banip: bump to 0.7.5
authorDirk Brenken <dev@brenken.org>
Sat, 13 Mar 2021 20:08:25 +0000 (21:08 +0100)
committerDirk Brenken <dev@brenken.org>
Sun, 14 Mar 2021 05:07:07 +0000 (06:07 +0100)
* black- and whitelist now supporting domain names as well - the
corresponding IPs (IPv4 & IPv6) will be resolved in a detached
background process and added to the IPsets

Signed-off-by: Dirk Brenken <dev@brenken.org>
net/banip/Makefile
net/banip/files/banip.dns [new file with mode: 0755]
net/banip/files/banip.sh

index dea787b9e2eb7872766b3c728d87a842b30cdbce..a43b67d960682b72d51806049d4e27dbdc1745e2 100644 (file)
@@ -6,7 +6,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=banip
-PKG_VERSION:=0.7.3
+PKG_VERSION:=0.7.5
 PKG_RELEASE:=1
 PKG_LICENSE:=GPL-3.0-or-later
 PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>
@@ -55,6 +55,7 @@ define Package/banip/install
        $(INSTALL_CONF) ./files/banip.conf $(1)/etc/config/banip
 
        $(INSTALL_DIR) $(1)/etc/banip
+       $(INSTALL_BIN) ./files/banip.dns $(1)/etc/banip
        $(INSTALL_BIN) ./files/banip.mail $(1)/etc/banip
        $(INSTALL_BIN) ./files/banip.service $(1)/etc/banip
        $(INSTALL_CONF) ./files/banip.maclist $(1)/etc/banip
diff --git a/net/banip/files/banip.dns b/net/banip/files/banip.dns
new file mode 100755 (executable)
index 0000000..c5b2b9a
--- /dev/null
@@ -0,0 +1,79 @@
+#!/bin/sh
+# helper script to resolve domains for adding to banIP-related IPSets
+# written by Dirk Brenken (dev@brenken.org)
+#
+# This is free software, licensed under the GNU General Public License v3.
+#
+# (s)hellcheck exceptions
+# shellcheck disable=1091,2030,2031,2034,2039,2086,2129,2140,2143,2154,2181,2183,2188
+
+export LC_ALL=C
+export PATH="/usr/sbin:/usr/bin:/sbin:/bin"
+set -o pipefail
+
+if [ -r "/lib/functions.sh" ]
+then
+       . "/lib/functions.sh"
+       ban_debug="$(uci_get banip global ban_debug "0")"
+fi
+ban_ver="${1}"
+ban_src_name="${2}"
+ban_src_file="${3}"
+ban_ipset_cmd="$(command -v ipset)"
+ban_lookup_cmd="$(command -v nslookup)"
+ban_logger_cmd="$(command -v logger)"
+ban_rc=1
+
+f_log()
+{
+       local class="${1}" log_msg="${2}"
+
+       if [ -n "${log_msg}" ] && { [ "${class}" != "debug" ] || [ "${ban_debug}" = "1" ]; }
+       then
+               if [ -x "${ban_logger_cmd}" ]
+               then
+                       "${ban_logger_cmd}" -p "${class}" -t "banIP-${ban_ver%-*}[${$}]" "${log_msg}"
+               else
+                       printf "%s %s %s\n" "${class}" "banIP-${ban_ver%-*}[${$}]" "${log_msg}"
+               fi
+       fi
+}
+
+while read -r domain
+do
+       update_ips=""
+       result="$("${ban_lookup_cmd}" "${domain}" 2>/dev/null; printf "%s" "${?}")"
+       if [ "$(printf "%s" "${result}" | tail -1)" = "0" ]
+       then
+               ips="$(printf "%s" "${result}" | awk '/^Address[ 0-9]*: /{ORS=" ";print $NF}')"
+               for ip in ${ips}
+               do
+                       for proto in "4" "6"
+                       do
+                               if { [ "${proto}" = "4" ] && [ -n "$("${ban_ipset_cmd}" -q -n list "${ban_src_name}_${proto}")" ] && [ -n "$(printf "%s" "${ip}" | awk '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print $1}')" ]; } || \
+                                       { [ "${proto}" = "6" ] && [ -n "$("${ban_ipset_cmd}" -q -n list "${ban_src_name}_${proto}")" ] && [ -z "$(printf "%s" "${ip}" | awk '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print $1}')" ]; }
+                               then
+                                       "${ban_ipset_cmd}" add "${ban_src_name}_${proto}" "${ip}" 2>/dev/null
+                                       if [ "${?}" = "0" ]
+                                       then
+                                               if [ -z "${update_ips}" ]
+                                               then
+                                                       update_ips="${ip}"
+                                               else
+                                                       update_ips="${update_ips}, ${ip}"
+                                               fi
+                                       fi
+                                       break
+                               fi
+                       done
+               done
+               if [ -n "${update_ips}" ]
+               then
+                       ban_rc=0
+                       f_log "debug" "dns_imp ::: source '${ban_src_name}' supplemented by '${domain}' (${update_ips})"
+               fi
+       fi
+done < "${ban_src_file}"
+rm -f "${ban_src_file}"
+f_log "info" "banIP domain import for source '${ban_src_name}' has been finished with rc '${ban_rc}'"
+exit ${ban_rc}
index ed1bfad051d9a3610d465aac4b7cd6f3b365f6b4..5e045a748d5579a651df1d6e2b7fdf8f97c7c11b 100755 (executable)
@@ -12,7 +12,7 @@
 export LC_ALL=C
 export PATH="/usr/sbin:/usr/bin:/sbin:/bin"
 set -o pipefail
-ban_ver="0.7.3"
+ban_ver="0.7.5"
 ban_enabled="0"
 ban_mail_enabled="0"
 ban_proto4_enabled="0"
@@ -44,7 +44,7 @@ ban_ipt6_savecmd="$(command -v ip6tables-save)"
 ban_ipt6_restorecmd="$(command -v ip6tables-restore)"
 ban_ipset_cmd="$(command -v ipset)"
 ban_logger_cmd="$(command -v logger)"
-ban_logread="$(command -v logread)"
+ban_logread_cmd="$(command -v logread)"
 ban_allsources=""
 ban_sources=""
 ban_asns=""
@@ -68,6 +68,7 @@ ban_srcfile="${ban_tmpbase}/ban_sources.json"
 ban_reportdir="${ban_tmpbase}/banIP-Report"
 ban_backupdir="${ban_tmpbase}/banIP-Backup"
 ban_srcarc="/etc/banip/banip.sources.gz"
+ban_dnsservice="/etc/banip/banip.dns"
 ban_mailservice="/etc/banip/banip.mail"
 ban_logservice="/etc/banip/banip.service"
 ban_maclist="/etc/banip/banip.maclist"
@@ -921,7 +922,7 @@ f_bgsrv()
 {
        local bg_pid action="${1}"
 
