149 Commits

Author SHA1 Message Date
Dirk Brenken dc39393c1b banip: update 1.8.8-4
- f_etag performance optimization: single-pass awk consolidating count+match
- f_report performance optimization: significantly reduce subshell spawning
- f_lookup performance optimization: DNS resolution parallelized per domain via subshells
- LuCI: prevent possible report refresh timeouts

Signed-off-by: Dirk Brenken <dev@brenken.org>
2026-05-18 23:21:43 +02:00
Dirk Brenken b2d769ffc8 banip: update 1.8.8-3
- gated config sanity checks at the end of banip-functions.sh
   behind 'ban_action' to skip them on init script sourcing paths (enable/disable/help)
- added a ubus socket guard around f_system to harden against pre-ubus sourcing
- added a 'ban_bver' fallback in f_log for sourcing paths without prior f_system execution
- reordered system utility references before system library sourcing,
   so f_log has a valid 'ban_logcmd' available if the library check fails
- minor code improvements and fixes

Signed-off-by: Dirk Brenken <dev@brenken.org>
2026-05-16 22:16:43 +02:00
Dirk Brenken 98c0a3d00d banip: update 1.8.8-2
- optimized pidfile handling in the init file
- small corner-case fixes & improvements
- drop deprecated 'drop' feed (replaced by 'spamhaus' json feed with the same content)
- LuCI: expose the new JSON Lines Format in the feed editor
- readme update

Signed-off-by: Dirk Brenken <dev@brenken.org>
2026-05-04 19:42:40 +02:00
Dirk Brenken e0669cb1a8 banip: release 1.8.8-1
- introduced a shared named nft limit (loglimit) referenced by
  all log rules instead of per-rule limits, aligning with kernel printk rate limits
- added new 'ban_logratelimit' and 'ban_logburstlimit' UCI options for tuning
   the shared log limit; setting ban_logratelimit=0 disables nft-side rate limiting
   entirely (useful for ulogd or other userspace log handlers that bypass printk)
- LuCI: made the new UCI option available (Log Settings)
- readme update

Signed-off-by: Dirk Brenken <dev@brenken.org>
2026-04-30 11:37:14 +02:00
Dirk Brenken 523c395b17 banip: release 1.8.7-1
- fix log rate limit and drop throttling (#29255, #27990)
- serialize dedup writes via flock in f_down
- tighten RDAP CIDR validation and lock handling in f_monitor
- fix IPv6 prefix regex in f_search, simplify sed pattern in f_report
- readme update

Signed-off-by: Dirk Brenken <dev@brenken.org>

Co-authored-by: Copilot <copilot@github.com>
Signed-off-by: Dirk Brenken <dev@brenken.org>
2026-04-28 20:01:11 +02:00
Dirk Brenken a3082e3069 banip: update 1.8.6-4
* fixed report generation and housekeeping
* added missing code/function comments

Signed-off-by: Dirk Brenken <dev@brenken.org>
2026-04-21 19:29:00 +02:00
Dirk Brenken cfe1ddc693 banip: update 1.8.6-3
* removed unnecessary forks in f_nftinit
* removed unnecessary forks in f_genstatus
* removed unnecessary forks in f_lookup
* removed the needless f_char function
* cosmetics

Signed-off-by: Dirk Brenken <dev@brenken.org>
2026-04-19 19:13:58 +02:00
Dirk Brenken 01c7cf719e banip: update 1.8.6-2
* flock/serialize the etag writing in the f_etag function
* added various variables to local scope
* LuCI: removed needless ACL

Signed-off-by: Dirk Brenken <dev@brenken.org>
2026-04-18 19:07:23 +02:00
Dirk Brenken 420d966267 banip: release 1.8.6-1
* fixed the initialization of the banIP rundir (reported in the forum)
* sanitize possible Windows line endings in local block- and allowlist
* refine the cpu/core detection
* code clean-up/linting

