extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-08-18 04:35:33 +02:00
Code Issues Packages Projects Releases Wiki Activity

Ipset-based blacklisting

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep
2016-04-10 16:07:56 -07:00
parent ef10515a42
commit 05e4049174
12 changed files with 354 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

66
Shorewall-core/lib.cli
View File

@@ -340,6 +340,7 @@ show_classifiers() {
# Display blacklist chains # Display blacklist chains
# #
show_bl() { show_bl() {
[ -n "$g_blacklistipset" ] && ipset -L $
$g_tool -L $g_ipt_options | \ $g_tool -L $g_ipt_options | \
awk 'BEGIN {prnt=0; }; awk 'BEGIN {prnt=0; };
/^$/ {if (prnt == 1) print ""; prnt=0; }; /^$/ {if (prnt == 1) print ""; prnt=0; };
@@ -3444,6 +3445,30 @@ reject_command() {
fi fi
} }
blacklist_command() {
local family
[ $# -gt 0 ] || fatal_error "Missing address"
[ -z "$g_blacklistipset" ] && fatal_error "The blacklist command is not supported in the current $g_product configuration"
case ${IPSET:=ipset} in
*/*)
if [ ! -x "$IPSET" ]; then
fatal_error "IPSET=$IPSET does not exist or is not executable"
fi
;;
*)
IPSET="$(mywhich $IPSET)"
[ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
;;
esac
$IPSET -A $g_blacklistipset $@ || fatal_error "Address $1 not blacklisted"
return 0
}
save_command() { save_command() {
local finished local finished
finished=0 finished=0
@@ -3793,6 +3818,38 @@ get_config() {
g_pager="| $g_pager" g_pager="| $g_pager"
fi fi
if [ -n "$DYNAMIC_BLACKLIST" ]; then
case $DYNAMIC_BLACKLIST in
[Nn]o)
DYNAMIC_BLACKLIST='';
;;
[Yy]es)
;;
ipset|ipset::*|ipset-only|ipset-only::*|ipset,src-dst|ipset-only,src-dst::*)
g_blacklistipset=SW_DBL$g_family
;;
ipset:[a-zA-Z]*)
g_blacklistipset=${DYNAMIC_BLACKLIST#ipset:}
g_blacklistipset=${g_blacklistipset%%:*}
;;
ipset,src-dst:[a-zA-Z]*)
g_blacklistipset=${DYNAMIC_BLACKLIST#ipset,src-dst:}
g_blacklistipset=${g_blacklistipset%%:*}
;;
ipset-only:[a-zA-Z]*)
g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only:}
g_blacklistipset=${g_blacklistipset%%:*}
;;
ipset-only,src-dst:[a-zA-Z]*)
g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only,src-dst:}
g_blacklistipset=${g_blacklistipset%%:*}
;;
*)
fatal_error "Invalid value ($DYNAMIC_BLACKLIST) for DYNAMIC_BLACKLIST"
;;
esac
fi
lib=$(find_file lib.cli-user) lib=$(find_file lib.cli-user)
[ -f $lib ] && . $lib [ -f $lib ] && . $lib
@@ -3983,6 +4040,7 @@ usage() # $1 = exit status
echo "where <command> is one of:" echo "where <command> is one of:"
echo " add <interface>[:<host-list>] ... <zone>" echo " add <interface>[:<host-list>] ... <zone>"
echo " allow <address> ..." echo " allow <address> ..."
echo " blacklist <address> [ <option> ... ]"
ecko " [ check | ck ] [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ -i ] [ <directory> ]" ecko " [ check | ck ] [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ -i ] [ <directory> ]"
echo " clear" echo " clear"
ecko " [ compile | co ] [ -e ] [ -p ] [ -t ] [ -c ] [ -d ] [ -T ] [ -i ] [ <directory name> ] [ <path name> ]" ecko " [ compile | co ] [ -e ] [ -p ] [ -t ] [ -c ] [ -d ] [ -T ] [ -i ] [ <directory name> ] [ <path name> ]"
@@ -4134,6 +4192,7 @@ shorewall_cli() {
g_loopback= g_loopback=
g_compiled= g_compiled=
g_pager= g_pager=
g_blacklistipset=
VERBOSE= VERBOSE=
VERBOSITY=1 VERBOSITY=1
@@ -4325,6 +4384,13 @@ shorewall_cli() {
fatal_error "$g_product is not running" fatal_error "$g_product is not running"
fi fi
;; ;;
blacklist)
get_config Yes
shift
[ -n "$g_nolock" ] || mutex_on
blacklist_command $@
[ -n "$g_nolock" ] || mutex_off
;;
run) run)
[ $# -gt 1 ] || fatal_error "Missing function name" [ $# -gt 1 ] || fatal_error "Missing function name"
get_config Yes get_config Yes

