diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index bf7fb14b3..c409669d5 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -49,6 +49,7 @@ our @EXPORT = qw(
assert
currentlineinfo
clear_currentfilename
+ validate_level
progress_message
progress_message_nocompress
@@ -128,7 +129,6 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
pop_action_params
default_action_params
read_a_line
- validate_level
which
qt
ensure_config_path
diff --git a/Shorewall/action.AutoBL b/Shorewall/action.AutoBL
new file mode 100644
index 000000000..c33201ed5
--- /dev/null
+++ b/Shorewall/action.AutoBL
@@ -0,0 +1,59 @@
+#
+# Shorewall version 4 - Auto Blacklist Action
+#
+# Parameters are:
+#
+# Event - Name of the event to associate with this blacklist
+# Interval
+# Count - Interval and number of Packets to trigger blacklisting
+# Default is 60 seconds and 5 packets.
+# Successive - If a matching packet arrives within this many
+# seconds of the preceding one, it should be logged
+# and dealt with according to the Disposition and
+# Log Level parameters below. Default is 2 seconds.
+# Blacklist time - Number of seconds to blacklist
+# Default is 300 (5 minutes)
+# Disposition - Disposition of blacklisted packets
+# Default is DROP
+# Log Level - Level to Log Rejects
+# Default is info (6)
+#
+?format 2
+DEFAULTS -,60,5,2,300,DROP,info
+
+?begin perl
+my ( $event, $interval, $count, $successive, $bltime, $disposition, $level ) = get_action_params(7);
+
+fatal_error "The event name parameter to AutoBL is required" unless supplied $event;
+fatal_error "Invalid interval ($interval) passed to AutoBL" unless $interval =~ /^\d+$/ && $interval;
+fatal_error "Invalid successive interval ($succesive) passed to AutoBL" unless $successive =~ /^\d+$/;
+fatal_error "Invalid packet count ($count) passed to AutoBL" unless $count =~ /^\d+$/ && $count;
+fatal_error "Invalid blacklist time ($bltime) passed to AutoBL" unless $bltime =~ /^\d+$/ && $bltime;
+validate_level( $level );
+
+?end perl
+###############################################################################
+#TARGET SOURCE DEST PROTO DPORT SPORT
+#
+# Silently reject the client if blacklisted
+#
+IfEvent(${1}_BL,$6,$5,1,src,check:reap)
+#
+# Blacklist if M attempts in the last N seconds
+#
+IfEvent($1,AutoBLL($1,$6,$7),$2,$3,src,check:reap)
+#
+# Log and reject if the client has tried to connect
+# in the last N seconds
+#
+?if $4
+IfEvent($1,$6:$7,$4,1,-,update,Added)
+?endif
+#
+# Un-blacklist the client
+#
+ResetEvent(${1}_BL,LOG:$7,-,Removed)
+#
+# Set the event and accept the connection
+#
+SetEvent($1,ACCEPT,src)
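Review bot: The message on the `successive` check interpolates `$succesive` (missing an `s`), a variable the block never declares, so the diagnostic would print an empty value — or not compile at all if the embedded block runs under strict — instead of the offending argument; `fatal_error "Invalid successive interval ($successive) passed to AutoBL" unless $successive =~ /^\d+$/;`. The four numeric checks anchor with `^...$`, which still accepts a trailing newline, whereas `\A\d+\z` pins the whole value. `$disposition` is passed through to `AutoBLL` and `SetEvent` without a check here while `$level` gets `validate_level`; if the compiler does not validate that target downstream, a one-line check against the accepted dispositions belongs alongside the others. Related: the Events.xml example `AutoBL(SSH,-,-,-,REJECT,warn)` appears to supply six values against the seven in `DEFAULTS`, which would place REJECT in the blacklist-time slot and trip the `$bltime` check.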
diff --git a/Shorewall/action.AutoBLL b/Shorewall/action.AutoBLL
new file mode 100644
index 000000000..7259d4c44
--- /dev/null
+++ b/Shorewall/action.AutoBLL
@@ -0,0 +1,20 @@
+#
+# Shorewall version 4 - Auto Blacklisting Logger Action
+#
+# Arguments are
+#
+# Event: Name of the blacklisted event
+# Disposition: What to do with packets
+# Level: Log level and optional tag for logging.
+###############################################################################
+#TARGET SOURCE DEST PROTO DPORT SPORT
+#
+# Log the Reject
+#
+?if "$3" ne 'none'
+LOG:$3
+?endif
+#
+# And set the AutoBL Event for the SOURCE IP address
+#
+SetEvent(${1}_BL,$2,src)
diff --git a/Shorewall/actions.std b/Shorewall/actions.std
index 2caeaf62b..41b5f779d 100644
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@@ -28,6 +28,8 @@
A_Drop # Audited Default Action for DROP policy
A_Reject # Audited Default action for REJECT policy
allowInvalid inline # Accepts packets in the INVALID conntrack state
+AutoBL noinline # Auto-blacklist IPs that exceed thesholds
+AutoBLL noinline # Helper for AutoBL
Broadcast noinline # Handles Broadcast/Multicast/Anycast
Drop # Default Action for DROP policy
dropInvalid inline # Drops packets in the INVALID conntrack state
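Review bot: The comment on the new `AutoBL` line reads `thesholds`; `AutoBL noinline # Auto-blacklist IPs that exceed thresholds`. The same typo appears on the `AutoBL` line added to Shorewall6/actions.std in the next hunk.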
diff --git a/Shorewall6/actions.std b/Shorewall6/actions.std
index f3d87e98c..00f853def 100644
--- a/Shorewall6/actions.std
+++ b/Shorewall6/actions.std
@@ -20,6 +20,8 @@ A_Reject # Audited Default Action for REJECT policy
A_AllowICMPs # Audited Accept needed ICMP6 types
AllowICMPs # Accept needed ICMP6 types
allowInvalid inline # Accepts packets in the INVALID conntrack state
+AutoBL noinline # Auto-blacklist IPs that exceed thesholds
+AutoBLL noinline # Helper for AutoBL
Broadcast noinline # Handles Broadcast/Multicast/Anycast
Drop # Default Action for DROP policy
dropInvalid inline # Drops packets in the INVALID conntrack state
diff --git a/docs/Events.xml b/docs/Events.xml
index 21b1ecd45..77fd33ee4 100644
--- a/docs/Events.xml
+++ b/docs/Events.xml
@@ -551,6 +551,107 @@ SSHLIMIT net $FW tcp 22
+
+ Generalized Automatic Blacklisting
+
+ The above two actions are generalized in the AutoBL and AutoBLL
+ actions released in Shorewall 4.5.19. Only AutoBL is invoked directly
+ from your rules file; AutoBL invoked AutoBLL internally.
+
+
+ AutoBL
+
+ AutoBL(
+ event, [
+ Interval ], [
+ hitcount ], [
+ successive ], [
+ blacklist-time ], [
+ disposition ], [
+ log_level ] )
+
+
+
+ event
+
+
+ Name of the event. The blacklisting event itself will be
+ event_BL (analogous to SSH_COUNTER
+ above).
+
+
+
+
+ interval
+
+
+ Interval, in seconds, over which hits are to be counted.
+ Default is 60 seconds.
+
+
+
+
+ hitcount
+
+
+ Number of matching packets that will trigger automatic
+ blacklisting when they arrive in
+ interval seconds. Default is
+ 5.
+
+
+
+
+ successive
+
+
+ If a matching packet arrives within this many seconds of
+ the preceding one, it should be logged according to
+ log_level and handled according to
+ the disposition. If successive
+ packets are not to be considered, enter 0. Default is 2
+ seconds.
+
+
+
+
+ blacklist-time
+
+
+ Time, in seconds, that the source IP address is to be
+ blacklisted. Default is 300 (5 minutes).
+
+
+
+
+ disposition
+
+
+ The disposition of blacklisted packets. Default is
+ DROP.
+
+
+
+
+ log_level
+
+
+ Log level at which packets are to be logged. Default is
+ info.
+
+
+
+
+ To duplicate the SSHLIMIT entry in
+ /etc/shorewall/rules shown above:
+
+ #ACTION SOURCE DEST PROTO DEST
+# PORT(S)
+AutoBL(SSH,-,-,-,REJECT,warn)\
+ net $FW tcp 22
+
+
+