Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
---
config/cfgroot/location-functions.pl | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/cfgroot/location-functions.pl b/config/cfgroot/location-functions.pl
index 4d44ce24d..f86464933 100644
--- a/config/cfgroot/location-functions.pl
+++ b/config/cfgroot/location-functions.pl
@@ -53,7 +53,7 @@ our $database = "$location_dir/database.db";
our $keyfile = "$location_dir/signing-key.pem";
# Directory which contains the exported databases.
-our $xt_geoip_db_directory = "/usr/share/xt_geoip/";
+our $ipset_db_directory = "$location_dir/ipset";
# Create libloc database handle.
my $db_handle = &init();
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
---
config/cfgroot/location-functions.pl | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/cfgroot/location-functions.pl b/config/cfgroot/location-functions.pl
index f86464933..46e27c04a 100644
--- a/config/cfgroot/location-functions.pl
+++ b/config/cfgroot/location-functions.pl
@@ -44,7 +44,7 @@ my %network_flags = (
my @special_locations = ( "A1", "A2", "A3", "XD" );
# Directory where the libloc database and keyfile lives.
-our $location_dir = "/var/lib/location/";
+our $location_dir = "/var/lib/location";
# Libloc database file.
our $database = "$location_dir/database.db";
Reviewed-by: Peter Müller peter.mueller@ipfire.org
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
config/cfgroot/location-functions.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/cfgroot/location-functions.pl b/config/cfgroot/location-functions.pl index f86464933..46e27c04a 100644 --- a/config/cfgroot/location-functions.pl +++ b/config/cfgroot/location-functions.pl @@ -44,7 +44,7 @@ my %network_flags = ( my @special_locations = ( "A1", "A2", "A3", "XD" );
# Directory where the libloc database and keyfile lives. -our $location_dir = "/var/lib/location/"; +our $location_dir = "/var/lib/location";
# Libloc database file. our $database = "$location_dir/database.db";
It is required to get rid of all ipset based rules before all of the loaded ipset lists can be destroyed.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
---
config/firewall/rules.pl | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index 9d280045a..f685d08a7 100644
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -186,6 +186,9 @@ sub flush {
run("$IPTABLES -t nat -F $CHAIN_NAT_SOURCE");
run("$IPTABLES -t nat -F $CHAIN_NAT_DESTINATION");
run("$IPTABLES -t mangle -F $CHAIN_MANGLE_NAT_DESTINATION_FIX");
+
+ # Flush LOCATIONBLOCK chain.
+ run("$IPTABLES -F LOCATIONBLOCK");
}
sub buildrules {
@@ -638,8 +641,7 @@ sub p2pblock {
}
sub locationblock {
- # Flush iptables chain.
- run("$IPTABLES -F LOCATIONBLOCK");
+ # The LOCATIONBLOCK chain now gets flushed by the flush() function.
# If location blocking is not enabled, we are finished here.
if ($locationsettings{'LOCATIONBLOCK_ENABLED'} ne "on") {
Reviewed-by: Peter Müller peter.mueller@ipfire.org
It is required to get rid of all ipset based rules before all of the loaded ipset lists can be destroyed.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
config/firewall/rules.pl | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index 9d280045a..f685d08a7 100644 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -186,6 +186,9 @@ sub flush { run("$IPTABLES -t nat -F $CHAIN_NAT_SOURCE"); run("$IPTABLES -t nat -F $CHAIN_NAT_DESTINATION"); run("$IPTABLES -t mangle -F $CHAIN_MANGLE_NAT_DESTINATION_FIX");
- # Flush LOCATIONBLOCK chain.
- run("$IPTABLES -F LOCATIONBLOCK");
}
sub buildrules { @@ -638,8 +641,7 @@ sub p2pblock { }
sub locationblock {
- # Flush iptables chain.
- run("$IPTABLES -F LOCATIONBLOCK");
# The LOCATIONBLOCK chain now gets flushed by the flush() function.
# If location blocking is not enabled, we are finished here. if ($locationsettings{'LOCATIONBLOCK_ENABLED'} ne "on") {
Reviewed-by: Michael Tremer michael.tremer@ipfire.org
On 14 Feb 2022, at 18:42, Stefan Schantl stefan.schantl@ipfire.org wrote:
It is required to get rid of all ipset based rules before all of the loaded ipset lists can be destroyed.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
config/firewall/rules.pl | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index 9d280045a..f685d08a7 100644 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -186,6 +186,9 @@ sub flush { run("$IPTABLES -t nat -F $CHAIN_NAT_SOURCE"); run("$IPTABLES -t nat -F $CHAIN_NAT_DESTINATION"); run("$IPTABLES -t mangle -F $CHAIN_MANGLE_NAT_DESTINATION_FIX");
- # Flush LOCATIONBLOCK chain.
- run("$IPTABLES -F LOCATIONBLOCK");
}
sub buildrules { @@ -638,8 +641,7 @@ sub p2pblock { }
sub locationblock {
- # Flush iptables chain.
- run("$IPTABLES -F LOCATIONBLOCK");
# The LOCATIONBLOCK chain now gets flushed by the flush() function.
# If location blocking is not enabled, we are finished here. if ($locationsettings{'LOCATIONBLOCK_ENABLED'} ne "on") {
-- 2.30.2
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
---
config/firewall/rules.pl | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index f685d08a7..da01b8775 100644
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -31,6 +31,7 @@ require "${General::swroot}/location-functions.pl";
my $DEBUG = 0;
my $IPTABLES = "iptables --wait";
+my $IPSET = "ipset";
# iptables chains
my $CHAIN_INPUT = "INPUTFW";
@@ -114,6 +115,9 @@ sub main {
# Flush all chains.
&flush();
+ # Destroy all existing ipsets.
+ run("$IPSET destroy");
+
# Prepare firewall rules.
if (! -z "${General::swroot}/firewall/input"){
&buildrules(%configinputfw);
Reviewed-by: Peter Müller peter.mueller@ipfire.org
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
config/firewall/rules.pl | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index f685d08a7..da01b8775 100644 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -31,6 +31,7 @@ require "${General::swroot}/location-functions.pl"; my $DEBUG = 0;
my $IPTABLES = "iptables --wait"; +my $IPSET = "ipset";
# iptables chains my $CHAIN_INPUT = "INPUTFW"; @@ -114,6 +115,9 @@ sub main { # Flush all chains. &flush();
- # Destroy all existing ipsets.
- run("$IPSET destroy");
- # Prepare firewall rules. if (! -z "${General::swroot}/firewall/input"){ &buildrules(%configinputfw);
Hello,
Looking at the other patchset that implements IP blocklists, could this interfere with this in any way?
-Michael
On 14 Feb 2022, at 18:42, Stefan Schantl stefan.schantl@ipfire.org wrote:
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
config/firewall/rules.pl | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index f685d08a7..da01b8775 100644 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -31,6 +31,7 @@ require "${General::swroot}/location-functions.pl"; my $DEBUG = 0;
my $IPTABLES = "iptables --wait"; +my $IPSET = "ipset";
# iptables chains my $CHAIN_INPUT = "INPUTFW"; @@ -114,6 +115,9 @@ sub main { # Flush all chains. &flush();
- # Destroy all existing ipsets.
- run("$IPSET destroy");
- # Prepare firewall rules. if (! -z "${General::swroot}/firewall/input"){ &buildrules(%configinputfw);
-- 2.30.2
Hello,
I'm concerned about this as well. Depending on when it does the ipset destroy it may be OK (for example as part of shutting down the system or prior to rebuilding the firewall from scratch, as in these cases it either won't matter or the OP blocklist ipsets will be reloaded), but in general I would consider it a bad idea to delete all the ipsets whether or not you 'own' them - each 'package' should only touch its own 'property', while this just deletes all the ipsets regardless.
Having said that, I think it will probably be alright as according to the documentation ipset destroy won't delete lists which have references to them, and the IP blocklist ipsets should always have references.
Tim
On 15/02/2022 12:41, Michael Tremer wrote:
Hello,
Looking at the other patchset that implements IP blocklists, could this interfere with this in any way?
-Michael
On 14 Feb 2022, at 18:42, Stefan Schantl stefan.schantl@ipfire.org wrote:
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
config/firewall/rules.pl | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index f685d08a7..da01b8775 100644 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -31,6 +31,7 @@ require "${General::swroot}/location-functions.pl"; my $DEBUG = 0;
my $IPTABLES = "iptables --wait"; +my $IPSET = "ipset";
# iptables chains my $CHAIN_INPUT = "INPUTFW"; @@ -114,6 +115,9 @@ sub main { # Flush all chains. &flush();
- # Destroy all existing ipsets.
- run("$IPSET destroy");
- # Prepare firewall rules. if (! -z "${General::swroot}/firewall/input"){ &buildrules(%configinputfw);
-- 2.30.2
Hello Tim,
On 15 Feb 2022, at 19:28, Tim FitzGeorge ipfr@tfitzgeorge.me.uk wrote:
Hello,
I'm concerned about this as well. Depending on when it does the ipset destroy it may be OK (for example as part of shutting down the system or prior to rebuilding the firewall from scratch, as in these cases it either won't matter or the OP blocklist ipsets will be reloaded), but in general I would consider it a bad idea to delete all the ipsets whether or not you 'own' them - each 'package' should only touch it's own 'property', while this just deletes all the ipsets regardless.
This is quite hard to implement though. We could in theory iterate over all possible country codes and try to delete all sets, but that seems to be a very slow and not elegant solution to the problem.
Having said that, I think it will probably be alright as according to the documentation ipset destroy won't delete lists which have references to them, and the IP blocklist ipsets should always have references.
This is good for us though. If we can consider the “destroy” command to be more of a cleanup and it is safe to call it, then we should not run into any trouble here.
@Stefan: Can you confirm that any sets that are still referenced elsewhere won’t be destroyed and that there is no ugly output that could alarm anyone?
-Michael
Tim
On 15/02/2022 12:41, Michael Tremer wrote:
Hello,
Looking at the other patchset that implements IP blocklists, could this interfere with this in any way?
-Michael
On 14 Feb 2022, at 18:42, Stefan Schantl stefan.schantl@ipfire.org wrote:
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
config/firewall/rules.pl | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index f685d08a7..da01b8775 100644 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -31,6 +31,7 @@ require "${General::swroot}/location-functions.pl"; my $DEBUG = 0;
my $IPTABLES = "iptables --wait"; +my $IPSET = "ipset";
# iptables chains my $CHAIN_INPUT = "INPUTFW"; @@ -114,6 +115,9 @@ sub main { # Flush all chains. &flush();
- # Destroy all existing ipsets.
- run("$IPSET destroy");
- # Prepare firewall rules. if (! -z "${General::swroot}/firewall/input"){ &buildrules(%configinputfw);
-- 2.30.2
Hello Michael, Hello Tim,
thanks for your feedback and discussion.
Hello Tim,
On 15 Feb 2022, at 19:28, Tim FitzGeorge ipfr@tfitzgeorge.me.uk wrote:
Hello,
I'm concerned about this as well. Depending on when it does the ipset destroy it may be OK (for example as part of shutting down the system or prior to rebuilding the firewall from scratch, as in these cases it either won't matter or the OP blocklist ipsets will be reloaded), but in general I would consider it a bad idea to delete all the ipsets whether or not you 'own' them - each 'package' should only touch it's own 'property', while this just deletes all the ipsets regardless.
This is quite hard to implement though. We could in theory iterate over all possible country codes and try to delete all sets, but that seems to be a very slow and not elegant solution to the problem.
Having said that, I think it will probably be alright as according to the documentation ipset destroy won't delete lists which have references to them, and the IP blocklist ipsets should always have references.
This is good for us though. If we can consider the “destroy” command to be more of a cleanup and it is safe to call it, then we should not run into any trouble here.
@Stefan: Can you confirm that any sets that are still referenced elsewhere won’t be destroyed and that there is no ugly output that could alarm anyone?
I have not yet had a look at Tim's code, nor have I tested his feature, so I'm unable to answer either of your questions with yes or no.
I'll dig into this at the weekend and phone back what I got.
-Stefan
-Michael
Tim
On 15/02/2022 12:41, Michael Tremer wrote:
Hello,
Looking at the other patchset that implements IP blocklists, could this interfere with this in any way?
-Michael
On 14 Feb 2022, at 18:42, Stefan Schantl < stefan.schantl@ipfire.org> wrote:
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
config/firewall/rules.pl | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index f685d08a7..da01b8775 100644 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -31,6 +31,7 @@ require "${General::swroot}/location- functions.pl"; my $DEBUG = 0;
my $IPTABLES = "iptables --wait"; +my $IPSET = "ipset";
# iptables chains my $CHAIN_INPUT = "INPUTFW"; @@ -114,6 +115,9 @@ sub main { # Flush all chains. &flush();
+ # Destroy all existing ipsets. + run("$IPSET destroy");
# Prepare firewall rules. if (! -z "${General::swroot}/firewall/input"){ &buildrules(%configinputfw); -- 2.30.2
Hello List,
as promised, I had a look at Tim's blacklisting code and talked on the phone with Michael and Peter how to handle all this "ipset load and destroy stuff" in a good way.
So we talked about, how to deal with all the different scripts and places where ipset sets are involved. We agreed that it would be the best to handle them at a central place (script) and decided the easiest way would be the perl-based firewall script which is used to generate and create the firewall rules. (rules.pl)
We also talked about how the IP blocklist feature become a core component of IPFire and to integrate it into this. I'll give more details about this in the related discussion on this list.
While discussing this, we noticed that the dynamic approach of loading and destroying sets which Tim is using in his code is very lovely, and so we decided to adopt it in a very similar way.
This results in two first patches which have been sent to the development mailing list.
The first one will allow the firewall engine to dynamically destroy (unload) ipset sets if they are no longer required.
https://patchwork.ipfire.org/project/ipfire/patch/20220227134903.1828-1-stef...
The second patch is a first step of moving all "ipset" related rules into the same script.
https://patchwork.ipfire.org/project/ipfire/patch/20220227134903.1828-2-stef...
Best regards,
-Stefan
Hello Michael, Hello Tim,
thanks for your feedback and discussion.
Hello Tim,
On 15 Feb 2022, at 19:28, Tim FitzGeorge ipfr@tfitzgeorge.me.uk wrote:
Hello,
I'm concerned about this as well. Depending on when it does the ipset destroy it may be OK (for example as part of shutting down the system or prior to rebuilding the firewall from scratch, as in these cases it either won't matter or the OP blocklist ipsets will be reloaded), but in general I would consider it a bad idea to delete all the ipsets whether or not you 'own' them - each 'package' should only touch it's own 'property', while this just deletes all the ipsets regardless.
This is quite hard to implement though. We could in theory iterate over all possible country codes and try to delete all sets, but that seems to be a very slow and not elegant solution to the problem.
Having said that, I think it will probably be alright as according to the documentation ipset destroy won't delete lists which have references to them, and the IP blocklist ipsets should always have references.
This is good for us though. If we can consider the “destroy” command to be more of a cleanup and it is safe to call it, then we should not run into any trouble here.
@Stefan: Can you confirm that any sets that are still referenced elsewhere won’t be destroyed and that there is no ugly output that could alarm anyone?
I did not have a look at Tim's code at the moment, nor some testing of his feature so I'm unable to say yes or no, for both of your questions.
I'll dig into this at the weekend and phone back what I got.
-Stefan
-Michael
Tim
On 15/02/2022 12:41, Michael Tremer wrote:
Hello,
Looking at the other patchset that implements IP blocklists, could this interfere with this in any way?
-Michael
On 14 Feb 2022, at 18:42, Stefan Schantl < stefan.schantl@ipfire.org> wrote:
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
config/firewall/rules.pl | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index f685d08a7..da01b8775 100644 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -31,6 +31,7 @@ require "${General::swroot}/location- functions.pl"; my $DEBUG = 0;
my $IPTABLES = "iptables --wait"; +my $IPSET = "ipset";
# iptables chains my $CHAIN_INPUT = "INPUTFW"; @@ -114,6 +115,9 @@ sub main { # Flush all chains. &flush();
+ # Destroy all existing ipsets. + run("$IPSET destroy");
# Prepare firewall rules. if (! -z "${General::swroot}/firewall/input"){ &buildrules(%configinputfw); -- 2.30.2
This helper function is used to load a previously exported list of networks for a given country code into the ipset module, so it can be used for any kind of firewall rules.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
---
config/firewall/rules.pl | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index da01b8775..5b1153b08 100644
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -888,3 +888,10 @@ sub firewall_is_in_subnet {
return 0;
}
+
+sub ipset_restore ($) {
+ my ($ccode) = @_;
+
+ # Run ipset and restore the list of the given country code.
+ run("$IPSET restore < $Location::Functions::ipset_db_directory/$ccode.ipset4");
+}
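Review bot: `$ccode` is interpolated unvalidated into the command string in ipset_restore(), and because that string relies on an input redirection it presumably has to be interpreted by a shell (run() is not visible in this hunk). Later patches in the series pass in values read from the saved rule hash and the location settings, so a value containing `/`, `..` or shell metacharacters would change which file is read or what gets executed, presumably as root. I would reject anything that is not a plain two-character code before building the command, e.g. `return unless ($ccode =~ /\A[A-Z0-9]{2}\z/);`, and skip the call when the export is missing, `return unless (-f "$Location::Functions::ipset_db_directory/$ccode.ipset4");`. The `($)` prototype validates nothing and is bypassed by the `&ipset_restore(...)` call style used in the rest of the series, so it can be dropped.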
Reviewed-by: Peter Müller peter.mueller@ipfire.org
This helper function is used to load a previously exported list of networks for a given country code into the ipset module, so it can be used for any kind of firewall rules.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
config/firewall/rules.pl | 7 +++++++ 1 file changed, 7 insertions(+)
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index da01b8775..5b1153b08 100644 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -888,3 +888,10 @@ sub firewall_is_in_subnet {
return 0; }
+sub ipset_restore ($) {
- my ($ccode) = @_;
- # Run ipset and restore the list of the given country code.
- run("$IPSET restore < $Location::Functions::ipset_db_directory/$ccode.ipset4");
+}
Reviewed-by: Michael Tremer michael.tremer@ipfire.org
On 14 Feb 2022, at 18:42, Stefan Schantl stefan.schantl@ipfire.org wrote:
This helper function is used to load a previously exported list of networks for a given country code into the ipset module, so it can be used for any kind of firewall rules.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
config/firewall/rules.pl | 7 +++++++ 1 file changed, 7 insertions(+)
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index da01b8775..5b1153b08 100644 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -888,3 +888,10 @@ sub firewall_is_in_subnet {
return 0; }
+sub ipset_restore ($) {
- my ($ccode) = @_;
- # Run ipset and restore the list of the given country code.
- run("$IPSET restore < $Location::Functions::ipset_db_directory/$ccode.ipset4");
+}
2.30.2
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
---
config/firewall/rules.pl | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index 5b1153b08..e009c1838 100644
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -671,7 +671,11 @@ sub locationblock {
# is enabled.
foreach my $location (@locations) {
if(exists $locationsettings{$location} && $locationsettings{$location} eq "on") {
- run("$IPTABLES -A LOCATIONBLOCK -m geoip --src-cc $location -j DROP");
+ # Call function to load the networks list for this country.
+ &ipset_restore($location);
+
+ # Call iptables and create rule to use the loaded ipset list.
+ run("$IPTABLES -A LOCATIONBLOCK -m set --match-set CC_$location src -j DROP");
}
}
}
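Review bot: Nothing in this hunk checks that the set `CC_$location` was actually created before the `--match-set CC_$location src -j DROP` rule is appended. iptables rejects a `--match-set` rule whose set does not exist, so a missing or unreadable `.ipset4` export would leave that country unblocked, and unless run() reports failures (it is outside this hunk) the gap would go unnoticed. I would have ipset_restore() return a status and make the failure visible at the call site, e.g. `&ipset_restore($location) or warn "Could not load ipset list for $location\n";`. locationblock() starts outside the hunk.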
Reviewed-by: Peter Müller peter.mueller@ipfire.org
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
config/firewall/rules.pl | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index 5b1153b08..e009c1838 100644 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -671,7 +671,11 @@ sub locationblock { # is enabled. foreach my $location (@locations) { if(exists $locationsettings{$location} && $locationsettings{$location} eq "on") {
run("$IPTABLES -A LOCATIONBLOCK -m geoip --src-cc $location -j DROP");
# Call function to load the networks list for this country.
&ipset_restore($location);
# Call iptables and create rule to use the loaded ipset list.
} }run("$IPTABLES -A LOCATIONBLOCK -m set --match-set CC_$location src -j DROP");
}
Reviewed-by: Michael Tremer michael.tremer@ipfire.org
On 14 Feb 2022, at 18:42, Stefan Schantl stefan.schantl@ipfire.org wrote:
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
config/firewall/rules.pl | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index 5b1153b08..e009c1838 100644 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -671,7 +671,11 @@ sub locationblock { # is enabled. foreach my $location (@locations) { if(exists $locationsettings{$location} && $locationsettings{$location} eq "on") {
run("$IPTABLES -A LOCATIONBLOCK -m geoip --src-cc $location -j DROP");
# Call function to load the networks list for this country.
&ipset_restore($location);
# Call iptables and create rule to use the loaded ipset list.
} }run("$IPTABLES -A LOCATIONBLOCK -m set --match-set CC_$location src -j DROP");
}
2.30.2
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
---
config/firewall/firewall-lib.pl | 4 ++--
config/firewall/rules.pl | 16 ++++++++++++++--
2 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl
index bc0b30ca5..13f0c9971 100644
--- a/config/firewall/firewall-lib.pl
+++ b/config/firewall/firewall-lib.pl
@@ -466,7 +466,7 @@ sub get_address
# Get external interface.
my $external_interface = &get_external_interface();
- push(@ret, ["-m geoip --src-cc $value", "$external_interface"]);
+ push(@ret, ["-m set --match-set CC_$value src", "$external_interface"]);
}
# Handle rule options with a location as target.
@@ -476,7 +476,7 @@ sub get_address
# Get external interface.
my $external_interface = &get_external_interface();
- push(@ret, ["-m geoip --dst-cc $value", "$external_interface"]);
+ push(@ret, ["-m set --match-set CC_$value dst", "$external_interface"]);
}
# If nothing was selected, we assume "any".
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index e009c1838..d533ffb42 100644
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -401,7 +401,13 @@ sub buildrules {
my @source_options = ();
if ($source =~ /mac/) {
push(@source_options, $source);
- } elsif ($source =~ /-m geoip/) {
+ } elsif ($source =~ /-m set/) {
+ # Grab location code from hash.
+ my $loc_src = $$hash{$key}[4];
+
+ # Call function to load the networks list for this country.
+ &ipset_restore($loc_src);
+
push(@source_options, $source);
} elsif($source) {
push(@source_options, ("-s", $source));
@@ -409,7 +415,13 @@ sub buildrules {
# Prepare destination options.
my @destination_options = ();
- if ($destination =~ /-m geoip/) {
+ if ($destination =~ /-m set/) {
+ # Grab location code from hash.
+ my $loc_dst = $$hash{$key}[6];
+
+ # Call function to load the networks list for this country.
+ &ipset_restore($loc_dst);
+
push(@destination_options, $destination);
} elsif ($destination) {
push(@destination_options, ("-d", $destination));
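Review bot: The set name used in the rule and the list that gets loaded come from two different places. get_address() in firewall-lib.pl builds `CC_$value`, while buildrules() detects the case with the unanchored match `/-m set/` and then re-reads the code from `$$hash{$key}[4]` and `$$hash{$key}[6]`. If the two ever disagree, or the field is empty, the rule refers to a set that was never restored. A comment stating what columns 4 and 6 of the rule record hold would help, and, assuming `$source` is the option string built by get_address(), the code could be taken from it directly: `my ($loc_src) = $source =~ /--match-set CC_(\S+) /;` (likewise for `$destination`). All four hunks are cut inside get_address() and buildrules().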
Reviewed-by: Peter Müller peter.mueller@ipfire.org
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
config/firewall/firewall-lib.pl | 4 ++-- config/firewall/rules.pl | 16 ++++++++++++++-- 2 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl index bc0b30ca5..13f0c9971 100644 --- a/config/firewall/firewall-lib.pl +++ b/config/firewall/firewall-lib.pl @@ -466,7 +466,7 @@ sub get_address # Get external interface. my $external_interface = &get_external_interface();
push(@ret, ["-m geoip --src-cc $value", "$external_interface"]);
push(@ret, ["-m set --match-set CC_$value src", "$external_interface"]);
}
# Handle rule options with a location as target.
@@ -476,7 +476,7 @@ sub get_address # Get external interface. my $external_interface = &get_external_interface();
push(@ret, ["-m geoip --dst-cc $value", "$external_interface"]);
push(@ret, ["-m set --match-set CC_$value dst", "$external_interface"]);
}
# If nothing was selected, we assume "any".
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index e009c1838..d533ffb42 100644 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -401,7 +401,13 @@ sub buildrules { my @source_options = (); if ($source =~ /mac/) { push(@source_options, $source);
} elsif ($source =~ /-m geoip/) {
} elsif ($source =~ /-m set/) {
# Grab location code from hash.
my $loc_src = $$hash{$key}[4];
# Call function to load the networks list for this country.
&ipset_restore($loc_src);
push(@source_options, $source); } elsif($source) { push(@source_options, ("-s", $source));
@@ -409,7 +415,13 @@ sub buildrules {
# Prepare destination options. my @destination_options = ();
if ($destination =~ /-m geoip/) {
if ($destination =~ /-m set/) {
# Grab location code from hash.
my $loc_dst = $$hash{$key}[6];
# Call function to load the networks list for this country.
&ipset_restore($loc_dst);
push(@destination_options, $destination); } elsif ($destination) { push(@destination_options, ("-d", $destination));
Reviewed-by: Michael Tremer michael.tremer@ipfire.org
On 14 Feb 2022, at 18:42, Stefan Schantl stefan.schantl@ipfire.org wrote:
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
config/firewall/firewall-lib.pl | 4 ++-- config/firewall/rules.pl | 16 ++++++++++++++-- 2 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl index bc0b30ca5..13f0c9971 100644 --- a/config/firewall/firewall-lib.pl +++ b/config/firewall/firewall-lib.pl @@ -466,7 +466,7 @@ sub get_address # Get external interface. my $external_interface = &get_external_interface();
push(@ret, ["-m geoip --src-cc $value", "$external_interface"]);
push(@ret, ["-m set --match-set CC_$value src", "$external_interface"]);
}
# Handle rule options with a location as target.
@@ -476,7 +476,7 @@ sub get_address # Get external interface. my $external_interface = &get_external_interface();
push(@ret, ["-m geoip --dst-cc $value", "$external_interface"]);
push(@ret, ["-m set --match-set CC_$value dst", "$external_interface"]);
}
# If nothing was selected, we assume "any".
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index e009c1838..d533ffb42 100644 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -401,7 +401,13 @@ sub buildrules { my @source_options = (); if ($source =~ /mac/) { push(@source_options, $source);
} elsif ($source =~ /-m geoip/) {
} elsif ($source =~ /-m set/) {
# Grab location code from hash.
my $loc_src = $$hash{$key}[4];
# Call function to load the networks list for this country.
&ipset_restore($loc_src);
push(@source_options, $source); } elsif($source) { push(@source_options, ("-s", $source));
@@ -409,7 +415,13 @@ sub buildrules {
# Prepare destination options. my @destination_options = ();
if ($destination =~ /-m geoip/) {
if ($destination =~ /-m set/) {
# Grab location code from hash.
my $loc_dst = $$hash{$key}[6];
# Call function to load the networks list for this country.
&ipset_restore($loc_dst);
push(@destination_options, $destination); } elsif ($destination) { push(@destination_options, ("-d", $destination));
-- 2.30.2
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
---
src/scripts/update-location-database | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/scripts/update-location-database b/src/scripts/update-location-database
index 06b22d101..d41a0a947 100644
--- a/src/scripts/update-location-database
+++ b/src/scripts/update-location-database
@@ -42,8 +42,8 @@ fi
# Get the latest location database from server.
if /usr/bin/location update --cron=$UPDATE_INTERVAL; then
- # Call location and export all countries in xt_geoip compatible format.
- if /usr/bin/location export --directory=/usr/share/xt_geoip --family=ipv4 --format=xt_geoip; then
+ # Call location and export all countries in an ipset compatible format.
+ if /usr/bin/location export --directory=/var/lib/location/ipset --family=ipv4 --format=ipset; then
# Call initscript to reload the firewall.
/etc/init.d/firewall reload
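Review bot: The export directory `/var/lib/location/ipset` is hard-coded here and defined a second time as `$ipset_db_directory` in location-functions.pl, and nothing in this hunk creates it. The files written there are later fed to `ipset restore` by the firewall script, so the directory has to exist before the export runs and should be writable by root only. If packaging does not already create it, add something like `install -d -m 0755 /var/lib/location/ipset` ahead of the export, with a comment pointing at the Perl variable so the two paths do not drift apart. Both `if` blocks close outside the hunk.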
Reviewed-by: Peter Müller peter.mueller@ipfire.org
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
src/scripts/update-location-database | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/scripts/update-location-database b/src/scripts/update-location-database index 06b22d101..d41a0a947 100644 --- a/src/scripts/update-location-database +++ b/src/scripts/update-location-database @@ -42,8 +42,8 @@ fi
# Get the latest location database from server. if /usr/bin/location update --cron=$UPDATE_INTERVAL; then
- # Call location and export all countries in xt_geoip compatible format.
- if /usr/bin/location export --directory=/usr/share/xt_geoip --family=ipv4 --format=xt_geoip; then
# Call location and export all countries in an ipset compatible format.
if /usr/bin/location export --directory=/var/lib/location/ipset --family=ipv4 --format=ipset; then
# Call initscript to reload the firewall. /etc/init.d/firewall reload
Reviewed-by: Michael Tremer michael.tremer@ipfire.org
On 14 Feb 2022, at 18:42, Stefan Schantl stefan.schantl@ipfire.org wrote:
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
src/scripts/update-location-database | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/scripts/update-location-database b/src/scripts/update-location-database index 06b22d101..d41a0a947 100644 --- a/src/scripts/update-location-database +++ b/src/scripts/update-location-database @@ -42,8 +42,8 @@ fi
# Get the latest location database from server. if /usr/bin/location update --cron=$UPDATE_INTERVAL; then
- # Call location and export all countries in xt_geoip compatible format.
- if /usr/bin/location export --directory=/usr/share/xt_geoip --family=ipv4 --format=xt_geoip; then
# Call location and export all countries in an ipset compatible format.
if /usr/bin/location export --directory=/var/lib/location/ipset --family=ipv4 --format=ipset; then
# Call initscript to reload the firewall. /etc/init.d/firewall reload
-- 2.30.2
When an ipset list gets restored, this is now recorded in a hash, and the hash is checked before restoring a list to see whether this has already been done.
This prevents the same list from being restored multiple times.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org --- config/firewall/rules.pl | 31 +++++++++++++++++++++++++------ 1 file changed, 25 insertions(+), 6 deletions(-)
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index d533ffb42..29990ee67 100644 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -70,6 +70,7 @@ my %confignatfw=(); my %locationsettings = ( "LOCATIONBLOCK_ENABLED" => "off" ); +my %loaded_ipset_lists=();
my @p2ps=();
@@ -405,8 +406,14 @@ sub buildrules { # Grab location code from hash. my $loc_src = $$hash{$key}[4];
- # Call function to load the networks list for this country.
- &ipset_restore($loc_src);
+ # Check if the network list for this country already has been loaded.
+ unless($loaded_ipset_lists{$loc_src}) {
+ # Call function to load the networks list for this country.
+ &ipset_restore($loc_src);
+
+ # Store to the hash that this list has been loaded.
+ $loaded_ipset_lists{$loc_src} = "1";
+ }
push(@source_options, $source); } elsif($source) { @@ -419,8 +426,14 @@ sub buildrules { # Grab location code from hash. my $loc_dst = $$hash{$key}[6];
- # Call function to load the networks list for this country.
- &ipset_restore($loc_dst);
+ # Check if the network list for this country already has been loaded.
+ unless($loaded_ipset_lists{$loc_dst}) {
+ # Call function to load the networks list for this country.
+ &ipset_restore($loc_dst);
+
+ # Store to the hash that this list has been loaded.
+ $loaded_ipset_lists{$loc_dst} = "1";
+ }
push(@destination_options, $destination); } elsif ($destination) { @@ -683,8 +696,14 @@ sub locationblock { # is enabled. foreach my $location (@locations) { if(exists $locationsettings{$location} && $locationsettings{$location} eq "on") { - # Call function to load the networks list for this country. - &ipset_restore($location); + # Check if the network list for this country already has been loaded. + unless($loaded_ipset_lists{$location}) { + # Call function to load the networks list for this country. + &ipset_restore($location); + + # Store to the hash that this list has been loaded. + $loaded_ipset_lists{$location} = "1"; + }
# Call iptables and create rule to use the loaded ipset list. run("$IPTABLES -A LOCATIONBLOCK -m set --match-set CC_$location src -j DROP");
Reviewed-by: Peter Müller peter.mueller@ipfire.org
When an ipset list get restored, this now will be documented in a hash and this hash also will be checked before restoring a list if this has not be done previously.
This will prevent from restoring the same list multiple times.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
config/firewall/rules.pl | 31 +++++++++++++++++++++++++------ 1 file changed, 25 insertions(+), 6 deletions(-)
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index d533ffb42..29990ee67 100644 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -70,6 +70,7 @@ my %confignatfw=(); my %locationsettings = ( "LOCATIONBLOCK_ENABLED" => "off" ); +my %loaded_ipset_lists=();
my @p2ps=();
@@ -405,8 +406,14 @@ sub buildrules { # Grab location code from hash. my $loc_src = $$hash{$key}[4];
# Call function to load the networks list for this country.
&ipset_restore($loc_src);
# Check if the network list for this country already has been loaded.
unless($loaded_ipset_lists{$loc_src}) {
# Call function to load the networks list for this country.
&ipset_restore($loc_src);
# Store to the hash that this list has been loaded.
$loaded_ipset_lists{$loc_src} = "1";
} push(@source_options, $source); } elsif($source) {
@@ -419,8 +426,14 @@ sub buildrules { # Grab location code from hash. my $loc_dst = $$hash{$key}[6];
# Call function to load the networks list for this country.
&ipset_restore($loc_dst);
# Check if the network list for this country already has been loaded.
unless($loaded_ipset_lists{$loc_dst}) {
# Call function to load the networks list for this country.
&ipset_restore($loc_dst);
# Store to the hash that this list has been loaded.
$loaded_ipset_lists{$loc_dst} = "1";
} push(@destination_options, $destination); } elsif ($destination) {
@@ -683,8 +696,14 @@ sub locationblock { # is enabled. foreach my $location (@locations) { if(exists $locationsettings{$location} && $locationsettings{$location} eq "on") {
# Call function to load the networks list for this country.
&ipset_restore($location);
# Check if the network list for this country already has been loaded.
unless($loaded_ipset_lists{$location}) {
# Call function to load the networks list for this country.
&ipset_restore($location);
# Store to the hash that this list has been loaded.
$loaded_ipset_lists{$location} = "1";
} # Call iptables and create rule to use the loaded ipset list. run("$IPTABLES -A LOCATIONBLOCK -m set --match-set CC_$location src -j DROP");
Hello,
I would have implemented this differently.
Would it not be better to perform the check in ipset_restore() so that you won’t have to copy the code to everywhere you call ipset_restore?
This solution bloats the code slightly.
-Michael
On 14 Feb 2022, at 18:42, Stefan Schantl stefan.schantl@ipfire.org wrote:
When an ipset list get restored, this now will be documented in a hash and this hash also will be checked before restoring a list if this has not be done previously.
This will prevent from restoring the same list multiple times.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
config/firewall/rules.pl | 31 +++++++++++++++++++++++++------ 1 file changed, 25 insertions(+), 6 deletions(-)
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index d533ffb42..29990ee67 100644 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -70,6 +70,7 @@ my %confignatfw=(); my %locationsettings = ( "LOCATIONBLOCK_ENABLED" => "off" ); +my %loaded_ipset_lists=();
my @p2ps=();
@@ -405,8 +406,14 @@ sub buildrules { # Grab location code from hash. my $loc_src = $$hash{$key}[4];
# Call function to load the networks list for this country.
&ipset_restore($loc_src);
# Check if the network list for this country already has been loaded.
unless($loaded_ipset_lists{$loc_src}) {
# Call function to load the networks list for this country.
&ipset_restore($loc_src);
# Store to the hash that this list has been loaded.
$loaded_ipset_lists{$loc_src} = "1";
} push(@source_options, $source); } elsif($source) {
@@ -419,8 +426,14 @@ sub buildrules { # Grab location code from hash. my $loc_dst = $$hash{$key}[6];
# Call function to load the networks list for this country.
&ipset_restore($loc_dst);
# Check if the network list for this country already has been loaded.
unless($loaded_ipset_lists{$loc_dst}) {
# Call function to load the networks list for this country.
&ipset_restore($loc_dst);
# Store to the hash that this list has been loaded.
$loaded_ipset_lists{$loc_dst} = "1";
} push(@destination_options, $destination); } elsif ($destination) {
@@ -683,8 +696,14 @@ sub locationblock { # is enabled. foreach my $location (@locations) { if(exists $locationsettings{$location} && $locationsettings{$location} eq "on") {
# Call function to load the networks list for this country.
&ipset_restore($location);
# Check if the network list for this country already has been loaded.
unless($loaded_ipset_lists{$location}) {
# Call function to load the networks list for this country.
&ipset_restore($location);
# Store to the hash that this list has been loaded.
$loaded_ipset_lists{$location} = "1";
} # Call iptables and create rule to use the loaded ipset list. run("$IPTABLES -A LOCATIONBLOCK -m set --match-set CC_$location src -j DROP");
-- 2.30.2
Hello Michael,
thanks for reviewing and your feedback.
You are absolutely right, it would give us much cleaner code when moving this kind of check into the ipset_restore() function.
I'll send a patch for this.
Best regards,
-Stefan
Hello,
I would have implemented this differently.
Would it not be better to perform the check in ipset_restore() so that you won’t have to copy the code to everywhere you call ipset_restore?
This solution bloats the code slightly.
-Michael
On 14 Feb 2022, at 18:42, Stefan Schantl stefan.schantl@ipfire.org wrote:
When an ipset list get restored, this now will be documented in a hash and this hash also will be checked before restoring a list if this has not be done previously.
This will prevent from restoring the same list multiple times.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
config/firewall/rules.pl | 31 +++++++++++++++++++++++++------ 1 file changed, 25 insertions(+), 6 deletions(-)
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index d533ffb42..29990ee67 100644 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -70,6 +70,7 @@ my %confignatfw=(); my %locationsettings = ( "LOCATIONBLOCK_ENABLED" => "off" ); +my %loaded_ipset_lists=();
my @p2ps=();
@@ -405,8 +406,14 @@ sub buildrules { # Grab location code from hash. my $loc_src = $$hash{$key}[4];
- # Call function to load the networks list for this country.
&ipset_restore($loc_s rc); + # Check if the network list for this country already has been loaded. + unless($loaded_ipse t_lists{$loc_src}) { + # Call function to load the networks list for this country. + &ipset_rest ore($loc_src);
+ # Store to the hash that this list has been loaded. + $loaded_ips et_lists{$loc_src} = "1"; + }
push(@source_option s, $source); } elsif($source) { @@ -419,8 +426,14 @@ sub buildrules { # Grab location code from hash. my $loc_dst = $$hash{$key}[6];
- # Call function to load the networks list for this country.
&ipset_restore($loc_d st); + # Check if the network list for this country already has been loaded. + unless($loaded_ipse t_lists{$loc_dst}) { + # Call function to load the networks list for this country. + &ipset_rest ore($loc_dst);
+ # Store to the hash that this list has been loaded. + $loaded_ips et_lists{$loc_dst} = "1"; + }
push(@destination_o ptions, $destination); } elsif ($destination) { @@ -683,8 +696,14 @@ sub locationblock { # is enabled. foreach my $location (@locations) { if(exists $locationsettings{$location} && $locationsettings{$location} eq "on") { - # Call function to load the networks list for this country. - &ipset_restore($location); + # Check if the network list for this country already has been loaded. + unless($loaded_ipset_lists{$location}) { + # Call function to load the networks list for this country. + &ipset_restore($location);
+ # Store to the hash that this list has been loaded. + $loaded_ipset_lists{$location} = "1"; + }
# Call iptables and create rule to use the loaded ipset list. run("$IPTABLES -A LOCATIONBLOCK -m set -- match-set CC_$location src -j DROP"); -- 2.30.2
This check has now been moved into the ipset_restore() function, which helps to keep the code clean and maintainable.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org --- config/firewall/rules.pl | 43 ++++++++++++++++------------------------ 1 file changed, 17 insertions(+), 26 deletions(-)
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index 25d01e0e3..927c1f2ba 100644 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -404,14 +404,8 @@ sub buildrules { # Grab location code from hash. my $loc_src = $$hash{$key}[4];
- # Check if the network list for this country already has been loaded.
- unless($loaded_ipset_lists{$loc_src}) {
- # Call function to load the networks list for this country.
- &ipset_restore($loc_src);
-
- # Store to the hash that this list has been loaded.
- $loaded_ipset_lists{$loc_src} = "1";
- }
+ # Call function to load the networks list for this country.
+ &ipset_restore($loc_src);
push(@source_options, $source); } elsif($source) { @@ -424,14 +418,8 @@ sub buildrules { # Grab location code from hash. my $loc_dst = $$hash{$key}[6];
- # Check if the network list for this country already has been loaded.
- unless($loaded_ipset_lists{$loc_dst}) {
- # Call function to load the networks list for this country.
- &ipset_restore($loc_dst);
-
- # Store to the hash that this list has been loaded.
- $loaded_ipset_lists{$loc_dst} = "1";
- }
+ # Call function to load the networks list for this country.
+ &ipset_restore($loc_dst);
push(@destination_options, $destination); } elsif ($destination) { @@ -677,14 +665,8 @@ sub locationblock { # is enabled. foreach my $location (@locations) { if(exists $locationsettings{$location} && $locationsettings{$location} eq "on") { - # Check if the network list for this country already has been loaded. - unless($loaded_ipset_lists{$location}) { - # Call function to load the networks list for this country. - &ipset_restore($location); - - # Store to the hash that this list has been loaded. - $loaded_ipset_lists{$location} = "1"; - } + # Call function to load the networks list for this country. + &ipset_restore($location);
# Call iptables and create rule to use the loaded ipset list. run("$IPTABLES -A LOCATIONBLOCK -m set --match-set CC_$location src -j DROP"); @@ -906,14 +888,23 @@ sub firewall_is_in_subnet { }
sub ipset_restore ($) { - my ($ccode) = @_; + my ($list) = @_;
my $file_prefix = "ipset4"; - my $db_file = "$Location::Functions::ipset_db_directory/$ccode.$file_prefix"; + my $db_file = "$Location::Functions::ipset_db_directory/$list.$file_prefix"; + + # Check if the network list already has been loaded. + if($loaded_ipset_lists{$list}) { + # It already has been loaded - so there is nothing to do. + return; + }
# Check if the generated file exists. if (-f $db_file) { # Run ipset and restore the list of the given country code. run("$IPSET restore < $db_file"); + + # Store the restored list name to the hash to prevent from loading it again. + $loaded_ipset_lists{$list} = "1"; } }
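Review bot: `ipset_restore()` gives its callers no way to tell whether a set was loaded: the already-loaded path, the missing-file path and the restored path all return nothing, so the `locationblock` hunk of this patch still appends the `--match-set CC_$location` DROP rule when the export file was absent. iptables normally rejects a rule that names a set which does not exist, so a missing list can end up as a missing block rule rather than a visible error. `$loaded_ipset_lists{$list} = "1";` is also set straight after `run(...)` without looking at its outcome (what `run` returns is not visible in this hunk), which records a failed restore as loaded and prevents a retry. Returning a status, `return 1;` on the already-loaded and restored paths and `return 0;` otherwise, and letting the callers skip or log the rule on failure would close that gap.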
Reviewed-by: Peter Müller peter.mueller@ipfire.org
This check now has been moved to the ipset_restore() function, which will help to keep the code clean and maintain-able.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
config/firewall/rules.pl | 43 ++++++++++++++++------------------------ 1 file changed, 17 insertions(+), 26 deletions(-)
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index 25d01e0e3..927c1f2ba 100644 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -404,14 +404,8 @@ sub buildrules { # Grab location code from hash. my $loc_src = $$hash{$key}[4];
# Check if the network list for this country already has been loaded.
unless($loaded_ipset_lists{$loc_src}) {
# Call function to load the networks list for this country.
&ipset_restore($loc_src);
# Store to the hash that this list has been loaded.
$loaded_ipset_lists{$loc_src} = "1";
}
# Call function to load the networks list for this country.
&ipset_restore($loc_src); push(@source_options, $source); } elsif($source) {
@@ -424,14 +418,8 @@ sub buildrules { # Grab location code from hash. my $loc_dst = $$hash{$key}[6];
# Check if the network list for this country already has been loaded.
unless($loaded_ipset_lists{$loc_dst}) {
# Call function to load the networks list for this country.
&ipset_restore($loc_dst);
# Store to the hash that this list has been loaded.
$loaded_ipset_lists{$loc_dst} = "1";
}
# Call function to load the networks list for this country.
&ipset_restore($loc_dst); push(@destination_options, $destination); } elsif ($destination) {
@@ -677,14 +665,8 @@ sub locationblock { # is enabled. foreach my $location (@locations) { if(exists $locationsettings{$location} && $locationsettings{$location} eq "on") {
# Check if the network list for this country already has been loaded.
unless($loaded_ipset_lists{$location}) {
# Call function to load the networks list for this country.
&ipset_restore($location);
# Store to the hash that this list has been loaded.
$loaded_ipset_lists{$location} = "1";
}
# Call function to load the networks list for this country.
&ipset_restore($location); # Call iptables and create rule to use the loaded ipset list. run("$IPTABLES -A LOCATIONBLOCK -m set --match-set CC_$location src -j DROP");
@@ -906,14 +888,23 @@ sub firewall_is_in_subnet { }
sub ipset_restore ($) {
- my ($ccode) = @_;
my ($list) = @_;
my $file_prefix = "ipset4";
- my $db_file = "$Location::Functions::ipset_db_directory/$ccode.$file_prefix";
my $db_file = "$Location::Functions::ipset_db_directory/$list.$file_prefix";
# Check if the network list already has been loaded.
if($loaded_ipset_lists{$list}) {
# It already has been loaded - so there is nothing to do.
return;
}
# Check if the generated file exists. if (-f $db_file) { # Run ipset and restore the list of the given country code. run("$IPSET restore < $db_file");
# Store the restored list name to the hash to prevent from loading it again.
$loaded_ipset_lists{$list} = "1";
}
}
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org --- config/firewall/rules.pl | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index 29990ee67..162781f7a 100644 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -927,6 +927,12 @@ sub firewall_is_in_subnet { sub ipset_restore ($) { my ($ccode) = @_;
- # Run ipset and restore the list of the given country code. - run("$IPSET restore < $Location::Functions::ipset_db_directory/$ccode.ipset4"); + my $file_prefix = "ipset4"; + my $db_file = "$Location::Functions::ipset_db_directory/$ccode.$file_prefix"; + + # Check if the generated file exists. + if (-f $db_file) { + # Run ipset and restore the list of the given country code. + run("$IPSET restore < $db_file"); + } }
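Review bot: `$ccode` is interpolated into `$db_file` and from there into the shell command line `run("$IPSET restore < $db_file")` without any check on its characters. The added `-f` test only establishes that a regular file of that name exists; it does not keep the path inside `ipset_db_directory` or rule out shell metacharacters in the name. The callers in this series pass values read from the rule hash and the location settings, and whether those are validated upstream is not visible here, so a guard at the top of the sub, e.g. `return unless defined $ccode && $ccode =~ /\A[A-Z0-9]{2}\z/;`, would make the function safe on its own. The pattern matches the two-character names in the rootfiles list and would need widening if other list names are valid.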
Reviewed-by: Peter Müller peter.mueller@ipfire.org
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
config/firewall/rules.pl | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index 29990ee67..162781f7a 100644 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -927,6 +927,12 @@ sub firewall_is_in_subnet { sub ipset_restore ($) { my ($ccode) = @_;
- # Run ipset and restore the list of the given country code.
- run("$IPSET restore < $Location::Functions::ipset_db_directory/$ccode.ipset4");
- my $file_prefix = "ipset4";
- my $db_file = "$Location::Functions::ipset_db_directory/$ccode.$file_prefix";
- # Check if the generated file exists.
- if (-f $db_file) {
# Run ipset and restore the list of the given country code.
run("$IPSET restore < $db_file");
- }
}
Reviewed-by: Michael Tremer michael.tremer@ipfire.org
On 14 Feb 2022, at 21:06, Peter Müller peter.mueller@ipfire.org wrote:
Reviewed-by: Peter Müller peter.mueller@ipfire.org
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
config/firewall/rules.pl | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index 29990ee67..162781f7a 100644 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -927,6 +927,12 @@ sub firewall_is_in_subnet { sub ipset_restore ($) { my ($ccode) = @_;
- # Run ipset and restore the list of the given country code.
- run("$IPSET restore < $Location::Functions::ipset_db_directory/$ccode.ipset4");
- my $file_prefix = "ipset4";
- my $db_file = "$Location::Functions::ipset_db_directory/$ccode.$file_prefix";
- # Check if the generated file exists.
- if (-f $db_file) {
# Run ipset and restore the list of the given country code.
run("$IPSET restore < $db_file");
- }
}
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org --- config/firewall/rules.pl | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index 162781f7a..c0878059a 100644 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -109,6 +109,10 @@ my $POLICY_INPUT_ACTION = $fwoptions{"FWPOLICY2"}; my $POLICY_FORWARD_ACTION = $fwoptions{"FWPOLICY"}; my $POLICY_OUTPUT_ACTION = $fwoptions{"FWPOLICY1"};
+#workaround to suppress a warning when a variable is used only once +my @dummy = ( $Location::Functions::ipset_db_directory ); +undef (@dummy); + # MAIN &main();
Ugly, but I see why this is necessary.
Reviewed-by: Peter Müller peter.mueller@ipfire.org
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
config/firewall/rules.pl | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index 162781f7a..c0878059a 100644 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -109,6 +109,10 @@ my $POLICY_INPUT_ACTION = $fwoptions{"FWPOLICY2"}; my $POLICY_FORWARD_ACTION = $fwoptions{"FWPOLICY"}; my $POLICY_OUTPUT_ACTION = $fwoptions{"FWPOLICY1"};
+#workaround to suppress a warning when a variable is used only once +my @dummy = ( $Location::Functions::ipset_db_directory ); +undef (@dummy);
# MAIN &main();
Is it not possible to disable this kind of warning entirely?
It is a stupid idea.
Does declaring the variable as some sort of constant help?
-Michael
On 14 Feb 2022, at 18:42, Stefan Schantl stefan.schantl@ipfire.org wrote:
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
config/firewall/rules.pl | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index 162781f7a..c0878059a 100644 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -109,6 +109,10 @@ my $POLICY_INPUT_ACTION = $fwoptions{"FWPOLICY2"}; my $POLICY_FORWARD_ACTION = $fwoptions{"FWPOLICY"}; my $POLICY_OUTPUT_ACTION = $fwoptions{"FWPOLICY1"};
+#workaround to suppress a warning when a variable is used only once +my @dummy = ( $Location::Functions::ipset_db_directory ); +undef (@dummy);
# MAIN &main();
-- 2.30.2
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org --- config/rootfiles/common/libloc | 517 +++++++++++++++++---------------- lfs/libloc | 11 +- 2 files changed, 266 insertions(+), 262 deletions(-)
diff --git a/config/rootfiles/common/libloc b/config/rootfiles/common/libloc index 43f9efd9e..64ccfef16 100644 --- a/config/rootfiles/common/libloc +++ b/config/rootfiles/common/libloc 
@@ -36,264 +36,265 @@ usr/lib/python3.8/site-packages/location/i18n.py usr/lib/python3.8/site-packages/location/logger.py #usr/share/locale/de/LC_MESSAGES/libloc.mo #usr/share/man/man3/Location.3 -usr/share/xt_geoip/A1.iv4 -usr/share/xt_geoip/A2.iv4 -usr/share/xt_geoip/A3.iv4 -usr/share/xt_geoip/AD.iv4 -usr/share/xt_geoip/AE.iv4 -usr/share/xt_geoip/AF.iv4 -usr/share/xt_geoip/AG.iv4 -usr/share/xt_geoip/AI.iv4 -usr/share/xt_geoip/AL.iv4 -usr/share/xt_geoip/AM.iv4 -usr/share/xt_geoip/AN.iv4 -usr/share/xt_geoip/AO.iv4 -usr/share/xt_geoip/AP.iv4 -usr/share/xt_geoip/AQ.iv4 -usr/share/xt_geoip/AR.iv4 -usr/share/xt_geoip/AS.iv4 -usr/share/xt_geoip/AT.iv4 -usr/share/xt_geoip/AU.iv4 -usr/share/xt_geoip/AW.iv4 -usr/share/xt_geoip/AX.iv4 -usr/share/xt_geoip/AZ.iv4 -usr/share/xt_geoip/BA.iv4 -usr/share/xt_geoip/BB.iv4 -usr/share/xt_geoip/BD.iv4 -usr/share/xt_geoip/BE.iv4 -usr/share/xt_geoip/BF.iv4 -usr/share/xt_geoip/BG.iv4 -usr/share/xt_geoip/BH.iv4 -usr/share/xt_geoip/BI.iv4 -usr/share/xt_geoip/BJ.iv4 -usr/share/xt_geoip/BL.iv4 -usr/share/xt_geoip/BM.iv4 -usr/share/xt_geoip/BN.iv4 -usr/share/xt_geoip/BO.iv4 -usr/share/xt_geoip/BQ.iv4 -usr/share/xt_geoip/BR.iv4 -usr/share/xt_geoip/BS.iv4 -usr/share/xt_geoip/BT.iv4 -usr/share/xt_geoip/BV.iv4 -usr/share/xt_geoip/BW.iv4 -usr/share/xt_geoip/BY.iv4 -usr/share/xt_geoip/BZ.iv4 -usr/share/xt_geoip/CA.iv4 -usr/share/xt_geoip/CC.iv4 -usr/share/xt_geoip/CD.iv4 -usr/share/xt_geoip/CF.iv4 -usr/share/xt_geoip/CG.iv4 -usr/share/xt_geoip/CH.iv4 -usr/share/xt_geoip/CI.iv4 -usr/share/xt_geoip/CK.iv4 -usr/share/xt_geoip/CL.iv4 -usr/share/xt_geoip/CM.iv4 -usr/share/xt_geoip/CN.iv4 -usr/share/xt_geoip/CO.iv4 -usr/share/xt_geoip/CR.iv4 -usr/share/xt_geoip/CS.iv4 -usr/share/xt_geoip/CU.iv4 -usr/share/xt_geoip/CV.iv4 -usr/share/xt_geoip/CW.iv4 -usr/share/xt_geoip/CX.iv4 -usr/share/xt_geoip/CY.iv4 -usr/share/xt_geoip/CZ.iv4 -usr/share/xt_geoip/DE.iv4 -usr/share/xt_geoip/DJ.iv4 -usr/share/xt_geoip/DK.iv4 -usr/share/xt_geoip/DM.iv4 
-usr/share/xt_geoip/DO.iv4 -usr/share/xt_geoip/DZ.iv4 -usr/share/xt_geoip/EC.iv4 -usr/share/xt_geoip/EE.iv4 -usr/share/xt_geoip/EG.iv4 -usr/share/xt_geoip/EH.iv4 -usr/share/xt_geoip/ER.iv4 -usr/share/xt_geoip/ES.iv4 -usr/share/xt_geoip/ET.iv4 -usr/share/xt_geoip/EU.iv4 -usr/share/xt_geoip/FI.iv4 -usr/share/xt_geoip/FJ.iv4 -usr/share/xt_geoip/FK.iv4 -usr/share/xt_geoip/FM.iv4 -usr/share/xt_geoip/FO.iv4 -usr/share/xt_geoip/FR.iv4 -usr/share/xt_geoip/FX.iv4 -usr/share/xt_geoip/GA.iv4 -usr/share/xt_geoip/GB.iv4 -usr/share/xt_geoip/GD.iv4 -usr/share/xt_geoip/GE.iv4 -usr/share/xt_geoip/GF.iv4 -usr/share/xt_geoip/GG.iv4 -usr/share/xt_geoip/GH.iv4 -usr/share/xt_geoip/GI.iv4 -usr/share/xt_geoip/GL.iv4 -usr/share/xt_geoip/GM.iv4 -usr/share/xt_geoip/GN.iv4 -usr/share/xt_geoip/GP.iv4 -usr/share/xt_geoip/GQ.iv4 -usr/share/xt_geoip/GR.iv4 -usr/share/xt_geoip/GS.iv4 -usr/share/xt_geoip/GT.iv4 -usr/share/xt_geoip/GU.iv4 -usr/share/xt_geoip/GW.iv4 -usr/share/xt_geoip/GY.iv4 -usr/share/xt_geoip/HK.iv4 -usr/share/xt_geoip/HM.iv4 -usr/share/xt_geoip/HN.iv4 -usr/share/xt_geoip/HR.iv4 -usr/share/xt_geoip/HT.iv4 -usr/share/xt_geoip/HU.iv4 -usr/share/xt_geoip/ID.iv4 -usr/share/xt_geoip/IE.iv4 -usr/share/xt_geoip/IL.iv4 -usr/share/xt_geoip/IM.iv4 -usr/share/xt_geoip/IN.iv4 -usr/share/xt_geoip/IO.iv4 -usr/share/xt_geoip/IQ.iv4 -usr/share/xt_geoip/IR.iv4 -usr/share/xt_geoip/IS.iv4 -usr/share/xt_geoip/IT.iv4 -usr/share/xt_geoip/JE.iv4 -usr/share/xt_geoip/JM.iv4 -usr/share/xt_geoip/JO.iv4 -usr/share/xt_geoip/JP.iv4 -usr/share/xt_geoip/KE.iv4 -usr/share/xt_geoip/KG.iv4 -usr/share/xt_geoip/KH.iv4 -usr/share/xt_geoip/KI.iv4 -usr/share/xt_geoip/KM.iv4 -usr/share/xt_geoip/KN.iv4 -usr/share/xt_geoip/KP.iv4 -usr/share/xt_geoip/KR.iv4 -usr/share/xt_geoip/KW.iv4 -usr/share/xt_geoip/KY.iv4 -usr/share/xt_geoip/KZ.iv4 -usr/share/xt_geoip/LA.iv4 -usr/share/xt_geoip/LB.iv4 -usr/share/xt_geoip/LC.iv4 -usr/share/xt_geoip/LI.iv4 -usr/share/xt_geoip/LK.iv4 -usr/share/xt_geoip/LR.iv4 -usr/share/xt_geoip/LS.iv4 
-usr/share/xt_geoip/LT.iv4 -usr/share/xt_geoip/LU.iv4 -usr/share/xt_geoip/LV.iv4 -usr/share/xt_geoip/LY.iv4 -usr/share/xt_geoip/MA.iv4 -usr/share/xt_geoip/MC.iv4 -usr/share/xt_geoip/MD.iv4 -usr/share/xt_geoip/ME.iv4 -usr/share/xt_geoip/MF.iv4 -usr/share/xt_geoip/MG.iv4 -usr/share/xt_geoip/MH.iv4 -usr/share/xt_geoip/MK.iv4 -usr/share/xt_geoip/ML.iv4 -usr/share/xt_geoip/MM.iv4 -usr/share/xt_geoip/MN.iv4 -usr/share/xt_geoip/MO.iv4 -usr/share/xt_geoip/MP.iv4 -usr/share/xt_geoip/MQ.iv4 -usr/share/xt_geoip/MR.iv4 -usr/share/xt_geoip/MS.iv4 -usr/share/xt_geoip/MT.iv4 -usr/share/xt_geoip/MU.iv4 -usr/share/xt_geoip/MV.iv4 -usr/share/xt_geoip/MW.iv4 -usr/share/xt_geoip/MX.iv4 -usr/share/xt_geoip/MY.iv4 -usr/share/xt_geoip/MZ.iv4 -usr/share/xt_geoip/NA.iv4 -usr/share/xt_geoip/NC.iv4 -usr/share/xt_geoip/NE.iv4 -usr/share/xt_geoip/NF.iv4 -usr/share/xt_geoip/NG.iv4 -usr/share/xt_geoip/NI.iv4 -usr/share/xt_geoip/NL.iv4 -usr/share/xt_geoip/NO.iv4 -usr/share/xt_geoip/NP.iv4 -usr/share/xt_geoip/NR.iv4 -usr/share/xt_geoip/NU.iv4 -usr/share/xt_geoip/NZ.iv4 -usr/share/xt_geoip/OM.iv4 -usr/share/xt_geoip/PA.iv4 -usr/share/xt_geoip/PE.iv4 -usr/share/xt_geoip/PF.iv4 -usr/share/xt_geoip/PG.iv4 -usr/share/xt_geoip/PH.iv4 -usr/share/xt_geoip/PK.iv4 -usr/share/xt_geoip/PL.iv4 -usr/share/xt_geoip/PM.iv4 -usr/share/xt_geoip/PN.iv4 -usr/share/xt_geoip/PR.iv4 -usr/share/xt_geoip/PS.iv4 -usr/share/xt_geoip/PT.iv4 -usr/share/xt_geoip/PW.iv4 -usr/share/xt_geoip/PY.iv4 -usr/share/xt_geoip/QA.iv4 -usr/share/xt_geoip/RE.iv4 -usr/share/xt_geoip/RO.iv4 -usr/share/xt_geoip/RS.iv4 -usr/share/xt_geoip/RU.iv4 -usr/share/xt_geoip/RW.iv4 -usr/share/xt_geoip/SA.iv4 -usr/share/xt_geoip/SB.iv4 -usr/share/xt_geoip/SC.iv4 -usr/share/xt_geoip/SD.iv4 -usr/share/xt_geoip/SE.iv4 -usr/share/xt_geoip/SG.iv4 -usr/share/xt_geoip/SH.iv4 -usr/share/xt_geoip/SI.iv4 -usr/share/xt_geoip/SJ.iv4 -usr/share/xt_geoip/SK.iv4 -usr/share/xt_geoip/SL.iv4 -usr/share/xt_geoip/SM.iv4 -usr/share/xt_geoip/SN.iv4 -usr/share/xt_geoip/SO.iv4 
-usr/share/xt_geoip/SR.iv4 -usr/share/xt_geoip/SS.iv4 -usr/share/xt_geoip/ST.iv4 -usr/share/xt_geoip/SV.iv4 -usr/share/xt_geoip/SX.iv4 -usr/share/xt_geoip/SY.iv4 -usr/share/xt_geoip/SZ.iv4 -usr/share/xt_geoip/TC.iv4 -usr/share/xt_geoip/TD.iv4 -usr/share/xt_geoip/TF.iv4 -usr/share/xt_geoip/TG.iv4 -usr/share/xt_geoip/TH.iv4 -usr/share/xt_geoip/TJ.iv4 -usr/share/xt_geoip/TK.iv4 -usr/share/xt_geoip/TL.iv4 -usr/share/xt_geoip/TM.iv4 -usr/share/xt_geoip/TN.iv4 -usr/share/xt_geoip/TO.iv4 -usr/share/xt_geoip/TR.iv4 -usr/share/xt_geoip/TT.iv4 -usr/share/xt_geoip/TV.iv4 -usr/share/xt_geoip/TW.iv4 -usr/share/xt_geoip/TZ.iv4 -usr/share/xt_geoip/UA.iv4 -usr/share/xt_geoip/UG.iv4 -usr/share/xt_geoip/UM.iv4 -usr/share/xt_geoip/US.iv4 -usr/share/xt_geoip/UY.iv4 -usr/share/xt_geoip/UZ.iv4 -usr/share/xt_geoip/VA.iv4 -usr/share/xt_geoip/VC.iv4 -usr/share/xt_geoip/VE.iv4 -usr/share/xt_geoip/VG.iv4 -usr/share/xt_geoip/VI.iv4 -usr/share/xt_geoip/VN.iv4 -usr/share/xt_geoip/VU.iv4 -usr/share/xt_geoip/WF.iv4 -usr/share/xt_geoip/WS.iv4 -usr/share/xt_geoip/XD.iv4 -usr/share/xt_geoip/YE.iv4 -usr/share/xt_geoip/YT.iv4 -usr/share/xt_geoip/ZA.iv4 -usr/share/xt_geoip/ZM.iv4 -usr/share/xt_geoip/ZW.iv4 #var/lib/location var/lib/location/database.db +var/lib/location/ipset +var/lib/location/ipset/A1.ipset4 +var/lib/location/ipset/A2.ipset4 +var/lib/location/ipset/A3.ipset4 +var/lib/location/ipset/AD.ipset4 +var/lib/location/ipset/AE.ipset4 +var/lib/location/ipset/AF.ipset4 +var/lib/location/ipset/AG.ipset4 +var/lib/location/ipset/AI.ipset4 +var/lib/location/ipset/AL.ipset4 +var/lib/location/ipset/AM.ipset4 +var/lib/location/ipset/AN.ipset4 +var/lib/location/ipset/AO.ipset4 +var/lib/location/ipset/AP.ipset4 +var/lib/location/ipset/AQ.ipset4 +var/lib/location/ipset/AR.ipset4 +var/lib/location/ipset/AS.ipset4 +var/lib/location/ipset/AT.ipset4 +var/lib/location/ipset/AU.ipset4 +var/lib/location/ipset/AW.ipset4 +var/lib/location/ipset/AX.ipset4 +var/lib/location/ipset/AZ.ipset4 
+var/lib/location/ipset/BA.ipset4 +var/lib/location/ipset/BB.ipset4 +var/lib/location/ipset/BD.ipset4 +var/lib/location/ipset/BE.ipset4 +var/lib/location/ipset/BF.ipset4 +var/lib/location/ipset/BG.ipset4 +var/lib/location/ipset/BH.ipset4 +var/lib/location/ipset/BI.ipset4 +var/lib/location/ipset/BJ.ipset4 +var/lib/location/ipset/BL.ipset4 +var/lib/location/ipset/BM.ipset4 +var/lib/location/ipset/BN.ipset4 +var/lib/location/ipset/BO.ipset4 +var/lib/location/ipset/BQ.ipset4 +var/lib/location/ipset/BR.ipset4 +var/lib/location/ipset/BS.ipset4 +var/lib/location/ipset/BT.ipset4 +var/lib/location/ipset/BV.ipset4 +var/lib/location/ipset/BW.ipset4 +var/lib/location/ipset/BY.ipset4 +var/lib/location/ipset/BZ.ipset4 +var/lib/location/ipset/CA.ipset4 +var/lib/location/ipset/CC.ipset4 +var/lib/location/ipset/CD.ipset4 +var/lib/location/ipset/CF.ipset4 +var/lib/location/ipset/CG.ipset4 +var/lib/location/ipset/CH.ipset4 +var/lib/location/ipset/CI.ipset4 +var/lib/location/ipset/CK.ipset4 +var/lib/location/ipset/CL.ipset4 +var/lib/location/ipset/CM.ipset4 +var/lib/location/ipset/CN.ipset4 +var/lib/location/ipset/CO.ipset4 +var/lib/location/ipset/CR.ipset4 +var/lib/location/ipset/CS.ipset4 +var/lib/location/ipset/CU.ipset4 +var/lib/location/ipset/CV.ipset4 +var/lib/location/ipset/CW.ipset4 +var/lib/location/ipset/CX.ipset4 +var/lib/location/ipset/CY.ipset4 +var/lib/location/ipset/CZ.ipset4 +var/lib/location/ipset/DE.ipset4 +var/lib/location/ipset/DJ.ipset4 +var/lib/location/ipset/DK.ipset4 +var/lib/location/ipset/DM.ipset4 +var/lib/location/ipset/DO.ipset4 +var/lib/location/ipset/DZ.ipset4 +var/lib/location/ipset/EC.ipset4 +var/lib/location/ipset/EE.ipset4 +var/lib/location/ipset/EG.ipset4 +var/lib/location/ipset/EH.ipset4 +var/lib/location/ipset/ER.ipset4 +var/lib/location/ipset/ES.ipset4 +var/lib/location/ipset/ET.ipset4 +var/lib/location/ipset/EU.ipset4 +var/lib/location/ipset/FI.ipset4 +var/lib/location/ipset/FJ.ipset4 +var/lib/location/ipset/FK.ipset4 
+var/lib/location/ipset/FM.ipset4 +var/lib/location/ipset/FO.ipset4 +var/lib/location/ipset/FR.ipset4 +var/lib/location/ipset/FX.ipset4 +var/lib/location/ipset/GA.ipset4 +var/lib/location/ipset/GB.ipset4 +var/lib/location/ipset/GD.ipset4 +var/lib/location/ipset/GE.ipset4 +var/lib/location/ipset/GF.ipset4 +var/lib/location/ipset/GG.ipset4 +var/lib/location/ipset/GH.ipset4 +var/lib/location/ipset/GI.ipset4 +var/lib/location/ipset/GL.ipset4 +var/lib/location/ipset/GM.ipset4 +var/lib/location/ipset/GN.ipset4 +var/lib/location/ipset/GP.ipset4 +var/lib/location/ipset/GQ.ipset4 +var/lib/location/ipset/GR.ipset4 +var/lib/location/ipset/GS.ipset4 +var/lib/location/ipset/GT.ipset4 +var/lib/location/ipset/GU.ipset4 +var/lib/location/ipset/GW.ipset4 +var/lib/location/ipset/GY.ipset4 +var/lib/location/ipset/HK.ipset4 +var/lib/location/ipset/HM.ipset4 +var/lib/location/ipset/HN.ipset4 +var/lib/location/ipset/HR.ipset4 +var/lib/location/ipset/HT.ipset4 +var/lib/location/ipset/HU.ipset4 +var/lib/location/ipset/ID.ipset4 +var/lib/location/ipset/IE.ipset4 +var/lib/location/ipset/IL.ipset4 +var/lib/location/ipset/IM.ipset4 +var/lib/location/ipset/IN.ipset4 +var/lib/location/ipset/IO.ipset4 +var/lib/location/ipset/IQ.ipset4 +var/lib/location/ipset/IR.ipset4 +var/lib/location/ipset/IS.ipset4 +var/lib/location/ipset/IT.ipset4 +var/lib/location/ipset/JE.ipset4 +var/lib/location/ipset/JM.ipset4 +var/lib/location/ipset/JO.ipset4 +var/lib/location/ipset/JP.ipset4 +var/lib/location/ipset/KE.ipset4 +var/lib/location/ipset/KG.ipset4 +var/lib/location/ipset/KH.ipset4 +var/lib/location/ipset/KI.ipset4 +var/lib/location/ipset/KM.ipset4 +var/lib/location/ipset/KN.ipset4 +var/lib/location/ipset/KP.ipset4 +var/lib/location/ipset/KR.ipset4 +var/lib/location/ipset/KW.ipset4 +var/lib/location/ipset/KY.ipset4 +var/lib/location/ipset/KZ.ipset4 +var/lib/location/ipset/LA.ipset4 +var/lib/location/ipset/LB.ipset4 +var/lib/location/ipset/LC.ipset4 +var/lib/location/ipset/LI.ipset4 
+var/lib/location/ipset/LK.ipset4 +var/lib/location/ipset/LR.ipset4 +var/lib/location/ipset/LS.ipset4 +var/lib/location/ipset/LT.ipset4 +var/lib/location/ipset/LU.ipset4 +var/lib/location/ipset/LV.ipset4 +var/lib/location/ipset/LY.ipset4 +var/lib/location/ipset/MA.ipset4 +var/lib/location/ipset/MC.ipset4 +var/lib/location/ipset/MD.ipset4 +var/lib/location/ipset/ME.ipset4 +var/lib/location/ipset/MF.ipset4 +var/lib/location/ipset/MG.ipset4 +var/lib/location/ipset/MH.ipset4 +var/lib/location/ipset/MK.ipset4 +var/lib/location/ipset/ML.ipset4 +var/lib/location/ipset/MM.ipset4 +var/lib/location/ipset/MN.ipset4 +var/lib/location/ipset/MO.ipset4 +var/lib/location/ipset/MP.ipset4 +var/lib/location/ipset/MQ.ipset4 +var/lib/location/ipset/MR.ipset4 +var/lib/location/ipset/MS.ipset4 +var/lib/location/ipset/MT.ipset4 +var/lib/location/ipset/MU.ipset4 +var/lib/location/ipset/MV.ipset4 +var/lib/location/ipset/MW.ipset4 +var/lib/location/ipset/MX.ipset4 +var/lib/location/ipset/MY.ipset4 +var/lib/location/ipset/MZ.ipset4 +var/lib/location/ipset/NA.ipset4 +var/lib/location/ipset/NC.ipset4 +var/lib/location/ipset/NE.ipset4 +var/lib/location/ipset/NF.ipset4 +var/lib/location/ipset/NG.ipset4 +var/lib/location/ipset/NI.ipset4 +var/lib/location/ipset/NL.ipset4 +var/lib/location/ipset/NO.ipset4 +var/lib/location/ipset/NP.ipset4 +var/lib/location/ipset/NR.ipset4 +var/lib/location/ipset/NU.ipset4 +var/lib/location/ipset/NZ.ipset4 +var/lib/location/ipset/OM.ipset4 +var/lib/location/ipset/PA.ipset4 +var/lib/location/ipset/PE.ipset4 +var/lib/location/ipset/PF.ipset4 +var/lib/location/ipset/PG.ipset4 +var/lib/location/ipset/PH.ipset4 +var/lib/location/ipset/PK.ipset4 +var/lib/location/ipset/PL.ipset4 +var/lib/location/ipset/PM.ipset4 +var/lib/location/ipset/PN.ipset4 +var/lib/location/ipset/PR.ipset4 +var/lib/location/ipset/PS.ipset4 +var/lib/location/ipset/PT.ipset4 +var/lib/location/ipset/PW.ipset4 +var/lib/location/ipset/PY.ipset4 +var/lib/location/ipset/QA.ipset4 
+var/lib/location/ipset/RE.ipset4 +var/lib/location/ipset/RO.ipset4 +var/lib/location/ipset/RS.ipset4 +var/lib/location/ipset/RU.ipset4 +var/lib/location/ipset/RW.ipset4 +var/lib/location/ipset/SA.ipset4 +var/lib/location/ipset/SB.ipset4 +var/lib/location/ipset/SC.ipset4 +var/lib/location/ipset/SD.ipset4 +var/lib/location/ipset/SE.ipset4 +var/lib/location/ipset/SG.ipset4 +var/lib/location/ipset/SH.ipset4 +var/lib/location/ipset/SI.ipset4 +var/lib/location/ipset/SJ.ipset4 +var/lib/location/ipset/SK.ipset4 +var/lib/location/ipset/SL.ipset4 +var/lib/location/ipset/SM.ipset4 +var/lib/location/ipset/SN.ipset4 +var/lib/location/ipset/SO.ipset4 +var/lib/location/ipset/SR.ipset4 +var/lib/location/ipset/SS.ipset4 +var/lib/location/ipset/ST.ipset4 +var/lib/location/ipset/SV.ipset4 +var/lib/location/ipset/SX.ipset4 +var/lib/location/ipset/SY.ipset4 +var/lib/location/ipset/SZ.ipset4 +var/lib/location/ipset/TC.ipset4 +var/lib/location/ipset/TD.ipset4 +var/lib/location/ipset/TF.ipset4 +var/lib/location/ipset/TG.ipset4 +var/lib/location/ipset/TH.ipset4 +var/lib/location/ipset/TJ.ipset4 +var/lib/location/ipset/TK.ipset4 +var/lib/location/ipset/TL.ipset4 +var/lib/location/ipset/TM.ipset4 +var/lib/location/ipset/TN.ipset4 +var/lib/location/ipset/TO.ipset4 +var/lib/location/ipset/TR.ipset4 +var/lib/location/ipset/TT.ipset4 +var/lib/location/ipset/TV.ipset4 +var/lib/location/ipset/TW.ipset4 +var/lib/location/ipset/TZ.ipset4 +var/lib/location/ipset/UA.ipset4 +var/lib/location/ipset/UG.ipset4 +var/lib/location/ipset/UM.ipset4 +var/lib/location/ipset/US.ipset4 +var/lib/location/ipset/UY.ipset4 +var/lib/location/ipset/UZ.ipset4 +var/lib/location/ipset/VA.ipset4 +var/lib/location/ipset/VC.ipset4 +var/lib/location/ipset/VE.ipset4 +var/lib/location/ipset/VG.ipset4 +var/lib/location/ipset/VI.ipset4 +var/lib/location/ipset/VN.ipset4 +var/lib/location/ipset/VU.ipset4 +var/lib/location/ipset/WF.ipset4 +var/lib/location/ipset/WS.ipset4 +var/lib/location/ipset/XD.ipset4 
+var/lib/location/ipset/YE.ipset4
+var/lib/location/ipset/YT.ipset4
+var/lib/location/ipset/ZA.ipset4
+var/lib/location/ipset/ZM.ipset4
+var/lib/location/ipset/ZW.ipset4
 var/lib/location/signing-key.pem
diff --git a/lfs/libloc b/lfs/libloc
index 99f0c30bd..1de135b52 100644
--- a/lfs/libloc
+++ b/lfs/libloc
@@ -93,14 +93,17 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 cd $(DIR_APP) && rm -f /var/lib/location/database.db
 cd $(DIR_APP) && xz -d /var/lib/location/database.db.xz
- # Launch location util and export all locations in xt_geoip format.
+ # Create directory for ipset databases.
+ cd $(DIR_APP) && mkdir -pv /var/lib/location/ipset
+
+ # Launch location util and export all locations in ipset compatible format.
 cd $(DIR_APP) && /usr/bin/location export \
- --directory=/usr/share/xt_geoip \
+ --directory=/var/lib/location/ipset \
 --family=ipv4 \
- --format=xt_geoip
+ --format=ipset
 # Remove exported IPv6 zones.
- cd $(DIR_APP) && rm -rvf /usr/share/xt_geoip/*.iv6
+ cd $(DIR_APP) && rm -rvf /var/lib/location/ipset/*.ipset6
 @rm -rf $(DIR_APP)
 @$(POSTBUILD)
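Review bot: The `/usr/bin/location export` step reads the database that `xz -d` has just unpacked, and nothing visible in this hunk checks that database before the per-country sets are written to /var/lib/location/ipset. Since the signing key is shipped next to it (var/lib/location/signing-key.pem in the rootfile), I would run `cd $(DIR_APP) && /usr/bin/location verify` ahead of the `mkdir -pv` line, so that a truncated or altered database fails the build instead of producing incomplete sets; if the download step already pins a checksum for the .xz, this is defence in depth. Separately, the cleanup only removes regular files, so `rm -vf /var/lib/location/ipset/*.ipset6` is enough, and its comment could say why .ipset6 files appear at all when `--family=ipv4` is passed. The recipe for $(TARGET) starts above the hunk, and the same hunk is quoted again further down the thread.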
Reviewed-by: Peter Müller peter.mueller@ipfire.org
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
config/rootfiles/common/libloc | 517 +++++++++++++++++---------------- lfs/libloc | 11 +- 2 files changed, 266 insertions(+), 262 deletions(-)
diff --git a/config/rootfiles/common/libloc b/config/rootfiles/common/libloc index 43f9efd9e..64ccfef16 100644 --- a/config/rootfiles/common/libloc +++ b/config/rootfiles/common/libloc 
@@ -36,264 +36,265 @@ usr/lib/python3.8/site-packages/location/i18n.py usr/lib/python3.8/site-packages/location/logger.py #usr/share/locale/de/LC_MESSAGES/libloc.mo #usr/share/man/man3/Location.3 -usr/share/xt_geoip/A1.iv4 -usr/share/xt_geoip/A2.iv4 -usr/share/xt_geoip/A3.iv4 -usr/share/xt_geoip/AD.iv4 -usr/share/xt_geoip/AE.iv4 -usr/share/xt_geoip/AF.iv4 -usr/share/xt_geoip/AG.iv4 -usr/share/xt_geoip/AI.iv4 -usr/share/xt_geoip/AL.iv4 -usr/share/xt_geoip/AM.iv4 -usr/share/xt_geoip/AN.iv4 -usr/share/xt_geoip/AO.iv4 -usr/share/xt_geoip/AP.iv4 -usr/share/xt_geoip/AQ.iv4 -usr/share/xt_geoip/AR.iv4 -usr/share/xt_geoip/AS.iv4 -usr/share/xt_geoip/AT.iv4 -usr/share/xt_geoip/AU.iv4 -usr/share/xt_geoip/AW.iv4 -usr/share/xt_geoip/AX.iv4 -usr/share/xt_geoip/AZ.iv4 -usr/share/xt_geoip/BA.iv4 -usr/share/xt_geoip/BB.iv4 -usr/share/xt_geoip/BD.iv4 -usr/share/xt_geoip/BE.iv4 -usr/share/xt_geoip/BF.iv4 -usr/share/xt_geoip/BG.iv4 -usr/share/xt_geoip/BH.iv4 -usr/share/xt_geoip/BI.iv4 -usr/share/xt_geoip/BJ.iv4 -usr/share/xt_geoip/BL.iv4 -usr/share/xt_geoip/BM.iv4 -usr/share/xt_geoip/BN.iv4 -usr/share/xt_geoip/BO.iv4 -usr/share/xt_geoip/BQ.iv4 -usr/share/xt_geoip/BR.iv4 -usr/share/xt_geoip/BS.iv4 -usr/share/xt_geoip/BT.iv4 -usr/share/xt_geoip/BV.iv4 -usr/share/xt_geoip/BW.iv4 -usr/share/xt_geoip/BY.iv4 -usr/share/xt_geoip/BZ.iv4 -usr/share/xt_geoip/CA.iv4 -usr/share/xt_geoip/CC.iv4 -usr/share/xt_geoip/CD.iv4 -usr/share/xt_geoip/CF.iv4 -usr/share/xt_geoip/CG.iv4 -usr/share/xt_geoip/CH.iv4 -usr/share/xt_geoip/CI.iv4 -usr/share/xt_geoip/CK.iv4 -usr/share/xt_geoip/CL.iv4 -usr/share/xt_geoip/CM.iv4 -usr/share/xt_geoip/CN.iv4 -usr/share/xt_geoip/CO.iv4 -usr/share/xt_geoip/CR.iv4 -usr/share/xt_geoip/CS.iv4 -usr/share/xt_geoip/CU.iv4 -usr/share/xt_geoip/CV.iv4 -usr/share/xt_geoip/CW.iv4 -usr/share/xt_geoip/CX.iv4 -usr/share/xt_geoip/CY.iv4 -usr/share/xt_geoip/CZ.iv4 -usr/share/xt_geoip/DE.iv4 -usr/share/xt_geoip/DJ.iv4 -usr/share/xt_geoip/DK.iv4 -usr/share/xt_geoip/DM.iv4 
-usr/share/xt_geoip/DO.iv4 -usr/share/xt_geoip/DZ.iv4 -usr/share/xt_geoip/EC.iv4 -usr/share/xt_geoip/EE.iv4 -usr/share/xt_geoip/EG.iv4 -usr/share/xt_geoip/EH.iv4 -usr/share/xt_geoip/ER.iv4 -usr/share/xt_geoip/ES.iv4 -usr/share/xt_geoip/ET.iv4 -usr/share/xt_geoip/EU.iv4 -usr/share/xt_geoip/FI.iv4 -usr/share/xt_geoip/FJ.iv4 -usr/share/xt_geoip/FK.iv4 -usr/share/xt_geoip/FM.iv4 -usr/share/xt_geoip/FO.iv4 -usr/share/xt_geoip/FR.iv4 -usr/share/xt_geoip/FX.iv4 -usr/share/xt_geoip/GA.iv4 -usr/share/xt_geoip/GB.iv4 -usr/share/xt_geoip/GD.iv4 -usr/share/xt_geoip/GE.iv4 -usr/share/xt_geoip/GF.iv4 -usr/share/xt_geoip/GG.iv4 -usr/share/xt_geoip/GH.iv4 -usr/share/xt_geoip/GI.iv4 -usr/share/xt_geoip/GL.iv4 -usr/share/xt_geoip/GM.iv4 -usr/share/xt_geoip/GN.iv4 -usr/share/xt_geoip/GP.iv4 -usr/share/xt_geoip/GQ.iv4 -usr/share/xt_geoip/GR.iv4 -usr/share/xt_geoip/GS.iv4 -usr/share/xt_geoip/GT.iv4 -usr/share/xt_geoip/GU.iv4 -usr/share/xt_geoip/GW.iv4 -usr/share/xt_geoip/GY.iv4 -usr/share/xt_geoip/HK.iv4 -usr/share/xt_geoip/HM.iv4 -usr/share/xt_geoip/HN.iv4 -usr/share/xt_geoip/HR.iv4 -usr/share/xt_geoip/HT.iv4 -usr/share/xt_geoip/HU.iv4 -usr/share/xt_geoip/ID.iv4 -usr/share/xt_geoip/IE.iv4 -usr/share/xt_geoip/IL.iv4 -usr/share/xt_geoip/IM.iv4 -usr/share/xt_geoip/IN.iv4 -usr/share/xt_geoip/IO.iv4 -usr/share/xt_geoip/IQ.iv4 -usr/share/xt_geoip/IR.iv4 -usr/share/xt_geoip/IS.iv4 -usr/share/xt_geoip/IT.iv4 -usr/share/xt_geoip/JE.iv4 -usr/share/xt_geoip/JM.iv4 -usr/share/xt_geoip/JO.iv4 -usr/share/xt_geoip/JP.iv4 -usr/share/xt_geoip/KE.iv4 -usr/share/xt_geoip/KG.iv4 -usr/share/xt_geoip/KH.iv4 -usr/share/xt_geoip/KI.iv4 -usr/share/xt_geoip/KM.iv4 -usr/share/xt_geoip/KN.iv4 -usr/share/xt_geoip/KP.iv4 -usr/share/xt_geoip/KR.iv4 -usr/share/xt_geoip/KW.iv4 -usr/share/xt_geoip/KY.iv4 -usr/share/xt_geoip/KZ.iv4 -usr/share/xt_geoip/LA.iv4 -usr/share/xt_geoip/LB.iv4 -usr/share/xt_geoip/LC.iv4 -usr/share/xt_geoip/LI.iv4 -usr/share/xt_geoip/LK.iv4 -usr/share/xt_geoip/LR.iv4 -usr/share/xt_geoip/LS.iv4 
-usr/share/xt_geoip/LT.iv4 -usr/share/xt_geoip/LU.iv4 -usr/share/xt_geoip/LV.iv4 -usr/share/xt_geoip/LY.iv4 -usr/share/xt_geoip/MA.iv4 -usr/share/xt_geoip/MC.iv4 -usr/share/xt_geoip/MD.iv4 -usr/share/xt_geoip/ME.iv4 -usr/share/xt_geoip/MF.iv4 -usr/share/xt_geoip/MG.iv4 -usr/share/xt_geoip/MH.iv4 -usr/share/xt_geoip/MK.iv4 -usr/share/xt_geoip/ML.iv4 -usr/share/xt_geoip/MM.iv4 -usr/share/xt_geoip/MN.iv4 -usr/share/xt_geoip/MO.iv4 -usr/share/xt_geoip/MP.iv4 -usr/share/xt_geoip/MQ.iv4 -usr/share/xt_geoip/MR.iv4 -usr/share/xt_geoip/MS.iv4 -usr/share/xt_geoip/MT.iv4 -usr/share/xt_geoip/MU.iv4 -usr/share/xt_geoip/MV.iv4 -usr/share/xt_geoip/MW.iv4 -usr/share/xt_geoip/MX.iv4 -usr/share/xt_geoip/MY.iv4 -usr/share/xt_geoip/MZ.iv4 -usr/share/xt_geoip/NA.iv4 -usr/share/xt_geoip/NC.iv4 -usr/share/xt_geoip/NE.iv4 -usr/share/xt_geoip/NF.iv4 -usr/share/xt_geoip/NG.iv4 -usr/share/xt_geoip/NI.iv4 -usr/share/xt_geoip/NL.iv4 -usr/share/xt_geoip/NO.iv4 -usr/share/xt_geoip/NP.iv4 -usr/share/xt_geoip/NR.iv4 -usr/share/xt_geoip/NU.iv4 -usr/share/xt_geoip/NZ.iv4 -usr/share/xt_geoip/OM.iv4 -usr/share/xt_geoip/PA.iv4 -usr/share/xt_geoip/PE.iv4 -usr/share/xt_geoip/PF.iv4 -usr/share/xt_geoip/PG.iv4 -usr/share/xt_geoip/PH.iv4 -usr/share/xt_geoip/PK.iv4 -usr/share/xt_geoip/PL.iv4 -usr/share/xt_geoip/PM.iv4 -usr/share/xt_geoip/PN.iv4 -usr/share/xt_geoip/PR.iv4 -usr/share/xt_geoip/PS.iv4 -usr/share/xt_geoip/PT.iv4 -usr/share/xt_geoip/PW.iv4 -usr/share/xt_geoip/PY.iv4 -usr/share/xt_geoip/QA.iv4 -usr/share/xt_geoip/RE.iv4 -usr/share/xt_geoip/RO.iv4 -usr/share/xt_geoip/RS.iv4 -usr/share/xt_geoip/RU.iv4 -usr/share/xt_geoip/RW.iv4 -usr/share/xt_geoip/SA.iv4 -usr/share/xt_geoip/SB.iv4 -usr/share/xt_geoip/SC.iv4 -usr/share/xt_geoip/SD.iv4 -usr/share/xt_geoip/SE.iv4 -usr/share/xt_geoip/SG.iv4 -usr/share/xt_geoip/SH.iv4 -usr/share/xt_geoip/SI.iv4 -usr/share/xt_geoip/SJ.iv4 -usr/share/xt_geoip/SK.iv4 -usr/share/xt_geoip/SL.iv4 -usr/share/xt_geoip/SM.iv4 -usr/share/xt_geoip/SN.iv4 -usr/share/xt_geoip/SO.iv4 
-usr/share/xt_geoip/SR.iv4 -usr/share/xt_geoip/SS.iv4 -usr/share/xt_geoip/ST.iv4 -usr/share/xt_geoip/SV.iv4 -usr/share/xt_geoip/SX.iv4 -usr/share/xt_geoip/SY.iv4 -usr/share/xt_geoip/SZ.iv4 -usr/share/xt_geoip/TC.iv4 -usr/share/xt_geoip/TD.iv4 -usr/share/xt_geoip/TF.iv4 -usr/share/xt_geoip/TG.iv4 -usr/share/xt_geoip/TH.iv4 -usr/share/xt_geoip/TJ.iv4 -usr/share/xt_geoip/TK.iv4 -usr/share/xt_geoip/TL.iv4 -usr/share/xt_geoip/TM.iv4 -usr/share/xt_geoip/TN.iv4 -usr/share/xt_geoip/TO.iv4 -usr/share/xt_geoip/TR.iv4 -usr/share/xt_geoip/TT.iv4 -usr/share/xt_geoip/TV.iv4 -usr/share/xt_geoip/TW.iv4 -usr/share/xt_geoip/TZ.iv4 -usr/share/xt_geoip/UA.iv4 -usr/share/xt_geoip/UG.iv4 -usr/share/xt_geoip/UM.iv4 -usr/share/xt_geoip/US.iv4 -usr/share/xt_geoip/UY.iv4 -usr/share/xt_geoip/UZ.iv4 -usr/share/xt_geoip/VA.iv4 -usr/share/xt_geoip/VC.iv4 -usr/share/xt_geoip/VE.iv4 -usr/share/xt_geoip/VG.iv4 -usr/share/xt_geoip/VI.iv4 -usr/share/xt_geoip/VN.iv4 -usr/share/xt_geoip/VU.iv4 -usr/share/xt_geoip/WF.iv4 -usr/share/xt_geoip/WS.iv4 -usr/share/xt_geoip/XD.iv4 -usr/share/xt_geoip/YE.iv4 -usr/share/xt_geoip/YT.iv4 -usr/share/xt_geoip/ZA.iv4 -usr/share/xt_geoip/ZM.iv4 -usr/share/xt_geoip/ZW.iv4 #var/lib/location var/lib/location/database.db +var/lib/location/ipset +var/lib/location/ipset/A1.ipset4 +var/lib/location/ipset/A2.ipset4 +var/lib/location/ipset/A3.ipset4 +var/lib/location/ipset/AD.ipset4 +var/lib/location/ipset/AE.ipset4 +var/lib/location/ipset/AF.ipset4 +var/lib/location/ipset/AG.ipset4 +var/lib/location/ipset/AI.ipset4 +var/lib/location/ipset/AL.ipset4 +var/lib/location/ipset/AM.ipset4 +var/lib/location/ipset/AN.ipset4 +var/lib/location/ipset/AO.ipset4 +var/lib/location/ipset/AP.ipset4 +var/lib/location/ipset/AQ.ipset4 +var/lib/location/ipset/AR.ipset4 +var/lib/location/ipset/AS.ipset4 +var/lib/location/ipset/AT.ipset4 +var/lib/location/ipset/AU.ipset4 +var/lib/location/ipset/AW.ipset4 +var/lib/location/ipset/AX.ipset4 +var/lib/location/ipset/AZ.ipset4 
+var/lib/location/ipset/BA.ipset4 +var/lib/location/ipset/BB.ipset4 +var/lib/location/ipset/BD.ipset4 +var/lib/location/ipset/BE.ipset4 +var/lib/location/ipset/BF.ipset4 +var/lib/location/ipset/BG.ipset4 +var/lib/location/ipset/BH.ipset4 +var/lib/location/ipset/BI.ipset4 +var/lib/location/ipset/BJ.ipset4 +var/lib/location/ipset/BL.ipset4 +var/lib/location/ipset/BM.ipset4 +var/lib/location/ipset/BN.ipset4 +var/lib/location/ipset/BO.ipset4 +var/lib/location/ipset/BQ.ipset4 +var/lib/location/ipset/BR.ipset4 +var/lib/location/ipset/BS.ipset4 +var/lib/location/ipset/BT.ipset4 +var/lib/location/ipset/BV.ipset4 +var/lib/location/ipset/BW.ipset4 +var/lib/location/ipset/BY.ipset4 +var/lib/location/ipset/BZ.ipset4 +var/lib/location/ipset/CA.ipset4 +var/lib/location/ipset/CC.ipset4 +var/lib/location/ipset/CD.ipset4 +var/lib/location/ipset/CF.ipset4 +var/lib/location/ipset/CG.ipset4 +var/lib/location/ipset/CH.ipset4 +var/lib/location/ipset/CI.ipset4 +var/lib/location/ipset/CK.ipset4 +var/lib/location/ipset/CL.ipset4 +var/lib/location/ipset/CM.ipset4 +var/lib/location/ipset/CN.ipset4 +var/lib/location/ipset/CO.ipset4 +var/lib/location/ipset/CR.ipset4 +var/lib/location/ipset/CS.ipset4 +var/lib/location/ipset/CU.ipset4 +var/lib/location/ipset/CV.ipset4 +var/lib/location/ipset/CW.ipset4 +var/lib/location/ipset/CX.ipset4 +var/lib/location/ipset/CY.ipset4 +var/lib/location/ipset/CZ.ipset4 +var/lib/location/ipset/DE.ipset4 +var/lib/location/ipset/DJ.ipset4 +var/lib/location/ipset/DK.ipset4 +var/lib/location/ipset/DM.ipset4 +var/lib/location/ipset/DO.ipset4 +var/lib/location/ipset/DZ.ipset4 +var/lib/location/ipset/EC.ipset4 +var/lib/location/ipset/EE.ipset4 +var/lib/location/ipset/EG.ipset4 +var/lib/location/ipset/EH.ipset4 +var/lib/location/ipset/ER.ipset4 +var/lib/location/ipset/ES.ipset4 +var/lib/location/ipset/ET.ipset4 +var/lib/location/ipset/EU.ipset4 +var/lib/location/ipset/FI.ipset4 +var/lib/location/ipset/FJ.ipset4 +var/lib/location/ipset/FK.ipset4 
+var/lib/location/ipset/FM.ipset4 +var/lib/location/ipset/FO.ipset4 +var/lib/location/ipset/FR.ipset4 +var/lib/location/ipset/FX.ipset4 +var/lib/location/ipset/GA.ipset4 +var/lib/location/ipset/GB.ipset4 +var/lib/location/ipset/GD.ipset4 +var/lib/location/ipset/GE.ipset4 +var/lib/location/ipset/GF.ipset4 +var/lib/location/ipset/GG.ipset4 +var/lib/location/ipset/GH.ipset4 +var/lib/location/ipset/GI.ipset4 +var/lib/location/ipset/GL.ipset4 +var/lib/location/ipset/GM.ipset4 +var/lib/location/ipset/GN.ipset4 +var/lib/location/ipset/GP.ipset4 +var/lib/location/ipset/GQ.ipset4 +var/lib/location/ipset/GR.ipset4 +var/lib/location/ipset/GS.ipset4 +var/lib/location/ipset/GT.ipset4 +var/lib/location/ipset/GU.ipset4 +var/lib/location/ipset/GW.ipset4 +var/lib/location/ipset/GY.ipset4 +var/lib/location/ipset/HK.ipset4 +var/lib/location/ipset/HM.ipset4 +var/lib/location/ipset/HN.ipset4 +var/lib/location/ipset/HR.ipset4 +var/lib/location/ipset/HT.ipset4 +var/lib/location/ipset/HU.ipset4 +var/lib/location/ipset/ID.ipset4 +var/lib/location/ipset/IE.ipset4 +var/lib/location/ipset/IL.ipset4 +var/lib/location/ipset/IM.ipset4 +var/lib/location/ipset/IN.ipset4 +var/lib/location/ipset/IO.ipset4 +var/lib/location/ipset/IQ.ipset4 +var/lib/location/ipset/IR.ipset4 +var/lib/location/ipset/IS.ipset4 +var/lib/location/ipset/IT.ipset4 +var/lib/location/ipset/JE.ipset4 +var/lib/location/ipset/JM.ipset4 +var/lib/location/ipset/JO.ipset4 +var/lib/location/ipset/JP.ipset4 +var/lib/location/ipset/KE.ipset4 +var/lib/location/ipset/KG.ipset4 +var/lib/location/ipset/KH.ipset4 +var/lib/location/ipset/KI.ipset4 +var/lib/location/ipset/KM.ipset4 +var/lib/location/ipset/KN.ipset4 +var/lib/location/ipset/KP.ipset4 +var/lib/location/ipset/KR.ipset4 +var/lib/location/ipset/KW.ipset4 +var/lib/location/ipset/KY.ipset4 +var/lib/location/ipset/KZ.ipset4 +var/lib/location/ipset/LA.ipset4 +var/lib/location/ipset/LB.ipset4 +var/lib/location/ipset/LC.ipset4 +var/lib/location/ipset/LI.ipset4 
+var/lib/location/ipset/LK.ipset4 +var/lib/location/ipset/LR.ipset4 +var/lib/location/ipset/LS.ipset4 +var/lib/location/ipset/LT.ipset4 +var/lib/location/ipset/LU.ipset4 +var/lib/location/ipset/LV.ipset4 +var/lib/location/ipset/LY.ipset4 +var/lib/location/ipset/MA.ipset4 +var/lib/location/ipset/MC.ipset4 +var/lib/location/ipset/MD.ipset4 +var/lib/location/ipset/ME.ipset4 +var/lib/location/ipset/MF.ipset4 +var/lib/location/ipset/MG.ipset4 +var/lib/location/ipset/MH.ipset4 +var/lib/location/ipset/MK.ipset4 +var/lib/location/ipset/ML.ipset4 +var/lib/location/ipset/MM.ipset4 +var/lib/location/ipset/MN.ipset4 +var/lib/location/ipset/MO.ipset4 +var/lib/location/ipset/MP.ipset4 +var/lib/location/ipset/MQ.ipset4 +var/lib/location/ipset/MR.ipset4 +var/lib/location/ipset/MS.ipset4 +var/lib/location/ipset/MT.ipset4 +var/lib/location/ipset/MU.ipset4 +var/lib/location/ipset/MV.ipset4 +var/lib/location/ipset/MW.ipset4 +var/lib/location/ipset/MX.ipset4 +var/lib/location/ipset/MY.ipset4 +var/lib/location/ipset/MZ.ipset4 +var/lib/location/ipset/NA.ipset4 +var/lib/location/ipset/NC.ipset4 +var/lib/location/ipset/NE.ipset4 +var/lib/location/ipset/NF.ipset4 +var/lib/location/ipset/NG.ipset4 +var/lib/location/ipset/NI.ipset4 +var/lib/location/ipset/NL.ipset4 +var/lib/location/ipset/NO.ipset4 +var/lib/location/ipset/NP.ipset4 +var/lib/location/ipset/NR.ipset4 +var/lib/location/ipset/NU.ipset4 +var/lib/location/ipset/NZ.ipset4 +var/lib/location/ipset/OM.ipset4 +var/lib/location/ipset/PA.ipset4 +var/lib/location/ipset/PE.ipset4 +var/lib/location/ipset/PF.ipset4 +var/lib/location/ipset/PG.ipset4 +var/lib/location/ipset/PH.ipset4 +var/lib/location/ipset/PK.ipset4 +var/lib/location/ipset/PL.ipset4 +var/lib/location/ipset/PM.ipset4 +var/lib/location/ipset/PN.ipset4 +var/lib/location/ipset/PR.ipset4 +var/lib/location/ipset/PS.ipset4 +var/lib/location/ipset/PT.ipset4 +var/lib/location/ipset/PW.ipset4 +var/lib/location/ipset/PY.ipset4 +var/lib/location/ipset/QA.ipset4 
+var/lib/location/ipset/RE.ipset4 +var/lib/location/ipset/RO.ipset4 +var/lib/location/ipset/RS.ipset4 +var/lib/location/ipset/RU.ipset4 +var/lib/location/ipset/RW.ipset4 +var/lib/location/ipset/SA.ipset4 +var/lib/location/ipset/SB.ipset4 +var/lib/location/ipset/SC.ipset4 +var/lib/location/ipset/SD.ipset4 +var/lib/location/ipset/SE.ipset4 +var/lib/location/ipset/SG.ipset4 +var/lib/location/ipset/SH.ipset4 +var/lib/location/ipset/SI.ipset4 +var/lib/location/ipset/SJ.ipset4 +var/lib/location/ipset/SK.ipset4 +var/lib/location/ipset/SL.ipset4 +var/lib/location/ipset/SM.ipset4 +var/lib/location/ipset/SN.ipset4 +var/lib/location/ipset/SO.ipset4 +var/lib/location/ipset/SR.ipset4 +var/lib/location/ipset/SS.ipset4 +var/lib/location/ipset/ST.ipset4 +var/lib/location/ipset/SV.ipset4 +var/lib/location/ipset/SX.ipset4 +var/lib/location/ipset/SY.ipset4 +var/lib/location/ipset/SZ.ipset4 +var/lib/location/ipset/TC.ipset4 +var/lib/location/ipset/TD.ipset4 +var/lib/location/ipset/TF.ipset4 +var/lib/location/ipset/TG.ipset4 +var/lib/location/ipset/TH.ipset4 +var/lib/location/ipset/TJ.ipset4 +var/lib/location/ipset/TK.ipset4 +var/lib/location/ipset/TL.ipset4 +var/lib/location/ipset/TM.ipset4 +var/lib/location/ipset/TN.ipset4 +var/lib/location/ipset/TO.ipset4 +var/lib/location/ipset/TR.ipset4 +var/lib/location/ipset/TT.ipset4 +var/lib/location/ipset/TV.ipset4 +var/lib/location/ipset/TW.ipset4 +var/lib/location/ipset/TZ.ipset4 +var/lib/location/ipset/UA.ipset4 +var/lib/location/ipset/UG.ipset4 +var/lib/location/ipset/UM.ipset4 +var/lib/location/ipset/US.ipset4 +var/lib/location/ipset/UY.ipset4 +var/lib/location/ipset/UZ.ipset4 +var/lib/location/ipset/VA.ipset4 +var/lib/location/ipset/VC.ipset4 +var/lib/location/ipset/VE.ipset4 +var/lib/location/ipset/VG.ipset4 +var/lib/location/ipset/VI.ipset4 +var/lib/location/ipset/VN.ipset4 +var/lib/location/ipset/VU.ipset4 +var/lib/location/ipset/WF.ipset4 +var/lib/location/ipset/WS.ipset4 +var/lib/location/ipset/XD.ipset4 
+var/lib/location/ipset/YE.ipset4
+var/lib/location/ipset/YT.ipset4
+var/lib/location/ipset/ZA.ipset4
+var/lib/location/ipset/ZM.ipset4
+var/lib/location/ipset/ZW.ipset4
 var/lib/location/signing-key.pem
diff --git a/lfs/libloc b/lfs/libloc
index 99f0c30bd..1de135b52 100644
--- a/lfs/libloc
+++ b/lfs/libloc
@@ -93,14 +93,17 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 cd $(DIR_APP) && rm -f /var/lib/location/database.db
 cd $(DIR_APP) && xz -d /var/lib/location/database.db.xz
- # Launch location util and export all locations in xt_geoip format.
- # Create directory for ipset databases.
- cd $(DIR_APP) && mkdir -pv /var/lib/location/ipset
- # Launch location util and export all locations in ipset compatible format. cd $(DIR_APP) && /usr/bin/location export \
--directory=/usr/share/xt_geoip \
--family=ipv4 \--directory=/var/lib/location/ipset \
--format=xt_geoip
--format=ipset
# Remove exported IPv6 zones.
- cd $(DIR_APP) && rm -rvf /usr/share/xt_geoip/*.iv6
cd $(DIR_APP) && rm -rvf /var/lib/location/ipset/*.ipset6
@rm -rf $(DIR_APP) @$(POSTBUILD)
Reviewed-by: Michael Tremer michael.tremer@ipfire.org
On 14 Feb 2022, at 21:06, Peter Müller peter.mueller@ipfire.org wrote:
Reviewed-by: Peter Müller peter.mueller@ipfire.org
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
config/rootfiles/common/libloc | 517 +++++++++++++++++---------------- lfs/libloc | 11 +- 2 files changed, 266 insertions(+), 262 deletions(-)
diff --git a/config/rootfiles/common/libloc b/config/rootfiles/common/libloc index 43f9efd9e..64ccfef16 100644 --- a/config/rootfiles/common/libloc +++ b/config/rootfiles/common/libloc 
@@ -36,264 +36,265 @@ usr/lib/python3.8/site-packages/location/i18n.py usr/lib/python3.8/site-packages/location/logger.py #usr/share/locale/de/LC_MESSAGES/libloc.mo #usr/share/man/man3/Location.3 -usr/share/xt_geoip/A1.iv4 -usr/share/xt_geoip/A2.iv4 -usr/share/xt_geoip/A3.iv4 -usr/share/xt_geoip/AD.iv4 -usr/share/xt_geoip/AE.iv4 -usr/share/xt_geoip/AF.iv4 -usr/share/xt_geoip/AG.iv4 -usr/share/xt_geoip/AI.iv4 -usr/share/xt_geoip/AL.iv4 -usr/share/xt_geoip/AM.iv4 -usr/share/xt_geoip/AN.iv4 -usr/share/xt_geoip/AO.iv4 -usr/share/xt_geoip/AP.iv4 -usr/share/xt_geoip/AQ.iv4 -usr/share/xt_geoip/AR.iv4 -usr/share/xt_geoip/AS.iv4 -usr/share/xt_geoip/AT.iv4 -usr/share/xt_geoip/AU.iv4 -usr/share/xt_geoip/AW.iv4 -usr/share/xt_geoip/AX.iv4 -usr/share/xt_geoip/AZ.iv4 -usr/share/xt_geoip/BA.iv4 -usr/share/xt_geoip/BB.iv4 -usr/share/xt_geoip/BD.iv4 -usr/share/xt_geoip/BE.iv4 -usr/share/xt_geoip/BF.iv4 -usr/share/xt_geoip/BG.iv4 -usr/share/xt_geoip/BH.iv4 -usr/share/xt_geoip/BI.iv4 -usr/share/xt_geoip/BJ.iv4 -usr/share/xt_geoip/BL.iv4 -usr/share/xt_geoip/BM.iv4 -usr/share/xt_geoip/BN.iv4 -usr/share/xt_geoip/BO.iv4 -usr/share/xt_geoip/BQ.iv4 -usr/share/xt_geoip/BR.iv4 -usr/share/xt_geoip/BS.iv4 -usr/share/xt_geoip/BT.iv4 -usr/share/xt_geoip/BV.iv4 -usr/share/xt_geoip/BW.iv4 -usr/share/xt_geoip/BY.iv4 -usr/share/xt_geoip/BZ.iv4 -usr/share/xt_geoip/CA.iv4 -usr/share/xt_geoip/CC.iv4 -usr/share/xt_geoip/CD.iv4 -usr/share/xt_geoip/CF.iv4 -usr/share/xt_geoip/CG.iv4 -usr/share/xt_geoip/CH.iv4 -usr/share/xt_geoip/CI.iv4 -usr/share/xt_geoip/CK.iv4 -usr/share/xt_geoip/CL.iv4 -usr/share/xt_geoip/CM.iv4 -usr/share/xt_geoip/CN.iv4 -usr/share/xt_geoip/CO.iv4 -usr/share/xt_geoip/CR.iv4 -usr/share/xt_geoip/CS.iv4 -usr/share/xt_geoip/CU.iv4 -usr/share/xt_geoip/CV.iv4 -usr/share/xt_geoip/CW.iv4 -usr/share/xt_geoip/CX.iv4 -usr/share/xt_geoip/CY.iv4 -usr/share/xt_geoip/CZ.iv4 -usr/share/xt_geoip/DE.iv4 -usr/share/xt_geoip/DJ.iv4 -usr/share/xt_geoip/DK.iv4 -usr/share/xt_geoip/DM.iv4 
-usr/share/xt_geoip/DO.iv4 -usr/share/xt_geoip/DZ.iv4 -usr/share/xt_geoip/EC.iv4 -usr/share/xt_geoip/EE.iv4 -usr/share/xt_geoip/EG.iv4 -usr/share/xt_geoip/EH.iv4 -usr/share/xt_geoip/ER.iv4 -usr/share/xt_geoip/ES.iv4 -usr/share/xt_geoip/ET.iv4 -usr/share/xt_geoip/EU.iv4 -usr/share/xt_geoip/FI.iv4 -usr/share/xt_geoip/FJ.iv4 -usr/share/xt_geoip/FK.iv4 -usr/share/xt_geoip/FM.iv4 -usr/share/xt_geoip/FO.iv4 -usr/share/xt_geoip/FR.iv4 -usr/share/xt_geoip/FX.iv4 -usr/share/xt_geoip/GA.iv4 -usr/share/xt_geoip/GB.iv4 -usr/share/xt_geoip/GD.iv4 -usr/share/xt_geoip/GE.iv4 -usr/share/xt_geoip/GF.iv4 -usr/share/xt_geoip/GG.iv4 -usr/share/xt_geoip/GH.iv4 -usr/share/xt_geoip/GI.iv4 -usr/share/xt_geoip/GL.iv4 -usr/share/xt_geoip/GM.iv4 -usr/share/xt_geoip/GN.iv4 -usr/share/xt_geoip/GP.iv4 -usr/share/xt_geoip/GQ.iv4 -usr/share/xt_geoip/GR.iv4 -usr/share/xt_geoip/GS.iv4 -usr/share/xt_geoip/GT.iv4 -usr/share/xt_geoip/GU.iv4 -usr/share/xt_geoip/GW.iv4 -usr/share/xt_geoip/GY.iv4 -usr/share/xt_geoip/HK.iv4 -usr/share/xt_geoip/HM.iv4 -usr/share/xt_geoip/HN.iv4 -usr/share/xt_geoip/HR.iv4 -usr/share/xt_geoip/HT.iv4 -usr/share/xt_geoip/HU.iv4 -usr/share/xt_geoip/ID.iv4 -usr/share/xt_geoip/IE.iv4 -usr/share/xt_geoip/IL.iv4 -usr/share/xt_geoip/IM.iv4 -usr/share/xt_geoip/IN.iv4 -usr/share/xt_geoip/IO.iv4 -usr/share/xt_geoip/IQ.iv4 -usr/share/xt_geoip/IR.iv4 -usr/share/xt_geoip/IS.iv4 -usr/share/xt_geoip/IT.iv4 -usr/share/xt_geoip/JE.iv4 -usr/share/xt_geoip/JM.iv4 -usr/share/xt_geoip/JO.iv4 -usr/share/xt_geoip/JP.iv4 -usr/share/xt_geoip/KE.iv4 -usr/share/xt_geoip/KG.iv4 -usr/share/xt_geoip/KH.iv4 -usr/share/xt_geoip/KI.iv4 -usr/share/xt_geoip/KM.iv4 -usr/share/xt_geoip/KN.iv4 -usr/share/xt_geoip/KP.iv4 -usr/share/xt_geoip/KR.iv4 -usr/share/xt_geoip/KW.iv4 -usr/share/xt_geoip/KY.iv4 -usr/share/xt_geoip/KZ.iv4 -usr/share/xt_geoip/LA.iv4 -usr/share/xt_geoip/LB.iv4 -usr/share/xt_geoip/LC.iv4 -usr/share/xt_geoip/LI.iv4 -usr/share/xt_geoip/LK.iv4 -usr/share/xt_geoip/LR.iv4 -usr/share/xt_geoip/LS.iv4 
-usr/share/xt_geoip/LT.iv4 -usr/share/xt_geoip/LU.iv4 -usr/share/xt_geoip/LV.iv4 -usr/share/xt_geoip/LY.iv4 -usr/share/xt_geoip/MA.iv4 -usr/share/xt_geoip/MC.iv4 -usr/share/xt_geoip/MD.iv4 -usr/share/xt_geoip/ME.iv4 -usr/share/xt_geoip/MF.iv4 -usr/share/xt_geoip/MG.iv4 -usr/share/xt_geoip/MH.iv4 -usr/share/xt_geoip/MK.iv4 -usr/share/xt_geoip/ML.iv4 -usr/share/xt_geoip/MM.iv4 -usr/share/xt_geoip/MN.iv4 -usr/share/xt_geoip/MO.iv4 -usr/share/xt_geoip/MP.iv4 -usr/share/xt_geoip/MQ.iv4 -usr/share/xt_geoip/MR.iv4 -usr/share/xt_geoip/MS.iv4 -usr/share/xt_geoip/MT.iv4 -usr/share/xt_geoip/MU.iv4 -usr/share/xt_geoip/MV.iv4 -usr/share/xt_geoip/MW.iv4 -usr/share/xt_geoip/MX.iv4 -usr/share/xt_geoip/MY.iv4 -usr/share/xt_geoip/MZ.iv4 -usr/share/xt_geoip/NA.iv4 -usr/share/xt_geoip/NC.iv4 -usr/share/xt_geoip/NE.iv4 -usr/share/xt_geoip/NF.iv4 -usr/share/xt_geoip/NG.iv4 -usr/share/xt_geoip/NI.iv4 -usr/share/xt_geoip/NL.iv4 -usr/share/xt_geoip/NO.iv4 -usr/share/xt_geoip/NP.iv4 -usr/share/xt_geoip/NR.iv4 -usr/share/xt_geoip/NU.iv4 -usr/share/xt_geoip/NZ.iv4 -usr/share/xt_geoip/OM.iv4 -usr/share/xt_geoip/PA.iv4 -usr/share/xt_geoip/PE.iv4 -usr/share/xt_geoip/PF.iv4 -usr/share/xt_geoip/PG.iv4 -usr/share/xt_geoip/PH.iv4 -usr/share/xt_geoip/PK.iv4 -usr/share/xt_geoip/PL.iv4 -usr/share/xt_geoip/PM.iv4 -usr/share/xt_geoip/PN.iv4 -usr/share/xt_geoip/PR.iv4 -usr/share/xt_geoip/PS.iv4 -usr/share/xt_geoip/PT.iv4 -usr/share/xt_geoip/PW.iv4 -usr/share/xt_geoip/PY.iv4 -usr/share/xt_geoip/QA.iv4 -usr/share/xt_geoip/RE.iv4 -usr/share/xt_geoip/RO.iv4 -usr/share/xt_geoip/RS.iv4 -usr/share/xt_geoip/RU.iv4 -usr/share/xt_geoip/RW.iv4 -usr/share/xt_geoip/SA.iv4 -usr/share/xt_geoip/SB.iv4 -usr/share/xt_geoip/SC.iv4 -usr/share/xt_geoip/SD.iv4 -usr/share/xt_geoip/SE.iv4 -usr/share/xt_geoip/SG.iv4 -usr/share/xt_geoip/SH.iv4 -usr/share/xt_geoip/SI.iv4 -usr/share/xt_geoip/SJ.iv4 -usr/share/xt_geoip/SK.iv4 -usr/share/xt_geoip/SL.iv4 -usr/share/xt_geoip/SM.iv4 -usr/share/xt_geoip/SN.iv4 -usr/share/xt_geoip/SO.iv4 
-usr/share/xt_geoip/SR.iv4 -usr/share/xt_geoip/SS.iv4 -usr/share/xt_geoip/ST.iv4 -usr/share/xt_geoip/SV.iv4 -usr/share/xt_geoip/SX.iv4 -usr/share/xt_geoip/SY.iv4 -usr/share/xt_geoip/SZ.iv4 -usr/share/xt_geoip/TC.iv4 -usr/share/xt_geoip/TD.iv4 -usr/share/xt_geoip/TF.iv4 -usr/share/xt_geoip/TG.iv4 -usr/share/xt_geoip/TH.iv4 -usr/share/xt_geoip/TJ.iv4 -usr/share/xt_geoip/TK.iv4 -usr/share/xt_geoip/TL.iv4 -usr/share/xt_geoip/TM.iv4 -usr/share/xt_geoip/TN.iv4 -usr/share/xt_geoip/TO.iv4 -usr/share/xt_geoip/TR.iv4 -usr/share/xt_geoip/TT.iv4 -usr/share/xt_geoip/TV.iv4 -usr/share/xt_geoip/TW.iv4 -usr/share/xt_geoip/TZ.iv4 -usr/share/xt_geoip/UA.iv4 -usr/share/xt_geoip/UG.iv4 -usr/share/xt_geoip/UM.iv4 -usr/share/xt_geoip/US.iv4 -usr/share/xt_geoip/UY.iv4 -usr/share/xt_geoip/UZ.iv4 -usr/share/xt_geoip/VA.iv4 -usr/share/xt_geoip/VC.iv4 -usr/share/xt_geoip/VE.iv4 -usr/share/xt_geoip/VG.iv4 -usr/share/xt_geoip/VI.iv4 -usr/share/xt_geoip/VN.iv4 -usr/share/xt_geoip/VU.iv4 -usr/share/xt_geoip/WF.iv4 -usr/share/xt_geoip/WS.iv4 -usr/share/xt_geoip/XD.iv4 -usr/share/xt_geoip/YE.iv4 -usr/share/xt_geoip/YT.iv4 -usr/share/xt_geoip/ZA.iv4 -usr/share/xt_geoip/ZM.iv4 -usr/share/xt_geoip/ZW.iv4 #var/lib/location var/lib/location/database.db +var/lib/location/ipset +var/lib/location/ipset/A1.ipset4 +var/lib/location/ipset/A2.ipset4 +var/lib/location/ipset/A3.ipset4 +var/lib/location/ipset/AD.ipset4 +var/lib/location/ipset/AE.ipset4 +var/lib/location/ipset/AF.ipset4 +var/lib/location/ipset/AG.ipset4 +var/lib/location/ipset/AI.ipset4 +var/lib/location/ipset/AL.ipset4 +var/lib/location/ipset/AM.ipset4 +var/lib/location/ipset/AN.ipset4 +var/lib/location/ipset/AO.ipset4 +var/lib/location/ipset/AP.ipset4 +var/lib/location/ipset/AQ.ipset4 +var/lib/location/ipset/AR.ipset4 +var/lib/location/ipset/AS.ipset4 +var/lib/location/ipset/AT.ipset4 +var/lib/location/ipset/AU.ipset4 +var/lib/location/ipset/AW.ipset4 +var/lib/location/ipset/AX.ipset4 +var/lib/location/ipset/AZ.ipset4 
+var/lib/location/ipset/BA.ipset4 +var/lib/location/ipset/BB.ipset4 +var/lib/location/ipset/BD.ipset4 +var/lib/location/ipset/BE.ipset4 +var/lib/location/ipset/BF.ipset4 +var/lib/location/ipset/BG.ipset4 +var/lib/location/ipset/BH.ipset4 +var/lib/location/ipset/BI.ipset4 +var/lib/location/ipset/BJ.ipset4 +var/lib/location/ipset/BL.ipset4 +var/lib/location/ipset/BM.ipset4 +var/lib/location/ipset/BN.ipset4 +var/lib/location/ipset/BO.ipset4 +var/lib/location/ipset/BQ.ipset4 +var/lib/location/ipset/BR.ipset4 +var/lib/location/ipset/BS.ipset4 +var/lib/location/ipset/BT.ipset4 +var/lib/location/ipset/BV.ipset4 +var/lib/location/ipset/BW.ipset4 +var/lib/location/ipset/BY.ipset4 +var/lib/location/ipset/BZ.ipset4 +var/lib/location/ipset/CA.ipset4 +var/lib/location/ipset/CC.ipset4 +var/lib/location/ipset/CD.ipset4 +var/lib/location/ipset/CF.ipset4 +var/lib/location/ipset/CG.ipset4 +var/lib/location/ipset/CH.ipset4 +var/lib/location/ipset/CI.ipset4 +var/lib/location/ipset/CK.ipset4 +var/lib/location/ipset/CL.ipset4 +var/lib/location/ipset/CM.ipset4 +var/lib/location/ipset/CN.ipset4 +var/lib/location/ipset/CO.ipset4 +var/lib/location/ipset/CR.ipset4 +var/lib/location/ipset/CS.ipset4 +var/lib/location/ipset/CU.ipset4 +var/lib/location/ipset/CV.ipset4 +var/lib/location/ipset/CW.ipset4 +var/lib/location/ipset/CX.ipset4 +var/lib/location/ipset/CY.ipset4 +var/lib/location/ipset/CZ.ipset4 +var/lib/location/ipset/DE.ipset4 +var/lib/location/ipset/DJ.ipset4 +var/lib/location/ipset/DK.ipset4 +var/lib/location/ipset/DM.ipset4 +var/lib/location/ipset/DO.ipset4 +var/lib/location/ipset/DZ.ipset4 +var/lib/location/ipset/EC.ipset4 +var/lib/location/ipset/EE.ipset4 +var/lib/location/ipset/EG.ipset4 +var/lib/location/ipset/EH.ipset4 +var/lib/location/ipset/ER.ipset4 +var/lib/location/ipset/ES.ipset4 +var/lib/location/ipset/ET.ipset4 +var/lib/location/ipset/EU.ipset4 +var/lib/location/ipset/FI.ipset4 +var/lib/location/ipset/FJ.ipset4 +var/lib/location/ipset/FK.ipset4 
+var/lib/location/ipset/FM.ipset4 +var/lib/location/ipset/FO.ipset4 +var/lib/location/ipset/FR.ipset4 +var/lib/location/ipset/FX.ipset4 +var/lib/location/ipset/GA.ipset4 +var/lib/location/ipset/GB.ipset4 +var/lib/location/ipset/GD.ipset4 +var/lib/location/ipset/GE.ipset4 +var/lib/location/ipset/GF.ipset4 +var/lib/location/ipset/GG.ipset4 +var/lib/location/ipset/GH.ipset4 +var/lib/location/ipset/GI.ipset4 +var/lib/location/ipset/GL.ipset4 +var/lib/location/ipset/GM.ipset4 +var/lib/location/ipset/GN.ipset4 +var/lib/location/ipset/GP.ipset4 +var/lib/location/ipset/GQ.ipset4 +var/lib/location/ipset/GR.ipset4 +var/lib/location/ipset/GS.ipset4 +var/lib/location/ipset/GT.ipset4 +var/lib/location/ipset/GU.ipset4 +var/lib/location/ipset/GW.ipset4 +var/lib/location/ipset/GY.ipset4 +var/lib/location/ipset/HK.ipset4 +var/lib/location/ipset/HM.ipset4 +var/lib/location/ipset/HN.ipset4 +var/lib/location/ipset/HR.ipset4 +var/lib/location/ipset/HT.ipset4 +var/lib/location/ipset/HU.ipset4 +var/lib/location/ipset/ID.ipset4 +var/lib/location/ipset/IE.ipset4 +var/lib/location/ipset/IL.ipset4 +var/lib/location/ipset/IM.ipset4 +var/lib/location/ipset/IN.ipset4 +var/lib/location/ipset/IO.ipset4 +var/lib/location/ipset/IQ.ipset4 +var/lib/location/ipset/IR.ipset4 +var/lib/location/ipset/IS.ipset4 +var/lib/location/ipset/IT.ipset4 +var/lib/location/ipset/JE.ipset4 +var/lib/location/ipset/JM.ipset4 +var/lib/location/ipset/JO.ipset4 +var/lib/location/ipset/JP.ipset4 +var/lib/location/ipset/KE.ipset4 +var/lib/location/ipset/KG.ipset4 +var/lib/location/ipset/KH.ipset4 +var/lib/location/ipset/KI.ipset4 +var/lib/location/ipset/KM.ipset4 +var/lib/location/ipset/KN.ipset4 +var/lib/location/ipset/KP.ipset4 +var/lib/location/ipset/KR.ipset4 +var/lib/location/ipset/KW.ipset4 +var/lib/location/ipset/KY.ipset4 +var/lib/location/ipset/KZ.ipset4 +var/lib/location/ipset/LA.ipset4 +var/lib/location/ipset/LB.ipset4 +var/lib/location/ipset/LC.ipset4 +var/lib/location/ipset/LI.ipset4 
+var/lib/location/ipset/LK.ipset4 +var/lib/location/ipset/LR.ipset4 +var/lib/location/ipset/LS.ipset4 +var/lib/location/ipset/LT.ipset4 +var/lib/location/ipset/LU.ipset4 +var/lib/location/ipset/LV.ipset4 +var/lib/location/ipset/LY.ipset4 +var/lib/location/ipset/MA.ipset4 +var/lib/location/ipset/MC.ipset4 +var/lib/location/ipset/MD.ipset4 +var/lib/location/ipset/ME.ipset4 +var/lib/location/ipset/MF.ipset4 +var/lib/location/ipset/MG.ipset4 +var/lib/location/ipset/MH.ipset4 +var/lib/location/ipset/MK.ipset4 +var/lib/location/ipset/ML.ipset4 +var/lib/location/ipset/MM.ipset4 +var/lib/location/ipset/MN.ipset4 +var/lib/location/ipset/MO.ipset4 +var/lib/location/ipset/MP.ipset4 +var/lib/location/ipset/MQ.ipset4 +var/lib/location/ipset/MR.ipset4 +var/lib/location/ipset/MS.ipset4 +var/lib/location/ipset/MT.ipset4 +var/lib/location/ipset/MU.ipset4 +var/lib/location/ipset/MV.ipset4 +var/lib/location/ipset/MW.ipset4 +var/lib/location/ipset/MX.ipset4 +var/lib/location/ipset/MY.ipset4 +var/lib/location/ipset/MZ.ipset4 +var/lib/location/ipset/NA.ipset4 +var/lib/location/ipset/NC.ipset4 +var/lib/location/ipset/NE.ipset4 +var/lib/location/ipset/NF.ipset4 +var/lib/location/ipset/NG.ipset4 +var/lib/location/ipset/NI.ipset4 +var/lib/location/ipset/NL.ipset4 +var/lib/location/ipset/NO.ipset4 +var/lib/location/ipset/NP.ipset4 +var/lib/location/ipset/NR.ipset4 +var/lib/location/ipset/NU.ipset4 +var/lib/location/ipset/NZ.ipset4 +var/lib/location/ipset/OM.ipset4 +var/lib/location/ipset/PA.ipset4 +var/lib/location/ipset/PE.ipset4 +var/lib/location/ipset/PF.ipset4 +var/lib/location/ipset/PG.ipset4 +var/lib/location/ipset/PH.ipset4 +var/lib/location/ipset/PK.ipset4 +var/lib/location/ipset/PL.ipset4 +var/lib/location/ipset/PM.ipset4 +var/lib/location/ipset/PN.ipset4 +var/lib/location/ipset/PR.ipset4 +var/lib/location/ipset/PS.ipset4 +var/lib/location/ipset/PT.ipset4 +var/lib/location/ipset/PW.ipset4 +var/lib/location/ipset/PY.ipset4 +var/lib/location/ipset/QA.ipset4 
+var/lib/location/ipset/RE.ipset4 +var/lib/location/ipset/RO.ipset4 +var/lib/location/ipset/RS.ipset4 +var/lib/location/ipset/RU.ipset4 +var/lib/location/ipset/RW.ipset4 +var/lib/location/ipset/SA.ipset4 +var/lib/location/ipset/SB.ipset4 +var/lib/location/ipset/SC.ipset4 +var/lib/location/ipset/SD.ipset4 +var/lib/location/ipset/SE.ipset4 +var/lib/location/ipset/SG.ipset4 +var/lib/location/ipset/SH.ipset4 +var/lib/location/ipset/SI.ipset4 +var/lib/location/ipset/SJ.ipset4 +var/lib/location/ipset/SK.ipset4 +var/lib/location/ipset/SL.ipset4 +var/lib/location/ipset/SM.ipset4 +var/lib/location/ipset/SN.ipset4 +var/lib/location/ipset/SO.ipset4 +var/lib/location/ipset/SR.ipset4 +var/lib/location/ipset/SS.ipset4 +var/lib/location/ipset/ST.ipset4 +var/lib/location/ipset/SV.ipset4 +var/lib/location/ipset/SX.ipset4 +var/lib/location/ipset/SY.ipset4 +var/lib/location/ipset/SZ.ipset4 +var/lib/location/ipset/TC.ipset4 +var/lib/location/ipset/TD.ipset4 +var/lib/location/ipset/TF.ipset4 +var/lib/location/ipset/TG.ipset4 +var/lib/location/ipset/TH.ipset4 +var/lib/location/ipset/TJ.ipset4 +var/lib/location/ipset/TK.ipset4 +var/lib/location/ipset/TL.ipset4 +var/lib/location/ipset/TM.ipset4 +var/lib/location/ipset/TN.ipset4 +var/lib/location/ipset/TO.ipset4 +var/lib/location/ipset/TR.ipset4 +var/lib/location/ipset/TT.ipset4 +var/lib/location/ipset/TV.ipset4 +var/lib/location/ipset/TW.ipset4 +var/lib/location/ipset/TZ.ipset4 +var/lib/location/ipset/UA.ipset4 +var/lib/location/ipset/UG.ipset4 +var/lib/location/ipset/UM.ipset4 +var/lib/location/ipset/US.ipset4 +var/lib/location/ipset/UY.ipset4 +var/lib/location/ipset/UZ.ipset4 +var/lib/location/ipset/VA.ipset4 +var/lib/location/ipset/VC.ipset4 +var/lib/location/ipset/VE.ipset4 +var/lib/location/ipset/VG.ipset4 +var/lib/location/ipset/VI.ipset4 +var/lib/location/ipset/VN.ipset4 +var/lib/location/ipset/VU.ipset4 +var/lib/location/ipset/WF.ipset4 +var/lib/location/ipset/WS.ipset4 +var/lib/location/ipset/XD.ipset4 
+var/lib/location/ipset/YE.ipset4 +var/lib/location/ipset/YT.ipset4 +var/lib/location/ipset/ZA.ipset4 +var/lib/location/ipset/ZM.ipset4 +var/lib/location/ipset/ZW.ipset4 var/lib/location/signing-key.pem diff --git a/lfs/libloc b/lfs/libloc index 99f0c30bd..1de135b52 100644 --- a/lfs/libloc +++ b/lfs/libloc @@ -93,14 +93,17 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && rm -f /var/lib/location/database.db cd $(DIR_APP) && xz -d /var/lib/location/database.db.xz
- # Launch location util and export all locations in xt_geoip format.
- # Create directory for ipset databases.
- cd $(DIR_APP) && mkdir -pv /var/lib/location/ipset
- # Launch location util and export all locations in ipset compatible format. cd $(DIR_APP) && /usr/bin/location export \
--directory=/usr/share/xt_geoip \
--family=ipv4 \--directory=/var/lib/location/ipset \
--format=xt_geoip
--format=ipset
# Remove exported IPv6 zones.
- cd $(DIR_APP) && rm -rvf /usr/share/xt_geoip/*.iv6
cd $(DIR_APP) && rm -rvf /var/lib/location/ipset/*.ipset6
@rm -rf $(DIR_APP) @$(POSTBUILD)
Reviewed-by: Peter Müller peter.mueller@ipfire.org
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
config/cfgroot/location-functions.pl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/cfgroot/location-functions.pl b/config/cfgroot/location-functions.pl index 4d44ce24d..f86464933 100644 --- a/config/cfgroot/location-functions.pl +++ b/config/cfgroot/location-functions.pl @@ -53,7 +53,7 @@ our $database = "$location_dir/database.db"; our $keyfile = "$location_dir/signing-key.pem";
# Directory which contains the exported databases.
-our $xt_geoip_db_directory = "/usr/share/xt_geoip/";
+our $ipset_db_directory = "$location_dir/ipset";
# Create libloc database handle. my $db_handle = &init();
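Review bot: Renaming the package variable `$xt_geoip_db_directory` to `$ipset_db_directory` leaves any caller that still uses the old fully qualified name reading undef, and `use strict` does not flag fully qualified package variables, so such a caller would build its paths from an empty prefix instead of failing. The tree should be searched for the old name as part of this change; the callers are outside this hunk, so that cannot be confirmed here. The comment above the declaration could also say what the directory now holds, e.g. `# Directory which contains the exported ipset databases.`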