From 67ad01a56fb34cd33ea18bf5a52d0eee64670d44 Mon Sep 17 00:00:00 2001
From: teastep
Date: Sat, 11 Oct 2003 16:06:00 +0000
Subject: [PATCH] Added BLACKLISTNEWONLY
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@765 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall/changelog.txt | 3 +++
 Shorewall/firewall | 14 ++++++++++----
 Shorewall/releasenotes.txt | 14 ++++++++++++++
 Shorewall/shorewall.conf | 22 ++++++++++++++++++++++
 4 files changed, 49 insertions(+), 4 deletions(-)
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 2cb5bbf5b..da2732107 100755
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -10,3 +10,6 @@ Changes since 1.4.7
 4) Fix error handling after "Unable to determine the routes..."
+5) Fix handling of LOGUNCLEAN
+
+6) Added BLACKLISTNEWONLY support.
diff --git a/Shorewall/firewall b/Shorewall/firewall
index 7063d1334..fce3c1867 100755
--- a/Shorewall/firewall
+++ b/Shorewall/firewall
@@ -3590,9 +3590,11 @@ setup_blacklist() {
 createchain blacklst no
+ [ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW" || state=
+
 for interface in $interfaces; do
 for chain in `first_chains $interface`; do
- run_iptables -A $chain -j blacklst
+ run_iptables -A $chain $state -j blacklst
 done
 echo " Blacklisting enabled on $interface"
@@ -3911,13 +3913,15 @@ initialize_netfilter () {
 fi
 fi
+ [ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW" || state=
+
 echo "Creating Interface Chains..."
 for interface in $all_interfaces; do
 createchain `forward_chain $interface` no
- run_iptables -A `forward_chain $interface` -j dynamic
+ run_iptables -A `forward_chain $interface` $state -j dynamic
 createchain `input_chain $interface` no
- run_iptables -A `input_chain $interface` -j dynamic
+ run_iptables -A `input_chain $interface` $state -j dynamic
 done
 }
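Review bot: With `$state` expanding to `-m state --state NEW`, the jump to blacklst in setup_blacklist (and the jumps to dynamic in initialize_netfilter, which carries the identical line) is skipped for every packet conntrack does not classify as NEW — that covers packets in the INVALID state as well as the ESTABLISHED/RELATED traffic the release notes describe, and whether INVALID traffic from a blacklisted host is dropped by some later rule cannot be seen in this hunk and is worth confirming. The `[ -n "$BLACKLISTNEWONLY" ]` test also relies on added_param_value_no having already blanked a "No" value, which happens in do_initialize outside this hunk. Since the check and the assignment are duplicated verbatim in the two functions, computing `state` once where BLACKLISTNEWONLY is read and putting `# NEW-only mode: INVALID and already-tracked packets bypass blacklst/dynamic` beside the jumps would keep the two sites from drifting. setup_blacklist and initialize_netfilter both begin and end outside their hunks.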
@@ -4015,7 +4019,7 @@ add_common_rules() {
 if [ -n "$interfaces" ]; then
 createchain logpkt no
- [ -z"$LOGUNCLEAN" ] && LOGUNCLEAN=info
+ [ -z "$LOGUNCLEAN" ] && LOGUNCLEAN=info
 LOGPARMS="$LOGPARMS --log-ip-options"
@@ -5033,6 +5037,7 @@ do_initialize() {
 LOGFORMAT=
 LOGRULENUMBERS=
 ADMINISABSENTMINDED=
+ BLACKLISTNEWONLY=
 stopping=
 have_mutex=
@@ -5182,6 +5187,7 @@ do_initialize() {
 LOGFORMAT="Shorewall:%s:%s:"
 fi
 ADMINISABSENTMINDED=`added_param_value_no ADMINISABSENTMINDED $ADMINISABSENTMINDED`
+ BLACKLISTNEWONLY=`added_param_value_no BLACKLISTNEWONLY $BLACKLISTNEWONLY`
 #
 # Strip the files that we use often
 #
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index 56343e364..762f0a2e7 100755
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -23,6 +23,9 @@ Problems Corrected since version 1.4.6:
 Error: Unable to determine the routes
 routes through interface xxx
+4) Handling of the LOGUNCLEAN option in shorewall.conf has been
+ corrected.
+
 Migration Issues:
 None.
@@ -47,5 +50,16 @@ New Features:
 Shorewall will only pass connection requests (SYN packets) to user
 space. This is for compatibility with p2pwall.
+2. A BLACKLISTNEWNONLY option has been added to shorewall.conf. When
+ this variable is set to "Yes", the blacklists (dynamic and static)
+ are only consulted for new connection requests. When set to "No"
+ (the default if the variable is not set), the blacklists are
+ consulted on every packet.
+
+ Setting this variable to "No" allows blacklisting to stop existing
+ connections from a newly blacklisted host but is more expensive in
+ terms of packet processing time. This is especially true if the
+ blacklists contain a large number of entries.
+
diff --git a/Shorewall/shorewall.conf b/Shorewall/shorewall.conf
index a3e05a87f..208c85081 100755
--- a/Shorewall/shorewall.conf
+++ b/Shorewall/shorewall.conf
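Review bot: In the second do_initialize hunk, the only consumer of BLACKLISTNEWONLY tests `[ -n "$BLACKLISTNEWONLY" ]`, so any value that `added_param_value_no` leaves non-empty (presumably anything other than "No"; its body is outside the hunk) silently selects the NEW-only mode, which is the less strict of the two. If the helper does not already reject unexpected values, normalising right after the call with `[ "$BLACKLISTNEWONLY" = Yes ] || BLACKLISTNEWONLY=` would make a misspelt setting fall back to the documented default of No instead of weakening blacklisting; a comment such as `# non-empty means Yes; the firewall only tests -n on this variable` would also make the contract visible here. do_initialize continues outside both of its hunks.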
@@ -463,6 +463,28 @@ NEWNOTSYN=No
 #
 ADMINISABSENTMINDED=Yes
+#
+# BLACKLIST Behavior
+#
+# Shorewall offers two types of blacklisting:
+#
+# - static blacklisting through the /etc/shorewall/blacklist file together
+# with the 'blacklist' interface option.
+# - dynamic blacklisting using the 'drop', 'reject' and 'allow' commands.
+#
+# The following variable determines whether the blacklist is checked for each
+# packet or for each new connection.
+#
+# BLACKLISTNEWONLY=Yes Only consult blacklists for new connection
+# requests
+#
+# BLACKLISTNEWONLY=No Consult blacklists for all packets.
+#
+# If the BLACKLISTNEWONLY option is not set or is set to the empty value then
+# BLACKLISTNEWONLY=No is assumed.
+#
+BLACKLISTNEWONLY=Yes
+
 ################################################################################
 # P A C K E T D I S P O S I T I O N
 ################################################################################
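Review bot: The shipped value `BLACKLISTNEWONLY=Yes` at the end of the new block enables the cheaper NEW-only mode for fresh installs, while the comment just above says an unset or empty option is taken as No, so an installation that keeps an older shorewall.conf gets the stricter per-packet behaviour and a new one does not; the comment block should state that, e.g. `# The shipped shorewall.conf sets Yes; a conf that lacks the option behaves as No.` The `BLACKLISTNEWONLY=Yes` description would also be more accurate if it said that packets conntrack classifies as INVALID, not only those of already-established connections, are then no longer matched against the blacklists, since `-m state --state NEW` in the firewall hunks matches neither.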