Firewall: T4299: add geoip matching criteria

2025-10-26 08:41:46 +01:00 · 2022-06-28 11:31:07 -03:00 · 2022-06-28 11:31:07 -03:00 · bd66e4fb6f
commit bd66e4fb6f
parent cdf8b8a71d
1 changed files with 24 additions and 0 deletions
--- a/docs/configuration/firewall/index.rst
+++ b/docs/configuration/firewall/index.rst
@ -323,6 +323,22 @@ There are a lot of matching criteria against which the package can be tested.
      set firewall name WAN-IN-v4 rule 101 source address !203.0.113.0/24
      set firewall ipv6-name WAN-IN-v6 rule 100 source address 2001:db8::202

+.. cfgcmd:: set firewall name <name> rule <1-999999> source geoip country-code
+   <country>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source geoip
+   country-code <country>
+.. cfgcmd:: set firewall name <name> rule <1-999999> destination geoip
+   country-code <country>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination geoip
+   country-code <country>
+
+Match IP addresses based on its geolocation. More info: `geoip matching
+<https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_
+
+Data is provided by DB-IP.com under CC-BY-4.0 license. Attribution required,
+permits redistribution so we can include a database in images(~3MB
+compressed). Includes cron script (manually callable by op-mode update
+geoip) to keep database and rules updated.

 .. cfgcmd:: set firewall name <name> rule <1-999999> source mac-address
   <mac-address>
@ -806,3 +822,11 @@ Example Partial Config
         }
     }
  }
+
+
+Update geoip database
+=====================
+
+.. opcmd:: update geoip
+
+   Command used to update GeoIP database and firewall sets.