Merge branch 'next-geoip' into core-90-geoip

config/cfgroot/general-functions.pl

@@ -17,6 +17,7 @@ package General;
 use strict;
 use Socket;
 use IO::Socket;
+use Locale::Country;
 use Net::SSLeay;
 use Net::IPv4Addr qw(:all);
 $|=1; # line buffering

config/cfgroot/geoip-functions.pl

@@ -0,0 +1,90 @@
+#!/usr/bin/perl -w
+############################################################################
+#                                                                          #
+# This file is part of the IPFire Firewall.                                #
+#                                                                          #
+# IPFire is free software; you can redistribute it and/or modify           #
+# it under the terms of the GNU General Public License as published by     #
+# the Free Software Foundation; either version 2 of the License, or        #
+# (at your option) any later version.                                      #
+#                                                                          #
+# IPFire is distributed in the hope that it will be useful,                #
+# but WITHOUT ANY WARRANTY; without even the implied warranty of           #
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the            #
+# GNU General Public License for more details.                             #
+#                                                                          #
+# You should have received a copy of the GNU General Public License        #
+# along with IPFire; if not, write to the Free Software                    #
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307 USA #
+#                                                                          #
+# Copyright (C) 2015 IPFire Team <info@ipfire.org>.                        #
+#                                                                          #
+############################################################################
+
+package GeoIP;
+
+use Locale::Country;
+
+# Function to get the flag icon for a specified country code.
+sub get_flag_icon($) {
+	my ($input) = @_;
+
+	# Webserver's root dir. (Required for generating full path)
+	my $webroot = "/srv/web/ipfire/html";
+
+	# Directory which contains the flag icons.
+	my $flagdir = "/images/flags";
+
+	# File extension of the country flags.
+	my $ext = "png";
+
+	# Remove whitespaces.
+	chomp($input);
+
+	# Convert given country code to lower case.
+	my $ccode = lc($input);
+
+	# Generate filename, based on the contry code in lower case
+	# and the defined file extension.
+	my $file = join('.', $ccode,$ext);
+
+	# Generate path inside webroot to the previously generated file.
+	my $flag_icon = join('/', $flagdir,$file);
+
+	# Generate absolute path to the icon file.
+	my $absolute_path = join('', $webroot,$flag_icon);
+ 
+	# Check if the a icon file exists.
+	if (-e "$absolute_path") {
+		# Return content of flag_icon.
+		return $flag_icon;
+	}
+}
+
+# Function to get the county name by a given country code.
+sub get_full_country_name($) {
+	my ($input) = @_;
+	my $name;
+
+	# Remove whitespaces.
+	chomp($input);
+
+	# Convert input into lower case format.
+	my $code = lc($input);
+
+	# Handle country codes which are not in the list.
+	if ($code eq "a1") { $name = "Anonymous Proxy" }
+	elsif ($code eq "a2") { $name = "Satellite Provider" }
+	elsif ($code eq "o1") { $name = "Other Country" }
+	elsif ($code eq "ap") { $name = "Asia/Pacific Region" }
+	elsif ($code eq "eu") { $name = "Europe" }
+	elsif ($code eq "yu") { $name = "Yugoslavia" }
+	else {
+		# Use perl built-in module to get the country code.
+		$name = &Locale::Country::code2country($code);
+	}
+
+	return $name;
+}
+
+1;

config/cfgroot/header.pl

@@ -263,7 +263,7 @@ sub getcgihash {
 	return if ($ENV{'REQUEST_METHOD'} ne 'POST');
 	if (!$params->{'wantfile'}) {
 		$CGI::DISABLE_UPLOADS = 1;
-		$CGI::POST_MAX        = 512 * 1024;
+		$CGI::POST_MAX        = 1024 * 1024;
 	} else {
 		$CGI::POST_MAX = 10 * 1024 * 1024;
 	}