32
Shorewall-lite/manpages/shorewall-lite.xml
View File

@@ -47,6 +47,19 @@
<arg choice="plain"><replaceable>address</replaceable></arg> <arg choice="plain"><replaceable>address</replaceable></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis>
<command>shorewall-lite</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>blacklist</option></arg>
<arg choice="plain"><replaceable>address</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
<command>shorewall-lite</command> <command>shorewall-lite</command>
@@ -693,6 +706,25 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">blacklist</emphasis>
<replaceable>address</replaceable> [ <replaceable>option</replaceable>
... ]</term>
<listitem>
<para>Added in Shorewall 5.0.8 and requires
DYNAMIC_BLACKLIST=ipset.. in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).
Causes packets from the given host or network
<replaceable>address</replaceable> to be dropped, based on the
setting of BLACKLIST in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). The
<replaceable>address</replaceable> along with any
<replaceable>option</replaceable>s are passed to the <command>ipset
add</command> command.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">call <replaceable>function</replaceable> [ <term><emphasis role="bold">call <replaceable>function</replaceable> [
<replaceable>parameter</replaceable> ... ]</emphasis></term> <replaceable>parameter</replaceable> ... ]</emphasis></term>

14
Shorewall/Perl/Shorewall/Chains.pm
View File

@@ -8254,8 +8254,8 @@ sub ensure_ipset( $ ) {
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
if ( have_capability 'IPSET_V5' ) { if ( have_capability 'IPSET_V5' ) {
emit ( qq( if ! qt \$IPSET -L $set -n; then) , emit ( qq( if ! qt \$IPSET -L $set -n; then) ,
qq( error_message "WARNING: ipset $set does not exist; creating it as an hash:ip set") , qq( error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") ,
qq( \$IPSET -N $set hash:ip family inet) , qq( \$IPSET -N $set hash:net family inet timeout 0) ,
qq( fi) ); qq( fi) );
} else { } else {
emit ( qq( if ! qt \$IPSET -L $set -n; then) , emit ( qq( if ! qt \$IPSET -L $set -n; then) ,
@@ -8265,8 +8265,8 @@ sub ensure_ipset( $ ) {
} }
} else { } else {
emit ( qq( if ! qt \$IPSET -L $set -n; then) , emit ( qq( if ! qt \$IPSET -L $set -n; then) ,
qq( error_message "WARNING: ipset $set does not exist; creating it as an hash:ip set") , qq( error_message "WARNING: ipset $set does not exist; creating it as an hash:net set") ,
qq( \$IPSET -N $set hash:ip family inet6) , qq( \$IPSET -N $set hash:net family inet6 timeout 0) ,
qq( fi) ); qq( fi) );
} }
} }
@@ -8277,7 +8277,7 @@ sub ensure_ipset( $ ) {
sub create_save_ipsets() { sub create_save_ipsets() {
my @ipsets = all_ipsets; my @ipsets = all_ipsets;
emit( "#\n#Save the ipsets specified by the SAVE_IPSETS setting and by dynamic zones\n#", emit( "#\n#Save the ipsets specified by the SAVE_IPSETS setting and by dynamic zones and blacklisting\n#",
'save_ipsets() {' ); 'save_ipsets() {' );
if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) { if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
@@ -8360,7 +8360,7 @@ sub create_save_ipsets() {
sub load_ipsets() { sub load_ipsets() {
my @ipsets = all_ipsets; my @ipsets = all_ipsets; #Dynamic Zone IPSETS
if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) { if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
emit ( '', ); emit ( '', );
@@ -8425,8 +8425,6 @@ sub load_ipsets() {
emit ( '' ); emit ( '' );
} }
} else { } else {
ensure_ipset( $_ ) for @ipsets;
emit ( ' if [ -f ${VARDIR}/ipsets.save ]; then' , emit ( ' if [ -f ${VARDIR}/ipsets.save ]; then' ,
' $IPSET flush' , ' $IPSET flush' ,
' $IPSET destroy' , ' $IPSET destroy' ,

