Releases: friendly-bits/geoip-shell
v0.1.5-nftables
This is mainly a bugfix release.
Changes:
- Save $PATH to config when installing and restore it when loading scripts (fixes issues with PATH not being set up correctly when running from cron jobs on some systems)
- fixed reporting of discrepancies between the ip lists in the config and the ip lists in the firewall
- fixed restore from backup
- fixed ipv6 local subnets detection
- prioritize curl over uclient-fetch to avoid SSL issues on OpenWrt
- install: new option: [-a] to autodetect LAN subnets or WAN interfaces
- install: new option: [-t <host|router>] to pre-set device type
- support insecure (non-SSL) download when no SSL-capable download tool is available
Full Changelog: v0.1.4...v0.1.5-nftables
v0.1.5-iptables
First public release of the iptables branch.
v0.1.4
This is a minor release with the following changes:
- use counters on ipset rules and on the whitelist blocking rule
- minor improvements to the status report
- refuse to install with busybox cron, unless nopersistence is enabled (busybox cron doesn't support the @reboot directive - daemon-based persistence will be implemented later)
Full Changelog: v0.1.3...v0.1.4
v0.1.3
This is a feature release with the following changes:
- geoip-shell status: Report detailed ip ranges count for ip sets (triggered by running 'geoip-shell status -v')
- geoip-shell status: Report ip lists source
- geoip-shell status: (for hosts) Report LAN subnets in the whitelist
- geoip-shell status: (for routers) Report network interfaces the rules apply to
- Support policy 'performance' for ip sets (enabled by installing with the '-p' option)
- Improved console output messages
- Improved documentation
Full Changelog: v0.1.2...v0.1.3
v0.1.2
This release is mainly about fine-tuning and minor bug fixes.
Bugs fixed:
- When fetch fails for some of the ip lists and action is 'add', the *-run.sh script doesn't halt application of other ip lists to the firewall
- uclient-fetch may fail to download some ip lists from RIPE because of too short timeout value
- When rules application fails, the corrective action is in some cases too drastic
Fine tuning:
- *-apply.sh: remove ip lists atomically
- *-apply.sh: compacted some code
- More consistent error and console messages across several scripts
- Improved documentation
Full Changelog: v0.1.1...v0.1.2
v0.1.1
This is mainly a bugfix release.
Bugs fixed:
- ctstate established,related rule not placed near the top of the geoip chain
- *apply.sh script errors out when local subnets config is skipped during installation
- geoip on/off state gets reset by the *apply.sh script
Full Changelog: v0.1...v0.1.1
v0.1
First public release with the new name 'geoip-shell'.
What's changed in this project since the last release of geoblocker-bash?
A lot. Main changes:
- All scripts have been translated from Bash to POSIX-compliant shell code.
- nftables support has been implemented, iptables support has been removed.
- Very different (and significantly better) structure of firewall rules under the hood.
- Proper support for running on a router has been implemented, alongside support for running on a host.
- Additional features have been implemented, including support by the -manage and -apply scripts for switching geoip on and off while leaving the firewall rules and nftables sets in place.
- The raw ip lists are no longer kept on disk after having been applied. Instead, once the ip lists have been loaded into nftables sets (which also optimizes them), they get dumped back to disk, then compressed by the -backup script. The compressed lists are then used both to restore nftables sets after a reboot and as a backup.
- Virtually every bit of code has been optimized and improved.
- Some complexities in internal logic have been replaced by more straightforward code, which makes the project more robust and reliable.
- The -fetch and -apply scripts have been almost completely rewritten. The -manage script has been streamlined and partially rewritten. Most other scripts went through significant changes.
- A lot of external dependencies have been removed and their functionality implemented through shell builtins.
- Documentation has been updated and improved.
- 3 new scripts have been added:
  - geoip-shell-nft.sh: implements nftables-related functions used in several other scripts
  - posix-arrays-a-mini.sh: implements limited support for arrays (used to translate certain bits of the bash code which require arrays)
  - ip-regex.sh: holds common regexes used in multiple scripts
- After all these changes, the resulting code base is leaner by about a third (currently 114KB vs 170KB in geoblocker-bash).
As this is the first public release after massive changes in the code, there might be significant bugs. That said, I am using this code in production and so far it's doing its job.