[07/12] rules.pl: Move to ipset based data for location based firewall rules.

Message ID 20220214184257.2406-7-stefan.schantl@ipfire.org
State Accepted
Commit 07106467b83e9be97ce207ce919ad45ab2df4bba
Series [01/12] location-functions.pl: Rename and set the location for exported databases to "/var/lib/location/ipset/". |

Commit Message

Stefan Schantl Feb. 14, 2022, 6:42 p.m. UTC
  Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
---
 config/firewall/firewall-lib.pl |  4 ++--
 config/firewall/rules.pl        | 16 ++++++++++++++--
 2 files changed, 16 insertions(+), 4 deletions(-)
  

Comments

Peter Müller Feb. 14, 2022, 9:05 p.m. UTC | #1
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>

> Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
> ---
>  config/firewall/firewall-lib.pl |  4 ++--
>  config/firewall/rules.pl        | 16 ++++++++++++++--
>  2 files changed, 16 insertions(+), 4 deletions(-)
> 
> diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl
> index bc0b30ca5..13f0c9971 100644
> --- a/config/firewall/firewall-lib.pl
> +++ b/config/firewall/firewall-lib.pl
> @@ -466,7 +466,7 @@ sub get_address
>  			# Get external interface.
>  			my $external_interface = &get_external_interface();
>  
> -			push(@ret, ["-m geoip --src-cc $value", "$external_interface"]);
> +			push(@ret, ["-m set --match-set CC_$value src", "$external_interface"]);
>  		}
>  
>  	# Handle rule options with a location as target.
> @@ -476,7 +476,7 @@ sub get_address
>  			# Get external interface.
>  			my $external_interface = &get_external_interface();
>  
> -			push(@ret, ["-m geoip --dst-cc $value", "$external_interface"]);
> +			push(@ret, ["-m set --match-set CC_$value dst", "$external_interface"]);
>  		}
>  
>  	# If nothing was selected, we assume "any".
> diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
> index e009c1838..d533ffb42 100644
> --- a/config/firewall/rules.pl
> +++ b/config/firewall/rules.pl
> @@ -401,7 +401,13 @@ sub buildrules {
>  					my @source_options = ();
>  					if ($source =~ /mac/) {
>  						push(@source_options, $source);
> -					} elsif ($source =~ /-m geoip/) {
> +					} elsif ($source =~ /-m set/) {
> +						# Grab location code from hash.
> +						my $loc_src = $$hash{$key}[4];
> +
> +						# Call function to load the networks list for this country.
> +						&ipset_restore($loc_src);
> +
>  						push(@source_options, $source);
>  					} elsif($source) {
>  						push(@source_options, ("-s", $source));
> @@ -409,7 +415,13 @@ sub buildrules {
>  
>  					# Prepare destination options.
>  					my @destination_options = ();
> -					if ($destination =~ /-m geoip/) {
> +					if ($destination =~ /-m set/) {
> +						# Grab location code from hash.
> +						my $loc_dst = $$hash{$key}[6];
> +
> +						# Call function to load the networks list for this country.
> +						&ipset_restore($loc_dst);
> +
>  						push(@destination_options,  $destination);
>  					} elsif ($destination) {
>  						push(@destination_options, ("-d", $destination));
  
Michael Tremer Feb. 15, 2022, 12:40 p.m. UTC | #2
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>

> On 14 Feb 2022, at 18:42, Stefan Schantl <stefan.schantl@ipfire.org> wrote:
> 
> Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
> ---
> config/firewall/firewall-lib.pl |  4 ++--
> config/firewall/rules.pl        | 16 ++++++++++++++--
> 2 files changed, 16 insertions(+), 4 deletions(-)
> 
> diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl
> index bc0b30ca5..13f0c9971 100644
> --- a/config/firewall/firewall-lib.pl
> +++ b/config/firewall/firewall-lib.pl
> @@ -466,7 +466,7 @@ sub get_address
> 			# Get external interface.
> 			my $external_interface = &get_external_interface();
> 
> -			push(@ret, ["-m geoip --src-cc $value", "$external_interface"]);
> +			push(@ret, ["-m set --match-set CC_$value src", "$external_interface"]);
> 		}
> 
> 	# Handle rule options with a location as target.
> @@ -476,7 +476,7 @@ sub get_address
> 			# Get external interface.
> 			my $external_interface = &get_external_interface();
> 
> -			push(@ret, ["-m geoip --dst-cc $value", "$external_interface"]);
> +			push(@ret, ["-m set --match-set CC_$value dst", "$external_interface"]);
> 		}
> 
> 	# If nothing was selected, we assume "any".
> diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
> index e009c1838..d533ffb42 100644
> --- a/config/firewall/rules.pl
> +++ b/config/firewall/rules.pl
> @@ -401,7 +401,13 @@ sub buildrules {
> 					my @source_options = ();
> 					if ($source =~ /mac/) {
> 						push(@source_options, $source);
> -					} elsif ($source =~ /-m geoip/) {
> +					} elsif ($source =~ /-m set/) {
> +						# Grab location code from hash.
> +						my $loc_src = $$hash{$key}[4];
> +
> +						# Call function to load the networks list for this country.
> +						&ipset_restore($loc_src);
> +
> 						push(@source_options, $source);
> 					} elsif($source) {
> 						push(@source_options, ("-s", $source));
> @@ -409,7 +415,13 @@ sub buildrules {
> 
> 					# Prepare destination options.
> 					my @destination_options = ();
> -					if ($destination =~ /-m geoip/) {
> +					if ($destination =~ /-m set/) {
> +						# Grab location code from hash.
> +						my $loc_dst = $$hash{$key}[6];
> +
> +						# Call function to load the networks list for this country.
> +						&ipset_restore($loc_dst);
> +
> 						push(@destination_options,  $destination);
> 					} elsif ($destination) {
> 						push(@destination_options, ("-d", $destination));
> -- 
> 2.30.2
>
  

Patch

diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl
index bc0b30ca5..13f0c9971 100644
--- a/config/firewall/firewall-lib.pl
+++ b/config/firewall/firewall-lib.pl
@@ -466,7 +466,7 @@  sub get_address
 			# Get external interface.
 			my $external_interface = &get_external_interface();
 
-			push(@ret, ["-m geoip --src-cc $value", "$external_interface"]);
+			push(@ret, ["-m set --match-set CC_$value src", "$external_interface"]);
 		}
 
 	# Handle rule options with a location as target.
@@ -476,7 +476,7 @@  sub get_address
 			# Get external interface.
 			my $external_interface = &get_external_interface();
 
-			push(@ret, ["-m geoip --dst-cc $value", "$external_interface"]);
+			push(@ret, ["-m set --match-set CC_$value dst", "$external_interface"]);
 		}
 
 	# If nothing was selected, we assume "any".
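Review bot: The old `-m geoip --dst-cc` (and `--src-cc` in the previous hunk) accepted a comma-separated list of country codes, whereas `--match-set CC_$value dst` can only name one set; if the rule store ever holds a list in this field, the new rule silently refers to a non-existent set. Unless the UI guarantees a single code, splitting on `,` and pushing one `-m set` match per code would preserve the old semantics. The two location branches are otherwise identical apart from `src`/`dst` and could share one small helper. `get_address` continues outside the hunk.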
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index e009c1838..d533ffb42 100644
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -401,7 +401,13 @@  sub buildrules {
 					my @source_options = ();
 					if ($source =~ /mac/) {
 						push(@source_options, $source);
-					} elsif ($source =~ /-m geoip/) {
+					} elsif ($source =~ /-m set/) {
+						# Grab location code from hash.
+						my $loc_src = $$hash{$key}[4];
+
+						# Call function to load the networks list for this country.
+						&ipset_restore($loc_src);
+
 						push(@source_options, $source);
 					} elsif($source) {
 						push(@source_options, ("-s", $source));
@@ -409,7 +415,13 @@  sub buildrules {
 
 					# Prepare destination options.
 					my @destination_options = ();
-					if ($destination =~ /-m geoip/) {
+					if ($destination =~ /-m set/) {
+						# Grab location code from hash.
+						my $loc_dst = $$hash{$key}[6];
+
+						# Call function to load the networks list for this country.
+						&ipset_restore($loc_dst);
+
 						push(@destination_options,  $destination);
 					} elsif ($destination) {
 						push(@destination_options, ("-d", $destination));