banIP support thread

powtrix · August 10, 2022, 8:04pm

Try there:

Edit maclist

abysso2 · August 17, 2022, 8:47am

Bump - is firewall4 supported. If not, i can not upgrade to 22.03-rc6 ....

phinn · August 17, 2022, 11:59am

If the nftables support list on github is up to date the answer is no, banIP is not yet supported. I read somewhere it's being worked on but will take time.

github.com/openwrt/packages

Certain upstream switch to `firewall4` aka `nftables` instead of `iptables`

opened 05:49AM - 06 Oct 21 UTC

aparcar

help wanted

Hi all, especially @openwrt/packages-write, for the next OpenWrt release `fir…ewall4` is [considered](https://github.com/openwrt/openwrt/pull/4642) as a replacement of the current `iptables` based `firewall` package. While the configuration stays within `/etc/config/firewall`, packages using `iptables` directly may see trouble. This is a heads up for everyone maintaining such packages but also please post packages here that would be affected so a smother migration is possible. Compatible with `firewall4`: - [ ] acme - [x] adblock - [ ] apfree-wifidog - [ ] banip - [ ] bcp38 - [x] collectd (iptables plugin still uses iptables, no nftables plugin) - [ ] coova-chilli - [ ] dockerd - [x] etherwake-nfqueue - [ ] fail2ban - [ ] frr - [ ] fwknop - [x] gnunet - [x] https-dns-proxy - [x] jool - [x] keepalived https://github.com/openwrt/packages/pull/18058 - [ ] libreswan - [x] miniupnpd https://github.com/openwrt/packages/pull/17094 - [x] mwan3 https://github.com/openwrt/packages/pull/17940 - [x] phantap - [x] podman via dcbef6fde01eed546bd405724bd70cd8f3381c4b - [x] ~~pppossh~~ - [ ] redsocks - [x] shadowsocks-libev ((https://github.com/openwrt/packages/pull/17937) - [x] ~~shorewall~~ - [x] ~~shorewall6~~ - [x] ~~shorewall6-lite~~ - [x] ~~shorewall-lite~~ - [x] simple-adblock - [x] sqm-scripts - [ ] strongswan - [ ] trafficshaper - [ ] uacme - [x] v2raya (https://github.com/openwrt/packages/pull/18052) - [ ] vpnbypass - [ ] vpnc-scripts - [ ] vpn-policy-routing - [ ] wifidog - [ ] xtables-addons Heads up for routing.git: https://github.com/openwrt/routing/issues/731 Heads up for luci.git: https://github.com/openwrt/luci/issues/5409

shaarkys · August 19, 2022, 5:49am

Yep, directly from didbot - banIP support thread - #709 by dibdot

Apr 12

Said that, I've just started to port/rewrite banIP to support nftables ... but it's a long way to go.

m0dul8r · August 20, 2022, 6:18pm

The old version of BanIP (0.7.10) still works in OpenWRT 22.03 - but it has become a manual process to get it to work. You have to pull legacy packages and source .ipk's from older builds - you also have to downgrade to legacy iptables. (For those who are interested).

dibdot · August 21, 2022, 5:49am

Sorry gents, banIP is marked as broken for now - there will be no solution ready for 22.03. The migration is currently too time consuming for me. I use a CLI only prototype on my router, but it's far from being ready for prime time.

abysso2 · August 21, 2022, 10:27am

Uhhh, thats a pity but fair enough. Free time is precious, so i can totally understand you.

Just a question: Does that mean, that banip will be ready for 22.03 later (eg. for 22.03.2)? If so, i would stick to 20.02., because your tool increases security a lot !!!

jlpapple · August 24, 2022, 1:08am

Can you create a quick start guide or list of packages to accomplish this…it would benefit many users!

RuralRoots · August 24, 2022, 2:30am

Unless you have an absolute requirement for your use case, might I suggest you simply stay with 21.02.3 and FW3.

