Add BLACKLIST action

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-11-22 07:33:43 +01:00 · 2017-01-19 14:08:15 -08:00 · 2017-01-19 14:08:15 -08:00 · 9c3a82f628
commit 9c3a82f628
parent e6933f4c8d
3 changed files with 78 additions and 31 deletions
--- a/Shorewall/Actions/action.BLACKLIST
+++ b/Shorewall/Actions/action.BLACKLIST
@ -0,0 +1,39 @@
+#
+# Shorewall - /usr/share/shorewall/action.BLACKLIST
+#
+# This action:
+#
+#   - Adds the sender to the dynamic blacklist ipset
+#   - Optionally acts on the packet (default is DROP)
+#
+# Parameters:
+#
+# 1 - Action to take after adding the packet. Default is DROP.
+#     Pass -- if you don't want to take any action.
+# 2 - Timeout for ipset entry. Default is the timeout specified in
+#     DYNAMIC_BLACKLIST or the one specified when the ipset was created.
+#
+###############################################################################
+?if ! "$SW_DBL_IPSET"
+?   error The BLACKLIST action may only be used with ipset-based dynamic blacklisting
+?endif
+
+DEFAULTS DROP,-
+
+#ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
+#
+# Add to the blacklist
+#
+?if passed(@2)
+    ADD($SW_DBL_IPSET:src:@2)
+?elsif $SW_DBL_TIMEOUT
+    ADD($SW_DBL_IPSET:src:$SW_DBL_TIMEOUT)
+?else
+    ADD($SW_DBL_IPSET:src)
+?endif
+#
+# Dispose of the packet if asked
+#
+?if passed(@1)
+   @1
+?endif
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@ -6312,6 +6312,8 @@ sub get_configuration( $$$$ ) {
 	$config{ACCOUNTING_TABLE} = 'filter';
    }

+    my %variables = ( SW_DBL_IPSET => '', SW_DBL_TIMEOUT => 0 );
+
    if ( supplied( $val = $config{DYNAMIC_BLACKLIST} ) ) {
 	if ( $val =~ /^ipset/ ) {
 	    my %simple_options = ( 'src-dst' => 1, 'disconnect' => 1 );
@ -6352,6 +6354,9 @@ sub get_configuration( $$$$ ) {

 	    require_capability( 'IPSET_V5', 'DYNAMIC_BLACKLIST=ipset...', 's' );

+	    $variables{SW_DBL_IPSET}   = $set;
+	    $variables{SW_DBL_TIMEOUT} = $globals{DBL_TIMEOUT};
+
 	} else {
 	    default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
 	}
@ -6359,6 +6364,8 @@ sub get_configuration( $$$$ ) {
 	default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
    }

+    add_variables( %variables );
+
    default_yes_no 'REQUIRE_INTERFACE'          , '';
    default_yes_no 'FORWARD_CLEAR_MARK'         , have_capability( 'MARK' ) ? 'Yes' : '';
    default_yes_no 'COMPLETE'                   , '';
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@ -9,44 +9,45 @@
 # Builtin Actions are:
 #
 ?if 0
-A_ACCEPT                        # Audits then accepts a connection request
-A_DROP                          # Audits then drops a connection request
-allowBcast		        # Silently Allow Broadcast/multicast
-dropBcast		        # Silently Drop Broadcast/multicast
-dropNotSyn		        # Silently Drop Non-syn TCP packets
-rejNotSyn		        # Silently Reject Non-syn TCP packets
-allowinUPnP	                # Allow UPnP inbound (to firewall) traffic
-forwardUPnP	                # Allow traffic that upnpd has redirected from 'upnp' interfaces.
-Limit                           # Limit the rate of connections from each individual IP address
+A_ACCEPT			# Audits then accepts a connection request
+A_DROP				# Audits then drops a connection request
+allowBcast			# Silently Allow Broadcast/multicast
+dropBcast			# Silently Drop Broadcast/multicast
+dropNotSyn			# Silently Drop Non-syn TCP packets
+rejNotSyn			# Silently Reject Non-syn TCP packets
+allowinUPnP			# Allow UPnP inbound (to firewall) traffic
+forwardUPnP			# Allow traffic that upnpd has redirected from 'upnp' interfaces.
+Limit				# Limit the rate of connections from each individual IP address
 ?endif
 ###############################################################################
 #ACTION
-A_Drop 		                # Audited Default Action for DROP policy
-A_REJECT     noinline,logjump   # Audits then rejects a connection request
-A_REJECT!    inline             # Audits then rejects a connection request
-A_Reject	                # Audited Default action for REJECT policy
+A_Drop				# Audited Default Action for DROP policy
+A_REJECT     noinline,logjump	# Audits then rejects a connection request
+A_REJECT!    inline		# Audits then rejects a connection request
+A_Reject			# Audited Default action for REJECT policy
 allowInvalid inline		# Accepts packets in the INVALID conntrack state
-AutoBL       noinline           # Auto-blacklist IPs that exceed thesholds
-AutoBLL      noinline           # Helper for AutoBL
-Broadcast    noinline,audit     # Handles Broadcast/Multicast/Anycast
-DNSAmp                          # Matches one-question recursive DNS queries
-Drop		                # Default Action for DROP policy
+AutoBL	     noinline		# Auto-blacklist IPs that exceed thesholds
+AutoBLL	     noinline		# Helper for AutoBL
+BLACKLIST    logjump		# Add sender to the dynamic blacklist
+Broadcast    noinline,audit	# Handles Broadcast/Multicast/Anycast
+DNSAmp				# Matches one-question recursive DNS queries
+Drop				# Default Action for DROP policy
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
-DropSmurfs   noinline           # Drop smurf packets
+DropSmurfs   noinline		# Drop smurf packets
 Established  inline,\		# Handles packets in the ESTABLISHED state
-	     state=ESTABLISHED  #
+	     state=ESTABLISHED	#
 GlusterFS    inline		# Handles GlusterFS
-IfEvent      noinline           # Perform an action based on an event
-Invalid      inline,audit,\     # Handles packets in the INVALID conntrack state
-             state=INVALID      #
+IfEvent	     noinline		# Perform an action based on an event
+Invalid	     inline,audit,\	# Handles packets in the INVALID conntrack state
+	     state=INVALID	#
 New	     inline,state=NEW	# Handles packets in the NEW conntrack state
-NotSyn       inline,audit       # Handles TCP packets which do not have SYN=1 and ACK=0
-Reject                          # Default Action for REJECT policy
-Related      inline,\		# Handles packets in the RELATED conntrack state
-             state=RELATED      #
+NotSyn	     inline,audit	# Handles TCP packets which do not have SYN=1 and ACK=0
+Reject				# Default Action for REJECT policy
+Related	     inline,\		# Handles packets in the RELATED conntrack state
+	     state=RELATED	#
 ResetEvent   inline		# Reset an Event
-RST	     inline,audit       # Handle packets with RST set
+RST	     inline,audit	# Handle packets with RST set
 SetEvent     inline		# Initialize an event
-TCPFlags    			# Handle bad flag combinations.
-Untracked    inline,\           # Handles packets in the UNTRACKED conntrack state
-	     state=UNTRACKED    #
+TCPFlags			# Handle bad flag combinations.
+Untracked    inline,\		# Handles packets in the UNTRACKED conntrack state
+	     state=UNTRACKED	#