Make clear the relationship between logdrop, logreject and BLACKLIST_LOGLEVEL

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9330 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2009-01-24 16:36:43 +00:00
parent 827ad9a86c
commit e0fc80bed5
9 changed files with 183 additions and 59 deletions


@ -415,7 +415,7 @@ EOF
if [ -f ${VARDIR}/proxyarp ]; then
while read address interface external haveroute; do
qt arp -i $external -d $address pub
[ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface
[ -z "${haveroute}${NOTCR}" ] && qt ip route del $address dev $interface
f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
[ -f $f ] && echo 0 > $f
done < ${VARDIR}/proxyarp
@ -709,7 +709,12 @@ sub generate_script_4($) {
emit 'load_kernel_modules Yes';
}
emit '';
emit ( '',
'if [ -n "$TCRONLY" ]; then' ,
' delete_tc1' ,
'else' );
push_indent;
if ( $family == F_IPV4 ) {
for my $interface ( @{find_interfaces_by_option 'norfc1918'} ) {
@ -742,7 +747,6 @@ sub generate_script_4($) {
"fi\n" );
}
emit "delete_tc1\n" if $config{CLEAR_TC};
emit "disable_ipv6\n" if $config{DISABLE_IPV6};
} else {
@ -752,19 +756,25 @@ sub generate_script_4($) {
''
);
emit "delete_tc1\n" if $config{CLEAR_TC};
}
emit '';
emit qq([ -n "\$NOTCR" ] && delete_tc1\n) if $config{CLEAR_TC};
pop_indent;
emit 'fi';
set_global_variables;
emit '';
emit( 'setup_common_rules',
emit( '[ -n "$TCRONLY" ] && setup_common_rules',
'',
'setup_routing_and_traffic_shaping',
'');
'[ -n "$NOTCR" ] || setup_routing_and_traffic_shaping',
'',
'if [ -z "$TCRONLY" ]; then' );
push_indent;
emit 'cat > ${VARDIR}/proxyarp << __EOF__';
dump_proxy_arp;
@ -834,6 +844,12 @@ EOF
fi
date > ${VARDIR}/restarted
EOF
pop_indent;
emit 'fi';
emit<<'EOF';
case $COMMAND in
start)
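Review bot: The new line `emit( '[ -n "$TCRONLY" ] && setup_common_rules',` looks inverted: with `&&`, setup_common_rules is emitted only when TCRONLY is set, so a normal start (TCRONLY empty) never runs it, while the sibling line guards routing the other way round with `'[ -n "$NOTCR" ] || setup_routing_and_traffic_shaping'`. If the intent is to skip the common rules only in tc-only mode, it should read `emit( '[ -n "$TCRONLY" ] || setup_common_rules',`. The enclosing generate_script_4 starts and ends outside these hunks, so I cannot see whether something else covers the normal path.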


@ -123,7 +123,7 @@ sub setup_route_filtering() {
emit 'echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter';
}
emit "[ -n \"\$NOROUTES\" ] || ip -4 route flush cache";
emit "[ -n \"\$NOTCR\" ] || ip -4 route flush cache";
}
}


@ -568,7 +568,7 @@ sub setup_providers() {
fatal_error "A non-empty providers file is not permitted with MANGLE_ENABLED=No" unless $config{MANGLE_ENABLED};
emit "\nif [ -z \"\$NOROUTES\" ]; then";
emit "\nif [ -z \"\$NOTCR\" ]; then";
push_indent;
@ -708,7 +708,7 @@ sub setup_providers() {
emit "\nundo_routing";
emit 'restore_default_route';
if ( $config{NULL_ROUTE_RFC1918} ) {
emit "\nif [ -z \"\$NOROUTES\" ]; then";
emit "\nif [ -z \"\$NOTCR\" ]; then";
push_indent;


@ -79,7 +79,7 @@ sub setup_one_proxy_arp( $$$$$ ) {
}
unless ( $haveroute ) {
emit "[ -n \"\$NOROUTES\" ] || run_ip route replace $address dev $interface";
emit "run_ip route replace $address dev $interface";
$haveroute = 1 if $persistent;
}
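Review bot: Dropping the `[ -n "$NOROUTES" ] ||` guard makes `run_ip route replace $address dev $interface` unconditional, but the matching removal emitted in generate_script_4 (`[ -z "${haveroute}${NOTCR}" ] && qt ip route del $address dev $interface`) still skips when NOTCR is set, so a `-n` stop can leave a proxy ARP route in place that a `-n` start created. If proxy ARP routes are deliberately not counted as "routing" for the -n option, the delete side should drop the NOTCR test as well; otherwise this line should keep a `[ -n "$NOTCR" ] ||` guard. setup_one_proxy_arp starts outside the hunk, so I cannot see whether $haveroute is handled differently elsewhere.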


@ -23,6 +23,8 @@ fi
initialize
[ -n "${PRODUCT:=Shorewall}" ]
finished=0
while [ $finished -eq 0 -a $# -gt 0 ]; do
@ -43,8 +45,23 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
VERBOSE=$(($VERBOSE - 1 ))
option=${option#q}
;;
t)
if [ -n "$NOTCR" ]; then
error_message "The 'n' and 't' options are mutually exclusive"
exit 1
fi
TCRONLY=Yes
option=${option#t}
PRODUCT="$PRODUCT Traffic Control and Routing"
;;
n*)
NOROUTES=Yes
if [ -n "$TCRONLY" ]; then
error_message "The 'n' and 't' options are mutually exclusive"
exit 1
fi
NOTCR=Yes
option=${option#n}
;;
*)
@ -62,12 +79,15 @@ done
COMMAND="$1"
[ -n "${PRODUCT:=Shorewall}" ]
case "$COMMAND" in
start)
[ $# -ne 1 ] && usage 2
if shorewall_is_started; then
if [ -n "$TCRONLY" ]; then
progress_message3 "Starting $PRODUCT...."
define_firewall
status=$?
progress_message3 "done."
elif shorewall6_is_started; then
error_message "$PRODUCT is already Running"
status=0
else
@ -81,13 +101,20 @@ case "$COMMAND" in
stop)
[ $# -ne 1 ] && usage 2
progress_message3 "Stopping $PRODUCT...."
if [ -n "$TCRONLY" ]; then
delete_tc1
else
stop_firewall
fi
status=0
[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
progress_message3 "done."
;;
reset)
if ! shorewall_is_started ; then
if [ -n "${NOTCR}$"{TCRONLY} ]; then
error_message "The -n and -t options may not be used with 'reset'"
status=1
elif ! shorewall_is_started ; then
error_message "$PRODUCT is not running"
status=2
elif [ $# -eq 1 ]; then
@ -133,7 +160,10 @@ case "$COMMAND" in
;;
refresh)
[ $# -ne 1 ] && usage 2
if shorewall_is_started; then
if [ -n "${NOTCR}$"{TCRONLY} ]; then
error_message "The -n and -t options may not be used with 'refresh'"
status=1
elif shorewall_is_started; then
progress_message3 "Refreshing $PRODUCT...."
define_firewall
status=$?
@ -145,19 +175,29 @@ case "$COMMAND" in
;;
restore)
[ $# -ne 1 ] && usage 2
if [ -n "${NOTCR}$"{TCRONLY} ]; then
error_message "The -n and -t options may not be used with 'restart'"
status=1
else
define_firewall
status=$?
if [ -n "$SUBSYSLOCK" ]; then
[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
fi
fi
;;
clear)
[ $# -ne 1 ] && usage 2
if [ -n "${NOTCR}$"{TCRONLY} ]; then
error_message "The -n and -t options may not be used with 'clear'"
status=1
else
progress_message3 "Clearing $PRODUCT...."
clear_firewall
status=0
[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
progress_message3 "done."
fi
;;
status)
[ $# -ne 1 ] && usage 2
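Review bot: The option check `if [ -n "${NOTCR}$"{TCRONLY} ]; then` added to the reset, refresh, restore and clear cases is mis-quoted: the closing quote sits before `{TCRONLY}`, so the word expands to the NOTCR value followed by the literal text `${TCRONLY}` and is never empty, which makes all four commands fail with the "may not be used" message even without -n or -t. It should read `if [ -n "${NOTCR}${TCRONLY}" ]; then`; the same mis-quoting is repeated in the shorewall6 variant of this script below. In the start case the new `elif shorewall6_is_started; then` looks copied from the IPv6 script, since every other test in this file uses `shorewall_is_started`. The message in the `restore)` case names 'restart'; it should be `error_message "The -n and -t options may not be used with 'restore'"`.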


@ -2,7 +2,7 @@
# Give Usage Information
#
usage() {
echo "Usage: $0 [ -q ] [ -v ] [ -n ] [ start|stop|clear|reset|refresh|restart|status|version ]"
echo "Usage: $0 [ -q ] [ -v ] [ -n ] [ -t ] [ start|stop|clear|reset|refresh|restart|status|version ]"
exit $1
}
################################################################################
@ -43,8 +43,23 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
VERBOSE=$(($VERBOSE - 1 ))
option=${option#q}
;;
t)
if [ -n "$NOTCR" ]; then
error_message "The -n and -t options are mutually exclusive"
exit 1
fi
TCRONLY=Yes
option=${option#t}
PRODUCT="$PRODUCT Traffic Control and Routing"
;;
n*)
NOROUTES=Yes
if [ -n "$TCRONLY" ]; then
error_message "The -n and -t options are mutually exclusive"
exit 1
fi
NOTCR=Yes
option=${option#n}
;;
*)
@ -72,7 +87,12 @@ else
case "$COMMAND" in
start)
[ $# -ne 1 ] && usage 2
if shorewall6_is_started; then
if [ -n "$TCRONLY" ]; then
progress_message3 "Starting $PRODUCT...."
define_firewall
status=$?
progress_message3 "done."
elif shorewall6_is_started; then
error_message "$PRODUCT is already Running"
status=0
else
@ -86,13 +106,20 @@ else
stop)
[ $# -ne 1 ] && usage 2
progress_message3 "Stopping $PRODUCT...."
if [ -n "$TCRONLY" ]; then
delete_tc1
else
stop_firewall
fi
status=0
[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
progress_message3 "done."
;;
reset)
if ! shorewall6_is_started ; then
if [ -n "${NOTCR}$"{TCRONLY} ]; then
error_message "The -n and -t options may not be used with 'reset'"
status=1
elif ! shorewall6_is_started ; then
error_message "$PRODUCT is not running"
status=2
elif [ $# -eq 1 ]; then
@ -121,6 +148,11 @@ else
;;
restart)
[ $# -ne 1 ] && usage 2
if [ -n "$TCRONLY" ]; then
progress_message3 "Restarting $PRODUCT...."
define_firewall
status=$?
else
if shorewall6_is_started; then
progress_message3 "Restarting $PRODUCT...."
else
@ -133,11 +165,16 @@ else
if [ -n "$SUBSYSLOCK" ]; then
[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
fi
fi
progress_message3 "done."
;;
refresh)
[ $# -ne 1 ] && usage 2
if shorewall6_is_started; then
if [ -n "${NOTCR}$"{TCRONLY} ]; then
error_message "The -n and -t options may not be used with 'refresh'"
status=1
elif shorewall6_is_started; then
progress_message3 "Refreshing $PRODUCT...."
define_firewall
status=$?
@ -149,19 +186,29 @@ else
;;
restore)
[ $# -ne 1 ] && usage 2
if [ -n "${NOTCR}$"{TCRONLY} ]; then
error_message "The -n and -t options may not be used with 'restore'"
status=1
else
define_firewall
status=$?
if [ -n "$SUBSYSLOCK" ]; then
[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
fi
fi
;;
clear)
[ $# -ne 1 ] && usage 2
if [ -n "${NOTCR}$"{TCRONLY} ]; then
error_message "The -n and -t options may not be used with 'restore'"
status=1
else
progress_message3 "Clearing $PRODUCT...."
clear_firewall
status=0
[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
progress_message3 "done."
fi
;;
status)
[ $# -ne 1 ] && usage 2
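Review bot: The message in the `clear)` case says "may not be used with 'restore'" but is emitted for clear; it should be `error_message "The -n and -t options may not be used with 'clear'"`. In the `stop)` case the TCRONLY branch only runs `delete_tc1`, yet the code that follows still does `[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK`, so a `-t stop` removes the subsystem lock while the firewall itself is still up; the lock removal probably belongs in the `else` branch only, and the IPv4 script above has the same shape.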


@ -1611,6 +1611,19 @@ modprobe: Can't locate module iptable_raw</programlisting>
Shorewall probes your system to determine the features that it support.
They are completely harmless.</para>
</section>
<section id="faq81">
<title>(FAQ 81) logdrop and logreject don't log.</title>
<para>I love the ability to type 'shorewall logdrop ww.xx.yy.zz' and
&gt;&gt; completely block a particular IP address. However, the log part
doesn't happen. When I look in the logdrop chain, there is no LOG
prefix.</para>
<para><emphasis role="bold">Answer</emphasis>: You haven't set a value
for BLACKLIST_LOGLEVEL in <ulink
url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5).</para>
</section>
</section>
<section id="Routing">


@ -919,7 +919,9 @@
<listitem>
<para>Causes traffic from the listed <emphasis>address</emphasis>es
to be logged then discarded.</para>
to be logged then discarded. Logging occurs at the log level
specified by the BLACKLIST_LOGLEVEL setting in <ulink
url="shorewall.conf.html">shorewall.conf</ulink> (5).</para>
</listitem>
</varlistentry>
@ -946,7 +948,9 @@
<listitem>
<para>Causes traffic from the listed <emphasis>address</emphasis>es
to be logged then rejected.</para>
to be logged then rejected. Logging occurs at the log level
specified by the BLACKLIST_LOGLEVEL setting in <ulink
url="shorewall.conf.html">shorewall.conf</ulink> (5).</para>
</listitem>
</varlistentry>


@ -721,7 +721,9 @@
<listitem>
<para>Causes traffic from the listed <emphasis>address</emphasis>es
to be logged then discarded.</para>
to be logged then discarded. Logging occurs at the log level
specified by the BLACKLIST_LOGLEVEL setting in <ulink
url="shorewall6.conf.html">shorewall6.conf</ulink> (5).</para>
</listitem>
</varlistentry>
@ -748,7 +750,9 @@
<listitem>
<para>Causes traffic from the listed <emphasis>address</emphasis>es
to be logged then rejected.</para>
to be logged then rejected. Logging occurs at the log level
specified by the BLACKLIST_LOGLEVEL setting in <ulink
url="shorewall6.conf.html">shorewall6.conf</ulink> (5).</para>
</listitem>
</varlistentry>