From mboxrd@z Thu Jan 1 00:00:00 1970
From: Stefan Schantl
To: development@lists.ipfire.org
Subject: [PATCH 07/12] rules.pl: Move to ipset based data for location based firewall rules.
Date: Mon, 14 Feb 2022 19:42:51 +0100
Message-ID: <20220214184257.2406-7-stefan.schantl@ipfire.org>
In-Reply-To: <20220214184257.2406-1-stefan.schantl@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1347402695279490863=="
List-Id:
--===============1347402695279490863==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Signed-off-by: Stefan Schantl
---
 config/firewall/firewall-lib.pl | 4 ++--
 config/firewall/rules.pl | 16 ++++++++++++++--
 2 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl
index bc0b30ca5..13f0c9971 100644
--- a/config/firewall/firewall-lib.pl
+++ b/config/firewall/firewall-lib.pl
@@ -466,7 +466,7 @@ sub get_address
 		# Get external interface.
 		my $external_interface = &get_external_interface();
 
-		push(@ret, ["-m geoip --src-cc $value", "$external_interface"]);
+		push(@ret, ["-m set --match-set CC_$value src", "$external_interface"]);
 	}
 
 	# Handle rule options with a location as target.
@@ -476,7 +476,7 @@ sub get_address
 		# Get external interface.
 		my $external_interface = &get_external_interface();
 
-		push(@ret, ["-m geoip --dst-cc $value", "$external_interface"]);
+		push(@ret, ["-m set --match-set CC_$value dst", "$external_interface"]);
 	}
 
 	# If nothing was selected, we assume "any".
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index e009c1838..d533ffb42 100644
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
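Review bot: `CC_$value` interpolates the rule's location field straight into the match string with no check that it is a two-letter country code, and unlike the old geoip match, `-m set --match-set` makes iptables reject the whole rule when no set of that name exists at insertion time; the dst variant at @@ -476 has the same shape. If the value is already validated when the rule is stored this is harmless, but a cheap guard such as wrapping the push in `if ($value =~ m/\A[A-Z]{2}\z/)` would keep a malformed or stale code from producing an argument that can only fail later in the iptables call, and a comment stating that the caller must load the set before inserting the rule would document the new ordering dependency. get_address starts and ends outside the hunk.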
@@ -401,7 +401,13 @@ sub buildrules {
 			my @source_options = ();
 			if ($source =~ /mac/) {
 				push(@source_options, $source);
-			} elsif ($source =~ /-m geoip/) {
+			} elsif ($source =~ /-m set/) {
+				# Grab location code from hash.
+				my $loc_src = $$hash{$key}[4];
+
+				# Call function to load the networks list for this country.
+				&ipset_restore($loc_src);
+
 				push(@source_options, $source);
 			} elsif($source) {
 				push(@source_options, ("-s", $source));
@@ -409,7 +415,13 @@ sub buildrules {
 
 			# Prepare destination options.
 			my @destination_options = ();
-			if ($destination =~ /-m geoip/) {
+			if ($destination =~ /-m set/) {
+				# Grab location code from hash.
+				my $loc_dst = $$hash{$key}[6];
+
+				# Call function to load the networks list for this country.
+				&ipset_restore($loc_dst);
+
 				push(@destination_options, $destination);
 			} elsif ($destination) {
 				push(@destination_options, ("-d", $destination));
-- 
2.30.2
--===============1347402695279490863==--
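Review bot: `&ipset_restore($loc_src)` is called only for its side effect and its result is discarded, so a country whose set cannot be loaded still gets the `-m set --match-set` option pushed and the rule fails later at the iptables call; the destination branch at @@ -409 with `$loc_dst` has the same shape. Whether ipset_restore reports failure is not visible here; if it returns a status, handling it at this point (skip or log the rule) would give a clearer error than an iptables failure. The location code is read from fixed positions `[4]`/`[6]` of the rule record rather than derived from the match string, so a short comment naming those fields, e.g. `# Field 4 of the rule record holds the source location code (see get_address).`, would make that coupling explicit. Minor style: `ipset_restore($loc_src)` without the `&` sigil and `$hash->{$key}[4]` read more idiomatically. buildrules starts and ends outside the hunk.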