From: kaycee gb <kis...@ho...> - 2021-05-05 19:58:51
Hello,

I have been using sshguard for some time now. After some weeks I started digging in the code and found this list explanation in blocker.c about fundamental data structures.

> * -b). After blacklisting, the block of an attacker is released, because it
> * has already been blocked permanently.

From this, I understand that information about a blacklisted attacker is cleared from memory/lists/running process.

The point is that after I remove the attacker's address from the firewall rules, new "attacks" are not detected and can go smoothly.

I think it has something to do with the code here:

> /* address already blocked? (can happen for 100 reasons) */
> if (blocklist_contains(attack)) {
>     sshguard_log(LOG_INFO, "%s has already been blocked.",
>             attack.address.value);
>     return;
> }

sshguard thinks that the address is already blocked, but shouldn't that address be released and removed from the hell list when blacklisting?

In addition, when restarting, the blacklist list is updated correctly from blacklist.db and the hell list is not touched. That seems more in adequation with the explanation above.

Where am I wrong?

K.