* bugfix: only load the configuration once per run: a new `ban_confload`
guard short-circuits `f_conf()` on subsequent calls, avoiding
repeated `config_load` invocations
* new: the per-set report now sorts elements by their packet counter in
descending order before truncating to the top 50, so the report
shows the most active elements instead of just the first 50 found
Signed-off-by: Dirk Brenken <dev@brenken.org>
- gated config sanity checks at the end of banip-functions.sh
behind 'ban_action' to skip them on init script sourcing paths (enable/disable/help)
- added a ubus socket guard around f_system to harden against pre-ubus sourcing
- added a 'ban_bver' fallback in f_log for sourcing paths without prior f_system execution
- reordered system utility references before system library sourcing,
so f_log has a valid 'ban_logcmd' available if the library check fails
- minor code improvements and fixes
Signed-off-by: Dirk Brenken <dev@brenken.org>
- optimized pidfile handling in the init file
- small cornercase fixes & improvements
- drop deprecated 'drop' feed (replaced by 'spamhaus' json feed with the same content)
- LuCI: expose the new JSON Lines Format in the feed editor
- readme update
Signed-off-by: Dirk Brenken <dev@brenken.org>
- introduced a shared named nft limit (loglimit) referenced by
all log rules instead of per-rule limits, aligning with kernel printk rate limits
- added new 'ban_logratelimit' and 'ban_logburstlimit' UCI options for tuning
the shared log limit; setting ban_logratelimit=0 disables nft-side rate limiting
entirely (useful for ulogd or other userspace log handlers that bypass printk)
- LuCI: made the new UCI option available (Log Settings)
- readme update
Signed-off-by: Dirk Brenken <dev@brenken.org>
* flock/serialize the etag writing in the f_etag function
* added various variables to local scope
* LuCI: removed needless ACL
Signed-off-by: Dirk Brenken <dev@brenken.org>
* fixed the initialization of the banIP rundir (reported in the forum)
* sanitize possible windows line endings in local block- and allowlist
* refine the cpu/core detection
* code clean-up/linting
Signed-off-by: Dirk Brenken <dev@brenken.org>
* fixed two issues in the mail template, reported in the forum
* tweak the f_report function
* changed the f_actual function to reduce subshell calls
* further optimize the monitor function:
* fixed a possible RDAP rate-limit race condition,
serialize the rdap_tsfile via flock
* block_cache bounded growth, when the cache reaches 500
entries it resets to empty, preventing unbounded string growth
in the monitor loop
* set the printf format string in single quotes (overall)
Signed-off-by: Dirk Brenken <dev@brenken.org>
* removed needless fork/exec calls (#29010)
* removed needless eval calls
* added parallel country and ASN feed downloads (#29010)
* rework the IP monitor:
* IP extraction, counting, and threshold detection now run
entirely inside a single gawk process
* added a dynamic cache management and a three-tier IP deduplication
* added asynchronous/non-blocking RDAP requests
* hardend the cgi script and mail template
* fixed#28998
* LuCI: added more status information
* LuCI: more fixes & optimizations (e.g. #8486)
* readme update
Co-authored-by: Colin Brown <devs@coralesoft.nz>
Signed-off-by: Dirk Brenken <dev@brenken.org>
* add better input validation to the f_content and f_search functions,
to compensate for the very limited Wildcard ACL mechanisms in LuCI, see
https://github.com/openwrt/luci/issues/8435 for reference
* LuCI: add a proper poll mechanism to mitigate Reporting timeouts
on "Search" and "Refresh", even with big Sets
* LuCI: Refine some ACLs
* LuCI: more fixes & optimizations
* readme update
Signed-off-by: Dirk Brenken <dev@brenken.org>
* the debug mode now captures internal error output in a dedicated log file,
located by default in the banIP base directory as /tmp/ban_error.log
* replaced the non-functional recursive PID tree walk in f_rmpid with
a correct iterative implementation
* added several IP validator improvements
* fixed a copy-paste error in f_report
* fixed a uninitialized variable in f_actual
* fixed missing token validation in banip.cgi
* various other minor improvement & fixes
* removed abandoned nixspam feed
* LuCI: various fixes & optimizations
* readme update
Signed-off-by: Dirk Brenken <dev@brenken.org>
* hardened the uci config parsing
* added a fast, flexible & secure IPv4/IPv6 validator function, it eliminates > 99 % of garbage inputs
Please note: The ‘rule’ in the feed file now only contains parameters for the IP validator;
details can be found in the readme file. Old custom feed files are not compatible and will be
backed up/removed via the uci-defaults script
* added BCP38 support: to block packets with spoofed source IP addresses in all supported chains
* optimized the log monitor plus performance improvements
* removed the pallebone feed (discontinued)
* added the ipexdbl feed
* various small improvements
* LuCI: add the BC38 option under Table/Chain Settings
* LuCI: updating the custom feed editor
* LuCI: small usability improvements
* readme update
Signed-off-by: Dirk Brenken <dev@brenken.org>
* split block/logging rules (fixed#27990)
* adapt reload functions to support the new split logic
* the banIP status now includes the backend- and the frontend version information
* fixed a config parsing error with non existing dirs (reported in the forum)
* fixed a small reporting issue (reported in the forum)
* added a new public dns feed (by default restricted to outbound, ports 53 and 853)
* added a new gawk dependency due to significant performance gains
* LuCI: no longer call the logread binary, use rpc / the ubus log object instead
* LuCI: various code cleanups
* LuCI: various small usability improvements
* readme update
Signed-off-by: Dirk Brenken <dev@brenken.org>
* skip rdap requests/replies with placeholders for all IPv4/IPv6 addresses
* sanitize possible bogus config values, e.g. '/dev/null' as a directory
* change URL for beycyber feed
Signed-off-by: Dirk Brenken <dev@brenken.org>
* limit nft logging to a rate 10/second to prevent possible log-flooding
* skip external feed processing if "allowlist-only" mode is fully enabled (in in- and outbound)
* remove needless default icmpv6 rule in wan-input
* refine the housekeeping script (uci-defaults)
* readme update
Signed-off-by: Dirk Brenken <dev@brenken.org>
* fixed the restore rc handling
* skip allowlist entries during map creation
* disable the map button by default (only enabled if map & NFT counter are selected)
* disable the content filter checkbox for elements with hits by default (only enabled if NFT counter are selected)
* readme update
Signed-off-by: Dirk Brenken <dev@brenken.org>
* show the IP plus the packet counter in the modal Set content view (or on the CLI)
* add a filter to show only elements with hits in the modal Set content view (or on the CLI)
* limit the element output with hits to max. 50 per Set on the Set Reporting overview page
* fixed set names suffix in the report output
* fixed the Set content view for MAC based Sets
* display the map even if the HomeIP cannot be determined
Signed-off-by: Dirk Brenken <dev@brenken.org>
* add an uci-defaults script for housekeeping and option migration from former versions
* small fixes and improvements
Signed-off-by: Dirk Brenken <dev@brenken.org>
* the ETAG function now supports country and asn feeds as well
* fixed becyber URL and other small fixes
* LuCI fixes and improvements (separate commit)
Signed-off-by: Dirk Brenken <dev@brenken.org>
* fixed a JSON reporting issue (when the map and NFT counters are disabled)
* optimized the getfetch function call within the reporting function
* removed the stale IPv6 links in the becyber feed
* cosmetics
Signed-off-by: Dirk Brenken <dev@brenken.org>
* added a geoIP Map to show home IPs and potential attacker IPs on a leafletjs based map
* significantly improved the reporting performance on multicore hardware
* removed aria2 support (it doesn't support post data requests)
* removed the following outbound feeds due to too many false positives:
adaway, adguard, adguardtrackers, antipopads, oisdbig, oisdnsfw, oisdsmall, stevenblack and yoyo
* renamed the banIP command "survey" to "content"
* various other small tweaks
* update the readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
