From daa56b9cc566cecd5668fefcebce4a1934b8c3cf Mon Sep 17 00:00:00 2001 From: John Crisp Date: Wed, 22 Oct 2025 13:46:41 +0200 Subject: [PATCH] xt_geoip 1.3.1-30.sme Fix syntax in masq template for [SME: 12445] --- .../etc/rc.d/init.d/masq/90adjustXt_Geoip | 147 +++++++++--------- smeserver-xt_geoip.spec | 8 +- 2 files changed, 77 insertions(+), 78 deletions(-) diff --git a/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustXt_Geoip b/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustXt_Geoip index 844f7f1..48ac297 100644 --- a/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustXt_Geoip +++ b/root/etc/e-smith/templates/etc/rc.d/init.d/masq/90adjustXt_Geoip @@ -1,9 +1,9 @@ { my $BC = $masq{BadCountries} || ''; - my $GP = $masq{GeoIP} || 'disabled'; + my $GP = $masq{GeoIP} || 'disabled'; my $KERNEL = `/bin/uname -r`; chomp($KERNEL); - my $PATH_MODULE = "/lib/modules/$KERNEL/extra/xt_geoip.ko"; + my $PATH_MODULE = "/lib/modules/$KERNEL/extra/xt_geoip.ko"; my $PATH2_MODULE = "/lib/modules/$KERNEL/weak-updates/xt_geoip.ko"; my $PATH3_MODULE = "/lib/modules/$KERNEL/weak-updates/xtables-addons/xt_geoip.ko"; my $port; @@ -11,8 +11,8 @@ my $servStatus; my $locBC; - # to allow reload without locking just after initial install - $OUT .=<<'EOF'; + # to allow reload without locking just after initial install + $OUT .= <<'EOF'; iptables -n --list XTGeoIP >/dev/null 2>&1 test=$? if [[ $test -eq 1 ]] ; then 
@@ -26,96 +26,91 @@ EOF # Find the current XTGeoIP_$$ chain, and create a new one. - $OUT .=<<'EOF'; + $OUT .= <<'EOF'; OLD_XTGeoIP=$(get_safe_id XTGeoIP filter find) NEW_XTGeoIP=$(get_safe_id XTGeoIP filter new) /sbin/iptables --new-chain $NEW_XTGeoIP EOF - if ( $GP eq 'enabled' ) - { - if (-s $PATH_MODULE || -s $PATH2_MODULE || -s $PATH3_MODULE) - { + if ($GP eq 'enabled') { + if (-s $PATH_MODULE || -s $PATH2_MODULE || -s $PATH3_MODULE) { - # do not block Localhost(s) - $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -s 127.0.0.0/24 -j RETURN\n"; + # do not block Localhost(s) + $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -s 127.0.0.0/24 -j RETURN\n"; - # do not block LAN - my $locals = "@locals"; - if (@locals) - { - # Make a new local_chk chain and add any networks found in networks db - foreach my $local (@locals) - { - # If the network is a remote vpn subnet, restrict it to the ipsec0 - # interface. - my ($net, $msk) = split /\//, $local; - my $netrec = $nets->get($net); - die "Can't find network $net in networks db!\n" unless $netrec; - $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -s $local"; - if (($netrec->prop('remoteVPNSubnet') || 'no') eq 'yes') - { - $OUT .= " --in-interface ipsec0"; - } - $OUT .= " -j RETURN\n"; - } - } + # do not block LAN + my $locals = "@locals"; - # [SME: 12445] do not block Remote authorized access - # TO DO : allow pin point per service eg this UK ip/network even if UK is filtered + if (@locals) { - (($masq{XTAcceptValidRemoteHosts} || 'enabled') eq 'enabled'){ - foreach (split /[,;]/, (${'httpd-admin'}{'ValidFrom'} || '')){ - my ($ip,$bits) = Net::IPv4Addr::ipv4_parse("$_"); - $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -s $ip/$bits -j RETURN\n" unless "$ip" eq '0.0.0.0'; - } - } + # Make a new local_chk chain and add any networks found in networks db + foreach my $local (@locals) { - my @services = split(/,/, $masq{'XtServices'}); - - foreach my $servName (@services) - { - $port = ${$servName}{'TCPPort'} || ''; - my $servStatus = 
${$servName}{'status'} || 'disabled'; - my $servAccess = ${$servName}{'access'} || 'private'; - my $locBC = ${$servName}{'BadCountries'} || ''; - my $reverse = ( ( ${$servName}{'XTGeoipRev'} || 'disabled' ) eq "enabled" )? "!": ""; - if ($port ne '' and $servStatus eq 'enabled' and $servAccess eq 'public' and $locBC ne '') { - push @locPorts, $port; - my $multi = ( $port =~ /[,:]/ )? "-m multiport --dports" : "--dport"; - $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -m geoip $reverse --src-cc $locBC -p tcp $multi $port -j NFLOG --nflog-prefix \"GeoIP BAN: $servName\"\n"; - $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -m geoip $reverse --src-cc $locBC -p tcp $multi $port -j DROP\n"; - } - } + # If the network is a remote vpn subnet, restrict it to the ipsec0 + # interface. + my ($net, $msk) = split /\//, $local; + my $netrec = $nets->get($net); + die "Can't find network $net in networks db!\n" unless $netrec; + $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -s $local"; - # block for all or other ports should move there - if ($BC ne '') { - my $reverse = ( ( $masq{'XTGeoipRev'} || 'disabled' ) eq "enabled" )? "!": ""; - my $others = ( ( $masq{'XTGeoipOther'} || 'disabled') eq "enabled") ? 1 : 0; - @locPorts = () unless $others; - if (@locPorts != 0) { - my $LocPorts = join ',', @locPorts; - $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip -m multiport ! --dports $LocPorts $reverse --src-cc $BC -j NFLOG --nflog-prefix \"GeoIP BAN: OTHER\"\n"; - $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip -m multiport ! 
--dports $LocPorts $reverse --src-cc $BC -j DROP\n"; - } else { - $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip $reverse --src-cc $BC -j NFLOG --nflog-prefix \"GeoIP BAN: ALL\"\n"; - $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip $reverse --src-cc $BC -j DROP\n"; - } + if (($netrec->prop('remoteVPNSubnet') || 'no') eq 'yes') { + $OUT .= " --in-interface ipsec0"; + } + $OUT .= " -j RETURN\n"; + } ## end foreach my $local (@locals) + } ## end if (@locals) + + # [SME: 12445] do not block Remote authorized access + # TO DO : allow pin point per service eg this UK ip/network even if UK is filtered + if (($masq{XTAcceptValidRemoteHosts} || 'enabled') eq 'enabled') { + foreach (split /[,;]/, (${'httpd-admin'}{'ValidFrom'} || '')) { + my ($ip, $bits) = Net::IPv4Addr::ipv4_parse("$_"); + $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -s $ip/$bits -j RETURN\n" unless "$ip" eq '0.0.0.0'; } - $OUT .= " /sbin/iptables --append \$NEW_XTGeoIP" . - " -j RETURN\n"; + } ## end if (($masq{XTAcceptValidRemoteHosts...})) + + my @services = split(/,/, $masq{'XtServices'}); + + foreach my $servName (@services) { + $port = ${$servName}{'TCPPort'} || ''; + my $servStatus = ${$servName}{'status'} || 'disabled'; + my $servAccess = ${$servName}{'access'} || 'private'; + my $locBC = ${$servName}{'BadCountries'} || ''; + my $reverse = ((${$servName}{'XTGeoipRev'} || 'disabled') eq "enabled") ? "!" : ""; + + if ($port ne '' and $servStatus eq 'enabled' and $servAccess eq 'public' and $locBC ne '') { + push @locPorts, $port; + my $multi = ($port =~ /[,:]/) ? "-m multiport --dports" : "--dport"; + $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -m geoip $reverse --src-cc $locBC -p tcp $multi $port -j NFLOG --nflog-prefix \"GeoIP BAN: $servName\"\n"; + $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -m geoip $reverse --src-cc $locBC -p tcp $multi $port -j DROP\n"; + } ## end if ($port ne '' and $servStatus...) 
+ } ## end foreach my $servName (@services) + + # block for all or other ports should move there + if ($BC ne '') { + my $reverse = (($masq{'XTGeoipRev'} || 'disabled') eq "enabled") ? "!" : ""; + my $others = (($masq{'XTGeoipOther'} || 'disabled') eq "enabled") ? 1 : 0; + @locPorts = () unless $others; + + if (@locPorts != 0) { + my $LocPorts = join ',', @locPorts; + $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip -m multiport ! --dports $LocPorts $reverse --src-cc $BC -j NFLOG --nflog-prefix \"GeoIP BAN: OTHER\"\n"; + $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip -m multiport ! --dports $LocPorts $reverse --src-cc $BC -j DROP\n"; + } else { + $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip $reverse --src-cc $BC -j NFLOG --nflog-prefix \"GeoIP BAN: ALL\"\n"; + $OUT .= " /sbin/iptables -A \$NEW_XTGeoIP -p tcp -m geoip $reverse --src-cc $BC -j DROP\n"; + } + } ## end if ($BC ne '') + $OUT .= " /sbin/iptables --append \$NEW_XTGeoIP" . " -j RETURN\n"; ## end of add - - } - } - + } ## end if (-s $PATH_MODULE ||...) + } ## end if ($GP eq 'enabled') # Having created a new XTGeoIP chain, activate it and destroy the old. - $OUT .=<<'EOF'; + $OUT .= <<'EOF'; /sbin/iptables --replace XTGeoIP 1 \ --jump $NEW_XTGeoIP /sbin/iptables --flush $OLD_XTGeoIP /sbin/iptables --delete-chain $OLD_XTGeoIP EOF - } diff --git a/smeserver-xt_geoip.spec b/smeserver-xt_geoip.spec index 6d8f71e..e1684a1 100644 --- a/smeserver-xt_geoip.spec +++ b/smeserver-xt_geoip.spec @@ -1,6 +1,6 @@ %define name smeserver-xt_geoip %define version 1.3.1 -%define release 29 +%define release 30 Summary: smserver rpm to setup database, update and configuration for xt_geoip module with a panel. Name: %{name} 
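Review bot: The hunk deletes the template's final `}` (the `- }` right before the spec diff) without adding a replacement, and every added `} ## end ...` line pairs with an opener inside this hunk, so nothing closes the `{` that the first hunk shows on line 1 of the fragment. Unless a closing brace exists beyond the hunk (none is shown, and this hunk runs to the end of the file), the fragment no longer parses, template expansion of the masq script would fail and the intended GeoIP rules would not be regenerated; restoring `}` on its own line after the closing `EOF` fixes it. Separately, in the new `[SME: 12445]` loop, if I read Net::IPv4Addr correctly `ipv4_parse` yields an undefined `$bits` for a `ValidFrom` entry written without a mask, which would emit `-s 1.2.3.4/` and break the generated script (and an unparsable entry would, I believe, die during expansion). Adding `$bits = 32 unless defined $bits;` after the parse, or skipping entries that fail to parse, would make the accept rule robust. The template block this hunk edits opens in the first hunk, outside this one.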
@@ -78,7 +78,11 @@ rm -rf %{name}-%{version} %changelog -* Tue Oct 21 2025 John Crisp 1.3.1-29.sme +* Wed Oct 22 2025 John Crisp 1.3.1-30.sme +- Fix error in patch for [SME: 12445] +- Tidy template + +* Tue Oct 21 2025 John Crisp 1.3.1-29.sme - Fix SmartMatch errors [SME: 13240] - Fix panel errors [SME: 13173] - Do not block remote access authorized [SME: 12445]