Implement REAP_OPTION capability

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/lib.cli

@@ -2260,6 +2260,7 @@ determine_capabilities() {
     PHYSDEV_BRIDGE=
     IPRANGE_MATCH=
     RECENT_MATCH=
+    REAP_OPTION=
     OWNER_MATCH=
     OWNER_NAME_MATCH=
     IPSET_MATCH=
@@ -2429,7 +2430,11 @@ determine_capabilities() {
 	fi
     fi
 
-    qt $g_tool -A $chain -m recent --update -j ACCEPT     && RECENT_MATCH=Yes
+    if qt $g_tool -A $chain -m recent --update -j ACCEPT; then
+	RECENT_MATCH=Yes
+	qt $g_tool -A $chain -m recent --rcheck --seconds 10 --reap && REAP_OPTION=Yes
+    fi
+
     qt $g_tool -A $chain -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes
 
     local name
@@ -2676,6 +2681,7 @@ report_capabilities_unsorted() {
     report_capability "Packet length Match (LENGTH_MATCH)" $LENGTH_MATCH
     report_capability "IP range Match(IPRANGE_MATCH)" $IPRANGE_MATCH
     report_capability "Recent Match (RECENT_MATCH)" $RECENT_MATCH
+    [ -n "$RECENT_MATCH" ] && report_capability 'Recent Match "--reap" option'
     report_capability "Owner Match (OWNER_MATCH)" $OWNER_MATCH
     report_capability "Owner Name Match (OWNER_NAME_MATCH)" $OWNER_NAME_MATCH
     if [ -n "$IPSET_MATCH" ]; then
@@ -2797,6 +2803,7 @@ report_capabilities_unsorted1() {
     report_capability1 LENGTH_MATCH
     report_capability1 IPRANGE_MATCH
     report_capability1 RECENT_MATCH
+    report_capability1 REAP_OPTION
     report_capability1 OWNER_MATCH
     report_capability1 OWNER_NAME_MATCH
     report_capability1 IPSET_MATCH

Shorewall/Perl/Shorewall/Config.pm

@@ -316,6 +316,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 LENGTH_MATCH    => 'Packet length Match',
 		 IPRANGE_MATCH   => 'IP Range Match',
 		 RECENT_MATCH    => 'Recent Match',
+                 REAP_OPTION     => 'Recent Match "--reap" option',
 		 OWNER_MATCH     => 'Owner Match',
 		 OWNER_NAME_MATCH
 		                 => 'Owner Name Match',
@@ -947,6 +948,7 @@ sub initialize( $;$$) {
 	       MASQUERADE_TGT => undef,
 	       UDPLITEREDIRECT => undef,
 	       NEW_TOS_MATCH => undef,
+	       REAP_OPTION => undef,
 
 	       AMANDA_HELPER => undef,
 	       FTP_HELPER => undef,
@@ -3819,6 +3821,11 @@ sub Recent_Match() {
     qt1( "$iptables $iptablesw -A $sillyname -m recent --update -j ACCEPT" );
 }
 
+sub Reap_Option() {
+    ( have_capability( 'RECENT_MATCH' ) &&
+      qt1( "$iptables $iptablesw -A $sillyname -m recent --rcheck --seconds 10 --reap" ) );
+}
+
 sub Owner_Match() {
     qt1( "$iptables $iptablesw -A $sillyname -m owner --uid-owner 0 -j ACCEPT" );
 }
@@ -4286,6 +4293,7 @@ our %detect_capability =
       RAW_TABLE => \&Raw_Table,
       RAWPOST_TABLE => \&Rawpost_Table,
       REALM_MATCH => \&Realm_Match,
+      REAP_OPTION => \&Reap_Option,
       RECENT_MATCH => \&Recent_Match,
       RPFILTER_MATCH => \&RPFilter_Match,
       SANE_HELPER => \&SANE_Helper,
@@ -4385,6 +4393,7 @@ sub determine_capabilities() {
 
 	$capabilities{IPRANGE_MATCH}   = detect_capability( 'IPRANGE_MATCH' );
 	$capabilities{RECENT_MATCH}    = detect_capability( 'RECENT_MATCH' );
+	$capabilities{REAP_OPTION}     = detect_capability( 'REAP_OPTION' );
 	$capabilities{OWNER_MATCH}     = detect_capability( 'OWNER_MATCH' );
 	$capabilities{OWNER_NAME_MATCH}
                                        = detect_capability( 'OWNER_NAME_MATCH' );

Shorewall/action.AutoBL

@@ -22,6 +22,9 @@
 DEFAULTS -,60,5,2,300,DROP,info
 
 ?begin perl
+
+use Shorewall::Config;
+
 my ( $event, $interval, $count, $successive, $bltime, $disposition, $level ) = get_action_params(7);
 
 fatal_error "The event name parameter to AutoBL is required"            unless supplied $event;
@@ -37,11 +40,16 @@ validate_level( $level );
 #
 # Silently reject the client if blacklisted
 #
-IfEvent(${1}_BL,$6,$5,1,src,check:reap)
+?if $REAP_OPTION
+?set check_param 'check:reap'
+?else
+?set check_param 'check'
+?endif
+IfEvent(${1}_BL,$6,$5,1,src,$check_param)
 #
 # Blacklist if M attempts in the last N seconds
 #
-IfEvent($1,AutoBLL($1,$6,$7),$2,$3,src,check:reap)
+IfEvent($1,AutoBLL($1,$6,$7),$2,$3,src,$check_param)
 #
 # Log and reject if the client has tried to connect
 # in the last N seconds

Shorewall/action.IfEvent

@@ -97,7 +97,8 @@ set_action_name_to_caller;
 require_capability 'RECENT_MATCH', 'Use of events', 's';
 
 if ( $command & $REAP_OPT ) {
-    fatal_error "${command}reap requires a time limit" if ! $duration;
+    require_capability( 'REAP_OPTION', q(The 'reap' option), 's' );
+    fatal_error "${command}reap requires a time limit" unless $duration;
     $duration .= '--reap ';
 }