- 05 Mar, 2022 3 commits
-
-
Michael Tremer authored
Signed-off-by:Michael Tremer <michael.tremer@ipfire.org>
-
Michael Tremer authored
Signed-off-by: -
Michael Tremer authored
This patch adds code to parse any aggregated networks. Bird does not automatically show the last ASN of the path, but we can collect all networks that we can see without any ASN and perform "show route <network> all" on them to gather this information. Signed-off-by:
-
- 03 Mar, 2022 3 commits
-
-
Michael Tremer authored
Signed-off-by: -
Michael Tremer authored
This patch moves creating the "tag" (formerly known as prefix) into the writer class, so that we can modify it based on what output format we have. ipset and nftables will need disjunct names for IPv6 and IPv4 because they cannot handle mixed sets. Signed-off-by: -
Michael Tremer authored
It is possible to filter for what kind of network should be exported. This worked well when the filter list only contained country codes, or when it only contained ASNs. If there was a mix, only networks that match both (i.e. virtually nothing) matched. This patch fixes that we will use for either of them. Signed-off-by:
-
- 02 Mar, 2022 6 commits
-
-
Peter Müller authored
My fault, again. :-/ Reported-by:
Peter Müller <peter.mueller@ipfire.org> Signed-off-by:
-
Michael Tremer authored
Signed-off-by: -
Michael Tremer authored
This is useful if you want to pipe output straight into another program. Signed-off-by: -
Michael Tremer authored
Signed-off-by: -
Michael Tremer authored
By default, we enabled flattening of the network tree when we export it. However, this is only required for xt_geoip since the other formats can deal with overlapping networks and would even benefit from a shorter list. Therefore this is now only enabled when needed which results in shorter export times (9 seconds instead of 2.5 minutes) and the full ipset is about 20% smaller when loaded into memory than before. Signed-off-by: -
Michael Tremer authored
When we try to load a changed set which might have more entries, a previous maxelem could have been smaller preventing us from adding new entries. We also cannot run the "create" command with a changed maxelem parameter which is why this patch set the value to something that should be large enough for everything. The downside of this is also, that we cannot modify the hashsize when we reload a set, which is probably okay, since sets should not change too much in size and therefore will only run *slightly* less efficient - if at all. Signed-off-by:
-
- 01 Mar, 2022 2 commits
-
-
Michael Tremer authored
IPv6 exports could not be loaded because sets were created as type "inet" instead of "inet6" which is fixed by this patch. Signed-off-by: -
Michael Tremer authored
ipset uses a hash table internally which can be dynamically sized to chose whether more space efficiency or performance is required. Previously to this patch, we always set the size of the hash table to 1024 buckets. Having large sets with almost half a million entries, this is not performing well since we will spend a lot of time in searching the linked list. This will probably perform even slower on systems with smaller cache sizes like the IPFire Mini Appliance. Having more buckets that are sparesely filled, will result in less memory fetches at the cost of more wastage. Throughout the whole IPv4 set, this ranges from about 50 MB for a factor of 4, to about 100 MB for a factor of 0.75. Since memory of this quantity is cheap and since we want to increase throughput, I have chosen to set the fill factor to 0.75. Logistically, it is a little bit complicated to know this in advance when we have to write the header, so we will write the entire file first, and then come back to write the header again. This is required to keep memory consumption down during the export. Signed-off-by:
-
- 25 Feb, 2022 1 commit
-
-
Stefan Schantl authored
Signed-off-by:
Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by:
-
- 16 Feb, 2022 1 commit
-
-
Michael Tremer authored
Signed-off-by:
-
- 11 Feb, 2022 3 commits
-
-
Michael Tremer authored
This change allows to "restore" a file multiple times without problems. If the set already exists, the create command will skip it and we will flush any existing content to load the new one. Signed-off-by:
-
Peter Müller authored
Suggested-by:
-
Peter Müller authored
Reported-by:
-
- 02 Jan, 2022 4 commits
-
-
Michael Tremer authored
Signed-off-by: -
Michael Tremer authored
This isn't pretty but makes substitution rules easier and working correctly. Signed-off-by: -
Michael Tremer authored
