Merge pull request openwrt#14649 from dibdot/banip

banip: release 0.7.0

net/banip/Makefile

@@ -1,12 +1,12 @@
 #
-# Copyright (c) 2018-2019 Dirk Brenken (dev@brenken.org)
+# Copyright (c) 2018-2021 Dirk Brenken (dev@brenken.org)
 # This is free software, licensed under the GNU General Public License v3.
 #
 
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=banip
-PKG_VERSION:=0.3.13
+PKG_VERSION:=0.7.0
 PKG_RELEASE:=1
 PKG_LICENSE:=GPL-3.0-or-later
 PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>
@@ -16,7 +16,7 @@ include $(INCLUDE_DIR)/package.mk
 define Package/banip
 	SECTION:=net
 	CATEGORY:=Network
-	TITLE:=Ban incoming and/or outgoing ip adresses via ipsets
+	TITLE:=Ban incoming and outgoing ip adresses via ipsets
 	DEPENDS:=+jshn +jsonfilter +ip +ipset +iptables +ca-bundle
 	PKGARCH:=all
 endef
@@ -30,8 +30,9 @@ endef
 
 define Package/banip/conffiles
 /etc/config/banip
-/etc/banip/banip.whitelist
+/etc/banip/banip.maclist
 /etc/banip/banip.blacklist
+/etc/banip/banip.whitelist
 endef
 
 define Build/Prepare
@@ -54,9 +55,14 @@ define Package/banip/install
 	$(INSTALL_CONF) ./files/banip.conf $(1)/etc/config/banip
 
 	$(INSTALL_DIR) $(1)/etc/banip
+	$(INSTALL_BIN) ./files/banip.mail $(1)/etc/banip
 	$(INSTALL_BIN) ./files/banip.service $(1)/etc/banip
+	$(INSTALL_CONF) ./files/banip.maclist $(1)/etc/banip
 	$(INSTALL_CONF) ./files/banip.blacklist $(1)/etc/banip
 	$(INSTALL_CONF) ./files/banip.whitelist $(1)/etc/banip
+	$(INSTALL_CONF) ./files/banip.countries $(1)/etc/banip
+	$(INSTALL_CONF) ./files/banip.sources $(1)/etc/banip
+	gzip -9 $(1)/etc/banip/banip.sources
 
 	$(INSTALL_DIR) $(1)/etc/hotplug.d/firewall
 	$(INSTALL_DATA) ./files/banip.hotplug $(1)/etc/hotplug.d/firewall/30-banip