42
Shorewall/Perl/Shorewall/Config.pm
View File

@@ -161,6 +161,8 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
set_section_function set_section_function
clear_section_function clear_section_function
directive_callback directive_callback
add_ipset
all_ipsets
$product $product
$Product $Product
@@ -673,6 +675,7 @@ our $section_function; #Function Reference for handling ?section
our $evals = 0; # Number of times eval() called out of evaluate_expression() or embedded_perl(). our $evals = 0; # Number of times eval() called out of evaluate_expression() or embedded_perl().
our %ipsets; # All required IPsets
# #
# Files located via find_file() # Files located via find_file()
# #
@@ -1073,6 +1076,7 @@ sub initialize( $;$$) {
%actparams = ( 0 => 0, loglevel => '', logtag => '', chain => '', disposition => '', caller => '' ); %actparams = ( 0 => 0, loglevel => '', logtag => '', chain => '', disposition => '', caller => '' );
$parmsmodified = 0; $parmsmodified = 0;
$usedcaller = 0; $usedcaller = 0;
%ipsets = ();
%helpers_enabled = ( %helpers_enabled = (
amanda => 1, amanda => 1,
@@ -1171,6 +1175,14 @@ sub initialize( $;$$) {
my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec ); my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );
sub add_ipset( $ ) {
$ipsets{$_[0]} = 1;
}
sub all_ipsets() {
sort keys %ipsets;
}
# #
# Create 'currentlineinfo' # Create 'currentlineinfo'
# #
@@ -5991,7 +6003,33 @@ sub get_configuration( $$$$ ) {
$config{ACCOUNTING_TABLE} = 'filter'; $config{ACCOUNTING_TABLE} = 'filter';
} }
default_yes_no 'DYNAMIC_BLACKLIST' , 'Yes'; if ( supplied( $val = $config{DYNAMIC_BLACKLIST} ) ) {
if ( $val =~ /^ipset/ ) {
my ( $key, $set, $level, $tag, $rest ) = split( ':', $val , 5 );
fatal_error "Invalid DYNAMIC_BLACKLIST setting ( $val )" if $key !~ /^ipset(?:-only)?(?:,src-dst)?$/ || defined $rest;
if ( supplied( $set ) ) {
fatal_error "Invalid DYNAMIC_BLACKLIST ipset name" unless $set =~ /^[A-Za-z][\w-]*/;
} else {
$set = 'SW_DBL' . $family;
}
add_ipset( $set );
$level = validate_level( $level );
$tag = '' unless defined $tag;
$config{DYNAMIC_BLACKLIST} = join( ':', $key, $set, $level, $tag );
require_capability( 'IPSET_V5', 'DYNAMIC_BLACKLIST=ipset...', 's' );
} else {
default_yes_no( 'DYNAMIC_BLACKLIST' , 'Yes' );
}
}
default_yes_no 'REQUIRE_INTERFACE' , ''; default_yes_no 'REQUIRE_INTERFACE' , '';
default_yes_no 'FORWARD_CLEAR_MARK' , have_capability( 'MARK' ) ? 'Yes' : ''; default_yes_no 'FORWARD_CLEAR_MARK' , have_capability( 'MARK' ) ? 'Yes' : '';
default_yes_no 'COMPLETE' , ''; default_yes_no 'COMPLETE' , '';
@@ -6503,7 +6541,7 @@ sub generate_aux_config() {
emit "#\n# Shorewall auxiliary configuration file created by Shorewall version $globals{VERSION} - $date\n#"; emit "#\n# Shorewall auxiliary configuration file created by Shorewall version $globals{VERSION} - $date\n#";
for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT ARPTABLES IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE WORKAROUNDS RESTART) ) { for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT ARPTABLES IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE WORKAROUNDS RESTART DYNAMIC_BLACKLIST) ) {
conditionally_add_option $option; conditionally_add_option $option;
} }

