banIP support thread

---
update 1.0.0-9

• fixed gathering/printing of system information in banIP status
• removed broken iblocklist.com feeds
• updated readme
  ---
  update 1.0.0-8
• supports comments (introduced with a #), for MAC addresses in the allow and block list, e.g. 26:5e:a0:6a:9c:da # Test
• added hagezi threat ip feed
• added an adguard logterm to the readme
• removed the broken talos feed
  ---
  update 1.0.0-7
• fixed auto allow-/blocklist-issue with IPv6 addresses in CIDR notation
• removed edrop feed from readme (had been removed from feeds for a while)
  ---
  update 1.0.0-6
• automatic blocking of IP ranges via RDAP request now supports multiple CIDRs
• cosmetics
  ---
  update 1.0.0-5
• filter crappy IP entries from urlhaus feed
  ---
  update 1.0.0-4
• relax the firewall pre-check if fw4 is not running
• replace former stale tor feed source with 'https://www.dan.me.uk/torlist/?exit'
• add openvpn log term/search pattern example to the readme
• the default config now includes only log terms for dropbear and LuCI, all others are optional
• readme update
  ---
  update 1.0.0-3
• fixed a regression in the split Set function (reported in the forum)
• fixed regex for urlhaus feed
  ---
  update 1.0.0-2
• fixed a possible "Argument list too long" error in the f_log function
• fixed multiple, incomplete digit character classes
• fixed/optimized split file handling
• cosmetics
  ---
  release 1.0.0-1
• made sure, that the domain lookup always add the found IPs to the underlying allow-/blocklist-Set
• major readme update
  ---
  update 0.9.6-3
• fixed concurrent, too high nft loads during feed processing (seen in LuCI frontend)
  ---
  update 0.9.6-2
• fix regex for nixspam and sslbl feed
• list the pre-routing limits in the banIP status
• small fixes and log improvements
  ---
  release 0.9.6-1
• refine IPv4 parsing, skip rough feed entries like loopback addresses
• better error logging during banIP nftables initialization and Set loading
• cosmetics
  ---
  update 0.9.5-5
• fix a processing race condition
• it's now possible to disable the icmp/syn/udp safeguards in pre-routing - set the threshold to '0'.
  ---
  update 0.9.5-4
• optimized adding suspicious IPs to Sets in the log monitor
• re-added ipblackhole feed
  ---
  update 0.9.5-3
• allow multiple protocol/port definitions per feed, e.g. 'tcp udp 80 443 50000'
• removed the default protocol/port limitation from asn feed
  ---
  update 0.9.5-2
• fixed possible Set search race condition (initiated from LuCI frontend)
• fixed the "no result" Set search problem in LuCI
• removed abandoned feeds: spamhaus edrop (was merged with spamhaus drop)
  ---
  release 0.9.5-1
• added DDoS protection rules in a new pre-routing chain to prevent common ICMP, UDP and SYN flood attacks and drop spoofed tcp flags & invalid conntrack packets, flood tresholds are configured via 'ban_icmplimit' (default 10/s), 'ban_synlimit' (default 10/s) and 'ban_udplimit' (default 100/s)
• the new pre-routing rules are tracked via named nft counters and are part of the standard reporting, set 'ban_logprerouting' accordingly
• block countries dynamically by Regional Internet Registry (RIR)/regions, e.g. all countries related to ARIN. Supported service regions are: AFRINIC, ARIN, APNIC, LACNIC and RIPE, set 'ban_region' accordingly
• it's now possible to always allow certain protocols/destination ports in wan-input and wan-forward chains, set 'ban_allowflag' accordingly - e.g. ' tcp 80 443-445'
• filter/convert possible windows line endings of external feeds during processing
• the cpu core autodetection is now limited to max. 16 cores in parallel, set 'ban_cores' manually to overrule this limitation
• set the default nft priority to -100 for banIP input/forward chains (pre-routing is set to -150)
• update readme
• a couple of bugfixes & performance improvements
• removed abandoned feeds: darklist, ipblackhole
• added new feeds: becyber, ipsum, pallebone, debl (changed URL)
• requires a LuCI frontend update as well (separate PR/commit)
  ---
  update 0.9.4-3
• fix another logical glitch in the logfile monitor
  ---
  update 0.9.4-2
• fix a long standing problem in the logfile-parser with dropbear and compressed IPv6 addresses
  ---
  release 0.9.4-1
• add support for destination port & protocol limitations for external feeds (see readme for details), useful for lan-forward ad- or DoH-blocking, e.g. only tcp ports 80 and 443
• add turris sentinel blocklist feed
• update readme
  ---
  update 0.9.3-5
• fix the nft Set survey function
  ---
  update 0.9.3-4
• made the default mail template "responsive" to get a better view esp. on mobile devices
  ---
  update 0.9.3-3
• more init fixes
  ---
  update 0.9.3-2