-       bg_pid="$(pgrep -f "^/bin/sh ${ban_logservice}|${ban_logread}|^grep -qE Exit before auth|^grep -qE error: maximum|^grep -qE luci: failed|^grep -qE nginx" | awk '{ORS=" "; print $1}')"
+       bg_pid="$(pgrep -f "^/bin/sh ${ban_logservice}|${ban_logread_cmd}|^grep -qE Exit before auth|^grep -qE error: maximum|^grep -qE luci: failed|^grep -qE nginx" | awk '{ORS=" "; print $1}')"
        if [ "${action}" = "start" ] && [ -x "${ban_logservice}" ] && [ "${ban_monitor_enabled}" = "1" ]
        then
                if [ -n "${bg_pid}" ]
@@ -1004,6 +1005,20 @@ f_down()
                        if [ "${src_rc}" = "0" ]
                        then
                                f_ipset "create"
+                               src_name="${src_name%_*}"
+                               tmp_dns="${ban_tmpbase}/${src_name}.dns"
+                               if [ ! -f "${tmp_dns}" ] && [ "${proto}" = "4" ]
+                               then
+                                       src_rule="/^([[:alnum:]_-]{1,63}\\.)+[[:alpha:]]+([[:space:]]|$)/{print tolower(\$1)}"
+                                       awk "${src_rule}" "${src_url}" > "${tmp_dns}"
+                                       src_rc="${?}"
+                                       if [ "${src_rc}" = "0" ] && [ -s "${tmp_dns}" ]
+                                       then
+                                               ( "${ban_dnsservice}" "${ban_ver}" "${src_name}" "${tmp_dns}" & )
+                                       else
+                                               rm -f "${tmp_dns}"
+                                       fi
+                               fi
                        else
                                f_log "debug" "f_down  ::: name: ${src_name}, url: ${src_url}, rule: ${src_rule}, rc: ${src_rc}"
                        fi
@@ -1160,7 +1175,7 @@ f_main()
        #
        if [ "${ban_autoblacklist}" = "1" ] || [ "${ban_monitor_enabled}" = "1" ]
        then
-               log_raw="$(${ban_logread} -l "${ban_loglimit}")"
+               log_raw="$(${ban_logread_cmd} -l "${ban_loglimit}")"
                if [ -n "$(printf "%s\n" "${ban_logterms}" | grep -F "dropbear")" ]
                then
                        log_ips="$(printf "%s\n" "${log_raw}" | grep -E "Exit before auth from" | \