banip: release 0.7.0

* major rewrite
* add support for multiple chains
* add mac whitelisting
* add support for multiple ssh daemons in parallel
* add an ipset report engine
* add mail notifications
* add suspend/resume functions
* add a cron wrapper to set an ipset related auto-timer for
  automatic blocklist updates
* add a list wrapper to add/remove blocklist sources
* add 19.x and Turris OS 5.x compatibility code
* sources stored in an external compressed json file
  (/etc/banip/banip.sources.gz)
* change Country/ASN download sources (faster/more reliable)
* fix DHCPv6/icmpv6 issues

Signed-off-by: Dirk Brenken <dev@brenken.org>

net/banip/files/banip.conf

@@ -1,226 +1,16 @@
-
 config banip 'global'
 	option ban_enabled '0'
-	option ban_basever '0.3'
-	option ban_automatic '1'
-	option ban_realtime 'false'
-	option ban_log_src '0'
-	option ban_log_dst '0'
-
-config banip 'extra'
 	option ban_debug '0'
+	option ban_mail_enabled '0'
+	option ban_monitor_enabled '0'
+	option ban_logsrc_enabled '0'
+	option ban_logdst_enabled '0'
+	option ban_autodetect '1'
+	option ban_autoblacklist '1'
+	option ban_autowhitelist '1'
+	option ban_nice '0'
 	option ban_maxqueue '4'
-
-config source 'whitelist'
-	option ban_src '/etc/banip/banip.whitelist'
-	option ban_src_6 '/etc/banip/banip.whitelist'
-	option ban_src_desc 'Always allow these IPs (IPv4/IPv6)'
-	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add whitelist \"\$1}'
-	option ban_src_rset_6 '/^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}(:\/[0-9]{1,2})?([[:space:]]|$)/{print \"add whitelist_6 \"\$1}'
-	option ban_src_settype 'net'
-	option ban_src_ruletype 'src+dst'
-	option ban_src_on '1'
-	option ban_src_on_6 '0'
-
-config source 'blacklist'
-	option ban_src '/etc/banip/banip.blacklist'
-	option ban_src_6 '/etc/banip/banip.blacklist'
-	option ban_src_desc 'Always deny these IPs (IPv4/IPv6)'
-	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add blacklist \"\$1}'
-	option ban_src_rset_6 '/^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}(:\/[0-9]{1,2})?([[:space:]]|$)/{print \"add blacklist_6 \"\$1}'
-	option ban_src_settype 'net'
-	option ban_src_ruletype 'src+dst'
-	option ban_src_on '0'
-	option ban_src_on_6 '0'
-
-config source 'bogon'
-	option ban_src 'https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt'
-	option ban_src_6 'https://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt'
-	option ban_src_desc 'Bogon prefixes, plus prefixes that have been allocated to RIRs but not yet assigned to ISPs (IPv4/IPv6)'
-	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add bogon \"\$1}'
-	option ban_src_rset_6 '/^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}(:\/[0-9]{1,2})?([[:space:]]|$)/{print \"add bogon_6 \"\$1}'
-	option ban_src_settype 'net'
-	option ban_src_ruletype 'src+dst'
-	option ban_src_on '0'
-	option ban_src_on_6 '0'
-
-config source 'DoH'
-	option ban_src 'https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv4.txt'
-	option ban_src_6 'https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-ipv6.txt'
-	option ban_src_desc 'List of public DoH providers (DNS over HTTPS) (IPv4/IPv6)'
-	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add DoH \"\$1}'
-	option ban_src_rset_6 '/^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}(:\/[0-9]{1,2})?([[:space:]]|$)/{print \"add DoH_6 \"\$1}'
-	option ban_src_settype 'net'
-	option ban_src_ruletype 'src+dst'
-	option ban_src_on '0'
-	option ban_src_on_6 '0'
-
-config source 'tor'
-	option ban_src 'https://check.torproject.org/exit-addresses'
-	option ban_src_desc 'List of Tor Exit Nodes (IPv4)'
-	option ban_src_rset '/^(ExitAddress ([0-9]{1,3}\.){3}[0-9]{1,3})([[:space:]]|$)/{print \"add tor \"\$2}'
-	option ban_src_settype 'ip'
-	option ban_src_ruletype 'src'
-	option ban_src_on '0'
-	option ban_src_on_6 '0'
-
-config source 'threat'
-	option ban_src 'https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt'