• rework the device/interface auto-detection (only layer-3 network devices will be detected correctly), disable the auto-detection e.g. for special tunnel interfaces
• supports now full gawk (preferred, if installed) and busybox awk
• raise the default boot timeout to 20 seconds (if 'ban_triggerdelay' is not set)
• various small fixes and improvements
• readme update
  ---
  release 0.9.3-1
• provides an option to transfer log events on remote servers via cgi interface (disabled by default), see readme for details
• refine the allowlist check to support IP intervals as well before adding an IP to the blocklist
  ---
  update 0.9.2-4
• fix the urlhaus regex
• fix a possible init race condition
  ---
  update 0.9.2-2
• support backup/restore for remote allowlists
• report the used log variant in status message
  ---
  release 0.9.2-1
• the log file monitor now supports standard log files used by other log daemons like syslog-ng. Set 'ban_logreadfile' accordingly, by default it points to /var/log/messages
• removed logd dependency
  ---
  update 0.9.1-1
• drop packets silently on input and forwardwan chains or actively reject the traffic, set 'ban_blocktype' accordingly
• optimized banIP boot/reload handling
• removed pppoe quirk in device detection
• small fixes and optimizations
  ---
  update 0.9.0-1
• supports allowing / blocking of certain VLAN forwards in segregated network environments, set 'ban_vlanallow', ''ban_vlanblock' accordingly
• simplified the code/JSON to generate/parse the banIP status
• enclose nft related devices in quotation marks , e.g. to handle devices which starts with a number '10g-1'
• made the new vlan options available to LuCI (separate commit)
  ---
  update 0.8.9-4
• made the etag id parsing more bulletproof (to catch unverified etags as well)
  ---
  update 0.8.9-3
• prevent superflous etag function calls during start action (on start backups will be used anyway)
• changed the ipthreat feed download URL (load a compressed file variant to save bandwidth)
  ---
  update 0.8.9-2
• fix a corner case backup issue with empty feed downloads
  ---
  release 0.8.9-1
• added HTTP ETag or entity tag support to download only ressources that have been updated on the server side, to save bandwidth and speed up banIP reloads
• added 4 new feeds: binarydefense, bruteforceblock, etcompromised, ipblackhole (see readme)
• updated the readme
  ---
  update 0.8.8-2
• process local lists in strict sequential order to prevent possible race conditions
• support ranges in the IP search, too
• fix some minor search issues
  ---
  release 0.8.8-1
• Support MAC-/IPv4/IPv6 ranges in CIDR notation
• Support concatenation of local MAC addresses with IPv4/IPv6 addresses, e.g. to enforce dhcp assignments (see readme)
• small fixes & cosmetics
• update readme
  ---
  release 0.8.7-1
• Optionally auto-add entire subnets to the blocklist Sets based on an additional RDAP request with the monitored suspicious IP, set 'ban_autoblocksubnet' accordingly (disabled by default). For more information regarding RDAP see https://www.ripe.net/manage-ips-and-asns/db/registration-data-access-protocol-rdap for reference.
• small fixes & cosmetics
• update readme
  ---
  update 0.8.6-2
• fix/rework no-op loop
• small fixes & cosmetics
• update readme
  ---
  release 0.8.6-1
• made the fetch utility function/autodetection more bullet proof
• no longer add suspicious IPs to the local blocklist when the nft set timeout has been set
• restructure internal functions & small fixes
  ---
  update 0.8.5-2
• fixed a log parser regression introduced in latest 0.8.4 update
  ---
  release 0.8.5-1
• add support for external allowlist URLs to reference additional IPv4/IPv6 feeds, set 'ban_allowurl' accordingly
• make download retries in case of an error configurable, set 'ban_fetchretry' accordingly (default 5)
• small fixes
• readme update
• LuCI update (separate commit)
  ---
  update 0.8.4-5
• fix remaining small issues
• standardize log wording
• polished up for branch 23.x
  ---
  update 0.8.4-4
• add housekeeping to the autoallow function, only the current uplink will be held
• fix small issues
• cosmetics
  ---
  update 0.8.4-3
• add the option 'ban_autoallowuplink' to limit the uplink autoallow function: 'subnet' (default), 'ip' or 'disable'
  ---
  update 0.8.4-2
• fix domain lookup function (parse banIP config vars)
• update readme
  ---
  release 0.8.4-1
• add support for a custom feeds file (/etc/banip/banip.custom.feeds). Add new or edit existing banIP feeds on your own with the integrated custom feed editor (LuCI-component
• add a new option 'ban_blockpolicy' to overrule the default bblock policy (block all chains), see readme for details
• change the feed file format and add a new ipthreat feed, see readme
• refine (debug) logging
• multiple small fixes and improvements
• readme update
• luci update (separate commit)
