Add GeoIP support

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/lib.base

@@ -28,7 +28,7 @@
 #
 
 SHOREWALL_LIBVERSION=40502
-SHOREWALL_CAPVERSION=40502
+SHOREWALL_CAPVERSION=40504
 
 [ -n "${g_program:=shorewall}" ]
 

Shorewall-core/lib.cli

@@ -1994,6 +1994,7 @@ determine_capabilities() {
     IMQ_TARGET=
     DSCP_MATCH=
     DSCP_TARGET=
+    GEOIP_MATCH=
 
     chain=fooX$$
 
@@ -2202,6 +2203,7 @@ determine_capabilities() {
     qt $g_tool -A $chain -j NFLOG && NFLOG_TARGET=Yes
     qt $g_tool -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
     qt $g_tool -A $chain -m statistic --mode nth --every 2 --packet 1 && STATISTIC_MATCH=Yes
+    qt $g_tool -A $chain -m geoip --src-cc US && GEOIP_MATCH=Yes
 
     if [ $g_family -eq 4 ]; then
 	qt $g_tool -A $chain -j ACCOUNT --addr 192.168.1.0/29 --tname $chain && ACCOUNT_TARGET=Yes
@@ -2316,6 +2318,7 @@ report_capabilities() {
 	report_capability "IMQ Target (IMQ_TARGET)" $IMQ_TARGET
 	report_capability "DSCP Match (DSCP_MATCH)" $DSCP_MATCH
 	report_capability "DSCP Target (DSCP_TARGET)" $DSCP_TARGET
+	report_capability "Geo IP match" $GEOIP_MATCH
 
 	if [ $g_family -eq 4 ]; then
 	    report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S
@@ -2406,6 +2409,7 @@ report_capabilities1() {
     report_capability1 IMQ_TARGET
     report_capability1 DSCP_MATCH
     report_capability1 DSCP_TARGET
+    report_capability1 GEOIP_MATCH
 
     echo CAPVERSION=$SHOREWALL_CAPVERSION
     echo KERNELVERSION=$KERNELVERSION

Shorewall/Perl/Shorewall/Chains.pm

@@ -79,6 +79,7 @@ our @EXPORT = qw(
 
 		    %chain_table
 		    %helpers
+		    %targets
 		    $raw_table
 		    $rawpost_table
 		    $nat_table

Shorewall/Perl/Shorewall/Config.pm

@@ -54,6 +54,7 @@ our @EXPORT = qw(
 		 progress_message3
 
 		 supplied
+		 split_list
 
 		 get_action_params
 		 get_action_chain
@@ -306,6 +307,7 @@ my  %capdesc = ( NAT_ENABLED     => 'NAT',
 		 IMQ_TARGET      => 'IMQ Target',
 		 DSCP_MATCH      => 'DSCP Match',
 		 DSCP_TARGET     => 'DSCP Target',
+		 GEOIP_MATCH     => 'GeoIP Match' ,
 		 CAPVERSION      => 'Capability Version',
 		 KERNELVERSION   => 'Kernel Version',
 	       );
@@ -513,7 +515,7 @@ sub initialize( $;$ ) {
 		    STATEMATCH => '-m state --state',
 		    UNTRACKED  => 0,
 		    VERSION    => "4.4.22.1",
-		    CAPVERSION => 40502 ,
+		    CAPVERSION => 40504 ,
 		  );
     #
     # From shorewall.conf file
@@ -744,6 +746,7 @@ sub initialize( $;$ ) {
 	       IMQ_TARGET => undef,
 	       DSCP_MATCH => undef,
 	       DSCP_TARGET => undef,
+	       GEOIP_MATCH => undef,
 	       CAPVERSION => undef,
 	       KERNELVERSION => undef,
 	       );
@@ -3075,6 +3078,10 @@ sub Dscp_Target() {
     have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -j DSCP --set-dscp 0" );
 }
 
+sub GeoIP_Match() {
+    qt1( "$iptables -A $sillyname -m geoip --src-cc US" );
+}
+
 our %detect_capability =
     ( ACCOUNT_TARGET =>\&Account_Target,
       AUDIT_TARGET => \&Audit_Target,
@@ -3094,6 +3101,7 @@ our %detect_capability =
       EXMARK => \&Exmark,
       FLOW_FILTER => \&Flow_Filter,
       FWMARK_RT_MASK => \&Fwmark_Rt_Mask,
+      GEOIP_MATCH => \&GeoIP_Match,
       GOTO_TARGET => \&Goto_Target,
       HASHLIMIT_MATCH => \&Hashlimit_Match,
       HEADER_MATCH => \&Header_Match,
@@ -3271,7 +3279,7 @@ sub determine_capabilities() {
 	$capabilities{IMQ_TARGET}      = detect_capability( 'IMQ_TARGET' );
 	$capabilities{DSCP_MATCH}      = detect_capability( 'DSCP_MATCH' );
 	$capabilities{DSCP_TARGET}     = detect_capability( 'DSCP_TARGET' );
-
+	$capabilities{GEOIP_MATCH}     = detect_capability( 'GEOIP_MATCH' );
 
 	qt1( "$iptables -F $sillyname" );
 	qt1( "$iptables -X $sillyname" );

