]> git.ipfire.org Git - ipfire-2.x.git/blobdiff - config/firewall/rules.pl
Merge remote-tracking branch 'earl/tor' into next
[ipfire-2.x.git] / config / firewall / rules.pl
index cd2f3a63590cb2428d7ba9e0fbcbc7f3bf4fa22e..daa95651bbecaf02d70bf143856dd6546f082c29 100644 (file)
@@ -89,8 +89,16 @@ sub main {
        # Flush all chains.
        &flush();
 
-       # Reload firewall rules.
-       &preparerules();
+       # Prepare firewall rules.
+       if (! -z  "${General::swroot}/firewall/input"){
+               &buildrules(\%configinputfw);
+       }
+       if (! -z  "${General::swroot}/firewall/outgoing"){
+               &buildrules(\%configoutgoingfw);
+       }
+       if (! -z  "${General::swroot}/firewall/config"){
+               &buildrules(\%configfwdfw);
+       }
 
        # Load P2P block rules.
        &p2pblock();
@@ -100,6 +108,11 @@ sub main {
 
        # Reload firewall policy.
        run("/usr/sbin/firewall-policy");
+
+       #Reload firewall.local if present
+       if ( -f '/etc/sysconfig/firewall.local'){
+               run("/etc/sysconfig/firewall.local reload");
+       }
 }
 
 sub run {
@@ -150,18 +163,6 @@ sub flush {
        run("$IPTABLES -t mangle -F $CHAIN_MANGLE_NAT_DESTINATION_FIX");
 }
 
-sub preparerules {
-       if (! -z  "${General::swroot}/firewall/input"){
-               &buildrules(\%configinputfw);
-       }
-       if (! -z  "${General::swroot}/firewall/outgoing"){
-               &buildrules(\%configoutgoingfw);
-       }
-       if (! -z  "${General::swroot}/firewall/config"){
-               &buildrules(\%configfwdfw);
-       }
-}
-
 sub buildrules {
        my $hash = shift;
 
@@ -368,13 +369,17 @@ sub buildrules {
                                        my @source_options = ();
                                        if ($source =~ /mac/) {
                                                push(@source_options, $source);
-                                       } elsif ($source) {
+                                       } elsif ($source =~ /-m geoip/) {
+                                               push(@source_options, $source);
+                                       } elsif($source) {
                                                push(@source_options, ("-s", $source));
                                        }
 
                                        # Prepare destination options.
                                        my @destination_options = ();
-                                       if ($destination) {
+                                       if ($destination =~ /-m geoip/) {
+                                               push(@destination_options,  $destination);
+                                       } elsif ($destination) {
                                                push(@destination_options, ("-d", $destination));
                                        }
 
@@ -516,10 +521,6 @@ sub buildrules {
                        }
                }
        }
-       #Reload firewall.local if present
-       if ( -f '/etc/sysconfig/firewall.local'){
-               run("/etc/sysconfig/firewall.local reload");
-       }
 }
 
 # Formats the given timestamp into the iptables format which is "hh:mm" UTC.
@@ -579,14 +580,15 @@ sub p2pblock {
 
 sub geoipblock {
        my %geoipsettings = ();
+       $geoipsettings{'GEOIPBLOCK_ENABLED'} = "off";
+
+       # Flush iptables chain.
+       run("$IPTABLES -F GEOIPBLOCK");
 
        # Check if the geoip settings file exists
        if (-e "$geoipfile") {
                # Read settings file
                &General::readhash("$geoipfile", \%geoipsettings);
-       } else {
-               # Exit submodule, go on processing the remaining script
-               return;
        }
 
        # If geoip blocking is not enabled, we are finished here.
@@ -598,9 +600,6 @@ sub geoipblock {
        # Get supported locations.
        my @locations = &fwlib::get_geoip_locations();
 
-       # Create iptables chain.
-       run("$IPTABLES -F GEOIPBLOCK");
-
        # Loop through all supported geoip locations and
        # create iptables rules, if blocking this country
        # is enabled.