From: Dirk Brenken
Date: Thu, 30 Apr 2026 09:36:40 +0000 (+0200)
Subject: banip: release 1.8.8-1
X-Git-Url: http://git.99rst.org/?a=commitdiff_plain;h=e0669cb1a8950fcdc50d46bf4e2683f3509c1abf;p=openwrt-packages.git
banip: release 1.8.8-1
- introduced a shared named nft limit (loglimit) referenced by all log rules instead of per-rule limits, aligning with kernel printk rate limits
- added new 'ban_logratelimit' and 'ban_logburstlimit' UCI options for tuning the shared log limit; setting ban_logratelimit=0 disables nft-side rate limiting entirely (useful for ulogd or other userspace log handlers that bypass printk)
- LuCI: made the new UCI option available (Log Settings)
- readme update
Signed-off-by: Dirk Brenken
---
diff --git a/net/banip/Makefile b/net/banip/Makefile
index c1a445265..12f4abd38 100644
--- a/net/banip/Makefile
+++ b/net/banip/Makefile
@@ -5,7 +5,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=banip
-PKG_VERSION:=1.8.7
+PKG_VERSION:=1.8.8
 PKG_RELEASE:=1
 PKG_LICENSE:=GPL-3.0-or-later
 PKG_MAINTAINER:=Dirk Brenken
diff --git a/net/banip/files/README.md b/net/banip/files/README.md
index 170c02a29..a5eab46d4 100644
--- a/net/banip/files/README.md
+++ b/net/banip/files/README.md
@@ -13,7 +13,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre
 * WAN-INP chain applies to packets from internet to your router
 * WAN-FWD chain applies to packets from internet to other local devices (not your router)
 * LAN-FWD chain applies to local packets going out to the internet (not your router)
- The listed standard assignments can be changed to your needs under the 'Feed/Set Settings' config tab.
+ The listed standard assignments can be changed to your needs under the `Feed/Set Settings` config tab.
 
 | Feed | Focus | Inbound | Outbound | Proto/Port | Information |
 | :------------------ | :----------------------------- | :-----: | :------: | :---------------: | :----------------------------------------------------------- |
@@ -44,6 +44,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre
 | ipthreat | hacker and botnet IPs | x | | | [Link](https://ipthreat.net) |
 | myip | real-time IP blocklist | x | | | [Link](https://myip.ms) |
 | proxy | open proxies | x | | | [Link](https://iplists.firehol.org/?ipset=proxylists) |
+| spamhaus | Spamhaus DROP | x | | | [Link](https://www.spamhaus.org/blocklists/) |
 | threat | emerging threats | x | | | [Link](https://rules.emergingthreats.net) |
 | threatview | malicious IPs | x | | | [Link](https://threatview.io) |
 | tor | tor exit nodes | x | | | [Link](https://www.dan.me.uk) |
@@ -59,7 +60,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre
 | vpndc | vpn datacenter IPs | x | | | [Link](https://github.com/X4BNet/lists_vpn) |
 
 * Zero-conf like automatic installation & setup, usually no manual changes needed
-* All Sets are handled in a separate nft table/namespace 'banIP'
+* All Sets are handled in a separate nft table/namespace `banIP`
 * Full IPv4 and IPv6 support
 * Supports nft atomic Set loading
 * Supports blocking by ASN numbers and by iso country codes
@@ -77,7 +78,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre
 * Automatic blocklist backup & restore, the backups will be used in case of download errors or during startup
 * Automatically selects one of the following download utilities with ssl support: curl, uclient-fetch or full wget
 * Provides HTTP ETag support to download only ressources that have been updated on the server side, to speed up banIP reloads and to save bandwith
-* Supports an 'allowlist only' mode, this option restricts the internet access only to specific, explicitly allowed IP segments
+* Supports an `allowlist only` mode, this option restricts the internet access only to specific, explicitly allowed IP segments
 * Supports external allowlist URLs to reference additional IPv4/IPv6 feeds
 * Optionally always allow certain protocols/destination ports in the inbound chain
 * Deduplicate IPs accross all Sets (single IPs only, no intervals)
@@ -97,9 +98,9 @@ IP address blocking is commonly used to protect against brute force attacks, pre
 ## Prerequisites
 
 * **[OpenWrt](https://openwrt.org)**, latest stable release or a development snapshot with nft/firewall 4 support
-* A download utility with SSL support: 'curl', full 'wget' or 'uclient-fetch' with one of the 'libustream-*' SSL libraries, the latter one doesn't provide support for ETag HTTP header
-* A certificate store like 'ca-bundle', as banIP checks the validity of the SSL certificates of all download sites by default
-* For E-Mail notifications you need to install and setup the additional 'msmtp' package
+* A download utility with SSL support: `curl`, full `wget` or `uclient-fetch` with one of the `libustream-*` SSL libraries, the latter one doesn't provide support for ETag HTTP header
+* A certificate store like `ca-bundle`, as banIP checks the validity of the SSL certificates of all download sites by default
+* For E-Mail notifications you need to install and setup the additional `msmtp` package
 
 **Please note:**
 * Devices with less than 256MB of RAM are **_not_** supported
@@ -108,13 +109,13 @@ IP address blocking is commonly used to protect against brute force attacks, pre
 ## Installation and Usage
 
 * Update your router's apk repository (apk update)
-* Install the LuCI companion package 'luci-app-banip' which also installs the main 'banip' package as a dependency
+* Install the LuCI companion package `luci-app-banip` which also installs the main banIP package as a dependency
 * Enable the banIP system service (System -> Startup) and enable banIP itself (banIP -> General Settings)
-* It's strongly recommended to use the LuCI frontend to easily configure all aspects of banIP, the application is located in LuCI under the 'Services' menu
+* It's strongly recommended to use the LuCI frontend to easily configure all aspects of banIP, the application is located in LuCI under the `Services` menu
 * It's also recommended to configure a 'Startup Trigger Interface' to depend on your WAN ifup events during boot or restart of your router. Avoid IPv6 (wan6) interfaces here, as IPv6/netifd is chatty and would trigger frequent unnecessary banIP restarts
 * To be able to use banIP in a meaningful way, you must activate the service and possibly also activate a few blocklist feeds
-* If you're using a complex network setup, e.g. special tunnel interfaces, than untick the 'Auto Detection' option under the 'General Settings' tab and set the required options manually
-* Start the service with '/etc/init.d/banip start' and check everything is working by running '/etc/init.d/banip status', also check the 'Processing Log' tab
+* If you're using a complex network setup, e.g. special tunnel interfaces, than untick the `Auto Detection` option under the `General Settings` tab and set the required options manually
+* Start the service with `/etc/init.d/banip start` and check everything is working by running `/etc/init.d/banip status`, also check the `Processing Log` tab
 
 ## banIP CLI interface
 
@@ -161,12 +162,14 @@ Available commands:
 | ban_logprerouting | option | 0 | log suspicious packets in the prerouting chain |
 | ban_loginbound | option | 0 | log suspicious packets in the inbound chain (wan-input and wan-forward) |
 | ban_logoutbound | option | 0 | log suspicious packets in the outbound chain (lan-forward) |
+| ban_logratelimit | option | 10 | rate (per second) for the shared nft log limit, applied globally across all logged rules |
+| ban_logburstlimit | option | 5 | burst size in packets for the shared nft log limit |
 | ban_autoallowlist | option | 1 | add wan IPs/subnets and resolved domains automatically to the local allowlist (not only to the Sets) |
 | ban_autoblocklist | option | 1 | add suspicious attacker IPs and resolved domains automatically to the local blocklist (not only to the Sets) |
 | ban_autoblocksubnet | option | 0 | add entire subnets to the blocklist Sets based on a rate-limited, non-blocking RDAP lookup for the suspicious IP |
-| ban_autoallowuplink | option | subnet | limit the uplink autoallow function to: 'subnet', 'ip' or 'disable' it at all |
+| ban_autoallowuplink | option | subnet | limit the uplink autoallow function to: `subnet`, `ip` or `disable` it at all |
 | ban_allowlistonly | option | 0 | restrict the internet access only to specific, explicitly allowed IP segments |
-| ban_allowflag | option | - | always allow certain protocols(tcp or udp) plus destination ports or port ranges, e.g.: 'tcp 80 443-445' |
+| ban_allowflag | option | - | always allow certain protocols(tcp or udp) plus destination ports or port ranges, e.g.: `tcp 80 443-44`' |
 | ban_allowurl | list | - | external allowlist feed URLs, one or more references to simple remote IP lists |
 | ban_basedir | option | /tmp | base working directory while banIP processing |
 | ban_reportdir | option | /tmp/banIP-report | directory where banIP stores report files |
@@ -174,12 +177,12 @@ Available commands:
 | ban_errordir | option | /tmp/banIP-error | directory where banIP stores processing error files |
 | ban_protov4 | option | - / autodetect | enable IPv4 support |
 | ban_protov6 | option | - / autodetect | enable IPv6 support |
-| ban_ifv4 | list | - / autodetect | logical wan IPv4 interfaces, e.g. 'wan' |
-| ban_ifv6 | list | - / autodetect | logical wan IPv6 interfaces, e.g. 'wan6' |
-| ban_dev | list | - / autodetect | wan device(s), e.g. 'eth2' |
+| ban_ifv4 | list | - / autodetect | logical wan IPv4 interfaces, e.g. `wan` |
+| ban_ifv6 | list | - / autodetect | logical wan IPv6 interfaces, e.g. `wan6` |
+| ban_dev | list | - / autodetect | wan device(s), e.g. `eth2` |
 | ban_vlanallow | list | - | always allow certain VLAN forwards, e.g. br-lan.20 |
 | ban_vlanblock | list | - | always block certain VLAN forwards, e.g. br-lan.10 |
-| ban_trigger | list | - | logical reload trigger interface(s), e.g. 'wan' (avoid IPv6 interfaces) |
+| ban_trigger | list | - | logical reload trigger interface(s), e.g. `wan` (avoid IPv6 interfaces) |
 | ban_triggerdelay | option | 20 | trigger timeout during interface reload and boot |
 | ban_deduplicate | option | 1 | deduplicate IP addresses across all active Sets (see optional feed flag 'dup' below) |
 | ban_splitsize | option | 0 | split the processing/loading of Sets in chunks of n lines/members (saves RAM) |
@@ -192,11 +195,11 @@ Available commands:
 | ban_nftcount | option | 0 | enable nft counter for every Set element |
 | ban_bcp38 | option | 0 | block packets with spoofed source IP addresses in all supported chains |
 | ban_map | option | 0 | enable a GeoIP Map with suspicious Set elements |
-| ban_feed | list | - | external download feeds, e.g. 'yoyo', 'doh', 'country' or 'talos' (see feed table) |
+| ban_feed | list | - | external download feeds, e.g. `yoyo`, `doh`, `country` or `talos` (see feed table) |
 | ban_asn | list | - | ASNs for the 'asn' feed, e.g.'32934' |
 | ban_asnsplit | option | - | the selected ASNs are stored in separate Sets |
 | ban_region | list | - | Regional Internet Registry (RIR) country selection. Supported regions are: AFRINIC, ARIN, APNIC, LACNIC and RIPE |
-| ban_country | list | - | country iso codes for the 'country' feed, e.g. 'ru' |
+| ban_country | list | - | country iso codes for the `country` feed, e.g. 'ru' |
 | ban_countrysplit | option | - | the selected countries are stored in separate Sets |
 | ban_blockpolicy | option | drop | 'drop' packets silently on input and forwardwan chains or actively 'reject' the traffic |
 | ban_feedin | list | - | limit the selected feeds to the inbound chain (wan-input and wan-forward) |
@@ -204,14 +207,14 @@ Available commands:
 | ban_feedinout | list | - | set the selected feeds to the inbound and outbound chain (lan-forward) |
 | ban_feedreset | list | - | override the default feed configuration and remove existing port/protocol limitations |
 | ban_feedcomplete | list | - | opt out the selected feeds from the deduplication process |
-| ban_fetchcmd | option | - / autodetect | 'uclient-fetch', 'wget' or 'curl' |
+| ban_fetchcmd | option | - / autodetect | `uclient-fetch`, `wget` or `curl` |
 | ban_fetchparm | option | - / autodetect | set the config options for the selected download utility |
 | ban_fetchretry | option | 5 | number of download attempts in case of an error (not supported by uclient-fetch) |
 | ban_fetchinsecure | option | 0 | don't check SSL server certificates during download |
 | ban_mailreceiver | option | - | receiver address for banIP related notification E-Mails |
 | ban_mailsender | option | no-reply@banIP | sender address for banIP related notification E-Mails |
 | ban_mailtopic | option | banIP notification | topic for banIP related notification E-Mails |
-| ban_mailprofile | option | ban_notify | mail profile used in 'msmtp' for banIP related notification E-Mails |
+| ban_mailprofile | option | ban_notify | mail profile used in `msmtp` for banIP related notification E-Mails |
 | ban_mailnotification | option | 0 | receive E-Mail notifications with every banIP run |
 | ban_resolver | option | - | external resolver used for DNS lookups, by default the local resolver/forwarder will be used |
 | ban_remotelog | option | 0 | enable the cgi interface to receive remote logging events |
@@ -342,9 +345,9 @@ List only elements with hits of a given Set with hit counters, e.g.:
 
 nftables supports the atomic loading of firewall rules (incl. elements), which is cool but unfortunately is also very memory intensive. To reduce the memory pressure on low memory systems (i.e. those with 256-512MB RAM), you should optimize your configuration with the following options:
 * point 'ban_basedir', 'ban_reportdir', 'ban_backupdir' and 'ban_errordir' to an external usb drive or ssd
-* set 'ban_cores' to '1' (only useful on a multicore system) to force sequential feed processing
-* set 'ban_splitsize' e.g. to '1024' to split the load of an external Set after every 1024 lines/elements
-* set 'ban_nftcount' to '0' to deactivate the CPU- and memory-intensive creation of counter elements at Set level
+* set `ban_cores` to '1' (only useful on a multicore system) to force sequential feed processing
+* set `ban_splitsize` e.g. to '1024' to split the load of an external Set after every 1024 lines/elements
+* set `ban_nftcount` to '0' to deactivate the CPU- and memory-intensive creation of counter elements at Set level. With this setting, all packet counters are disabled — including the DoS protection counters (`syn-flood`, `udp-flood`, `icmp-flood`, etc.). The Set Reporting will show zero values for these even when the protection rules are actively dropping traffic.
 
 **Sensible choice of blocklists**
 The following feeds are just my personal recommendation as an initial setup:
@@ -422,12 +425,31 @@ BCP38 (**B**est **C**urrent **P**ractice, RFC 2827) defines ingress filtering to
 In banIP, the BCP38 implementation uses nftables’ FIB lookup to enforce this. It checks whether the packet’s source address is not valid for the incoming interface or whether the routing table reports no route for this source on this interface. Packets that fail this check are dropped.
 
+**Counter behavior and ban_nftcount**
+The `ban_nftcount` option globally controls all nft counters in the banIP table — both per-Set element counters and chain rule counters. Default is '0' (disabled) to keep memory usage and CPU overhead low on constrained devices.
+
+When enabled (`ban_nftcount=1`):
+* every Set element gets its own packet/byte counter (memory cost: ~16 bytes per element, so ~1.6 MB for a 100k-element feed)
+* all chain rules count packets and bytes
+* DoS protection counters (`cnt_synflood`, `cnt_udpflood`, `cnt_icmpflood`, `cnt_tcpinvalid`, `cnt_ctinvalid`, `cnt_bcp38`) become populated and visible in `/etc/init.d/banip report`
+* the GeoIP Map (`ban_map=1`) becomes available, as it requires per-element counters to identify hit IPs
+
+When disabled (`ban_nftcount=0`):
+* memory footprint is minimal, suitable for low memory routers
+* the Set Reporting still works structurally, but packet counts will all read as zero
+* the GeoIP Map cannot be enabled
+
+For most modern routers with ≥512 MB RAM, enabling `ban_nftcount` is recommended for full visibility into what banIP is actually blocking.
+
+**Log Limit / Options**
+All log rules (prerouting flood protection, inbound and outbound feeds) share a single nft limit named `loglimit`. The default of 10/second with burst 5 is intentionally aligned with typical kernel printk rate limits, so banIP log messages are not dropped by the kernel. Tune via `ban_logratelimit` and `ban_logburstlimit` accordingly if you have adjusted the kernel defaults. Set the `ban_logratelimit` to '0' to disable rate limiting entirely, e.g. 
when using ulogd or other userspace log handlers without printk constraints.
+
 **Set reporting, enable the GeoIP Map**
 banIP includes a powerful reporting tool on the Set Reporting tab which shows the latest NFT banIP Set statistics. To get the latest statistics always press the "Refresh" button.
 In addition to a tabular overview banIP reporting includes a GeoIP map in a modal popup window/iframe that shows the geolocation of your own uplink addresses (in green) and the locations of potential attackers (in red).
 To enable the GeoIP Map set the following options (in "Feed/Set Settings" config tab):
- * set 'ban_nftcount' to '1' to enable the nft counter for every Set element
- * set 'ban_map' to '1' to include the external components listed below and activate the GeoIP map
+ * set `ban_nftcount` to '1' to enable the nft counter for every Set element
+ * set `ban_map` to '1' to include the external components listed below and activate the GeoIP map
 
 To make this work, banIP uses the following external components:
 * [Leaflet](https://leafletjs.com/) is a lightweight open-source JavaScript library for interactive maps
@@ -438,8 +460,8 @@ To make this work, banIP uses the following external components:
 **CGI interface to receive remote logging events**
 banIP ships a basic cgi interface in '/www/cgi-bin/banip' to receive remote logging events (disabled by default). The cgi interface evaluates logging events via GET or POST request (see examples below).
 To enable the cgi interface set the following options:
- * set 'ban_remotelog' to '1' to enable the cgi interface
- * set 'ban_remotetoken' to a secret transfer token, allowed token characters consist of '[A-Za-z]', '[0-9]', '.' and ':'
+ * set `ban_remotelog` to '1' to enable the cgi interface
+ * set `ban_remotetoken` to a secret transfer token, allowed token characters consist of '[A-Za-z]', '[0-9]', '.' and ':'
 * add the remote logging event to the logterm
 
 Examples to transfer remote logging events from an internal server to banIP via cgi interface:
@@ -458,11 +480,11 @@ By default banIP uses the following pre-configured download options:
 * uclient-fetch: --timeout=20 -O
 ```
 
-To override the default set 'ban_fetchretry', 'ban_fetchinsecure' or globally 'ban_fetchparm' to your needs.
+To override the default set `ban_fetchretry`, `ban_fetchinsecure` or globally `ban_fetchparm` to your needs.
 
 **Configure E-Mail notifications via 'msmtp'**
 To use the email notification you must install and configure the package 'msmtp'.
-Modify the file '/etc/msmtprc', e.g.:
+Modify the file `/etc/msmtprc`, e.g.:
 
 ```
 [...]
@@ -495,7 +517,7 @@ For a regular, automatic status mailing and update of the used lists on a daily
 By default banIP scans the logfile via logread, so to monitor attacks on asterisk, its security log must be available via logread. To do this, edit '/etc/asterisk/logger.conf' and add the line 'syslog.local0 = security', then run 'asterisk -rx reload logger' to update the running asterisk configuration.
 
 **Change/add banIP feeds and set optional feed flags**
-The banIP default blocklist feeds are stored in an external JSON file '/etc/banip/banip.feeds'. All custom changes should be stored in an external JSON file '/etc/banip/banip.custom.feeds' (empty by default). It's recommended to use the LuCI based Custom Feed Editor to make changes to this file.
+The banIP default blocklist feeds are stored in an external JSON file `/etc/banip/banip.feeds`. All custom changes should be stored in an external JSON file `/etc/banip/banip.custom.feeds` (empty by default). It's recommended to use the LuCI based Custom Feed Editor to make changes to this file.
 
 A valid JSON source object contains the following information, e.g.:
 ```json
@@ -513,25 +535,25 @@ A valid JSON source object contains the following information, e.g.:
 
 Add an unique feed name (no spaces, no special chars) and make the required changes: adapt at least the URL, check/change the rule, the size and the description for a new feed.
 The rule consist of max. 4 individual, space separated parameters:
-1. type: 'feed' or 'suricata' (required)
+1. type: `feed` or `suricata` (required)
 2. prefix: an optional search term (a string literal, no regex) to identify valid IP list entries
 3. column: the IP column within the feed file, e.g. '1' (required)
-4. separator: an optional field separator, default is the character class '[[:space:]]'
+4. separator: an optional field separator, default is the character class `[[:space:]]`
 
-Please note: the flag field is optional, it's a space separated list of options: supported are 'gz' as an archive format and protocols 'tcp' or 'udp' with port numbers/port ranges for destination port limitations.
+Please note: the flag field is optional, it's a space separated list of options: supported are 'gz' as an archive format and protocols `tcp` or `udp` with port numbers/port ranges for destination port limitations.
 
 **Debug options**
-banIP provides an optional debug mode that writes diagnostic information to the system log and captures internal error output in a dedicated error logfile - by default located in the banIP base directory as '/tmp/ban_error.log'. The log file is automatically cleared at the beginning of each run. Under normal conditions, all error messages are discarded to keep regular runs clean and silent.
+banIP provides an optional debug mode that writes diagnostic information to the system log and captures internal error output in a dedicated error logfile - by default located in the banIP base directory as `/tmp/ban_error.log`. The log file is automatically cleared at the beginning of each run. Under normal conditions, all error messages are discarded to keep regular runs clean and silent.
 
-Whenever you encounter banIP related processing problems, please enable "Verbose Debug Logging", restart banIP and check the "Processing Log" tab.
+Whenever you encounter banIP related processing problems, please enable `Verbose Debug Logging`, restart banIP and check the `Processing Log` tab.
 Typical symptoms:
-* The nftables initialization failed: untick the 'Auto Detection' option in the 'General Settings' config section and set the required device and tools options manually
+* The nftables initialization failed: untick the `Auto Detection` option in the `General Settings` config section and set the required device and tools options manually
 * A blocklist feed does not work: maybe a temporary server problem or the download URL has been changed. In the latter case, just use the Custom Feed Editor to point this feed to a new URL
 
-In case of a nft processing error, banIP creates an error directory (by default '/tmp/banIP-error') with the faulty nft load files.
-For further troubleshooting, you can try to load such an error file manually to determine the exact cause of the error, e.g.: 'nft -f error.file.nft'.
+In case of a nft processing error, banIP creates an error directory (by default `/tmp/banIP-error`) with the faulty nft load files.
+For further troubleshooting, you can try to load such an error file manually to determine the exact cause of the error, e.g.: `nft -f error.file.nft`.
 
-Whenever you encounter firewall problems, enable the logging of certain chains in the "Log Settings" config section, restart banIP and check the "Firewall Log" tab.
+Whenever you encounter firewall problems, enable the logging of certain chains in the `Log Settings` config section, restart banIP and check the `Firewall Log` tab.
 Typical symptoms:
 * A feed blocks a legit IP: disable the entire feed or add this IP to your local allowlist and reload banIP
 * A feed (e.g. 
doh) interrupts almost all client connections: check the feed table above for reference and reset the feed to the defaults in the "Feed/Set Settings" config tab section
@@ -544,7 +566,7 @@ If you want to report an error, please describe it in as much detail as possible
 
 ## Removal
 
-Stop all banIP related services with _/etc/init.d/banip stop_ and remove the banip package if necessary.
+Stop all banIP related services with `/etc/init.d/banip stop` and remove the banip package if necessary.
 
 ## Donations
 
diff --git a/net/banip/files/banip-functions.sh b/net/banip/files/banip-functions.sh
index e2166a915..98f2d8d21 100644
--- a/net/banip/files/banip-functions.sh
+++ b/net/banip/files/banip-functions.sh
@@ -53,6 +53,8 @@ ban_icmplimit="25"
 ban_synlimit="10"
 ban_udplimit="100"
 ban_loglimit="100"
+ban_logratelimit="10"
+ban_logburstlimit="5"
 ban_logcount="1"
 ban_logterm=""
 ban_region=""
@@ -817,7 +819,7 @@ f_nftload() {
 # build initial nft file with base table, chains and rules
 #
 f_nftinit() {
- local wan_dev vlan_allow vlan_block log_ct log_icmp log_syn log_udp log_tcp flag tmp_proto tmp_port allow_dport feed_rc="0" file="${1}"
+ local wan_dev vlan_allow vlan_block log_ct log_icmp log_syn log_udp log_tcp nft_cnt flag tmp_proto tmp_port allow_dport feed_rc="0" file="${1}"
 
 # format wan devices, allowed and blocked vlans as nft sets
 #
@@ -825,6 +827,12 @@ f_nftinit() {
 [ -n "${ban_vlanallow}" ] && vlan_allow="$(printf '%s' "${ban_vlanallow%%?}" | "${ban_sedcmd}" 's/^/\"/;s/$/\"/;s/ /\", \"/g')"
 [ -n "${ban_vlanblock}" ] && vlan_block="$(printf '%s' "${ban_vlanblock%%?}" | "${ban_sedcmd}" 's/^/\"/;s/$/\"/;s/ /\", \"/g')"
 
+ # set nft counter flag
+ #
+ if [ "${ban_nftcount}" = "1" ]; then
+ nft_cnt="counter"
+ fi
+
 # format allowed protocols and ports
 #
 for flag in ${ban_allowflag}; do
@@ -864,21 +872,29 @@ f_nftinit() {
 # build log rules for pre-routing chains if enabled, with dynamic log level and prefix
 #
 if [ "${ban_logprerouting}" = "1" ]; then
- log_icmp="limit rate 10/second log level ${ban_nftloglevel} prefix \"banIP/pre-icmp/drop: \""
- log_syn="limit rate 10/second log level ${ban_nftloglevel} prefix \"banIP/pre-syn/drop: \""
- log_udp="limit rate 10/second log level ${ban_nftloglevel} prefix \"banIP/pre-udp/drop: \""
- log_tcp="limit rate 10/second log level ${ban_nftloglevel} prefix \"banIP/pre-tcp/drop: \""
- log_ct="limit rate 10/second log level ${ban_nftloglevel} prefix \"banIP/pre-ct/drop: \""
+ if [ "${ban_logratelimit}" = "0" ]; then
+ log_icmp="log level ${ban_nftloglevel} prefix \"banIP/pre-icmp/drop: \""
+ log_syn="log level ${ban_nftloglevel} prefix \"banIP/pre-syn/drop: \""
+ log_udp="log level ${ban_nftloglevel} prefix \"banIP/pre-udp/drop: \""
+ log_tcp="log level ${ban_nftloglevel} prefix \"banIP/pre-tcp/drop: \""
+ log_ct="log level ${ban_nftloglevel} prefix \"banIP/pre-ct/drop: \""
+ else
+ log_icmp="limit name \"loglimit\" log level ${ban_nftloglevel} prefix \"banIP/pre-icmp/drop: \""
+ log_syn="limit name \"loglimit\" log level ${ban_nftloglevel} prefix \"banIP/pre-syn/drop: \""
+ log_udp="limit name \"loglimit\" log level ${ban_nftloglevel} prefix \"banIP/pre-udp/drop: \""
+ log_tcp="limit name \"loglimit\" log level ${ban_nftloglevel} prefix \"banIP/pre-tcp/drop: \""
+ log_ct="limit name \"loglimit\" log level ${ban_nftloglevel} prefix \"banIP/pre-ct/drop: \""
+ fi
 fi
 
 {
 # nft header, optional table cleanup, base table, chains, counters and default rules
 #
 printf '%s\n' "#!${ban_nftcmd} -f" ""
- "${ban_nftcmd}" -t list table inet banIP >/dev/null 2>&1 &&
- printf '%s\n' "delete table inet banIP"
+ "${ban_nftcmd}" -t list table inet banIP >/dev/null 2>&1 && printf '%s\n' "delete table inet banIP"
+ printf '%s\n' "add table inet banIP"
+ [ "${ban_logratelimit}" != "0" ] && printf '%s\n' "add limit inet banIP loglimit 
{ rate ${ban_logratelimit}/second burst ${ban_logburstlimit} packets }"
 printf '%s\n' \
- "add table inet banIP" \
 "add chain inet banIP pre-routing { type filter hook prerouting priority -175; policy accept; }" \
 "add chain inet banIP wan-input { type filter hook input priority ${ban_nftpriority}; policy accept; }" \
 "add chain inet banIP wan-forward { type filter hook forward priority ${ban_nftpriority}; policy accept; }" \
@@ -894,7 +910,7 @@ f_nftinit() {
 "add counter inet banIP cnt_bcp38" \
 "add rule inet banIP _reject iifname != { ${wan_dev} } meta l4proto tcp reject with tcp reset" \
 "add rule inet banIP _reject reject with icmpx host-unreachable" \
- "add rule inet banIP pre-routing iifname != { ${wan_dev} } counter accept"
+ "add rule inet banIP pre-routing iifname != { ${wan_dev} } ${nft_cnt} accept"
 
 # ct state invalid
 #
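Review bot: The new `add limit inet banIP loglimit { rate ${ban_logratelimit}/second burst ${ban_logburstlimit} packets }` line interpolates two UCI values into the nft script with no validation, so an empty or non-numeric value (a hand-edited `/etc/config/banip`, or `ban_logburstlimit=''`) makes `nft -f` reject the whole initial file and the banIP table is never created — a log-tuning knob can take the entire ruleset down. The code that reads the options from UCI is outside this hunk, so the new defaults in the variable block may not cover a present-but-malformed value; a guard ahead of the `{ ... } >"${file}"` group would close that: `case "${ban_logratelimit}" in ''|*[!0-9]*) ban_logratelimit="10" ;; esac` and `case "${ban_logburstlimit}" in ''|*[!0-9]*) ban_logburstlimit="5" ;; esac`. The same guard also settles the `= "0"` / `!= "0"` string comparisons, which currently treat `00` as a non-zero rate and emit `rate 00/second`. f_nftinit continues outside the hunk.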
@@ -944,48 +960,48 @@ f_nftinit() {
 # default wan-input rules
 #
 printf '%s\n' \
- "add rule inet banIP wan-input ct state established,related counter accept" \
- "add rule inet banIP wan-input iifname != { ${wan_dev} } counter accept" \
- "add rule inet banIP wan-input meta nfproto ipv4 udp sport 67-68 udp dport 67-68 counter accept" \
- "add rule inet banIP wan-input meta nfproto ipv6 udp sport 547 udp dport 546 counter accept" \
- "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } ip6 hoplimit 255 counter accept"
+ "add rule inet banIP wan-input ct state established,related ${nft_cnt} accept" \
+ "add rule inet banIP wan-input iifname != { ${wan_dev} } ${nft_cnt} accept" \
+ "add rule inet banIP wan-input meta nfproto ipv4 udp sport 67-68 udp dport 67-68 ${nft_cnt} accept" \
+ "add rule inet banIP wan-input meta nfproto ipv6 udp sport 547 udp dport 546 ${nft_cnt} accept" \
+ "add rule inet banIP wan-input meta nfproto ipv6 icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } ip6 hoplimit 255 ${nft_cnt} accept"
 [ -n "${allow_dport}" ] &&
- printf '%s\n' "add rule inet banIP wan-input ${allow_dport} counter accept"
+ printf '%s\n' "add rule inet banIP wan-input ${allow_dport} ${nft_cnt} accept"
 [ "${ban_bcp38}" = "1" ] &&
 printf '%s\n' "add rule inet banIP wan-input fib saddr . 
iif oif missing counter name cnt_bcp38 drop"
 if [ "${ban_loginbound}" = "1" ]; then
- printf '%s\n' "add rule inet banIP wan-input meta mark set 1 counter jump _inbound"
+ printf '%s\n' "add rule inet banIP wan-input meta mark set 1 ${nft_cnt} jump _inbound"
 else
- printf '%s\n' "add rule inet banIP wan-input counter jump _inbound"
+ printf '%s\n' "add rule inet banIP wan-input ${nft_cnt} jump _inbound"
 fi
 
 # default wan-forward rules
 #
 printf '%s\n' \
- "add rule inet banIP wan-forward ct state established,related counter accept" \
- "add rule inet banIP wan-forward iifname != { ${wan_dev} } counter accept"
+ "add rule inet banIP wan-forward iifname != { ${wan_dev} } ${nft_cnt} accept" \
+ "add rule inet banIP wan-forward ct state established,related ${nft_cnt} accept"
 [ -n "${allow_dport}" ] &&
- printf '%s\n' "add rule inet banIP wan-forward ${allow_dport} counter accept"
+ printf '%s\n' "add rule inet banIP wan-forward ${allow_dport} ${nft_cnt} accept"
 [ "${ban_bcp38}" = "1" ] &&
 printf '%s\n' "add rule inet banIP wan-forward fib saddr . 
iif oif missing counter name cnt_bcp38 drop"
 if [ "${ban_loginbound}" = "1" ]; then
- printf '%s\n' "add rule inet banIP wan-forward meta mark set 2 counter jump _inbound"
+ printf '%s\n' "add rule inet banIP wan-forward meta mark set 2 ${nft_cnt} jump _inbound"
 else
- printf '%s\n' "add rule inet banIP wan-forward counter jump _inbound"
+ printf '%s\n' "add rule inet banIP wan-forward ${nft_cnt} jump _inbound"
 fi
 
 # default lan-forward rules
 #
 printf '%s\n' \
- "add rule inet banIP lan-forward ct state established,related counter accept" \
- "add rule inet banIP lan-forward oifname != { ${wan_dev} } counter accept"
+ "add rule inet banIP lan-forward ct state established,related ${nft_cnt} accept" \
+ "add rule inet banIP lan-forward oifname != { ${wan_dev} } ${nft_cnt} accept"
 [ -n "${vlan_allow}" ] &&
- printf '%s\n' "add rule inet banIP lan-forward iifname { ${vlan_allow} } counter accept"
+ printf '%s\n' "add rule inet banIP lan-forward iifname { ${vlan_allow} } ${nft_cnt} accept"
 [ -n "${vlan_block}" ] &&
- printf '%s\n' "add rule inet banIP lan-forward iifname { ${vlan_block} } counter goto _reject"
+ printf '%s\n' "add rule inet banIP lan-forward iifname { ${vlan_block} } ${nft_cnt} goto _reject"
 [ "${ban_bcp38}" = "1" ] &&
 printf '%s\n' "add rule inet banIP lan-forward fib saddr . iif oif missing counter name cnt_bcp38 drop"
- printf '%s\n' "add rule inet banIP lan-forward counter jump _outbound"
+ printf '%s\n' "add rule inet banIP lan-forward ${nft_cnt} jump _outbound"
 } >"${file}"
 
 # load initial banIP table/rules to nftset
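Review bot: The three bcp38 rules in this hunk are unchanged context and still reference `counter name cnt_bcp38` unconditionally, while every other `counter` in these chains now hinges on `${nft_cnt}`; with `ban_nftcount=0` that named counter keeps counting, which contradicts the README text added in this commit that lists `cnt_bcp38` among the counters that stay at zero when the option is off. Unless the report side hides the named counters somewhere outside this hunk, either the documentation should say that the named DoS/BCP38 counters are always active (they are a fixed handful of objects, so the per-element memory argument does not apply to them), or the rules should follow the flag too, e.g. `fib saddr . iif oif missing ${nft_cnt:+counter name cnt_bcp38} drop`. Separately, the wan-forward accept pair is now ordered `iifname != { ${wan_dev} }` before `ct state established,related`, the opposite of wan-input and lan-forward; both rules accept so the outcome is the same, but the commit message does not mention it and a one-line comment on why wan-forward differs would stop the next reader from "fixing" it. f_nftinit starts before and continues after this hunk.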
@@ -1002,7 +1018,7 @@ f_nftinit() {
 # handle downloads
 #
 f_down() {
- local log_inbound log_outbound start_ts end_ts tmp_raw tmp_load tmp_file split_file table_json handles handle etag_rc etag_cnt element_count tmp_allow feed_name
+ local log_inbound log_outbound start_ts end_ts tmp_raw tmp_load tmp_file split_file table_json handles handle etag_rc etag_cnt nft_cnt nft_setcnt tmp_allow feed_name
 local expr cnt_set cnt_dl restore_rc feed_direction feed_policy feed_rc feed_comp feed_complete feed_target feed_dport chain flag tmp_flush tmp_nft
 local tmp_split tmp_proto tmp_port asn country feed="${1}" feed_ipv="${2}" feed_url="${3}" feed_rule="${4}" feed_chain="${5}" feed_flag="${6}"
@@ -1021,8 +1037,13 @@ f_down() {
 # set log target
 #
- [ "${ban_loginbound}" = "1" ] && log_inbound="limit rate 10/second log level ${ban_nftloglevel} prefix \"banIP/inbound/${ban_blockpolicy}/${feed}: \""
- [ "${ban_logoutbound}" = "1" ] && log_outbound="limit rate 10/second log level ${ban_nftloglevel} prefix \"banIP/outbound/reject/${feed}: \""
+ if [ "${ban_logratelimit}" = "0" ]; then
+ [ "${ban_loginbound}" = "1" ] && log_inbound="log level ${ban_nftloglevel} prefix \"banIP/inbound/${ban_blockpolicy}/${feed}: \""
+ [ "${ban_logoutbound}" = "1" ] && log_outbound="log level ${ban_nftloglevel} prefix \"banIP/outbound/reject/${feed}: \""
+ else
+ [ "${ban_loginbound}" = "1" ] && log_inbound="limit name \"loglimit\" log level ${ban_nftloglevel} prefix \"banIP/inbound/${ban_blockpolicy}/${feed}: \""
+ [ "${ban_logoutbound}" = "1" ] && log_outbound="limit name \"loglimit\" log level ${ban_nftloglevel} prefix \"banIP/outbound/reject/${feed}: \""
+ fi
 # set feed target
 #
@@ -1032,10 +1053,11 @@ f_down() {
 feed_target="drop"
 fi
- # set element counter flag
+ # set nft counter flag
 #
 if [ "${ban_nftcount}" = "1" ]; then
- element_count="counter"
+ nft_cnt="counter"
+ nft_setcnt="; counter"
 fi
 # set feed complete flag
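Review bot: In the log-target hunk the new `limit name \"loglimit\"` expression is emitted for every value of `ban_logratelimit` other than the literal `0`, including an empty value if the option is absent from an older config and no default is applied during config load (outside this hunk), and the named limit must then already exist in the banIP table or the whole rule batch fails to load. A one-line comment above the `if` would help the next reader, e.g. `# ban_logratelimit=0 disables the nft-side limit entirely; any other value makes all log rules share the named 'loglimit' object created with the table`. The two branches differ only by that prefix, so the four assignments can collapse to a shared prefix: `[ "${ban_logratelimit}" != "0" ] && log_limit="limit name \"loglimit\" "`, then `log_inbound="${log_limit}log level …"` and `log_outbound="${log_limit}log level …"` (with `log_limit` added to the `local` list in the first hunk). Operators should also know that one shared limit, unlike the former per-rule `limit rate 10/second`, lets a single noisy feed consume the whole log budget and suppress entries for other feeds and the other direction, which is worth a sentence in the README next to the new options.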
@@ -1252,25 +1274,25 @@ f_down() {
 case "${feed_ipv}" in
 "4MAC")
 "${ban_awkcmd}" '{gsub(/\r/,"")}/^([0-9A-f]{2}:){5}[0-9A-f]{2}(\/([0-9]|[1-3][0-9]|4[0-8]))?([[:space:]]+([1-9][0-9]?[0-9]?\.){1}([0-9]{1,3}\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?([[:space:]]+#.*$|[[:space:]]*$)|[[:space:]]+#.*$|$)/{if(!$2||$2~/#/)$2="0.0.0.0/0";if(!seen[$1]++)printf "%s . %s, ",tolower($1),$2}' "${tmp_allow}" >"${tmp_file}"
- printf '%s\n' "add set inet banIP ${feed} { type ether_addr . ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; ${element_count}; $(f_getelements "${tmp_file}") }"
- [ -z "${feed_direction##*outbound*}" ] && printf '%s\n' "add rule inet banIP _outbound ether saddr . ip saddr @${feed} counter accept"
+ printf '%s\n' "add set inet banIP ${feed} { type ether_addr . ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}${nft_setcnt}; $(f_getelements "${tmp_file}") }"
+ [ -z "${feed_direction##*outbound*}" ] && printf '%s\n' "add rule inet banIP _outbound ether saddr . ip saddr @${feed} ${nft_cnt} accept"
 ;;
 "6MAC")
 "${ban_awkcmd}" '{gsub(/\r/,"")}/^([0-9A-f]{2}:){5}[0-9A-f]{2}(\/([0-9]|[1-3][0-9]|4[0-8]))?([[:space:]]+([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?([[:space:]]+#.*$|[[:space:]]*$)|[[:space:]]+#.*$|$)/{if(!$2||$2~/#/)$2="::/0";if(!seen[$1]++)printf "%s . %s, ",tolower($1),$2}' "${tmp_allow}" >"${tmp_file}"
- printf '%s\n' "add set inet banIP ${feed} { type ether_addr . ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; ${element_count}; $(f_getelements "${tmp_file}") }"
- [ -z "${feed_direction##*outbound*}" ] && printf '%s\n' "add rule inet banIP _outbound ether saddr . ip6 saddr @${feed} counter accept"
+ printf '%s\n' "add set inet banIP ${feed} { type ether_addr . 
ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}${nft_setcnt}; $(f_getelements "${tmp_file}") }"
+ [ -z "${feed_direction##*outbound*}" ] && printf '%s\n' "add rule inet banIP _outbound ether saddr . ip6 saddr @${feed} ${nft_cnt} accept"
 ;;
 "4")
 f_chkip ${feed_ipv} local 1 <"${tmp_allow}" >"${tmp_file}"
- printf '%s\n' "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; ${element_count}; $(f_getelements "${tmp_file}") }"
+ printf '%s\n' "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}${nft_setcnt}; $(f_getelements "${tmp_file}") }"
 if [ -z "${feed_direction##*inbound*}" ]; then
 if [ "${ban_allowlistonly}" = "1" ]; then
 if [ "${ban_loginbound}" = "1" ]; then
 printf '%s\n' "add rule inet banIP _inbound ip saddr != @${feed} ${log_inbound}"
 fi
- printf '%s\n' "add rule inet banIP _inbound ip saddr != @${feed} counter ${feed_target}"
+ printf '%s\n' "add rule inet banIP _inbound ip saddr != @${feed} ${nft_cnt} ${feed_target}"
 else
- printf '%s\n' "add rule inet banIP _inbound ip saddr @${feed} counter accept"
+ printf '%s\n' "add rule inet banIP _inbound ip saddr @${feed} ${nft_cnt} accept"
 fi
 fi
 if [ -z "${feed_direction##*outbound*}" ]; then
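Review bot: Replacing the hard-coded `counter` with `${nft_cnt}` silently changes behaviour when `ban_nftcount` is not `1`: the feed rules previously always carried a rule counter and now carry none, so any status or report code that reads rule packet/byte counters (outside this diff) will find nothing for those rules, and operators lose a cheap hit-count signal for blocked traffic. The commit message only mentions the shared log limit, so either document this next to `ban_nftcount` in the README or keep the rule-level `counter` unconditional and apply the flag to set counters (`nft_setcnt`) only. The same substitution appears in the hunks at -1278, -1302, -1319, -1506 and -1526 and in the f_nftinit default-chain rules above, whose hunk starts before this chunk. When `nft_cnt` is empty the generated rule text contains a double space, which nft tolerates, so no load failure is expected from that alone.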
@@ -1278,23 +1300,23 @@ f_down() {
 if [ "${ban_logoutbound}" = "1" ]; then
 printf '%s\n' "add rule inet banIP _outbound ip daddr != @${feed} ${log_outbound}"
 fi
- printf '%s\n' "add rule inet banIP _outbound ip daddr != @${feed} counter ${feed_target}"
+ printf '%s\n' "add rule inet banIP _outbound ip daddr != @${feed} ${nft_cnt} ${feed_target}"
 else
- printf '%s\n' "add rule inet banIP _outbound ip daddr @${feed} counter accept"
+ printf '%s\n' "add rule inet banIP _outbound ip daddr @${feed} ${nft_cnt} accept"
 fi
 fi
 ;;
 "6")
 f_chkip ${feed_ipv} local 1 <"${tmp_allow}" >"${tmp_file}"
- printf '%s\n' "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; ${element_count}; $(f_getelements "${tmp_file}") }"
+ printf '%s\n' "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}${nft_setcnt}; $(f_getelements "${tmp_file}") }"
 if [ -z "${feed_direction##*inbound*}" ]; then
 if [ "${ban_allowlistonly}" = "1" ]; then
 if [ "${ban_loginbound}" = "1" ]; then
 printf '%s\n' "add rule inet banIP _inbound ip6 saddr != @${feed} ${log_inbound}"
 fi
- printf '%s\n' "add rule inet banIP _inbound ip6 saddr != @${feed} counter ${feed_target}"
+ printf '%s\n' "add rule inet banIP _inbound ip6 saddr != @${feed} ${nft_cnt} ${feed_target}"
 else
- printf '%s\n' "add rule inet banIP _inbound ip6 saddr @${feed} counter accept"
+ printf '%s\n' "add rule inet banIP _inbound ip6 saddr @${feed} ${nft_cnt} accept"
 fi
 fi
 if [ -z "${feed_direction##*outbound*}" ]; then
@@ -1302,9 +1324,9 @@ f_down() {
 if [ "${ban_logoutbound}" = "1" ]; then
 printf '%s\n' "add rule inet banIP _outbound ip6 daddr != @${feed} ${log_outbound}"
 fi
- printf '%s\n' "add rule inet banIP _outbound ip6 daddr != @${feed} counter ${feed_target}"
+ printf '%s\n' "add rule inet banIP _outbound ip6 daddr != @${feed} ${nft_cnt} ${feed_target}"
 else
- printf '%s\n' "add rule inet banIP _outbound ip6 daddr @${feed} counter accept"
+ printf '%s\n' "add rule inet banIP _outbound ip6 daddr @${feed} ${nft_cnt} accept"
 fi
 fi
 ;;
@@ -1319,54 +1341,54 @@ f_down() {
 case "${feed_ipv}" in
 "4MAC")
 "${ban_awkcmd}" '{gsub(/\r/,"")}/^([0-9A-f]{2}:){5}[0-9A-f]{2}(\/([0-9]|[1-3][0-9]|4[0-8]))?([[:space:]]+([1-9][0-9]?[0-9]?\.){1}([0-9]{1,3}\.){2}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\/(1?[0-9]|2?[0-9]|3?[0-2]))?([[:space:]]+#.*$|[[:space:]]*$)|[[:space:]]+#.*$|$)/{if(!$2||$2~/#/)$2="0.0.0.0/0";if(!seen[$1]++)printf "%s . %s, ",tolower($1),$2}' "${ban_blocklist}" >"${tmp_file}"
- printf '%s\n' "add set inet banIP ${feed} { type ether_addr . ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; ${element_count}; $(f_getelements "${tmp_file}") }"
+ printf '%s\n' "add set inet banIP ${feed} { type ether_addr . ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}${nft_setcnt}; $(f_getelements "${tmp_file}") }"
 if [ -z "${feed_direction##*outbound*}" ]; then
 if [ "${ban_logoutbound}" = "1" ]; then
 printf '%s\n' "add rule inet banIP _outbound ether saddr . ip saddr @${feed} ${log_outbound}"
 fi
- printf '%s\n' "add rule inet banIP _outbound ether saddr . ip saddr @${feed} counter goto _reject"
+ printf '%s\n' "add rule inet banIP _outbound ether saddr . ip saddr @${feed} ${nft_cnt} goto _reject"
 fi
 ;;
 "6MAC")
 "${ban_awkcmd}" '{gsub(/\r/,"")}/^([0-9A-f]{2}:){5}[0-9A-f]{2}(\/([0-9]|[1-3][0-9]|4[0-8]))?([[:space:]]+([0-9A-f]{0,4}:){1,7}[0-9A-f]{0,4}:?(\/(1?[0-2][0-8]|[0-9][0-9]))?([[:space:]]+#.*$|[[:space:]]*$)|[[:space:]]+#.*$|$)/{if(!$2||$2~/#/)$2="::/0";if(!seen[$1]++)printf "%s . %s, ",tolower($1),$2}' "${ban_blocklist}" >"${tmp_file}"
- printf '%s\n' "add set inet banIP ${feed} { type ether_addr . ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; ${element_count}; $(f_getelements "${tmp_file}") }"
+ printf '%s\n' "add set inet banIP ${feed} { type ether_addr . 
ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}${nft_setcnt}; $(f_getelements "${tmp_file}") }"
 if [ -z "${feed_direction##*outbound*}" ]; then
 if [ "${ban_logoutbound}" = "1" ]; then
 printf '%s\n' "add rule inet banIP _outbound ether saddr . ip6 saddr @${feed} ${log_outbound}"
 fi
- printf '%s\n' "add rule inet banIP _outbound ether saddr . ip6 saddr @${feed} counter goto _reject"
+ printf '%s\n' "add rule inet banIP _outbound ether saddr . ip6 saddr @${feed} ${nft_cnt} goto _reject"
 fi
 ;;
 "4")
 f_chkip ${feed_ipv} local 1 <"${ban_blocklist}" >"${tmp_file}"
- printf '%s\n' "add set inet banIP ${feed} { type ipv4_addr; flags interval, timeout; auto-merge; policy ${ban_nftpolicy}; ${element_count}; $(f_getelements "${tmp_file}") }"
+ printf '%s\n' "add set inet banIP ${feed} { type ipv4_addr; flags interval, timeout; auto-merge; policy ${ban_nftpolicy}${nft_setcnt}; $(f_getelements "${tmp_file}") }"
 if [ -z "${feed_direction##*inbound*}" ]; then
 if [ "${ban_loginbound}" = "1" ]; then
 printf '%s\n' "add rule inet banIP _inbound ip saddr @${feed} ${log_inbound}"
 fi
- printf '%s\n' "add rule inet banIP _inbound ip saddr @${feed} counter ${feed_target}"
+ printf '%s\n' "add rule inet banIP _inbound ip saddr @${feed} ${nft_cnt} ${feed_target}"
 fi
 if [ -z "${feed_direction##*outbound*}" ]; then
 if [ "${ban_logoutbound}" = "1" ]; then
 printf '%s\n' "add rule inet banIP _outbound ip daddr @${feed} ${log_outbound}"
 fi
- printf '%s\n' "add rule inet banIP _outbound ip daddr @${feed} counter goto _reject"
+ printf '%s\n' "add rule inet banIP _outbound ip daddr @${feed} ${nft_cnt} goto _reject"
 fi
 ;;
 "6")
 f_chkip ${feed_ipv} local 1 <"${ban_blocklist}" >"${tmp_file}"
- printf '%s\n' "add set inet banIP ${feed} { type ipv6_addr; flags interval, timeout; auto-merge; policy ${ban_nftpolicy}; ${element_count}; $(f_getelements "${tmp_file}") }"
+ printf '%s\n' "add set inet banIP ${feed} { type ipv6_addr; flags interval, timeout; auto-merge; policy 
${ban_nftpolicy}${nft_setcnt}; $(f_getelements "${tmp_file}") }"
 if [ -z "${feed_direction##*inbound*}" ]; then
 if [ "${ban_loginbound}" = "1" ]; then
 printf '%s\n' "add rule inet banIP _inbound ip6 saddr @${feed} ${log_inbound}"
 fi
- printf '%s\n' "add rule inet banIP _inbound ip6 saddr @${feed} counter ${feed_target}"
+ printf '%s\n' "add rule inet banIP _inbound ip6 saddr @${feed} ${nft_cnt} ${feed_target}"
 fi
 if [ -z "${feed_direction##*outbound*}" ]; then
 if [ "${ban_logoutbound}" = "1" ]; then
 printf '%s\n' "add rule inet banIP _outbound ip6 daddr @${feed} ${log_outbound}"
 fi
- printf '%s\n' "add rule inet banIP _outbound ip6 daddr @${feed} counter goto _reject"
+ printf '%s\n' "add rule inet banIP _outbound ip6 daddr @${feed} ${nft_cnt} goto _reject"
 fi
 ;;
 esac
@@ -1506,18 +1528,18 @@ f_down() {
 #
 printf '%s\n\n' "#!${ban_nftcmd} -f"
 [ -s "${tmp_flush}" ] && "${ban_catcmd}" "${tmp_flush}"
- printf '%s\n' "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; ${element_count}; $(f_getelements "${tmp_file}.1") }"
+ printf '%s\n' "add set inet banIP ${feed} { type ipv4_addr; flags interval; auto-merge; policy ${ban_nftpolicy}${nft_setcnt}; $(f_getelements "${tmp_file}.1") }"
 if [ -z "${feed_direction##*inbound*}" ]; then
 if [ "${ban_loginbound}" = "1" ]; then
 printf '%s\n' "add rule inet banIP _inbound ${feed_dport} ip saddr @${feed} ${log_inbound}"
 fi
- printf '%s\n' "add rule inet banIP _inbound ${feed_dport} ip saddr @${feed} counter ${feed_target}"
+ printf '%s\n' "add rule inet banIP _inbound ${feed_dport} ip saddr @${feed} ${nft_cnt} ${feed_target}"
 fi
 if [ -z "${feed_direction##*outbound*}" ]; then
 if [ "${ban_logoutbound}" = "1" ]; then
 printf '%s\n' "add rule inet banIP _outbound ${feed_dport} ip daddr @${feed} ${log_outbound}"
 fi
- printf '%s\n' "add rule inet banIP _outbound ${feed_dport} ip daddr @${feed} counter goto _reject"
+ printf '%s\n' "add rule inet banIP _outbound ${feed_dport} ip daddr @${feed} ${nft_cnt} goto _reject"
 fi
 } >"${tmp_nft}"
 elif [ "${feed_ipv}" = "6" ]; then
@@ -1526,18 +1548,18 @@ f_down() {
 #
 printf '%s\n\n' "#!${ban_nftcmd} -f"
 [ -s "${tmp_flush}" ] && "${ban_catcmd}" "${tmp_flush}"
- printf '%s\n' "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}; ${element_count}; $(f_getelements "${tmp_file}.1") }"
+ printf '%s\n' "add set inet banIP ${feed} { type ipv6_addr; flags interval; auto-merge; policy ${ban_nftpolicy}${nft_setcnt}; $(f_getelements "${tmp_file}.1") }"
 if [ -z "${feed_direction##*inbound*}" ]; then
 if [ "${ban_loginbound}" = "1" ]; then
 printf '%s\n' "add rule inet banIP _inbound ${feed_dport} ip6 saddr @${feed} ${log_inbound}"
 fi
- printf '%s\n' "add rule inet banIP _inbound ${feed_dport} ip6 saddr @${feed} counter ${feed_target}"
+ printf '%s\n' "add rule inet banIP _inbound ${feed_dport} ip6 saddr @${feed} ${nft_cnt} ${feed_target}"
 fi
 if [ -z "${feed_direction##*outbound*}" ]; then
 if [ "${ban_logoutbound}" = "1" ]; then
 printf '%s\n' "add rule inet banIP _outbound ${feed_dport} ip6 daddr @${feed} ${log_outbound}"
 fi
- printf '%s\n' "add rule inet banIP _outbound ${feed_dport} ip6 daddr @${feed} counter goto _reject"
+ printf '%s\n' "add rule inet banIP _outbound ${feed_dport} ip6 daddr @${feed} ${nft_cnt} goto _reject"
 fi
 } >"${tmp_nft}"
 fi
@@ -1804,7 +1826,7 @@ f_genstatus() {
 json_add_string "${object}" "${object}"
 done
 json_close_array
- json_add_string "nft_info" "ver: ${nft_ver:-"-"}, priority: ${ban_nftpriority}, policy: ${ban_nftpolicy}, loglevel: ${ban_nftloglevel}, expiry: ${ban_nftexpiry:-"-"}, limit (icmp/syn/udp): ${ban_icmplimit}/${ban_synlimit}/${ban_udplimit}"
+ json_add_string "nft_info" "ver: ${nft_ver:-"-"}, priority: ${ban_nftpriority}, policy: ${ban_nftpolicy}, loglevel: ${ban_nftloglevel}, expiry: ${ban_nftexpiry:-"-"}, limit (icmp/syn/udp): ${ban_icmplimit}/${ban_synlimit}/${ban_udplimit}, loglimit (rate/burst): ${ban_logratelimit}/${ban_logburstlimit}"
 json_add_string "run_info" "base: ${ban_basedir}, backup: ${ban_backupdir}, report: ${ban_reportdir}, error: ${ban_errordir}"
 json_add_string "run_flags" "auto: ${s_auto}, proto (4/6): ${s_v4}/${s_v6}, bcp38: ${s_bcp}, log (pre/in/out): ${s_lpre}/${s_lin}/${s_lout}, count: ${s_cnt}, dedup: ${s_dedup}, split: ${s_split}, custom feed: ${s_cf}, allowed only: ${s_allow}, debug: ${s_dbg}"
 json_add_string "last_run" "${runtime:-"-"}"
diff --git a/net/banip/files/banip.feeds b/net/banip/files/banip.feeds
index 2f587aced..928cdbf8f 100644
--- a/net/banip/files/banip.feeds
+++ b/net/banip/files/banip.feeds
@@ -174,6 +174,13 @@
 "chain": "in",
 "descr": "open proxies"
 },
+ "spamhaus":{
+ "url_4": "https://www.spamhaus.org/drop/drop_v4.json",
+ "url_6": "https://www.spamhaus.org/drop/drop_v6.json",
+ "rule": "feed 4 \"",
+ "chain": "in",
+ "descr": "Spamhaus DROP"
+ },
 "threat":{
 "url_4": "https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt",
 "rule": "feed 1",
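Review bot: The new `loglimit (rate/burst)` field in `nft_info` prints `${ban_logratelimit}` and `${ban_logburstlimit}` without the `:-"-"` fallback that `nft_ver` and `ban_nftexpiry` use on the same line, so a config that predates the two new options shows a bare `/` unless defaults are applied during config load, which is not visible here. For consistency `${ban_logratelimit:-"-"}/${ban_logburstlimit:-"-"}` would make the unset state explicit in the status output and in the LuCI view that reads it. The existing `limit (icmp/syn/udp)` values have the same gap, so if defaults are guaranteed this is only a style remark.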