43
Shorewall/Perl/Shorewall/Misc.pm
View File

@@ -674,6 +674,11 @@ sub add_common_rules ( $ ) {
my $level = $config{BLACKLIST_LOG_LEVEL}; my $level = $config{BLACKLIST_LOG_LEVEL};
my $tag = $globals{BLACKLIST_LOG_TAG}; my $tag = $globals{BLACKLIST_LOG_TAG};
my $rejectref = $filter_table->{reject}; my $rejectref = $filter_table->{reject};
my $dbl_type;
my $dbl_ipset;
my $dbl_level;
my $dbl_tag;
my $dbl_target;
if ( $config{REJECT_ACTION} ) { if ( $config{REJECT_ACTION} ) {
process_reject_action; process_reject_action;
@@ -723,11 +728,34 @@ sub add_common_rules ( $ ) {
# #
create_docker_rules if $config{DOCKER}; create_docker_rules if $config{DOCKER};
if ( $config{DYNAMIC_BLACKLIST} ) { if ( my $val = $config{DYNAMIC_BLACKLIST} ) {
add_rule_pair( set_optflags( new_standard_chain( 'logdrop' ) , DONT_OPTIMIZE | DONT_DELETE ), '' , 'DROP' , $level , $tag); ( $dbl_type, $dbl_ipset, $dbl_level, $dbl_tag ) = split( ':', $val );
add_rule_pair( set_optflags( new_standard_chain( 'logreject' ), DONT_OPTIMIZE | DONT_DELETE ), '' , 'reject' , $level , $tag);
$dynamicref = set_optflags( new_standard_chain( 'dynamic' ) , DONT_OPTIMIZE ); unless ( $dbl_type =~ /^ipset-only/ ) {
add_commands( $dynamicref, '[ -f ${VARDIR}/.dynamic ] && cat ${VARDIR}/.dynamic >&3' ); add_rule_pair( set_optflags( new_standard_chain( 'logdrop' ) , DONT_OPTIMIZE | DONT_DELETE ), '' , 'DROP' , $level , $tag);
add_rule_pair( set_optflags( new_standard_chain( 'logreject' ), DONT_OPTIMIZE | DONT_DELETE ), '' , 'reject' , $level , $tag);
$dynamicref = set_optflags( new_standard_chain( 'dynamic' ) , DONT_OPTIMIZE );
add_commands( $dynamicref, '[ -f ${VARDIR}/.dynamic ] && cat ${VARDIR}/.dynamic >&3' );
}
if ( $dbl_ipset ) {
if ( $dbl_level ) {
my $chainref = set_optflags( new_standard_chain( $dbl_target = 'dbl_log' ) , DONT_OPTIMIZE | DONT_DELETE );
log_rule_limit( $dbl_level,
$chainref,
'dbl_log',
'DROP',
$globals{LOGLIMIT},
$dbl_tag,
'add',
'',
$origin{DYNAMIC_BLACKLIST} );
add_ijump_extended( $chainref, j => 'DROP', $origin{DYNAMIC_BLACKLIST} );
} else {
$dbl_target = 'DROP';
}
}
} }
setup_mss; setup_mss;
@@ -831,6 +859,11 @@ sub add_common_rules ( $ ) {
} }
} }
if ( $dbl_ipset ) {
add_ijump_extended( $filter_table->{input_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset src" );
add_ijump_extended( $filter_table->{input_option_chain($interface)}, j => $dbl_target, $origin{DYNAMIC_BLACKLIST}, @state, set => "--match-set $dbl_ipset dst" ) if $dbl_type =~ /,src-dst$/;
}
for ( option_chains( $interface ) ) { for ( option_chains( $interface ) ) {
add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref; add_ijump_extended( $filter_table->{$_}, j => $dynamicref, $origin{DYNAMIC_BLACKLIST}, @state ) if $dynamicref;
add_ijump_extended( $filter_table->{$_}, j => 'ACCEPT', $origin{FASTACCEPT}, state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT}; add_ijump_extended( $filter_table->{$_}, j => 'ACCEPT', $origin{FASTACCEPT}, state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT};

