From 70ab67649b6a96e7581048ec9c1a7a4debce005d Mon Sep 17 00:00:00 2001 From: Dirk Brenken Date: Wed, 9 Oct 2019 14:07:05 +0200 Subject: [PATCH] banip: update 0.3.1 * the WAN auto detection now supports multiple interfaces, too * no longer filter out possible LAN devices * add a new DoH (DNS over HTTPS) blocklist source with public DoH DNS server addresses, to effectively block client side DoH communication, e.g. via Firefox or Chrome Signed-off-by: Dirk Brenken --- net/banip/Makefile | 2 +- net/banip/files/banip.conf | 11 +++++++++++ net/banip/files/banip.sh | 35 ++++++++++++++++++++++++----------- 3 files changed, 36 insertions(+), 12 deletions(-) diff --git a/net/banip/Makefile b/net/banip/Makefile index 897ecd8a7..a9aaf7abe 100644 --- a/net/banip/Makefile +++ b/net/banip/Makefile @@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=banip -PKG_VERSION:=0.3.0 +PKG_VERSION:=0.3.1 PKG_RELEASE:=1 PKG_LICENSE:=GPL-3.0-or-later PKG_MAINTAINER:=Dirk Brenken diff --git a/net/banip/files/banip.conf b/net/banip/files/banip.conf index 04f5cee8d..68a48aad4 100644 --- a/net/banip/files/banip.conf +++ b/net/banip/files/banip.conf @@ -42,6 +42,17 @@ config source 'bogon' option ban_src_on '0' option ban_src_on_6 '0' +config source 'DoH' + option ban_src 'https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv4.txt' + option ban_src_6 'https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv6.txt' + option ban_src_desc 'List of public DoH providers (DNS over HTTPS) (IPv4/IPv6)' + option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add DoH \"\$1}' + option ban_src_rset_6 '/^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}(:\/[0-9]{1,2})?([[:space:]]|$)/{print \"add DoH_6 \"\$1}' + option ban_src_settype 'net' + option ban_src_ruletype 'src+dst' + option ban_src_on '0' + option ban_src_on_6 '0' + config source 'tor' option ban_src 'https://check.torproject.org/exit-addresses' option ban_src_desc 'List of Tor Exit Nodes (IPv4)' diff --git a/net/banip/files/banip.sh b/net/banip/files/banip.sh index 8634b19df..bf322444d 100755 --- a/net/banip/files/banip.sh +++ b/net/banip/files/banip.sh @@ -13,7 +13,7 @@ # LC_ALL=C PATH="/usr/sbin:/usr/bin:/sbin:/bin" -ban_ver="0.3.0" +ban_ver="0.3.1" ban_basever="" ban_enabled=0 ban_automatic="1" @@ -127,7 +127,7 @@ f_envload() # f_envcheck() { - local util utils packages tmp cnt=0 + local util utils packages iface tmp cnt=0 cnt_max=0 # check backup directory # @@ -189,12 +189,25 @@ f_envcheck() then while [ "${cnt}" -le 30 ] do - network_find_wan ban_iface - if [ -z "${ban_iface}" ] + network_find_wan iface + if [ -n "${iface}" ] && [ -z "$(printf "%s\\n" "${ban_iface}" | grep -F "${iface}")" ] then - network_find_wan6 ban_iface + ban_iface="${ban_iface} ${iface}" + if [ "${cnt_max}" -eq 0 ] + then + cnt_max=$((cnt+5)) + fi + fi + network_find_wan6 iface + if [ -n "${iface}" ] && [ -z "$(printf "%s\\n" "${ban_iface}" | grep -F "${iface}")" ] + then + ban_iface="${ban_iface} ${iface}" + if [ "${cnt_max}" -eq 0 ] + then + cnt_max=$((cnt+5)) + fi fi - if [ -z "${ban_iface}" ] + if [ -z "${ban_iface}" ] || [ "${cnt}" -le "${cnt_max}" ] then network_flush_cache cnt=$((cnt+1)) @@ -208,23 +221,23 @@ f_envcheck() for iface in ${ban_iface} do network_get_device tmp "${iface}" - if [ -n "${tmp}" ] + if [ -n "${tmp}" ] && [ -z "$(printf "%s\\n" "${ban_dev}" | grep -F "${tmp}")" ] then ban_dev="${ban_dev} ${tmp}" else network_get_physdev tmp "${iface}" - if [ -n "${tmp}" ] + if [ -n "${tmp}" ] && [ -z "$(printf "%s\\n" "${ban_dev}" | grep -F "${tmp}")" ] then ban_dev="${ban_dev} ${tmp}" fi fi network_get_subnets tmp "${iface}" - if [ -n "${tmp}" ] + if [ -n "${tmp}" ] && [ -z "$(printf "%s\\n" "${ban_subnets}" | grep -F "${tmp}")" ] then ban_subnets="${ban_subnets} ${tmp}" fi network_get_subnets6 tmp "${iface}" - if [ -n "${tmp}" ] + if [ -n "${tmp}" ] && [ -z "$(printf "%s\\n" "${ban_subnets6}" | grep -F "${tmp}")" ] then ban_subnets6="${ban_subnets6} ${tmp}" fi @@ -234,7 +247,7 @@ f_envcheck() then f_log "err" "wan interface(s)/device(s) (${ban_iface:-"-"}/${ban_dev:-"-"}) not found, please please check your configuration" else - ban_dev_all="$(${ban_ip} link show | awk 'BEGIN{FS="[@: ]"}/^[0-9:]/{if(($3!="lo")&&($3!="br-lan")){print $3}}')" + ban_dev_all="$(${ban_ip} link show | awk 'BEGIN{FS="[@: ]"}/^[0-9:]/{if($3!="lo"){print $3}}')" f_jsnup "running" f_log "info" "start banIP processing (${ban_action})" fi