Signed-off-by: -
Michael Tremer authored
Signed-off-by:
-
- 13 Dec, 2021 4 commits
-
-
Peter Müller authored
Apparently, LACNIC does not to proper input validation on supplied country codes, so people can use "UK", while they probably mean "GB" instead. Signed-off-by:
-
Peter Müller authored
This silences a bunch of warnings due to allocations at APNIC having country code set to "ZZ", which are completely irrelevant to us. Signed-off-by:
-
Peter Müller authored
This improves country code accurarcy for suballocations within IP space managed by LACNIC, as the delegated-extended-latest file only provides country code information at the top level of an allocated network. Sadly, lacnic.db.gz does not contain descriptions or names of Autonomous Systems within the space maintained by LACNIC. Signed-off-by:
-
Peter Müller authored
Previously, any present override for a given network or ASN would have caused the SQL statement not to conduct anything at all. Since "is_drop" is the only flag being actually set here, it makes sense to do so in case of already present overrides as well. The effect of this is limited: Our own override files are always considered at last, so in case of conflicts they will be the ultima ratio. This is an intended behaviour, but slipped my mind when I filed bug #12728, so this patch can only be seen as a partial solution - the rest is not a bug, but a feature. :-) Partially fixes: #12728 Signed-off-by:
-
- 23 Nov, 2021 3 commits
-
-
Michael Tremer authored
Signed-off-by: -
Michael Tremer authored
Signed-off-by: -
Michael Tremer authored
This reverts commit 2ca0603f. Signed-off-by:
-
- 20 Nov, 2021 4 commits
-
-
Michael Tremer authored
Signed-off-by: -
Michael Tremer authored
This does not seem to be necessary any more since the build works fine without the switch. Signed-off-by: -
Michael Tremer authored
Signed-off-by: -
Michael Tremer authored
Signed-off-by:
-
- 02 Nov, 2021 2 commits
-
-
Peter Müller authored
A while ago, it was discussed whether or not libloc should become an "opinionated database", i. e. including any information on a network's reputation. In general, this idea was dismissed as libloc is neither intended nor suitable for such tasks, and we do not want to make (political?) decisions like these for various reasons. All we do is to provide a useful location database in a neutral way, and leave it up to our users on how to react on certain results. However, there is a problematic area. Take AS55303 as an example: We _know_ this is to be a dirty network, tampering with RIR data and hijacking IP space, and strongly recommend against processing any connection originating from or directed to it. Since it appears to be loaded with proxies used by miscreants for abusive purposes, all we can do at the time of writing is to flag it as "anonymous proxy", but we lack possibility of telling our users something like "this is not a safe area". The very same goes for known bulletproof ISPs, IP hijackers, and so forth. This patch therefore suggests to populate the "is_drop" flag introduced in libloc 0.9.8 (albeit currently unused in production) with the contents of Spamhaus' DROP lists (https://www.spamhaus.org/drop/), to have at least the baddest of the bad covered. The very same lists are, in fact, included in popular IPS rulesets as well - a decent amount of IPFire users is therefore likely to have them already enabled, but in a very costly way. It is not planned to go further, partly because there is no other feed publicly available, which would come with the same intention, volatility, and FP rate. The third version of this patch makes use of an auxiliary function to sanitise ASNs, hence avoiding boilerplate code, and treats any line starting with a semicolon as a comment, which should be sufficient. Further, extracting ASNs from the ASN-DROP feed is done in a more clear way, avoiding code snippets hard to read. Signed-off-by:
-
Peter Müller authored
The third version of this patch does this in an even more Pythonic way. Signed-off-by:
-
- 25 Oct, 2021 1 commit
-
-
Peter Müller authored
This adds names for - at the time of writing - 421 ASNs which were missing before, as JPNIC does not mirror (all) information back to APNIC. Signed-off-by:
-
- 11 Oct, 2021 1 commit
-
-
Peter Müller authored
* Document "location version" feature. * Improve section for reporting bugs in order to make bug reporting easier. Fixes: #12698 Signed-off-by:
-
- 30 Sep, 2021 2 commits
-
-
Michael Tremer authored
Gramatically, this makes more sense. Signed-off-by: -
Michael Tremer authored
Signed-off-by:
-