11
Shorewall/Perl/Shorewall/Zones.pm
View File

@@ -103,7 +103,6 @@ our @EXPORT = ( qw( NOTHING
find_hosts_by_option find_hosts_by_option
find_zone_hosts_by_option find_zone_hosts_by_option
find_zones_by_option find_zones_by_option
all_ipsets
have_ipsec have_ipsec
), ),
); );
@@ -210,7 +209,6 @@ our @interfaces;
our %interfaces; our %interfaces;
our %roots; our %roots;
our @bport_zones; our @bport_zones;
our %ipsets;
our %basemap; our %basemap;
our %basemap1; our %basemap1;
our %mapbase; our %mapbase;
@@ -326,7 +324,6 @@ sub initialize( $$ ) {
%roots = (); %roots = ();
%interfaces = (); %interfaces = ();
@bport_zones = (); @bport_zones = ();
%ipsets = ();
%basemap = (); %basemap = ();
%basemap1 = (); %basemap1 = ();
%mapbase = (); %mapbase = ();
@@ -1344,7 +1341,7 @@ sub process_interface( $$ ) {
my $ipset = $family == F_IPV4 ? "${zone}" : "6_${zone}"; my $ipset = $family == F_IPV4 ? "${zone}" : "6_${zone}";
$ipset = join( '_', $ipset, var_base1( $physical ) ) unless $zoneref->{options}{in_out}{dynamic_shared}; $ipset = join( '_', $ipset, var_base1( $physical ) ) unless $zoneref->{options}{in_out}{dynamic_shared};
$netsref = [ "+$ipset" ]; $netsref = [ "+$ipset" ];
$ipsets{$ipset} = 1; add_ipset($ipset);
} }
if ( $options{bridge} ) { if ( $options{bridge} ) {
@@ -2153,7 +2150,7 @@ sub process_host( ) {
$hosts = "+$set"; $hosts = "+$set";
$optionsref->{dynamic} = 1; $optionsref->{dynamic} = 1;
$ipsets{$set} = 1; add_ipset($set);
} }
# #
@@ -2273,8 +2270,4 @@ sub find_zones_by_option( $$ ) {
\@zns; \@zns;
} }
sub all_ipsets() {
sort keys %ipsets;
}
1; 1;

32
Shorewall/lib.cli-std
View File

@@ -333,6 +333,38 @@ get_config() {
g_pager="| $g_pager" g_pager="| $g_pager"
fi fi
if [ -n "$DYNAMIC_BLACKLIST" ]; then
case $DYNAMIC_BLACKLIST in
[Nn]o)
DYNAMIC_BLACKLIST='';
;;
[Yy]es)
;;
ipset|ipset::*|ipset-only|ipset-only::*|ipset,src-dst|ipset-only,src-dst::*)
g_blacklistipset=SW_DBL$g_family
;;
ipset:[a-zA-Z]*)
g_blacklistipset=${DYNAMIC_BLACKLIST#ipset:}
g_blacklistipset=${g_blacklistipset%%:*}
;;
ipset,src-dst:[a-zA-Z]*)
g_blacklistipset=${DYNAMIC_BLACKLIST#ipset,src-dst:}
g_blacklistipset=${g_blacklistipset%%:*}
;;
ipset-only:[a-zA-Z]*)
g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only:}
g_blacklistipset=${g_blacklistipset%%:*}
;;
ipset-only,src-dst:[a-zA-Z]*)
g_blacklistipset=${DYNAMIC_BLACKLIST#ipset-only,src-dst:}
g_blacklistipset=${g_blacklistipset%%:*}
;;
*)
fatal_error "Invalid value ($DYNAMIC_BLACKLIST) for DYNAMIC_BLACKLIST"
;;
esac
fi
lib=$(find_file lib.cli-user) lib=$(find_file lib.cli-user)
[ -f $lib ] && . $lib [ -f $lib ] && . $lib

