Make clear the relationship between logdrop, logreject and BLACKLIST_LOGLEVEL

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@9330 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2009-01-24 16:36:43 +00:00
parent 827ad9a86c
commit e0fc80bed5
9 changed files with 183 additions and 59 deletions


@ -415,7 +415,7 @@ EOF
if [ -f ${VARDIR}/proxyarp ]; then if [ -f ${VARDIR}/proxyarp ]; then
while read address interface external haveroute; do while read address interface external haveroute; do
qt arp -i $external -d $address pub qt arp -i $external -d $address pub
[ -z "${haveroute}${NOROUTES}" ] && qt ip route del $address dev $interface [ -z "${haveroute}${NOTCR}" ] && qt ip route del $address dev $interface
f=/proc/sys/net/ipv4/conf/$interface/proxy_arp f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
[ -f $f ] && echo 0 > $f [ -f $f ] && echo 0 > $f
done < ${VARDIR}/proxyarp done < ${VARDIR}/proxyarp
@ -709,7 +709,12 @@ sub generate_script_4($) {
emit 'load_kernel_modules Yes'; emit 'load_kernel_modules Yes';
} }
emit ''; emit ( '',
'if [ -n "$TCRONLY" ]; then' ,
' delete_tc1' ,
'else' );
push_indent;
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
for my $interface ( @{find_interfaces_by_option 'norfc1918'} ) { for my $interface ( @{find_interfaces_by_option 'norfc1918'} ) {
@ -742,8 +747,7 @@ sub generate_script_4($) {
"fi\n" ); "fi\n" );
} }
emit "delete_tc1\n" if $config{CLEAR_TC}; emit "disable_ipv6\n" if $config{DISABLE_IPV6};
emit "disable_ipv6\n" if $config{DISABLE_IPV6};
} else { } else {
emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit', emit ( '[ "$COMMAND" = refresh ] && run_refresh_exit || run_init_exit',
@ -752,19 +756,25 @@ sub generate_script_4($) {
'' ''
); );
emit "delete_tc1\n" if $config{CLEAR_TC};
} }
emit ''; emit qq([ -n "\$NOTCR" ] && delete_tc1\n) if $config{CLEAR_TC};
pop_indent;
emit 'fi';
set_global_variables; set_global_variables;
emit ''; emit '';
emit( 'setup_common_rules', emit( '[ -n "$TCRONLY" ] && setup_common_rules',
'', '',
'setup_routing_and_traffic_shaping', '[ -n "$NOTCR" ] || setup_routing_and_traffic_shaping',
''); '',
'if [ -z "$TCRONLY" ]; then' );
push_indent;
emit 'cat > ${VARDIR}/proxyarp << __EOF__'; emit 'cat > ${VARDIR}/proxyarp << __EOF__';
dump_proxy_arp; dump_proxy_arp;
@ -834,6 +844,12 @@ EOF
fi fi
date > ${VARDIR}/restarted date > ${VARDIR}/restarted
EOF
pop_indent;
emit 'fi';
emit<<'EOF';
case $COMMAND in case $COMMAND in
start) start)
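Review bot: The guard emitted at `emit( '[ -n "$TCRONLY" ] && setup_common_rules',` appears inverted: on a plain start TCRONLY is empty, so the generated script skips setup_common_rules and brings up routing and traffic shaping without the common rule set, while the sibling line correctly guards setup_routing_and_traffic_shaping with `'[ -n "$NOTCR" ] || setup_routing_and_traffic_shaping',`. Unless setup_common_rules is meant to run only under -t (which the control-script changes argue against, since their -t path touches only tc), the line should read `'[ -n "$TCRONLY" ] || setup_common_rules',`; a firewall that starts without its common rules fails open, so this is worth a direct test of a plain start. It is also worth confirming that a plain start with CLEAR_TC still clears tc: the unconditional `emit "delete_tc1\n" if $config{CLEAR_TC};` was removed from both branches and its replacement `[ -n "$NOTCR" ] && delete_tc1` fires only under -n, unless setup_routing_and_traffic_shaping does the clearing itself. generate_script_4 begins and ends outside these hunks.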


@ -123,7 +123,7 @@ sub setup_route_filtering() {
emit 'echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter'; emit 'echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter';
} }
emit "[ -n \"\$NOROUTES\" ] || ip -4 route flush cache"; emit "[ -n \"\$NOTCR\" ] || ip -4 route flush cache";
} }
} }


@ -568,7 +568,7 @@ sub setup_providers() {
fatal_error "A non-empty providers file is not permitted with MANGLE_ENABLED=No" unless $config{MANGLE_ENABLED}; fatal_error "A non-empty providers file is not permitted with MANGLE_ENABLED=No" unless $config{MANGLE_ENABLED};
emit "\nif [ -z \"\$NOROUTES\" ]; then"; emit "\nif [ -z \"\$NOTCR\" ]; then";
push_indent; push_indent;
@ -708,7 +708,7 @@ sub setup_providers() {
emit "\nundo_routing"; emit "\nundo_routing";
emit 'restore_default_route'; emit 'restore_default_route';
if ( $config{NULL_ROUTE_RFC1918} ) { if ( $config{NULL_ROUTE_RFC1918} ) {
emit "\nif [ -z \"\$NOROUTES\" ]; then"; emit "\nif [ -z \"\$NOTCR\" ]; then";
push_indent; push_indent;


@ -79,7 +79,7 @@ sub setup_one_proxy_arp( $$$$$ ) {
} }
unless ( $haveroute ) { unless ( $haveroute ) {
emit "[ -n \"\$NOROUTES\" ] || run_ip route replace $address dev $interface"; emit "run_ip route replace $address dev $interface";
$haveroute = 1 if $persistent; $haveroute = 1 if $persistent;
} }
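Review bot: The `[ -n \"\$NOROUTES\" ] ||` guard on the proxy ARP route replacement is dropped without a NOTCR equivalent, so a -n start now installs the route, whereas the matching cleanup in the generated stop path (the first hunk of the compiler change) is still guarded by NOTCR and skips the `ip route del`; the two sides no longer agree. If proxy ARP routes are intentionally outside the -n scope the stop-side guard should go too, otherwise reinstate it here as `emit "[ -n \"\$NOTCR\" ] || run_ip route replace $address dev $interface";`. setup_one_proxy_arp starts outside the hunk.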


@ -23,6 +23,8 @@ fi
initialize initialize
[ -n "${PRODUCT:=Shorewall}" ]
finished=0 finished=0
while [ $finished -eq 0 -a $# -gt 0 ]; do while [ $finished -eq 0 -a $# -gt 0 ]; do
@ -43,8 +45,23 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
VERBOSE=$(($VERBOSE - 1 )) VERBOSE=$(($VERBOSE - 1 ))
option=${option#q} option=${option#q}
;; ;;
t)
if [ -n "$NOTCR" ]; then
error_message "The 'n' and 't' options are mutually exclusive"
exit 1
fi
TCRONLY=Yes
option=${option#t}
PRODUCT="$PRODUCT Traffic Control and Routing"
;;
n*) n*)
NOROUTES=Yes if [ -n "$TCRONLY" ]; then
error_message "The 'n' and 't' options are mutually exclusive"
exit 1
fi
NOTCR=Yes
option=${option#n} option=${option#n}
;; ;;
*) *)
@ -62,12 +79,15 @@ done
COMMAND="$1" COMMAND="$1"
[ -n "${PRODUCT:=Shorewall}" ]
case "$COMMAND" in case "$COMMAND" in
start) start)
[ $# -ne 1 ] && usage 2 [ $# -ne 1 ] && usage 2
if shorewall_is_started; then if [ -n "$TCRONLY" ]; then
progress_message3 "Starting $PRODUCT...."
define_firewall
status=$?
progress_message3 "done."
elif shorewall6_is_started; then
error_message "$PRODUCT is already Running" error_message "$PRODUCT is already Running"
status=0 status=0
else else
@ -81,13 +101,20 @@ case "$COMMAND" in
stop) stop)
[ $# -ne 1 ] && usage 2 [ $# -ne 1 ] && usage 2
progress_message3 "Stopping $PRODUCT...." progress_message3 "Stopping $PRODUCT...."
stop_firewall if [ -n "$TCRONLY" ]; then
delete_tc1
else
stop_firewall
fi
status=0 status=0
[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
progress_message3 "done." progress_message3 "done."
;; ;;
reset) reset)
if ! shorewall_is_started ; then if [ -n "${NOTCR}$"{TCRONLY} ]; then
error_message "The -n and -t options may not be used with 'reset'"
status=1
elif ! shorewall_is_started ; then
error_message "$PRODUCT is not running" error_message "$PRODUCT is not running"
status=2 status=2
elif [ $# -eq 1 ]; then elif [ $# -eq 1 ]; then
@ -133,7 +160,10 @@ case "$COMMAND" in
;; ;;
refresh) refresh)
[ $# -ne 1 ] && usage 2 [ $# -ne 1 ] && usage 2
if shorewall_is_started; then if [ -n "${NOTCR}$"{TCRONLY} ]; then
error_message "The -n and -t options may not be used with 'refresh'"
status=1
elif shorewall_is_started; then
progress_message3 "Refreshing $PRODUCT...." progress_message3 "Refreshing $PRODUCT...."
define_firewall define_firewall
status=$? status=$?
@ -145,19 +175,29 @@ case "$COMMAND" in
;; ;;
restore) restore)
[ $# -ne 1 ] && usage 2 [ $# -ne 1 ] && usage 2
define_firewall if [ -n "${NOTCR}$"{TCRONLY} ]; then
status=$? error_message "The -n and -t options may not be used with 'restart'"
if [ -n "$SUBSYSLOCK" ]; then status=1
[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK else
fi define_firewall
status=$?
if [ -n "$SUBSYSLOCK" ]; then
[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
fi
fi
;; ;;
clear) clear)
[ $# -ne 1 ] && usage 2 [ $# -ne 1 ] && usage 2
progress_message3 "Clearing $PRODUCT...." if [ -n "${NOTCR}$"{TCRONLY} ]; then
clear_firewall error_message "The -n and -t options may not be used with 'clear'"
status=0 status=1
[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK else
progress_message3 "done." progress_message3 "Clearing $PRODUCT...."
clear_firewall
status=0
[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
progress_message3 "done."
fi
;; ;;
status) status)
[ $# -ne 1 ] && usage 2 [ $# -ne 1 ] && usage 2
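Review bot: The four new option checks written as `if [ -n "${NOTCR}$"{TCRONLY} ]; then` (reset, refresh, restore and clear cases) are misquoted as rendered here: the closing quote sits before `{TCRONLY}`, so the test word is the NOTCR value followed by a literal `$` and the text `{TCRONLY}`, which is never empty, and each of these commands will report that -n/-t may not be used even when neither option was given. The intended line is `if [ -n "${NOTCR}${TCRONLY}" ]; then`; the same four tests in the shorewall6 control script in the next section carry the same defect. In the restore case the message names 'restart' instead of 'restore'. The `t)` pattern also differs from `n*)`, so a `t` that is not the last letter of a combined option (for example `-tq`) presumably falls through to the default case; `t*)` would match the n handling. The case statement continues outside the hunk.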


@ -2,7 +2,7 @@
# Give Usage Information # Give Usage Information
# #
usage() { usage() {
echo "Usage: $0 [ -q ] [ -v ] [ -n ] [ start|stop|clear|reset|refresh|restart|status|version ]" echo "Usage: $0 [ -q ] [ -v ] [ -n ] [ -t ] [ start|stop|clear|reset|refresh|restart|status|version ]"
exit $1 exit $1
} }
################################################################################ ################################################################################
@ -43,8 +43,23 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
VERBOSE=$(($VERBOSE - 1 )) VERBOSE=$(($VERBOSE - 1 ))
option=${option#q} option=${option#q}
;; ;;
t)
if [ -n "$NOTCR" ]; then
error_message "The -n and -t options are mutually exclusive"
exit 1
fi
TCRONLY=Yes
option=${option#t}
PRODUCT="$PRODUCT Traffic Control and Routing"
;;
n*) n*)
NOROUTES=Yes if [ -n "$TCRONLY" ]; then
error_message "The -n and -t options are mutually exclusive"
exit 1
fi
NOTCR=Yes
option=${option#n} option=${option#n}
;; ;;
*) *)
@ -72,7 +87,12 @@ else
case "$COMMAND" in case "$COMMAND" in
start) start)
[ $# -ne 1 ] && usage 2 [ $# -ne 1 ] && usage 2
if shorewall6_is_started; then if [ -n "$TCRONLY" ]; then
progress_message3 "Starting $PRODUCT...."
define_firewall
status=$?
progress_message3 "done."
elif shorewall6_is_started; then
error_message "$PRODUCT is already Running" error_message "$PRODUCT is already Running"
status=0 status=0
else else
@ -86,13 +106,20 @@ else
stop) stop)
[ $# -ne 1 ] && usage 2 [ $# -ne 1 ] && usage 2
progress_message3 "Stopping $PRODUCT...." progress_message3 "Stopping $PRODUCT...."
stop_firewall if [ -n "$TCRONLY" ]; then
delete_tc1
else
stop_firewall
fi
status=0 status=0
[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
progress_message3 "done." progress_message3 "done."
;; ;;
reset) reset)
if ! shorewall6_is_started ; then if [ -n "${NOTCR}$"{TCRONLY} ]; then
error_message "The -n and -t options may not be used with 'reset'"
status=1
elif ! shorewall6_is_started ; then
error_message "$PRODUCT is not running" error_message "$PRODUCT is not running"
status=2 status=2
elif [ $# -eq 1 ]; then elif [ $# -eq 1 ]; then
@ -121,23 +148,33 @@ else
;; ;;
restart) restart)
[ $# -ne 1 ] && usage 2 [ $# -ne 1 ] && usage 2
if shorewall6_is_started; then if [ -n "$TCRONLY" ]; then
progress_message3 "Restarting $PRODUCT...." progress_message3 "Restarting $PRODUCT...."
define_firewall
status=$?
else else
error_message "$PRODUCT is not running" if shorewall6_is_started; then
progress_message3 "Starting $PRODUCT...." progress_message3 "Restarting $PRODUCT...."
else
error_message "$PRODUCT is not running"
progress_message3 "Starting $PRODUCT...."
fi
define_firewall
status=$?
if [ -n "$SUBSYSLOCK" ]; then
[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
fi
fi fi
define_firewall
status=$?
if [ -n "$SUBSYSLOCK" ]; then
[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
fi
progress_message3 "done." progress_message3 "done."
;; ;;
refresh) refresh)
[ $# -ne 1 ] && usage 2 [ $# -ne 1 ] && usage 2
if shorewall6_is_started; then if [ -n "${NOTCR}$"{TCRONLY} ]; then
error_message "The -n and -t options may not be used with 'refresh'"
status=1
elif shorewall6_is_started; then
progress_message3 "Refreshing $PRODUCT...." progress_message3 "Refreshing $PRODUCT...."
define_firewall define_firewall
status=$? status=$?
@ -149,19 +186,29 @@ else
;; ;;
restore) restore)
[ $# -ne 1 ] && usage 2 [ $# -ne 1 ] && usage 2
define_firewall if [ -n "${NOTCR}$"{TCRONLY} ]; then
status=$? error_message "The -n and -t options may not be used with 'restore'"
if [ -n "$SUBSYSLOCK" ]; then status=1
[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK else
fi define_firewall
status=$?
if [ -n "$SUBSYSLOCK" ]; then
[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
fi
fi
;; ;;
clear) clear)
[ $# -ne 1 ] && usage 2 [ $# -ne 1 ] && usage 2
progress_message3 "Clearing $PRODUCT...." if [ -n "${NOTCR}$"{TCRONLY} ]; then
clear_firewall error_message "The -n and -t options may not be used with 'restore'"
status=0 status=1
[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK else
progress_message3 "done." progress_message3 "Clearing $PRODUCT...."
clear_firewall
status=0
[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
progress_message3 "done."
fi
;; ;;
status) status)
[ $# -ne 1 ] && usage 2 [ $# -ne 1 ] && usage 2
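Review bot: In the clear case the new message reads `error_message "The -n and -t options may not be used with 'restore'"` although this is the 'clear' branch; it should name 'clear', as the IPv4 control script's clear case does. The restart rewrite is otherwise consistent with the start case, but note that the -t path of restart skips the SUBSYSLOCK update that the normal path performs, which looks intentional since -t does not touch the firewall itself. The case statement continues outside the hunk.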


@ -1611,6 +1611,19 @@ modprobe: Can't locate module iptable_raw</programlisting>
Shorewall probes your system to determine the features that it support. Shorewall probes your system to determine the features that it support.
They are completely harmless.</para> They are completely harmless.</para>
</section> </section>
<section id="faq81">
<title>(FAQ 81) logdrop and logreject don't log.</title>
<para>I love the ability to type 'shorewall logdrop ww.xx.yy.zz' and
&gt;&gt; completely block a particular IP address. However, the log part
doesn't happen. When I look in the logdrop chain, there is no LOG
prefix.</para>
<para><emphasis role="bold">Answer</emphasis>: You haven't set a value
for BLACKLIST_LOGLEVEL in <ulink
url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5).</para>
</section>
</section> </section>
<section id="Routing"> <section id="Routing">


@ -919,7 +919,9 @@
<listitem> <listitem>
<para>Causes traffic from the listed <emphasis>address</emphasis>es <para>Causes traffic from the listed <emphasis>address</emphasis>es
to be logged then discarded.</para> to be logged then discarded. Logging occurs at the log level
specified by the BLACKLIST_LOGLEVEL setting in <ulink
url="shorewall.conf.html">shorewall.conf</ulink> (5).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -946,7 +948,9 @@
<listitem> <listitem>
<para>Causes traffic from the listed <emphasis>address</emphasis>es <para>Causes traffic from the listed <emphasis>address</emphasis>es
to be logged then rejected.</para> to be logged then rejected. Logging occurs at the log level
specified by the BLACKLIST_LOGLEVEL setting in <ulink
url="shorewall.conf.html">shorewall.conf</ulink> (5).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>


@ -721,7 +721,9 @@
<listitem> <listitem>
<para>Causes traffic from the listed <emphasis>address</emphasis>es <para>Causes traffic from the listed <emphasis>address</emphasis>es
to be logged then discarded.</para> to be logged then discarded. Logging occurs at the log level
specified by the BLACKLIST_LOGLEVEL setting in <ulink
url="shorewall6.conf.html">shorewall6.conf</ulink> (5).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -748,7 +750,9 @@
<listitem> <listitem>
<para>Causes traffic from the listed <emphasis>address</emphasis>es <para>Causes traffic from the listed <emphasis>address</emphasis>es
to be logged then rejected.</para> to be logged then rejected. Logging occurs at the log level
specified by the BLACKLIST_LOGLEVEL setting in <ulink
url="shorewall6.conf.html">shorewall6.conf</ulink> (5).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>