From e0fc80bed552ba9c0673365841f2897fab5dcade Mon Sep 17 00:00:00 2001 From: teastep Date: Sat, 24 Jan 2009 16:36:43 +0000 Subject: [PATCH] Make clear the relationship between logdrop, logreject and BLACKLIST_LOGLEVEL git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9330 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- Shorewall-perl/Shorewall/Compiler.pm | 34 +++++++--- Shorewall-perl/Shorewall/Proc.pm | 2 +- Shorewall-perl/Shorewall/Providers.pm | 4 +- Shorewall-perl/Shorewall/Proxyarp.pm | 2 +- Shorewall-perl/prog.footer | 74 +++++++++++++++----- Shorewall-perl/prog.footer6 | 97 ++++++++++++++++++++------- docs/FAQ.xml | 13 ++++ manpages/shorewall.xml | 8 ++- manpages6/shorewall6.xml | 8 ++- 9 files changed, 183 insertions(+), 59 deletions(-) diff --git a/Shorewall-perl/Shorewall/Compiler.pm b/Shorewall-perl/Shorewall/Compiler.pm index f99e0ade3..7c583280f 100644 --- a/Shorewall-perl/Shorewall/Compiler.pm +++ b/Shorewall-perl/Shorewall/Compiler.pm @@ -415,7 +415,7 @@ EOF if [ -f ${VARDIR}/proxyarp ]; then while read address interface external haveroute; do qt arp -i $external -d $address pub - [ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface + [ -z "${haveroute}${NOTCR}" ] && qt ip route del $address dev $interface f=/proc/sys/net/ipv4/conf/$interface/proxy_arp [ -f $f ] && echo 0 > $f done < ${VARDIR}/proxyarp @@ -709,7 +709,12 @@ sub generate_script_4($) { emit 'load_kernel_modules Yes'; } - emit ''; + emit ( '', + 'if [ -n "$TCRONLY" ]; then' , + ' delete_tc1' , + 'else' ); + + push_indent; if ( $family == F_IPV4 ) { for my $interface ( @{find_interfaces_by_option 'norfc1918'} ) { @@ -742,8 +747,7 @@ sub generate_script_4($) { "fi\n" ); } - emit "delete_tc1\n" if $config{CLEAR_TC}; - emit "disable_ipv6\n" if $config{DISABLE_IPV6}; + emit "disable_ipv6\n" if $config{DISABLE_IPV6}; } else { emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit', 
@@ -752,19 +756,25 @@ sub generate_script_4($) { '' ); - emit "delete_tc1\n" if $config{CLEAR_TC}; } - emit ''; + emit qq([ -n "\$NOTCR" ] && delete_tc1\n) if $config{CLEAR_TC}; + + pop_indent; + + emit 'fi'; set_global_variables; emit ''; - emit( 'setup_common_rules', + emit( '[ -n "$TCRONLY" ] && setup_common_rules', '', - 'setup_routing_and_traffic_shaping', - ''); + '[ -n "$NOTCR" ] || setup_routing_and_traffic_shaping', + '', + 'if [ -z "$TCRONLY" ]; then' ); + + push_indent; emit 'cat > ${VARDIR}/proxyarp << __EOF__'; dump_proxy_arp; @@ -834,6 +844,12 @@ EOF fi date > ${VARDIR}/restarted +EOF + + pop_indent; + + emit 'fi'; + emit<<'EOF'; case $COMMAND in start) diff --git a/Shorewall-perl/Shorewall/Proc.pm b/Shorewall-perl/Shorewall/Proc.pm index 5e7f23ca2..79340c3ee 100644 --- a/Shorewall-perl/Shorewall/Proc.pm +++ b/Shorewall-perl/Shorewall/Proc.pm @@ -123,7 +123,7 @@ sub setup_route_filtering() { emit 'echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter'; } - emit "[ -n \"\$NOROUTES\" ] || ip -4 route flush cache"; + emit "[ -n \"\$NOTCR\" ] || ip -4 route flush cache"; } } diff --git a/Shorewall-perl/Shorewall/Providers.pm b/Shorewall-perl/Shorewall/Providers.pm index 1cf17eaea..b72d9929c 100644 --- a/Shorewall-perl/Shorewall/Providers.pm +++ b/Shorewall-perl/Shorewall/Providers.pm @@ -568,7 +568,7 @@ sub setup_providers() { fatal_error "A non-empty providers file is not permitted with MANGLE_ENABLED=No" unless $config{MANGLE_ENABLED}; - emit "\nif [ -z \"\$NOROUTES\" ]; then"; + emit "\nif [ -z \"\$NOTCR\" ]; then"; push_indent; @@ -708,7 +708,7 @@ sub setup_providers() { emit "\nundo_routing"; emit 'restore_default_route'; if ( $config{NULL_ROUTE_RFC1918} ) { - emit "\nif [ -z \"\$NOROUTES\" ]; then"; + emit "\nif [ -z \"\$NOTCR\" ]; then"; push_indent; diff --git a/Shorewall-perl/Shorewall/Proxyarp.pm b/Shorewall-perl/Shorewall/Proxyarp.pm index 85059a27f..15d5b2d70 100644 --- a/Shorewall-perl/Shorewall/Proxyarp.pm 
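Review bot: The guard on the new `'[ -n "$TCRONLY" ] && setup_common_rules',` line has the opposite polarity to its sibling `'[ -n "$NOTCR" ] || setup_routing_and_traffic_shaping',`: as written, the common rules are emitted only when -t is given and are skipped on a normal start. It should read `'[ -n "$TCRONLY" ] || setup_common_rules',`. The `[ -n "\$NOTCR" ] && delete_tc1` line in the same hunk likewise runs delete_tc1 only under -n, which seems backwards if -n means leave traffic control and routing alone; worth confirming against the intended meaning of NOTCR and documenting in a one-line comment either way. generate_script_4 begins and ends outside this hunk.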
+++ b/Shorewall-perl/Shorewall/Proxyarp.pm @@ -79,7 +79,7 @@ sub setup_one_proxy_arp( $$$$$ ) { } unless ( $haveroute ) { - emit "[ -n \"\$NOROUTES\" ] || run_ip route replace $address dev $interface"; + emit "run_ip route replace $address dev $interface"; $haveroute = 1 if $persistent; } diff --git a/Shorewall-perl/prog.footer b/Shorewall-perl/prog.footer index 92cc5d453..9af2674a9 100644 --- a/Shorewall-perl/prog.footer +++ b/Shorewall-perl/prog.footer @@ -23,6 +23,8 @@ fi initialize +[ -n "${PRODUCT:=Shorewall}" ] + finished=0 while [ $finished -eq 0 -a $# -gt 0 ]; do @@ -43,8 +45,23 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do VERBOSE=$(($VERBOSE - 1 )) option=${option#q} ;; + t) + if [ -n "$NOTCR" ]; then + error_message "The 'n' and 't' options are mutually exclusive" + exit 1 + fi + + TCRONLY=Yes + option=${option#t} + PRODUCT="$PRODUCT Traffic Control and Routing" + ;; n*) - NOROUTES=Yes + if [ -n "$TCRONLY" ]; then + error_message "The 'n' and 't' options are mutually exclusive" + exit 1 + fi + + NOTCR=Yes option=${option#n} ;; *) @@ -62,12 +79,15 @@ done COMMAND="$1" -[ -n "${PRODUCT:=Shorewall}" ] - case "$COMMAND" in start) [ $# -ne 1 ] && usage 2 - if shorewall_is_started; then + if [ -n "$TCRONLY" ]; then + progress_message3 "Starting $PRODUCT...." + define_firewall + status=$? + progress_message3 "done." + elif shorewall6_is_started; then error_message "$PRODUCT is already Running" status=0 else @@ -81,13 +101,20 @@ case "$COMMAND" in stop) [ $# -ne 1 ] && usage 2 progress_message3 "Stopping $PRODUCT...." - stop_firewall + if [ -n "$TCRONLY" ]; then + delete_tc1 + else + stop_firewall + fi status=0 [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK progress_message3 "done." ;; reset) - if ! shorewall_is_started ; then + if [ -n "${NOTCR}$"{TCRONLY} ]; then + error_message "The -n and -t options may not be used with 'reset'" + status=1 + elif ! shorewall_is_started ; then error_message "$PRODUCT is not running" status=2 elif [ $# -eq 1 ]; then 
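Review bot: The -n guard on the proxy ARP route is dropped entirely here (`emit "run_ip route replace $address dev $interface";`), while the matching teardown in Compiler.pm still honours the flag (`[ -z "${haveroute}${NOTCR}" ] && qt ip route del ...`). If -n is meant to leave routing untouched, start will now add a route that stop will not remove; if proxy ARP is meant to be exempt from -n, the teardown guard should drop NOTCR as well. Either way the asymmetry deserves a short comment in setup_one_proxy_arp, which begins and ends outside this hunk.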
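Review bot: The new `t)` case only matches when t is the sole remaining character of an option cluster, unlike the existing `n*)` pattern, so `-tq` or `-tv` falls through to the usage error while `-nq` is accepted; `t*)` would match the sibling, and the `option=${option#t}` strip is otherwise a no-op. The messages also differ between the two footers: this file says `The 'n' and 't' options are mutually exclusive` while prog.footer6 says `The -n and -t options are mutually exclusive`, and the `-n`/`-t` form is what the later error messages in this file use. The same `t)` pattern appears in the prog.footer6 options hunk.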
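Review bot: The rewritten start branch tests `elif shorewall6_is_started; then` in the IPv4 prog.footer, whereas the removed line and the reset and refresh cases below still use `shorewall_is_started`; this looks copied from prog.footer6 and would call a function the IPv4 script does not define. It should be `elif shorewall_is_started; then`. The new -t start path also runs define_firewall without the is-started check, which may be intended since it only touches traffic control and routing, but a one-line comment saying so would help the next reader.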
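Review bot: The quoting in `if [ -n "${NOTCR}$"{TCRONLY} ]; then` is broken: the closing quote sits before `{TCRONLY}`, so the word expands to NOTCR followed by a literal `${TCRONLY}` and the test is always true, making reset refuse to run regardless of the options given. It should be `if [ -n "${NOTCR}${TCRONLY}" ]; then`. The same line recurs in the refresh, restore and clear hunks of this file and in the reset, refresh, restore and clear hunks of prog.footer6. Separately, the -t stop path only runs delete_tc1, yet the unchanged `[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK` below it still removes the subsystem lock while the firewall rules remain loaded; the lock removal probably belongs in the else branch, and the same applies to the prog.footer6 stop hunk.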
@@ -133,7 +160,10 @@ case "$COMMAND" in ;; refresh) [ $# -ne 1 ] && usage 2 - if shorewall_is_started; then + if [ -n "${NOTCR}$"{TCRONLY} ]; then + error_message "The -n and -t options may not be used with 'refresh'" + status=1 + elif shorewall_is_started; then progress_message3 "Refreshing $PRODUCT...." define_firewall status=$? @@ -145,19 +175,29 @@ case "$COMMAND" in ;; restore) [ $# -ne 1 ] && usage 2 - define_firewall - status=$? - if [ -n "$SUBSYSLOCK" ]; then - [ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK - fi + if [ -n "${NOTCR}$"{TCRONLY} ]; then + error_message "The -n and -t options may not be used with 'restart'" + status=1 + else + define_firewall + status=$? + if [ -n "$SUBSYSLOCK" ]; then + [ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK + fi + fi ;; clear) [ $# -ne 1 ] && usage 2 - progress_message3 "Clearing $PRODUCT...." - clear_firewall - status=0 - [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK - progress_message3 "done." + if [ -n "${NOTCR}$"{TCRONLY} ]; then + error_message "The -n and -t options may not be used with 'clear'" + status=1 + else + progress_message3 "Clearing $PRODUCT...." + clear_firewall + status=0 + [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK + progress_message3 "done." + fi ;; status) [ $# -ne 1 ] && usage 2 diff --git a/Shorewall-perl/prog.footer6 b/Shorewall-perl/prog.footer6 index 4060c0431..a655d2c08 100644 --- a/Shorewall-perl/prog.footer6 +++ b/Shorewall-perl/prog.footer6 @@ -2,7 +2,7 @@ # Give Usage Information # usage() { - echo "Usage: $0 [ -q ] [ -v ] [ -n ] [ start|stop|clear|reset|refresh|restart|status|version ]" + echo "Usage: $0 [ -q ] [ -v ] [ -n ] [ -t ] [ start|stop|clear|reset|refresh|restart|status|version ]" exit $1 } ################################################################################ 
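Review bot: The error text in the new restore branch names the wrong command: `error_message "The -n and -t options may not be used with 'restart'"` sits under `restore)`, so it should say `'restore'`. The prog.footer6 clear hunk has the mirror-image slip, reporting `'restore'` under `clear)`. Since these strings are the only feedback the operator gets, a quick pass over all four new messages in each footer would be worthwhile.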
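Review bot: The usage line gains `[ -t ]` only in prog.footer6; this patch carries no matching hunk for the usage() text in prog.footer, even though that file's option parser now accepts -t as well. I cannot see prog.footer's usage() here, so if it was updated separately this is moot; otherwise the IPv4 script would accept a flag its own help output does not list, and the fix is the same one-line change: `echo "Usage: $0 [ -q ] [ -v ] [ -n ] [ -t ] [ start|stop|clear|reset|refresh|restart|status|version ]"`.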
@@ -43,8 +43,23 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do VERBOSE=$(($VERBOSE - 1 )) option=${option#q} ;; + t) + if [ -n "$NOTCR" ]; then + error_message "The -n and -t options are mutually exclusive" + exit 1 + fi + + TCRONLY=Yes + option=${option#t} + PRODUCT="$PRODUCT Traffic Control and Routing" + ;; n*) - NOROUTES=Yes + if [ -n "$TCRONLY" ]; then + error_message "The -n and -t options are mutually exclusive" + exit 1 + fi + + NOTCR=Yes option=${option#n} ;; *) @@ -72,7 +87,12 @@ else case "$COMMAND" in start) [ $# -ne 1 ] && usage 2 - if shorewall6_is_started; then + if [ -n "$TCRONLY" ]; then + progress_message3 "Starting $PRODUCT...." + define_firewall + status=$? + progress_message3 "done." + elif shorewall6_is_started; then error_message "$PRODUCT is already Running" status=0 else @@ -86,13 +106,20 @@ else stop) [ $# -ne 1 ] && usage 2 progress_message3 "Stopping $PRODUCT...." - stop_firewall + if [ -n "$TCRONLY" ]; then + delete_tc1 + else + stop_firewall + fi status=0 [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK progress_message3 "done." ;; reset) - if ! shorewall6_is_started ; then + if [ -n "${NOTCR}$"{TCRONLY} ]; then + error_message "The -n and -t options may not be used with 'reset'" + status=1 + elif ! shorewall6_is_started ; then error_message "$PRODUCT is not running" status=2 elif [ $# -eq 1 ]; then 
@@ -121,23 +148,33 @@ else ;; restart) [ $# -ne 1 ] && usage 2 - if shorewall6_is_started; then + if [ -n "$TCRONLY" ]; then progress_message3 "Restarting $PRODUCT...." + define_firewall + status=$? else - error_message "$PRODUCT is not running" - progress_message3 "Starting $PRODUCT...." + if shorewall6_is_started; then + progress_message3 "Restarting $PRODUCT...." + else + error_message "$PRODUCT is not running" + progress_message3 "Starting $PRODUCT...." + fi + + define_firewall + status=$? + if [ -n "$SUBSYSLOCK" ]; then + [ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK + fi fi - - define_firewall - status=$? - if [ -n "$SUBSYSLOCK" ]; then - [ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK - fi + progress_message3 "done." ;; refresh) [ $# -ne 1 ] && usage 2 - if shorewall6_is_started; then + if [ -n "${NOTCR}$"{TCRONLY} ]; then + error_message "The -n and -t options may not be used with 'refresh'" + status=1 + elif shorewall6_is_started; then progress_message3 "Refreshing $PRODUCT...." define_firewall status=$? @@ -149,19 +186,29 @@ else ;; restore) [ $# -ne 1 ] && usage 2 - define_firewall - status=$? - if [ -n "$SUBSYSLOCK" ]; then - [ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK - fi + if [ -n "${NOTCR}$"{TCRONLY} ]; then + error_message "The -n and -t options may not be used with 'restore'" + status=1 + else + define_firewall + status=$? + if [ -n "$SUBSYSLOCK" ]; then + [ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK + fi + fi ;; clear) [ $# -ne 1 ] && usage 2 - progress_message3 "Clearing $PRODUCT...." - clear_firewall - status=0 - [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK - progress_message3 "done." + if [ -n "${NOTCR}$"{TCRONLY} ]; then + error_message "The -n and -t options may not be used with 'restore'" + status=1 + else + progress_message3 "Clearing $PRODUCT...." + clear_firewall + status=0 + [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK + progress_message3 "done." + fi ;; status) [ $# -ne 1 ] && usage 2 
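Review bot: The -t branch of restart runs define_firewall with no is-started check and skips the SUBSYSLOCK handling, which is consistent with the new start case, but prog.footer receives no corresponding restart hunk in this patch, so the IPv4 script's restart under -t would presumably still take the full path unless that is handled elsewhere; worth confirming. A brief comment above `if [ -n "$TCRONLY" ]; then`, for example `# -t: redo only traffic control and routing; firewall state and subsystem lock are left as they are`, would make the intended difference from a plain restart explicit.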
diff --git a/docs/FAQ.xml b/docs/FAQ.xml index fcecb5f96..8c4aaa8cf 100644 --- a/docs/FAQ.xml +++ b/docs/FAQ.xml @@ -1611,6 +1611,19 @@ modprobe: Can't locate module iptable_raw Shorewall probes your system to determine the features that it support. They are completely harmless. + +
+ (FAQ 81) logdrop and logreject don't log. + + I love the ability to type 'shorewall logdrop ww.xx.yy.zz' and + >> completely block a particular IP address. However, the log part + doesn't happen. When I look in the logdrop chain, there is no LOG + prefix. + + Answer: You haven't set a value + for BLACKLIST_LOGLEVEL in shorewall.conf (5). +
diff --git a/manpages/shorewall.xml b/manpages/shorewall.xml index f4a7149da..f10b3518d 100644 --- a/manpages/shorewall.xml +++ b/manpages/shorewall.xml @@ -919,7 +919,9 @@ Causes traffic from the listed addresses - to be logged then discarded. + to be logged then discarded. Logging occurs at the log level + specified by the BLACKLIST_LOGLEVEL setting in shorewall.conf (5). @@ -946,7 +948,9 @@ Causes traffic from the listed addresses - to be logged then rejected. + to be logged then rejected. Logging occurs at the log level + specified by the BLACKLIST_LOGLEVEL setting in shorewall.conf (5). diff --git a/manpages6/shorewall6.xml b/manpages6/shorewall6.xml index ca2721809..8251a2827 100644 --- a/manpages6/shorewall6.xml +++ b/manpages6/shorewall6.xml @@ -721,7 +721,9 @@ Causes traffic from the listed addresses - to be logged then discarded. + to be logged then discarded. Logging occurs at the log level + specified by the BLACKLIST_LOGLEVEL setting in shorewall6.conf (5). @@ -748,7 +750,9 @@ Causes traffic from the listed addresses - to be logged then rejected. + to be logged then rejected. Logging occurs at the log level + specified by the BLACKLIST_LOGLEVEL setting in shorewall6.conf (5).