firewall: Get rid of xt_geoip for DROP_HOSTILE

This is required to drop xtables-addons altogether.

Cc: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>

diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall
index 2ac7db09b1f6c7aea97ca0b7362b76daed05dc68..adb2240bbedbc8feecb4ef0b0fa73db3d6f5fd7c 100644 (file)
--- a/src/initscripts/system/firewall
+++ b/src/initscripts/system/firewall
@@ -147,10 +147,10 @@ iptables_init() {
        iptables -N HOSTILE
        if [ "$DROPHOSTILE" == "on" ]; then
                iptables -A HOSTILE -m limit --limit 10/second -j LOG  --log-prefix "DROP_HOSTILE "
-               iptables -A INPUT   -i $IFACE -m geoip --src-cc XD -j HOSTILE
-               iptables -A FORWARD -i $IFACE -m geoip --src-cc XD -j HOSTILE
-               iptables -A FORWARD -o $IFACE -m geoip --dst-cc XD -j HOSTILE
-               iptables -A OUTPUT  -o $IFACE -m geoip --src-cc XD -j HOSTILE
+               iptables -A INPUT   -i $IFACE -m set --match-set CC_XD src -j HOSTILE
+               iptables -A FORWARD -i $IFACE -m set --match-set CC_XD src -j HOSTILE
+               iptables -A FORWARD -o $IFACE -m set --match-set CC_XD dst -j HOSTILE
+               iptables -A OUTPUT  -o $IFACE -m set --match-set CC_XD src -j HOSTILE
        fi
        iptables -A HOSTILE -j DROP -m comment --comment "DROP_HOSTILE"