Update blacklisting article:

- ipset-based blacklisting
- BLACKLIST policy and action

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/install.sh

@@ -369,7 +369,7 @@ fi
 #
 install_file shorewall ${DESTDIR}${SBINDIR}/shorewall 0755
 [ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/shorewall
-echo "Shorewall CLI program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
+echo "Shorewall CLI program installed in ${DESTDIR}${SBINDIR}/shorewall"
 #
 # Install wait4ifup
 #

Shorewall-core/lib.cli

@@ -78,29 +78,6 @@ showchain() # $1 = name of chain
     fi
 }
 
-#
-# The 'awk' hack that compensates for bugs in iptables-save (or rather in the extension modules).
-#
-
-iptablesbug()
-{
-    if [ $g_family -eq 4 ]; then
-	if qt mywhich awk ; then
-	    awk 'BEGIN           { sline=""; };\
-             /^-[jg]/            { print sline $0; next };\
-             /-m policy.*-[jg] / { print $0; next };\
-             /-m policy/         { sline=$0; next };\
-             /--mask ff/         { sub( /--mask ff/, "--mask 0xff" ) };\
-                                 { print ; sline="" }'
-        else
-	    echo "   WARNING: You don't have 'awk' on this system so the output of the save command may be unusable" >&2
-	    cat
-	fi
-    else
-	cat
-    fi
-}
-
 #
 # Validate the value of RESTOREFILE
 #
@@ -1150,6 +1127,11 @@ show_macros() {
     done
 }
 
+show_an_action() {
+    echo "Shorewall $SHOREWALL_VERSION Action $1 at $g_hostname - $(date)"
+    cat ${directory}/action.$1
+}
+
 show_a_macro() {
     echo "Shorewall $SHOREWALL_VERSION Macro $1 at $g_hostname - $(date)"
     cat ${directory}/macro.$1
@@ -1458,12 +1440,35 @@ show_command() {
 		    ;;
 	    	*)
 		    case $1 in
+			action)
+			    [ $# -lt 2 ] && fatal_error 'Missing <action>'
+			    [ $# -gt 2 ] && too_many_arguments $2
+
+			    for directory in $(split $CONFIG_PATH); do
+				if [ -f ${directory}/action.$2 ]; then
+				    eval show_an_action $2 $g_pager
+				    return
+				fi
+			    done
+
+			    case $2 in
+				allowBcast|dropBcast|dropNotSyn|rejNotSyn|allowinUPnp|forwardUPnP|Limit)
+				    echo "   WARNING: $2 is a built-in action" >&2
+				    ;;
+				*)
+				    echo "   WARNING: Action $2 not found" >&2
+				    ;;
+			    esac
+
+			    return
+			    ;;
 			actions)
 			    [ $# -gt 1 ] && too_many_arguments $2
 			    eval show_actions_sorted $g_pager
 			    return
 			    ;;
 			macro)
+			    [ $# -lt 2 ] && fatal_error 'Missing <macro>'
 			    [ $# -ne 2 ] && too_many_arguments $2
 			    for directory in $(split $CONFIG_PATH); do
 				if [ -f ${directory}/macro.$2 ]; then
@@ -4291,6 +4296,7 @@ usage() # $1 = exit status
     echo "   savesets"
     echo "   [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
     ecko "   [ show | list | ls ] actions"
+    ecko "   [ show | list | ls ] action <action>"
     echo "   [ show | list | ls ] arptables"
     echo "   [ show | list | ls ] [ -f ] capabilities"
     echo "   [ show | list | ls ] [ -x ] {bl|blacklists}"

Shorewall-core/manpages/shorewall.xml

@@ -685,6 +685,31 @@
       <arg choice="plain"><option>capabilities</option></arg>
     </cmdsynopsis>
 
+    <cmdsynopsis>
+      <command>shorewall[6]</command>
+
+      <arg>options</arg>
+
+      <arg choice="req"><option>show | list | ls </option></arg>
+
+      <arg><option>-f</option></arg>
+
+      <arg choice="plain"><option>{actions|macros}</option></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall[6]</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>options</arg>
+
+      <arg choice="req"><option>show | list | ls </option></arg>
+
+      <arg choice="plain"><option>action</option><arg
+      choice="plain"><replaceable>action</replaceable></arg></arg>
+    </cmdsynopsis>
+
     <cmdsynopsis>
       <command>shorewall[6][-lite]</command>
 
@@ -695,7 +720,7 @@
       <arg choice="req"><option>show | list | ls </option></arg>
 
       <arg
-      choice="req"><option>actions|classifiers|connections|config|events|filters|ip|ipa|ipsec|macros|zones|policies|marks</option></arg>
+      choice="req"><option>classifiers|connections|config|events|filters|ip|ipa|ipsec|zones|policies|marks</option></arg>
     </cmdsynopsis>
 
     <cmdsynopsis>
@@ -2415,12 +2440,23 @@
           arguments:</para>
 
           <variablelist>
+            <varlistentry>
+              <term><emphasis role="bold">action
+              <replaceable>action</replaceable></emphasis></term>
+
+              <listitem>
+                <para>Lists the named action file. Available on Shorewall and
+                Shorewall6 only.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">actions</emphasis></term>
 
               <listitem>
                 <para>Produces a report about the available actions (built-in,
-                standard and user-defined).</para>
+                standard and user-defined). Available on Shorewall and
+                Shorewall6 only.</para>
               </listitem>
             </varlistentry>
 

Shorewall/Actions/action.A_Drop

@@ -12,6 +12,7 @@
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
+?require AUDIT_TARGET
 ###############################################################################
 #ACTION		SOURCE	DEST	PROTO	DPORT	SPORT
 #

Shorewall/Actions/action.A_REJECT

@@ -22,8 +22,9 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# A_REJECTWITH[([<option>])] where <option> is a valid REJECT option.#
+# A_REJECT[([<option>])] where <option> is a valid REJECT option.#
 ###############################################################################
+?require AUDIT_TARGET
 
 DEFAULTS -
 

Shorewall/Actions/action.A_REJECT!

@@ -22,8 +22,9 @@
 # along with this program; if not, write to the Free Software
 # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# A_REJECTWITH[([<option>])] where <option> is a valid REJECT option.#
+# A_REJECT[([<option>])] where <option> is a valid REJECT option.#
 ###############################################################################
+?require AUDIT_TARGET
 
 DEFAULTS -
 

Shorewall/Actions/action.BLACKLIST

@@ -0,0 +1,50 @@
+#
+# Shorewall - /usr/share/shorewall/action.BLACKLIST
+#
+# This action:
+#
+#   - Adds the sender to the dynamic blacklist ipset
+#   - Optionally acts on the packet (default is DROP)
+#
+# Parameters:
+#
+# 1 - Action to take after adding the packet. Default is DROP.
+#     Pass -- if you don't want to take any action.
+# 2 - Timeout for ipset entry. Default is the timeout specified in
+#     DYNAMIC_BLACKLIST or the one specified when the ipset was created.
+#
+###############################################################################
+# Note -- This action is defined with the 'section' option, so the first
+#         parameter is always the section name. That means that in the
+#         following text, the first parameter passed in the rule is actually
+#         @2.
+###############################################################################
+?if $1 eq 'BLACKLIST'
+   ?if $BLACKLIST_LOGLEVEL
+       blacklog
+   ?else
+       $BLACKLIST_DISPOSITION
+   ?endif
+?else
+   ?if ! "$SW_DBL_IPSET"
+   ?   error The BLACKLIST action may only be used with ipset-based dynamic blacklisting
+   ?endif
+
+   DEFAULTS -,DROP,-
+   #
+   # Add to the blacklist
+   #
+   ?if passed(@3)
+       ADD($SW_DBL_IPSET:src:@3)
+   ?elsif $SW_DBL_TIMEOUT
+       ADD($SW_DBL_IPSET:src:$SW_DBL_TIMEOUT)
+   ?else
+       ADD($SW_DBL_IPSET:src)
+   ?endif
+   #
+   # Dispose of the packet if asked
+   #
+   ?if passed(@2)
+      @2
+   ?endif
+?endif

Shorewall/Actions/action.Drop

@@ -20,7 +20,7 @@
 #     depending on the setting of the first parameter.
 # 4 - Action to take with required ICMP packets. Default is ACCEPT or
 #     A_ACCEPT depending on the first parameter.
-# 5 - Action to take with late UDP replies (UDP source port 53). Default
+# 5 - Action to take with late DNS replies (UDP source port 53). Default
 #     is DROP or A_DROP depending on the first parameter.
 # 6 - Action to take with UPnP packets. Default is DROP or A_DROP
 #     depending on the first parameter.

Shorewall/Actions/action.Reject

@@ -20,7 +20,7 @@
 #     depending on the setting of the first parameter.
 # 4 - Action to take with required ICMP packets. Default is ACCEPT or
 #     A_ACCEPT depending on the first parameter.
-# 5 - Action to take with late UDP replies (UDP source port 53). Default
+# 5 - Action to take with late DNS replies (UDP source port 53). Default
 #     is DROP or A_DROP depending on the first parameter.
 # 6 - Action to take with UPnP packets. Default is DROP or A_DROP
 #     depending on the first parameter.