21.02 is a stable release while 22.03.0 still only exists as a release candidate.

isslam · August 24, 2022, 8:42pm

how to block youtube or add youtube domain into blacklist, i tried googlevideo.com

bldur · August 28, 2022, 1:39pm

I find very little on the progress, except for this related issue.

github.com/openwrt/openwrt

Large sets with "counter" enabled fail and break subsequent nft operations.

opened 07:13AM - 08 Aug 22 UTC

djadair

Both 22.03-rc6 and master w/ 5.15 kernel fail when attempting to load tables con…taining large block lists with counters. The same list works fine with Ubuntu Jammy 5.15 kernel booted as live CD using the same VM config ( loads w/o errors, counts blocked traffic ). Also if "counter" is removed from large sets file loads properly. Loading sets one element at a time sometimes works but that is both really really slow and non-atomic. - nft reports netlink / ENOBUFS errors. ( atomic update ) - kernel WARNING backtraces. ( randomly after failures ). - nft_counter module refcount -1 ( sometimes after load, always for table delete w/ large set counters ) The refcount -1 is fatal and requires a reboot to get nft to work again. Note: Netlink appears to be a red herring. Seems like nf_tables api throwing errors not the netlink layer. Reproduction: Using 22.03-rc6 x86-64 image file in vmware 5.x generic, 2 core, 2G ram virtual machine. nft -f banIP.save.nft >> fails. remove "counter" from sets >> works. Have also seen one case where chains stopped being processed despite showing up in nft list. Flushing and re-creating table did not fix but deleting table and re-creating did. Unfortunately can not reproduce that one but I think it may be related to errors following use of "dormant" flag. The backtrace from main references "module_put" which is consistent with the refcount -1. Not sure if the accounting error is cause or effect but it seems likely this patch is related to it not occurring 5.17 which was first version that removed nft_counter as a separate module: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/net/netfilter?h=v5.18.16&id=023223dfbfb34fcc9b7dd41e21fbf9a5d5237989 [banIP.save.nft.gz](https://github.com/openwrt/openwrt/files/9279287/banIP.save.nft.gz) From 22.03-rc6: console: ( nr_cpus=4, note set is not mentioned -- failure in end of batch or final commit ) ``` root@OpenWrt:~# cat /sys/module/nft_counter/refcnt 16 root@OpenWrt:~# grep cpu /proc/meminfo Percpu: 960 kB root@OpenWrt:~# grep Mem /proc/meminfo MemTotal: 2040872 kB MemFree: 1995824 kB MemAvailable: 1971612 kB root@OpenWrt:~# nft -f /etc/banip/backup/banIP.save.nft netlink: Error: Could not process rule: No buffer space available root@OpenWrt:~# grep Mem /proc/meminfo MemTotal: 2040872 kB MemFree: 1993876 kB MemAvailable: 1970192 kB root@OpenWrt:~# grep cpu /proc/meminfo Percpu: 1056 kB root@OpenWrt:~# cat /sys/module/nft_counter/refcnt -1 ``` dmesg: ``` [ 78.868725] ------------[ cut here ]------------ [ 78.869865] WARNING: CPU: 1 PID: 4187 at 0xffffffff81133891 [ 78.873156] Modules linked in: pppoe ppp_async nft_fib_inet nf_flow_table_ipv6 nf_flow_table_ipv4 nf_flow_table_inet pppox ppp_generic nft_reject_ipv6 nft_reject_ipv4 nft_reject_inet nft_reject nft_redir nft_quota nft_objref nft_numgen nft_nat nft_masq nft_log nft_limit nft_hash nft_flow_offload nft_fib_ipv6 nft_fib_ipv4 nft_fib nft_ct nft_counter