shorewall_code/Shorewall/Actions/action.BLACKLIST
Tom Eastep 70a395892f
Make BLACKLIST work correctly in the blrules file
- Add the 'section' action option

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2017-01-23 15:03:02 -08:00

51 lines
1.4 KiB
Plaintext

#
# Shorewall - /usr/share/shorewall/action.BLACKLIST
#
# This action:
#
# - Adds the sender to the dynamic blacklist ipset
# - Optionally acts on the packet (default is DROP)
#
# Parameters:
#
# 1 - Action to take after adding the packet. Default is DROP.
# Pass -- if you don't want to take any action.
# 2 - Timeout for ipset entry. Default is the timeout specified in
# DYNAMIC_BLACKLIST or the one specified when the ipset was created.
#
###############################################################################
# Note -- This action is defined with the 'section' option, so the first
# parameter is always the section name. That means that in the
# following text, the first parameter passed in the rule is actually
# @2.
###############################################################################
?if $1 eq 'BLACKLIST'
?if $BLACKLIST_LOGLEVEL
blacklog
?else
$BLACKLIST_DISPOSITION
?endif
?else
?if ! "$SW_DBL_IPSET"
? error The BLACKLIST action may only be used with ipset-based dynamic blacklisting
?endif
DEFAULTS -,DROP,-
#
# Add to the blacklist
#
?if passed(@3)
ADD($SW_DBL_IPSET:src:@3)
?elsif $SW_DBL_TIMEOUT
ADD($SW_DBL_IPSET:src:$SW_DBL_TIMEOUT)
?else
ADD($SW_DBL_IPSET:src)
?endif
#
# Dispose of the packet if asked
#
?if passed(@2)
@2
?endif
?endif