diff --git a/Shorewall/Actions/action.BLACKLIST b/Shorewall/Actions/action.BLACKLIST
index 9327d3a06..2bcdeb769 100644
--- a/Shorewall/Actions/action.BLACKLIST
+++ b/Shorewall/Actions/action.BLACKLIST
@@ -14,26 +14,37 @@
# DYNAMIC_BLACKLIST or the one specified when the ipset was created.
#
###############################################################################
-?if ! "$SW_DBL_IPSET"
-? error The BLACKLIST action may only be used with ipset-based dynamic blacklisting
-?endif
-
-DEFAULTS DROP,-
-
-#ACTION SOURCE DEST PROTO DPORT SPORT
-#
-# Add to the blacklist
-#
-?if passed(@2)
- ADD($SW_DBL_IPSET:src:@2)
-?elsif $SW_DBL_TIMEOUT
- ADD($SW_DBL_IPSET:src:$SW_DBL_TIMEOUT)
+# Note -- This action is defined with the 'section' option, so the first
+# parameter is always the section name. That means that in the
+# following text, the first parameter passed in the rule is actually
+# @2.
+###############################################################################
+?if $1 eq 'BLACKLIST'
+ ?if $BLACKLIST_LOGLEVEL
+ blacklog
+ ?else
+ $BLACKLIST_DISPOSITION
+ ?endif
?else
- ADD($SW_DBL_IPSET:src)
-?endif
-#
-# Dispose of the packet if asked
-#
-?if passed(@1)
- @1
+ ?if ! "$SW_DBL_IPSET"
+ ? error The BLACKLIST action may only be used with ipset-based dynamic blacklisting
+ ?endif
+
+ DEFAULTS -,DROP,-
+ #
+ # Add to the blacklist
+ #
+ ?if passed(@3)
+ ADD($SW_DBL_IPSET:src:@3)
+ ?elsif $SW_DBL_TIMEOUT
+ ADD($SW_DBL_IPSET:src:$SW_DBL_TIMEOUT)
+ ?else
+ ADD($SW_DBL_IPSET:src)
+ ?endif
+ #
+ # Dispose of the packet if asked
+ #
+ ?if passed(@2)
+ @2
+ ?endif
?endif
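Review bot: In the new `?if $1 eq 'BLACKLIST'` branch the user-supplied parameters are silently ignored: @2 (the disposition) and @3 (the timeout) are only consulted in the `?else` branch, and `DEFAULTS -,DROP,-` is also declared only there. If blrules entries can carry parameters at all, a rule such as `BLACKLIST(REJECT)` in blrules would quietly fall back to `$BLACKLIST_DISPOSITION` or `blacklog` with no diagnostic. Either document this in the branch, e.g. `# In the blrules file the disposition comes from BLACKLIST_LOGLEVEL/BLACKLIST_DISPOSITION; passed parameters are ignored`, or reject them explicitly with `?if passed(@2)` / `? error The BLACKLIST action accepts no parameters in the blrules file` / `?endif`. Whether the compiler accepts DEFAULTS inside a conditional branch is not visible here; worth confirming, since the old file declared it unconditionally at the top.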
diff --git a/Shorewall/Perl/Shorewall/Rules.pm b/Shorewall/Perl/Shorewall/Rules.pm
index 952300c78..bdc25e4a8 100644
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -233,6 +233,7 @@ use constant { INLINE_OPT => 1 ,
TERMINATING_OPT => 256 ,
AUDIT_OPT => 512 ,
LOGJUMP_OPT => 1024 ,
+ SECTION_OPT => 2048 ,
};
our %options = ( inline => INLINE_OPT ,
@@ -246,6 +247,7 @@ our %options = ( inline => INLINE_OPT ,
terminating => TERMINATING_OPT ,
audit => AUDIT_OPT ,
logjump => LOGJUMP_OPT ,
+ section => SECTION_OPT ,
);
our %reject_options;
@@ -2736,13 +2738,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
#
# Determine the validity of the action
#
- if ( $actiontype = $targets{$basictarget} ) {
- if ( $section == BLACKLIST_SECTION && $basictarget eq 'BLACKLIST' ) {
- assert( $actiontype = find_macro( 'BLACKLIST' ) );
- }
- } else {
- $actiontype = find_macro ( $basictarget );
- }
+ $actiontype = $targets{$basictarget} || find_macro( $basictarget );
if ( $config{ MAPOLDACTIONS } ) {
( $basictarget, $actiontype , $param ) = map_old_actions( $basictarget ) unless $actiontype || supplied $param;
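Review bot: The removed special case used to force `BLACKLIST` in the BLACKLIST section onto the macro regardless of what `%targets` held; the replacement `$targets{$basictarget} || find_macro( $basictarget )` now relies entirely on the action being declared with the `section` option in actions.std, and nothing in this function records that dependency. A short comment on the new line would help the next reader, e.g. `# BLACKLIST in the blrules file is now handled by the action itself (see the 'section' option in actions.std)`. The `||` preserves the old truthiness test rather than a `defined` test, so a target type of 0 would still fall through to find_macro exactly as before, which appears intended. process_rule begins before this hunk and continues after it.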
@@ -3150,6 +3146,10 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
my $actionchain; # Name of the action chain
if ( $actiontype & ACTION ) {
+ #
+ # Handle 'section' option
+ #
+ $param = supplied $param ? join( ',' , $section_rmap{$section}, $param ) : $section_rmap{$section} if $actions{$basictarget}{options} & SECTION_OPT;
#
# Create the action:level:tag:param tuple.
#
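Review bot: The added line packs a ternary and a postfix `if` into one very long statement, and it has no guard on `$section_rmap{$section}` being defined; if process_rule can be reached with a section that has no reverse-map entry, `join( ',', undef, $param )` would prepend an empty name (with an uninitialized-value warning) and shift the action's parameters. The manpage text in this commit says the option has no effect for snat and mangle, which suggests such callers never reach this code, but that is not visible from the hunk, so an assertion would make the assumption explicit. Splitting the statement into a block also gives the `Handle 'section' option` comment somewhere more useful to sit. process_rule starts and ends outside this hunk.
```perl
    if ( $actiontype & ACTION ) {
        #
        # Handle 'section' option -- prepend the section name (e.g. 'BLACKLIST' for
        # the blrules file) to the parameters so the action sees it as its first parameter.
        #
        if ( $actions{$basictarget}{options} & SECTION_OPT ) {
            my $section_name = $section_rmap{$section};
            assert( defined $section_name );    # NOTE(review): confirm every caller supplies a mapped section
            $param = supplied $param ? join( ',', $section_name, $param ) : $section_name;
        }
        # … unchanged: build the action:level:tag:param tuple …
```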
diff --git a/Shorewall/actions.std b/Shorewall/actions.std
index a75b3f277..2f3c7197b 100644
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@@ -26,7 +26,7 @@ A_Reject # Audited Default action for REJECT policy
allowInvalid inline # Accepts packets in the INVALID conntrack state
AutoBL noinline # Auto-blacklist IPs that exceed thesholds
AutoBLL noinline # Helper for AutoBL
-BLACKLIST logjump # Add sender to the dynamic blacklist
+BLACKLIST logjump,section # Add sender to the dynamic blacklist
Broadcast noinline,audit # Handles Broadcast/Multicast/Anycast
DNSAmp # Matches one-question recursive DNS queries
Drop # Default Action for DROP policy
diff --git a/Shorewall/manpages/shorewall-actions.xml b/Shorewall/manpages/shorewall-actions.xml
index 5b4f13317..51644d4e4 100644
--- a/Shorewall/manpages/shorewall-actions.xml
+++ b/Shorewall/manpages/shorewall-actions.xml
@@ -191,6 +191,25 @@
+
+
+
+
+ Added in Shorewall 5.1.1. When specified, this option
+ causes the rules file section name and a comma to be prepended
+ to the parameters passed to the action (if any). Note that
+ this means that the first parameter passed to the action by
+ the user is actually the second parameter to the action. If
+ the action is invoked out of the blrules file, 'BLACKLIST' is
+ used as the section name.
+
+ Given that neither the snat nor the
+ mangle file is sectioned, this parameter
+ has no effect when or
+ is specified.
+
+
+
={||||}
@@ -205,9 +224,9 @@
Added in Shorewall 4.6.4. When used with
- builtin, indicates that the
- built-in action is termiating (i.e., if the action is jumped
- to, the next rule in the chain is not evaluated).
+ , indicates that the built-in action
+ is termiating (i.e., if the action is jumped to, the next rule
+ in the chain is not evaluated).
diff --git a/Shorewall6/manpages/shorewall6-actions.xml b/Shorewall6/manpages/shorewall6-actions.xml
index 941b70fce..be45c1e03 100644
--- a/Shorewall6/manpages/shorewall6-actions.xml
+++ b/Shorewall6/manpages/shorewall6-actions.xml
@@ -192,6 +192,25 @@
+
+
+
+
+ Added in Shorewall 5.1.1. When specified, this option
+ causes the rules file section name and a comma to be prepended
+ to the parameters passed to the action (if any). Note that
+ this means that the first parameter passed to the action by
+ the user is actually the second parameter to the action. If
+ the action is invoked out of the blrules file, 'BLACKLIST' is
+ used as the section name.
+
+ Given that neither the snat nor the
+ mangle file is sectioned, this parameter
+ has no effect when or
+ is specified.
+
+
+
={||||}
@@ -206,9 +225,9 @@
Added in Shorewall 4.6.4. When used with
- builtin, indicates that the
- built-in action is termiating (i.e., if the action is jumped
- to, the next rule in the chain is not evaluated).
+ , indicates that the built-in action
+ is termiating (i.e., if the action is jumped to, the next rule
+ in the chain is not evaluated).