nft_chain_nat nf_tables nf_nat nf_flow_table nf_conntrack slhc r8169 nfnetlink nf_reject_ipv6 nf_reject_ipv4 nf_log_ipv6 nf_log_ipv4 nf_log_common nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c igc forcedeth e1000e crc_ccitt bnx2 i2c_dev nfsv3 nfs nfs_ssc ixgbe e1000 amd_xgbe mdio oid_registry vfat fat lockd sunrpc grace dns_resolver nls_utf8 nls_iso8859_1 nls_cp437 ena igb ramoops reed_solomon pstore button_hotplug tg3 ptp realtek pps_core mii [ 78.906278] CPU: 1 PID: 4187 Comm: nft Tainted: G W 5.10.134 #0 [ 78.908083] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 [ 78.910764] RIP: 0010:0xffffffff81133891 [ 78.911789] Code: 31 c0 eb f3 0f 1f 44 00 00 48 85 ff 74 17 8b 87 b0 02 00 00 89 c2 83 ea 01 78 0f f0 0f b1 97 b0 02 00 00 75 ef c3 cc cc cc cc <0f> 0b eb f7 66 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 e8 c7 ff [ 78.916382] RSP: 0018:ffffc9000240f918 EFLAGS: 00010297 [ 78.917735] RAX: 0000000000000000 RBX: ffffffffa02ba000 RCX: 0000000000000011 [ 78.919558] RDX: 00000000ffffffff RSI: 0000000000000286 RDI: ffffffffa02ba0c0 [ 78.921405] RBP: ffffc9000240f938 R08: 0000000000000000 R09: 00000000000001ec [ 78.923209] R10: fff0000000000fff R11: 00000000000002ba R12: ffff888005821000 [ 78.924984] R13: ffff8880055349f0 R14: ffffffff82500ca0 R15: ffffffff824ffe80 [ 78.927008] FS: 00007fd9f34e5b48(0000) GS:ffff88807be40000(0000) knlGS:0000000000000000 [ 78.929129] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 78.930714] CR2: 00007ffe15e6a508 CR3: 000000000585a005 CR4: 00000000000606e0 [ 78.932632] Call Trace: [ 78.933303] ? 0xffffffffa028be01 [nf_tables@0000000001b1d63b+0x27000] [ 78.934978] 0xffffffffa0297b8e [nf_tables@0000000001b1d63b+0x27000] [ 78.936583] 0xffffffffa0297f21 [nf_tables@0000000001b1d63b+0x27000] [ 78.938131] 0xffffffffa0240abc [nfnetlink@00000000aa1f8fb0+0x3000] [ 78.939905] ? 0xffffffff811f0ae0 [ 78.940769] ? 0xffffffff811d27d0 [ 78.941640] ? 0xffffffff813cca4b [ 78.942494] ? 0xffffffff811e9209 [ 78.943353] 0xffffffffa0240f88 [nfnetlink@00000000aa1f8fb0+0x3000] [ 78.944899] 0xffffffff818b8865 [ 78.945795] 0xffffffff818b8b40 [ 78.946622] 0xffffffff81831f82 [ 78.947458] ? 0xffffffff818b8930 [ 78.948336] ? 0xffffffff813b412b [ 78.949215] 0xffffffff81833734 [ 78.950122] ? 0xffffffff8120c70c [ 78.951007] ? 0xffffffff813b7bf0 [ 78.951861] ? 0xffffffff8183821c [ 78.952716] ? 0xffffffff81206cca [ 78.953571] ? 0xffffffff811b2db2 [ 78.954419] ? 0xffffffff81a37aa9 [ 78.955418] ? 0xffffffff81838cda [ 78.956300] ? 0xffffffff818392a2 [ 78.957178] 0xffffffff81833840 [ 78.958016] 0xffffffff81833898 [ 78.958852] 0xffffffff81a2c5e5 [ 78.959710] 0xffffffff81c000a9 [ 78.960632] RIP: 0033:0x7fd9f34c436c [ 78.961594] Code: c3 8b 07 85 c0 75 24 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> e9 ff d0 ff ff 41 54 b8 02 00 00 00 49 89 f4 be 00 88 08 00 55 [ 78.966219] RSP: 002b:00007ffe15e6a058 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 78.968050] RAX: ffffffffffffffda RBX: 00007fd9f34e5b48 RCX: 00007fd9f34c436c [ 78.969860] RDX: 0000000000000000 RSI: 00007ffe15e6a0a8 RDI: 0000000000000003 [ 78.971655] RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000 [ 78.973427] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000002e [ 78.975362] R13: 00007ffe15e6a510 R14: 00007ffe15e7b560 R15: 00007ffe15e7b870 [ 78.977222] ---[ end trace 5520b1270a0d6134 ]--- ```

Where banIP.save.nft.gz is mentioned.
I'd love me some CLI only support, as there aren't many better alternatives.

Out of curiosity I checkd this.

So upgrading may be wise!

But please push whats better than the current broken state!
Or some pointers about how and what needs to be done, LuCI isn't mandatory.

m0dul8r · August 31, 2022, 5:21am

When 22.03 final comes out I'll look into putting together a work-around for nftables - but you're still going to have to manually do this each time you upgrade the build. The attended sys-upgrade will not work to install banip while the build is marked as broken.

beetlrokr · September 4, 2022, 6:25pm

Script to work with fw4/nftables. Now with ipv6!

#!/bin/sh

# IP blacklisting script for openwrt nftables

# bogons
# Emerging Threats lists 
# Blocklist.de 
URLS="https://www.team-cymru.org/Services/Bogons/bogon-bn-nonagg.txt http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt https://www.blocklist.de/downloads/export-ips_all.txt"

# create set to contain ip addresses
if ! nft list set inet fw4 blackhole6 > /dev/null 2> /dev/null; then
  nft add set inet fw4 blackhole { flags interval\; type ipv4_addr\; auto-merge\; }
  nft add set inet fw4 blackhole6 { flags interval\; type ipv6_addr\; auto-merge\; }
fi

# insert chain to drop where source address in blackhole set
if ! nft list chain inet fw4 input_wan > /dev/null 2> /dev/null | grep @blackhole6; then
  nft insert rule inet fw4 input_wan ip saddr @blackhole drop
  nft insert rule inet fw4 input_wan ip6 saddr @blackhole6 drop
fi

# temp filename
blocklist=$(mktemp)

# add new elements to the set
for url in $URLS; do
    # download the blocklist
    curl -L -s -k "$url" 2> /dev/null
    echo
done | grep -v ^# | grep -v ^$ > "${blocklist}"

# clear old ipv4
nft flush set inet fw4 blackhole

# create ipv4 block rules
grep -v : "${blocklist}" | while read line; do
  echo add element inet fw4 blackhole { $line }
done | nft -f -

# clear old ipv6
nft flush set inet fw4 blackhole6

# create ipv6 block rules
grep : "${blocklist}" | while read line; do
  echo add element inet fw4 blackhole6 { $line }
done | nft -f -

# cleanup
rm "${blocklist}"

dibdot · September 4, 2022, 7:15pm

Please be so kind and open another thread for your script - thanks!

bldur · September 5, 2022, 2:48pm

There is tag out, and were more wondering if the hackish steps to get it work with fw4 could be done.
May also be good for working out bugs.

Like this banip nftables file you can find in an openwrt issue, and lines to change.
Various scripts and just adding ipsets to a block list is fine and all.
But a luxury with scripts with regexp that more have looked at.
Such things are plagued with, "just scripts, so not bother sharing".
banIP is closest to a pf-badhost quivalent.

m0dul8r · September 5, 2022, 7:18pm

Banip is designed around iptables (which is fw3). It injects chains using the iptables command instead of nftables and the formatting is different. You would need to uninstall fw4 and install fw3 in order for it to work on 22.03. Fw3 is still available as legacy software in the repositories at this point in time. I really don't want to make a "how to" for 22.03 in it's "release candidate" state - I have a feeling that as soon as I did the final version would come out and change everything anyways... not to mention - dibdot is working on a new version for fw4 (nftables) which we are all looking forward to. He mentioned it's still a long way off in the future on a previous post.

bldur · September 5, 2022, 7:26pm

github.com/openwrt/openwrt

Large sets with "counter" enabled fail and break subsequent nft operations.

