ADDED Requirements
Requirement: ipset and iptables are installed on all servers
The geoblock role SHALL ensure ipset and iptables packages are installed.
Scenario: Packages installed
- WHEN the geoblock role runs
- THEN ipset and iptables are installed and available
Requirement: China IP CIDR list is downloaded
The geoblock role SHALL download the aggregated China CIDR list from ipdeny.com to a local file on each server.
Scenario: Initial download
- WHEN the geoblock role runs for the first time
- THEN the CN aggregated zone file is downloaded to a configurable path (default: /etc/geoblock/cn.zone)
Requirement: ipset is populated with China CIDR ranges
The geoblock role SHALL create an ipset named cn-block of type hash:net and populate it with all CIDRs from the downloaded zone file.
Scenario: ipset created and loaded
- WHEN the geoblock update script runs
- THEN an ipset named cn-block exists containing all China CIDR entries
- THEN the set is created atomically (build temp set, swap, destroy old)
Requirement: iptables blocks outbound to China IPs
The geoblock role SHALL add an iptables OUTPUT chain rule that drops packets matching the cn-block ipset.
Scenario: Outbound to China IP is dropped
- WHEN the server attempts to send a packet to an IP in the cn-block ipset
- THEN the packet is dropped by iptables
Scenario: Outbound to non-China IP is allowed
- WHEN the server attempts to send a packet to an IP NOT in the cn-block ipset
- THEN the packet is allowed through
Requirement: CN IP list is refreshed daily via cron
The geoblock role SHALL configure a cron job that re-downloads the CN zone file and reloads the ipset daily.
Scenario: Daily refresh
- WHEN the cron job fires
- THEN the latest CN zone file is downloaded
- THEN the ipset is atomically reloaded with updated data
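The update script implied by the three requirements above (atomic cn-block reload, the OUTPUT drop rule, and the daily refresh) as an added example; this is not the role's own code. It assumes the spec's default zone path and set name, an ipdeny URL for the CN aggregated zone that should be checked before use, and that the script runs as root via cron or the boot service. The zone file is filtered to plain IPv4 CIDR lines before it reaches ipset, and an empty or implausibly small download is rejected so a bad fetch cannot wipe the live set.

```shell
#!/bin/sh
# Added example for the geoblock role (not the role's own code).
set -eu

ZONE_FILE="${ZONE_FILE:-/etc/geoblock/cn.zone}"      # spec default path
SET_NAME="${SET_NAME:-cn-block}"                      # spec's set name
# Assumed ipdeny aggregated CN zone URL; verify before deploying.
ZONE_URL="${ZONE_URL:-https://www.ipdeny.com/ipblocks/data/aggregated/cn-aggregated.zone}"
CIDR_RE='^[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}$'

# Count lines that are plain IPv4 CIDRs; comments, blanks and junk are ignored.
count_cidrs() {
    grep -cE "$CIDR_RE" "$1" || true
}

# Emit an "ipset restore" script that builds a temporary hash:net set.
# Only CIDR-shaped lines are passed through, so a tampered or corrupt zone
# file cannot inject other ipset commands.
build_restore_script() {
    zone="$1"; tmp="$2"
    echo "create $tmp hash:net family inet hashsize 4096 maxelem 65536"
    grep -E "$CIDR_RE" "$zone" | sed "s|^|add $tmp |"
}

# Atomic reload: fill a temp set, swap it with the live set, destroy the old.
# The live set is never empty during the update.
reload_ipset() {
    tmp="${SET_NAME}-tmp"
    ipset create "$SET_NAME" hash:net family inet -exist
    ipset destroy "$tmp" 2>/dev/null || true
    build_restore_script "$ZONE_FILE" "$tmp" | ipset restore
    ipset swap "$tmp" "$SET_NAME"
    ipset destroy "$tmp"
}

# Insert the OUTPUT drop rule only if it is not already present (idempotent).
ensure_output_rule() {
    iptables -C OUTPUT -m set --match-set "$SET_NAME" dst -j DROP 2>/dev/null \
        || iptables -I OUTPUT 1 -m set --match-set "$SET_NAME" dst -j DROP
}

# Daily refresh entry point: download, sanity-check, then reload and re-apply.
refresh() {
    new="${ZONE_FILE}.new"
    curl -fsSL "$ZONE_URL" -o "$new"
    if [ "$(count_cidrs "$new")" -lt 100 ]; then
        echo "downloaded zone file looks wrong; keeping current set" >&2
        rm -f "$new"; return 1
    fi
    mv "$new" "$ZONE_FILE"
    reload_ipset
    ensure_output_rule
}
```

Call `refresh` from the cron job and `reload_ipset && ensure_output_rule` from the boot service, where the existing zone file is used without a download.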
Requirement: ipset is restored on boot
The geoblock role SHALL configure a systemd service that runs at boot to restore the ipset and iptables rule, ensuring the block survives reboots.
Scenario: Server reboots
- WHEN the server restarts
- THEN the geoblock systemd service loads the CN zone into ipset
- THEN the iptables OUTPUT rule referencing cn-block is applied
Requirement: Geoblock role is applied to all servers
The geoblock role SHALL be applied to both relay and landing servers via site.yml.
Scenario: Both servers have geoblock
- WHEN site.yml is run
- THEN the geoblock role runs on hosts in both relay and landing groups