From c6ffdd67e291ddd4fadb9d4b2d7e009e7d30804b Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 18 Nov 2012 11:35:40 -0800 Subject: [PATCH] Add DROP target to the conntrack file. Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Raw.pm | 2 +- Shorewall/manpages/shorewall-conntrack.xml | 19 +++++++++++++++++-- Shorewall6/manpages/shorewall6-conntrack.xml | 7 +++++++ 3 files changed, 25 insertions(+), 3 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Raw.pm b/Shorewall/Perl/Shorewall/Raw.pm index 03dca0a80..ae1c02781 100644 --- a/Shorewall/Perl/Shorewall/Raw.pm +++ b/Shorewall/Perl/Shorewall/Raw.pm @@ -80,7 +80,7 @@ sub process_conntrack_rule( $$$$$$$$$ ) { # Netfilter development list # $action = 'CT --notrack' if have_capability 'CT_TARGET'; - } else { + } elsif ( $action ne 'DROP' ) { ( $target, my ( $option, $args, $junk ) ) = split ':', $action, 4; fatal_error "Invalid notrack ACTION ( $action )" if $junk || $target ne 'CT'; diff --git a/Shorewall/manpages/shorewall-conntrack.xml b/Shorewall/manpages/shorewall-conntrack.xml index 33289134e..c9fe273d7 100644 --- a/Shorewall/manpages/shorewall-conntrack.xml +++ b/Shorewall/manpages/shorewall-conntrack.xml @@ -67,8 +67,8 @@ This column is only present when FORMAT = 2. Values other than - NOTRACK require CT Target support in your - iptables and kernel. + NOTRACK or DROP require CT Target support in + your iptables and kernel. @@ -78,6 +78,13 @@ Disables connection tracking for this packet. + + + + Added in Shorewall 4.5.10. Silently discard the + packet. + + :name @@ -143,6 +150,14 @@ + + + + + + + + sane diff --git a/Shorewall6/manpages/shorewall6-conntrack.xml b/Shorewall6/manpages/shorewall6-conntrack.xml index a1eab9dd5..b2087c337 100644 --- a/Shorewall6/manpages/shorewall6-conntrack.xml +++ b/Shorewall6/manpages/shorewall6-conntrack.xml @@ -77,6 +77,13 @@ Disables connection tracking for this packet. + + DROP + + Added in Shorewall 4.5.10. Silently discard the + packet. + + :name
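Review bot: The new `} elsif ( $action ne 'DROP' ) {` in the Raw.pm hunk routes DROP around the `split ':'` assignment, so for that action `$target` keeps whatever value it had before the hunk; that earlier assignment is not visible here, so confirm that `$target` is initialized from `$action` (or otherwise set to `DROP`) above the branch, or the emitted rule would carry no target. A short comment at the branch would record why DROP is exempt, e.g. `# DROP is a built-in raw-table target: no CT_TARGET capability and no ':option' parsing apply`. Since the comparison is exact, `drop` or `DROP:anything` still fall through to the CT branch and are rejected with "Invalid notrack ACTION", which matches how NOTRACK is treated but is worth stating in the manpage entry added in the same commit. process_conntrack_rule starts before and continues after the hunk.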