From ca2ac06d28bf080d85c18b5e1b7a697857fca9c9 Mon Sep 17 00:00:00 2001 From: Hirokazu MORIKAWA Date: Wed, 21 Jun 2023 11:27:48 +0900 Subject: [PATCH 01/13] node: June 20 2023 Security Releases Update to v18.16.1 The following CVEs are fixed in this release: * CVE-2023-30581: mainModule.__proto__ Bypass Experimental Policy Mechanism (High) * CVE-2023-30585: Privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process (Medium) * CVE-2023-30588: Process interuption due to invalid Public Key information in x509 certificates (Medium) * CVE-2023-30589: HTTP Request Smuggling via Empty headers separated by CR (Medium) * CVE-2023-30590: DiffieHellman does not generate keys after setting a private key (Medium) * OpenSSL Security Releases (Depends on shared library provided by OpenWrt) * OpenSSL security advisory 28th March. * OpenSSL security advisory 20th April. * OpenSSL security advisory 30th May * c-ares vulnerabilities: (Depends on shared library provided by OpenWrt) * GHSA-9g78-jv2r-p7vc * GHSA-8r8p-23f3-64c2 * GHSA-54xr-f67r-4pc4 * GHSA-x6mf-cxr9-8q6v Signed-off-by: Hirokazu MORIKAWA (cherry picked from commit 286d1d11ae451e9e90897aacd7ae20ec76e2cab5) --- lang/node/Makefile | 4 ++-- lang/node/patches/003-path.patch | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/lang/node/Makefile b/lang/node/Makefile index a0cf9f928a..f924d1c780 100644 --- a/lang/node/Makefile +++ b/lang/node/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=node -PKG_VERSION:=v18.16.0 +PKG_VERSION:=v18.16.1 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=https://nodejs.org/dist/$(PKG_VERSION) -PKG_HASH:=33d81a233e235a509adda4a4f2209008d04591979de6b3f0f67c1c906093f118 +PKG_HASH:=e8404f8c8d89fdfdf7e95bbbc6066bd0e571acba58f54492599b615fbeefe272 PKG_MAINTAINER:=Hirokazu MORIKAWA , Adrian Panella PKG_LICENSE:=MIT 
diff --git a/lang/node/patches/003-path.patch b/lang/node/patches/003-path.patch index a1103be0df..8e390d88cc 100644 --- a/lang/node/patches/003-path.patch +++ b/lang/node/patches/003-path.patch @@ -1,6 +1,6 @@ --- a/lib/internal/modules/cjs/loader.js +++ b/lib/internal/modules/cjs/loader.js -@@ -1389,7 +1389,8 @@ Module._initPaths = function() { +@@ -1391,7 +1391,8 @@ Module._initPaths = function() { path.resolve(process.execPath, '..') : path.resolve(process.execPath, '..', '..'); From a3151ba4bd1d9de48ed08ee9e30c500bee4d8959 Mon Sep 17 00:00:00 2001 From: Tianling Shen Date: Mon, 19 Jun 2023 14:44:12 +0800 Subject: [PATCH 02/13] cloudflared: Update to 2023.6.0 Signed-off-by: Tianling Shen (cherry picked from commit 194cf52a82df2bdf98d52687762287ae689b6fc6) --- net/cloudflared/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/cloudflared/Makefile b/net/cloudflared/Makefile index 88f6c5a94e..1e5462cda7 100644 --- a/net/cloudflared/Makefile +++ b/net/cloudflared/Makefile @@ -5,12 +5,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=cloudflared -PKG_VERSION:=2023.5.1 +PKG_VERSION:=2023.6.0 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/cloudflare/cloudflared/tar.gz/$(PKG_VERSION)? -PKG_HASH:=ee2c2a4b0c290c39475f79ab74972dfbce817df8e5090813cad0e58f33836194 +PKG_HASH:=8be9ab929fa5bbc021041e4fe33e2f91b4fe16d9c8354bfc19b1ad3fedb39b51 PKG_LICENSE:=Apache-2.0 PKG_LICENSE_FILES:=LICENSE From 7be688fb1c4ce839c77211ff32eb980a454ec51b Mon Sep 17 00:00:00 2001 From: Tianling Shen Date: Tue, 20 Jun 2023 13:11:04 +0800 Subject: [PATCH 03/13] xray-core: update to 1.8.3 Signed-off-by: Tianling Shen (cherry picked from commit c912e2bcedfcfb50c1ee02d0fa120f0b0025ac2c) --- net/xray-core/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/xray-core/Makefile b/net/xray-core/Makefile index 45a1141202..a34aa0f1c5 100644 --- a/net/xray-core/Makefile 
+++ b/net/xray-core/Makefile @@ -1,12 +1,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=xray-core -PKG_VERSION:=1.8.1 +PKG_VERSION:=1.8.3 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/XTLS/Xray-core/tar.gz/v$(PKG_VERSION)? -PKG_HASH:=477ad92b80700b4742e59ad7848ca4726201841a57339e4c1bf9012e395622e2 +PKG_HASH:=bdfa65c15cd25f931745d9c70c753503db5d119ff11960ca7b3a2e19c4b0a8d1 PKG_MAINTAINER:=Tianling Shen PKG_LICENSE:=MPL-2.0 From 66e9da0119c68bc36ea82d2ff00692213e97b2f1 Mon Sep 17 00:00:00 2001 From: Tianling Shen Date: Tue, 20 Jun 2023 13:11:16 +0800 Subject: [PATCH 04/13] v2ray-geodata: Update to latest version Signed-off-by: Tianling Shen (cherry picked from commit e4a22284cb5ddbcaccdea1ad850a573f9d783026) --- net/v2ray-geodata/Makefile | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/net/v2ray-geodata/Makefile b/net/v2ray-geodata/Makefile index 7e83c3663d..1224c037c6 100644 --- a/net/v2ray-geodata/Makefile +++ b/net/v2ray-geodata/Makefile @@ -12,22 +12,22 @@ PKG_MAINTAINER:=Tianling Shen include $(INCLUDE_DIR)/package.mk -GEOIP_VER:=202306010100 +GEOIP_VER:=202306150049 GEOIP_FILE:=geoip.dat.$(GEOIP_VER) define Download/geoip URL:=https://github.com/v2fly/geoip/releases/download/$(GEOIP_VER)/ URL_FILE:=geoip.dat FILE:=$(GEOIP_FILE) - HASH:=033864e77e40f8b9c1a5254bf85881515c51340d3d11e142a4e01594eb151914 + HASH:=811085edc67057690c783e735182db32e5a4b446ee5f6d70ef9e12960ce910da endef -GEOSITE_VER:=20230601044045 +GEOSITE_VER:=20230620033122 GEOSITE_FILE:=dlc.dat.$(GEOSITE_VER) define Download/geosite URL:=https://github.com/v2fly/domain-list-community/releases/download/$(GEOSITE_VER)/ URL_FILE:=dlc.dat FILE:=$(GEOSITE_FILE) - HASH:=d20bcd23c185dd3102a2106ad5370bc615cfb33d9a818daaadefe7a2068fb9ef + HASH:=caecb282d72bf6bfc7977257cadd436e59cb7eea8f6aabb0eae656ae4bf57d76 endef define Package/v2ray-geodata/template From 1d273f9058a6cbb127bf4ef39d667eee42d909b6 Mon Sep 17 00:00:00 2001 
From: Tianling Shen Date: Wed, 21 Jun 2023 20:47:19 +0800 Subject: [PATCH 05/13] cloudflared: Update to 2023.6.1 Signed-off-by: Tianling Shen (cherry picked from commit 1aa41e92ac8733be9a25b77eddea7cdac3bedc34) --- net/cloudflared/Makefile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/cloudflared/Makefile b/net/cloudflared/Makefile index 1e5462cda7..bb41069273 100644 --- a/net/cloudflared/Makefile +++ b/net/cloudflared/Makefile @@ -5,12 +5,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=cloudflared -PKG_VERSION:=2023.6.0 +PKG_VERSION:=2023.6.1 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://codeload.github.com/cloudflare/cloudflared/tar.gz/$(PKG_VERSION)? -PKG_HASH:=8be9ab929fa5bbc021041e4fe33e2f91b4fe16d9c8354bfc19b1ad3fedb39b51 +PKG_HASH:=7f7509bb364f107541dc810410b763721c39cdfab85799080ccae96d1c4a9cff PKG_LICENSE:=Apache-2.0 PKG_LICENSE_FILES:=LICENSE From 01ade55f683287e0df8f7352dfd0eb3690307430 Mon Sep 17 00:00:00 2001 From: Hirokazu MORIKAWA Date: Thu, 15 Jun 2023 15:49:25 +0900 Subject: [PATCH 06/13] c-ares: bump to 1.19.1 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is a security and bugfix release. Security o CVE-2023-32067. High. 0-byte UDP payload causes Denial of Service o CVE-2023-31147. Moderate. Insufficient randomness in generation of DNS
query IDs o CVE-2023-31130. Moderate. Buffer Underwrite in ares_inet_net_pton() o CVE-2023-31124. Low. AutoTools does not set CARES_RANDOM_FILE during cross
compilation Fixing libcares.pc The pkg-config file libcares.pc in version 1.19.1 has been changed to be unsuitable for OpenWrt and causes build errors with Openwrt packages that use libcares. For this reason, libcares.pc was replaced. Signed-off-by: Hirokazu MORIKAWA (cherry picked from commit 4c4d3b900197785292ef92055effcccd7f3b805b) --- libs/c-ares/Makefile | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/libs/c-ares/Makefile b/libs/c-ares/Makefile index 4c13927b23..9f5a9424bb 100644 --- a/libs/c-ares/Makefile +++ b/libs/c-ares/Makefile @@ -9,12 +9,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=c-ares -PKG_VERSION:=1.18.1 +PKG_VERSION:=1.19.1 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://c-ares.org/download -PKG_HASH:=1a7d52a8a84a9fbffb1be9133c0f6e17217d91ea5a6fa61f6b4729cda78ebbcf +PKG_HASH:=321700399b72ed0e037d0074c629e7741f6b2ec2dda92956abe3e9671d3e268e PKG_LICENSE:=MIT PKG_LICENSE_FILES:=LICENSE.md @@ -48,6 +48,13 @@ CMAKE_OPTIONS += \ -DCARES_BUILD_TESTS=OFF \ -DCARES_BUILD_TOOLS=OFF +define Build/InstallDev + $(call Build/InstallDev/cmake,$(1)) + $(SED) 's,/usr/bin,$$$${prefix}/lib,g' $(1)/usr/lib/pkgconfig/libcares.pc + $(SED) 's,/usr/include,$$$${prefix}/include,g' $(1)/usr/lib/pkgconfig/libcares.pc + $(SED) 's,/usr/lib,$$$${prefix}/lib,g' $(1)/usr/lib/pkgconfig/libcares.pc +endef + define Package/libcares/install $(INSTALL_DIR) $(1)/usr/lib $(CP) $(PKG_INSTALL_DIR)/usr/lib/libcares.so.* $(1)/usr/lib/ From 39f49ddb23e42f8efe8873fd0b7b8ab7398e526c Mon Sep 17 00:00:00 2001 From: Quintin Hill Date: Tue, 20 Jun 2023 22:39:58 +0100 Subject: [PATCH 07/13] python-ble2mqtt: fix installation of python program This was broken when the init script was added in 408502ee0. (cherry picked from commit 5cf30460555ba0687bbd61769c30edfb43e39949) Signed-off-by: Quintin Hill --- lang/python/python-ble2mqtt/Makefile | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
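Review bot: The first substitution in the new Build/InstallDev, `$(SED) 's,/usr/bin,$$$${prefix}/lib,g' $(1)/usr/lib/pkgconfig/libcares.pc`, rewrites a bin path onto `${prefix}/lib`, which reads like a copy of the `/usr/lib` line two below rather than an intended mapping; if 1.19.1's libcares.pc really carries a `/usr/bin` entry it should become `$$$${exec_prefix}/bin`, and if it carries none the line should go. All three seds are unanchored substring rewrites, fine for the current file but liable to mangle any future `.pc` line where `/usr/lib` or `/usr/include` appears inside a longer path. Separately, since one of the advisories this bump addresses (CVE-2023-31124) is about the random source not being set when cross-compiling, passing `-DCARES_RANDOM_FILE=/dev/urandom` in CMAKE_OPTIONS would be cheap insurance, presuming the cmake build honours that option as I believe it does.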
diff --git a/lang/python/python-ble2mqtt/Makefile b/lang/python/python-ble2mqtt/Makefile index 8516846885..8e78d36ee1 100644 --- a/lang/python/python-ble2mqtt/Makefile +++ b/lang/python/python-ble2mqtt/Makefile @@ -8,7 +8,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=python-ble2mqtt PKG_VERSION:=0.1.7 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PYPI_NAME:=ble2mqtt PKG_HASH:=c57d6823f1133ce0b5e0e3d9f7d2b3fd58d2ad64c0cc86cb3fa180b178999fa6 @@ -38,6 +38,8 @@ endef define Py3Package/python3-ble2mqtt/install $(INSTALL_DIR) $(1)/etc/init.d $(INSTALL_BIN) ./files/ble2mqtt.init $(1)/etc/init.d/ble2mqtt + $(INSTALL_DIR) $(1)/usr/bin + $(CP) $(PKG_INSTALL_DIR)/usr/bin/* $(1)/usr/bin/ endef $(eval $(call Py3Package,python3-ble2mqtt)) From 418725b9459bc555ca53bd27bf4d409001b6a2e6 Mon Sep 17 00:00:00 2001 From: Tianling Shen Date: Mon, 19 Jun 2023 17:25:04 +0800 Subject: [PATCH 08/13] gitlab-runner: Update to 16.0.2 * Added test.sh script * Fixed build with riscv64 * Passed package version via go ldflags * Refreshed patches * Removed useless test binaries from package Signed-off-by: Tianling Shen (cherry picked from commit 27b4291bd474f1517fc1a00ee7b8e7e69ded8a55) --- devel/gitlab-runner/Makefile | 15 ++++++++++++--- devel/gitlab-runner/patches/010-test.patch | 2 +- devel/gitlab-runner/test.sh | 3 +++ 3 files changed, 16 insertions(+), 4 deletions(-) create mode 100644 devel/gitlab-runner/test.sh diff --git a/devel/gitlab-runner/Makefile b/devel/gitlab-runner/Makefile index 575db47074..801119e077 100644 --- a/devel/gitlab-runner/Makefile +++ b/devel/gitlab-runner/Makefile 
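Review bot: The added `$(CP) $(PKG_INSTALL_DIR)/usr/bin/* $(1)/usr/bin/` copies whatever the Python install dropped into usr/bin with its source permissions, so an extra console script pulled in by a future dependency ships unnoticed and mode bits are not normalised. The usual form is to install the one entry point explicitly, `$(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/ble2mqtt $(1)/usr/bin/`, presuming `ble2mqtt` is the console-script name — confirm against the package's entry points.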
@@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=gitlab-runner -PKG_VERSION:=14.3.2 -PKG_RELEASE:=2 +PKG_VERSION:=16.0.2 +PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-v$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://gitlab.com/gitlab-org/gitlab-runner/-/archive/v$(PKG_VERSION) -PKG_HASH:=f67aeae05349f5c612ea5d8772407237caf4da586c0365e3c7edceec6b853d8c +PKG_HASH:=f874b9babe21ae04007abfc901e9ad4c0c1ec22095d4de3e22e176914683cb5d PKG_MAINTAINER:=Jan Pavlinec PKG_LICENSE:=MIT @@ -23,7 +23,9 @@ PKG_BUILD_DIR:=$(BUILD_DIR)/gitlab-runner-v$(PKG_VERSION) PKG_BUILD_DEPENDS:=golang/host PKG_BUILD_PARALLEL:=1 PKG_BUILD_FLAGS:=no-mips16 + GO_PKG:=gitlab.com/gitlab-org/gitlab-runner +GO_PKG_LDFLAGS_X:=$(GO_PKG)/common.VERSION=$(PKG_VERSION) include $(INCLUDE_DIR)/package.mk include ../../lang/golang/golang-package.mk @@ -41,5 +43,12 @@ define Package/gitlab-runner/description GitLab CI/CD to run jobs in a pipeline. endef +define Package/gitlab-runner/install + $(call GoPackage/Package/Install/Bin,$(PKG_INSTALL_DIR)) + $(INSTALL_DIR) $(1)/usr/bin/ + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/gitlab-runner $(1)/usr/bin/ + $(INSTALL_BIN) $(PKG_INSTALL_DIR)/usr/bin/gitlab-runner-helper $(1)/usr/bin/ +endef + $(eval $(call GoBinPackage,gitlab-runner)) $(eval $(call BuildPackage,gitlab-runner)) diff --git a/devel/gitlab-runner/patches/010-test.patch b/devel/gitlab-runner/patches/010-test.patch index 5bf5dfbe8b..f66940508b 100644 --- a/devel/gitlab-runner/patches/010-test.patch +++ b/devel/gitlab-runner/patches/010-test.patch @@ -1,6 +1,6 @@ --- a/common/buildtest/masking.go +++ b/common/buildtest/masking.go -@@ -45,7 +45,7 @@ func RunBuildWithMasking(t *testing.T, c +@@ -55,7 +55,7 @@ func RunBuildWithMasking(t *testing.T, c buf.Finish() diff --git a/devel/gitlab-runner/test.sh b/devel/gitlab-runner/test.sh new file mode 100644 index 0000000000..1517147092 --- /dev/null +++ b/devel/gitlab-runner/test.sh @@ -0,0 +1,3 @@ +#!/bin/sh + +gitlab-runner --version | grep "$PKG_VERSION" 
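Review bot: In the new test.sh, `grep "$PKG_VERSION"` treats the version as a regular expression, so the dots match any character and `16.0.2` would also accept an output such as `16x0x25`; `grep -F -- "$PKG_VERSION"` is the literal match the check intends. The script's only result is grep's exit status, which is fine if the harness inspects it, but a short comment stating that would make the contract explicit.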
From 5c220eaef7d2b477c413ef8c9d57ae3ea4fef38a Mon Sep 17 00:00:00 2001 From: Tianling Shen Date: Thu, 22 Jun 2023 14:27:18 +0800 Subject: [PATCH 09/13] vsftpd: fix compilation with musl 1.2.4 musl 1.2.4 deprecated legacy "LFS64" ("large file support") interfaces so just having _GNU_SOURCE defined is not enough anymore. Manually pass -D_LARGEFILE64_SOURCE to allow to keep using LFS64 definitions. Signed-off-by: Tianling Shen (cherry picked from commit a9cda9150232c4907607a3f19ad1d0833541bc89) --- net/vsftpd/Makefile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/net/vsftpd/Makefile b/net/vsftpd/Makefile index ad74c7f928..52853052ff 100644 --- a/net/vsftpd/Makefile +++ b/net/vsftpd/Makefile @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=vsftpd PKG_VERSION:=3.0.5 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://security.appspot.com/downloads/ @@ -52,6 +52,7 @@ Package/vsftpd-tls/conffiles=$(Package/vsftpd/conffiles) ifneq ($(CONFIG_USE_MUSL),) NLSSTRING:=-lcrypt + TARGET_CFLAGS += -D_LARGEFILE64_SOURCE else ifneq ($(CONFIG_USE_GLIBC),) NLSSTRING:=-lcrypt else From d4019d3828fe049c0e8d6b6064114f7618ba5615 Mon Sep 17 00:00:00 2001 From: Dirk Brenken Date: Mon, 5 Jun 2023 17:20:12 +0200 Subject: [PATCH 10/13] banip: release 0.8.7-1 * Optionally auto-add entire subnets to the blocklist Sets based on an additional RDAP request with the monitored suspicious IP, set 'ban_autoblocksubnet' accordingly (disabled by default). For more information regarding RDAP see https://www.ripe.net/manage-ips-and-asns/db/registration-data-access-protocol-rdap for reference. * small fixes & cosmetics * update readme Signed-off-by: Dirk Brenken (cherry picked from commit 767d1ec663b980f86f31354ceaee07c6184656eb) --- net/banip/Makefile | 4 +- net/banip/files/README.md | 8 ++- net/banip/files/banip-functions.sh | 91 ++++++++++++++++++++---------- 3 files changed, 68 insertions(+), 35 deletions(-) 
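Review bot: `TARGET_CFLAGS += -D_LARGEFILE64_SOURCE` in the musl branch only re-enables the LFS64 names that the commit message itself describes as deprecated in musl 1.2.4, so the build should be expected to break again once musl drops them entirely; this is a stopgap rather than a fix. The durable change is a patch against vsftpd replacing the `*64` calls and types with the plain `off_t`/`lseek`/`fstat` family under `_FILE_OFFSET_BITS=64`, which musl already makes 64-bit. A one-line comment beside the flag, e.g. `# transitional: musl 1.2.4 hides LFS64 names; vsftpd still uses them`, would stop the next maintainer from treating this as the final answer.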
diff --git a/net/banip/Makefile b/net/banip/Makefile index a62540da60..7ca6d9de33 100644 --- a/net/banip/Makefile +++ b/net/banip/Makefile @@ -5,8 +5,8 @@ include $(TOPDIR)/rules.mk PKG_NAME:=banip -PKG_VERSION:=0.8.6 -PKG_RELEASE:=2 +PKG_VERSION:=0.8.7 +PKG_RELEASE:=1 PKG_LICENSE:=GPL-3.0-or-later PKG_MAINTAINER:=Dirk Brenken diff --git a/net/banip/files/README.md b/net/banip/files/README.md index 3a104ea04f..c30b7865f4 100644 --- a/net/banip/files/README.md +++ b/net/banip/files/README.md @@ -65,10 +65,11 @@ IP address blocking is commonly used to protect against brute force attacks, pre * Auto-add the uplink subnet or uplink IP to the local allowlist * Provides a small background log monitor to ban unsuccessful login attempts in real-time * Auto-add unsuccessful LuCI, nginx, Asterisk or ssh login attempts to the local blocklist +* Auto-add entire subnets to the blocklist Sets based on an additional RDAP request with the monitored suspicious IP * Fast feed processing as they are handled in parallel as background jobs * Per feed it can be defined whether the wan-input chain, the wan-forward chain or the lan-forward chain should be blocked (default: all chains) * Automatic blocklist backup & restore, the backups will be used in case of download errors or during startup -* Automatically selects one of the following download utilities with ssl support: aria2c, curl, uclient-fetch or wget +* Automatically selects one of the following download utilities with ssl support: aria2c, curl, uclient-fetch or full wget * Supports an 'allowlist only' mode, this option restricts internet access from/to a small number of secure websites/IPs * Deduplicate IPs accross all Sets (single IPs only, no intervals) * Provides comprehensive runtime information 
@@ -78,7 +79,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre * Minimal status & error logging to syslog, enable debug logging to receive more output * Procd based init system support (start/stop/restart/reload/status/report/search/survey/lookup) * Procd network interface trigger support -* Add new or edit existing banIP feeds on your own with the integrated custom feed editor +* Add new or edit existing banIP feeds on your own with the LuCI integrated custom feed editor * Supports external allowlist URLs to reference additional IPv4/IPv6 feeds ## Prerequisites @@ -97,7 +98,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre * Install the LuCI companion package 'luci-app-banip' (opkg install luci-app-banip) * It's strongly recommended to use the LuCI frontend to easily configure all aspects of banIP, the application is located in LuCI under the 'Services' menu * If you're going to configure banIP via CLI, edit the config file '/etc/config/banip' and enable the service (set ban\_enabled to '1'), then add pre-configured feeds via 'ban\_feed' (see the feed list above) and add/change other options to your needs (see the options reference below) -* Start the service with '/etc/init.d/banip start' and check check everything is working by running '/etc/init.d/banip status' +* Start the service with '/etc/init.d/banip start' and check everything is working by running '/etc/init.d/banip status' ## banIP CLI interface * All important banIP functions are accessible via CLI. 
@@ -140,6 +141,7 @@ Available commands: | ban_logforwardlan | option | 0 | log rejects in the lan-forward chain | | ban_autoallowlist | option | 1 | add wan IPs/subnets and resolved domains automatically to the local allowlist (not only to the Sets) | | ban_autoblocklist | option | 1 | add suspicious attacker IPs and resolved domains automatically to the local blocklist (not only to the Sets) | +| ban_autoblocksubnet | option | 0 | add entire subnets to the blocklist Sets based on an additional RDAP request with the suspicious IP | | ban_autoallowuplink | option | subnet | limit the uplink autoallow function to: 'subnet', 'ip' or 'disable' it at all | | ban_allowlistonly | option | 0 | restrict the internet access from/to a small number of secure websites/IPs | | ban_basedir | option | /tmp | base working directory while banIP processing | diff --git a/net/banip/files/banip-functions.sh b/net/banip/files/banip-functions.sh index ac28523b9a..9731c71641 100644 --- a/net/banip/files/banip-functions.sh +++ b/net/banip/files/banip-functions.sh @@ -20,8 +20,12 @@ ban_blocklist="/etc/banip/banip.blocklist" ban_mailtemplate="/etc/banip/banip.tpl" ban_pidfile="/var/run/banip.pid" ban_rtfile="/var/run/banip_runtime.json" +ban_rdapfile="/var/run/banip_rdap.json" +ban_rdapurl="https://rdap.db.ripe.net/ip/" ban_lock="/var/run/banip.lock" ban_fetchcmd="" +ban_fetchparm="" +ban_rdapparm="" ban_logreadcmd="$(command -v logread)" ban_logcmd="$(command -v logger)" ban_ubuscmd="$(command -v ubus)" @@ -33,12 +37,13 @@ ban_sedcmd="$(command -v sed)" ban_catcmd="$(command -v cat)" ban_zcatcmd="$(command -v zcat)" ban_lookupcmd="$(command -v nslookup)" +ban_jsoncmd="$(command -v jsonfilter)" ban_mailcmd="$(command -v msmtp)" ban_mailsender="no-reply@banIP" ban_mailreceiver="" ban_mailtopic="banIP notification" ban_mailprofile="ban_notify" -ban_mailnotifcation="0" +ban_mailnotification="0" ban_reportelements="1" ban_nftloglevel="warn" ban_nftpriority="-200" 
@@ -57,6 +62,7 @@ ban_allowlistonly="0" ban_autoallowlist="1" ban_autoallowuplink="subnet" ban_autoblocklist="1" +ban_autoblocksubnet="0" ban_deduplicate="1" ban_splitsize="0" ban_autodetect="1" @@ -93,8 +99,8 @@ f_system() { fi ban_packages="$(${ban_ubuscmd} -S call rpc-sys packagelist '{ "all": true }' 2>/dev/null)" ban_memory="$("${ban_awkcmd}" '/^MemAvailable/{printf "%s",int($2/1000)}' "/proc/meminfo" 2>/dev/null)" - ban_ver="$(printf "%s" "${ban_packages}" | jsonfilter -ql1 -e '@.packages.banip')" - ban_sysver="$(${ban_ubuscmd} -S call system board 2>/dev/null | jsonfilter -ql1 -e '@.model' -e '@.release.description' | + ban_ver="$(printf "%s" "${ban_packages}" | "${ban_jsoncmd}" -ql1 -e '@.packages.banip')" + ban_sysver="$("${ban_ubuscmd}" -S call system board 2>/dev/null | "${ban_jsoncmd}" -ql1 -e '@.model' -e '@.release.description' | "${ban_awkcmd}" 'BEGIN{RS="";FS="\n"}{printf "%s, %s",$1,$2}')" if [ -z "${ban_cores}" ]; then cpu="$("${ban_grepcmd}" -c '^processor' /proc/cpuinfo 2>/dev/null)" @@ -236,6 +242,9 @@ f_conf() { "ban_ifv6") eval "${option}=\"$(printf "%s" "${ban_ifv6}")${value} \"" ;; + "ban_trigger") + eval "${option}=\"$(printf "%s" "${ban_trigger}")${value} \"" + ;; "ban_feed") eval "${option}=\"$(printf "%s" "${ban_feed}")${value} \"" ;; 
@@ -321,22 +330,26 @@ f_getfetch() { "aria2c") [ "${ban_fetchinsecure}" = "1" ] && insecure="--check-certificate=false" ban_fetchparm="${ban_fetchparm:-"${insecure} --timeout=20 --retry-wait=10 --max-tries=${ban_fetchretry} --max-file-not-found=${ban_fetchretry} --allow-overwrite=true --auto-file-renaming=false --log-level=warn --dir=/ -o"}" + ban_rdapparm="--timeout=5 --allow-overwrite=true --auto-file-renaming=false --dir=/ -o" ;; "curl") [ "${ban_fetchinsecure}" = "1" ] && insecure="--insecure" ban_fetchparm="${ban_fetchparm:-"${insecure} --connect-timeout 20 --retry-delay 10 --retry ${ban_fetchretry} --retry-all-errors --fail --silent --show-error --location -o"}" + ban_rdapparm="--connect-timeout 5 --silent --location -o" ;; "uclient-fetch") [ "${ban_fetchinsecure}" = "1" ] && insecure="--no-check-certificate" ban_fetchparm="${ban_fetchparm:-"${insecure} --timeout=20 -O"}" + ban_rdapparm="--timeout=5 -O" ;; "wget") [ "${ban_fetchinsecure}" = "1" ] && insecure="--no-check-certificate" - ban_fetchparm="${ban_fetchparm:-"${insecure} --no-cache --no-cookies --timeout=20 --waitretry=10 --tries=${ban_fetchretry} --retry-connrefused --max-redirect=0 -O"}" + ban_fetchparm="${ban_fetchparm:-"${insecure} --no-cache --no-cookies --timeout=20 --waitretry=10 --tries=${ban_fetchretry} --retry-connrefused -O"}" + ban_rdapparm="--timeout=5 -O" ;; esac - f_log "debug" "f_getfetch ::: auto/update: ${ban_autodetect}/${update}, cmd: ${ban_fetchcmd:-"-"}, parm: ${ban_fetchparm:-"-"}" + f_log "debug" "f_getfetch ::: auto/update: ${ban_autodetect}/${update}, cmd: ${ban_fetchcmd:-"-"}, fetch_parm: ${ban_fetchparm:-"-"}, rdap_parm: ${ban_rdapparm:-"-"}" } # get wan interfaces 
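Review bot: Dropping `--max-redirect=0` from the wget `ban_fetchparm` is a behaviour change for every feed download, not a cosmetic fix: wget now follows up to its default 20 redirects, including an https-to-http downgrade, where it previously refused, and the commit message does not mention it. For the new `ban_rdapparm`, curl's `--connect-timeout 5` only bounds the TCP/TLS handshake, so a server that accepts and then stalls can hold f_monitor's log loop indefinitely; add `--max-time 10` (the `--timeout=5` given to uclient-fetch and wget already covers the read phase). Unlike `ban_fetchparm`, `ban_rdapparm` is assigned unconditionally rather than via `${var:-default}`, so it cannot be tuned from the config; that may be intended but deserves a comment.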
@@ -593,11 +606,11 @@ f_down() { ruleset_raw="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null)" { printf "%s\n" "flush set inet banIP ${feed}" - handle="$(printf "%s\n" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-input\"][@.expr[0].match.right=\"@${feed}\"].handle")" + handle="$(printf "%s\n" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-input\"][@.expr[0].match.right=\"@${feed}\"].handle")" [ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP wan-input handle ${handle}" - handle="$(printf "%s\n" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-forward\"][@.expr[0].match.right=\"@${feed}\"].handle")" + handle="$(printf "%s\n" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-forward\"][@.expr[0].match.right=\"@${feed}\"].handle")" [ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP wan-forward handle ${handle}" - handle="$(printf "%s\n" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"lan-forward\"][@.expr[0].match.right=\"@${feed}\"].handle")" + handle="$(printf "%s\n" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"lan-forward\"][@.expr[0].match.right=\"@${feed}\"].handle")" [ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP lan-forward handle ${handle}" } >"${tmp_flush}" fi @@ -866,7 +879,7 @@ f_down() { rm -f "${split_file}" done if [ "${ban_debug}" = "1" ] && [ "${ban_reportelements}" = "1" ]; then - cnt_set="$("${ban_nftcmd}" -j list set inet banIP "${feed}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)" + cnt_set="$("${ban_nftcmd}" -j list set inet banIP "${feed}" 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)" fi fi else 
@@ -916,7 +929,7 @@ f_rmset() { json_get_keys feedlist tmp_del="${ban_tmpfile}.final.delete" ruleset_raw="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null)" - table_sets="$(printf "%s\n" "${ruleset_raw}" | jsonfilter -qe '@.nftables[@.set.table="banIP"].set.name')" + table_sets="$(printf "%s\n" "${ruleset_raw}" | "${ban_jsoncmd}" -qe '@.nftables[@.set.table="banIP"].set.name')" { printf "%s\n\n" "#!/usr/sbin/nft -f" for item in ${table_sets}; do @@ -925,11 +938,11 @@ f_rmset() { del_set="${del_set}${item}, " rm -f "${ban_backupdir}/banIP.${item}.gz" printf "%s\n" "flush set inet banIP ${item}" - handle="$(printf "%s\n" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-input\"][@.expr[0].match.right=\"@${item}\"].handle")" + handle="$(printf "%s\n" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-input\"][@.expr[0].match.right=\"@${item}\"].handle")" [ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP wan-input handle ${handle}" - handle="$(printf "%s\n" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-forward\"][@.expr[0].match.right=\"@${item}\"].handle")" + handle="$(printf "%s\n" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-forward\"][@.expr[0].match.right=\"@${item}\"].handle")" [ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP wan-forward handle ${handle}" - handle="$(printf "%s\n" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"lan-forward\"][@.expr[0].match.right=\"@${item}\"].handle")" + handle="$(printf "%s\n" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"lan-forward\"][@.expr[0].match.right=\"@${item}\"].handle")" [ -n "${handle}" ] && printf "%s\n" "delete rule inet banIP lan-forward handle ${handle}" printf "%s\n\n" "delete set inet banIP ${item}" fi 
@@ -957,10 +970,10 @@ f_genstatus() { ban_endtime="$(date "+%s")" duration="$(((ban_endtime - ban_starttime) / 60))m $(((ban_endtime - ban_starttime) % 60))s" fi - table_sets="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null | jsonfilter -qe '@.nftables[@.set.table="banIP"].set.name')" + table_sets="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[@.set.table="banIP"].set.name')" if [ "${ban_reportelements}" = "1" ]; then for item in ${table_sets}; do - cnt_elements="$((cnt_elements + $("${ban_nftcmd}" -j list set inet banIP "${item}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)))" + cnt_elements="$((cnt_elements + $("${ban_nftcmd}" -j list set inet banIP "${item}" 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)))" done fi runtime="action: ${ban_action:-"-"}, duration: ${duration:-"-"}, date: $(date "+%Y-%m-%d %H:%M:%S")" @@ -1132,7 +1145,7 @@ f_report() { # json output preparation # ruleset_raw="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null)" - table_sets="$(printf "%s" "${ruleset_raw}" | jsonfilter -qe '@.nftables[@.set.table="banIP"].set.name')" + table_sets="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -qe '@.nftables[@.set.table="banIP"].set.name')" sum_sets="0" sum_setinput="0" sum_setforwardwan="0" 
@@ -1147,11 +1160,11 @@ f_report() { printf "%s\n" "{" printf "\t%s\n" '"sets":{' for item in ${table_sets}; do - set_cntinput="$(printf "%s" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-input\"][@.expr[0].match.right=\"@${item}\"].expr[*].counter.packets")" - set_cntforwardwan="$(printf "%s" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-forward\"][@.expr[0].match.right=\"@${item}\"].expr[*].counter.packets")" - set_cntforwardlan="$(printf "%s" "${ruleset_raw}" | jsonfilter -l1 -qe "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"lan-forward\"][@.expr[0].match.right=\"@${item}\"].expr[*].counter.packets")" + set_cntinput="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-input\"][@.expr[0].match.right=\"@${item}\"].expr[*].counter.packets")" + set_cntforwardwan="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"wan-forward\"][@.expr[0].match.right=\"@${item}\"].expr[*].counter.packets")" + set_cntforwardlan="$(printf "%s" "${ruleset_raw}" | "${ban_jsoncmd}" -ql1 -e "@.nftables[@.rule.table=\"banIP\"&&@.rule.chain=\"lan-forward\"][@.expr[0].match.right=\"@${item}\"].expr[*].counter.packets")" if [ "${ban_reportelements}" = "1" ]; then - set_cnt="$("${ban_nftcmd}" -j list set inet banIP "${item}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)" + set_cnt="$("${ban_nftcmd}" -j list set inet banIP "${item}" 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*]' | wc -l 2>/dev/null)" sum_setelements="$((sum_setelements + set_cnt))" else set_cnt="" 
@@ -1295,7 +1308,7 @@ f_search() { fi fi if [ -n "${proto}" ]; then - table_sets="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null | jsonfilter -qe "@.nftables[@.set.table=\"banIP\"&&@.set.type=\"ip${proto}_addr\"].set.name")" + table_sets="$("${ban_nftcmd}" -tj list ruleset 2>/dev/null | "${ban_jsoncmd}" -qe "@.nftables[@.set.table=\"banIP\"&&@.set.type=\"ip${proto}_addr\"].set.name")" else printf "%s\n%s\n%s\n" ":::" "::: no valid search input" ":::" return @@ -1332,7 +1345,7 @@ f_survey() { printf "%s\n%s\n%s\n" ":::" "::: no valid survey input" ":::" return fi - set_elements="$("${ban_nftcmd}" -j list set inet banIP "${input}" 2>/dev/null | jsonfilter -qe '@.nftables[*].set.elem[*]')" + set_elements="$("${ban_nftcmd}" -j list set inet banIP "${input}" 2>/dev/null | "${ban_jsoncmd}" -qe '@.nftables[*].set.elem[*]')" printf "%s\n%s\n%s\n" ":::" "::: banIP Survey" ":::" printf " %s\n" "List of elements in the Set '${input}' on $(date "+%Y-%m-%d %H:%M:%S")" printf " %s\n" "---" @@ -1366,7 +1379,7 @@ f_mail() { # log monitor # f_monitor() { - local nft_expiry line proto ip log_raw log_count + local nft_expiry line proto ip log_raw log_count rdap_log rdap_rc rdap_elements rdap_info if [ -x "${ban_logreadcmd}" ] && [ -n "${ban_logterm%%??}" ] && [ "${ban_loglimit}" != "0" ]; then @@ -1375,6 +1388,7 @@ f_monitor() { "${ban_logreadcmd}" -fe "${ban_logterm%%??}" 2>/dev/null | while read -r line; do + : >"{ban_rdapfile}" proto="" ip="$(printf "%s" "${line}" | "${ban_awkcmd}" 'BEGIN{RS="(([0-9]{1,3}\\.){3}[0-9]{1,3})+"}{if(!seen[RT]++)printf "%s ",RT}')" ip="$(f_trim "${ip}")" 
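Review bot: `: >"{ban_rdapfile}"` is missing the `$`, so each log line truncates a literal file named `{ban_rdapfile}` in the monitor's working directory and the RDAP response file is never cleared; it must be `: >"${ban_rdapfile}"`. Without the reset, a response left over from an earlier IP survives a later failed download, and the only thing keeping that stale CIDR out of the blocklist is the `rdap_rc` check in the following hunk. f_monitor begins before this hunk.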
@@ -1387,17 +1401,34 @@ f_monitor() {
 [ -n "${ip}" ] && proto="v6"
 fi
 if [ -n "${proto}" ] && ! "${ban_nftcmd}" get element inet banIP blocklist"${proto}" "{ ${ip} }" >/dev/null 2>&1; then
- f_log "info" "suspicious IP${proto} '${ip}'"
+ f_log "info" "suspicious IP '${ip}'"
 log_raw="$("${ban_logreadcmd}" -l "${ban_loglimit}" 2>/dev/null)"
- log_count="$(printf "%s\n" "${log_raw}" | "${ban_grepcmd}" -c "suspicious IP${proto} '${ip}'")"
+ log_count="$(printf "%s\n" "${log_raw}" | "${ban_grepcmd}" -c "suspicious IP '${ip}'")"
 if [ "${log_count}" -ge "${ban_logcount}" ]; then
- if "${ban_nftcmd}" add element inet banIP "blocklist${proto}" "{ ${ip} ${nft_expiry} }" >/dev/null 2>&1; then
- f_log "info" "add IP${proto} '${ip}' (expiry: ${ban_nftexpiry:-"-"}) to blocklist${proto} set"
- if [ -z "${ban_nftexpiry}" ] && [ "${ban_autoblocklist}" = "1" ] && ! "${ban_grepcmd}" -q "^${ip}" "${ban_blocklist}"; then
- printf "%-42s%s\n" "${ip}" "# added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_blocklist}"
- f_log "info" "add IP${proto} '${ip}' to local blocklist"
+ if [ "${ban_autoblocksubnet}" = "1" ]; then
+ rdap_log="$("${ban_fetchcmd}" ${ban_rdapparm} "${ban_rdapfile}" "${ban_rdapurl}${ip}" 2>&1)"
+ rdap_rc="${?}"
+ if [ "${rdap_rc}" = "0" ] && [ -s "${ban_rdapfile}" ]; then
+ rdap_elements="$(jsonfilter -i "${ban_rdapfile}" -qe '@.cidr0_cidrs.*' | awk 'BEGIN{FS="[\" ]"}{printf "%s/%s, ",$6,$11}')"
+ rdap_info="$(jsonfilter -i "${ban_rdapfile}" -qe '@.country' -qe '@.notices[@.title="Source"].description[1]' | awk 'BEGIN{RS="";FS="\n"}{printf "%s, %s",$1,$2}')"
+ if [ -n "${rdap_elements//\/*/}" ]; then
+ if "${ban_nftcmd}" add element inet banIP "blocklist${proto}" "{ ${rdap_elements%%??} ${nft_expiry} }" >/dev/null 2>&1; then
+ f_log "info" "add IP range '${rdap_elements%%??}' (source: ${rdap_info:-"-"} ::: expiry: ${ban_nftexpiry:-"-"}) to blocklist${proto} set"
+ fi
+ fi
+ else
+ f_log "info" "rdap request failed (rc: ${rdap_rc:-"-"}/log: ${rdap_log})"
+ fi
+ fi
+ if [ 
"${ban_autoblocksubnet}" = "0" ] || [ "${rdap_rc}" != "0" ] || [ ! -s "${ban_rdapfile}" ] || [ -z "${rdap_elements//\/*/}" ]; then + if "${ban_nftcmd}" add element inet banIP "blocklist${proto}" "{ ${ip} ${nft_expiry} }" >/dev/null 2>&1; then + f_log "info" "add IP '${ip}' (expiry: ${ban_nftexpiry:-"-"}) to blocklist${proto} set" fi fi + if [ -z "${ban_nftexpiry}" ] && [ "${ban_autoblocklist}" = "1" ] && ! "${ban_grepcmd}" -q "^${ip}" "${ban_blocklist}"; then + printf "%-42s%s\n" "${ip}" "# added on $(date "+%Y-%m-%d %H:%M:%S")" >>"${ban_blocklist}" + f_log "info" "add IP '${ip}' to local blocklist" + fi fi fi done From dd3a67536b3e6345b7d9c534685dbc6bba3f17b6 Mon Sep 17 00:00:00 2001 From: Dirk Brenken Date: Wed, 21 Jun 2023 10:53:19 +0200 Subject: [PATCH 11/13] banip: release 0.8.8-1 * Support MAC-/IPv4/IPv6 ranges in CIDR notation * Support concatenation of local MAC addresses with IPv4/IPv6 addresses, e.g. to enforce dhcp assignments (see readme) * small fixes & cosmetics * update readme Signed-off-by: Dirk Brenken (cherry picked from commit b9bd6cdb0dcd85b30999b162a06a10c5229908e7) --- net/banip/Makefile | 2 +- net/banip/files/README.md | 105 ++++++++++++++++------------- net/banip/files/banip-functions.sh | 53 +++++++++------ net/banip/files/banip-service.sh | 14 ++-- 4 files changed, 97 insertions(+), 77 deletions(-) diff --git a/net/banip/Makefile b/net/banip/Makefile index 7ca6d9de33..2aa306ed43 100644 --- a/net/banip/Makefile +++ b/net/banip/Makefile @@ -5,7 +5,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=banip -PKG_VERSION:=0.8.7 +PKG_VERSION:=0.8.8 PKG_RELEASE:=1 PKG_LICENSE:=GPL-3.0-or-later PKG_MAINTAINER:=Dirk Brenken diff --git a/net/banip/files/README.md b/net/banip/files/README.md index c30b7865f4..88e4374377 100644 --- a/net/banip/files/README.md +++ b/net/banip/files/README.md 
@@ -61,12 +61,14 @@ IP address blocking is commonly used to protect against brute force attacks, pre
 * Full IPv4 and IPv6 support
 * Supports nft atomic Set loading
 * Supports blocking by ASN numbers and by iso country codes
-* Supports local allow- and blocklist (IPv4, IPv6, CIDR notation or domain names)
+* Supports local allow- and blocklist with MAC/IPv4/IPv6 addresses or domain names
+* Supports concatenation of local MAC addresses with IPv4/IPv6 addresses, e.g. to enforce dhcp assignments
+* All local input types support ranges in CIDR notation
 * Auto-add the uplink subnet or uplink IP to the local allowlist
-* Provides a small background log monitor to ban unsuccessful login attempts in real-time
+* Provides a small background log monitor to ban unsuccessful login attempts in real-time (like fail2ban, crowdsec etc.)
 * Auto-add unsuccessful LuCI, nginx, Asterisk or ssh login attempts to the local blocklist
 * Auto-add entire subnets to the blocklist Sets based on an additional RDAP request with the monitored suspicious IP
-* Fast feed processing as they are handled in parallel as background jobs
+* Fast feed processing as they are handled in parallel as background jobs (on capable multi-core hardware)
 * Per feed it can be defined whether the wan-input chain, the wan-forward chain or the lan-forward chain should be blocked (default: all chains)
 * Automatic blocklist backup & restore, the backups will be used in case of download errors or during startup
 * Automatically selects one of the following download utilities with ssl support: aria2c, curl, uclient-fetch or full wget
@@ -188,62 +190,54 @@ Available commands: ::: ::: banIP Set Statistics ::: - Timestamp: 2023-02-25 08:35:37 + Timestamp: 2023-06-21 07:03:23 ------------------------------ - auto-added to allowlist: 0 - auto-added to blocklist: 4 + auto-added to allowlist today: 0 + auto-added to blocklist today: 0 Set | Elements | WAN-Input (packets) | WAN-Forward (packets) | LAN-Forward (packets) ---------------------+--------------+-----------------------+-----------------------+------------------------ - allowlistvMAC | 0 | - | - | OK: 0 - allowlistv4 | 15 | OK: 0 | OK: 0 | OK: 0 + allowlistv4MAC | 0 | - | - | OK: 0 + allowlistv6MAC | 0 | - | - | OK: 0 + allowlistv4 | 1 | OK: 0 | OK: 0 | OK: 0 allowlistv6 | 1 | OK: 0 | OK: 0 | OK: 0 - torv4 | 800 | OK: 0 | OK: 0 | OK: 0 - torv6 | 432 | OK: 0 | OK: 0 | OK: 0 - countryv6 | 34282 | OK: 0 | OK: 1 | - - countryv4 | 35508 | OK: 1872 | OK: 0 | - - dohv6 | 343 | - | - | OK: 0 - dohv4 | 540 | - | - | OK: 3 - firehol1v4 | 1670 | OK: 296 | OK: 0 | OK: 16 - deblv4 | 12402 | OK: 4 | OK: 0 | OK: 0 - deblv6 | 41 | OK: 0 | OK: 0 | OK: 0 - adguardv6 | 12742 | - | - | OK: 161 - adguardv4 | 23183 | - | - | OK: 212 - adguardtrackersv6 | 169 | - | - | OK: 0 - adguardtrackersv4 | 633 | - | - | OK: 0 - adawayv6 | 2737 | - | - | OK: 15 - adawayv4 | 6542 | - | - | OK: 137 - oisdsmallv6 | 10569 | - | - | OK: 0 - oisdsmallv4 | 18800 | - | - | OK: 74 - stevenblackv6 | 11901 | - | - | OK: 4 - stevenblackv4 | 16776 | - | - | OK: 139 - yoyov6 | 215 | - | - | OK: 0 - yoyov4 | 309 | - | - | OK: 0 - antipopadsv4 | 1872 | - | - | OK: 0 - urlhausv4 | 7431 | OK: 0 | OK: 0 | OK: 0 - antipopadsv6 | 2081 | - | - | OK: 2 - blocklistvMAC | 0 | - | - | OK: 0 - blocklistv4 | 1174 | OK: 1 | OK: 0 | OK: 0 - blocklistv6 | 40 | OK: 0 | OK: 0 | OK: 0 + cinsscorev4 | 13115 | OK: 142 | OK: 0 | - + deblv4 | 8076 | OK: 5 | OK: 0 | OK: 0 + countryv6 | 37313 | OK: 0 | OK: 1 | - + countryv4 | 36155 | OK: 33 | OK: 0 | - + deblv6 | 15 | OK: 0 | OK: 0 | OK: 0 + dropv6 | 35 | OK: 0 | 
OK: 0 | OK: 0 + dropv4 | 620 | OK: 0 | OK: 0 | OK: 0 + dohv6 | 598 | - | - | OK: 0 + dohv4 | 902 | - | - | OK: 0 + edropv4 | 247 | OK: 0 | OK: 0 | OK: 0 + threatviewv4 | 571 | OK: 0 | OK: 0 | OK: 0 + firehol1v4 | 877 | OK: 8 | OK: 0 | OK: 0 + ipthreatv4 | 5751 | OK: 0 | OK: 0 | OK: 0 + urlvirv4 | 169 | OK: 0 | OK: 0 | OK: 0 + blocklistv4MAC | 0 | - | - | OK: 0 + blocklistv6MAC | 0 | - | - | OK: 0 + blocklistv4 | 3 | OK: 0 | OK: 0 | OK: 0 + blocklistv6 | 0 | OK: 0 | OK: 0 | OK: 0 ---------------------+--------------+-----------------------+-----------------------+------------------------ - 30 | 203208 | 12 (2173) | 12 (1) | 28 (763) + 22 | 104449 | 16 (188) | 16 (1) | 19 (0) ``` **banIP runtime information** ``` -~# /etc/init.d/banip status +root@blackhole:~# /etc/init.d/banip status ::: banIP runtime information + status : active (nft: ✔, monitor: ✔) - + version : 0.8.6-2 - + element_count : 172309 - + active_feeds : allowlistvMAC, allowlistv6, allowlistv4, adawayv4, adguardtrackersv4, adawayv6, adguardv6, adguardv4, urlvirv4, adguardtrackersv6, oisdbigv6, oisdbigv4, blocklistvMAC, blocklistv4, blocklistv6 + + version : 0.8.8-1 + + element_count : 104449 + + active_feeds : allowlistv4MAC, allowlistv6MAC, allowlistv4, allowlistv6, cinsscorev4, deblv4, countryv6, countryv4, deblv6, dropv6, dropv4, dohv6, dohv4, edropv4, threatviewv4, firehol1v4, ipthreatv4, urlvirv4, blocklistv4MAC, blocklistv6MAC, blocklistv4, blocklistv6 + active_devices : br-wan ::: wan, wan6 - + active_uplink : 91.64.173.145, 2a12:610c:0:80:848b:3ad0:4e05:abb + + active_uplink : 91.63.198.120, 2a12:810c:0:80:a20d:52c3:5cf:f4f + nft_info : priority: -200, policy: performance, loglevel: warn, expiry: - + run_info : base: /mnt/data/banIP, backup: /mnt/data/banIP/backup, report: /mnt/data/banIP/report, custom feed: ✘ + run_flags : auto: ✔, proto (4/6): ✔/✔, log (wan-inp/wan-fwd/lan-fwd): ✔/✔/✔, dedup: ✔, split: ✘, allowed only: ✘ - + last_run : action: restart, duration: 0m 22s, date: 2023-05-15 
22:39:15 - + system_info : cores: 4, memory: 1798, device: Bananapi BPI-R3, OpenWrt SNAPSHOT r22784-1645c34d56 + + last_run : action: restart, duration: 0m 19s, date: 2023-06-21 06:45:52 + + system_info : cores: 4, memory: 1634, device: Bananapi BPI-R3, OpenWrt SNAPSHOT r23398-c4be106f4d ``` **banIP search information** 
@@ -292,14 +286,35 @@ list ban_logterm 'SecurityEvent=\"InvalidAccountID\".*RemoteAddress=' ``` **allow-/blocklist handling** -banIP supports local allow and block lists (IPv4, IPv6, CIDR notation or domain names), located in /etc/banip/banip.allowlist and /etc/banip/banip.blocklist. +banIP supports local allow and block lists, MAC/IPv4/IPv6 addresses (incl. ranges in CIDR notation) or domain names. These files are located in /etc/banip/banip.allowlist and /etc/banip/banip.blocklist. Unsuccessful login attempts or suspicious requests will be tracked and added to the local blocklist (see the 'ban_autoblocklist' option). The blocklist behaviour can be further tweaked with the 'ban_nftexpiry' option. Depending on the options 'ban_autoallowlist' and 'ban_autoallowuplink' the uplink subnet or the uplink IP will be added automatically to local allowlist. Furthermore, you can reference external Allowlist URLs with additional IPv4 and IPv6 feeds (see 'ban_allowurl'). Both local lists also accept domain names as input to allow IP filtering based on these names. The corresponding IPs (IPv4 & IPv6) will be extracted and added to the Sets. You can also start the domain lookup separately via /etc/init.d/banip lookup at any time. +**MAC/IP-binding** +banIP supports concatenation of local MAC addresses with IPv4/IPv6 addresses, e.g. to enforce dhcp assignments. 
Following notations in the local allow and block lists are allowed: +``` +MAC-address only: +C8:C2:9B:F7:80:12 => this will be populated to the v4MAC- and v6MAC-Sets with the IP-wildcards 0.0.0.0/0 and ::/0 + +MAC-address with IPv4 concatenation: +C8:C2:9B:F7:80:12 192.168.1.10 => this will be populated only to v4MAC-Set with the certain IP, no entry in the v6MAC-Set + +MAC-address with IPv6 concatenation: +C8:C2:9B:F7:80:12 2a02:810c:0:80:a10e:62c3:5af:f3f => this will be populated only to v6MAC-Set with the certain IP, no entry in the v4MAC-Set + +MAC-address with IPv4 and IPv6 concatenation: +C8:C2:9B:F7:80:12 192.168.1.10 => this will be populated to v4MAC-Set with the certain IP +C8:C2:9B:F7:80:12 2a02:810c:0:80:a10e:62c3:5af:f3f => this will be populated to v6MAC-Set with the certain IP + +MAC-address with IPv4 and IPv6 wildcard concatenation: +C8:C2:9B:F7:80:12 192.168.1.10 => this will be populated to v4MAC-Set with the certain IP +C8:C2:9B:F7:80:12 => this will be populated to v6MAC-Set with the IP-wildcard ::/0 +``` + **allowlist-only mode** -banIP supports an "allowlist only" mode. This option restricts the internet access from/to a small number of secure websites/IPs, and block access from/to the rest of the internet. All IPs and Domains which are _not_ listed in the allowlist are blocked. +banIP supports an "allowlist only" mode. This option restricts the internet access from/to a small number of secure MACs, IPs or domains, and block access from/to the rest of the internet. All IPs and Domains which are _not_ listed in the allowlist are blocked. **redirect Asterisk security logs to lodg/logread** banIP only supports logfile scanning via logread, so to monitor attacks on Asterisk, its security log must be available via logread. To do this, edit '/etc/asterisk/logger.conf' and add the line 'syslog.local0 = security', then run 'asterisk -rx reload logger' to update the running Asterisk configuration. 
diff --git a/net/banip/files/banip-functions.sh b/net/banip/files/banip-functions.sh
index 9731c71641..92d8e5a2a8 100644
--- a/net/banip/files/banip-functions.sh
+++ b/net/banip/files/banip-functions.sh
@@ -23,9 +23,6 @@ ban_rtfile="/var/run/banip_runtime.json"
 ban_rdapfile="/var/run/banip_rdap.json"
 ban_rdapurl="https://rdap.db.ripe.net/ip/"
 ban_lock="/var/run/banip.lock"
-ban_fetchcmd=""
-ban_fetchparm=""
-ban_rdapparm=""
 ban_logreadcmd="$(command -v logread)"
 ban_logcmd="$(command -v logger)"
 ban_ubuscmd="$(command -v ubus)"
@@ -77,8 +74,11 @@ ban_ifv4=""
 ban_ifv6=""
 ban_dev=""
 ban_uplink=""
+ban_fetchcmd=""
+ban_fetchparm=""
 ban_fetchinsecure=""
 ban_fetchretry="5"
+ban_rdapparm=""
 ban_cores=""
 ban_memory=""
 ban_packages=""
@@ -189,6 +189,7 @@ f_rmpid() {
 for pid in ${pids}; do
 kill -INT "${pid}" >/dev/null 2>&1
 done
+ : >"${ban_rdapfile}"
 : >"${ban_pidfile}"
 }
@@ -282,7 +283,7 @@ f_conf() {
 f_actual() {
 local nft monitor
- if "${ban_nftcmd}" -t list set inet banIP allowlistvMAC >/dev/null 2>&1; then
+ if "${ban_nftcmd}" -t list set inet banIP allowlistv4MAC >/dev/null 2>&1; then
 nft="$(f_char "1")"
 else
 nft="$(f_char "0")"
@@ -510,7 +511,7 @@ f_nftinit() {
 # nft header (tables and chains)
 #
 printf "%s\n\n" "#!/usr/sbin/nft -f"
- if "${ban_nftcmd}" -t list set inet banIP allowlistvMAC >/dev/null 2>&1; then
+ if "${ban_nftcmd}" -t list set inet banIP allowlistv4MAC >/dev/null 2>&1; then
 printf "%s\n" "delete table inet banIP"
 fi
 printf "%s\n" "add table inet banIP"
@@ -644,12 +645,16 @@ f_down() {
 {
 printf "%s\n\n" "#!/usr/sbin/nft -f"
 [ -s "${tmp_flush}" ] && "${ban_catcmd}" "${tmp_flush}"
- if [ "${proto}" = "MAC" ]; then
- "${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s, ",tolower($1)}' "${tmp_allow}" >"${tmp_file}"
- printf "%s\n" "add set inet banIP ${feed} { type ether_addr; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
- [ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ether saddr @${feed} counter accept"
+ if [ "${proto}" = "4MAC" ]; then
+ "${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}(\/([0-9]|[1-3][0-9]|4[0-8]))?([[:space:]]+([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?[[:space:]]*$|[[:space:]]+$|$)/{if(!$2)$2="0.0.0.0/0";if(!seen[$1]++)printf "%s . %s, ",tolower($1),$2}' "${tmp_allow}" >"${tmp_file}"
+ printf "%s\n" "add set inet banIP ${feed} { type ether_addr . ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
+ [ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ether saddr . ip saddr @${feed} counter accept"
+ elif [ "${proto}" = "6MAC" ]; then
+ "${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}(\/([0-9]|[1-3][0-9]|4[0-8]))?([[:space:]]+([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?[[:space:]]*$|[[:space:]]+$|$)/{if(!$2)$2="::/0";if(!seen[$1]++)printf "%s . %s, ",tolower($1),$2}' "${tmp_allow}" >"${tmp_file}"
+ printf "%s\n" "add set inet banIP ${feed} { type ether_addr . ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
+ [ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ether saddr . 
ip6 saddr @${feed} counter accept"
 elif [ "${proto}" = "4" ]; then
- "${ban_awkcmd}" '/^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{printf "%s, ",$1}' "${tmp_allow}" >"${tmp_file}"
+ "${ban_awkcmd}" '/^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]].*|$)/{printf "%s, ",$1}' "${tmp_allow}" >"${tmp_file}"
 printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
 if [ -z "${feed_direction##*input*}" ]; then
 if [ "${ban_allowlistonly}" = "1" ]; then
@@ -673,8 +678,8 @@ f_down() {
 fi
 fi
 elif [ "${proto}" = "6" ]; then
- "${ban_awkcmd}" '!/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s\n",$1}' "${tmp_allow}" |
- "${ban_awkcmd}" '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{printf "%s, ",tolower($1)}' >"${tmp_file}"
+ "${ban_awkcmd}" '!/^([0-9A-f]{2}:){5}[0-9A-f]{2}.*/{printf "%s\n",$1}' "${tmp_allow}" |
+ "${ban_awkcmd}" '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]].*|$)/{printf "%s, ",tolower($1)}' >"${tmp_file}"
 printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
 if [ -z "${feed_direction##*input*}" ]; then
 if [ "${ban_allowlistonly}" = "1" ]; then
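Review bot: The MAC patterns in the new 4MAC/6MAC branches use the bracket range `[0-9A-f]`, which in the C locale runs from `A` to `f` by code point and therefore also admits `G`–`Z`, `[`, `\`, `]`, `^`, `_` and backtick; a mistyped allowlist entry such as `C8:C2:9B:F7:8G:12` passes the filter and is written into the generated `add set ...` line, where nft will most likely reject the whole set definition rather than the single element. Write the class as `[0-9A-Fa-f]` in both awk programs; the same range appears in the blocklist branches of the @@ -704 hunk and in the MAC-exclusion patterns of the @@ -673 and @@ -724 hunks. Separately, `if(!seen[$1]++)` keeps only the first line per MAC, so a MAC listed with two different IPv4 addresses silently loses the second — if that is intended it deserves a sentence in the README's MAC/IP-binding section. f_down begins before and ends after this hunk.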
@@ -704,18 +709,22 @@ f_down() {
 {
 printf "%s\n\n" "#!/usr/sbin/nft -f"
 [ -s "${tmp_flush}" ] && "${ban_catcmd}" "${tmp_flush}"
- if [ "${proto}" = "MAC" ]; then
- "${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s, ",tolower($1)}' "${ban_blocklist}" >"${tmp_file}"
- printf "%s\n" "add set inet banIP ${feed} { type ether_addr; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
- [ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ether saddr @${feed} ${log_forwardlan} counter reject"
+ if [ "${proto}" = "4MAC" ]; then
+ "${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}(\/([0-9]|[1-3][0-9]|4[0-8]))?([[:space:]]+([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?[[:space:]]*$|[[:space:]]+$|$)/{if(!$2)$2="0.0.0.0/0";if(!seen[$1]++)printf "%s . %s, ",tolower($1),$2}' "${ban_blocklist}" >"${tmp_file}"
+ printf "%s\n" "add set inet banIP ${feed} { type ether_addr . ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
+ [ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ether saddr . ip saddr @${feed} counter reject"
+ elif [ "${proto}" = "6MAC" ]; then
+ "${ban_awkcmd}" '/^([0-9A-f]{2}:){5}[0-9A-f]{2}(\/([0-9]|[1-3][0-9]|4[0-8]))?([[:space:]]+([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?[[:space:]]*$|[[:space:]]+$|$)/{if(!$2)$2="::/0";if(!seen[$1]++)printf "%s . %s, ",tolower($1),$2}' "${ban_blocklist}" >"${tmp_file}"
+ printf "%s\n" "add set inet banIP ${feed} { type ether_addr . ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
+ [ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ether saddr . 
ip6 saddr @${feed} counter reject"
 elif [ "${proto}" = "4" ]; then
 if [ "${ban_deduplicate}" = "1" ]; then
- "${ban_awkcmd}" '/^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{printf "%s,\n",$1}' "${ban_blocklist}" >"${tmp_raw}"
+ "${ban_awkcmd}" '/^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]].*|$)/{printf "%s,\n",$1}' "${ban_blocklist}" >"${tmp_raw}"
 "${ban_awkcmd}" 'NR==FNR{member[$0];next}!($0 in member)' "${ban_tmpfile}.deduplicate" "${tmp_raw}" 2>/dev/null >"${tmp_split}"
 "${ban_awkcmd}" 'BEGIN{FS="[ ,]"}NR==FNR{member[$1];next}!($1 in member)' "${ban_tmpfile}.deduplicate" "${ban_blocklist}" 2>/dev/null >"${tmp_raw}"
 "${ban_catcmd}" "${tmp_raw}" 2>/dev/null >"${ban_blocklist}"
 else
- "${ban_awkcmd}" '/^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{printf "%s,\n",$1}' "${ban_blocklist}" >"${tmp_split}"
+ "${ban_awkcmd}" '/^(([0-9]{1,3}\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]].*|$)/{printf "%s,\n",$1}' "${ban_blocklist}" >"${tmp_split}"
 fi
 "${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}"
 printf "%s\n" "add set inet banIP ${feed} { type ipv4_addr; flags interval, timeout; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
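Review bot: The rewritten lan-forward rules for the MAC blocklist sets drop `${log_forwardlan}`: the removed line emitted `... ether saddr @${feed} ${log_forwardlan} counter reject`, while the new 4MAC and 6MAC lines emit `... ether saddr . ip saddr @${feed} counter reject` and `... ip6 saddr @${feed} counter reject`, so the lan-forward log option no longer applies to MAC-based blocks even though the IPv4 rule further down in the same function still carries it (`ip daddr @${feed} ${log_forwardlan} counter reject with icmp type admin-prohibited`). Unless that is intended, restore it in both rule strings, e.g. `... ether saddr . ip saddr @${feed} ${log_forwardlan} counter reject`; a MAC/IP pairing that is blocked without a log line is invisible to anyone monitoring the firewall log. f_down continues outside this hunk.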
@@ -724,14 +733,14 @@ f_down() {
 [ -z "${feed_direction##*forwardlan*}" ] && printf "%s\n" "add rule inet banIP lan-forward ip daddr @${feed} ${log_forwardlan} counter reject with icmp type admin-prohibited"
 elif [ "${proto}" = "6" ]; then
 if [ "${ban_deduplicate}" = "1" ]; then
- "${ban_awkcmd}" '!/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s\n",$1}' "${ban_blocklist}" |
- "${ban_awkcmd}" '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{printf "%s,\n",tolower($1)}' >"${tmp_raw}"
+ "${ban_awkcmd}" '!/^([0-9A-f]{2}:){5}[0-9A-f]{2}.*/{printf "%s\n",$1}' "${ban_blocklist}" |
+ "${ban_awkcmd}" '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]].*|$)/{printf "%s,\n",tolower($1)}' >"${tmp_raw}"
 "${ban_awkcmd}" 'NR==FNR{member[$0];next}!($0 in member)' "${ban_tmpfile}.deduplicate" "${tmp_raw}" 2>/dev/null >"${tmp_split}"
 "${ban_awkcmd}" 'BEGIN{FS="[ ,]"}NR==FNR{member[$1];next}!($1 in member)' "${ban_tmpfile}.deduplicate" "${ban_blocklist}" 2>/dev/null >"${tmp_raw}"
 "${ban_catcmd}" "${tmp_raw}" 2>/dev/null >"${ban_blocklist}"
 else
- "${ban_awkcmd}" '!/^([0-9A-f]{2}:){5}[0-9A-f]{2}([[:space:]]|$)/{printf "%s\n",$1}' "${ban_blocklist}" |
- "${ban_awkcmd}" '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]]|$)/{printf "%s,\n",tolower($1)}' >"${tmp_split}"
+ "${ban_awkcmd}" '!/^([0-9A-f]{2}:){5}[0-9A-f]{2}.*/{printf "%s\n",$1}' "${ban_blocklist}" |
+ "${ban_awkcmd}" '/^(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]].*|$)/{printf "%s,\n",tolower($1)}' >"${tmp_split}"
 fi
 "${ban_awkcmd}" '{ORS=" ";print}' "${tmp_split}" 2>/dev/null >"${tmp_file}"
 printf "%s\n" "add set inet banIP ${feed} { type ipv6_addr; flags interval, timeout; auto-merge; policy ${ban_nftpolicy}; $(f_getelements "${tmp_file}") }"
diff --git a/net/banip/files/banip-service.sh b/net/banip/files/banip-service.sh
index 3f43ef34c9..1170c8b1d5 100755
--- a/net/banip/files/banip-service.sh
+++ b/net/banip/files/banip-service.sh
@@ -45,7 +45,7 @@ fi
 # init nft namespace
 #
-if [ "${ban_action}" != "reload" ] || ! "${ban_nftcmd}" -t list set inet banIP allowlistvMAC >/dev/null 2>&1; then
+if [ "${ban_action}" != "reload" ] || ! "${ban_nftcmd}" -t list set inet banIP allowlistv4MAC >/dev/null 2>&1; then
 if f_nftinit "${ban_tmpfile}".init.nft; then
 f_log "info" "initialize nft namespace"
 else
@@ -56,22 +56,18 @@ fi
 # handle downloads
 #
 f_log "info" "start banIP download processes"
-if [ "${ban_allowlistonly}" = "1" ]; then
- ban_feed=""
-else
- f_getfeed
- [ "${ban_deduplicate}" = "1" ] && printf "\n" >"${ban_tmpfile}.deduplicate"
-fi
+[ "${ban_allowlistonly}" = "1" ] && ban_feed="" || f_getfeed
+[ "${ban_deduplicate}" = "1" ] && printf "\n" >"${ban_tmpfile}.deduplicate"
 cnt="1"
 for feed in allowlist ${ban_feed} blocklist; do
 # local feeds
 #
 if [ "${feed}" = "allowlist" ] || [ "${feed}" = "blocklist" ]; then
- for proto in MAC 4 6; do
+ for proto in 4MAC 6MAC 4 6; do
 [ "${feed}" = "blocklist" ] && wait
 (f_down "${feed}" "${proto}") &
- [ "${feed}" = "blocklist" ] || { [ "${feed}" = "allowlist" ] && [ "${proto}" = "MAC" ]; } && wait
+ [ "${feed}" = "blocklist" ] || { [ "${feed}" = "allowlist" ] && { [ "${proto}" = "4MAC" ] || [ "${proto}" = "6MAC" ]; }; } && wait
 hold="$((cnt % ban_cores))"
 [ "${hold}" = "0" ] && wait
 cnt="$((cnt + 1))"
From 4ccbbab78fbd40bad1defd6614b13edade977784 Mon Sep 17 00:00:00 2001 From: Dirk Brenken Date: Sat, 24 Jun 2023 13:09:40 +0200 Subject: [PATCH 12/13] banip: update 0.8.8-2 * process local lists in strict sequential order to prevent possible race conditions * support ranges in the IP search, too * fix some minor search issues 
Signed-off-by: Dirk Brenken (cherry picked from commit c3084be415f5c701a319342c85ca626996b5b463) --- net/banip/Makefile | 2 +- net/banip/files/banip-functions.sh | 11 ++++------- net/banip/files/banip-service.sh | 11 +++-------- 3 files changed, 8 insertions(+), 16 deletions(-)
diff --git a/net/banip/Makefile b/net/banip/Makefile
index 2aa306ed43..95dc366415 100644
--- a/net/banip/Makefile
+++ b/net/banip/Makefile
@@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=banip
 PKG_VERSION:=0.8.8
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_LICENSE:=GPL-3.0-or-later
 PKG_MAINTAINER:=Dirk Brenken
diff --git a/net/banip/files/banip-functions.sh b/net/banip/files/banip-functions.sh
index 92d8e5a2a8..a04265f65e 100644
--- a/net/banip/files/banip-functions.sh
+++ b/net/banip/files/banip-functions.sh
@@ -1309,10 +1309,10 @@ f_search() {
 local item table_sets ip proto hold cnt result_flag="/var/run/banIP.search"
 input="${1}"
 if [ -n "${input}" ]; then
- ip="$(printf "%s" "${input}" | "${ban_awkcmd}" 'BEGIN{RS="(([0-9]{1,3}\\.){3}[0-9]{1,3})+"}{printf "%s",RT}')"
+ ip="$(printf "%s" "${input}" | "${ban_awkcmd}" 'BEGIN{RS="(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?[[:space:]]*$)"}{printf "%s",RT}')"
 [ -n "${ip}" ] && proto="v4"
 if [ -z "${proto}" ]; then
- ip="$(printf "%s" "${input}" | "${ban_awkcmd}" 'BEGIN{RS="([A-Fa-f0-9]{1,4}::?){3,7}[A-Fa-f0-9]{1,4}"}{printf "%s",RT}')"
+ ip="$(printf "%s" "${input}" | "${ban_awkcmd}" 'BEGIN{RS="(([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?)([[:space:]].*|$)"}{printf "%s",RT}')"
 [ -n "${ip}" ] && proto="v6"
 fi
 fi
@@ -1327,10 +1327,7 @@ f_search() {
 printf " %s\n" "---"
 cnt="1"
 for item in ${table_sets}; do
- if [ -f "${result_flag}" ]; then
- rm -f "${result_flag}"
- return
- fi
+ [ -f "${result_flag}" ] && break
 (
 if "${ban_nftcmd}" get element inet banIP "${item}" "{ ${ip} }" >/dev/null 2>&1; then
 printf " %s\n" "IP found in Set '${item}'"
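Review bot: In the new IPv6 record separator the trailing group `([[:space:]].*|$)` is part of the match, so `RT` — and with it the `ip` that later goes into `"${ban_nftcmd}" get element inet banIP "${item}" "{ ${ip} }"` — carries any text that follows the address; the IPv4 separator on the line above avoids this by ending in `[[:space:]]*$`. Use `([[:space:]]*$)` for IPv6 as well. Both new patterns also write `\/` inside an awk string constant, whereas the old line doubled the backslash (`\\.`) and the handling of unknown string escapes differs between awk implementations; since `/` is not a regex metacharacter outside a `/.../` literal, a plain `/` is sufficient. f_search's body continues in the next hunk.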
@@ -1342,7 +1339,7 @@ f_search() {
 cnt="$((cnt + 1))"
 done
 wait
- printf " %s\n" "IP not found"
+ [ -f "${result_flag}" ] && rm -f "${result_flag}" || printf " %s\n" "IP not found"
 }
 # Set survey
diff --git a/net/banip/files/banip-service.sh b/net/banip/files/banip-service.sh
index 1170c8b1d5..47abf43cac 100755
--- a/net/banip/files/banip-service.sh
+++ b/net/banip/files/banip-service.sh
@@ -61,22 +61,17 @@ f_log "info" "start banIP download processes"
 cnt="1"
 for feed in allowlist ${ban_feed} blocklist; do
- # local feeds
+ # local feeds (sequential processing)
 #
 if [ "${feed}" = "allowlist" ] || [ "${feed}" = "blocklist" ]; then
 for proto in 4MAC 6MAC 4 6; do
 [ "${feed}" = "blocklist" ] && wait
- (f_down "${feed}" "${proto}") &
- [ "${feed}" = "blocklist" ] || { [ "${feed}" = "allowlist" ] && { [ "${proto}" = "4MAC" ] || [ "${proto}" = "6MAC" ]; }; } && wait
- hold="$((cnt % ban_cores))"
- [ "${hold}" = "0" ] && wait
- cnt="$((cnt + 1))"
+ f_down "${feed}" "${proto}"
 done
- wait
 continue
 fi
- # external feeds
+ # external feeds (parallel processing on multicore hardware)
 #
 if ! json_select "${feed}" >/dev/null 2>&1; then
 f_log "info" "remove unknown feed '${feed}'"
From 8939b43659dabe9b737feee02976949ad0355adc Mon Sep 17 00:00:00 2001 From: Huangbin Zhan Date: Wed, 14 Jun 2023 12:19:28 +0800 Subject: [PATCH 13/13] haproxy: update to v2.8.0 - New major LTS release (https://www.mail-archive.com/haproxy@formilux.org/msg43600.html) Signed-off-by: Huangbin Zhan (cherry picked from commit 3e454f418da95e4dff75ac2ff995f204dfe3dc2c) --- net/haproxy/Makefile | 6 +++--- net/haproxy/get-latest-patches.sh | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/net/haproxy/Makefile b/net/haproxy/Makefile
index 70b776f6a0..a1f858c4ca 100644
--- a/net/haproxy/Makefile
+++ b/net/haproxy/Makefile
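Review bot: `[ -f "${result_flag}" ] && rm -f "${result_flag}" || printf " %s\n" "IP not found"` is not an if/else: should `rm -f` fail (a permissions problem on /var/run, for instance), the `||` branch prints "IP not found" right after a subshell has already reported a hit. Spell it out as `if [ -f "${result_flag}" ]; then rm -f "${result_flag}"; else printf " %s\n" "IP not found"; fi`. The same `a && b || c` shape appears in the banip-service.sh hunk of the previous commit for `ban_feed=""`/`f_getfeed`; it is harmless there only because an assignment cannot fail.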
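Review bot: With `(f_down "${feed}" "${proto}") &` replaced by a plain `f_down "${feed}" "${proto}"`, f_down now runs in the service script's own shell instead of a subshell, so any variable it sets without `local`, any `cd`, and any `set` option it toggles now persists into the surrounding loop and the external-feed processing that follows; f_down's body is not in this diff, so I cannot tell whether it is subshell-clean. If it is not, keep the subshell and just drop the `&` (`(f_down "${feed}" "${proto}")`), which preserves the sequential ordering this commit is after. A short comment above the call noting that it must run synchronously would also help the next reader.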
@@ -10,12 +10,12 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=haproxy
-PKG_VERSION:=2.6.13
+PKG_VERSION:=2.8.0
 PKG_RELEASE:=1
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_SOURCE_URL:=https://www.haproxy.org/download/2.6/src
-PKG_HASH:=d69ff5233dbca657132ef280d111222ec1e33f5be1c1937d4e9ff516f63f5243
+PKG_SOURCE_URL:=https://www.haproxy.org/download/2.8/src
+PKG_HASH:=61cdafb5db7e9174d0757b8e4bcde938352306fb7cc8ff2b5f55c26dd48a6cf7
 PKG_MAINTAINER:=Thomas Heil , \
 Christian Lachner
diff --git a/net/haproxy/get-latest-patches.sh b/net/haproxy/get-latest-patches.sh
index 2e312cc0a6..6b60869c01 100755
--- a/net/haproxy/get-latest-patches.sh
+++ b/net/haproxy/get-latest-patches.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
-CLONEURL=https://git.haproxy.org/git/haproxy-2.6.git
-BASE_TAG=v2.6.13
+CLONEURL=https://git.haproxy.org/git/haproxy-2.8.git
+BASE_TAG=v2.8.0
 TMP_REPODIR=tmprepo
 PATCHESDIR=patches