  ---
  update 0.8.3-2
• more init fixes
  ---
  release 0.8.3-1
• add the new init command 'lookup', to lookup the IPs of domain names in the local lists and update them
• significant acceleration of the domain lookup function
• multiple small fixes and improvements
• readme update
• luci update (separate commit)
  ---
  update 0.8.2-6
• restored some accidently removed init stuff in last commit
  ---
  update 0.8.2-5
• fixed missing version number when installed as separate package (not in build)
• fixed cornercase init and mailing issues
• sorted Country list by country names ascending
• fixed some shellcheck findings
  ---
  update 0.8.2-4
• fixed a race condition if the service is in a disabled state
• luci frontend sync
  ---
  update 0.8.2-3
• raise max. timeouts from 10 to 30 seconds to stabilize the autodetection on slow hardware
• made interface trigger action configurable, set 'ban_triggeraction' accordingly (default: 'start')
• made E-Mail notifications configurable to receive status E-Mais with every banIP run, set 'ban_mailnotification' accordingly (default: disabled)
• small fixes & optimizations
• readme update
  ---
  update 0.8.2-2
• fix the auto-detection for pppoe and 6in4 tunnel interfaces
• add the new 'ban_nftpolicy' option to expose the nft set policy, values: memory (default), performance
• add the new 'ban_nftlogevel' option to expose the nft syslog level, values: emerg, alert, crit, err, warn (default), notice, info, debug, audit
• status optimizations
• logging optimizations
• update the readme
  ---
  release 0.8.2-1
• major performance improvements: clean-up/optimize all nft calls
• add a new "ban_reportelements" option, to disable the (time consuming) Set element count in the report (enabled by default)
• update the readme
  ---
  update 0.8.1-3
• finalized the LuCI frontend preparation (this is the minmal version to use the forthcoming LuCI frontend)
• added a Set survey, to list all elements of a certain set
• changed the default logterm for asterisk
• update the readme
  ---
  update 0.8.1-2
• add oisdbig as new feed
• LuCI frontend preparation:
  • the json feed file points always to /etc/banip/banip.feeds (and is no longer compressed)
  • supply country list in /etc/banip/banip.countries
• update readme
  ---
  release 0.8.1-1
• add missing wan-forward chain (incl. report/mail adaption)
• changed options:
  • old: ban_blockforward, new: ban_blockforwardwan and ban_blockforwardlan
  • old: ban_logforward, new: ban_logforwardwan and ban_logforwardlan
• add missing dhcp(v6) rules/exceptions
• update readme
  ---
  update 0.8.0-4

• remove bogus log limit
  ---
  update 0.8.0-3
• properly initialize the 'proto' variable in the log service
  ---
  update 0.8.0-2
• fix a potential race condition during initial startup (after flash) which leads to a "disabled" service
  ---
  release 0.8.0-1
• complete rewrite of banIP to support nftables
• all sets are handled in a separate nft table/namespace 'banIP'
• for incoming blocking it uses the inet input hook, for outgoing blocking it uses the inet forward hook
• full IPv4 and IPv6 support
• supports nft atomic set loading
• supports blocking by ASN numbers and by iso country codes
• 42 preconfigured external feeds are available, plus local allow- and blocklist
• supports local allow- and blocklist (IPv4, IPv6, CIDR notation or domain names)
• auto-add the uplink subnet to the local allowlist
• provides a small background log monitor to ban unsuccessful login attempts in real-time
• the logterms for the log monitor service can be freely defined via regex
• auto-add unsuccessful LuCI, nginx, Asterisk or ssh login attempts to the local blocklist
• fast feed processing as they are handled in parallel as background jobs
• per feed it can be defined whether the input chain or the forward chain should be blocked (default: both chains)
• automatic blocklist backup & restore, the backups will be used in case of download errors or during startup
• automatically selects one of the following download utilities with ssl support: aria2c, curl, uclient-fetch or wget
• supports a 'allowlist only' mode, this option restricts internet access from/to a small number of secure websites/IPs
• provides comprehensive runtime information
• provides a detailed set report
• provides a set search engine for certain IPs
• feed parsing by fast & flexible regex rulesets
• minimal status & error logging to syslog, enable debug logging to receive more output
• procd based init system support (start/stop/restart/reload/status/report/search)
• procd network interface trigger support
• ability to add new banIP feeds on your own
• add a readme with all available options/feeds to customize your installation to your needs
• a new LuCI frontend will be available in due course