DELAYBLACKLISTLOAD

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1623 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2004-09-15 20:04:36 +00:00
parent 8c87b44242
commit b28d49a397
4 changed files with 30 additions and 6 deletions


@ -81,3 +81,5 @@ Changes since 2.0.3
38) Added RETAIN_ALIASES option. 38) Added RETAIN_ALIASES option.
39) Relax OpenVPN source port restrictions. 39) Relax OpenVPN source port restrictions.
40) Implement DELAYBLACKLISTLOAD.


@ -5132,11 +5132,12 @@ setup_blacklist() {
[ "$disposition" = REJECT ] && disposition=reject [ "$disposition" = REJECT ] && disposition=reject
while read networks protocol ports; do if [ -n "$DELAYBLACKLISTLOAD" ]; then
expandv networks protocol ports while read networks protocol ports; do
process_blacklist_rec expandv networks protocol ports
done < $TMP_DIR/blacklist process_blacklist_rec
done < $TMP_DIR/blacklist
fi
fi fi
} }
@ -5148,7 +5149,7 @@ refresh_blacklist() {
local disposition=$BLACKLIST_DISPOSITION local disposition=$BLACKLIST_DISPOSITION
if qt iptables -L blacklst -n ; then if qt iptables -L blacklst -n ; then
echo "Refreshing Black List..." echo "Loading Black List..."
strip_file blacklist $f strip_file blacklist $f
@ -6278,6 +6279,8 @@ define_firewall() # $1 = Command (Start or Restart)
run_user_exit start run_user_exit start
[ -n "$DELAYBLACKLISTLOAD" ] && refresh_blacklist
createchain shorewall no createchain shorewall no
date > $STATEDIR/restarted date > $STATEDIR/restarted
@ -6761,6 +6764,7 @@ do_initialize() {
DYNAMIC_ZONES= DYNAMIC_ZONES=
PKTTYPE= PKTTYPE=
RETAIN_ALIASES= RETAIN_ALIASES=
DELAYBLACKLISTLOAD=
RESTOREBASE= RESTOREBASE=
TMP_DIR= TMP_DIR=
@ -6936,6 +6940,7 @@ do_initialize() {
PKTTYPE=$(added_param_value_no PKTTYPE $PKTTYPE) PKTTYPE=$(added_param_value_no PKTTYPE $PKTTYPE)
STARTUP_ENABLED=$(added_param_value_yes STARTUP_ENABLED $STARTUP_ENABLED) STARTUP_ENABLED=$(added_param_value_yes STARTUP_ENABLED $STARTUP_ENABLED)
RETAIN_ALIASES=$(added_param_value_no RETAIN_ALIASES $RETAIN_ALIASES) RETAIN_ALIASES=$(added_param_value_no RETAIN_ALIASES $RETAIN_ALIASES)
DELAYBLACKLISTLOAD=$(added_param_value_no DELAYBLACKLISTLOAD $DELAYBLACKLISTLOAD)
# #
# Strip the files that we use often # Strip the files that we use often
# #
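Review bot: As rendered, the new guard in setup_blacklist (hunk at 5132) tests `-n "$DELAYBLACKLISTLOAD"`, which is the same sense as the new call `[ -n "$DELAYBLACKLISTLOAD" ] && refresh_blacklist` in define_firewall (hunk at 6279); with DELAYBLACKLISTLOAD=Yes the blacklist rules are therefore built twice, and with the default No they are never loaded by setup_blacklist at all. The setup_blacklist test should presumably be inverted to `if [ -z "$DELAYBLACKLISTLOAD" ]; then` so the non-delayed path keeps loading the list inline and only the delayed path defers to refresh_blacklist. This is worth confirming before release, since under the default setting the firewall would come up with the blacklst chain populated by nothing; if the side-by-side rendering has swapped old and new columns here, disregard. Both setup_blacklist and define_firewall begin and end outside the hunks shown.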


@ -486,3 +486,12 @@ New Features:
addresses added during "shorewall start" are still deleted at a addresses added during "shorewall start" are still deleted at a
subsequent "shorewall stop" or "shorewall restart". subsequent "shorewall stop" or "shorewall restart".
17) Users with a large black list (from /etc/shorewall/blacklist) may
want to set the new DELAYBLACKLISTLOAD option in
shorewall.conf. When DELAYBLACKLISTLOAD=Yes, Shorewall will
enable new connections before loading the blacklist rules. While
this may allow connections from blacklisted hosts to slip by during
construction of the blacklist, it can substantially reduce the time
that all new connections are disabled during "shorewall [re]start".


@ -579,6 +579,14 @@ ADMINISABSENTMINDED=Yes
# #
BLACKLISTNEWONLY=Yes BLACKLISTNEWONLY=Yes
#
# Users with a large blacklist find that "shorwall [re]start" takes a long
# time and that new connections are disabled during that time. By setting
# DELAYBLACKLISTLOAD=Yes, you can cause Shorewall to enable new connections
# before loading the blacklist.
DELAYBLACKLISTLOAD=No
# MODULE NAME SUFFIX # MODULE NAME SUFFIX
# #
# When loading a module named in /etc/shorewall/modules, Shorewall normally # When loading a module named in /etc/shorewall/modules, Shorewall normally
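Review bot: The new comment block above `DELAYBLACKLISTLOAD=No` misspells the command name (`"shorwall [re]start"` should read `"shorewall [re]start"`) and omits the trade-off the release notes in this same commit spell out. Suggest adding one line to the comment, `# While the blacklist is being built, connections from blacklisted hosts may be accepted.`, so an administrator enabling the option sees the exposure window in the file they actually edit rather than only in the release notes.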