Signed-off-by: Dirk Brenken <dev@brenken.org>
2026-04-16 22:13:33 +02:00
Dirk Brenken 79f2db6cc5 banip: update 1.8.5-2
* fixed two issues in the mail template, reported in the forum
* tweak the f_report function
* changed the f_actual function to reduce subshell calls
* further optimize the monitor function:
  * fixed a possible RDAP rate-limit race condition,
    serialize the rdap_tsfile via flock
  * block_cache bounded growth, when the cache reaches 500
    entries it resets to empty, preventing unbounded string growth
    in the monitor loop
* set the printf format string in single quotes (overall)

Signed-off-by: Dirk Brenken <dev@brenken.org>
2026-04-11 18:43:50 +02:00
Dirk Brenken 9c3470ac4a banip: release 1.8.5-1
* removed needless fork/exec calls (#29010)
* removed needless eval calls
* added parallel country and ASN feed downloads (#29010)
* rework the IP monitor:
  * IP extraction, counting, and threshold detection now run
     entirely inside a single gawk process
  * added dynamic cache management and a three-tier IP deduplication
  * added asynchronous/non-blocking RDAP requests
* hardened the cgi script and mail template
* fixed #28998
* LuCI: added more status information
* LuCI: more fixes & optimizations (e.g. #8486)
* readme update

Co-authored-by: Colin Brown <devs@coralesoft.nz>
Signed-off-by: Dirk Brenken <dev@brenken.org>
2026-04-07 19:32:34 +02:00
Dirk Brenken ef91c84fe6 banip: update 1.8.1-3
* add better input validation to the f_content and f_search functions,
   to compensate for the very limited Wildcard ACL mechanisms in LuCI, see
   https://github.com/openwrt/luci/issues/8435 for reference
* LuCI: add a proper poll mechanism to mitigate Reporting timeouts
  on "Search" and "Refresh", even with big Sets
* LuCI: Refine some ACLs
* LuCI: more fixes & optimizations
* readme update

Signed-off-by: Dirk Brenken <dev@brenken.org>
2026-03-22 16:16:21 +01:00
Dirk Brenken e724274907 banip: release 1.8.1-1
* the debug mode now captures internal error output in a dedicated log file,
  located by default in the banIP base directory as /tmp/ban_error.log
* replaced the non-functional recursive PID tree walk in f_rmpid with
  a correct iterative implementation
* added several IP validator improvements
* fixed a copy-paste error in f_report
* fixed an uninitialized variable in f_actual
* fixed missing token validation in banip.cgi
* various other minor improvements & fixes
* removed abandoned nixspam feed
* LuCI: various fixes & optimizations
* readme update

Signed-off-by: Dirk Brenken <dev@brenken.org>
2026-03-15 18:18:04 +01:00
Dirk Brenken 091ba82c38 banip: update 1.8.0-3
* support the new possible nft expiry options in the backend as well

Signed-off-by: Dirk Brenken <dev@brenken.org>
2026-02-21 11:48:49 +01:00
Dirk Brenken 396c65e670 banip: release 1.8.0-1
* hardened the uci config parsing
* added a fast, flexible & secure IPv4/IPv6 validator function, it eliminates > 99 % of garbage inputs
  Please note: The ‘rule’ in the feed file now only contains parameters for the IP validator;
  details can be found in the readme file. Old custom feed files are not compatible and will be
  backed up/removed via the uci-defaults script
* added BCP38 support: to block packets with spoofed source IP addresses in all supported chains
* optimized the log monitor plus performance improvements
* removed the pallebone feed (discontinued)
* added the ipexdbl feed
* various small improvements
* LuCI: add the BCP38 option under Table/Chain Settings
* LuCI: updating the custom feed editor
* LuCI: small usability improvements
* readme update

Signed-off-by: Dirk Brenken <dev@brenken.org>
2026-01-12 22:59:43 +01:00
Dirk Brenken c47d8b149c banip: release 1.6.0-1
* split block/logging rules (fixed #27990)
* adapt reload functions to support the new split logic
* the banIP status now includes the backend- and the frontend version information
* fixed a config parsing error with non existing dirs (reported in the forum)
* fixed a small reporting issue (reported in the forum)
* added a new public dns feed (by default restricted to outbound, ports 53 and 853)
* added a new gawk dependency due to significant performance gains
* LuCI: no longer call the logread binary, use rpc / the ubus log object instead
* LuCI: various code cleanups
* LuCI: various small usability improvements
* readme update

