From 17e25932f075fa87dd1a934d8fb08ae812bfa9a8 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Tue, 15 May 2012 11:14:28 -0700
Subject: [PATCH] Fixes for GeoIP

- Correct check for valid ACTION
- Add to Shorewall6/actions.std
- Only use geoip once per invocation

Signed-off-by: Tom Eastep
---
 Shorewall/action.GeoIP | 24 ++++++++++++++++++------
 Shorewall6/actions.std |  1 +
 2 files changed, 19 insertions(+), 6 deletions(-)

diff --git a/Shorewall/action.GeoIP b/Shorewall/action.GeoIP
index f31fe9d2c..2b3ec8d08 100644
--- a/Shorewall/action.GeoIP
+++ b/Shorewall/action.GeoIP
@@ -38,7 +38,8 @@ DEFAULTS -,-,src,-
 
 BEGIN PERL;
 
-use Shorewall::Chains;
+use strict;
+use Shorewall::Chains qw(:DEFAULT :internal);
 
 my ( $countries, $action, $srcdst, $audit ) = get_action_params( 4 );
 
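Review bot: `use strict;` is added to the BEGIN PERL block without a matching `use warnings;`, so the block still gets no diagnostic for, say, an undefined value being interpolated into the geoip match string built further down this file. Unless the Shorewall compiler already enables warnings for embedded action code (not visible here), add `use warnings;` directly after it. The BEGIN PERL block continues well past this hunk.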
@@ -300,21 +301,32 @@ my $chainref = get_action_chain;
 my ( $level, $tag ) = get_action_logging;
 my $target = require_audit ( $action , $audit );
 
-fatal_error "Either an action or a log level must be specified" unless $target || $level ne '';
-
 $countries =~ s/\|/,/g;
+my @countries = split_list $countries, 'cc';
 
-for ( split_list $countries, 'cc' ) {
+for ( @countries ) {
     fatal_error "Unknown ISO 3661 Country Code ($_)" unless $isocodes{$_};
 }
 
-log_rule_limit $level, $chainref, 'GeoIP' , $target ? $target : 'LOG' , '', $tag, 'add', "-m geoip --${srcdst}-cc $countries" if $level ne '';
+$tag = $countries[0] unless $tag || @countries > 1;
 
 if ( $target ne '' ) {
     my $targettype = $targets{$target} || 0;
     fatal_error "Unknown ACTION ($target)" unless $targettype;
-    fatal_error "The $target action may not be passed to GeoIP" unless $targettype | (STANDARD | CHAIN );
+    fatal_error "The $target action may not be passed to GeoIP" if ( ! $targettype & (STANDARD | CHAIN | ACTION ) ) || ( $targettype & ( NATRULE | NONAT ) );
+
+    if ( $level ne '' ) {
+        my $chain1ref = ensure_filter_chain( newlogchain('filter' ), 0 );
+        log_rule_limit $level, $chain1ref, $chainref->{name}, $target ? $target : 'LOG' , '', $tag, 'add', '';
+        add_ijump( $chain1ref, j => $target );
+        $target = $chain1ref->{name};
+    }
+
     add_ijump $chainref , j => $target, geoip => "--${srcdst}-cc $countries";
+} elsif ( $level ne '' ) {
+    log_rule_limit $level, $chainref, 'GeoIP' , $target ? $target : 'LOG' , '', $tag, 'add', "-m geoip --${srcdst}-cc $countries";
+} else {
+    fatal_error "Either an action or a log level must be specified";
 }
 
 allow_optimize( $chainref );
diff --git a/Shorewall6/actions.std b/Shorewall6/actions.std
index 3526f92c9..68785d250 100644
--- a/Shorewall6/actions.std
+++ b/Shorewall6/actions.std
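Review bot: The corrected ACTION check on the new `fatal_error "The $target action may not be passed to GeoIP"` line still cannot reject on its first clause: in Perl `!` binds tighter than `&`, so `! $targettype & (STANDARD | CHAIN | ACTION )` evaluates as `(!$targettype) & mask`, and because `$targettype` is already known to be non-zero from the preceding `unless $targettype`, `!$targettype` is the empty string and the clause is 0 for every target — only the `NATRULE | NONAT` clause can ever fire. The intended test is `fatal_error "The $target action may not be passed to GeoIP" if ( ! ( $targettype & ( STANDARD | CHAIN | ACTION ) ) ) || ( $targettype & ( NATRULE | NONAT ) );`. On the new `log_rule_limit` calls the `$target ? $target : 'LOG'` ternary is redundant: inside `if ( $target ne '' )` it always yields `$target`, and in the `elsif` branch it always yields `'LOG'`, so writing each literally would make the two logging paths easier to read. The unchanged "Unknown ISO 3661 Country Code" message in this hunk disagrees with the "ISO 3166" wording added to actions.std below; 3166 is the standard's number, so the message looks like a pre-existing typo worth fixing while here.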
@@ -26,6 +26,7 @@ AllowICMPs # Accept needed ICMP6 types
 Broadcast # Handles Broadcast/Multicast/Anycast
 Drop # Default Action for DROP policy
 DropSmurfs # Handles packets with a broadcast source address
+GeoIP # Match packets by ISO 3166 Country Code
 Invalid # Handles packets in the INVALID conntrack state
 NotSyn # Handles TCP packets that do not have SYN=1 and ACK=0
 Reject # Default Action for REJECT policy