From patchwork Wed Apr 17 05:08:05 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Stefan Schantl X-Patchwork-Id: 2202 Return-Path: Received: from mail01.ipfire.org (mail01.i.ipfire.org [172.28.1.200]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mail01.ipfire.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by web07.i.ipfire.org (Postfix) with ESMTPS id 629CA85BD82 for ; Tue, 16 Apr 2019 20:08:12 +0100 (BST) Received: from mail01.i.ipfire.org (localhost [IPv6:::1]) by mail01.ipfire.org (Postfix) with ESMTP id 44kFJC3QrZz5160t; Tue, 16 Apr 2019 20:08:11 +0100 (BST) Received: from tuxedo.stevee (213162073058.public.t-mobile.at [213.162.73.58]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mail01.ipfire.org (Postfix) with ESMTPSA id 44kFJ857Kkz5160t; Tue, 16 Apr 2019 20:08:08 +0100 (BST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=201904rsa; t=1555441689; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-transfer-encoding:content-transfer-encoding: in-reply-to:references:openpgp:autocrypt; bh=TP4sKC78sDPRvj1W/AaCQ/j3kVBkpgulOSsAARuBc3s=; b=UubhS3G32vPXnDa7X9GLfuY0Qu+iIGepBc+hCxUY6hr++tWXILtoVyaKXBMQHFUY4rT6E8 XB7YSHDemIDaNxPALYnNF0T4GpOr34Oe0vT1A+VznBYhz8FqEn0OtCauBIqh6FWwf203P9 5HJVBd+koYAkfDeLSC3G6tq20E9H+80x6BsD0DyNdkQmSG2deTcF/U4fM3lOMOhtlNIJgM MyM33qgnBsf2trV5XTPNMctVGlZQgprKVC81phk8BZVpauFWUSh3/LpZeZW/jbOcXm3hCy eSOWn346NrMa+yOVtLFnLhXV8veykgRwADNcss45D6/yt7heXIg/bNOpEC+uAw== DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=201904ed25519; t=1555441689; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-transfer-encoding:content-transfer-encoding: 
in-reply-to:references:openpgp:autocrypt; bh=TP4sKC78sDPRvj1W/AaCQ/j3kVBkpgulOSsAARuBc3s=; b=qnqxhM8izIgJvXrmf/m2vdYPs64Ui9JhiNHNap17QeWfx/ig05sACCAz6BZChpwZ0G5yKX yJttvo9xxPAhNADw==
From: Stefan Schantl
To: development@lists.ipfire.org
Subject: [PATCH] firewall-lib.pl: Populate GeoIP rules only if location is available.
Date: Tue, 16 Apr 2019 21:08:05 +0200
Message-Id: <20190416190805.4264-1-stefan.schantl@ipfire.org>
X-Mailer: git-send-email 2.20.1
MIME-Version: 1.0
Authentication-Results: mail01.ipfire.org; auth=pass smtp.auth=stevee smtp.mailfrom=stefan.schantl@ipfire.org
X-BeenThere: development@lists.ipfire.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IPFire development talk
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Errors-To: development-bounces@lists.ipfire.org
Sender: "Development"

In case a GeoIP related firewall rule should be created, the script now will check if the given location is still available.

Fixes #12054.

Signed-off-by: Stefan Schantl
Reviewed-by: Peter Müller
---
 config/firewall/firewall-lib.pl | 40 ++++++++++++++++++++++++++++-----
 1 file changed, 34 insertions(+), 6 deletions(-)

diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl
index 118744fd6..59ae096b0 100644
--- a/config/firewall/firewall-lib.pl
+++ b/config/firewall/firewall-lib.pl
@@ -70,6 +70,9 @@ my $netsettings = "${General::swroot}/ethernet/settings";
 &General::readhasharray("$configsrvgrp", \%customservicegrp);
 &General::get_aliases(\%aliases);
 
+# Get all available GeoIP locations.
+my @available_geoip_locations = &get_geoip_locations();
+
 sub get_srv_prot
 {
 	my $val=shift;
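Review bot: `&get_geoip_locations()` now runs unconditionally at library load, so every script that pulls in firewall-lib.pl pays for the GeoIP::get_geoip_locations() call even when no GeoIP rule exists, and the list only reflects the databases present at load time. The only consumer visible in this patch is the membership test in `geoip_location_is_available` (last hunk), so a hash would be both cheaper and clearer: `my %available_geoip_location = map { $_ => 1 } &get_geoip_locations();` with the lookup reduced to `return exists $available_geoip_location{$location};`. If the load-time cost matters for callers that never touch GeoIP, the list could instead be filled lazily on the first lookup. The `&name()` call form matches the file's existing style, so I would keep it.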
@@ -456,17 +459,23 @@ sub get_address
 # Handle rule options with GeoIP as source.
 } elsif ($key eq "cust_geoip_src") {
- # Get external interface.
- my $external_interface = &get_external_interface();
+ # Check if the given GeoIP location is available.
+ if(&geoip_location_is_available($value)) {
+ # Get external interface.
+ my $external_interface = &get_external_interface();
 
- push(@ret, ["-m geoip --src-cc $value", "$external_interface"]);
+ push(@ret, ["-m geoip --src-cc $value", "$external_interface"]);
+ }
 
 # Handle rule options with GeoIP as target.
 } elsif ($key eq "cust_geoip_tgt") {
- # Get external interface.
- my $external_interface = &get_external_interface();
+ # Check if the given GeoIP location is available.
+ if(&geoip_location_is_available($value)) {
+ # Get external interface.
+ my $external_interface = &get_external_interface();
 
- push(@ret, ["-m geoip --dst-cc $value", "$external_interface"]);
+ push(@ret, ["-m geoip --dst-cc $value", "$external_interface"]);
+ }
 
 # If nothing was selected, we assume "any".
 } else {
@@ -610,4 +619,23 @@ sub get_geoip_locations() {
 return &GeoIP::get_geoip_locations();
 }
 
+# Function to check if a database of a given GeoIP location is
+# available.
+sub geoip_location_is_available($) {
+ my ($location) = @_;
+
+ # Loop through the global array of available GeoIP locations.
+ foreach my $geoip_location (@available_geoip_locations) {
+ # Check if the current processed location is the searched one.
+ if($location eq $geoip_location) {
+ # If it is part of the array, return "1" - True.
+ return 1;
+ }
+ }
+
+ # If we got here, the given location is not part of the array of available
+ # zones. Return nothing.
+ return;
+}
+
 return 1;
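Review bot: When `geoip_location_is_available($value)` is false, both new `if` blocks in the `cust_geoip_src` and `cust_geoip_tgt` branches fall through without pushing anything and without any diagnostic, so a rule whose location database has gone missing silently produces no match at all; for a rule meant to block a country that is a fail-open outcome the administrator is never told about. I cannot see from the hunk how callers treat an empty `@ret`, but the skip should at least be reported, e.g. an `else` branch with `warn "Skipping GeoIP rule: no database for location '$value'\n";` in both branches (or whatever logging call this script already uses). The two branches are now identical apart from `--src-cc`/`--dst-cc`, so the direction could be chosen into one variable and the check plus `push` written once. The enclosing `get_address` sub starts and ends outside the hunk.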
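Review bot: The `($)` prototype on `sub geoip_location_is_available` does no argument validation — the callers added in the previous hunk use the `&name(...)` form, which bypasses prototypes entirely, and on a plain call it would only force scalar context on the argument — so it should be dropped, leaving `sub geoip_location_is_available {`. The `foreach`/`eq` scan plus two commented early returns can be a single core `grep`, `return scalar grep { $_ eq $location } @available_geoip_locations;`; the truth value seen by the `if` callers is unchanged, only the true result becomes a count instead of 1. If warnings are enabled in this file, an undef `$location` will also trigger an uninitialized-value warning on `eq`, which `return unless defined $location;` at the top of the sub avoids.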