Signed-off-by: Dirk Brenken <dev@brenken.org>
2025-12-04 20:25:46 +01:00
Dirk Brenken ac1076ef95 banIP: update 1.5.6-7
* skip rdap requests/replies with placeholders for all IPv4/IPv6 addresses
* sanitize possible bogus config values, e.g. '/dev/null' as a directory
* change URL for becyber feed

Signed-off-by: Dirk Brenken <dev@brenken.org>
2025-08-04 20:53:59 +02:00
Dirk Brenken d2599fb6b6 banIP: update 1.5.6-6
* limit nft logging to a rate 10/second to prevent possible log-flooding
* skip external feed processing if "allowlist-only" mode is fully enabled (in in- and outbound)
* remove needless default icmpv6 rule in wan-input
* refine the housekeeping script (uci-defaults)
* readme update

Signed-off-by: Dirk Brenken <dev@brenken.org>
2025-06-28 22:10:34 +02:00
Dirk Brenken 645b0ab137 banIP: update 1.5.6-5
* fixed the restore rc handling
* skip allowlist entries during map creation
* disable the map button by default (only enabled if map & NFT counter are selected)
* disable the content filter checkbox for elements with hits by default (only enabled if NFT counters are selected)
* readme update

Signed-off-by: Dirk Brenken <dev@brenken.org>
2025-06-14 19:47:19 +02:00
Dirk Brenken 7222ac88f0 banIP: update 1.5.6-4
* show the IP plus the packet counter in the modal Set content view (or on the CLI)
* add a filter to show only elements with hits in the modal Set content view (or on the CLI)
* limit the element output with hits to max. 50 per Set on the Set Reporting overview page
* fixed set names suffix in the report output
* fixed the Set content view for MAC based Sets
* display the map even if the HomeIP cannot be determined

Signed-off-by: Dirk Brenken <dev@brenken.org>
2025-06-09 07:01:02 +02:00
Dirk Brenken 5607728fe6 banIP: update 1.5.6-3
* add json reporting cache
* fixed the fetchcmd autodetection
* sanitize json reporting output
* small fixes and improvements

Signed-off-by: Dirk Brenken <dev@brenken.org>
2025-05-31 22:09:49 +02:00
Dirk Brenken 5402f8eea1 banIP: update 1.5.6-2
* add an uci-defaults script for housekeeping and option migration from former versions
* small fixes and improvements

Signed-off-by: Dirk Brenken <dev@brenken.org>
2025-04-29 21:55:55 +02:00
Dirk Brenken 7383b4817b banIP: release 1.5.6-1
* the ETAG function now supports country and asn feeds as well
* fixed becyber URL and other small fixes
* LuCI fixes and improvements (separate commit)

Signed-off-by: Dirk Brenken <dev@brenken.org>
2025-04-11 21:59:31 +02:00
Dirk Brenken 251f58d513 banIP: update 1.5.5-2
* fixed a JSON reporting issue (when the map and NFT counters are disabled)
* optimized the getfetch function call within the reporting function
* removed the stale IPv6 links in the becyber feed
* cosmetics

Signed-off-by: Dirk Brenken <dev@brenken.org>
2025-03-29 17:07:09 +01:00
Dirk Brenken 716e73da56 banIP: release 1.5.5-1
* added a geoIP Map to show home IPs and potential attacker IPs on a leafletjs based map
* significantly improved the reporting performance on multicore hardware
* removed aria2 support (it doesn't support post data requests)
* removed the following outbound feeds due to too many false positives:
   adaway, adguard, adguardtrackers, antipopads, oisdbig, oisdnsfw, oisdsmall, stevenblack and yoyo
* renamed the banIP command "survey" to "content"
* various other small tweaks
* update the readme

Signed-off-by: Dirk Brenken <dev@brenken.org>
2025-03-28 07:57:42 +01:00
Dirk Brenken 764a77acfd banIP: update 1.5.3-3
* fix a race condition in the process scheduler
* sync the banIP country file with ipdeny feed
* refine etag handling with country/asn feeds
* refine logging with country/asn feeds
* refine the banIP status output (incl. LuCI changes)

