From 07106467b83e9be97ce207ce919ad45ab2df4bba Mon Sep 17 00:00:00 2001
From: Stefan Schantl
Date: Mon, 14 Feb 2022 19:42:51 +0100
Subject: [PATCH] rules.pl: Move to ipset based data for location based firewall rules.
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
Signed-off-by: Stefan Schantl
Reviewed-by: Peter Müller
Reviewed-by: Michael Tremer
---
 config/firewall/firewall-lib.pl | 4 ++--
 config/firewall/rules.pl | 16 ++++++++++++++--
 2 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl
index e7ec30ae0b..f4089a3a00 100644
--- a/config/firewall/firewall-lib.pl
+++ b/config/firewall/firewall-lib.pl
@@ -466,7 +466,7 @@ sub get_address
 # Get external interface.
 my $external_interface = &get_external_interface();
- push(@ret, ["-m geoip --src-cc $value", "$external_interface"]);
+ push(@ret, ["-m set --match-set CC_$value src", "$external_interface"]);
 }
 # Handle rule options with a location as target.
@@ -476,7 +476,7 @@ sub get_address
 # Get external interface.
 my $external_interface = &get_external_interface();
- push(@ret, ["-m geoip --dst-cc $value", "$external_interface"]);
+ push(@ret, ["-m set --match-set CC_$value dst", "$external_interface"]);
 }
 # If nothing was selected, we assume "any".
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index e009c18380..d533ffb428 100644
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -401,7 +401,13 @@ sub buildrules {
 my @source_options = ();
 if ($source =~ /mac/) {
 push(@source_options, $source);
- } elsif ($source =~ /-m geoip/) {
+ } elsif ($source =~ /-m set/) {
+ # Grab location code from hash.
+ my $loc_src = $$hash{$key}[4];
+
+ # Call function to load the networks list for this country.
+ &ipset_restore($loc_src);
+
 push(@source_options, $source);
 } elsif($source) {
 push(@source_options, ("-s", $source));
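Review bot: `$value` is interpolated straight into the ipset name `CC_$value` with no visible check that it is a country code; where `$value` comes from and whether it was validated earlier in get_address is outside this hunk, so this may already be covered. If it is not, a malformed value now fails later at ipset/iptables time rather than here, and since ipset set names are limited to 31 characters an overlong value would be rejected outright when the set is created. The `CC_` naming convention is also now shared with whatever ipset_restore() in rules.pl creates, and nothing ties the two together, so I would document the coupling on the push: `# Set name must match the one ipset_restore() in rules.pl creates (CC_<code>).` get_address starts and ends outside the hunk.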
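Review bot: The result of `&ipset_restore($loc_src);` is discarded, so if the set cannot be loaded the `--match-set CC_...` rule assembled from `$source` two lines later is still emitted, and iptables refuses a rule whose set does not exist. Whether ipset_restore() dies on failure or remembers sets it has already loaded is not visible here; if it does neither, a ruleset with several rules for the same country reloads that set once per rule. I would also take the code from the match string rather than from the positional field, `} elsif ($source =~ /--match-set CC_(\S+) src/) {` followed by `&ipset_restore($1);`, which anchors the branch to the location match instead of any future `-m set` string and drops the dependency on index 4 of the rule record. buildrules starts and ends outside the hunk.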
@@ -409,7 +415,13 @@ sub buildrules {
 # Prepare destination options.
 my @destination_options = ();
- if ($destination =~ /-m geoip/) {
+ if ($destination =~ /-m set/) {
+ # Grab location code from hash.
+ my $loc_dst = $$hash{$key}[6];
+
+ # Call function to load the networks list for this country.
+ &ipset_restore($loc_dst);
+
 push(@destination_options, $destination);
 } elsif ($destination) {
 push(@destination_options, ("-d", $destination));
-- 
2.39.5
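Review bot: This branch repeats the source branch of the previous hunk line for line, with only `$$hash{$key}[6]` in place of `[4]` and `$loc_dst` for `$loc_src`, and nothing in either branch says what those indices are. A comment on the assignment would at least pin the contract: `# Field 6 of the rule record is the destination location code (field 4 the source one); presumably the same fields get_address() in firewall-lib.pl reads, keep them in step.` If ipset_restore() gains further callers, a small helper taking the field index would remove the copy altogether. buildrules starts and ends outside the hunk.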