path: root/net/geoip-shell/NOTES.md
author    Anton Khazan <antonk.d3v@gmail.com>  2024-04-23 09:19:24 +0300
committer Anton Khazan <antonk.d3v@gmail.com>  2024-04-23 09:19:24 +0300
commit    199bd03b332bfb47fd44fc1762d941875d99d4f2 (patch)
tree      3ab7188b6ee1e83c42443d2e9872ee2fb8236877 /net/geoip-shell/NOTES.md
parent    466ed55d599c47a4f72cf6f96907fdfa5e9dcc79 (diff)
geoip-shell: update to v0.5.2
Changes since v0.5:

Bugfixes:
- bugfix: 'geoip-shell on' command errors out on iptables-based systems
- bugfix: when changing the update cron schedule, old cron job does not get removed
- bugfix: in some edge cases, the update cron job may not be created
- bugfix: incorrect mask bits used when creating a rule allowing ipv6 link-local connections (/8 instead of /10)
- bugfix: geoip-shell-fetch.sh: fix running without root permissions

Improvements:
- nftables variant: attach the base chain to the prerouting netfilter hook with priority -141 (rather than -150) to make rules processing deterministic when other rules exist which have priority 'mangle' (-150), making it easier to create custom rules which will be processed before geoip-shell rules
- include information on currently used firewall backend utility (nftables or iptables) in the status report
- avoid unnecessary re-fetching of ip lists when running 'geoip-shell configure'
- randomize the default update schedule's minute between 10 and 20 (previously was always 15)
- randomize the automatic update second between 0 and 59
- improve console messages and the status report
- update and improve the general documentation
- improve OpenWrt-specific documentation

Signed-off-by: Anton Khazan <antonk.d3v@gmail.com>
Diffstat (limited to 'net/geoip-shell/NOTES.md')
-rw-r--r--  net/geoip-shell/NOTES.md  4
1 files changed, 2 insertions, 2 deletions
diff --git a/net/geoip-shell/NOTES.md b/net/geoip-shell/NOTES.md
index 6bd0ebcbf..e6f2c5cc3 100644
--- a/net/geoip-shell/NOTES.md
+++ b/net/geoip-shell/NOTES.md
@@ -14,7 +14,7 @@
### **nftables**
- With **nftables**, all firewall rules created by geoip-shell are in the table named `geoip-shell`, family "inet", which is a term nftables uses for tables applying to both ip families. The `geoip-shell` table includes rules for both ip families and any nftables sets geoip-shell creates. geoip-shell creates 2 chains in that table: `GEOIP-BASE` and `GEOIP-SHELL`. The base chain attaches to netfilter's `prerouting` hook and has a rule which directs traffic to the `GEOIP-SHELL` chain. That rule is the geoip-shell "enable" rule for nftables-based systems which acts exactly like the "enable" rule in the iptables-based systems, except it applies to both ip families.
- - **nftables** allows for more control over which network interfaces each rule applies to, so when certain network interfaces are specified during installation, geoip-shell specifies these interfaces directly in the rules inside the `GEOIP-SHELL` chain, and so (contrary to iptables-based systems) there is no need in an additional chain.
+ - **nftables** allows for more control over which network interfaces each rule applies to, so when certain network interfaces are specified during initial setup, geoip-shell specifies these interfaces directly in the rules inside the `GEOIP-SHELL` chain, and so (contrary to iptables-based systems) there is no need in an additional chain.
- **nftables** features atomic rules updates, meaning that when issuing multiple nftables commands at once, if any command fails, all changes get cancelled and the system remains in the same state as before. geoip-shell utilizes this feature for fault-tolerance and to completely eliminate time when geoip blocking is disabled during an update of the sets or rules.
- **nftables** current version (up to 1.0.8 and probably 1.0.9) has some bugs related to unnecessarily high transient memory consumption when performing certain actions, including adding new sets. These bugs are known and for the most part, already have patches implemented which should eventually roll out to the distributions. This mostly matters for embedded hardware with less than 512MB of memory. geoip-shell works around these bugs as much as possible. One of the workarounds is to avoid using the atomic replacement feature for nftables sets. Instead, when updating sets, geoip-shell first adds new sets one by one, then atomically applies all other changes, including rules changes and removing the old sets. In case of an error during any stage of this process, all changes get cancelled, old rules and sets remain in place and geoip-shell then destroys the new sets. This is less efficient but with current versions of nftables, this actually lowers the minimum memory bar for the embedded devices. Once a new version of nftables will be rolled out to the distros, geoip-shell will adapt the algorithm accordingly.
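Review bot: the paragraph this `+` line belongs to still describes the `GEOIP-BASE` chain as simply attaching to netfilter's `prerouting` hook, while the commit message says this release moved the base chain to priority -141 so that rules registered at priority 'mangle' (-150) are processed before geoip-shell rules; since that ordering is exactly what a user adding custom rules needs from this section, the NOTES text should state the hook priority, e.g. "The base chain attaches to netfilter's `prerouting` hook with priority -141, so rules with priority 'mangle' (-150) are evaluated before geoip-shell rules." The wording change on the `+` line itself ("installation" to "initial setup") is fine, but the same line should also read "there is no need for an additional chain" rather than "no need in an additional chain".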
@@ -27,7 +27,7 @@
3) geoip-shell uses RIPE as the default source for ip lists. RIPE is a regional registry, and as such, is expected to stay online and free for the foreseeable future. However, RIPE may be fairly slow in some regions. For that reason, I implemented support for fetching ip lists from ipdeny. ipdeny provides aggregated ip lists, meaning in short that there are less entries for same effective geoip blocking, so the machine which these lists are installed on has to do less work when processing incoming connection requests. All ip lists the suite fetches from ipdeny are aggregated lists.
-4) The scripts intended as user interface are: **-install**, **-uninstall**, **-manage** (also called by running '**geoip-shell**' after installation) and **check-ip-in-registry.sh**. The -manage script saves the config to a file and implements coherence checks between that file and the actual firewall state. While you can run the other scripts individually, if you make changes to firewall geoip rules, next time you run the -manage script it may insist on reverting those changes since they are not reflected in the config file. The **-backup** script can be used individually. By default, it creates a backup of geoip-shell state after every successful action involving changes to or updates of the ip lists. If you encounter issues, you can use it with the 'restore' command to restore geoip-shell to its previous state. It also restores the config, so the -manage script will not mind.
+4) The script intended as user interface is **geoip-shell-manage.sh** (also called by running **geoip-shell**).
5) How to manually check firewall rules created by geoip-shell:
- With nftables: `nft -t list table inet geoip-shell`. This will display all geoip-shell rules and sets.
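Review bot: the replacement `+` line drops two pieces of user-facing behaviour that the removed `-` line documented and that nothing else in this hunk carries: that the manage script saves the config to a file and may revert manual changes to the geoip firewall rules which are not reflected in that config, and that the -backup script's 'restore' command returns geoip-shell (config included) to its previous state. The diffstat shows only NOTES.md with 2 insertions, so this text did not move within the commit; keep at least the coherence-check warning, e.g. "geoip-shell-manage.sh saves the config to a file and checks it against the actual firewall state; manual changes to geoip rules may be reverted on the next run." Separately, in the context line `nft -t list table inet geoip-shell`, `-t` is nft's --terse option and omits set contents, so "This will display all geoip-shell rules and sets" should say the sets are listed without their elements (run the command without `-t` to see them).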