opened 07:13AM - 08 Aug 22 UTC

djadair

Both 22.03-rc6 and master w/ 5.15 kernel fail when attempting to load tables con…taining large block lists with counters. The same list works fine with Ubuntu Jammy 5.15 kernel booted as live CD using the same VM config ( loads w/o errors, counts blocked traffic ). Also if "counter" is removed from large sets file loads properly. Loading sets one element at a time sometimes works but that is both really really slow and non-atomic. - nft reports netlink / ENOBUFS errors. ( atomic update ) - kernel WARNING backtraces. ( randomly after failures ). - nft_counter module refcount -1 ( sometimes after load, always for table delete w/ large set counters ) The refcount -1 is fatal and requires a reboot to get nft to work again. Note: Netlink appears to be a red herring. Seems like nf_tables api throwing errors not the netlink layer. Reproduction: Using 22.03-rc6 x86-64 image file in vmware 5.x generic, 2 core, 2G ram virtual machine. nft -f banIP.save.nft >> fails. remove "counter" from sets >> works. Have also seen one case where chains stopped being processed despite showing up in nft list. Flushing and re-creating table did not fix but deleting table and re-creating did. Unfortunately can not reproduce that one but I think it may be related to errors following use of "dormant" flag. The backtrace from main references "module_put" which is consistent with the refcount -1. Not sure if the accounting error is cause or effect but it seems likely this patch is related to it not occurring 5.17 which was first version that removed nft_counter as a separate module: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/net/netfilter?h=v5.18.16&id=023223dfbfb34fcc9b7dd41e21fbf9a5d5237989 [banIP.save.nft.gz](https://github.com/openwrt/openwrt/files/9279287/banIP.save.nft.gz) From 22.03-rc6: console: ( nr_cpus=4, note set is not mentioned -- failure in end of batch or final commit ) ``` root@OpenWrt:~# cat /sys/module/nft_counter/refcnt 16 root@OpenWrt:~# grep cpu /proc/meminfo Percpu: 960 kB root@OpenWrt:~# grep Mem /proc/meminfo MemTotal: 2040872 kB MemFree: 1995824 kB MemAvailable: 1971612 kB root@OpenWrt:~# nft -f /etc/banip/backup/banIP.save.nft netlink: Error: Could not process rule: No buffer space available root@OpenWrt:~# grep Mem /proc/meminfo MemTotal: 2040872 kB MemFree: 1993876 kB MemAvailable: 1970192 kB root@OpenWrt:~# grep cpu /proc/meminfo Percpu: 1056 kB root@OpenWrt:~# cat /sys/module/nft_counter/refcnt -1 ``` dmesg: ``` [ 78.868725] ------------[ cut here ]------------ [ 78.869865] WARNING: CPU: 1 PID: 4187 at 0xffffffff81133891 [ 78.873156] Modules linked in: pppoe ppp_async nft_fib_inet nf_flow_table_ipv6 nf_flow_table_ipv4 nf_flow_table_inet pppox ppp_generic nft_reject_ipv6 nft_reject_ipv4 nft_reject_inet nft_reject nft_redir nft_quota nft_objref nft_numgen nft_nat nft_masq nft_log nft_limit nft_hash nft_flow_offload nft_fib_ipv6 nft_fib_ipv4 nft_fib nft_ct nft_counter nft_chain_nat nf_tables nf_nat nf_flow_table nf_conntrack slhc r8169 nfnetlink nf_reject_ipv6 nf_reject_ipv4 nf_log_ipv6 nf_log_ipv4 nf_log_common nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c igc forcedeth e1000e