IPv4 Source Definitions, Line 1: Invalid GeoIP entry!

jazzl0ver · Jan 27, 2025, 11:31 AM

Hi,

Any ideas why the pfB errors on an attempt to add a GeoIP list?

🔒 Log in to view
The Europe was selected from a dropdown, so it definitely exists..

Thanks in advance!

PS pfSense 2.7.2 CE, pfB v3.2.0_20

Gertjan · Jan 27, 2025, 1:06 PM

@jazzl0ver

Not only 'Europe' ...
Any of these :

🔒 Log in to view

jazzl0ver · Jan 27, 2025, 1:06 PM

@Gertjan right. i was able to work this around by commenting out the input validation:

/*
                        if ($value != 'Disabled' && $_POST["format-{$key_1}"] == 'geoip') {
                                $k_validate = str_replace('_', '', strstr($_POST["url-{$key_1}"], ' ', TRUE));
                                if (empty(pfb_filter($k_validate, PFB_FILTER_ALNUM, 'Category_edit'))) {
                                        $input_errors[] = "{$type} Source Definitions, Line {$line}: "
                                                        . "Invalid GeoIP entry!";
                                }
                        }
*/

in /usr/local/www/pfblockerng/pfblockerng_category_edit.php

michmoor · Jan 27, 2025, 2:30 PM

@jazzl0ver Whats the best way to alert the maintainer?

jazzl0ver · Jan 27, 2025, 3:01 PM

@michmoor is that a sarcasm? meaning I'd better go and create a redmine issue?

michmoor · Jan 27, 2025, 3:02 PM

@jazzl0ver no not at all legit asking.

I ended up creating a redmine for this issue.

smolka_J · Jan 27, 2025, 4:20 PM

Another possible work around, rather than manually creating that rule as ALIAS match from the IPv4 tab, have you tried using the GeoIP tab to set Europe or others as ALIAS match on that tab? I don't get that validation error from the GeoIP tab setting them to any ALIAS variant, could also save from double loading lists.

jazzl0ver · Jan 28, 2025, 7:07 AM

@smolka_J that worked, thanks. but I intended to include several locations as "TheWest" and then use them all with a single firewall rule.

Gertjan · Jan 28, 2025, 7:32 AM

@jazzl0ver said in IPv4 Source Definitions, Line 1: Invalid GeoIP entry!:

"TheWest"

That would be a ... a list with IP networks that covers what, half the "IPv4 Internet" ?
A pretty big list.
A couple of what, millions (?) of firewall IP network entries ... All loaded into pf when it starts and reloads ... and every entry of this list is tested for every packet stream belonging to a potential new firewall state, if a match was found.

Let's say you've use the "TheWest" list as a whitelist list.
So, when a load of connections comes in from a network not on the list (the "East" ^^), the entire list has to be traversed, and at the end the IP gets blocked as no match was found. This means : thousands of times per second the entire 'million' list has to be traversed.
You get where this is going ?

smolka_J · Jan 28, 2025, 7:46 AM

@jazzl0ver Manually adding the local URL for the continent file like /usr/local/share/GeoIP/cc/Europe_v4.txt with format set to Auto does look to work otherwise as the info box notes, just not the autocomplete entry for continents when the state is set to ON for it but individual country entries do seem to work fine for autocomplete otherwise. Strangely enough, if you have the State option set to OFF then autocomplete continent entries do pass validation to save successfully but same message if you change it to ON after. BBCan177 is looking into it

jazzl0ver · Jan 28, 2025, 4:02 PM

@Gertjan i'm aware of all of that, thanks. the thread was about a bug in the pfB, not about the right usage