| Summary: | GeoIP - Asia/Pacific region (AP) no longer exists, FW issuing errors for GeoIP groups using it | | |
|---|---|---|---|
| Product: | IPFire | Reporter: | Horace Michael (aka H&M) <horace.michael> |
| Component: | --- | Assignee: | Stefan Schantl <stefan.schantl> |
| Status: | CLOSED FIXED | QA Contact: | |
| Severity: | Minor Usability | | |
| Priority: | Will affect an average number of users | CC: | arne.fitzenreiter, michael.tremer, peter.mueller |
| Version: | 2 | | |
| Hardware: | all | | |
| OS: | All | | |
| See Also: | https://bugzilla.ipfire.org/show_bug.cgi?id=12076 | | |
| Attachments: | GeoIP Asia-Pacific region (AP) | | |

Actually, this problem is worse. At least for newly installed systems, these (pseudo) country codes no longer exist as an option for GeoIP groups: A1, A2, AP, EU

The last one is especially painful as some CDNs such as Akamai are located in that group. Currently, it is impossible to create a GeoIP-based firewall rule allowing such traffic.

At the moment, it does not really look like Maxmind removed this information from their GeoLite DBs, but are shipping it in another format.

Patch has been sent to the development mailing list: https://patchwork.ipfire.org/patch/2202/

Hello,

Can't test the patch - I erased from the GeoIP group the (pseudo) region AP and can't add it back as it is not listed anymore by the WUI...

But... even if the patch will prevent the errors I saw, the WUI will show to the users the missing regions in their GeoIP group, making them think that rule is there... I suggest to mark in the WUI (/cgi-bin/geoip-block.cgi) that the region no longer exists and hence the user should remove it from the GeoIP group.

Unless the user checks (like I do) the boot after each update to detect possible glitches, nobody will ever discover that some regions disappeared from the Maxmind DB...

Thanks!

The problem of MaxMind's special country codes (A1, A2, EU, AP) is now filed separately as #12076.

What is the status of this bug? Has the patch ever made it into the repository?

That patch never made it into the repository. @Michael/Arne: Could you please do so when convenient? Thank you.

Created attachment 672: GeoIP Asia-Pacific region (AP)

Hello,

I have these error messages at boot - just updated to core 129 from 127 (with not a single problem):

```
--------Start--------
iptables v1.6.2: Could not read geoip database
ERROR: iptables --wait -A OUTGOINGFW -m geoip --dst-cc AP -o ppp0 -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix 'OUTGOINGFW '
Could not open /usr/share/xt_geoip/AP.iv4: No such file or directory
iptables v1.6.2: Could not read geoip database
ERROR: iptables --wait -A OUTGOINGFW -m geoip --dst-cc AP -o ppp0 -j REJECT
Could not open /usr/share/xt_geoip/AP.iv4: No such file or directory
iptables v1.6.2: Could not read geoip database
ERROR: iptables --wait -A FORWARDFW -m geoip --dst-cc AP -o ppp0 -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix 'FORWARDFW '
Could not open /usr/share/xt_geoip/AP.iv4: No such file or directory
iptables v1.6.2: Could not read geoip database
ERROR: iptables --wait -A FORWARDFW -m geoip --dst-cc AP -o ppp0 -j REJECT
Could not open /usr/share/xt_geoip/AP.iv4: No such file or directory
iptables v1.6.2: Could not read geoip database
ERROR: iptables --wait -A OUTGOINGFW -m geoip --dst-cc AP -o ppp0 -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix 'OUTGOINGFW '
Could not open /usr/share/xt_geoip/AP.iv4: No such file or directory
iptables v1.6.2: Could not read geoip database
ERROR: iptables --wait -A OUTGOINGFW -m geoip --dst-cc AP -o ppp0 -j REJECT
Could not open /usr/share/xt_geoip/AP.iv4: No such file or directory
iptables v1.6.2: Could not read geoip database
ERROR: iptables --wait -A OUTGOINGFW -m geoip --dst-cc AP -o ppp0 -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix 'OUTGOINGFW '
Could not open /usr/share/xt_geoip/AP.iv4: No such file or directory
iptables v1.6.2: Could not read geoip database
ERROR: iptables --wait -A OUTGOINGFW -m geoip --dst-cc AP -o ppp0 -j REJECT
Could not open /usr/share/xt_geoip/AP.iv4: No such file or directory
iptables v1.6.2: Could not read geoip database
ERROR: iptables --wait -A FORWARDFW -m geoip --dst-cc AP -o ppp0 -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix 'FORWARDFW '
Could not open /usr/share/xt_geoip/AP.iv4: No such file or directory
iptables v1.6.2: Could not read geoip database
ERROR: iptables --wait -A FORWARDFW -m geoip --dst-cc AP -o ppp0 -j REJECT
Could not open /usr/share/xt_geoip/AP.iv4: No such file or directory
iptables v1.6.2: Could not read geoip database
ERROR: iptables --wait -A OUTGOINGFW -m geoip --dst-cc AP -o ppp0 -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix 'OUTGOINGFW '
Could not open /usr/share/xt_geoip/AP.iv4: No such file or directory
------END--------
```

From what I see, the Asia/Pacific region (noted AP) is no longer listed in /usr/share/xt_geoip and also not displayed by /cgi-bin/geoip-block.cgi.

I did use AP in one of the personal GeoIP groups (created with /cgi-bin/fwhosts.cgi), therefore the FW tries to use the AP region...

H&M
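
A pre-flight check for the failure reported above, as an added example that is not part of the bug report or of IPFire's code: it extracts the country codes passed to `--src-cc`/`--dst-cc` in rule text and lists those with no `<CC>.iv4` file in the database directory, so a REJECT rule that would not load is noticed before boot. The function names and the sample rules are constructed for illustration; only the directory `/usr/share/xt_geoip` and the `.iv4` file naming come from the report.

```shell
#!/bin/sh
# Added example: find country codes used by geoip matches that have no
# database file, before the rules are loaded.

# Read rule text on stdin; print each code passed to --src-cc/--dst-cc
# (or the long forms), one per line, de-duplicated. Comma lists are split.
geoip_codes_in_rules() {
    tr -s ' \t' '\n\n' |
    awk 'want { n = split($0, cc, ","); for (i = 1; i <= n; i++) print cc[i]
                want = 0; next }
         /^--(src-cc|dst-cc|source-country|destination-country)$/ { want = 1 }' |
    sort -u
}

# Print the codes from the rules on stdin that lack DBDIR/<CC>.iv4.
# Returns 1 if at least one code is missing, 0 otherwise.
missing_geoip_codes() {
    dbdir=$1
    status=0
    for cc in $(geoip_codes_in_rules); do
        if [ ! -r "$dbdir/$cc.iv4" ]; then
            echo "$cc"
            status=1
        fi
    done
    return "$status"
}

# Constructed sample: two rules shaped like those in the report, plus one
# rule with a comma-separated list.
sample_rules() {
    cat <<'EOF'
iptables --wait -A OUTGOINGFW -m geoip --dst-cc AP -o ppp0 -j REJECT
iptables --wait -A FORWARDFW -m geoip --dst-cc AP -o ppp0 -j REJECT
iptables --wait -A FORWARDFW -m geoip --src-cc DE,FR -o ppp0 -j REJECT
EOF
}

# Database directory as named in the report; pass another as $1.
sample_rules | missing_geoip_codes "${1:-/usr/share/xt_geoip}" ||
    echo "geoip rules reference codes with no database file" >&2
```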