banip: update 0.9.5-5
authorDirk Brenken <dev@brenken.org>
Sun, 5 May 2024 19:57:28 +0000 (21:57 +0200)
committerDirk Brenken <dev@brenken.org>
Mon, 6 May 2024 19:31:55 +0000 (21:31 +0200)
* fix a processing race condition
* it's now possible to disable the icmp/syn/udp safeguards in pre-routing by setting the threshold to '0'.

Signed-off-by: Dirk Brenken <dev@brenken.org>
(cherry picked from commit 083554094b169ad79ce4d4054e227f0829722de7)

net/banip/Makefile
net/banip/files/README.md
net/banip/files/banip-functions.sh
net/banip/files/banip-service.sh

index 43bf050f1ee4ae2d51fe70d7b667da193ae4fe51..1a726d82429f36837e2642d89f24614ee209d7b7 100644 (file)
@@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=banip
 PKG_VERSION:=0.9.5
-PKG_RELEASE:=4
+PKG_RELEASE:=5
 PKG_LICENSE:=GPL-3.0-or-later
 PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>
 
index 4f4300a01ea9f0f48fe46ca216b55350a5484cb7..fef0e9caaac8aa05388a55bd642cc224093223aa 100644 (file)
@@ -154,9 +154,9 @@ Available commands:
 | ban_logreadfile         | option | /var/log/messages             | alternative location for parsing the log file, e.g. via syslog-ng, to deactivate the standard parsing via logread |
 | ban_autodetect          | option | 1                             | auto-detect wan interfaces, devices and subnets                                                                   |
 | ban_debug               | option | 0                             | enable banIP related debug logging                                                                                |
-| ban_icmplimit           | option | 10                            | treshold in number of packets to detect icmp DDoS in prerouting chain                                             |
-| ban_synlimit            | option | 10                            | treshold in number of packets to detect syn DDoS in prerouting chain                                              |
-| ban_udplimit            | option | 100                           | treshold in number of packets to detect udp DDoS in prerouting chain                                              |
+| ban_icmplimit           | option | 10                            | threshold in number of packets to detect icmp DDoS in prerouting chain. A value of '0' disables this safeguard    |
+| ban_synlimit            | option | 10                            | threshold in number of packets to detect syn DDoS in prerouting chain. A value of '0' disables this safeguard     |
+| ban_udplimit            | option | 100                           | threshold in number of packets to detect udp DDoS in prerouting chain. A value of '0' disables this safeguard     |
 | ban_logprerouting       | option | 0                             | log supsicious packets in the prerouting chain                                                                    |
 | ban_loginput            | option | 0                             | log supsicious packets in the wan-input chain                                                                     |
 | ban_logforwardwan       | option | 0                             | log supsicious packets in the wan-forward chain                                                                   |
index e9cf873674dd40c55fba77965aeb9d404874c860..be009f428fe7f25756f25bba70471a1670ebcbbd 100644 (file)
@@ -656,10 +656,12 @@ f_nftinit() {
                #
                printf "%s\n" "add rule inet banIP pre-routing iifname != { ${wan_dev} } counter accept"
                printf "%s\n" "add rule inet banIP pre-routing ct state invalid ${log_ct} counter name cnt-ctinvalid drop"
-               printf "%s\n" "add rule inet banIP pre-routing ip protocol icmp limit rate over ${ban_icmplimit}/second ${log_icmp} counter name cnt-icmpflood drop"
-               printf "%s\n" "add rule inet banIP pre-routing ip6 nexthdr icmpv6 limit rate over ${ban_icmplimit}/second ${log_icmp} counter name cnt-icmpflood drop"
-               printf "%s\n" "add rule inet banIP pre-routing meta l4proto udp ct state new limit rate over ${ban_udplimit}/second ${log_udp} counter name cnt-udpflood drop"
-               printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|ack) == syn limit rate over ${ban_synlimit}/second ${log_syn} counter name cnt-synflood drop"
+               if [ "${ban_icmplimit}" -gt "0" ]; then
+                       printf "%s\n" "add rule inet banIP pre-routing ip protocol icmp limit rate over ${ban_icmplimit}/second ${log_icmp} counter name cnt-icmpflood drop"
+                       printf "%s\n" "add rule inet banIP pre-routing ip6 nexthdr icmpv6 limit rate over ${ban_icmplimit}/second ${log_icmp} counter name cnt-icmpflood drop"
+               fi
+               [ "${ban_udplimit}" -gt "0" ] && printf "%s\n" "add rule inet banIP pre-routing meta l4proto udp ct state new limit rate over ${ban_udplimit}/second ${log_udp} counter name cnt-udpflood drop"
+               [ "${ban_synlimit}" -gt "0" ] && printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|ack) == syn limit rate over ${ban_synlimit}/second ${log_syn} counter name cnt-synflood drop"
                printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn) == (fin|syn) ${log_tcp} counter name cnt-tcpinvalid drop"
                printf "%s\n" "add rule inet banIP pre-routing tcp flags & (syn|rst) == (syn|rst) ${log_tcp} counter name cnt-tcpinvalid drop"
                printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) ${log_tcp} counter name cnt-tcpinvalid drop"
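Review bot: The new `-gt "0"` guards on lines 50, 54 and 55 fail open when the option is unset or not a number: `[ "" -gt "0" ]` is a test error in busybox ash, dash and bash (non-zero status), so the flood-protection rule is silently omitted instead of being installed with its documented default. Unless the three options are already normalized before f_nftinit runs — not visible in this hunk — a guard per option such as `case "${ban_icmplimit}" in ''|*[!0-9]*) ban_icmplimit="10" ;; esac` (10, 10 and 100 being the README defaults) would make a missing or garbled value keep the protection rather than drop it. The icmp check uses an `if` block while udp and syn use `[ … ] && printf`; one form for all three would read more consistently, and a short comment such as `# a threshold of 0 disables the safeguard` above line 50 would record the new convention at the point where it takes effect. f_nftinit starts and ends outside the hunk.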
index fac3f15f4ac5f0c2e3be4a8e482cd9852287e523..f13d605a7029c003b22df1ab6c311731259105a9 100755 (executable)
@@ -150,14 +150,14 @@ wait
 
 # end processing
 #
-if [ "${ban_mailnotification}" = "1" ] && [ -n "${ban_mailreceiver}" ] && [ -x "${ban_mailcmd}" ]; then
-       (
-               sleep 5
+(
+       sleep 5
+       if [ "${ban_mailnotification}" = "1" ] && [ -n "${ban_mailreceiver}" ] && [ -x "${ban_mailcmd}" ]; then
                f_mail
-       ) &
-fi
-json_cleanup
-rm -rf "${ban_lock}"
+       fi
+       json_cleanup
+       rm -rf "${ban_lock}"
+) &
 
 # start detached log service (infinite loop)
 #