diff --git a/Shorewall-perl/Shorewall/Compiler.pm b/Shorewall-perl/Shorewall/Compiler.pm
index f99e0ade3..7c583280f 100644
--- a/Shorewall-perl/Shorewall/Compiler.pm
+++ b/Shorewall-perl/Shorewall/Compiler.pm
@@ -415,7 +415,7 @@ EOF
if [ -f ${VARDIR}/proxyarp ]; then
while read address interface external haveroute; do
qt arp -i $external -d $address pub
- [ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface
+ [ -z "${haveroute}${NOTCR}" ] && qt ip route del $address dev $interface
f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
[ -f $f ] && echo 0 > $f
done < ${VARDIR}/proxyarp
@@ -709,7 +709,12 @@ sub generate_script_4($) {
emit 'load_kernel_modules Yes';
}
- emit '';
+ emit ( '',
+ 'if [ -n "$TCRONLY" ]; then' ,
+ ' delete_tc1' ,
+ 'else' );
+
+ push_indent;
if ( $family == F_IPV4 ) {
for my $interface ( @{find_interfaces_by_option 'norfc1918'} ) {
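Review bot: The new TCRONLY branch emits `delete_tc1` unconditionally, while the non-TCRONLY path later in this function still emits it only `if $config{CLEAR_TC}`; if a `-t start` is not meant to clear traffic control when CLEAR_TC=No, the branch body should be emitted under the same guard (e.g. `$config{CLEAR_TC} ? ' delete_tc1' : ' :'`), and if it is meant to, a short comment above the emit (`# -t: traffic control is always rebuilt, regardless of CLEAR_TC`) would make that explicit. The matching `fi` for this `if` is emitted in a later hunk, so the nesting is only checkable across hunks. generate_script_4 starts and ends outside this hunk.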
@@ -742,8 +747,7 @@ sub generate_script_4($) {
"fi\n" );
}
- emit "delete_tc1\n" if $config{CLEAR_TC};
- emit "disable_ipv6\n" if $config{DISABLE_IPV6};
+ emit "disable_ipv6\n" if $config{DISABLE_IPV6};
} else {
emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit',
@@ -752,19 +756,25 @@ sub generate_script_4($) {
''
);
- emit "delete_tc1\n" if $config{CLEAR_TC};
}
- emit '';
+ emit qq([ -n "\$NOTCR" ] && delete_tc1\n) if $config{CLEAR_TC};
+
+ pop_indent;
+
+ emit 'fi';
set_global_variables;
emit '';
- emit( 'setup_common_rules',
+ emit( '[ -n "$TCRONLY" ] && setup_common_rules',
'',
- 'setup_routing_and_traffic_shaping',
- '');
+ '[ -n "$NOTCR" ] || setup_routing_and_traffic_shaping',
+ '',
+ 'if [ -z "$TCRONLY" ]; then' );
+
+ push_indent;
emit 'cat > ${VARDIR}/proxyarp << __EOF__';
dump_proxy_arp;
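Review bot: The two `&&` guards emitted in this hunk look inverted relative to the sibling guards beside them: `[ -n "$NOTCR" ] || setup_routing_and_traffic_shaping` and `if [ -z "$TCRONLY" ]` skip work when the flag is set, whereas `[ -n "$NOTCR" ] && delete_tc1` runs delete_tc1 only when -n was given and `[ -n "$TCRONLY" ] && setup_common_rules` installs the common rules only in traffic-control-only mode. Unless that is the intent, the lines should read `emit qq([ -n "\$NOTCR" ] || delete_tc1\n) if $config{CLEAR_TC};` and `'[ -n "$TCRONLY" ] || setup_common_rules'`. A comment above this block stating the meaning of the two flags (`# NOTCR: leave routing/tc untouched; TCRONLY: only rebuild routing/tc`) would make the polarity of each guard checkable. generate_script_4 starts and ends outside this hunk.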
@@ -834,6 +844,12 @@ EOF
fi
date > ${VARDIR}/restarted
+EOF
+
+ pop_indent;
+
+ emit 'fi';
+ emit<<'EOF';
case $COMMAND in
start)
diff --git a/Shorewall-perl/Shorewall/Proc.pm b/Shorewall-perl/Shorewall/Proc.pm
index 5e7f23ca2..79340c3ee 100644
--- a/Shorewall-perl/Shorewall/Proc.pm
+++ b/Shorewall-perl/Shorewall/Proc.pm
@@ -123,7 +123,7 @@ sub setup_route_filtering() {
emit 'echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter';
}
- emit "[ -n \"\$NOROUTES\" ] || ip -4 route flush cache";
+ emit "[ -n \"\$NOTCR\" ] || ip -4 route flush cache";
}
}
diff --git a/Shorewall-perl/Shorewall/Providers.pm b/Shorewall-perl/Shorewall/Providers.pm
index 1cf17eaea..b72d9929c 100644
--- a/Shorewall-perl/Shorewall/Providers.pm
+++ b/Shorewall-perl/Shorewall/Providers.pm
@@ -568,7 +568,7 @@ sub setup_providers() {
fatal_error "A non-empty providers file is not permitted with MANGLE_ENABLED=No" unless $config{MANGLE_ENABLED};
- emit "\nif [ -z \"\$NOROUTES\" ]; then";
+ emit "\nif [ -z \"\$NOTCR\" ]; then";
push_indent;
@@ -708,7 +708,7 @@ sub setup_providers() {
emit "\nundo_routing";
emit 'restore_default_route';
if ( $config{NULL_ROUTE_RFC1918} ) {
- emit "\nif [ -z \"\$NOROUTES\" ]; then";
+ emit "\nif [ -z \"\$NOTCR\" ]; then";
push_indent;
diff --git a/Shorewall-perl/Shorewall/Proxyarp.pm b/Shorewall-perl/Shorewall/Proxyarp.pm
index 85059a27f..15d5b2d70 100644
--- a/Shorewall-perl/Shorewall/Proxyarp.pm
+++ b/Shorewall-perl/Shorewall/Proxyarp.pm
@@ -79,7 +79,7 @@ sub setup_one_proxy_arp( $$$$$ ) {
}
unless ( $haveroute ) {
- emit "[ -n \"\$NOROUTES\" ] || run_ip route replace $address dev $interface";
+ emit "run_ip route replace $address dev $interface";
$haveroute = 1 if $persistent;
}
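Review bot: Dropping the guard makes `run_ip route replace` run even when -n (NOTCR) is given, but the proxyarp teardown loop in Compiler.pm still skips `ip route del` whenever `${haveroute}${NOTCR}` is non-empty, so a `-n start` now installs proxy-ARP routes that a later `-n stop` will not remove. Either restore the guard as `emit "[ -n \"\$NOTCR\" ] || run_ip route replace $address dev $interface";` or drop the NOTCR test on the delete side so the two stay symmetric. If the route is required for proxy ARP to work regardless of -n, a one-line comment here saying so would explain the asymmetry to the next reader. setup_one_proxy_arp starts and ends outside this hunk.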
diff --git a/Shorewall-perl/prog.footer b/Shorewall-perl/prog.footer
index 92cc5d453..9af2674a9 100644
--- a/Shorewall-perl/prog.footer
+++ b/Shorewall-perl/prog.footer
@@ -23,6 +23,8 @@ fi
initialize
+[ -n "${PRODUCT:=Shorewall}" ]
+
finished=0
while [ $finished -eq 0 -a $# -gt 0 ]; do
@@ -43,8 +45,23 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
VERBOSE=$(($VERBOSE - 1 ))
option=${option#q}
;;
+ t)
+ if [ -n "$NOTCR" ]; then
+ error_message "The 'n' and 't' options are mutually exclusive"
+ exit 1
+ fi
+
+ TCRONLY=Yes
+ option=${option#t}
+ PRODUCT="$PRODUCT Traffic Control and Routing"
+ ;;
n*)
- NOROUTES=Yes
+ if [ -n "$TCRONLY" ]; then
+ error_message "The 'n' and 't' options are mutually exclusive"
+ exit 1
+ fi
+
+ NOTCR=Yes
option=${option#n}
;;
*)
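Review bot: The new `t)` label matches only a lone `t`, while the adjacent `n*)` case and the `option=${option#t}` strip inside the new branch are written for combined option letters, so `-tq` or `-qt` falls through to `*)`; the label should be `t*)` to match the others (the same `t)` appears in the prog.footer6 hunk). The error text here says `'n' and 't'` while prog.footer6 says `-n and -t`; one wording would be easier to search for. prog.footer6's `usage()` gained `[ -t ]` in this diff but no matching usage hunk for prog.footer appears, so the IPv4 usage text may be stale — worth confirming.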
@@ -62,12 +79,15 @@ done
COMMAND="$1"
-[ -n "${PRODUCT:=Shorewall}" ]
-
case "$COMMAND" in
start)
[ $# -ne 1 ] && usage 2
- if shorewall_is_started; then
+ if [ -n "$TCRONLY" ]; then
+ progress_message3 "Starting $PRODUCT...."
+ define_firewall
+ status=$?
+ progress_message3 "done."
+ elif shorewall6_is_started; then
error_message "$PRODUCT is already Running"
status=0
else
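Review bot: The new `elif shorewall6_is_started; then` in prog.footer replaces `shorewall_is_started`, the helper used by every other branch of this file (reset and refresh in the following hunks); this looks copied from prog.footer6 and will either call a function not defined in the IPv4 script or test the wrong product's state. It should read `elif shorewall_is_started; then`.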
@@ -81,13 +101,20 @@ case "$COMMAND" in
stop)
[ $# -ne 1 ] && usage 2
progress_message3 "Stopping $PRODUCT...."
- stop_firewall
+ if [ -n "$TCRONLY" ]; then
+ delete_tc1
+ else
+ stop_firewall
+ fi
status=0
[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
progress_message3 "done."
;;
reset)
- if ! shorewall_is_started ; then
+ if [ -n "${NOTCR}$"{TCRONLY} ]; then
+ error_message "The -n and -t options may not be used with 'reset'"
+ status=1
+ elif ! shorewall_is_started ; then
error_message "$PRODUCT is not running"
status=2
elif [ $# -eq 1 ]; then
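Review bot: The condition `[ -n "${NOTCR}$"{TCRONLY} ]` is mis-quoted: the closing quote sits after the `$`, so the word is `$NOTCR` followed by the literal text `${TCRONLY}` and is never empty, making reset always fail with the "may not be used" error. It should be `if [ -n "${NOTCR}${TCRONLY}" ]; then`; the same typo is in the refresh, restore and clear hunks of prog.footer and in the reset, refresh, restore and clear hunks of prog.footer6. Separately, the TCRONLY branch of stop only calls `delete_tc1`, yet the following `rm -f $SUBSYSLOCK` still runs; if SUBSYSLOCK marks the firewall as up, a `-t stop` clears that marker while the rules stay loaded. Moving the lock removal under the `else` branch (also in prog.footer6) would keep the lock aligned with the rule state.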
@@ -133,7 +160,10 @@ case "$COMMAND" in
;;
refresh)
[ $# -ne 1 ] && usage 2
- if shorewall_is_started; then
+ if [ -n "${NOTCR}$"{TCRONLY} ]; then
+ error_message "The -n and -t options may not be used with 'refresh'"
+ status=1
+ elif shorewall_is_started; then
progress_message3 "Refreshing $PRODUCT...."
define_firewall
status=$?
@@ -145,19 +175,29 @@ case "$COMMAND" in
;;
restore)
[ $# -ne 1 ] && usage 2
- define_firewall
- status=$?
- if [ -n "$SUBSYSLOCK" ]; then
- [ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
- fi
+ if [ -n "${NOTCR}$"{TCRONLY} ]; then
+ error_message "The -n and -t options may not be used with 'restart'"
+ status=1
+ else
+ define_firewall
+ status=$?
+ if [ -n "$SUBSYSLOCK" ]; then
+ [ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
+ fi
+ fi
;;
clear)
[ $# -ne 1 ] && usage 2
- progress_message3 "Clearing $PRODUCT...."
- clear_firewall
- status=0
- [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
- progress_message3 "done."
+ if [ -n "${NOTCR}$"{TCRONLY} ]; then
+ error_message "The -n and -t options may not be used with 'clear'"
+ status=1
+ else
+ progress_message3 "Clearing $PRODUCT...."
+ clear_firewall
+ status=0
+ [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
+ progress_message3 "done."
+ fi
;;
status)
[ $# -ne 1 ] && usage 2
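Review bot: The restore branch reports the wrong command: `error_message "The -n and -t options may not be used with 'restart'"` sits under `restore)` and should read `... may not be used with 'restore'"`. The same slip appears in prog.footer6's clear branch, whose message says 'restore' instead of 'clear'. Since the four rejection branches now differ only in the command name, a small helper such as `reject_tc_options "$COMMAND"` would remove the chance of this drifting again.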
diff --git a/Shorewall-perl/prog.footer6 b/Shorewall-perl/prog.footer6
index 4060c0431..a655d2c08 100644
--- a/Shorewall-perl/prog.footer6
+++ b/Shorewall-perl/prog.footer6
@@ -2,7 +2,7 @@
# Give Usage Information
#
usage() {
- echo "Usage: $0 [ -q ] [ -v ] [ -n ] [ start|stop|clear|reset|refresh|restart|status|version ]"
+ echo "Usage: $0 [ -q ] [ -v ] [ -n ] [ -t ] [ start|stop|clear|reset|refresh|restart|status|version ]"
exit $1
}
################################################################################
@@ -43,8 +43,23 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
VERBOSE=$(($VERBOSE - 1 ))
option=${option#q}
;;
+ t)
+ if [ -n "$NOTCR" ]; then
+ error_message "The -n and -t options are mutually exclusive"
+ exit 1
+ fi
+
+ TCRONLY=Yes
+ option=${option#t}
+ PRODUCT="$PRODUCT Traffic Control and Routing"
+ ;;
n*)
- NOROUTES=Yes
+ if [ -n "$TCRONLY" ]; then
+ error_message "The -n and -t options are mutually exclusive"
+ exit 1
+ fi
+
+ NOTCR=Yes
option=${option#n}
;;
*)
@@ -72,7 +87,12 @@ else
case "$COMMAND" in
start)
[ $# -ne 1 ] && usage 2
- if shorewall6_is_started; then
+ if [ -n "$TCRONLY" ]; then
+ progress_message3 "Starting $PRODUCT...."
+ define_firewall
+ status=$?
+ progress_message3 "done."
+ elif shorewall6_is_started; then
error_message "$PRODUCT is already Running"
status=0
else
@@ -86,13 +106,20 @@ else
stop)
[ $# -ne 1 ] && usage 2
progress_message3 "Stopping $PRODUCT...."
- stop_firewall
+ if [ -n "$TCRONLY" ]; then
+ delete_tc1
+ else
+ stop_firewall
+ fi
status=0
[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
progress_message3 "done."
;;
reset)
- if ! shorewall6_is_started ; then
+ if [ -n "${NOTCR}$"{TCRONLY} ]; then
+ error_message "The -n and -t options may not be used with 'reset'"
+ status=1
+ elif ! shorewall6_is_started ; then
error_message "$PRODUCT is not running"
status=2
elif [ $# -eq 1 ]; then
@@ -121,23 +148,33 @@ else
;;
restart)
[ $# -ne 1 ] && usage 2
- if shorewall6_is_started; then
+ if [ -n "$TCRONLY" ]; then
progress_message3 "Restarting $PRODUCT...."
+ define_firewall
+ status=$?
else
- error_message "$PRODUCT is not running"
- progress_message3 "Starting $PRODUCT...."
+ if shorewall6_is_started; then
+ progress_message3 "Restarting $PRODUCT...."
+ else
+ error_message "$PRODUCT is not running"
+ progress_message3 "Starting $PRODUCT...."
+ fi
+
+ define_firewall
+ status=$?
+ if [ -n "$SUBSYSLOCK" ]; then
+ [ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
+ fi
fi
-
- define_firewall
- status=$?
- if [ -n "$SUBSYSLOCK" ]; then
- [ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
- fi
+
progress_message3 "done."
;;
refresh)
[ $# -ne 1 ] && usage 2
- if shorewall6_is_started; then
+ if [ -n "${NOTCR}$"{TCRONLY} ]; then
+ error_message "The -n and -t options may not be used with 'refresh'"
+ status=1
+ elif shorewall6_is_started; then
progress_message3 "Refreshing $PRODUCT...."
define_firewall
status=$?
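Review bot: The new `-t restart` branch calls define_firewall without updating SUBSYSLOCK, while the plain path still touches or removes it; that is consistent with -t not changing firewall state, but a one-line comment on the branch (`# -t: firewall rules are untouched, so SUBSYSLOCK is left as is`) would stop a later reader from "fixing" it. No matching restart hunk for prog.footer appears in this diff, so on the IPv4 side `-t restart` presumably still goes through the shorewall_is_started path and behaves differently — worth confirming.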
@@ -149,19 +186,29 @@ else
;;
restore)
[ $# -ne 1 ] && usage 2
- define_firewall
- status=$?
- if [ -n "$SUBSYSLOCK" ]; then
- [ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
- fi
+ if [ -n "${NOTCR}$"{TCRONLY} ]; then
+ error_message "The -n and -t options may not be used with 'restore'"
+ status=1
+ else
+ define_firewall
+ status=$?
+ if [ -n "$SUBSYSLOCK" ]; then
+ [ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
+ fi
+ fi
;;
clear)
[ $# -ne 1 ] && usage 2
- progress_message3 "Clearing $PRODUCT...."
- clear_firewall
- status=0
- [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
- progress_message3 "done."
+ if [ -n "${NOTCR}$"{TCRONLY} ]; then
+ error_message "The -n and -t options may not be used with 'restore'"
+ status=1
+ else
+ progress_message3 "Clearing $PRODUCT...."
+ clear_firewall
+ status=0
+ [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
+ progress_message3 "done."
+ fi
;;
status)
[ $# -ne 1 ] && usage 2
diff --git a/docs/FAQ.xml b/docs/FAQ.xml
index fcecb5f96..8c4aaa8cf 100644
--- a/docs/FAQ.xml
+++ b/docs/FAQ.xml
@@ -1611,6 +1611,19 @@ modprobe: Can't locate module iptable_raw
Shorewall probes your system to determine the features that it support.
They are completely harmless.
+
+
+ (FAQ 81) logdrop and logreject don't log.
+
+ I love the ability to type 'shorewall logdrop ww.xx.yy.zz' and
+ >> completely block a particular IP address. However, the log part
+ doesn't happen. When I look in the logdrop chain, there is no LOG
+ prefix.
+
+ Answer: You haven't set a value
+ for BLACKLIST_LOGLEVEL in shorewall.conf (5).
+
diff --git a/manpages/shorewall.xml b/manpages/shorewall.xml
index f4a7149da..f10b3518d 100644
--- a/manpages/shorewall.xml
+++ b/manpages/shorewall.xml
@@ -919,7 +919,9 @@
Causes traffic from the listed addresses
- to be logged then discarded.
+ to be logged then discarded. Logging occurs at the log level
+ specified by the BLACKLIST_LOGLEVEL setting in shorewall.conf (5).
@@ -946,7 +948,9 @@
Causes traffic from the listed addresses
- to be logged then rejected.
+ to be logged then rejected. Logging occurs at the log level
+ specified by the BLACKLIST_LOGLEVEL setting in shorewall.conf (5).
diff --git a/manpages6/shorewall6.xml b/manpages6/shorewall6.xml
index ca2721809..8251a2827 100644
--- a/manpages6/shorewall6.xml
+++ b/manpages6/shorewall6.xml
@@ -721,7 +721,9 @@
Causes traffic from the listed addresses
- to be logged then discarded.
+ to be logged then discarded. Logging occurs at the log level
+ specified by the BLACKLIST_LOGLEVEL setting in shorewall6.conf (5).
@@ -748,7 +750,9 @@
Causes traffic from the listed addresses
- to be logged then rejected.
+ to be logged then rejected. Logging occurs at the log level
+ specified by the BLACKLIST_LOGLEVEL setting in shorewall6.conf (5).