Shorewall/Macros/macro.BLACKLIST

@@ -1,13 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.blacklist
-#
-# This macro handles blacklisting using BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL.
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-
-?if $BLACKLIST_LOGLEVEL
-blacklog
-?else
-$BLACKLIST_DISPOSITION
-?endif

Shorewall/Macros/macro.Drop

@@ -1,49 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.Drop
-#
-# This macro generates the same rules as the Drop default action
-# It is used in place of action.Drop when USE_ACTIONS=No.
-#
-# Example:
-#
-#	Drop	net	all
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#
-# Don't log 'auth' DROP
-#
-DROP	-	-	tcp	113
-#
-# Drop Broadcasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
-#
-dropBcast
-#
-# ACCEPT critical ICMP types
-#
-ACCEPT	-	-	icmp	fragmentation-needed
-ACCEPT	-	-	icmp	time-exceeded
-#
-# Drop packets that are in the INVALID state -- these are usually ICMP packets
-# and just confuse people when they appear in the log (these ICMPs cannot be
-# rejected).
-#
-dropInvalid
-#
-# Drop Microsoft noise so that it doesn't clutter up the log.
-#
-DROP	-	-	udp	135,445
-DROP	-	-	udp	137:139
-DROP	-	-	udp	1024:	137
-DROP	-	-	tcp	135,139,445
-DROP	-	-	udp	1900
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-dropNotSyn
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up
-# the log.
-#
-DROP	-	-	udp	-	53

Shorewall/Macros/macro.Reject

@@ -1,49 +0,0 @@
-#
-# Shorewall -- /usr/share/shorewall/macro.Reject
-#
-# This macro generates the same rules as the Reject default action
-# It is used in place of action.Reject when USE_ACTIONS=No.
-#
-# Example:
-#
-#	Reject	loc	fw
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DPORT	SPORT	ORIGDEST	RATE	USER
-#
-# Don't log 'auth' REJECT
-#
-REJECT	-	-	tcp	113
-#
-# Drop Broadcasts so they don't clutter up the log
-# (broadcasts must *not* be rejected).
-#
-dropBcast
-#
-# ACCEPT critical ICMP types
-#
-ACCEPT	-	-	icmp	fragmentation-needed
-ACCEPT	-	-	icmp	time-exceeded
-#
-# Drop packets that are in the INVALID state -- these are usually ICMP packets
-# and just confuse people when they appear in the log (these ICMPs cannot be
-# rejected).
-#
-dropInvalid
-#
-# Reject Microsoft noise so that it doesn't clutter up the log.
-#
-REJECT	-	-	udp	135,445
-REJECT	-	-	udp	137:139
-REJECT	-	-	udp	1024:	137
-REJECT	-	-	tcp	135,139,445
-DROP	-	-	udp	1900
-#
-# Drop 'newnotsyn' traffic so that it doesn't get logged.
-#
-dropNotSyn
-#
-# Drop late-arriving DNS replies. These are just a nuisance and clutter up
-# the log.
-#
-DROP	-	-	udp	-	53

Shorewall/Perl/Shorewall/Config.pm

@@ -748,7 +748,7 @@ sub initialize( $;$$) {
 		    TC_SCRIPT               => '',
 		    EXPORT                  => 0,
 		    KLUDGEFREE              => '',
-		    VERSION                 => "5.0.9-Beta2",
+		    VERSION                 => "5.1.1-RC1",
 		    CAPVERSION              => 50100 ,
 		    BLACKLIST_LOG_TAG       => '',
 		    RELATED_LOG_TAG         => '',
@@ -816,6 +816,7 @@ sub initialize( $;$$) {
 	  ACCEPT_DEFAULT => undef,
 	  QUEUE_DEFAULT => undef,
 	  NFQUEUE_DEFAULT => undef,
+	  BLACKLIST_DEFAULT => undef,
 	  #
 	  # RSH/RCP Commands
 	  #
@@ -904,6 +905,7 @@ sub initialize( $;$$) {
 	  VERBOSE_MESSAGES => undef ,
 	  ZERO_MARKS => undef ,
 	  FIREWALL => undef ,
+	  BALANCE_PROVIDERS => undef ,
 	  #
 	  # Packet Disposition
 	  #
@@ -2710,13 +2712,13 @@ sub directive_info( $$$$ ) {
 # Add quotes to the passed value if the passed 'first part' has an odd number of quotes
 # Return an expression that concatenates $first, $val and $rest
 #
-sub join_parts( $$$ ) {
-    my ( $first, $val, $rest ) = @_;
+sub join_parts( $$$$ ) {
+    my ( $first, $val, $rest, $just_expand ) = @_;
 
     $val = '' unless defined $val;
-    $val = "'$val'" unless ( $val =~ /^-?\d+$/               ||    # Value is numeric
-			     ( ( ( $first =~ tr/"/"/ ) & 1 ) ||    # There are an odd number of double quotes preceding the value
-			       ( ( $first =~ tr/'/'/ ) & 1 ) ) );  # There are an odd number of single quotes preceding the value
+    $val = "'$val'" unless $just_expand || ( $val =~ /^-?\d+$/               ||    # Value is numeric
+					     ( ( ( $first =~ tr/"/"/ ) & 1 ) ||    # There are an odd number of double quotes preceding the value
+					       ( ( $first =~ tr/'/'/ ) & 1 ) ) );  # There are an odd number of single quotes preceding the value
     join( '', $first, $val, $rest );
 }
 
@@ -2769,7 +2771,7 @@ sub evaluate_expression( $$$$ ) {
 		     exists $capdesc{$var}   ? have_capability( $var ) : '' );
 	}
 
-	$expression = join_parts( $first, $val, $rest );
+	$expression = join_parts( $first, $val, $rest, $just_expand );
 	directive_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100;
     }
 
@@ -2780,7 +2782,7 @@ sub evaluate_expression( $$$$ ) {
 	    $var = numeric_value( $var ) if $var =~ /^\d/;
 	    $val = $var ? $actparams{$var} : $chain;
 	    $usedcaller = USEDCALLER if $var eq 'caller';
-	    $expression = join_parts( $first, $val, $rest );
+	    $expression = join_parts( $first, $val, $rest , $just_expand );
 	    directive_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100;
 	}
     }
@@ -2852,7 +2854,7 @@ sub process_compiler_directive( $$$$ ) {
 
     print "CD===> $line\n" if $debug;
 
-    directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+|WARNING\s+|INFO\s+|WARNING!\s+|INFO!\s+)(.*)$/i;
+    directive_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF|SET\s+|RESET\s+|FORMAT\s+|COMMENT\s*|ERROR\s+|WARNING\s+|INFO\s+|WARNING!\s+|INFO!\s+|REQUIRE\s+)(.*)$/i;
 
     my ($keyword, $expression) = ( uc $1, $2 );
 
@@ -3040,6 +3042,12 @@ sub process_compiler_directive( $$$$ ) {
 			      $linenumber ) unless $omitting;
 	  } ,
 
+	  REQUIRE => sub() {
+	      fatal_error "?REQUIRE may only be used within action files" unless $actparams{0};
+	      fatal_error "Unknown capability ($expression}" unless $capabilities{$expression};
+	      require_capability( $expression, "The $actparams{action} action", 's' );
+	  } ,
+
 	);
 
     if ( my $function = $directives{$keyword} ) {
@@ -3753,7 +3761,7 @@ sub read_a_line($) {
 	    #
 	    # Handle directives
 	    #
-	    if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF|SET|RESET|FORMAT|COMMENT|ERROR|WARNING|INFO)/i ) {
+	    if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF|SET|RESET|FORMAT|COMMENT|ERROR|WARNING|INFO|REQUIRE)/i ) {
 		$omitting = process_compiler_directive( $omitting, $_, $currentfilename, $. );
 		next;
 	    }
@@ -5279,6 +5287,13 @@ sub update_config_file( $ ) {
     }
 
     update_default( 'USE_DEFAULT_RT', 'No' );
+
+    if ( $config{USE_DEFAULT_RT} eq '' || $config{USE_DEFAULT_RT} =~ /^no$/i ) {
+	update_default( 'BALANCE_PROVIDERS', 'No' );
+    } else {
+	update_default( 'BALANCE_PROVIDERS', 'Yes' );
+    }
+
     update_default( 'EXPORTMODULES',  'No' );
     update_default( 'RESTART',        'reload' );
     update_default( 'PAGER',          $shorewallrc1{DEFAULT_PAGER} );
@@ -6282,19 +6297,11 @@ sub get_configuration( $$$$ ) {
     require_capability 'COMMENTS', 'TRACK_RULES=Yes', 's' if $config{TRACK_RULES};
 
     default_yes_no 'MANGLE_ENABLED'             , have_capability( 'MANGLE_ENABLED' ) ? 'Yes' : '';
+    default_yes_no 'USE_DEFAULT_RT'             , '';
     default_yes_no 'RESTORE_DEFAULT_ROUTE'      , 'Yes';
     default_yes_no 'AUTOMAKE'                   , '';
     default_yes_no 'TRACK_PROVIDERS'            , '';
-
-    if ( supplied( $val = $config{USE_DEFAULT_RT} ) ) {
-	if ( lc( $val ) eq 'exact' ) {
-	    $config{USE_DEFAULT_RT} = 'exact';
-	} else {
-	    default_yes_no 'USE_DEFAULT_RT' , '';
-	}
-    } else {
-	default_yes_no 'USE_DEFAULT_RT' , '';
-    }
+    default_yes_no 'BALANCE_PROVIDERS'          , $config{USE_DEFAULT_RT} ? 'Yes' : '';
 
     unless ( ( $config{NULL_ROUTE_RFC1918} || '' ) =~ /^(?:blackhole|unreachable|prohibit)$/ ) {
 	default_yes_no( 'NULL_ROUTE_RFC1918', '' );
@@ -6311,6 +6318,8 @@ sub get_configuration( $$$$ ) {
 	$config{ACCOUNTING_TABLE} = 'filter';
     }
 
