Add BLACKLIST policy

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2017-01-18 10:55:15 -08:00 · 2017-01-18 10:55:15 -08:00 · e6933f4c8d
commit e6933f4c8d
parent cc3b8793e0
16 changed files with 98 additions and 15 deletions
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@ -816,6 +816,7 @@ sub initialize( $;$$) {
 	  ACCEPT_DEFAULT => undef,
 	  QUEUE_DEFAULT => undef,
 	  NFQUEUE_DEFAULT => undef,
+	  BLACKLIST_DEFAULT => undef,
 	  #
 	  # RSH/RCP Commands
 	  #
@ -6625,11 +6626,12 @@ sub get_configuration( $$$$ ) {
    default 'RESTOREFILE'           , 'restore';
    default 'DROP_DEFAULT'          , 'Drop';
    default 'REJECT_DEFAULT'        , 'Reject';
+    default 'BLACKLIST_DEFAULT'     , 'Drop';
    default 'QUEUE_DEFAULT'         , 'none';
    default 'NFQUEUE_DEFAULT'       , 'none';
    default 'ACCEPT_DEFAULT'        , 'none';

-    for my $default ( qw/DROP_DEFAULT REJECT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT ACCEPT_DEFAULT/ ) {
+    for my $default ( qw/DROP_DEFAULT REJECT_DEFAULT BLACKLIST_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT ACCEPT_DEFAULT/ ) {
 	$config{$default} = 'none' if "\L$config{$default}" eq 'none';
    }

--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@ -309,11 +309,12 @@ sub initialize( $ ) {
    # This is updated from the *_DEFAULT settings in shorewall.conf. Those settings were stored
    # in the %config hash when shorewall[6].conf was processed.
    #
-    %default_actions  = ( DROP     => 'none' ,
-		 	  REJECT   => 'none' ,
-			  ACCEPT   => 'none' ,
-			  QUEUE    => 'none' ,
-			  NFQUEUE  => 'none' ,
+    %default_actions  = ( DROP      => 'none' ,
+		 	  REJECT    => 'none' ,
+			  BLACKLIST => 'none' ,
+			  ACCEPT    => 'none' ,
+			  QUEUE     => 'none' ,
+			  NFQUEUE   => 'none' ,
 			);
    #
    # These are set to 1 as sections are encountered.
@ -679,6 +680,8 @@ sub process_a_policy1($$$$$$$) {
 	    if $clientwild || $serverwild;
 	fatal_error "NONE policy not allowed to/from firewall zone"
 	    if ( zone_type( $client ) == FIREWALL ) || ( zone_type( $server ) == FIREWALL );
+    } elsif ( $policy eq 'BLACKLIST' ) {
+	fatal_error 'BLACKLIST policies require ipset-based dynamic blacklisting' unless $config{DYNAMIC_BLACKLIST} =~ /^ipset/;
    }

    unless ( $clientwild || $serverwild ) {
@ -817,24 +820,26 @@ sub process_policies()
    our %validpolicies = (
 			  ACCEPT => undef,
 			  REJECT => undef,
-			  DROP   => undef,
+			  DROP	 => undef,
 			  CONTINUE => undef,
+			  BLACKLIST => undef,
 			  QUEUE => undef,
 			  NFQUEUE => undef,
 			  NONE => undef
 			  );

-    our %map = ( DROP_DEFAULT    => 'DROP' ,
-		 REJECT_DEFAULT  => 'REJECT' ,
-		 ACCEPT_DEFAULT  => 'ACCEPT' ,
-		 QUEUE_DEFAULT   => 'QUEUE' ,
-		 NFQUEUE_DEFAULT => 'NFQUEUE' );
+    our %map = ( DROP_DEFAULT      => 'DROP' ,
+		 REJECT_DEFAULT    => 'REJECT' ,
+		 BLACKLIST_DEFAULT => 'BLACKLIST' ,
+		 ACCEPT_DEFAULT    => 'ACCEPT' ,
+		 QUEUE_DEFAULT     => 'QUEUE' ,
+		 NFQUEUE_DEFAULT   => 'NFQUEUE' );

    my $zone;
    my $firewall = firewall_zone;
    our @zonelist = $config{EXPAND_POLICIES} ? all_zones : ( all_zones, 'all' );

-    for my $option ( qw( DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT) ) {
+    for my $option ( qw( DROP_DEFAULT REJECT_DEFAULT BLACKLIST_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT) ) {
 	my $action = $config{$option};

 	unless ( $action eq 'none' ) {
@ -951,7 +956,20 @@ sub add_policy_rules( $$$$$ ) {
 	log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
 	fatal_error "Null target in policy_rules()" unless $target;

-	add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $target ) if $chainref->{audit};
+	if ( $target eq 'BLACKLIST' ) {
+	    my ( $dbl_type, $dbl_ipset, $dbl_level, $dbl_tag ) = split( ':', $config{DYNAMIC_BLACKLIST} );
+
+	    if ( my $timeout = $globals{DBL_TIMEOUT} ) {
+		add_ijump( $chainref, j => "SET --add-set $dbl_ipset src --exist --timeout $timeout" );
+	    } else {
+		add_ijump( $chainref, j => "SET --add-set $dbl_ipset src --exist" );
+	    }
+
+	    $target = 'DROP';
+	} else {
+	    add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $target ) if $chainref->{audit};
+	}
+
 	add_ijump( $chainref , g => $target eq 'REJECT' ? 'reject' : $target ) unless $target eq 'CONTINUE';
    }
 }
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@ -108,6 +108,7 @@ TC=
 ###############################################################################

