From b65353b4f76f89c11a8e7f2c6307d461e0dce696 Mon Sep 17 00:00:00 2001
From: Dirk Brenken <dev@brenken.org>
Date: Sat, 20 Feb 2021 10:26:16 +0100
Subject: [PATCH] banip: update to 0.7.3

* fix search string/pipe preparation for the background service
* fix IPSet maxelem limitation, made it more flexible
* fix potential error during resume action
* add Cisco Talos IP blacklist
* update readme

Signed-off-by: Dirk Brenken <dev@brenken.org>
---
 net/banip/Makefile            |  2 +-
 net/banip/files/README.md     |  2 ++
 net/banip/files/banip.sh      | 57 +++++++++++++++++++----------------
 net/banip/files/banip.sources |  6 ++++
 4 files changed, 40 insertions(+), 27 deletions(-)

diff --git a/net/banip/Makefile b/net/banip/Makefile
index 69f3cee77..dea787b9e 100644
--- a/net/banip/Makefile
+++ b/net/banip/Makefile
@@ -6,7 +6,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=banip
-PKG_VERSION:=0.7.2
+PKG_VERSION:=0.7.3
 PKG_RELEASE:=1
 PKG_LICENSE:=GPL-3.0-or-later
 PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>
diff --git a/net/banip/files/README.md b/net/banip/files/README.md
index 498c95baa..83fbf4081 100644
--- a/net/banip/files/README.md
+++ b/net/banip/files/README.md
@@ -31,6 +31,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre
 | nixspam             | iX spam protection             | [Link](http://www.nixspam.org)                                                    |
 | proxy               | Firehol list of open proxies   | [Link](https://iplists.firehol.org/?ipset=proxylists)                             |
 | ssbl                | SSL botnet IP blacklist        | [Link](https://sslbl.abuse.ch)                                                    |
+| talos               | Cisco Talos IP Blacklist       | [Link](https://talosintelligence.com/reputation_center)                           |
 | threat              | Emerging Threats               | [Link](https://rules.emergingthreats.net)                                         |
 | tor                 | Tor exit nodes                 | [Link](https://fissionrelays.net/lists)                                           |
 | uceprotect1         | Spam protection level 1        | [Link](http://www.uceprotect.net/en/index.php)                                    |
@@ -68,6 +69,7 @@ IP address blocking is commonly used to protect against brute force attacks, pre
 * [OpenWrt](https://openwrt.org), tested with the stable release series (19.07.x) and with the latest rolling snapshot releases. On turris devices it has been successfully tested with TurrisOS 5.2.x  
   <b>Please note:</b> Older OpenWrt releases like 18.06.x or 17.01.x are _not_ supported!  
   <b>Please note:</b> Devices with less than 128 MByte RAM are _not_ supported!  
+  <b>Please note:</b> If you're updating from former banIP 0.3x please manually remove your config (/etc/config/banip) before you start!  