+    my %variables = ( SW_DBL_IPSET => '', SW_DBL_TIMEOUT => 0 );
+
     if ( supplied( $val = $config{DYNAMIC_BLACKLIST} ) ) {
 	if ( $val =~ /^ipset/ ) {
 	    my %simple_options = ( 'src-dst' => 1, 'disconnect' => 1 );
@@ -6351,6 +6360,9 @@ sub get_configuration( $$$$ ) {
 
 	    require_capability( 'IPSET_V5', 'DYNAMIC_BLACKLIST=ipset...', 's' );
 
+	    $variables{SW_DBL_IPSET}   = $set;
+	    $variables{SW_DBL_TIMEOUT} = $globals{DBL_TIMEOUT};
+
 	} else {
 	    default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
 	}
@@ -6358,6 +6370,8 @@ sub get_configuration( $$$$ ) {
 	default_yes_no( 'DYNAMIC_BLACKLIST', 'Yes' );
     }
 
+    add_variables( %variables );
+
     default_yes_no 'REQUIRE_INTERFACE'          , '';
     default_yes_no 'FORWARD_CLEAR_MARK'         , have_capability( 'MARK' ) ? 'Yes' : '';
     default_yes_no 'COMPLETE'                   , '';
@@ -6625,11 +6639,12 @@ sub get_configuration( $$$$ ) {
     default 'RESTOREFILE'           , 'restore';
     default 'DROP_DEFAULT'          , 'Drop';
     default 'REJECT_DEFAULT'        , 'Reject';
+    default 'BLACKLIST_DEFAULT'     , 'Drop';
     default 'QUEUE_DEFAULT'         , 'none';
     default 'NFQUEUE_DEFAULT'       , 'none';
     default 'ACCEPT_DEFAULT'        , 'none';
 
-    for my $default ( qw/DROP_DEFAULT REJECT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT ACCEPT_DEFAULT/ ) {
+    for my $default ( qw/DROP_DEFAULT REJECT_DEFAULT BLACKLIST_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT ACCEPT_DEFAULT/ ) {
 	$config{$default} = 'none' if "\L$config{$default}" eq 'none';
     }
 

Shorewall/Perl/Shorewall/Providers.pm

@@ -519,11 +519,11 @@ sub process_a_provider( $ ) {
     my ( $loose, $track, $balance, $default, $default_balance, $optional, $mtu, $tproxy, $local, $load, $what, $hostroute, $persistent );
 
     if ( $pseudo ) {	
-	( $loose, $track,                   $balance , $default, $default_balance,                         $optional,                           $mtu, $tproxy , $local, $load, $what ,      $hostroute,        $persistent ) =
-	( 0,      0                       , 0 ,        0,        0,                                        1                                  , ''  , 0       , 0,      0,     'interface', 0,                 0);
+	( $loose, $track,                   $balance , $default, $default_balance,                   $optional,                           $mtu, $tproxy , $local, $load, $what ,      $hostroute,        $persistent ) =
+	( 0,      0                       , 0 ,        0,        0,                                  1                                  , ''  , 0       , 0,      0,     'interface', 0,                 0);
     } else {
-	( $loose, $track,                   $balance , $default, $default_balance,                         $optional,                           $mtu, $tproxy , $local, $load, $what      , $hostroute,        $persistent  )=
-	( 0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} eq 'Yes' ? 1 : 0, interface_is_optional( $interface ), ''  , 0       , 0,      0,     'provider',  1,                 0);
+	( $loose, $track,                   $balance , $default, $default_balance,                   $optional,                           $mtu, $tproxy , $local, $load, $what      , $hostroute,        $persistent  )=
+	( 0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{BALANCE_PROVIDERS} ? 1 : 0, interface_is_optional( $interface ), ''  , 0       , 0,      0,     'provider',  1,                 0);
     }
 
     unless ( $options eq '-' ) {
@@ -603,39 +603,39 @@ sub process_a_provider( $ ) {
 
     fatal_error "A provider interface must have at least one associated zone" unless $tproxy || %{interface_zones($interface)};
 
-    if ( $local ) {
-	fatal_error "GATEWAY not valid with 'local' provider"  unless $gatewaycase eq 'omitted';
-	fatal_error "'track' not valid with 'local'"           if $track;
-	fatal_error "DUPLICATE not valid with 'local'"         if $duplicate ne '-';
-	fatal_error "'persistent' is not valid with 'local"    if $persistent;
-    } elsif ( $tproxy ) {
-	fatal_error "Only one 'tproxy' provider is allowed"    if $tproxies++;
-	fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'omitted';
-	fatal_error "'track' not valid with 'tproxy'"          if $track;
-	fatal_error "DUPLICATE not valid with 'tproxy'"        if $duplicate ne '-';
-	fatal_error "MARK not allowed with 'tproxy'"           if $mark ne '-';
-	fatal_error "'persistent' is not valid with 'tproxy"   if $persistent;
-	$mark = $globals{TPROXY_MARK};
-    } elsif ( ( my $rf = ( $config{ROUTE_FILTER} eq 'on' ) ) || $interfaceref->{options}{routefilter} ) {
-	if ( $config{USE_DEFAULT_RT} ) {
-	    if ( $rf ) {
-		fatal_error "There may be no providers when ROUTE_FILTER=Yes and USE_DEFAULT_RT=Yes";
-	    } else {
-		fatal_error "Providers interfaces may not specify 'routefilter' when USE_DEFAULT_RT=Yes";
-	    }
-	} else {
-	    unless ( $balance ) {
+    unless ( $pseudo ) {
+	if ( $local ) {
+	    fatal_error "GATEWAY not valid with 'local' provider"  unless $gatewaycase eq 'omitted';
+	    fatal_error "'track' not valid with 'local'"           if $track;
+	    fatal_error "DUPLICATE not valid with 'local'"         if $duplicate ne '-';
+	    fatal_error "'persistent' is not valid with 'local"    if $persistent;
+	} elsif ( $tproxy ) {
+	    fatal_error "Only one 'tproxy' provider is allowed"    if $tproxies++;
+	    fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'omitted';
+	    fatal_error "'track' not valid with 'tproxy'"          if $track;
+	    fatal_error "DUPLICATE not valid with 'tproxy'"        if $duplicate ne '-';
+	    fatal_error "MARK not allowed with 'tproxy'"           if $mark ne '-';
+	    fatal_error "'persistent' is not valid with 'tproxy"   if $persistent;
+	    $mark = $globals{TPROXY_MARK};
+	} elsif ( ( my $rf = ( $config{ROUTE_FILTER} eq 'on' ) ) || $interfaceref->{options}{routefilter} ) {
+	    if ( $config{USE_DEFAULT_RT} ) {
 		if ( $rf ) {
-		    fatal_error "The 'balance' option is required when ROUTE_FILTER=Yes";
+		    fatal_error "There may be no providers when ROUTE_FILTER=Yes and USE_DEFAULT_RT=Yes";
 		} else {
-		    fatal_error "Provider interfaces may not specify 'routefilter' without 'balance' or 'primary'";
+		    fatal_error "Providers interfaces may not specify 'routefilter' when USE_DEFAULT_RT=Yes";
+		}
+	    } else {
+		unless ( $balance ) {
+		    if ( $rf ) {
+			fatal_error "The 'balance' option is required when ROUTE_FILTER=Yes";
+		    } else {
+			fatal_error "Provider interfaces may not specify 'routefilter' without 'balance' or 'primary'";
+		    }
 		}
 	    }
 	}
     }
 
-
-
     my $val = 0;
     my $pref;
 

