This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated
       via  d0353b73c7a4cb6ec569d36e7f07d44fd20b0680 (commit)
       via  9dd886fa57ef70980d5c248ffa6601a5f1721df8 (commit)
       via  063ec85aed659be9da022d597fe0315ed52e9669 (commit)
       via  97fe0c082312c52817d7be9e98d2e07a870b8977 (commit)
       via  7987879e21b7fb5369b9b74d3173ff3949d7f89a (commit)
       via  3071989cfc346a4abd49b8c35409f1b553b37b2f (commit)
       via  8796d41a4ddff08ea18f049944eca3e21f193498 (commit)
       via  52c8eaac4b2c714964970cb1cd9088a6fc9a40a9 (commit)
       via  0b2d66c7a0a83ced6425c34505f595f5854720f6 (commit)
       via  31c64b9d0df0599f1f3f47975ad7c6c11ebdd288 (commit)
       via  b6e4ebe86fd553123f295fec919409b963150544 (commit)
       via  f14000733b01a8c00fe4ebea1a235aee0de05eae (commit)
       via  5108775b590250a96f3053705aa878e16b332cf2 (commit)
       via  0564b0c7c98cac0e07f04f8d9e026d9f033fd012 (commit)
       via  50e43059554a6a1c9ca8579b5347a9f98bc99ffb (commit)
       via  278289690d50d6f28926742e29f5b005293132eb (commit)
       via  edad13b46b864150f49dcb42580a4ebcf35ca3f0 (commit)
       via  07106467b83e9be97ce207ce919ad45ab2df4bba (commit)
       via  0df1d268edc94df13f6f5e610e69a2bd63d79918 (commit)
       via  6babb404cc63d6f5c25d64be8e4370b7cb009c2c (commit)
       via  3d8868807506331a1c4fe160748fa0635bac2a95 (commit)
       via  bbeb2a5067f72d0f4073a7a183ed6f1f3477765c (commit)
       via  19e5c03f1525b907d62b3a72d586e89ab6e551d1 (commit)
       via  a5f22bf03cebf33f78bd4ebd1686f8f506789fb9 (commit)
       via  28965d275ba92f82d583ca9436415e0cb02fe355 (commit)
       via  ceedba20de1185f24d6abe38bafebdf461be271d (commit)
       via  5fd4dfe0026f918ba30fa2abd736e86555261ec1 (commit)
       via  6e40963459eca547f1857d4e518d920518ff23a5 (commit)
      from  bccde9948bbf5cee53da5f89ee90c202ca7ed8b0 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit d0353b73c7a4cb6ec569d36e7f07d44fd20b0680
Author: Peter Müller peter.mueller@ipfire.org
Date:   Wed Feb 16 17:06:03 2022 +0000
perl-Net-HTTP: Fix rootfile
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 9dd886fa57ef70980d5c248ffa6601a5f1721df8
Author: Peter Müller peter.mueller@ipfire.org
Date:   Tue Feb 15 18:25:18 2022 +0000
Core Update 165: Sort filelist of rm command for better readability
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 063ec85aed659be9da022d597fe0315ed52e9669
Author: Peter Müller peter.mueller@ipfire.org
Date:   Tue Feb 15 18:24:08 2022 +0000
Core Update 165: Delete files from xtables-addons
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 97fe0c082312c52817d7be9e98d2e07a870b8977
Author: Stefan Schantl stefan.schantl@ipfire.org
Date:   Mon Feb 14 20:08:53 2022 +0100
xtables-addons: Drop package.
None of the provided modules are in use, so this package safely can be dropped.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
Reviewed-by: Peter Müller peter.mueller@ipfire.org
Acked-by: Michael Tremer michael.tremer@ipfire.org
commit 7987879e21b7fb5369b9b74d3173ff3949d7f89a
Author: Peter Müller peter.mueller@ipfire.org
Date:   Tue Feb 15 18:18:31 2022 +0000
firewall: Get rid of xt_geoip for DROP_HOSTILE
This is required to drop xtables-addons altogether.
Cc: Stefan Schantl stefan.schantl@ipfire.org
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 3071989cfc346a4abd49b8c35409f1b553b37b2f
Author: Peter Müller peter.mueller@ipfire.org
Date:   Tue Feb 15 18:15:53 2022 +0000
Core Update 165: Ship changes related to P2P block removal
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 8796d41a4ddff08ea18f049944eca3e21f193498
Author: Stefan Schantl stefan.schantl@ipfire.org
Date:   Mon Feb 14 20:05:27 2022 +0100
firewall: Drop P2P chains from initscript.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 52c8eaac4b2c714964970cb1cd9088a6fc9a40a9
Author: Stefan Schantl stefan.schantl@ipfire.org
Date:   Mon Feb 14 20:03:07 2022 +0100
firewall.menu: Drop entry for P2P-Block.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
Reviewed-by: Peter Müller peter.mueller@ipfire.org
Acked-by: Michael Tremer michael.tremer@ipfire.org
commit 0b2d66c7a0a83ced6425c34505f595f5854720f6
Author: Stefan Schantl stefan.schantl@ipfire.org
Date:   Mon Feb 14 20:03:06 2022 +0100
p2p-block.cgi: Drop CGI.
The support for creating P2P based rules has been removed from the firewall. So this CGI file is no longer needed.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
Reviewed-by: Peter Müller peter.mueller@ipfire.org
Acked-by: Michael Tremer michael.tremer@ipfire.org
commit 31c64b9d0df0599f1f3f47975ad7c6c11ebdd288
Author: Stefan Schantl stefan.schantl@ipfire.org
Date:   Mon Feb 14 20:03:05 2022 +0100
configroot: Drop config file for p2protocols.
The support for creating P2P based rules has been removed from the firewall. So this file is no longer needed.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
Reviewed-by: Peter Müller peter.mueller@ipfire.org
Acked-by: Michael Tremer michael.tremer@ipfire.org
commit b6e4ebe86fd553123f295fec919409b963150544
Author: Stefan Schantl stefan.schantl@ipfire.org
Date:   Mon Feb 14 20:03:04 2022 +0100
firewall: Drop support for blocking P2P protocols.
The main P2P (peer-to-peer) era has passed for several years now, so this kind of feature is really outdated.
The feature only supports a handful of P2P protocols (mostly unencrypted) for applications which have been superseded by various other applications and protocols.
So, this feature is no longer required and safely can be dropped.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
Acked-by: Peter Müller peter.mueller@ipfire.org
Acked-by: Michael Tremer michael.tremer@ipfire.org
commit f14000733b01a8c00fe4ebea1a235aee0de05eae
Author: Peter Müller peter.mueller@ipfire.org
Date:   Tue Feb 15 18:11:28 2022 +0000
Core Update 165: Ship ipset-related changes and restart the firewall engine
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 5108775b590250a96f3053705aa878e16b332cf2
Author: Stefan Schantl stefan.schantl@ipfire.org
Date:   Mon Feb 14 19:42:56 2022 +0100
libloc: Export DB in ipset compatible format.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
Reviewed-by: Peter Müller peter.mueller@ipfire.org
Reviewed-by: Michael Tremer michael.tremer@ipfire.org
commit 0564b0c7c98cac0e07f04f8d9e026d9f033fd012
Author: Stefan Schantl stefan.schantl@ipfire.org
Date:   Mon Feb 14 19:42:55 2022 +0100
rules.pl: Add workaround to hide a warning about an only once used variable.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 50e43059554a6a1c9ca8579b5347a9f98bc99ffb
Author: Stefan Schantl stefan.schantl@ipfire.org
Date:   Mon Feb 14 19:42:54 2022 +0100
rules.pl: Check if an ipset db file exists before call to restore it.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
Reviewed-by: Peter Müller peter.mueller@ipfire.org
Reviewed-by: Michael Tremer michael.tremer@ipfire.org
commit 278289690d50d6f28926742e29f5b005293132eb
Author: Stefan Schantl stefan.schantl@ipfire.org
Date:   Mon Feb 14 19:42:53 2022 +0100
rules.pl: Do not try to restore the same ipset multiple times.
When an ipset list gets restored, this is now documented in a hash, and this hash is also checked before restoring a list to verify that this has not been done previously.
This will prevent restoring the same list multiple times.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit edad13b46b864150f49dcb42580a4ebcf35ca3f0
Author: Stefan Schantl stefan.schantl@ipfire.org
Date:   Mon Feb 14 19:42:52 2022 +0100
update-location-database: Export database to ipset compatible format now.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
Reviewed-by: Peter Müller peter.mueller@ipfire.org
Reviewed-by: Michael Tremer michael.tremer@ipfire.org
commit 07106467b83e9be97ce207ce919ad45ab2df4bba
Author: Stefan Schantl stefan.schantl@ipfire.org
Date:   Mon Feb 14 19:42:51 2022 +0100
rules.pl: Move to ipset based data for location based firewall rules.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
Reviewed-by: Peter Müller peter.mueller@ipfire.org
Reviewed-by: Michael Tremer michael.tremer@ipfire.org
commit 0df1d268edc94df13f6f5e610e69a2bd63d79918
Author: Stefan Schantl stefan.schantl@ipfire.org
Date:   Mon Feb 14 19:42:50 2022 +0100
rules.pl: Move to ipset based data for LOCATIONBLOCK feature.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
Reviewed-by: Peter Müller peter.mueller@ipfire.org
Reviewed-by: Michael Tremer michael.tremer@ipfire.org
commit 6babb404cc63d6f5c25d64be8e4370b7cb009c2c
Author: Stefan Schantl stefan.schantl@ipfire.org
Date:   Mon Feb 14 19:42:49 2022 +0100
rules.pl: Add tiny ipset_restore function.
This helper function is used to load a previously exported list of networks for a given country code into the ipset module, so it can be used for any kind of firewall rules.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
Reviewed-by: Peter Müller peter.mueller@ipfire.org
Reviewed-by: Michael Tremer michael.tremer@ipfire.org
commit 3d8868807506331a1c4fe160748fa0635bac2a95
Author: Stefan Schantl stefan.schantl@ipfire.org
Date:   Mon Feb 14 19:42:48 2022 +0100
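The following is an added example, not code from IPFire or libloc, covering the ipset_restore helper, the "check that the ipset db file exists" change and the load-once hash described in the commits above: it validates a constructed <CC>.ipset4 restore file against the CC_<CC> set name the firewall rules reference, restores each country's set only once, and plans the ipset and iptables commands as argv lists so the country code is never interpolated into a shell string. The file layout under one directory, ipset's `-file` option and the RFC 5737 sample networks are assumptions or constructed data.

```python
"""Added example (not IPFire code): validate the per-country ipset export files
that rules.pl feeds to `ipset restore` and plan the restore/iptables commands so
each CC_<code> set is restored once and never referenced when its file is bad."""
import ipaddress
import os
import re
import tempfile

# Two upper-case characters: ISO codes plus libloc's A1/A2/A3/XD specials.
CC_RE = re.compile(r"^[A-Z0-9]{2}$")
CREATE_RE = re.compile(r"^create (\S+) hash:net family inet\b")
ADD_RE = re.compile(r"^add (\S+) (\S+)$")


def validate_export(path, ccode):
    """Return (ok, problems) for one <CC>.ipset4 restore file: it must create
    exactly CC_<ccode> and only add valid IPv4 networks to that set."""
    expected = f"CC_{ccode}"
    problems, created = [], None
    with open(path, encoding="ascii") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if m := CREATE_RE.match(line):
                created = m.group(1)
                if created != expected:
                    problems.append(f"line {lineno}: creates {created}, expected {expected}")
            elif m := ADD_RE.match(line):
                name, net = m.groups()
                if name != expected:
                    problems.append(f"line {lineno}: adds to {name}, expected {expected}")
                try:
                    ipaddress.IPv4Network(net, strict=True)
                except ValueError:
                    problems.append(f"line {lineno}: invalid IPv4 network {net}")
            else:
                problems.append(f"line {lineno}: unexpected command: {line}")
    if created is None:
        problems.append("no create line found")
    return not problems, problems


def plan_location_rules(entries, ipset_dir):
    """entries: (chain, 'src'|'dst', ccode) tuples. A dict plays the role of
    %loaded_ipset_lists from rules.pl so a set is restored at most once, and a
    rule is emitted only after its set was restored. Returns (commands, skipped)
    with commands as argv lists, so the country code is never shell-interpolated."""
    loaded, commands, skipped = {}, [], []
    for chain, direction, ccode in entries:
        if not CC_RE.match(ccode) or direction not in ("src", "dst"):
            skipped.append((ccode, "invalid country code or direction"))
            continue
        if ccode not in loaded:
            path = os.path.join(ipset_dir, f"{ccode}.ipset4")
            loaded[ccode] = os.path.isfile(path) and validate_export(path, ccode)[0]
            if loaded[ccode]:
                # ipset's -file option reads the restore script from a file.
                commands.append(["ipset", "restore", "-file", path])
        if not loaded[ccode]:
            skipped.append((ccode, "export file missing or invalid"))
            continue
        commands.append(["iptables", "--wait", "-A", chain, "-m", "set",
                         "--match-set", f"CC_{ccode}", direction, "-j", "DROP"])
    return commands, skipped


# Constructed sample export files (RFC 5737 documentation networks).
SAMPLE_FILES = {
    "DE.ipset4": "create CC_DE hash:net family inet hashsize 1024 maxelem 65536\n"
                 "add CC_DE 192.0.2.0/24\nadd CC_DE 198.51.100.0/25\n",
    # Broken export: wrong set name and a network with host bits set.
    "ZZ.ipset4": "create CC_DE hash:net family inet\n"
                 "add CC_DE 203.0.113.0/24\nadd CC_DE 10.0.0.1/8\n",
}


def demo():
    """Write the samples to a temp dir and plan rules; XX has no export file."""
    with tempfile.TemporaryDirectory() as ipset_dir:
        for name, body in SAMPLE_FILES.items():
            with open(os.path.join(ipset_dir, name), "w", encoding="ascii") as fh:
                fh.write(body)
        zz_ok, zz_problems = validate_export(os.path.join(ipset_dir, "ZZ.ipset4"), "ZZ")
        entries = [("LOCATIONBLOCK", "src", "DE"),
                   ("FORWARDFW", "dst", "DE"),      # same set, restored only once
                   ("LOCATIONBLOCK", "src", "XX"),  # no export file
                   ("LOCATIONBLOCK", "src", "ZZ"),  # malformed export file
                   ("LOCATIONBLOCK", "src", "de")]  # rejected before any file access
        commands, skipped = plan_location_rules(entries, ipset_dir)
    return zz_ok, zz_problems, commands, skipped


if __name__ == "__main__":
    for item in demo():
        print(item)
```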
rules.pl: Destroy all ipset lists on rule reload.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit bbeb2a5067f72d0f4073a7a183ed6f1f3477765c
Author: Stefan Schantl stefan.schantl@ipfire.org
Date:   Mon Feb 14 19:42:47 2022 +0100
rules.pl: Move flush of LOCATIONBLOCK into main flush() function.
It is required to get rid of all ipset based rules before all of the loaded ipset lists can be destroyed.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
Reviewed-by: Peter Müller peter.mueller@ipfire.org
Reviewed-by: Michael Tremer michael.tremer@ipfire.org
commit 19e5c03f1525b907d62b3a72d586e89ab6e551d1
Author: Stefan Schantl stefan.schantl@ipfire.org
Date:   Mon Feb 14 19:42:46 2022 +0100
location-functions.pl: Remove ending backslash from location_dir variable.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit a5f22bf03cebf33f78bd4ebd1686f8f506789fb9
Author: Stefan Schantl stefan.schantl@ipfire.org
Date:   Mon Feb 14 19:42:45 2022 +0100
location-functions.pl: Rename and set the location for exported databases to "/var/lib/location/ipset/".
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 28965d275ba92f82d583ca9436415e0cb02fe355
Author: Peter Müller peter.mueller@ipfire.org
Date:   Tue Feb 15 18:04:48 2022 +0000
Core Update 165: Ship gdbm
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit ceedba20de1185f24d6abe38bafebdf461be271d
Author: Adolf Belka adolf.belka@ipfire.org
Date:   Tue Feb 15 10:36:18 2022 +0100
gdbm: Update to version 1.23
- Update from 1.20 to 1.23
- Update of rootfile not required
- Changelog
    Version 1.23, 2022-02-04
    * Bucket cache switched from balanced tree to hash table
      Change suggested by Terence Kelly.
    * Speed up flushing the changed buckets on disk
    * New option codes for gdbm_setopt
      ** GDBM_GETDBFORMAT
         Return the database format.
      ** GDBM_GETDIRDEPTH
         Return the directory depth, i.e. the number of initial (most significant) bits in hash value that are interpreted as index to the directory.
      ** GDBM_GETBUCKETSIZE
         Return maximum number of keys per bucket.
      ** GDBM_GETCACHEAUTO
         Return the status of the automatic cache adjustment.
      ** GDBM_SETCACHEAUTO
         Enable or disable automatic cache adjustment.
    Version 1.22, 2021-10-19
    * Fix file header validation
    * Fix key verification in sequential access
    * Fix testing with DejaGNU 1.6.3
    * Fix stack overflow in print_usage
    * Fix a leak of avail entry on pushing a new avail block
      The leak would occur if the original avail table had odd number of entries.
    * New gdbmtool variables: errorexit, errormask, trace, timing
      "Errorexit" and "errormask" control which GDBM errors would cause the program termination and emitting a diagnostic message, correspondingly. Both variables are comma-delimited lists of error codes. The "trace" variable enables tracing of the gdbmtool commands. The "timing" variable, when set, instructs gdbmtool to print time spent in each command it runs.
    * New gdbmtool options: -t (--trace), and -T (--timing)
    Version 1.21, 2021-09-02
    * Crash tolerance
      By default it is possible for an abrupt crash (e.g., power failure, OS kernel panic, or application process crash) to corrupt the gdbm database file. A new Linux-only mechanism enables applications to recover the database state corresponding to the most recent successful gdbm_sync() call before the crash. See the chapter 17 "Crash Tolerance" in the GDBM manual.
    * New database file format: numsync
      The new "numsync" database format is designed to better support crash tolerance. To create a database in numsync format, the gdbm_open (or gdbm_fd_open) function must be given the GDBM_NEWDB|GDBM_NUMSYNC flags. The GDBM_NUMSYNC flag also takes effect when used together with GDBM_WRCREAT, provided that the new file is created. New function gdbm_convert() is provided for converting the databases from standard GDBM format to numsync and vice versa. The gdbmtool tool can also be used for converting databases between these two formats.
    * Changes in gdbmtool
      ** Fix string output in non-ASCII encodings
         Printable multi-byte sequences are correctly represented on output. This also fixes octal representation of unprintable characters.
      ** The filename variable
         This variable supplies the name of database file for use in "open" command, if the latter is called without arguments. If "open" is called with the file name argument, the "filename" variable is initialized to this value.
      ** The fd variable
         If set, its value must be an open file descriptor referring to a GDBM database file. The "open" command will use gdbm_fd_open function to use this file. Upon closing the database, this descriptor will be closed and the variable will be unset. The file descriptor to use can also be supplied using the -d (--db-descriptor) command line option.
      ** The format variable
         Defines the format in which new databases will be created. Allowed values are: "standard" (default) and "numsync".
      ** New commands: upgrade and downgrade
         The "upgrade" command converts current database to the numsync (extended) format. The "downgrade" command converts current database to the standard format.
      ** New command: snapshot
         The "snapshot" command is part of the new crash tolerance support. Given the names of two snapshot files, it analyzes them and selects the one to be used for database recovery. See the GDBM manual, section 17.5 "Manual crash recovery" for a detailed discussion of its use.
Signed-off-by: Adolf Belka adolf.belka@ipfire.org
Reviewed-by: Peter Müller peter.mueller@ipfire.org
commit 5fd4dfe0026f918ba30fa2abd736e86555261ec1
Author: Peter Müller peter.mueller@ipfire.org
Date:   Tue Feb 15 18:04:00 2022 +0000
Core Update 165: Ship ovpnclients.dat
Signed-off-by: Peter Müller peter.mueller@ipfire.org
commit 6e40963459eca547f1857d4e518d920518ff23a5
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Tue Feb 15 13:40:27 2022 +0000
ovpnclients.dat: Fix adjusting input dates
With this patch, we no longer interpret any dates put in by the user as UTC. They used to be converted into local time, although they already were in local time.
This went unnoticed since in Europe we are close (enough) to UTC that there is no significant discrepancy on the report. However, being in North America is enough to generate confusing reports.
Reported-by: Paul kairis@gmail.com
Fixes: #12768
Tested-by: Jon Murphy jon.murphy@ipfire.org
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes:
 config/cfgroot/location-functions.pl         |   4 +-
 config/firewall/firewall-lib.pl              |   4 +-
 config/firewall/p2protocols                  |   9 -
 config/firewall/rules.pl                     |  91 ++--
 config/menu/50-firewall.menu                 |   6 -
 config/rootfiles/common/configroot           |   1 -
 config/rootfiles/common/libloc               | 517 +++++++++++----------
 config/rootfiles/common/perl-Net-HTTP        |   2 +
 config/rootfiles/common/web-user-interface   |   1 -
 config/rootfiles/common/xtables-addons       |  44 --
 config/rootfiles/core/165/filelists/files    |   6 +
 .../{oldcore/164 => core/165}/filelists/gdbm |   0
 config/rootfiles/core/165/update.sh          |  34 +-
 html/cgi-bin/logs.cgi/ovpnclients.dat        |  16 +-
 html/cgi-bin/p2p-block.cgi                   | 154 ------
 lfs/configroot                               |   1 -
 lfs/gdbm                                     |   4 +-
 lfs/libloc                                   |  11 +-
 lfs/xtables-addons                           | 118 -----
 make.sh                                      |   2 -
 src/initscripts/system/firewall              |  14 +-
 src/scripts/update-location-database         |   4 +-
 22 files changed, 390 insertions(+), 653 deletions(-)
 delete mode 100644 config/firewall/p2protocols
 delete mode 100644 config/rootfiles/common/xtables-addons
 copy config/rootfiles/{oldcore/164 => core/165}/filelists/gdbm (100%)
 delete mode 100644 html/cgi-bin/p2p-block.cgi
 delete mode 100644 lfs/xtables-addons
Difference in files: diff --git a/config/cfgroot/location-functions.pl b/config/cfgroot/location-functions.pl index 4d44ce24d..46e27c04a 100644 --- a/config/cfgroot/location-functions.pl +++ b/config/cfgroot/location-functions.pl @@ -44,7 +44,7 @@ my %network_flags = ( my @special_locations = ( "A1", "A2", "A3", "XD" );
# Directory where the libloc database and keyfile lives. -our $location_dir = "/var/lib/location/"; +our $location_dir = "/var/lib/location";
# Libloc database file. our $database = "$location_dir/database.db"; @@ -53,7 +53,7 @@ our $database = "$location_dir/database.db"; our $keyfile = "$location_dir/signing-key.pem";
# Directory which contains the exported databases. -our $xt_geoip_db_directory = "/usr/share/xt_geoip/"; +our $ipset_db_directory = "$location_dir/ipset";
# Create libloc database handle. my $db_handle = &init(); diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl index e7ec30ae0..f4089a3a0 100644 --- a/config/firewall/firewall-lib.pl +++ b/config/firewall/firewall-lib.pl @@ -466,7 +466,7 @@ sub get_address # Get external interface. my $external_interface = &get_external_interface();
- push(@ret, ["-m geoip --src-cc $value", "$external_interface"]); + push(@ret, ["-m set --match-set CC_$value src", "$external_interface"]); }
# Handle rule options with a location as target. @@ -476,7 +476,7 @@ sub get_address # Get external interface. my $external_interface = &get_external_interface();
- push(@ret, ["-m geoip --dst-cc $value", "$external_interface"]); + push(@ret, ["-m set --match-set CC_$value dst", "$external_interface"]); }
# If nothing was selected, we assume "any". diff --git a/config/firewall/p2protocols b/config/firewall/p2protocols deleted file mode 100644 index d8998095c..000000000 --- a/config/firewall/p2protocols +++ /dev/null @@ -1,9 +0,0 @@ -Applejuice;apple;on; -Ares;ares;on; -Bittorrent;bit;on; -DirectConnect;dc;on; -Edonkey;edk;on; -Gnutella;gnu;on; -KaZaA;kazaa;on; -SoulSeek;soul;on; -WinMX;winmx;on; diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index 9d280045a..25d01e0e3 100644 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -31,6 +31,7 @@ require "${General::swroot}/location-functions.pl"; my $DEBUG = 0;
my $IPTABLES = "iptables --wait"; +my $IPSET = "ipset";
# iptables chains my $CHAIN_INPUT = "INPUTFW"; @@ -69,13 +70,11 @@ my %confignatfw=(); my %locationsettings = ( "LOCATIONBLOCK_ENABLED" => "off" ); - -my @p2ps=(); +my %loaded_ipset_lists=();
my $configfwdfw = "${General::swroot}/firewall/config"; my $configinput = "${General::swroot}/firewall/input"; my $configoutgoing = "${General::swroot}/firewall/outgoing"; -my $p2pfile = "${General::swroot}/firewall/p2protocols"; my $locationfile = "${General::swroot}/firewall/locationblock"; my $configgrp = "${General::swroot}/fwhosts/customgroups"; my $netsettings = "${General::swroot}/ethernet/settings"; @@ -107,6 +106,10 @@ my $POLICY_INPUT_ACTION = $fwoptions{"FWPOLICY2"}; my $POLICY_FORWARD_ACTION = $fwoptions{"FWPOLICY"}; my $POLICY_OUTPUT_ACTION = $fwoptions{"FWPOLICY1"};
+#workaround to suppress a warning when a variable is used only once +my @dummy = ( $Location::Functions::ipset_db_directory ); +undef (@dummy); + # MAIN &main();
@@ -114,6 +117,9 @@ sub main { # Flush all chains. &flush();
+ # Destroy all existing ipsets. + run("$IPSET destroy"); + # Prepare firewall rules. if (! -z "${General::swroot}/firewall/input"){ &buildrules(%configinputfw); @@ -125,9 +131,6 @@ sub main { &buildrules(%configfwdfw); }
- # Load P2P block rules. - &p2pblock(); - # Load Location block rules. &locationblock();
@@ -186,6 +189,9 @@ sub flush { run("$IPTABLES -t nat -F $CHAIN_NAT_SOURCE"); run("$IPTABLES -t nat -F $CHAIN_NAT_DESTINATION"); run("$IPTABLES -t mangle -F $CHAIN_MANGLE_NAT_DESTINATION_FIX"); + + # Flush LOCATIONBLOCK chain. + run("$IPTABLES -F LOCATIONBLOCK"); }
sub buildrules { @@ -394,7 +400,19 @@ sub buildrules { my @source_options = (); if ($source =~ /mac/) { push(@source_options, $source); - } elsif ($source =~ /-m geoip/) { + } elsif ($source =~ /-m set/) { + # Grab location code from hash. + my $loc_src = $$hash{$key}[4]; + + # Check if the network list for this country already has been loaded. + unless($loaded_ipset_lists{$loc_src}) { + # Call function to load the networks list for this country. + &ipset_restore($loc_src); + + # Store to the hash that this list has been loaded. + $loaded_ipset_lists{$loc_src} = "1"; + } + push(@source_options, $source); } elsif($source) { push(@source_options, ("-s", $source)); @@ -402,7 +420,19 @@ sub buildrules {
# Prepare destination options. my @destination_options = (); - if ($destination =~ /-m geoip/) { + if ($destination =~ /-m set/) { + # Grab location code from hash. + my $loc_dst = $$hash{$key}[6]; + + # Check if the network list for this country already has been loaded. + unless($loaded_ipset_lists{$loc_dst}) { + # Call function to load the networks list for this country. + &ipset_restore($loc_dst); + + # Store to the hash that this list has been loaded. + $loaded_ipset_lists{$loc_dst} = "1"; + } + push(@destination_options, $destination); } elsif ($destination) { push(@destination_options, ("-d", $destination)); @@ -620,26 +650,8 @@ sub time_convert_to_minutes { return ($hrs * 60) + $min; }
-sub p2pblock { - open(FILE, "<$p2pfile") or die "Unable to read $p2pfile"; - my @protocols = (); - foreach my $p2pentry (<FILE>) { - my @p2pline = split(/;/, $p2pentry); - next unless ($p2pline[2] eq "off"); - - push(@protocols, "--$p2pline[1]"); - } - close(FILE); - - run("$IPTABLES -F P2PBLOCK"); - if (@protocols) { - run("$IPTABLES -A P2PBLOCK -m ipp2p @protocols -j DROP"); - } -} - sub locationblock { - # Flush iptables chain. - run("$IPTABLES -F LOCATIONBLOCK"); + # The LOCATIONBLOCK chain now gets flushed by the flush() function.
# If location blocking is not enabled, we are finished here. if ($locationsettings{'LOCATIONBLOCK_ENABLED'} ne "on") { @@ -665,7 +677,17 @@ sub locationblock { # is enabled. foreach my $location (@locations) { if(exists $locationsettings{$location} && $locationsettings{$location} eq "on") { - run("$IPTABLES -A LOCATIONBLOCK -m geoip --src-cc $location -j DROP"); + # Check if the network list for this country already has been loaded. + unless($loaded_ipset_lists{$location}) { + # Call function to load the networks list for this country. + &ipset_restore($location); + + # Store to the hash that this list has been loaded. + $loaded_ipset_lists{$location} = "1"; + } + + # Call iptables and create rule to use the loaded ipset list. + run("$IPTABLES -A LOCATIONBLOCK -m set --match-set CC_$location src -j DROP"); } } } @@ -882,3 +904,16 @@ sub firewall_is_in_subnet {
return 0; } + +sub ipset_restore ($) { + my ($ccode) = @_; + + my $file_prefix = "ipset4"; + my $db_file = "$Location::Functions::ipset_db_directory/$ccode.$file_prefix"; + + # Check if the generated file exists. + if (-f $db_file) { + # Run ipset and restore the list of the given country code. + run("$IPSET restore < $db_file"); + } +} diff --git a/config/menu/50-firewall.menu b/config/menu/50-firewall.menu index 6ae9687dc..aa67d9007 100644 --- a/config/menu/50-firewall.menu +++ b/config/menu/50-firewall.menu @@ -21,12 +21,6 @@ 'title' => "$Lang::tr{'intrusion detection system'}", 'enabled' => 1, }; - $subfirewall->{'50.p2p'} = { - 'caption' => $Lang::tr{'p2p block'}, - 'uri' => '/cgi-bin/p2p-block.cgi', - 'title' => "P2P-Block", - 'enabled' => 1, - }; $subfirewall->{'60.locationblock'} = { 'caption' => $Lang::tr{'locationblock'}, 'uri' => '/cgi-bin/location-block.cgi', diff --git a/config/rootfiles/common/configroot b/config/rootfiles/common/configroot index 904c718c3..fef5ffbcf 100644 --- a/config/rootfiles/common/configroot +++ b/config/rootfiles/common/configroot @@ -63,7 +63,6 @@ var/ipfire/firewall #var/ipfire/firewall/input #var/ipfire/firewall/locationblock #var/ipfire/firewall/outgoing -#var/ipfire/firewall/p2protocols #var/ipfire/firewall/settings var/ipfire/fwhosts #var/ipfire/fwhosts/customgroups diff --git a/config/rootfiles/common/libloc b/config/rootfiles/common/libloc index 3cfc92706..a87635912 100644 --- a/config/rootfiles/common/libloc +++ b/config/rootfiles/common/libloc 
@@ -36,264 +36,265 @@ usr/lib/python3.10/site-packages/location/i18n.py usr/lib/python3.10/site-packages/location/logger.py #usr/share/locale/de/LC_MESSAGES/libloc.mo #usr/share/man/man3/Location.3 -usr/share/xt_geoip/A1.iv4 -usr/share/xt_geoip/A2.iv4 -usr/share/xt_geoip/A3.iv4 -usr/share/xt_geoip/AD.iv4 -usr/share/xt_geoip/AE.iv4 -usr/share/xt_geoip/AF.iv4 -usr/share/xt_geoip/AG.iv4 -usr/share/xt_geoip/AI.iv4 -usr/share/xt_geoip/AL.iv4 -usr/share/xt_geoip/AM.iv4 -usr/share/xt_geoip/AN.iv4 -usr/share/xt_geoip/AO.iv4 -usr/share/xt_geoip/AP.iv4 -usr/share/xt_geoip/AQ.iv4 -usr/share/xt_geoip/AR.iv4 -usr/share/xt_geoip/AS.iv4 -usr/share/xt_geoip/AT.iv4 -usr/share/xt_geoip/AU.iv4 -usr/share/xt_geoip/AW.iv4 -usr/share/xt_geoip/AX.iv4 -usr/share/xt_geoip/AZ.iv4 -usr/share/xt_geoip/BA.iv4 -usr/share/xt_geoip/BB.iv4 -usr/share/xt_geoip/BD.iv4 -usr/share/xt_geoip/BE.iv4 -usr/share/xt_geoip/BF.iv4 -usr/share/xt_geoip/BG.iv4 -usr/share/xt_geoip/BH.iv4 -usr/share/xt_geoip/BI.iv4 -usr/share/xt_geoip/BJ.iv4 -usr/share/xt_geoip/BL.iv4 -usr/share/xt_geoip/BM.iv4 -usr/share/xt_geoip/BN.iv4 -usr/share/xt_geoip/BO.iv4 -usr/share/xt_geoip/BQ.iv4 -usr/share/xt_geoip/BR.iv4 -usr/share/xt_geoip/BS.iv4 -usr/share/xt_geoip/BT.iv4 -usr/share/xt_geoip/BV.iv4 -usr/share/xt_geoip/BW.iv4 -usr/share/xt_geoip/BY.iv4 -usr/share/xt_geoip/BZ.iv4 -usr/share/xt_geoip/CA.iv4 -usr/share/xt_geoip/CC.iv4 -usr/share/xt_geoip/CD.iv4 -usr/share/xt_geoip/CF.iv4 -usr/share/xt_geoip/CG.iv4 -usr/share/xt_geoip/CH.iv4 -usr/share/xt_geoip/CI.iv4 -usr/share/xt_geoip/CK.iv4 -usr/share/xt_geoip/CL.iv4 -usr/share/xt_geoip/CM.iv4 -usr/share/xt_geoip/CN.iv4 -usr/share/xt_geoip/CO.iv4 -usr/share/xt_geoip/CR.iv4 -usr/share/xt_geoip/CS.iv4 -usr/share/xt_geoip/CU.iv4 -usr/share/xt_geoip/CV.iv4 -usr/share/xt_geoip/CW.iv4 -usr/share/xt_geoip/CX.iv4 -usr/share/xt_geoip/CY.iv4 -usr/share/xt_geoip/CZ.iv4 -usr/share/xt_geoip/DE.iv4 -usr/share/xt_geoip/DJ.iv4 -usr/share/xt_geoip/DK.iv4 -usr/share/xt_geoip/DM.iv4 
-usr/share/xt_geoip/DO.iv4 -usr/share/xt_geoip/DZ.iv4 -usr/share/xt_geoip/EC.iv4 -usr/share/xt_geoip/EE.iv4 -usr/share/xt_geoip/EG.iv4 -usr/share/xt_geoip/EH.iv4 -usr/share/xt_geoip/ER.iv4 -usr/share/xt_geoip/ES.iv4 -usr/share/xt_geoip/ET.iv4 -usr/share/xt_geoip/EU.iv4 -usr/share/xt_geoip/FI.iv4 -usr/share/xt_geoip/FJ.iv4 -usr/share/xt_geoip/FK.iv4 -usr/share/xt_geoip/FM.iv4 -usr/share/xt_geoip/FO.iv4 -usr/share/xt_geoip/FR.iv4 -usr/share/xt_geoip/FX.iv4 -usr/share/xt_geoip/GA.iv4 -usr/share/xt_geoip/GB.iv4 -usr/share/xt_geoip/GD.iv4 -usr/share/xt_geoip/GE.iv4 -usr/share/xt_geoip/GF.iv4 -usr/share/xt_geoip/GG.iv4 -usr/share/xt_geoip/GH.iv4 -usr/share/xt_geoip/GI.iv4 -usr/share/xt_geoip/GL.iv4 -usr/share/xt_geoip/GM.iv4 -usr/share/xt_geoip/GN.iv4 -usr/share/xt_geoip/GP.iv4 -usr/share/xt_geoip/GQ.iv4 -usr/share/xt_geoip/GR.iv4 -usr/share/xt_geoip/GS.iv4 -usr/share/xt_geoip/GT.iv4 -usr/share/xt_geoip/GU.iv4 -usr/share/xt_geoip/GW.iv4 -usr/share/xt_geoip/GY.iv4 -usr/share/xt_geoip/HK.iv4 -usr/share/xt_geoip/HM.iv4 -usr/share/xt_geoip/HN.iv4 -usr/share/xt_geoip/HR.iv4 -usr/share/xt_geoip/HT.iv4 -usr/share/xt_geoip/HU.iv4 -usr/share/xt_geoip/ID.iv4 -usr/share/xt_geoip/IE.iv4 -usr/share/xt_geoip/IL.iv4 -usr/share/xt_geoip/IM.iv4 -usr/share/xt_geoip/IN.iv4 -usr/share/xt_geoip/IO.iv4 -usr/share/xt_geoip/IQ.iv4 -usr/share/xt_geoip/IR.iv4 -usr/share/xt_geoip/IS.iv4 -usr/share/xt_geoip/IT.iv4 -usr/share/xt_geoip/JE.iv4 -usr/share/xt_geoip/JM.iv4 -usr/share/xt_geoip/JO.iv4 -usr/share/xt_geoip/JP.iv4 -usr/share/xt_geoip/KE.iv4 -usr/share/xt_geoip/KG.iv4 -usr/share/xt_geoip/KH.iv4 -usr/share/xt_geoip/KI.iv4 -usr/share/xt_geoip/KM.iv4 -usr/share/xt_geoip/KN.iv4 -usr/share/xt_geoip/KP.iv4 -usr/share/xt_geoip/KR.iv4 -usr/share/xt_geoip/KW.iv4 -usr/share/xt_geoip/KY.iv4 -usr/share/xt_geoip/KZ.iv4 -usr/share/xt_geoip/LA.iv4 -usr/share/xt_geoip/LB.iv4 -usr/share/xt_geoip/LC.iv4 -usr/share/xt_geoip/LI.iv4 -usr/share/xt_geoip/LK.iv4 -usr/share/xt_geoip/LR.iv4 -usr/share/xt_geoip/LS.iv4 
-usr/share/xt_geoip/LT.iv4 -usr/share/xt_geoip/LU.iv4 -usr/share/xt_geoip/LV.iv4 -usr/share/xt_geoip/LY.iv4 -usr/share/xt_geoip/MA.iv4 -usr/share/xt_geoip/MC.iv4 -usr/share/xt_geoip/MD.iv4 -usr/share/xt_geoip/ME.iv4 -usr/share/xt_geoip/MF.iv4 -usr/share/xt_geoip/MG.iv4 -usr/share/xt_geoip/MH.iv4 -usr/share/xt_geoip/MK.iv4 -usr/share/xt_geoip/ML.iv4 -usr/share/xt_geoip/MM.iv4 -usr/share/xt_geoip/MN.iv4 -usr/share/xt_geoip/MO.iv4 -usr/share/xt_geoip/MP.iv4 -usr/share/xt_geoip/MQ.iv4 -usr/share/xt_geoip/MR.iv4 -usr/share/xt_geoip/MS.iv4 -usr/share/xt_geoip/MT.iv4 -usr/share/xt_geoip/MU.iv4 -usr/share/xt_geoip/MV.iv4 -usr/share/xt_geoip/MW.iv4 -usr/share/xt_geoip/MX.iv4 -usr/share/xt_geoip/MY.iv4 -usr/share/xt_geoip/MZ.iv4 -usr/share/xt_geoip/NA.iv4 -usr/share/xt_geoip/NC.iv4 -usr/share/xt_geoip/NE.iv4 -usr/share/xt_geoip/NF.iv4 -usr/share/xt_geoip/NG.iv4 -usr/share/xt_geoip/NI.iv4 -usr/share/xt_geoip/NL.iv4 -usr/share/xt_geoip/NO.iv4 -usr/share/xt_geoip/NP.iv4 -usr/share/xt_geoip/NR.iv4 -usr/share/xt_geoip/NU.iv4 -usr/share/xt_geoip/NZ.iv4 -usr/share/xt_geoip/OM.iv4 -usr/share/xt_geoip/PA.iv4 -usr/share/xt_geoip/PE.iv4 -usr/share/xt_geoip/PF.iv4 -usr/share/xt_geoip/PG.iv4 -usr/share/xt_geoip/PH.iv4 -usr/share/xt_geoip/PK.iv4 -usr/share/xt_geoip/PL.iv4 -usr/share/xt_geoip/PM.iv4 -usr/share/xt_geoip/PN.iv4 -usr/share/xt_geoip/PR.iv4 -usr/share/xt_geoip/PS.iv4 -usr/share/xt_geoip/PT.iv4 -usr/share/xt_geoip/PW.iv4 -usr/share/xt_geoip/PY.iv4 -usr/share/xt_geoip/QA.iv4 -usr/share/xt_geoip/RE.iv4 -usr/share/xt_geoip/RO.iv4 -usr/share/xt_geoip/RS.iv4 -usr/share/xt_geoip/RU.iv4 -usr/share/xt_geoip/RW.iv4 -usr/share/xt_geoip/SA.iv4 -usr/share/xt_geoip/SB.iv4 -usr/share/xt_geoip/SC.iv4 -usr/share/xt_geoip/SD.iv4 -usr/share/xt_geoip/SE.iv4 -usr/share/xt_geoip/SG.iv4 -usr/share/xt_geoip/SH.iv4 -usr/share/xt_geoip/SI.iv4 -usr/share/xt_geoip/SJ.iv4 -usr/share/xt_geoip/SK.iv4 -usr/share/xt_geoip/SL.iv4 -usr/share/xt_geoip/SM.iv4 -usr/share/xt_geoip/SN.iv4 -usr/share/xt_geoip/SO.iv4 
-usr/share/xt_geoip/SR.iv4 -usr/share/xt_geoip/SS.iv4 -usr/share/xt_geoip/ST.iv4 -usr/share/xt_geoip/SV.iv4 -usr/share/xt_geoip/SX.iv4 -usr/share/xt_geoip/SY.iv4 -usr/share/xt_geoip/SZ.iv4 -usr/share/xt_geoip/TC.iv4 -usr/share/xt_geoip/TD.iv4 -usr/share/xt_geoip/TF.iv4 -usr/share/xt_geoip/TG.iv4 -usr/share/xt_geoip/TH.iv4 -usr/share/xt_geoip/TJ.iv4 -usr/share/xt_geoip/TK.iv4 -usr/share/xt_geoip/TL.iv4 -usr/share/xt_geoip/TM.iv4 -usr/share/xt_geoip/TN.iv4 -usr/share/xt_geoip/TO.iv4 -usr/share/xt_geoip/TR.iv4 -usr/share/xt_geoip/TT.iv4 -usr/share/xt_geoip/TV.iv4 -usr/share/xt_geoip/TW.iv4 -usr/share/xt_geoip/TZ.iv4 -usr/share/xt_geoip/UA.iv4 -usr/share/xt_geoip/UG.iv4 -usr/share/xt_geoip/UM.iv4 -usr/share/xt_geoip/US.iv4 -usr/share/xt_geoip/UY.iv4 -usr/share/xt_geoip/UZ.iv4 -usr/share/xt_geoip/VA.iv4 -usr/share/xt_geoip/VC.iv4 -usr/share/xt_geoip/VE.iv4 -usr/share/xt_geoip/VG.iv4 -usr/share/xt_geoip/VI.iv4 -usr/share/xt_geoip/VN.iv4 -usr/share/xt_geoip/VU.iv4 -usr/share/xt_geoip/WF.iv4 -usr/share/xt_geoip/WS.iv4 -usr/share/xt_geoip/XD.iv4 -usr/share/xt_geoip/YE.iv4 -usr/share/xt_geoip/YT.iv4 -usr/share/xt_geoip/ZA.iv4 -usr/share/xt_geoip/ZM.iv4 -usr/share/xt_geoip/ZW.iv4 #var/lib/location var/lib/location/database.db +var/lib/location/ipset +var/lib/location/ipset/A1.ipset4 +var/lib/location/ipset/A2.ipset4 +var/lib/location/ipset/A3.ipset4 +var/lib/location/ipset/AD.ipset4 +var/lib/location/ipset/AE.ipset4 +var/lib/location/ipset/AF.ipset4 +var/lib/location/ipset/AG.ipset4 +var/lib/location/ipset/AI.ipset4 +var/lib/location/ipset/AL.ipset4 +var/lib/location/ipset/AM.ipset4 +var/lib/location/ipset/AN.ipset4 +var/lib/location/ipset/AO.ipset4 +var/lib/location/ipset/AP.ipset4 +var/lib/location/ipset/AQ.ipset4 +var/lib/location/ipset/AR.ipset4 +var/lib/location/ipset/AS.ipset4 +var/lib/location/ipset/AT.ipset4 +var/lib/location/ipset/AU.ipset4 +var/lib/location/ipset/AW.ipset4 +var/lib/location/ipset/AX.ipset4 +var/lib/location/ipset/AZ.ipset4 
+var/lib/location/ipset/BA.ipset4 +var/lib/location/ipset/BB.ipset4 +var/lib/location/ipset/BD.ipset4 +var/lib/location/ipset/BE.ipset4 +var/lib/location/ipset/BF.ipset4 +var/lib/location/ipset/BG.ipset4 +var/lib/location/ipset/BH.ipset4 +var/lib/location/ipset/BI.ipset4 +var/lib/location/ipset/BJ.ipset4 +var/lib/location/ipset/BL.ipset4 +var/lib/location/ipset/BM.ipset4 +var/lib/location/ipset/BN.ipset4 +var/lib/location/ipset/BO.ipset4 +var/lib/location/ipset/BQ.ipset4 +var/lib/location/ipset/BR.ipset4 +var/lib/location/ipset/BS.ipset4 +var/lib/location/ipset/BT.ipset4 +var/lib/location/ipset/BV.ipset4 +var/lib/location/ipset/BW.ipset4 +var/lib/location/ipset/BY.ipset4 +var/lib/location/ipset/BZ.ipset4 +var/lib/location/ipset/CA.ipset4 +var/lib/location/ipset/CC.ipset4 +var/lib/location/ipset/CD.ipset4 +var/lib/location/ipset/CF.ipset4 +var/lib/location/ipset/CG.ipset4 +var/lib/location/ipset/CH.ipset4 +var/lib/location/ipset/CI.ipset4 +var/lib/location/ipset/CK.ipset4 +var/lib/location/ipset/CL.ipset4 +var/lib/location/ipset/CM.ipset4 +var/lib/location/ipset/CN.ipset4 +var/lib/location/ipset/CO.ipset4 +var/lib/location/ipset/CR.ipset4 +var/lib/location/ipset/CS.ipset4 +var/lib/location/ipset/CU.ipset4 +var/lib/location/ipset/CV.ipset4 +var/lib/location/ipset/CW.ipset4 +var/lib/location/ipset/CX.ipset4 +var/lib/location/ipset/CY.ipset4 +var/lib/location/ipset/CZ.ipset4 +var/lib/location/ipset/DE.ipset4 +var/lib/location/ipset/DJ.ipset4 +var/lib/location/ipset/DK.ipset4 +var/lib/location/ipset/DM.ipset4 +var/lib/location/ipset/DO.ipset4 +var/lib/location/ipset/DZ.ipset4 +var/lib/location/ipset/EC.ipset4 +var/lib/location/ipset/EE.ipset4 +var/lib/location/ipset/EG.ipset4 +var/lib/location/ipset/EH.ipset4 +var/lib/location/ipset/ER.ipset4 +var/lib/location/ipset/ES.ipset4 +var/lib/location/ipset/ET.ipset4 +var/lib/location/ipset/EU.ipset4 +var/lib/location/ipset/FI.ipset4 +var/lib/location/ipset/FJ.ipset4 +var/lib/location/ipset/FK.ipset4 
+var/lib/location/ipset/FM.ipset4 +var/lib/location/ipset/FO.ipset4 +var/lib/location/ipset/FR.ipset4 +var/lib/location/ipset/FX.ipset4 +var/lib/location/ipset/GA.ipset4 +var/lib/location/ipset/GB.ipset4 +var/lib/location/ipset/GD.ipset4 +var/lib/location/ipset/GE.ipset4 +var/lib/location/ipset/GF.ipset4 +var/lib/location/ipset/GG.ipset4 +var/lib/location/ipset/GH.ipset4 +var/lib/location/ipset/GI.ipset4 +var/lib/location/ipset/GL.ipset4 +var/lib/location/ipset/GM.ipset4 +var/lib/location/ipset/GN.ipset4 +var/lib/location/ipset/GP.ipset4 +var/lib/location/ipset/GQ.ipset4 +var/lib/location/ipset/GR.ipset4 +var/lib/location/ipset/GS.ipset4 +var/lib/location/ipset/GT.ipset4 +var/lib/location/ipset/GU.ipset4 +var/lib/location/ipset/GW.ipset4 +var/lib/location/ipset/GY.ipset4 +var/lib/location/ipset/HK.ipset4 +var/lib/location/ipset/HM.ipset4 +var/lib/location/ipset/HN.ipset4 +var/lib/location/ipset/HR.ipset4 +var/lib/location/ipset/HT.ipset4 +var/lib/location/ipset/HU.ipset4 +var/lib/location/ipset/ID.ipset4 +var/lib/location/ipset/IE.ipset4 +var/lib/location/ipset/IL.ipset4 +var/lib/location/ipset/IM.ipset4 +var/lib/location/ipset/IN.ipset4 +var/lib/location/ipset/IO.ipset4 +var/lib/location/ipset/IQ.ipset4 +var/lib/location/ipset/IR.ipset4 +var/lib/location/ipset/IS.ipset4 +var/lib/location/ipset/IT.ipset4 +var/lib/location/ipset/JE.ipset4 +var/lib/location/ipset/JM.ipset4 +var/lib/location/ipset/JO.ipset4 +var/lib/location/ipset/JP.ipset4 +var/lib/location/ipset/KE.ipset4 +var/lib/location/ipset/KG.ipset4 +var/lib/location/ipset/KH.ipset4 +var/lib/location/ipset/KI.ipset4 +var/lib/location/ipset/KM.ipset4 +var/lib/location/ipset/KN.ipset4 +var/lib/location/ipset/KP.ipset4 +var/lib/location/ipset/KR.ipset4 +var/lib/location/ipset/KW.ipset4 +var/lib/location/ipset/KY.ipset4 +var/lib/location/ipset/KZ.ipset4 +var/lib/location/ipset/LA.ipset4 +var/lib/location/ipset/LB.ipset4 +var/lib/location/ipset/LC.ipset4 +var/lib/location/ipset/LI.ipset4 
+var/lib/location/ipset/LK.ipset4 +var/lib/location/ipset/LR.ipset4 +var/lib/location/ipset/LS.ipset4 +var/lib/location/ipset/LT.ipset4 +var/lib/location/ipset/LU.ipset4 +var/lib/location/ipset/LV.ipset4 +var/lib/location/ipset/LY.ipset4 +var/lib/location/ipset/MA.ipset4 +var/lib/location/ipset/MC.ipset4 +var/lib/location/ipset/MD.ipset4 +var/lib/location/ipset/ME.ipset4 +var/lib/location/ipset/MF.ipset4 +var/lib/location/ipset/MG.ipset4 +var/lib/location/ipset/MH.ipset4 +var/lib/location/ipset/MK.ipset4 +var/lib/location/ipset/ML.ipset4 +var/lib/location/ipset/MM.ipset4 +var/lib/location/ipset/MN.ipset4 +var/lib/location/ipset/MO.ipset4 +var/lib/location/ipset/MP.ipset4 +var/lib/location/ipset/MQ.ipset4 +var/lib/location/ipset/MR.ipset4 +var/lib/location/ipset/MS.ipset4 +var/lib/location/ipset/MT.ipset4 +var/lib/location/ipset/MU.ipset4 +var/lib/location/ipset/MV.ipset4 +var/lib/location/ipset/MW.ipset4 +var/lib/location/ipset/MX.ipset4 +var/lib/location/ipset/MY.ipset4 +var/lib/location/ipset/MZ.ipset4 +var/lib/location/ipset/NA.ipset4 +var/lib/location/ipset/NC.ipset4 +var/lib/location/ipset/NE.ipset4 +var/lib/location/ipset/NF.ipset4 +var/lib/location/ipset/NG.ipset4 +var/lib/location/ipset/NI.ipset4 +var/lib/location/ipset/NL.ipset4 +var/lib/location/ipset/NO.ipset4 +var/lib/location/ipset/NP.ipset4 +var/lib/location/ipset/NR.ipset4 +var/lib/location/ipset/NU.ipset4 +var/lib/location/ipset/NZ.ipset4 +var/lib/location/ipset/OM.ipset4 +var/lib/location/ipset/PA.ipset4 +var/lib/location/ipset/PE.ipset4 +var/lib/location/ipset/PF.ipset4 +var/lib/location/ipset/PG.ipset4 +var/lib/location/ipset/PH.ipset4 +var/lib/location/ipset/PK.ipset4 +var/lib/location/ipset/PL.ipset4 +var/lib/location/ipset/PM.ipset4 +var/lib/location/ipset/PN.ipset4 +var/lib/location/ipset/PR.ipset4 +var/lib/location/ipset/PS.ipset4 +var/lib/location/ipset/PT.ipset4 +var/lib/location/ipset/PW.ipset4 +var/lib/location/ipset/PY.ipset4 +var/lib/location/ipset/QA.ipset4 
+var/lib/location/ipset/RE.ipset4 +var/lib/location/ipset/RO.ipset4 +var/lib/location/ipset/RS.ipset4 +var/lib/location/ipset/RU.ipset4 +var/lib/location/ipset/RW.ipset4 +var/lib/location/ipset/SA.ipset4 +var/lib/location/ipset/SB.ipset4 +var/lib/location/ipset/SC.ipset4 +var/lib/location/ipset/SD.ipset4 +var/lib/location/ipset/SE.ipset4 +var/lib/location/ipset/SG.ipset4 +var/lib/location/ipset/SH.ipset4 +var/lib/location/ipset/SI.ipset4 +var/lib/location/ipset/SJ.ipset4 +var/lib/location/ipset/SK.ipset4 +var/lib/location/ipset/SL.ipset4 +var/lib/location/ipset/SM.ipset4 +var/lib/location/ipset/SN.ipset4 +var/lib/location/ipset/SO.ipset4 +var/lib/location/ipset/SR.ipset4 +var/lib/location/ipset/SS.ipset4 +var/lib/location/ipset/ST.ipset4 +var/lib/location/ipset/SV.ipset4 +var/lib/location/ipset/SX.ipset4 +var/lib/location/ipset/SY.ipset4 +var/lib/location/ipset/SZ.ipset4 +var/lib/location/ipset/TC.ipset4 +var/lib/location/ipset/TD.ipset4 +var/lib/location/ipset/TF.ipset4 +var/lib/location/ipset/TG.ipset4 +var/lib/location/ipset/TH.ipset4 +var/lib/location/ipset/TJ.ipset4 +var/lib/location/ipset/TK.ipset4 +var/lib/location/ipset/TL.ipset4 +var/lib/location/ipset/TM.ipset4 +var/lib/location/ipset/TN.ipset4 +var/lib/location/ipset/TO.ipset4 +var/lib/location/ipset/TR.ipset4 +var/lib/location/ipset/TT.ipset4 +var/lib/location/ipset/TV.ipset4 +var/lib/location/ipset/TW.ipset4 +var/lib/location/ipset/TZ.ipset4 +var/lib/location/ipset/UA.ipset4 +var/lib/location/ipset/UG.ipset4 +var/lib/location/ipset/UM.ipset4 +var/lib/location/ipset/US.ipset4 +var/lib/location/ipset/UY.ipset4 +var/lib/location/ipset/UZ.ipset4 +var/lib/location/ipset/VA.ipset4 +var/lib/location/ipset/VC.ipset4 +var/lib/location/ipset/VE.ipset4 +var/lib/location/ipset/VG.ipset4 +var/lib/location/ipset/VI.ipset4 +var/lib/location/ipset/VN.ipset4 +var/lib/location/ipset/VU.ipset4 +var/lib/location/ipset/WF.ipset4 +var/lib/location/ipset/WS.ipset4 +var/lib/location/ipset/XD.ipset4 
+var/lib/location/ipset/YE.ipset4 +var/lib/location/ipset/YT.ipset4 +var/lib/location/ipset/ZA.ipset4 +var/lib/location/ipset/ZM.ipset4 +var/lib/location/ipset/ZW.ipset4 var/lib/location/signing-key.pem diff --git a/config/rootfiles/common/perl-Net-HTTP b/config/rootfiles/common/perl-Net-HTTP index 4c09cd61f..a61d6d216 100644 --- a/config/rootfiles/common/perl-Net-HTTP +++ b/config/rootfiles/common/perl-Net-HTTP @@ -1,8 +1,10 @@ +#usr/lib/perl5/site_perl/5.32.1/Net #usr/lib/perl5/site_perl/5.32.1/Net/HTTP usr/lib/perl5/site_perl/5.32.1/Net/HTTP.pm usr/lib/perl5/site_perl/5.32.1/Net/HTTP/Methods.pm usr/lib/perl5/site_perl/5.32.1/Net/HTTP/NB.pm usr/lib/perl5/site_perl/5.32.1/Net/HTTPS.pm +#usr/lib/perl5/site_perl/5.32.1/xxxMACHINExxx-linux-thread-multi/auto/Net #usr/lib/perl5/site_perl/5.32.1/xxxMACHINExxx-linux-thread-multi/auto/Net/HTTP #usr/lib/perl5/site_perl/5.32.1/xxxMACHINExxx-linux-thread-multi/auto/Net/HTTP/.packlist #usr/share/man/man3/Net::HTTP.3 diff --git a/config/rootfiles/common/web-user-interface b/config/rootfiles/common/web-user-interface index a908053b1..a5973f9e4 100644 --- a/config/rootfiles/common/web-user-interface +++ b/config/rootfiles/common/web-user-interface @@ -62,7 +62,6 @@ srv/web/ipfire/cgi-bin/netovpnrw.cgi srv/web/ipfire/cgi-bin/netovpnsrv.cgi srv/web/ipfire/cgi-bin/optionsfw.cgi srv/web/ipfire/cgi-bin/ovpnmain.cgi -srv/web/ipfire/cgi-bin/p2p-block.cgi srv/web/ipfire/cgi-bin/pakfire.cgi srv/web/ipfire/cgi-bin/pppsetup.cgi srv/web/ipfire/cgi-bin/proxy.cgi diff --git a/config/rootfiles/common/xtables-addons b/config/rootfiles/common/xtables-addons deleted file mode 100644 index 51b0d208d..000000000 --- a/config/rootfiles/common/xtables-addons +++ /dev/null 
@@ -1,44 +0,0 @@ -lib/xtables/libxt_ACCOUNT.so -lib/xtables/libxt_CHAOS.so -lib/xtables/libxt_DELUDE.so -lib/xtables/libxt_DHCPMAC.so -lib/xtables/libxt_DNETMAP.so -lib/xtables/libxt_ECHO.so -lib/xtables/libxt_IPMARK.so -lib/xtables/libxt_LOGMARK.so -lib/xtables/libxt_PROTO.so -lib/xtables/libxt_SYSRQ.so -lib/xtables/libxt_TARPIT.so -lib/xtables/libxt_condition.so -lib/xtables/libxt_dhcpmac.so -lib/xtables/libxt_fuzzy.so -lib/xtables/libxt_geoip.so -lib/xtables/libxt_gradm.so -lib/xtables/libxt_iface.so -lib/xtables/libxt_ipp2p.so -lib/xtables/libxt_ipv4options.so -lib/xtables/libxt_length2.so -lib/xtables/libxt_lscan.so -lib/xtables/libxt_pknock.so -lib/xtables/libxt_psd.so -lib/xtables/libxt_quota2.so -usr/bin/xt_geoip_query -#usr/lib/libxt_ACCOUNT_cl.la -#usr/lib/libxt_ACCOUNT_cl.so -usr/lib/libxt_ACCOUNT_cl.so.0 -usr/lib/libxt_ACCOUNT_cl.so.0.0.0 -#usr/libexec/xtables-addons -#usr/libexec/xtables-addons/xt_geoip_build -#usr/libexec/xtables-addons/xt_geoip_build_maxmind -#usr/libexec/xtables-addons/xt_geoip_dl -#usr/libexec/xtables-addons/xt_geoip_dl_maxmind -usr/sbin/iptaccount -usr/sbin/pknlusr -#usr/share/man/man1/xt_geoip_build.1 -#usr/share/man/man1/xt_geoip_build_maxmind.1 -#usr/share/man/man1/xt_geoip_dl.1 -#usr/share/man/man1/xt_geoip_dl_maxmind.1 -#usr/share/man/man1/xt_geoip_query.1 -#usr/share/man/man8/iptaccount.8 -#usr/share/man/man8/pknlusr.8 -#usr/share/man/man8/xtables-addons.8 diff --git a/config/rootfiles/core/165/filelists/files b/config/rootfiles/core/165/filelists/files index 2b400507a..3e1059ca0 100644 --- a/config/rootfiles/core/165/filelists/files +++ b/config/rootfiles/core/165/filelists/files 
@@ -1,12 +1,18 @@ +etc/rc.d/init.d/firewall opt/pakfire/etc/pakfire.conf opt/pakfire/lib/functions.pl srv/web/ipfire/cgi-bin/backup.cgi srv/web/ipfire/cgi-bin/firewall.cgi +srv/web/ipfire/cgi-bin/logs.cgi/ovpnclients.dat srv/web/ipfire/cgi-bin/media.cgi srv/web/ipfire/cgi-bin/pakfire.cgi srv/web/ipfire/cgi-bin/qos.cgi srv/web/ipfire/html/themes/ipfire/include/css/style.css usr/lib/firewall/firewall-lib.pl +usr/lib/firewall/rules.pl +usr/local/bin/update-location-database usr/sbin/setup var/ipfire/ids-functions.pl +var/ipfire/location-functions.pl var/ipfire/main/manualpages +var/ipfire/menu.d/50-firewall.menu diff --git a/config/rootfiles/core/165/filelists/gdbm b/config/rootfiles/core/165/filelists/gdbm new file mode 120000 index 000000000..ecf63bf59 --- /dev/null +++ b/config/rootfiles/core/165/filelists/gdbm @@ -0,0 +1 @@ +../../../common/gdbm \ No newline at end of file diff --git a/config/rootfiles/core/165/update.sh b/config/rootfiles/core/165/update.sh index 7e534672d..7371d047a 100644 --- a/config/rootfiles/core/165/update.sh +++ b/config/rootfiles/core/165/update.sh @@ -53,6 +53,31 @@ fi
# Remove files rm -rvf \ + /lib/xtables/libxt_ACCOUNT.so \ + /lib/xtables/libxt_CHAOS.so \ + /lib/xtables/libxt_condition.so \ + /lib/xtables/libxt_DELUDE.so \ + /lib/xtables/libxt_dhcpmac.so \ + /lib/xtables/libxt_DHCPMAC.so \ + /lib/xtables/libxt_DNETMAP.so \ + /lib/xtables/libxt_ECHO.so \ + /lib/xtables/libxt_fuzzy.so \ + /lib/xtables/libxt_geoip.so \ + /lib/xtables/libxt_gradm.so \ + /lib/xtables/libxt_iface.so \ + /lib/xtables/libxt_IPMARK.so \ + /lib/xtables/libxt_ipp2p.so \ + /lib/xtables/libxt_ipv4options.so \ + /lib/xtables/libxt_length2.so \ + /lib/xtables/libxt_LOGMARK.so \ + /lib/xtables/libxt_lscan.so \ + /lib/xtables/libxt_pknock.so \ + /lib/xtables/libxt_PROTO.so \ + /lib/xtables/libxt_psd.so \ + /lib/xtables/libxt_quota2.so \ + /lib/xtables/libxt_SYSRQ.so \ + /lib/xtables/libxt_TARPIT.so \ + /srv/web/ipfire/cgi-bin/p2p-block.cgi \ /usr/bin/2to3-3.8 \ /usr/bin/easy_install-3.8 \ /usr/bin/idle3.8 \ @@ -60,9 +85,15 @@ rm -rvf \ /usr/bin/pydoc3.8 \ /usr/bin/python3.8 \ /usr/bin/python3.8-config \ + /usr/bin/xt_geoip_query \ /usr/lib/libpython3.8.so \ /usr/lib/libpython3.8.so.1.0 \ - /usr/lib/python3.8/ + /usr/lib/libxt_ACCOUNT_cl.so* \ + /usr/lib/python3.8/ \ + /usr/sbin/iptaccount \ + /usr/sbin/pknlusr \ + /usr/share/xt_geoip/ \ + /var/ipfire/firewall/p2protocols
# Stop services
@@ -80,6 +111,7 @@ ldconfig
# Start services telinit u +/etc/rc.d/init.d/firewall restart
# This update needs a reboot... touch /var/run/need_reboot diff --git a/html/cgi-bin/logs.cgi/ovpnclients.dat b/html/cgi-bin/logs.cgi/ovpnclients.dat index 5e2c1ff49..100573214 100755 --- a/html/cgi-bin/logs.cgi/ovpnclients.dat +++ b/html/cgi-bin/logs.cgi/ovpnclients.dat @@ -115,16 +115,16 @@ my $database_query = qq( common_name, SUM( STRFTIME('%s', ( CASE - WHEN DATETIME(COALESCE(disconnected_at, CURRENT_TIMESTAMP), 'localtime') < DATETIME('$to_datestring', 'localtime', 'start of day', '+86399 seconds') + WHEN DATETIME(COALESCE(disconnected_at, CURRENT_TIMESTAMP), 'localtime') < DATETIME('$to_datestring', 'start of day', '+86399 seconds') THEN DATETIME(COALESCE(disconnected_at, CURRENT_TIMESTAMP), 'localtime') - ELSE DATETIME('$to_datestring', 'localtime', 'start of day', '+86399 seconds') + ELSE DATETIME('$to_datestring', 'start of day', '+86399 seconds') END ), 'utc') - STRFTIME('%s', ( CASE - WHEN DATETIME(connected_at, 'localtime') > DATETIME('$from_datestring', 'localtime', 'start of day') + WHEN DATETIME(connected_at, 'localtime') > DATETIME('$from_datestring', 'start of day') THEN DATETIME(connected_at, 'localtime') - ELSE DATETIME('$from_datestring', 'localtime', 'start of day') + ELSE DATETIME('$from_datestring', 'start of day') END ), 'utc') ) AS duration @@ -133,10 +133,10 @@ my $database_query = qq( ( disconnected_at IS NULL OR - DATETIME(disconnected_at, 'localtime') > DATETIME('$from_datestring', 'localtime', 'start of day') + DATETIME(disconnected_at, 'localtime') > DATETIME('$from_datestring', 'start of day') ) AND - DATETIME(connected_at, 'localtime') < DATETIME('$to_datestring', 'localtime', 'start of day', '+86399 seconds') + DATETIME(connected_at, 'localtime') < DATETIME('$to_datestring', 'start of day', '+86399 seconds') GROUP BY common_name ORDER BY common_name, duration DESC; ); 
@@ -148,9 +148,9 @@ if ($cgiparams{'CONNECTION_NAME'}) { WHERE common_name = '$cgiparams{"CONNECTION_NAME"}' AND ( - DATETIME(disconnected_at, 'localtime') > DATETIME('$from_datestring', 'localtime', 'start of day') + DATETIME(disconnected_at, 'localtime') > DATETIME('$from_datestring', 'start of day') AND - DATETIME(connected_at, 'localtime') < DATETIME('$to_datestring', 'localtime', 'start of day', '+86399 seconds') + DATETIME(connected_at, 'localtime') < DATETIME('$to_datestring', 'start of day', '+86399 seconds') ) ORDER BY connected_at; ); diff --git a/html/cgi-bin/p2p-block.cgi b/html/cgi-bin/p2p-block.cgi deleted file mode 100644 index d14725504..000000000 --- a/html/cgi-bin/p2p-block.cgi +++ /dev/null 
@@ -1,154 +0,0 @@ -#!/usr/bin/perl -############################################################################### -# # -# IPFire.org - A linux based firewall # -# Copyright (C) 2013 # -# # -# This program is free software: you can redistribute it and/or modify # -# it under the terms of the GNU General Public License as published by # -# the Free Software Foundation, either version 3 of the License, or # -# (at your option) any later version. # -# # -# This program is distributed in the hope that it will be useful, # -# but WITHOUT ANY WARRANTY; without even the implied warranty of # -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # -# GNU General Public License for more details. # -# # -# You should have received a copy of the GNU General Public License # -# along with this program. If not, see http://www.gnu.org/licenses/. # -# # -############################################################################### -# Author: Alexander Marx (Amarx@ipfire.org) # -############################################################################### - -use strict; -no warnings 'uninitialized'; -# enable only the following on debugging purpose -#use warnings; -#use CGI::Carp 'fatalsToBrowser'; - -require '/var/ipfire/general-functions.pl'; -require "${General::swroot}/lang.pl"; -require "${General::swroot}/header.pl"; - -my $errormessage = ''; -my $notice; -my $p2pfile = "${General::swroot}/firewall/p2protocols"; - -my @p2ps = (); -my %fwdfwsettings = (); -my %color = (); -my %mainsettings = (); - -&General::readhash("${General::swroot}/main/settings", %mainsettings); -&General::readhash("/srv/web/ipfire/html/themes/ipfire/include/colors.txt", %color); - -&Header::showhttpheaders(); -&Header::getcgihash(%fwdfwsettings); - -if ($fwdfwsettings{'ACTION'} eq 'togglep2p') { - open( FILE, "<$p2pfile") or die "Unable to read $p2pfile"; - @p2ps = <FILE>; - close FILE; - open( FILE, ">$p2pfile") or die "Unable to write $p2pfile"; - foreach my $p2pentry (sort @p2ps) { - 
my @p2pline = split( /;/, $p2pentry); - if ($p2pline[1] eq $fwdfwsettings{'P2PROT'}) { - if ($p2pline[2] eq 'on') { - $p2pline[2] = 'off'; - } else { - $p2pline[2] = 'on'; - } - } - print FILE "$p2pline[0];$p2pline[1];$p2pline[2];\n"; - } - close FILE; - - &General::firewall_config_changed(); - - $notice = $Lang::tr{'p2p block save notice'}; -} - -&Header::openpage($Lang::tr{'p2p block'}, 1, ''); -&Header::openbigbox('100%', 'center', $errormessage); - -if ($notice) { - &Header::openbox('100%', 'left', $Lang::tr{'notice'}); - print "<font class='base'>$notice</font>"; - &Header::closebox(); -} - -my $gif; - -open(FILE, "<$p2pfile") or die "Unable to read $p2pfile"; -@p2ps = <FILE>; -close FILE; - -&Header::openbox('100%', 'center',); -print <<END; - <table width='35%' class='tbl'> - <tr> - <th align='center' colspan='2' bgcolor='$color{'color22'}' > - <b>$Lang::tr{'protocol'}</b> - </th> - <th align='center' bgcolor='$color{'color22'}' > - <b>$Lang::tr{'status'}</b> - </th> - </tr> -END -my $lines=0; -my $col=""; -foreach my $p2pentry (sort @p2ps) { - my @p2pline = split( /;/, $p2pentry); - if ($p2pline[2] eq 'on') { - $gif = "/images/on.gif" - } else { - $gif = "/images/off.gif" - } - if ($lines % 2) { - print "<tr>"; - $col="bgcolor='$color{'color20'}'"; } - else { - print "<tr>"; - $col="bgcolor='$color{'color22'}'"; } - print <<END; - <td align='center' colspan='2' $col> - $p2pline[0]: - </td> - <td align='center' $col> - <form method='post' action='$ENV{'SCRIPT_NAME'}'> - <input type='hidden' name='P2PROT' value='$p2pline[1]'> - <input type='image' img src='$gif' alt='$Lang::tr{'click to disable'}' title='$Lang::tr{'fwdfw toggle'}' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;display: block;'> - <input type='hidden' name='ACTION' value='togglep2p'> - </form> - </td> - </tr> -END -$lines++; -} - -print <<END; -</table><table> - <tr> - <td> - <img src='/images/on.gif'> - </td> - <td> - $Lang::tr{'outgoing firewall p2p 
allow'} - </td> - </tr> - <tr> - <td> - <img src='/images/off.gif'> - </td> - <td> - $Lang::tr{'outgoing firewall p2p deny'} - </td> - </tr> - </table> -END - -&Header::closebox(); - -&Header::closebigbox(); -&Header::closepage(); diff --git a/lfs/configroot b/lfs/configroot index 9f3188aab..b836767c1 100644 --- a/lfs/configroot +++ b/lfs/configroot @@ -105,7 +105,6 @@ $(TARGET) : cp $(DIR_SRC)/config/firewall/convert-outgoingfw /usr/sbin/convert-outgoingfw cp $(DIR_SRC)/config/firewall/convert-dmz /usr/sbin/convert-dmz cp $(DIR_SRC)/config/firewall/convert-portfw /usr/sbin/convert-portfw - cp $(DIR_SRC)/config/firewall/p2protocols $(CONFIG_ROOT)/firewall/p2protocols cp $(DIR_SRC)/config/firewall/firewall-policy /usr/sbin/firewall-policy cp $(DIR_SRC)/config/fwhosts/icmp-types $(CONFIG_ROOT)/fwhosts/icmp-types cp $(DIR_SRC)/config/fwhosts/customservices $(CONFIG_ROOT)/fwhosts/customservices diff --git a/lfs/gdbm b/lfs/gdbm index 6f96d2f3c..fa1b2d860 100644 --- a/lfs/gdbm +++ b/lfs/gdbm @@ -24,7 +24,7 @@
include Config
-VER = 1.20 +VER = 1.23
THISAPP = gdbm-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_MD5 = 006c19b8b60828fd6916a16f3496bd3c +$(DL_FILE)_MD5 = 8551961e36bf8c70b7500d255d3658ec
install : $(TARGET)
diff --git a/lfs/libloc b/lfs/libloc index 99f0c30bd..1de135b52 100644 --- a/lfs/libloc +++ b/lfs/libloc @@ -93,14 +93,17 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) cd $(DIR_APP) && rm -f /var/lib/location/database.db cd $(DIR_APP) && xz -d /var/lib/location/database.db.xz
- # Launch location util and export all locations in xt_geoip format. + # Create directory for ipset databases. + cd $(DIR_APP) && mkdir -pv /var/lib/location/ipset + + # Launch location util and export all locations in ipset compatible format. cd $(DIR_APP) && /usr/bin/location export \ - --directory=/usr/share/xt_geoip \ + --directory=/var/lib/location/ipset \ --family=ipv4 \ - --format=xt_geoip + --format=ipset
# Remove exported IPv6 zones. - cd $(DIR_APP) && rm -rvf /usr/share/xt_geoip/*.iv6 + cd $(DIR_APP) && rm -rvf /var/lib/location/ipset/*.ipset6
@rm -rf $(DIR_APP) @$(POSTBUILD) diff --git a/lfs/xtables-addons b/lfs/xtables-addons deleted file mode 100644 index fdea1ffcd..000000000 --- a/lfs/xtables-addons +++ /dev/null 
@@ -1,118 +0,0 @@ -############################################################################### -# # -# IPFire.org - A linux based firewall # -# Copyright (C) 2007-2021 IPFire Team info@ipfire.org # -# # -# This program is free software: you can redistribute it and/or modify # -# it under the terms of the GNU General Public License as published by # -# the Free Software Foundation, either version 3 of the License, or # -# (at your option) any later version. # -# # -# This program is distributed in the hope that it will be useful, # -# but WITHOUT ANY WARRANTY; without even the implied warranty of # -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # -# GNU General Public License for more details. # -# # -# You should have received a copy of the GNU General Public License # -# along with this program. If not, see http://www.gnu.org/licenses/. # -# # -############################################################################### - -############################################################################### -# Definitions -############################################################################### - -include Config - -VERSUFIX = ipfire$(KCFG) -MODPATH = /lib/modules/$(KVER)-$(VERSUFIX)/extra/ - -VER = 3.18 - -THISAPP = xtables-addons-$(VER) -DL_FILE = $(THISAPP).tar.xz -DL_FROM = $(URL_IPFIRE) -DIR_APP = $(DIR_SRC)/$(THISAPP) - -ifeq "$(USPACE)" "1" - TARGET = $(DIR_INFO)/$(THISAPP) -else - TARGET = $(DIR_INFO)/$(THISAPP)-kmod-$(KVER)-$(VERSUFIX) -endif - -############################################################################### -# Top-level Rules -############################################################################### - -objects = $(DL_FILE) - -$(DL_FILE) = $(DL_FROM)/$(DL_FILE) - -$(DL_FILE)_MD5 = 755471b1dc6808f274f914fa11552698 - -install : $(TARGET) - -check : $(patsubst %,$(DIR_CHK)/%,$(objects)) - -download :$(patsubst %,$(DIR_DL)/%,$(objects)) - -md5 : $(subst %,%_MD5,$(objects)) - -dist: - $(PAK) - 
-############################################################################### -# Downloading, checking, md5sum -############################################################################### - -$(patsubst %,$(DIR_CHK)/%,$(objects)) : - @$(CHECK) - -$(patsubst %,$(DIR_DL)/%,$(objects)) : - @$(LOAD) - -$(subst %,%_MD5,$(objects)) : - @$(MD5) - -############################################################################### -# Installation Details -############################################################################### - -$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) - @$(PREBUILD) - @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) - - # Only build the specified modules. -# cp -avf $(DIR_SRC)/config/xtables-addons/mconfig \ -# $(DIR_APP)/mconfig - -# Check if we build the modules for a kernel or the userspace parts. -ifeq "$(USPACE)" "1" - cd $(DIR_APP) && ./configure \ - --prefix=/usr \ - --without-kbuild - - cd $(DIR_APP) && make $(MAKETUNING) - cd $(DIR_APP) && make install -else - cd $(DIR_APP) && ./configure \ - --with-kbuild=/lib/modules/$$(uname -r)$(KCFG)/build - cd $(DIR_APP) && make $(MAKETUNING) - - # Install the built kernel modules. - mkdir -p $(MODPATH) - cd $(DIR_APP) && for f in $$(ls extensions/*.ko); do \ - /lib/modules/$$(uname -r)$(KCFG)/build/scripts/sign-file sha512 \ - /lib/modules/$$(uname -r)$(KCFG)/build/certs/signing_key.pem \ - /lib/modules/$$(uname -r)$(KCFG)/build/certs/signing_key.x509 \ - $$f; \ - xz $$f; \ - install -m 644 $$f.xz $(MODPATH); \ - done -endif - - # Create directory for the databases. - mkdir -pv /usr/share/xt_geoip/ - - @rm -rf $(DIR_APP) - @$(POSTBUILD) diff --git a/make.sh b/make.sh index 606fbc9b0..4dd068e4b 100755 --- a/make.sh +++ b/make.sh @@ -1196,10 +1196,8 @@ buildipfire() { lfsmake2 rtl8812au KCFG="" lfsmake2 rtl8822bu KCFG="" lfsmake2 xradio KCFG="" - lfsmake2 xtables-addons KCFG="" lfsmake2 linux-initrd KCFG=""
- lfsmake2 xtables-addons USPACE="1" lfsmake2 libgpg-error lfsmake2 libgcrypt lfsmake2 libassuan diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index fc355cd5d..adb2240bb 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -147,19 +147,13 @@ iptables_init() { iptables -N HOSTILE if [ "$DROPHOSTILE" == "on" ]; then iptables -A HOSTILE -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE " - iptables -A INPUT -i $IFACE -m geoip --src-cc XD -j HOSTILE - iptables -A FORWARD -i $IFACE -m geoip --src-cc XD -j HOSTILE - iptables -A FORWARD -o $IFACE -m geoip --dst-cc XD -j HOSTILE - iptables -A OUTPUT -o $IFACE -m geoip --src-cc XD -j HOSTILE + iptables -A INPUT -i $IFACE -m set --match-set CC_XD src -j HOSTILE + iptables -A FORWARD -i $IFACE -m set --match-set CC_XD src -j HOSTILE + iptables -A FORWARD -o $IFACE -m set --match-set CC_XD dst -j HOSTILE + iptables -A OUTPUT -o $IFACE -m set --match-set CC_XD src -j HOSTILE fi iptables -A HOSTILE -j DROP -m comment --comment "DROP_HOSTILE"
- # P2PBLOCK - iptables -N P2PBLOCK - iptables -A INPUT -j P2PBLOCK - iptables -A FORWARD -j P2PBLOCK - iptables -A OUTPUT -j P2PBLOCK - # IPS (Guardian) chains iptables -N GUARDIAN iptables -A INPUT -j GUARDIAN diff --git a/src/scripts/update-location-database b/src/scripts/update-location-database index 06b22d101..d41a0a947 100644 --- a/src/scripts/update-location-database +++ b/src/scripts/update-location-database @@ -42,8 +42,8 @@ fi
# Get the latest location database from server. if /usr/bin/location update --cron=$UPDATE_INTERVAL; then - # Call location and export all countries in xt_geoip compatible format. - if /usr/bin/location export --directory=/usr/share/xt_geoip --family=ipv4 --format=xt_geoip; then + # Call location and export all countries in an ipset compatible format. + if /usr/bin/location export --directory=/var/lib/location/ipset --family=ipv4 --format=ipset; then
# Call initscript to reload the firewall. /etc/init.d/firewall reload
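Review bot: in the `lfs/gdbm` hunk the `$(DL_FILE)_MD5` value changes together with `VER = 1.23`; MD5 only catches transfer corruption, not a substituted tarball, so confirm `8551961e36bf8c70b7500d255d3658ec` against the upstream gdbm release signature (or an upstream-published SHA-256) before merging, and say in the commit message where the hash was taken from.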
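Review bot: in the `lfs/libloc` hunk the trailing `rm -rvf /var/lib/location/ipset/*.ipset6` under `# Remove exported IPv6 zones.` is dead code, because the export call just above it passes `--family=ipv4` and so produces no `.ipset6` files; either drop the `rm` line or, if the export is meant to cover both families later, drop `--family=ipv4` instead so the two lines agree.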
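Review bot: in the `src/initscripts/system/firewall` hunk the four `-m set --match-set CC_XD` rules assume the CC_XD ipset already exists when `iptables_init` runs; iptables rejects a rule whose set is missing, and nothing in the hunk creates the set, so guard the `DROPHOSTILE` block with a check such as `ipset list -n CC_XD >/dev/null 2>&1` or load the set from `/var/lib/location/ipset/XD.ipset4` before these lines. Separately, the OUTPUT rule (`-o $IFACE -m set --match-set CC_XD src`) matches the source address of packets the firewall itself sends, which is the firewall's own address rather than a hostile network; `dst` is the direction that would drop traffic towards hostile networks. The removed `--src-cc XD` OUTPUT rule had the same shape, so please confirm this is intended rather than carried over.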
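Review bot: the first `config/rootfiles/core/165/update.sh` hunk removes the xtables-addons userspace files (`/lib/xtables/libxt_*.so`, `/usr/bin/xt_geoip_query`, `/usr/lib/libxt_ACCOUNT_cl.so*`, `/usr/sbin/iptaccount`, `/usr/sbin/pknlusr`, `/usr/share/xt_geoip/`) but not the kernel modules that the deleted `lfs/xtables-addons` installed under `MODPATH = /lib/modules/$(KVER)-$(VERSUFIX)/extra/`; unless a kernel update in this core replaces that directory, the orphaned `.ko.xz` files stay behind on upgraded systems, so add them to the `rm -rvf` list or state in the commit message why they are left.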
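Review bot: the `/etc/rc.d/init.d/firewall restart` added after `telinit u` in the `# Start services` hunk of `update.sh` will execute the new `--match-set CC_XD` rules from `src/initscripts/system/firewall`, so the `.ipset4` files under `/var/lib/location/ipset` (and whatever loads the CC_XD set from them) must already be in place at that point; the visible hunks only remove `/usr/share/xt_geoip/` and never export into the new directory, so either the core package ships the `var/lib/location/ipset/*.ipset4` files listed in the `libloc` rootfile, or an explicit `location export --directory=/var/lib/location/ipset --family=ipv4 --format=ipset` (as in `src/scripts/update-location-database`) belongs before the restart.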
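Review bot: in the second hunk of `html/cgi-bin/logs.cgi/ovpnclients.dat` the context line `WHERE common_name = '$cgiparams{"CONNECTION_NAME"}'` interpolates a CGI parameter straight into the SQL text, and `$from_datestring` / `$to_datestring` are interpolated the same way in both hunks; unless these values are validated against a strict pattern before this point, pass them as bind parameters (`?` placeholders filled in by DBI's `execute`) instead of building the statement with `qq(...)`. On the change itself: removing the `'localtime'` modifier from the `DATETIME('$from_datestring', 'start of day')` and `DATETIME('$to_datestring', 'start of day', '+86399 seconds')` bounds while keeping it on `connected_at` / `disconnected_at` is consistent only if the two date strings are already local dates; a one-line comment in the query saying so would keep the next reader from adding the modifier back.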
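Review bot: in the `src/scripts/update-location-database` hunk, `location export --directory=/var/lib/location/ipset` overwrites the `.ipset4` files in place and `/etc/init.d/firewall reload` only runs afterwards, so a reload triggered from elsewhere during the export (the `update.sh` restart, or an administrator action) can read a half-written set file; exporting into a temporary directory and moving it over the live one closes that window. Minor: the context line `--cron=$UPDATE_INTERVAL` should quote the variable as `"$UPDATE_INTERVAL"`.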
hooks/post-receive -- IPFire 2.x development tree