Add DROP support in tcrules

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2013-11-04 10:50:11 -08:00 · 2013-11-04 10:50:11 -08:00 · e14d92c5ac
commit e14d92c5ac
parent 472ecc661f
3 changed files with 42 additions and 16 deletions
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@ -304,7 +304,13 @@ our  %tccmd;
 				 mark      => NOMARK,
 				 mask      => '',
 				 connmark  => 0,
-			       }
+			       },
+		   DROP =>      { match     => sub( $ ) { $_[0] eq 'DROP' },
+				 target    => 'DROP',
+				 mark      => NOMARK,
+				 mask      => '',
+				 connmark  => 0
+			       },
 		 );
    }

@ -559,7 +565,13 @@ our  %tccmd;
 					   }

 					   $cmd = '';
-				       }
+				       },
+		       DROP     => sub()
+		                       {
+					   assert ( $cmd eq 'DROP' );
+					   $target = 'DROP';
+					   $cmd = '';
+				       },
 		     );

    if ( $source ) {
--- a/Shorewall/manpages/shorewall-tcrules.xml
+++ b/Shorewall/manpages/shorewall-tcrules.xml
@ -397,6 +397,13 @@
              follow.</para>
            </listitem>

+            <listitem>
+              <para><emphasis role="bold">DROP</emphasis></para>
+
+              <para>Added in Shorewall 4.5.21.4. Causes matching packets to be
+              discarded.</para>
+            </listitem>
+
            <listitem>
              <para><emphasis
              role="bold">DSCP</emphasis>(<replaceable>dscp</replaceable>)</para>
@ -903,8 +910,8 @@ Normal-Service       =&gt; 0x00</programlisting>
          <emphasis>port range</emphasis>s; if the protocol is <emphasis
          role="bold">icmp</emphasis>, this column is interpreted as the
          destination icmp-type(s). ICMP types may be specified as a numeric
-          type, a numeric type and code separated by a slash (e.g., 3/4), or
-          a typename. See <ulink
+          type, a numeric type and code separated by a slash (e.g., 3/4), or a
+          typename. See <ulink
          url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>

          <para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
@ -1139,8 +1146,8 @@ Normal-Service       =&gt; 0x00</programlisting>
        </emphasis><emphasis>helper</emphasis></term>

        <listitem>
-          <para>Names a Netfilter protocol <firstterm>helper</firstterm> module
-          such as <option>ftp</option>, <option>sip</option>,
+          <para>Names a Netfilter protocol <firstterm>helper</firstterm>
+          module such as <option>ftp</option>, <option>sip</option>,
          <option>amanda</option>, etc. A packet will match if it was accepted
          by the named helper module.</para>

@ -1233,10 +1240,10 @@ Normal-Service       =&gt; 0x00</programlisting>
       4:T         0.0.0.0/0 0.0.0.0/0   ipp2p:all
       SAVE:T      0.0.0.0/0 0.0.0.0/0   all     -             -       -       !0</programlisting>

-          <para>If a packet hasn't been classified (packet mark is 0), copy the
-          connection mark to the packet mark. If the packet mark is set, we're
-          done. If the packet is P2P, set the packet mark to 4. If the packet
-          mark has been set, save it to the connection mark.</para>
+          <para>If a packet hasn't been classified (packet mark is 0), copy
+          the connection mark to the packet mark. If the packet mark is set,
+          we're done. If the packet is P2P, set the packet mark to 4. If the
+          packet mark has been set, save it to the connection mark.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall6/manpages/shorewall6-tcrules.xml
+++ b/Shorewall6/manpages/shorewall6-tcrules.xml
@ -402,6 +402,13 @@
              it from any rules that follow.</para>
            </listitem>

+            <listitem>
+              <para><emphasis role="bold">DROP</emphasis></para>
+
+              <para>Added in Shorewall 4.5.21.4. Causes matching packets to be
+              discarded.</para>
+            </listitem>
+
            <listitem>
              <para><emphasis
              role="bold">DSCP</emphasis>(<replaceable>dscp</replaceable>)</para>
@ -779,8 +786,8 @@ Normal-Service       =&gt; 0x00</programlisting>
          <emphasis>port range</emphasis>s; if the protocol is <emphasis
          role="bold">ipv6-icmp</emphasis>, this column is interpreted as the
          destination icmp-type(s). ICMP types may be specified as a numeric
-          type, a numeric type and code separated by a slash (e.g., 3/4), or
-          a typename. See <ulink
+          type, a numeric type and code separated by a slash (e.g., 3/4), or a
+          typename. See <ulink
          url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>

          <para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
@ -1151,10 +1158,10 @@ Normal-Service       =&gt; 0x00</programlisting>
       4         ::/0      ::/0         ipp2p:all
       SAVE      ::/0      ::/0         all     -             -       -       !0</programlisting>

-          <para>If a packet hasn't been classified (packet mark is 0), copy the
-          connection mark to the packet mark. If the packet mark is set, we're
-          done. If the packet is P2P, set the packet mark to 4. If the packet
-          mark has been set, save it to the connection mark.</para>
+          <para>If a packet hasn't been classified (packet mark is 0), copy
+          the connection mark to the packet mark. If the packet mark is set,
+          we're done. If the packet is P2P, set the packet mark to 4. If the
+          packet mark has been set, save it to the connection mark.</para>
        </listitem>
      </varlistentry>
    </variablelist>