Shorewall/action.GeoIP

@@ -0,0 +1,324 @@
+#
+# Shorewall 4 - GeoIP Action
+#
+#    /usr/share/shorewall/action.GeoIP
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2012- Tom Eastep (teastep@shorewall.net)
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#   GeoIP[(<countries>[,{<action>|-}][,{src|dst}][,{audit|-}])]
+#
+#       Where <countries> is a list of one or more ISO 3166 Country Codes (see table
+#       below).
+#
+#       Default action is to do nothing, so either an <action> must be specified or
+#       the parameter list must be followed by :<loglevel> to generate a logging rule.
+#       (e.g., GeoIP(US):info).
+#
+##########################################################################################
+FORMAT 2
+
+DEFAULTS -,-,src,-
+
+BEGIN PERL;
+
+use Shorewall::Chains;
+
+my ( $countries, $action, $srcdst, $audit ) = get_action_params( 4 );
+
+our %isocodes = (
+		 A1 => "Anonymous Proxy" ,
+		 A2 => "Satellite Provider" ,
+		 AD => "Andorra" ,
+		 AE => "United Arab Emirates" ,
+		 AF => "Afghanistan" ,
+		 AG => "Antigua and Barbuda" ,
+		 AI => "Anguilla" ,
+		 AL => "Albania" ,
+		 AM => "Armenia" ,
+		 AN => "Netherlands Antilles" ,
+		 AO => "Angola" ,
+		 AP => "Asia/Pacific Region" ,
+		 AQ => "Antarctica" ,
+		 AR => "Argentina" ,
+		 AS => "American Samoa" ,
+		 AT => "Austria" ,
+		 AU => "Australia" ,
+		 AW => "Aruba" ,
+		 AX => "Aland Islands" ,
+		 AZ => "Azerbaijan" ,
+		 BA => "Bosnia and Herzegovina" ,
+		 BB => "Barbados" ,
+		 BD => "Bangladesh" ,
+		 BE => "Belgium" ,
+		 BF => "Burkina Faso" ,
+		 BG => "Bulgaria" ,
+		 BH => "Bahrain" ,
+		 BI => "Burundi" ,
+		 BJ => "Benin" ,
+		 BM => "Bermuda" ,
+		 BN => "Brunei Darussalam" ,
+		 BO => "Bolivia" ,
+		 BR => "Brazil" ,
+		 BS => "Bahamas" ,
+		 BT => "Bhutan" ,
+		 BV => "Bouvet Island" ,
+		 BW => "Botswana" ,
+		 BY => "Belarus" ,
+		 BZ => "Belize" ,
+		 CA => "Canada" ,
+		 CC => "Cocos (Keeling) Islands" ,
+		 CD => "Congo, The Democratic Republic of the" ,
+		 CF => "Central African Republic" ,
+		 CG => "Congo" ,
+		 CH => "Switzerland" ,
+		 CI => "Cote D'Ivoire" ,
+		 CK => "Cook Islands" ,
+		 CL => "Chile" ,
+		 CM => "Cameroon" ,
+		 CN => "China" ,
+		 CO => "Colombia" ,
+		 CR => "Costa Rica" ,
+		 CU => "Cuba" ,
+		 CV => "Cape Verde" ,
+		 CX => "Christmas Island" ,
+		 CY => "Cyprus" ,
+		 CZ => "Czech Republic" ,
+		 DE => "Germany" ,
+		 DJ => "Djibouti" ,
+		 DK => "Denmark" ,
+		 DM => "Dominica" ,
+		 DO => "Dominican Republic" ,
+		 DZ => "Algeria" ,
+		 EC => "Ecuador" ,
+		 EE => "Estonia" ,
+		 EG => "Egypt" ,
+		 EH => "Western Sahara" ,
+		 ER => "Eritrea" ,
+		 ES => "Spain" ,
+		 ET => "Ethiopia" ,
+		 EU => "Europe" ,
+		 FI => "Finland" ,
+		 FJ => "Fiji" ,
+		 FK => "Falkland Islands (Malvinas)" ,
+		 FM => "Micronesia, Federated States of" ,
+		 FO => "Faroe Islands" ,
+		 FR => "France" ,
+		 GA => "Gabon" ,
+		 GB => "United Kingdom" ,
+		 GD => "Grenada" ,
+		 GE => "Georgia" ,