config/cron/crontab

@@ -57,3 +57,6 @@ HOME=/
 # Re-read firewall rules every Sunday in March, October and November to take care of daylight saving time
 00 3 * 3 0          /usr/local/bin/timezone-transition /usr/local/bin/firewallctrl
 00 2 * 10-11 0      /usr/local/bin/timezone-transition /usr/local/bin/firewallctrl
+
+# Update GeoIP database once a month.
+%monthly,random * * * [ -f "/var/ipfire/red/active" ] && /usr/local/bin/xt_geoip_update >/dev/null 2>&1

config/firewall/firewall-lib.pl

@@ -27,6 +27,7 @@ package fwlib;
 my %customnetwork=();
 my %customhost=();
 my %customgrp=();
+my %customgeoipgrp=();
 my %customservice=();
 my %customservicegrp=();
 my %ccdnet=();
@@ -42,6 +43,7 @@ require '/var/ipfire/general-functions.pl';
 my $confignet		= "${General::swroot}/fwhosts/customnetworks";
 my $confighost		= "${General::swroot}/fwhosts/customhosts";
 my $configgrp 		= "${General::swroot}/fwhosts/customgroups";
+my $configgeoipgrp 	= "${General::swroot}/fwhosts/customgeoipgrp";
 my $configsrv 		= "${General::swroot}/fwhosts/customservices";
 my $configsrvgrp	= "${General::swroot}/fwhosts/customservicegrp";
 my $configccdnet 	= "${General::swroot}/ovpn/ccd.conf";
@@ -59,6 +61,7 @@ my $netsettings		= "${General::swroot}/ethernet/settings";
 &General::readhasharray("$confignet", \%customnetwork);
 &General::readhasharray("$confighost", \%customhost);
 &General::readhasharray("$configgrp", \%customgrp);
+&General::readhasharray("$configgeoipgrp", \%customgeoipgrp);
 &General::readhasharray("$configccdnet", \%ccdnet);
 &General::readhasharray("$configccdhost", \%ccdhost);
 &General::readhasharray("$configipsec", \%ipsecconf);
@@ -295,6 +298,17 @@ sub get_addresses
 			if ($customgrp{$grp}[0] eq $value) {
 				my @address = &get_address($customgrp{$grp}[3], $customgrp{$grp}[2], $type);
 
+				if (@address) {
+					push(@addresses, @address);
+				}
+			}
+		}
+	}elsif ($addr_type ~~ ["cust_geoip_src", "cust_geoip_tgt"] && $value =~ "group:") {
+		$value=substr($value,6);
+		foreach my $grp (sort {$a <=> $b} keys %customgeoipgrp) {
+			if ($customgeoipgrp{$grp}[0] eq $value) {
+				my @address = &get_address($addr_type, $customgeoipgrp{$grp}[2], $type);
+
 				if (@address) {
 					push(@addresses, @address);
 				}
@@ -414,6 +428,20 @@ sub get_address
 			}
 		}
 
+	# Handle rule options with GeoIP as source.
+	} elsif ($key eq "cust_geoip_src") {
+		# Get external interface.
+		my $external_interface = &get_external_interface();
+
+		push(@ret, ["-m geoip --src-cc $value", "$external_interface"]);
+
+	# Handle rule options with GeoIP as target.
+	} elsif ($key eq "cust_geoip_tgt") {
+		# Get external interface.
+		my $external_interface = &get_external_interface();
+
+		push(@ret, ["-m geoip --dst-cc $value", "$external_interface"]);
+
 	# If nothing was selected, we assume "any".
 	} else {
 		push(@ret, ["0/0", ""]);
@@ -552,4 +580,37 @@ sub get_internal_firewall_ip_address
 	return 0;
 }
 