26
Shorewall/manpages/shorewall.conf.xml
View File

@@ -761,15 +761,31 @@
<varlistentry> <varlistentry>
<term><emphasis role="bold">DYNAMIC_BLACKLIST=</emphasis>{<emphasis <term><emphasis role="bold">DYNAMIC_BLACKLIST=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term> role="bold">Yes</emphasis>|<emphasis
role="bold">No</emphasis>||<emphasis
role="bold">ipset</emphasis>[<emphasis
role="bold">-only</emphasis>][,<emphasis
role="bold">src-dst</emphasis>][:[<replaceable>setname</replaceable>][:<replaceable>log_level</replaceable>|:l<replaceable>og_tag</replaceable>]]]}</term>
<listitem> <listitem>
<para>Added in Shorewall 4.4.7. When set to <emphasis <para>Added in Shorewall 4.4.7. When set to <emphasis
role="bold">No</emphasis> or <emphasis role="bold">no</emphasis>, role="bold">No</emphasis> or <emphasis role="bold">no</emphasis>,
dynamic blacklisting using the <command>shorewall drop</command>, chain-based dynamic blacklisting using the <command>shorewall6
<command>shorewall reject</command>, <command>shorewall drop</command>, <command>shorewall6 reject</command>,
logdrop</command> and <command>shorewall logreject</command> is <command>shorewall6 logdrop</command> and <command>shorewall6
disabled. Default is <emphasis role="bold">Yes</emphasis>.</para> logreject</command> is disabled. Default is <emphasis
role="bold">Yes</emphasis>. Beginning with Shorewall 5.0.8,
ipset-based dynamic blacklisting is also supported. The name of the
set (<replaceable>setname</replaceable>) and the level
(<replaceable>log_level</replaceable>), if any, at which blacklisted
traffic is to be logged may also be specified. The default set name
is SW_DBL4 and the default log level is <option>none</option> (no
logging). if <option>ipset-only</option> is given, then chain-based
dynamic blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No
had been specified. Normally, only packets whose source address
matches an entry in the ipsec are dropped. If
<option>src-dst</option> is included, then packets whose destination
address matches an entry in the ipset are also dropped.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>

32
Shorewall/manpages/shorewall.xml
View File

@@ -49,6 +49,19 @@
<arg choice="plain"><replaceable>address</replaceable></arg> <arg choice="plain"><replaceable>address</replaceable></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>blacklist</option></arg>
<arg choice="plain"><replaceable>address</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
<command>shorewall</command> <command>shorewall</command>
@@ -955,6 +968,25 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">blacklist</emphasis>
<replaceable>address</replaceable> [ <replaceable>option</replaceable>
... ]</term>
<listitem>
<para>Added in Shorewall 5.0.8 and requires
DYNAMIC_BLACKLIST=ipset.. in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).
Causes packets from the given host or network
<replaceable>address</replaceable> to be dropped, based on the
setting of BLACKLIST in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5). The
<replaceable>address</replaceable> along with any
<replaceable>option</replaceable>s are passed to the <command>ipset
add</command> command.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">call <replaceable>function</replaceable> [ <term><emphasis role="bold">call <replaceable>function</replaceable> [
<replaceable>parameter</replaceable> ... ]</emphasis></term> <replaceable>parameter</replaceable> ... ]</emphasis></term>

