From: Michael Tremer Date: Wed, 14 Oct 2020 10:35:41 +0000 (+0000) Subject: Merge branch 'master' into next X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=cbd0df20ed3a1089e21110d2bf200cbea3ac063a;hp=64c8811dee6120fe4e2f803d7361f7eeef61b341;p=people%2Fpmueller%2Fipfire-2.x.git Merge branch 'master' into next
---
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index cad53a1d79..c2641a92d3 100644
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -48,6 +48,13 @@ my @PROTOCOLS_WITH_PORTS = ("tcp", "udp");
 my @VALID_TARGETS = ("ACCEPT", "DROP", "REJECT");
+my @PRIVATE_NETWORKS = (
+ "10.0.0.0/8",
+ "172.16.0.0/12",
+ "192.168.0.0/16",
+ "100.64.0.0/10",
+);
+
 my %fwdfwsettings=();
 my %fwoptions = ();
 my %defaultNetworks=();
@@ -621,6 +628,16 @@ sub locationblock {
 return;
 }
+ # Only check the RED interface
+ if ($defaultNetworks{'RED_DEV'} ne "") {
+ run("$IPTABLES -A LOCATIONBLOCK ! -i $defaultNetworks{'RED_DEV'} -j RETURN");
+ }
+
+ # Do not check any private address space
+ foreach my $network (@PRIVATE_NETWORKS) {
+ run("$IPTABLES -A LOCATIONBLOCK -s $network -j RETURN");
+ }
+
 # Loop through all supported locations and
 # create iptables rules, if blocking for this country
 # is enabled.
diff --git a/config/rootfiles/oldcore/151/filelists/files b/config/rootfiles/oldcore/151/filelists/files
index 8223d97de5..9910e1bf94 100644
--- a/config/rootfiles/oldcore/151/filelists/files
+++ b/config/rootfiles/oldcore/151/filelists/files
@@ -10,6 +10,7 @@ srv/web/ipfire/cgi-bin/ipinfo.cgi
 srv/web/ipfire/cgi-bin/pakfire.cgi
 srv/web/ipfire/cgi-bin/vpnmain.cgi
 usr/bin/probenic.sh
+usr/lib/firewall/rules.pl
 usr/local/bin/ipsecctrl
 var/ipfire/general-functions.pl
 var/ipfire/langs
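Review bot: The last entry of `@PRIVATE_NETWORKS` in the first rules.pl hunk, `100.64.0.0/10`, is not RFC 1918 private space but the RFC 6598 shared address space used for carrier-grade NAT, and the declaration has no comment explaining why it is listed. The second hunk uses this list to exempt sources from the location block, so a reader auditing the exemption should be able to tell what each range is. A comment above the declaration would cover it, for example `# RFC 1918 private ranges plus RFC 6598 shared address space (100.64.0.0/10); sources in these ranges skip the location block`.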
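Review bot: The `! -i $defaultNetworks{'RED_DEV'} -j RETURN` rule added in the `locationblock` hunk fails open if `RED_DEV` is not the interface packets actually arrive on, because every packet then matches the negated interface test and leaves LOCATIONBLOCK before any country rule is evaluated. Whether that can happen (for example a dial-up link whose traffic arrives on a PPP device rather than the configured Ethernet device) is not visible here, so it should be checked against how `%defaultNetworks` is filled. A comment such as `# RED_DEV must name the interface RED traffic really arrives on, otherwise everything RETURNs here` would record the assumption. The `-s $network -j RETURN` rules also trust the source address alone, so they rely on spoofed private sources arriving on RED being dropped elsewhere in the ruleset. The body of `locationblock` starts and ends outside the hunk.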