banIP: release 1.5.0-1

* change the chain structure: only two regular chains contain the generated banIP sets. “_inbound” covers the base chains WAN-Input and WAN-Forward, ‘_outbound’ covers the base chain LAN-Forward. * pre-configure the default chains for every feed in the banip.feeds json file, no longer blocks selected feeds in all chains by default * it's now possible to split country and asn Sets by country or asn (disabled by default) * support Set counters to report easily suspicious IPs per Set (disabled by default) * make it possible, to opt out certain chains from the deduplication process * the element search now returns all matches (and not only the first one) * the report engine now includes statistics about the Inbound & Outbound chains and the Set counters (optional) * save the temp. files of possible nft loading errors in "/tmp/banIP-errors" by default for easier debugging * various code improvements * remove ssbl feed (deprecated) * add two new vpn feeds * update the readme Signed-off-by: Dirk Brenken <[email protected]>
openwrt · Jan 16, 2025 · 80768df · 80768df
1 parent def5214
commit 80768df
Show file tree

Hide file tree

Showing 8 changed files with 791 additions and 607 deletions.
diff --git a/net/banip/Makefile b/net/banip/Makefile
@@ -1,12 +1,12 @@
 # banIP - ban incoming and outgoing IPs via named nftables Sets
-# Copyright (c) 2018-2024 Dirk Brenken ([email protected])
+# Copyright (c) 2018-2025 Dirk Brenken ([email protected])
 # This is free software, licensed under the GNU General Public License v3.
 
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=banip
-PKG_VERSION:=1.0.1
-PKG_RELEASE:=2
+PKG_VERSION:=1.5.0
+PKG_RELEASE:=1
 PKG_LICENSE:=GPL-3.0-or-later
 PKG_MAINTAINER:=Dirk Brenken <[email protected]>
 

diff --git a/net/banip/files/README.md b/net/banip/files/README.md
diff --git a/net/banip/files/banip-functions.sh b/net/banip/files/banip-functions.sh
diff --git a/net/banip/files/banip-service.sh b/net/banip/files/banip-service.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 # banIP main service script - ban incoming and outgoing IPs via named nftables Sets
-# Copyright (c) 2018-2024 Dirk Brenken ([email protected])
+# Copyright (c) 2018-2025 Dirk Brenken ([email protected])
 # This is free software, licensed under the GNU General Public License v3.
 
 # (s)hellcheck exceptions
@@ -25,6 +25,7 @@ f_getuplink
 f_mkdir "${ban_backupdir}"
 f_mkfile "${ban_allowlist}"
 f_mkfile "${ban_blocklist}"
+f_rmdir "${ban_errordir}"
 
 # firewall/fw4 pre-check
 #
@@ -57,7 +58,7 @@ for feed in allowlist ${ban_feed} blocklist; do
 	if [ "${feed}" = "allowlist" ] || [ "${feed}" = "blocklist" ]; then
 		for proto in 4MAC 6MAC 4 6; do
 			[ "${feed}" = "blocklist" ] && wait
-			f_down "${feed}" "${proto}"
+			f_down "${feed}" "${proto}" "-" "-" "inout"
 		done
 		continue
 	fi
@@ -70,7 +71,7 @@ for feed in allowlist ${ban_feed} blocklist; do
 		uci_commit "banip"
 		continue
 	fi
-	json_objects="url_4 rule_4 url_6 rule_6 flag"
+	json_objects="url_4 rule_4 url_6 rule_6 chain flag"
 	for object in ${json_objects}; do
 		eval json_get_var feed_"${object}" '${object}' >/dev/null 2>&1
 	done
@@ -85,36 +86,44 @@ for feed in allowlist ${ban_feed} blocklist; do
 		continue
 	fi
 
-	# handle IPv4/IPv6 feeds with a single download URL
+	# handle IPv4/IPv6 feeds
 	#
-	if [ "${feed_url_4}" = "${feed_url_6}" ]; then
-		if [ "${ban_protov4}" = "1" ] && [ -n "${feed_url_4}" ] && [ -n "${feed_rule_4}" ]; then
-			(f_down "${feed}" "4" "${feed_url_4}" "${feed_rule_4}" "${feed_flag}") &
+	if [ "${ban_protov4}" = "1" ] && [ -n "${feed_url_4}" ] && [ -n "${feed_rule_4}" ]; then
+		if [ "${feed}" = "country" ] && [ "${ban_countrysplit}" = "1" ]; then
+			for country in ${ban_country}; do
+				f_down "${feed}.${country}" "4" "${feed_url_4}" "${feed_rule_4}" "${feed_chain:-"in"}" "${feed_flag}"
+			done
+		elif [ "${feed}" = "asn" ] && [ "${ban_asnsplit}" = "1" ]; then
+			for asn in ${ban_asn}; do
+				f_down "${feed}.${asn}" "4" "${feed_url_4}" "${feed_rule_4}" "${feed_chain:-"in"}" "${feed_flag}"
+			done
+		else
+			(f_down "${feed}" "4" "${feed_url_4}" "${feed_rule_4}" "${feed_chain:-"in"}" "${feed_flag}") &
+		fi
+		if [ "${feed_url_4}" = "${feed_url_6}" ]; then
 			feed_url_6="local"
 			wait
-		fi
-		if [ "${ban_protov6}" = "1" ] && [ -n "${feed_url_6}" ] && [ -n "${feed_rule_6}" ]; then
-			(f_down "${feed}" "6" "${feed_url_6}" "${feed_rule_6}" "${feed_flag}") &
+		else
 			hold="$((cnt % ban_cores))"
 			[ "${hold}" = "0" ] && wait
 			cnt="$((cnt + 1))"
 		fi
-		continue
-	fi
-
-	# handle IPv4/IPv6 feeds with separate download URLs
-	#
-	if [ "${ban_protov4}" = "1" ] && [ -n "${feed_url_4}" ] && [ -n "${feed_rule_4}" ]; then
-		(f_down "${feed}" "4" "${feed_url_4}" "${feed_rule_4}" "${feed_flag}") &
-		hold="$((cnt % ban_cores))"
-		[ "${hold}" = "0" ] && wait
-		cnt="$((cnt + 1))"
 	fi
 	if [ "${ban_protov6}" = "1" ] && [ -n "${feed_url_6}" ] && [ -n "${feed_rule_6}" ]; then
-		(f_down "${feed}" "6" "${feed_url_6}" "${feed_rule_6}" "${feed_flag}") &
+		if [ "${feed}" = "country" ] && [ "${ban_countrysplit}" = "1" ]; then
+			for country in ${ban_country}; do
+				f_down "${feed}.${country}" "6" "${feed_url_6}" "${feed_rule_6}" "${feed_chain:-"in"}" "${feed_flag}"
+			done
+		elif [ "${feed}" = "asn" ] && [ "${ban_asnsplit}" = "1" ]; then
+			for asn in ${ban_asn}; do
+				f_down "${feed}.${asn}" "6" "${feed_url_6}" "${feed_rule_6}" "${feed_chain:-"in"}" "${feed_flag}"
+			done
+		else
+			(f_down "${feed}" "6" "${feed_url_6}" "${feed_rule_6}" "${feed_chain:-"in"}" "${feed_flag}") &
+		fi
+		cnt="$((cnt + 1))"
 		hold="$((cnt % ban_cores))"
 		[ "${hold}" = "0" ] && wait
-		cnt="$((cnt + 1))"
 	fi
 done
 wait

diff --git a/net/banip/files/banip.cgi b/net/banip/files/banip.cgi
@@ -1,6 +1,6 @@
 #!/bin/sh
 # banIP cgi remote logging script - ban incoming and outgoing IPs via named nftables Sets
-# Copyright (c) 2018-2024 Dirk Brenken ([email protected])
+# Copyright (c) 2018-2025 Dirk Brenken ([email protected])
 # This is free software, licensed under the GNU General Public License v3.
 
 # (s)hellcheck exceptions