I am unsure if this is the right place to post this, so please move the post to UI if needed.
I see that in CU 200 /var/ipfire/firewall/locationblock contains XK and that it is also activated (=on) when using Check all in the UI.
location list-networks-by-cc XK
Could not create country
the UI does not display XK
iptables -t filter -L LOCATIONBLOCK does not show XK (probably because there is no entry in the location DB to create the XK ipset?!)
ipset list XK
ipset v7.22: The set with the given name does not exist
Are there any other ISO CCs in /var/ipfire/firewall/locationblock that get the same treatment as XK: they exist in the settings file, but not in the location DB?
XK is not a Country Code. It is a user-assigned code in the ISO 3166-1 alpha-2 list that is used to represent Kosovo for things like the IMF, the SWIFT banking system, certain aspects of the European Community etc.
In terms of country codes, Kosovo is currently still covered by the Serbia country code RS.
When Kosovo has completed certain steps, which it is part way through, it will get its own country code, with the X being removed and replaced with another letter.
The command-line command location list-countries
gives a list of all the two-letter country codes defined in the location DB.
You can also use location list-countries --show-name
and get the list of two-letter country codes together with the defined name for each country.
Thank you!
I have changed my script to use the location DB as the source of truth instead of the settings file from /var/ipfire/firewall.
And I used the location utility to validate that there are entries in the location DB, to avoid creating an empty ipset in memory.
Appreciated!
Use case: I have reversed the logic of LOCATIONBLOCK: now it blocks everything except what is explicitly allowed, saving memory and computing power by checking only the allowed sets. The boot sequence and Apply IPTABLES changes are also much faster (on old APU boxes this is very visible): it only needs a fraction of the time to generate the ipsets for the allowed countries rather than generating tens of ipsets for the blocked ones.
iptables -t filter -v -L LOCATIONBLOCK | head -n 10
Chain LOCATIONBLOCK (2 references)
pkts bytes target prot opt in out source destination
7 471 RETURN all -- !red0 any anywhere anywhere
0 0 RETURN all -- any any 10.0.0.0/8 anywhere
0 0 RETURN all -- any any 172.16.0.0/12 anywhere
13 622 RETURN all -- any any 192.168.0.0/16 anywhere
0 0 RETURN all -- any any 100.64.0.0/10 anywhere
0 0 RETURN all -- any any base-address.mcast.net/4 anywhere
0 0 RETURN all -- any any anywhere anywhere match-set allow_zone_master src
0 0 DROP all -- any any anywhere anywhere
ipset list allow_zone_master
Name: allow_zone_master
Type: list:set
Revision: 3
Header: size 8
Size in memory: 128
References: 1
Number of entries: 1
Members:
allow_cc_DE
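The following script is an added example, not IPFire's own firewall code and not the poster's script. It puts together the two points made in the thread: validating country codes against `location list-countries` (the second reply) and building the reversed, allow-list LOCATIONBLOCK chain from `list:set` and per-country `hash:net` ipsets (the third post), while refusing to create a set for a code such as XK that the location DB does not know or has no IPv4 networks for. Assumptions that are not from the thread: the allow file path /var/ipfire/firewall/locationallow and its format (one `CC` or `CC=on` per line) are hypothetical; `location list-countries` and `location list-networks-by-cc` are taken to print one code or one network per line, as the reply describes; only IPv4 networks are loaded because the sets are `family inet`. Set, chain and interface names mirror the output shown above.

```shell
#!/bin/sh
# Added example (not IPFire's own code): build the reversed (allow-list)
# LOCATIONBLOCK chain from the location DB, skipping codes the DB does not
# know (XK) or has no IPv4 networks for, so no empty ipset is ever created.
# Assumptions: ALLOW_FILE is a hypothetical file with one "CC" or "CC=on"
# per line; set and chain names mirror the output shown in the thread.
set -eu

ALLOW_FILE="${ALLOW_FILE:-/var/ipfire/firewall/locationallow}"   # hypothetical path
MASTER_SET="allow_zone_master"
CHAIN="LOCATIONBLOCK"
RED_IF="red0"

# Codes the location DB actually defines: the source of truth, not the settings file.
known_countries() {
    location list-countries
}

# Returns 0 if the location DB knows code $1, 1 otherwise (XK fails this check).
is_known_cc() {
    known_countries | grep -qx "$1"
}

# Print `ipset restore` lines for allow_cc_<CC> (IPv4 only, since the set is
# family inet). Prints nothing and returns 1 when the DB has no IPv4 networks
# for the code, so the caller never creates an empty set.
emit_cc_set() {
    cc="$1"
    nets="$(location list-networks-by-cc "$cc" 2>/dev/null | grep -v ':' || true)"
    [ -n "$nets" ] || return 1
    echo "create allow_cc_$cc hash:net family inet"
    echo "flush allow_cc_$cc"
    printf '%s\n' "$nets" | while IFS= read -r net; do
        if [ -n "$net" ]; then
            echo "add allow_cc_$cc $net"
        fi
    done
}

# Print the complete `ipset restore` batch for the codes listed in file $1.
# Entries like "XK=on" that the DB cannot back are reported on stderr and skipped.
build_ipsets() {
    echo "create $MASTER_SET list:set"
    echo "flush $MASTER_SET"
    while IFS= read -r line; do
        case "$line" in ""|"#"*) continue ;; esac
        cc="${line%%=*}"
        state="${line#*=}"                      # "on"/"off", or the bare code itself
        [ "$state" = "$line" ] || [ "$state" = "on" ] || continue
        if ! is_known_cc "$cc"; then
            echo "skip $cc: not in location DB" >&2
            continue
        fi
        if ! emit_cc_set "$cc"; then
            echo "skip $cc: no IPv4 networks in location DB" >&2
            continue
        fi
        echo "add $MASTER_SET allow_cc_$cc"
    done < "$1"
}

# Load the sets in one batch and rebuild the chain exactly as shown in the
# thread: non-red traffic and private/CGNAT/multicast sources return, allowed
# countries return, everything else is dropped.
apply_allowlist() {
    build_ipsets "$ALLOW_FILE" | ipset -exist restore
    iptables -t filter -F "$CHAIN"
    iptables -t filter -A "$CHAIN" ! -i "$RED_IF" -j RETURN
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 100.64.0.0/10 224.0.0.0/4; do
        iptables -t filter -A "$CHAIN" -s "$net" -j RETURN
    done
    iptables -t filter -A "$CHAIN" -m set --match-set "$MASTER_SET" src -j RETURN
    iptables -t filter -A "$CHAIN" -j DROP
}

# Only touch the kernel when explicitly asked: `sh allowlist.sh apply`.
case "${1:-}" in
    apply) apply_allowlist ;;
esac
```

Run `build_ipsets /path/to/allowfile` on its own first to review the restore batch (and the "skip" lines on stderr) before using `apply`. Note that flushing a live `allow_cc_*` set and refilling it leaves a short window in which matching traffic is dropped; if that matters, build the new set under a temporary name and use `ipset swap` instead of `flush`.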