#
# Shorewall - /usr/share/shorewall/action.BLACKLIST
#
# This action:
#
#   - Adds the sender to the dynamic blacklist ipset
#   - Optionally acts on the packet (default is DROP)
#
# Parameters:
#
# 1 - Action to take on the packet after adding its sender to the ipset. Default is DROP.
#     Pass -- if you don't want to take any action.
# 2 - Timeout for ipset entry. Default is the timeout specified in
#     DYNAMIC_BLACKLIST or the one specified when the ipset was created.
#
###############################################################################
# Note -- This action is defined with the 'section' option, so the first
#         parameter is always the section name. That means that in the
#         following text, the first parameter passed in the rule is actually
#         @2.
###############################################################################
#
# $1 holds the section name because this action is declared with the
# 'section' option. In the BLACKLIST section the action only disposes of the
# packet: through 'blacklog' when BLACKLIST_LOG_LEVEL is set, otherwise with
# BLACKLIST_DISPOSITION. Nothing is added to the ipset on this path.
#
?if $1 eq 'BLACKLIST'
   ?if $BLACKLIST_LOG_LEVEL
       blacklog
   ?else
       $BLACKLIST_DISPOSITION
   ?endif
?else
   #
   # Every other section needs ipset-based dynamic blacklisting. When
   # SW_DBL_IPSET is empty the rule is rejected with an error instead of
   # silently skipping the ADD below.
   #
   ?if ! "$SW_DBL_IPSET"
   ?   error The BLACKLIST action may only be used with ipset-based dynamic blacklisting
   ?endif

   #
   # Parameter defaults, in order: section name (none), packet action @2
   # (DROP), ipset entry timeout @3 (none).
   #
   DEFAULTS -,DROP,-
   #
   # Add to the blacklist
   #
   # Timeout precedence: an explicit @3 wins, then SW_DBL_TIMEOUT, and
   # otherwise the entry is added without a timeout argument, so whatever
   # timeout the ipset was created with applies.
   #
   # NOTE(review): the entry is keyed on the packet's source address (':src').
   # That address is only as trustworthy as the traffic the invoking rule
   # matches; for packets whose source can be forged, a third party's address
   # could end up blacklisted. Prefer invoking this action from rules that
   # match traffic with a verified source, and use a timeout so that mistaken
   # entries expire.
   #
   ?if passed(@3)
       ADD($SW_DBL_IPSET:src:@3)
   ?elsif $SW_DBL_TIMEOUT
       ADD($SW_DBL_IPSET:src:$SW_DBL_TIMEOUT)
   ?else
       ADD($SW_DBL_IPSET:src)
   ?endif
   #
   # Dispose of the packet if asked
   #
   # This runs after the ADD, so the sender is blacklisted even when no
   # action is taken on the triggering packet itself.
   #
   ?if passed(@2)
      @2
   ?endif
?endif