rules.pl: Use load_location function to load a location set
authorStefan Schantl <stefan.schantl@ipfire.org>
Fri, 14 Apr 2023 18:45:28 +0000 (20:45 +0200)
committerStefan Schantl <stefan.schantl@ipfire.org>
Sun, 3 Mar 2024 11:56:03 +0000 (12:56 +0100)
Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
config/firewall/rules.pl

index bbd417d305af4f75663c33a118964ea7b8e789d0..7ab3dd04a162e92c559081309a0a34a9698c791e 100644 (file)
@@ -435,8 +435,17 @@ sub buildrules {
                                                # obtain the set name.
                                                my ($a, $b, $c, $loc_src, $e) = split(/ /, $source);
 
-                                               # Call function to load the networks list for this country.
-                                               &ipset_restore($loc_src);
+                                               # Call function to load the networks list for this country,
+                                               # in case it is not loaded yet.
+                                               unless($ipset_loaded_sets{$loc_src}) {
+                                                       # Print debug notice.
+                                                       print "Loading set $loc_src\n" if ($DEBUG);
+
+                                                       &Location::Functions::load_location($loc_src);
+
+                                                       # Mark the set as loaded.
+                                                       $ipset_loaded_sets{$loc_src} = "1";
+                                               }
 
                                                push(@source_options, $source);
                                        } elsif($source) {
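Review bot: The set is recorded in `%ipset_loaded_sets` whether or not `&Location::Functions::load_location($loc_src)` succeeded, so a failed load is never retried during this run and the rule built from `$source` may reference a set that does not exist. The same pattern appears in the hunks at 459 (`$loc_dst`), 716 (`$location`, which feeds the LOCATIONBLOCK DROP rule) and 747 (`$HOSTILE_CCODE`), where a missing set could leave a blocking rule uninstalled. How load_location reports failure is not visible in this diff; if it returns a status, set the flag only on success and print a warning otherwise. Failing that, document the gap with a comment such as `# NOTE: result of load_location is not checked; the set is marked as loaded unconditionally.` buildrules starts and ends outside the hunk.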
@@ -450,8 +459,17 @@ sub buildrules {
                                                # obtain the set name.
                                                my ($a, $b, $c, $loc_dst, $e) = split(/ /, $destination);
 
-                                               # Call function to load the networks list for this country.
-                                               &ipset_restore($loc_dst);
+                                               # Call function to load the networks list for this country,
+                                               # if it is not loaded yet.
+                                               unless($ipset_loaded_sets{$loc_dst}) {
+                                                       # Print debug notice.
+                                                       print "Loading set $loc_dst\n" if ($DEBUG);
+
+                                                       &Location::Functions::load_location($loc_dst);
+
+                                                       # Mark the set as loaded.
+                                                       $ipset_loaded_sets{$loc_dst} = "1";
+                                               }
 
                                                push(@destination_options,  $destination);
                                        } elsif ($destination) {
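Review bot: This load-once block is now repeated four times (here and in the hunks at 435, 716 and 747), differing only in the variable name, and the comment wording already drifts between the copies ("in case it is not loaded yet", "if it is not loaded yet", "if not loaded yet"). A small helper would keep the lookup, the debug print and the bookkeeping in one place, so that a later change such as checking the load result is made once; each call site then shrinks to a line like `&load_location_set($loc_dst);`. The helper name below is only a suggestion, and buildrules starts and ends outside the hunk.

```perl
# Load a location set once per run and remember that it has been loaded.
sub load_location_set {
	my ($set) = @_;

	# Nothing to do if the set has already been loaded.
	return if ($ipset_loaded_sets{$set});

	# Print debug notice.
	print "Loading set $set\n" if ($DEBUG);

	&Location::Functions::load_location($set);

	# Mark the set as loaded.
	$ipset_loaded_sets{$set} = "1";
}

# … unchanged: split of $destination into $loc_dst …
&load_location_set($loc_dst);
```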
@@ -698,8 +716,17 @@ sub locationblock {
        # is enabled.
        foreach my $location (@locations) {
                if(exists $locationsettings{$location} && $locationsettings{$location} eq "on") {
-                       # Call function to load the networks list for this country.
-                       &ipset_restore($location);
+                       # Call function to load the networks list for this country, if not
+                       # loaded yet.
+                       unless($ipset_loaded_sets{$location}) {
+                               # Print debug notice.
+                               print "Loading set $location\n" if ($DEBUG);
+
+                               &Location::Functions::load_location($location);
+
+                               # Mark the set as loaded.
+                               $ipset_loaded_sets{$location} = "1";
+                       }
 
                        # Call iptables and create rule to use the loaded ipset list.
                        run("$IPTABLES -A LOCATIONBLOCK -m set --match-set $location src -j DROP");
@@ -720,8 +747,16 @@ sub drop_hostile_networks () {
        # Exit if there is no red interface.
        return unless($RED_DEV);
 
-       # Call function to load the network list of hostile networks.
-       &ipset_restore($HOSTILE_CCODE);
+       # Call function to load the network list of hostile networks, if not loaded yet.
+       unless ($ipset_loaded_sets{$HOSTILE_CCODE}) {
+               # Print debug notice.
+               print "Loading set $HOSTILE_CCODE\n" if ($DEBUG);
+
+               &Location::Functions::load_location($HOSTILE_CCODE);
+
+               # Mark the set as loaded.
+               $ipset_loaded_sets{$HOSTILE_CCODE} = "1";
+       }
 
        # Check traffic in incoming/outgoing direction and drop if it matches
        run("$IPTABLES -A HOSTILE -i $RED_DEV -m set --match-set $HOSTILE_CCODE src -j HOSTILE_DROP_IN");