+sub get_geoip_locations() {
+	# Path to the directory which contains the binary geoip
+	# databases.
+	my $directory="/usr/share/xt_geoip/LE";
+
+	# Array to store the final country list.
+	my @country_codes = ();
+
+	# Open location and do a directory listing.
+	opendir(DIR, "$directory");
+	my @locations = readdir(DIR);
+	closedir(DIR);
+
+	# Loop through the directory listing, and cut of the file extensions.
+	foreach my $location (sort @locations) {
+		# skip . and ..
+		next if($location =~ /^\.$/);
+		next if($location =~ /^\.\.$/);
+
+		# Remove whitespaces.
+		chomp($location);
+
+		# Cut-off file extension.
+		my ($country_code, $extension) = split(/\./, $location);
+
+		# Add country code to array.
+		push(@country_codes, $country_code);
+	}
+
+	# Return final array.
+	return @country_codes;
+}
+
 return 1;

config/firewall/geoipblock

@@ -0,0 +1 @@
+GEOIPBLOCK_ENABLED=off

config/firewall/rules.pl

@@ -60,6 +60,7 @@ my $configfwdfw		= "${General::swroot}/firewall/config";
 my $configinput	    = "${General::swroot}/firewall/input";
 my $configoutgoing  = "${General::swroot}/firewall/outgoing";
 my $p2pfile			= "${General::swroot}/firewall/p2protocols";
+my $geoipfile		= "${General::swroot}/firewall/geoipblock";
 my $configgrp		= "${General::swroot}/fwhosts/customgroups";
 my $netsettings		= "${General::swroot}/ethernet/settings";
 
@@ -102,6 +103,9 @@ sub main {
 	# Load P2P block rules.
 	&p2pblock();
 
+	# Load GeoIP block rules.
+	&geoipblock();
+
 	# Reload firewall policy.
 	run("/usr/sbin/firewall-policy");
 
@@ -365,13 +369,17 @@ sub buildrules {
 					my @source_options = ();
 					if ($source =~ /mac/) {
 						push(@source_options, $source);
-					} elsif ($source) {
+					} elsif ($source =~ /-m geoip/) {
+						push(@source_options, $source);
+					} elsif($source) {
 						push(@source_options, ("-s", $source));
 					}
 
 					# Prepare destination options.
 					my @destination_options = ();
-					if ($destination) {
+					if ($destination =~ /-m geoip/) {
+						push(@destination_options,  $destination);
+					} elsif ($destination) {
 						push(@destination_options, ("-d", $destination));
 					}
 
@@ -570,6 +578,43 @@ sub p2pblock {
 	}
 }
 
+sub geoipblock {
+	my %geoipsettings = ();
+
+	# Check if the geoip settings file exists
+	if (-e "$geoipfile") {
+		# Read settings file
+		&General::readhash("$geoipfile", \%geoipsettings);
+	} else {
+		# Drop active rules.
+		run("$IPTABLES -F GEOIPBLOCK");
+
+		# Exit submodule, go on processing the remaining script
+		return;
+	}
+
+	# If geoip blocking is not enabled, we are finished here.
+	if ($geoipsettings{'GEOIPBLOCK_ENABLED'} ne "on") {
+		# Exit submodule. Process remaining script.
+		return;
+	}
+
+	# Get supported locations.
+	my @locations = &fwlib::get_geoip_locations();
+
+	# Flush iptables chain.
+	run("$IPTABLES -F GEOIPBLOCK");
+
+	# Loop through all supported geoip locations and
+	# create iptables rules, if blocking this country
+	# is enabled.
+	foreach my $location (@locations) {
+		if($geoipsettings{$location} eq "on") {
+			run("$IPTABLES -A GEOIPBLOCK -m geoip --src-cc $location -j DROP");
+		}
+	}
+}
+
 sub get_protocols {
 	my $hash = shift;
 	my $key = shift;

config/menu/50-firewall.menu

@@ -22,6 +22,12 @@
 				'title' => "P2P-Block",
 				'enabled' => 1,
 				};
+    $subfirewall->{'50.geoipblock'} = {
+				'caption' => $Lang::tr{'geoipblock'},
+				'uri' => '/cgi-bin/geoip-block.cgi',
+				'title' => $Lang::tr{'geoipblock'},
+				'enabled' => 1,
+				};
     $subfirewall->{'60.wireless'} = {
 				'caption' => $Lang::tr{'blue access'},
 				'uri' => '/cgi-bin/wireless.cgi',

