Fix blacklist handling

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@5557 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

New/Shorewall/Rules.pm

@@ -154,10 +154,30 @@ sub setup_syn_flood_chains() {
 
 sub setup_blacklist() {
 
+    my $hosts = find_hosts_by_option 'blacklist';
+
+    if ( @$hosts ) {
+
 	my ( $level, $disposition ) = @config{'BLACKLIST_LOGLEVEL', 'BLACKLIST_DISPOSITION' };
 
 	progress_message2 "   Setting up Blacklist...";
 
+	new_standard_chain 'blacklst';
+
+	my $target = $disposition eq 'REJECT' ? 'reject' : $disposition;
+
+	if ( $level ) {
+	    my $chainref = new_standard_chain 'blacklog';
+	
+	    log_rule_limit( $level , $chainref , 'blacklst' , $disposition , "$env{LOGLIMIT}" , '', 'add',	'' );
+	
+	    add_rule $chainref, "-j $target" ;
+
+	    $target = 'blacklog';
+	}
+
+	if ( -s "$ENV{TMP_DIR}/blacklist" ) {
+
 	    open BL, "$ENV{TMP_DIR}/blacklist" or fatal_error "Unable to open stripped blacklist file: $!";
 
 	    progress_message( "      Processing " . find_file 'blacklist' . '...' );
@@ -177,18 +197,17 @@ sub setup_blacklist() {
 		    $networks ,
 		    '' ,
 		    '' ,
-	    '-j ' . ($disposition eq 'REJECT' ? 'reject' : $disposition),
-	    $level ,
+		    "-j $target" ,
+		    '' ,
 		    $disposition ,
 		    '';
 	
 		progress_message "         \"$line\" added to blacklist";
 	    }
+	}
 
 	close BL;
 
-    my $hosts = find_hosts_by_option 'blacklist';
-
 	my $state = $config{BLACKLISTNEWONLY} ? '-m state --state NEW,INVALID ' : '';
     
 	for my $hostref ( @$hosts ) {
@@ -204,6 +223,7 @@ sub setup_blacklist() {
 
 	    progress_message "   Blacklisting enabled on ${interface}:${network}";
 	}
+    }
 }
 
 sub process_criticalhosts() {
@@ -363,9 +383,14 @@ sub add_common_rules() {
 
     my $rejectref = new_standard_chain 'reject';
 
+    $level = $env{BLACKLIST_LOG_LEVEL} || 'info';
+
+    add_rule_pair new_standard_chain( 'logdrop' ),   ' ' , 'DROP'   , $level ;
+    add_rule_pair new_standard_chain( 'logreject' ), ' ' , 'REJECT' , $level ;
+
     new_standard_chain 'dynamic';
 
-    my $state = $config{BLACKLISTNEWONLY} ? '-m state --state NEW,INVALID' : '';
+    my $state = $config{BLACKLISTNEWONLY} ? '-m state --state NEW,INVALID ' : '';
     
     for $interface ( @interfaces ) {
 	for $chain ( input_chain $interface , forward_chain $interface ) {
@@ -375,11 +400,6 @@ sub add_common_rules() {
 	new_standard_chain output_chain( $interface );
     }
 
-    $level = $env{BLACKLIST_LOG_LEVEL} || 'info';
-
-    add_rule_pair new_standard_chain( 'logdrop' ),   ' ' , 'DROP'   , $level ;
-    add_rule_pair new_standard_chain( 'logreject' ), ' ' , 'REJECT' , $level ;
-
     setup_blacklist;
 
     $list = find_hosts_by_option 'nosmurfs';

New/compiler.pl

@@ -329,8 +329,8 @@ stop_firewall() {
 	    emit "
     for chain in INPUT OUTPUT; do
 	setpolicy \$chain DROP
-    done";
-	    emit '';
+    done
+";
 	} else {
 	    emit "
     for chain in INPUT OUTPUT; do
@@ -339,9 +339,8 @@ stop_firewall() {
 
     setpolicy FORWARD DROP
 
-    deleteallchains";
-
-	    emit '';
+    deleteallchains
+";
 
 	    for my $hosts ( @$criticalhosts ) {
                 my ( $interface, $host ) = ( split /,/, $hosts );
@@ -357,9 +356,9 @@ stop_firewall() {
 
     for chain in INPUT FORWARD; do
 	setcontinue \$chain
-    done";
+    done
+";
 
-	    emit '';
 	}
     } elsif ( ! $config{ADMINISABSENTMINDED} ) {
 	emit "
@@ -380,9 +379,8 @@ stop_firewall() {
 
     for chain in INPUT FORWARD; do
 	setcontinue \$chain
-    done";
-
-	emit '';
+    done
+";
     }
 
     push_indent;