# HG changeset patch
# User carl
# Date 1138818838 28800
# Node ID ec051169fdfdc57cd45fedfc58a0a837431c2e60
# Parent 048cd6e642bc8e4b7ac92ba2874d71dcacfdb7b9
Don't flush the INPUT chain; use the -D option instead
diff -r 048cd6e642bc -r ec051169fdfd ChangeLog
--- a/ChangeLog Sun Jan 08 13:05:22 2006 -0800
+++ b/ChangeLog Wed Feb 01 10:33:58 2006 -0800
@@ -1,5 +1,8 @@
$Id$
+1.2 2006-02-01
+ Don't flush the table to remove entries, use -D option to iptables.
+
1.1 2006-01-08
Add syslog entries when new ip addresses are blocked or released.
diff -r 048cd6e642bc -r ec051169fdfd src/syslogconfig.cpp
--- a/src/syslogconfig.cpp Sun Jan 08 13:05:22 2006 -0800
+++ b/src/syslogconfig.cpp Wed Feb 01 10:33:58 2006 -0800
@@ -103,14 +103,13 @@
void IPR::leak(int amount, CONFIG &con) {
- bool ch = false;
for (ip_buckets::iterator i=violations.begin(); i!=violations.end(); ) {
int ip = (*i).first;
bucket &b = (*i).second;
if (b.count <= amount) {
if (b.latch) {
update(ip, false, NULL, 0);
- ch = true;
+ changed(con, ip, false);
}
violations.erase(i++);
}
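Review bot: `changed(con, ip, false)` on the added line runs while `i` still refers to the entry being released, before `violations.erase(i++)`; that is only safe if `changed()` never erases from `violations` itself, which the previous implementation (which walked the whole map) made a real hazard and which nothing in this function records. A short comment at the call would pin the invariant: `// i is still live here: changed() must not modify violations`. The per-address call also means one external iptables process per released entry, where the old code spawned one flush plus a re-add per still-blocked address, so the process count per pass changes shape rather than disappearing. leak() continues past this hunk, so its full control flow is not visible here.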
@@ -119,7 +118,6 @@
i++;
}
}
- if (ch) changed(con, 0, false);
}
@@ -148,21 +146,12 @@
}
}
else {
- // releasing some ip, redo the table
- snprintf(buf, maxlen, "%s -F INPUT", iptables);
- system(buf);
- for (ip_buckets::iterator i=violations.begin(); i!=violations.end(); i++) {
- int ip = (*i).first;
- bucket &b = (*i).second;
- if (con.looking(ip) && (b.count > t)) {
in_addr ad;
ad.s_addr = htonl(ip);
- snprintf(buf, maxlen, "count=%d %s -A INPUT --src %s --jump DROP", b.count, iptables, inet_ntoa(ad));
+ snprintf(buf, maxlen, "%s -D INPUT --src %s --jump DROP", iptables, inet_ntoa(ad));
system(buf);
}
}
- }
-}
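Review bot: The return value of `system(buf)` on the unchanged line after the new `-D` command is still discarded, and a failed delete matters more than before: the old path rebuilt the whole chain, whereas `-D` removes exactly one matching rule, so if the rule was present twice (for example after a restart while the rule persisted) or iptables fails, the address stays blocked with no trace. Checking the status and recording it alongside the existing block/release syslog entries mentioned in the 1.1 ChangeLog would close that gap: `if (system(buf) != 0) { /* log: failed to delete DROP rule for ip, it may still be present */ }`. The `snprintf` return is likewise unchecked, so an over-long `iptables` path would silently run a truncated command; comparing it against `maxlen` before calling `system()` is the matching check. `changed()` starts outside this hunk, and `buf`, `maxlen` and `iptables` are declared outside it as well.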
////////////////////////////////////////////////
diff -r 048cd6e642bc -r ec051169fdfd xml/syslog2iptables.in
--- a/xml/syslog2iptables.in Sun Jan 08 13:05:22 2006 -0800
+++ b/xml/syslog2iptables.in Wed Feb 01 10:33:58 2006 -0800
@@ -110,6 +110,22 @@
+
+ TODO
+
+ The following ideas are under consideration.
+
+
+ Add a global configuration option for the single iptables table
+ name, rather than the current fixed INPUT name.
+
+
+ Add a configuration option for the iptables table name in the
+ pattern statement. This implies handling multiple tables, so each
+ table needs its own map of ip addresses and bucket values.
+
+
+
Copyright