* [PATCH 01/12] location-functions.pl: Rename and set the location for exported databases to "/var/lib/location/ipset/".
From: Stefan Schantl @ 2022-02-14 18:42 UTC
To: development
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
---
config/cfgroot/location-functions.pl | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/cfgroot/location-functions.pl b/config/cfgroot/location-functions.pl
index 4d44ce24d..f86464933 100644
--- a/config/cfgroot/location-functions.pl
+++ b/config/cfgroot/location-functions.pl
@@ -53,7 +53,7 @@ our $database = "$location_dir/database.db";
our $keyfile = "$location_dir/signing-key.pem";
# Directory which contains the exported databases.
-our $xt_geoip_db_directory = "/usr/share/xt_geoip/";
+our $ipset_db_directory = "$location_dir/ipset";
# Create libloc database handle.
my $db_handle = &init();
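Review bot: the subject announces "/var/lib/location/ipset/", but the new line `+our $ipset_db_directory = "$location_dir/ipset";` builds the path from `$location_dir`, which at this point in the series still ends in a slash (it is only stripped in PATCH 02/12), so this commit on its own produces `/var/lib/location//ipset`. Either fold the trailing-slash fix into this patch or reorder the two so each commit stands alone, and keep the subject consistent with the value actually set (no trailing slash). Renaming the variable also silently drops `$xt_geoip_db_directory`; mention in the commit message that no remaining consumer references the old name.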
--
2.30.2
* [PATCH 02/12] location-functions.pl: Remove ending backslash from location_dir variable.
From: Stefan Schantl @ 2022-02-14 18:42 UTC
To: development
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
---
config/cfgroot/location-functions.pl | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/cfgroot/location-functions.pl b/config/cfgroot/location-functions.pl
index f86464933..46e27c04a 100644
--- a/config/cfgroot/location-functions.pl
+++ b/config/cfgroot/location-functions.pl
@@ -44,7 +44,7 @@ my %network_flags = (
my @special_locations = ( "A1", "A2", "A3", "XD" );
# Directory where the libloc database and keyfile lives.
-our $location_dir = "/var/lib/location/";
+our $location_dir = "/var/lib/location";
# Libloc database file.
our $database = "$location_dir/database.db";
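Review bot: the change to `+our $location_dir = "/var/lib/location";` is safe for the consumers visible in this hunk (`$location_dir/database.db` and `$location_dir/signing-key.pem` already add their own separator), but any other user of `$Location::Functions::location_dir` that concatenated a file name directly will now get `/var/lib/locationfoo`; please grep the tree for that before merging. As a one-line prerequisite of PATCH 01/12 it is also a natural candidate for squashing into that patch.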
--
2.30.2
* [PATCH 03/12] rules.pl: Move flush of LOCATIONBLOCK into main flush() function.
From: Stefan Schantl @ 2022-02-14 18:42 UTC
To: development
It is required to get rid of all ipset based rules before all of
the loaded ipset lists can be destroyed.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
---
config/firewall/rules.pl | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index 9d280045a..f685d08a7 100644
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -186,6 +186,9 @@ sub flush {
run("$IPTABLES -t nat -F $CHAIN_NAT_SOURCE");
run("$IPTABLES -t nat -F $CHAIN_NAT_DESTINATION");
run("$IPTABLES -t mangle -F $CHAIN_MANGLE_NAT_DESTINATION_FIX");
+
+ # Flush LOCATIONBLOCK chain.
+ run("$IPTABLES -F LOCATIONBLOCK");
}
sub buildrules {
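Review bot: `run("$IPTABLES -F LOCATIONBLOCK");` empties the chain but does not create it and fails if it does not exist, so this relies on the init script having created LOCATIONBLOCK before flush() runs; a `-N` guard or a comment stating that dependency would make it robust. Since the commit message says the goal is to remove every `-m set` reference before the ipsets are destroyed, also confirm that no chain left untouched by flush() (built-in chains or chains of other features) can still hold a `--match-set CC_*` rule, otherwise the `ipset destroy` added in the following patch will refuse to run.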
@@ -638,8 +641,7 @@ sub p2pblock {
}
sub locationblock {
- # Flush iptables chain.
- run("$IPTABLES -F LOCATIONBLOCK");
+ # The LOCATIONBLOCK chain now gets flushed by the flush() function.
# If location blocking is not enabled, we are finished here.
if ($locationsettings{'LOCATIONBLOCK_ENABLED'} ne "on") {
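Review bot: the replacement `+ # The LOCATIONBLOCK chain now gets flushed by the flush() function.` is a comment about code that no longer lives here; keeping a pointer is fine, but the behavioural change deserves a sentence in the commit message: with the early return below kept, the chain is now flushed even when LOCATIONBLOCK_ENABLED is off, which is what you want (no stale DROP rules survive disabling the feature) and was already true before, since the old flush ran before the check.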
--
2.30.2
* [PATCH 04/12] rules.pl: Destroy all ipset lists on rule reload.
From: Stefan Schantl @ 2022-02-14 18:42 UTC
To: development
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
---
config/firewall/rules.pl | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index f685d08a7..da01b8775 100644
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -31,6 +31,7 @@ require "${General::swroot}/location-functions.pl";
my $DEBUG = 0;
my $IPTABLES = "iptables --wait";
+my $IPSET = "ipset";
# iptables chains
my $CHAIN_INPUT = "INPUTFW";
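Review bot: `my $IPSET = "ipset";` mirrors `$IPTABLES`, but note that `iptables --wait` takes the xtables lock while ipset has no equivalent option, so two concurrent runs of rules.pl (a manual reload racing the reload triggered by update-location-database) are serialized only for the iptables calls and can interleave their `ipset destroy`/`restore` steps. Consider a lock around main(), or state in a comment that rules.pl must not run concurrently.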
@@ -114,6 +115,9 @@ sub main {
# Flush all chains.
&flush();
+ # Destroy all existing ipsets.
+ run("$IPSET destroy");
+
# Prepare firewall rules.
if (! -z "${General::swroot}/firewall/input"){
&buildrules(\%configinputfw);
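Review bot: `run("$IPSET destroy");` with no set name destroys every set on the system, not only the `CC_*` sets this script creates, and it aborts if any set is still referenced by an iptables rule. The first means a set created by another feature or by the administrator is wiped on every firewall reload; the second means one lingering `-m set` rule leaves all old sets in place, after which the restore calls later in the series fail on the already-existing names. Suggest destroying only the sets this script owns (iterate over `ipset list -n` and match the `CC_` prefix) and checking run()'s return value so a failed destroy is logged rather than ignored.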
--
2.30.2
* [PATCH 05/12] rules.pl: Add tiny ipset_restore function.
From: Stefan Schantl @ 2022-02-14 18:42 UTC
To: development
This helper function is used to load a previously exported list of
networks for a given country code into the ipset module, so it can be
used for any kind of firewall rules.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
---
config/firewall/rules.pl | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index da01b8775..5b1153b08 100644
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -888,3 +888,10 @@ sub firewall_is_in_subnet {
return 0;
}
+
+sub ipset_restore ($) {
+ my ($ccode) = @_;
+
+ # Run ipset and restore the list of the given country code.
+ run("$IPSET restore < $Location::Functions::ipset_db_directory/$ccode.ipset4");
+}
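Review bot: `run("$IPSET restore < $Location::Functions::ipset_db_directory/$ccode.ipset4");` relies on a shell for the redirection, so `$ccode` is interpolated into a command line and the function itself does no validation; the callers added later do take the code from the firewall configuration and the libloc location list, but a check at the top such as `$ccode =~ /^[A-Z0-9]{2}$/` (the special codes A1, A2, A3 and XD in `@special_locations` fit that pattern) would make the helper safe on its own. Two failure modes a caller will hit immediately: `ipset restore` errors out when the set already exists, and a missing `.ipset4` file makes the redirection fail; both are patched up later (PATCH 09/12 and 10/12) and would be simpler handled here, e.g. `ipset restore -exist` for the first. Minor: the `($)` prototype is bypassed by the `&ipset_restore(...)` call style used in the rest of the file.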
--
2.30.2
* [PATCH 06/12] rules.pl: Move to ipset based data for LOCATIONBLOCK feature.
From: Stefan Schantl @ 2022-02-14 18:42 UTC
To: development
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
---
config/firewall/rules.pl | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index 5b1153b08..e009c1838 100644
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -671,7 +671,11 @@ sub locationblock {
# is enabled.
foreach my $location (@locations) {
if(exists $locationsettings{$location} && $locationsettings{$location} eq "on") {
- run("$IPTABLES -A LOCATIONBLOCK -m geoip --src-cc $location -j DROP");
+ # Call function to load the networks list for this country.
+ &ipset_restore($location);
+
+ # Call iptables and create rule to use the loaded ipset list.
+ run("$IPTABLES -A LOCATIONBLOCK -m set --match-set CC_$location src -j DROP");
}
}
}
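Review bot: the rule `-m set --match-set CC_$location src -j DROP` assumes that the exported `.ipset4` files create sets named `CC_<code>`; that naming convention is not visible anywhere in this series, so please state it in the commit message and in a comment next to the rule, because a rename on the export side would break blocking silently. Ordering also matters: if `&ipset_restore($location)` fails (missing file, set already present), the iptables call that follows fails with an unknown set and the country is simply not blocked. Have ipset_restore return a status and log, rather than silently skip, the rule when the set is unavailable.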
--
2.30.2
* [PATCH 07/12] rules.pl: Move to ipset based data for location based firewall rules.
From: Stefan Schantl @ 2022-02-14 18:42 UTC
To: development
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
---
config/firewall/firewall-lib.pl | 4 ++--
config/firewall/rules.pl | 16 ++++++++++++++--
2 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl
index bc0b30ca5..13f0c9971 100644
--- a/config/firewall/firewall-lib.pl
+++ b/config/firewall/firewall-lib.pl
@@ -466,7 +466,7 @@ sub get_address
# Get external interface.
my $external_interface = &get_external_interface();
- push(@ret, ["-m geoip --src-cc $value", "$external_interface"]);
+ push(@ret, ["-m set --match-set CC_$value src", "$external_interface"]);
}
# Handle rule options with a location as target.
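Review bot: `-m set --match-set CC_$value src` is a drop-in replacement for the geoip match, but `$value` now ends up both in the set name and, via ipset_restore, in a file path and a shell command line; it is taken straight from the rule's location field, so make sure it is validated against the known location codes either here or where the rule is read, so that a malformed configuration entry cannot produce a broken rule or an unexpected path.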
@@ -476,7 +476,7 @@ sub get_address
# Get external interface.
my $external_interface = &get_external_interface();
- push(@ret, ["-m geoip --dst-cc $value", "$external_interface"]);
+ push(@ret, ["-m set --match-set CC_$value dst", "$external_interface"]);
}
# If nothing was selected, we assume "any".
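Review bot: same substitution as the source hunk above with `dst`; a single rule can carry both a location source and a location destination, so two sets must be loaded before that rule is added, which rules.pl handles separately below. A short comment here saying that the set must have been restored by rules.pl before this match is usable would help the next reader of firewall-lib.pl.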
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index e009c1838..d533ffb42 100644
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -401,7 +401,13 @@ sub buildrules {
my @source_options = ();
if ($source =~ /mac/) {
push(@source_options, $source);
- } elsif ($source =~ /-m geoip/) {
+ } elsif ($source =~ /-m set/) {
+ # Grab location code from hash.
+ my $loc_src = $$hash{$key}[4];
+
+ # Call function to load the networks list for this country.
+ &ipset_restore($loc_src);
+
push(@source_options, $source);
} elsif($source) {
push(@source_options, ("-s", $source));
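Review bot: the branch condition `$source =~ /-m set/` is a substring match on a generated option string, and the country code is then read from a positional field `$$hash{$key}[4]` rather than from the string that matched. If get_address() ever emits `-m set` for something other than a location, or the field indexes shift, the wrong set gets restored while the rule still references the `CC_<code>` from `$source`. Parsing the code back out of `$source` (e.g. `$source =~ /--match-set CC_(\w+) src/`) keeps the two in sync. Also, the same code can appear in many rules, and every rule currently re-runs `ipset restore` for it, which fails as soon as the set exists (fixed later in PATCH 09/12).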
@@ -409,7 +415,13 @@ sub buildrules {
# Prepare destination options.
my @destination_options = ();
- if ($destination =~ /-m geoip/) {
+ if ($destination =~ /-m set/) {
+ # Grab location code from hash.
+ my $loc_dst = $$hash{$key}[6];
+
+ # Call function to load the networks list for this country.
+ &ipset_restore($loc_dst);
+
push(@destination_options, $destination);
} elsif ($destination) {
push(@destination_options, ("-d", $destination));
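Review bot: identical logic to the source branch with index `[6]` and no shared helper; the duplicated restore block is a sign that the "load the set if it is not loaded yet" logic belongs inside ipset_restore() itself rather than at every call site.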
--
2.30.2
* [PATCH 08/12] update-location-database: Export database to ipset compatible format now.
From: Stefan Schantl @ 2022-02-14 18:42 UTC
To: development
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
---
src/scripts/update-location-database | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/scripts/update-location-database b/src/scripts/update-location-database
index 06b22d101..d41a0a947 100644
--- a/src/scripts/update-location-database
+++ b/src/scripts/update-location-database
@@ -42,8 +42,8 @@ fi
# Get the latest location database from server.
if /usr/bin/location update --cron=$UPDATE_INTERVAL; then
- # Call location and export all countries in xt_geoip compatible format.
- if /usr/bin/location export --directory=/usr/share/xt_geoip --family=ipv4 --format=xt_geoip; then
+ # Call location and export all countries in an ipset compatible format.
+ if /usr/bin/location export --directory=/var/lib/location/ipset --family=ipv4 --format=ipset; then
# Call initscript to reload the firewall.
/etc/init.d/firewall reload
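Review bot: the export directory `/var/lib/location/ipset` is hard-coded in `--directory=/var/lib/location/ipset` while rules.pl reads it from `$Location::Functions::ipset_db_directory`; two copies of the same path invite a silent mismatch in which the firewall looks for files the cron job writes elsewhere, so derive one from the other or document the coupling. `--family=ipv4` also means there is no IPv6 export, which the `.ipset4` suffix used by ipset_restore reflects and which should be said explicitly. Since the firewall reload is only triggered when the export succeeds, a failed export leaves the previously loaded sets in place; log that branch so an outdated database does not go unnoticed.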
--
2.30.2
* [PATCH 09/12] rules.pl: Do not try to restore the same ipset multiple times.
From: Stefan Schantl @ 2022-02-14 18:42 UTC
To: development
When an ipset list gets restored, this now will be documented in a hash, and this hash also will be checked before restoring a list, to see whether this has already been done.
This will prevent restoring the same list multiple times.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
---
config/firewall/rules.pl | 31 +++++++++++++++++++++++++------
1 file changed, 25 insertions(+), 6 deletions(-)
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index d533ffb42..29990ee67 100644
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -70,6 +70,7 @@ my %confignatfw=();
my %locationsettings = (
"LOCATIONBLOCK_ENABLED" => "off"
);
+my %loaded_ipset_lists=();
my @p2ps=();
@@ -405,8 +406,14 @@ sub buildrules {
# Grab location code from hash.
my $loc_src = $$hash{$key}[4];
- # Call function to load the networks list for this country.
- &ipset_restore($loc_src);
+ # Check if the network list for this country already has been loaded.
+ unless($loaded_ipset_lists{$loc_src}) {
+ # Call function to load the networks list for this country.
+ &ipset_restore($loc_src);
+
+ # Store to the hash that this list has been loaded.
+ $loaded_ipset_lists{$loc_src} = "1";
+ }
push(@source_options, $source);
} elsif($source) {
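Review bot: the `unless($loaded_ipset_lists{$loc_src})` guard and the `$loaded_ipset_lists{$loc_src} = "1";` bookkeeping are repeated verbatim for the source branch, the destination branch and locationblock(); moving the test-and-set into ipset_restore() itself (return early if the code is already in the hash) gives every caller the deduplication and reduces each call site to one line. Note also that the hash marks a set as loaded even when the restore call failed, so a later rule for the same code is added against a missing set; record success only, e.g. by storing run()'s result.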
@@ -419,8 +426,14 @@ sub buildrules {
# Grab location code from hash.
my $loc_dst = $$hash{$key}[6];
- # Call function to load the networks list for this country.
- &ipset_restore($loc_dst);
+ # Check if the network list for this country already has been loaded.
+ unless($loaded_ipset_lists{$loc_dst}) {
+ # Call function to load the networks list for this country.
+ &ipset_restore($loc_dst);
+
+ # Store to the hash that this list has been loaded.
+ $loaded_ipset_lists{$loc_dst} = "1";
+ }
push(@destination_options, $destination);
} elsif ($destination) {
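Review bot: same duplicated guard as in the source branch with `$loc_dst`; see the note there about moving the check into ipset_restore().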
@@ -683,8 +696,14 @@ sub locationblock {
# is enabled.
foreach my $location (@locations) {
if(exists $locationsettings{$location} && $locationsettings{$location} eq "on") {
- # Call function to load the networks list for this country.
- &ipset_restore($location);
+ # Check if the network list for this country already has been loaded.
+ unless($loaded_ipset_lists{$location}) {
+ # Call function to load the networks list for this country.
+ &ipset_restore($location);
+
+ # Store to the hash that this list has been loaded.
+ $loaded_ipset_lists{$location} = "1";
+ }
# Call iptables and create rule to use the loaded ipset list.
run("$IPTABLES -A LOCATIONBLOCK -m set --match-set CC_$location src -j DROP");
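Review bot: in locationblock() the `-m set --match-set CC_$location src -j DROP` rule is still added unconditionally after the guard, so when the list could not be loaded (restore failed, or the file is absent, which the next patch turns into a silent skip) iptables errors out and the country ends up unblocked without any log line. A return value from ipset_restore, checked before the iptables call, would turn this silent fail-open into a logged failure.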
--
2.30.2
* [PATCH 10/12] rules.pl: Check if an ipset db file exists before call to restore it.
From: Stefan Schantl @ 2022-02-14 18:42 UTC
To: development
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
---
config/firewall/rules.pl | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index 29990ee67..162781f7a 100644
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -927,6 +927,12 @@ sub firewall_is_in_subnet {
sub ipset_restore ($) {
my ($ccode) = @_;
- # Run ipset and restore the list of the given country code.
- run("$IPSET restore < $Location::Functions::ipset_db_directory/$ccode.ipset4");
+ my $file_prefix = "ipset4";
+ my $db_file = "$Location::Functions::ipset_db_directory/$ccode.$file_prefix";
+
+ # Check if the generated file exists.
+ if (-f $db_file) {
+ # Run ipset and restore the list of the given country code.
+ run("$IPSET restore < $db_file");
+ }
}
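Review bot: `if (-f $db_file)` silently skips the restore when the file is absent; because every caller still emits a `--match-set CC_$ccode` rule afterwards, a missing export file produces an iptables rule that fails to load and a location that is quietly not blocked, i.e. fail-open. Log the missing file and return a status the callers can check before adding their rule. Minor points: `$file_prefix = "ipset4"` is a suffix, not a prefix; and `-f` only tests existence, so an unreadable file still reaches the shell redirection and fails there, which is another reason to check run()'s result.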
--
2.30.2
* [PATCH 11/12] rules.pl: Add workaround to hide a warning about an only once used variable.
From: Stefan Schantl @ 2022-02-14 18:42 UTC
To: development
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
---
config/firewall/rules.pl | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index 162781f7a..c0878059a 100644
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -109,6 +109,10 @@ my $POLICY_INPUT_ACTION = $fwoptions{"FWPOLICY2"};
my $POLICY_FORWARD_ACTION = $fwoptions{"FWPOLICY"};
my $POLICY_OUTPUT_ACTION = $fwoptions{"FWPOLICY1"};
+#workaround to suppress a warning when a variable is used only once
+my @dummy = ( $Location::Functions::ipset_db_directory );
+undef (@dummy);
+
# MAIN
&main();
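Review bot: the `my @dummy = ( $Location::Functions::ipset_db_directory );` plus `undef (@dummy);` pair exists only to silence Perl's "used only once: possible typo" warning, and creating throwaway data hides the intent. The idiomatic fix is a scoped `no warnings 'once';` around the single reference in ipset_restore(), or reading the value once into a lexical that the script actually uses (`my $ipset_db_directory = $Location::Functions::ipset_db_directory;` and referencing that in ipset_restore), which removes both the warning and the workaround. Also match the file's comment style (`# Workaround ...`, with a space after the hash).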
--
2.30.2
* [PATCH 12/12] libloc: Export DB in ipset compatible format.
From: Stefan Schantl @ 2022-02-14 18:42 UTC
To: development
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
---
config/rootfiles/common/libloc | 517 +++++++++++++++++----------------
lfs/libloc | 11 +-
2 files changed, 266 insertions(+), 262 deletions(-)
diff --git a/config/rootfiles/common/libloc b/config/rootfiles/common/libloc
index 43f9efd9e..64ccfef16 100644
--- a/config/rootfiles/common/libloc
+++ b/config/rootfiles/common/libloc
@@ -36,264 +36,265 @@ usr/lib/python3.8/site-packages/location/i18n.py
usr/lib/python3.8/site-packages/location/logger.py
#usr/share/locale/de/LC_MESSAGES/libloc.mo
#usr/share/man/man3/Location.3
-usr/share/xt_geoip/A1.iv4
-usr/share/xt_geoip/A2.iv4
-usr/share/xt_geoip/A3.iv4
-usr/share/xt_geoip/AD.iv4
-usr/share/xt_geoip/AE.iv4
-usr/share/xt_geoip/AF.iv4
-usr/share/xt_geoip/AG.iv4
-usr/share/xt_geoip/AI.iv4
-usr/share/xt_geoip/AL.iv4
-usr/share/xt_geoip/AM.iv4
-usr/share/xt_geoip/AN.iv4
-usr/share/xt_geoip/AO.iv4
-usr/share/xt_geoip/AP.iv4
-usr/share/xt_geoip/AQ.iv4
-usr/share/xt_geoip/AR.iv4
-usr/share/xt_geoip/AS.iv4
-usr/share/xt_geoip/AT.iv4
-usr/share/xt_geoip/AU.iv4
-usr/share/xt_geoip/AW.iv4
-usr/share/xt_geoip/AX.iv4
-usr/share/xt_geoip/AZ.iv4
-usr/share/xt_geoip/BA.iv4
-usr/share/xt_geoip/BB.iv4
-usr/share/xt_geoip/BD.iv4
-usr/share/xt_geoip/BE.iv4
-usr/share/xt_geoip/BF.iv4
-usr/share/xt_geoip/BG.iv4
-usr/share/xt_geoip/BH.iv4
-usr/share/xt_geoip/BI.iv4
-usr/share/xt_geoip/BJ.iv4
-usr/share/xt_geoip/BL.iv4
-usr/share/xt_geoip/BM.iv4
-usr/share/xt_geoip/BN.iv4
-usr/share/xt_geoip/BO.iv4
-usr/share/xt_geoip/BQ.iv4
-usr/share/xt_geoip/BR.iv4
-usr/share/xt_geoip/BS.iv4
-usr/share/xt_geoip/BT.iv4
-usr/share/xt_geoip/BV.iv4
-usr/share/xt_geoip/BW.iv4
-usr/share/xt_geoip/BY.iv4
-usr/share/xt_geoip/BZ.iv4
-usr/share/xt_geoip/CA.iv4
-usr/share/xt_geoip/CC.iv4
-usr/share/xt_geoip/CD.iv4
-usr/share/xt_geoip/CF.iv4
-usr/share/xt_geoip/CG.iv4
-usr/share/xt_geoip/CH.iv4
-usr/share/xt_geoip/CI.iv4
-usr/share/xt_geoip/CK.iv4
-usr/share/xt_geoip/CL.iv4
-usr/share/xt_geoip/CM.iv4
-usr/share/xt_geoip/CN.iv4
-usr/share/xt_geoip/CO.iv4
-usr/share/xt_geoip/CR.iv4
-usr/share/xt_geoip/CS.iv4
-usr/share/xt_geoip/CU.iv4
-usr/share/xt_geoip/CV.iv4
-usr/share/xt_geoip/CW.iv4
-usr/share/xt_geoip/CX.iv4
-usr/share/xt_geoip/CY.iv4
-usr/share/xt_geoip/CZ.iv4
-usr/share/xt_geoip/DE.iv4
-usr/share/xt_geoip/DJ.iv4
-usr/share/xt_geoip/DK.iv4
-usr/share/xt_geoip/DM.iv4
-usr/share/xt_geoip/DO.iv4
-usr/share/xt_geoip/DZ.iv4
-usr/share/xt_geoip/EC.iv4
-usr/share/xt_geoip/EE.iv4
-usr/share/xt_geoip/EG.iv4
-usr/share/xt_geoip/EH.iv4
-usr/share/xt_geoip/ER.iv4
-usr/share/xt_geoip/ES.iv4
-usr/share/xt_geoip/ET.iv4
-usr/share/xt_geoip/EU.iv4
-usr/share/xt_geoip/FI.iv4
-usr/share/xt_geoip/FJ.iv4
-usr/share/xt_geoip/FK.iv4
-usr/share/xt_geoip/FM.iv4
-usr/share/xt_geoip/FO.iv4
-usr/share/xt_geoip/FR.iv4
-usr/share/xt_geoip/FX.iv4
-usr/share/xt_geoip/GA.iv4
-usr/share/xt_geoip/GB.iv4
-usr/share/xt_geoip/GD.iv4
-usr/share/xt_geoip/GE.iv4
-usr/share/xt_geoip/GF.iv4
-usr/share/xt_geoip/GG.iv4
-usr/share/xt_geoip/GH.iv4
-usr/share/xt_geoip/GI.iv4
-usr/share/xt_geoip/GL.iv4
-usr/share/xt_geoip/GM.iv4
-usr/share/xt_geoip/GN.iv4
-usr/share/xt_geoip/GP.iv4
-usr/share/xt_geoip/GQ.iv4
-usr/share/xt_geoip/GR.iv4
-usr/share/xt_geoip/GS.iv4
-usr/share/xt_geoip/GT.iv4
-usr/share/xt_geoip/GU.iv4
-usr/share/xt_geoip/GW.iv4
-usr/share/xt_geoip/GY.iv4
-usr/share/xt_geoip/HK.iv4
-usr/share/xt_geoip/HM.iv4
-usr/share/xt_geoip/HN.iv4
-usr/share/xt_geoip/HR.iv4
-usr/share/xt_geoip/HT.iv4
-usr/share/xt_geoip/HU.iv4
-usr/share/xt_geoip/ID.iv4
-usr/share/xt_geoip/IE.iv4
-usr/share/xt_geoip/IL.iv4
-usr/share/xt_geoip/IM.iv4
-usr/share/xt_geoip/IN.iv4
-usr/share/xt_geoip/IO.iv4
-usr/share/xt_geoip/IQ.iv4
-usr/share/xt_geoip/IR.iv4
-usr/share/xt_geoip/IS.iv4
-usr/share/xt_geoip/IT.iv4
-usr/share/xt_geoip/JE.iv4
-usr/share/xt_geoip/JM.iv4
-usr/share/xt_geoip/JO.iv4
-usr/share/xt_geoip/JP.iv4
-usr/share/xt_geoip/KE.iv4
-usr/share/xt_geoip/KG.iv4
-usr/share/xt_geoip/KH.iv4
-usr/share/xt_geoip/KI.iv4
-usr/share/xt_geoip/KM.iv4
-usr/share/xt_geoip/KN.iv4
-usr/share/xt_geoip/KP.iv4
-usr/share/xt_geoip/KR.iv4
-usr/share/xt_geoip/KW.iv4
-usr/share/xt_geoip/KY.iv4
-usr/share/xt_geoip/KZ.iv4
-usr/share/xt_geoip/LA.iv4
-usr/share/xt_geoip/LB.iv4
-usr/share/xt_geoip/LC.iv4
-usr/share/xt_geoip/LI.iv4
-usr/share/xt_geoip/LK.iv4
-usr/share/xt_geoip/LR.iv4
-usr/share/xt_geoip/LS.iv4
-usr/share/xt_geoip/LT.iv4
-usr/share/xt_geoip/LU.iv4
-usr/share/xt_geoip/LV.iv4
-usr/share/xt_geoip/LY.iv4
-usr/share/xt_geoip/MA.iv4
-usr/share/xt_geoip/MC.iv4
-usr/share/xt_geoip/MD.iv4
-usr/share/xt_geoip/ME.iv4
-usr/share/xt_geoip/MF.iv4
-usr/share/xt_geoip/MG.iv4
-usr/share/xt_geoip/MH.iv4
-usr/share/xt_geoip/MK.iv4
-usr/share/xt_geoip/ML.iv4
-usr/share/xt_geoip/MM.iv4
-usr/share/xt_geoip/MN.iv4
-usr/share/xt_geoip/MO.iv4
-usr/share/xt_geoip/MP.iv4
-usr/share/xt_geoip/MQ.iv4
-usr/share/xt_geoip/MR.iv4
-usr/share/xt_geoip/MS.iv4
-usr/share/xt_geoip/MT.iv4
-usr/share/xt_geoip/MU.iv4
-usr/share/xt_geoip/MV.iv4
-usr/share/xt_geoip/MW.iv4
-usr/share/xt_geoip/MX.iv4
-usr/share/xt_geoip/MY.iv4
-usr/share/xt_geoip/MZ.iv4
-usr/share/xt_geoip/NA.iv4
-usr/share/xt_geoip/NC.iv4
-usr/share/xt_geoip/NE.iv4
-usr/share/xt_geoip/NF.iv4
-usr/share/xt_geoip/NG.iv4
-usr/share/xt_geoip/NI.iv4
-usr/share/xt_geoip/NL.iv4
-usr/share/xt_geoip/NO.iv4
-usr/share/xt_geoip/NP.iv4
-usr/share/xt_geoip/NR.iv4
-usr/share/xt_geoip/NU.iv4
-usr/share/xt_geoip/NZ.iv4
-usr/share/xt_geoip/OM.iv4
-usr/share/xt_geoip/PA.iv4
-usr/share/xt_geoip/PE.iv4
-usr/share/xt_geoip/PF.iv4
-usr/share/xt_geoip/PG.iv4
-usr/share/xt_geoip/PH.iv4
-usr/share/xt_geoip/PK.iv4
-usr/share/xt_geoip/PL.iv4
-usr/share/xt_geoip/PM.iv4
-usr/share/xt_geoip/PN.iv4
-usr/share/xt_geoip/PR.iv4
-usr/share/xt_geoip/PS.iv4
-usr/share/xt_geoip/PT.iv4
-usr/share/xt_geoip/PW.iv4
-usr/share/xt_geoip/PY.iv4
-usr/share/xt_geoip/QA.iv4
-usr/share/xt_geoip/RE.iv4
-usr/share/xt_geoip/RO.iv4
-usr/share/xt_geoip/RS.iv4
-usr/share/xt_geoip/RU.iv4
-usr/share/xt_geoip/RW.iv4
-usr/share/xt_geoip/SA.iv4
-usr/share/xt_geoip/SB.iv4
-usr/share/xt_geoip/SC.iv4
-usr/share/xt_geoip/SD.iv4
-usr/share/xt_geoip/SE.iv4
-usr/share/xt_geoip/SG.iv4
-usr/share/xt_geoip/SH.iv4
-usr/share/xt_geoip/SI.iv4
-usr/share/xt_geoip/SJ.iv4
-usr/share/xt_geoip/SK.iv4
-usr/share/xt_geoip/SL.iv4
-usr/share/xt_geoip/SM.iv4
-usr/share/xt_geoip/SN.iv4
-usr/share/xt_geoip/SO.iv4
-usr/share/xt_geoip/SR.iv4
-usr/share/xt_geoip/SS.iv4
-usr/share/xt_geoip/ST.iv4
-usr/share/xt_geoip/SV.iv4
-usr/share/xt_geoip/SX.iv4
-usr/share/xt_geoip/SY.iv4
-usr/share/xt_geoip/SZ.iv4
-usr/share/xt_geoip/TC.iv4
-usr/share/xt_geoip/TD.iv4
-usr/share/xt_geoip/TF.iv4
-usr/share/xt_geoip/TG.iv4
-usr/share/xt_geoip/TH.iv4
-usr/share/xt_geoip/TJ.iv4
-usr/share/xt_geoip/TK.iv4
-usr/share/xt_geoip/TL.iv4
-usr/share/xt_geoip/TM.iv4
-usr/share/xt_geoip/TN.iv4
-usr/share/xt_geoip/TO.iv4
-usr/share/xt_geoip/TR.iv4
-usr/share/xt_geoip/TT.iv4
-usr/share/xt_geoip/TV.iv4
-usr/share/xt_geoip/TW.iv4
-usr/share/xt_geoip/TZ.iv4
-usr/share/xt_geoip/UA.iv4
-usr/share/xt_geoip/UG.iv4
-usr/share/xt_geoip/UM.iv4
-usr/share/xt_geoip/US.iv4
-usr/share/xt_geoip/UY.iv4
-usr/share/xt_geoip/UZ.iv4
-usr/share/xt_geoip/VA.iv4
-usr/share/xt_geoip/VC.iv4
-usr/share/xt_geoip/VE.iv4
-usr/share/xt_geoip/VG.iv4
-usr/share/xt_geoip/VI.iv4
-usr/share/xt_geoip/VN.iv4
-usr/share/xt_geoip/VU.iv4
-usr/share/xt_geoip/WF.iv4
-usr/share/xt_geoip/WS.iv4
-usr/share/xt_geoip/XD.iv4
-usr/share/xt_geoip/YE.iv4
-usr/share/xt_geoip/YT.iv4
-usr/share/xt_geoip/ZA.iv4
-usr/share/xt_geoip/ZM.iv4
-usr/share/xt_geoip/ZW.iv4
#var/lib/location
var/lib/location/database.db
+var/lib/location/ipset
+var/lib/location/ipset/A1.ipset4
+var/lib/location/ipset/A2.ipset4
+var/lib/location/ipset/A3.ipset4
+var/lib/location/ipset/AD.ipset4
+var/lib/location/ipset/AE.ipset4
+var/lib/location/ipset/AF.ipset4
+var/lib/location/ipset/AG.ipset4
+var/lib/location/ipset/AI.ipset4
+var/lib/location/ipset/AL.ipset4
+var/lib/location/ipset/AM.ipset4
+var/lib/location/ipset/AN.ipset4
+var/lib/location/ipset/AO.ipset4
+var/lib/location/ipset/AP.ipset4
+var/lib/location/ipset/AQ.ipset4
+var/lib/location/ipset/AR.ipset4
+var/lib/location/ipset/AS.ipset4
+var/lib/location/ipset/AT.ipset4
+var/lib/location/ipset/AU.ipset4
+var/lib/location/ipset/AW.ipset4
+var/lib/location/ipset/AX.ipset4
+var/lib/location/ipset/AZ.ipset4
+var/lib/location/ipset/BA.ipset4
+var/lib/location/ipset/BB.ipset4
+var/lib/location/ipset/BD.ipset4
+var/lib/location/ipset/BE.ipset4
+var/lib/location/ipset/BF.ipset4
+var/lib/location/ipset/BG.ipset4
+var/lib/location/ipset/BH.ipset4
+var/lib/location/ipset/BI.ipset4
+var/lib/location/ipset/BJ.ipset4
+var/lib/location/ipset/BL.ipset4
+var/lib/location/ipset/BM.ipset4
+var/lib/location/ipset/BN.ipset4
+var/lib/location/ipset/BO.ipset4
+var/lib/location/ipset/BQ.ipset4
+var/lib/location/ipset/BR.ipset4
+var/lib/location/ipset/BS.ipset4
+var/lib/location/ipset/BT.ipset4
+var/lib/location/ipset/BV.ipset4
+var/lib/location/ipset/BW.ipset4
+var/lib/location/ipset/BY.ipset4
+var/lib/location/ipset/BZ.ipset4
+var/lib/location/ipset/CA.ipset4
+var/lib/location/ipset/CC.ipset4
+var/lib/location/ipset/CD.ipset4
+var/lib/location/ipset/CF.ipset4
+var/lib/location/ipset/CG.ipset4
+var/lib/location/ipset/CH.ipset4
+var/lib/location/ipset/CI.ipset4
+var/lib/location/ipset/CK.ipset4
+var/lib/location/ipset/CL.ipset4
+var/lib/location/ipset/CM.ipset4
+var/lib/location/ipset/CN.ipset4
+var/lib/location/ipset/CO.ipset4
+var/lib/location/ipset/CR.ipset4
+var/lib/location/ipset/CS.ipset4
+var/lib/location/ipset/CU.ipset4
+var/lib/location/ipset/CV.ipset4
+var/lib/location/ipset/CW.ipset4
+var/lib/location/ipset/CX.ipset4
+var/lib/location/ipset/CY.ipset4
+var/lib/location/ipset/CZ.ipset4
+var/lib/location/ipset/DE.ipset4
+var/lib/location/ipset/DJ.ipset4
+var/lib/location/ipset/DK.ipset4
+var/lib/location/ipset/DM.ipset4
+var/lib/location/ipset/DO.ipset4
+var/lib/location/ipset/DZ.ipset4
+var/lib/location/ipset/EC.ipset4
+var/lib/location/ipset/EE.ipset4
+var/lib/location/ipset/EG.ipset4
+var/lib/location/ipset/EH.ipset4
+var/lib/location/ipset/ER.ipset4
+var/lib/location/ipset/ES.ipset4
+var/lib/location/ipset/ET.ipset4
+var/lib/location/ipset/EU.ipset4
+var/lib/location/ipset/FI.ipset4
+var/lib/location/ipset/FJ.ipset4
+var/lib/location/ipset/FK.ipset4
+var/lib/location/ipset/FM.ipset4
+var/lib/location/ipset/FO.ipset4
+var/lib/location/ipset/FR.ipset4
+var/lib/location/ipset/FX.ipset4
+var/lib/location/ipset/GA.ipset4
+var/lib/location/ipset/GB.ipset4
+var/lib/location/ipset/GD.ipset4
+var/lib/location/ipset/GE.ipset4
+var/lib/location/ipset/GF.ipset4
+var/lib/location/ipset/GG.ipset4
+var/lib/location/ipset/GH.ipset4
+var/lib/location/ipset/GI.ipset4
+var/lib/location/ipset/GL.ipset4
+var/lib/location/ipset/GM.ipset4
+var/lib/location/ipset/GN.ipset4
+var/lib/location/ipset/GP.ipset4
+var/lib/location/ipset/GQ.ipset4
+var/lib/location/ipset/GR.ipset4
+var/lib/location/ipset/GS.ipset4
+var/lib/location/ipset/GT.ipset4
+var/lib/location/ipset/GU.ipset4
+var/lib/location/ipset/GW.ipset4
+var/lib/location/ipset/GY.ipset4
+var/lib/location/ipset/HK.ipset4
+var/lib/location/ipset/HM.ipset4
+var/lib/location/ipset/HN.ipset4
+var/lib/location/ipset/HR.ipset4
+var/lib/location/ipset/HT.ipset4
+var/lib/location/ipset/HU.ipset4
+var/lib/location/ipset/ID.ipset4
+var/lib/location/ipset/IE.ipset4
+var/lib/location/ipset/IL.ipset4
+var/lib/location/ipset/IM.ipset4
+var/lib/location/ipset/IN.ipset4
+var/lib/location/ipset/IO.ipset4
+var/lib/location/ipset/IQ.ipset4
+var/lib/location/ipset/IR.ipset4
+var/lib/location/ipset/IS.ipset4
+var/lib/location/ipset/IT.ipset4
+var/lib/location/ipset/JE.ipset4
+var/lib/location/ipset/JM.ipset4
+var/lib/location/ipset/JO.ipset4
+var/lib/location/ipset/JP.ipset4
+var/lib/location/ipset/KE.ipset4
+var/lib/location/ipset/KG.ipset4
+var/lib/location/ipset/KH.ipset4
+var/lib/location/ipset/KI.ipset4
+var/lib/location/ipset/KM.ipset4
+var/lib/location/ipset/KN.ipset4
+var/lib/location/ipset/KP.ipset4
+var/lib/location/ipset/KR.ipset4
+var/lib/location/ipset/KW.ipset4
+var/lib/location/ipset/KY.ipset4
+var/lib/location/ipset/KZ.ipset4
+var/lib/location/ipset/LA.ipset4
+var/lib/location/ipset/LB.ipset4
+var/lib/location/ipset/LC.ipset4
+var/lib/location/ipset/LI.ipset4
+var/lib/location/ipset/LK.ipset4
+var/lib/location/ipset/LR.ipset4
+var/lib/location/ipset/LS.ipset4
+var/lib/location/ipset/LT.ipset4
+var/lib/location/ipset/LU.ipset4
+var/lib/location/ipset/LV.ipset4
+var/lib/location/ipset/LY.ipset4
+var/lib/location/ipset/MA.ipset4
+var/lib/location/ipset/MC.ipset4
+var/lib/location/ipset/MD.ipset4
+var/lib/location/ipset/ME.ipset4
+var/lib/location/ipset/MF.ipset4
+var/lib/location/ipset/MG.ipset4
+var/lib/location/ipset/MH.ipset4
+var/lib/location/ipset/MK.ipset4
+var/lib/location/ipset/ML.ipset4
+var/lib/location/ipset/MM.ipset4
+var/lib/location/ipset/MN.ipset4
+var/lib/location/ipset/MO.ipset4
+var/lib/location/ipset/MP.ipset4
+var/lib/location/ipset/MQ.ipset4
+var/lib/location/ipset/MR.ipset4
+var/lib/location/ipset/MS.ipset4
+var/lib/location/ipset/MT.ipset4
+var/lib/location/ipset/MU.ipset4
+var/lib/location/ipset/MV.ipset4
+var/lib/location/ipset/MW.ipset4
+var/lib/location/ipset/MX.ipset4
+var/lib/location/ipset/MY.ipset4
+var/lib/location/ipset/MZ.ipset4
+var/lib/location/ipset/NA.ipset4
+var/lib/location/ipset/NC.ipset4
+var/lib/location/ipset/NE.ipset4
+var/lib/location/ipset/NF.ipset4
+var/lib/location/ipset/NG.ipset4
+var/lib/location/ipset/NI.ipset4
+var/lib/location/ipset/NL.ipset4
+var/lib/location/ipset/NO.ipset4
+var/lib/location/ipset/NP.ipset4
+var/lib/location/ipset/NR.ipset4
+var/lib/location/ipset/NU.ipset4
+var/lib/location/ipset/NZ.ipset4
+var/lib/location/ipset/OM.ipset4
+var/lib/location/ipset/PA.ipset4
+var/lib/location/ipset/PE.ipset4
+var/lib/location/ipset/PF.ipset4
+var/lib/location/ipset/PG.ipset4
+var/lib/location/ipset/PH.ipset4
+var/lib/location/ipset/PK.ipset4
+var/lib/location/ipset/PL.ipset4
+var/lib/location/ipset/PM.ipset4
+var/lib/location/ipset/PN.ipset4
+var/lib/location/ipset/PR.ipset4
+var/lib/location/ipset/PS.ipset4
+var/lib/location/ipset/PT.ipset4
+var/lib/location/ipset/PW.ipset4
+var/lib/location/ipset/PY.ipset4
+var/lib/location/ipset/QA.ipset4
+var/lib/location/ipset/RE.ipset4
+var/lib/location/ipset/RO.ipset4
+var/lib/location/ipset/RS.ipset4
+var/lib/location/ipset/RU.ipset4
+var/lib/location/ipset/RW.ipset4
+var/lib/location/ipset/SA.ipset4
+var/lib/location/ipset/SB.ipset4
+var/lib/location/ipset/SC.ipset4
+var/lib/location/ipset/SD.ipset4
+var/lib/location/ipset/SE.ipset4
+var/lib/location/ipset/SG.ipset4
+var/lib/location/ipset/SH.ipset4
+var/lib/location/ipset/SI.ipset4
+var/lib/location/ipset/SJ.ipset4
+var/lib/location/ipset/SK.ipset4
+var/lib/location/ipset/SL.ipset4
+var/lib/location/ipset/SM.ipset4
+var/lib/location/ipset/SN.ipset4
+var/lib/location/ipset/SO.ipset4
+var/lib/location/ipset/SR.ipset4
+var/lib/location/ipset/SS.ipset4
+var/lib/location/ipset/ST.ipset4
+var/lib/location/ipset/SV.ipset4
+var/lib/location/ipset/SX.ipset4
+var/lib/location/ipset/SY.ipset4
+var/lib/location/ipset/SZ.ipset4
+var/lib/location/ipset/TC.ipset4
+var/lib/location/ipset/TD.ipset4
+var/lib/location/ipset/TF.ipset4
+var/lib/location/ipset/TG.ipset4
+var/lib/location/ipset/TH.ipset4
+var/lib/location/ipset/TJ.ipset4
+var/lib/location/ipset/TK.ipset4
+var/lib/location/ipset/TL.ipset4
+var/lib/location/ipset/TM.ipset4
+var/lib/location/ipset/TN.ipset4
+var/lib/location/ipset/TO.ipset4
+var/lib/location/ipset/TR.ipset4
+var/lib/location/ipset/TT.ipset4
+var/lib/location/ipset/TV.ipset4
+var/lib/location/ipset/TW.ipset4
+var/lib/location/ipset/TZ.ipset4
+var/lib/location/ipset/UA.ipset4
+var/lib/location/ipset/UG.ipset4
+var/lib/location/ipset/UM.ipset4
+var/lib/location/ipset/US.ipset4
+var/lib/location/ipset/UY.ipset4
+var/lib/location/ipset/UZ.ipset4
+var/lib/location/ipset/VA.ipset4
+var/lib/location/ipset/VC.ipset4
+var/lib/location/ipset/VE.ipset4
+var/lib/location/ipset/VG.ipset4
+var/lib/location/ipset/VI.ipset4
+var/lib/location/ipset/VN.ipset4
+var/lib/location/ipset/VU.ipset4
+var/lib/location/ipset/WF.ipset4
+var/lib/location/ipset/WS.ipset4
+var/lib/location/ipset/XD.ipset4
+var/lib/location/ipset/YE.ipset4
+var/lib/location/ipset/YT.ipset4
+var/lib/location/ipset/ZA.ipset4
+var/lib/location/ipset/ZM.ipset4
+var/lib/location/ipset/ZW.ipset4
var/lib/location/signing-key.pem
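Review bot: the per-country entries added to config/rootfiles/common/libloc are a snapshot of what `location export` produced at build time, so a later database update that adds or drops a country code leaves the shipped list out of step with what is actually in /var/lib/location/ipset. Since update-location-database (08/12) re-exports the whole directory at runtime anyway, it is worth deciding whether the update mechanism really needs every per-country file listed, or whether packaging the directory entry and relying on the cron export is enough; either way the choice should be stated in the commit message.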
diff --git a/lfs/libloc b/lfs/libloc
index 99f0c30bd..1de135b52 100644
--- a/lfs/libloc
+++ b/lfs/libloc
@@ -93,14 +93,17 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
cd $(DIR_APP) && rm -f /var/lib/location/database.db
cd $(DIR_APP) && xz -d /var/lib/location/database.db.xz
- # Launch location util and export all locations in xt_geoip format.
+ # Create directory for ipset databases.
+ cd $(DIR_APP) && mkdir -pv /var/lib/location/ipset
+
+ # Launch location util and export all locations in ipset compatible format.
cd $(DIR_APP) && /usr/bin/location export \
- --directory=/usr/share/xt_geoip \
+ --directory=/var/lib/location/ipset \
--family=ipv4 \
- --format=xt_geoip
+ --format=ipset
# Remove exported IPv6 zones.
- cd $(DIR_APP) && rm -rvf /usr/share/xt_geoip/*.iv6
+ cd $(DIR_APP) && rm -rvf /var/lib/location/ipset/*.ipset6
@rm -rf $(DIR_APP)
@$(POSTBUILD)
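Review bot: nothing in this hunk removes the previous export directory /usr/share/xt_geoip, so an updated system keeps the stale *.iv4 files next to the new ipset ones; a cleanup step belongs either here or in the update script. Also, the export is restricted with `--family=ipv4`, so the following `rm -rvf /var/lib/location/ipset/*.ipset6` only does anything if `location export` still writes IPv6 files with that option; if it does not, the line is dead code and can go (and `-r` is unnecessary for plain files in any case).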
--
2.30.2
* Re: [PATCH 01/12] location-functions.pl: Rename and set the location for exported databases to "/var/lib/location/ipset/".
2022-02-14 18:42 [PATCH 01/12] location-functions.pl: Rename and set the location for exported databases to "/var/lib/location/ipset/" Stefan Schantl
` (10 preceding siblings ...)
2022-02-14 18:42 ` [PATCH 12/12] libloc: Export DB in ipset compatible format Stefan Schantl
@ 2022-02-14 21:01 ` Peter Müller
11 siblings, 0 replies; 41+ messages in thread
From: Peter Müller @ 2022-02-14 21:01 UTC (permalink / raw)
To: development
Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>
> Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
> ---
> config/cfgroot/location-functions.pl | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/config/cfgroot/location-functions.pl b/config/cfgroot/location-functions.pl
> index 4d44ce24d..f86464933 100644
> --- a/config/cfgroot/location-functions.pl
> +++ b/config/cfgroot/location-functions.pl
> @@ -53,7 +53,7 @@ our $database = "$location_dir/database.db";
> our $keyfile = "$location_dir/signing-key.pem";
>
> # Directory which contains the exported databases.
> -our $xt_geoip_db_directory = "/usr/share/xt_geoip/";
> +our $ipset_db_directory = "$location_dir/ipset";
>
> # Create libloc database handle.
> my $db_handle = &init();
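Review bot: the new value is built from `$location_dir`, which at this point in the series still ends with a slash (02/12 removes it), so this commit on its own yields `/var/lib/location//ipset`; reordering 02 before 01 keeps every intermediate commit clean. The new variable also drops the trailing slash that `/usr/share/xt_geoip/` carried, so any remaining consumer of the old variable that appended a file name without its own separator needs checking.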
* Re: [PATCH 02/12] location-functions.pl: Remove ending backslash from location_dir variable.
2022-02-14 18:42 ` [PATCH 02/12] location-functions.pl: Remove ending backslash from location_dir variable Stefan Schantl
@ 2022-02-14 21:01 ` Peter Müller
0 siblings, 0 replies; 41+ messages in thread
From: Peter Müller @ 2022-02-14 21:01 UTC (permalink / raw)
To: development
Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>
> Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
> ---
> config/cfgroot/location-functions.pl | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/config/cfgroot/location-functions.pl b/config/cfgroot/location-functions.pl
> index f86464933..46e27c04a 100644
> --- a/config/cfgroot/location-functions.pl
> +++ b/config/cfgroot/location-functions.pl
> @@ -44,7 +44,7 @@ my %network_flags = (
> my @special_locations = ( "A1", "A2", "A3", "XD" );
>
> # Directory where the libloc database and keyfile lives.
> -our $location_dir = "/var/lib/location/";
> +our $location_dir = "/var/lib/location";
>
> # Libloc database file.
> our $database = "$location_dir/database.db";
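Review bot: dropping the trailing slash is the right fix for the `"$location_dir/ipset"` concatenation in 01/12, but every other user of `$location_dir` needs a look: the two visible ones (`database.db`, `signing-key.pem`) already insert their own `/`, while any caller that wrote `"${location_dir}foo"` relying on the old trailing slash now produces `/var/lib/locationfoo`.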
* Re: [PATCH 03/12] rules.pl: Move flush of LOCATIONBLOCK into main flush() function.
2022-02-14 18:42 ` [PATCH 03/12] rules.pl: Move flush of LOCATIONBLOCK into main flush() function Stefan Schantl
@ 2022-02-14 21:02 ` Peter Müller
2022-02-15 12:42 ` Michael Tremer
1 sibling, 0 replies; 41+ messages in thread
From: Peter Müller @ 2022-02-14 21:02 UTC (permalink / raw)
To: development
Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>
> It is required to get rid of all ipset based rules before all of
> the loaded ipset lists can be destroyed.
>
> Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
> ---
> config/firewall/rules.pl | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
> index 9d280045a..f685d08a7 100644
> --- a/config/firewall/rules.pl
> +++ b/config/firewall/rules.pl
> @@ -186,6 +186,9 @@ sub flush {
> run("$IPTABLES -t nat -F $CHAIN_NAT_SOURCE");
> run("$IPTABLES -t nat -F $CHAIN_NAT_DESTINATION");
> run("$IPTABLES -t mangle -F $CHAIN_MANGLE_NAT_DESTINATION_FIX");
> +
> + # Flush LOCATIONBLOCK chain.
> + run("$IPTABLES -F LOCATIONBLOCK");
> }
>
> sub buildrules {
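Review bot: flushing LOCATIONBLOCK inside flush() is the prerequisite for the `ipset destroy` added in 04/12, because the kernel refuses to destroy a set that is still referenced by a rule. Two things to confirm: that the LOCATIONBLOCK chain always exists when flush() runs (otherwise `iptables -F LOCATIONBLOCK` errors on every reload), and that LOCATIONBLOCK was the only chain outside flush() that can hold `-m set` rules, since a single remaining reference makes the later destroy fail.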
> @@ -638,8 +641,7 @@ sub p2pblock {
> }
>
> sub locationblock {
> - # Flush iptables chain.
> - run("$IPTABLES -F LOCATIONBLOCK");
> + # The LOCATIONBLOCK chain now gets flushed by the flush() function.
>
> # If location blocking is not enabled, we are finished here.
> if ($locationsettings{'LOCATIONBLOCK_ENABLED'} ne "on") {
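Review bot: with the flush removed from locationblock(), the early return for a disabled LOCATIONBLOCK_ENABLED now depends entirely on main() having called flush() first; the replacement comment should state that ordering dependency rather than only that the flush "now" happens in flush().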
* Re: [PATCH 04/12] rules.pl: Destroy all ipset lists on rule reload.
2022-02-14 18:42 ` [PATCH 04/12] rules.pl: Destroy all ipset lists on rule reload Stefan Schantl
@ 2022-02-14 21:02 ` Peter Müller
2022-02-15 12:41 ` Michael Tremer
1 sibling, 0 replies; 41+ messages in thread
From: Peter Müller @ 2022-02-14 21:02 UTC (permalink / raw)
To: development
Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>
> Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
> ---
> config/firewall/rules.pl | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
> index f685d08a7..da01b8775 100644
> --- a/config/firewall/rules.pl
> +++ b/config/firewall/rules.pl
> @@ -31,6 +31,7 @@ require "${General::swroot}/location-functions.pl";
> my $DEBUG = 0;
>
> my $IPTABLES = "iptables --wait";
> +my $IPSET = "ipset";
>
> # iptables chains
> my $CHAIN_INPUT = "INPUTFW";
> @@ -114,6 +115,9 @@ sub main {
> # Flush all chains.
> &flush();
>
> + # Destroy all existing ipsets.
> + run("$IPSET destroy");
> +
> # Prepare firewall rules.
> if (! -z "${General::swroot}/firewall/input"){
> &buildrules(\%configinputfw);
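Review bot: `ipset destroy` without a set name destroys every set on the host, not only the `CC_*` sets this series creates, so a set maintained by any other component is wiped on each firewall reload; iterating over `ipset list -n` and destroying only names with the `CC_` prefix would be safer. The result of run() is also ignored here: if any set is still referenced by a rule (the flush() dependency introduced in 03/12), the destroy fails silently and the subsequent `ipset restore` calls will run against already-existing sets.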
* Re: [PATCH 05/12] rules.pl: Add tiny ipset_restore function.
2022-02-14 18:42 ` [PATCH 05/12] rules.pl: Add tiny ipset_restore function Stefan Schantl
@ 2022-02-14 21:03 ` Peter Müller
2022-02-15 12:41 ` Michael Tremer
1 sibling, 0 replies; 41+ messages in thread
From: Peter Müller @ 2022-02-14 21:03 UTC (permalink / raw)
To: development
Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>
> This helper function is used to load a previously exported list of
> networks for a given country code into the ipset module, so it can be
> used for any kind of firewall rules.
>
> Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
> ---
> config/firewall/rules.pl | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
> index da01b8775..5b1153b08 100644
> --- a/config/firewall/rules.pl
> +++ b/config/firewall/rules.pl
> @@ -888,3 +888,10 @@ sub firewall_is_in_subnet {
>
> return 0;
> }
> +
> +sub ipset_restore ($) {
> + my ($ccode) = @_;
> +
> + # Run ipset and restore the list of the given country code.
> + run("$IPSET restore < $Location::Functions::ipset_db_directory/$ccode.ipset4");
> +}
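Review bot: `$ccode` is interpolated into a shell redirection (`< .../$ccode.ipset4`), so run() must be going through a shell, and the code ultimately comes from user-editable firewall configuration (`$$hash{$key}[4]` in 07/12). Validate it against the expected two-character format (the visible codes, including the special ones `A1`, `A2`, `A3`, `XD`, all match `/^[A-Z0-9]{2}$/`) before building the command line, or open the file from Perl and hand it to ipset on stdin instead of using a shell redirect. Also, `ipset restore` fails when the set already exists unless `-exist` is passed; either add that flag or make sure the set was destroyed first (04/12).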
* Re: [PATCH 06/12] rules.pl: Move to ipset based data for LOCATIONBLOCK feature.
2022-02-14 18:42 ` [PATCH 06/12] rules.pl: Move to ipset based data for LOCATIONBLOCK feature Stefan Schantl
@ 2022-02-14 21:03 ` Peter Müller
2022-02-15 12:40 ` Michael Tremer
1 sibling, 0 replies; 41+ messages in thread
From: Peter Müller @ 2022-02-14 21:03 UTC (permalink / raw)
To: development
Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>
> Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
> ---
> config/firewall/rules.pl | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
> index 5b1153b08..e009c1838 100644
> --- a/config/firewall/rules.pl
> +++ b/config/firewall/rules.pl
> @@ -671,7 +671,11 @@ sub locationblock {
> # is enabled.
> foreach my $location (@locations) {
> if(exists $locationsettings{$location} && $locationsettings{$location} eq "on") {
> - run("$IPTABLES -A LOCATIONBLOCK -m geoip --src-cc $location -j DROP");
> + # Call function to load the networks list for this country.
> + &ipset_restore($location);
> +
> + # Call iptables and create rule to use the loaded ipset list.
> + run("$IPTABLES -A LOCATIONBLOCK -m set --match-set CC_$location src -j DROP");
> }
> }
> }
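Review bot: the failure mode here is fail-open. If `ipset_restore` does not create `CC_$location` (missing export file, restore error), the following `iptables -A LOCATIONBLOCK -m set --match-set CC_$location src -j DROP` fails because the set does not exist, and since run()'s result is not checked the block for that country is silently absent. For a blocking rule that should at least be logged; better, check that the set exists before appending and fail loudly if it does not. The `CC_<code>` set name is also an implicit contract with what `location export --format=ipset` writes; a comment pointing at that would help the next reader.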
* Re: [PATCH 07/12] rules.pl: Move to ipset based data for location based firewall rules.
2022-02-14 18:42 ` [PATCH 07/12] rules.pl: Move to ipset based data for location based firewall rules Stefan Schantl
@ 2022-02-14 21:05 ` Peter Müller
2022-02-15 12:40 ` Michael Tremer
1 sibling, 0 replies; 41+ messages in thread
From: Peter Müller @ 2022-02-14 21:05 UTC (permalink / raw)
To: development
Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>
> Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
> ---
> config/firewall/firewall-lib.pl | 4 ++--
> config/firewall/rules.pl | 16 ++++++++++++++--
> 2 files changed, 16 insertions(+), 4 deletions(-)
>
> diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl
> index bc0b30ca5..13f0c9971 100644
> --- a/config/firewall/firewall-lib.pl
> +++ b/config/firewall/firewall-lib.pl
> @@ -466,7 +466,7 @@ sub get_address
> # Get external interface.
> my $external_interface = &get_external_interface();
>
> - push(@ret, ["-m geoip --src-cc $value", "$external_interface"]);
> + push(@ret, ["-m set --match-set CC_$value src", "$external_interface"]);
> }
>
> # Handle rule options with a location as target.
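Review bot: the `-m set --match-set CC_$value src` string carries `$value` straight into an iptables argument, while the rules.pl part of this patch re-reads the country code from the rule hash by index rather than parsing it from this string; a mismatch between the two sources would yield a rule whose set was never loaded. A format check on `$value` (two-character country code) at this single point would protect both uses.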
> @@ -476,7 +476,7 @@ sub get_address
> # Get external interface.
> my $external_interface = &get_external_interface();
>
> - push(@ret, ["-m geoip --dst-cc $value", "$external_interface"]);
> + push(@ret, ["-m set --match-set CC_$value dst", "$external_interface"]);
> }
>
> # If nothing was selected, we assume "any".
> diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
> index e009c1838..d533ffb42 100644
> --- a/config/firewall/rules.pl
> +++ b/config/firewall/rules.pl
> @@ -401,7 +401,13 @@ sub buildrules {
> my @source_options = ();
> if ($source =~ /mac/) {
> push(@source_options, $source);
> - } elsif ($source =~ /-m geoip/) {
> + } elsif ($source =~ /-m set/) {
> + # Grab location code from hash.
> + my $loc_src = $$hash{$key}[4];
> +
> + # Call function to load the networks list for this country.
> + &ipset_restore($loc_src);
> +
> push(@source_options, $source);
> } elsif($source) {
> push(@source_options, ("-s", $source));
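Review bot: `$$hash{$key}[4]` hard-codes the array position of the source location code, and `$source =~ /-m set/` is looser than the previous `/-m geoip/`: any future option string containing `-m set` would trigger the ipset load with whatever sits at index 4. Consider having get_address() return the country code alongside the match string so the two stay in sync, and tighten the regex to the exact prefix (`/^-m set --match-set CC_/`).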
> @@ -409,7 +415,13 @@ sub buildrules {
>
> # Prepare destination options.
> my @destination_options = ();
> - if ($destination =~ /-m geoip/) {
> + if ($destination =~ /-m set/) {
> + # Grab location code from hash.
> + my $loc_dst = $$hash{$key}[6];
> +
> + # Call function to load the networks list for this country.
> + &ipset_restore($loc_dst);
> +
> push(@destination_options, $destination);
> } elsif ($destination) {
> push(@destination_options, ("-d", $destination));
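Review bot: this block duplicates the source-side logic above with index 6 instead of 4; a small helper taking the match string and the country code would keep the two copies from drifting apart, which 09/12 then has to patch in three places.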
* Re: [PATCH 08/12] update-location-database: Export database to ipset compatible format now.
2022-02-14 18:42 ` [PATCH 08/12] update-location-database: Export database to ipset compatible format now Stefan Schantl
@ 2022-02-14 21:05 ` Peter Müller
2022-02-15 12:39 ` Michael Tremer
1 sibling, 0 replies; 41+ messages in thread
From: Peter Müller @ 2022-02-14 21:05 UTC (permalink / raw)
To: development
Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>
> Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
> ---
> src/scripts/update-location-database | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/src/scripts/update-location-database b/src/scripts/update-location-database
> index 06b22d101..d41a0a947 100644
> --- a/src/scripts/update-location-database
> +++ b/src/scripts/update-location-database
> @@ -42,8 +42,8 @@ fi
>
> # Get the latest location database from server.
> if /usr/bin/location update --cron=$UPDATE_INTERVAL; then
> - # Call location and export all countries in xt_geoip compatible format.
> - if /usr/bin/location export --directory=/usr/share/xt_geoip --family=ipv4 --format=xt_geoip; then
> + # Call location and export all countries in an ipset compatible format.
> + if /usr/bin/location export --directory=/var/lib/location/ipset --family=ipv4 --format=ipset; then
>
> # Call initscript to reload the firewall.
> /etc/init.d/firewall reload
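Review bot: unlike lfs/libloc (12/12), this script does not create /var/lib/location/ipset before exporting, so on a system upgraded without the directory the export will fail on every cron run unless `location export` creates it itself; a `mkdir -p` before the export is cheap insurance. The old /usr/share/xt_geoip contents are also left in place here. Triggering the reload only on a successful export is correct, but a partially written directory after a failed export is still what the next manual reload would restore from.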
* Re: [PATCH 09/12] rules.pl: Do not try to restore the same ipset multiple times.
2022-02-14 18:42 ` [PATCH 09/12] rules.pl: Do not try to restore the same ipset multiple times Stefan Schantl
@ 2022-02-14 21:05 ` Peter Müller
2022-02-15 12:39 ` Michael Tremer
1 sibling, 0 replies; 41+ messages in thread
From: Peter Müller @ 2022-02-14 21:05 UTC (permalink / raw)
To: development
Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>
> When an ipset list gets restored, this now will be documented in a hash
> and this hash also will be checked before restoring a list if this has
> not been done previously.
>
> This will prevent from restoring the same list multiple times.
>
> Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
> ---
> config/firewall/rules.pl | 31 +++++++++++++++++++++++++------
> 1 file changed, 25 insertions(+), 6 deletions(-)
>
> diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
> index d533ffb42..29990ee67 100644
> --- a/config/firewall/rules.pl
> +++ b/config/firewall/rules.pl
> @@ -70,6 +70,7 @@ my %confignatfw=();
> my %locationsettings = (
> "LOCATIONBLOCK_ENABLED" => "off"
> );
> +my %loaded_ipset_lists=();
>
> my @p2ps=();
>
> @@ -405,8 +406,14 @@ sub buildrules {
> # Grab location code from hash.
> my $loc_src = $$hash{$key}[4];
>
> - # Call function to load the networks list for this country.
> - &ipset_restore($loc_src);
> + # Check if the network list for this country already has been loaded.
> + unless($loaded_ipset_lists{$loc_src}) {
> + # Call function to load the networks list for this country.
> + &ipset_restore($loc_src);
> +
> + # Store to the hash that this list has been loaded.
> + $loaded_ipset_lists{$loc_src} = "1";
> + }
>
> push(@source_options, $source);
> } elsif($source) {
> @@ -419,8 +426,14 @@ sub buildrules {
> # Grab location code from hash.
> my $loc_dst = $$hash{$key}[6];
>
> - # Call function to load the networks list for this country.
> - &ipset_restore($loc_dst);
> + # Check if the network list for this country already has been loaded.
> + unless($loaded_ipset_lists{$loc_dst}) {
> + # Call function to load the networks list for this country.
> + &ipset_restore($loc_dst);
> +
> + # Store to the hash that this list has been loaded.
> + $loaded_ipset_lists{$loc_dst} = "1";
> + }
>
> push(@destination_options, $destination);
> } elsif ($destination) {
> @@ -683,8 +696,14 @@ sub locationblock {
> # is enabled.
> foreach my $location (@locations) {
> if(exists $locationsettings{$location} && $locationsettings{$location} eq "on") {
> - # Call function to load the networks list for this country.
> - &ipset_restore($location);
> + # Check if the network list for this country already has been loaded.
> + unless($loaded_ipset_lists{$location}) {
> + # Call function to load the networks list for this country.
> + &ipset_restore($location);
> +
> + # Store to the hash that this list has been loaded.
> + $loaded_ipset_lists{$location} = "1";
> + }
>
> # Call iptables and create rule to use the loaded ipset list.
> run("$IPTABLES -A LOCATIONBLOCK -m set --match-set CC_$location src -j DROP");
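Review bot: the same `unless($loaded_ipset_lists{...})` block now appears three times; moving the check and the bookkeeping into ipset_restore() itself would give every caller the guard with one copy. A per-process hash is the right scope because main() destroys all sets first (04/12), but note that the entry is set to "1" regardless of whether the restore succeeded (run()'s result is not checked), so a country whose first load failed is recorded as loaded and never retried within that run.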
* Re: [PATCH 10/12] rules.pl: Check if an ipset db file exists before call to restore it.
2022-02-14 18:42 ` [PATCH 10/12] rules.pl: Check if an ipset db file exists before call to restore it Stefan Schantl
@ 2022-02-14 21:06 ` Peter Müller
2022-02-15 12:38 ` Michael Tremer
0 siblings, 1 reply; 41+ messages in thread
From: Peter Müller @ 2022-02-14 21:06 UTC (permalink / raw)
To: development
Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>
> Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
> ---
> config/firewall/rules.pl | 10 ++++++++--
> 1 file changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
> index 29990ee67..162781f7a 100644
> --- a/config/firewall/rules.pl
> +++ b/config/firewall/rules.pl
> @@ -927,6 +927,12 @@ sub firewall_is_in_subnet {
> sub ipset_restore ($) {
> my ($ccode) = @_;
>
> - # Run ipset and restore the list of the given country code.
> - run("$IPSET restore < $Location::Functions::ipset_db_directory/$ccode.ipset4");
> + my $file_prefix = "ipset4";
> + my $db_file = "$Location::Functions::ipset_db_directory/$ccode.$file_prefix";
> +
> + # Check if the generated file exists.
> + if (-f $db_file) {
> + # Run ipset and restore the list of the given country code.
> + run("$IPSET restore < $db_file");
> + }
> }
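Review bot: skipping silently when `$db_file` is absent makes a missing or misnamed export invisible; for the LOCATIONBLOCK use in 06/12 that means the country is simply not blocked. Log (or at least warn when $DEBUG is set) when the file is missing so operators notice. Also, `$file_prefix` holds a file extension, so `$file_suffix` or `$file_ext` would describe it better.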
* Re: [PATCH 12/12] libloc: Export DB in ipset compatible format.
2022-02-14 18:42 ` [PATCH 12/12] libloc: Export DB in ipset compatible format Stefan Schantl
@ 2022-02-14 21:06 ` Peter Müller
2022-02-15 12:37 ` Michael Tremer
0 siblings, 1 reply; 41+ messages in thread
From: Peter Müller @ 2022-02-14 21:06 UTC (permalink / raw)
To: development
Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>
> Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
> ---
> config/rootfiles/common/libloc | 517 +++++++++++++++++----------------
> lfs/libloc | 11 +-
> 2 files changed, 266 insertions(+), 262 deletions(-)
>
> diff --git a/config/rootfiles/common/libloc b/config/rootfiles/common/libloc
> index 43f9efd9e..64ccfef16 100644
> --- a/config/rootfiles/common/libloc
> +++ b/config/rootfiles/common/libloc
> @@ -36,264 +36,265 @@ usr/lib/python3.8/site-packages/location/i18n.py
> usr/lib/python3.8/site-packages/location/logger.py
> #usr/share/locale/de/LC_MESSAGES/libloc.mo
> #usr/share/man/man3/Location.3
> -usr/share/xt_geoip/A1.iv4
> -usr/share/xt_geoip/A2.iv4
> -usr/share/xt_geoip/A3.iv4
> -usr/share/xt_geoip/AD.iv4
> -usr/share/xt_geoip/AE.iv4
> -usr/share/xt_geoip/AF.iv4
> -usr/share/xt_geoip/AG.iv4
> -usr/share/xt_geoip/AI.iv4
> -usr/share/xt_geoip/AL.iv4
> -usr/share/xt_geoip/AM.iv4
> -usr/share/xt_geoip/AN.iv4
> -usr/share/xt_geoip/AO.iv4
> -usr/share/xt_geoip/AP.iv4
> -usr/share/xt_geoip/AQ.iv4
> -usr/share/xt_geoip/AR.iv4
> -usr/share/xt_geoip/AS.iv4
> -usr/share/xt_geoip/AT.iv4
> -usr/share/xt_geoip/AU.iv4
> -usr/share/xt_geoip/AW.iv4
> -usr/share/xt_geoip/AX.iv4
> -usr/share/xt_geoip/AZ.iv4
> -usr/share/xt_geoip/BA.iv4
> -usr/share/xt_geoip/BB.iv4
> -usr/share/xt_geoip/BD.iv4
> -usr/share/xt_geoip/BE.iv4
> -usr/share/xt_geoip/BF.iv4
> -usr/share/xt_geoip/BG.iv4
> -usr/share/xt_geoip/BH.iv4
> -usr/share/xt_geoip/BI.iv4
> -usr/share/xt_geoip/BJ.iv4
> -usr/share/xt_geoip/BL.iv4
> -usr/share/xt_geoip/BM.iv4
> -usr/share/xt_geoip/BN.iv4
> -usr/share/xt_geoip/BO.iv4
> -usr/share/xt_geoip/BQ.iv4
> -usr/share/xt_geoip/BR.iv4
> -usr/share/xt_geoip/BS.iv4
> -usr/share/xt_geoip/BT.iv4
> -usr/share/xt_geoip/BV.iv4
> -usr/share/xt_geoip/BW.iv4
> -usr/share/xt_geoip/BY.iv4
> -usr/share/xt_geoip/BZ.iv4
> -usr/share/xt_geoip/CA.iv4
> -usr/share/xt_geoip/CC.iv4
> -usr/share/xt_geoip/CD.iv4
> -usr/share/xt_geoip/CF.iv4
> -usr/share/xt_geoip/CG.iv4
> -usr/share/xt_geoip/CH.iv4
> -usr/share/xt_geoip/CI.iv4
> -usr/share/xt_geoip/CK.iv4
> -usr/share/xt_geoip/CL.iv4
> -usr/share/xt_geoip/CM.iv4
> -usr/share/xt_geoip/CN.iv4
> -usr/share/xt_geoip/CO.iv4
> -usr/share/xt_geoip/CR.iv4
> -usr/share/xt_geoip/CS.iv4
> -usr/share/xt_geoip/CU.iv4
> -usr/share/xt_geoip/CV.iv4
> -usr/share/xt_geoip/CW.iv4
> -usr/share/xt_geoip/CX.iv4
> -usr/share/xt_geoip/CY.iv4
> -usr/share/xt_geoip/CZ.iv4
> -usr/share/xt_geoip/DE.iv4
> -usr/share/xt_geoip/DJ.iv4
> -usr/share/xt_geoip/DK.iv4
> -usr/share/xt_geoip/DM.iv4
> -usr/share/xt_geoip/DO.iv4
> -usr/share/xt_geoip/DZ.iv4
> -usr/share/xt_geoip/EC.iv4
> -usr/share/xt_geoip/EE.iv4
> -usr/share/xt_geoip/EG.iv4
> -usr/share/xt_geoip/EH.iv4
> -usr/share/xt_geoip/ER.iv4
> -usr/share/xt_geoip/ES.iv4
> -usr/share/xt_geoip/ET.iv4
> -usr/share/xt_geoip/EU.iv4
> -usr/share/xt_geoip/FI.iv4
> -usr/share/xt_geoip/FJ.iv4
> -usr/share/xt_geoip/FK.iv4
> -usr/share/xt_geoip/FM.iv4
> -usr/share/xt_geoip/FO.iv4
> -usr/share/xt_geoip/FR.iv4
> -usr/share/xt_geoip/FX.iv4
> -usr/share/xt_geoip/GA.iv4
> -usr/share/xt_geoip/GB.iv4
> -usr/share/xt_geoip/GD.iv4
> -usr/share/xt_geoip/GE.iv4
> -usr/share/xt_geoip/GF.iv4
> -usr/share/xt_geoip/GG.iv4
> -usr/share/xt_geoip/GH.iv4
> -usr/share/xt_geoip/GI.iv4
> -usr/share/xt_geoip/GL.iv4
> -usr/share/xt_geoip/GM.iv4
> -usr/share/xt_geoip/GN.iv4
> -usr/share/xt_geoip/GP.iv4
> -usr/share/xt_geoip/GQ.iv4
> -usr/share/xt_geoip/GR.iv4
> -usr/share/xt_geoip/GS.iv4
> -usr/share/xt_geoip/GT.iv4
> -usr/share/xt_geoip/GU.iv4
> -usr/share/xt_geoip/GW.iv4
> -usr/share/xt_geoip/GY.iv4
> -usr/share/xt_geoip/HK.iv4
> -usr/share/xt_geoip/HM.iv4
> -usr/share/xt_geoip/HN.iv4
> -usr/share/xt_geoip/HR.iv4
> -usr/share/xt_geoip/HT.iv4
> -usr/share/xt_geoip/HU.iv4
> -usr/share/xt_geoip/ID.iv4
> -usr/share/xt_geoip/IE.iv4
> -usr/share/xt_geoip/IL.iv4
> -usr/share/xt_geoip/IM.iv4
> -usr/share/xt_geoip/IN.iv4
> -usr/share/xt_geoip/IO.iv4
> -usr/share/xt_geoip/IQ.iv4
> -usr/share/xt_geoip/IR.iv4
> -usr/share/xt_geoip/IS.iv4
> -usr/share/xt_geoip/IT.iv4
> -usr/share/xt_geoip/JE.iv4
> -usr/share/xt_geoip/JM.iv4
> -usr/share/xt_geoip/JO.iv4
> -usr/share/xt_geoip/JP.iv4
> -usr/share/xt_geoip/KE.iv4
> -usr/share/xt_geoip/KG.iv4
> -usr/share/xt_geoip/KH.iv4
> -usr/share/xt_geoip/KI.iv4
> -usr/share/xt_geoip/KM.iv4
> -usr/share/xt_geoip/KN.iv4
> -usr/share/xt_geoip/KP.iv4
> -usr/share/xt_geoip/KR.iv4
> -usr/share/xt_geoip/KW.iv4
> -usr/share/xt_geoip/KY.iv4
> -usr/share/xt_geoip/KZ.iv4
> -usr/share/xt_geoip/LA.iv4
> -usr/share/xt_geoip/LB.iv4
> -usr/share/xt_geoip/LC.iv4
> -usr/share/xt_geoip/LI.iv4
> -usr/share/xt_geoip/LK.iv4
> -usr/share/xt_geoip/LR.iv4
> -usr/share/xt_geoip/LS.iv4
> -usr/share/xt_geoip/LT.iv4
> -usr/share/xt_geoip/LU.iv4
> -usr/share/xt_geoip/LV.iv4
> -usr/share/xt_geoip/LY.iv4
> -usr/share/xt_geoip/MA.iv4
> -usr/share/xt_geoip/MC.iv4
> -usr/share/xt_geoip/MD.iv4
> -usr/share/xt_geoip/ME.iv4
> -usr/share/xt_geoip/MF.iv4
> -usr/share/xt_geoip/MG.iv4
> -usr/share/xt_geoip/MH.iv4
> -usr/share/xt_geoip/MK.iv4
> -usr/share/xt_geoip/ML.iv4
> -usr/share/xt_geoip/MM.iv4
> -usr/share/xt_geoip/MN.iv4
> -usr/share/xt_geoip/MO.iv4
> -usr/share/xt_geoip/MP.iv4
> -usr/share/xt_geoip/MQ.iv4
> -usr/share/xt_geoip/MR.iv4
> -usr/share/xt_geoip/MS.iv4
> -usr/share/xt_geoip/MT.iv4
> -usr/share/xt_geoip/MU.iv4
> -usr/share/xt_geoip/MV.iv4
> -usr/share/xt_geoip/MW.iv4
> -usr/share/xt_geoip/MX.iv4
> -usr/share/xt_geoip/MY.iv4
> -usr/share/xt_geoip/MZ.iv4
> -usr/share/xt_geoip/NA.iv4
> -usr/share/xt_geoip/NC.iv4
> -usr/share/xt_geoip/NE.iv4
> -usr/share/xt_geoip/NF.iv4
> -usr/share/xt_geoip/NG.iv4
> -usr/share/xt_geoip/NI.iv4
> -usr/share/xt_geoip/NL.iv4
> -usr/share/xt_geoip/NO.iv4
> -usr/share/xt_geoip/NP.iv4
> -usr/share/xt_geoip/NR.iv4
> -usr/share/xt_geoip/NU.iv4
> -usr/share/xt_geoip/NZ.iv4
> -usr/share/xt_geoip/OM.iv4
> -usr/share/xt_geoip/PA.iv4
> -usr/share/xt_geoip/PE.iv4
> -usr/share/xt_geoip/PF.iv4
> -usr/share/xt_geoip/PG.iv4
> -usr/share/xt_geoip/PH.iv4
> -usr/share/xt_geoip/PK.iv4
> -usr/share/xt_geoip/PL.iv4
> -usr/share/xt_geoip/PM.iv4
> -usr/share/xt_geoip/PN.iv4
> -usr/share/xt_geoip/PR.iv4
> -usr/share/xt_geoip/PS.iv4
> -usr/share/xt_geoip/PT.iv4
> -usr/share/xt_geoip/PW.iv4
> -usr/share/xt_geoip/PY.iv4
> -usr/share/xt_geoip/QA.iv4
> -usr/share/xt_geoip/RE.iv4
> -usr/share/xt_geoip/RO.iv4
> -usr/share/xt_geoip/RS.iv4
> -usr/share/xt_geoip/RU.iv4
> -usr/share/xt_geoip/RW.iv4
> -usr/share/xt_geoip/SA.iv4
> -usr/share/xt_geoip/SB.iv4
> -usr/share/xt_geoip/SC.iv4
> -usr/share/xt_geoip/SD.iv4
> -usr/share/xt_geoip/SE.iv4
> -usr/share/xt_geoip/SG.iv4
> -usr/share/xt_geoip/SH.iv4
> -usr/share/xt_geoip/SI.iv4
> -usr/share/xt_geoip/SJ.iv4
> -usr/share/xt_geoip/SK.iv4
> -usr/share/xt_geoip/SL.iv4
> -usr/share/xt_geoip/SM.iv4
> -usr/share/xt_geoip/SN.iv4
> -usr/share/xt_geoip/SO.iv4
> -usr/share/xt_geoip/SR.iv4
> -usr/share/xt_geoip/SS.iv4
> -usr/share/xt_geoip/ST.iv4
> -usr/share/xt_geoip/SV.iv4
> -usr/share/xt_geoip/SX.iv4
> -usr/share/xt_geoip/SY.iv4
> -usr/share/xt_geoip/SZ.iv4
> -usr/share/xt_geoip/TC.iv4
> -usr/share/xt_geoip/TD.iv4
> -usr/share/xt_geoip/TF.iv4
> -usr/share/xt_geoip/TG.iv4
> -usr/share/xt_geoip/TH.iv4
> -usr/share/xt_geoip/TJ.iv4
> -usr/share/xt_geoip/TK.iv4
> -usr/share/xt_geoip/TL.iv4
> -usr/share/xt_geoip/TM.iv4
> -usr/share/xt_geoip/TN.iv4
> -usr/share/xt_geoip/TO.iv4
> -usr/share/xt_geoip/TR.iv4
> -usr/share/xt_geoip/TT.iv4
> -usr/share/xt_geoip/TV.iv4
> -usr/share/xt_geoip/TW.iv4
> -usr/share/xt_geoip/TZ.iv4
> -usr/share/xt_geoip/UA.iv4
> -usr/share/xt_geoip/UG.iv4
> -usr/share/xt_geoip/UM.iv4
> -usr/share/xt_geoip/US.iv4
> -usr/share/xt_geoip/UY.iv4
> -usr/share/xt_geoip/UZ.iv4
> -usr/share/xt_geoip/VA.iv4
> -usr/share/xt_geoip/VC.iv4
> -usr/share/xt_geoip/VE.iv4
> -usr/share/xt_geoip/VG.iv4
> -usr/share/xt_geoip/VI.iv4
> -usr/share/xt_geoip/VN.iv4
> -usr/share/xt_geoip/VU.iv4
> -usr/share/xt_geoip/WF.iv4
> -usr/share/xt_geoip/WS.iv4
> -usr/share/xt_geoip/XD.iv4
> -usr/share/xt_geoip/YE.iv4
> -usr/share/xt_geoip/YT.iv4
> -usr/share/xt_geoip/ZA.iv4
> -usr/share/xt_geoip/ZM.iv4
> -usr/share/xt_geoip/ZW.iv4
> #var/lib/location
> var/lib/location/database.db
> +var/lib/location/ipset
> +var/lib/location/ipset/A1.ipset4
> +var/lib/location/ipset/A2.ipset4
> +var/lib/location/ipset/A3.ipset4
> +var/lib/location/ipset/AD.ipset4
> +var/lib/location/ipset/AE.ipset4
> +var/lib/location/ipset/AF.ipset4
> +var/lib/location/ipset/AG.ipset4
> +var/lib/location/ipset/AI.ipset4
> +var/lib/location/ipset/AL.ipset4
> +var/lib/location/ipset/AM.ipset4
> +var/lib/location/ipset/AN.ipset4
> +var/lib/location/ipset/AO.ipset4
> +var/lib/location/ipset/AP.ipset4
> +var/lib/location/ipset/AQ.ipset4
> +var/lib/location/ipset/AR.ipset4
> +var/lib/location/ipset/AS.ipset4
> +var/lib/location/ipset/AT.ipset4
> +var/lib/location/ipset/AU.ipset4
> +var/lib/location/ipset/AW.ipset4
> +var/lib/location/ipset/AX.ipset4
> +var/lib/location/ipset/AZ.ipset4
> +var/lib/location/ipset/BA.ipset4
> +var/lib/location/ipset/BB.ipset4
> +var/lib/location/ipset/BD.ipset4
> +var/lib/location/ipset/BE.ipset4
> +var/lib/location/ipset/BF.ipset4
> +var/lib/location/ipset/BG.ipset4
> +var/lib/location/ipset/BH.ipset4
> +var/lib/location/ipset/BI.ipset4
> +var/lib/location/ipset/BJ.ipset4
> +var/lib/location/ipset/BL.ipset4
> +var/lib/location/ipset/BM.ipset4
> +var/lib/location/ipset/BN.ipset4
> +var/lib/location/ipset/BO.ipset4
> +var/lib/location/ipset/BQ.ipset4
> +var/lib/location/ipset/BR.ipset4
> +var/lib/location/ipset/BS.ipset4
> +var/lib/location/ipset/BT.ipset4
> +var/lib/location/ipset/BV.ipset4
> +var/lib/location/ipset/BW.ipset4
> +var/lib/location/ipset/BY.ipset4
> +var/lib/location/ipset/BZ.ipset4
> +var/lib/location/ipset/CA.ipset4
> +var/lib/location/ipset/CC.ipset4
> +var/lib/location/ipset/CD.ipset4
> +var/lib/location/ipset/CF.ipset4
> +var/lib/location/ipset/CG.ipset4
> +var/lib/location/ipset/CH.ipset4
> +var/lib/location/ipset/CI.ipset4
> +var/lib/location/ipset/CK.ipset4
> +var/lib/location/ipset/CL.ipset4
> +var/lib/location/ipset/CM.ipset4
> +var/lib/location/ipset/CN.ipset4
> +var/lib/location/ipset/CO.ipset4
> +var/lib/location/ipset/CR.ipset4
> +var/lib/location/ipset/CS.ipset4
> +var/lib/location/ipset/CU.ipset4
> +var/lib/location/ipset/CV.ipset4
> +var/lib/location/ipset/CW.ipset4
> +var/lib/location/ipset/CX.ipset4
> +var/lib/location/ipset/CY.ipset4
> +var/lib/location/ipset/CZ.ipset4
> +var/lib/location/ipset/DE.ipset4
> +var/lib/location/ipset/DJ.ipset4
> +var/lib/location/ipset/DK.ipset4
> +var/lib/location/ipset/DM.ipset4
> +var/lib/location/ipset/DO.ipset4
> +var/lib/location/ipset/DZ.ipset4
> +var/lib/location/ipset/EC.ipset4
> +var/lib/location/ipset/EE.ipset4
> +var/lib/location/ipset/EG.ipset4
> +var/lib/location/ipset/EH.ipset4
> +var/lib/location/ipset/ER.ipset4
> +var/lib/location/ipset/ES.ipset4
> +var/lib/location/ipset/ET.ipset4
> +var/lib/location/ipset/EU.ipset4
> +var/lib/location/ipset/FI.ipset4
> +var/lib/location/ipset/FJ.ipset4
> +var/lib/location/ipset/FK.ipset4
> +var/lib/location/ipset/FM.ipset4
> +var/lib/location/ipset/FO.ipset4
> +var/lib/location/ipset/FR.ipset4
> +var/lib/location/ipset/FX.ipset4
> +var/lib/location/ipset/GA.ipset4
> +var/lib/location/ipset/GB.ipset4
> +var/lib/location/ipset/GD.ipset4
> +var/lib/location/ipset/GE.ipset4
> +var/lib/location/ipset/GF.ipset4
> +var/lib/location/ipset/GG.ipset4
> +var/lib/location/ipset/GH.ipset4
> +var/lib/location/ipset/GI.ipset4
> +var/lib/location/ipset/GL.ipset4
> +var/lib/location/ipset/GM.ipset4
> +var/lib/location/ipset/GN.ipset4
> +var/lib/location/ipset/GP.ipset4
> +var/lib/location/ipset/GQ.ipset4
> +var/lib/location/ipset/GR.ipset4
> +var/lib/location/ipset/GS.ipset4
> +var/lib/location/ipset/GT.ipset4
> +var/lib/location/ipset/GU.ipset4
> +var/lib/location/ipset/GW.ipset4
> +var/lib/location/ipset/GY.ipset4
> +var/lib/location/ipset/HK.ipset4
> +var/lib/location/ipset/HM.ipset4
> +var/lib/location/ipset/HN.ipset4
> +var/lib/location/ipset/HR.ipset4
> +var/lib/location/ipset/HT.ipset4
> +var/lib/location/ipset/HU.ipset4
> +var/lib/location/ipset/ID.ipset4
> +var/lib/location/ipset/IE.ipset4
> +var/lib/location/ipset/IL.ipset4
> +var/lib/location/ipset/IM.ipset4
> +var/lib/location/ipset/IN.ipset4
> +var/lib/location/ipset/IO.ipset4
> +var/lib/location/ipset/IQ.ipset4
> +var/lib/location/ipset/IR.ipset4
> +var/lib/location/ipset/IS.ipset4
> +var/lib/location/ipset/IT.ipset4
> +var/lib/location/ipset/JE.ipset4
> +var/lib/location/ipset/JM.ipset4
> +var/lib/location/ipset/JO.ipset4
> +var/lib/location/ipset/JP.ipset4
> +var/lib/location/ipset/KE.ipset4
> +var/lib/location/ipset/KG.ipset4
> +var/lib/location/ipset/KH.ipset4
> +var/lib/location/ipset/KI.ipset4
> +var/lib/location/ipset/KM.ipset4
> +var/lib/location/ipset/KN.ipset4
> +var/lib/location/ipset/KP.ipset4
> +var/lib/location/ipset/KR.ipset4
> +var/lib/location/ipset/KW.ipset4
> +var/lib/location/ipset/KY.ipset4
> +var/lib/location/ipset/KZ.ipset4
> +var/lib/location/ipset/LA.ipset4
> +var/lib/location/ipset/LB.ipset4
> +var/lib/location/ipset/LC.ipset4
> +var/lib/location/ipset/LI.ipset4
> +var/lib/location/ipset/LK.ipset4
> +var/lib/location/ipset/LR.ipset4
> +var/lib/location/ipset/LS.ipset4
> +var/lib/location/ipset/LT.ipset4
> +var/lib/location/ipset/LU.ipset4
> +var/lib/location/ipset/LV.ipset4
> +var/lib/location/ipset/LY.ipset4
> +var/lib/location/ipset/MA.ipset4
> +var/lib/location/ipset/MC.ipset4
> +var/lib/location/ipset/MD.ipset4
> +var/lib/location/ipset/ME.ipset4
> +var/lib/location/ipset/MF.ipset4
> +var/lib/location/ipset/MG.ipset4
> +var/lib/location/ipset/MH.ipset4
> +var/lib/location/ipset/MK.ipset4
> +var/lib/location/ipset/ML.ipset4
> +var/lib/location/ipset/MM.ipset4
> +var/lib/location/ipset/MN.ipset4
> +var/lib/location/ipset/MO.ipset4
> +var/lib/location/ipset/MP.ipset4
> +var/lib/location/ipset/MQ.ipset4
> +var/lib/location/ipset/MR.ipset4
> +var/lib/location/ipset/MS.ipset4
> +var/lib/location/ipset/MT.ipset4
> +var/lib/location/ipset/MU.ipset4
> +var/lib/location/ipset/MV.ipset4
> +var/lib/location/ipset/MW.ipset4
> +var/lib/location/ipset/MX.ipset4
> +var/lib/location/ipset/MY.ipset4
> +var/lib/location/ipset/MZ.ipset4
> +var/lib/location/ipset/NA.ipset4
> +var/lib/location/ipset/NC.ipset4
> +var/lib/location/ipset/NE.ipset4
> +var/lib/location/ipset/NF.ipset4
> +var/lib/location/ipset/NG.ipset4
> +var/lib/location/ipset/NI.ipset4
> +var/lib/location/ipset/NL.ipset4
> +var/lib/location/ipset/NO.ipset4
> +var/lib/location/ipset/NP.ipset4
> +var/lib/location/ipset/NR.ipset4
> +var/lib/location/ipset/NU.ipset4
> +var/lib/location/ipset/NZ.ipset4
> +var/lib/location/ipset/OM.ipset4
> +var/lib/location/ipset/PA.ipset4
> +var/lib/location/ipset/PE.ipset4
> +var/lib/location/ipset/PF.ipset4
> +var/lib/location/ipset/PG.ipset4
> +var/lib/location/ipset/PH.ipset4
> +var/lib/location/ipset/PK.ipset4
> +var/lib/location/ipset/PL.ipset4
> +var/lib/location/ipset/PM.ipset4
> +var/lib/location/ipset/PN.ipset4
> +var/lib/location/ipset/PR.ipset4
> +var/lib/location/ipset/PS.ipset4
> +var/lib/location/ipset/PT.ipset4
> +var/lib/location/ipset/PW.ipset4
> +var/lib/location/ipset/PY.ipset4
> +var/lib/location/ipset/QA.ipset4
> +var/lib/location/ipset/RE.ipset4
> +var/lib/location/ipset/RO.ipset4
> +var/lib/location/ipset/RS.ipset4
> +var/lib/location/ipset/RU.ipset4
> +var/lib/location/ipset/RW.ipset4
> +var/lib/location/ipset/SA.ipset4
> +var/lib/location/ipset/SB.ipset4
> +var/lib/location/ipset/SC.ipset4
> +var/lib/location/ipset/SD.ipset4
> +var/lib/location/ipset/SE.ipset4
> +var/lib/location/ipset/SG.ipset4
> +var/lib/location/ipset/SH.ipset4
> +var/lib/location/ipset/SI.ipset4
> +var/lib/location/ipset/SJ.ipset4
> +var/lib/location/ipset/SK.ipset4
> +var/lib/location/ipset/SL.ipset4
> +var/lib/location/ipset/SM.ipset4
> +var/lib/location/ipset/SN.ipset4
> +var/lib/location/ipset/SO.ipset4
> +var/lib/location/ipset/SR.ipset4
> +var/lib/location/ipset/SS.ipset4
> +var/lib/location/ipset/ST.ipset4
> +var/lib/location/ipset/SV.ipset4
> +var/lib/location/ipset/SX.ipset4
> +var/lib/location/ipset/SY.ipset4
> +var/lib/location/ipset/SZ.ipset4
> +var/lib/location/ipset/TC.ipset4
> +var/lib/location/ipset/TD.ipset4
> +var/lib/location/ipset/TF.ipset4
> +var/lib/location/ipset/TG.ipset4
> +var/lib/location/ipset/TH.ipset4
> +var/lib/location/ipset/TJ.ipset4
> +var/lib/location/ipset/TK.ipset4
> +var/lib/location/ipset/TL.ipset4
> +var/lib/location/ipset/TM.ipset4
> +var/lib/location/ipset/TN.ipset4
> +var/lib/location/ipset/TO.ipset4
> +var/lib/location/ipset/TR.ipset4
> +var/lib/location/ipset/TT.ipset4
> +var/lib/location/ipset/TV.ipset4
> +var/lib/location/ipset/TW.ipset4
> +var/lib/location/ipset/TZ.ipset4
> +var/lib/location/ipset/UA.ipset4
> +var/lib/location/ipset/UG.ipset4
> +var/lib/location/ipset/UM.ipset4
> +var/lib/location/ipset/US.ipset4
> +var/lib/location/ipset/UY.ipset4
> +var/lib/location/ipset/UZ.ipset4
> +var/lib/location/ipset/VA.ipset4
> +var/lib/location/ipset/VC.ipset4
> +var/lib/location/ipset/VE.ipset4
> +var/lib/location/ipset/VG.ipset4
> +var/lib/location/ipset/VI.ipset4
> +var/lib/location/ipset/VN.ipset4
> +var/lib/location/ipset/VU.ipset4
> +var/lib/location/ipset/WF.ipset4
> +var/lib/location/ipset/WS.ipset4
> +var/lib/location/ipset/XD.ipset4
> +var/lib/location/ipset/YE.ipset4
> +var/lib/location/ipset/YT.ipset4
> +var/lib/location/ipset/ZA.ipset4
> +var/lib/location/ipset/ZM.ipset4
> +var/lib/location/ipset/ZW.ipset4
> var/lib/location/signing-key.pem
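Review bot: the rootfile now pins the package contents to an explicit list of per-country `.ipset4` files, so this list has to be regenerated whenever the set of country codes the exporter emits changes; a code that appears in a later database build but is missing here (or one listed here that the exporter stops producing) will make the rootfile and the installed tree disagree. Dropping the `usr/share/xt_geoip/*.iv4` entries means the package no longer ships those files, but nothing in this patch removes them from an already installed system, so a cleanup of `/usr/share/xt_geoip` belongs in the accompanying update script to avoid leaving stale `.iv4` data behind. Keeping `#var/lib/location` excluded while adding `+var/lib/location/ipset` and its files uncommented is consistent with the existing `var/lib/location/database.db` entry.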
> diff --git a/lfs/libloc b/lfs/libloc
> index 99f0c30bd..1de135b52 100644
> --- a/lfs/libloc
> +++ b/lfs/libloc
> @@ -93,14 +93,17 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
> cd $(DIR_APP) && rm -f /var/lib/location/database.db
> cd $(DIR_APP) && xz -d /var/lib/location/database.db.xz
>
> - # Launch location util and export all locations in xt_geoip format.
> + # Create directory for ipset databases.
> + cd $(DIR_APP) && mkdir -pv /var/lib/location/ipset
> +
> + # Launch location util and export all locations in ipset compatible format.
> cd $(DIR_APP) && /usr/bin/location export \
> - --directory=/usr/share/xt_geoip \
> + --directory=/var/lib/location/ipset \
> --family=ipv4 \
> - --format=xt_geoip
> + --format=ipset
>
> # Remove exported IPv6 zones.
> - cd $(DIR_APP) && rm -rvf /usr/share/xt_geoip/*.iv6
> + cd $(DIR_APP) && rm -rvf /var/lib/location/ipset/*.ipset6
>
> @rm -rf $(DIR_APP)
> @$(POSTBUILD)
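Review bot: the `rm -rvf /var/lib/location/ipset/*.ipset6` step only does anything if `location export --family=ipv4` still writes IPv6 files; if the exporter honours `--family=ipv4`, the glob matches nothing, the literal pattern is handed to `rm`, and `-f` silently swallows the "no such file" error, so the step is either redundant or is quietly masking an exporter that ignores the family flag. Confirm which case applies and either drop the line or turn it into an explicit check, so that a change in exporter behaviour is noticed at build time rather than hidden. The new `mkdir -pv /var/lib/location/ipset` before the export is correct and matches the `var/lib/location/ipset` directory entry added to the rootfile; the `cd $(DIR_APP) &&` prefix on lines that only use absolute paths is a no-op, kept here for consistency with the surrounding context.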
* Re: [PATCH 11/12] rules.pl: Add workaround to hide a warning about an only once used variable.
2022-02-14 18:42 ` [PATCH 11/12] rules.pl: Add workaround to hide a warning about an only once used variable Stefan Schantl
@ 2022-02-14 21:07 ` Peter Müller
2022-02-15 12:37 ` Michael Tremer
1 sibling, 0 replies; 41+ messages in thread
From: Peter Müller @ 2022-02-14 21:07 UTC (permalink / raw)
To: development
Ugly, but I see why this is necessary.
Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>
> Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
> ---
> config/firewall/rules.pl | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
> index 162781f7a..c0878059a 100644
> --- a/config/firewall/rules.pl
> +++ b/config/firewall/rules.pl
> @@ -109,6 +109,10 @@ my $POLICY_INPUT_ACTION = $fwoptions{"FWPOLICY2"};
> my $POLICY_FORWARD_ACTION = $fwoptions{"FWPOLICY"};
> my $POLICY_OUTPUT_ACTION = $fwoptions{"FWPOLICY1"};
>
> +#workaround to suppress a warning when a variable is used only once
> +my @dummy = ( $Location::Functions::ipset_db_directory );
> +undef (@dummy);
> +
> # MAIN
> &main();
>
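Review bot: the dummy-array trick at `+my @dummy = ( $Location::Functions::ipset_db_directory );` / `+undef (@dummy);` silences Perl's "Name ... used only once: possible typo" warning, but it leaves two dead statements at file scope that say nothing about why they exist. That warning belongs to the `once` category, so the idiomatic fix is to disable just that category where the package variable is referenced, e.g. `no warnings 'once';` inside the block that reads `$Location::Functions::ipset_db_directory`, which keeps the rest of `use warnings` active without dead code. Alternatively, expose the directory through a function in Location::Functions and call that from rules.pl instead of reaching into the package variable directly; then the variable is referenced where it is declared and the warning does not arise at all.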
* Re: [PATCH 11/12] rules.pl: Add workaround to hide a warning about an only once used variable.
2022-02-14 18:42 ` [PATCH 11/12] rules.pl: Add workaround to hide a warning about an only once used variable Stefan Schantl
2022-02-14 21:07 ` Peter Müller
@ 2022-02-15 12:37 ` Michael Tremer
1 sibling, 0 replies; 41+ messages in thread
From: Michael Tremer @ 2022-02-15 12:37 UTC (permalink / raw)
To: development
Is it not possible to disable this kind of warning entirely?
It is a stupid idea.
Does declaring the variable as some sort of constant help?
-Michael
> On 14 Feb 2022, at 18:42, Stefan Schantl <stefan.schantl(a)ipfire.org> wrote:
>
> Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
> ---
> config/firewall/rules.pl | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
> index 162781f7a..c0878059a 100644
> --- a/config/firewall/rules.pl
> +++ b/config/firewall/rules.pl
> @@ -109,6 +109,10 @@ my $POLICY_INPUT_ACTION = $fwoptions{"FWPOLICY2"};
> my $POLICY_FORWARD_ACTION = $fwoptions{"FWPOLICY"};
> my $POLICY_OUTPUT_ACTION = $fwoptions{"FWPOLICY1"};
>
> +#workaround to suppress a warning when a variable is used only once
> +my @dummy = ( $Location::Functions::ipset_db_directory );
> +undef (@dummy);
> +
> # MAIN
> &main();
>
> --
> 2.30.2
>
* Re: [PATCH 12/12] libloc: Export DB in ipset compatible format.
2022-02-14 21:06 ` Peter Müller
@ 2022-02-15 12:37 ` Michael Tremer
0 siblings, 0 replies; 41+ messages in thread
From: Michael Tremer @ 2022-02-15 12:37 UTC (permalink / raw)
To: development
Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>
> On 14 Feb 2022, at 21:06, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>
> Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>
>
>> Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
>> ---
>> config/rootfiles/common/libloc | 517 +++++++++++++++++----------------
>> lfs/libloc | 11 +-
>> 2 files changed, 266 insertions(+), 262 deletions(-)
>>
>> diff --git a/config/rootfiles/common/libloc b/config/rootfiles/common/libloc
>> index 43f9efd9e..64ccfef16 100644
>> --- a/config/rootfiles/common/libloc
>> +++ b/config/rootfiles/common/libloc
>> @@ -36,264 +36,265 @@ usr/lib/python3.8/site-packages/location/i18n.py
>> usr/lib/python3.8/site-packages/location/logger.py
>> #usr/share/locale/de/LC_MESSAGES/libloc.mo
>> #usr/share/man/man3/Location.3
>> -usr/share/xt_geoip/A1.iv4
>> -usr/share/xt_geoip/A2.iv4
>> -usr/share/xt_geoip/A3.iv4
>> -usr/share/xt_geoip/AD.iv4
>> -usr/share/xt_geoip/AE.iv4
>> -usr/share/xt_geoip/AF.iv4
>> -usr/share/xt_geoip/AG.iv4
>> -usr/share/xt_geoip/AI.iv4
>> -usr/share/xt_geoip/AL.iv4
>> -usr/share/xt_geoip/AM.iv4
>> -usr/share/xt_geoip/AN.iv4
>> -usr/share/xt_geoip/AO.iv4
>> -usr/share/xt_geoip/AP.iv4
>> -usr/share/xt_geoip/AQ.iv4
>> -usr/share/xt_geoip/AR.iv4
>> -usr/share/xt_geoip/AS.iv4
>> -usr/share/xt_geoip/AT.iv4
>> -usr/share/xt_geoip/AU.iv4
>> -usr/share/xt_geoip/AW.iv4
>> -usr/share/xt_geoip/AX.iv4
>> -usr/share/xt_geoip/AZ.iv4
>> -usr/share/xt_geoip/BA.iv4
>> -usr/share/xt_geoip/BB.iv4
>> -usr/share/xt_geoip/BD.iv4
>> -usr/share/xt_geoip/BE.iv4
>> -usr/share/xt_geoip/BF.iv4
>> -usr/share/xt_geoip/BG.iv4
>> -usr/share/xt_geoip/BH.iv4
>> -usr/share/xt_geoip/BI.iv4
>> -usr/share/xt_geoip/BJ.iv4
>> -usr/share/xt_geoip/BL.iv4
>> -usr/share/xt_geoip/BM.iv4
>> -usr/share/xt_geoip/BN.iv4
>> -usr/share/xt_geoip/BO.iv4
>> -usr/share/xt_geoip/BQ.iv4
>> -usr/share/xt_geoip/BR.iv4
>> -usr/share/xt_geoip/BS.iv4
>> -usr/share/xt_geoip/BT.iv4
>> -usr/share/xt_geoip/BV.iv4
>> -usr/share/xt_geoip/BW.iv4
>> -usr/share/xt_geoip/BY.iv4
>> -usr/share/xt_geoip/BZ.iv4
>> -usr/share/xt_geoip/CA.iv4
>> -usr/share/xt_geoip/CC.iv4
>> -usr/share/xt_geoip/CD.iv4
>> -usr/share/xt_geoip/CF.iv4
>> -usr/share/xt_geoip/CG.iv4
>> -usr/share/xt_geoip/CH.iv4
>> -usr/share/xt_geoip/CI.iv4
>> -usr/share/xt_geoip/CK.iv4
>> -usr/share/xt_geoip/CL.iv4
>> -usr/share/xt_geoip/CM.iv4
>> -usr/share/xt_geoip/CN.iv4
>> -usr/share/xt_geoip/CO.iv4
>> -usr/share/xt_geoip/CR.iv4
>> -usr/share/xt_geoip/CS.iv4
>> -usr/share/xt_geoip/CU.iv4
>> -usr/share/xt_geoip/CV.iv4
>> -usr/share/xt_geoip/CW.iv4
>> -usr/share/xt_geoip/CX.iv4
>> -usr/share/xt_geoip/CY.iv4
>> -usr/share/xt_geoip/CZ.iv4
>> -usr/share/xt_geoip/DE.iv4
>> -usr/share/xt_geoip/DJ.iv4
>> -usr/share/xt_geoip/DK.iv4
>> -usr/share/xt_geoip/DM.iv4
>> -usr/share/xt_geoip/DO.iv4
>> -usr/share/xt_geoip/DZ.iv4
>> -usr/share/xt_geoip/EC.iv4
>> -usr/share/xt_geoip/EE.iv4
>> -usr/share/xt_geoip/EG.iv4
>> -usr/share/xt_geoip/EH.iv4
>> -usr/share/xt_geoip/ER.iv4
>> -usr/share/xt_geoip/ES.iv4
>> -usr/share/xt_geoip/ET.iv4
>> -usr/share/xt_geoip/EU.iv4
>> -usr/share/xt_geoip/FI.iv4
>> -usr/share/xt_geoip/FJ.iv4
>> -usr/share/xt_geoip/FK.iv4
>> -usr/share/xt_geoip/FM.iv4
>> -usr/share/xt_geoip/FO.iv4
>> -usr/share/xt_geoip/FR.iv4
>> -usr/share/xt_geoip/FX.iv4
>> -usr/share/xt_geoip/GA.iv4
>> -usr/share/xt_geoip/GB.iv4
>> -usr/share/xt_geoip/GD.iv4
>> -usr/share/xt_geoip/GE.iv4
>> -usr/share/xt_geoip/GF.iv4
>> -usr/share/xt_geoip/GG.iv4
>> -usr/share/xt_geoip/GH.iv4
>> -usr/share/xt_geoip/GI.iv4
>> -usr/share/xt_geoip/GL.iv4
>> -usr/share/xt_geoip/GM.iv4
>> -usr/share/xt_geoip/GN.iv4
>> -usr/share/xt_geoip/GP.iv4
>> -usr/share/xt_geoip/GQ.iv4
>> -usr/share/xt_geoip/GR.iv4
>> -usr/share/xt_geoip/GS.iv4
>> -usr/share/xt_geoip/GT.iv4
>> -usr/share/xt_geoip/GU.iv4
>> -usr/share/xt_geoip/GW.iv4
>> -usr/share/xt_geoip/GY.iv4
>> -usr/share/xt_geoip/HK.iv4
>> -usr/share/xt_geoip/HM.iv4
>> -usr/share/xt_geoip/HN.iv4
>> -usr/share/xt_geoip/HR.iv4
>> -usr/share/xt_geoip/HT.iv4
>> -usr/share/xt_geoip/HU.iv4
>> -usr/share/xt_geoip/ID.iv4
>> -usr/share/xt_geoip/IE.iv4
>> -usr/share/xt_geoip/IL.iv4
>> -usr/share/xt_geoip/IM.iv4
>> -usr/share/xt_geoip/IN.iv4
>> -usr/share/xt_geoip/IO.iv4
>> -usr/share/xt_geoip/IQ.iv4
>> -usr/share/xt_geoip/IR.iv4
>> -usr/share/xt_geoip/IS.iv4
>> -usr/share/xt_geoip/IT.iv4
>> -usr/share/xt_geoip/JE.iv4
>> -usr/share/xt_geoip/JM.iv4
>> -usr/share/xt_geoip/JO.iv4
>> -usr/share/xt_geoip/JP.iv4
>> -usr/share/xt_geoip/KE.iv4
>> -usr/share/xt_geoip/KG.iv4
>> -usr/share/xt_geoip/KH.iv4
>> -usr/share/xt_geoip/KI.iv4
>> -usr/share/xt_geoip/KM.iv4
>> -usr/share/xt_geoip/KN.iv4
>> -usr/share/xt_geoip/KP.iv4
>> -usr/share/xt_geoip/KR.iv4
>> -usr/share/xt_geoip/KW.iv4
>> -usr/share/xt_geoip/KY.iv4
>> -usr/share/xt_geoip/KZ.iv4
>> -usr/share/xt_geoip/LA.iv4
>> -usr/share/xt_geoip/LB.iv4
>> -usr/share/xt_geoip/LC.iv4
>> -usr/share/xt_geoip/LI.iv4
>> -usr/share/xt_geoip/LK.iv4
>> -usr/share/xt_geoip/LR.iv4
>> -usr/share/xt_geoip/LS.iv4
>> -usr/share/xt_geoip/LT.iv4
>> -usr/share/xt_geoip/LU.iv4
>> -usr/share/xt_geoip/LV.iv4
>> -usr/share/xt_geoip/LY.iv4
>> -usr/share/xt_geoip/MA.iv4
>> -usr/share/xt_geoip/MC.iv4
>> -usr/share/xt_geoip/MD.iv4
>> -usr/share/xt_geoip/ME.iv4
>> -usr/share/xt_geoip/MF.iv4
>> -usr/share/xt_geoip/MG.iv4
>> -usr/share/xt_geoip/MH.iv4
>> -usr/share/xt_geoip/MK.iv4
>> -usr/share/xt_geoip/ML.iv4
>> -usr/share/xt_geoip/MM.iv4
>> -usr/share/xt_geoip/MN.iv4
>> -usr/share/xt_geoip/MO.iv4
>> -usr/share/xt_geoip/MP.iv4
>> -usr/share/xt_geoip/MQ.iv4
>> -usr/share/xt_geoip/MR.iv4
>> -usr/share/xt_geoip/MS.iv4
>> -usr/share/xt_geoip/MT.iv4
>> -usr/share/xt_geoip/MU.iv4
>> -usr/share/xt_geoip/MV.iv4
>> -usr/share/xt_geoip/MW.iv4
>> -usr/share/xt_geoip/MX.iv4
>> -usr/share/xt_geoip/MY.iv4
>> -usr/share/xt_geoip/MZ.iv4
>> -usr/share/xt_geoip/NA.iv4
>> -usr/share/xt_geoip/NC.iv4
>> -usr/share/xt_geoip/NE.iv4
>> -usr/share/xt_geoip/NF.iv4
>> -usr/share/xt_geoip/NG.iv4
>> -usr/share/xt_geoip/NI.iv4
>> -usr/share/xt_geoip/NL.iv4
>> -usr/share/xt_geoip/NO.iv4
>> -usr/share/xt_geoip/NP.iv4
>> -usr/share/xt_geoip/NR.iv4
>> -usr/share/xt_geoip/NU.iv4
>> -usr/share/xt_geoip/NZ.iv4
>> -usr/share/xt_geoip/OM.iv4
>> -usr/share/xt_geoip/PA.iv4
>> -usr/share/xt_geoip/PE.iv4
>> -usr/share/xt_geoip/PF.iv4
>> -usr/share/xt_geoip/PG.iv4
>> -usr/share/xt_geoip/PH.iv4
>> -usr/share/xt_geoip/PK.iv4
>> -usr/share/xt_geoip/PL.iv4
>> -usr/share/xt_geoip/PM.iv4
>> -usr/share/xt_geoip/PN.iv4
>> -usr/share/xt_geoip/PR.iv4
>> -usr/share/xt_geoip/PS.iv4
>> -usr/share/xt_geoip/PT.iv4
>> -usr/share/xt_geoip/PW.iv4
>> -usr/share/xt_geoip/PY.iv4
>> -usr/share/xt_geoip/QA.iv4
>> -usr/share/xt_geoip/RE.iv4
>> -usr/share/xt_geoip/RO.iv4
>> -usr/share/xt_geoip/RS.iv4
>> -usr/share/xt_geoip/RU.iv4
>> -usr/share/xt_geoip/RW.iv4
>> -usr/share/xt_geoip/SA.iv4
>> -usr/share/xt_geoip/SB.iv4
>> -usr/share/xt_geoip/SC.iv4
>> -usr/share/xt_geoip/SD.iv4
>> -usr/share/xt_geoip/SE.iv4
>> -usr/share/xt_geoip/SG.iv4
>> -usr/share/xt_geoip/SH.iv4
>> -usr/share/xt_geoip/SI.iv4
>> -usr/share/xt_geoip/SJ.iv4
>> -usr/share/xt_geoip/SK.iv4
>> -usr/share/xt_geoip/SL.iv4
>> -usr/share/xt_geoip/SM.iv4
>> -usr/share/xt_geoip/SN.iv4
>> -usr/share/xt_geoip/SO.iv4
>> -usr/share/xt_geoip/SR.iv4
>> -usr/share/xt_geoip/SS.iv4
>> -usr/share/xt_geoip/ST.iv4
>> -usr/share/xt_geoip/SV.iv4
>> -usr/share/xt_geoip/SX.iv4
>> -usr/share/xt_geoip/SY.iv4
>> -usr/share/xt_geoip/SZ.iv4
>> -usr/share/xt_geoip/TC.iv4
>> -usr/share/xt_geoip/TD.iv4
>> -usr/share/xt_geoip/TF.iv4
>> -usr/share/xt_geoip/TG.iv4
>> -usr/share/xt_geoip/TH.iv4
>> -usr/share/xt_geoip/TJ.iv4
>> -usr/share/xt_geoip/TK.iv4
>> -usr/share/xt_geoip/TL.iv4
>> -usr/share/xt_geoip/TM.iv4
>> -usr/share/xt_geoip/TN.iv4
>> -usr/share/xt_geoip/TO.iv4
>> -usr/share/xt_geoip/TR.iv4
>> -usr/share/xt_geoip/TT.iv4
>> -usr/share/xt_geoip/TV.iv4
>> -usr/share/xt_geoip/TW.iv4
>> -usr/share/xt_geoip/TZ.iv4
>> -usr/share/xt_geoip/UA.iv4
>> -usr/share/xt_geoip/UG.iv4
>> -usr/share/xt_geoip/UM.iv4
>> -usr/share/xt_geoip/US.iv4
>> -usr/share/xt_geoip/UY.iv4
>> -usr/share/xt_geoip/UZ.iv4
>> -usr/share/xt_geoip/VA.iv4
>> -usr/share/xt_geoip/VC.iv4
>> -usr/share/xt_geoip/VE.iv4
>> -usr/share/xt_geoip/VG.iv4
>> -usr/share/xt_geoip/VI.iv4
>> -usr/share/xt_geoip/VN.iv4
>> -usr/share/xt_geoip/VU.iv4
>> -usr/share/xt_geoip/WF.iv4
>> -usr/share/xt_geoip/WS.iv4
>> -usr/share/xt_geoip/XD.iv4
>> -usr/share/xt_geoip/YE.iv4
>> -usr/share/xt_geoip/YT.iv4
>> -usr/share/xt_geoip/ZA.iv4
>> -usr/share/xt_geoip/ZM.iv4
>> -usr/share/xt_geoip/ZW.iv4
>> #var/lib/location
>> var/lib/location/database.db
>> +var/lib/location/ipset
>> +var/lib/location/ipset/A1.ipset4
>> +var/lib/location/ipset/A2.ipset4
>> +var/lib/location/ipset/A3.ipset4
>> +var/lib/location/ipset/AD.ipset4
>> +var/lib/location/ipset/AE.ipset4
>> +var/lib/location/ipset/AF.ipset4
>> +var/lib/location/ipset/AG.ipset4
>> +var/lib/location/ipset/AI.ipset4
>> +var/lib/location/ipset/AL.ipset4
>> +var/lib/location/ipset/AM.ipset4
>> +var/lib/location/ipset/AN.ipset4
>> +var/lib/location/ipset/AO.ipset4
>> +var/lib/location/ipset/AP.ipset4
>> +var/lib/location/ipset/AQ.ipset4
>> +var/lib/location/ipset/AR.ipset4
>> +var/lib/location/ipset/AS.ipset4
>> +var/lib/location/ipset/AT.ipset4
>> +var/lib/location/ipset/AU.ipset4
>> +var/lib/location/ipset/AW.ipset4
>> +var/lib/location/ipset/AX.ipset4
>> +var/lib/location/ipset/AZ.ipset4
>> +var/lib/location/ipset/BA.ipset4
>> +var/lib/location/ipset/BB.ipset4
>> +var/lib/location/ipset/BD.ipset4
>> +var/lib/location/ipset/BE.ipset4
>> +var/lib/location/ipset/BF.ipset4
>> +var/lib/location/ipset/BG.ipset4
>> +var/lib/location/ipset/BH.ipset4
>> +var/lib/location/ipset/BI.ipset4
>> +var/lib/location/ipset/BJ.ipset4
>> +var/lib/location/ipset/BL.ipset4
>> +var/lib/location/ipset/BM.ipset4
>> +var/lib/location/ipset/BN.ipset4
>> +var/lib/location/ipset/BO.ipset4
>> +var/lib/location/ipset/BQ.ipset4
>> +var/lib/location/ipset/BR.ipset4
>> +var/lib/location/ipset/BS.ipset4
>> +var/lib/location/ipset/BT.ipset4
>> +var/lib/location/ipset/BV.ipset4
>> +var/lib/location/ipset/BW.ipset4
>> +var/lib/location/ipset/BY.ipset4
>> +var/lib/location/ipset/BZ.ipset4
>> +var/lib/location/ipset/CA.ipset4
>> +var/lib/location/ipset/CC.ipset4
>> +var/lib/location/ipset/CD.ipset4
>> +var/lib/location/ipset/CF.ipset4
>> +var/lib/location/ipset/CG.ipset4
>> +var/lib/location/ipset/CH.ipset4
>> +var/lib/location/ipset/CI.ipset4
>> +var/lib/location/ipset/CK.ipset4
>> +var/lib/location/ipset/CL.ipset4
>> +var/lib/location/ipset/CM.ipset4
>> +var/lib/location/ipset/CN.ipset4
>> +var/lib/location/ipset/CO.ipset4
>> +var/lib/location/ipset/CR.ipset4
>> +var/lib/location/ipset/CS.ipset4
>> +var/lib/location/ipset/CU.ipset4
>> +var/lib/location/ipset/CV.ipset4
>> +var/lib/location/ipset/CW.ipset4
>> +var/lib/location/ipset/CX.ipset4
>> +var/lib/location/ipset/CY.ipset4
>> +var/lib/location/ipset/CZ.ipset4
>> +var/lib/location/ipset/DE.ipset4
>> +var/lib/location/ipset/DJ.ipset4
>> +var/lib/location/ipset/DK.ipset4
>> +var/lib/location/ipset/DM.ipset4
>> +var/lib/location/ipset/DO.ipset4
>> +var/lib/location/ipset/DZ.ipset4
>> +var/lib/location/ipset/EC.ipset4
>> +var/lib/location/ipset/EE.ipset4
>> +var/lib/location/ipset/EG.ipset4
>> +var/lib/location/ipset/EH.ipset4
>> +var/lib/location/ipset/ER.ipset4
>> +var/lib/location/ipset/ES.ipset4
>> +var/lib/location/ipset/ET.ipset4
>> +var/lib/location/ipset/EU.ipset4
>> +var/lib/location/ipset/FI.ipset4
>> +var/lib/location/ipset/FJ.ipset4
>> +var/lib/location/ipset/FK.ipset4
>> +var/lib/location/ipset/FM.ipset4
>> +var/lib/location/ipset/FO.ipset4
>> +var/lib/location/ipset/FR.ipset4
>> +var/lib/location/ipset/FX.ipset4
>> +var/lib/location/ipset/GA.ipset4
>> +var/lib/location/ipset/GB.ipset4
>> +var/lib/location/ipset/GD.ipset4
>> +var/lib/location/ipset/GE.ipset4
>> +var/lib/location/ipset/GF.ipset4
>> +var/lib/location/ipset/GG.ipset4
>> +var/lib/location/ipset/GH.ipset4
>> +var/lib/location/ipset/GI.ipset4
>> +var/lib/location/ipset/GL.ipset4
>> +var/lib/location/ipset/GM.ipset4
>> +var/lib/location/ipset/GN.ipset4
>> +var/lib/location/ipset/GP.ipset4
>> +var/lib/location/ipset/GQ.ipset4
>> +var/lib/location/ipset/GR.ipset4
>> +var/lib/location/ipset/GS.ipset4
>> +var/lib/location/ipset/GT.ipset4
>> +var/lib/location/ipset/GU.ipset4
>> +var/lib/location/ipset/GW.ipset4
>> +var/lib/location/ipset/GY.ipset4
>> +var/lib/location/ipset/HK.ipset4
>> +var/lib/location/ipset/HM.ipset4
>> +var/lib/location/ipset/HN.ipset4
>> +var/lib/location/ipset/HR.ipset4
>> +var/lib/location/ipset/HT.ipset4
>> +var/lib/location/ipset/HU.ipset4
>> +var/lib/location/ipset/ID.ipset4
>> +var/lib/location/ipset/IE.ipset4
>> +var/lib/location/ipset/IL.ipset4
>> +var/lib/location/ipset/IM.ipset4
>> +var/lib/location/ipset/IN.ipset4
>> +var/lib/location/ipset/IO.ipset4
>> +var/lib/location/ipset/IQ.ipset4
>> +var/lib/location/ipset/IR.ipset4
>> +var/lib/location/ipset/IS.ipset4
>> +var/lib/location/ipset/IT.ipset4
>> +var/lib/location/ipset/JE.ipset4
>> +var/lib/location/ipset/JM.ipset4
>> +var/lib/location/ipset/JO.ipset4
>> +var/lib/location/ipset/JP.ipset4
>> +var/lib/location/ipset/KE.ipset4
>> +var/lib/location/ipset/KG.ipset4
>> +var/lib/location/ipset/KH.ipset4
>> +var/lib/location/ipset/KI.ipset4
>> +var/lib/location/ipset/KM.ipset4
>> +var/lib/location/ipset/KN.ipset4
>> +var/lib/location/ipset/KP.ipset4
>> +var/lib/location/ipset/KR.ipset4
>> +var/lib/location/ipset/KW.ipset4
>> +var/lib/location/ipset/KY.ipset4
>> +var/lib/location/ipset/KZ.ipset4
>> +var/lib/location/ipset/LA.ipset4
>> +var/lib/location/ipset/LB.ipset4
>> +var/lib/location/ipset/LC.ipset4
>> +var/lib/location/ipset/LI.ipset4
>> +var/lib/location/ipset/LK.ipset4
>> +var/lib/location/ipset/LR.ipset4
>> +var/lib/location/ipset/LS.ipset4
>> +var/lib/location/ipset/LT.ipset4
>> +var/lib/location/ipset/LU.ipset4
>> +var/lib/location/ipset/LV.ipset4
>> +var/lib/location/ipset/LY.ipset4
>> +var/lib/location/ipset/MA.ipset4
>> +var/lib/location/ipset/MC.ipset4
>> +var/lib/location/ipset/MD.ipset4
>> +var/lib/location/ipset/ME.ipset4
>> +var/lib/location/ipset/MF.ipset4
>> +var/lib/location/ipset/MG.ipset4
>> +var/lib/location/ipset/MH.ipset4
>> +var/lib/location/ipset/MK.ipset4
>> +var/lib/location/ipset/ML.ipset4
>> +var/lib/location/ipset/MM.ipset4
>> +var/lib/location/ipset/MN.ipset4
>> +var/lib/location/ipset/MO.ipset4
>> +var/lib/location/ipset/MP.ipset4
>> +var/lib/location/ipset/MQ.ipset4
>> +var/lib/location/ipset/MR.ipset4
>> +var/lib/location/ipset/MS.ipset4
>> +var/lib/location/ipset/MT.ipset4
>> +var/lib/location/ipset/MU.ipset4
>> +var/lib/location/ipset/MV.ipset4
>> +var/lib/location/ipset/MW.ipset4
>> +var/lib/location/ipset/MX.ipset4
>> +var/lib/location/ipset/MY.ipset4
>> +var/lib/location/ipset/MZ.ipset4
>> +var/lib/location/ipset/NA.ipset4
>> +var/lib/location/ipset/NC.ipset4
>> +var/lib/location/ipset/NE.ipset4
>> +var/lib/location/ipset/NF.ipset4
>> +var/lib/location/ipset/NG.ipset4
>> +var/lib/location/ipset/NI.ipset4
>> +var/lib/location/ipset/NL.ipset4
>> +var/lib/location/ipset/NO.ipset4
>> +var/lib/location/ipset/NP.ipset4
>> +var/lib/location/ipset/NR.ipset4
>> +var/lib/location/ipset/NU.ipset4
>> +var/lib/location/ipset/NZ.ipset4
>> +var/lib/location/ipset/OM.ipset4
>> +var/lib/location/ipset/PA.ipset4
>> +var/lib/location/ipset/PE.ipset4
>> +var/lib/location/ipset/PF.ipset4
>> +var/lib/location/ipset/PG.ipset4
>> +var/lib/location/ipset/PH.ipset4
>> +var/lib/location/ipset/PK.ipset4
>> +var/lib/location/ipset/PL.ipset4
>> +var/lib/location/ipset/PM.ipset4
>> +var/lib/location/ipset/PN.ipset4
>> +var/lib/location/ipset/PR.ipset4
>> +var/lib/location/ipset/PS.ipset4
>> +var/lib/location/ipset/PT.ipset4
>> +var/lib/location/ipset/PW.ipset4
>> +var/lib/location/ipset/PY.ipset4
>> +var/lib/location/ipset/QA.ipset4
>> +var/lib/location/ipset/RE.ipset4
>> +var/lib/location/ipset/RO.ipset4
>> +var/lib/location/ipset/RS.ipset4
>> +var/lib/location/ipset/RU.ipset4
>> +var/lib/location/ipset/RW.ipset4
>> +var/lib/location/ipset/SA.ipset4
>> +var/lib/location/ipset/SB.ipset4
>> +var/lib/location/ipset/SC.ipset4
>> +var/lib/location/ipset/SD.ipset4
>> +var/lib/location/ipset/SE.ipset4
>> +var/lib/location/ipset/SG.ipset4
>> +var/lib/location/ipset/SH.ipset4
>> +var/lib/location/ipset/SI.ipset4
>> +var/lib/location/ipset/SJ.ipset4
>> +var/lib/location/ipset/SK.ipset4
>> +var/lib/location/ipset/SL.ipset4
>> +var/lib/location/ipset/SM.ipset4
>> +var/lib/location/ipset/SN.ipset4
>> +var/lib/location/ipset/SO.ipset4
>> +var/lib/location/ipset/SR.ipset4
>> +var/lib/location/ipset/SS.ipset4
>> +var/lib/location/ipset/ST.ipset4
>> +var/lib/location/ipset/SV.ipset4
>> +var/lib/location/ipset/SX.ipset4
>> +var/lib/location/ipset/SY.ipset4
>> +var/lib/location/ipset/SZ.ipset4
>> +var/lib/location/ipset/TC.ipset4
>> +var/lib/location/ipset/TD.ipset4
>> +var/lib/location/ipset/TF.ipset4
>> +var/lib/location/ipset/TG.ipset4
>> +var/lib/location/ipset/TH.ipset4
>> +var/lib/location/ipset/TJ.ipset4
>> +var/lib/location/ipset/TK.ipset4
>> +var/lib/location/ipset/TL.ipset4
>> +var/lib/location/ipset/TM.ipset4
>> +var/lib/location/ipset/TN.ipset4
>> +var/lib/location/ipset/TO.ipset4
>> +var/lib/location/ipset/TR.ipset4
>> +var/lib/location/ipset/TT.ipset4
>> +var/lib/location/ipset/TV.ipset4
>> +var/lib/location/ipset/TW.ipset4
>> +var/lib/location/ipset/TZ.ipset4
>> +var/lib/location/ipset/UA.ipset4
>> +var/lib/location/ipset/UG.ipset4
>> +var/lib/location/ipset/UM.ipset4
>> +var/lib/location/ipset/US.ipset4
>> +var/lib/location/ipset/UY.ipset4
>> +var/lib/location/ipset/UZ.ipset4
>> +var/lib/location/ipset/VA.ipset4
>> +var/lib/location/ipset/VC.ipset4
>> +var/lib/location/ipset/VE.ipset4
>> +var/lib/location/ipset/VG.ipset4
>> +var/lib/location/ipset/VI.ipset4
>> +var/lib/location/ipset/VN.ipset4
>> +var/lib/location/ipset/VU.ipset4
>> +var/lib/location/ipset/WF.ipset4
>> +var/lib/location/ipset/WS.ipset4
>> +var/lib/location/ipset/XD.ipset4
>> +var/lib/location/ipset/YE.ipset4
>> +var/lib/location/ipset/YT.ipset4
>> +var/lib/location/ipset/ZA.ipset4
>> +var/lib/location/ipset/ZM.ipset4
>> +var/lib/location/ipset/ZW.ipset4
>> var/lib/location/signing-key.pem
>> diff --git a/lfs/libloc b/lfs/libloc
>> index 99f0c30bd..1de135b52 100644
>> --- a/lfs/libloc
>> +++ b/lfs/libloc
>> @@ -93,14 +93,17 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
>> cd $(DIR_APP) && rm -f /var/lib/location/database.db
>> cd $(DIR_APP) && xz -d /var/lib/location/database.db.xz
>>
>> - # Launch location util and export all locations in xt_geoip format.
>> + # Create directory for ipset databases.
>> + cd $(DIR_APP) && mkdir -pv /var/lib/location/ipset
>> +
>> + # Launch location util and export all locations in ipset compatible format.
>> cd $(DIR_APP) && /usr/bin/location export \
>> - --directory=/usr/share/xt_geoip \
>> + --directory=/var/lib/location/ipset \
>> --family=ipv4 \
>> - --format=xt_geoip
>> + --format=ipset
>>
>> # Remove exported IPv6 zones.
>> - cd $(DIR_APP) && rm -rvf /usr/share/xt_geoip/*.iv6
>> + cd $(DIR_APP) && rm -rvf /var/lib/location/ipset/*.ipset6
>>
>> @rm -rf $(DIR_APP)
>> @$(POSTBUILD)
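Review bot: the cleanup line `rm -rvf /var/lib/location/ipset/*.ipset6` at the end of the hunk looks dead, because the export a few lines above is restricted with `--family=ipv4`; if `location export` honours that restriction the line and its "Remove exported IPv6 zones" comment can go, and if it does not, the comment should say why IPv6 files still appear. Note also that `mkdir -pv /var/lib/location/ipset` only runs at build time here, so the runtime updater that re-exports into the same directory relies on it already existing.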
* Re: [PATCH 10/12] rules.pl: Check if an ipset db file exists before call to restore it.
2022-02-14 21:06 ` Peter Müller
@ 2022-02-15 12:38 ` Michael Tremer
From: Michael Tremer @ 2022-02-15 12:38 UTC
To: development
Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>
> On 14 Feb 2022, at 21:06, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>
> Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>
>
>> Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
>> ---
>> config/firewall/rules.pl | 10 ++++++++--
>> 1 file changed, 8 insertions(+), 2 deletions(-)
>>
>> diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
>> index 29990ee67..162781f7a 100644
>> --- a/config/firewall/rules.pl
>> +++ b/config/firewall/rules.pl
>> @@ -927,6 +927,12 @@ sub firewall_is_in_subnet {
>> sub ipset_restore ($) {
>> my ($ccode) = @_;
>>
>> - # Run ipset and restore the list of the given country code.
>> - run("$IPSET restore < $Location::Functions::ipset_db_directory/$ccode.ipset4");
>> + my $file_prefix = "ipset4";
>> + my $db_file = "$Location::Functions::ipset_db_directory/$ccode.$file_prefix";
>> +
>> + # Check if the generated file exists.
>> + if (-f $db_file) {
>> + # Run ipset and restore the list of the given country code.
>> + run("$IPSET restore < $db_file");
>> + }
>> }
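Review bot: the missing-file case is silently ignored: when `-f $db_file` is false, ipset_restore() returns without any message and the caller still emits an iptables rule referencing `CC_$ccode`, which iptables rejects because the set does not exist. Suggest logging the absent path (and returning a status the callers can act on) so a failed export shows up in the firewall log instead of surfacing as an unrelated iptables error. Minor: `$file_prefix` holds a file suffix (`ipset4`), so `$file_suffix` would describe it better.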
* Re: [PATCH 09/12] rules.pl: Do not try to restore the same ipset multiple times.
2022-02-14 18:42 ` [PATCH 09/12] rules.pl: Do not try to restore the same ipset multiple times Stefan Schantl
2022-02-14 21:05 ` Peter Müller
@ 2022-02-15 12:39 ` Michael Tremer
2022-02-17 5:35 ` Stefan Schantl
From: Michael Tremer @ 2022-02-15 12:39 UTC
To: development
Hello,
I would have implemented this differently.
Would it not be better to perform the check in ipset_restore() so that you won’t have to copy the code to everywhere you call ipset_restore?
This solution bloats the code slightly.
-Michael
> On 14 Feb 2022, at 18:42, Stefan Schantl <stefan.schantl(a)ipfire.org> wrote:
>
> When an ipset list gets restored, this is now recorded in a hash,
> and this hash is also checked before restoring a list to make sure
> this has not been done previously.
>
> This prevents restoring the same list multiple times.
>
> Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
> ---
> config/firewall/rules.pl | 31 +++++++++++++++++++++++++------
> 1 file changed, 25 insertions(+), 6 deletions(-)
>
> diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
> index d533ffb42..29990ee67 100644
> --- a/config/firewall/rules.pl
> +++ b/config/firewall/rules.pl
> @@ -70,6 +70,7 @@ my %confignatfw=();
> my %locationsettings = (
> "LOCATIONBLOCK_ENABLED" => "off"
> );
> +my %loaded_ipset_lists=();
>
> my @p2ps=();
>
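Review bot: `%loaded_ipset_lists` is a file-scoped hash that is never cleared, while the sets it tracks are destroyed by `ipset destroy` at the start of main(); that is fine as long as main() runs exactly once per process, but if buildrules() or locationblock() were ever invoked again after a destroy, the hash would claim lists are loaded that no longer exist. A short comment next to the declaration stating that assumption would help.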
> @@ -405,8 +406,14 @@ sub buildrules {
> # Grab location code from hash.
> my $loc_src = $$hash{$key}[4];
>
> - # Call function to load the networks list for this country.
> - &ipset_restore($loc_src);
> + # Check if the network list for this country already has been loaded.
> + unless($loaded_ipset_lists{$loc_src}) {
> + # Call function to load the networks list for this country.
> + &ipset_restore($loc_src);
> +
> + # Store to the hash that this list has been loaded.
> + $loaded_ipset_lists{$loc_src} = "1";
> + }
>
> push(@source_options, $source);
> } elsif($source) {
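Review bot: the check-and-record block here is duplicated verbatim in the two following hunks; moving the `unless($loaded_ipset_lists{...})` guard and the `= "1"` bookkeeping into ipset_restore() itself reduces the three call sites to a single `&ipset_restore($loc_src);` line and removes the risk of a future caller forgetting the guard.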
> @@ -419,8 +426,14 @@ sub buildrules {
> # Grab location code from hash.
> my $loc_dst = $$hash{$key}[6];
>
> - # Call function to load the networks list for this country.
> - &ipset_restore($loc_dst);
> + # Check if the network list for this country already has been loaded.
> + unless($loaded_ipset_lists{$loc_dst}) {
> + # Call function to load the networks list for this country.
> + &ipset_restore($loc_dst);
> +
> + # Store to the hash that this list has been loaded.
> + $loaded_ipset_lists{$loc_dst} = "1";
> + }
>
> push(@destination_options, $destination);
> } elsif ($destination) {
> @@ -683,8 +696,14 @@ sub locationblock {
> # is enabled.
> foreach my $location (@locations) {
> if(exists $locationsettings{$location} && $locationsettings{$location} eq "on") {
> - # Call function to load the networks list for this country.
> - &ipset_restore($location);
> + # Check if the network list for this country already has been loaded.
> + unless($loaded_ipset_lists{$location}) {
> + # Call function to load the networks list for this country.
> + &ipset_restore($location);
> +
> + # Store to the hash that this list has been loaded.
> + $loaded_ipset_lists{$location} = "1";
> + }
>
> # Call iptables and create rule to use the loaded ipset list.
> run("$IPTABLES -A LOCATIONBLOCK -m set --match-set CC_$location src -j DROP");
> --
> 2.30.2
>
* Re: [PATCH 08/12] update-location-database: Export database to ipset compatible format now.
2022-02-14 18:42 ` [PATCH 08/12] update-location-database: Export database to ipset compatible format now Stefan Schantl
2022-02-14 21:05 ` Peter Müller
@ 2022-02-15 12:39 ` Michael Tremer
From: Michael Tremer @ 2022-02-15 12:39 UTC
To: development
Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>
> On 14 Feb 2022, at 18:42, Stefan Schantl <stefan.schantl(a)ipfire.org> wrote:
>
> Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
> ---
> src/scripts/update-location-database | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/src/scripts/update-location-database b/src/scripts/update-location-database
> index 06b22d101..d41a0a947 100644
> --- a/src/scripts/update-location-database
> +++ b/src/scripts/update-location-database
> @@ -42,8 +42,8 @@ fi
>
> # Get the latest location database from server.
> if /usr/bin/location update --cron=$UPDATE_INTERVAL; then
> - # Call location and export all countries in xt_geoip compatible format.
> - if /usr/bin/location export --directory=/usr/share/xt_geoip --family=ipv4 --format=xt_geoip; then
> + # Call location and export all countries in an ipset compatible format.
> + if /usr/bin/location export --directory=/var/lib/location/ipset --family=ipv4 --format=ipset; then
>
> # Call initscript to reload the firewall.
> /etc/init.d/firewall reload
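Review bot: the export writes into `/var/lib/location/ipset` without creating it; in this series the directory is only created at build time (the `mkdir -pv` in lfs/libloc), so on a system where it is missing the export fails and, because the `if` guards the reload, the firewall is never reloaded even though the database was updated. Adding `mkdir -p /var/lib/location/ipset` before the export, or at least logging the failed export in an `else` branch, makes this robust.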
> --
> 2.30.2
>
* Re: [PATCH 07/12] rules.pl: Move to ipset based data for location based firewall rules.
2022-02-14 18:42 ` [PATCH 07/12] rules.pl: Move to ipset based data for location based firewall rules Stefan Schantl
2022-02-14 21:05 ` Peter Müller
@ 2022-02-15 12:40 ` Michael Tremer
From: Michael Tremer @ 2022-02-15 12:40 UTC
To: development
Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>
> On 14 Feb 2022, at 18:42, Stefan Schantl <stefan.schantl(a)ipfire.org> wrote:
>
> Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
> ---
> config/firewall/firewall-lib.pl | 4 ++--
> config/firewall/rules.pl | 16 ++++++++++++++--
> 2 files changed, 16 insertions(+), 4 deletions(-)
>
> diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl
> index bc0b30ca5..13f0c9971 100644
> --- a/config/firewall/firewall-lib.pl
> +++ b/config/firewall/firewall-lib.pl
> @@ -466,7 +466,7 @@ sub get_address
> # Get external interface.
> my $external_interface = &get_external_interface();
>
> - push(@ret, ["-m geoip --src-cc $value", "$external_interface"]);
> + push(@ret, ["-m set --match-set CC_$value src", "$external_interface"]);
> }
>
> # Handle rule options with a location as target.
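Review bot: `$value` is interpolated straight into the iptables argument (`CC_$value`) without being validated as a country code, so both the ipset name and the rule are built from whatever is stored in the rule configuration. A check such as `$value =~ /^[A-Z]{2}$/` before the push would reject a malformed entry early with a clear error instead of an iptables failure; the same applies to the destination hunk below.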
> @@ -476,7 +476,7 @@ sub get_address
> # Get external interface.
> my $external_interface = &get_external_interface();
>
> - push(@ret, ["-m geoip --dst-cc $value", "$external_interface"]);
> + push(@ret, ["-m set --match-set CC_$value dst", "$external_interface"]);
> }
>
> # If nothing was selected, we assume "any".
> diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
> index e009c1838..d533ffb42 100644
> --- a/config/firewall/rules.pl
> +++ b/config/firewall/rules.pl
> @@ -401,7 +401,13 @@ sub buildrules {
> my @source_options = ();
> if ($source =~ /mac/) {
> push(@source_options, $source);
> - } elsif ($source =~ /-m geoip/) {
> + } elsif ($source =~ /-m set/) {
> + # Grab location code from hash.
> + my $loc_src = $$hash{$key}[4];
> +
> + # Call function to load the networks list for this country.
> + &ipset_restore($loc_src);
> +
> push(@source_options, $source);
> } elsif($source) {
> push(@source_options, ("-s", $source));
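Review bot: the dispatch on `$source =~ /-m set/` treats any ipset match as a location rule and then reads `$$hash{$key}[4]` as a country code; other ipset-based features (the IP blocklist patchset mentioned elsewhere in this thread) that also produce `-m set` options would be routed into ipset_restore() with a value that is not a country code. Matching the specific form, for example `/-m set --match-set CC_/`, keeps the branch tied to location sets. The same applies to the destination branch in the next hunk.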
> @@ -409,7 +415,13 @@ sub buildrules {
>
> # Prepare destination options.
> my @destination_options = ();
> - if ($destination =~ /-m geoip/) {
> + if ($destination =~ /-m set/) {
> + # Grab location code from hash.
> + my $loc_dst = $$hash{$key}[6];
> +
> + # Call function to load the networks list for this country.
> + &ipset_restore($loc_dst);
> +
> push(@destination_options, $destination);
> } elsif ($destination) {
> push(@destination_options, ("-d", $destination));
> --
> 2.30.2
>
* Re: [PATCH 06/12] rules.pl: Move to ipset based data for LOCATIONBLOCK feature.
2022-02-14 18:42 ` [PATCH 06/12] rules.pl: Move to ipset based data for LOCATIONBLOCK feature Stefan Schantl
2022-02-14 21:03 ` Peter Müller
@ 2022-02-15 12:40 ` Michael Tremer
From: Michael Tremer @ 2022-02-15 12:40 UTC
To: development
Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>
> On 14 Feb 2022, at 18:42, Stefan Schantl <stefan.schantl(a)ipfire.org> wrote:
>
> Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
> ---
> config/firewall/rules.pl | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
> index 5b1153b08..e009c1838 100644
> --- a/config/firewall/rules.pl
> +++ b/config/firewall/rules.pl
> @@ -671,7 +671,11 @@ sub locationblock {
> # is enabled.
> foreach my $location (@locations) {
> if(exists $locationsettings{$location} && $locationsettings{$location} eq "on") {
> - run("$IPTABLES -A LOCATIONBLOCK -m geoip --src-cc $location -j DROP");
> + # Call function to load the networks list for this country.
> + &ipset_restore($location);
> +
> + # Call iptables and create rule to use the loaded ipset list.
> + run("$IPTABLES -A LOCATIONBLOCK -m set --match-set CC_$location src -j DROP");
> }
> }
> }
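Review bot: the outcome of `&ipset_restore($location)` is not checked, so if the restore fails (missing export file, or the set already exists because a rule in buildrules() restored it earlier in the same run), the `-m set --match-set CC_$location` rule is still appended and iptables errors on it. Checking the restore outcome before emitting the rule, or having ipset_restore() report it, avoids a half-applied LOCATIONBLOCK chain.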
> --
> 2.30.2
>
* Re: [PATCH 05/12] rules.pl: Add tiny ipset_restore function.
2022-02-14 18:42 ` [PATCH 05/12] rules.pl: Add tiny ipset_restore function Stefan Schantl
2022-02-14 21:03 ` Peter Müller
@ 2022-02-15 12:41 ` Michael Tremer
From: Michael Tremer @ 2022-02-15 12:41 UTC
To: development
Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>
> On 14 Feb 2022, at 18:42, Stefan Schantl <stefan.schantl(a)ipfire.org> wrote:
>
> This helper function is used to load a previously exported list of
> networks for a given country code into the ipset module, so it can be
> used for any kind of firewall rules.
>
> Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
> ---
> config/firewall/rules.pl | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
> index da01b8775..5b1153b08 100644
> --- a/config/firewall/rules.pl
> +++ b/config/firewall/rules.pl
> @@ -888,3 +888,10 @@ sub firewall_is_in_subnet {
>
> return 0;
> }
> +
> +sub ipset_restore ($) {
> + my ($ccode) = @_;
> +
> + # Run ipset and restore the list of the given country code.
> + run("$IPSET restore < $Location::Functions::ipset_db_directory/$ccode.ipset4");
> +}
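Review bot: `$ccode` goes unvalidated into a shell command with a redirect (`run("$IPSET restore < .../$ccode.ipset4")`); restricting it to the expected two-letter pattern before building the command keeps a malformed configuration value from turning into an unexpected file path. There is also no check that the export file exists before the restore, so a missing file only shows up as an ipset error on stderr.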
> --
> 2.30.2
>
* Re: [PATCH 04/12] rules.pl: Destroy all ipset lists on rule reload.
2022-02-14 18:42 ` [PATCH 04/12] rules.pl: Destroy all ipset lists on rule reload Stefan Schantl
2022-02-14 21:02 ` Peter Müller
@ 2022-02-15 12:41 ` Michael Tremer
2022-02-15 19:28 ` Tim FitzGeorge
From: Michael Tremer @ 2022-02-15 12:41 UTC
To: development
Hello,
Looking at the other patchset that implements IP blocklists, could this interfere with this in any way?
-Michael
> On 14 Feb 2022, at 18:42, Stefan Schantl <stefan.schantl(a)ipfire.org> wrote:
>
> Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
> ---
> config/firewall/rules.pl | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
> index f685d08a7..da01b8775 100644
> --- a/config/firewall/rules.pl
> +++ b/config/firewall/rules.pl
> @@ -31,6 +31,7 @@ require "${General::swroot}/location-functions.pl";
> my $DEBUG = 0;
>
> my $IPTABLES = "iptables --wait";
> +my $IPSET = "ipset";
>
> # iptables chains
> my $CHAIN_INPUT = "INPUTFW";
> @@ -114,6 +115,9 @@ sub main {
> # Flush all chains.
> &flush();
>
> + # Destroy all existing ipsets.
> + run("$IPSET destroy");
> +
> # Prepare firewall rules.
> if (! -z "${General::swroot}/firewall/input"){
> &buildrules(\%configinputfw);
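Review bot: `ipset destroy` without a set name removes every set on the system, not only the `CC_*` sets this script creates, so sets belonging to another component that happen not to be referenced by a rule at that moment are lost on each firewall reload. Destroying only the sets this script owns (for example the names recorded when they were restored, or `ipset list -n` filtered to the `CC_` prefix) keeps the cleanup within this script's property; that ipset refuses to destroy a referenced set is a safety net, not a substitute for that.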
> --
> 2.30.2
>
* Re: [PATCH 03/12] rules.pl: Move flush of LOCATIONBLOCK into main flush() function.
2022-02-14 18:42 ` [PATCH 03/12] rules.pl: Move flush of LOCATIONBLOCK into main flush() function Stefan Schantl
2022-02-14 21:02 ` Peter Müller
@ 2022-02-15 12:42 ` Michael Tremer
From: Michael Tremer @ 2022-02-15 12:42 UTC
To: development
Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>
> On 14 Feb 2022, at 18:42, Stefan Schantl <stefan.schantl(a)ipfire.org> wrote:
>
> It is required to get rid of all ipset based rules before all of
> the loaded ipset lists can be destroyed.
>
> Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
> ---
> config/firewall/rules.pl | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
> index 9d280045a..f685d08a7 100644
> --- a/config/firewall/rules.pl
> +++ b/config/firewall/rules.pl
> @@ -186,6 +186,9 @@ sub flush {
> run("$IPTABLES -t nat -F $CHAIN_NAT_SOURCE");
> run("$IPTABLES -t nat -F $CHAIN_NAT_DESTINATION");
> run("$IPTABLES -t mangle -F $CHAIN_MANGLE_NAT_DESTINATION_FIX");
> +
> + # Flush LOCATIONBLOCK chain.
> + run("$IPTABLES -F LOCATIONBLOCK");
> }
>
> sub buildrules {
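Review bot: `run("$IPTABLES -F LOCATIONBLOCK")` is now executed unconditionally on every flush and only succeeds if the LOCATIONBLOCK chain already exists; previously (see the second hunk) it ran only inside locationblock(). If the chain can be absent at flush time, create it beforehand or guard the flush so reloads do not print an iptables error.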
> @@ -638,8 +641,7 @@ sub p2pblock {
> }
>
> sub locationblock {
> - # Flush iptables chain.
> - run("$IPTABLES -F LOCATIONBLOCK");
> + # The LOCATIONBLOCK chain now gets flushed by the flush() function.
>
> # If location blocking is not enabled, we are finished here.
> if ($locationsettings{'LOCATIONBLOCK_ENABLED'} ne "on") {
> --
> 2.30.2
>
* Re: [PATCH 04/12] rules.pl: Destroy all ipset lists on rule reload.
2022-02-15 12:41 ` Michael Tremer
@ 2022-02-15 19:28 ` Tim FitzGeorge
2022-02-16 10:45 ` Michael Tremer
From: Tim FitzGeorge @ 2022-02-15 19:28 UTC
To: development
Hello,
I'm concerned about this as well. Depending on when it does the ipset destroy it may be OK (for example as part of shutting down the system or prior to rebuilding the firewall from scratch, as in these cases it either won't matter or the OP blocklist ipsets will be reloaded), but in general I would consider it a bad idea to delete all the ipsets whether or not you 'own' them - each 'package' should only touch its own 'property', while this just deletes all the ipsets regardless.
Having said that, I think it will probably be alright as according to the documentation ipset destroy won't delete lists which have references to them, and the IP blocklist ipsets should always have references.
Tim
On 15/02/2022 12:41, Michael Tremer wrote:
> Hello,
>
> Looking at the other patchset that implements IP blocklists, could this interfere with this in any way?
>
> -Michael
>
>> On 14 Feb 2022, at 18:42, Stefan Schantl <stefan.schantl(a)ipfire.org> wrote:
>>
>> Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
>> ---
>> config/firewall/rules.pl | 4 ++++
>> 1 file changed, 4 insertions(+)
>>
>> diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
>> index f685d08a7..da01b8775 100644
>> --- a/config/firewall/rules.pl
>> +++ b/config/firewall/rules.pl
>> @@ -31,6 +31,7 @@ require "${General::swroot}/location-functions.pl";
>> my $DEBUG = 0;
>>
>> my $IPTABLES = "iptables --wait";
>> +my $IPSET = "ipset";
>>
>> # iptables chains
>> my $CHAIN_INPUT = "INPUTFW";
>> @@ -114,6 +115,9 @@ sub main {
>> # Flush all chains.
>> &flush();
>>
>> + # Destroy all existing ipsets.
>> + run("$IPSET destroy");
>> +
>> # Prepare firewall rules.
>> if (! -z "${General::swroot}/firewall/input"){
>> &buildrules(\%configinputfw);
>> --
>> 2.30.2
>>
>
* Re: [PATCH 04/12] rules.pl: Destroy all ipset lists on rule reload.
2022-02-15 19:28 ` Tim FitzGeorge
@ 2022-02-16 10:45 ` Michael Tremer
2022-02-17 4:56 ` Stefan Schantl
From: Michael Tremer @ 2022-02-16 10:45 UTC
To: development
Hello Tim,
> On 15 Feb 2022, at 19:28, Tim FitzGeorge <ipfr(a)tfitzgeorge.me.uk> wrote:
>
> Hello,
>
> I'm concerned about this as well. Depending on when it does the ipset destroy it may be OK (for example as part of shutting down the system or prior to rebuilding the firewall from scratch, as in these cases it either won't matter or the OP blocklist ipsets will be reloaded), but in general I would consider it a bad idea to delete all the ipsets whether or not you 'own' them - each 'package' should only touch its own 'property', while this just deletes all the ipsets regardless.
This is quite hard to implement though. We could in theory iterate over all possible country codes and try to delete all sets, but that seems to be a very slow and not elegant solution to the problem.
> Having said that, I think it will probably be alright as according to the documentation ipset destroy won't delete lists which have references to them, and the IP blocklist ipsets should always have references.
This is good for us though. If we can consider the “destroy” command to be more of a cleanup and it is safe to call it, then we should not run into any trouble here.
@Stefan: Can you confirm that any sets that are still referenced elsewhere won’t be destroyed and that there is no ugly output that could alarm anyone?
-Michael
>
> Tim
>
> On 15/02/2022 12:41, Michael Tremer wrote:
>> Hello,
>>
>> Looking at the other patchset that implements IP blocklists, could this interfere with this in any way?
>>
>> -Michael
>>
>>> On 14 Feb 2022, at 18:42, Stefan Schantl <stefan.schantl(a)ipfire.org> wrote:
>>>
>>> Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
>>> ---
>>> config/firewall/rules.pl | 4 ++++
>>> 1 file changed, 4 insertions(+)
>>>
>>> diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
>>> index f685d08a7..da01b8775 100644
>>> --- a/config/firewall/rules.pl
>>> +++ b/config/firewall/rules.pl
>>> @@ -31,6 +31,7 @@ require "${General::swroot}/location-functions.pl";
>>> my $DEBUG = 0;
>>>
>>> my $IPTABLES = "iptables --wait";
>>> +my $IPSET = "ipset";
>>>
>>> # iptables chains
>>> my $CHAIN_INPUT = "INPUTFW";
>>> @@ -114,6 +115,9 @@ sub main {
>>> # Flush all chains.
>>> &flush();
>>>
>>> + # Destroy all existing ipsets.
>>> + run("$IPSET destroy");
>>> +
>>> # Prepare firewall rules.
>>> if (! -z "${General::swroot}/firewall/input"){
>>> &buildrules(\%configinputfw);
>>> --
>>> 2.30.2
>>>
>>
>
* Re: [PATCH 04/12] rules.pl: Destroy all ipset lists on rule reload.
2022-02-16 10:45 ` Michael Tremer
@ 2022-02-17 4:56 ` Stefan Schantl
2022-02-27 14:28 ` Stefan Schantl
From: Stefan Schantl @ 2022-02-17 4:56 UTC
To: development
Hello Michael, Hello Tim,
thanks for your feedback and discussion.
> Hello Tim,
>
> > On 15 Feb 2022, at 19:28, Tim FitzGeorge <ipfr(a)tfitzgeorge.me.uk>
> > wrote:
> >
> > Hello,
> >
> > I'm concerned about this as well. Depending on when it does the
> > ipset destroy it may be OK (for example as part of shutting down
> > the system or prior to rebuilding the firewall from scratch, as in
> > these cases it either won't matter or the OP blocklist ipsets will
> > be reloaded), but in general I would consider it a bad idea to
> > delete all the ipsets whether or not you 'own' them - each
> > 'package' should only touch its own 'property', while this just
> > deletes all the ipsets regardless.
>
> This is quite hard to implement though. We could in theory iterate
> over all possible country codes and try to delete all sets, but that
> seems to be a very slow and not elegant solution to the problem.
>
> > Having said that, I think it will probably be alright as according
> > to the documentation ipset destroy won't delete lists which have
> > references to them, and the IP blocklist ipsets should always have
> > references.
>
> This is good for us though. If we can consider the “destroy” command
> to be more of a cleanup and it is safe to call it, then we should not
> run into any trouble here.
>
> @Stefan: Can you confirm that any sets that are still referenced
> elsewhere won’t be destroyed and that there is no ugly output that
> could alarm anyone?
I have not had a look at Tim's code at the moment, nor done any testing of
his feature, so I'm unable to say yes or no to either of your questions.
I'll dig into this at the weekend and phone back what I got.
-Stefan
>
> -Michael
>
> >
> > Tim
> >
> > On 15/02/2022 12:41, Michael Tremer wrote:
> > > Hello,
> > >
> > > Looking at the other patchset that implements IP blocklists,
> > > could this interfere with this in any way?
> > >
> > > -Michael
> > >
> > > > On 14 Feb 2022, at 18:42, Stefan Schantl <
> > > > stefan.schantl(a)ipfire.org> wrote:
> > > >
> > > > Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
> > > > ---
> > > > config/firewall/rules.pl | 4 ++++
> > > > 1 file changed, 4 insertions(+)
> > > >
> > > > diff --git a/config/firewall/rules.pl
> > > > b/config/firewall/rules.pl
> > > > index f685d08a7..da01b8775 100644
> > > > --- a/config/firewall/rules.pl
> > > > +++ b/config/firewall/rules.pl
> > > > @@ -31,6 +31,7 @@ require "${General::swroot}/location-
> > > > functions.pl";
> > > > my $DEBUG = 0;
> > > >
> > > > my $IPTABLES = "iptables --wait";
> > > > +my $IPSET = "ipset";
> > > >
> > > > # iptables chains
> > > > my $CHAIN_INPUT = "INPUTFW";
> > > > @@ -114,6 +115,9 @@ sub main {
> > > > # Flush all chains.
> > > > &flush();
> > > >
> > > > + # Destroy all existing ipsets.
> > > > + run("$IPSET destroy");
> > > > +
> > > > # Prepare firewall rules.
> > > > if (! -z "${General::swroot}/firewall/input"){
> > > > &buildrules(\%configinputfw);
> > > > --
> > > > 2.30.2
> > > >
> > >
> >
>
* Re: [PATCH 09/12] rules.pl: Do not try to restore the same ipset multiple times.
2022-02-15 12:39 ` Michael Tremer
@ 2022-02-17 5:35 ` Stefan Schantl
2022-02-17 5:40 ` [PATCH] rules.pl: Adjust check against loading the same lists " Stefan Schantl
From: Stefan Schantl @ 2022-02-17 5:35 UTC
To: development
Hello Michael,
thanks for reviewing and your feedback.
You are absolutely right, it would give us much cleaner code when
moving this kind of check into the ipset_restore() function.
I'll send a patch for this.
Best regards,
-Stefan
> Hello,
>
> I would have implemented this differently.
>
> Would it not be better to perform the check in ipset_restore() so
> that you won’t have to copy the code to everywhere you call
> ipset_restore?
>
> This solution bloats the code slightly.
>
> -Michael
>
> > On 14 Feb 2022, at 18:42, Stefan Schantl
> > <stefan.schantl(a)ipfire.org> wrote:
> >
> > When an ipset list gets restored, this is now recorded in a hash,
> > and this hash is also checked before restoring a list to make sure
> > this has not been done previously.
> >
> > This prevents restoring the same list multiple times.
> >
> > Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
> > ---
> > config/firewall/rules.pl | 31 +++++++++++++++++++++++++------
> > 1 file changed, 25 insertions(+), 6 deletions(-)
> >
> > diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
> > index d533ffb42..29990ee67 100644
> > --- a/config/firewall/rules.pl
> > +++ b/config/firewall/rules.pl
> > @@ -70,6 +70,7 @@ my %confignatfw=();
> > my %locationsettings = (
> > "LOCATIONBLOCK_ENABLED" => "off"
> > );
> > +my %loaded_ipset_lists=();
> >
> > my @p2ps=();
> >
> > @@ -405,8 +406,14 @@ sub buildrules {
> > # Grab location
> > code from hash.
> > my $loc_src =
> > $$hash{$key}[4];
> >
> > - # Call function to
> > load the networks list for this country.
> > -
> > &ipset_restore($loc_s
> > rc);
> > + # Check if the
> > network list for this country already has been loaded.
> > + unless($loaded_ipse
> > t_lists{$loc_src}) {
> > + # Call
> > function to load the networks list for this country.
> > + &ipset_rest
> > ore($loc_src);
> > +
> > + # Store to
> > the hash that this list has been loaded.
> > + $loaded_ips
> > et_lists{$loc_src} = "1";
> > + }
> >
> > push(@source_option
> > s, $source);
> > } elsif($source) {
> > @@ -419,8 +426,14 @@ sub buildrules {
> > # Grab location
> > code from hash.
> > my $loc_dst =
> > $$hash{$key}[6];
> >
> > - # Call function to
> > load the networks list for this country.
> > -
> > &ipset_restore($loc_d
> > st);
> > + # Check if the
> > network list for this country already has been loaded.
> > + unless($loaded_ipse
> > t_lists{$loc_dst}) {
> > + # Call
> > function to load the networks list for this country.
> > + &ipset_rest
> > ore($loc_dst);
> > +
> > + # Store to
> > the hash that this list has been loaded.
> > + $loaded_ips
> > et_lists{$loc_dst} = "1";
> > + }
> >
> > push(@destination_o
> > ptions, $destination);
> > } elsif ($destination) {
> > @@ -683,8 +696,14 @@ sub locationblock {
> > # is enabled.
> > foreach my $location (@locations) {
> > if(exists $locationsettings{$location} &&
> > $locationsettings{$location} eq "on") {
> > - # Call function to load the networks list
> > for this country.
> > - &ipset_restore($location);
> > + # Check if the network list for this
> > country already has been loaded.
> > + unless($loaded_ipset_lists{$location}) {
> > + # Call function to load the
> > networks list for this country.
> > + &ipset_restore($location);
> > +
> > + # Store to the hash that this list
> > has been loaded.
> > + $loaded_ipset_lists{$location} =
> > "1";
> > + }
> >
> > # Call iptables and create rule to use the
> > loaded ipset list.
> > run("$IPTABLES -A LOCATIONBLOCK -m set --
> > match-set CC_$location src -j DROP");
> > --
> > 2.30.2
> >
>
* [PATCH] rules.pl: Adjust check against loading the same lists multiple times.
2022-02-17 5:35 ` Stefan Schantl
@ 2022-02-17 5:40 ` Stefan Schantl
2022-02-17 19:25 ` Peter Müller
From: Stefan Schantl @ 2022-02-17 5:40 UTC
To: development
This check has now been moved to the ipset_restore() function, which
will help to keep the code clean and maintainable.
Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
---
config/firewall/rules.pl | 43 ++++++++++++++++------------------------
1 file changed, 17 insertions(+), 26 deletions(-)
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index 25d01e0e3..927c1f2ba 100644
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -404,14 +404,8 @@ sub buildrules {
# Grab location code from hash.
my $loc_src = $$hash{$key}[4];
- # Check if the network list for this country already has been loaded.
- unless($loaded_ipset_lists{$loc_src}) {
- # Call function to load the networks list for this country.
- &ipset_restore($loc_src);
-
- # Store to the hash that this list has been loaded.
- $loaded_ipset_lists{$loc_src} = "1";
- }
+ # Call function to load the networks list for this country.
+ &ipset_restore($loc_src);
push(@source_options, $source);
} elsif($source) {
@@ -424,14 +418,8 @@ sub buildrules {
# Grab location code from hash.
my $loc_dst = $$hash{$key}[6];
- # Check if the network list for this country already has been loaded.
- unless($loaded_ipset_lists{$loc_dst}) {
- # Call function to load the networks list for this country.
- &ipset_restore($loc_dst);
-
- # Store to the hash that this list has been loaded.
- $loaded_ipset_lists{$loc_dst} = "1";
- }
+ # Call function to load the networks list for this country.
+ &ipset_restore($loc_dst);
push(@destination_options, $destination);
} elsif ($destination) {
@@ -677,14 +665,8 @@ sub locationblock {
# is enabled.
foreach my $location (@locations) {
if(exists $locationsettings{$location} && $locationsettings{$location} eq "on") {
- # Check if the network list for this country already has been loaded.
- unless($loaded_ipset_lists{$location}) {
- # Call function to load the networks list for this country.
- &ipset_restore($location);
-
- # Store to the hash that this list has been loaded.
- $loaded_ipset_lists{$location} = "1";
- }
+ # Call function to load the networks list for this country.
+ &ipset_restore($location);
# Call iptables and create rule to use the loaded ipset list.
run("$IPTABLES -A LOCATIONBLOCK -m set --match-set CC_$location src -j DROP");
@@ -906,14 +888,23 @@ sub firewall_is_in_subnet {
}
sub ipset_restore ($) {
- my ($ccode) = @_;
+ my ($list) = @_;
my $file_prefix = "ipset4";
- my $db_file = "$Location::Functions::ipset_db_directory/$ccode.$file_prefix";
+ my $db_file = "$Location::Functions::ipset_db_directory/$list.$file_prefix";
+
+ # Check if the network list already has been loaded.
+ if($loaded_ipset_lists{$list}) {
+ # It already has been loaded - so there is nothing to do.
+ return;
+ }
# Check if the generated file exists.
if (-f $db_file) {
# Run ipset and restore the list of the given country code.
run("$IPSET restore < $db_file");
+
+ # Store the restored list name to the hash to prevent from loading it again.
+ $loaded_ipset_lists{$list} = "1";
}
}
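Review bot: `$loaded_ipset_lists{$list} = "1";` is set right after `run("$IPSET restore < $db_file");` without checking its return value, so a failed restore (malformed export, or a set that already exists from another component) is recorded as loaded and never retried during this run, while the missing-file branch falls through silently. Store the marker only when `run()` succeeds, log the missing `$db_file` case, and consider returning a status from this function, since this hash is now the only guard after the callers dropped their own checks.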
--
2.30.2
* Re: [PATCH] rules.pl: Adjust check against loading the same lists multiple times.
2022-02-17 5:40 ` [PATCH] rules.pl: Adjust check against loading the same lists " Stefan Schantl
@ 2022-02-17 19:25 ` Peter Müller
0 siblings, 0 replies; 41+ messages in thread
From: Peter Müller @ 2022-02-17 19:25 UTC (permalink / raw)
To: development
Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>
> This check now has been moved to the ipset_restore() function, which
> will help to keep the code clean and maintainable.
>
> Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
> ---
> config/firewall/rules.pl | 43 ++++++++++++++++------------------------
> 1 file changed, 17 insertions(+), 26 deletions(-)
>
> diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
> index 25d01e0e3..927c1f2ba 100644
> --- a/config/firewall/rules.pl
> +++ b/config/firewall/rules.pl
> @@ -404,14 +404,8 @@ sub buildrules {
> # Grab location code from hash.
> my $loc_src = $$hash{$key}[4];
>
> - # Check if the network list for this country already has been loaded.
> - unless($loaded_ipset_lists{$loc_src}) {
> - # Call function to load the networks list for this country.
> - &ipset_restore($loc_src);
> -
> - # Store to the hash that this list has been loaded.
> - $loaded_ipset_lists{$loc_src} = "1";
> - }
> + # Call function to load the networks list for this country.
> + &ipset_restore($loc_src);
>
> push(@source_options, $source);
> } elsif($source) {
> @@ -424,14 +418,8 @@ sub buildrules {
> # Grab location code from hash.
> my $loc_dst = $$hash{$key}[6];
>
> - # Check if the network list for this country already has been loaded.
> - unless($loaded_ipset_lists{$loc_dst}) {
> - # Call function to load the networks list for this country.
> - &ipset_restore($loc_dst);
> -
> - # Store to the hash that this list has been loaded.
> - $loaded_ipset_lists{$loc_dst} = "1";
> - }
> + # Call function to load the networks list for this country.
> + &ipset_restore($loc_dst);
>
> push(@destination_options, $destination);
> } elsif ($destination) {
> @@ -677,14 +665,8 @@ sub locationblock {
> # is enabled.
> foreach my $location (@locations) {
> if(exists $locationsettings{$location} && $locationsettings{$location} eq "on") {
> - # Check if the network list for this country already has been loaded.
> - unless($loaded_ipset_lists{$location}) {
> - # Call function to load the networks list for this country.
> - &ipset_restore($location);
> -
> - # Store to the hash that this list has been loaded.
> - $loaded_ipset_lists{$location} = "1";
> - }
> + # Call function to load the networks list for this country.
> + &ipset_restore($location);
>
> # Call iptables and create rule to use the loaded ipset list.
> run("$IPTABLES -A LOCATIONBLOCK -m set --match-set CC_$location src -j DROP");
> @@ -906,14 +888,23 @@ sub firewall_is_in_subnet {
> }
>
> sub ipset_restore ($) {
> - my ($ccode) = @_;
> + my ($list) = @_;
>
> my $file_prefix = "ipset4";
> - my $db_file = "$Location::Functions::ipset_db_directory/$ccode.$file_prefix";
> + my $db_file = "$Location::Functions::ipset_db_directory/$list.$file_prefix";
> +
> + # Check if the network list already has been loaded.
> + if($loaded_ipset_lists{$list}) {
> + # It already has been loaded - so there is nothing to do.
> + return;
> + }
>
> # Check if the generated file exists.
> if (-f $db_file) {
> # Run ipset and restore the list of the given country code.
> run("$IPSET restore < $db_file");
> +
> + # Store the restored list name to the hash to prevent from loading it again.
> + $loaded_ipset_lists{$list} = "1";
> }
> }
* Re: [PATCH 04/12] rules.pl: Destroy all ipset lists on rule reload.
2022-02-17 4:56 ` Stefan Schantl
@ 2022-02-27 14:28 ` Stefan Schantl
0 siblings, 0 replies; 41+ messages in thread
From: Stefan Schantl @ 2022-02-27 14:28 UTC (permalink / raw)
To: development
Hello List,
as promised, I had a look at Tim's blacklisting code and talked on the
phone with Michael and Peter about how to handle all this "ipset load
and destroy stuff" in a good way.
So we talked about how to deal with all the different scripts and
places where ipset sets are involved. We agreed that it would be best
to handle them at a central place (script) and decided the easiest way
would be the perl-based firewall script which is used to generate and
create the firewall rules (rules.pl).
We also talked about how the IP blocklist feature could become a core
component of IPFire and how to integrate it into this. I'll give more
details about this in the related discussion on this list.
While discussing this we found that the dynamic approach of loading
and destroying sets which Tim is using in his code is very lovely, and
so we decided to adopt it in a very similar way.
This resulted in a first two patches which have been sent to the
development mailing list.
The first one will allow the firewall engine to dynamically destroy
(unload) ipset sets if they are no longer required.
https://patchwork.ipfire.org/project/ipfire/patch/20220227134903.1828-1-stefan.schantl(a)ipfire.org/
The second patch is a first step of moving all "ipset" related rules
into the same script.
https://patchwork.ipfire.org/project/ipfire/patch/20220227134903.1828-2-stefan.schantl(a)ipfire.org/
Best regards,
-Stefan
> Hello Michael, Hello Tim,
>
> thanks for your feedback and discussion.
> > Hello Tim,
> >
> > > On 15 Feb 2022, at 19:28, Tim FitzGeorge <ipfr(a)tfitzgeorge.me.uk>
> > > wrote:
> > >
> > > Hello,
> > >
> > > I'm concerned about this as well. Depending on when it does the
> > > ipset destroy it may be OK (for example as part of shutting down
> > > the system or prior to rebuilding the firewall from scratch, as in
> > > these cases it either won't matter or the OP blocklist ipsets will
> > > be reloaded), but in general I would consider it a bad idea to
> > > delete all the ipsets whether or not you 'own' them - each
> > > 'package' should only touch its own 'property', while this just
> > > deletes all the ipsets regardless.
> >
> > This is quite hard to implement though. We could in theory iterate
> > over all possible country codes and try to delete all sets, but that
> > seems to be a very slow and not elegant solution to the problem.
> >
> > > Having said that, I think it will probably be alright as according
> > > to the documentation ipset destroy won't delete lists which have
> > > references to them, and the IP blocklist ipsets should always have
> > > references.
> >
> > This is good for us though. If we can consider the “destroy” command
> > to be more of a cleanup and it is safe to call it, then we should not
> > run into any trouble here.
> >
> > @Stefan: Can you confirm that any sets that are still referenced
> > elsewhere won’t be destroyed and that there is no ugly output that
> > could alarm anyone?
>
> I have not had a look at Tim's code yet, nor done any testing of his
> feature, so I'm unable to say yes or no to both of your questions.
>
> I'll dig into this at the weekend and phone back what I got.
>
> -Stefan
>
> >
> > -Michael
> >
> > >
> > > Tim
> > >
> > > On 15/02/2022 12:41, Michael Tremer wrote:
> > > > Hello,
> > > >
> > > > Looking at the other patchset that implements IP blocklists,
> > > > could this interfere with this in any way?
> > > >
> > > > -Michael
> > > >
> > > > > On 14 Feb 2022, at 18:42, Stefan Schantl <
> > > > > stefan.schantl(a)ipfire.org> wrote:
> > > > >
> > > > > Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
> > > > > ---
> > > > > config/firewall/rules.pl | 4 ++++
> > > > > 1 file changed, 4 insertions(+)
> > > > >
> > > > > diff --git a/config/firewall/rules.pl
> > > > > b/config/firewall/rules.pl
> > > > > index f685d08a7..da01b8775 100644
> > > > > --- a/config/firewall/rules.pl
> > > > > +++ b/config/firewall/rules.pl
> > > > > @@ -31,6 +31,7 @@ require "${General::swroot}/location-
> > > > > functions.pl";
> > > > > my $DEBUG = 0;
> > > > >
> > > > > my $IPTABLES = "iptables --wait";
> > > > > +my $IPSET = "ipset";
> > > > >
> > > > > # iptables chains
> > > > > my $CHAIN_INPUT = "INPUTFW";
> > > > > @@ -114,6 +115,9 @@ sub main {
> > > > > # Flush all chains.
> > > > > &flush();
> > > > >
> > > > > + # Destroy all existing ipsets.
> > > > > + run("$IPSET destroy");
> > > > > +
> > > > > # Prepare firewall rules.
> > > > > if (! -z "${General::swroot}/firewall/input"){
> > > > > &buildrules(\%configinputfw);
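Review bot: `run("$IPSET destroy");` with no set name asks ipset to destroy every set on the host, not only the ones this script restores. It runs right after `&flush();`, so the script's own references are gone, but sets created by other components (the IP blocklist sets discussed in this thread) are also candidates, and a set that is still referenced cannot be destroyed, which makes the command report an error. Destroy by name, limited to sets this script created (e.g. the keys of `%loaded_ipset_lists` or a `CC_` prefix match), so each component only touches its own sets.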
> > > > > --
> > > > > 2.30.2
> > > > >
> > > >
> > >
> >
>
>
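The two points Stefan describes above, restoring each set once per run and destroying only sets the firewall script itself created and that are no longer referenced, as an added example written in Perl like rules.pl. This is not IPFire's or Tim's code: the `CC_` prefix, the `<set>.ipset4` file layout, the directory and the `ipset list -t` sample are assumptions, and commands are recorded instead of executed so the script runs offline.

```perl
#!/usr/bin/perl
# Added example, not IPFire's rules.pl: restore ipset sets once per run and
# destroy only the sets this script owns that are no longer referenced.
# The CC_ prefix, the <set>.ipset4 layout and the directory are assumptions.
use strict;
use warnings;
use File::Temp qw(tempdir);

my $IPSET = "ipset";

# Commands are recorded instead of executed so the example runs offline;
# a real script would call system() here and return its exit status.
my @executed;
sub run {
	my ($cmd) = @_;
	push(@executed, $cmd);
	return 0;
}

# Directory holding one "ipset restore" file per set, named <set>.ipset4
# (assumed layout; a temporary directory is used in the demo below).
my $ipset_db_directory;
my %loaded_ipset_lists;

# Returns 1 when the set is usable (freshly restored or already loaded) and
# 0 when there is no export file, so the caller can skip rules that use it.
sub ipset_restore {
	my ($list) = @_;
	my $db_file = "$ipset_db_directory/$list.ipset4";

	return 1 if $loaded_ipset_lists{$list};

	unless (-f $db_file) {
		warn "ipset_restore: no export file for set '$list' ($db_file)\n";
		return 0;
	}

	# Remember the set only if the restore command succeeded.
	if (run("$IPSET restore < $db_file") == 0) {
		$loaded_ipset_lists{$list} = 1;
		return 1;
	}
	warn "ipset_restore: restoring '$list' failed\n";
	return 0;
}

# Parses terse "ipset list -t" output (one header block per set) and returns
# the CC_* sets that report zero references, i.e. the ones safe to destroy.
sub unreferenced_owned_sets {
	my ($terse) = @_;
	my @unused;
	foreach my $block (split(/\n\s*\n/, $terse)) {
		my ($name) = $block =~ /^Name:\s+(\S+)/m;
		my ($refs) = $block =~ /^References:\s+(\d+)/m;
		next unless defined $name && defined $refs;
		next unless $name =~ /^CC_/;	# leave other components' sets alone
		push(@unused, $name) if $refs == 0;
	}
	return @unused;
}

# Destroys sets by name instead of running "ipset destroy" for everything.
sub ipset_destroy_unused {
	my ($terse) = @_;
	foreach my $set (unreferenced_owned_sets($terse)) {
		run("$IPSET destroy $set");
		(my $list = $set) =~ s/^CC_//;
		delete $loaded_ipset_lists{$list};
	}
}

# --- demo with constructed input --------------------------------------------
$ipset_db_directory = tempdir(CLEANUP => 1);
open(my $fh, ">", "$ipset_db_directory/DE.ipset4") or die $!;
print $fh "create CC_DE hash:net family inet\nadd CC_DE 192.0.2.0/24\n";
close($fh);

ipset_restore("DE");	# restores the set
ipset_restore("DE");	# cached, no second restore
ipset_restore("XX");	# no export file: warns and returns 0

# Constructed "ipset list -t" output: CC_DE is still referenced by a rule,
# CC_US is unreferenced, BLOCKLIST_X belongs to another component.
my $terse = join("\n",
	"Name: CC_DE", "Type: hash:net", "References: 1", "",
	"Name: CC_US", "Type: hash:net", "References: 0", "",
	"Name: BLOCKLIST_X", "Type: hash:net", "References: 0", "");
ipset_destroy_unused($terse);

print "$_\n" foreach @executed;
```

Running it records one restore for `DE` and one `ipset destroy CC_US`; the unreferenced `BLOCKLIST_X` set is left alone because only `CC_*` names are considered owned, and the missing `XX` export is reported instead of leaving a rule that references a set that does not exist.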