Hi!
There really isn't any interest; seems like the user base believes adblock is better.
And anyone managing networks, and blocking outgoing connections to known botnets or malware, must be using other things for that specific task.
As you point out, prips and grepcidr aren't packaged for OpenWrt, as opposed to Ubuntu and other "network" appliance distributions.
Yeh, I'm puzzling a bit, as this is generally useful, even if prips and grepcidr are an inconvenience.
But the two programs are so simple they don't come with configure or autogen.sh.
Not awfully difficult to understand what mine does; ensured you can look at lots of temporary files easily to check things.
Now getting slightly more complicated because I really, really want this never-flush feature, and the diff, and that it works properly and does sane things with netblocks, and between small netblocks and individual IPs.
Hard to do without grepcidr.
grepcidr -C 202.27.96.0/21 cidr_play
202.27.100.0/22
202.27.96.0/21
202.27.96.0/23
202.27.98.0/24
202.27.99.0/24
That's overlapping intervals, as you were saying, which makes NFT reject them; the biggest is sufficient.
But it gets a combination of irritating and oddly pleasurable procrastination, wondering how best to do it.
grepcidr -D $line cidr_play | sort -t "/" -k2 | head -n1
202.27.96.0/21
is guaranteed to output the biggest netblock for any line that you check.
As these programs lack a few features, making unix pipe gymnastics necessary.
Where the rest of the lines need to be stomped on and deleted over and over again, with sed perhaps.
Not sure if it is nft ipsets that are feature poor, or if these programs need work, or if I just haven't found the essentials.
In either case, you can run this on a faster router box, I thought.
Block outgoing for emerging threats on APs, warn and email about it.
Lots of regex and some gymnastics make these things inherently unreadable, and anyone serious would likely maintain their own methods.
May not be much more than matching all lines found in the cidr netblock file with the file and counting line output, and looping from 2 lines up to most lines until all blocks are sanitized. Kept to a minimum, as I figure anything smaller than /24 can be single IPs perfectly fine.
Think it should generally help average users with malware, even if not sexy cyber bla bla.
Or well, never flushing and keeping track of updates and removals with diffs.
Is something I see as a minimal requirement for easy adaptation to a small set-up.
Comes with a level of awkward for that reason if you need more than blocking incoming.
I thought, have that in the monkey work, that if it can work as the "engine" within banIP around quirks and nuisances for those just wanting to block incoming to protect a service or two on a public IP, then even better.
Atm the features are limited to whitelisting, and another list for "alerts" if an ip is found in downloaded blocklists. And that is probably enough, and someone else with other interest would perhaps add lots of fw4 and wrap javascript and web stuff around it, feeding it a list of urls and whitelist.
But yeah, trying to keep it simple; that netblock currently has the highest hits among various public blocklists, a bit more than 1MB in raw text. Sanitizing for biggest blocks, removing the smallest and "whitelisting" single IPs against IP blocks, for a list without interval overlaps and no collisions with what's in the nft ipset from before, with diff.
Biggest netblocks are well over 16 million IPs, and have collisions with something as big as a /12 for 1 million. And dealing with closer to 80k individual/small subnets. While honestly, just ignoring this and blocking individual IPs covers the essential need, or covers most of it for the majority.
Adblock doesn't do much towards, "internet immune system" for malware and crap.
Lowering the bar for running an AP at a breach front and informing over the hotspot of possible malware.
Doesn't really take much to be at "frontline" fighting botnets, and make that a common place networking topic in public networks.
I'm perplexed about scarcity and interest, as if monitoring traffic does anything useful for anyone other than those making bold statements with hand waving.
And that 22.03 was released without banIP and "gateway drugs" like it.
Running a firewall, but not so important to block contacting command and control for ransomware or botnets it seems.
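The sanitizing the post describes (keep only the largest enclosing netblock so nft gets no overlapping intervals, carve whitelisted single IPs out of blocks, then diff against the current set instead of flushing) as an added Python example using only the standard `ipaddress` module, since grepcidr isn't available on OpenWrt. This is not the poster's script or banIP code; the sample list mirrors the `grepcidr -C` output above plus constructed documentation ranges, and the whitelist and "current set" values are constructed.

```python
import ipaddress

# Constructed sample in the shape of the post's grepcidr -C output, plus a /12
# that swallows a /22 and one single host (documentation ranges, not real IoCs).
SAMPLE_BLOCKLIST = """
202.27.100.0/22
202.27.96.0/21
202.27.96.0/23
202.27.98.0/24
202.27.99.0/24
198.51.96.0/22
198.48.0.0/12
203.0.113.7
"""
BY_ADDR = lambda n: (n.version, n)  # sort key safe for mixed v4/v6 lists

def parse_networks(text):
    """One IP or CIDR per line; a bare IP becomes a /32 (or /128)."""
    return [ipaddress.ip_network(l.strip(), strict=False)
            for l in text.splitlines() if l.strip() and not l.startswith("#")]

def largest_blocks(nets):
    """Keep only the largest enclosing block of each overlapping group, so the
    set has no overlapping intervals (which nft rejects): widest prefix first,
    then drop anything already covered by a kept block (duplicates included)."""
    keep = []
    for net in sorted(nets, key=lambda n: (n.version, n.prefixlen, n)):
        if not any(net.version == k.version and net.subnet_of(k) for k in keep):
            keep.append(net)
    return keep

def apply_whitelist(nets, whitelist):
    """Carve whitelisted hosts/blocks out of the list: a whitelisted single IP
    inside a /21 splits it into the 11 pieces that exclude it instead of
    dropping the block; a block fully inside a whitelist entry is dropped."""
    out = list(nets)
    for w in whitelist:
        nxt = []
        for n in out:
            if n.version == w.version and w.subnet_of(n):
                nxt.extend(n.address_exclude(w))  # yields nothing when w == n
            elif n.version != w.version or not n.subnet_of(w):
                nxt.append(n)
        out = nxt
    return sorted(out, key=BY_ADDR)

def set_diff(current, wanted):
    """Incremental update instead of flushing: returns (to_add, to_delete)."""
    cur, want = set(current), set(wanted)
    return sorted(want - cur, key=BY_ADDR), sorted(cur - want, key=BY_ADDR)
```

The two lists from `set_diff` map directly onto `nft add element` / `nft delete element` calls, so the set never has to be flushed and refilled on an update.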