public inbox for ipfire-scm@lists.ipfire.org
* [git.ipfire.org] IPFire 2.x development tree branch, next, updated. d0353b73c7a4cb6ec569d36e7f07d44fd20b0680
From: Peter Müller @ 2022-02-16 17:07 UTC
  To: ipfire-scm

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit d0353b73c7a4cb6ec569d36e7f07d44fd20b0680
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date:   Wed Feb 16 17:06:03 2022 +0000

    perl-Net-HTTP: Fix rootfile
    
    Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>

commit 9dd886fa57ef70980d5c248ffa6601a5f1721df8
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date:   Tue Feb 15 18:25:18 2022 +0000

    Core Update 165: Sort filelist of rm command for better readability
    
    Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>

commit 063ec85aed659be9da022d597fe0315ed52e9669
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date:   Tue Feb 15 18:24:08 2022 +0000

    Core Update 165: Delete files from xtables-addons
    
    Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>

commit 97fe0c082312c52817d7be9e98d2e07a870b8977
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Mon Feb 14 20:08:53 2022 +0100

    xtables-addons: Drop package.
    
    None of the provided modules are in use, so this package
    safely can be dropped.
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>
    Acked-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 7987879e21b7fb5369b9b74d3173ff3949d7f89a
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date:   Tue Feb 15 18:18:31 2022 +0000

    firewall: Get rid of xt_geoip for DROP_HOSTILE
    
    This is required to drop xtables-addons altogether.
    
    Cc: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>

commit 3071989cfc346a4abd49b8c35409f1b553b37b2f
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date:   Tue Feb 15 18:15:53 2022 +0000

    Core Update 165: Ship changes related to P2P block removal
    
    Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>

commit 8796d41a4ddff08ea18f049944eca3e21f193498
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Mon Feb 14 20:05:27 2022 +0100

    firewall: Drop P2P chains from initscript.
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>

commit 52c8eaac4b2c714964970cb1cd9088a6fc9a40a9
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Mon Feb 14 20:03:07 2022 +0100

    firewall.menu: Drop entry for P2P-Block.
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>
    Acked-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 0b2d66c7a0a83ced6425c34505f595f5854720f6
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Mon Feb 14 20:03:06 2022 +0100

    p2p-block.cgi: Drop CGI.
    
    The support for creating P2P based rules has been removed from the
    firewall. So this CGI file is no longer needed.
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>
    Acked-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 31c64b9d0df0599f1f3f47975ad7c6c11ebdd288
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Mon Feb 14 20:03:05 2022 +0100

    configroot: Drop config file for p2protocols.
    
    The support for creating P2P based rules has been removed from the
    firewall. So this file is no longer needed.
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>
    Acked-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit b6e4ebe86fd553123f295fec919409b963150544
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Mon Feb 14 20:03:04 2022 +0100

    firewall: Drop support for blocking P2P protocols.
    
    The main P2P (peer-to-peer) era has passed for several years now, so
    this kind of feature is really out-dated.
    
    The feature only supports a handful of P2P protocols (mostly unencrypted)
    for applications, which have been superseded by various other
    applications and protocols.
    
    So, this fairly is no longer required and safely can be dropped.
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Acked-by: Peter Müller <peter.mueller(a)ipfire.org>
    Acked-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit f14000733b01a8c00fe4ebea1a235aee0de05eae
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date:   Tue Feb 15 18:11:28 2022 +0000

    Core Update 165: Ship ipset-related changes and restart the firewall engine
    
    Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>

commit 5108775b590250a96f3053705aa878e16b332cf2
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Mon Feb 14 19:42:56 2022 +0100

    libloc: Export DB in ipset compatible format.
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>
    Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 0564b0c7c98cac0e07f04f8d9e026d9f033fd012
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Mon Feb 14 19:42:55 2022 +0100

    rules.pl: Add workaround to hide a warning about an only once used variable.
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>

commit 50e43059554a6a1c9ca8579b5347a9f98bc99ffb
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Mon Feb 14 19:42:54 2022 +0100

    rules.pl: Check if an ipset db file exists before call to restore it.
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>
    Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 278289690d50d6f28926742e29f5b005293132eb
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Mon Feb 14 19:42:53 2022 +0100

    rules.pl: Do not try to restore the same ipset multiple times.
    
    When an ipset list gets restored, this now will be documented in a hash
    and this hash also will be checked before restoring a list if this has
    not been done previously.
    
    This will prevent from restoring the same list multiple times.
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>

commit edad13b46b864150f49dcb42580a4ebcf35ca3f0
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Mon Feb 14 19:42:52 2022 +0100

    update-location-database: Export database to ipset compatible format now.
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>
    Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 07106467b83e9be97ce207ce919ad45ab2df4bba
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Mon Feb 14 19:42:51 2022 +0100

    rules.pl: Move to ipset based data for location based firewall rules.
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>
    Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 0df1d268edc94df13f6f5e610e69a2bd63d79918
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Mon Feb 14 19:42:50 2022 +0100

    rules.pl: Move to ipset based data for LOCATIONBLOCK feature.
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>
    Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 6babb404cc63d6f5c25d64be8e4370b7cb009c2c
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Mon Feb 14 19:42:49 2022 +0100

    rules.pl: Add tiny ipset_restore function.
    
    This helper function is used to load a previously exported list of
    networks for a given country code into the ipset module, so it can be
    used for any kind of firewall rules.
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>
    Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 3d8868807506331a1c4fe160748fa0635bac2a95
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Mon Feb 14 19:42:48 2022 +0100

    rules.pl: Destroy all ipset lists on rule reload.
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>

commit bbeb2a5067f72d0f4073a7a183ed6f1f3477765c
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Mon Feb 14 19:42:47 2022 +0100

    rules.pl: Move flush of LOCATIONBLOCK into main flush() function.
    
    It is required to get rid of all ipset based rules before all of
    the loaded ipset lists can be destroyed.
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>
    Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 19e5c03f1525b907d62b3a72d586e89ab6e551d1
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Mon Feb 14 19:42:46 2022 +0100

    location-functions.pl: Remove ending backslash from location_dir variable.
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>

commit a5f22bf03cebf33f78bd4ebd1686f8f506789fb9
Author: Stefan Schantl <stefan.schantl(a)ipfire.org>
Date:   Mon Feb 14 19:42:45 2022 +0100

    location-functions.pl: Rename and set the location for exported databases to "/var/lib/location/ipset/".
    
    Signed-off-by: Stefan Schantl <stefan.schantl(a)ipfire.org>
    Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>

commit 28965d275ba92f82d583ca9436415e0cb02fe355
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date:   Tue Feb 15 18:04:48 2022 +0000

    Core Update 165: Ship gdbm
    
    Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>

commit ceedba20de1185f24d6abe38bafebdf461be271d
Author: Adolf Belka <adolf.belka(a)ipfire.org>
Date:   Tue Feb 15 10:36:18 2022 +0100

    gdbm: Update to version 1.23
    
    - Update from 1.20 to 1.23
    - Update of rootfile not required
    - Changelog
       Version 1.23, 2022-02-04
    	* Bucket cache switched from balanced tree to hash table
    	 Change suggested by Terence Kelly.
    	* Speed up flushing the changed buckets on disk
    	* New option codes for gdbm_setopt
    	** GDBM_GETDBFORMAT
    	 Return the database format.
    	** GDBM_GETDIRDEPTH
    	 Return the directory depth, i.e. the number of initial (most significant)
    	  bits in hash value that are interpreted as index to the directory.
    	** GDBM_GETBUCKETSIZE
    	 Return maximum number of keys per bucket.
    	** GDBM_GETCACHEAUTO
    	 Return the status of the automatic cache adjustment.
    	** GDBM_SETCACHEAUTO
    	 Enable or disable automatic cache adjustment.
       Version 1.22, 2021-10-19
    	* Fix file header validation
    	* Fix key verification in sequential access
    	* Fix testing with DejaGNU 1.6.3
    	* Fix stack overflow in print_usage
    	* Fix a leak of avail entry on pushing a new avail block
    	 The leak would occur if the original avail table had odd number of entries.
    	* New gdbmtool variables: errorexit, errormask, trace, timing
    	 "Errorexit" and "errormask" control which GDBM errors would cause the
    	  program termination and emitting a diagnostic message,
    	  correspondingly.  Both variables are comma-delimited lists of error
    	  codes.
    	 The "trace" variable enables tracing of the gdbmtool commands.
    	 The "timing" variable, when set, instructs gdbmtool to print time
    	  spent in each command it runs.
    	* New gdbmtool options: -t (--trace), and -T (--timing)
       Version 1.21, 2021-09-02
    	* Crash tolerance
    	 By default it is possible for an abrupt crash (e.g., power failure,
    	  OS kernel panic, or application process crash) to corrupt the gdbm
    	  database file.  A new Linux-only mechanism enables applications to
    	  recover the database state corresponding to the most recent
    	  successful gdbm_sync() call before the crash.  See the chapter 17
    	  "Crash Tolerance" in the GDBM manual.
    	* New database file format: numsync
    	 The new "numsync" database format is designed to better support
    	  crash tolerance.  To create a database in numsync format, the gdbm_open
    	  (or gdbm_fd_open) function must be given the GDBM_NEWDB|GDBM_NUMSYNC
    	  flags.  The GDBM_NUMSYNC flag also takes effect when used together
    	  with GDBM_WRCREAT, provided that the new file is created.
    	 New function gdbm_convert() is provided for converting the databases
    	  from standard GDBM format to numsync and vice versa.
    	 The gdbmtool tool can also be used for converting databases between
    	  these two formats.
    	* Changes in gdbmtool
    	** Fix string output in non-ASCII encodings
    	 Printable multi-byte sequences are correctly represented on output.
    	 This also fixes octal representation of unprintable characters.
    	** The filename variable
    	 This variable supplies the name of database file for use in "open"
    	 command, if the latter is called without arguments.  If "open" is
    	 called with the file name argument, the "filename" variable is
    	 initialized to this value.
    	** The fd variable
    	 If set, its value must be an open file descriptor referring to a
    	 GDBM database file.  The "open" command will use gdbm_fd_open
    	 function to use this file.   Upon closing the database, this
    	 descriptor will be closed and the variable will be unset.
    	 The file descriptor to use can also be supplied using the
    	 -d (--db-descriptor) command line option.
    	** The format variable
    	 Defines the format in which new databases will be created.  Allowed
    	 values are: "standard" (default) and "numsync".
    	** New commands: upgrade and downgrade
    	 The "upgrade" command converts current database to the numsync
    	 (extended) format.  The "downgrade" command converts current database
    	 to the standard format.
    	** New command: snapshot
    	 The "snapshot" command is part of the new crash tolerance support.
    	 Given the names of two snapshot files, it analyzes them and selects
    	 the one to be used for database recovery.  See the GDBM manual,
    	 section 17.5 "Manual crash recovery" for a detailed discussion of its
    	 use.
    
    Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
    Reviewed-by: Peter Müller <peter.mueller(a)ipfire.org>

commit 5fd4dfe0026f918ba30fa2abd736e86555261ec1
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date:   Tue Feb 15 18:04:00 2022 +0000

    Core Update 165: Ship ovpnclients.dat
    
    Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>

commit 6e40963459eca547f1857d4e518d920518ff23a5
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Tue Feb 15 13:40:27 2022 +0000

    ovpnclients.dat: Fix adjusting input dates
    
    This patch changes that we no longer interpret any dates put in by the
    user as UTC. They used to be converted into localtime because, although
    they have already been in local time.
    
    This went unnoticed since in Europe we are close (enough) to UTC that
    there is no significant discrepancy on the report. However, being in
    North America is enough to generate confusing reports.
    
    Reported-by: Paul <kairis(a)gmail.com>
    Fixes: #12768
    Tested-by: Jon Murphy <jon.murphy(a)ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

-----------------------------------------------------------------------

Summary of changes:
 config/cfgroot/location-functions.pl               |   4 +-
 config/firewall/firewall-lib.pl                    |   4 +-
 config/firewall/p2protocols                        |   9 -
 config/firewall/rules.pl                           |  91 ++--
 config/menu/50-firewall.menu                       |   6 -
 config/rootfiles/common/configroot                 |   1 -
 config/rootfiles/common/libloc                     | 517 +++++++++++----------
 config/rootfiles/common/perl-Net-HTTP              |   2 +
 config/rootfiles/common/web-user-interface         |   1 -
 config/rootfiles/common/xtables-addons             |  44 --
 config/rootfiles/core/165/filelists/files          |   6 +
 .../{oldcore/164 => core/165}/filelists/gdbm       |   0
 config/rootfiles/core/165/update.sh                |  34 +-
 html/cgi-bin/logs.cgi/ovpnclients.dat              |  16 +-
 html/cgi-bin/p2p-block.cgi                         | 154 ------
 lfs/configroot                                     |   1 -
 lfs/gdbm                                           |   4 +-
 lfs/libloc                                         |  11 +-
 lfs/xtables-addons                                 | 118 -----
 make.sh                                            |   2 -
 src/initscripts/system/firewall                    |  14 +-
 src/scripts/update-location-database               |   4 +-
 22 files changed, 390 insertions(+), 653 deletions(-)
 delete mode 100644 config/firewall/p2protocols
 delete mode 100644 config/rootfiles/common/xtables-addons
 copy config/rootfiles/{oldcore/164 => core/165}/filelists/gdbm (100%)
 delete mode 100644 html/cgi-bin/p2p-block.cgi
 delete mode 100644 lfs/xtables-addons

Difference in files:
diff --git a/config/cfgroot/location-functions.pl b/config/cfgroot/location-functions.pl
index 4d44ce24d..46e27c04a 100644
--- a/config/cfgroot/location-functions.pl
+++ b/config/cfgroot/location-functions.pl
@@ -44,7 +44,7 @@ my %network_flags = (
 my @special_locations = ( "A1", "A2", "A3", "XD" );
 
 # Directory where the libloc database and keyfile lives.
-our $location_dir = "/var/lib/location/";
+our $location_dir = "/var/lib/location";
 
 # Libloc database file.
 our $database = "$location_dir/database.db";
@@ -53,7 +53,7 @@ our $database = "$location_dir/database.db";
 our $keyfile = "$location_dir/signing-key.pem";
 
 # Directory which contains the exported databases.
-our $xt_geoip_db_directory = "/usr/share/xt_geoip/";
+our $ipset_db_directory = "$location_dir/ipset";
 
 # Create libloc database handle.
 my $db_handle = &init();
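Review bot: the new $ipset_db_directory in the second changed line points at "$location_dir/ipset", but nothing here creates that directory or documents its expected ownership and mode. The files in it are later passed to "ipset restore" by rules.pl, so the comment above the variable should state that the directory must be root-owned and not writable by other users. Any remaining reader of the old $xt_geoip_db_directory name also has to be updated in the same series, because a reference to the removed variable evaluates to undef rather than failing.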
diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl
index e7ec30ae0..f4089a3a0 100644
--- a/config/firewall/firewall-lib.pl
+++ b/config/firewall/firewall-lib.pl
@@ -466,7 +466,7 @@ sub get_address
 			# Get external interface.
 			my $external_interface = &get_external_interface();
 
-			push(@ret, ["-m geoip --src-cc $value", "$external_interface"]);
+			push(@ret, ["-m set --match-set CC_$value src", "$external_interface"]);
 		}
 
 	# Handle rule options with a location as target.
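Review bot: $value is interpolated directly into the match options in "-m set --match-set CC_$value src" (and again for dst in the next hunk), and the visible lines do not show it being checked. Validate it against the known location codes before building the string, and define the CC_ prefix in one place, since rules.pl hard-codes the same prefix and both must agree with the set name declared in the exported file.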
@@ -476,7 +476,7 @@ sub get_address
 			# Get external interface.
 			my $external_interface = &get_external_interface();
 
-			push(@ret, ["-m geoip --dst-cc $value", "$external_interface"]);
+			push(@ret, ["-m set --match-set CC_$value dst", "$external_interface"]);
 		}
 
 	# If nothing was selected, we assume "any".
diff --git a/config/firewall/p2protocols b/config/firewall/p2protocols
deleted file mode 100644
index d8998095c..000000000
--- a/config/firewall/p2protocols
+++ /dev/null
@@ -1,9 +0,0 @@
-Applejuice;apple;on;
-Ares;ares;on;
-Bittorrent;bit;on;
-DirectConnect;dc;on;
-Edonkey;edk;on;
-Gnutella;gnu;on;
-KaZaA;kazaa;on;
-SoulSeek;soul;on;
-WinMX;winmx;on;
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index 9d280045a..25d01e0e3 100644
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -31,6 +31,7 @@ require "${General::swroot}/location-functions.pl";
 my $DEBUG = 0;
 
 my $IPTABLES = "iptables --wait";
+my $IPSET = "ipset";
 
 # iptables chains
 my $CHAIN_INPUT           = "INPUTFW";
@@ -69,13 +70,11 @@ my %confignatfw=();
 my %locationsettings = (
 	"LOCATIONBLOCK_ENABLED" => "off"
 );
-
-my @p2ps=();
+my %loaded_ipset_lists=();
 
 my $configfwdfw		= "${General::swroot}/firewall/config";
 my $configinput	    = "${General::swroot}/firewall/input";
 my $configoutgoing  = "${General::swroot}/firewall/outgoing";
-my $p2pfile			= "${General::swroot}/firewall/p2protocols";
 my $locationfile		= "${General::swroot}/firewall/locationblock";
 my $configgrp		= "${General::swroot}/fwhosts/customgroups";
 my $netsettings		= "${General::swroot}/ethernet/settings";
@@ -107,6 +106,10 @@ my $POLICY_INPUT_ACTION    = $fwoptions{"FWPOLICY2"};
 my $POLICY_FORWARD_ACTION  = $fwoptions{"FWPOLICY"};
 my $POLICY_OUTPUT_ACTION   = $fwoptions{"FWPOLICY1"};
 
+#workaround to suppress a warning when a variable is used only once
+my @dummy = ( $Location::Functions::ipset_db_directory );
+undef (@dummy);
+
 # MAIN
 &main();
 
@@ -114,6 +117,9 @@ sub main {
 	# Flush all chains.
 	&flush();
 
+	# Destroy all existing ipsets.
+	run("$IPSET destroy");
+
 	# Prepare firewall rules.
 	if (! -z  "${General::swroot}/firewall/input"){
 		&buildrules(\%configinputfw);
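Review bot: the added call run("$IPSET destroy") gives no set name, so it destroys every set on the system, not only the CC_* sets this script loads, and ipset refuses to destroy a set that is still referenced by a rule in a chain that flush() does not clear. Destroy only the sets this script owns, or at least check and log the result, so that a reload neither removes sets created by other components nor continues with stale ones.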
@@ -125,9 +131,6 @@ sub main {
 		&buildrules(\%configfwdfw);
 	}
 
-	# Load P2P block rules.
-	&p2pblock();
-
 	# Load Location block rules.
 	&locationblock();
 
@@ -186,6 +189,9 @@ sub flush {
 	run("$IPTABLES -t nat -F $CHAIN_NAT_SOURCE");
 	run("$IPTABLES -t nat -F $CHAIN_NAT_DESTINATION");
 	run("$IPTABLES -t mangle -F $CHAIN_MANGLE_NAT_DESTINATION_FIX");
+
+	# Flush LOCATIONBLOCK chain.
+	run("$IPTABLES -F LOCATIONBLOCK");
 }
 
 sub buildrules {
@@ -394,7 +400,19 @@ sub buildrules {
 					my @source_options = ();
 					if ($source =~ /mac/) {
 						push(@source_options, $source);
-					} elsif ($source =~ /-m geoip/) {
+					} elsif ($source =~ /-m set/) {
+						# Grab location code from hash.
+						my $loc_src = $$hash{$key}[4];
+
+						# Check if the network list for this country already has been loaded.
+						unless($loaded_ipset_lists{$loc_src}) {
+							# Call function to load the networks list for this country.
+							&ipset_restore($loc_src);
+
+							# Store to the hash that this list has been loaded.
+							$loaded_ipset_lists{$loc_src} = "1";
+						}
+
 						push(@source_options, $source);
 					} elsif($source) {
 						push(@source_options, ("-s", $source));
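Review bot: the load-once block added under "elsif ($source =~ /-m set/)" is repeated for the destination in the next hunk and a third time in locationblock(), and it reads the location code from the bare index $$hash{$key}[4]. Move the %loaded_ipset_lists check into ipset_restore() so there is a single copy, and add a comment naming what fields 4 and 6 of the rule entry hold.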
@@ -402,7 +420,19 @@ sub buildrules {
 
 					# Prepare destination options.
 					my @destination_options = ();
-					if ($destination =~ /-m geoip/) {
+					if ($destination =~ /-m set/) {
+						# Grab location code from hash.
+						my $loc_dst = $$hash{$key}[6];
+
+						# Check if the network list for this country already has been loaded.
+						unless($loaded_ipset_lists{$loc_dst}) {
+							# Call function to load the networks list for this country.
+							&ipset_restore($loc_dst);
+
+							# Store to the hash that this list has been loaded.
+							$loaded_ipset_lists{$loc_dst} = "1";
+						}
+
 						push(@destination_options,  $destination);
 					} elsif ($destination) {
 						push(@destination_options, ("-d", $destination));
@@ -620,26 +650,8 @@ sub time_convert_to_minutes {
 	return ($hrs * 60) + $min;
 }
 
-sub p2pblock {
-	open(FILE, "<$p2pfile") or die "Unable to read $p2pfile";
-	my @protocols = ();
-	foreach my $p2pentry (<FILE>) {
-		my @p2pline = split(/\;/, $p2pentry);
-		next unless ($p2pline[2] eq "off");
-
-		push(@protocols, "--$p2pline[1]");
-	}
-	close(FILE);
-
-	run("$IPTABLES -F P2PBLOCK");
-	if (@protocols) {
-		run("$IPTABLES -A P2PBLOCK -m ipp2p @protocols -j DROP");
-	}
-}
-
 sub locationblock {
-	# Flush iptables chain.
-	run("$IPTABLES -F LOCATIONBLOCK");
+	# The LOCATIONBLOCK chain now gets flushed by the flush() function.
 
 	# If location blocking is not enabled, we are finished here.
 	if ($locationsettings{'LOCATIONBLOCK_ENABLED'} ne "on") {
@@ -665,7 +677,17 @@ sub locationblock {
 	# is enabled.
 	foreach my $location (@locations) {
 		if(exists $locationsettings{$location} && $locationsettings{$location} eq "on") {
-			run("$IPTABLES -A LOCATIONBLOCK -m geoip --src-cc $location -j DROP");
+			# Check if the network list for this country already has been loaded.
+			unless($loaded_ipset_lists{$location}) {
+				# Call function to load the networks list for this country.
+				&ipset_restore($location);
+
+				# Store to the hash that this list has been loaded.
+				$loaded_ipset_lists{$location} = "1";
+			}
+
+			# Call iptables and create rule to use the loaded ipset list.
+			run("$IPTABLES -A LOCATIONBLOCK -m set --match-set CC_$location src -j DROP");
 		}
 	}
 }
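Review bot: $loaded_ipset_lists{$location} is set to "1" whether or not ipset_restore() loaded anything, and the "-A LOCATIONBLOCK -m set --match-set CC_$location src -j DROP" rule is then added unconditionally. If the exported file is missing, the set does not exist, iptables rejects the rule, and that location is silently left unblocked. Have ipset_restore() return a status and log (or fail the reload) when a selected location could not be loaded.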
@@ -882,3 +904,16 @@ sub firewall_is_in_subnet {
 
 	return 0;
 }
+
+sub ipset_restore ($) {
+	my ($ccode) = @_;
+
+	my $file_prefix = "ipset4";
+	my $db_file = "$Location::Functions::ipset_db_directory/$ccode.$file_prefix";
+
+	# Check if the generated file exists.
+	if (-f $db_file) {
+		# Run ipset and restore the list of the given country code.
+		run("$IPSET restore < $db_file");
+	}
+}
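Review bot: $ccode goes unvalidated into both the file path and a command string that relies on shell redirection, run("$IPSET restore < $db_file"). Reject anything that is not a plain location code before building $db_file, and return a value so callers can tell a missing file from a successful restore. Two smaller points: $file_prefix holds "ipset4" but is used as the file extension, so the name is misleading, and the ($) prototype has no effect because every caller uses the &ipset_restore(...) form.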
diff --git a/config/menu/50-firewall.menu b/config/menu/50-firewall.menu
index 6ae9687dc..aa67d9007 100644
--- a/config/menu/50-firewall.menu
+++ b/config/menu/50-firewall.menu
@@ -21,12 +21,6 @@
                                 'title' => "$Lang::tr{'intrusion detection system'}",
 				'enabled' => 1,
                                 };
-	$subfirewall->{'50.p2p'} = {
-				'caption' => $Lang::tr{'p2p block'},
-				'uri' => '/cgi-bin/p2p-block.cgi',
-				'title' => "P2P-Block",
-				'enabled' => 1,
-				};
     $subfirewall->{'60.locationblock'} = {
 				'caption' => $Lang::tr{'locationblock'},
 				'uri' => '/cgi-bin/location-block.cgi',
diff --git a/config/rootfiles/common/configroot b/config/rootfiles/common/configroot
index 904c718c3..fef5ffbcf 100644
--- a/config/rootfiles/common/configroot
+++ b/config/rootfiles/common/configroot
@@ -63,7 +63,6 @@ var/ipfire/firewall
 #var/ipfire/firewall/input
 #var/ipfire/firewall/locationblock
 #var/ipfire/firewall/outgoing
-#var/ipfire/firewall/p2protocols
 #var/ipfire/firewall/settings
 var/ipfire/fwhosts
 #var/ipfire/fwhosts/customgroups
diff --git a/config/rootfiles/common/libloc b/config/rootfiles/common/libloc
index 3cfc92706..a87635912 100644
--- a/config/rootfiles/common/libloc
+++ b/config/rootfiles/common/libloc
@@ -36,264 +36,265 @@ usr/lib/python3.10/site-packages/location/i18n.py
 usr/lib/python3.10/site-packages/location/logger.py
 #usr/share/locale/de/LC_MESSAGES/libloc.mo
 #usr/share/man/man3/Location.3
-usr/share/xt_geoip/A1.iv4
-usr/share/xt_geoip/A2.iv4
-usr/share/xt_geoip/A3.iv4
-usr/share/xt_geoip/AD.iv4
-usr/share/xt_geoip/AE.iv4
-usr/share/xt_geoip/AF.iv4
-usr/share/xt_geoip/AG.iv4
-usr/share/xt_geoip/AI.iv4
-usr/share/xt_geoip/AL.iv4
-usr/share/xt_geoip/AM.iv4
-usr/share/xt_geoip/AN.iv4
-usr/share/xt_geoip/AO.iv4
-usr/share/xt_geoip/AP.iv4
-usr/share/xt_geoip/AQ.iv4
-usr/share/xt_geoip/AR.iv4
-usr/share/xt_geoip/AS.iv4
-usr/share/xt_geoip/AT.iv4
-usr/share/xt_geoip/AU.iv4
-usr/share/xt_geoip/AW.iv4
-usr/share/xt_geoip/AX.iv4
-usr/share/xt_geoip/AZ.iv4
-usr/share/xt_geoip/BA.iv4
-usr/share/xt_geoip/BB.iv4
-usr/share/xt_geoip/BD.iv4
-usr/share/xt_geoip/BE.iv4
-usr/share/xt_geoip/BF.iv4
-usr/share/xt_geoip/BG.iv4
-usr/share/xt_geoip/BH.iv4
-usr/share/xt_geoip/BI.iv4
-usr/share/xt_geoip/BJ.iv4
-usr/share/xt_geoip/BL.iv4
-usr/share/xt_geoip/BM.iv4
-usr/share/xt_geoip/BN.iv4
-usr/share/xt_geoip/BO.iv4
-usr/share/xt_geoip/BQ.iv4
-usr/share/xt_geoip/BR.iv4
-usr/share/xt_geoip/BS.iv4
-usr/share/xt_geoip/BT.iv4
-usr/share/xt_geoip/BV.iv4
-usr/share/xt_geoip/BW.iv4
-usr/share/xt_geoip/BY.iv4
-usr/share/xt_geoip/BZ.iv4
-usr/share/xt_geoip/CA.iv4
-usr/share/xt_geoip/CC.iv4
-usr/share/xt_geoip/CD.iv4
-usr/share/xt_geoip/CF.iv4
-usr/share/xt_geoip/CG.iv4
-usr/share/xt_geoip/CH.iv4
-usr/share/xt_geoip/CI.iv4
-usr/share/xt_geoip/CK.iv4
-usr/share/xt_geoip/CL.iv4
-usr/share/xt_geoip/CM.iv4
-usr/share/xt_geoip/CN.iv4
-usr/share/xt_geoip/CO.iv4
-usr/share/xt_geoip/CR.iv4
-usr/share/xt_geoip/CS.iv4
-usr/share/xt_geoip/CU.iv4
-usr/share/xt_geoip/CV.iv4
-usr/share/xt_geoip/CW.iv4
-usr/share/xt_geoip/CX.iv4
-usr/share/xt_geoip/CY.iv4
-usr/share/xt_geoip/CZ.iv4
-usr/share/xt_geoip/DE.iv4
-usr/share/xt_geoip/DJ.iv4
-usr/share/xt_geoip/DK.iv4
-usr/share/xt_geoip/DM.iv4
-usr/share/xt_geoip/DO.iv4
-usr/share/xt_geoip/DZ.iv4
-usr/share/xt_geoip/EC.iv4
-usr/share/xt_geoip/EE.iv4
-usr/share/xt_geoip/EG.iv4
-usr/share/xt_geoip/EH.iv4
-usr/share/xt_geoip/ER.iv4
-usr/share/xt_geoip/ES.iv4
-usr/share/xt_geoip/ET.iv4
-usr/share/xt_geoip/EU.iv4
-usr/share/xt_geoip/FI.iv4
-usr/share/xt_geoip/FJ.iv4
-usr/share/xt_geoip/FK.iv4
-usr/share/xt_geoip/FM.iv4
-usr/share/xt_geoip/FO.iv4
-usr/share/xt_geoip/FR.iv4
-usr/share/xt_geoip/FX.iv4
-usr/share/xt_geoip/GA.iv4
-usr/share/xt_geoip/GB.iv4
-usr/share/xt_geoip/GD.iv4
-usr/share/xt_geoip/GE.iv4
-usr/share/xt_geoip/GF.iv4
-usr/share/xt_geoip/GG.iv4
-usr/share/xt_geoip/GH.iv4
-usr/share/xt_geoip/GI.iv4
-usr/share/xt_geoip/GL.iv4
-usr/share/xt_geoip/GM.iv4
-usr/share/xt_geoip/GN.iv4
-usr/share/xt_geoip/GP.iv4
-usr/share/xt_geoip/GQ.iv4
-usr/share/xt_geoip/GR.iv4
-usr/share/xt_geoip/GS.iv4
-usr/share/xt_geoip/GT.iv4
-usr/share/xt_geoip/GU.iv4
-usr/share/xt_geoip/GW.iv4
-usr/share/xt_geoip/GY.iv4
-usr/share/xt_geoip/HK.iv4
-usr/share/xt_geoip/HM.iv4
-usr/share/xt_geoip/HN.iv4
-usr/share/xt_geoip/HR.iv4
-usr/share/xt_geoip/HT.iv4
-usr/share/xt_geoip/HU.iv4
-usr/share/xt_geoip/ID.iv4
-usr/share/xt_geoip/IE.iv4
-usr/share/xt_geoip/IL.iv4
-usr/share/xt_geoip/IM.iv4
-usr/share/xt_geoip/IN.iv4
-usr/share/xt_geoip/IO.iv4
-usr/share/xt_geoip/IQ.iv4
-usr/share/xt_geoip/IR.iv4
-usr/share/xt_geoip/IS.iv4
-usr/share/xt_geoip/IT.iv4
-usr/share/xt_geoip/JE.iv4
-usr/share/xt_geoip/JM.iv4
-usr/share/xt_geoip/JO.iv4
-usr/share/xt_geoip/JP.iv4
-usr/share/xt_geoip/KE.iv4
-usr/share/xt_geoip/KG.iv4
-usr/share/xt_geoip/KH.iv4
-usr/share/xt_geoip/KI.iv4
-usr/share/xt_geoip/KM.iv4
-usr/share/xt_geoip/KN.iv4
-usr/share/xt_geoip/KP.iv4
-usr/share/xt_geoip/KR.iv4
-usr/share/xt_geoip/KW.iv4
-usr/share/xt_geoip/KY.iv4
-usr/share/xt_geoip/KZ.iv4
-usr/share/xt_geoip/LA.iv4
-usr/share/xt_geoip/LB.iv4
-usr/share/xt_geoip/LC.iv4
-usr/share/xt_geoip/LI.iv4
-usr/share/xt_geoip/LK.iv4
-usr/share/xt_geoip/LR.iv4
-usr/share/xt_geoip/LS.iv4
-usr/share/xt_geoip/LT.iv4
-usr/share/xt_geoip/LU.iv4
-usr/share/xt_geoip/LV.iv4
-usr/share/xt_geoip/LY.iv4
-usr/share/xt_geoip/MA.iv4
-usr/share/xt_geoip/MC.iv4
-usr/share/xt_geoip/MD.iv4
-usr/share/xt_geoip/ME.iv4
-usr/share/xt_geoip/MF.iv4
-usr/share/xt_geoip/MG.iv4
-usr/share/xt_geoip/MH.iv4
-usr/share/xt_geoip/MK.iv4
-usr/share/xt_geoip/ML.iv4
-usr/share/xt_geoip/MM.iv4
-usr/share/xt_geoip/MN.iv4
-usr/share/xt_geoip/MO.iv4
-usr/share/xt_geoip/MP.iv4
-usr/share/xt_geoip/MQ.iv4
-usr/share/xt_geoip/MR.iv4
-usr/share/xt_geoip/MS.iv4
-usr/share/xt_geoip/MT.iv4
-usr/share/xt_geoip/MU.iv4
-usr/share/xt_geoip/MV.iv4
-usr/share/xt_geoip/MW.iv4
-usr/share/xt_geoip/MX.iv4
-usr/share/xt_geoip/MY.iv4
-usr/share/xt_geoip/MZ.iv4
-usr/share/xt_geoip/NA.iv4
-usr/share/xt_geoip/NC.iv4
-usr/share/xt_geoip/NE.iv4
-usr/share/xt_geoip/NF.iv4
-usr/share/xt_geoip/NG.iv4
-usr/share/xt_geoip/NI.iv4
-usr/share/xt_geoip/NL.iv4
-usr/share/xt_geoip/NO.iv4
-usr/share/xt_geoip/NP.iv4
-usr/share/xt_geoip/NR.iv4
-usr/share/xt_geoip/NU.iv4
-usr/share/xt_geoip/NZ.iv4
-usr/share/xt_geoip/OM.iv4
-usr/share/xt_geoip/PA.iv4
-usr/share/xt_geoip/PE.iv4
-usr/share/xt_geoip/PF.iv4
-usr/share/xt_geoip/PG.iv4
-usr/share/xt_geoip/PH.iv4
-usr/share/xt_geoip/PK.iv4
-usr/share/xt_geoip/PL.iv4
-usr/share/xt_geoip/PM.iv4
-usr/share/xt_geoip/PN.iv4
-usr/share/xt_geoip/PR.iv4
-usr/share/xt_geoip/PS.iv4
-usr/share/xt_geoip/PT.iv4
-usr/share/xt_geoip/PW.iv4
-usr/share/xt_geoip/PY.iv4
-usr/share/xt_geoip/QA.iv4
-usr/share/xt_geoip/RE.iv4
-usr/share/xt_geoip/RO.iv4
-usr/share/xt_geoip/RS.iv4
-usr/share/xt_geoip/RU.iv4
-usr/share/xt_geoip/RW.iv4
-usr/share/xt_geoip/SA.iv4
-usr/share/xt_geoip/SB.iv4
-usr/share/xt_geoip/SC.iv4
-usr/share/xt_geoip/SD.iv4
-usr/share/xt_geoip/SE.iv4
-usr/share/xt_geoip/SG.iv4
-usr/share/xt_geoip/SH.iv4
-usr/share/xt_geoip/SI.iv4
-usr/share/xt_geoip/SJ.iv4
-usr/share/xt_geoip/SK.iv4
-usr/share/xt_geoip/SL.iv4
-usr/share/xt_geoip/SM.iv4
-usr/share/xt_geoip/SN.iv4
-usr/share/xt_geoip/SO.iv4
-usr/share/xt_geoip/SR.iv4
-usr/share/xt_geoip/SS.iv4
-usr/share/xt_geoip/ST.iv4
-usr/share/xt_geoip/SV.iv4
-usr/share/xt_geoip/SX.iv4
-usr/share/xt_geoip/SY.iv4
-usr/share/xt_geoip/SZ.iv4
-usr/share/xt_geoip/TC.iv4
-usr/share/xt_geoip/TD.iv4
-usr/share/xt_geoip/TF.iv4
-usr/share/xt_geoip/TG.iv4
-usr/share/xt_geoip/TH.iv4
-usr/share/xt_geoip/TJ.iv4
-usr/share/xt_geoip/TK.iv4
-usr/share/xt_geoip/TL.iv4
-usr/share/xt_geoip/TM.iv4
-usr/share/xt_geoip/TN.iv4
-usr/share/xt_geoip/TO.iv4
-usr/share/xt_geoip/TR.iv4
-usr/share/xt_geoip/TT.iv4
-usr/share/xt_geoip/TV.iv4
-usr/share/xt_geoip/TW.iv4
-usr/share/xt_geoip/TZ.iv4
-usr/share/xt_geoip/UA.iv4
-usr/share/xt_geoip/UG.iv4
-usr/share/xt_geoip/UM.iv4
-usr/share/xt_geoip/US.iv4
-usr/share/xt_geoip/UY.iv4
-usr/share/xt_geoip/UZ.iv4
-usr/share/xt_geoip/VA.iv4
-usr/share/xt_geoip/VC.iv4
-usr/share/xt_geoip/VE.iv4
-usr/share/xt_geoip/VG.iv4
-usr/share/xt_geoip/VI.iv4
-usr/share/xt_geoip/VN.iv4
-usr/share/xt_geoip/VU.iv4
-usr/share/xt_geoip/WF.iv4
-usr/share/xt_geoip/WS.iv4
-usr/share/xt_geoip/XD.iv4
-usr/share/xt_geoip/YE.iv4
-usr/share/xt_geoip/YT.iv4
-usr/share/xt_geoip/ZA.iv4
-usr/share/xt_geoip/ZM.iv4
-usr/share/xt_geoip/ZW.iv4
 #var/lib/location
 var/lib/location/database.db
+var/lib/location/ipset
+var/lib/location/ipset/A1.ipset4
+var/lib/location/ipset/A2.ipset4
+var/lib/location/ipset/A3.ipset4
+var/lib/location/ipset/AD.ipset4
+var/lib/location/ipset/AE.ipset4
+var/lib/location/ipset/AF.ipset4
+var/lib/location/ipset/AG.ipset4
+var/lib/location/ipset/AI.ipset4
+var/lib/location/ipset/AL.ipset4
+var/lib/location/ipset/AM.ipset4
+var/lib/location/ipset/AN.ipset4
+var/lib/location/ipset/AO.ipset4
+var/lib/location/ipset/AP.ipset4
+var/lib/location/ipset/AQ.ipset4
+var/lib/location/ipset/AR.ipset4
+var/lib/location/ipset/AS.ipset4
+var/lib/location/ipset/AT.ipset4
+var/lib/location/ipset/AU.ipset4
+var/lib/location/ipset/AW.ipset4
+var/lib/location/ipset/AX.ipset4
+var/lib/location/ipset/AZ.ipset4
+var/lib/location/ipset/BA.ipset4
+var/lib/location/ipset/BB.ipset4
+var/lib/location/ipset/BD.ipset4
+var/lib/location/ipset/BE.ipset4
+var/lib/location/ipset/BF.ipset4
+var/lib/location/ipset/BG.ipset4
+var/lib/location/ipset/BH.ipset4
+var/lib/location/ipset/BI.ipset4
+var/lib/location/ipset/BJ.ipset4
+var/lib/location/ipset/BL.ipset4
+var/lib/location/ipset/BM.ipset4
+var/lib/location/ipset/BN.ipset4
+var/lib/location/ipset/BO.ipset4
+var/lib/location/ipset/BQ.ipset4
+var/lib/location/ipset/BR.ipset4
+var/lib/location/ipset/BS.ipset4
+var/lib/location/ipset/BT.ipset4
+var/lib/location/ipset/BV.ipset4
+var/lib/location/ipset/BW.ipset4
+var/lib/location/ipset/BY.ipset4
+var/lib/location/ipset/BZ.ipset4
+var/lib/location/ipset/CA.ipset4
+var/lib/location/ipset/CC.ipset4
+var/lib/location/ipset/CD.ipset4
+var/lib/location/ipset/CF.ipset4
+var/lib/location/ipset/CG.ipset4
+var/lib/location/ipset/CH.ipset4
+var/lib/location/ipset/CI.ipset4
+var/lib/location/ipset/CK.ipset4
+var/lib/location/ipset/CL.ipset4
+var/lib/location/ipset/CM.ipset4
+var/lib/location/ipset/CN.ipset4
+var/lib/location/ipset/CO.ipset4
+var/lib/location/ipset/CR.ipset4
+var/lib/location/ipset/CS.ipset4
+var/lib/location/ipset/CU.ipset4
+var/lib/location/ipset/CV.ipset4
+var/lib/location/ipset/CW.ipset4
+var/lib/location/ipset/CX.ipset4
+var/lib/location/ipset/CY.ipset4
+var/lib/location/ipset/CZ.ipset4
+var/lib/location/ipset/DE.ipset4
+var/lib/location/ipset/DJ.ipset4
+var/lib/location/ipset/DK.ipset4
+var/lib/location/ipset/DM.ipset4
+var/lib/location/ipset/DO.ipset4
+var/lib/location/ipset/DZ.ipset4
+var/lib/location/ipset/EC.ipset4
+var/lib/location/ipset/EE.ipset4
+var/lib/location/ipset/EG.ipset4
+var/lib/location/ipset/EH.ipset4
+var/lib/location/ipset/ER.ipset4
+var/lib/location/ipset/ES.ipset4
+var/lib/location/ipset/ET.ipset4
+var/lib/location/ipset/EU.ipset4
+var/lib/location/ipset/FI.ipset4
+var/lib/location/ipset/FJ.ipset4
+var/lib/location/ipset/FK.ipset4
+var/lib/location/ipset/FM.ipset4
+var/lib/location/ipset/FO.ipset4
+var/lib/location/ipset/FR.ipset4
+var/lib/location/ipset/FX.ipset4
+var/lib/location/ipset/GA.ipset4
+var/lib/location/ipset/GB.ipset4
+var/lib/location/ipset/GD.ipset4
+var/lib/location/ipset/GE.ipset4
+var/lib/location/ipset/GF.ipset4
+var/lib/location/ipset/GG.ipset4
+var/lib/location/ipset/GH.ipset4
+var/lib/location/ipset/GI.ipset4
+var/lib/location/ipset/GL.ipset4
+var/lib/location/ipset/GM.ipset4
+var/lib/location/ipset/GN.ipset4
+var/lib/location/ipset/GP.ipset4
+var/lib/location/ipset/GQ.ipset4
+var/lib/location/ipset/GR.ipset4
+var/lib/location/ipset/GS.ipset4
+var/lib/location/ipset/GT.ipset4
+var/lib/location/ipset/GU.ipset4
+var/lib/location/ipset/GW.ipset4
+var/lib/location/ipset/GY.ipset4
+var/lib/location/ipset/HK.ipset4
+var/lib/location/ipset/HM.ipset4
+var/lib/location/ipset/HN.ipset4
+var/lib/location/ipset/HR.ipset4
+var/lib/location/ipset/HT.ipset4
+var/lib/location/ipset/HU.ipset4
+var/lib/location/ipset/ID.ipset4
+var/lib/location/ipset/IE.ipset4
+var/lib/location/ipset/IL.ipset4
+var/lib/location/ipset/IM.ipset4
+var/lib/location/ipset/IN.ipset4
+var/lib/location/ipset/IO.ipset4
+var/lib/location/ipset/IQ.ipset4
+var/lib/location/ipset/IR.ipset4
+var/lib/location/ipset/IS.ipset4
+var/lib/location/ipset/IT.ipset4
+var/lib/location/ipset/JE.ipset4
+var/lib/location/ipset/JM.ipset4
+var/lib/location/ipset/JO.ipset4
+var/lib/location/ipset/JP.ipset4
+var/lib/location/ipset/KE.ipset4
+var/lib/location/ipset/KG.ipset4
+var/lib/location/ipset/KH.ipset4
+var/lib/location/ipset/KI.ipset4
+var/lib/location/ipset/KM.ipset4
+var/lib/location/ipset/KN.ipset4
+var/lib/location/ipset/KP.ipset4
+var/lib/location/ipset/KR.ipset4
+var/lib/location/ipset/KW.ipset4
+var/lib/location/ipset/KY.ipset4
+var/lib/location/ipset/KZ.ipset4
+var/lib/location/ipset/LA.ipset4
+var/lib/location/ipset/LB.ipset4
+var/lib/location/ipset/LC.ipset4
+var/lib/location/ipset/LI.ipset4
+var/lib/location/ipset/LK.ipset4
+var/lib/location/ipset/LR.ipset4
+var/lib/location/ipset/LS.ipset4
+var/lib/location/ipset/LT.ipset4
+var/lib/location/ipset/LU.ipset4
+var/lib/location/ipset/LV.ipset4
+var/lib/location/ipset/LY.ipset4
+var/lib/location/ipset/MA.ipset4
+var/lib/location/ipset/MC.ipset4
+var/lib/location/ipset/MD.ipset4
+var/lib/location/ipset/ME.ipset4
+var/lib/location/ipset/MF.ipset4
+var/lib/location/ipset/MG.ipset4
+var/lib/location/ipset/MH.ipset4
+var/lib/location/ipset/MK.ipset4
+var/lib/location/ipset/ML.ipset4
+var/lib/location/ipset/MM.ipset4
+var/lib/location/ipset/MN.ipset4
+var/lib/location/ipset/MO.ipset4
+var/lib/location/ipset/MP.ipset4
+var/lib/location/ipset/MQ.ipset4
+var/lib/location/ipset/MR.ipset4
+var/lib/location/ipset/MS.ipset4
+var/lib/location/ipset/MT.ipset4
+var/lib/location/ipset/MU.ipset4
+var/lib/location/ipset/MV.ipset4
+var/lib/location/ipset/MW.ipset4
+var/lib/location/ipset/MX.ipset4
+var/lib/location/ipset/MY.ipset4
+var/lib/location/ipset/MZ.ipset4
+var/lib/location/ipset/NA.ipset4
+var/lib/location/ipset/NC.ipset4
+var/lib/location/ipset/NE.ipset4
+var/lib/location/ipset/NF.ipset4
+var/lib/location/ipset/NG.ipset4
+var/lib/location/ipset/NI.ipset4
+var/lib/location/ipset/NL.ipset4
+var/lib/location/ipset/NO.ipset4
+var/lib/location/ipset/NP.ipset4
+var/lib/location/ipset/NR.ipset4
+var/lib/location/ipset/NU.ipset4
+var/lib/location/ipset/NZ.ipset4
+var/lib/location/ipset/OM.ipset4
+var/lib/location/ipset/PA.ipset4
+var/lib/location/ipset/PE.ipset4
+var/lib/location/ipset/PF.ipset4
+var/lib/location/ipset/PG.ipset4
+var/lib/location/ipset/PH.ipset4
+var/lib/location/ipset/PK.ipset4
+var/lib/location/ipset/PL.ipset4
+var/lib/location/ipset/PM.ipset4
+var/lib/location/ipset/PN.ipset4
+var/lib/location/ipset/PR.ipset4
+var/lib/location/ipset/PS.ipset4
+var/lib/location/ipset/PT.ipset4
+var/lib/location/ipset/PW.ipset4
+var/lib/location/ipset/PY.ipset4
+var/lib/location/ipset/QA.ipset4
+var/lib/location/ipset/RE.ipset4
+var/lib/location/ipset/RO.ipset4
+var/lib/location/ipset/RS.ipset4
+var/lib/location/ipset/RU.ipset4
+var/lib/location/ipset/RW.ipset4
+var/lib/location/ipset/SA.ipset4
+var/lib/location/ipset/SB.ipset4
+var/lib/location/ipset/SC.ipset4
+var/lib/location/ipset/SD.ipset4
+var/lib/location/ipset/SE.ipset4
+var/lib/location/ipset/SG.ipset4
+var/lib/location/ipset/SH.ipset4
+var/lib/location/ipset/SI.ipset4
+var/lib/location/ipset/SJ.ipset4
+var/lib/location/ipset/SK.ipset4
+var/lib/location/ipset/SL.ipset4
+var/lib/location/ipset/SM.ipset4
+var/lib/location/ipset/SN.ipset4
+var/lib/location/ipset/SO.ipset4
+var/lib/location/ipset/SR.ipset4
+var/lib/location/ipset/SS.ipset4
+var/lib/location/ipset/ST.ipset4
+var/lib/location/ipset/SV.ipset4
+var/lib/location/ipset/SX.ipset4
+var/lib/location/ipset/SY.ipset4
+var/lib/location/ipset/SZ.ipset4
+var/lib/location/ipset/TC.ipset4
+var/lib/location/ipset/TD.ipset4
+var/lib/location/ipset/TF.ipset4
+var/lib/location/ipset/TG.ipset4
+var/lib/location/ipset/TH.ipset4
+var/lib/location/ipset/TJ.ipset4
+var/lib/location/ipset/TK.ipset4
+var/lib/location/ipset/TL.ipset4
+var/lib/location/ipset/TM.ipset4
+var/lib/location/ipset/TN.ipset4
+var/lib/location/ipset/TO.ipset4
+var/lib/location/ipset/TR.ipset4
+var/lib/location/ipset/TT.ipset4
+var/lib/location/ipset/TV.ipset4
+var/lib/location/ipset/TW.ipset4
+var/lib/location/ipset/TZ.ipset4
+var/lib/location/ipset/UA.ipset4
+var/lib/location/ipset/UG.ipset4
+var/lib/location/ipset/UM.ipset4
+var/lib/location/ipset/US.ipset4
+var/lib/location/ipset/UY.ipset4
+var/lib/location/ipset/UZ.ipset4
+var/lib/location/ipset/VA.ipset4
+var/lib/location/ipset/VC.ipset4
+var/lib/location/ipset/VE.ipset4
+var/lib/location/ipset/VG.ipset4
+var/lib/location/ipset/VI.ipset4
+var/lib/location/ipset/VN.ipset4
+var/lib/location/ipset/VU.ipset4
+var/lib/location/ipset/WF.ipset4
+var/lib/location/ipset/WS.ipset4
+var/lib/location/ipset/XD.ipset4
+var/lib/location/ipset/YE.ipset4
+var/lib/location/ipset/YT.ipset4
+var/lib/location/ipset/ZA.ipset4
+var/lib/location/ipset/ZM.ipset4
+var/lib/location/ipset/ZW.ipset4
 var/lib/location/signing-key.pem
diff --git a/config/rootfiles/common/perl-Net-HTTP b/config/rootfiles/common/perl-Net-HTTP
index 4c09cd61f..a61d6d216 100644
--- a/config/rootfiles/common/perl-Net-HTTP
+++ b/config/rootfiles/common/perl-Net-HTTP
@@ -1,8 +1,10 @@
+#usr/lib/perl5/site_perl/5.32.1/Net
 #usr/lib/perl5/site_perl/5.32.1/Net/HTTP
 usr/lib/perl5/site_perl/5.32.1/Net/HTTP.pm
 usr/lib/perl5/site_perl/5.32.1/Net/HTTP/Methods.pm
 usr/lib/perl5/site_perl/5.32.1/Net/HTTP/NB.pm
 usr/lib/perl5/site_perl/5.32.1/Net/HTTPS.pm
+#usr/lib/perl5/site_perl/5.32.1/xxxMACHINExxx-linux-thread-multi/auto/Net
 #usr/lib/perl5/site_perl/5.32.1/xxxMACHINExxx-linux-thread-multi/auto/Net/HTTP
 #usr/lib/perl5/site_perl/5.32.1/xxxMACHINExxx-linux-thread-multi/auto/Net/HTTP/.packlist
 #usr/share/man/man3/Net::HTTP.3
diff --git a/config/rootfiles/common/web-user-interface b/config/rootfiles/common/web-user-interface
index a908053b1..a5973f9e4 100644
--- a/config/rootfiles/common/web-user-interface
+++ b/config/rootfiles/common/web-user-interface
@@ -62,7 +62,6 @@ srv/web/ipfire/cgi-bin/netovpnrw.cgi
 srv/web/ipfire/cgi-bin/netovpnsrv.cgi
 srv/web/ipfire/cgi-bin/optionsfw.cgi
 srv/web/ipfire/cgi-bin/ovpnmain.cgi
-srv/web/ipfire/cgi-bin/p2p-block.cgi
 srv/web/ipfire/cgi-bin/pakfire.cgi
 srv/web/ipfire/cgi-bin/pppsetup.cgi
 srv/web/ipfire/cgi-bin/proxy.cgi
diff --git a/config/rootfiles/common/xtables-addons b/config/rootfiles/common/xtables-addons
deleted file mode 100644
index 51b0d208d..000000000
--- a/config/rootfiles/common/xtables-addons
+++ /dev/null
@@ -1,44 +0,0 @@
-lib/xtables/libxt_ACCOUNT.so
-lib/xtables/libxt_CHAOS.so
-lib/xtables/libxt_DELUDE.so
-lib/xtables/libxt_DHCPMAC.so
-lib/xtables/libxt_DNETMAP.so
-lib/xtables/libxt_ECHO.so
-lib/xtables/libxt_IPMARK.so
-lib/xtables/libxt_LOGMARK.so
-lib/xtables/libxt_PROTO.so
-lib/xtables/libxt_SYSRQ.so
-lib/xtables/libxt_TARPIT.so
-lib/xtables/libxt_condition.so
-lib/xtables/libxt_dhcpmac.so
-lib/xtables/libxt_fuzzy.so
-lib/xtables/libxt_geoip.so
-lib/xtables/libxt_gradm.so
-lib/xtables/libxt_iface.so
-lib/xtables/libxt_ipp2p.so
-lib/xtables/libxt_ipv4options.so
-lib/xtables/libxt_length2.so
-lib/xtables/libxt_lscan.so
-lib/xtables/libxt_pknock.so
-lib/xtables/libxt_psd.so
-lib/xtables/libxt_quota2.so
-usr/bin/xt_geoip_query
-#usr/lib/libxt_ACCOUNT_cl.la
-#usr/lib/libxt_ACCOUNT_cl.so
-usr/lib/libxt_ACCOUNT_cl.so.0
-usr/lib/libxt_ACCOUNT_cl.so.0.0.0
-#usr/libexec/xtables-addons
-#usr/libexec/xtables-addons/xt_geoip_build
-#usr/libexec/xtables-addons/xt_geoip_build_maxmind
-#usr/libexec/xtables-addons/xt_geoip_dl
-#usr/libexec/xtables-addons/xt_geoip_dl_maxmind
-usr/sbin/iptaccount
-usr/sbin/pknlusr
-#usr/share/man/man1/xt_geoip_build.1
-#usr/share/man/man1/xt_geoip_build_maxmind.1
-#usr/share/man/man1/xt_geoip_dl.1
-#usr/share/man/man1/xt_geoip_dl_maxmind.1
-#usr/share/man/man1/xt_geoip_query.1
-#usr/share/man/man8/iptaccount.8
-#usr/share/man/man8/pknlusr.8
-#usr/share/man/man8/xtables-addons.8
diff --git a/config/rootfiles/core/165/filelists/files b/config/rootfiles/core/165/filelists/files
index 2b400507a..3e1059ca0 100644
--- a/config/rootfiles/core/165/filelists/files
+++ b/config/rootfiles/core/165/filelists/files
@@ -1,12 +1,18 @@
+etc/rc.d/init.d/firewall
 opt/pakfire/etc/pakfire.conf
 opt/pakfire/lib/functions.pl
 srv/web/ipfire/cgi-bin/backup.cgi
 srv/web/ipfire/cgi-bin/firewall.cgi
+srv/web/ipfire/cgi-bin/logs.cgi/ovpnclients.dat
 srv/web/ipfire/cgi-bin/media.cgi
 srv/web/ipfire/cgi-bin/pakfire.cgi
 srv/web/ipfire/cgi-bin/qos.cgi
 srv/web/ipfire/html/themes/ipfire/include/css/style.css
 usr/lib/firewall/firewall-lib.pl
+usr/lib/firewall/rules.pl
+usr/local/bin/update-location-database
 usr/sbin/setup
 var/ipfire/ids-functions.pl
+var/ipfire/location-functions.pl
 var/ipfire/main/manualpages
+var/ipfire/menu.d/50-firewall.menu
diff --git a/config/rootfiles/core/165/filelists/gdbm b/config/rootfiles/core/165/filelists/gdbm
new file mode 120000
index 000000000..ecf63bf59
--- /dev/null
+++ b/config/rootfiles/core/165/filelists/gdbm
@@ -0,0 +1 @@
+../../../common/gdbm
\ No newline at end of file
diff --git a/config/rootfiles/core/165/update.sh b/config/rootfiles/core/165/update.sh
index 7e534672d..7371d047a 100644
--- a/config/rootfiles/core/165/update.sh
+++ b/config/rootfiles/core/165/update.sh
@@ -53,6 +53,31 @@ fi
 
 # Remove files
 rm -rvf \
+	/lib/xtables/libxt_ACCOUNT.so \
+	/lib/xtables/libxt_CHAOS.so \
+	/lib/xtables/libxt_condition.so \
+	/lib/xtables/libxt_DELUDE.so \
+	/lib/xtables/libxt_dhcpmac.so \
+	/lib/xtables/libxt_DHCPMAC.so \
+	/lib/xtables/libxt_DNETMAP.so \
+	/lib/xtables/libxt_ECHO.so \
+	/lib/xtables/libxt_fuzzy.so \
+	/lib/xtables/libxt_geoip.so \
+	/lib/xtables/libxt_gradm.so \
+	/lib/xtables/libxt_iface.so \
+	/lib/xtables/libxt_IPMARK.so \
+	/lib/xtables/libxt_ipp2p.so \
+	/lib/xtables/libxt_ipv4options.so \
+	/lib/xtables/libxt_length2.so \
+	/lib/xtables/libxt_LOGMARK.so \
+	/lib/xtables/libxt_lscan.so \
+	/lib/xtables/libxt_pknock.so \
+	/lib/xtables/libxt_PROTO.so \
+	/lib/xtables/libxt_psd.so \
+	/lib/xtables/libxt_quota2.so \
+	/lib/xtables/libxt_SYSRQ.so \
+	/lib/xtables/libxt_TARPIT.so \
+	/srv/web/ipfire/cgi-bin/p2p-block.cgi \
 	/usr/bin/2to3-3.8 \
 	/usr/bin/easy_install-3.8 \
 	/usr/bin/idle3.8 \
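Review bot: The new entries remove only the userspace extensions under /lib/xtables/, while the deleted lfs/xtables-addons recipe also installed signed kernel modules as `$$f.xz` into `/lib/modules/$(KVER)-$(VERSUFIX)/extra/`, and no path under /lib/modules appears in this list. If this update does not replace that module tree as a whole, add the extra/ modules here so that the removed matches and targets cannot still be loaded on upgraded systems.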
@@ -60,9 +85,15 @@ rm -rvf \
 	/usr/bin/pydoc3.8 \
 	/usr/bin/python3.8 \
 	/usr/bin/python3.8-config \
+	/usr/bin/xt_geoip_query \
 	/usr/lib/libpython3.8.so \
 	/usr/lib/libpython3.8.so.1.0 \
-	/usr/lib/python3.8/
+	/usr/lib/libxt_ACCOUNT_cl.so* \
+	/usr/lib/python3.8/ \
+	/usr/sbin/iptaccount \
+	/usr/sbin/pknlusr \
+	/usr/share/xt_geoip/ \
+	/var/ipfire/firewall/p2protocols
 
 # Stop services
 
@@ -80,6 +111,7 @@ ldconfig
 
 # Start services
 telinit u
+/etc/rc.d/init.d/firewall restart
 
 # This update needs a reboot...
 touch /var/run/need_reboot
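Review bot: `/etc/rc.d/init.d/firewall restart` runs after /usr/share/xt_geoip/ has been removed, but nothing in the visible parts of this script creates or fills /var/lib/location/ipset, and the core 165 file list adds usr/local/bin/update-location-database without any ipset files. If the sets are not shipped by another file list, run the location export or the updater before the restart, otherwise location-based rules have no data to load on upgraded systems. The exit status of the restart is also ignored; log a failure so that a partly loaded ruleset does not go unnoticed until the reboot.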
diff --git a/html/cgi-bin/logs.cgi/ovpnclients.dat b/html/cgi-bin/logs.cgi/ovpnclients.dat
index 5e2c1ff49..100573214 100755
--- a/html/cgi-bin/logs.cgi/ovpnclients.dat
+++ b/html/cgi-bin/logs.cgi/ovpnclients.dat
@@ -115,16 +115,16 @@ my $database_query = qq(
         common_name, SUM(
                 STRFTIME('%s', (
                         CASE
-                                WHEN DATETIME(COALESCE(disconnected_at, CURRENT_TIMESTAMP), 'localtime') < DATETIME('$to_datestring', 'localtime', 'start of day', '+86399 seconds')
+                                WHEN DATETIME(COALESCE(disconnected_at, CURRENT_TIMESTAMP), 'localtime') < DATETIME('$to_datestring', 'start of day', '+86399 seconds')
                                         THEN DATETIME(COALESCE(disconnected_at, CURRENT_TIMESTAMP), 'localtime')
-                                        ELSE DATETIME('$to_datestring', 'localtime', 'start of day', '+86399 seconds')
+                                        ELSE DATETIME('$to_datestring', 'start of day', '+86399 seconds')
                         END
                 ), 'utc') -
                 STRFTIME('%s', (
                         CASE
-                                WHEN DATETIME(connected_at, 'localtime') > DATETIME('$from_datestring', 'localtime', 'start of day')
+                                WHEN DATETIME(connected_at, 'localtime') > DATETIME('$from_datestring', 'start of day')
                                         THEN DATETIME(connected_at, 'localtime')
-                                        ELSE DATETIME('$from_datestring', 'localtime', 'start of day')
+                                        ELSE DATETIME('$from_datestring', 'start of day')
                         END
                 ), 'utc')
         ) AS duration
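Review bot: The upper bound is still `'start of day', '+86399 seconds'`, so the range ends at 23:59:59 and the last second of the selected day is never counted; `DATETIME('$to_datestring', 'start of day', '+1 day')` with the existing `<` comparison covers the whole day and is easier to read. Dropping 'localtime' on the date-string side is only correct if $from_datestring and $to_datestring are already local calendar dates, so say that in a comment above the query, since the column side keeps the 'localtime' modifier.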
@@ -133,10 +133,10 @@ my $database_query = qq(
                 (
 			disconnected_at IS NULL
 	                OR
-	                DATETIME(disconnected_at, 'localtime') > DATETIME('$from_datestring', 'localtime', 'start of day')
+	                DATETIME(disconnected_at, 'localtime') > DATETIME('$from_datestring', 'start of day')
 		)
                 AND
-                DATETIME(connected_at, 'localtime') < DATETIME('$to_datestring', 'localtime', 'start of day', '+86399 seconds')
+                DATETIME(connected_at, 'localtime') < DATETIME('$to_datestring', 'start of day', '+86399 seconds')
         GROUP BY common_name
         ORDER BY common_name, duration DESC;
 );
@@ -148,9 +148,9 @@ if ($cgiparams{'CONNECTION_NAME'}) {
 		WHERE
 			common_name = '$cgiparams{"CONNECTION_NAME"}'
 			AND (
-				DATETIME(disconnected_at, 'localtime') > DATETIME('$from_datestring', 'localtime', 'start of day')
+				DATETIME(disconnected_at, 'localtime') > DATETIME('$from_datestring', 'start of day')
 				AND
-				DATETIME(connected_at, 'localtime') < DATETIME('$to_datestring', 'localtime', 'start of day', '+86399 seconds')
+				DATETIME(connected_at, 'localtime') < DATETIME('$to_datestring', 'start of day', '+86399 seconds')
 			)
 		ORDER BY connected_at;
 	);
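Review bot: `common_name = '$cgiparams{"CONNECTION_NAME"}'` in the context lines of this hunk places a CGI parameter directly into the SQL string, and the changed lines do the same with $from_datestring and $to_datestring. Unless all three are strictly validated earlier in the file, which these lines do not show, this is an SQL injection risk. Since the query is being edited anyway, pass the values as bind parameters with `?` placeholders instead of interpolating them inside qq().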
diff --git a/html/cgi-bin/p2p-block.cgi b/html/cgi-bin/p2p-block.cgi
deleted file mode 100644
index d14725504..000000000
--- a/html/cgi-bin/p2p-block.cgi
+++ /dev/null
@@ -1,154 +0,0 @@
-#!/usr/bin/perl
-###############################################################################
-#                                                                             #
-# IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2013                                                          #
-#                                                                             #
-# This program is free software: you can redistribute it and/or modify        #
-# it under the terms of the GNU General Public License as published by        #
-# the Free Software Foundation, either version 3 of the License, or           #
-# (at your option) any later version.                                         #
-#                                                                             #
-# This program is distributed in the hope that it will be useful,             #
-# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
-# GNU General Public License for more details.                                #
-#                                                                             #
-# You should have received a copy of the GNU General Public License           #
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
-#                                                                             #
-###############################################################################
-# Author: Alexander Marx (Amarx(a)ipfire.org)                                   #
-###############################################################################
-
-use strict;
-no warnings 'uninitialized';
-# enable only the following on debugging purpose
-#use warnings;
-#use CGI::Carp 'fatalsToBrowser';
-
-require '/var/ipfire/general-functions.pl';
-require "${General::swroot}/lang.pl";
-require "${General::swroot}/header.pl";
-
-my $errormessage = '';
-my $notice;
-my $p2pfile = "${General::swroot}/firewall/p2protocols";
-
-my @p2ps = ();
-my %fwdfwsettings = ();
-my %color = ();
-my %mainsettings = ();
-
-&General::readhash("${General::swroot}/main/settings", \%mainsettings);
-&General::readhash("/srv/web/ipfire/html/themes/ipfire/include/colors.txt", \%color);
-
-&Header::showhttpheaders();
-&Header::getcgihash(\%fwdfwsettings);
-
-if ($fwdfwsettings{'ACTION'} eq 'togglep2p') {
-	open( FILE, "<$p2pfile") or die "Unable to read $p2pfile";
-	@p2ps = <FILE>;
-	close FILE;
-	open( FILE, ">$p2pfile") or die "Unable to write $p2pfile";
-	foreach my $p2pentry (sort @p2ps) {
-		my @p2pline = split( /\;/, $p2pentry);
-		if ($p2pline[1] eq $fwdfwsettings{'P2PROT'}) {
-			if ($p2pline[2] eq 'on') {
-				$p2pline[2] = 'off';
-			} else {
-				$p2pline[2] = 'on';
-			}
-		}
-		print FILE "$p2pline[0];$p2pline[1];$p2pline[2];\n";
-	}
-	close FILE;
-
-	&General::firewall_config_changed();
-
-	$notice = $Lang::tr{'p2p block save notice'};
-}
-
-&Header::openpage($Lang::tr{'p2p block'}, 1, '');
-&Header::openbigbox('100%', 'center', $errormessage);
-
-if ($notice) {
-    &Header::openbox('100%', 'left', $Lang::tr{'notice'});
-    print "<font class='base'>$notice</font>";
-    &Header::closebox();
-}
-
-my $gif;
-
-open(FILE, "<$p2pfile") or die "Unable to read $p2pfile";
-(a)p2ps = <FILE>;
-close FILE;
-
-&Header::openbox('100%', 'center',);
-print <<END;
-	<table width='35%' class='tbl'>
-		<tr>
-			<th align='center' colspan='2' bgcolor='$color{'color22'}' >
-				<b>$Lang::tr{'protocol'}</b>
-			</th>
-			<th align='center' bgcolor='$color{'color22'}' >
-				<b>$Lang::tr{'status'}</b>
-			</th>
-		</tr>
-END
-my $lines=0;
-my $col="";
-foreach my $p2pentry (sort @p2ps) {
-	my @p2pline = split( /\;/, $p2pentry);
-	if ($p2pline[2] eq 'on') {
-		$gif = "/images/on.gif"
-	} else {
-		$gif = "/images/off.gif"
-	}
-	if ($lines % 2) {
-                print "<tr>";
-                $col="bgcolor='$color{'color20'}'"; }
-        else {
-                print "<tr>";
-                $col="bgcolor='$color{'color22'}'"; }
-	print <<END;
-			<td align='center' colspan='2' $col>
-				$p2pline[0]:
-			</td>
-			<td align='center' $col>
-				<form method='post' action='$ENV{'SCRIPT_NAME'}'>
-					<input type='hidden' name='P2PROT' value='$p2pline[1]'>
-					<input type='image' img src='$gif' alt='$Lang::tr{'click to disable'}' title='$Lang::tr{'fwdfw toggle'}' style='padding-top: 0px; padding-left: 0px; padding-bottom: 0px ;padding-right: 0px ;display: block;'>
-					<input type='hidden' name='ACTION' value='togglep2p'>
-				</form>
-			</td>
-		</tr>
-END
-$lines++;
-}
-
-print <<END;
-</table><table>
-		<tr>
-			<td>
-				<img src='/images/on.gif'>
-			</td>
-			<td>
-				$Lang::tr{'outgoing firewall p2p allow'}
-			</td>
-		</tr>
-		<tr>
-			<td>
-				<img src='/images/off.gif'>
-			</td>
-			<td>
-				$Lang::tr{'outgoing firewall p2p deny'}
-			</td>
-		</tr>
-	</table>
-END
-
-&Header::closebox();
-
-&Header::closebigbox();
-&Header::closepage();
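Review bot: Removing this page leaves the translation keys it used ('p2p block', 'p2p block save notice', 'outgoing firewall p2p allow', 'outgoing firewall p2p deny') without a visible consumer. Check whether anything else still references them and drop them from the language files in the same series if not, so that the translations do not carry dead strings.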
diff --git a/lfs/configroot b/lfs/configroot
index 9f3188aab..b836767c1 100644
--- a/lfs/configroot
+++ b/lfs/configroot
@@ -105,7 +105,6 @@ $(TARGET) :
 	cp $(DIR_SRC)/config/firewall/convert-outgoingfw	/usr/sbin/convert-outgoingfw
 	cp $(DIR_SRC)/config/firewall/convert-dmz	/usr/sbin/convert-dmz
 	cp $(DIR_SRC)/config/firewall/convert-portfw	/usr/sbin/convert-portfw
-	cp $(DIR_SRC)/config/firewall/p2protocols		$(CONFIG_ROOT)/firewall/p2protocols
 	cp $(DIR_SRC)/config/firewall/firewall-policy	/usr/sbin/firewall-policy
 	cp $(DIR_SRC)/config/fwhosts/icmp-types			$(CONFIG_ROOT)/fwhosts/icmp-types
 	cp $(DIR_SRC)/config/fwhosts/customservices		$(CONFIG_ROOT)/fwhosts/customservices
diff --git a/lfs/gdbm b/lfs/gdbm
index 6f96d2f3c..fa1b2d860 100644
--- a/lfs/gdbm
+++ b/lfs/gdbm
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 1.20
+VER        = 1.23
 
 THISAPP    = gdbm-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -40,7 +40,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_MD5 = 006c19b8b60828fd6916a16f3496bd3c
+$(DL_FILE)_MD5 = 8551961e36bf8c70b7500d255d3658ec
 
 install : $(TARGET)
 
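Review bot: `$(DL_FILE)_MD5` is the only integrity pin visible for the new 1.23 tarball, and MD5 is not collision resistant. State in the commit message that the archive was checked against the upstream release signature before this value was recorded, and consider pinning a stronger digest alongside it if the build system allows one.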
diff --git a/lfs/libloc b/lfs/libloc
index 99f0c30bd..1de135b52 100644
--- a/lfs/libloc
+++ b/lfs/libloc
@@ -93,14 +93,17 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	cd $(DIR_APP) && rm -f /var/lib/location/database.db
 	cd $(DIR_APP) && xz -d /var/lib/location/database.db.xz
 
-	# Launch location util and export all locations in xt_geoip format.
+	# Create directory for ipset databases.
+	cd $(DIR_APP) && mkdir -pv /var/lib/location/ipset
+
+	# Launch location util and export all locations in ipset compatible format.
 	cd $(DIR_APP) && /usr/bin/location export \
-		--directory=/usr/share/xt_geoip \
+		--directory=/var/lib/location/ipset \
 		--family=ipv4 \
-		--format=xt_geoip
+		--format=ipset
 
 	# Remove exported IPv6 zones.
-	cd $(DIR_APP) && rm -rvf /usr/share/xt_geoip/*.iv6
+	cd $(DIR_APP) && rm -rvf /var/lib/location/ipset/*.ipset6
 
 	@rm -rf $(DIR_APP)
 	@$(POSTBUILD)
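Review bot: With `--family=ipv4` passed to the export, the following `rm -rvf /var/lib/location/ipset/*.ipset6` should have nothing to delete; either drop it or extend the comment to say why the export still writes IPv6 sets. The `cd $(DIR_APP) &&` prefix on the new mkdir line is also unnecessary because the path is absolute.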
diff --git a/lfs/xtables-addons b/lfs/xtables-addons
deleted file mode 100644
index fdea1ffcd..000000000
--- a/lfs/xtables-addons
+++ /dev/null
@@ -1,118 +0,0 @@
-###############################################################################
-#                                                                             #
-# IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2021  IPFire Team  <info(a)ipfire.org>                     #
-#                                                                             #
-# This program is free software: you can redistribute it and/or modify        #
-# it under the terms of the GNU General Public License as published by        #
-# the Free Software Foundation, either version 3 of the License, or           #
-# (at your option) any later version.                                         #
-#                                                                             #
-# This program is distributed in the hope that it will be useful,             #
-# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
-# GNU General Public License for more details.                                #
-#                                                                             #
-# You should have received a copy of the GNU General Public License           #
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
-#                                                                             #
-###############################################################################
-
-###############################################################################
-# Definitions
-###############################################################################
-
-include Config
-
-VERSUFIX = ipfire$(KCFG)
-MODPATH = /lib/modules/$(KVER)-$(VERSUFIX)/extra/
-
-VER        = 3.18
-
-THISAPP    = xtables-addons-$(VER)
-DL_FILE    = $(THISAPP).tar.xz
-DL_FROM    = $(URL_IPFIRE)
-DIR_APP    = $(DIR_SRC)/$(THISAPP)
-
-ifeq "$(USPACE)" "1"
-  TARGET = $(DIR_INFO)/$(THISAPP)
-else
-  TARGET = $(DIR_INFO)/$(THISAPP)-kmod-$(KVER)-$(VERSUFIX)
-endif
-
-###############################################################################
-# Top-level Rules
-###############################################################################
-
-objects = $(DL_FILE)
-
-$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-
-$(DL_FILE)_MD5 = 755471b1dc6808f274f914fa11552698
-
-install : $(TARGET)
-
-check : $(patsubst %,$(DIR_CHK)/%,$(objects))
-
-download :$(patsubst %,$(DIR_DL)/%,$(objects))
-
-md5 : $(subst %,%_MD5,$(objects))
-
-dist: 
-	$(PAK)
-
-###############################################################################
-# Downloading, checking, md5sum
-###############################################################################
-
-$(patsubst %,$(DIR_CHK)/%,$(objects)) :
-	@$(CHECK)
-
-$(patsubst %,$(DIR_DL)/%,$(objects)) :
-	@$(LOAD)
-
-$(subst %,%_MD5,$(objects)) :
-	@$(MD5)
-
-###############################################################################
-# Installation Details
-###############################################################################
-
-$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
-	@$(PREBUILD)
-	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
-
-	# Only build the specified modules.
-#	cp -avf $(DIR_SRC)/config/xtables-addons/mconfig \
-#		$(DIR_APP)/mconfig
-
-# Check if we build the modules for a kernel or the userspace parts.
-ifeq "$(USPACE)" "1"
-	cd $(DIR_APP) && ./configure \
-		--prefix=/usr \
-		--without-kbuild
-
-	cd $(DIR_APP) && make $(MAKETUNING)
-	cd $(DIR_APP) && make install
-else
-	cd $(DIR_APP) && ./configure \
-		--with-kbuild=/lib/modules/$$(uname -r)$(KCFG)/build
-	cd $(DIR_APP) && make $(MAKETUNING)
-
-	# Install the built kernel modules.
-	mkdir -p $(MODPATH)
-	cd $(DIR_APP) && for f in $$(ls extensions/*.ko); do \
-		/lib/modules/$$(uname -r)$(KCFG)/build/scripts/sign-file sha512 \
-			/lib/modules/$$(uname -r)$(KCFG)/build/certs/signing_key.pem \
-			/lib/modules/$$(uname -r)$(KCFG)/build/certs/signing_key.x509 \
-			$$f; \
-		xz $$f; \
-		install -m 644 $$f.xz $(MODPATH); \
-	done
-endif
-
-	# Create directory for the databases.
-	mkdir -pv /usr/share/xt_geoip/
-
-	@rm -rf $(DIR_APP)
-	@$(POSTBUILD)
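Review bot: with this lfs file deleted, nothing creates /usr/share/xt_geoip/ or installs the signed extensions/*.ko.xz modules into $(MODPATH) any more, but systems upgraded from an earlier build will still have both on disk. Check that the update removes the old kernel modules and the old xt_geoip database directory, so that no unmaintained module or outdated database is left behind.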
diff --git a/make.sh b/make.sh
index 606fbc9b0..4dd068e4b 100755
--- a/make.sh
+++ b/make.sh
@@ -1196,10 +1196,8 @@ buildipfire() {
   lfsmake2 rtl8812au		KCFG=""
   lfsmake2 rtl8822bu		KCFG=""
   lfsmake2 xradio		KCFG=""
-  lfsmake2 xtables-addons	KCFG=""
   lfsmake2 linux-initrd		KCFG=""
 
-  lfsmake2 xtables-addons	USPACE="1"
   lfsmake2 libgpg-error
   lfsmake2 libgcrypt
   lfsmake2 libassuan
diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index fc355cd5d..adb2240bb 100644
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -147,19 +147,13 @@ iptables_init() {
 	iptables -N HOSTILE
 	if [ "$DROPHOSTILE" == "on" ]; then
 		iptables -A HOSTILE -m limit --limit 10/second -j LOG  --log-prefix "DROP_HOSTILE "
-		iptables -A INPUT   -i $IFACE -m geoip --src-cc XD -j HOSTILE
-		iptables -A FORWARD -i $IFACE -m geoip --src-cc XD -j HOSTILE
-		iptables -A FORWARD -o $IFACE -m geoip --dst-cc XD -j HOSTILE
-		iptables -A OUTPUT  -o $IFACE -m geoip --src-cc XD -j HOSTILE
+		iptables -A INPUT   -i $IFACE -m set --match-set CC_XD src -j HOSTILE
+		iptables -A FORWARD -i $IFACE -m set --match-set CC_XD src -j HOSTILE
+		iptables -A FORWARD -o $IFACE -m set --match-set CC_XD dst -j HOSTILE
+		iptables -A OUTPUT  -o $IFACE -m set --match-set CC_XD src -j HOSTILE
 	fi
 	iptables -A HOSTILE -j DROP -m comment --comment "DROP_HOSTILE"
 
-	# P2PBLOCK
-	iptables -N P2PBLOCK
-	iptables -A INPUT -j P2PBLOCK
-	iptables -A FORWARD -j P2PBLOCK
-	iptables -A OUTPUT -j P2PBLOCK
-
 	# IPS (Guardian) chains
 	iptables -N GUARDIAN
 	iptables -A INPUT -j GUARDIAN
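Review bot: the four new "-m set --match-set CC_XD" rules assume the CC_XD set is already loaded when iptables_init runs, and nothing in this hunk creates or restores it. iptables rejects a rule that names a set which does not exist, so with DROPHOSTILE "on" and the set missing, the jumps to HOSTILE are not installed and that traffic is not dropped. Restore the set (or create an empty one) before these lines and log a failure if that step does not succeed. Separately, the OUTPUT rule on "-o $IFACE" still matches "src", carried over from "--src-cc XD"; for outgoing packets the listed address is the destination, as in the FORWARD "-o $IFACE" rule, so "dst" looks like what is intended there.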
diff --git a/src/scripts/update-location-database b/src/scripts/update-location-database
index 06b22d101..d41a0a947 100644
--- a/src/scripts/update-location-database
+++ b/src/scripts/update-location-database
@@ -42,8 +42,8 @@ fi
 
 # Get the latest location database from server.
 if /usr/bin/location update --cron=$UPDATE_INTERVAL; then
-	# Call location and export all countries in xt_geoip compatible format.
-	if /usr/bin/location export --directory=/usr/share/xt_geoip --family=ipv4 --format=xt_geoip; then
+	# Call location and export all countries in an ipset compatible format.
+	if /usr/bin/location export --directory=/var/lib/location/ipset --family=ipv4 --format=ipset; then
 
 		# Call initscript to reload the firewall.
 		/etc/init.d/firewall reload
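Review bot: the export target changes to /var/lib/location/ipset, but nothing in this hunk ensures that directory exists before "location export" runs; the old target was created by the "mkdir -pv /usr/share/xt_geoip/" line in the removed lfs file. Add a "mkdir -p" ahead of the export or ship the directory with the package. Only "--family=ipv4" is exported, so the set-based rules cover IPv4 only, and the firewall reload that follows has to re-import the exported sets for new data to take effect.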


hooks/post-receive
--
IPFire 2.x development tree
