Add support for generating GeoIP-based firewall rules.
This commit extends rules.pl and firewall-lib.pl so that they generate the correct iptables commands for inserting GeoIP-based firewall rules into the kernel.
This commit is contained in:
committed by
Stefan Schantl
parent
6897c329b5
commit
b9ca2fa60f
28
config/firewall/firewall-lib.pl
Executable file → Normal file
28
config/firewall/firewall-lib.pl
Executable file → Normal file
@@ -27,6 +27,7 @@ package fwlib;
|
||||
my %customnetwork=();
|
||||
my %customhost=();
|
||||
my %customgrp=();
|
||||
my %customgeoipgrp=();
|
||||
my %customservice=();
|
||||
my %customservicegrp=();
|
||||
my %ccdnet=();
|
||||
@@ -42,6 +43,7 @@ require '/var/ipfire/general-functions.pl';
|
||||
my $confignet = "${General::swroot}/fwhosts/customnetworks";
|
||||
my $confighost = "${General::swroot}/fwhosts/customhosts";
|
||||
my $configgrp = "${General::swroot}/fwhosts/customgroups";
|
||||
my $configgeoipgrp = "${General::swroot}/fwhosts/customgeoipgrp";
|
||||
my $configsrv = "${General::swroot}/fwhosts/customservices";
|
||||
my $configsrvgrp = "${General::swroot}/fwhosts/customservicegrp";
|
||||
my $configccdnet = "${General::swroot}/ovpn/ccd.conf";
|
||||
@@ -59,6 +61,7 @@ my $netsettings = "${General::swroot}/ethernet/settings";
|
||||
&General::readhasharray("$confignet", \%customnetwork);
|
||||
&General::readhasharray("$confighost", \%customhost);
|
||||
&General::readhasharray("$configgrp", \%customgrp);
|
||||
&General::readhasharray("$configgeoipgrp", \%customgeoipgrp);
|
||||
&General::readhasharray("$configccdnet", \%ccdnet);
|
||||
&General::readhasharray("$configccdhost", \%ccdhost);
|
||||
&General::readhasharray("$configipsec", \%ipsecconf);
|
||||
@@ -295,6 +298,17 @@ sub get_addresses
|
||||
if ($customgrp{$grp}[0] eq $value) {
|
||||
my @address = &get_address($customgrp{$grp}[3], $customgrp{$grp}[2], $type);
|
||||
|
||||
if (@address) {
|
||||
push(@addresses, @address);
|
||||
}
|
||||
}
|
||||
}
|
||||
}elsif ($addr_type ~~ ["cust_geoip_src", "cust_geoip_tgt"] && $value =~ "group:") {
|
||||
$value=substr($value,6);
|
||||
foreach my $grp (sort {$a <=> $b} keys %customgeoipgrp) {
|
||||
if ($customgeoipgrp{$grp}[0] eq $value) {
|
||||
my @address = &get_address($addr_type, $customgeoipgrp{$grp}[2], $type);
|
||||
|
||||
if (@address) {
|
||||
push(@addresses, @address);
|
||||
}
|
||||
@@ -414,6 +428,20 @@ sub get_address
|
||||
}
|
||||
}
|
||||
|
||||
# Handle rule options with GeoIP as source.
|
||||
} elsif ($key eq "cust_geoip_src") {
|
||||
# Get external interface.
|
||||
my $external_interface = &get_external_interface();
|
||||
|
||||
push(@ret, ["-m geoip --src-cc $value", "$external_interface"]);
|
||||
|
||||
# Handle rule options with GeoIP as target.
|
||||
} elsif ($key eq "cust_geoip_tgt") {
|
||||
# Get external interface.
|
||||
my $external_interface = &get_external_interface();
|
||||
|
||||
push(@ret, ["-m geoip --dst-cc $value", "$external_interface"]);
|
||||
|
||||
# If nothing was selected, we assume "any".
|
||||
} else {
|
||||
push(@ret, ["0/0", ""]);
|
||||
|
||||
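Review bot: The country code in `$value` is interpolated unvalidated into the match string at `push(@ret, ["-m geoip --src-cc $value", "$external_interface"]);` and its `--dst-cc` twin, and because that string has to be split into separate arguments before it reaches iptables (the rules.pl hunk below pushes it as one element of the option list), anything other than a plain country list in the GeoIP group file would land as extra options on the iptables command line. I would whitelist the value before interpolating in both branches, e.g. `push(@ret, ["-m geoip --src-cc $value", "$external_interface"]) if ($value =~ /^[A-Z]{2}(?:,[A-Z]{2})*$/);`, or validate `$customgeoipgrp{$grp}[2]` once in get_addresses and log the bad entry; where the string is finally split and executed is outside this hunk, so confirm the behaviour of an empty `@ret` there. The new `$addr_type ~~ ["cust_geoip_src", "cust_geoip_tgt"]` in get_addresses relies on smartmatch, which is experimental and warns on recent Perls; `grep { $addr_type eq $_ } qw(cust_geoip_src cust_geoip_tgt)` says the same thing without it. Both get_addresses and get_address begin and end outside these hunks.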
@@ -368,13 +368,17 @@ sub buildrules {
|
||||
my @source_options = ();
|
||||
if ($source =~ /mac/) {
|
||||
push(@source_options, $source);
|
||||
} elsif ($source) {
|
||||
} elsif ($source =~ /-m geoip/) {
|
||||
push(@source_options, $source);
|
||||
} elsif($source) {
|
||||
push(@source_options, ("-s", $source));
|
||||
}
|
||||
|
||||
# Prepare destination options.
|
||||
my @destination_options = ();
|
||||
if ($destination) {
|
||||
if ($destination =~ /-m geoip/) {
|
||||
push(@destination_options, $destination);
|
||||
} elsif ($destination) {
|
||||
push(@destination_options, ("-d", $destination));
|
||||
}
|
||||
|
||||
|
||||