Fix multiple 'drop/reject' bug

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@727 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2024-11-08 08:44:05 +01:00 · 2003-08-24 15:36:13 +00:00 · 2003-08-24 15:36:13 +00:00 · 47c914a86b
commit 47c914a86b
parent 41de5afd06
3 changed files with 14 additions and 7 deletions
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -60,3 +60,6 @@ Changes since 1.4.6
    conflict between that facility and rate-limited logging rules.

 27) Add User Set capability.
+
+28) Deimplement Smart Blacklisting and fix problem with multiple
+    'drop'/'reject' commands for the same address.
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -28,6 +28,12 @@ Problems Corrected since version 1.4.6:

 6) Thanks to Henry Yang, LOGRATE and LOGBURST now work again.

+7) The 'shorewall reject' and 'shorewall drop' commands now delete any
+   existing rules for the subject IP address before adding a new DROP
+   or REJECT rule. Previously, there could be many rules for the same
+   IP address in the dynamic chain so that multiple 'allow' commands
+   were required to re-enable traffic to/from the address.
+
 Migration Issues:

 1) IP Traffic Accounting is changed from Snapshot 20030813. 
--- a/Shorewall/shorewall
+++ b/Shorewall/shorewall
@ -861,6 +861,8 @@ case "$1" in
 	mutex_on
 	while [ $# -gt 1 ]; do
 	    shift
+	    qt iptables -D dynamic -s $1 -j reject
+	    qt iptables -D dynamic -s $1 -j DROP
 	    iptables -A dynamic -s $1 -j DROP || break 1
 	    echo "$1 Dropped"
 	done
@ -871,6 +873,8 @@ case "$1" in
 	mutex_on
 	while [ $# -gt 1 ]; do
 	    shift
+	    qt iptables -D dynamic -s $1 -j reject
+	    qt iptables -D dynamic -s $1 -j DROP
 	    iptables -A dynamic -s $1 -j reject || break 1
 	    echo "$1 Rejected"
 	done
@ -881,13 +885,7 @@ case "$1" in
 	mutex_on
 	while [ $# -gt 1 ]; do
 	    shift
-	    if	qt iptables -D dynamic -s $1 -j reject; then
-		#
-		# Address was rejected -- silently remove any drop as well
-		#
-		qt iptables -D dynamic -s $1 -j DROP
-		echo "$1 Allowed"
-	    elif qt iptables -D dynamic -s $1 -j DROP; then
+	    if	qt iptables -D dynamic -s $1 -j reject || qt iptables -D dynamic -s $1 -j DROP; then
 		echo "$1 Allowed"
 	    else
 		echo "$1 Not Dropped or Rejected"