* fix a race condition in the process scheduler
* sync the banIP country file with ipdeny feed
* refine etag handling with country/asn feeds
* refine logging with country/asn feeds
* refine the banIP status output (incl. LuCI changes)
Signed-off-by: Dirk Brenken <dev@brenken.org>
* optimized uci config processing (list options)
* optimized icmp rules in pre-routing (thanks @brada)
* set inbound marker in pre-routing only if inbound logging is enabled (fixes#26044)
* fix cornercase in Set removal function
* print chain-, set- and rules-counter in the banIP status
* clean up logging und download queue handling
* update the readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
* add memory measurements:
- free memory in MB (MemAvailable from /proc/meminfo)
- script run max. used RAM in MB (VmHWM from /proc/$$/status)
* removed the obsolete (domain) lookup command in init script
* update the readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
* optimized the f_nftload function
* reduced the prerouting priority to -175
* optimized the output of the f_survey function
* removed a needless fw4 call/check
* no longer skips regular blocklist feeds in "allowlist only" mode
* optimized init checks
* turris feed: enable IPv6 parsing, too (prvided by @curbengh)
* update the readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
* fixed the incomplete rule maintainance during banIP reloads
* fixed the Set query function (if the Set counters are disabled)
Signed-off-by: Dirk Brenken <dev@brenken.org>
* change the chain structure: only two regular chains contain the generated banIP sets.
“_inbound” covers the base chains WAN-Input and WAN-Forward, ‘_outbound’ covers the base chain LAN-Forward.
* pre-configure the default chains for every feed in the banip.feeds json file, no longer blocks
selected feeds in all chains by default
* it's now possible to split country and asn Sets by country or asn (disabled by default)
* support Set counters to report easily suspicious IPs per Set (disabled by default)
* make it possible, to opt out certain chains from the deduplication process
* the element search now returns all matches (and not only the first one)
* the report engine now includes statistics about the Inbound & Outbound chains and the Set counters (optional)
* save the temp. files of possible nft loading errors in "/tmp/banIP-errors" by default for easier debugging
* various code improvements
* remove ssbl feed (deprecated)
* add two new vpn feeds
* update the readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
* optimized procd settings for better performance
* made the log monitor working again (even on master with apk migration issues)
* reworked the fetch autodetection function (still broken in master due to apk migration)
Signed-off-by: Dirk Brenken <dev@brenken.org>
* fixed gathering/printing of system information in banIP status
* removed broken iblocklist.com feeds
* updated readme
Signed-off-by: Dirk Brenken <dev@brenken.org>
* supports comments (introduced with a #), for MAC addresses
in the allow and block list, e.g. 26:5e:a0:6a:9c:da # Test
* added hagezi threat ip feed
* added an adguard logterm to the readme
* removed the broken talos feed
Signed-off-by: Dirk Brenken <dev@brenken.org>
* fixed auto allow-/blocklist-issue with IPv6 addresses in CIDR notation
* removed edrop feed from readme (had been removed from feeds for a while)
Signed-off-by: Dirk Brenken <dev@brenken.org>
* fixed a possible "Argument list too long" error in the f_log function
* fixed multiple, incomplete digit character classes
* fixed/optimized split file handling
* cosmetics
Signed-off-by: Dirk Brenken <dev@brenken.org>
* made sure, that the domain lookup always add the found IPs to the underlying allow-/blocklist-Set
* major readme update
Signed-off-by: Dirk Brenken <dev@brenken.org>
* fix regex for nixspam and sslbl feed
* list the pre-routing limits in the banIP status
* small fixes and log improvements
Signed-off-by: Dirk Brenken <dev@brenken.org>
* fix a processing race condition
* it's now possible to disable the icmp/syn/udp safeguards in pre-routing - set the threshold to '0'.
Signed-off-by: Dirk Brenken <dev@brenken.org>
Dirk Brenken