banIP support thread

My feeds are not loading. Is this related to the libmbedtls issue?

I tried changing to wget, still same error.

[26 Apr 2026, 00:01:01 GMT+8] user.info: banIP-1.8.6-r4[13362]: skip incomplete feed 'debl'
[26 Apr 2026, 00:01:01 GMT+8] user.info: banIP-1.8.6-r4[13362]: skip incomplete feed 'doh'
[26 Apr 2026, 00:01:01 GMT+8] user.info: banIP-1.8.6-r4[13362]: skip incomplete feed 'firehol1'
[26 Apr 2026, 00:01:01 GMT+8] user.info: banIP-1.8.6-r4[13362]: skip incomplete feed 'firehol2'
[26 Apr 2026, 00:01:01 GMT+8] user.info: banIP-1.8.6-r4[13362]: skip incomplete feed 'firehol3'
[26 Apr 2026, 00:01:01 GMT+8] user.info: banIP-1.8.6-r4[13362]: skip incomplete feed 'firehol4'

Nope, most probably you try to use an old, custom feed file from a former release. Just nuke this file in the custom feed editor ...

Thank you. Forgot to mention I just upgraded from v24 to v25.

My custom feed was empty. I nuked the main banip.feeds and replaced with a copy in github.

Working fine now. I probably edited it sometime in the past.

…missing knowledge…

How to implement

https://www.spamhaus.org/drop/asndrop.json

ASN-Filterlist

Thx

There is a comment there saying:
"...I think we have to wait for a future release 3.6.7 to get this bugfix in openwrt..."

It seems it will not be fixed soon because it's not an openwrt project :frowning:

Is there any workaround while we wait?

[24/04/2026-15:47:03] banIP-1.8.6-r4[5521]: download for feed 'country.us.v4' failed, rc: 4

Disclaimer: I’m not a developer, and currently don’t have an available test device to try this. Not sure if it will work.
If you want though, maybe try this as a temporary fix by editing /usr/lib/banip-functions.sh and modifying line 92 from being ban_fetchparm="" to new value:
ban_fetchparm="--tlsv1.2 --tls-max 1.2"
(Pay attention to specific spacing above. Also, you should probably make a backup copy of file before editing.) :wink:

I could be wrong, but this may work for you by passing parameters at time of list download so that it forces CURL’s use of TLS 1.2; making compatible with the country list server.

(Note: make sure the ‘download insecure’ option is unchecked (off) - as that would modify and override the parm value later on.)

1 Like

FANTASTIC! It works!
Thanks for your help. The country list is back :+1:

A new banIP release 1.8.8. is in master/25.12. It includes many logging improvements and fixes, see:

and

@neurotransmitter
With 1.8.8 I also added a new feed "spamhaus" (Spamhaus DROP) with IPv4/IPv6 addresses in a json format.

1 Like

ASN is not supported in this context - just use the usual IPv4/IPv6 list in JSON format (see banIP 1.8.8).

1 Like

Great that it works for you!
The correct way to change download parameters in banIP/adblock is to uncheck the Auto Detection and add the download parameters manually, e.g.:

The default download parameters per download utility are documented within the online readme.

2 Likes

Oh, my mistake. I completely overlooked that part! :man_facepalming:
Thank you.

@Renato - See post above. dibdot already had a mechanism in place to override the parameter; and even better, it is built into the GUI. :slightly_smiling_face:

2 Likes

Spamhaus drop feed is always implemented in drop list, isn’t it??

drop 	spamhaus drop compilation 	x 			Link

ASN Drop is the missing important list…

Neuro

According to Spamhaus the text files are deprecated - I will remove the drop feed with the next update (for details see https://www.spamhaus.org/blocklists/do-not-route-or-peer/).

Nope, it's just another "view" to the same IP blocks.

1 Like

This workaround is not working for me by either method. I tried using the Download Parameters in luci, and editing the banip-functions.sh by hand. Neither works. Restarted banip after each edit. Same error when downloading country feeds rc: 4.

Provide your banIP config.

config banip 'global'
option ban_enabled '1'
option ban_autodetect '0'
option ban_nftpolicy 'performance'
option ban_fetchcmd 'curl'
option ban_protov4 '1'
list ban_ifv4 'wan'
list ban_dev 'eth0'
list ban_ifv6 'wan6'
list ban_trigger 'wan'
list ban_country 'br'
list ban_country 'cn'
list ban_country 'ir'
list ban_country 'kp'
list ban_country 'ru'
list ban_country 'tr'
option ban_nftexpiry '5m'
option ban_countrysplit '1'
option ban_debug '0'
option ban_fetchretry '5'
option ban_nicelimit '0'
option ban_filelimit '1024'
option ban_deduplicate '1'
option ban_nftpriority '-100'
option ban_icmplimit '25'
option ban_synlimit '10'
option ban_udplimit '100'
option ban_nftretry '5'
option ban_blockpolicy 'drop'
option ban_nftloglevel 'warn'
option ban_logprerouting '0'
option ban_loginbound '0'
option ban_logoutbound '0'
option ban_loglimit '100'
option ban_autoallowlist '1'
option ban_autoallowuplink 'subnet'
option ban_autoblocklist '1'
option ban_allowlistonly '0'
option ban_asnsplit '1'
list ban_asn '24309'
list ban_feed 'asn'
list ban_feed 'becyber'
list ban_feed 'bogon'
list ban_feed 'cinsscore'
list ban_feed 'country'
list ban_feed 'debl'
list ban_feed 'dns'
list ban_feed 'doh'
list ban_feed 'proxy'
list ban_feed 'threat'
list ban_feed 'threatview'
list ban_feed 'tor'
list ban_feed 'turris'
option ban_bcp38 '1'
list ban_logterm 'Exit before auth from'
list ban_logterm 'luci: failed login'
list ban_logterm 'error: maximum authentication attempts exceeded'
list ban_logterm 'sshd.Connection closed by.[preauth]'
list ban_logterm 'SecurityEvent="InvalidAccountID".RemoteAddress='
list ban_logterm 'TLS Error: could not determine wrapping from [AF_INET]'
list ban_logterm 'AdGuardHome.[error].*/control/login: from ip'
list ban_logterm 'received a suspicious remote IP'

You didn't specify the fetchparm option at all?
Try something like that ...

option ban_fetchparm '--connect-timeout 20 --tlsv1.2 --tls-max 1.2 --retry-delay 10 --retry 5 --retry-all-errors --fail --silent --show-error --location -o'

Sorry yes I did. I tried many different combinations. But I must have done something wrong as this is now working: option ban_fetchparm '--tlsv1.2 --tls-max 1.2 --connect-timeout 20 --retry-delay 10 --retry 5 --retry-all-errors --fail --silent --show-error --location -o'

There also was a typo in the command as listed in the thread as --tlsmax 1.2 is actually --tls-max 1.2

Anyway it’s working! Thank you!

1 Like
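
The pitfalls discussed in the posts above (the `--tlsmax` misspelling, a TLS floor without a ceiling, characters picked up when copying a value from a rendered post), as an added example that is not part of the thread or of banIP: a POSIX shell lint for a curl `ban_fetchparm` value. The function name `check_fetchparm` is hypothetical, and the rule that the value ends in `-o` is an assumption taken from the working option values posted in this thread.

```shell
#!/bin/sh
# Added example, not banIP code: lint a curl ban_fetchparm value before it
# goes into /etc/config/banip. check_fetchparm is a hypothetical helper.

check_fetchparm() {
    parm="$1"
    findings=0

    # Typographic quotes arrive when a value is copied from a rendered post;
    # the shell and curl treat them as ordinary characters of an argument.
    case "$parm" in
        *"‘"*|*"’"*|*"“"*|*"”"*)
            echo "typographic quote inside value"
            findings=$((findings + 1)) ;;
    esac

    # curl spells the ceiling option --tls-max; --tlsv1.2 alone only sets
    # the minimum version, so a newer TLS version can still be negotiated.
    case "$parm" in
        *--tlsmax*)
            echo "unknown option --tlsmax, use --tls-max"
            findings=$((findings + 1)) ;;
        *--tls-max*) ;;
        *--tlsv1.2*)
            echo "--tlsv1.2 without --tls-max does not pin TLS 1.2"
            findings=$((findings + 1)) ;;
    esac

    # Assumption from the working values in this thread: the string ends in
    # -o so the output file can follow it.
    last="${parm##* }"
    if [ "$last" != "-o" ]; then
        echo "value does not end in -o (last word: '$last')"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Constructed sample values: one well-formed, one with the misspelling and a pasted quote.
GOOD='--tlsv1.2 --tls-max 1.2 --connect-timeout 20 --fail --silent --show-error --location -o'
BAD='--tlsv1.2 --tlsmax 1.2 --fail --silent --location -o’'

for value in "$GOOD" "$BAD"; do
    if check_fetchparm "$value"; then echo "ok: $value"; else echo "fix: $value"; fi
done
```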

With 1.8.6 under Set Reporting I had packet reporting without elements being listed. Now with the new Reporting Counters toggle in 1.8.8 it seems to be all or nothing. Both packets and elements, or neither. Is that how it’s supposed to work now? Or am I missing something.

That's intentional, see latest readme:

The DoS protection counters are always enabled ... here is the latest readme a bit misleading/wrong.

1 Like