No more access to ipfire - Core 150 | Location-Filter

Hi all,

First, thanks to everybody who reported this and helped other community members experiencing the same problem.

Technically, the root cause for this is a combination of two bugs:

  1. The xt_geoip kernel module we continue to use after migrating from the GeoIP database to libloc consumes a list of networks, not a tree, hence causing mismatches in case of overlapping networks.
  2. In order to generate as accurate results for AFRINIC, APNIC and RIPE as we can, we have changed the generation script of the location database on Monday night, becoming effective Tuesday morning. Unfortunately, some of those RIRs publish networks such as 0.0.0.0/5, which are currently garbage and of no use.
    We filtered out anything that is not globally routable as such (e.g. 10.0.0.0/8), but those large networks covering other RFC 1918 IP space (172.16.0.0/12 and 192.168.0.0/16) slipped through. Because of (1), xt_geoip interprets them as a match for a large chunk of the IPv4 address space, causing the outage you observed.

To prevent this topic from being scattered across several threads, I am now going to close duplicates - please post your question here so we can all easily keep track of it.

The technical/development aspect of this issue is tracked at bug #12499.

We will keep you updated (it is probably going to be a long night for us 😑). In the meantime, please stay patient and - just to have it mentioned - avoid the temptation of ranting at us - it won’t bring you the fix faster. 🙂

Thanks, and best regards,
Peter Müller

10 Likes
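The two bugs described in the post above can be reproduced in a small model. This is an added example, not part of the post and not IPFire, libloc or xt_geoip code: the entries, the placeholder country codes `XX`/`AA`/`ZZ`, the `NON_GLOBAL` list and all function names are constructed assumptions, and only `0.0.0.0/5` and the RFC 1918 ranges come from the post.

```python
import ipaddress

# Constructed sample (network, country) pairs; codes are placeholders, not real data.
ENTRIES = [
    ("0.0.0.0/5", "XX"),      # oversized network of the kind named in the post
    ("172.0.0.0/8", "XX"),    # constructed supernet covering 172.16.0.0/12
    ("1.2.3.0/24", "AA"),     # constructed specific allocation inside 0.0.0.0/5
    ("172.16.0.0/12", "ZZ"),  # private space "as such"
]
# Assumed, non-exhaustive list of IPv4 space that is not globally routable.
NON_GLOBAL = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]

def parse(entries):
    return [(ipaddress.ip_network(n), cc) for n, cc in entries]

def flat_match(ip, entries):
    """Flat per-country lists: every country whose list contains the address."""
    addr = ipaddress.ip_address(ip)
    return sorted({cc for net, cc in parse(entries) if addr in net})

def tree_match(ip, entries):
    """Longest-prefix match: only the most specific covering network counts."""
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, cc) for net, cc in parse(entries) if addr in net]
    return max(hits)[1] if hits else None

def exact_filter(entries):
    """Drops only networks lying entirely inside non-global space."""
    return [(str(n), cc) for n, cc in parse(entries)
            if not any(n.subnet_of(s) for s in NON_GLOBAL)]

def overlap_filter(entries):
    """Also drops supernets that merely overlap non-global space."""
    return [(str(n), cc) for n, cc in parse(entries)
            if not any(n.overlaps(s) for s in NON_GLOBAL)]

if __name__ == "__main__":
    leaked = exact_filter(ENTRIES)
    print("tree lookup 1.2.3.4:", tree_match("1.2.3.4", ENTRIES))
    print("flat lookup 1.2.3.4:", flat_match("1.2.3.4", ENTRIES))
    print("LAN host after exact filter:", flat_match("172.16.5.5", leaked))
    print("LAN host after overlap filter:",
          flat_match("172.16.5.5", overlap_filter(ENTRIES)))
```

Dropping every overlapping supernet is the bluntest possible check and is shown only to make the gap in the exact filter visible; it is not a statement of how the fix tracked in bug #12499 works.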