DELAYBLACKLISTLOAD

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1623 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
2004-09-15 20:04:36 +00:00 · 2004-09-15 20:04:36 +00:00 · b28d49a397
commit b28d49a397
parent 8c87b44242
4 changed files with 30 additions and 6 deletions
--- a/Shorewall2/changelog.txt
+++ b/Shorewall2/changelog.txt
@ -81,3 +81,5 @@ Changes since 2.0.3
 38) Added RETAIN_ALIASES option.

 39) Relax OpenVPN source port restrictions.
+
+40) Implement DELAYBLACKLISTLOAD.
--- a/Shorewall2/firewall
+++ b/Shorewall2/firewall
@ -5132,11 +5132,12 @@ setup_blacklist() {

 	[ "$disposition" = REJECT ] && disposition=reject

-	while read networks protocol ports; do
-	    expandv networks protocol ports
-	    process_blacklist_rec
-	done < $TMP_DIR/blacklist
-
+	if [ -n "$DELAYBLACKLISTLOAD" ]; then
+	    while read networks protocol ports; do
+		expandv networks protocol ports
+		process_blacklist_rec
+	    done < $TMP_DIR/blacklist
+	fi
    fi
 }

@ -5148,7 +5149,7 @@ refresh_blacklist() {
    local disposition=$BLACKLIST_DISPOSITION

    if qt iptables -L blacklst -n ; then
-	echo "Refreshing Black List..."
+	echo "Loading Black List..."

 	strip_file blacklist $f

@ -6278,6 +6279,8 @@ define_firewall() # $1 = Command (Start or Restart)

    run_user_exit start

+    [ -n "$DELAYBLACKLISTLOAD" ] &&          refresh_blacklist
+
    createchain shorewall no

    date > $STATEDIR/restarted
@ -6761,6 +6764,7 @@ do_initialize() {
    DYNAMIC_ZONES=
    PKTTYPE=
    RETAIN_ALIASES=
+    DELAYBLACKLISTLOAD=

    RESTOREBASE=
    TMP_DIR=
@ -6936,6 +6940,7 @@ do_initialize() {
    PKTTYPE=$(added_param_value_no PKTTYPE $PKTTYPE)
    STARTUP_ENABLED=$(added_param_value_yes STARTUP_ENABLED $STARTUP_ENABLED)
    RETAIN_ALIASES=$(added_param_value_no RETAIN_ALIASES $RETAIN_ALIASES)
+    DELAYBLACKLISTLOAD=$(added_param_value_no DELAYBLACKLISTLOAD $DELAYBLACKLISTLOAD)
    #
    # Strip the files that we use often
    #
--- a/Shorewall2/releasenotes.txt
+++ b/Shorewall2/releasenotes.txt
@ -486,3 +486,12 @@ New Features:
    addresses added during "shorewall start" are still deleted at a
    subsequent "shorewall stop" or "shorewall restart".

+17) Users with a large black list (from /etc/shorewall/blacklist) may 
+    want to set the new DELAYBLACKLISTLOAD option in
+    shorewall.conf. When DELAYBLACKLISTLOAD=Yes, Shorewall will
+    enable new connections before loading the blacklist rules. While
+    this may allow connections from blacklisted hosts to slip by during
+    construction of the blacklist, it can substantially reduce the time
+    that all new connections are disabled during "shorewall [re]start".
+
+
--- a/Shorewall2/shorewall.conf
+++ b/Shorewall2/shorewall.conf
@ -579,6 +579,14 @@ ADMINISABSENTMINDED=Yes
 #
 BLACKLISTNEWONLY=Yes

+#
+# Users with a large blacklist find that "shorwall [re]start" takes a long
+# time and that new connections are disabled during that time. By setting
+# DELAYBLACKLISTLOAD=Yes, you can cause Shorewall to enable new connections
+# before loading the blacklist.
+
+DELAYBLACKLISTLOAD=No
+
 # MODULE NAME SUFFIX
 #
 # When loading a module named in /etc/shorewall/modules, Shorewall normally