extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-21 02:08:48 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add BLACKLIST action

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2017-01-19 14:08:15 -08:00
parent e6933f4c8d
commit 9c3a82f628
No known key found for this signature in database
GPG Key ID: 96E6B3F2423A4D10
3 changed files with 78 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
Shorewall/Actions/action.BLACKLIST Normal file
View File

@ -0,0 +1,39 @@
#
# Shorewall - /usr/share/shorewall/action.BLACKLIST
#
# This action:
#
# - Adds the sender to the dynamic blacklist ipset
# - Optionally acts on the packet (default is DROP)
#
# Parameters:
#
# 1 - Action to take after adding the packet. Default is DROP.
# Pass -- if you don't want to take any action.
# 2 - Timeout for ipset entry. Default is the timeout specified in
# DYNAMIC_BLACKLIST or the one specified when the ipset was created.
#
###############################################################################
?if ! "$SW_DBL_IPSET"
? error The BLACKLIST action may only be used with ipset-based dynamic blacklisting
?endif
DEFAULTS DROP,-
#ACTION SOURCE DEST PROTO DPORT SPORT
#
# Add to the blacklist
#
?if passed(@2)
ADD($SW_DBL_IPSET:src:@2)
?elsif $SW_DBL_TIMEOUT
ADD($SW_DBL_IPSET:src:$SW_DBL_TIMEOUT)
?else
ADD($SW_DBL_IPSET:src)
?endif
#
# Dispose of the packet if asked
#
?if passed(@1)
@1
?endif

7
Shorewall/Perl/Shorewall/Config.pm
View File

@ -6312,6 +6312,8 @@ sub get_configuration( $$$$ ) {
$config{ACCOUNTING_TABLE} = 'filter'; $config{ACCOUNTING_TABLE} = 'filter';
} }
my %variables = ( SW_DBL_IPSET => '', SW_DBL_TIMEOUT => 0 );
if ( supplied( $val = $config{DYNAMIC_BLACKLIST} ) ) { if ( supplied( $val = $config{DYNAMIC_BLACKLIST} ) ) {
if ( $val =~ /^ipset/ ) { if ( $val =~ /^ipset/ ) {
my %simple_options = ( 'src-dst' => 1, 'disconnect' => 1 ); my %simple_options = ( 'src-dst' => 1, 'disconnect' => 1 );
@ -6352,6 +6354,9 @@ sub get_configuration( $$$$ ) {
require_capability( 'IPSET_V5', 'DYNAMIC_BLACKLIST=ipset...', 's' ); require_capability( 'IPSET_V5', 'DYNAMIC_BLACKLIST=ipset...', 's' );
$variables{SW_DBL_IPSET} = $set;
$variables{SW_DBL_TIMEOUT} = $globals{DBL_TIMEOUT};
} else { } else {
default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' ); default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
} }
@ -6359,6 +6364,8 @@ sub get_configuration( $$$$ ) {
default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' ); default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
} }
add_variables( %variables );
default_yes_no 'REQUIRE_INTERFACE' , ''; default_yes_no 'REQUIRE_INTERFACE' , '';
default_yes_no 'FORWARD_CLEAR_MARK' , have_capability( 'MARK' ) ? 'Yes' : ''; default_yes_no 'FORWARD_CLEAR_MARK' , have_capability( 'MARK' ) ? 'Yes' : '';
default_yes_no 'COMPLETE' , ''; default_yes_no 'COMPLETE' , '';

1
Shorewall/actions.std
View File

@ -28,6 +28,7 @@ A_Reject # Audited Default action for REJECT policy
allowInvalid inline # Accepts packets in the INVALID conntrack state allowInvalid inline # Accepts packets in the INVALID conntrack state
AutoBL noinline # Auto-blacklist IPs that exceed thesholds AutoBL noinline # Auto-blacklist IPs that exceed thesholds
AutoBLL noinline # Helper for AutoBL AutoBLL noinline # Helper for AutoBL
BLACKLIST logjump # Add sender to the dynamic blacklist
Broadcast noinline,audit # Handles Broadcast/Multicast/Anycast Broadcast noinline,audit # Handles Broadcast/Multicast/Anycast
DNSAmp # Matches one-question recursive DNS queries DNSAmp # Matches one-question recursive DNS queries
Drop # Default Action for DROP policy Drop # Default Action for DROP policy