Make BLACKLIST work correctly in the blrules file

- Add the 'section' action option

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Actions/action.BLACKLIST

@@ -14,18 +14,28 @@
 #     DYNAMIC_BLACKLIST or the one specified when the ipset was created.
 #
 ###############################################################################
+# Note -- This action is defined with the 'section' option, so the first
+#         parameter is always the section name. That means that in the
+#         following text, the first parameter passed in the rule is actually
+#         @2.
+###############################################################################
+?if $1 eq 'BLACKLIST'
+   ?if $BLACKLIST_LOGLEVEL
+       blacklog
+   ?else
+       $BLACKLIST_DISPOSITION
+   ?endif
+?else
    ?if ! "$SW_DBL_IPSET"
    ?   error The BLACKLIST action may only be used with ipset-based dynamic blacklisting
    ?endif
 
-DEFAULTS DROP,-
+   DEFAULTS -,DROP,-
-
-#ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
    #
    # Add to the blacklist
    #
-?if passed(@2)
+   ?if passed(@3)
-    ADD($SW_DBL_IPSET:src:@2)
+       ADD($SW_DBL_IPSET:src:@3)
    ?elsif $SW_DBL_TIMEOUT
        ADD($SW_DBL_IPSET:src:$SW_DBL_TIMEOUT)
    ?else
@@ -34,6 +44,7 @@ DEFAULTS DROP,-
    #
    # Dispose of the packet if asked
    #
-?if passed(@1)
+   ?if passed(@2)
-   @1
+      @2
+   ?endif
 ?endif

Shorewall/Perl/Shorewall/Rules.pm

@@ -233,6 +233,7 @@ use constant { INLINE_OPT           => 1 ,
 	       TERMINATING_OPT      => 256 ,
 	       AUDIT_OPT            => 512 ,
 	       LOGJUMP_OPT          => 1024 ,
+	       SECTION_OPT          => 2048 ,
 };
 
 our %options = ( inline      => INLINE_OPT ,
@@ -246,6 +247,7 @@ our %options = ( inline      => INLINE_OPT ,
 		 terminating => TERMINATING_OPT ,
 		 audit       => AUDIT_OPT ,
 		 logjump     => LOGJUMP_OPT ,
+		 section     => SECTION_OPT ,
     );
 
 our %reject_options;
@@ -2736,13 +2738,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
     #
     # Determine the validity of the action
     #
-    if ( $actiontype = $targets{$basictarget} ) {
+    $actiontype = $targets{$basictarget} || find_macro( $basictarget );
-	if ( $section == BLACKLIST_SECTION && $basictarget eq 'BLACKLIST' ) {
-	    assert( $actiontype = find_macro( 'BLACKLIST' ) );
-	}
-    } else {
-	$actiontype = find_macro ( $basictarget );
-    }
 
     if ( $config{ MAPOLDACTIONS } ) {
 	( $basictarget, $actiontype , $param ) = map_old_actions( $basictarget ) unless $actiontype || supplied $param;
@@ -3150,6 +3146,10 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
     my $actionchain; # Name of the action chain
 
     if ( $actiontype & ACTION ) {
+	#
+	# Handle 'section' option
+	#
+	$param = supplied $param ? join( ',' , $section_rmap{$section}, $param ) : $section_rmap{$section} if $actions{$basictarget}{options} & SECTION_OPT;
 	#
 	# Create the action:level:tag:param tuple.
 	#

Shorewall/actions.std

@@ -26,7 +26,7 @@ A_Reject			# Audited Default action for REJECT policy
 allowInvalid inline		# Accepts packets in the INVALID conntrack state
 AutoBL	     noinline		# Auto-blacklist IPs that exceed thesholds
 AutoBLL	     noinline		# Helper for AutoBL
-BLACKLIST    logjump		# Add sender to the dynamic blacklist
+BLACKLIST    logjump,section	# Add sender to the dynamic blacklist
 Broadcast    noinline,audit	# Handles Broadcast/Multicast/Anycast
 DNSAmp				# Matches one-question recursive DNS queries
 Drop				# Default Action for DROP policy

Shorewall/manpages/shorewall-actions.xml

@@ -191,6 +191,25 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><option>section</option></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.1.1. When specified, this option
+                causes the rules file section name and a comma to be prepended
+                to the parameters passed to the action (if any). Note that
+                this means that the first parameter passed to the action by
+                the user is actually the second parameter to the action. If
+                the action is invoked out of the blrules file, 'BLACKLIST' is
+                used as the section name.</para>
+
+                <para>Given that neither the <filename>snat</filename> nor the
+                <filename>mangle</filename> file is sectioned, this parameter
+                has no effect when <option>mangle</option> or
+                <option>nat</option> is specified. </para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><option>state</option>={<option>UNTRACKED</option>|<option>NEW</option>|<option>ESTABLISHED</option>|<option>RELATED</option>|<option>INVALID</option>}</term>
 
@@ -205,9 +224,9 @@
 
               <listitem>
                 <para>Added in Shorewall 4.6.4. When used with
-                <replaceable>builtin</replaceable>, indicates that the
+                <option>builtin</option>, indicates that the built-in action
-                built-in action is termiating (i.e., if the action is jumped
+                is termiating (i.e., if the action is jumped to, the next rule
-                to, the next rule in the chain is not evaluated).</para>
+                in the chain is not evaluated).</para>
               </listitem>
             </varlistentry>
           </variablelist>

Shorewall6/manpages/shorewall6-actions.xml

@@ -192,6 +192,25 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><option>section</option></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.1.1. When specified, this option
+                causes the rules file section name and a comma to be prepended
+                to the parameters passed to the action (if any). Note that
+                this means that the first parameter passed to the action by
+                the user is actually the second parameter to the action. If
+                the action is invoked out of the blrules file, 'BLACKLIST' is
+                used as the section name.</para>
+
+                <para>Given that neither the <filename>snat</filename> nor the
+                <filename>mangle</filename> file is sectioned, this parameter
+                has no effect when <option>mangle</option> or
+                <option>nat</option> is specified.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><option>state</option>={<option>UNTRACKED</option>|<option>NEW</option>|<option>ESTABLISHED</option>|<option>RELATED</option>|<option>INVALID</option>}</term>
 
@@ -206,9 +225,9 @@
 
               <listitem>
                 <para>Added in Shorewall 4.6.4. When used with
-                <replaceable>builtin</replaceable>, indicates that the
+                <option>builtin</option>, indicates that the built-in action
-                built-in action is termiating (i.e., if the action is jumped
+                is termiating (i.e., if the action is jumped to, the next rule
-                to, the next rule in the chain is not evaluated).</para>
+                in the chain is not evaluated).</para>
               </listitem>
             </varlistentry>
           </variablelist>