From 47c914a86b5302614fe4220cf77946e91c98926f Mon Sep 17 00:00:00 2001
From: teastep
Date: Sun, 24 Aug 2003 15:36:13 +0000
Subject: [PATCH] Fix multiple 'drop/reject' bug

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@727 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall/changelog.txt | 3 +++
 Shorewall/releasenotes.txt | 6 ++++++
 Shorewall/shorewall | 12 +++++-------
 3 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index d8fb2ad03..881046e81 100755
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -60,3 +60,6 @@ Changes since 1.4.6
 conflict between that facility and rate-limited logging rules.
 27) Add User Set capability.
+
+28) Deimplement Smart Blacklisting and fix problem with multiple
+ 'drop'/'reject' commands for the same address.
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index fa10d370e..c0465cc2f 100755
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -28,6 +28,12 @@ Problems Corrected since version 1.4.6:
 6) Thanks to Henry Yang, LOGRATE and LOGBURST now work again.
+7) The 'shorewall reject' and 'shorewall drop' commands now delete any
+ existing rules for the subject IP address before adding a new DROP
+ or REJECT rule. Previously, there could be many rules for the same
+ IP address in the dynamic chain so that multiple 'allow' commands
+ were required to re-enable traffic to/from the address.
+
 Migration Issues:
 1) IP Traffic Accounting is changed from Snapshot 20030813.
diff --git a/Shorewall/shorewall b/Shorewall/shorewall
index c7aae4149..a3f78332c 100755
--- a/Shorewall/shorewall
+++ b/Shorewall/shorewall
@@ -861,6 +861,8 @@ case "$1" in
 mutex_on
 while [ $# -gt 1 ]; do
 shift
+ qt iptables -D dynamic -s $1 -j reject
+ qt iptables -D dynamic -s $1 -j DROP
 iptables -A dynamic -s $1 -j DROP || break 1
 echo "$1 Dropped"
 done
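Review bot: `qt iptables -D dynamic -s $1 -j DROP` (and the `-j reject` delete just above it) removes only the first matching rule, yet the release notes in this same patch say the pre-fix dynamic chain could hold many rules for one address, so on a host that already carries such duplicates `drop` still leaves the extra entries behind and a later `allow` will again have to be repeated. Looping until the delete fails covers both the fresh and the legacy case: `while qt iptables -D dynamic -s $1 -j reject; do :; done` and `while qt iptables -D dynamic -s $1 -j DROP; do :; done`. The delete-then-append order also opens a brief window in which the address is not filtered by this chain at all; that is probably acceptable for a manually run command, but it deserves a comment such as `# clear any earlier entry first; the address is unfiltered until the -A below lands`. The `while` loop's enclosing case arm starts and ends outside the hunk.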
@@ -871,6 +873,8 @@ case "$1" in
 mutex_on
 while [ $# -gt 1 ]; do
 shift
+ qt iptables -D dynamic -s $1 -j reject
+ qt iptables -D dynamic -s $1 -j DROP
 iptables -A dynamic -s $1 -j reject || break 1
 echo "$1 Rejected"
 done
@@ -881,13 +885,7 @@ case "$1" in
 mutex_on
 while [ $# -gt 1 ]; do
 shift
- if qt iptables -D dynamic -s $1 -j reject; then
- #
- # Address was rejected -- silently remove any drop as well
- #
- qt iptables -D dynamic -s $1 -j DROP
- echo "$1 Allowed"
- elif qt iptables -D dynamic -s $1 -j DROP; then
+ if qt iptables -D dynamic -s $1 -j reject || qt iptables -D dynamic -s $1 -j DROP; then
 echo "$1 Allowed"
 else
 echo "$1 Not Dropped or Rejected"
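Review bot: Each of the two added deletes, `qt iptables -D dynamic -s $1 -j reject` and `qt iptables -D dynamic -s $1 -j DROP`, removes a single rule, so an address that accumulated several entries before this fix (the situation the release notes describe) still keeps the remainder after `reject`, and the appended rule is not the only one for that address as the notes claim. Looping until the delete fails clears them all: `while qt iptables -D dynamic -s $1 -j reject; do :; done` and `while qt iptables -D dynamic -s $1 -j DROP; do :; done`. The `reject` case arm continues past the end of the hunk.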
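Review bot: The rewritten condition `if qt iptables -D dynamic -s $1 -j reject || qt iptables -D dynamic -s $1 -j DROP; then` short-circuits, so once a reject rule is found the DROP delete never runs, whereas the removed branch explicitly cleaned up a lingering DROP in that case. Entries created before this fix can still carry both a reject and a DROP for one address (the release notes describe exactly that accumulation), and for them `allow` now prints "Allowed" while the address stays blocked; the same happens if an older drop and reject were both issued before upgrading. Running both deletes unconditionally, looping until each fails, and testing whether anything was removed keeps the report truthful without relying on `drop`/`reject` having tidied up first. The `fi`, the `done` and the rest of the case arm lie outside the hunk.
```shell
            shift
            removed=
            # Clear every reject and every DROP for the address; finding either
            # means it really was blocked, so only then report it as allowed.
            while qt iptables -D dynamic -s $1 -j reject; do removed=1; done
            while qt iptables -D dynamic -s $1 -j DROP; do removed=1; done
            if [ -n "$removed" ]; then
                echo "$1 Allowed"
            # … unchanged: else branch and its message …
```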