${tmp_raw}" "${feed_url}" 2>>"${ban_errorlog}"; then if [ -s "${tmp_raw}" ]; then - "${ban_zcatcmd}" "${tmp_raw}" 2>/dev/null >"${tmp_load}" + "${ban_zcatcmd}" "${tmp_raw}" 2>>"${ban_errorlog}" >"${tmp_load}" feed_rc="${?}" fi else @@ -1291,7 +1328,7 @@ f_down() { # handle normal downloads # else - if "${ban_fetchcmd}" ${ban_fetchparm} "${tmp_load}" "${feed_url}" >/dev/null 2>&1; then + if "${ban_fetchcmd}" ${ban_fetchparm} "${tmp_load}" "${feed_url}" 2>>"${ban_errorlog}"; then feed_rc="${?}" else feed_rc="4" @@ -1317,7 +1354,7 @@ f_down() { # if [ "${ban_deduplicate}" = "1" ] && [ "${feed_url}" != "local" ] && [ -z "${feed_complete}" ]; then f_chkip ${feed_ipv} ${feed_rule} < "${tmp_load}" >"${tmp_raw}" - "${ban_awkcmd}" 'NR==FNR{member[$0];next}!($0 in member)' "${ban_tmpfile}.deduplicate" "${tmp_raw}" 2>/dev/null | tee -a "${ban_tmpfile}.deduplicate" >"${tmp_split}" + "${ban_awkcmd}" 'NR==FNR{member[$0];next}!($0 in member)' "${ban_tmpfile}.deduplicate" "${tmp_raw}" 2>>"${ban_errorlog}" | tee -a "${ban_tmpfile}.deduplicate" >"${tmp_split}" feed_rc="${?}" else f_chkip ${feed_ipv} ${feed_rule} < "${tmp_load}" >"${tmp_split}" 
@@ -1328,13 +1365,13 @@ f_down() { # if [ "${feed_rc}" = "0" ]; then if [ -n "${ban_splitsize//[![:digit:]]/}" ] && [ "${ban_splitsize//[![:digit:]]/}" -ge "512" ]; then - if ! "${ban_awkcmd}" "NR%${ban_splitsize//[![:digit:]]/}==1{file=\"${tmp_file}.\"++i;}{ORS=\" \";print > file}" "${tmp_split}" 2>/dev/null; then + if ! "${ban_awkcmd}" "NR%${ban_splitsize//[![:digit:]]/}==1{file=\"${tmp_file}.\"++i;}{ORS=\" \";print > file}" "${tmp_split}" 2>>"${ban_errorlog}"; then feed_rc="${?}" rm -f "${tmp_file}".* f_log "info" "can't split nfset '${feed}' to size '${ban_splitsize//[![:digit:]]/}'" fi else - "${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}.1" + "${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>>"${ban_errorlog}" >"${tmp_file}.1" feed_rc="${?}" fi fi @@ -1389,11 +1426,11 @@ f_down() { # if [ "${feed_rc}" = "0" ]; then if [ "${feed%%.*}" = "allowlist" ]; then - cnt_dl="$("${ban_awkcmd}" 'END{printf "%d",NR}' "${tmp_allow}" 2>/dev/null)" + cnt_dl="$("${ban_awkcmd}" 'END{printf "%d",NR}' "${tmp_allow}" 2>>"${ban_errorlog}")" elif [ "${feed%%.*}" = "blocklist" ]; then - cnt_dl="$("${ban_awkcmd}" 'END{printf "%d",NR}' "${ban_blocklist}" 2>/dev/null)" + cnt_dl="$("${ban_awkcmd}" 'END{printf "%d",NR}' "${ban_blocklist}" 2>>"${ban_errorlog}")" else - cnt_dl="$("${ban_awkcmd}" 'END{printf "%d",NR}' "${tmp_split}" 2>/dev/null)" + cnt_dl="$("${ban_awkcmd}" 'END{printf "%d",NR}' "${tmp_split}" 2>>"${ban_errorlog}")" : >"${tmp_split}" fi if [ "${cnt_dl:-"0"}" -gt "0" ] || [ "${feed%%.*}" = "allowlist" ] || [ "${feed%%.*}" = "blocklist" ]; then @@ -1448,7 +1485,7 @@ f_restore() { [ "${feed_url}" = "local" ] && tmp_feed="${feed%.*}.v4" || tmp_feed="${feed}" if [ -s "${ban_backupdir}/banIP.${tmp_feed}.gz" ]; then - "${ban_zcatcmd}" "${ban_backupdir}/banIP.${tmp_feed}.gz" 2>/dev/null >"${feed_file}" + "${ban_zcatcmd}" "${ban_backupdir}/banIP.${tmp_feed}.gz" 2>>"${ban_errorlog}" >"${feed_file}" restore_rc="${?}" fi 
@@ -1464,7 +1501,7 @@ f_rmset() { f_getfeed json_get_keys feedlist tmp_del="${ban_tmpfile}.final.delete" - table_json="$("${ban_nftcmd}" -tj list table inet banIP 2>/dev/null)" + table_json="$("${ban_nftcmd}" -tj list table inet banIP 2>>"${ban_errorlog}")" table_sets="$(printf "%s\n" "${table_json}" | "${ban_jsoncmd}" -qe '@.nftables[@.set.family="inet"].set.name')" { printf "%s\n\n" "#!${ban_nftcmd} -f" @@ -1498,7 +1535,7 @@ f_rmset() { rm -f "${ban_backupdir}/banIP.${feed}.gz" for chain in _inbound _outbound; do for expr in 0 1 2; do - handles="$(printf "%s\n" "${table_json}" | "${ban_jsoncmd}" -q -e "@.nftables[@.rule.chain=\"${chain}\"][@.expr[${expr}].match.right=\"@${feed}\"].handle" | xargs)" + handles="$(printf "%s\n" "${table_json}" | "${ban_jsoncmd}" -q -e "@.nftables[@.rule.chain=\"${chain}\"][@.expr[${expr}].match.right=\"@${feed}\"].handle" | "${ban_xargscmd}")" for handle in ${handles}; do printf "%s\n" "delete rule inet banIP ${chain} handle ${handle}" done 
@@ -1527,19 +1564,19 @@ f_rmset() { f_genstatus() { local mem_free nft_ver chain_cnt set_cnt rule_cnt object end_time duration table table_sets element_cnt="0" custom_feed="0" split="0" status="${1}" - mem_free="$("${ban_awkcmd}" '/^MemAvailable/{printf "%.2f", $2/1024}' "/proc/meminfo" 2>/dev/null)" + mem_free="$("${ban_awkcmd}" '/^MemAvailable/{printf "%.2f", $2/1024}' "/proc/meminfo" 2>>"${ban_errorlog}")" nft_ver="$(printf "%s" "${ban_packages}" | "${ban_jsoncmd}" -ql1 -e '@.packages["nftables-json"]')" [ -z "${ban_dev}" ] && f_conf if [ "${status}" = "active" ]; then - table="$("${ban_nftcmd}" -tj list table inet banIP 2>/dev/null)" + table="$("${ban_nftcmd}" -tj list table inet banIP 2>>"${ban_errorlog}")" table_sets="$(printf "%s" "${table}" | "${ban_jsoncmd}" -qe '@.nftables[@.set.family="inet"].set.name')" for object in ${table_sets}; do - element_cnt="$((element_cnt + $("${ban_nftcmd}" -j list set inet banIP "${object}" 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*]' | "${ban_wccmd}" -l 2>/dev/null)))" + element_cnt="$((element_cnt + $("${ban_nftcmd}" -j list set inet banIP "${object}" 2>>"${ban_errorlog}" | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*]' | "${ban_wccmd}" -l 2>>"${ban_errorlog}")))" done - chain_cnt="$(printf "%s" "${table}" | "${ban_jsoncmd}" -qe '@.nftables[*].chain.name' | "${ban_wccmd}" -l 2>/dev/null)" - set_cnt="$(printf "%s" "${table}" | "${ban_jsoncmd}" -qe '@.nftables[*].set.name' | "${ban_wccmd}" -l 2>/dev/null)" - rule_cnt="$(printf "%s" "${table}" | "${ban_jsoncmd}" -qe '@.nftables[*].rule' | "${ban_wccmd}" -l 2>/dev/null)" + chain_cnt="$(printf "%s" "${table}" | "${ban_jsoncmd}" -qe '@.nftables[*].chain.name' | "${ban_wccmd}" -l 2>>"${ban_errorlog}")" + set_cnt="$(printf "%s" "${table}" | "${ban_jsoncmd}" -qe '@.nftables[*].set.name' | "${ban_wccmd}" -l 2>>"${ban_errorlog}")" + rule_cnt="$(printf "%s" "${table}" | "${ban_jsoncmd}" -qe '@.nftables[*].rule' | "${ban_wccmd}" -l 2>>"${ban_errorlog}")" 
element_cnt="$("${ban_awkcmd}" -v cnt="${element_cnt}" 'BEGIN{res="";pos=0;for(i=length(cnt);i>0;i--){res=substr(cnt,i,1)res;pos++;if(pos==3&&i>1){res=" "res;pos=0;}}; printf"%s",res}')" if [ -n "${ban_starttime}" ] && [ "${ban_action}" != "boot" ]; then end_time="$(date "+%s")" @@ -1589,7 +1626,7 @@ f_genstatus() { json_close_array json_add_string "nft_info" "ver: ${nft_ver:-"-"}, priority: ${ban_nftpriority}, policy: ${ban_nftpolicy}, loglevel: ${ban_nftloglevel}, expiry: ${ban_nftexpiry:-"-"}, limit (icmp/syn/udp): ${ban_icmplimit}/${ban_synlimit}/${ban_udplimit}" json_add_string "run_info" "base: ${ban_basedir}, backup: ${ban_backupdir}, report: ${ban_reportdir}, error: ${ban_errordir}" - json_add_string "run_flags" "auto: $(f_char ${ban_autodetect}), proto (4/6): $(f_char ${ban_protov4})/$(f_char ${ban_protov6}), bcp38: $(f_char ${ban_bcp38}), log (pre/in/out): $(f_char ${ban_logprerouting})/$(f_char ${ban_loginbound})/$(f_char ${ban_logoutbound}), count: $(f_char ${ban_nftcount}), dedup: $(f_char ${ban_deduplicate}), split: $(f_char ${split}), custom feed: $(f_char ${custom_feed}), allowed only: $(f_char ${ban_allowlistonly})" + json_add_string "run_flags" "auto: $(f_char ${ban_autodetect}), proto (4/6): $(f_char ${ban_protov4})/$(f_char ${ban_protov6}), bcp38: $(f_char ${ban_bcp38}), log (pre/in/out): $(f_char ${ban_logprerouting})/$(f_char ${ban_loginbound})/$(f_char ${ban_logoutbound}), count: $(f_char ${ban_nftcount}), dedup: $(f_char ${ban_deduplicate}), split: $(f_char ${split}), custom feed: $(f_char ${custom_feed}), allowed only: $(f_char ${ban_allowlistonly}), debug: $(f_char ${ban_debug})" json_add_string "last_run" "${runtime:-"-"}" json_add_string "system_info" "cores: ${ban_cores}, log: ${ban_logreadcmd##*/}, fetch: ${ban_fetchcmd##*/}, ${ban_sysver}" json_dump >"${ban_rtfile}" 
@@ -1640,13 +1677,13 @@ f_lookup() { start_time="$(date "+%s")" if [ "${feed}" = "allowlist" ]; then - list="$("${ban_awkcmd}" '/^([[:alnum:]_-]{1,63}\.)+[[:alpha:]]+([[:space:]]|$)/{printf "%s ",tolower($1)}' "${ban_allowlist}" 2>/dev/null)" + list="$("${ban_awkcmd}" '/^([[:alnum:]_-]{1,63}\.)+[[:alpha:]]+([[:space:]]|$)/{printf "%s ",tolower($1)}' "${ban_allowlist}" 2>>"${ban_errorlog}")" elif [ "${feed}" = "blocklist" ]; then - list="$("${ban_awkcmd}" '/^([[:alnum:]_-]{1,63}\.)+[[:alpha:]]+([[:space:]]|$)/{printf "%s ",tolower($1)}' "${ban_blocklist}" 2>/dev/null)" + list="$("${ban_awkcmd}" '/^([[:alnum:]_-]{1,63}\.)+[[:alpha:]]+([[:space:]]|$)/{printf "%s ",tolower($1)}' "${ban_blocklist}" 2>>"${ban_errorlog}")" fi for domain in ${list}; do - lookup="$("${ban_lookupcmd}" "${domain}" ${ban_resolver} 2>/dev/null | "${ban_awkcmd}" '/^Address[ 0-9]*: /{if(!seen[$NF]++)printf "%s ",$NF}' 2>/dev/null)" + lookup="$("${ban_lookupcmd}" "${domain}" ${ban_resolver} 2>>"${ban_errorlog}" | "${ban_awkcmd}" '/^Address[ 0-9]*: /{if(!seen[$NF]++)printf "%s ",$NF}' 2>>"${ban_errorlog}")" for ip in ${lookup}; do if [ "${ip%%.*}" = "127" ] || [ "${ip%%.*}" = "0" ] || [ -z "${ip%%::*}" ]; then continue @@ -1663,12 +1700,12 @@ f_lookup() { cnt_domain="$((cnt_domain + 1))" done if [ -n "${elementsv4}" ]; then - if ! "${ban_nftcmd}" add element inet banIP "${feed}.v4" { ${elementsv4} } >/dev/null 2>&1; then + if ! "${ban_nftcmd}" add element inet banIP "${feed}.v4" { ${elementsv4} } 2>>"${ban_errorlog}"; then f_log "info" "can't add lookup file to nfset '${feed}.v4'" fi fi if [ -n "${elementsv6}" ]; then - if ! "${ban_nftcmd}" add element inet banIP "${feed}.v6" { ${elementsv6} } >/dev/null 2>&1; then + if ! "${ban_nftcmd}" add element inet banIP "${feed}.v6" { ${elementsv6} } 2>>"${ban_errorlog}"; then f_log "info" "can't add lookup file to nfset '${feed}.v6'" fi fi 
@@ -1682,9 +1719,8 @@ f_lookup() { # f_report() { local report_jsn report_txt tmp_val table_json item table_sets set_cnt set_inbound set_outbound set_cntinbound set_cntoutbound set_proto set_dport set_details - local expr detail jsnval timestamp autoadd_allow autoadd_block sum_sets sum_setinbound sum_setoutbound sum_cntelements sum_cntinbound sum_cntoutbound - local quantity chunk map_jsn chain set_elements set_json sum_setelements sum_synflood sum_udpflood sum_icmpflood sum_ctinvalid sum_tcpinvalid - local sum_bcp38 output="${1}" + local expr detail jsnval timestamp autoadd_allow autoadd_block sum_sets sum_setinbound sum_setoutbound sum_cntelements sum_cntinbound sum_cntoutbound quantity + local chunk map_jsn chain set_elements set_json sum_setelements sum_synflood sum_udpflood sum_icmpflood sum_ctinvalid sum_tcpinvalid sum_setports sum_bcp38 output="${1}" f_conf f_mkdir "${ban_reportdir}" @@ -1697,7 +1733,7 @@ f_report() { # : >"${report_jsn}" : >"${map_jsn}" - table_json="$("${ban_nftcmd}" -tj list table inet banIP 2>/dev/null)" + table_json="$("${ban_nftcmd}" -tj list table inet banIP 2>>"${ban_errorlog}")" table_sets="$(printf "%s" "${table_json}" | "${ban_jsoncmd}" -qe '@.nftables[@.set.family="inet"].set.name')" sum_sets="0" sum_cntelements="0" @@ -1718,8 +1754,8 @@ f_report() { cnt="1" for item in ${table_sets}; do ( - set_json="$("${ban_nftcmd}" -j list set inet banIP "${item}" 2>/dev/null)" - set_cnt="$(printf "%s" "${set_json}" | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*]' | "${ban_wccmd}" -l 2>/dev/null)" + set_json="$("${ban_nftcmd}" -j list set inet banIP "${item}" 2>>"${ban_errorlog}")" + set_cnt="$(printf "%s" "${set_json}" | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*]' | "${ban_wccmd}" -l 2>>"${ban_errorlog}")" set_cntinbound="" set_cntoutbound="" set_inbound="" 
@@ -1864,7 +1900,7 @@ f_report() { \"sum_udpflood\": \"${sum_udpflood}\", \ \"sum_icmpflood\": \"${sum_icmpflood}\", \ \"sum_ctinvalid\": \"${sum_ctinvalid}\", \ - \"sum_tcpinvalid\": \"${sum_bcp38}\", \ + \"sum_tcpinvalid\": \"${sum_tcpinvalid}\", \ \"sum_bcp38\": \"${sum_bcp38}\", \ \"sum_sets\": \"${sum_sets}\", \ \"sum_setinbound\": \"${sum_setinbound}\", \ @@ -1892,7 +1928,7 @@ f_report() { if [ "${jsnval}" != '""' ]; then { printf "%s" ",[{}" - "${ban_fetchcmd}" ${ban_geoparm} "[ ${jsnval} ]" "${ban_geourl}" 2>/dev/null | + "${ban_fetchcmd}" ${ban_geoparm} "[ ${jsnval} ]" "${ban_geourl}" 2>>"${ban_errorlog}" | "${ban_jsoncmd}" -qe '@[*&&@.status="success"]' | "${ban_awkcmd}" -v feed="homeIP" '{printf ",{\"%s\": %s}\n",feed,$0}' } >>"${map_jsn}" fi @@ -1921,14 +1957,14 @@ f_report() { chunk="${chunk} ${ip}" quantity="$((quantity + 1))" if [ "${quantity}" -eq "100" ]; then - "${ban_fetchcmd}" ${ban_geoparm} "[ ${chunk%%?} ]" "${ban_geourl}" 2>/dev/null | + "${ban_fetchcmd}" ${ban_geoparm} "[ ${chunk%%?} ]" "${ban_geourl}" 2>>"${ban_errorlog}" | "${ban_jsoncmd}" -qe '@[*&&@.status="success"]' | "${ban_awkcmd}" -v feed="${item//_v/.v}" '{printf ",{\"%s\": %s}\n",feed,$0}' >>"${map_jsn}" chunk="" quantity="0" fi done if [ "${quantity}" -gt "0" ]; then - "${ban_fetchcmd}" ${ban_geoparm} "[ ${chunk} ]" "${ban_geourl}" 2>/dev/null | + "${ban_fetchcmd}" ${ban_geoparm} "[ ${chunk} ]" "${ban_geourl}" 2>>"${ban_errorlog}" | "${ban_jsoncmd}" -qe '@[*&&@.status="success"]' | "${ban_awkcmd}" -v feed="${item//_v/.v}" '{printf ",{\"%s\": %s}\n",feed,$0}' >>"${map_jsn}" fi ) & 
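Review bot: The geolocation batches posted with `"${ban_fetchcmd}" ${ban_geoparm} "[ ${chunk} ]" "${ban_geourl}"` go to `ban_geourl="http://ip-api.com/batch"` (context in the -28 hunk), i.e. the set contents leave the router in cleartext and the returned records merged into `${map_jsn}` are neither authenticated nor integrity-checked; the commit only touches the stderr redirection here, but if the provider offers TLS the URL should move to https, and if it does not, a comment above the fetch stating that the map data is best-effort and unauthenticated is warranted. The `sum_tcpinvalid` fix in the first hunk is correct. f_report continues outside these hunks.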
@@ -2035,10 +2071,10 @@ f_report() { ;; "json") if [ "${ban_nftcount}" = "1" ] && [ "${ban_map}" = "1" ]; then - jsn="$("${ban_catcmd}" ${report_jsn} ${map_jsn} 2>/dev/null)" + jsn="$("${ban_catcmd}" ${report_jsn} ${map_jsn} 2>>"${ban_errorlog}")" [ -n "${jsn}" ] && printf "[%s]]\n" "${jsn}" else - jsn="$("${ban_catcmd}" ${report_jsn} 2>/dev/null)" + jsn="$("${ban_catcmd}" ${report_jsn} 2>>"${ban_errorlog}")" [ -n "${jsn}" ] && printf "[%s]\n" "${jsn}" fi ;; @@ -2066,7 +2102,7 @@ f_search() { fi fi if [ -n "${proto}" ]; then - table_sets="$("${ban_nftcmd}" -tj list table inet banIP 2>/dev/null | "${ban_jsoncmd}" -qe "@.nftables[@.set.type=\"ip${proto}_addr\"].set.name")" + table_sets="$("${ban_nftcmd}" -tj list table inet banIP 2>>"${ban_errorlog}" | "${ban_jsoncmd}" -qe "@.nftables[@.set.type=\"ip${proto}_addr\"].set.name")" else printf "%s\n%s\n%s\n" ":::" "::: no valid search input" ":::" return @@ -2108,7 +2144,7 @@ f_content() { printf "%s\n%s\n%s\n" ":::" "::: no valid Set input" ":::" return fi - set_raw="$("${ban_nftcmd}" -j list set inet banIP "${input}" 2>/dev/null)" + set_raw="$("${ban_nftcmd}" -j list set inet banIP "${input}" 2>>"${ban_errorlog}")" if [ "$(uci_get banip global ban_nftcount)" = "1" ]; then if [ "${filter}" = "true" ]; then @@ -2305,6 +2341,7 @@ ban_lookupcmd="$(f_cmd nslookup)" ban_mailcmd="$(f_cmd msmtp optional)" ban_nftcmd="$(f_cmd nft)" ban_pgrepcmd="$(f_cmd pgrep)" +ban_xargscmd="$(f_cmd xargs)" ban_sedcmd="$(f_cmd sed)" ban_ubuscmd="$(f_cmd ubus)" ban_zcatcmd="$(f_cmd zcat)" diff --git a/net/banip/files/banip-service.sh b/net/banip/files/banip-service.sh index 0c47c5fddf..b59cbb5c34 100755 --- a/net/banip/files/banip-service.sh +++ b/net/banip/files/banip-service.sh @@ -49,6 +49,7 @@ f_getfeed # cnt="1" for feed in allowlist ${ban_feed} blocklist; do + # local feeds (sequential processing) # if [ "${feed}" = "allowlist" ] || [ "${feed}" = "blocklist" ]; then 
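Review bot: `"${ban_catcmd}" ${report_jsn} ${map_jsn} 2>>"${ban_errorlog}"` (and the `${report_jsn}`-only form in the `else` branch) leaves the two file paths unquoted while every other expansion on the line is quoted; both derive from `ban_reportdir`, which is a uci setting, so a directory name containing whitespace or glob characters would split or expand here. Quote them for consistency: `jsn="$("${ban_catcmd}" "${report_jsn}" "${map_jsn}" 2>>"${ban_errorlog}")"`. f_report continues outside the hunk.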
@@ -82,13 +83,13 @@ for feed in allowlist ${ban_feed} blocklist; do # skip incomplete feeds # - if { [ -z "$feed_url_4" ] && [ -z "$feed_url_6" ]; } || \ - { { [ -n "$feed_url_4" ] || [ -n "$feed_url_6" ]; } && [ -z "$feed_rule" ]; }; then + if { [ -z "${feed_url_4}" ] && [ -z "${feed_url_6}" ]; } || \ + { { [ -n "${feed_url_4}" ] || [ -n "${feed_url_6}" ]; } && [ -z "${feed_rule}" ]; }; then f_log "info" "skip incomplete feed '${feed}'" continue fi - # handle IPv4/IPv6 feeds + # handle IPv4 feeds # if [ "${ban_protov4}" = "1" ] && [ -n "${feed_url_4}" ] && [ -n "${feed_rule}" ]; then feed_ipv="4" @@ -111,6 +112,9 @@ for feed in allowlist ${ban_feed} blocklist; do fi fi fi + + # handle IPv6 feeds + # if [ "${ban_protov6}" = "1" ] && [ -n "${feed_url_6}" ] && [ -n "${feed_rule}" ]; then feed_ipv="6" if [ "${feed}" = "country" ] && [ "${ban_countrysplit}" = "1" ]; then diff --git a/net/banip/files/banip.cgi b/net/banip/files/banip.cgi index 629fe81186..770bce53e3 100644 --- a/net/banip/files/banip.cgi +++ b/net/banip/files/banip.cgi @@ -19,7 +19,7 @@ request_decode() { value="${request#*=}" token="$(uci -q get banip.global.ban_remotetoken)" - if [ -n "${key}" ] && [ -n "${value}" ] && [ "${key}" = "${token}" ] && /etc/init.d/banip running; then + if [ -n "${token}" ] && [ -n "${key}" ] && [ -n "${value}" ] && [ "${key}" = "${token}" ] && /etc/init.d/banip running; then [ -r "/usr/lib/banip-functions.sh" ] && { . "/usr/lib/banip-functions.sh"; f_conf; } if [ "${ban_remotelog}" = "1" ] && [ -x "${ban_logreadcmd}" ] && [ -n "${ban_logterm%%??}" ] && [ "${ban_loglimit}" != "0" ]; then f_log "info" "received a suspicious remote IP '${value}'" diff --git a/net/banip/files/banip.feeds b/net/banip/files/banip.feeds index bdf770c12e..2f587aced9 100644 --- a/net/banip/files/banip.feeds +++ b/net/banip/files/banip.feeds 
@@ -168,13 +168,6 @@ "chain": "in", "descr": "real-time IP blocklist" }, - "nixspam":{ - "url_4": "https://www.nixspam.net/download/nixspam-ip.dump.gz", - "rule": "feed 1", - "chain": "in", - "descr": "iX spam protection", - "flag": "gz" - }, "proxy":{ "url_4": "https://iplists.firehol.org/files/proxylists.ipset", "rule": "feed 1", diff --git a/net/banip/files/banip.init b/net/banip/files/banip.init index 4ffbc8225a..a228c3b891 100755 --- a/net/banip/files/banip.init +++ b/net/banip/files/banip.init @@ -22,17 +22,14 @@ ban_lock="/var/run/banip.lock" if [ -z "${IPKG_INSTROOT}" ]; then if [ "${action}" = "boot" ] && "${ban_init}" running; then exit 0 - elif { [ "${action}" = "stop" ] || [ "${action}" = "report" ] || [ "${action}" = "search" ] || - [ "${action}" = "content" ] || [ "${action}" = "lookup" ]; } && ! "${ban_init}" running; then + elif { [ "${action}" = "stop" ] || [ "${action}" = "report" ] || [ "${action}" = "search" ] || [ "${action}" = "content" ]; } && ! "${ban_init}" running; then exit 0 fi if [ ! -d "${ban_lock}" ] && - { [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || - [ "${action}" = "reload" ] || [ "${action}" = "lookup" ] || [ "${action}" = "search" ]; }; then - mkdir -p "${ban_lock}" + { [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "search" ]; }; then + mkdir -p "${ban_lock}" elif [ -d "${ban_lock}" ] && - { [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || - [ "${action}" = "reload" ] || [ "${action}" = "lookup" ] || [ "${action}" = "search" ]; }; then + { [ "${action}" = "boot" ] || [ "${action}" = "start" ] || [ "${action}" = "restart" ] || [ "${action}" = "reload" ] || [ "${action}" = "search" ]; }; then exit 1 fi . "${ban_funlib}" diff --git a/net/banip/files/banip.tpl b/net/banip/files/banip.tpl index ddedb005fe..a542f6b0d5 100644 --- a/net/banip/files/banip.tpl 
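Review bot: Removing `[ "${action}" = "lookup" ]` from both lock conditions and from the not-running early exit means a `lookup` run no longer creates `${ban_lock}` and no longer refuses to start while another start/reload holds it, yet `f_lookup` still writes to the live ruleset (`nft add element inet banIP "${feed}.v4"` in the -1663 hunk of banip-functions.sh), so a lookup racing a reload is now unserialised; it also runs when the service is stopped and the table may not exist. If this is the intended behaviour (e.g. lookups are now triggered only from within the locked service run) a line in the commit message saying so would help, since it is not covered by the listed changes; otherwise restore `lookup` in the two lock conditions.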
+++ b/net/banip/files/banip.tpl @@ -9,14 +9,13 @@ local banip_info report_info log_info system_info mail_text logread_cmd if [ -f "${ban_logreadfile}" ] && [ -x "${ban_logreadcmd}" ] && [ "${ban_logreadcmd##*/}" = "tail" ]; then logread_cmd="${ban_logreadcmd} -qn ${ban_loglimit} ${ban_logreadfile} 2>/dev/null | ${ban_grepcmd} -e \"banIP/\" 2>/dev/null" elif [ -x "${ban_logreadcmd}" ] && [ "${ban_logreadcmd##*/}" = "logread" ]; then - logread_cmd="${ban_logreadcmd} -l ${ban_loglimit} -e "banIP/" 2>/dev/null" + logread_cmd="${ban_logreadcmd} -l ${ban_loglimit} -e \"banIP/\" 2>/dev/null" fi banip_info="$(/etc/init.d/banip status 2>/dev/null)" report_info="$("${ban_catcmd}" "${ban_reportdir}/ban_report.txt" 2>/dev/null)" -log_info="$(${logread_cmd})" -system_info="$(strings /etc/banner 2>/dev/null - "${ban_ubuscmd}" call system board | +log_info="$(eval "${logread_cmd}" 2>/dev/null)" +system_info="$(strings /etc/banner 2>/dev/null; "${ban_ubuscmd}" call system board | \ "${ban_awkcmd}" 'BEGIN{FS="[{}\"]"}{if($2=="kernel"||$2=="hostname"||$2=="system"||$2=="model"||$2=="description")printf " + %-12s: %s\n",$2,$4}')" # content header
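Review bot: `log_info="$(eval "${logread_cmd}" 2>/dev/null)"` executes a command string assembled from uci-derived values (`ban_logreadcmd`, `ban_loglimit`, `ban_logreadfile`, `ban_grepcmd`); the values are admin-controlled, but any shell metacharacter in them is re-parsed by `eval`, and the escaping fixed in this hunk (`\"banIP/\"`) exists only to survive that second parse. Since the template needs exactly one of two fixed pipelines, running them directly inside the existing `if`/`elif` removes both the `eval` and the quoting fragility (the `logread_cmd` entry in the `local` line then becomes unused). The `strings /etc/banner …; "${ban_ubuscmd}" …` fix is correct.
```sh
if [ -f "${ban_logreadfile}" ] && [ -x "${ban_logreadcmd}" ] && [ "${ban_logreadcmd##*/}" = "tail" ]; then
	log_info="$("${ban_logreadcmd}" -qn "${ban_loglimit}" "${ban_logreadfile}" 2>/dev/null | "${ban_grepcmd}" -e "banIP/" 2>/dev/null)"
elif [ -x "${ban_logreadcmd}" ] && [ "${ban_logreadcmd##*/}" = "logread" ]; then
	log_info="$("${ban_logreadcmd}" -l "${ban_loglimit}" -e "banIP/" 2>/dev/null)"
fi
# … unchanged: banip_info, report_info, system_info …
```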