Shorewall/Perl/Shorewall/Rules.pm

@@ -233,6 +233,7 @@ use constant { INLINE_OPT           => 1 ,
 	       TERMINATING_OPT      => 256 ,
 	       AUDIT_OPT            => 512 ,
 	       LOGJUMP_OPT          => 1024 ,
+	       SECTION_OPT          => 2048 ,
 };
 
 our %options = ( inline      => INLINE_OPT ,
@@ -246,6 +247,7 @@ our %options = ( inline      => INLINE_OPT ,
 		 terminating => TERMINATING_OPT ,
 		 audit       => AUDIT_OPT ,
 		 logjump     => LOGJUMP_OPT ,
+		 section     => SECTION_OPT ,
     );
 
 our %reject_options;
@@ -309,11 +311,12 @@ sub initialize( $ ) {
     # This is updated from the *_DEFAULT settings in shorewall.conf. Those settings were stored
     # in the %config hash when shorewall[6].conf was processed.
     #
-    %default_actions  = ( DROP     => 'none' ,
-		 	  REJECT   => 'none' ,
-			  ACCEPT   => 'none' ,
-			  QUEUE    => 'none' ,
-			  NFQUEUE  => 'none' ,
+    %default_actions  = ( DROP      => 'none' ,
+		 	  REJECT    => 'none' ,
+			  BLACKLIST => 'none' ,
+			  ACCEPT    => 'none' ,
+			  QUEUE     => 'none' ,
+			  NFQUEUE   => 'none' ,
 			);
     #
     # These are set to 1 as sections are encountered.
@@ -679,6 +682,8 @@ sub process_a_policy1($$$$$$$) {
 	    if $clientwild || $serverwild;
 	fatal_error "NONE policy not allowed to/from firewall zone"
 	    if ( zone_type( $client ) == FIREWALL ) || ( zone_type( $server ) == FIREWALL );
+    } elsif ( $policy eq 'BLACKLIST' ) {
+	fatal_error 'BLACKLIST policies require ipset-based dynamic blacklisting' unless $config{DYNAMIC_BLACKLIST} =~ /^ipset/;
     }
 
     unless ( $clientwild || $serverwild ) {
@@ -817,24 +822,26 @@ sub process_policies()
     our %validpolicies = (
 			  ACCEPT => undef,
 			  REJECT => undef,
-			  DROP   => undef,
+			  DROP	 => undef,
 			  CONTINUE => undef,
+			  BLACKLIST => undef,
 			  QUEUE => undef,
 			  NFQUEUE => undef,
 			  NONE => undef
 			  );
 
-    our %map = ( DROP_DEFAULT    => 'DROP' ,
-		 REJECT_DEFAULT  => 'REJECT' ,
-		 ACCEPT_DEFAULT  => 'ACCEPT' ,
-		 QUEUE_DEFAULT   => 'QUEUE' ,
-		 NFQUEUE_DEFAULT => 'NFQUEUE' );
+    our %map = ( DROP_DEFAULT      => 'DROP' ,
+		 REJECT_DEFAULT    => 'REJECT' ,
+		 BLACKLIST_DEFAULT => 'BLACKLIST' ,
+		 ACCEPT_DEFAULT    => 'ACCEPT' ,
+		 QUEUE_DEFAULT     => 'QUEUE' ,
+		 NFQUEUE_DEFAULT   => 'NFQUEUE' );
 
     my $zone;
     my $firewall = firewall_zone;
     our @zonelist = $config{EXPAND_POLICIES} ? all_zones : ( all_zones, 'all' );
 
-    for my $option ( qw( DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT) ) {
+    for my $option ( qw( DROP_DEFAULT REJECT_DEFAULT BLACKLIST_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT) ) {
 	my $action = $config{$option};
 
 	unless ( $action eq 'none' ) {
@@ -951,7 +958,20 @@ sub add_policy_rules( $$$$$ ) {
 	log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
 	fatal_error "Null target in policy_rules()" unless $target;
 
-	add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $target ) if $chainref->{audit};
+	if ( $target eq 'BLACKLIST' ) {
+	    my ( $dbl_type, $dbl_ipset, $dbl_level, $dbl_tag ) = split( ':', $config{DYNAMIC_BLACKLIST} );
+
+	    if ( my $timeout = $globals{DBL_TIMEOUT} ) {
+		add_ijump( $chainref, j => "SET --add-set $dbl_ipset src --exist --timeout $timeout" );
+	    } else {
+		add_ijump( $chainref, j => "SET --add-set $dbl_ipset src --exist" );
+	    }
+
+	    $target = 'DROP';
+	} else {
+	    add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $target ) if $chainref->{audit};
+	}
+
 	add_ijump( $chainref , g => $target eq 'REJECT' ? 'reject' : $target ) unless $target eq 'CONTINUE';
     }
 }
@@ -2718,7 +2738,7 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
     #
     # Determine the validity of the action
     #
-    $actiontype = ( $targets{$basictarget} || find_macro ( $basictarget ) );
+    $actiontype = $targets{$basictarget} || find_macro( $basictarget );
 
     if ( $config{ MAPOLDACTIONS } ) {
 	( $basictarget, $actiontype , $param ) = map_old_actions( $basictarget ) unless $actiontype || supplied $param;
@@ -3126,6 +3146,10 @@ sub process_rule ( $$$$$$$$$$$$$$$$$$$$ ) {
     my $actionchain; # Name of the action chain
 
     if ( $actiontype & ACTION ) {
+	#
+	# Handle 'section' option
+	#
+	$param = supplied $param ? join( ',' , $section_rmap{$section}, $param ) : $section_rmap{$section} if $actions{$basictarget}{options} & SECTION_OPT;
 	#
 	# Create the action:level:tag:param tuple.
 	#

Shorewall/Samples/Universal/shorewall.conf

@@ -108,6 +108,7 @@ TC=
 ###############################################################################
 
 ACCEPT_DEFAULT="none"
+BLACKLIST_DEFAULT="Drop"
 DROP_DEFAULT="Drop"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
@@ -140,6 +141,8 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
+BALANCE_PROVIDERS=No
+
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -240,7 +243,7 @@ TRACK_PROVIDERS=Yes
 
 TRACK_RULES=No
 
-USE_DEFAULT_RT=Exact
+USE_DEFAULT_RT=Yes
 
 USE_PHYSICAL_NAMES=No
 

Shorewall/Samples/one-interface/shorewall.conf

@@ -119,6 +119,7 @@ TC=
 ###############################################################################
 
 ACCEPT_DEFAULT="none"
+BLACKLIST_DEFAULT="Drop"
 DROP_DEFAULT="Drop"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
@@ -151,6 +152,8 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
+BALANCE_PROVIDERS=No
+
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -251,7 +254,7 @@ TRACK_PROVIDERS=Yes
 
 TRACK_RULES=No
 
-USE_DEFAULT_RT=Exact
+USE_DEFAULT_RT=Yes
 
 USE_PHYSICAL_NAMES=No
 

Shorewall/Samples/three-interfaces/shorewall.conf

@@ -116,6 +116,7 @@ TC=
 ###############################################################################
 
 ACCEPT_DEFAULT="none"
+BLACKLIST_DEFAULT="Drop"
 DROP_DEFAULT="Drop"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
@@ -148,6 +149,8 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
+BALANCE_PROVIDERS=No
+
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -248,7 +251,7 @@ TRACK_PROVIDERS=Yes
 
 TRACK_RULES=No
 
-USE_DEFAULT_RT=Exact
+USE_DEFAULT_RT=Yes
 
 USE_PHYSICAL_NAMES=No
 

Shorewall/Samples/two-interfaces/shorewall.conf

@@ -119,6 +119,7 @@ TC=
 ###############################################################################
 
 ACCEPT_DEFAULT="none"
+BLACKLIST_DEFAULT="Drop"
 DROP_DEFAULT="Drop"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
@@ -151,6 +152,8 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
+BALANCE_PROVIDERS=No
+
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -251,7 +254,7 @@ TRACK_PROVIDERS=Yes
 