crc_ccitt bnx2 i2c_dev nfsv3 nfs nfs_ssc ixgbe e1000 amd_xgbe mdio oid_registry vfat fat lockd sunrpc grace dns_resolver nls_utf8 nls_iso8859_1 nls_cp437 ena igb ramoops reed_solomon pstore button_hotplug tg3 ptp realtek pps_core mii [ 78.906278] CPU: 1 PID: 4187 Comm: nft Tainted: G W 5.10.134 #0 [ 78.908083] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 [ 78.910764] RIP: 0010:0xffffffff81133891 [ 78.911789] Code: 31 c0 eb f3 0f 1f 44 00 00 48 85 ff 74 17 8b 87 b0 02 00 00 89 c2 83 ea 01 78 0f f0 0f b1 97 b0 02 00 00 75 ef c3 cc cc cc cc <0f> 0b eb f7 66 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 e8 c7 ff [ 78.916382] RSP: 0018:ffffc9000240f918 EFLAGS: 00010297 [ 78.917735] RAX: 0000000000000000 RBX: ffffffffa02ba000 RCX: 0000000000000011 [ 78.919558] RDX: 00000000ffffffff RSI: 0000000000000286 RDI: ffffffffa02ba0c0 [ 78.921405] RBP: ffffc9000240f938 R08: 0000000000000000 R09: 00000000000001ec [ 78.923209] R10: fff0000000000fff R11: 00000000000002ba R12: ffff888005821000 [ 78.924984] R13: ffff8880055349f0 R14: ffffffff82500ca0 R15: ffffffff824ffe80 [ 78.927008] FS: 00007fd9f34e5b48(0000) GS:ffff88807be40000(0000) knlGS:0000000000000000 [ 78.929129] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 78.930714] CR2: 00007ffe15e6a508 CR3: 000000000585a005 CR4: 00000000000606e0 [ 78.932632] Call Trace: [ 78.933303] ? 0xffffffffa028be01 [nf_tables@0000000001b1d63b+0x27000] [ 78.934978] 0xffffffffa0297b8e [nf_tables@0000000001b1d63b+0x27000] [ 78.936583] 0xffffffffa0297f21 [nf_tables@0000000001b1d63b+0x27000] [ 78.938131] 0xffffffffa0240abc [nfnetlink@00000000aa1f8fb0+0x3000] [ 78.939905] ? 0xffffffff811f0ae0 [ 78.940769] ? 0xffffffff811d27d0 [ 78.941640] ? 0xffffffff813cca4b [ 78.942494] ? 0xffffffff811e9209 [ 78.943353] 0xffffffffa0240f88 [nfnetlink@00000000aa1f8fb0+0x3000] [ 78.944899] 0xffffffff818b8865 [ 78.945795] 0xffffffff818b8b40 [ 78.946622] 0xffffffff81831f82 [ 78.947458] ? 0xffffffff818b8930 [ 78.948336] ? 0xffffffff813b412b [ 78.949215] 0xffffffff81833734 [ 78.950122] ? 0xffffffff8120c70c [ 78.951007] ? 0xffffffff813b7bf0 [ 78.951861] ? 0xffffffff8183821c [ 78.952716] ? 0xffffffff81206cca [ 78.953571] ? 0xffffffff811b2db2 [ 78.954419] ? 0xffffffff81a37aa9 [ 78.955418] ? 0xffffffff81838cda [ 78.956300] ? 0xffffffff818392a2 [ 78.957178] 0xffffffff81833840 [ 78.958016] 0xffffffff81833898 [ 78.958852] 0xffffffff81a2c5e5 [ 78.959710] 0xffffffff81c000a9 [ 78.960632] RIP: 0033:0x7fd9f34c436c [ 78.961594] Code: c3 8b 07 85 c0 75 24 49 89 fb 48 89 f0 48 89 d7 48 89 ce 4c 89 c2 4d 89 ca 4c 8b 44 24 08 4c 8b 4c 24 10 4c 89 5c 24 08 0f 05 <c3> e9 ff d0 ff ff 41 54 b8 02 00 00 00 49 89 f4 be 00 88 08 00 55 [ 78.966219] RSP: 002b:00007ffe15e6a058 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 78.968050] RAX: ffffffffffffffda RBX: 00007fd9f34e5b48 RCX: 00007fd9f34c436c [ 78.969860] RDX: 0000000000000000 RSI: 00007ffe15e6a0a8 RDI: 0000000000000003 [ 78.971655] RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000 [ 78.973427] R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000002e [ 78.975362] R13: 00007ffe15e6a510 R14: 00007ffe15e7b560 R15: 00007ffe15e7b870 [ 78.977222] ---[ end trace 5520b1270a0d6134 ]--- ```