config/rootfiles/common/Locale-Country

@@ -1,13 +1,50 @@
-#usr/lib/perl5/site_perl/5.12.3/Locale
-usr/lib/perl5/site_perl/5.12.3/Locale/Constants.pm
-usr/lib/perl5/site_perl/5.12.3/Locale/Constants.pod
-usr/lib/perl5/site_perl/5.12.3/Locale/Country.pm
-usr/lib/perl5/site_perl/5.12.3/Locale/Country.pod
-usr/lib/perl5/site_perl/5.12.3/Locale/Currency.pm
-usr/lib/perl5/site_perl/5.12.3/Locale/Currency.pod
-usr/lib/perl5/site_perl/5.12.3/Locale/Language.pm
-usr/lib/perl5/site_perl/5.12.3/Locale/Language.pod
-usr/lib/perl5/site_perl/5.12.3/Locale/Script.pm
-usr/lib/perl5/site_perl/5.12.3/Locale/Script.pod
-#usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/auto/Locale-Codes
-#usr/lib/perl5/site_perl/5.12.3/MACHINE-linux-thread-multi/auto/Locale-Codes/.packlist
+#usr/lib/perl5/5.12.3/Locale/Codes
+usr/lib/perl5/5.12.3/Locale/Codes.pm
+usr/lib/perl5/5.12.3/Locale/Codes.pod
+usr/lib/perl5/5.12.3/Locale/Codes/API.pod
+usr/lib/perl5/5.12.3/Locale/Codes/Changes.pod
+usr/lib/perl5/5.12.3/Locale/Codes/Constants.pm
+usr/lib/perl5/5.12.3/Locale/Codes/Constants.pod
+usr/lib/perl5/5.12.3/Locale/Codes/Country.pm
+usr/lib/perl5/5.12.3/Locale/Codes/Country.pod
+usr/lib/perl5/5.12.3/Locale/Codes/Country_Codes.pm
+usr/lib/perl5/5.12.3/Locale/Codes/Country_Retired.pm
+usr/lib/perl5/5.12.3/Locale/Codes/Currency.pm
+usr/lib/perl5/5.12.3/Locale/Codes/Currency.pod
+usr/lib/perl5/5.12.3/Locale/Codes/Currency_Codes.pm
+usr/lib/perl5/5.12.3/Locale/Codes/Currency_Retired.pm
+usr/lib/perl5/5.12.3/Locale/Codes/LangExt.pm
+usr/lib/perl5/5.12.3/Locale/Codes/LangExt.pod
+usr/lib/perl5/5.12.3/Locale/Codes/LangExt_Codes.pm
+usr/lib/perl5/5.12.3/Locale/Codes/LangExt_Retired.pm
+usr/lib/perl5/5.12.3/Locale/Codes/LangFam.pm
+usr/lib/perl5/5.12.3/Locale/Codes/LangFam.pod
+usr/lib/perl5/5.12.3/Locale/Codes/LangFam_Codes.pm
+usr/lib/perl5/5.12.3/Locale/Codes/LangFam_Retired.pm
+usr/lib/perl5/5.12.3/Locale/Codes/LangVar.pm
+usr/lib/perl5/5.12.3/Locale/Codes/LangVar.pod
+usr/lib/perl5/5.12.3/Locale/Codes/LangVar_Codes.pm
+usr/lib/perl5/5.12.3/Locale/Codes/LangVar_Retired.pm
+usr/lib/perl5/5.12.3/Locale/Codes/Language.pm
+usr/lib/perl5/5.12.3/Locale/Codes/Language.pod
+usr/lib/perl5/5.12.3/Locale/Codes/Language_Codes.pm
+usr/lib/perl5/5.12.3/Locale/Codes/Language_Retired.pm
+usr/lib/perl5/5.12.3/Locale/Codes/Script.pm
+usr/lib/perl5/5.12.3/Locale/Codes/Script.pod
+usr/lib/perl5/5.12.3/Locale/Codes/Script_Codes.pm
+usr/lib/perl5/5.12.3/Locale/Codes/Script_Retired.pm
+#usr/lib/perl5/5.12.3/i586-linux-thread-multi/auto/Locale
+#usr/lib/perl5/5.12.3/i586-linux-thread-multi/auto/Locale/Codes
+#usr/lib/perl5/5.12.3/i586-linux-thread-multi/auto/Locale/Codes/.packlist
+#usr/share/man/man3/Locale::Codes.3
+#usr/share/man/man3/Locale::Codes::API.3
+#usr/share/man/man3/Locale::Codes::Changes.3
+#usr/share/man/man3/Locale::Codes::Constants.3
+#usr/share/man/man3/Locale::Codes::Country.3
+#usr/share/man/man3/Locale::Codes::Currency.3
+#usr/share/man/man3/Locale::Codes::LangExt.3
+#usr/share/man/man3/Locale::Codes::LangFam.3
+#usr/share/man/man3/Locale::Codes::LangFam_Retired.3
+#usr/share/man/man3/Locale::Codes::LangVar.3
+#usr/share/man/man3/Locale::Codes::Language.3
+#usr/share/man/man3/Locale::Codes::Script.3