 TRACK_RULES=No
 
-USE_DEFAULT_RT=Exact
+USE_DEFAULT_RT=Yes
 
 USE_PHYSICAL_NAMES=No
 

Shorewall/actions.std

@@ -9,44 +9,43 @@
 # Builtin Actions are:
 #
 ?if 0
-A_ACCEPT                        # Audits then accepts a connection request
-A_DROP                          # Audits then drops a connection request
-allowBcast		        # Silently Allow Broadcast/multicast
-dropBcast		        # Silently Drop Broadcast/multicast
-dropNotSyn		        # Silently Drop Non-syn TCP packets
-rejNotSyn		        # Silently Reject Non-syn TCP packets
-allowinUPnP	                # Allow UPnP inbound (to firewall) traffic
-forwardUPnP	                # Allow traffic that upnpd has redirected from 'upnp' interfaces.
-Limit                           # Limit the rate of connections from each individual IP address
+allowBcast			# Silently Allow Broadcast/multicast
+dropBcast			# Silently Drop Broadcast/multicast
+dropNotSyn			# Silently Drop Non-syn TCP packets
+rejNotSyn			# Silently Reject Non-syn TCP packets
+allowinUPnP			# Allow UPnP inbound (to firewall) traffic
+forwardUPnP			# Allow traffic that upnpd has redirected from 'upnp' interfaces.
+Limit				# Limit the rate of connections from each individual IP address
 ?endif
 ###############################################################################
 #ACTION
-A_Drop 		                # Audited Default Action for DROP policy
-A_REJECT     noinline,logjump   # Audits then rejects a connection request
-A_REJECT!    inline             # Audits then rejects a connection request
-A_Reject	                # Audited Default action for REJECT policy
+A_Drop				# Audited Default Action for DROP policy
+A_REJECT     noinline,logjump	# Audits then rejects a connection request
+A_REJECT!    inline		# Audits then rejects a connection request
+A_Reject			# Audited Default action for REJECT policy
 allowInvalid inline		# Accepts packets in the INVALID conntrack state
-AutoBL       noinline           # Auto-blacklist IPs that exceed thesholds
-AutoBLL      noinline           # Helper for AutoBL
-Broadcast    noinline,audit     # Handles Broadcast/Multicast/Anycast
-DNSAmp                          # Matches one-question recursive DNS queries
-Drop		                # Default Action for DROP policy
+AutoBL	     noinline		# Auto-blacklist IPs that exceed thesholds
+AutoBLL	     noinline		# Helper for AutoBL
+BLACKLIST    logjump,section	# Add sender to the dynamic blacklist
+Broadcast    noinline,audit	# Handles Broadcast/Multicast/Anycast
+DNSAmp				# Matches one-question recursive DNS queries
+Drop				# Default Action for DROP policy
 dropInvalid  inline		# Drops packets in the INVALID conntrack state
-DropSmurfs   noinline           # Drop smurf packets
+DropSmurfs   noinline		# Drop smurf packets
 Established  inline,\		# Handles packets in the ESTABLISHED state
-	     state=ESTABLISHED  #
+	     state=ESTABLISHED	#
 GlusterFS    inline		# Handles GlusterFS
-IfEvent      noinline           # Perform an action based on an event
-Invalid      inline,audit,\     # Handles packets in the INVALID conntrack state
-             state=INVALID      #
+IfEvent	     noinline		# Perform an action based on an event
+Invalid	     inline,audit,\	# Handles packets in the INVALID conntrack state
+	     state=INVALID	#
 New	     inline,state=NEW	# Handles packets in the NEW conntrack state
-NotSyn       inline,audit       # Handles TCP packets which do not have SYN=1 and ACK=0
-Reject                          # Default Action for REJECT policy
-Related      inline,\		# Handles packets in the RELATED conntrack state
-             state=RELATED      #
+NotSyn	     inline,audit	# Handles TCP packets which do not have SYN=1 and ACK=0
+Reject				# Default Action for REJECT policy
+Related	     inline,\		# Handles packets in the RELATED conntrack state
+	     state=RELATED	#
 ResetEvent   inline		# Reset an Event
-RST	     inline,audit       # Handle packets with RST set
+RST	     inline,audit	# Handle packets with RST set
 SetEvent     inline		# Initialize an event
-TCPFlags    			# Handle bad flag combinations.
-Untracked    inline,\           # Handles packets in the UNTRACKED conntrack state
-	     state=UNTRACKED    #
+TCPFlags			# Handle bad flag combinations.
+Untracked    inline,\		# Handles packets in the UNTRACKED conntrack state
+	     state=UNTRACKED	#

Shorewall/configfiles/shorewall.conf

@@ -108,6 +108,7 @@ TC=
 ###############################################################################
 
 ACCEPT_DEFAULT=none
+BLACKLIST_DEFAULT=Drop
 DROP_DEFAULT=Drop
 NFQUEUE_DEFAULT=none
 QUEUE_DEFAULT=none
@@ -140,6 +141,8 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
+BALANCE_PROVIDERS=No
+
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -240,7 +243,7 @@ TRACK_PROVIDERS=No
 
 TRACK_RULES=No
 
-USE_DEFAULT_RT=Exact
+USE_DEFAULT_RT=Yes
 
 USE_PHYSICAL_NAMES=No
 

Shorewall/lib.cli-std

@@ -443,20 +443,21 @@ compiler() {
     fi
 
     options="--verbose=$VERBOSITY --family=$g_family --config_path=$CONFIG_PATH --shorewallrc=${shorewallrc}"
-    [ -n "$shorewallrc1" ] && options="$options --shorewallrc1=${shorewallrc1}"
-    [ -n "$STARTUP_LOG" ] && options="$options --log=$STARTUP_LOG"
-    [ -n "$LOG_VERBOSITY" ] && options="$options --log_verbosity=$LOG_VERBOSITY";
-    [ -n "$g_export" ] && options="$options --export"
-    [ -n "$g_shorewalldir" ] && options="$options --directory=$g_shorewalldir"
-    [ -n "$g_timestamp" ] && options="$options --timestamp"
-    [ -n "$g_test" ] && options="$options --test"
-    [ -n "$g_preview" ] && options="$options --preview"
+
+    [ -n "$shorewallrc1" ]     && options="$options --shorewallrc1=${shorewallrc1}"
+    [ -n "$STARTUP_LOG" ]      && options="$options --log=$STARTUP_LOG"
+    [ -n "$LOG_VERBOSITY" ]    && options="$options --log_verbosity=$LOG_VERBOSITY";
+    [ -n "$g_export" ]         && options="$options --export"
+    [ -n "$g_shorewalldir" ]   && options="$options --directory=$g_shorewalldir"
+    [ -n "$g_timestamp" ]      && options="$options --timestamp"
+    [ -n "$g_test" ]           && options="$options --test"
+    [ -n "$g_preview" ]        && options="$options --preview"
     [ "$g_debugging" = trace ] && options="$options --debug"
-    [ -n "$g_refreshchains" ] && options="$options --refresh=$g_refreshchains"
-    [ -n "$g_confess" ] && options="$options --confess"
-    [ -n "$g_update" ] && options="$options --update"
-    [ -n "$g_annotate" ] && options="$options --annotate"
-    [ -n "$g_inline" ] && options="$options --inline"
+    [ -n "$g_refreshchains" ]  && options="$options --refresh=$g_refreshchains"
+    [ -n "$g_confess" ]        && options="$options --confess"
+    [ -n "$g_update" ]         && options="$options --update"
+    [ -n "$g_annotate" ]       && options="$options --annotate"
+    [ -n "$g_inline" ]         && options="$options --inline"
 
     if [ -n "$PERL" ]; then
 	if [ ! -x "$PERL" ]; then

Shorewall/manpages/shorewall-actions.xml

@@ -191,6 +191,25 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><option>section</option></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.1.1. When specified, this option
+                causes the rules file section name and a comma to be prepended
+                to the parameters passed to the action (if any). Note that
+                this means that the first parameter passed to the action by
+                the user is actually the second parameter to the action. If
+                the action is invoked out of the blrules file, 'BLACKLIST' is
+                used as the section name.</para>
+
+                <para>Given that neither the <filename>snat</filename> nor the
+                <filename>mangle</filename> file is sectioned, this parameter
+                has no effect when <option>mangle</option> or
+                <option>nat</option> is specified. </para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><option>state</option>={<option>UNTRACKED</option>|<option>NEW</option>|<option>ESTABLISHED</option>|<option>RELATED</option>|<option>INVALID</option>}</term>
 
@@ -205,9 +224,9 @@
 
               <listitem>
                 <para>Added in Shorewall 4.6.4. When used with
-                <replaceable>builtin</replaceable>, indicates that the
-                built-in action is termiating (i.e., if the action is jumped
-                to, the next rule in the chain is not evaluated).</para>
+                <option>builtin</option>, indicates that the built-in action
+                is termiating (i.e., if the action is jumped to, the next rule
+                in the chain is not evaluated).</para>
               </listitem>
             </varlistentry>
           </variablelist>

Shorewall/manpages/shorewall-policy.xml

@@ -115,6 +115,7 @@
         role="bold">ACCEPT</emphasis>|<emphasis
         role="bold">DROP</emphasis>|<emphasis
         role="bold">REJECT</emphasis>|<emphasis
+        role="bold">BLACKLIST</emphasis>|<emphasis
         role="bold">CONTINUE</emphasis>|<emphasis
         role="bold">QUEUE</emphasis>|<emphasis
         role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber1</emphasis>[:<replaceable>queuenumber2</replaceable>])]|<emphasis
@@ -177,6 +178,19 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis role="bold">BLACKLIST</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.1.1 and requires that the
+                DYNAMIC_BLACKLIST setting in <ulink
+                url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5)
+                specifies ipset-based dynamic blacklisting. The SOURCE IP
+                address is added to the blacklist ipset and the connection
+                request is ignored.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">QUEUE</emphasis></term>
 

Shorewall/manpages/shorewall-providers.xml

@@ -209,13 +209,15 @@
                 where <replaceable>weight</replaceable> is the weight of the
                 route out of this interface.</para>
 
-                <para>The setting <option>balance=1</option> is the default
-                when USE_DEFAULT_RT=Yes in and neither
-                <option>balance</option>[=], <option>primary</option>,
-                <option>fallback</option>, <option>loose</option> nor
-                <option>tproxy</option> is specified. To suppress this
-                behavior, set USE_DEFAULT_RT=Strict (Shorewall 5.1.1 or
-                later).</para>
+                <para>Prior to Shorewall 5.1.1, when USE_DEFAULT_RT=Yes,
+                <option>balance=1</option> is assumed unless the
+                <option>fallback</option>, <option>loose</option>,
+                <option>load</option> or <option>tproxy</option> option is
+                specified. Beginning with Shorewall 5.1.1, when
+                BALANCE_PROVIDERS=Yes, <option>balance=1</option> is assumed
+                unless the <option>fallback</option>, <option>loose</option>,
+                <option>load</option> or <option>tproxy</option> option is
+                specified.</para>
               </listitem>
             </varlistentry>
 