32
Shorewall6-lite/manpages/shorewall6-lite.xml
View File

@@ -47,6 +47,19 @@
<arg choice="plain"><replaceable>address</replaceable></arg> <arg choice="plain"><replaceable>address</replaceable></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>blacklist</option></arg>
<arg choice="plain"><replaceable>address</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
<command>shorewall6-lite</command> <command>shorewall6-lite</command>
@@ -670,6 +683,25 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">blacklist</emphasis>
<replaceable>address</replaceable> [ <replaceable>option</replaceable>
... ]</term>
<listitem>
<para>Added in Shorewall 5.0.8 and requires
DYNAMIC_BLACKLIST=ipset.. in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
Causes packets from the given host or network
<replaceable>address</replaceable> to be dropped, based on the
setting of BLACKLIST in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
The <replaceable>address</replaceable> along with any
<replaceable>option</replaceable>s are passed to the <command>ipset
add</command> command.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">call <replaceable>function</replaceable> [ <term><emphasis role="bold">call <replaceable>function</replaceable> [
<replaceable>parameter</replaceable> ... ]</emphasis></term> <replaceable>parameter</replaceable> ... ]</emphasis></term>

26
Shorewall6/manpages/shorewall6.conf.xml
View File

@@ -623,15 +623,31 @@
<varlistentry> <varlistentry>
<term><emphasis role="bold">DYNAMIC_BLACKLIST=</emphasis>{<emphasis <term><emphasis role="bold">DYNAMIC_BLACKLIST=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term> role="bold">Yes</emphasis>|<emphasis
role="bold">No</emphasis>||<emphasis
role="bold">ipset</emphasis>[<emphasis
role="bold">-only</emphasis>][,<emphasis
role="bold">src-dst</emphasis>][:[<replaceable>setname</replaceable>][:<replaceable>log_level</replaceable>|:l<replaceable>og_tag</replaceable>]]]}</term>
<listitem> <listitem>
<para>Added in Shorewall 4.4.7. When set to <emphasis <para>Added in Shorewall 4.4.7. When set to <emphasis
role="bold">No</emphasis> or <emphasis role="bold">no</emphasis>, role="bold">No</emphasis> or <emphasis role="bold">no</emphasis>,
dynamic blacklisting using the <command>shorewall6 drop</command>, chain-based dynamic blacklisting using the <command>shorewall6
<command>shorewall6 reject</command>, <command>shorewall6 drop</command>, <command>shorewall6 reject</command>,
logdrop</command> and <command>shorewall6 logreject</command> is <command>shorewall6 logdrop</command> and <command>shorewall6
disabled. Default is <emphasis role="bold">Yes</emphasis>.</para> logreject</command> is disabled. Default is <emphasis
role="bold">Yes</emphasis>. Beginning with Shorewall 5.0.8,
ipset-based dynamic blacklisting is also supported. The name of the
set (<replaceable>setname</replaceable>) and the level
(<replaceable>log_level</replaceable>), if any, at which blacklisted
traffic is to be logged may also be specified. The default set name
is SW_DBL6 and the default log level is <option>none</option> (no
logging). if <option>ipset-only</option> is given, then chain-based
dynamic blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No
had been specified. Normally, only packets whose source address
matches an entry in the ipsec are dropped. If
<option>src-dst</option> is included, then packets whose destination
address matches an entry in the ipset are also dropped.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>

32
Shorewall6/manpages/shorewall6.xml
View File

@@ -48,6 +48,19 @@
<arg choice="plain"><replaceable>address</replaceable></arg> <arg choice="plain"><replaceable>address</replaceable></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis>
<command>shorewall6</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>blacklist</option></arg>
<arg choice="plain"><replaceable>address</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
<command>shorewall6</command> <command>shorewall6</command>
@@ -923,6 +936,25 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">blacklist</emphasis>
<replaceable>address</replaceable> [ <replaceable>option</replaceable>
... ]</term>
<listitem>
<para>Added in Shorewall 5.0.8 and requires
DYNAMIC_BLACKLIST=ipset.. in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
Causes packets from the given host or network
<replaceable>address</replaceable> to be dropped, based on the
setting of BLACKLIST in <ulink
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
The <replaceable>address</replaceable> along with any
<replaceable>option</replaceable>s are passed to the <command>ipset
add</command> command.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">call <replaceable>function</replaceable> [ <term><emphasis role="bold">call <replaceable>function</replaceable> [
<replaceable>parameter</replaceable> ... ]</emphasis></term> <replaceable>parameter</replaceable> ... ]</emphasis></term>