config/rootfiles/common/perl-Text-CSV_XS

@@ -0,0 +1,8 @@
+#usr/lib/perl5/site_perl/5.12.3/i586-linux-thread-multi/Text
+usr/lib/perl5/site_perl/5.12.3/i586-linux-thread-multi/Text/CSV_XS.pm
+#usr/lib/perl5/site_perl/5.12.3/i586-linux-thread-multi/auto/Text
+#usr/lib/perl5/site_perl/5.12.3/i586-linux-thread-multi/auto/Text/CSV_XS
+#usr/lib/perl5/site_perl/5.12.3/i586-linux-thread-multi/auto/Text/CSV_XS/.packlist
+#usr/lib/perl5/site_perl/5.12.3/i586-linux-thread-multi/auto/Text/CSV_XS/CSV_XS.bs
+usr/lib/perl5/site_perl/5.12.3/i586-linux-thread-multi/auto/Text/CSV_XS/CSV_XS.so
+#usr/share/man/man3/Text::CSV_XS.3

config/rootfiles/common/stage2

@@ -101,6 +101,8 @@ usr/local/bin/timecheck
 usr/local/bin/timezone-transition
 usr/local/bin/update-bootloader
 usr/local/bin/update-lang-cache
+usr/local/bin/xt_geoip_build
+usr/local/bin/xt_geoip_update
 #usr/local/include
 #usr/local/lib
 #usr/local/lib/sse2
@@ -120,6 +122,7 @@ usr/local/bin/update-lang-cache
 #usr/local/share/man/man8
 #usr/local/share/misc
 #usr/local/share/terminfo
+#usr/local/share/xt_geoip
 #usr/local/share/zoneinfo
 #usr/local/src
 #usr/sbin
@@ -142,6 +145,7 @@ usr/share/doc/licenses/GPLv3
 #usr/share/man/man8
 #usr/share/misc
 #usr/share/terminfo
+#usr/share/xt_geoip
 #usr/share/zoneinfo
 #var
 #var/cache

config/rootfiles/common/xtables-addons

@@ -0,0 +1,7 @@
+lib/xtables/libxt_geoip.so
+#usr/libexec/xtables-addons
+usr/libexec/xtables-addons/xt_geoip_build
+usr/libexec/xtables-addons/xt_geoip_dl
+#usr/share/man/man1/xt_geoip_build.1
+#usr/share/man/man1/xt_geoip_dl.1
+#usr/share/man/man8/xtables-addons.8

config/xtables-addons/mconfig

@@ -0,0 +1,24 @@
+# -*- Makefile -*-
+#
+build_ACCOUNT=n
+build_CHAOS=n
+build_DELUDE=n
+build_DHCPMAC=n
+build_DNETMAP=n
+build_ECHO=n
+build_IPMARK=n
+build_LOGMARK=n
+build_SYSRQ=n
+build_TARPIT=n
+build_condition=n
+build_fuzzy=n
+build_geoip=m
+build_gradm=n
+build_iface=n
+build_ipp2p=n
+build_ipv4options=n
+build_length2=n
+build_lscan=n
+build_pknock=n
+build_psd=n
+build_quota2=n