Bug 12054 - GeoIP - Asia/Pacific region (AP) no longer exists, FW issuing errors for GeoIP groups using it
Status: CLOSED FIXED
Product: IPFire
Version: 2
Hardware: all All
Importance: Will affect an average number of users, Minor Usability
Assignee: Stefan Schantl
Reported: 2019-04-15 20:00 UTC by Horace Michael (aka H&M)
Modified: 2020-01-30 10:23 UTC
Attachments
GeoIP Asia-Pacific region (AP) (7.61 KB, image/png)
2019-04-15 20:00 UTC, Horace Michael (aka H&M)
Description Horace Michael (aka H&M) 2019-04-15 20:00:38 UTC
Created attachment 672
GeoIP Asia-Pacific region (AP)

Hello,
I have these error messages at boot - just updated to core 129 from 127 (with not a single problem):

--------Start--------
iptables v1.6.2: Could not read geoip database
ERROR: iptables --wait -A OUTGOINGFW -m geoip --dst-cc AP -o ppp0 -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix 'OUTGOINGFW '
Could not open /usr/share/xt_geoip/AP.iv4: No such file or directory
iptables v1.6.2: Could not read geoip database
ERROR: iptables --wait -A OUTGOINGFW -m geoip --dst-cc AP -o ppp0 -j REJECT
Could not open /usr/share/xt_geoip/AP.iv4: No such file or directory
iptables v1.6.2: Could not read geoip database
ERROR: iptables --wait -A FORWARDFW -m geoip --dst-cc AP -o ppp0 -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix 'FORWARDFW '
Could not open /usr/share/xt_geoip/AP.iv4: No such file or directory
iptables v1.6.2: Could not read geoip database
ERROR: iptables --wait -A FORWARDFW -m geoip --dst-cc AP -o ppp0 -j REJECT
Could not open /usr/share/xt_geoip/AP.iv4: No such file or directory
iptables v1.6.2: Could not read geoip database
ERROR: iptables --wait -A OUTGOINGFW -m geoip --dst-cc AP -o ppp0 -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix 'OUTGOINGFW '
Could not open /usr/share/xt_geoip/AP.iv4: No such file or directory
iptables v1.6.2: Could not read geoip database
ERROR: iptables --wait -A OUTGOINGFW -m geoip --dst-cc AP -o ppp0 -j REJECT
Could not open /usr/share/xt_geoip/AP.iv4: No such file or directory
iptables v1.6.2: Could not read geoip database
ERROR: iptables --wait -A OUTGOINGFW -m geoip --dst-cc AP -o ppp0 -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix 'OUTGOINGFW '
Could not open /usr/share/xt_geoip/AP.iv4: No such file or directory
iptables v1.6.2: Could not read geoip database
ERROR: iptables --wait -A OUTGOINGFW -m geoip --dst-cc AP -o ppp0 -j REJECT
Could not open /usr/share/xt_geoip/AP.iv4: No such file or directory
iptables v1.6.2: Could not read geoip database
ERROR: iptables --wait -A FORWARDFW -m geoip --dst-cc AP -o ppp0 -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix 'FORWARDFW '
Could not open /usr/share/xt_geoip/AP.iv4: No such file or directory
iptables v1.6.2: Could not read geoip database
ERROR: iptables --wait -A FORWARDFW -m geoip --dst-cc AP -o ppp0 -j REJECT
Could not open /usr/share/xt_geoip/AP.iv4: No such file or directory
iptables v1.6.2: Could not read geoip database
ERROR: iptables --wait -A OUTGOINGFW -m geoip --dst-cc AP -o ppp0 -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix 'OUTGOINGFW '
Could not open /usr/share/xt_geoip/AP.iv4: No such file or directory
------END--------

From what I see, the Asia/Pacific region (noted AP) is no longer listed in /usr/share/xt_geoip and also not displayed by /cgi-bin/geoip-block.cgi.

I did use AP in one of the personal GeoIP groups (created with /cgi-bin/fwhosts.cgi), therefore the FW tries to use the AP region...

H&M
Comment 1 Peter Müller 2019-04-16 19:20:40 UTC
Actually, this problem is worse.

At least for newly installed systems, these (pseudo) country codes no longer exist as an option for GeoIP groups: A1, A2, AP, EU

The last one is especially painful as some CDNs such as Akamai are located in that group. Currently, it is impossible to create a GeoIP-based firewall rule allowing such traffic.

At the moment, it does not really look like MaxMind removed this information from their GeoLite DBs, but rather that they are shipping it in another format.
Comment 2 Stefan Schantl 2019-04-16 20:09:23 UTC
Patch has been sent to the development mailing list:

https://patchwork.ipfire.org/patch/2202/
Comment 3 Horace Michael (aka H&M) 2019-04-16 20:42:03 UTC
Hello,

Can't test the patch - I erased the (pseudo) region AP from the GeoIP group and can't add it back as it is not listed anymore by the WUI...

But... even if the patch will prevent the errors I saw, the WUI will show the users the missing regions in their GeoIP group, making them think that the rule is there...

I suggest marking in the WUI (/cgi-bin/geoip-block.cgi) that the region no longer exists and hence the user should remove it from the GeoIP group.

Unless the user checks (like I do) the boot after each update to detect possible glitches, nobody will ever discover that some regions disappeared from the MaxMind DB...

Thanks!
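
The failure reported in this bug, a rule that names a country code whose database file is gone and therefore never loads, can be detected before the firewall is reloaded rather than by reading the boot output. The script below is an added example, not part of the bug thread or of IPFire's code; the function names, the sample rules and the temporary directory standing in for /usr/share/xt_geoip are assumptions.

```shell
#!/bin/sh
# Added example (not IPFire code): list GeoIP country codes referenced by
# iptables rules that have no database file, i.e. rules that will not load.

# Read rule text on stdin; print each code passed to the xt_geoip match
# options, one per line, de-duplicated. Handles lists such as "DE,AP".
# Anything that is not a two-character code is ignored, so the value is
# safe to use as a file name.
geoip_codes_in_rules() {
    awk '{
        for (i = 1; i < NF; i++)
            if ($i == "--src-cc" || $i == "--dst-cc" ||
                $i == "--source-country" || $i == "--destination-country") {
                n = split($(i + 1), cc, ",")
                for (j = 1; j <= n; j++)
                    if (cc[j] ~ /^[A-Z][A-Z0-9]$/) print cc[j]
            }
    }' | sort -u
}

# Print (space-separated, on one line) the codes from the rules on stdin for
# which "$1/<CODE>.iv4" is not readable. Empty output: every rule can load.
missing_geoip_codes() {
    dbdir=$1
    missing=""
    for cc in $(geoip_codes_in_rules); do
        [ -r "$dbdir/$cc.iv4" ] || missing="${missing:+$missing }$cc"
    done
    printf '%s\n' "$missing"
}

# Constructed sample: the first two rules follow the boot errors in the
# report, the third is made up to show a comma-separated list.
SAMPLE_RULES='iptables --wait -A OUTGOINGFW -m geoip --dst-cc AP -o ppp0 -j REJECT
iptables --wait -A FORWARDFW -m geoip --dst-cc AP -o ppp0 -j REJECT
iptables --wait -A FORWARDFW -m geoip --src-cc DE,EU -j ACCEPT'

# Demo against a throwaway directory standing in for /usr/share/xt_geoip that
# holds DE.iv4 only (constructed state: the AP and EU files are absent).
demo() {
    tmp=$(mktemp -d) || return 1
    : > "$tmp/DE.iv4"
    printf '%s\n' "$SAMPLE_RULES" | missing_geoip_codes "$tmp"
    rm -rf "$tmp"
}

demo   # prints: AP EU
```

A non-empty result means at least one LOG, REJECT or ACCEPT rule will be absent from the running ruleset even though the group still appears in the configuration.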
Comment 4 Peter Müller 2019-05-11 10:07:56 UTC
The problem of MaxMind's special country codes (A1, A2, EU, AP) is now filed separately as #12076.
Comment 5 Peter Müller 2019-10-13 10:26:27 UTC
What is the status of this bug? Has the patch ever made it into the repository?
Comment 6 Peter Müller 2019-10-28 15:10:28 UTC
That patch never made it into the repository.

@Michael/Arne: Could you please do so when convenient? Thank you.