author | Dirk Brenken <dev@brenken.org> | 2024-05-05 21:57:28 +0200 |
---|---|---|
committer | Dirk Brenken <dev@brenken.org> | 2024-05-05 21:58:13 +0200 |
commit | 083554094b169ad79ce4d4054e227f0829722de7 (patch) | |
tree | 4753d6d42e0cff93e509711d091f000b25125362 | |
parent | 7cdf7b9c1ad1c86e86c0ae11a442a43dff5873ce (diff) |
banip: update 0.9.5-5
* fix a processing race condition
* it's now possible to disable the icmp/syn/udp safeguards in pre-routing by setting the threshold to '0'.
Signed-off-by: Dirk Brenken <dev@brenken.org>
-rw-r--r-- | net/banip/Makefile | 2 | ||||
-rw-r--r-- | net/banip/files/README.md | 6 | ||||
-rw-r--r-- | net/banip/files/banip-functions.sh | 10 | ||||
-rwxr-xr-x | net/banip/files/banip-service.sh | 14 |
4 files changed, 17 insertions, 15 deletions
diff --git a/net/banip/Makefile b/net/banip/Makefile
index 43bf050f1..1a726d824 100644
--- a/net/banip/Makefile
+++ b/net/banip/Makefile
@@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=banip
 PKG_VERSION:=0.9.5 
-PKG_RELEASE:=4 
+PKG_RELEASE:=5
 PKG_LICENSE:=GPL-3.0-or-later
 PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>
diff --git a/net/banip/files/README.md b/net/banip/files/README.md
index 4f4300a01..fef0e9caa 100644
--- a/net/banip/files/README.md
+++ b/net/banip/files/README.md
@@ -154,9 +154,9 @@ Available commands:
 | ban_logreadfile | option | /var/log/messages | alternative location for parsing the log file, e.g. via syslog-ng, to deactivate the standard parsing via logread |
 | ban_autodetect | option | 1 | auto-detect wan interfaces, devices and subnets |
 | ban_debug | option | 0 | enable banIP related debug logging | 
-| ban_icmplimit | option | 10 | treshold in number of packets to detect icmp DDoS in prerouting chain | 
-| ban_synlimit | option | 10 | treshold in number of packets to detect syn DDoS in prerouting chain | 
-| ban_udplimit | option | 100 | treshold in number of packets to detect udp DDoS in prerouting chain | 
+| ban_icmplimit | option | 10 | threshold in number of packets to detect icmp DDoS in prerouting chain. A value of '0' disables this safeguard | 
+| ban_synlimit | option | 10 | threshold in number of packets to detect syn DDoS in prerouting chain. A value of '0' disables this safeguard | 
+| ban_udplimit | option | 100 | threshold in number of packets to detect udp DDoS in prerouting chain. A value of '0' disables this safeguard |
 | ban_logprerouting | option | 0 | log supsicious packets in the prerouting chain |
 | ban_loginput | option | 0 | log supsicious packets in the wan-input chain |
 | ban_logforwardwan | option | 0 | log supsicious packets in the wan-forward chain |
diff --git a/net/banip/files/banip-functions.sh b/net/banip/files/banip-functions.sh
index e9cf87367..be009f428 100644
--- a/net/banip/files/banip-functions.sh 
+++ b/net/banip/files/banip-functions.sh 
@@ -656,10 +656,12 @@ f_nftinit() {
 # printf "%s\n" "add rule inet banIP pre-routing iifname != { ${wan_dev} } counter accept"
 printf "%s\n" "add rule inet banIP pre-routing ct state invalid ${log_ct} counter name cnt-ctinvalid drop" 
- printf "%s\n" "add rule inet banIP pre-routing ip protocol icmp limit rate over ${ban_icmplimit}/second ${log_icmp} counter name cnt-icmpflood drop" 
- printf "%s\n" "add rule inet banIP pre-routing ip6 nexthdr icmpv6 limit rate over ${ban_icmplimit}/second ${log_icmp} counter name cnt-icmpflood drop" 
- printf "%s\n" "add rule inet banIP pre-routing meta l4proto udp ct state new limit rate over ${ban_udplimit}/second ${log_udp} counter name cnt-udpflood drop" 
- printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|ack) == syn limit rate over ${ban_synlimit}/second ${log_syn} counter name cnt-synflood drop" 
+ if [ "${ban_icmplimit}" -gt "0" ]; then 
+ printf "%s\n" "add rule inet banIP pre-routing ip protocol icmp limit rate over ${ban_icmplimit}/second ${log_icmp} counter name cnt-icmpflood drop" 
+ printf "%s\n" "add rule inet banIP pre-routing ip6 nexthdr icmpv6 limit rate over ${ban_icmplimit}/second ${log_icmp} counter name cnt-icmpflood drop" 
+ fi 
+ [ "${ban_udplimit}" -gt "0" ] && printf "%s\n" "add rule inet banIP pre-routing meta l4proto udp ct state new limit rate over ${ban_udplimit}/second ${log_udp} counter name cnt-udpflood drop" 
+ [ "${ban_synlimit}" -gt "0" ] && printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|ack) == syn limit rate over ${ban_synlimit}/second ${log_syn} counter name cnt-synflood drop"
 printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn) == (fin|syn) ${log_tcp} counter name cnt-tcpinvalid drop"
 printf "%s\n" "add rule inet banIP pre-routing tcp flags & (syn|rst) == (syn|rst) ${log_tcp} counter name cnt-tcpinvalid drop"
 printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) ${log_tcp} counter name cnt-tcpinvalid 
drop"
diff --git a/net/banip/files/banip-service.sh b/net/banip/files/banip-service.sh
index fac3f15f4..f13d605a7 100755
--- a/net/banip/files/banip-service.sh
+++ b/net/banip/files/banip-service.sh
@@ -150,14 +150,14 @@ wait
 # end processing
 # 
-if [ "${ban_mailnotification}" = "1" ] && [ -n "${ban_mailreceiver}" ] && [ -x "${ban_mailcmd}" ]; then 
- ( 
- sleep 5 
+( 
+ sleep 5 
+ if [ "${ban_mailnotification}" = "1" ] && [ -n "${ban_mailreceiver}" ] && [ -x "${ban_mailcmd}" ]; then
 f_mail 
- ) & 
-fi 
-json_cleanup 
-rm -rf "${ban_lock}" 
+ fi 
+ json_cleanup 
+ rm -rf "${ban_lock}" 
+) &
 # start detached log service (infinite loop)
 # |
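Review bot: The new `[ "${ban_icmplimit}" -gt "0" ]` guard fails open: when the option is empty or not an integer, `[` reports an integer-expression error and returns non-zero, so both icmp flood rules are silently left out of the pre-routing chain — the same effect as an explicit '0', but without the operator having chosen it — and the udp and syn one-liners that follow behave the same way. Unless the config loader (outside this hunk) already guarantees a numeric value, I would validate before the comparison, e.g. `case "${ban_icmplimit}" in ''|*[!0-9]*) ban_icmplimit="10" ;; esac` with the README's documented default, or at least log the rejected value so a typo in the config does not quietly remove a flood safeguard. The `if` block for icmp and the `[ … ] && printf` form for udp/syn express the same check two ways; one style for all three would read better. The body of f_nftinit starts and ends outside this hunk.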
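Review bot: `sleep 5` now runs unconditionally in the detached subshell, so `json_cleanup` and `rm -rf "${ban_lock}"` are delayed by five seconds even when mail notification is disabled, and they run in a background job whose exit status is never collected (no `wait` is visible in the hunk). If the delay only serves the mail path, move `sleep 5` inside the `if` branch; if it is part of the race fix named in the commit message, a comment such as `# hold the lock until the preceding jobs have settled before cleaning up` would record why the lock is released late. Either way, readers should be aware that `${ban_lock}` can still exist for a few seconds after the main processing has finished; whether anything polls the lock in that window is not visible here. This code sits at the script's top level, not inside a function.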