Shorewall/manpages/shorewall.conf.xml

@@ -117,6 +117,16 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis
+        role="bold">BLACKLIST_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>]|<emphasis
+        role="bold">none</emphasis>}</term>
+
+        <listitem>
+          <para/>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis
         role="bold">DROP_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>]|<emphasis
@@ -176,6 +186,9 @@
 
             <member>REJECT_DEFAULT="Reject"</member>
 
+            <member>BLACKLIST_DEFAULT="Drop" (added in Shorewall
+            5.1.1)</member>
+
             <member>ACCEPT_DEFAULT="none"</member>
 
             <member>QUEUE_DEFAULT="none"</member>
@@ -443,6 +456,24 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">BALANCE_PROVIDERS=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.1.1. When USE_DEFAULT_RT=Yes, this option
+          determines whether the <option>balance</option> provider option (see
+          <ulink
+          url="shorewall-providers.html">shorewall-providers(5)</ulink>) is
+          the default. When BALANCE_PROVIDERS=Yes, then the
+          <option>balance</option> option is assumed unless the
+          <option>fallback</option>, <option>loose</option>,
+          <option>load</option> or <option>tproxy</option> option is
+          specified. If this option is not set or is set to the empty value,
+          then the default value is the value of USE_DEFAULT_RT.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">BASIC_FILTERS=</emphasis>[<emphasis
         role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
@@ -2307,10 +2338,9 @@ INLINE          -       -       -       ;; -j REJECT
 
           <para>RESTORE_DEFAULT_ROUTE=No is appropriate when you don't want a
           default route in the main table (USE_DEFAULT_RT=No) or in the
-          default table (USE_DEFAULT_RT=Yes or USE_DEFAULT_RT=Exact) when
-          there are no balance providers available. In that case,
-          RESTORE_DEFAULT_ROUTE=No will cause any default route in the
-          relevant table to be deleted.</para>
+          default table (USE_DEFAULT_RT=Yes) when there are no balance
+          providers available. In that case, RESTORE_DEFAULT_ROUTE=No will
+          cause any default route in the relevant table to be deleted.</para>
         </listitem>
       </varlistentry>
 
@@ -2806,8 +2836,7 @@ INLINE          -       -       -       ;; -j REJECT
 
       <varlistentry>
         <term><emphasis role="bold">USE_DEFAULT_RT=</emphasis>[<emphasis
-        role="bold">Yes</emphasis>|<emphasis
-        role="bold">No|Exact</emphasis>]</term>
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
 
         <listitem>
           <para>When set to 'Yes', this option causes the Shorewall multi-ISP
@@ -2818,8 +2847,7 @@ INLINE          -       -       -       ;; -j REJECT
           the Shorewall-generated routing rules. So changes to the main table
           will affect the routing of packets by default.</para>
 
-          <para>When USE_DEFAULT_RT=Yes or USE_DEFAULT_RT=Exact (Shorewall
-          5.1.1 or later):</para>
+          <para>When USE_DEFAULT_RT=Yes:</para>
 
           <orderedlist>
             <listitem>
@@ -2834,11 +2862,12 @@ INLINE          -       -       -       ;; -j REJECT
             </listitem>
 
             <listitem>
-              <para>The <emphasis role="bold">balance</emphasis> provider
-              option is assumed unless <emphasis role="bold">loose</emphasis>,
-              <option>fallback</option>,<option> load=</option> or
-              <option>tproxy</option> is specified for the provider or unless
-              USE_DEFAULT_RT=Exact.</para>
+              <para>If running Shorewall 5.1.0 or earlier or if
+              BALANCE_PROVIDERS=Yes (Shorewall 5.1.1 or later), then the
+              <emphasis role="bold">balance</emphasis> provider option is
+              assumed unless the <option>fallback</option>,
+              <option>loose</option>, <option>load</option> or
+              <option>tproxy</option> option is specified.</para>
             </listitem>
 
             <listitem>

Shorewall6/Samples6/Universal/shorewall6.conf

@@ -105,6 +105,7 @@ TC=
 ###############################################################################
 
 ACCEPT_DEFAULT="none"
+BLACKLIST_DEFAULT="Drop"
 DROP_DEFAULT="Drop"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
@@ -133,6 +134,8 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
+BALANCE_PROVIDERS=No
+
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -211,7 +214,7 @@ TRACK_PROVIDERS=Yes
 
 TRACK_RULES=No
 
-USE_DEFAULT_RT=Exact
+USE_DEFAULT_RT=Yes
 
 USE_PHYSICAL_NAMES=No
 

Shorewall6/Samples6/one-interface/shorewall6.conf

@@ -106,6 +106,7 @@ TC=
 ###############################################################################
 
 ACCEPT_DEFAULT="none"
+BLACKLIST_DEFAULT="Drop"
 DROP_DEFAULT="Drop"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
@@ -134,6 +135,8 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
+BALANCE_PROVIDERS=No
+
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -212,7 +215,7 @@ TRACK_PROVIDERS=Yes
 
 TRACK_RULES=No
 
-USE_DEFAULT_RT=Exact
+USE_DEFAULT_RT=Yes
 
 USE_PHYSICAL_NAMES=No
 

Shorewall6/Samples6/three-interfaces/shorewall6.conf

@@ -105,6 +105,7 @@ TC=
 ###############################################################################
 
 ACCEPT_DEFAULT="none"
+BLACKLIST_DEFAULT="Drop"
 DROP_DEFAULT="Drop"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
@@ -133,6 +134,8 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
+BALANCE_PROVIDERS=No
+
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -211,7 +214,7 @@ TRACK_PROVIDERS=Yes
 
 TRACK_RULES=No
 
-USE_DEFAULT_RT=Exact
+USE_DEFAULT_RT=Yes
 
 USE_PHYSICAL_NAMES=No
 

Shorewall6/Samples6/two-interfaces/shorewall6.conf

@@ -105,6 +105,7 @@ TC=
 ###############################################################################
 
 ACCEPT_DEFAULT="none"
+BLACKLIST_DEFAULT="Drop"
 DROP_DEFAULT="Drop"
 NFQUEUE_DEFAULT="none"
 QUEUE_DEFAULT="none"
@@ -133,6 +134,8 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
+BALANCE_PROVIDERS=No
+
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"
@@ -211,7 +214,7 @@ TRACK_PROVIDERS=Yes
 
 TRACK_RULES=No
 
-USE_DEFAULT_RT=Exact
+USE_DEFAULT_RT=Yes
 
 USE_PHYSICAL_NAMES=No
 

Shorewall6/configfiles/shorewall6.conf

@@ -105,6 +105,7 @@ TC=
 ###############################################################################
 
 ACCEPT_DEFAULT=none
+BLACKLIST_DEFAULT=Drop
 DROP_DEFAULT=Drop
 NFQUEUE_DEFAULT=none
 QUEUE_DEFAULT=none
@@ -133,6 +134,8 @@ AUTOHELPERS=Yes
 
 AUTOMAKE=Yes
 
+BALANCE_PROVIDERS=No
+
 BASIC_FILTERS=No
 
 BLACKLIST="NEW,INVALID,UNTRACKED"

Shorewall6/manpages/shorewall6-actions.xml

@@ -192,6 +192,25 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><option>section</option></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.1.1. When specified, this option
+                causes the rules file section name and a comma to be prepended
+                to the parameters passed to the action (if any). Note that
+                this means that the first parameter passed to the action by
+                the user is actually the second parameter to the action. If
+                the action is invoked out of the blrules file, 'BLACKLIST' is
+                used as the section name.</para>
+
+                <para>Given that neither the <filename>snat</filename> nor the
+                <filename>mangle</filename> file is sectioned, this parameter
+                has no effect when <option>mangle</option> or
+                <option>nat</option> is specified.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><option>state</option>={<option>UNTRACKED</option>|<option>NEW</option>|<option>ESTABLISHED</option>|<option>RELATED</option>|<option>INVALID</option>}</term>
 
@@ -206,9 +225,9 @@
 
               <listitem>
                 <para>Added in Shorewall 4.6.4. When used with
-                <replaceable>builtin</replaceable>, indicates that the
-                built-in action is termiating (i.e., if the action is jumped
-                to, the next rule in the chain is not evaluated).</para>
+                <option>builtin</option>, indicates that the built-in action
+                is termiating (i.e., if the action is jumped to, the next rule
+                in the chain is not evaluated).</para>
               </listitem>
             </varlistentry>
           </variablelist>

