Add BLACKLIST action
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
e6933f4c8d
commit
9c3a82f628
39
Shorewall/Actions/action.BLACKLIST
Normal file
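--- /dev/null
+++ b/Shorewall/Actions/action.BLACKLIST
@@ -0,0 +1,39 @@
+#
+# Shorewall - /usr/share/shorewall/action.BLACKLIST
+#
+# This action:
+#
+# - Adds the sender to the dynamic blacklist ipset
+# - Optionally acts on the packet (default is DROP)
+#
+# Parameters:
+#
+# 1 - Action to take after adding the packet. Default is DROP.
+# Pass -- if you don't want to take any action.
+# 2 - Timeout for ipset entry. Default is the timeout specified in
+# DYNAMIC_BLACKLIST or the one specified when the ipset was created.
+#
+###############################################################################
+?if ! "$SW_DBL_IPSET"
+? error The BLACKLIST action may only be used with ipset-based dynamic blacklisting
+?endif
+
+DEFAULTS DROP,-
+
+#ACTION SOURCE DEST PROTO DPORT SPORT
+#
+# Add to the blacklist
+#
+?if passed(@2)
+ADD($SW_DBL_IPSET:src:@2)
+?elsif $SW_DBL_TIMEOUT
+ADD($SW_DBL_IPSET:src:$SW_DBL_TIMEOUT)
+?else
+ADD($SW_DBL_IPSET:src)
+?endif
+#
+# Dispose of the packet if asked
+#
+?if passed(@1)
+@1
+?endif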
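Review bot: The timeout parameter `@2` is spliced straight into the ipset rule at `ADD($SW_DBL_IPSET:src:@2)` with no check in this file that it is a non-negative integer, so a mistyped value is reported only by whatever validation the ADD target performs, which is outside this file. Since the guard at the top already rejects non-ipset configurations with a clear message, the header should at least state the expected form: `# 2 - Timeout for the ipset entry; must be a non-negative integer. Default is the timeout specified in`. Separately, `# 1 - Action to take after adding the packet.` reads as if the packet itself were added, while the rules below add the packet's source address; `# 1 - Action to take after adding the sender to the blacklist. Default is DROP.` is more accurate.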
@ -6312,6 +6312,8 @@ sub get_configuration( $$$$ ) {
|
|||||||
$config{ACCOUNTING_TABLE} = 'filter';
|
$config{ACCOUNTING_TABLE} = 'filter';
|
||||||
}
|
}
|
||||||
|
|
||||||
|
my %variables = ( SW_DBL_IPSET => '', SW_DBL_TIMEOUT => 0 );
|
||||||
|
|
||||||
if ( supplied( $val = $config{DYNAMIC_BLACKLIST} ) ) {
|
if ( supplied( $val = $config{DYNAMIC_BLACKLIST} ) ) {
|
||||||
if ( $val =~ /^ipset/ ) {
|
if ( $val =~ /^ipset/ ) {
|
||||||
my %simple_options = ( 'src-dst' => 1, 'disconnect' => 1 );
|
my %simple_options = ( 'src-dst' => 1, 'disconnect' => 1 );
|
||||||
@ -6352,6 +6354,9 @@ sub get_configuration( $$$$ ) {
|
|||||||
|
|
||||||
require_capability( 'IPSET_V5', 'DYNAMIC_BLACKLIST=ipset...', 's' );
|
require_capability( 'IPSET_V5', 'DYNAMIC_BLACKLIST=ipset...', 's' );
|
||||||
|
|
||||||
|
$variables{SW_DBL_IPSET} = $set;
|
||||||
|
$variables{SW_DBL_TIMEOUT} = $globals{DBL_TIMEOUT};
|
||||||
|
|
||||||
} else {
|
} else {
|
||||||
default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
|
default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
|
||||||
}
|
}
|
||||||
@ -6359,6 +6364,8 @@ sub get_configuration( $$$$ ) {
|
|||||||
default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
|
default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
add_variables( %variables );
|
||||||
|
|
||||||
default_yes_no 'REQUIRE_INTERFACE' , '';
|
default_yes_no 'REQUIRE_INTERFACE' , '';
|
||||||
default_yes_no 'FORWARD_CLEAR_MARK' , have_capability( 'MARK' ) ? 'Yes' : '';
|
default_yes_no 'FORWARD_CLEAR_MARK' , have_capability( 'MARK' ) ? 'Yes' : '';
|
||||||
default_yes_no 'COMPLETE' , '';
|
default_yes_no 'COMPLETE' , '';
|
||||||
|
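Review bot: `$variables{SW_DBL_TIMEOUT} = $globals{DBL_TIMEOUT};` in the second hunk unconditionally replaces the `0` default declared in `my %variables`, and nothing in these hunks shows `$globals{DBL_TIMEOUT}` being initialised; if the DYNAMIC_BLACKLIST setting may omit a timeout option, the exported variable becomes undef or empty and the action file's `?elsif $SW_DBL_TIMEOUT` test no longer sees the documented default. Guarding the assignment, `$variables{SW_DBL_TIMEOUT} = $globals{DBL_TIMEOUT} || 0;`, keeps the default meaningful and is a no-op if DBL_TIMEOUT is always set earlier. `$set` is likewise assigned outside the hunk, so the same "presumably set" caveat applies to `$variables{SW_DBL_IPSET} = $set;`. get_configuration begins and ends outside these three hunks.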
@ -28,6 +28,7 @@ A_Reject # Audited Default action for REJECT policy
|
|||||||
allowInvalid inline # Accepts packets in the INVALID conntrack state
|
allowInvalid inline # Accepts packets in the INVALID conntrack state
|
||||||
AutoBL noinline # Auto-blacklist IPs that exceed thesholds
|
AutoBL noinline # Auto-blacklist IPs that exceed thesholds
|
||||||
AutoBLL noinline # Helper for AutoBL
|
AutoBLL noinline # Helper for AutoBL
|
||||||
|
BLACKLIST logjump # Add sender to the dynamic blacklist
|
||||||
Broadcast noinline,audit # Handles Broadcast/Multicast/Anycast
|
Broadcast noinline,audit # Handles Broadcast/Multicast/Anycast
|
||||||
DNSAmp # Matches one-question recursive DNS queries
|
DNSAmp # Matches one-question recursive DNS queries
|
||||||
Drop # Default Action for DROP policy
|
Drop # Default Action for DROP policy
|
||||||