From: Peter Müller
To: development@lists.ipfire.org
Subject: Re: [PATCH] location-functions.pl: Recognise XD / LOC_NETWORK_FLAG_DROP
Date: Wed, 13 Oct 2021 18:21:57 +0200
Message-ID: <7137bf0b-aa99-d555-b38c-cbbb7e33339a@ipfire.org>
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1281367295481277673=="
List-Id:

--===============1281367295481277673==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hello Michael,

thanks for your reply.

> Thank you.
>
> Do we want to make this a more convenient option somewhere in the UI in the future?

Yes. My imagination of bug #12031 is to have three new checkboxes on the firewall options CGI
to drop all traffic from and to

(a) IP networks not being globally routable ("martians")
(b) publicly routable yet unallocated IP networks ("bogons")
(c) and IP networks having the LOC_NETWORK_FLAG_DROP flag set

on the RED interface.

I think it is wise to split this up, since some people might need (a), but not (b) - Arne told
me yesterday some mobile ISPs use public IP space internally -, and might not want to enable
(c) for whatever reason. One size never fits all.

(a) is something we (I) can implement straight away. As soon as this patch has been merged,
(c) is no longer an issue, too. (b) is currently blocked due to bug #12691.

And of course there will be a blog article about this. \o/

Thanks, and best regards,
Peter Müller

>
> -Michael
>
> Reviewed-by: Michael Tremer
>
>> On 10 Oct 2021, at 18:13, Peter Müller wrote:
>>
>> This enables creating firewall rules using the special country code "XD"
>> for hostile networks safe to drop and ipinfo.cgi to display a meaningful
>> text for IP addresses having this flag set.
>>
>> At the moment, the "LOC_NETWORK_FLAG_DROP" is not yet populated, but
>> will be in the future (as soon as libloc 0.9.9 is released and running
>> in production).
>> >> Signed-off-by: Peter M=C3=BCller >> --- >> config/cfgroot/location-functions.pl | 6 ++++-- >> 1 file changed, 4 insertions(+), 2 deletions(-) >> >> diff --git a/config/cfgroot/location-functions.pl b/config/cfgroot/locatio= n-functions.pl >> index fb97eb589..4d44ce24d 100644 >> --- a/config/cfgroot/location-functions.pl >> +++ b/config/cfgroot/location-functions.pl >> @@ -2,7 +2,7 @@ >> ##########################################################################= ##### >> # = # >> # IPFire.org - A linux based firewall = # >> -# Copyright (C) 2007-2020 IPFire Team = # >> +# Copyright (C) 2007-2021 IPFire Team = # >> # = # >> # This program is free software: you can redistribute it and/or modify = # >> # it under the terms of the GNU General Public License as published by = # >> @@ -29,6 +29,7 @@ my %not_iso_3166_location =3D ( >> "A1" =3D> "Anonymous Proxy", >> "A2" =3D> "Satellite Provider", >> "A3" =3D> "Worldwide Anycast Instance", >> + "XD" =3D> "Hostile networks safe to drop", >> ); >> >> # Hash which contains possible network flags and their mapped location cod= es. >> @@ -36,10 +37,11 @@ my %network_flags =3D ( >> "LOC_NETWORK_FLAG_ANONYMOUS_PROXY" =3D> "A1", >> "LOC_NETWORK_FLAG_SATELLITE_PROVIDER" =3D> "A2", >> "LOC_NETWORK_FLAG_ANYCAST" =3D> "A3", >> + "LOC_NETWORK_FLAG_DROP" =3D> "XD", >> ); >> >> # Array which contains special country codes. >> -my @special_locations =3D ( "A1", "A2", "A3" ); >> +my @special_locations =3D ( "A1", "A2", "A3", "XD" ); >> >> # Directory where the libloc database and keyfile lives. >> our $location_dir =3D "/var/lib/location/"; >> --=20 >> 2.26.2 >=20 --===============1281367295481277673==--
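Review bot: In the @@ -29,6 +29,7 hunk, the new "XD" entry in %not_iso_3166_location carries no comment saying where the code comes from or that it will not match anything yet. The commit message explains that LOC_NETWORK_FLAG_DROP is only populated once libloc 0.9.9 is running in production; a one-line comment above the entry stating that would keep a reader from concluding that an empty XD set means there are no such networks. Unlike "A1" to "A3", "XD" is also a syntactically valid alpha-2 code (it sits in the ISO 3166-1 user-assigned range XA to XZ), so the same comment could note that the choice is deliberate.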
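Review bot: In the @@ -36,10 +37,11 hunk, @special_locations now repeats exactly the values of %network_flags ("A1", "A2", "A3", "XD"), so each new flag has to be added in two places here, plus its description in %not_iso_3166_location, and a missed edit would leave a flag mapped to a code that is not treated as special. Consider deriving the array from the hash, for example my @special_locations = sort values %network_flags; so the two cannot drift apart. If the order, or a deliberate difference between the list and the hash, matters to callers, a comment above the array saying so would help.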