-	option ban_src_desc 'Emerging Threats (IPv4)'
-	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add threat \"\$1}'
-	option ban_src_settype 'net'
-	option ban_src_ruletype 'src'
-	option ban_src_on '0'
-
-config source 'debl'
-	option ban_src 'https://www.blocklist.de/downloads/export-ips_all.txt'
-	option ban_src_6 'https://www.blocklist.de/downloads/export-ips_all.txt'
-	option ban_src_desc 'Fail2ban reporting service (IPv4/IPv6)'
-	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3})([[:space:]]|$)/{print \"add debl \"\$1}'
-	option ban_src_rset_6 '/^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}(:\/[0-9]{1,2})?([[:space:]]|$)/{print \"add debl_6 \"\$1}'
-	option ban_src_settype 'ip'
-	option ban_src_ruletype 'src'
-	option ban_src_on '0'
-	option ban_src_on_6 '0'
-
-config source 'myip'
-	option ban_src 'https://www.myip.ms/files/blacklist/general/latest_blacklist.txt'
-	option ban_src_6 'https://www.myip.ms/files/blacklist/general/latest_blacklist.txt'
-	option ban_src_desc 'IP blacklist provided by myip.ms (IPv4/IPv6)'
-	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3})([[:space:]]|$)/{print \"add myip \"\$1}'
-	option ban_src_rset_6 '/^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}(:\/[0-9]{1,2})?([[:space:]]|$)/{print \"add myip_6 \"\$1}'
-	option ban_src_settype 'ip'
-	option ban_src_ruletype 'src'
-	option ban_src_on '0'
-	option ban_src_on_6 '0'
-
-config source 'yoyo'
-	option ban_src 'https://pgl.yoyo.org/adservers/iplist.php?ipformat=plain&showintro=0&mimetype=plaintext'
-	option ban_src_desc 'IP blocklist provided by Peter Lowe (IPv4)'
-	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3})([[:space:]]|$)/{print \"add yoyo \"\$1}'
-	option ban_src_settype 'ip'
-	option ban_src_ruletype 'src'
-	option ban_src_on '0'
-
-config source 'sslbl'
-	option ban_src 'https://sslbl.abuse.ch/blacklist/sslipblacklist.csv'
-	option ban_src_desc 'SSL Blacklist by abuse.ch (IPv4)'
-	option ban_src_rset 'BEGIN{FS=\",\"}/(([0-9]{1,3}\.){3}[0-9]{1,3},).*/{print \"add sslbl \"\$2}'
-	option ban_src_settype 'ip'
-	option ban_src_ruletype 'src'
-	option ban_src_on '0'
-
-config source 'ransomware'
-	option ban_src 'https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt'
-	option ban_src_desc 'Ransomware Tracker by abuse.ch (IPv4)'
-	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3})([[:space:]]|$)/{print \"add ransomware \"\$1}'
-	option ban_src_settype 'ip'
-	option ban_src_ruletype 'src'
-	option ban_src_on '0'
-
-config source 'feodo'
-	option ban_src 'https://feodotracker.abuse.ch/downloads/ipblocklist.txt'
-	option ban_src_desc 'Feodo Tracker by abuse.ch (IPv4)'
-	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3})([[:space:]]|$)/{print \"add feodo \"\$1}'
-	option ban_src_settype 'ip'
-	option ban_src_ruletype 'src'
-	option ban_src_on '0'
-
-config source 'dshield'
-	option ban_src 'https://feeds.dshield.org/block.txt'
-	option ban_src_desc 'Dshield recommended IP blocklist. Contains top 20 attacking class C subnets (IPv4)'
-	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3})([[:space:]]|$)/{print \"add dshield \"\$1 \"/\"\$3}'
-	option ban_src_settype 'net'
-	option ban_src_ruletype 'src'
-	option ban_src_on '0'
-
-config source 'proxy'
-	option ban_src 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/proxylists.ipset'
-	option ban_src_desc 'List of Open Proxies (IPv4)'
-	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3})([[:space:]]|$)/{print \"add proxy \"\$1}'
-	option ban_src_settype 'ip'
-	option ban_src_ruletype 'src'
-	option ban_src_on '0'
-
-config source 'iblocklist'
-	option ban_src 'https://list.iblocklist.com/?list=dgxtneitpuvgqqcpfulq&fileformat=cidr&archiveformat=gz'
-	option ban_src_desc 'Contains advertising trackers and a short list of bad/intrusive porn sites (IPv4)'
-	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add iblocklist \"\$1}'
-	option ban_src_settype 'net'
