From patchwork Wed Apr 17 05:08:05 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Stefan Schantl <stefan.schantl@ipfire.org>
X-Patchwork-Id: 2202
Return-Path: <development-bounces@lists.ipfire.org>
Received: from mail01.ipfire.org (mail01.i.ipfire.org [172.28.1.200])
	(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256
	bits)) (Client CN "mail01.ipfire.org",
	Issuer "Let's Encrypt Authority X3" (verified OK))
	by web07.i.ipfire.org (Postfix) with ESMTPS id 629CA85BD82
	for <patchwork@web07.i.ipfire.org>;
	Tue, 16 Apr 2019 20:08:12 +0100 (BST)
Received: from mail01.i.ipfire.org (localhost [IPv6:::1])
	by mail01.ipfire.org (Postfix) with ESMTP id 44kFJC3QrZz5160t;
	Tue, 16 Apr 2019 20:08:11 +0100 (BST)
Received: from tuxedo.stevee (213162073058.public.t-mobile.at
	[213.162.73.58])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (Client did not present a certificate)
	by mail01.ipfire.org (Postfix) with ESMTPSA id 44kFJ857Kkz5160t;
	Tue, 16 Apr 2019 20:08:08 +0100 (BST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org;
	s=201904rsa;
	t=1555441689; h=from:from:sender:reply-to:subject:subject:date:date:
	message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	content-type:content-transfer-encoding:content-transfer-encoding:
	in-reply-to:references:openpgp:autocrypt;
	bh=TP4sKC78sDPRvj1W/AaCQ/j3kVBkpgulOSsAARuBc3s=;
	b=UubhS3G32vPXnDa7X9GLfuY0Qu+iIGepBc+hCxUY6hr++tWXILtoVyaKXBMQHFUY4rT6E8
	XB7YSHDemIDaNxPALYnNF0T4GpOr34Oe0vT1A+VznBYhz8FqEn0OtCauBIqh6FWwf203P9
	5HJVBd+koYAkfDeLSC3G6tq20E9H+80x6BsD0DyNdkQmSG2deTcF/U4fM3lOMOhtlNIJgM
	MyM33qgnBsf2trV5XTPNMctVGlZQgprKVC81phk8BZVpauFWUSh3/LpZeZW/jbOcXm3hCy
	eSOWn346NrMa+yOVtLFnLhXV8veykgRwADNcss45D6/yt7heXIg/bNOpEC+uAw==
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org;
	s=201904ed25519; t=1555441689;
	h=from:from:sender:reply-to:subject:subject:date:date:
	message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	content-type:content-transfer-encoding:content-transfer-encoding:
	in-reply-to:references:openpgp:autocrypt;
	bh=TP4sKC78sDPRvj1W/AaCQ/j3kVBkpgulOSsAARuBc3s=;
	b=qnqxhM8izIgJvXrmf/m2vdYPs64Ui9JhiNHNap17QeWfx/ig05sACCAz6BZChpwZ0G5yKX
	yJttvo9xxPAhNADw==
From: Stefan Schantl <stefan.schantl@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH] firewall-lib.pl: Populate GeoIP rules only if location is
	available.
Date: Tue, 16 Apr 2019 21:08:05 +0200
Message-Id: <20190416190805.4264-1-stefan.schantl@ipfire.org>
X-Mailer: git-send-email 2.20.1
MIME-Version: 1.0
Authentication-Results: mail01.ipfire.org;
	auth=pass smtp.auth=stevee smtp.mailfrom=stefan.schantl@ipfire.org
X-BeenThere: development@lists.ipfire.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IPFire development talk <development.lists.ipfire.org>
List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>,
	<mailto:development-request@lists.ipfire.org?subject=unsubscribe>
List-Archive: <https://lists.ipfire.org/pipermail/development/>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development-request@lists.ipfire.org?subject=help>
List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>,
	<mailto:development-request@lists.ipfire.org?subject=subscribe>
Errors-To: development-bounces@lists.ipfire.org
Sender: "Development" <development-bounces@lists.ipfire.org>

In case a GeoIP related firewall rule should be created, the script
now will check if the given location is still available.

Fixes #12054.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
---
 config/firewall/firewall-lib.pl | 40 ++++++++++++++++++++++++++++-----
 1 file changed, 34 insertions(+), 6 deletions(-)

diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl
index 118744fd6..59ae096b0 100644
--- a/config/firewall/firewall-lib.pl
+++ b/config/firewall/firewall-lib.pl
@@ -70,6 +70,9 @@ my $netsettings		= "${General::swroot}/ethernet/settings";
 &General::readhasharray("$configsrvgrp", \%customservicegrp);
 &General::get_aliases(\%aliases);
 
+# Get all available GeoIP locations.
+my @available_geoip_locations = &get_geoip_locations();
+
 sub get_srv_prot
 {
 	my $val=shift;
@@ -456,17 +459,23 @@ sub get_address
 
 	# Handle rule options with GeoIP as source.
 	} elsif ($key eq "cust_geoip_src") {
-		# Get external interface.
-		my $external_interface = &get_external_interface();
+		# Check if the given GeoIP location is available.
+		if(&geoip_location_is_available($value)) {
+			# Get external interface.
+			my $external_interface = &get_external_interface();
 
-		push(@ret, ["-m geoip --src-cc $value", "$external_interface"]);
+			push(@ret, ["-m geoip --src-cc $value", "$external_interface"]);
+		}
 
 	# Handle rule options with GeoIP as target.
 	} elsif ($key eq "cust_geoip_tgt") {
-		# Get external interface.
-		my $external_interface = &get_external_interface();
+		# Check if the given GeoIP location is available.
+		if(&geoip_location_is_available($value)) {
+			# Get external interface.
+			my $external_interface = &get_external_interface();
 
-		push(@ret, ["-m geoip --dst-cc $value", "$external_interface"]);
+			push(@ret, ["-m geoip --dst-cc $value", "$external_interface"]);
+		}
 
 	# If nothing was selected, we assume "any".
 	} else {
@@ -610,4 +619,23 @@ sub get_geoip_locations() {
 	return &GeoIP::get_geoip_locations();
 }
 
+# Function to check if a database of a given GeoIP location is
+# available.
+sub geoip_location_is_available($) {
+	my ($location) = @_;
+
+	# Loop through the global array of available GeoIP locations.
+	foreach my $geoip_location (@available_geoip_locations) {
+		# Check if the current processed location is the searched one.
+		if($location eq $geoip_location) {
+			# If it is part of the array, return "1" - True.
+			return 1;
+		}
+	}
+
+	# If we got here, the given location is not part of the array of available
+	# zones. Return nothing.
+	return;
+}
+
 return 1;