Releases: friendly-bits/geoip-shell
v0.6.1
This is another fairly big release, featuring the following main changes:
- Fix a regression introduced in v0.6.0 which caused the -fetch script to not use the built-in feature of comparing entry counts between the fetched list for each country code and the previous list, and avoiding the use of a list where the count dropped significantly
- Fix a regression introduced in v0.6.0 which caused the nftables or iptables rule counters to not be preserved when updating the ip lists under some circumstances
- Simplify logic and improve error handling in the -run script
- Simplify logic and improve error handling in the -manage script
- Fix a regression introduced in v0.6.0 which caused firewall rules coherence check to be performed 3 times after certain actions
- Fix incorrect permissions set for the config file and the backup files
- Fix check-ip-in-source not working unless run from the distribution directory
- Improve error handling in the -install script
- In whitelist mode, always allow DHCP-related communication to/from private ip ranges (limited to DHCP-specific ports) for both ipv4 and ipv6 (only ipv6 was allowed previously)
- In whitelist mode, always allow ipv4 link-local addresses (only ipv6 link-local addresses were allowed previously) - thanks @genekellyjr for reporting the issue.
- Now link-local addresses, LAN addresses (if configured) and trusted addresses (if configured) are combined in one ipset and only one rule is created for the combined set, per geoblocking direction and ip family
- The `geoip-shell status` command now reports allowed addresses (the 3 categories above combined) separately for each geoblocking direction
- The -detect-lan script has been reworked into a library. LAN subnets detection is now performed more efficiently
- Update and improve documentation
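
The entry-count comparison mentioned in the first item above guards against installing a truncated or otherwise degraded ip list. The sketch below is an added example, not geoip-shell's own code; the function names, the one-subnet-per-line list format and the 90% default threshold are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not geoip-shell code): refuse a freshly fetched ip list
# whose entry count dropped sharply compared to the list currently in use.

# Assumption: one subnet per line; blank lines and '#' comments are not entries.
count_entries() {
	[ -r "$1" ] || { echo 0; return 0; }
	# grep -c prints 0 but exits non-zero when nothing matches, hence '|| :'
	grep -cvE '^[[:space:]]*(#|$)' "$1" || :
}

# list_count_ok <previous_list> <fetched_list> [min_percent]
# Returns 0 when the fetched list may replace the previous one.
# min_percent defaults to 90, a hypothetical threshold chosen for this example.
list_count_ok() {
	prev_cnt=$(count_entries "$1")
	new_cnt=$(count_entries "$2")
	min_pct=${3:-90}

	# An empty fetched list is never acceptable.
	[ "$new_cnt" -gt 0 ] || return 1
	# First fetch: there is no previous list to compare against.
	[ "$prev_cnt" -gt 0 ] || return 0
	# Integer arithmetic only: accept when new/prev >= min_pct/100.
	[ $((new_cnt * 100)) -ge $((prev_cnt * min_pct)) ]
}

# Constructed sample data: 10 subnets in use, a fetch truncated to 3 entries.
tmp=$(mktemp -d)
i=0
while [ "$i" -lt 10 ]; do
	echo "192.0.2.$((i * 16))/28"
	i=$((i + 1))
done > "$tmp/prev"
head -n 3 "$tmp/prev" > "$tmp/truncated"

if list_count_ok "$tmp/prev" "$tmp/truncated"; then
	echo "fetched list accepted"
else
	echo "fetched list rejected: entry count dropped, keeping previous list"
fi
rm -rf "$tmp"
```
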
Full Changelog: v0.6.0...v0.6.1
v0.6.0
This release is a pretty big one. The most important change is complete implementation of outbound geoblocking. This required so many changes that almost all main scripts have been at least partially rewritten, same for the large library scripts.
Lots of other changes to the code have been made in order to make the logic more straightforward where possible and improve performance, in particular in the code handling loading of ip lists into the firewall.
Because the logic which handles arguments processing in the -manage script got too complex, I decided to remove certain features which in my opinion are not very important. Specifically, the `add` and `remove` commands have been removed. Changing the country codes can still be done via the command `geoip-shell configure -c <country_codes>`. This command will trigger all ip lists to be re-fetched, so it is not as fast as the `add` and `remove` commands, but then I believe that in the vast majority of cases users do not need to change the country codes often. If you feel that this is a major loss, please let me know and I will consider re-implementing these commands.
That said, changing certain configuration options will work much faster with this version. For example, changing the ports would trigger ip lists re-fetch with the older versions. With v0.6.0, as long as ip lists backup is enabled, ipsets are loaded from backup and firewall rules are recreated taking into consideration the options change.
In addition, the -install script no longer accepts any geoblocking configuration options. Now its purpose is purely to install geoip-shell. After installation, it still calls the -manage script which by default starts the interactive setup. All previous configuration options (and then some) are still available via the command `geoip-shell configure` after installation.
The -manage script now accepts a geoblocking direction option (`-D <inbound|outbound>`) which serves as a modifier for 3 other options: `-m <geoblocking_mode>`, `-c <country_codes>` and `-p <ports_expression>`. The docs have been updated with examples and a detailed explanation of how this works. In order to preserve the usage experience of the older versions, I made the direction modifier optional. When it is omitted, the above 3 options work as before, setting configuration for inbound geoblocking. When the `-D outbound` option is specified, the direction-specific options that follow it (`-m`, `-c` and `-p`) set configuration for outbound geoblocking.
Geoblocking mode for each direction can now be set to `disable`. This will remove all firewall rules and loaded ip sets for that direction. Technically, you can set geoblocking mode to `disable` for both geoblocking directions - this will disable geoblocking completely. This was already possible with the `geoip-shell off` command previously. The difference is that `geoip-shell off` will leave all loaded ip sets and firewall rules intact, except the geoblocking enable rule which gets removed.
When running the interactive setup without the option `-D outbound`, geoip-shell will not suggest enabling and configuring outbound geoblocking. This is in order to both preserve the previous usage experience and to prevent users from accidentally blocking the machine from accessing the Internet.
I have tested this version extensively in multiple operating systems and fixed all bugs I could find. However, because of the sheer number of changes, there may be more bugs. If you find one, please let me know by opening an issue.
Full Changelog: v0.5.11...v0.6.0
v0.5.11
This is a small bugfix release.
Bugs fixed:
- fix regression introduced in v0.5.9 where rule counters are not preserved after ip list updates
- fix uninstall script printing irrelevant error when run without root permissions
Full Changelog: v0.5.10...v0.5.11
v0.5.10
This is a relatively small bugfix/maintenance release with following main changes:
- fetch: fix compatibility with older curl versions which do not support the '--fail-early' option
- fetch: improve SSL support detection on OpenWrt
- fetch: improve handling of cases where no utilities with SSL support are found on OpenWrt
- manage: action 'configure': Improve cron-related checks and error and info messages
- OpenWrt/makefile: set correct permissions for symlink, add error checking
Full Changelog: v0.5.9...v0.5.10
v0.5.9
Main changes in this release:
- Fixed nftables sets creation on systems which enforce short nftables set names
- Minor improvements to logic involved with processing noblock, nopersist, force_cron_persist options, issue a warning when installing with these options set to true
- Fixed persistence on OpenWrt when installing via the install script (installation via opkg was unaffected)
- Use slightly lower value for minimum system memory required for 'performance' nftables sets default policy
Full Changelog: v0.5.8...v0.5.9
v0.5.8
This release improves compatibility with some Busybox-based systems and fixes a couple of bugs.
Main changes:
- install: support the `-F` option to force using cron-based persistence on Busybox-based systems. Specifically, this allows using cron-based persistence on Alpine Linux and possibly on some other systems (read Documentation/SETUP.md for a detailed explanation of this feature).
- Fixed regression introduced in v0.5.7 which would prevent correct detection of running cron daemon under certain conditions
- Improved compatibility with cron daemons: cronie, fcron, dcron
- Minor code optimizations
Full Changelog: v0.5.7...v0.5.8
v0.5.7
This release mainly focuses on usability and compatibility improvements and bug fixes.
Bugs fixed:
- Firewall backend gets reset in config when reinstalling/updating geoip-shell
- In some cases the data directory is created then deleted during fresh installation
- The data directory path can be changed to one of the reserved paths
- If installation is interrupted before setup is completed and then the install script is run again, some errors are printed
- A warning is printed with newer versions of GNU grep
- With some shells, the -run script fails
- On OpenWrt, default data directory is incorrectly set to '/tmp/geoip-shell' rather than '/tmp/geoip-shell-data'
Compatibility improvements:
- Support running with the AT&T Korn shell
- Support additional cron daemons: cronie, dcron, fcron
- Support detecting, checking and starting the cron daemon with OpenRC
- Support Gentoo with OpenRC
- Support changing the datadir when the 'find' utility is non-GNU
Usability improvements:
- At first setup, print which firewall backend geoip-shell is configured for
Full Changelog: v0.5.6...v0.5.7
v0.5.6
This release focuses on reliability improvements.
Main changes:
- When automatic backup is enabled, perform backup before upgrade or reinstallation
- Improved error messages when the firewall utility (nftables/iptables+ipset) is not detected
- Improved error messages in certain cases when fetch or application of ip lists fails
- Improved handling of missing or corrupted config
- Improved logic for recovery from fault conditions
- Connection check: increase timeout from 7s to 10s
- Simpler logic for detecting OpenWrt and loading the required library
Full Changelog: v0.5.5...v0.5.6
v0.5.5
This is mainly a bugfix release.
Bugs fixed:
- fetch: fix parsing of json files from RIPE where one of the ip families has no subnets
- fetch: fail gracefully when no applicable ip list ids are found
- manage: fail gracefully when no applicable ip list ids are found
- manage: fix ip lists restore from config and from backup when requested changes fail
- fix handling country codes which only have subnets in one ip family (exclusions can now be specified in the `iplist-exclusions.conf` file)
- fix handling of ip lists which only have 1 element
Full Changelog: v0.5.4...v0.5.5
v0.5.4
This release focuses on bug fixes and on reliability and usability improvements.
Main changes:
- reimplemented connectivity check which now relies on the same utility as used for normal ip lists download (curl/wget/uclient-fetch)
- improved console and error messages
- improved handling of missing or corrupted config files when uninstalling
- downloaded ip lists directory changed from /tmp to /tmp/geoip-shell
Bug fixes:
- fix connectivity check failing when the nslookup utility is missing or on systems which only allow specific DNS servers
- fix certain potential errors in the -apply script not handled correctly on OpenWrt
- fix geoip-shell data directory unnecessarily deleted and then recreated during initial setup
- fix duplicate warning messages when fetch fails
- fix incorrect units for packets and bytes count reported by `geoip-shell status -V` on nftables-based systems
Full Changelog: v0.5.3...v0.5.4