net/banip/files/banip.conf

@@ -1,226 +1,16 @@
-
 config banip 'global'
 	option ban_enabled '0'
-	option ban_basever '0.3'
-	option ban_automatic '1'
-	option ban_realtime 'false'
-	option ban_log_src '0'
-	option ban_log_dst '0'
-
-config banip 'extra'
 	option ban_debug '0'
+	option ban_mail_enabled '0'
+	option ban_monitor_enabled '0'
+	option ban_logsrc_enabled '0'
+	option ban_logdst_enabled '0'
+	option ban_autodetect '1'
+	option ban_autoblacklist '1'
+	option ban_autowhitelist '1'
+	option ban_nice '0'
 	option ban_maxqueue '4'
-
-config source 'whitelist'
-	option ban_src '/etc/banip/banip.whitelist'
-	option ban_src_6 '/etc/banip/banip.whitelist'
-	option ban_src_desc 'Always allow these IPs (IPv4/IPv6)'
-	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add whitelist \"\$1}'
-	option ban_src_rset_6 '/^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}(:\/[0-9]{1,2})?([[:space:]]|$)/{print \"add whitelist_6 \"\$1}'
-	option ban_src_settype 'net'
-	option ban_src_ruletype 'src+dst'
-	option ban_src_on '1'
-	option ban_src_on_6 '0'
-
-config source 'blacklist'
-	option ban_src '/etc/banip/banip.blacklist'
-	option ban_src_6 '/etc/banip/banip.blacklist'
-	option ban_src_desc 'Always deny these IPs (IPv4/IPv6)'
-	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add blacklist \"\$1}'
-	option ban_src_rset_6 '/^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}(:\/[0-9]{1,2})?([[:space:]]|$)/{print \"add blacklist_6 \"\$1}'
-	option ban_src_settype 'net'
-	option ban_src_ruletype 'src+dst'
-	option ban_src_on '0'
-	option ban_src_on_6 '0'
-
-config source 'bogon'
-	option ban_src 'https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt'
-	option ban_src_6 'https://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt'
-	option ban_src_desc 'Bogon prefixes, plus prefixes that have been allocated to RIRs but not yet assigned to ISPs (IPv4/IPv6)'
-	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add bogon \"\$1}'
-	option ban_src_rset_6 '/^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}(:\/[0-9]{1,2})?([[:space:]]|$)/{print \"add bogon_6 \"\$1}'
-	option ban_src_settype 'net'
-	option ban_src_ruletype 'src+dst'
-	option ban_src_on '0'
-	option ban_src_on_6 '0'
-
-config source 'DoH'
-	option ban_src 'https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv4.txt'
-	option ban_src_6 'https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv6.txt'
-	option ban_src_desc 'List of public DoH providers (DNS over HTTPS) (IPv4/IPv6)'
-	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add DoH \"\$1}'
-	option ban_src_rset_6 '/^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}(:\/[0-9]{1,2})?([[:space:]]|$)/{print \"add DoH_6 \"\$1}'
-	option ban_src_settype 'net'
-	option ban_src_ruletype 'src+dst'
-	option ban_src_on '0'
-	option ban_src_on_6 '0'
-
-config source 'tor'
-	option ban_src 'https://check.torproject.org/exit-addresses'
-	option ban_src_desc 'List of Tor Exit Nodes (IPv4)'
-	option ban_src_rset '/^(ExitAddress ([0-9]{1,3}\.){3}[0-9]{1,3})([[:space:]]|$)/{print \"add tor \"\$2}'
-	option ban_src_settype 'ip'
-	option ban_src_ruletype 'src'
-	option ban_src_on '0'
-	option ban_src_on_6 '0'
-
-config source 'threat'
-	option ban_src 'https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt'
-	option ban_src_desc 'Emerging Threats (IPv4)'
-	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add threat \"\$1}'
-	option ban_src_settype 'net'
-	option ban_src_ruletype 'src'
-	option ban_src_on '0'
-
-config source 'debl'
-	option ban_src 'https://www.blocklist.de/downloads/export-ips_all.txt'
-	option ban_src_6 'https://www.blocklist.de/downloads/export-ips_all.txt'
-	option ban_src_desc 'Fail2ban reporting service (IPv4/IPv6)'
-	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3})([[:space:]]|$)/{print \"add debl \"\$1}'
-	option ban_src_rset_6 '/^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}(:\/[0-9]{1,2})?([[:space:]]|$)/{print \"add debl_6 \"\$1}'
-	option ban_src_settype 'ip'
-	option ban_src_ruletype 'src'
-	option ban_src_on '0'
-	option ban_src_on_6 '0'
-
-config source 'myip'
-	option ban_src 'https://www.myip.ms/files/blacklist/general/latest_blacklist.txt'
-	option ban_src_6 'https://www.myip.ms/files/blacklist/general/latest_blacklist.txt'
-	option ban_src_desc 'IP blacklist provided by myip.ms (IPv4/IPv6)'
-	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3})([[:space:]]|$)/{print \"add myip \"\$1}'
-	option ban_src_rset_6 '/^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}(:\/[0-9]{1,2})?([[:space:]]|$)/{print \"add myip_6 \"\$1}'
-	option ban_src_settype 'ip'
-	option ban_src_ruletype 'src'
-	option ban_src_on '0'
-	option ban_src_on_6 '0'
-
-config source 'yoyo'
-	option ban_src 'https://pgl.yoyo.org/adservers/iplist.php?ipformat=plain&showintro=0&mimetype=plaintext'
-	option ban_src_desc 'IP blocklist provided by Peter Lowe (IPv4)'
-	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3})([[:space:]]|$)/{print \"add yoyo \"\$1}'
-	option ban_src_settype 'ip'
-	option ban_src_ruletype 'src'
-	option ban_src_on '0'
-
-config source 'sslbl'
-	option ban_src 'https://sslbl.abuse.ch/blacklist/sslipblacklist.csv'
-	option ban_src_desc 'SSL Blacklist by abuse.ch (IPv4)'
-	option ban_src_rset 'BEGIN{FS=\",\"}/(([0-9]{1,3}\.){3}[0-9]{1,3},).*/{print \"add sslbl \"\$2}'
-	option ban_src_settype 'ip'
-	option ban_src_ruletype 'src'
-	option ban_src_on '0'
-
-config source 'ransomware'
-	option ban_src 'https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt'
-	option ban_src_desc 'Ransomware Tracker by abuse.ch (IPv4)'
-	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3})([[:space:]]|$)/{print \"add ransomware \"\$1}'
-	option ban_src_settype 'ip'
-	option ban_src_ruletype 'src'
-	option ban_src_on '0'
-
-config source 'feodo'
-	option ban_src 'https://feodotracker.abuse.ch/downloads/ipblocklist.txt'
-	option ban_src_desc 'Feodo Tracker by abuse.ch (IPv4)'
-	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3})([[:space:]]|$)/{print \"add feodo \"\$1}'
-	option ban_src_settype 'ip'
-	option ban_src_ruletype 'src'
-	option ban_src_on '0'
-
-config source 'dshield'
-	option ban_src 'https://feeds.dshield.org/block.txt'
-	option ban_src_desc 'Dshield recommended IP blocklist. Contains top 20 attacking class C subnets (IPv4)'
-	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3})([[:space:]]|$)/{print \"add dshield \"\$1 \"/\"\$3}'
-	option ban_src_settype 'net'
-	option ban_src_ruletype 'src'
-	option ban_src_on '0'
-
-config source 'proxy'
-	option ban_src 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/proxylists.ipset'
-	option ban_src_desc 'List of Open Proxies (IPv4)'
-	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3})([[:space:]]|$)/{print \"add proxy \"\$1}'
-	option ban_src_settype 'ip'
-	option ban_src_ruletype 'src'
-	option ban_src_on '0'
-
-config source 'iblocklist'
-	option ban_src 'https://list.iblocklist.com/?list=dgxtneitpuvgqqcpfulq&fileformat=cidr&archiveformat=gz'
-	option ban_src_desc 'Contains advertising trackers and a short list of bad/intrusive porn sites (IPv4)'
-	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add iblocklist \"\$1}'
-	option ban_src_settype 'net'
-	option ban_src_ruletype 'src'
-	option ban_src_on '0'
-
-config source 'drop'
-	option ban_src 'https://www.spamhaus.org/drop/drop.txt'
-	option ban_src_6 'https://www.spamhaus.org/drop/dropv6.txt'
-	option ban_src_desc 'Spamhaus drop compilation (IPv4/IPv6)'
-	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add drop \"\$1}'
-	option ban_src_rset_6 '/^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}(:\/[0-9]{1,2})?([[:space:]]|$)/{print \"add drop_6 \"\$1}'
-	option ban_src_settype 'net'
-	option ban_src_ruletype 'src'
-	option ban_src_on '0'
-	option ban_src_on_6 '0'
-
-config source 'edrop'
-	option ban_src 'https://www.spamhaus.org/drop/edrop.txt'
-	option ban_src_desc 'Spamhaus edrop compilation (IPv4)'
-	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add edrop \"\$1}'
-	option ban_src_settype 'net'
-	option ban_src_ruletype 'src'
-	option ban_src_on '0'
-
-config source 'firehol1'
-	option ban_src 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset'
-	option ban_src_desc 'Firehol Level 1 compilation. Contains bogons, spamhaus drop and edrop, dshield and malware lists (IPv4)'
-	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add firehol1 \"\$1}'
-	option ban_src_settype 'net'
-	option ban_src_ruletype 'src'
-	option ban_src_on '0'
-
-config source 'firehol2'
-	option ban_src 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level2.netset'
-	option ban_src_desc 'Firehol Level 2 compilation. Contains blocklists that track attacks, during the last 48 hours (IPv4)'
-	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add firehol2 \"\$1}'
-	option ban_src_settype 'net'
-	option ban_src_ruletype 'src'
-	option ban_src_on '0'
-
-config source 'firehol3'
-	option ban_src 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level3.netset'
-	option ban_src_desc 'Firehol Level 3 compilation. Contains blocklists that track attacks, spyware and viruses (IPv4)'
-	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add firehol3 \"\$1}'
-	option ban_src_settype 'net'
-	option ban_src_ruletype 'src'
-	option ban_src_on '0'
-
-config source 'firehol4'
-	option ban_src 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level4.netset'
-	option ban_src_desc 'Firehol Level 4 compilation. May include a large number of false positives (IPv4)'
-	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add firehol4 \"\$1}'
-	option ban_src_settype 'net'
-	option ban_src_ruletype 'src'
-	option ban_src_on '0'
-
-config source 'country'
-	option ban_src 'https://stat.ripe.net/data/country-resource-list/data.json?resource='
-	option ban_src_6 'https://stat.ripe.net/data/country-resource-list/data.json?resource='
-	option ban_src_desc 'Build a dynamic IPSet by country iso codes based on RIPE data (IPv4/IPv6)'
-	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add country \"\$1}'
-	option ban_src_rset_6 '/^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}(:\/[0-9]{1,2})?([[:space:]]|$)/{print \"add country_6 \"\$1}'
-	list ban_src_cat 'de'
-	option ban_src_settype 'net'
-	option ban_src_ruletype 'src'
-	option ban_src_on '0'
-	option ban_src_on_6 '0'
-
-config source 'asn'
-	option ban_src 'https://stat.ripe.net/data/announced-prefixes/data.json?resource='
-	option ban_src_6 'https://stat.ripe.net/data/announced-prefixes/data.json?resource='
-	option ban_src_desc 'Build a dynamic IPSet by ASN numbers based on RIPE data (IPv4/IPv6)'
-	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add asn \"\$1}'
-	option ban_src_rset_6 '/^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}(:\/[0-9]{1,2})?([[:space:]]|$)/{print \"add asn_6 \"\$1}'
-	list ban_src_cat '32934'
-	option ban_src_settype 'net'
-	option ban_src_ruletype 'src'
-	option ban_src_on '0'
-	option ban_src_on_6 '0'
+	option ban_global_settype 'src+dst'
+	option ban_target_src 'DROP'
+	option ban_target_dst 'REJECT'
+	option ban_loglimit '100'