 * A download utility with SSL support: 'wget', 'uclient-fetch' with one of the 'libustream-*' ssl libraries, 'aria2c' or 'curl' is required
 * A certificate store like 'ca-bundle', as banIP checks the validity of the SSL certificates of all download sites by default
 * Optional E-Mail notification support: for E-Mail notifications you need to install the additional 'msmtp' package
diff --git a/net/banip/files/banip.sh b/net/banip/files/banip.sh
index 179f6f458..ed1bfad05 100755
--- a/net/banip/files/banip.sh
+++ b/net/banip/files/banip.sh
@@ -12,7 +12,7 @@
 export LC_ALL=C
 export PATH="/usr/sbin:/usr/bin:/sbin:/bin"
 set -o pipefail
-ban_ver="0.7.2"
+ban_ver="0.7.3"
 ban_enabled="0"
 ban_mail_enabled="0"
 ban_proto4_enabled="0"
@@ -93,11 +93,11 @@ f_load()
 	#
 	if [ "${ban_enabled}" = "0" ]
 	then
+		f_bgsrv "stop"
 		f_ipset "destroy"
 		f_jsnup "disabled"
 		f_rmbckp
 		f_rmtmp
-		f_bgsrv "stop"
 		f_log "info" "banIP is currently disabled, please set the config option 'ban_enabled' to '1' to use this service"
 		exit 0
 	fi
@@ -739,22 +739,24 @@ f_ipset()
 			return "${out_rc}"
 		;;
 		"create")
-			if [ "${src_name}" = "maclist" ] && [ -s "${tmp_file}" ] && [ -z "$("${ban_ipset_cmd}" -q -n list "${src_name}")" ]
-			then
-				"${ban_ipset_cmd}" create "${src_name}" hash:mac maxelem 262144 counters timeout "${ban_maclist_timeout:-"0"}"
-				out_rc="${?}"
-			elif [ -s "${tmp_file}" ] && [ -z "$("${ban_ipset_cmd}" -q -n list "${src_name}")" ]
+			if [ -s "${tmp_file}" ] && [ -z "$("${ban_ipset_cmd}" -q -n list "${src_name}")" ]
 			then
-				if [ "${src_name%_*}" = "whitelist" ]
+				cnt="$(awk 'END{print NR}' "${tmp_file}" 2>/dev/null)"
+				cnt=$((cnt+262144))
+				if [ "${src_name}" = "maclist" ]
+				then
+					"${ban_ipset_cmd}" create "${src_name}" hash:mac hashsize 64 maxelem "${cnt}" counters timeout "${ban_maclist_timeout:-"0"}"
+					out_rc="${?}"
+				elif [ "${src_name%_*}" = "whitelist" ]
 				then
-					"${ban_ipset_cmd}" create "${src_name}" hash:net hashsize 64 maxelem 262144 family "${src_ipver}" counters timeout "${ban_whitelist_timeout:-"0"}"
+					"${ban_ipset_cmd}" create "${src_name}" hash:net hashsize 64 maxelem "${cnt}" family "${src_ipver}" counters timeout "${ban_whitelist_timeout:-"0"}"
 					out_rc="${?}"
 				elif [ "${src_name%_*}" = "blacklist" ]
 				then
-					"${ban_ipset_cmd}" create "${src_name}" hash:net hashsize 64 maxelem 262144 family "${src_ipver}" counters timeout "${ban_blacklist_timeout:-"0"}"
+					"${ban_ipset_cmd}" create "${src_name}" hash:net hashsize 64 maxelem "${cnt}" family "${src_ipver}" counters timeout "${ban_blacklist_timeout:-"0"}"
 					out_rc="${?}"
 				else
-					"${ban_ipset_cmd}" create "${src_name}" hash:net hashsize 64 maxelem 262144 family "${src_ipver}" counters
+					"${ban_ipset_cmd}" create "${src_name}" hash:net hashsize 64 maxelem "${cnt}" family "${src_ipver}" counters
 					out_rc="${?}"
 				fi
 			else
@@ -821,19 +823,22 @@ f_ipset()
 			f_log "debug" "f_ipset ::: name: ${src:-"-"}, mode: ${mode:-"-"}"
 		;;
 		"resume")
-			"${ban_ipset_cmd}" -q -! restore < "${ban_backupdir}/${src_name}.file"
-			out_rc="${?}"
-			if [ "${out_rc}" = "0" ]
