From mboxrd@z Thu Jan 1 00:00:00 1970
From: Peter =?utf-8?q?M=C3=BCller?=
To: development@lists.ipfire.org
Subject: Re: [PATCH 07/12] rules.pl: Move to ipset based data for location based firewall rules.
Date: Mon, 14 Feb 2022 21:05:12 +0000
Message-ID: <8934e593-d050-acd4-b449-1fcb0d999a2e@ipfire.org>
In-Reply-To: <20220214184257.2406-7-stefan.schantl@ipfire.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============2456287049425039233=="
List-Id:
--===============2456287049425039233==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Reviewed-by: Peter M=C3=BCller
> Signed-off-by: Stefan Schantl
> ---
> config/firewall/firewall-lib.pl | 4 ++--
> config/firewall/rules.pl | 16 ++++++++++++++--
> 2 files changed, 16 insertions(+), 4 deletions(-)
>=20
> diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib=
.pl
> index bc0b30ca5..13f0c9971 100644
> --- a/config/firewall/firewall-lib.pl
> +++ b/config/firewall/firewall-lib.pl
> @@ -466,7 +466,7 @@ sub get_address
> # Get external interface.
> my $external_interface =3D &get_external_interface();
> =20
> - push(@ret, ["-m geoip --src-cc $value", "$external_interface"]);
> + push(@ret, ["-m set --match-set CC_$value src", "$external_interface"]);
> }
> =20
> # Handle rule options with a location as target.
> @@ -476,7 +476,7 @@ sub get_address
> # Get external interface.
> my $external_interface =3D &get_external_interface();
> =20
> - push(@ret, ["-m geoip --dst-cc $value", "$external_interface"]);
> + push(@ret, ["-m set --match-set CC_$value dst", "$external_interface"]);
> }
> =20
> # If nothing was selected, we assume "any".
> diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
> index e009c1838..d533ffb42 100644
> --- a/config/firewall/rules.pl
> +++ b/config/firewall/rules.pl
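Review bot: The set name `CC_$value` is built by interpolating `$value` unchecked into the match string in both get_address hunks (the --src-cc and --dst-cc replacements), and unlike the old geoip option the new `-m set --match-set` form only works if a set of exactly that name already exists when the rule is loaded. Unless `$value` is constrained upstream to a bare two-letter code — which these hunks do not show — a value with whitespace or other characters would yield a malformed set name (and extra arguments, if this string is later split on whitespace), so a local check such as `next unless $value =~ /\A[A-Z]{2}\z/;` before the push would make the contract explicit. The `CC_` prefix is now also relied on by rules.pl, which restores the set from a separately read hash field, so a comment here would help the next maintainer: `# Matches the ipset "CC_<code>"; rules.pl must restore that set before this rule is loaded.` get_address starts and ends outside both hunks.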
> @@ -401,7 +401,13 @@ sub buildrules {
> my @source_options =3D ();
> if ($source =3D~ /mac/) {
> push(@source_options, $source);
> - } elsif ($source =3D~ /-m geoip/) {
> + } elsif ($source =3D~ /-m set/) {
> + # Grab location code from hash.
> + my $loc_src =3D $$hash{$key}[4];
> +
> + # Call function to load the networks list for this country.
> + &ipset_restore($loc_src);
> +
> push(@source_options, $source);
> } elsif($source) {
> push(@source_options, ("-s", $source));
> @@ -409,7 +415,13 @@ sub buildrules {
> =20
> # Prepare destination options.
> my @destination_options =3D ();
> - if ($destination =3D~ /-m geoip/) {
> + if ($destination =3D~ /-m set/) {
> + # Grab location code from hash.
> + my $loc_dst =3D $$hash{$key}[6];
> +
> + # Call function to load the networks list for this country.
> + &ipset_restore($loc_dst);
> +
> push(@destination_options, $destination);
> } elsif ($destination) {
> push(@destination_options, ("-d", $destination));
--===============2456287049425039233==--
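Review bot: The `/-m set/` test in both rules.pl hunks (source at 401, destination at 409) is broader than the `/-m geoip/` it replaces and couples the match-string syntax to the positional fields `[4]`/`[6]` of `$$hash{$key}`: any future option string containing `-m set` would be handed to `&ipset_restore` with a field that may not hold a country code at all. Matching the prefix that firewall-lib.pl actually emits, `} elsif ($source =~ /--match-set CC_/) {` (and the same for `$destination`), keeps the two files in step. The return value of `&ipset_restore` is discarded in both places; if it can report failure (for instance a missing network list), the iptables rule pushed right after it will reference a set that does not exist, so checking the result and logging or skipping the rule here would surface the problem at build time instead of as an opaque iptables error. The two added blocks are identical apart from the index, so a small helper taking the field index would remove the duplication. buildrules continues outside both hunks.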