Add support for generating GeoIP-based firewall rules.

author Alexander Marx <amarx@ipfire.org>

Tue, 17 Feb 2015 16:01:42 +0000 (17:01 +0100)

committer Stefan Schantl <stefan.schantl@ipfire.org>

Tue, 17 Feb 2015 17:00:52 +0000 (18:00 +0100)
author Alexander Marx <amarx@ipfire.org>
Tue, 17 Feb 2015 16:01:42 +0000 (17:01 +0100)
committer Stefan Schantl <stefan.schantl@ipfire.org>
Tue, 17 Feb 2015 17:00:52 +0000 (18:00 +0100)
diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl

old mode 100755 (executable)

new mode 100644 (file)

index f73d84f..b389fac
--- a/config/firewall/firewall-lib.pl
+++ b/config/firewall/firewall-lib.pl
@@ -27,6 +27,7 @@ package fwlib;
  my %customnetwork=();
  my %customhost=();
  my %customgrp=();
+my %customgeoipgrp=();
  my %customservice=();
  my %customservicegrp=();
  my %ccdnet=();
@@ -42,6 +43,7 @@ require '/var/ipfire/general-functions.pl';
  my $confignet          = "${General::swroot}/fwhosts/customnetworks";
  my $confighost         = "${General::swroot}/fwhosts/customhosts";
  my $configgrp          = "${General::swroot}/fwhosts/customgroups";
+my $configgeoipgrp     = "${General::swroot}/fwhosts/customgeoipgrp";
  my $configsrv          = "${General::swroot}/fwhosts/customservices";
  my $configsrvgrp       = "${General::swroot}/fwhosts/customservicegrp";
  my $configccdnet       = "${General::swroot}/ovpn/ccd.conf";
@@ -59,6 +61,7 @@ my $netsettings               = "${General::swroot}/ethernet/settings";
  &General::readhasharray("$confignet", \%customnetwork);
  &General::readhasharray("$confighost", \%customhost);
  &General::readhasharray("$configgrp", \%customgrp);
+&General::readhasharray("$configgeoipgrp", \%customgeoipgrp);
  &General::readhasharray("$configccdnet", \%ccdnet);
  &General::readhasharray("$configccdhost", \%ccdhost);
  &General::readhasharray("$configipsec", \%ipsecconf);
@@ -295,6 +298,17 @@ sub get_addresses
                         if ($customgrp{$grp}[0] eq $value) {
                                 my @address = &get_address($customgrp{$grp}[3], $customgrp{$grp}[2], $type);
  
+                               if (@address) {
+                                       push(@addresses, @address);
+                               }
+                       }
+               }
+       }elsif ($addr_type ~~ ["cust_geoip_src", "cust_geoip_tgt"] && $value =~ "group:") {
+               $value=substr($value,6);
+               foreach my $grp (sort {$a <=> $b} keys %customgeoipgrp) {
+                       if ($customgeoipgrp{$grp}[0] eq $value) {
+                               my @address = &get_address($addr_type, $customgeoipgrp{$grp}[2], $type);
+
                                 if (@address) {
                                         push(@addresses, @address);
                                 }
@@ -414,6 +428,20 @@ sub get_address
                         }
                 }
  
+       # Handle rule options with GeoIP as source.
+       } elsif ($key eq "cust_geoip_src") {
+               # Get external interface.
+               my $external_interface = &get_external_interface();
+
+               push(@ret, ["-m geoip --src-cc $value", "$external_interface"]);
+
+       # Handle rule options with GeoIP as target.
+       } elsif ($key eq "cust_geoip_tgt") {
+               # Get external interface.
+               my $external_interface = &get_external_interface();
+
+               push(@ret, ["-m geoip --dst-cc $value", "$external_interface"]);
+
         # If nothing was selected, we assume "any".
         } else {
                 push(@ret, ["0/0", ""]);
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl

index cd2f3a63590cb2428d7ba9e0fbcbc7f3bf4fa22e..a12ab56670f92342527cc4748349fc0301cbde2e 100644 (file)
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -368,13 +368,17 @@ sub buildrules {
                                         my @source_options = ();
                                         if ($source =~ /mac/) {
                                                 push(@source_options, $source);
-                                       } elsif ($source) {
+                                       } elsif ($source =~ /-m geoip/) {
+                                               push(@source_options, $source);
+                                       } elsif($source) {
                                                 push(@source_options, ("-s", $source));
                                         }
  
                                         # Prepare destination options.
                                         my @destination_options = ();
-                                       if ($destination) {
+                                       if ($destination =~ /-m geoip/) {
+                                               push(@destination_options,  $destination);
+                                       } elsif ($destination) {
                                                 push(@destination_options, ("-d", $destination));
                                         }
author	Alexander Marx <amarx@ipfire.org>
	Tue, 17 Feb 2015 16:01:42 +0000 (17:01 +0100)
committer	Stefan Schantl <stefan.schantl@ipfire.org>
	Tue, 17 Feb 2015 17:00:52 +0000 (18:00 +0100)
config/firewall/firewall-lib.pl	[changed mode: 0755->0644]	patch \| blob \| blame \| history
config/firewall/rules.pl		patch \| blob \| blame \| history