Pass INVALID ICMPs through the blacklist chains

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1402 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Shorewall2/changelog.txt

@@ -32,3 +32,5 @@ Changes since 2.0.2
 
 15) Fix rules that have bridge ports in both SOURCE and DEST. Update
     comments in the rules file WRT "all" in SOURCE or DEST.
+
+16) Pass INVALID icmp packets through the blacklisting chains.

Shorewall2/firewall

@@ -4496,7 +4496,7 @@ setup_blacklist() {
 
 	createchain blacklst no
 
-	[ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW" || state=
+	[ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW,INVALID" || state=
 	
 	for host in $hosts; do
 	    interface=${host%%:*}
@@ -4851,7 +4851,7 @@ initialize_netfilter () {
 	fi
     fi
 
-    [ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW" || state=
+    [ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW,INVALID" || state=
 
     echo "Creating Interface Chains..."
 

Shorewall2/releasenotes.txt

@@ -1,4 +1,4 @@
-Shorewall 2.0.3 RC1
+Shorewall 2.0.3 RC2
 
 ----------------------------------------------------------------------
 Problems Corrected since 2.0.2
@@ -39,6 +39,11 @@ Problems Corrected since 2.0.2
     "all" in the SOURCE or DEST column does not affect intra-zone
     traffic.
 
+12) With BLACKLISTNEWONLY=Yes, ICMP packets with state INVALID are now
+    passed through the blacklisting chains. Without this change, it is
+    not possible to blacklist hosts that are mounting certain types of
+    ICMP-based DOS attacks.
+
 -----------------------------------------------------------------------
 Issues when migrating from Shorewall 2.0.2 to Shorewall 2.0.3: