2017-01-19 23:08:15 +01:00
|
|
|
#
|
|
|
|
|
# Shorewall - /usr/share/shorewall/action.BLACKLIST
|
|
|
|
|
#
|
|
|
|
|
# This action:
|
|
|
|
|
#
|
|
|
|
|
# - Adds the sender to the dynamic blacklist ipset
|
|
|
|
|
# - Optionally acts on the packet (default is DROP)
|
|
|
|
|
#
|
|
|
|
|
# Parameters:
|
|
|
|
|
#
|
|
|
|
|
# 1 - Action to take after adding the packet. Default is DROP.
|
|
|
|
|
# Pass -- if you don't want to take any action.
|
|
|
|
|
# 2 - Timeout for ipset entry. Default is the timeout specified in
|
|
|
|
|
# DYNAMIC_BLACKLIST or the one specified when the ipset was created.
|
|
|
|
|
#
|
|
|
|
|
###############################################################################
|
2017-01-24 00:03:02 +01:00
|
|
|
# Note -- This action is defined with the 'section' option, so the first
|
|
|
|
|
# parameter is always the section name. That means that in the
|
|
|
|
|
# following text, the first parameter passed in the rule is actually
|
|
|
|
|
# @2.
|
|
|
|
|
###############################################################################
|
|
|
|
|
?if $1 eq 'BLACKLIST'
|
2017-03-03 19:14:30 +01:00
|
|
|
?if $BLACKLIST_LOG_LEVEL
|
2017-01-24 00:03:02 +01:00
|
|
|
blacklog
|
|
|
|
|
?else
|
|
|
|
|
$BLACKLIST_DISPOSITION
|
|
|
|
|
?endif
|
2017-01-19 23:08:15 +01:00
|
|
|
?else
|
2017-01-24 00:03:02 +01:00
|
|
|
?if ! "$SW_DBL_IPSET"
|
|
|
|
|
? error The BLACKLIST action may only be used with ipset-based dynamic blacklisting
|
|
|
|
|
?endif
|
|
|
|
|
|
|
|
|
|
DEFAULTS -,DROP,-
|
|
|
|
|
#
|
|
|
|
|
# Add to the blacklist
|
|
|
|
|
#
|
|
|
|
|
?if passed(@3)
|
|
|
|
|
ADD($SW_DBL_IPSET:src:@3)
|
|
|
|
|
?elsif $SW_DBL_TIMEOUT
|
|
|
|
|
ADD($SW_DBL_IPSET:src:$SW_DBL_TIMEOUT)
|
|
|
|
|
?else
|
|
|
|
|
ADD($SW_DBL_IPSET:src)
|
|
|
|
|
?endif
|
|
|
|
|
#
|
|
|
|
|
# Dispose of the packet if asked
|
|
|
|
|
#
|
|
|
|
|
?if passed(@2)
|
|
|
|
|
@2
|
|
|
|
|
?endif
|
2017-01-19 23:08:15 +01:00
|
|
|
?endif
|