Shorewall6/manpages/shorewall6-policy.xml

@@ -114,7 +114,7 @@
         <term><emphasis role="bold">POLICY</emphasis> - {<emphasis
         role="bold">ACCEPT</emphasis>|<emphasis
         role="bold">DROP</emphasis>|<emphasis
-        role="bold">REJECT</emphasis>|<emphasis
+        role="bold">REJECT</emphasis>|BLACKLIST|<emphasis
         role="bold">CONTINUE</emphasis>|<emphasis
         role="bold">QUEUE</emphasis>|<emphasis
         role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber1</emphasis>[:<replaceable>queuenumber2</replaceable>])]|<emphasis
@@ -177,6 +177,19 @@
               </listitem>
             </varlistentry>
 
+            <varlistentry>
+              <term><emphasis role="bold">BLACKLIST</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 5.1.1 and requires that the
+                DYNAMIC_BLACKLIST setting in <ulink
+                url="/manpages/shorewall.conf.html">shorewall6.conf</ulink>(5)
+                specifies ipset-based dynamic blacklisting. The SOURCE IP
+                address is added to the blacklist ipset and the connection
+                request is ignored.</para>
+              </listitem>
+            </varlistentry>
+
             <varlistentry>
               <term><emphasis role="bold">QUEUE</emphasis></term>
 

Shorewall6/manpages/shorewall6-providers.xml

@@ -174,13 +174,15 @@
                 route out of this interface. Prior to Shorewall 5.0.13, only
                 one provider can specify this option.</para>
 
-                <para>The setting <option>balance=1</option> is the default
-                when USE_DEFAULT_RT=Yes in and neither
-                <option>balance</option>[=], <option>primary</option>,
-                <option>fallback</option>[=], <option>loose</option> nor
-                <option>tproxy</option> is specified. To suppress this
-                behavior, set USE_DEFAULT_RT=Strict (Shorewall 5.1.1 or
-                later).</para>
+                <para>Prior to Shorewall 5.1.1, when USE_DEFAULT_RT=Yes,
+                <option>balance=1</option> is assumed unless the
+                <option>fallback</option>, <option>loose</option>,
+                <option>load</option> or <option>tproxy</option> option is
+                specified. Beginning with Shorewall 5.1.1, when
+                BALANCE_PROVIDERS=Yes, <option>balance=1</option> is assumed
+                unless the <option>fallback</option>, <option>loose</option>,
+                <option>load</option> or <option>tproxy</option> option is
+                specified.</para>
               </listitem>
             </varlistentry>
 

Shorewall6/manpages/shorewall6.conf.xml

@@ -103,6 +103,16 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis
+        role="bold">BLACKLIST_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>]|<emphasis
+        role="bold">none</emphasis>}</term>
+
+        <listitem>
+          <para/>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis
         role="bold">DROP_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>]|<emphasis
@@ -164,6 +174,9 @@
 
             <member>REJECT_DEFAULT="Reject"</member>
 
+            <member>BLACKLIST_DEFAULT="Drop" (added in Shorewall
+            5.1.1)</member>
+
             <member>ACCEPT_DEFAULT="none"</member>
 
             <member>QUEUE_DEFAULT="none"</member>
@@ -374,6 +387,24 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term><emphasis role="bold">BALANCE_PROVIDERS=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.1.1. When USE_DEFAULT_RT=Yes, this option
+          determines whether the <option>balance</option> provider option (see
+          <ulink
+          url="shorewall6-providers.html">shorewall6-providers(5)</ulink>) is
+          the default. When BALANCE_PROVIDERS=Yes, then the
+          <option>balance</option> option is assumed unless the
+          <option>fallback</option>, <option>loose</option>,
+          <option>load</option> or <option>tproxy</option> option is
+          specified. If this option is not set or is set to the empty value,
+          then the default value is the value of USE_DEFAULT_RT.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term><emphasis role="bold">BASIC_FILTERS=</emphasis>[<emphasis
         role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
@@ -2448,8 +2479,7 @@ INLINE          -       -       -       ;; -j REJECT
 
       <varlistentry>
         <term><emphasis role="bold">USE_DEFAULT_RT=</emphasis>[<emphasis
-        role="bold">Yes</emphasis>|<emphasis
-        role="bold">No</emphasis>|Exact]</term>
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
 
         <listitem>
           <para>Added in Shorewall6 4.4.25. When set to 'Yes', this option
@@ -2461,8 +2491,7 @@ INLINE          -       -       -       ;; -j REJECT
           changes to the main table will affect the routing of packets by
           default.</para>
 
-          <para>When USE_DEFAULT_RT=Yes or USE_DEFAULT_RT=Exact (Shorewall
-          5.1.1 or later):</para>
+          <para>When USE_DEFAULT_RT=Yes:</para>
 
           <orderedlist>
             <listitem>
@@ -2477,11 +2506,12 @@ INLINE          -       -       -       ;; -j REJECT
             </listitem>
 
             <listitem>
-              <para>The <emphasis role="bold">balance</emphasis> provider
-              option is assumed unless <emphasis role="bold">loose</emphasis>,
-              <option>fallback</option>,<option> load=</option> or
-              <option>tproxy</option> is specified for the provider or unless
-              USE_DEFAULT_RT=Exact.</para>
+              <para>If running Shorewall 5.1.0 or earlier or if
+              BALANCE_PROVIDERS=Yes (Shorewall 5.1.1 or later), then the
+              <emphasis role="bold">balance</emphasis> provider option is
+              assumed unless the <option>fallback</option>,
+              <option>loose</option>, <option>load</option> or
+              <option>tproxy</option> option is specified.</para>
             </listitem>
 
             <listitem>

docs/MultiISP.xml

@@ -219,16 +219,14 @@
       <para>The behavior and configuration of Multiple ISP support is
       dependent on the setting of USE_DEFAULT_RT in shorewall[6].conf.</para>
 
-      <para>When USE_DEFAULT_RT=Yes or USE_DEFAULT_RT=Exact (Shorewall 5.1.1
-      and later), packets are first routed through the main routing table
-      <emphasis>which does not contain a default route</emphasis>. Packets
-      which fail to be routed by an entry in the main table are then passed to
-      shorewall-defined routing tables based on your Multi-ISP configuration.
-      The advantage of this approach is that dynamic changes to the ip
-      configuration, such as VPNs going up and down, do not require
-      notificaiton of Shorewall. USE_DEFAULT_RT=No (USE_DEFAULT_RT=Exact in
-      Shorewall 5.1.1 and later) is now the default and use of
-      USE_DEFAULT_RT=No is deprecated.</para>
+      <para>When USE_DEFAULT_RT=Yes, packets are first routed through the main
+      routing table <emphasis>which does not contain a default
+      route</emphasis>. Packets which fail to be routed by an entry in the
+      main table are then passed to shorewall-defined routing tables based on
+      your Multi-ISP configuration. The advantage of this approach is that
+      dynamic changes to the ip configuration, such as VPNs going up and down,
+      do not require notificaiton of Shorewall. USE_DEFAULT_RT is now the
+      default and use of USE_DEFAULT_RT=No is deprecated.</para>
 
       <para>When USE_DEFAULT_RT=No, packets are routed via Shorewall-generated
       routing tables. As a consequence, the main routing table must be copied
@@ -321,10 +319,9 @@
             <para>Gives the name or number of a routing table to duplicate.
             May be 'main' or the name or number of a previously declared
             provider. This field should be be specified as '-' when
-            USE_DEFAULT_RT=Yes or USE_DEFAULT_RT=Exact in
-            <filename>shorewall.conf. When USE_DEFAULT_RT=No (not
-            recommended), this column is normally specified as
-            <option>main</option>.</filename></para>
+            USE_DEFAULT_RT=Yes in <filename>shorewall.conf. When
+            USE_DEFAULT_RT=No (not recommended), this column is normally
+            specified as <option>main</option>.</filename></para>
           </listitem>
         </varlistentry>
 
@@ -487,6 +484,18 @@ fi</programlisting>
                         url="FAQ.htm#faq58">FAQ 58</ulink>.</para>
                       </note></para>
                   </important>
+
+                  <para>Prior to Shorewall 5.1.1, <emphasis
+                  role="bold">balance=1</emphasis> is the default when
+                  USE_DEFAULT_RT=Yes and neither the
+                  <option>fallback</option>, <option>loose</option>,
+                  <option>load</option> or <option>tproxy</option> option is
+                  specified. Beginning with Shorewall 5.1.1, <emphasis
+                  role="bold">balance=1</emphasis> is the default when both
+                  USE_DEFAULT_RT=Yes and BALANCE_PROVIDERS=Yes and neither the
+                  <option>fallback</option>, <option>loose</option>,
+                  <option>load</option> nor <option>tproxy</option> option is
+                  specified.</para>
                 </listitem>
               </varlistentry>
 
@@ -698,8 +707,7 @@ fi</programlisting>
       interfaces should be routed through the main table using entries in
       <filename>/etc/shorewall/rtrules</filename> (see Example 2 <link
       linkend="Examples">below</link>) or by using <link
-      linkend="USE_DEFAULT_RT">USE_DEFAULT_RT=Yes or
-      USE_DEFAULT_RT=Exact</link> (recommended)</para>
+      linkend="USE_DEFAULT_RT">USE_DEFAULT_RT=Yes</link> (recommended)</para>
 
