Merge branch 'master' of ssh://git.ipfire.org/pub/git/ipfire-2.x into seventeen-geoip
authorStefan Schantl <stefan.schantl@ipfire.org>
Sat, 14 Feb 2015 11:34:31 +0000 (12:34 +0100)
committerStefan Schantl <stefan.schantl@ipfire.org>
Sat, 14 Feb 2015 11:34:31 +0000 (12:34 +0100)
Conflicts:
make.sh

1  2 
config/firewall/rules.pl
config/rootfiles/common/stage2
lfs/stage2
make.sh

diff --combined config/firewall/rules.pl
index 834e248,97b8897..cd2f3a6
mode 100644,100755..100644
@@@ -60,7 -60,6 +60,7 @@@ my $configfwdfw               = "${General::swroot}/
  my $configinput           = "${General::swroot}/firewall/input";
  my $configoutgoing  = "${General::swroot}/firewall/outgoing";
  my $p2pfile                   = "${General::swroot}/firewall/p2protocols";
 +my $geoipfile         = "${General::swroot}/firewall/geoipblock";
  my $configgrp         = "${General::swroot}/fwhosts/customgroups";
  my $netsettings               = "${General::swroot}/ethernet/settings";
  
@@@ -95,9 -94,6 +95,9 @@@ sub main 
        # Load P2P block rules.
        &p2pblock();
  
 +      # Load GeoIP block rules.
 +      &geoipblock();
 +
        # Reload firewall policy.
        run("/usr/sbin/firewall-policy");
  }
@@@ -284,7 -280,7 +284,7 @@@ sub buildrules 
                # Concurrent connection limit
                my @ratelimit_options = ();
  
-               if (($elements gt 34) && ($$hash{$key}[32] eq 'ON')) {
+               if (($elements ge 34) && ($$hash{$key}[32] eq 'ON')) {
                        my $conn_limit = $$hash{$key}[33];
  
                        if ($conn_limit ge 1) {
                }
  
                # Ratelimit
-               if (($elements gt 37) && ($$hash{$key}[34] eq 'ON')) {
+               if (($elements ge 37) && ($$hash{$key}[34] eq 'ON')) {
                        my $rate_limit = "$$hash{$key}[35]/$$hash{$key}[36]";
  
-                               if ($rate_limit) {
-                                       push(@ratelimit_options, ("-m", "limit"));
-                                       push(@ratelimit_options, ("--limit", $rate_limit));
-                               }
+                       if ($rate_limit) {
+                               push(@ratelimit_options, ("-m", "limit"));
+                               push(@ratelimit_options, ("--limit", $rate_limit));
+                       }
                }
  
                # Check which protocols are used in this rule and so that we can
                                                push(@source_options, ("-s", $source));
                                        }
  
-                                       if ($source_intf) {
-                                               push(@source_options, ("-i", $source_intf));
-                                       }
                                        # Prepare destination options.
                                        my @destination_options = ();
                                        if ($destination) {
                                                push(@destination_options, ("-d", $destination));
                                        }
  
-                                       if ($destination_intf) {
-                                               push(@destination_options, ("-o", $destination_intf));
-                                       }
                                        # Add time constraint options.
                                        push(@options, @time_options);
  
                                                }
                                        }
  
+                                       # Add source and destination interface to the filter rules.
+                                       # These are supposed to help filtering forged packets that originate
+                                       # from BLUE with an IP address from GREEN for instance.
+                                       if ($source_intf) {
+                                               push(@source_options, ("-i", $source_intf));
+                                       }
+                                       if ($destination_intf) {
+                                               push(@destination_options, ("-o", $destination_intf));
+                                       }
                                        push(@options, @source_options);
                                        push(@options, @destination_options);
  
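Review bot: The field-count guards `if (($elements ge 34) && ($$hash{$key}[32] eq 'ON'))` and `if (($elements ge 37) && ($$hash{$key}[34] eq 'ON'))` still compare with the string operator `ge`, so the test is lexical: a rule with, say, 7 fields satisfies `"7" ge "34"` and the code then reads `$$hash{$key}[33]` or `[36]` past the end of the rule. `$elements` is assigned outside this hunk, but assuming it is the element count, the guards should be numeric, `if (($elements >= 34) && ($$hash{$key}[32] eq 'ON')) {` and `if (($elements >= 37) && ($$hash{$key}[34] eq 'ON')) {`, and `if ($conn_limit ge 1)` should likewise become `if ($conn_limit >= 1)`. Separately, `$rate_limit` is built as `"$$hash{$key}[35]/$$hash{$key}[36]"` and therefore always contains a `/`, so `if ($rate_limit)` can never reject an empty rate or unit; testing the two fields individually would. buildrules begins and ends outside this hunk.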
@@@ -574,40 -573,6 +577,40 @@@ sub p2pblock 
        }
  }
  
 +sub geoipblock {
 +      my %geoipsettings = ();
 +
 +      # Check if the geoip settings file exists
 +      if (-e "$geoipfile") {
 +              # Read settings file
 +              &General::readhash("$geoipfile", \%geoipsettings);
 +      } else {
 +              # Exit submodule, go on processing the remaining script
 +              return;
 +      }
 +
 +      # If geoip blocking is not enabled, we are finished here.
 +      if ($geoipsettings{'GEOIPBLOCK_ENABLED'} ne "on") {
 +              # Exit submodule. Process remaining script.
 +              return;
 +      }
 +
 +      # Get supported locations.
 +      my @locations = &fwlib::get_geoip_locations();
 +
 +      # Create iptables chain.
 +      run("$IPTABLES -F GEOIPBLOCK");
 +
 +      # Loop through all supported geoip locations and
 +      # create iptables rules, if blocking this country
 +      # is enabled.
 +      foreach my $location (@locations) {
 +              if($geoipsettings{$location} eq "on") {
 +                      run("$IPTABLES -A GEOIPBLOCK -m geoip --src-cc $location -j DROP");
 +              }
 +      }
 +}
 +
  sub get_protocols {
        my $hash = shift;
        my $key = shift;
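Review bot: In geoipblock the `run("$IPTABLES -F GEOIPBLOCK")` only executes after both early returns, so once blocking is switched off (GEOIPBLOCK_ENABLED no longer "on") or the settings file is removed, the `-j DROP` rules installed by an earlier run stay in the chain unless something outside this sub clears it. Moving `run("$IPTABLES -F GEOIPBLOCK");` to the top of the sub, ahead of the `-e "$geoipfile"` check, makes disabling actually take effect; the comment above it should then read `# Flush the GEOIPBLOCK chain (it must already exist; -F does not create it).` rather than "Create iptables chain". The value from `fwlib::get_geoip_locations()` is interpolated straight into the command string; neither run() nor that helper is in this diff, so if run() passes through a shell, an anchored check such as `next unless $location =~ /\A[A-Z]{2}\z/;` before the `-A` line would be a cheap safeguard. get_protocols continues past the end of this hunk.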
@@@ -20,6 -20,7 +20,7 @@@ etc/ld.so.con
  etc/logrotate.conf
  etc/mime.types
  etc/modprobe.d
+ etc/modprobe.d/btmrvl_sdio.conf
  etc/modprobe.d/cfg80211.conf
  etc/modprobe.d/pcspeaker.conf
  etc/modules.conf
@@@ -45,6 -46,11 +46,11 @@@ etc/system-releas
  #home
  home/nobody
  #lib
+ #lib/firmware
+ #lib/firmware/brcm
+ lib/firmware/brcm/brcmfmac4329-sdio.txt
+ lib/firmware/brcm/brcmfmac4330-sdio.txt
+ lib/firmware/brcm/brcmfmac43362-sdio.txt
  #media
  media/cdrom
  media/floppy
@@@ -60,6 -66,7 +66,7 @@@ root/.bash_logou
  root/.bash_profile
  root/.bashrc
  root/ipfire
+ run
  #sbin
  #srv
  #usr/bin
@@@ -94,7 -101,7 +101,7 @@@ usr/local/bin/scanh
  usr/local/bin/settime
  usr/local/bin/timecheck
  usr/local/bin/timezone-transition
- #usr/local/bin/uname
+ usr/local/bin/update-bootloader
  usr/local/bin/update-lang-cache
  #usr/local/include
  #usr/local/lib
@@@ -136,9 -143,7 +143,8 @@@ usr/share/doc/licenses/GPLv
  #usr/share/man/man8
  #usr/share/misc
  #usr/share/terminfo
 +#usr/share/xt_geoip
  #usr/share/zoneinfo
- run
  #var
  #var/cache
  var/empty
diff --combined lfs/stage2
@@@ -49,13 -49,13 +49,13 @@@ $(TARGET) 
        @$(PREBUILD)
  
        # Create directories
-       -mkdir -pv /{bin,boot,etc/opt,etc/modprobe.d,home,lib,mnt,opt,run}
+       -mkdir -pv /{bin,boot,etc/opt,etc/modprobe.d,home,lib/firmware/brcm,mnt,opt,run}
        -mkdir -pv /{media/{floppy,cdrom,usbkey},sbin,srv,var}
        -install -dv -m 0750 /root
        -install -dv -m 1777 /tmp /var/tmp
        -mkdir -pv /usr/{,local/}{bin,include,lib{,/sse2},sbin,src}
        -mkdir -pv /usr/{,local/}share/{doc,info,locale,man}
 -      -mkdir -v  /usr/{,local/}share/{misc,terminfo,zoneinfo}
 +      -mkdir -v  /usr/{,local/}share/{misc,terminfo,xt_geoip,zoneinfo}
        -mkdir -pv /usr/{,local/}share/man/man{1..8}
        #-for dir in /usr /usr/local; do \
        #  ln -sv share/{man,doc,info} $$dir; \
@@@ -75,6 -75,7 +75,7 @@@
  
        # Config files
        cp -rvf $(DIR_SRC)/config/etc/* /etc;
+       cp -rvf $(DIR_SRC)/config/lib/* /lib;
        touch /etc/{fs,m}tab
        echo "$(NAME) v$(VERSION) - $(SLOGAN)" >  /etc/issue
        echo "===============================" >> /etc/issue
diff --combined make.sh
+++ b/make.sh
@@@ -25,8 -25,8 +25,8 @@@
  NAME="IPFire"                                                 # Software name
  SNAME="ipfire"                                                        # Short name
  VERSION="2.17"                                                        # Version number
- CORE="86"                                                     # Core Level (Filename)
- PAKFIRE_CORE="85"                                             # Core Level (PAKFIRE)
+ CORE="87-rc1"                                                 # Core Level (Filename)
+ PAKFIRE_CORE="86"                                             # Core Level (PAKFIRE)
  GIT_BRANCH=`git rev-parse --abbrev-ref HEAD`                  # Git Branch
  SLOGAN="www.ipfire.org"                                               # Software slogan
  CONFIG_ROOT=/var/ipfire                                               # Configuration rootdir
@@@ -383,7 -383,6 +383,7 @@@ buildipfire() 
    export LOGFILE
    ipfiremake configroot
    ipfiremake backup
 +  ipfiremake pkg-config
    ipfiremake libusb
    ipfiremake libusbx
    ipfiremake libpcap
    ipfiremake multipath-tools
    ipfiremake freetype
    ipfiremake grub
 +  ipfiremake libmnl
 +  ipfiremake iptables
  
    case "${TARGET_ARCH}" in
        i586)
                # x86-pae (Native and new XEN) kernel build
                ipfiremake linux                        KCFG="-pae"
+               ipfiremake backports                    KCFG="-pae"
                ipfiremake cryptodev                    KCFG="-pae"
                ipfiremake e1000e                       KCFG="-pae"
                ipfiremake igb                          KCFG="-pae"
                ipfiremake ixgbe                        KCFG="-pae"
 +              ipfiremake xtables-addons               KCFG="-pae"
                ipfiremake linux-initrd                 KCFG="-pae"
  
                # x86 kernel build
                ipfiremake linux                        KCFG=""
+               ipfiremake backports                    KCFG=""
                ipfiremake cryptodev                    KCFG=""
                ipfiremake e1000e                       KCFG=""
                ipfiremake igb                          KCFG=""
                ipfiremake ixgbe                        KCFG=""
 +              ipfiremake xtables-addons               KCFG=""
                ipfiremake linux-initrd                 KCFG=""
                ;;
  
        armv5tel)
                # arm-rpi (Raspberry Pi) kernel build
                ipfiremake linux                        KCFG="-rpi"
+               ipfiremake backports                    KCFG="-rpi"
                ipfiremake cryptodev                    KCFG="-rpi"
 +              ipfiremake xtables-addons               KCFG="-rpi"
                ipfiremake linux-initrd                 KCFG="-rpi"
  
                # arm multi platform (Panda, Wandboard ...) kernel build
                ipfiremake linux                        KCFG="-multi"
+               ipfiremake backports                    KCFG="-multi"
                ipfiremake cryptodev                    KCFG="-multi"
                ipfiremake e1000e                       KCFG="-multi"
                ipfiremake igb                          KCFG="-multi"
                ipfiremake ixgbe                        KCFG="-multi"
 +              ipfiremake xtables-addons               KCFG="-multi"
                ipfiremake linux-initrd                 KCFG="-multi"
  
                # arm-kirkwood (Dreamplug, ICY-Box ...) kernel build
                ipfiremake linux                        KCFG="-kirkwood"
+               ipfiremake backports                    KCFG="-kirkwood"
                ipfiremake cryptodev                    KCFG="-kirkwood"
                ipfiremake e1000e                       KCFG="-kirkwood"
                ipfiremake igb                          KCFG="-kirkwood"
                ipfiremake ixgbe                        KCFG="-kirkwood"
 +              ipfiremake xtables-addons               KCFG="-kirkwood"
                ipfiremake linux-initrd                 KCFG="-kirkwood"
                ;;
    esac
 -  ipfiremake pkg-config
 +  ipfiremake xtables-addons                   USPACE="1"
    ipfiremake openssl
    ipfiremake openssl-compat
    ipfiremake libgpg-error
    ipfiremake mtools
    ipfiremake initscripts
    ipfiremake whatmask
 -  ipfiremake libmnl
 -  ipfiremake iptables
    ipfiremake conntrack-tools
    ipfiremake libupnp
    ipfiremake ipaddr
    ipfiremake squid-accounting
    ipfiremake pigz
    ipfiremake tmux
 +  ipfiremake perl-Text-CSV_XS
+   ipfiremake swconfig
  }
  
  buildinstaller() {