-	option ban_src_ruletype 'src'
-	option ban_src_on '0'
-
-config source 'drop'
-	option ban_src 'https://www.spamhaus.org/drop/drop.txt'
-	option ban_src_6 'https://www.spamhaus.org/drop/dropv6.txt'
-	option ban_src_desc 'Spamhaus drop compilation (IPv4/IPv6)'
-	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add drop \"\$1}'
-	option ban_src_rset_6 '/^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}(:\/[0-9]{1,2})?([[:space:]]|$)/{print \"add drop_6 \"\$1}'
-	option ban_src_settype 'net'
-	option ban_src_ruletype 'src'
-	option ban_src_on '0'
-	option ban_src_on_6 '0'
-
-config source 'edrop'
-	option ban_src 'https://www.spamhaus.org/drop/edrop.txt'
-	option ban_src_desc 'Spamhaus edrop compilation (IPv4)'
-	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add edrop \"\$1}'
-	option ban_src_settype 'net'
-	option ban_src_ruletype 'src'
-	option ban_src_on '0'
-
-config source 'firehol1'
-	option ban_src 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset'
-	option ban_src_desc 'Firehol Level 1 compilation. Contains bogons, spamhaus drop and edrop, dshield and malware lists (IPv4)'
-	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add firehol1 \"\$1}'
-	option ban_src_settype 'net'
-	option ban_src_ruletype 'src'
-	option ban_src_on '0'
-
-config source 'firehol2'
-	option ban_src 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level2.netset'
-	option ban_src_desc 'Firehol Level 2 compilation. Contains blocklists that track attacks, during the last 48 hours (IPv4)'
-	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add firehol2 \"\$1}'
-	option ban_src_settype 'net'
-	option ban_src_ruletype 'src'
-	option ban_src_on '0'
-
-config source 'firehol3'
-	option ban_src 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level3.netset'
-	option ban_src_desc 'Firehol Level 3 compilation. Contains blocklists that track attacks, spyware and viruses (IPv4)'
-	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add firehol3 \"\$1}'
-	option ban_src_settype 'net'
-	option ban_src_ruletype 'src'
-	option ban_src_on '0'
-
-config source 'firehol4'
-	option ban_src 'https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level4.netset'
-	option ban_src_desc 'Firehol Level 4 compilation. May include a large number of false positives (IPv4)'
-	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add firehol4 \"\$1}'
-	option ban_src_settype 'net'
-	option ban_src_ruletype 'src'
-	option ban_src_on '0'
-
-config source 'country'
-	option ban_src 'https://stat.ripe.net/data/country-resource-list/data.json?resource='
-	option ban_src_6 'https://stat.ripe.net/data/country-resource-list/data.json?resource='
-	option ban_src_desc 'Build a dynamic IPSet by country iso codes based on RIPE data (IPv4/IPv6)'
-	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add country \"\$1}'
-	option ban_src_rset_6 '/^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}(:\/[0-9]{1,2})?([[:space:]]|$)/{print \"add country_6 \"\$1}'
-	list ban_src_cat 'de'
-	option ban_src_settype 'net'
-	option ban_src_ruletype 'src'
-	option ban_src_on '0'
-	option ban_src_on_6 '0'
-
-config source 'asn'
-	option ban_src 'https://stat.ripe.net/data/announced-prefixes/data.json?resource='
-	option ban_src_6 'https://stat.ripe.net/data/announced-prefixes/data.json?resource='
-	option ban_src_desc 'Build a dynamic IPSet by ASN numbers based on RIPE data (IPv4/IPv6)'
-	option ban_src_rset '/^(([0-9]{1,3}\.){3}[0-9]{1,3}(\/[0-9]{1,2})?)([[:space:]]|$)/{print \"add asn \"\$1}'
-	option ban_src_rset_6 '/^([0-9a-fA-F]{0,4}:){1,7}[0-9a-fA-F]{0,4}(:\/[0-9]{1,2})?([[:space:]]|$)/{print \"add asn_6 \"\$1}'
-	list ban_src_cat '32934'
-	option ban_src_settype 'net'
-	option ban_src_ruletype 'src'
-	option ban_src_on '0'
-	option ban_src_on_6 '0'
+	option ban_global_settype 'src+dst'
+	option ban_target_src 'DROP'
+	option ban_target_dst 'REJECT'
+	option ban_loglimit '100'