/[smecontribs]/rpms/smeserver-xt_geoip/contribs9/smeserver-xt_geoip-1.0.1-bz10760-per_serv2.patch




Revision 1.2 - (hide annotations) (download)
Tue Jul 23 02:00:08 2019 UTC (5 years, 3 months ago) by jpp
Branch: MAIN
CVS Tags: smeserver-xt_geoip-1_0_1-15_el6_sme
Changes since 1.1: +0 -253 lines
* Tue Jul 23 2019 Jean-Philipe Pialasse <tests@pialasse.com> 1.0.1-15.sme
- improved per service filtering [SME: 10760]
- remove A1 forced as default and allow empty filter [SME: 10785]

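--- a/root/etc/e-smith/db/configuration/defaults/masq/BadCountries
+++ b/root/etc/e-smith/db/configuration/defaults/masq/BadCountries
@@ -1 +0,0 @@
-A1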
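--- a/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/xt_geoip
+++ b/root/etc/e-smith/locale/en-us/etc/e-smith/web/functions/xt_geoip
@@ -197,4 +197,25 @@
 <trans>Too many countries chosen: {$ctr}</trans>
 </entry>
 
+ <entry>
+ <base>LABEL_REVERSE_MATCH</base>
+ <trans>Reject if</trans>
+ </entry>
+
+ <entry>
+ <base>DESC_REVERSE_MATCH</base>
+ <trans>The following option allow to chose if you want reject visitors from the country list (==) which is the default behaviour, or if you want to only let them in (!=).</trans>
+ </entry>
+
+ <entry>
+ <base>LABEL_OTHERS</base>
+ <trans>General filter only for services without rules</trans>
+ </entry>
+
+ <entry>
+ <base>DESC_OTHERS</base>
+ <trans>Choose if you want to have the general filter to apply to all incoming connections or if you do not want to filter ports already defined with a specific service rule. This would allow you to have a service less restricted than the general rule if you enable this.</trans>
+ </entry>
+
+
 </lexicon>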
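--- a/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40Xt_Geoip
+++ b/root/etc/e-smith/templates/etc/rc.d/init.d/masq/40Xt_Geoip
@@ -8,14 +8,10 @@
 my $PATH2_MODULE = "/lib/modules/$KERNEL/weak-updates/xt_geoip.ko";
 my $PATH3_MODULE = "/lib/modules/$KERNEL/weak-updates/xtables-addons/xt_geoip.ko";
 my $port;
- my $locPorts;
+ my @locPorts;
 my $servStatus;
 my $locBC;
- if ($GP eq 'enabled')
- {
- if (-s $PATH_MODULE || -s $PATH2_MODULE || -s $PATH3_MODULE)
- {
- # to allow reload
+ # to allow reload
 $OUT .=<<'EOF';
 # A blacklist chain for xtables-addons GEOIP
 /sbin/iptables --new-chain XTGeoIP
@@ -24,8 +20,34 @@
 /sbin/iptables --insert INPUT 1 \
 -j XTGeoIP
 EOF
+
+ if ($GP eq 'enabled')
+ {
+ if (-s $PATH_MODULE || -s $PATH2_MODULE || -s $PATH3_MODULE)
+ {
+
+# do not block LAN
+ my $locals = "@locals";
+ if (@locals)
+ {
+ # Make a new local_chk chain and add any networks found in networks db
+ foreach my $local (@locals)
+ {
+ # If the network is a remote vpn subnet, restrict it to the ipsec0
+ # interface.
+ my ($net, $msk) = split /\//, $local;
+ my $netrec = $nets->get($net);
+ die "Can't find network $net in networks db!\n" unless $netrec;
+ $OUT .= " /sbin/iptables -A XTGeoIP_1 -s $local";
+ if (($netrec->prop('remoteVPNSubnet') || 'no') eq 'yes')
+ {
+ $OUT .= " --in-interface ipsec0";
+ }
+ $OUT .= " -j RETURN\n";
+ }
+ }
+
 ##adding here for service specific
- $locPorts='';
 
 my @services = split(/,/, $masq{'XtServices'});
 foreach my $servName (@services)
@@ -34,22 +56,27 @@
 my $servStatus = ${$servName}{'status'} || 'disabled';
 my $servAccess = ${$servName}{'access'} || 'private';
 my $locBC = ${$servName}{'BadCountries'} || '';
+ my $reverse = ( ( ${$servName}{'XTGeoipRev'} || 'disabled' ) eq "enabled" )? "!": "";
 if ($port ne '' and $servStatus eq 'enabled' and $servAccess eq 'public' and $locBC ne '') {
- $locPorts .= "$port,";
- $OUT .= " /sbin/iptables -A XTGeoIP_1 -m geoip --src-cc $locBC -p tcp --dport $port -j ULOG --ulog-prefix \"GeoIP BAN: $servName\"\n";
- $OUT .= " /sbin/iptables -A XTGeoIP_1 -m geoip --src-cc $locBC -p tcp --dport $port -j DROP\n";
+ push @locPorts, $port;
+ my $multi = ( $port =~ /[,:]/ )? "-m multiport --dports" : "--dport";
+ $OUT .= " /sbin/iptables -A XTGeoIP_1 -m geoip $reverse --src-cc $locBC -p tcp $multi $port -j ULOG --ulog-prefix \"GeoIP BAN: $servName\"\n";
+ $OUT .= " /sbin/iptables -A XTGeoIP_1 -m geoip $reverse --src-cc $locBC -p tcp $multi $port -j DROP\n";
 }
 }
 
 # block for other or all should move there
 if ($BC ne '') {
- if ($locPorts ne '') {
- $locPorts = substr $locPorts, 0, -1;
- $OUT .= " /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip -m multiport ! --dports $locPorts --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: OTHER\"\n";
- $OUT .= " /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip -m multiport ! --dports $locPorts --src-cc $BC -j DROP\n";
+ my $reverse = ( ( $masq{'XTGeoipRev'} || 'disabled' ) eq "enabled" )? "!": "";
+ my $others = ( ( $masq{'XTGeoipOther'} || 'enabled') eq "disabled") ? 1 : 0;
+ @locPorts = () unless $others;
+ if (@locPorts != 0) {
+ my $LocPorts = join ',', @locPorts;
+ $OUT .= " /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip -m multiport ! --dports $LocPorts $reverse --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: OTHER\"\n";
+ $OUT .= " /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip -m multiport ! --dports $LocPorts $reverse --src-cc $BC -j DROP\n";
 } else {
- $OUT .= " /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: ALL\"\n";
- $OUT .= " /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip --src-cc $BC -j DROP\n";
+ $OUT .= " /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip $reverse --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: ALL\"\n";
+ $OUT .= " /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip $reverse --src-cc $BC -j DROP\n";
 }
 }
 $OUT .= " /sbin/iptables --append XTGeoIP_1" .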
111     - $OUT .= " /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip -m multiport ! --dports $locPorts --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: OTHER\"\n";
112     - $OUT .= " /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip -m multiport ! --dports $locPorts --src-cc $BC -j DROP\n";
113     + my $reverse = ( ( $masq{'XTGeoipRev'} || 'disabled' ) eq "enabled" )? "!": "";
114     + my $others = ( ( $masq{'XTGeoipOther'} || 'enabled') eq "disabled") ? 1 : 0;
115     + @locPorts = () unless $others;
116     + if (@locPorts != 0) {
117     + my $LocPorts = join ',', @locPorts;
118     + $OUT .= " /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip -m multiport ! --dports $LocPorts $reverse --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: OTHER\"\n";
119     + $OUT .= " /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip -m multiport ! --dports $LocPorts $reverse --src-cc $BC -j DROP\n";
120     } else {
121     - $OUT .= " /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: ALL\"\n";
122     - $OUT .= " /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip --src-cc $BC -j DROP\n";
123     + $OUT .= " /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip $reverse --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: ALL\"\n";
124     + $OUT .= " /sbin/iptables -A XTGeoIP_1 -p tcp -m geoip $reverse --src-cc $BC -j DROP\n";
125     }
126     }
127     $OUT .= " /sbin/iptables --append XTGeoIP_1" .
128     diff -Nur smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustXt_Geoip smeserver-xt_geoip-1.0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustXt_Geoip
129     --- smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustXt_Geoip 2019-07-23 03:16:53.293411435 +0200
130     +++ smeserver-xt_geoip-1.0.1/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustXt_Geoip 2019-07-22 00:35:29.000000000 +0200
131     @@ -7,11 +7,11 @@
132     my $PATH2_MODULE = "/lib/modules/$KERNEL/weak-updates/xt_geoip.ko";
133     my $PATH3_MODULE = "/lib/modules/$KERNEL/weak-updates/xtables-addons/xt_geoip.ko";
134     my $port;
135     - my $locPorts;
136     + my @locPorts;
137     my $servStatus;
138     my $locBC;
139    
140     - # to allow reload without locking just after initial install
141     + # to allow reload without locking just after initial install
142     $OUT .=<<'EOF';
143     iptables -n --list XTGeoIP >/dev/null 2>&1
144     test=$?
145     @@ -36,8 +36,28 @@
146     {
147     if (-s $PATH_MODULE || -s $PATH2_MODULE || -s $PATH3_MODULE)
148     {
149     - # add content here
150     - $locPorts = '';
151     +
152     +# do not block LAN
153     + my $locals = "@locals";
154     + if (@locals)
155     + {
156     + # Make a new local_chk chain and add any networks found in networks db
157     + foreach my $local (@locals)
158     + {
159     + # If the network is a remote vpn subnet, restrict it to the ipsec0
160     + # interface.
161     + my ($net, $msk) = split /\//, $local;
162     + my $netrec = $nets->get($net);
163     + die "Can't find network $net in networks db!\n" unless $netrec;
164     + $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -s $local";
165     + if (($netrec->prop('remoteVPNSubnet') || 'no') eq 'yes')
166     + {
167     + $OUT .= " --in-interface ipsec0";
168     + }
169     + $OUT .= " -j RETURN\n";
170     + }
171     + }
172     +
173     my @services = split(/,/, $masq{'XtServices'});
174    
175     foreach my $servName (@services)
176     @@ -46,33 +66,27 @@
177     my $servStatus = ${$servName}{'status'} || 'disabled';
178     my $servAccess = ${$servName}{'access'} || 'private';
179     my $locBC = ${$servName}{'BadCountries'} || '';
180     + my $reverse = ( ( ${$servName}{'XTGeoipRev'} || 'disabled' ) eq "enabled" )? "!": "";
181     if ($port ne '' and $servStatus eq 'enabled' and $servAccess eq 'public' and $locBC ne '') {
182     - $locPorts .= "$port,";
183     - $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -m geoip --src-cc $locBC -p tcp --dport $port -j ULOG --ulog-prefix \"GeoIP BAN: $servName\"\n";
184     - $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -m geoip --src-cc $locBC -p tcp --dport $port -j DROP\n";
185     + push @locPorts, $port;
186     + my $multi = ( $port =~ /[,:]/ )? "-m multiport --dports" : "--dport";
187     + $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -m geoip $reverse --src-cc $locBC -p tcp $multi $port -j ULOG --ulog-prefix \"GeoIP BAN: $servName\"\n";
188     + $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -m geoip $reverse --src-cc $locBC -p tcp $multi $port -j DROP\n";
189     }
190     }
191    
192     - ##adding here for service specific
193     - # imaps 993
194     - #$locBC = $imaps{BadCountries} || '';
195     - #$servStatus = $imaps{'status'} || 'disabled';
196     - #$port = $imaps{'TCPPort'} || '993';
197     - #if ($servStatus eq 'enabled' and $locBC ne '') {
198     - # $locPorts .= "${port},";
199     - # $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -m geoip --src-cc $locBC -p tcp --dport $port -j ULOG --ulog-prefix \"GeoIP BAN: IMAPS\"\n";
200     - # $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -m geoip --src-cc $locBC -p tcp --dport $port -j DROP\n";
201     - #}
202     -
203     # block for all or other ports should move there
204     if ($BC ne '') {
205     - if ($locPorts ne '') {
206     - $locPorts = substr $locPorts, 0, -1;
207     - $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip -m multiport ! --dports $locPorts --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: OTHER\"\n";
208     - $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip -m multiport ! --dports $locPorts --src-cc $BC -j DROP\n";
209     + my $reverse = ( ( $masq{'XTGeoipRev'} || 'disabled' ) eq "enabled" )? "!": "";
210     + my $others = ( ( $masq{'XTGeoipOther'} || 'disabled') eq "enabled") ? 1 : 0;
211     + @locPorts = () unless $others;
212     + if (@locPorts != 0) {
213     + my $LocPorts = join ',', @locPorts;
214     + $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip -m multiport ! --dports $LocPorts $reverse --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: OTHER\"\n";
215     + $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip -m multiport ! --dports $LocPorts $reverse --src-cc $BC -j DROP\n";
216     } else {
217     - $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: ALL\"\n";
218     - $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip --src-cc $BC -j DROP\n";
219     + $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip $reverse --src-cc $BC -j ULOG --ulog-prefix \"GeoIP BAN: ALL\"\n";
220     + $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip $reverse --src-cc $BC -j DROP\n";
221     }
222     }
223     $OUT .= " /sbin/iptables --append \$NEW_XTGeoIP" .
224     diff -Nur smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/web/functions/xt_geoip smeserver-xt_geoip-1.0.1/root/etc/e-smith/web/functions/xt_geoip
225     --- smeserver-xt_geoip-1.0.1.old/root/etc/e-smith/web/functions/xt_geoip 2019-07-23 03:16:53.279411436 +0200
226     +++ smeserver-xt_geoip-1.0.1/root/etc/e-smith/web/functions/xt_geoip 2019-07-23 02:18:09.000000000 +0200
227     @@ -81,7 +81,7 @@
228     <field
229     type="literal"
230     id="badcountries"
231     - value="get_badcountries()">
232     + value="get_badcountries(1)">
233     <label>LABEL_BADCOUNTRIES_STATUS</label>
234     </field>
235    
236     @@ -102,7 +102,6 @@
237     <field type="literal" id="service_label" value="">
238     <description>SERVICE_DESCRIPTION</description>
239     </field>
240     -
241     <subroutine src="print_custom_button('PER_SERVICE_GEOIP', 'Service', '')"/>
242    
243     <field type="literal" id="stats_label" value="">
244     @@ -128,10 +127,20 @@
245     <description>DESC_GEOIP</description>
246     </field>
247    
248     + <field
249     + type="select"
250     + id="masq_reverse"
251     + options="'enabled' => '!=', 'disabled' => '=='"
252     + value="get_reverse('masq','XTGeoipRev')">
253     + <label>LABEL_REVERSE_MATCH</label>
254     + <description>DESC_REVERSE_MATCH</description>
255     + </field>
256     +
257     <field
258     type="text"
259     id="masq_badcountries"
260     size="64"
261     + value="get_badcountries(0)"
262     validation="must_exist()">
263     <label>LABEL_BADCOUNTRIES</label>
264     <description>DESC_BADCOUNTRIES</description>
265     @@ -140,9 +149,18 @@
266     <field
267     type="literal"
268     id="badcountries"
269     - value="get_badcountries()">
270     + value="get_badcountries(1)">
271     <label>LABEL_BADCOUNTRIES_STATUS</label>
272     </field>
273     +
274     + <field
275     + type="select"
276     + id="masq_others"
277     + options="'enabled' => 'enabled', 'disabled' => 'disabled'"
278     + value="get_reverse('masq','XTGeoipOther')">
279     + <label>LABEL_OTHERS</label>
280     + <description>DESC_OTHERS</description>
281     + </field>
282    
283     <field
284     type="select"
285     @@ -163,7 +181,7 @@
286     <field
287     type="literal"
288     id="badcountries"
289     - value="get_badcountries()">
290     + value="get_badcountries(1)">
291     <label>LABEL_BADCOUNTRIES_STATUS</label>
292     </field>
293     <subroutine src="print_service_table()" />
294     @@ -187,14 +205,24 @@
295     <field
296     type="literal"
297     id="badcountries"
298     - value="get_badcountries()">
299     + value="get_badcountries(1)">
300     <label>LABEL_BADCOUNTRIES_STATUS</label>
301     </field>
302    
303     + <field
304     + type="select"
305     + id="masq_srv_reverse"
306     + options="'enabled' => '!=', 'disabled' => '=='"
307     + value="get_reverse('','XTGeoipRev')">
308     + <label>LABEL_REVERSE_MATCH</label>
309     + <description>DESC_REVERSE_MATCH</description>
310     + </field>
311     +
312     <field
313     type="text"
314     id="masq_srv_badcountries"
315     size="64"
316     + value="get_srv_badcountries(0)"
317     validation="srv_must_exist()">
318     <label>LABEL_BADCOUNTRIES</label>
319     <description>DESC_BADCOUNTRIES</description>
320     @@ -203,7 +231,7 @@
321     <field
322     type="literal"
323     id="srv_badcountries"
324     - value="get_srv_badcountries()">
325     + value="get_srv_badcountries(1)">
326     <label>LABEL_SERV_BADCOUNTRIES_STATUS</label>
327     </field>
328    
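Review bot: The three new select fields (`masq_reverse`, `masq_others`, `masq_srv_reverse`) carry no `validation=` attribute, while the neighbouring text fields keep `must_exist()` / `srv_must_exist()`; a select's option list is enforced only in the browser, so whether a posted value other than `enabled`/`disabled` is rejected depends on the save handler, which is outside this hunk. The templates compare the stored key with `eq "enabled"` and treat anything else as disabled, so the failure mode is a silently ignored setting rather than a malformed rule, but the handler should still reject unexpected values so the config DB reflects what the admin chose. The `masq_others` field also reuses `get_reverse('masq','XTGeoipOther')` for a key that is not a reverse-match flag; a one-line comment on that field saying it only reads the enabled/disabled value would stop a reader from looking for inverted semantics.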
