Add DROP support in tcrules

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall/Perl/Shorewall/Tc.pm

@@ -304,7 +304,13 @@ our  %tccmd;
 				 mark      => NOMARK,
 				 mask      => '',
 				 connmark  => 0,
-			       }
+			       },
+		   DROP =>      { match     => sub( $ ) { $_[0] eq 'DROP' },
+				 target    => 'DROP',
+				 mark      => NOMARK,
+				 mask      => '',
+				 connmark  => 0
+			       },
 		 );
     }
 
@@ -559,7 +565,13 @@ our  %tccmd;
 					   }
 
 					   $cmd = '';
-				       }
+				       },
+		       DROP     => sub()
+		                       {
+					   assert ( $cmd eq 'DROP' );
+					   $target = 'DROP';
+					   $cmd = '';
+				       },
 		     );
 
     if ( $source ) {

Shorewall/manpages/shorewall-tcrules.xml

@@ -397,6 +397,13 @@
               follow.</para>
             </listitem>
 
+            <listitem>
+              <para><emphasis role="bold">DROP</emphasis></para>
+
+              <para>Added in Shorewall 4.5.21.4. Causes matching packets to be
+              discarded.</para>
+            </listitem>
+
             <listitem>
               <para><emphasis
               role="bold">DSCP</emphasis>(<replaceable>dscp</replaceable>)</para>
@@ -903,8 +910,8 @@ Normal-Service       =&gt; 0x00</programlisting>
           <emphasis>port range</emphasis>s; if the protocol is <emphasis
           role="bold">icmp</emphasis>, this column is interpreted as the
           destination icmp-type(s). ICMP types may be specified as a numeric
-          type, a numeric type and code separated by a slash (e.g., 3/4), or
+          type, a numeric type and code separated by a slash (e.g., 3/4), or a
-          a typename. See <ulink
+          typename. See <ulink
           url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
 
           <para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
@@ -1139,8 +1146,8 @@ Normal-Service       =&gt; 0x00</programlisting>
         </emphasis><emphasis>helper</emphasis></term>
 
         <listitem>
-          <para>Names a Netfilter protocol <firstterm>helper</firstterm> module
+          <para>Names a Netfilter protocol <firstterm>helper</firstterm>
-          such as <option>ftp</option>, <option>sip</option>,
+          module such as <option>ftp</option>, <option>sip</option>,
           <option>amanda</option>, etc. A packet will match if it was accepted
           by the named helper module.</para>
 
@@ -1233,10 +1240,10 @@ Normal-Service       =&gt; 0x00</programlisting>
        4:T         0.0.0.0/0 0.0.0.0/0   ipp2p:all
        SAVE:T      0.0.0.0/0 0.0.0.0/0   all     -             -       -       !0</programlisting>
 
-          <para>If a packet hasn't been classified (packet mark is 0), copy the
+          <para>If a packet hasn't been classified (packet mark is 0), copy
-          connection mark to the packet mark. If the packet mark is set, we're
+          the connection mark to the packet mark. If the packet mark is set,
-          done. If the packet is P2P, set the packet mark to 4. If the packet
+          we're done. If the packet is P2P, set the packet mark to 4. If the
-          mark has been set, save it to the connection mark.</para>
+          packet mark has been set, save it to the connection mark.</para>
         </listitem>
       </varlistentry>
 

Shorewall6/manpages/shorewall6-tcrules.xml

@@ -402,6 +402,13 @@
               it from any rules that follow.</para>
             </listitem>
 
+            <listitem>
+              <para><emphasis role="bold">DROP</emphasis></para>
+
+              <para>Added in Shorewall 4.5.21.4. Causes matching packets to be
+              discarded.</para>
+            </listitem>
+
             <listitem>
               <para><emphasis
               role="bold">DSCP</emphasis>(<replaceable>dscp</replaceable>)</para>
@@ -779,8 +786,8 @@ Normal-Service       =&gt; 0x00</programlisting>
           <emphasis>port range</emphasis>s; if the protocol is <emphasis
           role="bold">ipv6-icmp</emphasis>, this column is interpreted as the
           destination icmp-type(s). ICMP types may be specified as a numeric
-          type, a numeric type and code separated by a slash (e.g., 3/4), or
+          type, a numeric type and code separated by a slash (e.g., 3/4), or a
-          a typename. See <ulink
+          typename. See <ulink
           url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>
 
           <para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
@@ -1151,10 +1158,10 @@ Normal-Service       =&gt; 0x00</programlisting>
        4         ::/0      ::/0         ipp2p:all
        SAVE      ::/0      ::/0         all     -             -       -       !0</programlisting>
 
-          <para>If a packet hasn't been classified (packet mark is 0), copy the
+          <para>If a packet hasn't been classified (packet mark is 0), copy
-          connection mark to the packet mark. If the packet mark is set, we're
+          the connection mark to the packet mark. If the packet mark is set,
-          done. If the packet is P2P, set the packet mark to 4. If the packet
+          we're done. If the packet is P2P, set the packet mark to 4. If the
-          mark has been set, save it to the connection mark.</para>
+          packet mark has been set, save it to the connection mark.</para>
         </listitem>
       </varlistentry>
     </variablelist>