This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated via 1bd6e152c40018054c9cad81000fcb7580153d90 (commit) via 83085ae97c0576b1d038c1c5d52ec7707b543b99 (commit) from bae9b5dcca5aacabab861d4584288cb4ba7fd0c1 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit 1bd6e152c40018054c9cad81000fcb7580153d90 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Feb 18 06:07:42 2022 +0100
Core 165: Export location DB in new format.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org Reviewed-by: Michael Tremer michael.tremer@ipfire.org
commit 83085ae97c0576b1d038c1c5d52ec7707b543b99 Author: Stefan Schantl stefan.schantl@ipfire.org Date: Fri Feb 18 06:03:51 2022 +0100
firewall: Load ipset list before creating rules for DROP_HOSTILE.
Otherwise there is no ipset list use-able and the feature will not work.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org Reviewed-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes: config/rootfiles/core/165/update.sh | 6 ++++++ src/initscripts/system/firewall | 5 +++++ 2 files changed, 11 insertions(+)
Difference in files: diff --git a/config/rootfiles/core/165/update.sh b/config/rootfiles/core/165/update.sh index 7371d047a..564f58606 100644 --- a/config/rootfiles/core/165/update.sh +++ b/config/rootfiles/core/165/update.sh @@ -109,6 +109,12 @@ ldconfig # Filesytem cleanup /usr/local/bin/filesystem-cleanup
+# Export location DB in new format. +/usr/bin/location export \ + --directory=/var/lib/location/ipset \ + --family=ipv4 \ + --format=ipset + # Start services telinit u /etc/rc.d/init.d/firewall restart diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index adb2240bb..2ae6157aa 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -22,6 +22,8 @@ IPS_REPEAT_MASK="0x80000000" IPS_BYPASS_MARK="0x40000000" IPS_BYPASS_MASK="0x40000000"
+IPSET_DB_DIR="/var/lib/location/ipset" + function iptables() { /sbin/iptables --wait "$@" } @@ -146,6 +148,9 @@ iptables_init() { # a technical threat to our users (i. e. listed at Spamhaus DROP et al.) iptables -N HOSTILE if [ "$DROPHOSTILE" == "on" ]; then + # Call ipset and load the list which contains the hostile networks. + ipset restore < $IPSET_DB_DIR/CC_XD.ipset4 + iptables -A HOSTILE -m limit --limit 10/second -j LOG --log-prefix "DROP_HOSTILE " iptables -A INPUT -i $IFACE -m set --match-set CC_XD src -j HOSTILE iptables -A FORWARD -i $IFACE -m set --match-set CC_XD src -j HOSTILE
hooks/post-receive -- IPFire 2.x development tree