From 3c1cff079436a5896559793629baadb3c73cedc4 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Thu, 16 Sep 2010 06:55:48 -0700
Subject: [PATCH] First steps toward zone-based blacklisting

---
 Shorewall/Perl/Shorewall/Rules.pm | 4 +++-
 Shorewall/Perl/Shorewall/Zones.pm | 37 +++++++++++++++++--------------
 2 files changed, 23 insertions(+), 18 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 48124064f..d4f05e7e0 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -46,7 +46,7 @@ our @EXPORT = qw( process_tos
 compile_stop_firewall
 );
 our @EXPORT_OK = qw( process_rule process_rule1 initialize );
-our $VERSION = '4.4_13';
+our $VERSION = '4.4_14';
 our $macro_nest_level;
 our $current_param;
@@ -1851,6 +1851,8 @@ sub generate_matrix() {
 #
 my $frwd_ref = new_standard_chain zone_forward_chain( $zone );
+ add_jump( $frwd_ref, $filter_table->{blacklst}, 0 ) if $zoneref->{options}{in}{blacklist};
+
 if ( have_ipsec ) {
 #
 # Because policy match only matches an 'in' or an 'out' policy (but not both), we have to place the
diff --git a/Shorewall/Perl/Shorewall/Zones.pm b/Shorewall/Perl/Shorewall/Zones.pm
index a92571b45..76eb41b56 100644
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -84,7 +84,7 @@ our @EXPORT = qw( NOTHING
 );
 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_13';
+our $VERSION = '4.4_14';
 #
 # IPSEC Option types
@@ -299,6 +299,7 @@ sub initialize( $ ) {
 sub parse_zone_option_list($$) {
 my %validoptions = ( mss => NUMERIC,
+ blacklist => NOTHING,
 strict => NOTHING,
 next => NOTHING,
 reqid => NUMERIC,
@@ -311,7 +312,7 @@ sub parse_zone_option_list($$)
 #
 # Hash of options that have their own key in the returned hash.
 #
- my %key = ( mss => 'mss' );
+ my %key = ( mss => 1 , blacklist => 'blacklist' );
 my ( $list, $zonetype ) = @_;
 my %h;
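Review bot: The added jump in generate_matrix passes `$filter_table->{blacklst}` to add_jump unconditionally once a zone's `in` options carry `blacklist`, and nothing in this hunk shows that the blacklst chain is guaranteed to exist in every configuration; if it is absent, add_jump receives undef and the failure surfaces late and without naming the zone. Making the precondition explicit, e.g. `fatal_error "Zone $zone specifies 'blacklist' but no blacklist chain exists" unless $filter_table->{blacklst};` immediately before the jump, turns that into a clear compile-time error. The jump is placed only in the zone's forward chain, so traffic from the zone addressed to the firewall itself is not passed through blacklst, and the `out` flag that process_zone now sets is consumed nowhere in this patch; a comment above the new line such as `# Zone-level blacklisting: forwarded traffic only for now; 'out' not yet implemented` would record that this is the intended scope of this first step. generate_matrix continues on both sides of the hunk, and `$zoneref` is presumed to be the current zone's hash reference from the enclosing loop.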
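Review bot: The new `%key` initializer mixes value styles — `mss => 1` beside `blacklist => 'blacklist'` — although the hash is only tested for truth in `if ( $key{$e} )` later in parse_zone_option_list, so the string value carries no meaning yet reads as if it did. Prefer `my %key = ( mss => 1, blacklist => 1 );` and replace the three-line comment above it with one that states the contract, e.g. `# Options stored under their own key in the returned hash rather than appended to $options; values are only tested for truth.` Keyed options also bypass the ipsec-only check that applies to the remaining options, so it is worth confirming that `blacklist` is meant to be valid for every zone type, as the option table at hunk @@ -299 implies.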
@@ -344,7 +345,7 @@ sub parse_zone_option_list($$)
 }
 if ( $key{$e} ) {
- $h{$e} = $val;
+ $h{$e} = $val || 1;
 } else {
 fatal_error "The \"$e\" option may only be specified for ipsec zones" unless $zonetype == IPSEC;
 $options .= $invert;
@@ -435,20 +436,22 @@ sub process_zone( \$ ) {
 }
 }
- $zones{$zone} = { type => $type,
- parents => \@parents,
- bridge => '',
- options => { in_out => parse_zone_option_list( $options || '', $type ) ,
- in => parse_zone_option_list( $in_options || '', $type ) ,
- out => parse_zone_option_list( $out_options || '', $type ) ,
- complex => ( $type == IPSEC || $options ne '-' || $in_options ne '-' || $out_options ne '-' ) ,
- nested => @parents > 0 ,
- super => 0 ,
- } ,
- interfaces => {} ,
- children => [] ,
- hosts => {}
- };
+ my $zoneref = $zones{$zone} = { type => $type,
+ parents => \@parents,
+ bridge => '',
+ options => { in_out => parse_zone_option_list( $options || '', $type ) ,
+ in => parse_zone_option_list( $in_options || '', $type ) ,
+ out => parse_zone_option_list( $out_options || '', $type ) ,
+ complex => ( $type == IPSEC || $options ne '-' || $in_options ne '-' || $out_options ne '-' ) ,
+ nested => @parents > 0 ,
+ super => 0 ,
+ } ,
+ interfaces => {} ,
+ children => [] ,
+ hosts => {}
+ };
+
+ $zoneref->{options}{in}{blacklist} = $zoneref->{options}{out}{blacklist} = 1 if $zoneref->{options}{in_out}{blacklist};
 return $zone;
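Review bot: `$h{$e} = $val || 1;` applies the default to every keyed option, not just to `blacklist`, so if a numeric `mss` value of 0 ever reaches this point it is silently rewritten to 1; the intent appears to be a true value for options declared NOTHING, which carry no value of their own. Restricting the default to that case keeps mss untouched, e.g. `$h{$e} = $validoptions{$e} == NOTHING ? 1 : $val;` (assuming the option-type constants compare numerically, as their use with `==` elsewhere suggests), with a comment such as `# Flag options (type NOTHING) are stored as 1 so callers can test them for truth.` Whether the NUMERIC validation earlier in parse_zone_option_list already rejects 0 cannot be seen from this hunk. The enclosing sub starts and ends outside the hunk.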