+		 GF => "French Guiana" ,
+		 GG => "Guernsey" ,
+		 GH => "Ghana" ,
+		 GI => "Gibraltar" ,
+		 GL => "Greenland" ,
+		 GM => "Gambia" ,
+		 GN => "Guinea" ,
+		 GP => "Guadeloupe" ,
+		 GQ => "Equatorial Guinea" ,
+		 GR => "Greece" ,
+		 GS => "South Georgia and the South Sandwich Islands" ,
+		 GT => "Guatemala" ,
+		 GU => "Guam" ,
+		 GW => "Guinea-Bissau" ,
+		 GY => "Guyana" ,
+		 HK => "Hong Kong" ,
+		 HN => "Honduras" ,
+		 HR => "Croatia" ,
+		 HT => "Haiti" ,
+		 HU => "Hungary" ,
+		 ID => "Indonesia" ,
+		 IE => "Ireland" ,
+		 IL => "Israel" ,
+		 IM => "Isle of Man" ,
+		 IN => "India" ,
+		 IO => "British Indian Ocean Territory" ,
+		 IQ => "Iraq" ,
+		 IR => "Iran, Islamic Republic of" ,
+		 IS => "Iceland" ,
+		 IT => "Italy" ,
+		 JE => "Jersey" ,
+		 JM => "Jamaica" ,
+		 JO => "Jordan" ,
+		 JP => "Japan" ,
+		 KE => "Kenya" ,
+		 KG => "Kyrgyzstan" ,
+		 KH => "Cambodia" ,
+		 KI => "Kiribati" ,
+		 KM => "Comoros" ,
+		 KN => "Saint Kitts and Nevis" ,
+		 KP => "Korea, Democratic People's Republic of" ,
+		 KR => "Korea, Republic of" ,
+		 KW => "Kuwait" ,
+		 KY => "Cayman Islands" ,
+		 KZ => "Kazakhstan" ,
+		 LA => "Lao People's Democratic Republic" ,
+		 LB => "Lebanon" ,
+		 LC => "Saint Lucia" ,
+		 LI => "Liechtenstein" ,
+		 LK => "Sri Lanka" ,
+		 LR => "Liberia" ,
+		 LS => "Lesotho" ,
+		 LT => "Lithuania" ,
+		 LU => "Luxembourg" ,
+		 LV => "Latvia" ,
+		 LY => "Libyan Arab Jamahiriya" ,
+		 MA => "Morocco" ,
+		 MC => "Monaco" ,
+		 MD => "Moldova, Republic of" ,
+		 ME => "Montenegro" ,
+		 MG => "Madagascar" ,
+		 MH => "Marshall Islands" ,
+		 MK => "Macedonia" ,
+		 ML => "Mali" ,
+		 MM => "Myanmar" ,
+		 MN => "Mongolia" ,
+		 MO => "Macau" ,
+		 MP => "Northern Mariana Islands" ,
+		 MQ => "Martinique" ,
+		 MR => "Mauritania" ,
+		 MS => "Montserrat" ,
+		 MT => "Malta" ,
+		 MU => "Mauritius" ,
+		 MV => "Maldives" ,
+		 MW => "Malawi" ,
+		 MX => "Mexico" ,
+		 MY => "Malaysia" ,
+		 MZ => "Mozambique" ,
+		 NA => "Namibia" ,
+		 NC => "New Caledonia" ,
+		 NE => "Niger" ,
+		 NF => "Norfolk Island" ,
+		 NG => "Nigeria" ,
+		 NI => "Nicaragua" ,
+		 NL => "Netherlands" ,
+		 NO => "Norway" ,
+		 NP => "Nepal" ,
+		 NR => "Nauru" ,
+		 NU => "Niue" ,
+		 NZ => "New Zealand" ,
+		 OM => "Oman" ,
+		 PA => "Panama" ,
+		 PE => "Peru" ,
+		 PF => "French Polynesia" ,
+		 PG => "Papua New Guinea" ,
+		 PH => "Philippines" ,
+		 PK => "Pakistan" ,
+		 PL => "Poland" ,
+		 PM => "Saint Pierre and Miquelon" ,
+		 PR => "Puerto Rico" ,
+		 PS => "Palestinian Territory, Occupied" ,
+		 PT => "Portugal" ,
+		 PW => "Palau" ,
+		 PY => "Paraguay" ,
+		 QA => "Qatar" ,
+		 RE => "Reunion" ,
+		 RO => "Romania" ,
+		 RS => "Serbia" ,
+		 RU => "Russian Federation" ,
+		 RW => "Rwanda" ,
+		 SA => "Saudi Arabia" ,
+		 SB => "Solomon Islands" ,
+		 SC => "Seychelles" ,
+		 SD => "Sudan" ,
+		 SE => "Sweden" ,
+		 SG => "Singapore" ,
+		 SH => "Saint Helena" ,
+		 SI => "Slovenia" ,