       <para>In addition:</para>
 
@@ -911,8 +919,8 @@ DROP:info        net:192.168.1.0/24         all</programlisting>
       <title id="Example">Legacy Example</title>
 
       <para>This section describes the legacy method of configuring multiple
-      uplinks. It is deprecated in favor of the USE_DEFAULT_RT=Yes or
-      USE_DEFAULT_RT=Exact configuration described <link
+      uplinks. It is deprecated in favor of the USE_DEFAULT_RT=Yes
+      configuration described <link
       linkend="USE_DEFAULT_RT">below</link>.</para>
 
       <para>The configuration in the figure at the top of this section would
@@ -944,8 +952,7 @@ eth1             0.0.0.0/0         130.252.99.27</programlisting>
     </section>
 
     <section id="Example2">
-      <title id="Example99">Example using USE_DEFAULT_RT=Yes or
-      USE_DEFAULT_RT=Exact</title>
+      <title id="Example99">Example using USE_DEFAULT_RT=Yes</title>
 
       <para>This section shows the differences in configuring the above
       example with USE_DEFAULT_RT=Yes. The changes are confined to the
@@ -1219,12 +1226,12 @@ gateway:~ #</programlisting>
         VPN clients (including but not limited to OpenVPN in routed mode and
         PPTP), the VPN software adds a host route to the <emphasis
         role="bold">main</emphasis> table for each VPN client. The best
-        approach is to use USE_DEFAULT_RT=Yes or USE_DEFAULT_RT=Exact as
-        described <link linkend="USE_DEFAULT_RT">below</link>. If that isn't
-        possible, you must add a routing rule in the 1000-1999 range to
-        specify the <emphasis role="bold">main</emphasis> table for traffic
-        addressed to those clients. See<link linkend="Openvpn"> Example
-        2</link> below.</para>
+        approach is to use USE_DEFAULT_RT=Yes as described <link
+        linkend="USE_DEFAULT_RT">below</link>. If that isn't possible, you
+        must add a routing rule in the 1000-1999 range to specify the
+        <emphasis role="bold">main</emphasis> table for traffic addressed to
+        those clients. See<link linkend="Openvpn"> Example 2</link>
+        below.</para>
 
         <para>If you have an IPSEC gateway on your firewall, be sure to
         arrange for ESP packets to be routed out of the same interface that
@@ -1794,9 +1801,9 @@ lillycat: #</programlisting>
       route rules such as described in <link linkend="Openvpn">one of the
       examples above</link> necessary.</para>
 
-      <para>USE_DEFAULT_RT=Yes and USE_DEFAULT_RT=Exact work around that
-      problem by passing packets through the main table first rather than
-      last. This has a number of implications:</para>
+      <para>USE_DEFAULT_RT=Yes works around that problem by passing packets
+      through the main table first rather than last. This has a number of
+      implications:</para>
 
       <orderedlist>
         <listitem>
@@ -1807,12 +1814,9 @@ lillycat: #</programlisting>
         </listitem>
 
         <listitem>
-          <para>When USE_DEFAULT_RT=Yes, the <emphasis
-          role="bold">balance</emphasis> option is assumed for all interfaces
-          that do not have the <emphasis role="bold">loose</emphasis>,
-          <emphasis role="bold">primary</emphasis>, <emphasis
-          role="bold">fallback</emphasis> or <emphasis
-          role="bold">tproxy</emphasis> option. When you want both <emphasis
+          <para>The <emphasis role="bold">balance</emphasis> option is assumed
+          for all interfaces that do not have the <emphasis
+          role="bold">loose</emphasis> option. When you want both <emphasis
           role="bold">balance</emphasis> and <emphasis
           role="bold">loose</emphasis>, both must be specified.</para>
         </listitem>
@@ -1906,9 +1910,8 @@ shorewall     2    2    -        eth0    192.168.1.254 track,balance=2,optional<
       <section>
         <title>DHCP with USE_DEFAULT_RT</title>
 
-        <para>When USE_DEFAULT_RT=Yes or USE_DEFAULT_RT=Exact, you don't want
-        your DHCP client inserting a default route into the main routing
-        table.</para>
+        <para>When USE_DEFAULT_RT=Yes, you don't want your DHCP client
+        inserting a default route into the main routing table.</para>
 
         <section>
           <title>Debian</title>

docs/blacklisting_support.xml

@@ -109,7 +109,7 @@ DROP            net:200.55.14.18        all
   </section>
 
   <section>
-    <title>Dynamic Blacklisting</title>
+    <title>Chain-based Dynamic Blacklisting</title>
 
     <para>Beginning with Shorewall 4.4.7, dynamic blacklisting is enabled by
     setting DYNAMIC_BLACKLIST=Yes in <filename>shorewall.conf</filename>.
@@ -176,4 +176,103 @@ DROP            net:200.55.14.18        all
       </listitem>
     </itemizedlist>
   </section>
+
+  <section>
+    <title>Ipset-based Dynamic Blacklisting</title>
+
+    <para>Beginning with Shorewall 5.0.8, it is possible to use an ipset to
+    hold blacklisted addresses. The DYNAMIC_BLACKLIST option was expanded
+    to:</para>
+
+    <para><emphasis role="bold">DYNAMIC_BLACKLIST=</emphasis>{<emphasis
+    role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>||<emphasis
+    role="bold">ipset</emphasis>[<emphasis
+    role="bold">-only</emphasis>][<replaceable>,option</replaceable>[,...]][:[<replaceable>setname</replaceable>][:<replaceable>log_level</replaceable>|:l<replaceable>og_tag</replaceable>]]]}</para>
+
+    <para>When <option>ipset</option> or <option>ipset-only</option> is
+    specified, the <command>shorewall blacklist</command> command is used to
+    blacklist a single host or a network. The <command>allow</command> command
+    is used to remove entries from the ipset. The name of the set
+    (<replaceable>setname</replaceable>) and the level
+    (<replaceable>log_level</replaceable>), if any, at which blacklisted
+    traffic is to be logged may also be specified. The default set name is
+    SW_DBL4 and the default log level is <option>none</option> (no logging).
+    If <option>ipset-only</option> is given, then chain-based dynamic
+    blacklisting is disabled just as if DYNAMIC_BLACKLISTING=No had been
+    specified.</para>
+
+    <para>Possible <replaceable>option</replaceable>s are:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term>src-dst</term>
+
+        <listitem>
+          <para>Normally, only packets whose source address matches an entry
+          in the ipset are dropped. If <option>src-dst</option> is included,
+          then packets whose destination address matches an entry in the ipset
+          are also dropped.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>disconnect</option></term>
+
+        <listitem>
+          <para>The <option>disconnect</option> option was added in Shorewall
+          5.0.13 and requires that the conntrack utility be installed on the
+          firewall system. When an address is blacklisted using the
+          <command>blacklist</command> command, all connections originating
+          from that address are disconnected. if the <option>src-dst</option>
+          option was also specified, then all connections to that address are
+          also disconnected.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><option>timeout</option>=<replaceable>seconds</replaceable></term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.13. Normally, Shorewall creates the
+          dynamic blacklisting ipset with timeout 0 which means that entries
+          are permanent. If you want entries in the set that are not accessed
+          for a period of time to be deleted from the set, you may specify
+          that period using this option. Note that the
+          <command>blacklist</command> command can override the ipset's
+          timeout setting.</para>
+
+          <important>
+            <para>Once the dynamic blacklisting ipset has been created,
+            changing this option setting requires a complete restart of the
+            firewall; <command>shorewall restart</command> if RESTART=restart,
+            otherwise <command>shorewall stop &amp;&amp; shorewall
+            start</command></para>
+          </important>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+
+    <para>When ipset-based dynamic blacklisting is enabled, the contents of
+    the blacklist will be preserved over
+    <command>stop</command>/<command>reboot</command>/<command>start</command>
+    sequences if SAVE_IPSETS=Yes, SAVE_IPSETS=ipv4 or if
+    <replaceable>setname</replaceable> is included in the list of sets to be
+    saved in SAVE_IPSETS.</para>
+  </section>
+
+  <section>
+    <title>BLACKLIST Policy and Action</title>
+
+    <para>Beginning with Shorewall 5.1.1, it is possible to specify BLACKLIST
+    in the POLICY column of <ulink
+    url="manpages/shorewall-policies.html">shorewall-policies</ulink>(5) when
+    ipset-based dynamic blacklisting is being used. When a packet is disposed
+    of via the BLACKLIST policy, the packet's sender is added to the dynamic
+    blacklist ipset and the packet is dropped.</para>
+
+    <para>Also available beginning with Shorewall 5.1.1 is a BLACKLIST action
+    for use in the rules file, macros and filter table actions. Execute the
+    <command>shorewall show action BLACKLIST</command> command for
+    details.</para>
+  </section>
 </article>

docs/configuration_file_basics.xml

@@ -1992,6 +1992,14 @@ SSH(ACCEPT)    net:$MYIP      $FW
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term>@action(@{action})</term>
+
+        <listitem>
+          <para>Expands to the name of the action being compiled.</para>
+        </listitem>
+      </varlistentry>
+
       <varlistentry>
         <term>@disposition (@{disposition})</term>