mirror of https://gitlab.com/shorewall/code.git, synced 2024-11-22 15:43:30 +01:00
Add DROP support in tcrules
Signed-off-by: Tom Eastep <teastep@shorewall.net>
parent 472ecc661f
commit e14d92c5ac
@ -304,7 +304,13 @@ our %tccmd;
|
||||
mark => NOMARK,
|
||||
mask => '',
|
||||
connmark => 0,
|
||||
}
|
||||
},
|
||||
DROP => { match => sub( $ ) { $_[0] eq 'DROP' },
|
||||
target => 'DROP',
|
||||
mark => NOMARK,
|
||||
mask => '',
|
||||
connmark => 0
|
||||
},
|
||||
);
|
||||
}
|
||||
|
||||
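Review bot: Style point on the new `DROP` entry: its last key is written `connmark => 0` with no trailing comma, while the entry just above it in the context lines ends with `connmark => 0,`. Adding the comma keeps the table consistent and keeps a later added key to a one-line diff. A short comment that this action carries no mark value (`mark => NOMARK`, `mask => ''`) would also help anyone reading the table later.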
@ -559,7 +565,13 @@ our %tccmd;
|
||||
}
|
||||
|
||||
$cmd = '';
|
||||
}
|
||||
},
|
||||
DROP => sub()
|
||||
{
|
||||
assert ( $cmd eq 'DROP' );
|
||||
$target = 'DROP';
|
||||
$cmd = '';
|
||||
},
|
||||
);
|
||||
|
||||
if ( $source ) {
|
||||
|
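Review bot: The new `DROP` handler has no comment, and `assert ( $cmd eq 'DROP' );` repeats the test already made by the `match` closure added in the first hunk, so it can only fire on a dispatch bug. That is fine as a guard, but a one-line comment saying that DROP takes no parameter and why `$cmd` is cleared after `$target = 'DROP';` would make the intent clear to the next reader.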
@ -397,6 +397,13 @@
|
||||
follow.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><emphasis role="bold">DROP</emphasis></para>
|
||||
|
||||
<para>Added in Shorewall 4.5.21.4. Causes matching packets to be
|
||||
discarded.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><emphasis
|
||||
role="bold">DSCP</emphasis>(<replaceable>dscp</replaceable>)</para>
|
||||
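Review bot: Missing documentation in the new `DROP` list item: "Causes matching packets to be discarded" does not say that a discarded packet is not seen by any rules that follow, and it does not say that DROP takes no parameter, unlike the `DSCP(dscp)` entry right after it. Suggest adding one sentence covering both so that users do not place a DROP rule ahead of rules they still expect to be evaluated.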
@ -903,8 +910,8 @@ Normal-Service => 0x00</programlisting>
|
||||
<emphasis>port range</emphasis>s; if the protocol is <emphasis
|
||||
role="bold">icmp</emphasis>, this column is interpreted as the
|
||||
destination icmp-type(s). ICMP types may be specified as a numeric
|
||||
type, a numeric type and code separated by a slash (e.g., 3/4), or
|
||||
a typename. See <ulink
|
||||
type, a numeric type and code separated by a slash (e.g., 3/4), or a
|
||||
typename. See <ulink
|
||||
url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
|
||||
|
||||
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
|
||||
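Review bot: The replaced lines in this paragraph ("type, a numeric type and code separated by a slash (e.g., 3/4), or a" / "typename. See <ulink") differ from the originals only in where the line breaks; the wording is identical. Suggest leaving this re-wrap, and the other re-wrapped paragraphs in both manpages, out of the commit so that the DROP addition is the only change the diff shows.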
@ -1139,8 +1146,8 @@ Normal-Service => 0x00</programlisting>
|
||||
</emphasis><emphasis>helper</emphasis></term>
|
||||
|
||||
<listitem>
|
||||
<para>Names a Netfilter protocol <firstterm>helper</firstterm> module
|
||||
such as <option>ftp</option>, <option>sip</option>,
|
||||
<para>Names a Netfilter protocol <firstterm>helper</firstterm>
|
||||
module such as <option>ftp</option>, <option>sip</option>,
|
||||
<option>amanda</option>, etc. A packet will match if it was accepted
|
||||
by the named helper module.</para>
|
||||
|
||||
@ -1233,10 +1240,10 @@ Normal-Service => 0x00</programlisting>
|
||||
4:T 0.0.0.0/0 0.0.0.0/0 ipp2p:all
|
||||
SAVE:T 0.0.0.0/0 0.0.0.0/0 all - - - !0</programlisting>
|
||||
|
||||
<para>If a packet hasn't been classified (packet mark is 0), copy the
|
||||
connection mark to the packet mark. If the packet mark is set, we're
|
||||
done. If the packet is P2P, set the packet mark to 4. If the packet
|
||||
mark has been set, save it to the connection mark.</para>
|
||||
<para>If a packet hasn't been classified (packet mark is 0), copy
|
||||
the connection mark to the packet mark. If the packet mark is set,
|
||||
we're done. If the packet is P2P, set the packet mark to 4. If the
|
||||
packet mark has been set, save it to the connection mark.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
@ -402,6 +402,13 @@
|
||||
it from any rules that follow.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><emphasis role="bold">DROP</emphasis></para>
|
||||
|
||||
<para>Added in Shorewall 4.5.21.4. Causes matching packets to be
|
||||
discarded.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><emphasis
|
||||
role="bold">DSCP</emphasis>(<replaceable>dscp</replaceable>)</para>
|
||||
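Review bot: The new `DROP` entry on this page comes with no example; the examples section visible in the last hunk is only re-wrapped. Suggest adding a short example rule that uses DROP so readers can see how the columns are filled in for an action that has no mark value.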
@ -779,8 +786,8 @@ Normal-Service => 0x00</programlisting>
|
||||
<emphasis>port range</emphasis>s; if the protocol is <emphasis
|
||||
role="bold">ipv6-icmp</emphasis>, this column is interpreted as the
|
||||
destination icmp-type(s). ICMP types may be specified as a numeric
|
||||
type, a numeric type and code separated by a slash (e.g., 3/4), or
|
||||
a typename. See <ulink
|
||||
type, a numeric type and code separated by a slash (e.g., 3/4), or a
|
||||
typename. See <ulink
|
||||
url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
|
||||
|
||||
<para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
|
||||
@ -1151,10 +1158,10 @@ Normal-Service => 0x00</programlisting>
|
||||
4 ::/0 ::/0 ipp2p:all
|
||||
SAVE ::/0 ::/0 all - - - !0</programlisting>
|
||||
|
||||
<para>If a packet hasn't been classified (packet mark is 0), copy the
|
||||
connection mark to the packet mark. If the packet mark is set, we're
|
||||
done. If the packet is P2P, set the packet mark to 4. If the packet
|
||||
mark has been set, save it to the connection mark.</para>
|
||||
<para>If a packet hasn't been classified (packet mark is 0), copy
|
||||
the connection mark to the packet mark. If the packet mark is set,
|
||||
we're done. If the packet is P2P, set the packet mark to 4. If the
|
||||
packet mark has been set, save it to the connection mark.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
|