From f0372d92091b04cbf0e5f13e038b58e0d7b9564d Mon Sep 17 00:00:00 2001 From: teastep Date: Thu, 23 Mar 2006 16:37:45 +0000 Subject: [PATCH] Add 'logdrop' and 'logreject' commands for dynamic blacklisting with logging git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3715 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall/changelog.txt | 2 ++ Shorewall/compiler | 10 +++++++++- Shorewall/help | 24 +++++++++++++++++++++--- Shorewall/releasenotes.txt | 11 +++++++++++ Shorewall/shorewall | 36 +++++++++++++++++++++++++++++++++--- 5 files changed, 76 insertions(+), 7 deletions(-) diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index 086531c16..66672b27f 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -6,6 +6,8 @@ Changes in 3.2.0 Beta 2 3) Add 'refreshed' extension script. +4) Implement 'logdrop' and 'logreject' + Changes in 3.1.x. and 3.2.x 1) Removal of dynamic zones. diff --git a/Shorewall/compiler b/Shorewall/compiler index 8a44126e7..ffcdda2a8 100755 --- a/Shorewall/compiler +++ b/Shorewall/compiler @@ -7261,15 +7261,23 @@ initialize_netfilter () { createchain reject no createchain dynamic no + createchain logdrop no + createchain logreject no createchain smurfs no + log_rule ${BLACKLIST_LOGLEVEL:-info} logdrop DROP + log_rule ${BLACKLIST_LOGLEVEL:-info} logreject REJECT + + run_iptables -A logdrop -j DROP + run_iptables -A logreject -j reject + indent >&3 << __EOF__ if [ -f /var/lib/shorewall/save ]; then progress_message2 "Setting up dynamic rules..." while read target ignore1 ignore2 address rest; do case \$target in - DROP|reject) + DROP|reject|logdrop|logreject) run_iptables -A dynamic -s \$address -j \$target ;; esac diff --git a/Shorewall/help b/Shorewall/help index ff6a3c7a3..372c5298e 100755 --- a/Shorewall/help +++ b/Shorewall/help @@ -161,7 +161,7 @@ drop) echo "$1: $1
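Review bot: The two `log_rule ${BLACKLIST_LOGLEVEL:-info} ...` lines in the compiler hunk log every packet from a dynamically blacklisted source before it reaches DROP or the `reject` chain, and nothing visible in the hunk bounds that rate; a host that an admin has already judged hostile can therefore fill LOGFILE as fast as it can send. If `log_rule` already folds in the LOGRATE/LOGBURST limit from shorewall.conf (its body is outside the hunk) a comment saying so would settle it; otherwise these should use the compiler's limited logging variant, the same way the static blacklist chain is logged. A short comment on the `createchain logdrop no` line would also help the next reader: `# logdrop/logreject: dynamic-blacklist targets that log at BLACKLIST_LOGLEVEL (info if unset), then DROP / jump to the reject chain`. The `case \$target in` whitelist in the save-file restore loop correctly gains only the two new chain names, so an edited /var/lib/shorewall/save still cannot steer traffic to an arbitrary target; initialize_netfilter begins before the hunk.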
... Causes packets from the specified
to be ignored - Shorewall allow, drop, reject and save implement dynamic blacklisting. + Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting. See also \"help address\"" ;; @@ -215,12 +215,30 @@ iprange) equivalent list of network/host addresses." ;; +logdrop) + echo "$1: $1
... + Causes packets from the specified
to be ignored and loged. + + Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting. + + See also \"help address\"" + ;; + logwatch) echo "logwatch: logwatch [] Monitors the LOGFILE, $LOGFILE, and produces an audible alarm when new Shorewall messages are logged." ;; +logreject) + echo "$1: $1
... + Causes packets from the specified
to be rejected and logged. + + Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting. + + See also \"help address\"" + ;; + refresh) echo "refresh: refresh The rules involving the broadcast addresses of firewall interfaces, @@ -232,7 +250,7 @@ reject) echo "$1: $1
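Review bot: The new logdrop help entry has the typo `loged`; it should read `to be ignored and logged.` so it matches the parallel logreject entry in the same hunk. Both new entries could also state where the logging goes, as the release notes in this commit do: `Packets are logged at BLACKLIST_LOGLEVEL if it was set at the last [re]start, otherwise at 'info'.` — without that, a user reading only `shorewall help logdrop` has no way to know which level to grep for.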
... Causes packets from the specified
to be rejected - Shorewall allow, drop, rejct and save implement dynamic blacklisting. + Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting. See also \"help address\"" ;; @@ -283,7 +301,7 @@ save) and 'shorewall -f start' commands. If is not given then the state is saved in the file specified by the RESTOREFILE option in shorewall.conf. - Shorewall allow, drop, rejct and save implement dynamic blacklisting. + Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting. See also \"help restore\" and \"help forget\"" ;; diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index 244d4d0db..dbd0f6214 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt @@ -43,6 +43,17 @@ Other changes in 3.2.0 Beta 2 1) A 'refreshed' extension script has been added -- it is executed after "shorewall refresh" has finished. +2) Two new dynamic blacklisting commands have been added: + + logdrop -- like 'drop' but causes the dropped packets to be logged. + + logreject -- like 'reject' but causes the rejected packets to be + logged. + + Packets are logged at the BLACKLIST_LOGLEVEL if one was specified at the + last "shorewall [re]start"; otherwise, they are logged at the 'info' + log level. + Migration Considerations: 1) A number of macros have been split into two. The macros affected are: diff --git a/Shorewall/shorewall b/Shorewall/shorewall index b2e4d9469..578fef2b3 100755 --- a/Shorewall/shorewall +++ b/Shorewall/shorewall @@ -1314,6 +1314,8 @@ usage() # $1 = exit status echo " ipcalc {
/ |
}" echo " ipdecimal {
| }" echo " iprange
-
" + echo " logdrop
..." + echo " logreject
..." echo " logwatch []" echo " refresh" echo " reject
..." @@ -1777,6 +1779,8 @@ case "$COMMAND" in shift qt $IPTABLES -D dynamic -s $1 -j reject qt $IPTABLES -D dynamic -s $1 -j DROP + qt $IPTABLES -D dynamic -s $1 -j logreject + qt $IPTABLES -D dynamic -s $1 -j logdrop $IPTABLES -A dynamic -s $1 -j DROP || break 1 echo "$1 Dropped" done @@ -1786,7 +1790,7 @@ case "$COMMAND" in exit 2 fi ;; - reject) + logdrop) [ -n "$debugging" ] && set -x [ $# -eq 1 ] && usage 1 if shorewall_is_started ; then @@ -1795,7 +1799,29 @@ case "$COMMAND" in shift qt $IPTABLES -D dynamic -s $1 -j reject qt $IPTABLES -D dynamic -s $1 -j DROP - $IPTABLES -A dynamic -s $1 -j reject || break 1 + qt $IPTABLES -D dynamic -s $1 -j logreject + qt $IPTABLES -D dynamic -s $1 -j logdrop + $IPTABLES -A dynamic -s $1 -j logdrop || break 1 + echo "$1 Dropped" + done + mutex_off + else + error_message "ERROR: Shorewall is not started" + exit 2 + fi + ;; + reject|logreject) + [ -n "$debugging" ] && set -x + [ $# -eq 1 ] && usage 1 + if shorewall_is_started ; then + mutex_on + while [ $# -gt 1 ]; do + shift + qt $IPTABLES -D dynamic -s $1 -j reject + qt $IPTABLES -D dynamic -s $1 -j DROP + qt $IPTABLES -D dynamic -s $1 -j logreject + qt $IPTABLES -D dynamic -s $1 -j logdrop + $IPTABLES -A dynamic -s $1 -j $COMMAND || break 1 echo "$1 Rejected" done mutex_off @@ -1811,7 +1837,11 @@ case "$COMMAND" in mutex_on while [ $# -gt 1 ]; do shift - if qt $IPTABLES -D dynamic -s $1 -j reject || qt $IPTABLES -D dynamic -s $1 -j DROP; then + if qt $IPTABLES -D dynamic -s $1 -j reject ||\ + qt $IPTABLES -D dynamic -s $1 -j DROP ||\ + qt $IPTABLES -D dynamic -s $1 -j logdrop ||\ + qt $IPTABLES -D dynamic -s $1 -j logreject + then echo "$1 Allowed" else echo "$1 Not Dropped or Rejected"