-- Copyright 2018-2019 Dirk Brenken (dev@brenken.org)
-- This is free software, licensed under the Apache License, Version 2.0
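local fs = require("nixio.fs")
local uci = require("luci.model.uci").cursor()
local net = require("luci.model.network").init()
local util = require("luci.util")

-- Ask netifd (over ubus) for the list of configured interfaces. The result
-- is only used to populate the manual WAN interface selection below.
-- util.ubus() may return nil when the call fails, so the result is never
-- indexed without a check.
local dump = util.ubus("network.interface", "dump", {})

-- CBI map for the UCI config "banip". The description contains literal HTML;
-- the only value substituted into it is the constant documentation URL.
m = Map("banip", translate("banIP"),
	translate("Configuration of the banIP package to block ip adresses/subnets via IPSet. ")
	..translatef("For further information "
	.. "<a href=\"%s\" target=\"_blank\">"
	.. "check the online documentation</a>", "https://github.com/openwrt/packages/blob/master/net/banip/files/README.md"))

-- Main options live in the named section "global" of type "banip".
s = m:section(NamedSection, "global", "banip")

-- Master switch; blocking stays off until the administrator enables it.
o1 = s:option(Flag, "ban_enabled", translate("Enable banIP"))
o1.default = o1.disabled

-- Automatic WAN detection is on by default.
o2 = s:option(Flag, "ban_automatic", translate("Automatic WAN Interface Detection"))
o2.default = o2.enabled

-- Manual interface selection, offered only when automatic detection is off.
o3 = s:option(MultiValue, "ban_iface", translate("Manual WAN Interface Selection"),
	translate("Select your preferred interface(s) manually."))

-- A failed ubus call leaves `dump` nil. Fall back to an empty list so the
-- page still renders (with no manual choices) instead of raising an error.
local interfaces = dump and dump.interface or {}
for _, iface in ipairs(interfaces) do
	-- The loopback interface is not offered as a selectable interface.
	if iface.interface ~= "loopback" then
		local device = iface.l3_device or iface.device or "-"
		o3:value(iface.interface, " " .. iface.interface .. " (" .. device .. ") ")
	end
end

o3:depends("ban_automatic", 0)
o3.widget = "checkbox"

-- Realtime SSH/LuCI brute-force monitor; opt-in (disabled by default).
o4 = s:option(Flag, "ban_realtime", translate("SSH/LuCI RT Monitor"),
	translate("Starts a small log/banIP monitor in the background to block SSH/LuCI brute force attacks in realtime."))
o4.default = o4.disabled

-- Runtime Information
-- Placeholder option whose output comes entirely from the "banip/runtime"
-- view template; "_dummy" is only a placeholder option name.
ds = s:option(DummyValue, "_dummy")
ds.template = "banip/runtime"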
-- IPSet Sources
-- One row per UCI section of type "source", rendered through the custom
-- "banip/sourcelist" view template.
bl = m:section(TypedSection, "source", translate("IPSet Sources"))
bl.template = "banip/sourcelist"

-- Per-source enable switches. rmempty = false keeps the option in the
-- config when the box is unchecked, so the disabled state is stored
-- explicitly rather than by omission.
name_4 = bl:option(Flag, "ban_src_on", translate("enable IPv4"))
name_4.rmempty = false

name_6 = bl:option(Flag, "ban_src_on_6", translate("enable IPv6"))
name_6.rmempty = false

-- Rule direction for the source (label "SRC/DST").
-- NOTE(review): no :value() entries for this list are visible in this listing.
-- NOTE(review): this assigns to the name `type`, which hides Lua's built-in
-- type() for any later code in this file that resolves the same name; a
-- different variable name would avoid the surprise.
type = bl:option(ListValue, "ban_src_ruletype", translate("SRC/DST"))

-- Read-only description column.
des = bl:option(DummyValue, "ban_src_desc", translate("Description"))

-- ASN / country codes. The "uciname" datatype limits each entry to letters,
-- digits and underscores, so shell or path metacharacters are rejected in
-- the form before they reach the config.
cat = bl:option(DynamicList, "ban_src_cat", translate("ASN/Country"))
cat.datatype = "uciname"
-- Extra Options
-- Tuning knobs stored in the named section "extra" of type "banip".
e = m:section(NamedSection, "extra", "banip", translate("Extra Options"),
	translate("Options for further tweaking in case the defaults are not suitable for you."))

-- Verbose logging for troubleshooting.
e1 = e:option(Flag, "ban_debug", translate("Verbose Debug Logging"),
	translate("Enable verbose debug logging in case of any processing error."))

-- Run background processing at low priority (takes effect after a restart).
e2 = e:option(Flag, "ban_nice", translate("Low Priority Service"),
	translate("Set the nice level to 'low priority' and banIP background processing will take less resources from the system. ")
	..translate("This change requires a manual service stop/re-start to take effect."))

-- Backup location. The "directory" datatype makes the form accept only a
-- path that already exists as a directory.
-- NOTE(review): the backups presumably feed the block lists again on
-- restore, so the chosen directory should be writable only by privileged
-- users; confirm against the backend script.
e3 = e:option(Value, "ban_backupdir", translate("Backup Directory"),
	translate("Target directory for banIP backups. Default is '/tmp', please use preferably a non-volatile disk if available."))
e3.datatype = "directory"

-- Parallel download queue size, bounded to 1..32 by the form.
e4 = e:option(Value, "ban_maxqueue", translate("Max. Download Queue"),
	translate("Size of the download queue to handle downloads & IPset processing in parallel (default '4'). ")
	.. translate("For further performance improvements you can raise this value, e.g. '8' or '16' should be safe."))
e4.datatype = "range(1,32)"

-- SSH daemon whose log output is parsed for break-in events.
-- NOTE(review): no :value() entries for this list are visible in this listing.
e5 = e:option(ListValue, "ban_sshdaemon", translate("SSH Daemon"),
	translate("Select the SSH daemon for logfile parsing, to detect break-in events."))
e5.default = "dropbear"

-- Persist automatically added blacklist entries to the local blacklist
-- (enabled by default).
e6 = e:option(Flag, "ban_autoblacklist", translate("Local Save Blacklist Addons"),
	translate("Blacklist auto addons are stored temporary in the IPSet and saved permanently in the local blacklist. Disable this option to prevent the local save."))
e6.default = e6.enabled

-- Persist automatically added whitelist entries to the local whitelist
-- (enabled by default).
e7 = e:option(Flag, "ban_autowhitelist", translate("Local Save Whitelist Addons"),
	translate("Whitelist auto addons are stored temporary in the IPSet and saved permanently in the local whitelist. Disable this option to prevent the local save."))
e7.default = e7.enabled
-- Optional Extra Options

-- Build one firewall-chain name field in section `e`. Every chain field
-- shares the "uciname" datatype, which restricts input to letters, digits
-- and underscores. The already translated label is passed in so that the
-- translate("...") literals stay at the call sites.
local function chain_option(key, label, default)
	local opt = e:option(Value, key, label)
	opt.default = default
	opt.datatype = "uciname"
	return opt
end

-- Download utility used to fetch the block lists.
-- NOTE(review): only the first :value() entry is visible in this listing.
e20 = e:option(ListValue, "ban_fetchutil", translate("Download Utility"),
	translate("Select your preferred download utility."))
e20:value("uclient-fetch")

-- Free-text options for the download utility; the form sets no datatype.
-- NOTE(review): the text is presumably appended to the utility's command
-- line by the backend script, which is not shown here. Confirm that the
-- backend does not let the shell evaluate it, and consider restricting the
-- accepted characters in this form.
e21 = e:option(Value, "ban_fetchparm", translate("Download Options"),
	translate("Special options for the selected download utility, e.g. '--timeout=20 -O'."))

-- Start-up delay in seconds, bounded to 1..60 by the form.
e22 = e:option(Value, "ban_triggerdelay", translate("Trigger Delay"),
	translate("Additional trigger delay in seconds before banIP processing begins."))
e22.datatype = "range(1,60)"

-- Start type used during boot.
-- NOTE(review): no :value() entries for this list are visible in this listing.
e23 = e:option(ListValue, "ban_starttype", translate("Start Type"),
	translate("Select the used start type during boot."))
e23.default = "start"

-- IPv4 firewall chains.
e30 = chain_option("ban_wan_input_chain", translate("WAN Input Chain IPv4"), "input_wan_rule")
e31 = chain_option("ban_wan_forward_chain", translate("WAN Forward Chain IPv4"), "forwarding_wan_rule")
e32 = chain_option("ban_lan_input_chain", translate("LAN Input Chain IPv4"), "input_lan_rule")
e33 = chain_option("ban_lan_forward_chain", translate("LAN Forward Chain IPv4"), "forwarding_lan_rule")

-- IPv4 targets for matched source and destination addresses.
-- NOTE(review): the :value() entries, and any default for the SRC target,
-- are not visible in this listing.
e34 = e:option(ListValue, "ban_target_src", translate("SRC Target IPv4"))

e35 = e:option(ListValue, "ban_target_dst", translate("DST Target IPv4"))
e35.default = "REJECT"

-- IPv6 firewall chains; defaults are the same chain names as for IPv4.
e36 = chain_option("ban_wan_input_chain_6", translate("WAN Input Chain IPv6"), "input_wan_rule")
e37 = chain_option("ban_wan_forward_chain_6", translate("WAN Forward Chain IPv6"), "forwarding_wan_rule")
e38 = chain_option("ban_lan_input_chain_6", translate("LAN Input Chain IPv6"), "input_lan_rule")
e39 = chain_option("ban_lan_forward_chain_6", translate("LAN Forward Chain IPv6"), "forwarding_lan_rule")

-- IPv6 targets for matched source and destination addresses.
e40 = e:option(ListValue, "ban_target_src_6", translate("SRC Target IPv6"))

e41 = e:option(ListValue, "ban_target_dst_6", translate("DST Target IPv6"))
e41.default = "REJECT"