Second time i link to it, but here you also find.
banIP.save.nft.gz

Where I assume he has this in /etc/nftables.d/ and slightly modify the commands to work with it in the scripts.

The scripts are also quite LuCI centric, and I have less interest in the web portion of things, but this and testing is generally what is required to get a patch accepted? Have been assuming things along these lines, and not backport the firewall to support a now deprecrated LuCI functionality so to speak.

That is currently marked as broken, where it doesn't break things in any significant way currently I assume. Building with support for packages marked broken, even if it is scripts we are talking about, enables BPF in the kernel for some reason that isn't good. And banIP should be a bit "core" as a firewall.

bldur · September 10, 2022, 5:26pm

Sorry about this! Not intending to trash post.

But thanks to awk, it takes 24 seconds on arm64 with additional lists where,

nft list set inet fw4 blackhole | wc -l

17694

Bit silly to keep the while loop for ipv4 after that processing pipe.
Everything converted to dotted quad/32, comma seperated and sent to nft that slurps.
So mot things work and populating from scratch is fast. Miss all niceties, but that bit is fine.

github.com

bldur/bones/blob/main/wrt-badhost.sh

#!/bin/sh

# IP blacklisting script for openwrt nftables
# started with a openwrt forum script.
# mangled with and made into an unreadable mess using following sources with least effort:
# https://www.unix.com/shell-programming-and-scripting/233825-convert-ip-ranges-cidr-netblocks.html
# https://www.geoghegan.ca/pfbadhost.html
# copyleft, restrictions from above sources may apply.

GAWK_CIDR32() {
gawk --source='
function range2cidr(ipStart, ipEnd,  bits, mask, newip) {
    bits = 1
    mask = 1
    result = ""
    while (bits < 32) {
        newip = or(ipStart, mask)
        if ((newip>ipEnd) || ((lshift(rshift(ipStart,bits),bits)) != ipStart)) {
           bits--
           mask = rshift(mask,1)

This file has been truncated. show original

powtrix · September 12, 2022, 2:46am

Hi, can you add an allowed_list.txt int his script?
Thanks.

bldur · September 12, 2022, 2:30pm

This is the last post in this thread about alternative scripts.
I am tinkering a bit with it, as learn why banIP is taking time.
Quirks with how big lists nft will accept, that most need to be awk.
comm is not available in busybox, and diff is just odd.

I don't really know, or am not comfortable with nft / nftables.
And I am an awful scripter, but don't have a problem with ugly for function over form.

@powtrix you can add to the pleasure and scripty yourself, and look at pf-badhost and banIP.
Also, just change gawk to awk, as that is available in buxybox and not all may have gawk.
I'm tinkering and puzzling with awk and other thing I don't know, and would prefer removing nft flush.
And take the blackhole ipset, compare it to a new iteration and populate add and del commands to update. What you are asking is more into nft land, but by all means, hope my trash post and atrocious script additions encourage others to play with this towards banIP for fw4.

Also get a bug with at least busybox awk with the awk program added as a shell function in the script.
79.110.62.84/31 misses .85/32 (in current blocklists worked with). Where this intermittently breaks parsing existing nft ipset in order to diff --old-line-format=$'delete %l\n' --new-line-format=$'add %l\n' --unchanged-line-format='' or similar to batch process within list length that nft accept.

Tried to find something fast and sane to work around what seems to be certain short comings to make it really robust and simple without awkwards scripts. Haven't tested the awk program with gawk and others, but may or may not have hit a bug with awk in busybox, so unexpected from both program and awk that it's been an avalance of trial and error and possibly getting banned from blocklist.de

Maybe another nft issue, and not awk, but what I wanted ended up in a ditch.
And that ripping ip's in largely the same way from the nft set, diffing and doing adding and deleting fast without flushing. Most likely that bothersome ip-range syntax you find in nft list output, because there are actually two problems, and same problem with awk and gawk.

This is not UNIX friendly.

So another nft bug most likely. So my deppest sympathies for banIP development.

nft list set inet fw4 blackhole | grep 85.203.22
  	    85.203.22.76/31, 85.203.22.180,
nft delete element inet fw4 blackhole { 85.203.22.76/32 }

Error: interval not found in set
delete element inet fw4 blackhole { 85.203.22.76/32 }
^^^^^^^^^^^^^^^
Error: Could not process rule: No such file or directory
delete element inet fw4 blackhole { 85.203.22.76/32 }
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This and the "interval" mannerism, ie. ip-ip, makes this awful and makes you flush.
I was batching in 1000 at a time, less for deletion to work this out.
Arbitrarily being hit by this and ip ranges/intervals, and nft as a tool is not intelligent enough for the operation listed, while grouping without being told and fed /32 excluusively.
So if 1000 ip operations fail, check and fix what rejected it or write c and patch nft?

FYI, less than two minutes for 36 000 ip's, and subsequent updates and chances less than 30 seconds. Starting with 1,4MB uncompressed text of raw input for various sources with overlaps.

For basic useable, ip's should be able to be removed from sets with nft from command line the same way they was entered. Having lots of ipsets doesn't remove the problem, I don't understand why biection and mapping through this grouping logic -- and two of them -- isn there.