Add BLACKLIST action

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2025-06-21 02:08:48 +02:00 · 2017-01-19 14:08:15 -08:00 · 2017-01-19 14:08:15 -08:00 · 9c3a82f628
commit 9c3a82f628
parent e6933f4c8d
3 changed files with 78 additions and 31 deletions
--- a/Shorewall/Actions/action.BLACKLIST
+++ b/Shorewall/Actions/action.BLACKLIST
@ -0,0 +1,39 @@
+#
+# Shorewall - /usr/share/shorewall/action.BLACKLIST
+#
+# This action:
+#
+#   - Adds the sender to the dynamic blacklist ipset
+#   - Optionally acts on the packet (default is DROP)
+#
+# Parameters:
+#
+# 1 - Action to take after adding the packet. Default is DROP.
+#     Pass -- if you don't want to take any action.
+# 2 - Timeout for ipset entry. Default is the timeout specified in
+#     DYNAMIC_BLACKLIST or the one specified when the ipset was created.
+#
+###############################################################################
+?if ! "$SW_DBL_IPSET"
+?   error The BLACKLIST action may only be used with ipset-based dynamic blacklisting
+?endif
+
+DEFAULTS DROP,-
+
+#ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
+#
+# Add to the blacklist
+#
+?if passed(@2)
+    ADD($SW_DBL_IPSET:src:@2)
+?elsif $SW_DBL_TIMEOUT
+    ADD($SW_DBL_IPSET:src:$SW_DBL_TIMEOUT)
+?else
+    ADD($SW_DBL_IPSET:src)
+?endif
+#
+# Dispose of the packet if asked
+#
+?if passed(@1)
+   @1
+?endif
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@ -6312,6 +6312,8 @@ sub get_configuration( $$$$ ) {
 	$config{ACCOUNTING_TABLE} = 'filter';
    }

+    my %variables = ( SW_DBL_IPSET => '', SW_DBL_TIMEOUT => 0 );
+
    if ( supplied( $val = $config{DYNAMIC_BLACKLIST} ) ) {
 	if ( $val =~ /^ipset/ ) {
 	    my %simple_options = ( 'src-dst' => 1, 'disconnect' => 1 );
@ -6352,6 +6354,9 @@ sub get_configuration( $$$$ ) {

 	    require_capability( 'IPSET_V5', 'DYNAMIC_BLACKLIST=ipset...', 's' );

+	    $variables{SW_DBL_IPSET}   = $set;
+	    $variables{SW_DBL_TIMEOUT} = $globals{DBL_TIMEOUT};
+
 	} else {
 	    default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
 	}
@ -6359,6 +6364,8 @@ sub get_configuration( $$$$ ) {
 	default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
    }

+    add_variables( %variables );
+
    default_yes_no 'REQUIRE_INTERFACE'          , '';
    default_yes_no 'FORWARD_CLEAR_MARK'         , have_capability( 'MARK' ) ? 'Yes' : '';
    default_yes_no 'COMPLETE'                   , '';
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@ -28,6 +28,7 @@ A_Reject	                # Audited Default action for REJECT policy
 allowInvalid inline		# Accepts packets in the INVALID conntrack state
 AutoBL	     noinline		# Auto-blacklist IPs that exceed thesholds
 AutoBLL	     noinline		# Helper for AutoBL
+BLACKLIST    logjump		# Add sender to the dynamic blacklist
 Broadcast    noinline,audit	# Handles Broadcast/Multicast/Anycast
 DNSAmp				# Matches one-question recursive DNS queries
 Drop				# Default Action for DROP policy