Ok I took your hint and realized my banip.feeds file was old. Copied the new raw version from git and re-created it; now everything is working in luci.
Sorry for not keeping my feeds file updated!
That's the old format ... you have to use the new format. Did you "protect" this file from updates!? This is the root cause of your LuCI problem.
Just to confirm, yes for some reason I had previously added the /etc/banip directory to my protected upgrade list... in hindsight, this was stupid and has now been reverted.
Sorry for all the noise and thanks for helping me fix it so quickly!
No problem, glad that 1.5.x works for you now ...
Thanks. I do have one other semi-related question. While I love OpenWRT and it has been my main edge router for a few years now, I do also dabble with Alpine and a few other trim/slim distros for routing...
Is there any possibility of a "general purpose" version of banIP that will run on straight-up linux, e.g. Alpine? I imagine you've got some bits that rely on owrt's netif/ubus/procd systems, though.
Thanks again for banIP, it's great.
Nope, sorry. I have a tempting full time job (not related to OpenWrt) and no time/interest in doing something like that.
haha ok yes no worries; I figured it couldn't hurt to ask
It's quite easy to set up an x86 flavour of openwrt.
Or you may have a look at csf: https://configserver.com/configserver-security-and-firewall/
Hi @dibdot .. I'm trying the latest version 1.5.0-r1 and I'm seeing some "can't load initial file" errors, and I can see files in the error folder.
What do those errors exactly mean? Below is just one of the feeds ('doh') that generated those errors.
Sun Jan 19 02:03:40 2025 user.debug banIP-1.5.0-r1[19662]: f_etag ::: feed: doh.v6, suffix: -, http_code: 200, etag_id: 8f1ce76f987b3034902a3341c3b65d8a8344043ee214ce06425cc4a4ef9675ad, etag_rc: 0, rc: 2
Sun Jan 19 02:03:40 2025 user.debug banIP-1.5.0-r1[19662]: f_etag ::: feed: doh.v4, suffix: -, http_code: 200, etag_id: 48ff4ff4ddabd6aedd2825f6f805a7d91067e4cd1fdef73744e71b23cba6cc33, etag_rc: 0, rc: 2
Sun Jan 19 02:03:40 2025 user.debug banIP-1.5.0-r1[19662]: f_backup ::: feed: doh.v6, file: banIP.doh.v6.gz, rc: 0
Sun Jan 19 02:03:40 2025 user.debug banIP-1.5.0-r1[19662]: f_backup ::: feed: doh.v4, file: banIP.doh.v4.gz, rc: 0
Sun Jan 19 02:03:40 2025 user.debug banIP-1.5.0-r1[19662]: f_mkdir ::: directory: /mnt/sdb1/openwrt/banip/errors
Sun Jan 19 02:03:40 2025 user.info banIP-1.5.0-r1[19662]: can't load initial file to nfset 'doh.v6' (/mnt/sdb1/openwrt/banip/errors/err.tmp.cEKfCK.doh.v6.nft)
Sun Jan 19 02:03:40 2025 user.debug banIP-1.5.0-r1[19662]: f_nftload ::: file: tmp.cEKfCK.doh.v6.nft, cnt: 5, max_cnt: 5
Sun Jan 19 02:03:40 2025 user.debug banIP-1.5.0-r1[19662]: f_down ::: feed: doh.v6, policy: out, complete: -, cnt_dl: 1804, cnt_set: -, split_size: 4096, time: 1, rc: 4
Sun Jan 19 02:03:40 2025 user.info banIP-1.5.0-r1[19662]: can't load initial file to nfset 'doh.v4' (/mnt/sdb1/openwrt/banip/errors/err.tmp.cEKfCK.doh.v4.nft)
Sun Jan 19 02:03:40 2025 user.debug banIP-1.5.0-r1[19662]: f_nftload ::: file: tmp.cEKfCK.doh.v4.nft, cnt: 5, max_cnt: 5
Sun Jan 19 02:03:40 2025 user.debug banIP-1.5.0-r1[19662]: f_down ::: feed: doh.v4, policy: out, complete: -, cnt_dl: 2508, cnt_set: -, split_size: 4096, time: 1, rc: 4
Also got it for the ff:
Additional Note:
I'm using a custom feed; changes were done on the following:
doh
- removed Flagproxy
- changed chain to inbound & outbound
tofull
- it's a copy of the tor but using the full nodes list instead of just the exit nodes, and changed chain to "inbound & outbound"
For hagezi I didn't change anything on it.
Hi again @dibdot .. I went back to the default feed (cleared the custom feed).. still getting the same errors
Sun Jan 19 02:23:17 2025 user.info banIP-1.5.0-r1[30157]: can't load initial file to nfset 'doh.v4' (/mnt/sdb1/openwrt/banip/errors/err.tmp.aPFMLC.doh.v4.nft)
Sun Jan 19 02:23:17 2025 user.info banIP-1.5.0-r1[30157]: can't load initial file to nfset 'doh.v6' (/mnt/sdb1/openwrt/banip/errors/err.tmp.aPFMLC.doh.v6.nft)
Sun Jan 19 02:23:18 2025 user.info banIP-1.5.0-r1[30157]: can't load initial file to nfset 'hagezi.v4' (/mnt/sdb1/openwrt/banip/errors/err.tmp.aPFMLC.hagezi.v4.nft)
Sun Jan 19 02:24:05 2025 user.info banIP-1.5.0-r1[30157]: can't load initial file to nfset 'blocklist.v4' (/mnt/sdb1/openwrt/banip/errors/err.tmp.aPFMLC.blocklist.v4.nft)
Sun Jan 19 02:24:05 2025 user.info banIP-1.5.0-r1[30157]: can't load initial file to nfset 'blocklist.v6' (/mnt/sdb1/openwrt/banip/errors/err.tmp.aPFMLC.blocklist.v6.nft)
And when switching feeds to "Inbound&Outbound" (see screenshot), it also generates the error
Sun Jan 19 02:34:06 2025 user.info banIP-1.5.0-r1[22685]: can't load initial file to nfset 'proxy.v4' (/mnt/sdb1/openwrt/banip/errors/err.tmp.dAbjFE.proxy.v4.nft)
Sun Jan 19 02:34:21 2025 user.info banIP-1.5.0-r1[22685]: can't load initial file to nfset 'tor.v4' (/mnt/sdb1/openwrt/banip/errors/err.tmp.dAbjFE.tor.v4.nft)
Sun Jan 19 02:34:21 2025 user.info banIP-1.5.0-r1[22685]: can't load initial file to nfset 'tor.v6' (/mnt/sdb1/openwrt/banip/errors/err.tmp.dAbjFE.tor.v6.nft)
please provide your config and the banIP status output.
BanIP Status
::: banIP runtime information
+ status : active (nft: ✔, monitor: ✔)
+ version : 1.5.0-r1
+ element_count : 176038
+ active_feeds : allowlist.v4MAC, allowlist.v6MAC, allowlist.v4, allowlist.v6, binarydefense.v4, becyber.v4, debl.v4, debl.v6, etcompromised.v4, firehol1.v4, greensnow.v4, firehol2.v4, ipblackhole.v4, threat.v4, ipthreat.v4, pallebone.v4, threatview.v4, urlhaus.v4, turris.v4, urlvir.v4, blocklist.v4MAC, blocklist.v6MAC
+ active_devices : wan: eth1 / wan-if: wan, wan6 / vlan-allow: - / vlan-block: -
+ active_uplink : 10.0.0.244/24, 2001:4450:4645:6e40::ff4/128
+ nft_info : ver: 1.1.1-r1, priority: -100, policy: performance, loglevel: warn, expiry: 1h, limit (icmp/syn/udp): 0/0/0
+ run_info : base: /tmp, backup: /mnt/sdb1/openwrt/banip/backup, report: /mnt/sdb1/openwrt/banip/reports, error: /mnt/sdb1/openwrt/banip/errors
+ run_flags : auto: ✔, proto (4/6): ✔/✔, log (pre/in/out): ✔/✔/✔, count: ✔, dedup: ✔, split: ✔, custom feed: ✘, allowed only: ✘
+ last_run : mode: restart, period: 1m 42s, memory: 641 MB available, 1664 KB max. used, cores: 4, log: logread, fetch: curl
+ system_info : 2025-01-19 02:44:26, Parallels International GmbH. Parallels Virtual Platform, x86/64, OpenWrt SNAPSHOT r28599-dac8021297
/etc/config/banip
config banip 'global'
option ban_enabled '1'
option ban_debug '1'
option ban_autodetect '1'
list ban_logterm 'Exit before auth from'
list ban_logterm 'luci: failed login'
option ban_triggerdelay '30'
option ban_fetchretry '5'
option ban_nicelimit '0'
option ban_filelimit '4096'
option ban_cores '4'
option ban_splitsize '4096'
option ban_backupdir '/mnt/sdb1/openwrt/banip/backup'
option ban_reportdir '/mnt/sdb1/openwrt/banip/reports'
option ban_errordir '/mnt/sdb1/openwrt/banip/errors'
option ban_deduplicate '1'
option ban_nftpriority '-100'
option ban_icmplimit '0'
option ban_synlimit '0'
option ban_udplimit '0'
option ban_nftpolicy 'performance'
option ban_nftretry '5'
option ban_nftcount '1'
option ban_blockpolicy 'drop'
option ban_nftloglevel 'warn'
option ban_logprerouting '1'
option ban_loginbound '1'
option ban_logoutbound '1'
option ban_loglimit '1000'
option ban_logcount '3'
option ban_autoallowlist '1'
option ban_autoallowuplink 'subnet'
option ban_autoblocklist '1'
option ban_nftexpiry '1h'
option ban_allowlistonly '0'
option ban_fetchcmd 'curl'
option ban_protov4 '1'
list ban_ifv4 'wan'
option ban_protov6 '1'
list ban_ifv6 'wan6'
list ban_dev 'eth1'
list ban_feed 'becyber'
list ban_feed 'binarydefense'
list ban_feed 'debl'
list ban_feed 'doh'
list ban_feed 'etcompromised'
list ban_feed 'firehol1'
list ban_feed 'firehol2'
list ban_feed 'greensnow'
list ban_feed 'hagezi'
list ban_feed 'ipblackhole'
list ban_feed 'ipthreat'
list ban_feed 'pallebone'
list ban_feed 'proxy'
list ban_feed 'threat'
list ban_feed 'threatview'
list ban_feed 'tor'
list ban_feed 'turris'
list ban_feed 'urlhaus'
list ban_feed 'urlvir'
list ban_feedinout 'proxy'
list ban_feedinout 'tor'
disable the nft counter option ... and see if it helps. (Restart banIP!)
still the same errors
Sun Jan 19 02:49:35 2025 user.info banIP-1.5.0-r1[12033]: can't load initial file to nfset 'doh.v6' (/mnt/sdb1/openwrt/banip/errors/err.tmp.enfhDF.doh.v6.nft)
Sun Jan 19 02:49:35 2025 user.info banIP-1.5.0-r1[12033]: can't load initial file to nfset 'doh.v4' (/mnt/sdb1/openwrt/banip/errors/err.tmp.enfhDF.doh.v4.nft)
Sun Jan 19 02:49:36 2025 user.info banIP-1.5.0-r1[12033]: can't load initial file to nfset 'hagezi.v4' (/mnt/sdb1/openwrt/banip/errors/err.tmp.enfhDF.hagezi.v4.nft)
Sun Jan 19 02:49:36 2025 user.info banIP-1.5.0-r1[12033]: can't load initial file to nfset 'proxy.v4' (/mnt/sdb1/openwrt/banip/errors/err.tmp.enfhDF.proxy.v4.nft)
Sun Jan 19 02:49:59 2025 user.info banIP-1.5.0-r1[12033]: can't load initial file to nfset 'tor.v4' (/mnt/sdb1/openwrt/banip/errors/err.tmp.enfhDF.tor.v4.nft)
Sun Jan 19 02:49:59 2025 user.info banIP-1.5.0-r1[12033]: can't load initial file to nfset 'tor.v6' (/mnt/sdb1/openwrt/banip/errors/err.tmp.enfhDF.tor.v6.nft)
Sun Jan 19 02:50:01 2025 user.info banIP-1.5.0-r1[12033]: can't load initial file to nfset 'blocklist.v4' (/mnt/sdb1/openwrt/banip/errors/err.tmp.enfhDF.blocklist.v4.nft)
Sun Jan 19 02:50:01 2025 user.info banIP-1.5.0-r1[12033]: can't load initial file to nfset 'blocklist.v6' (/mnt/sdb1/openwrt/banip/errors/err.tmp.enfhDF.blocklist.v6.nft)
try if you could load such error file manually, e.g.:
nft -f /mnt/sdb1/openwrt/banip/errors/err.tmp.enfhDF.doh.v4.nft
This is the error
/mnt/sdb1/openwrt/banip/errors/err.tmp.enfhDF.doh.v4.nft:4:146-152: Error: syntax error, unexpected counter
add rule inet banIP _outbound meta l4proto { tcp } th dport { 80, 443 } ip daddr @doh.v4 tlog level warn prefix "banIP/outbound/reject/doh.v4: " counter goto _reject
^^^^^^^
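The diagnostic above (running nft by hand on the file banIP parked in the error directory) is the right move: a set whose ruleset file fails to load is simply not enforced, which is why doh, hagezi, proxy and tor are missing from active_feeds in the status output. The following is an added example, not banIP's own code, of wrapping that check in a script: it runs nft in check-only mode (nft -c -f) before loading a generated file, and on failure turns nft's "<file>:<line>:<start>-<end>: Error: <message>" line into the line number, the exact token nft stopped at, and the message. The sample error line and rule line are copied from this thread; the function names and the assumption that nft is in PATH and that file paths contain no ':' are mine.

```shell
#!/bin/sh
# Added example (not part of banIP): validate a generated nft ruleset file before
# loading it, and explain nft's location-tagged syntax errors.
# Assumptions: nft is in PATH; ruleset file paths contain no ':' characters.

# Constructed sample, copied from the thread: nft's error line for line 4 of the
# file, and the content of that line (the "tlog" typo makes nft stop at "counter").
SAMPLE_ERR='/mnt/sdb1/openwrt/banip/errors/err.tmp.enfhDF.doh.v4.nft:4:146-152: Error: syntax error, unexpected counter'
SAMPLE_RULE='add rule inet banIP _outbound meta l4proto { tcp } th dport { 80, 443 } ip daddr @doh.v4 tlog level warn prefix "banIP/outbound/reject/doh.v4: " counter goto _reject'

# nft_parse_error "<error line>" -> prints "<line> <col_start> <col_end> <message>";
# prints nothing when the input is not an nft location-tagged error line.
nft_parse_error() {
    printf '%s\n' "$1" |
        sed -n 's/^[^:]*:\([0-9][0-9]*\):\([0-9][0-9]*\)-\([0-9][0-9]*\): Error: \(.*\)$/\1 \2 \3 \4/p'
}

# nft_token_at "<rule line>" <col_start> <col_end> -> prints the 1-based, inclusive
# column span that nft underlines with its caret.
nft_token_at() {
    printf '%s\n' "$1" | cut -c"$2-$3"
}

# nft_explain_error "<error line>" "<ruleset file>" -> prints
# "line N: '<token>' -> <message>", reading line N from the ruleset file.
# Returns 1 when the error line carries no location.
nft_explain_error() {
    parsed=$(nft_parse_error "$1")
    [ -n "$parsed" ] || return 1
    lineno=${parsed%% *}; rest=${parsed#* }
    cs=${rest%% *};       rest=${rest#* }
    ce=${rest%% *};       msg=${rest#* }
    rule=$(sed -n "${lineno}p" "$2")
    printf "line %s: '%s' -> %s\n" "$lineno" "$(nft_token_at "$rule" "$cs" "$ce")" "$msg"
}

# nft_safe_load "<ruleset file>" "<error dir>": check first (nft -c applies nothing),
# load only if the check passes; otherwise keep a copy of the file in the error
# directory (err.<name>, the naming banIP uses in the thread) and explain each error.
nft_safe_load() {
    err=$(nft -c -f "$1" 2>&1) && nft -f "$1" && return 0
    mkdir -p "$2" && cp "$1" "$2/err.$(basename "$1")"
    printf '%s\n' "$err" | while IFS= read -r line; do
        nft_explain_error "$line" "$1" || printf 'nft: %s\n' "$line"
    done
    return 1
}

# Stand-alone demo: explain the thread's error without touching the live ruleset.
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp)
    printf '%s\n%s\n%s\n%s\n' 'add table inet banIP' \
        'add set inet banIP doh.v4 { type ipv4_addr; flags interval; }' \
        'add element inet banIP doh.v4 { 192.0.2.1 }' "$SAMPLE_RULE" > "$demo"
    nft_explain_error "$SAMPLE_ERR" "$demo"
    rm -f "$demo"
fi
```

Run with ./nft-check.sh --demo to see the explanation for the thread's file, or call nft_safe_load /path/to/ruleset.nft /mnt/sdb1/openwrt/banip/errors from your own loader. Note that nft reports the token where its parser gave up, which is not always the token that is wrong: here it stops at "counter" although the actual defect is "tlog" a few words earlier, so read the whole underlined line, not just the caret.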
Please send me one of your error files and your banIP config to my maintainers address and I will take a look tomorrow - thanks.
Ok sure.. i'll send them.. thanks
Looks like a recent typo that inserts "tlog level" instead of "log level".
Yup.. can confirm.. it is a typo; after editing /usr/lib/banip-functions.sh and removing the extra "l", no more errors.
Thanks a bunch!
@dibdot it was just a typo in banip-functions.sh, so no need to test my config; just disregard the email. Thanks!