Fix multiple 'drop/reject' bug

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@727 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall/changelog.txt

@@ -60,3 +60,6 @@ Changes since 1.4.6
     conflict between that facility and rate-limited logging rules.
 
 27) Add User Set capability.
+
+28) Deimplement Smart Blacklisting and fix problem with multiple
+    'drop'/'reject' commands for the same address.

Shorewall/releasenotes.txt

@@ -28,6 +28,12 @@ Problems Corrected since version 1.4.6:
 
 6) Thanks to Henry Yang, LOGRATE and LOGBURST now work again.
 
+7) The 'shorewall reject' and 'shorewall drop' commands now delete any
+   existing rules for the subject IP address before adding a new DROP
+   or REJECT rule. Previously, there could be many rules for the same
+   IP address in the dynamic chain so that multiple 'allow' commands
+   were required to re-enable traffic to/from the address.
+
 Migration Issues:
 
 1) IP Traffic Accounting is changed from Snapshot 20030813. 

Shorewall/shorewall

@@ -861,6 +861,8 @@ case "$1" in
 	mutex_on
 	while [ $# -gt 1 ]; do
 	    shift
+	    qt iptables -D dynamic -s $1 -j reject
+	    qt iptables -D dynamic -s $1 -j DROP
 	    iptables -A dynamic -s $1 -j DROP || break 1
 	    echo "$1 Dropped"
 	done
@@ -871,6 +873,8 @@ case "$1" in
 	mutex_on
 	while [ $# -gt 1 ]; do
 	    shift
+	    qt iptables -D dynamic -s $1 -j reject
+	    qt iptables -D dynamic -s $1 -j DROP
 	    iptables -A dynamic -s $1 -j reject || break 1
 	    echo "$1 Rejected"
 	done
@@ -881,13 +885,7 @@ case "$1" in
 	mutex_on
 	while [ $# -gt 1 ]; do
 	    shift
-	    if	qt iptables -D dynamic -s $1 -j reject; then
+	    if	qt iptables -D dynamic -s $1 -j reject || qt iptables -D dynamic -s $1 -j DROP; then
-		#
-		# Address was rejected -- silently remove any drop as well
-		#
-		qt iptables -D dynamic -s $1 -j DROP
-		echo "$1 Allowed"
-	    elif qt iptables -D dynamic -s $1 -j DROP; then
 		echo "$1 Allowed"
 	    else
 		echo "$1 Not Dropped or Rejected"