diff src/syslogconfig.cpp @ 24:ec051169fdfd

don't flush the INPUT chain, use the -D option instead
author carl
date Wed, 01 Feb 2006 10:33:58 -0800
parents 0d65c3de34fd
children 28fec0c67646
--- a/src/syslogconfig.cpp	Sun Jan 08 13:05:22 2006 -0800
+++ b/src/syslogconfig.cpp	Wed Feb 01 10:33:58 2006 -0800
@@ -103,14 +103,13 @@
 
 
 void IPR::leak(int amount, CONFIG &con) {
-	bool ch = false;
 	for (ip_buckets::iterator i=violations.begin(); i!=violations.end(); ) {
 		int    ip = (*i).first;
 		bucket &b = (*i).second;
 		if (b.count <= amount) {
 			if (b.latch) {
 				update(ip, false, NULL, 0);
-				ch = true;
+				changed(con, ip, false);
 			}
 			violations.erase(i++);
 		}
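Review bot: IPR::leak carries no comment saying what `amount` means or that a latched bucket now triggers a per-ip call to changed() before its entry is erased, which is the behaviour this hunk introduces. A header above the signature such as `// Drain amount from every bucket; entries at or below it are erased, and a latched one is first reset via update() and passed to changed(con, ip, false) before removal.` would document it from the visible code. Note that changed() is now invoked while iterating violations; the false branch shown in the later hunk does not touch the map, but if any other path of changed() still walks violations the iterator would be invalidated, so that is worth confirming. The function's body continues into the next hunk.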
@@ -119,7 +118,6 @@
 			i++;
 		}
 	}
-	if (ch) changed(con, 0, false);
 }
 
 
@@ -148,21 +146,12 @@
 		}
 	}
 	else {
-		// releasing some ip, redo the table
-		snprintf(buf, maxlen, "%s -F INPUT", iptables);
-		system(buf);
-		for (ip_buckets::iterator i=violations.begin(); i!=violations.end(); i++) {
-			int    ip = (*i).first;
-			bucket &b = (*i).second;
-			if (con.looking(ip) && (b.count > t)) {
 				in_addr ad;
 				ad.s_addr = htonl(ip);
-				snprintf(buf, maxlen, "count=%d %s -A INPUT --src %s --jump DROP", b.count, iptables, inet_ntoa(ad));
+		snprintf(buf, maxlen, "%s -D INPUT --src %s --jump DROP", iptables, inet_ntoa(ad));
 				system(buf);
 			}
 		}
-	}
-}
 
 
 ////////////////////////////////////////////////
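Review bot: The result of `system(buf)` on the line after the new `-D` command is still discarded, so a delete that fails (rule already gone, iptables binary missing, or a rule installed with a different match spec) silently leaves the DROP rule in place; `if (system(buf) != 0) { /* log: iptables -D failed for this ip */ }` with whatever logging the file already uses would at least make it visible. The new line also assumes each ip reaching this branch has exactly one `--src X --jump DROP` rule, since `-D` removes a single match, and the old `con.looking(ip) && (b.count > t)` guard is gone, so correctness now rests on callers only passing ips whose rule was actually added (leak() does restrict this to latched buckets). Stylistically, the new snprintf sits at two tabs while `in_addr ad;` and `system(buf)` remain at four and the surviving closing braces keep their old depth; re-indenting the else body to its real nesting would make the structure readable. The enclosing function's signature is outside this hunk.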