Signed-off-by: Dirk Brenken <dev@brenken.org>
2025-03-07 13:26:12 +01:00
Dirk Brenken 62a4633e7c banIP: update 1.5.3-2
* fix uci config processing (ban_logterm)
* update the readme

Signed-off-by: Dirk Brenken <dev@brenken.org>
2025-03-03 19:45:11 +01:00
Dirk Brenken d5cd6f3cf2 banIP: release 1.5.3-1
* optimized uci config processing (list options)
* optimized icmp rules in pre-routing (thanks @brada)
* set inbound marker in pre-routing only if inbound logging is enabled (fixes #26044)
* fix corner case in Set removal function
* print chain-, set- and rules-counter in the banIP status
* clean up logging and download queue handling
* update the readme

Signed-off-by: Dirk Brenken <dev@brenken.org>
2025-02-28 16:50:56 +01:00
Dirk Brenken 884876c7e1 banIP: release 1.5.2-1
* add memory measurements:
 - free memory in MB (MemAvailable from /proc/meminfo)
 - script run max. used RAM in MB (VmHWM from /proc/$$/status)
* removed the obsolete (domain) lookup command in init script
* update the readme

Signed-off-by: Dirk Brenken <dev@brenken.org>
2025-02-21 22:08:45 +01:00
Dirk Brenken 4e3d7845fd banIP: release 1.5.1-1
* optimized the f_nftload function
* reduced the prerouting priority to -175
* optimized the output of the f_survey function
* removed a needless fw4 call/check
* no longer skips regular blocklist feeds in "allowlist only" mode
* optimized init checks
* turris feed: enable IPv6 parsing, too (provided by @curbengh)
* update the readme

Signed-off-by: Dirk Brenken <dev@brenken.org>
2025-02-13 21:48:15 +01:00
Dirk Brenken bf2fb994fa banIP: update 1.5.0-6
* fixed the incomplete rule maintenance during banIP reloads
* fixed the Set query function (if the Set counters are disabled)

Signed-off-by: Dirk Brenken <dev@brenken.org>
2025-02-02 22:15:41 +01:00
Dirk Brenken 737c0601cb banip: update 1.5.0-5
* fix a reporting issue with multiple ports/protocols

Signed-off-by: Dirk Brenken <dev@brenken.org>
2025-01-26 19:58:53 +01:00
Juan Orti Alcaine f80fbec40f banip: Block UDP ports for HTTP/3
Block HTTP/3 by including UDP in the feeds that have the 80 443 ports in
their flag.

Signed-off-by: Juan Orti Alcaine <jorti@pm.me>
2025-01-25 19:36:40 +01:00
Dirk Brenken 481215bab0 banIP: update 1.5.0-3
* better logging of nft load errors
* update the readme

Signed-off-by: Dirk Brenken <dev@brenken.org>
2025-01-23 20:11:32 +01:00
Dirk Brenken c4f95cb0f2 banIP: update 1.5.0-2
* fix typo in the log_outbound target
* update the readme

Signed-off-by: Dirk Brenken <dev@brenken.org>
2025-01-19 21:08:47 +01:00
Dirk Brenken 80768dfdae banIP: release 1.5.0-1
* change the chain structure: only two regular chains contain the generated banIP sets.
  “_inbound” covers the base chains WAN-Input and WAN-Forward, ‘_outbound’ covers the base chain LAN-Forward.
* pre-configure the default chains for every feed in the banip.feeds json file, no longer blocks
  selected feeds in all chains by default
* it's now possible to split country and asn Sets by country or asn (disabled by default)
* support Set counters to report easily suspicious IPs per Set (disabled by default)
* make it possible to opt out certain chains from the deduplication process
* the element search now returns all matches (and not only the first one)
* the report engine now includes statistics about the Inbound & Outbound chains and the Set counters (optional)
* save the temp. files of possible nft loading errors in "/tmp/banIP-errors" by default for easier debugging
* various code improvements
* remove ssbl feed (deprecated)
* add two new vpn feeds
* update the readme

Signed-off-by: Dirk Brenken <dev@brenken.org>
2025-01-16 20:10:34 +01:00
Dirk Brenken 3140259fc6 banIP: update 1.0.1-2
* correctly parse json objects with hyphens in the autodetection function

Signed-off-by: Dirk Brenken <dev@brenken.org>
2024-11-26 07:05:24 +01:00
Dirk Brenken 8609a5bbe5 banIP: release 1.0.1-1
* optimized procd settings for better performance
* made the log monitor work again (even on master with apk migration issues)
* reworked the fetch autodetection function (still broken in master due to apk migration)

Signed-off-by: Dirk Brenken <dev@brenken.org>
2024-11-24 15:44:38 +01:00
Dirk Brenken 4f00d8f0ee banIP: update to 1.0.0-10
* minimal fix to support all download utilities in currently broken apk snapshots
  (see https://github.com/openwrt/openwrt/issues/16907 for details)

Signed-off-by: Dirk Brenken <dev@brenken.org>
2024-11-16 12:45:40 +01:00
Dirk Brenken fb19c14696 banIP: update to 1.0.0-9
* fixed gathering/printing of system information in banIP status
* removed broken iblocklist.com feeds
* updated readme

Signed-off-by: Dirk Brenken <dev@brenken.org>
2024-10-26 21:25:20 +02:00
Dirk Brenken 270e6f1264 banIP: update to 1.0.0-8
* supports comments (introduced with a #), for MAC addresses
  in the allow and block list, e.g. 26:5e:a0:6a:9c:da # Test
* added hagezi threat ip feed
* added an adguard logterm to the readme
* removed the broken talos feed

Signed-off-by: Dirk Brenken <dev@brenken.org>
2024-10-11 19:46:16 +02:00
Dirk Brenken aeda25086e banIP: update to 1.0.0-7
* fixed auto allow-/blocklist-issue with IPv6 addresses in CIDR notation
* removed edrop feed from readme (had been removed from feeds for a while)

Signed-off-by: Dirk Brenken <dev@brenken.org>
2024-09-20 10:04:40 +02:00
Dirk Brenken b157e03e80 banip: update 1.0.0-6
* automatic blocking of IP ranges via RDAP request now supports multiple CIDRs
* cosmetics

Signed-off-by: Dirk Brenken <dev@brenken.org>
2024-09-09 21:08:48 +02:00
Dirk Brenken 9968fe6bf7 banip: update 1.0.0-5
* filter crappy IP entries from urlhaus feed

Signed-off-by: Dirk Brenken <dev@brenken.org>
2024-07-14 22:27:07 +02:00
JetVarimax bda55290f4 banip: Correct Mb to MB when referring to RAM in README.md
Signed-off-by: JetVarimax <140423365+JetVarimax@users.noreply.github.com>
2024-07-08 20:21:30 +01:00
Dirk Brenken d17f661aee banip: update 1.0.0-4
* relax the firewall pre-check if fw4 is not running
* replace former stale tor feed source with 'https://www.dan.me.uk/torlist/?exit'
* add openvpn log term/search pattern example to the readme
* the default config now includes only log terms for dropbear and LuCI, all others are optional
* readme update

Signed-off-by: Dirk Brenken <dev@brenken.org>
2024-06-22 10:13:22 +02:00
Dirk Brenken 2cc7cf3ca0 banip: update 1.0.0-3
* fixed a regression in the split Set function (reported in the forum)
* fixed regex for urlhaus feed

Signed-off-by: Dirk Brenken <dev@brenken.org>
2024-06-18 17:04:15 +02:00
Dirk Brenken 059a530329 banip: update 1.0.0-2
* fixed a possible "Argument list too long" error in the f_log function
* fixed multiple, incomplete digit character classes
* fixed/optimized split file handling
* cosmetics

Signed-off-by: Dirk Brenken <dev@brenken.org>
2024-06-16 21:52:10 +02:00
Dirk Brenken cc709768b5 banip: release 1.0
* made sure that the domain lookup always adds the found IPs to the underlying allow-/blocklist-Set
* major readme update

Signed-off-by: Dirk Brenken <dev@brenken.org>
2024-06-08 10:34:09 +02:00
Dirk Brenken 3584187f69 banip: update 0.9.6-3
* fixed concurrent, too high nft loads during feed processing (seen in LuCI frontend)

Signed-off-by: Dirk Brenken <dev@brenken.org>
2024-06-01 16:06:59 +02:00