 ACCEPT_DEFAULT="none"
+BLACKLIST_DEFAULT="Drop"
 DROP_DEFAULT="Drop"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@ -119,6 +119,7 @@ TC=
 ###############################################################################

 ACCEPT_DEFAULT="none"
+BLACKLIST_DEFAULT="Drop"
 DROP_DEFAULT="Drop"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@ -116,6 +116,7 @@ TC=
 ###############################################################################

 ACCEPT_DEFAULT="none"
+BLACKLIST_DEFAULT="Drop"
 DROP_DEFAULT="Drop"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@ -119,6 +119,7 @@ TC=
 ###############################################################################

 ACCEPT_DEFAULT="none"
+BLACKLIST_DEFAULT="Drop"
 DROP_DEFAULT="Drop"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@ -108,6 +108,7 @@ TC=
 ###############################################################################

 ACCEPT_DEFAULT=none
+BLACKLIST_DEFAULT=Drop
 DROP_DEFAULT=Drop
 NFQUEUE_DEFAULT=none
 QUEUE_DEFAULT=none
--- a/Shorewall/manpages/shorewall-policy.xml
+++ b/Shorewall/manpages/shorewall-policy.xml
@ -115,6 +115,7 @@
        role="bold">ACCEPT</emphasis>|<emphasis
        role="bold">DROP</emphasis>|<emphasis
        role="bold">REJECT</emphasis>|<emphasis
+        role="bold">BLACKLIST</emphasis>|<emphasis
        role="bold">CONTINUE</emphasis>|<emphasis
        role="bold">QUEUE</emphasis>|<emphasis
        role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber1</emphasis>[:<replaceable>queuenumber2</replaceable>])]|<emphasis
@ -177,6 +178,19 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis role="bold">BLACKLIST</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.1.1 and requires that the
+                DYNAMIC_BLACKLIST setting in <ulink
+                url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
+                specifies ipset-based dynamic blacklisting. The SOURCE IP
+                address is added to the blacklist ipset and the connection
+                request is ignored.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis role="bold">QUEUE</emphasis></term>

--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@ -117,6 +117,16 @@
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis
+        role="bold">BLACKLIST_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>]|<emphasis
+        role="bold">none</emphasis>}</term>
+
+        <listitem>
+          <para/>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis
        role="bold">DROP_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>]|<emphasis
@ -176,6 +186,9 @@

            <member>REJECT_DEFAULT="Reject"</member>

+            <member>BLACKLIST_DEFAULT="Drop" (added in Shorewall
+            5.1.1)</member>
+
            <member>ACCEPT_DEFAULT="none"</member>

            <member>QUEUE_DEFAULT="none"</member>
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@ -105,6 +105,7 @@ TC=
 ###############################################################################

 ACCEPT_DEFAULT="none"
+BLACKLIST_DEFAULT="Drop"
 DROP_DEFAULT="Drop"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@ -106,6 +106,7 @@ TC=
 ###############################################################################

 ACCEPT_DEFAULT="none"
+BLACKLIST_DEFAULT="Drop"
 DROP_DEFAULT="Drop"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@ -105,6 +105,7 @@ TC=
 ###############################################################################

 ACCEPT_DEFAULT="none"
+BLACKLIST_DEFAULT="Drop"
 DROP_DEFAULT="Drop"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@ -105,6 +105,7 @@ TC=
 ###############################################################################

 ACCEPT_DEFAULT="none"
+BLACKLIST_DEFAULT="Drop"
 DROP_DEFAULT="Drop"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@ -105,6 +105,7 @@ TC=
 ###############################################################################

 ACCEPT_DEFAULT=none
+BLACKLIST_DEFAULT=Drop
 DROP_DEFAULT=Drop
 NFQUEUE_DEFAULT=none
 QUEUE_DEFAULT=none
--- a/Shorewall6/manpages/shorewall6-policy.xml
+++ b/Shorewall6/manpages/shorewall6-policy.xml
@ -114,7 +114,7 @@
        <term><emphasis role="bold">POLICY</emphasis> - {<emphasis
        role="bold">ACCEPT</emphasis>|<emphasis
        role="bold">DROP</emphasis>|<emphasis
-        role="bold">REJECT</emphasis>|<emphasis
+        role="bold">REJECT</emphasis>|BLACKLIST|<emphasis
        role="bold">CONTINUE</emphasis>|<emphasis
        role="bold">QUEUE</emphasis>|<emphasis
        role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber1</emphasis>[:<replaceable>queuenumber2</replaceable>])]|<emphasis
@ -177,6 +177,19 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis role="bold">BLACKLIST</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.1.1 and requires that the
+                DYNAMIC_BLACKLIST setting in <ulink
+                url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)
+                specifies ipset-based dynamic blacklisting. The SOURCE IP
+                address is added to the blacklist ipset and the connection
+                request is ignored.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis role="bold">QUEUE</emphasis></term>

--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@ -103,6 +103,16 @@
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis
+        role="bold">BLACKLIST_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>]|<emphasis
+        role="bold">none</emphasis>}</term>
+
+        <listitem>
+          <para/>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis
        role="bold">DROP_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>]|<emphasis
@ -164,6 +174,9 @@

            <member>REJECT_DEFAULT="Reject"</member>

+            <member>BLACKLIST_DEFAULT="Drop" (added in Shorewall
+            5.1.1)</member>
+
            <member>ACCEPT_DEFAULT="none"</member>

            <member>QUEUE_DEFAULT="none"</member>