Author Topic: mod_geoip and documentation mismatch  (Read 2037 times)

Offline cmerriman

  • Regular User
  • Posts: 37
mod_geoip and documentation mismatch
« on: August 13, 2013, 02:03:54 am »
Let me preface this by saying that I am fine with the way the module is working now.  I have a single GeoIpAllowFilter directive and want any non-matching connection to be denied. However, in testing the new GeoIpPolicy directive I found some issues.

Platform: proftpd 1.3.5rc3 and mod_geoip/0.5

A GeoIpPolicy of "allow,deny" is not honored if there is a GeoIpAllowFilter directive that does not match the client. The trace output states that the GeoIpPolicy is being interpreted as per the documentation, but the connection is still refused, even though there is no GeoIpDenyFilter.

Relative configuration:
GeoIPEngine on
GeoIPTable /usr/local/share/GeoIP/GeoIP.dat
GeoIpAllowFilter CountryCode (AF)
GeoIpPolicy allow,deny

trace.log:
2013-08-12 14:25:41,105 [23406] <geoip:15>: loaded default GeoIP table: GEO-106FREE 20110601 Build 1 Copyright (c) 2011 MaxMind Inc All Rights Reserved (type 1)
2013-08-12 14:25:41,105 [23406] <geoip:8>: x.x.x.x: 2-Letter country code: US
2013-08-12 14:25:41,105 [23406] <geoip:8>: x.x.x.x: 3-Letter country code: USA
2013-08-12 14:25:41,105 [23406] <geoip:8>: x.x.x.x: Country name: United States
2013-08-12 14:25:41,105 [23406] <geoip:8>: x.x.x.x : Continent name: NA
2013-08-12 14:25:41,105 [23406] <geoip:8>: using policy of allowing connections unless rejected by GeoIPDenyFilters
2013-08-12 14:25:41,105 [23406] <regexp:9>: executing POSIX regex '(AF)' against subject 'US'
2013-08-12 14:25:41,105 [23406] <geoip:12>: CountryCode filter value US did not match GeoIPAllowFilter pattern '(AF)'
2013-08-12 14:25:41,105 [23406] <event:8>: dispatching event 'core.exit' to core (at 0x4153c0, use cache = false)

geoip.log:
2013-08-12 14:25:41,105 countryAccess[23406]: CountryCode filter value 'US' did not match GeoIPAllowFilter pattern '(AF)'
2013-08-12 14:25:41,105 countryAccess[23406]: connection from x.x.x.x denied due to GeoIP filter/policy

As best I can tell, this is related to the return statement at line 173 of mod_geoip.c which effectively closes the connection at the first non-matching GeoIpAllowFilter.

It appears that the current process is:
If a client does not match a GeoIpAllowFilter directive, the access is denied.
If a client matches a GeoIpDenyFilter directive, the access is denied.
If the GeoIpPolicy is 'allow,deny' then the access is allowed.  However, by this time any explicit Deny has already been processed, so the directive is moot.
If the GeoIpPolicy is 'deny,allow' AND there is no active GeoIpAllowFilter directive, then the access is denied.
Otherwise, allow access.  To reach this point there must be no matching GeoIpDenyFilter AND ( the client must match every GeoIpAllowFilter OR ( there is no GeoIpAllowFilter directive AND the GeoIpPolicy is 'deny,allow' ) ).

Along with this, I found that the configuration
GeoIpAllowFilter CountryCode (AF)
GeoIpAllowFilter CountryCode (US)

will deny all access.  The return statement at line 173 is executed when the client fails to match a GeoIpAllowFilter directive.  Since the GeoIp database will not return two different country codes for the client, at least one of the directives will cause the client to be denied.

This is contrary to the documentation:
Multiple GeoIPAllowFilter directives in the configuration are supported; if any filter matches the connecting client, the connection will be allowed.

To repeat, the module is working for me exactly as I need.  It just doesn't match the documentation.
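The following is an added model (not mod_geoip.c, and not code from the reporter) of the two evaluation orders described in this post: the documented "any matching GeoIPAllowFilter allows" rule next to the observed "first non-matching GeoIPAllowFilter denies" rule, driven by the same config snippets and a client whose country code is US. The default policy of deny,allow when no GeoIpPolicy directive is present, and the use of Python's re for mod_geoip's POSIX regexes, are assumptions.

```python
import re

def parse_geoip_config(text):
    """Pull Filter and Policy directives out of a proftpd.conf snippet."""
    allow, deny, policy = [], [], "deny,allow"   # default policy is an assumption
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0].lower() == "geoipallowfilter":
            allow.append((parts[1], parts[2]))
        elif len(parts) == 3 and parts[0].lower() == "geoipdenyfilter":
            deny.append((parts[1], parts[2]))
        elif len(parts) == 2 and parts[0].lower() == "geoippolicy":
            policy = parts[1].lower()
    return allow, deny, policy

def _matches(filters, attrs):
    # mod_geoip uses POSIX regexes; re.search behaves the same for these patterns
    return [bool(re.search(pat, attrs.get(key, ""))) for key, pat in filters]

def documented_decision(allow, deny, attrs, policy):
    """What the documentation promises: a matching DenyFilter denies, any
    matching AllowFilter allows, and the policy decides when nothing matches."""
    if any(_matches(deny, attrs)):
        return False
    if any(_matches(allow, attrs)):
        return True
    return policy == "allow,deny"   # "allow unless rejected by GeoIPDenyFilters"

def observed_decision(allow, deny, attrs, policy):
    """What the thread reports: the first AllowFilter that does not match the
    client ends evaluation with a denial, before policy is consulted."""
    for ok in _matches(allow, attrs):
        if not ok:
            return False            # the early return the reporter points at
    if any(_matches(deny, attrs)):
        return False
    if policy == "allow,deny":
        return True
    return bool(allow)              # deny,allow with no AllowFilter: denied

if __name__ == "__main__":
    # constructed client attributes, matching the trace output above
    client = {"CountryCode": "US"}
    two_filters = "GeoIpAllowFilter CountryCode (AF)\nGeoIpAllowFilter CountryCode (US)"
    cfg = parse_geoip_config(two_filters)
    print("documented:", documented_decision(*cfg[:2], client, cfg[2]))
    print("observed:  ", observed_decision(*cfg[:2], client, cfg[2]))
```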



Offline castaglia

  • Administrator
  • Support Hero
  • Posts: 5253
    • http://www.castaglia.org/
Re: mod_geoip and documentation mismatch
« Reply #1 on: August 13, 2013, 10:15:16 pm »
I reproduced this behavior; I think that the mod_geoip documentation is correct, and it's the handling of GeoIPAllowFilter which is flawed.  But just to be clear, do you (as a concerned mod_geoip user) think that:

  GeoIpAllowFilter CountryCode (AF)
  GeoIpAllowFilter CountryCode (US)

should work?  I have a patch which fixes this mod_geoip behavior; I just want to ensure that it is not breaking other expectations you might have.

And thanks for reporting this issue!

Offline cmerriman

  • Regular User
  • Posts: 37
Re: mod_geoip and documentation mismatch
« Reply #2 on: August 14, 2013, 11:59:40 am »
I actually prefer and use the form:

   GeoIpAllowFilter CountryCode (AF|US)

But, yes, I would expect multiple GeoIpAllowFilter directives to work like multiple Allow directives.

As an aside, http://www.castaglia.org/proftpd/modules/mod_geoip.html does not have the latest version that lists GeoIpPolicy.



Offline castaglia

  • Administrator
  • Support Hero
  • Posts: 5253
    • http://www.castaglia.org/
Re: mod_geoip and documentation mismatch
« Reply #3 on: August 14, 2013, 04:12:09 pm »
I agree, using a single Filter directive whose regex encompasses multiple cases is better.  The handling of multiple GeoIPAllowFilter directives should now be fixed in the mod_geoip code in CVS.

The mod_geoip docs on castaglia.org are outdated, now that mod_geoip is distributed with the proftpd source.  I'll be updating my website accordingly.