+			if [ -f "${ban_backupdir}/${src_name}.file" ]
 			then
-				rm -f "${ban_backupdir}/${src_name}.file"
-				src_list="$("${ban_ipset_cmd}" -q list "${src_name}")"
-				cnt="$(printf "%s\n" "${src_list}" | awk '/^Number of entries:/{print $4}')"
-				cnt_mac="$(printf "%s\n" "${src_list}" | grep -cE "^(([0-9A-Z][0-9A-Z]:){5}[0-9A-Z]{2} packets)")"
-				cnt_cidr="$(printf "%s\n" "${src_list}" | grep -cE "(/[0-9]{1,3} packets)")"
-				cnt_ip=$((cnt-cnt_cidr-cnt_mac))
-				printf "%s\n" "${cnt}" > "${tmp_cnt}"
+				"${ban_ipset_cmd}" -q -! restore < "${ban_backupdir}/${src_name}.file"
+				out_rc="${?}"
+				if [ "${out_rc}" = "0" ]
+				then
+					rm -f "${ban_backupdir}/${src_name}.file"
+					src_list="$("${ban_ipset_cmd}" -q list "${src_name}")"
+					cnt="$(printf "%s\n" "${src_list}" | awk '/^Number of entries:/{print $4}')"
+					cnt_mac="$(printf "%s\n" "${src_list}" | grep -cE "^(([0-9A-Z][0-9A-Z]:){5}[0-9A-Z]{2} packets)")"
+					cnt_cidr="$(printf "%s\n" "${src_list}" | grep -cE "(/[0-9]{1,3} packets)")"
+					cnt_ip=$((cnt-cnt_cidr-cnt_mac))
+					printf "%s\n" "${cnt}" > "${tmp_cnt}"
+				fi
+				f_iptables
 			fi
-			f_iptables
 			end_ts="$(date +%s)"
 			out_rc="${out_rc:-"${in_rc}"}"
 			f_log "debug" "f_ipset ::: name: ${src_name:-"-"}, mode: ${mode:-"-"}, ipver: ${src_ipver:-"-"}, settype: ${src_settype:-"-"}, count(sum/ip/cidr/mac): ${cnt}/${cnt_ip}/${cnt_cidr}/${cnt_mac}, time: $((end_ts-start_ts)), out_rc: ${out_rc}"
@@ -937,9 +942,9 @@ f_bgsrv()
 		fi
 		if [ -n "$(printf "%s\n" "${ban_logterms}" | grep -F "nginx")" ]
 		then
-			ban_search="${ban_search}nginx\[[0-9]+\]:.*\[error\].*open().*client: [[:alnum:].:]+"
+			ban_search="${ban_search}nginx\[[0-9]+\]:.*\[error\].*open().*client: [[:alnum:].:]+|"
 		fi
-		( "${ban_logservice}" "${ban_ver}" "${ban_search}" & )
+		( "${ban_logservice}" "${ban_ver}" "${ban_search%?}" & )
 	elif [ "${action}" = "stop" ] && [ -n "${bg_pid}" ]
 	then
 		kill -HUP "${bg_pid}" 2>/dev/null
@@ -1750,10 +1755,10 @@ fi
 f_load
 case "${ban_action}" in
 	"stop")
+		f_bgsrv "stop"
 		f_ipset "destroy"
 		f_jsnup "stopped"
 		f_rmbckp
-		f_bgsrv "stop"
 	;;
 	"restart")
 		f_ipset "destroy"
@@ -1764,10 +1769,10 @@ case "${ban_action}" in
 	"suspend")
 		if [ "${ban_status}" = "enabled" ]
 		then
+			f_bgsrv "stop"
 			f_jsnup "running"
 			f_ipset "suspend"
 			f_jsnup "paused"
-			f_bgsrv "stop"
 		fi
 		f_rmtmp
 	;;
diff --git a/net/banip/files/banip.sources b/net/banip/files/banip.sources
index 3255e4fa4..9dce5ae35 100644
--- a/net/banip/files/banip.sources
+++ b/net/banip/files/banip.sources
@@ -142,6 +142,12 @@
 		"focus": "SSL botnet IP blacklist",
 		"descurl": "https://sslbl.abuse.ch"
 	},
+	"talos": {
+		"url_4": "https://www.talosintelligence.com/documents/ip-blacklist",
+		"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add talos_4 \"$1}",
+		"focus": "Cisco Talos IP Blacklist",
+		"descurl": "https://talosintelligence.com/reputation_center"
+	},
 	"threat": {
 		"url_4": "https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt",
 		"rule_4": "/^(([0-9]{1,3}\\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])(\\/(1?[0-9]|2?[0-9]|3?[0-2]))?)([[:space:]]|$)/{print \"add threat_4 \"$1}",