From b9ca2fa60f1ac0127d0bbddb016d0acb578e660d Mon Sep 17 00:00:00 2001
From: Alexander Marx
Date: Tue, 17 Feb 2015 17:01:42 +0100
Subject: [PATCH] Add support for generating GeoIP-based firewall rules.
This commit adds support to the rules.pl and firewall-lib.pl to generate correct iptables commands for inserting GeoIP-based firewall rules into the kernel.
---
 config/firewall/firewall-lib.pl | 28 ++++++++++++++++++++++++++++
 config/firewall/rules.pl | 8 ++++++--
 2 files changed, 34 insertions(+), 2 deletions(-)
 mode change 100755 => 100644 config/firewall/firewall-lib.pl
diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl
old mode 100755
new mode 100644
index f73d84f296..b389fac3c3
--- a/config/firewall/firewall-lib.pl
+++ b/config/firewall/firewall-lib.pl
@@ -27,6 +27,7 @@ package fwlib;
 my %customnetwork=();
 my %customhost=();
 my %customgrp=();
+my %customgeoipgrp=();
 my %customservice=();
 my %customservicegrp=();
 my %ccdnet=();
@@ -42,6 +43,7 @@ require '/var/ipfire/general-functions.pl';
 my $confignet = "${General::swroot}/fwhosts/customnetworks";
 my $confighost = "${General::swroot}/fwhosts/customhosts";
 my $configgrp = "${General::swroot}/fwhosts/customgroups";
+my $configgeoipgrp = "${General::swroot}/fwhosts/customgeoipgrp";
 my $configsrv = "${General::swroot}/fwhosts/customservices";
 my $configsrvgrp = "${General::swroot}/fwhosts/customservicegrp";
 my $configccdnet = "${General::swroot}/ovpn/ccd.conf";
@@ -59,6 +61,7 @@ my $netsettings = "${General::swroot}/ethernet/settings";
 &General::readhasharray("$confignet", \%customnetwork);
 &General::readhasharray("$confighost", \%customhost);
 &General::readhasharray("$configgrp", \%customgrp);
+&General::readhasharray("$configgeoipgrp", \%customgeoipgrp);
 &General::readhasharray("$configccdnet", \%ccdnet);
 &General::readhasharray("$configccdhost", \%ccdhost);
 &General::readhasharray("$configipsec", \%ipsecconf);
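Review bot: The file header in front of this hunk also flips firewall-lib.pl from mode 100755 to 100644 (`old mode 100755` / `new mode 100644`), which has nothing to do with the `%customgeoipgrp` declaration, config path and `readhasharray` call the three hunks add, and the commit message does not mention it. If dropping the executable bit on the library is intentional, state it in the description; otherwise restore the mode so the functional change stays reviewable on its own. The remaining additions in this file mirror the existing custom-group handling line for line and raise nothing.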
@@ -295,6 +298,17 @@ sub get_addresses
 if ($customgrp{$grp}[0] eq $value) {
 my @address = &get_address($customgrp{$grp}[3], $customgrp{$grp}[2], $type);
+ if (@address) {
+ push(@addresses, @address);
+ }
+ }
+ }
+ }elsif ($addr_type ~~ ["cust_geoip_src", "cust_geoip_tgt"] && $value =~ "group:") {
+ $value=substr($value,6);
+ foreach my $grp (sort {$a <=> $b} keys %customgeoipgrp) {
+ if ($customgeoipgrp{$grp}[0] eq $value) {
+ my @address = &get_address($addr_type, $customgeoipgrp{$grp}[2], $type);
+ if (@address) {
 push(@addresses, @address);
 }
@@ -414,6 +428,20 @@ sub get_address
 }
 }
+ # Handle rule options with GeoIP as source.
+ } elsif ($key eq "cust_geoip_src") {
+ # Get external interface.
+ my $external_interface = &get_external_interface();
+
+ push(@ret, ["-m geoip --src-cc $value", "$external_interface"]);
+
+ # Handle rule options with GeoIP as target.
+ } elsif ($key eq "cust_geoip_tgt") {
+ # Get external interface.
+ my $external_interface = &get_external_interface();
+
+ push(@ret, ["-m geoip --dst-cc $value", "$external_interface"]);
+
 # If nothing was selected, we assume "any".
 } else {
 push(@ret, ["0/0", ""]);
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index cd2f3a6359..a12ab56670 100644
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -368,13 +368,17 @@ sub buildrules {
 my @source_options = ();
 if ($source =~ /mac/) {
 push(@source_options, $source);
- } elsif ($source) {
+ } elsif ($source =~ /-m geoip/) {
+ push(@source_options, $source);
+ } elsif($source) {
 push(@source_options, ("-s", $source));
 }
 # Prepare destination options.
 my @destination_options = ();
- if ($destination) {
+ if ($destination =~ /-m geoip/) {
+ push(@destination_options, $destination);
+ } elsif ($destination) {
 push(@destination_options, ("-d", $destination));
 }
-- 
2.39.2
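Review bot: The new `elsif` branch tests `$value =~ "group:"`, an unanchored substring match, while the `substr($value,6)` on the next line assumes the prefix sits at offset 0, so a value that merely contains `group:` further in gets mis-sliced and then never matches a group name; the same condition also relies on smartmatch `~~`, which is experimental and deprecated in Perl. Replace it with `} elsif (($addr_type eq "cust_geoip_src" || $addr_type eq "cust_geoip_tgt") && $value =~ /^group:/) {` so the branch only fires on a real `group:` prefix and does not depend on smartmatch. Note that the resolved member `$customgeoipgrp{$grp}[2]` is passed to get_address without any check, so whatever validation the country code gets has to live there or before this call. The enclosing `sub get_addresses` starts and ends outside this hunk.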
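Review bot: In both new branches `$value` is interpolated straight into the match text, `"-m geoip --src-cc $value"` and `"-m geoip --dst-cc $value"`, with no check that it is a country code, and in this file the value originates from the geoip group file loaded with readhasharray, so a malformed or hostile config entry becomes part of the rule text later handed to iptables. Whether that text is passed through a shell is not visible from this hunk, but a whitelist of two-letter codes is cheap and removes the question; the two branches are also identical apart from `--src-cc`/`--dst-cc` and can be folded into one. What the caller does when no address comes back is outside this hunk, so whether a rejected code should drop the rule or abort the run needs checking against buildrules before relying on the skip below. `sub get_address` begins and ends outside the hunk.

```perl
	# Handle rule options with GeoIP as source or target.
	} elsif ($key eq "cust_geoip_src" || $key eq "cust_geoip_tgt") {
		# The country code comes from the fwhosts geoip config; only accept a
		# comma-separated list of two-letter codes before it is interpolated
		# into the iptables match text.
		if ($value !~ /^[A-Za-z]{2}(?:,[A-Za-z]{2})*$/) {
			warn "Ignoring invalid GeoIP country code '$value'\n";
		} else {
			my $direction = ($key eq "cust_geoip_src") ? "--src-cc" : "--dst-cc";
			my $external_interface = &get_external_interface();
			push(@ret, ["-m geoip $direction $value", "$external_interface"]);
		}

	# … unchanged: "any" fallback branch …
```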
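Review bot: The GeoIP detection `$source =~ /-m geoip/` (and `$destination =~ /-m geoip/` below it) is an unanchored substring match on the address text, so any address string that happens to contain `-m geoip` would be emitted as a raw option instead of after `-s`/`-d`; anchor it to what get_address actually builds, `} elsif ($source =~ /^-m geoip /) {` and `if ($destination =~ /^-m geoip /) {`. The match text is pushed as a single list element containing spaces, which only works if the option arrays are later joined into one command string rather than passed as separate argv entries; how buildrules runs iptables is not visible in this hunk, so that assumption is worth confirming. Minor style: `} elsif($source) {` drops the space that the neighbouring `} elsif ($destination) {` keeps. `sub buildrules` continues past the end of the hunk.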