From b28d49a397994aad1a81b62bfec56f68775d0335 Mon Sep 17 00:00:00 2001
From: teastep
Date: Wed, 15 Sep 2004 20:04:36 +0000
Subject: [PATCH] DELAYBLACKLISTLOAD
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1623 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall2/changelog.txt | 2 ++
 Shorewall2/firewall | 17 +++++++++++------
 Shorewall2/releasenotes.txt | 9 +++++++++
 Shorewall2/shorewall.conf | 8 ++++++++
 4 files changed, 30 insertions(+), 6 deletions(-)
diff --git a/Shorewall2/changelog.txt b/Shorewall2/changelog.txt
index 9912e4936..4da0a21bd 100644
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@@ -81,3 +81,5 @@ Changes since 2.0.3
 38) Added RETAIN_ALIASES option.
 39) Relax OpenVPN source port restrictions.
+
+40) Implement DELAYBLACKLISTLOAD.
diff --git a/Shorewall2/firewall b/Shorewall2/firewall
index 8d1ab301d..9f9fc2f7d 100755
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@@ -5132,11 +5132,12 @@ setup_blacklist() {
 [ "$disposition" = REJECT ] && disposition=reject
- while read networks protocol ports; do
- expandv networks protocol ports
- process_blacklist_rec
- done < $TMP_DIR/blacklist
-
+ if [ -n "$DELAYBLACKLISTLOAD" ]; then
+ while read networks protocol ports; do
+ expandv networks protocol ports
+ process_blacklist_rec
+ done < $TMP_DIR/blacklist
+ fi
 fi
 }
@@ -5148,7 +5149,7 @@ refresh_blacklist() {
 local disposition=$BLACKLIST_DISPOSITION
 if qt iptables -L blacklst -n ; then
- echo "Refreshing Black List..."
+ echo "Loading Black List..."
 strip_file blacklist $f
@@ -6278,6 +6279,8 @@ define_firewall() # $1 = Command (Start or Restart)
 run_user_exit start
+ [ -n "$DELAYBLACKLISTLOAD" ] && refresh_blacklist
+
 createchain shorewall no
 date > $STATEDIR/restarted
@@ -6761,6 +6764,7 @@ do_initialize() {
 DYNAMIC_ZONES=
 PKTTYPE=
 RETAIN_ALIASES=
+ DELAYBLACKLISTLOAD=
 RESTOREBASE=
 TMP_DIR=
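Review bot: The new guard in setup_blacklist is inverted: `if [ -n "$DELAYBLACKLISTLOAD" ]; then` loads the blacklist records eagerly only when the delay option is set, while the identical `-n` test in define_firewall (the `@@ -6278` hunk) is what triggers the delayed refresh_blacklist, so the two paths fire together or not at all. With the option on, the list is loaded twice per start; with it off — the shipped default `DELAYBLACKLISTLOAD=No`, which `added_param_value_no` presumably reduces to an empty string — the blacklst chain is never populated and the firewall comes up fail-open for every blacklisted host. The eager path should run exactly when the delayed one does not: `if [ -z "$DELAYBLACKLISTLOAD" ]; then`. A start-time check using the `iptables -L blacklst -n` probe that refresh_blacklist already relies on, run under both settings, would catch this regression; setup_blacklist begins outside this hunk.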
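Review bot: The delayed load `[ -n "$DELAYBLACKLISTLOAD" ] && refresh_blacklist` is placed after `run_user_exit start` with nothing at the call site saying why the blacklist is filled this late; the trade-off is recorded only in releasenotes.txt item 17, so a later reordering could silently widen or remove the window. A one-line comment would pin it: `# DELAYBLACKLISTLOAD=Yes: blacklist rules are installed here, after new connections are enabled, by design (see releasenotes item 17)`. Note also that refresh_blacklist returns quietly when `qt iptables -L blacklst -n` fails, so a missing blacklst chain at this point is not reported. define_firewall's body continues outside the hunk.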
@@ -6936,6 +6940,7 @@ do_initialize() {
 PKTTYPE=$(added_param_value_no PKTTYPE $PKTTYPE)
 STARTUP_ENABLED=$(added_param_value_yes STARTUP_ENABLED $STARTUP_ENABLED)
 RETAIN_ALIASES=$(added_param_value_no RETAIN_ALIASES $RETAIN_ALIASES)
+ DELAYBLACKLISTLOAD=$(added_param_value_no DELAYBLACKLISTLOAD $DELAYBLACKLISTLOAD)
 #
 # Strip the files that we use often
 #
diff --git a/Shorewall2/releasenotes.txt b/Shorewall2/releasenotes.txt
index b0ae50b11..0ac2bcbdb 100755
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@@ -486,3 +486,12 @@ New Features:
 addresses added during "shorewall start" are still deleted at a subsequent "shorewall stop" or "shorewall restart".
+17) Users with a large black list (from /etc/shorewall/blacklist) may
+ want to set the new DELAYBLACKLISTLOAD option in
+ shorewall.conf. When DELAYBLACKLISTLOAD=Yes, Shorewall will
+ enable new connections before loading the blacklist rules. While
+ this may allow connections from blacklisted hosts to slip by during
+ construction of the blacklist, it can substantially reduce the time
+ that all new connections are disabled during "shorewall [re]start".
+
+
diff --git a/Shorewall2/shorewall.conf b/Shorewall2/shorewall.conf
index 65fad315b..b6b5e9db8 100755
--- a/Shorewall2/shorewall.conf
+++ b/Shorewall2/shorewall.conf
@@ -579,6 +579,14 @@ ADMINISABSENTMINDED=Yes
 #
 BLACKLISTNEWONLY=Yes
+#
+# Users with a large blacklist find that "shorwall [re]start" takes a long
+# time and that new connections are disabled during that time. By setting
+# DELAYBLACKLISTLOAD=Yes, you can cause Shorewall to enable new connections
+# before loading the blacklist.
+
+DELAYBLACKLISTLOAD=No
+
 # MODULE NAME SUFFIX
 #
 # When loading a module named in /etc/shorewall/modules, Shorewall normally
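Review bot: The added comment in shorewall.conf has a typo, `"shorwall [re]start"` should read `"shorewall [re]start"`. The comment also omits the cost the release notes spell out, that with DELAYBLACKLISTLOAD=Yes connections from blacklisted hosts may be accepted while the list is being built, so operators reading only shorewall.conf will not see it. One line after the existing text would close that gap: `# Note that while the blacklist is being loaded, connections from blacklisted hosts may be accepted.`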