firewall: Filter only on RED and exclude any private address space

Since libloc is built as a tree we cannot simply exclude any address
space in the middle of it. Therefore we create some firewall rules
which simply avoid checking non-globally routable address space.

Fixes: #12499
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

config/firewall/rules.pl

@@ -48,6 +48,13 @@ my @PROTOCOLS_WITH_PORTS = ("tcp", "udp");
 
 my @VALID_TARGETS = ("ACCEPT", "DROP", "REJECT");
 
+my @PRIVATE_NETWORKS = (
+	"10.0.0.0/8",
+	"172.16.0.0/12",
+	"192.168.0.0/16",
+	"100.64.0.0/10",
+);
+
 my %fwdfwsettings=();
 my %fwoptions = ();
 my %defaultNetworks=();
@@ -621,6 +628,16 @@ sub locationblock {
 		return;
 	}
 
+	# Only check the RED interface
+	if ($defaultNetworks{'RED_DEV'} ne "") {
+		run("$IPTABLES -A LOCATIONBLOCK ! -i $defaultNetworks{'RED_DEV'} -j RETURN");
+	}
+
+	# Do not check any private address space
+	foreach my $network (@PRIVATE_NETWORKS) {
+		run("$IPTABLES -A LOCATIONBLOCK -s $network -j RETURN");
+	}
+
 	# Loop through all supported locations and
 	# create iptables rules, if blocking for this country
 	# is enabled.

config/rootfiles/core/151/filelists/files

@@ -10,6 +10,7 @@ srv/web/ipfire/cgi-bin/ipinfo.cgi
 srv/web/ipfire/cgi-bin/pakfire.cgi
 srv/web/ipfire/cgi-bin/vpnmain.cgi
 usr/bin/probenic.sh
+usr/lib/firewall/rules.pl
 usr/local/bin/ipsecctrl
 var/ipfire/general-functions.pl
 var/ipfire/langs