Since libloc is built as a tree, we cannot simply exclude any address
space in the middle of it. Therefore we create some firewall rules
which simply avoid checking non-globally routable address space.
Fixes: #12499
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
my @VALID_TARGETS = ("ACCEPT", "DROP", "REJECT");
my @VALID_TARGETS = ("ACCEPT", "DROP", "REJECT");
+my @PRIVATE_NETWORKS = (
+ "10.0.0.0/8",
+ "172.16.0.0/12",
+ "192.168.0.0/16",
+ "100.64.0.0/10",
+);
+
my %fwdfwsettings=();
my %fwoptions = ();
my %defaultNetworks=();
my %fwdfwsettings=();
my %fwoptions = ();
my %defaultNetworks=();
+ # Only check the RED interface
+ if ($defaultNetworks{'RED_DEV'} ne "") {
+ run("$IPTABLES -A LOCATIONBLOCK ! -i $defaultNetworks{'RED_DEV'} -j RETURN");
+ }
+
+ # Do not check any private address space
+ foreach my $network (@PRIVATE_NETWORKS) {
+ run("$IPTABLES -A LOCATIONBLOCK -s $network -j RETURN");
+ }
+
# Loop through all supported locations and
# create iptables rules, if blocking for this country
# is enabled.
# Loop through all supported locations and
# create iptables rules, if blocking for this country
# is enabled.
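Review bot: @PRIVATE_NETWORKS covers only RFC 1918 space and the CGNAT range, while the stated goal is to skip all non-globally routable space, so loopback, link-local and multicast sources (127.0.0.0/8, 169.254.0.0/16, 224.0.0.0/4) still fall through to the country lookups; adding `"127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",` to the list, or renaming it to reflect that it is intentionally limited to private ranges, would make the intent match the commit message. The RED_DEV guard compares with `ne ""` without a definedness check, so a missing key produces an uninitialized-value warning under `use warnings`; `if (defined $defaultNetworks{'RED_DEV'} && $defaultNetworks{'RED_DEV'} ne "")` avoids that. The `! -i RED_DEV -j RETURN` rule exempts every packet not arriving on RED, so if LOCATIONBLOCK is also traversed by forwarded or locally originated traffic (not visible here), that traffic is now unconditionally skipped — worth confirming against the chain's other callers. The enclosing function starts and ends outside the hunk.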
srv/web/ipfire/cgi-bin/pakfire.cgi
srv/web/ipfire/cgi-bin/vpnmain.cgi
usr/bin/probenic.sh
srv/web/ipfire/cgi-bin/pakfire.cgi
srv/web/ipfire/cgi-bin/vpnmain.cgi
usr/bin/probenic.sh
+usr/lib/firewall/rules.pl
usr/local/bin/ipsecctrl
var/ipfire/general-functions.pl
var/ipfire/langs
usr/local/bin/ipsecctrl
var/ipfire/general-functions.pl
var/ipfire/langs