author | Dirk Brenken <dev@brenken.org> | 2023-05-04 22:40:48 +0200 |
---|---|---|
committer | Dirk Brenken <dev@brenken.org> | 2023-05-04 22:40:48 +0200 |
commit | 7e70de77d089e94e80a3ae71b60ec87ec31be1ac (patch) | |
tree | ff965db4ddb5dd07da4a2de51cf6a504db4cba95 | |
parent | 97d6c8bf77a3fdb3e252fefaff7ad8584d2e2b1c (diff) |
banip: update 0.8.4-5
* fix remaining small issues
* standardize log wording
* polished up for branch 23.x
Signed-off-by: Dirk Brenken <dev@brenken.org>
-rw-r--r-- | net/banip/Makefile | 10 | ||||
-rw-r--r-- | net/banip/files/README.md | 46 | ||||
-rw-r--r-- | net/banip/files/banip-functions.sh | 89 | ||||
-rwxr-xr-x | net/banip/files/banip-service.sh | 21 | ||||
-rwxr-xr-x | net/banip/files/banip.init | 10 | ||||
-rw-r--r-- | net/banip/files/banip.tpl | 4 |
6 files changed, 87 insertions, 93 deletions
diff --git a/net/banip/Makefile b/net/banip/Makefile
index bb736d3bf..e29e10eaf 100644
--- a/net/banip/Makefile
+++ b/net/banip/Makefile
@@ -1,14 +1,12 @@
-#
-# banIP - ban incoming and outgoing ip addresses/subnets via Sets in nftables
+# banIP - ban incoming and outgoing IPs via named nftables Sets
 # Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org)
 # This is free software, licensed under the GNU General Public License v3.
-#
 include $(TOPDIR)/rules.mk
 PKG_NAME:=banip
 PKG_VERSION:=0.8.4
-PKG_RELEASE:=4
+PKG_RELEASE:=5
 PKG_LICENSE:=GPL-3.0-or-later
 PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>
@@ -17,13 +15,13 @@ include $(INCLUDE_DIR)/package.mk
 define Package/banip
   SECTION:=net
   CATEGORY:=Network
-  TITLE:=banIP blocks IP addresses via named nftables sets
+  TITLE:=banIP blocks IPs via named nftables Sets
   DEPENDS:=+jshn +jsonfilter +firewall4 +ca-bundle +logd +rpcd +rpcd-mod-rpcsys
   PKGARCH:=all
 endef
 define Package/banip/description
-banIP blocks IP addresses via named nftables Sets.
+banIP blocks IPs via named nftables Sets.
 banIP supports many IP blocklist feeds and provides a log service to block suspicious IPs in realtime.
 Please see https://github.com/openwrt/packages/blob/master/net/banip/files/README.md for further information.
diff --git a/net/banip/files/README.md b/net/banip/files/README.md
index 803e4a931..0a91b8290 100644
--- a/net/banip/files/README.md
+++ b/net/banip/files/README.md
@@ -1,9 +1,9 @@
 <!-- markdownlint-disable -->
-# banIP - ban incoming and outgoing IP addresses/subnets via sets in nftables
+# banIP - ban incoming and outgoing IP addresses/subnets via Sets in nftables
 ## Description
-IP address blocking is commonly used to protect against brute force attacks, prevent disruptive or unauthorized address(es) from access or it can be used to restrict access to or from a particular geographic area — for example. Further more banIP scans the log file via logread and bans IP addresses that make too many password failures, e.g. via ssh.
+IP address blocking is commonly used to protect against brute force attacks, prevent disruptive or unauthorized address(es) from access or it can be used to restrict access to or from a particular geographic area — for example. Further more banIP scans the log file via logread and bans IPs that make too many password failures, e.g. via ssh.
 ## Main Features
 * banIP supports the following fully pre-configured domain blocklist feeds (free for private usage, for commercial use please check their individual licenses).
@@ -57,9 +57,9 @@ IP address blocking is commonly used to protect against brute force attacks, pre
 | yoyo | yoyo IPs | | | x | [Link](https://github.com/dibdot/banIP-IP-blocklists) |
 * Zero-conf like automatic installation & setup, usually no manual changes needed
-* All sets are handled in a separate nft table/namespace 'banIP'
+* All Sets are handled in a separate nft table/namespace 'banIP'
 * Full IPv4 and IPv6 support
-* Supports nft atomic set loading
+* Supports nft atomic Set loading
 * Supports blocking by ASN numbers and by iso country codes
 * Supports local allow- and blocklist (IPv4, IPv6, CIDR notation or domain names)
 * Auto-add the uplink subnet to the local allowlist
@@ -70,10 +70,10 @@ IP address blocking is commonly used to protect against brute force attacks, pre
 * Automatic blocklist backup & restore, the backups will be used in case of download errors or during startup
 * Automatically selects one of the following download utilities with ssl support: aria2c, curl, uclient-fetch or wget
 * Supports an 'allowlist only' mode, this option restricts internet access from/to a small number of secure websites/IPs
-* Deduplicate IPs accross all sets (single IPs only, no intervals)
+* Deduplicate IPs accross all Sets (single IPs only, no intervals)
 * Provides comprehensive runtime information
-* Provides a detailed set report
-* Provides a set search engine for certain IPs
+* Provides a detailed Set report
+* Provides a Set search engine for certain IPs
 * Feed parsing by fast & flexible regex rulesets
 * Minimal status & error logging to syslog, enable debug logging to receive more output
 * Procd based init system support (start/stop/restart/reload/status/report/search/survey/lookup)
@@ -112,9 +112,9 @@ Available commands:
 enable Enable service autostart
 disable Disable service autostart
 enabled Check if service is started on boot
- report [text|json|mail] Print banIP related set statistics
- search [<IPv4 address>|<IPv6 address>] Check if an element exists in a banIP set
- survey [<set name>] List all elements of a given banIP set
+ report [text|json|mail] Print banIP related Set statistics
+ search [<IPv4 address>|<IPv6 address>] Check if an element exists in a banIP Set
+ survey [<Set name>] List all elements of a given banIP Set
 lookup Lookup the IPs of domain names in the local lists and update them
 running Check if service is running
 status Service status
@@ -129,7 +129,7 @@ Available commands:
 | ban_enabled | option | 0 | enable the banIP service |
 | ban_nicelimit | option | 0 | ulimit nice level of the banIP service (range 0-19) |
 | ban_filelimit | option | 1024 | ulimit max open/number of files (range 1024-4096) |
-| ban_loglimit | option | 100 | scan only the last n log entries permanently. Set it to '0' to disable the monitor |
+| ban_loglimit | option | 100 | scan only the last n log entries permanently. A value of '0' disables the monitor |
 | ban_logcount | option | 1 | how many times the IP must appear in the log to be considered as suspicious |
 | ban_logterm | list | regex | various regex for logfile parsing (default: dropbear, sshd, luci, nginx, asterisk) |
 | ban_autodetect | option | 1 | auto-detect wan interfaces, devices and subnets |
@@ -152,12 +152,12 @@ Available commands:
 | ban_trigger | list | - | logical startup trigger interface(s), e.g. 'wan' |
 | ban_triggerdelay | option | 10 | trigger timeout before banIP processing begins |
 | ban_triggeraction | option | start | trigger action on ifup events, e.g. start, restart or reload |
-| ban_deduplicate | option | 1 | deduplicate IP addresses across all active sets |
-| ban_splitsize | option | 0 | split ext. sets after every n lines/members (saves RAM) |
+| ban_deduplicate | option | 1 | deduplicate IP addresses across all active Sets |
+| ban_splitsize | option | 0 | split ext. Sets after every n lines/members (saves RAM) |
 | ban_cores | option | - / autodetect | limit the cpu cores used by banIP (saves RAM) |
 | ban_nftloglevel | option | warn | nft loglevel, values: emerg, alert, crit, err, warn, notice, info, debug |
 | ban_nftpriority | option | -200 | nft priority for the banIP table (default is the prerouting table priority) |
-| ban_nftpolicy | option | memory | nft policy for banIP-related sets, values: memory, performance |
+| ban_nftpolicy | option | memory | nft policy for banIP-related Sets, values: memory, performance |
 | ban_nftexpiry | option | - | expiry time for auto added blocklist members, e.g. '5m', '2h' or '1d' |
 | ban_feed | list | - | external download feeds, e.g. 'yoyo', 'doh', 'country' or 'talos' (see feed table) |
 | ban_asn | list | - | ASNs for the 'asn' feed, e.g.'32934' |
@@ -174,7 +174,7 @@ Available commands:
 | ban_mailtopic | option | banIP notification | topic for banIP related notification E-Mails |
 | ban_mailprofile | option | ban_notify | mail profile used in 'msmtp' for banIP related notification E-Mails |
 | ban_mailnotification | option | 0 | receive E-Mail notifications with every banIP run |
-| ban_reportelements | option | 1 | list set elements in the report, disable this to speed up the report significantly |
+| ban_reportelements | option | 1 | count Set elements in the report, disable this option to speed up the report significantly |
 | ban_resolver | option | - | external resolver used for DNS lookups |
 ## Examples
@@ -230,11 +230,11 @@ Available commands:
 ~# /etc/init.d/banip status
 ::: banIP runtime information
 + status : active (nft: ✔, monitor: ✔)
- + version : 0.8.3-1
+ + version : 0.8.5-1
 + element_count : 281161
 + active_feeds : allowlistvMAC, allowlistv6, allowlistv4, adawayv4, adguardtrackersv4, adawayv6, adguardv6, adguardv4, adguardtrackersv6, antipopadsv6, antipopadsv4, cinsscorev4, deblv4, countryv6, countryv4, deblv6, dohv4, dohv6, iblockadsv4, firehol1v4, oisdbigv4, yoyov6, threatviewv4, yoyov4, oisdbigv6, blocklistvMAC, blocklistv4, blocklistv6
 + active_devices : br-wan ::: wan, wan6
- + active_subnets : 91.64.169.252/24, 2a02:710c:0:60:958b:3bd0:9e14:abb/128
+ + active_uplink : 91.64.169.252/24, 2a02:710c:0:60:958b:3bd0:9e14:abb/128
 + nft_info : priority: -200, policy: memory, loglevel: warn, expiry: -
 + run_info : base: /mnt/data/banIP, backup: /mnt/data/banIP/backup, report: /mnt/data/banIP/report, feed: /etc/banip/banip.feeds
 + run_flags : auto: ✔, proto (4/6): ✔/✔, log (wan-inp/wan-fwd/lan-fwd): ✔/✔/✔, dedup: ✔, split: ✘, allowed only: ✘
@@ -259,7 +259,7 @@ Available commands:
 :::
 ::: banIP Survey
 :::
- List the elements of Set 'cinsscorev4' on 2023-03-06 14:07:58
+ List of elements in the Set 'cinsscorev4' on 2023-03-06 14:07:58
 ---
 1.10.187.179
 1.10.203.30
@@ -291,7 +291,7 @@ list ban_logterm 'SecurityEvent=\"InvalidAccountID\".*RemoteAddress='
 banIP supports local allow and block lists (IPv4, IPv6, CIDR notation or domain names), located in /etc/banip/banip.allowlist and /etc/banip/banip.blocklist. Unsuccessful login attempts or suspicious requests will be tracked and added to the local blocklist (see the 'ban\_autoblocklist' option). The blocklist behaviour can be further tweaked with the 'ban\_nftexpiry' option. Furthermore the uplink subnet will be added to local allowlist (see 'ban\_autoallowlist' option).
-Both lists also accept domain names as input to allow IP filtering based on these names. The corresponding IPs (IPv4 & IPv6) will be extracted and added to the sets. You can also start the domain lookup separately via /etc/init.d/banip lookup at any time.
+Both lists also accept domain names as input to allow IP filtering based on these names. The corresponding IPs (IPv4 & IPv6) will be extracted and added to the Sets. You can also start the domain lookup separately via /etc/init.d/banip lookup at any time.
 **allowlist-only mode**
 banIP supports an "allowlist only" mode. This option restricts the internet access from/to a small number of secure websites/IPs, and block access from/to the rest of the internet. All IPs and Domains which are _not_ listed in the allowlist are blocked.
@@ -307,12 +307,12 @@ For a regular, automatic status mailing and update of the used lists on a daily
 ```
 **tweaks for low memory systems**
-nftables supports the atomic loading of rules/sets/members, which is cool but unfortunately is also very memory intensive. To reduce the memory pressure on low memory systems (i.e. those with 256-512Mb RAM), you should optimize your configuration with the following options:
+nftables supports the atomic loading of firewall rules (incl. elements), which is cool but unfortunately is also very memory intensive. To reduce the memory pressure on low memory systems (i.e. those with 256-512Mb RAM), you should optimize your configuration with the following options:
   * point 'ban_basedir', 'ban_reportdir' and 'ban_backupdir' to an external usb drive
   * set 'ban_cores' to '1' (only useful on a multicore system) to force sequential feed processing
-  * set 'ban_splitsize' e.g. to '1000' to split the load of an external set after every 1000 lines/members
-  * set 'ban_reportelements' to '0' to disable the CPU intensive counting of set elements
+  * set 'ban_splitsize' e.g. to '1000' to split the load of an external Set after every 1000 lines/members
+  * set 'ban_reportelements' to '0' to disable the CPU intensive counting of Set elements
 **tweak the download options**
 By default banIP uses the following pre-configured download options:
@@ -350,7 +350,7 @@ The banIP default blocklist feeds are stored in an external JSON file '/etc/bani
 A valid JSON source object contains the following information, e.g.:
 ```
 [...]
-	"tor": {
+	"tor":{
 		"url_4": "https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst",
 		"url_6": "https://raw.githubusercontent.com/SecOps-Institute/Tor-IP-Addresses/master/tor-exit-nodes.lst",
 		"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)$/{printf \"%s,\\n\",$1}",
diff --git a/net/banip/files/banip-functions.sh b/net/banip/files/banip-functions.sh
index fc54dc3d2..7e882f244 100644
--- a/net/banip/files/banip-functions.sh
+++ b/net/banip/files/banip-functions.sh
@@ -1,4 +1,4 @@
-# banIP shared function library/include
+# banIP shared function library/include - ban incoming and outgoing IPs via named nftables Sets
 # Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org)
 # This is free software, licensed under the GNU General Public License v3.
@@ -107,7 +107,7 @@ f_mkdir() {
 	if [ ! -d "${dir}" ]; then
 		rm -f "${dir}"
 		mkdir -p "${dir}"
-		f_log "debug" "f_mkdir ::: created directory: ${dir}"
+		f_log "debug" "f_mkdir ::: directory: ${dir}"
 	fi
 }
@@ -118,7 +118,7 @@ f_mkfile() {
 	if [ ! -f "${file}" ]; then
 		: >"${file}"
-		f_log "debug" "f_mkfile ::: created file: ${file}"
+		f_log "debug" "f_mkfile ::: file: ${file}"
 	fi
 }
@@ -139,7 +139,7 @@ f_rmdir() {
 	if [ -d "${dir}" ]; then
 		rm -rf "${dir}"
-		f_log "debug" "f_rmdir ::: deleted directory: ${dir}"
+		f_log "debug" "f_rmdir ::: directory: ${dir}"
 	fi
 }
@@ -253,7 +253,7 @@ f_fetch() {
 	if [ -z "${ban_fetchcmd}" ] || [ ! -x "${ban_fetchcmd}" ]; then
 		packages="$(${ban_ubuscmd} -S call rpc-sys packagelist '{ "all": true }' 2>/dev/null)"
-		[ -z "${packages}" ] && f_log "err" "local package repository is not available, please set the download utility 'ban_fetchcmd' manually"
+		[ -z "${packages}" ] && f_log "err" "no local package repository"
 		utils="aria2c curl wget uclient-fetch"
 		for item in ${utils}; do
 			if { [ "${item}" = "uclient-fetch" ] && printf "%s" "${packages}" | "${ban_grepcmd}" -q '"libustream-'; } ||
@@ -268,7 +268,7 @@ f_fetch() {
 			fi
 		done
 	fi
-	[ ! -x "${ban_fetchcmd}" ] && f_log "err" "download utility with SSL support not found"
+	[ ! -x "${ban_fetchcmd}" ] && f_log "err" "no download utility with SSL support"
 	case "${ban_fetchcmd##*/}" in
 		"aria2c")
 			[ "${ban_fetchinsecure}" = "1" ] && insecure="--check-certificate=false"
@@ -288,7 +288,7 @@ f_fetch() {
 		;;
 	esac
-	f_log "debug" "f_fetch ::: fetch_cmd: ${ban_fetchcmd:-"-"}, fetch_parm: ${ban_fetchparm:-"-"}"
+	f_log "debug" "f_fetch ::: cmd: ${ban_fetchcmd:-"-"}, parm: ${ban_fetchparm:-"-"}"
 }
 # remove logservice
@@ -336,7 +336,7 @@ f_getif() {
 					ban_ifv4="${iface}"
 					uci_set banip global ban_protov4 "1"
 					uci_add_list banip global ban_ifv4 "${iface}"
-					f_log "info" "added IPv4 interface '${iface}' to config"
+					f_log "info" "add IPv4 interface '${iface}' to config"
 				fi
 			fi
 			if [ -z "${ban_ifv6}" ]; then
@@ -347,7 +347,7 @@ f_getif() {
 					ban_ifv6="${iface}"
 					uci_set banip global ban_protov6 "1"
 					uci_add_list banip global ban_ifv6 "${iface}"
-					f_log "info" "added IPv6 interface '${iface}' to config"
+					f_log "info" "add IPv6 interface '${iface}' to config"
 				fi
 			fi
 		fi
@@ -359,11 +359,11 @@ f_getif() {
 		ban_ifv6="${ban_ifv6%%?}"
 		for iface in ${ban_ifv4} ${ban_ifv6}; do
 			if ! "${ban_ubuscmd}" -t 10 wait_for network.interface."${iface}" >/dev/null 2>&1; then
-				f_log "err" "wan interface '${iface}' is not available, please check your configuration"
+				f_log "err" "no wan interface '${iface}'"
 			fi
 		done
 	fi
-	[ -z "${ban_ifv4}" ] && [ -z "${ban_ifv6}" ] && f_log "err" "wan interfaces not found, please check your configuration"
+	[ -z "${ban_ifv4}" ] && [ -z "${ban_ifv6}" ] && f_log "err" "no wan interfaces"
 	f_log "debug" "f_getif ::: auto/update: ${ban_autodetect}/${update}, interfaces (4/6): ${ban_ifv4}/${ban_ifv6}, protocols (4/6): ${ban_protov4}/${ban_protov6}"
 }
@@ -385,7 +385,7 @@ f_getdev() {
 			if ! printf " %s " "${ban_dev}" | "${ban_grepcmd}" -q " ${dev} "; then
 				ban_dev="${ban_dev}${dev} "
 				uci_add_list banip global ban_dev "${dev}"
-				f_log "info" "added device '${dev}' to config"
+				f_log "info" "add device '${dev}' to config"
 			fi
 		fi
 	done
@@ -398,7 +398,7 @@ f_getdev() {
 		uci_commit "banip"
 	fi
 	ban_dev="${ban_dev%%?}"
-	[ -z "${ban_dev}" ] && f_log "err" "wan devices not found, please check your configuration"
+	[ -z "${ban_dev}" ] && f_log "err" "no wan devices"
 	f_log "debug" "f_getdev ::: auto/update: ${ban_autodetect}/${update}, devices: ${ban_dev}, cnt: ${cnt}"
 }
@@ -429,12 +429,12 @@ f_getuplink() {
 		fi
 	done
 	for ip in ${ban_uplink}; do
-		if ! "${ban_grepcmd}" -q "${ip}" "${ban_allowlist}"; then
+		if ! "${ban_grepcmd}" -q "${ip} " "${ban_allowlist}"; then
 			if [ "${update}" = "0" ]; then
 				"${ban_sedcmd}" -i '/# uplink added on /d' "${ban_allowlist}"
 			fi
 			printf "%-42s%s\n" "${ip}" "# uplink added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_allowlist}"
-			f_log "info" "added uplink '${ip}' to local allowlist"
+			f_log "info" "add uplink '${ip}' to local allowlist"
 			update="1"
 		fi
 	done
@@ -453,17 +453,17 @@ f_getfeed() {
 	json_init
 	if [ -s "${ban_customfeedfile}" ]; then
 		if ! json_load_file "${ban_customfeedfile}" >/dev/null 2>&1; then
-			f_log "info" "banIP custom feed file can't be loaded"
+			f_log "info" "can't load banIP custom feed file"
 			if ! json_load_file "${ban_feedfile}" >/dev/null 2>&1; then
-				f_log "err" "banIP feed file can't be loaded"
+				f_log "err" "can't load banIP feed file"
 			fi
 		fi
 	elif ! json_load_file "${ban_feedfile}" >/dev/null 2>&1; then
-		f_log "err" "banIP feed file can't be loaded"
+		f_log "err" "can't load banIP feed file"
 	fi
 }
-# get set elements
+# get Set elements
 #
 f_getelements() {
 	local file="${1}"
@@ -751,10 +751,10 @@ f_down() {
 		feed_rc="${?}"
 	fi
-	# build nft file with set and rules for regular downloads
+	# build nft file with Sets and rules for regular downloads
 	#
 	if [ "${feed_rc}" = "0" ] && [ ! -s "${tmp_nft}" ]; then
-		# deduplicate sets
+		# deduplicate Sets
 		#
 		if [ "${ban_deduplicate}" = "1" ] && [ "${feed_url}" != "local" ]; then
 			"${ban_awkcmd}" "${feed_rule}" "${tmp_load}" 2>/dev/null >"${tmp_raw}"
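Review bot: The new `"${ip} "` pattern in f_getuplink still matches anywhere in the line and is interpreted as a regular expression, so an uplink such as `10.1.1.1` is treated as already present when only `110.1.1.1` is listed, and every `.` in the address matches any character. The entries this function writes with `printf "%-42s%s\n"` always start at column 0, so anchoring the pattern closes the prefix case: `if ! "${ban_grepcmd}" -q "^${ip} " "${ban_allowlist}"; then`. The dots stay wildcards after that; if an exact match matters, escape them before the grep (e.g. via sed) rather than relying on the trailing space. f_getuplink starts outside the hunk, so how `ban_uplink` is populated is not visible here.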
@@ -763,13 +763,13 @@ f_down() {
 				"${ban_awkcmd}" "${feed_rule}" "${tmp_load}" 2>/dev/null >"${tmp_split}"
 			fi
 			feed_rc="${?}"
-			# split sets
+			# split Sets
 			#
 			if [ "${feed_rc}" = "0" ]; then
 				if [ -n "${ban_splitsize//[![:digit]]/}" ] && [ "${ban_splitsize//[![:digit]]/}" -gt "0" ]; then
 					if ! "${ban_awkcmd}" "NR%${ban_splitsize//[![:digit]]/}==1{file=\"${tmp_file}.\"++i;}{ORS=\" \";print > file}" "${tmp_split}" 2>/dev/null; then
 						rm -f "${tmp_file}".*
-						f_log "info" "failed to split '${feed}' Set to size '${ban_splitsize//[![:digit]]/}'"
+						f_log "info" "can't split Set '${feed}' to size '${ban_splitsize//[![:digit]]/}'"
 					fi
 				else
 					"${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}.1"
@@ -779,7 +779,7 @@ f_down() {
 		rm -f "${tmp_raw}" "${tmp_load}"
 		if [ "${feed_rc}" = "0" ] && [ "${proto}" = "4" ]; then
 			{
-				# nft header (IPv4 set)
+				# nft header (IPv4 Set)
 				#
 				printf "%s\n\n" "#!/usr/sbin/nft -f"
 				[ -s "${tmp_flush}" ] && cat "${tmp_flush}"
@@ -793,7 +793,7 @@ f_down() {
 			} >"${tmp_nft}"
 		elif [ "${feed_rc}" = "0" ] && [ "${proto}" = "6" ]; then
 			{
-				# nft header (IPv6 set)
+				# nft header (IPv6 Set)
 				#
 				printf "%s\n\n" "#!/usr/sbin/nft -f"
 				[ -s "${tmp_flush}" ] && cat "${tmp_flush}"
@@ -815,6 +815,7 @@ f_down() {
 		if [ "${cnt_dl:-"0"}" -gt "0" ] || [ "${feed_url}" = "local" ] || [ "${feed%v*}" = "allowlist" ] || [ "${feed%v*}" = "blocklist" ]; then
 			feed_log="$("${ban_nftcmd}" -f "${tmp_nft}" 2>&1)"
 			feed_rc="${?}"
+
 			# load additional split files
 			#
 			if [ "${feed_rc}" = "0" ]; then
@@ -825,7 +826,7 @@ f_down() {
 					continue
 				fi
 				if ! "${ban_nftcmd}" add element inet banIP "${feed}" "{ $(cat "${split_file}") }" >/dev/null 2>&1; then
-					f_log "info" "failed to add split file '${split_file##*.}' to '${feed}' Set"
+					f_log "info" "can't add split file '${split_file##*.}' to Set '${feed}'"
 				fi
 				rm -f "${split_file}"
 			done
@@ -834,7 +835,7 @@ f_down() {
 				fi
 			fi
 		else
-			f_log "info" "empty feed '${feed}' will be skipped"
+			f_log "info" "skip empty feed '${feed}'"
 		fi
 	fi
 	rm -f "${tmp_split}" "${tmp_nft}"
@@ -871,7 +872,7 @@ f_restore() {
 	return ${restore_rc}
 }
-# remove disabled feeds
+# remove disabled Sets
 #
 f_rmset() {
 	local feedlist tmp_del ruleset_raw item table_sets handle del_set feed_log feed_rc
@@ -1068,12 +1069,12 @@ f_lookup() {
 	done
 	if [ -n "${elementsv4}" ]; then
 		if ! "${ban_nftcmd}" add element inet banIP "${feed}v4" "{ ${elementsv4} }" >/dev/null 2>&1; then
-			f_log "info" "failed to add lookup file to '${feed}v4' Set"
+			f_log "info" "can't add lookup file to Set '${feed}v4'"
 		fi
 	fi
 	if [ -n "${elementsv6}" ]; then
 		if ! "${ban_nftcmd}" add element inet banIP "${feed}v6" "{ ${elementsv6} }" >/dev/null 2>&1; then
-			f_log "info" "failed to add lookup file to '${feed}v6' Set"
+			f_log "info" "can't add lookup file to Set '${feed}v6'"
 		fi
 	fi
 	end_time="$(date "+%s")"
@@ -1245,7 +1246,7 @@ f_report() {
 	rm -f "${report_txt}"
 }
-# set search
+# Set search
 #
 f_search() {
 	local item table_sets ip proto hold cnt result_flag="/var/run/banIP.search" input="${1}"
@@ -1287,7 +1288,7 @@ f_search() {
 	printf "  %s\n" "IP not found"
 }
-# set survey
+# Set survey
 #
 f_survey() {
 	local set_elements input="${1}"
@@ -1298,12 +1299,12 @@ f_survey() {
 	fi
 	set_elements="$("${ban_nftcmd}" -j list set inet banIP "${input}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]')"
 	printf "%s\n%s\n%s\n" ":::" "::: banIP Survey" ":::"
-	printf "  %s\n" "List the elements of Set '${input}' on $(date "+%Y-%m-%d %H:%M:%S")"
+	printf "  %s\n" "List of elements in the Set '${input}' on $(date "+%Y-%m-%d %H:%M:%S")"
 	printf "  %s\n" "---"
-	[ -n "${set_elements}" ] && printf "%s\n" "${set_elements}" || printf "  %s\n" "empty set"
+	[ -n "${set_elements}" ] && printf "%s\n" "${set_elements}" || printf "  %s\n" "empty Set"
 }
-# send status mails
+# send status mail
 #
 f_mail() {
 	local msmtp_debug
@@ -1313,19 +1314,16 @@ f_mail() {
 	if [ -r "${ban_mailtemplate}" ]; then
 		. "${ban_mailtemplate}"
 	else
-		f_log "info" "the mail template is missing"
+		f_log "info" "no mail template"
 	fi
-	[ -z "${mail_text}" ] && f_log "info" "the 'mail_text' template variable is empty"
+	[ -z "${mail_text}" ] && f_log "info" "no mail content"
 	[ "${ban_debug}" = "1" ] && msmtp_debug="--debug"
 	# send mail
 	#
 	ban_mailhead="From: ${ban_mailsender}\nTo: ${ban_mailreceiver}\nSubject: ${ban_mailtopic}\nReply-to: ${ban_mailsender}\nMime-Version: 1.0\nContent-Type: text/html;charset=utf-8\nContent-Disposition: inline\n\n"
-	if printf "%b" "${ban_mailhead}${mail_text}" | "${ban_mailcmd}" --timeout=10 ${msmtp_debug} -a "${ban_mailprofile}" "${ban_mailreceiver}" >/dev/null 2>&1; then
-		f_log "info" "status mail was sent successfully"
-	else
-		f_log "info" "failed to send status mail (${?})"
-	fi
+	printf "%b" "${ban_mailhead}${mail_text}" | "${ban_mailcmd}" --timeout=10 ${msmtp_debug} -a "${ban_mailprofile}" "${ban_mailreceiver}" >/dev/null 2>&1
+	f_log "info" "send status mail (${?})"
 	f_log "debug" "f_mail ::: notification: ${ban_mailnotification}, template: ${ban_mailtemplate}, profile: ${ban_mailprofile}, receiver: ${ban_mailreceiver}, rc: ${?}"
 }
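Review bot: The collapsed send path logs `send status mail (${?})`, which records msmtp's exit status but reads the same for success and failure, and the debug line that follows reports `rc: ${?}`, which at that point is the status of the preceding `f_log` call rather than of the mail pipeline. Capture the status once, `mail_rc="${?}"` directly after the `printf "%b" ... | "${ban_mailcmd}" ...` line, then use it in both messages, e.g. `f_log "info" "send status mail (${mail_rc})"` and `rc: ${mail_rc}` in the debug line, and add `mail_rc` to the function's `local` list. The removed if/else at least made a failed delivery recognisable in syslog; with a single message a non-zero code is now the only hint, which is worth spelling out in the README. f_mail's declaration and `local` line are outside this hunk.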
@@ -1345,8 +1343,7 @@ fi
 # f_system
 if [ "${ban_action}" != "stop" ]; then
-	[ ! -d "/etc/banip" ] && f_log "err" "banIP config directory not found, please re-install the package"
-	[ ! -r "/etc/banip/banip.feeds" ] && f_log "err" "banIP feed file not found, please re-install the package"
-	[ ! -r "/etc/config/banip" ] && f_log "err" "banIP config not found, please re-install the package"
-	[ "$(uci_get banip global ban_enabled)" = "0" ] && f_log "err" "banIP is currently disabled, please set the config option 'ban_enabled' to '1' to use this service"
+	[ ! -d "/etc/banip" ] && f_log "err" "no banIP config directory"
+	[ ! -r "/etc/config/banip" ] && f_log "err" "no banIP config"
+	[ "$(uci_get banip global ban_enabled)" = "0" ] && f_log "err" "banIP is disabled"
 fi
diff --git a/net/banip/files/banip-service.sh b/net/banip/files/banip-service.sh
index f70f5723f..aadeae380 100755
--- a/net/banip/files/banip-service.sh
+++ b/net/banip/files/banip-service.sh
@@ -1,5 +1,5 @@
 #!/bin/sh
-# banIP main service script - ban incoming and outgoing ip addresses/subnets via Sets in nftables
+# banIP main service script - ban incoming and outgoing IPs via named nftables Sets
 # Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org)
 # This is free software, licensed under the GNU General Public License v3.
@@ -36,10 +36,10 @@ if [ "${ban_action}" != "reload" ]; then
 			sleep 1
 		done
 		if ! /etc/init.d/firewall status >/dev/null 2>&1; then
-			f_log "err" "nft based firewall/fw4 not functional"
+			f_log "err" "error in nft based firewall/fw4"
 		fi
 	else
-		f_log "err" "nft based firewall/fw4 not found"
+		f_log "err" "no nft based firewall/fw4"
 	fi
 fi
@@ -47,9 +47,9 @@ fi
 #
 if [ "${ban_action}" != "reload" ] || ! "${ban_nftcmd}" -t list set inet banIP allowlistvMAC >/dev/null 2>&1; then
 	if f_nftinit "${ban_tmpfile}".init.nft; then
-		f_log "info" "nft namespace initialized"
+		f_log "info" "initialize nft namespace"
 	else
-		f_log "err" "nft namespace can't be initialized"
+		f_log "err" "can't initialize nft namespace"
 	fi
 fi
@@ -83,7 +83,7 @@ for feed in allowlist ${ban_feed} blocklist; do
 	# external feeds
 	#
 	if ! json_select "${feed}" >/dev/null 2>&1; then
-		f_log "info" "unknown feed '${feed}' will be removed"
+		f_log "info" "remove unknown feed '${feed}'"
 		uci_remove_list banip global ban_feed "${feed}"
 		uci_commit "banip"
 		continue
@@ -99,7 +99,7 @@ for feed in allowlist ${ban_feed} blocklist; do
 	if { { [ -n "${feed_url_4}" ] && [ -z "${feed_rule_4}" ]; } || { [ -z "${feed_url_4}" ] && [ -n "${feed_rule_4}" ]; }; } || { { [ -n "${feed_url_6}" ] && [ -z "${feed_rule_6}" ]; } || { [ -z "${feed_url_6}" ] && [ -n "${feed_rule_6}" ]; }; } || { [ -z "${feed_url_4}" ] && [ -z "${feed_rule_4}" ] && [ -z "${feed_url_6}" ] && [ -z "${feed_rule_6}" ]; }; then
-		f_log "info" "incomplete feed '${feed}' will be skipped"
+		f_log "info" "skip incomplete feed '${feed}'"
 		continue
 	fi
@@ -138,7 +138,6 @@ wait
 f_rmset
 f_rmdir "${ban_tmpdir}"
 f_genstatus "active"
-f_log "info" "finish banIP download processes"
 # start domain lookup
 #
@@ -191,15 +190,15 @@ if [ -x "${ban_logreadcmd}" ] && [ -n "${ban_logterm%%??}" ] && [ "${ban_loglimi
 				[ -n "${ip}" ] && proto="v6"
 			fi
 			if [ -n "${proto}" ] && ! "${ban_nftcmd}" get element inet banIP blocklist"${proto}" "{ ${ip} }" >/dev/null 2>&1; then
-				f_log "info" "suspicious IP${proto} found '${ip}'"
+				f_log "info" "suspicious IP${proto} '${ip}'"
 				log_raw="$("${ban_logreadcmd}" -l "${ban_loglimit}" 2>/dev/null)"
 				log_count="$(printf "%s\n" "${log_raw}" | grep -c "found '${ip}'")"
 				if [ "${log_count}" -ge "${ban_logcount}" ]; then
 					if "${ban_nftcmd}" add element inet banIP "blocklist${proto}" "{ ${ip} ${nft_expiry} }" >/dev/null 2>&1; then
-						f_log "info" "added IP${proto} '${ip}' (expiry: ${nft_expiry:-"-"}) to blocklist${proto} set"
+						f_log "info" "add IP${proto} '${ip}' (expiry: ${nft_expiry:-"-"}) to blocklist${proto} set"
 						if [ "${ban_autoblocklist}" = "1" ] && ! grep -q "^${ip}" "${ban_blocklist}"; then
 							printf "%-42s%s\n" "${ip}" "# added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_blocklist}"
-							f_log "info" "added IP${proto} '${ip}' to local blocklist"
+							f_log "info" "add IP${proto} '${ip}' to local blocklist"
 						fi
 					fi
 				fi
diff --git a/net/banip/files/banip.init b/net/banip/files/banip.init
index 891dee4eb..db584e2e2 100755
--- a/net/banip/files/banip.init
+++ b/net/banip/files/banip.init
@@ -1,5 +1,5 @@
 #!/bin/sh /etc/rc.common
-# banIP init script - ban incoming and outgoing ip adresses/subnets via sets in nftables
+# banIP init script - ban incoming and outgoing IPs via named nftables Sets
 # Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org)
 # This is free software, licensed under the GNU General Public License v3.
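Review bot: The renamed message `suspicious IP${proto} '${ip}'` no longer contains `found '`, yet the unchanged line two below still counts hits with `grep -c "found '${ip}'"` on the logread output; as far as these lines show, that counter was fed by banIP's own previous message, so with the new wording `log_count` stays at 0, `-ge "${ban_logcount}"` never holds for the default of 1, and the monitor stops adding elements to `blocklist${proto}`. The counting pattern should follow the new text: `log_count="$(printf "%s\n" "${log_raw}" | grep -c "suspicious IP${proto} '${ip}'")"`. Note that `${ip}` is used unescaped as a regex here and is interpolated into the nft set expression a few lines further down; how `ip` is extracted and validated is outside the hunk, so that is presumably where its shape is enforced. The enclosing monitor loop starts and ends outside the hunk.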
@@ -9,9 +9,9 @@ START=30
 USE_PROCD=1
-extra_command "report" "[text|json|mail] Print banIP related set statistics"
-extra_command "search" "[<IPv4 address>|<IPv6 address>] Check if an element exists in a banIP set"
-extra_command "survey" "[<set name>] List all elements of a given banIP set"
+extra_command "report" "[text|json|mail] Print banIP related Set statistics"
+extra_command "search" "[<IPv4 address>|<IPv6 address>] Check if an element exists in a banIP Set"
+extra_command "survey" "[<Set name>] List all elements of a given banIP Set"
 extra_command "lookup" "Lookup the IPs of domain names in the local lists and update them"
 ban_init="/etc/init.d/banip"
@@ -45,7 +45,7 @@ start_service() {
 		procd_close_instance
 	else
 		[ -z "$(command -v "f_system")" ] && . "${ban_funlib}"
-		f_log "err" "banIP service autostart is currently disabled, please enable the service autostart with '/etc/init.d/banip enable'"
+		f_log "err" "banIP service autostart is disabled"
 		rm -rf "${ban_lock}"
 	fi
 }
diff --git a/net/banip/files/banip.tpl b/net/banip/files/banip.tpl
index f6bd5214c..df5c7e8a1 100644
--- a/net/banip/files/banip.tpl
+++ b/net/banip/files/banip.tpl
@@ -1,5 +1,5 @@
-# banIP mail template/include
-# Copyright (c) 2020-2023 Dirk Brenken (dev@brenken.org)
+# banIP mail template/include - ban incoming and outgoing IPs via named nftables Sets
+# Copyright (c) 2018-2023 Dirk Brenken (dev@brenken.org)
 # This is free software, licensed under the GNU General Public License v3.
 # info preparation |