+		 SJ => "Svalbard and Jan Mayen" ,
+		 SK => "Slovakia" ,
+		 SL => "Sierra Leone" ,
+		 SM => "San Marino" ,
+		 SN => "Senegal" ,
+		 SO => "Somalia" ,
+		 SR => "Suriname" ,
+		 ST => "Sao Tome and Principe" ,
+		 SV => "El Salvador" ,
+		 SY => "Syrian Arab Republic" ,
+		 SZ => "Swaziland" ,
+		 TC => "Turks and Caicos Islands" ,
+		 TD => "Chad" ,
+		 TF => "French Southern Territories" ,
+		 TG => "Togo" ,
+		 TH => "Thailand" ,
+		 TJ => "Tajikistan" ,
+		 TK => "Tokelau" ,
+		 TL => "Timor-Leste" ,
+		 TM => "Turkmenistan" ,
+		 TN => "Tunisia" ,
+		 TO => "Tonga" ,
+		 TR => "Turkey" ,
+		 TT => "Trinidad and Tobago" ,
+		 TV => "Tuvalu" ,
+		 TW => "Taiwan" ,
+		 TZ => "Tanzania, United Republic of" ,
+		 UA => "Ukraine" ,
+		 UG => "Uganda" ,
+		 UM => "United States Minor Outlying Islands" ,
+		 US => "United States" ,
+		 UY => "Uruguay" ,
+		 UZ => "Uzbekistan" ,
+		 VA => "Holy See (Vatican City State)" ,
+		 VC => "Saint Vincent and the Grenadines" ,
+		 VE => "Venezuela" ,
+		 VG => "Virgin Islands, British" ,
+		 VI => "Virgin Islands, U.S." ,
+		 VN => "Vietnam" ,
+		 VU => "Vanuatu" ,
+		 WF => "Wallis and Futuna" ,
+		 WS => "Samoa" ,
+		 YE => "Yemen" ,
+		 YT => "Mayotte" ,
+		 ZA => "South Africa" ,
+		 ZM => "Zambia" ,
+		 ZW => "Zimbabwe" ,
+	     );
+
+require_capability 'GEOIP_MATCH', 'The GeoIP action', 's';
+
+fatal_error "Invalid parameter ($audit) to action GeoIP"   if supplied $audit  && $audit ne 'audit';
+fatal_error "Invalid SRC/DST ($srcdst)"                    if supplied $srcdst && $srcdst !~ /^(src|dst)$/;
+
+my $chainref         = get_action_chain;
+my ( $level, $tag )  = get_action_logging;
+my $target           = require_audit ( $action , $audit );
+
+fatal_error "Either an action or a log level must be specified" unless $target || $level ne '';
+
+$countries =~ s/\|/,/g;
+
+for ( split_list $countries, 'cc' ) {
+    fatal_error "Unknown ISO 3661 Country Code ($_)" unless $isocodes{$_};
+}
+
+log_rule_limit $level, $chainref, 'GeoIP' , $target ? $target : 'LOG' , '', $tag, 'add', "-m geoip --${srcdst}-cc $countries" if $level ne '';
+
+if ( $target ne '' ) {
+    my $targettype = $targets{$target} || 0;
+    fatal_error "Unknown ACTION ($target)" unless $targettype;
+    fatal_error "The $target action may not be passed to GeoIP" unless $targettype | (STANDARD | CHAIN );
+    add_ijump $chainref , j => $target, geoip => "--${srcdst}-cc $countries";
+}
+
+allow_optimize( $chainref );
+
+1;
+
+END PERL;

Shorewall/actions.std

@@ -38,6 +38,7 @@ A_Reject	    # Audited Default action for REJECT policy
 Broadcast	    # Handles Broadcast/Multicast/Anycast
 Drop		    # Default Action for DROP policy
 DropSmurfs          # Drop smurf packets
+GeoIP               # Match packets by ISO 3166 Country Code
 Invalid             # Handles packets in the INVALID conntrack state
 NotSyn              # Handles TCP packets which do not have SYN=1 and ACK=0
 Reject		    # Default Action for REJECT policy