banip: update 0.9.5-5

* fix a processing race condition
* the icmp/syn/udp safeguards in pre-routing can now be disabled by setting the threshold to '0'.

Signed-off-by: Dirk Brenken <dev@brenken.org>
Dirk Brenken 2024-05-05 21:57:28 +02:00
parent 7cdf7b9c1a
commit 083554094b
GPG Key ID: 9D71CD547BFAE684
4 changed files with 17 additions and 15 deletions


@ -6,7 +6,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=banip
PKG_VERSION:=0.9.5
PKG_RELEASE:=4
PKG_RELEASE:=5
PKG_LICENSE:=GPL-3.0-or-later
PKG_MAINTAINER:=Dirk Brenken <dev@brenken.org>


@ -154,9 +154,9 @@ Available commands:
| ban_logreadfile | option | /var/log/messages | alternative location for parsing the log file, e.g. via syslog-ng, to deactivate the standard parsing via logread |
| ban_autodetect | option | 1 | auto-detect wan interfaces, devices and subnets |
| ban_debug | option | 0 | enable banIP related debug logging |
| ban_icmplimit | option | 10 | treshold in number of packets to detect icmp DDoS in prerouting chain |
| ban_synlimit | option | 10 | treshold in number of packets to detect syn DDoS in prerouting chain |
| ban_udplimit | option | 100 | treshold in number of packets to detect udp DDoS in prerouting chain |
| ban_icmplimit | option | 10 | threshold in number of packets to detect icmp DDoS in prerouting chain. A value of '0' disables this safeguard |
| ban_synlimit | option | 10 | threshold in number of packets to detect syn DDoS in prerouting chain. A value of '0' disables this safeguard |
| ban_udplimit | option | 100 | threshold in number of packets to detect udp DDoS in prerouting chain. A value of '0' disables this safeguard |
| ban_logprerouting | option | 0 | log supsicious packets in the prerouting chain |
| ban_loginput | option | 0 | log supsicious packets in the wan-input chain |
| ban_logforwardwan | option | 0 | log supsicious packets in the wan-forward chain |


@ -656,10 +656,12 @@ f_nftinit() {
#
printf "%s\n" "add rule inet banIP pre-routing iifname != { ${wan_dev} } counter accept"
printf "%s\n" "add rule inet banIP pre-routing ct state invalid ${log_ct} counter name cnt-ctinvalid drop"
printf "%s\n" "add rule inet banIP pre-routing ip protocol icmp limit rate over ${ban_icmplimit}/second ${log_icmp} counter name cnt-icmpflood drop"
printf "%s\n" "add rule inet banIP pre-routing ip6 nexthdr icmpv6 limit rate over ${ban_icmplimit}/second ${log_icmp} counter name cnt-icmpflood drop"
printf "%s\n" "add rule inet banIP pre-routing meta l4proto udp ct state new limit rate over ${ban_udplimit}/second ${log_udp} counter name cnt-udpflood drop"
printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|ack) == syn limit rate over ${ban_synlimit}/second ${log_syn} counter name cnt-synflood drop"
if [ "${ban_icmplimit}" -gt "0" ]; then
printf "%s\n" "add rule inet banIP pre-routing ip protocol icmp limit rate over ${ban_icmplimit}/second ${log_icmp} counter name cnt-icmpflood drop"
printf "%s\n" "add rule inet banIP pre-routing ip6 nexthdr icmpv6 limit rate over ${ban_icmplimit}/second ${log_icmp} counter name cnt-icmpflood drop"
fi
[ "${ban_udplimit}" -gt "0" ] && printf "%s\n" "add rule inet banIP pre-routing meta l4proto udp ct state new limit rate over ${ban_udplimit}/second ${log_udp} counter name cnt-udpflood drop"
[ "${ban_synlimit}" -gt "0" ] && printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|ack) == syn limit rate over ${ban_synlimit}/second ${log_syn} counter name cnt-synflood drop"
printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn) == (fin|syn) ${log_tcp} counter name cnt-tcpinvalid drop"
printf "%s\n" "add rule inet banIP pre-routing tcp flags & (syn|rst) == (syn|rst) ${log_tcp} counter name cnt-tcpinvalid drop"
printf "%s\n" "add rule inet banIP pre-routing tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) ${log_tcp} counter name cnt-tcpinvalid drop"
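Review bot: The new numeric guards `[ "${ban_icmplimit}" -gt "0" ]` (and the udp/syn one-liners below it) fail open in a quiet way when the option is empty or not an integer: the test prints an "integer expression expected" style error to stderr and evaluates false, so a mistyped value leaves the flood rule out of the generated ruleset with no hint in the nft output, whereas the old unconditional printf would at least have produced a rule that nft rejects loudly. Presumably the option loader elsewhere applies the documented defaults (10/10/100), but a value such as `1O` would still slip through; normalising before the test, e.g. `case "${ban_icmplimit}" in ''|*[!0-9]*) ban_icmplimit="10" ;; esac` (and likewise for udp/syn), keeps the safeguard on and makes the "0 disables" contract explicit. The icmp block uses `if … fi` while udp and syn use `[ … ] && printf`; one form for all three would read more consistently, with a short comment such as `# a threshold of 0 disables the respective pre-routing safeguard`. f_nftinit begins and continues outside this hunk.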


@ -150,14 +150,14 @@ wait
# end processing
#
if [ "${ban_mailnotification}" = "1" ] && [ -n "${ban_mailreceiver}" ] && [ -x "${ban_mailcmd}" ]; then
(
sleep 5
(
sleep 5
if [ "${ban_mailnotification}" = "1" ] && [ -n "${ban_mailreceiver}" ] && [ -x "${ban_mailcmd}" ]; then
f_mail
) &
fi
json_cleanup
rm -rf "${ban_lock}"
fi
json_cleanup
rm -rf "${ban_lock}"
) &
# start detached log service (infinite loop)
#