From e14d92c5acb4af24c9265b1295d8a660e763885f Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Mon, 4 Nov 2013 10:50:11 -0800
Subject: [PATCH] Add DROP support in tcrules
Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Tc.pm | 16 +++++++++++++--
 Shorewall/manpages/shorewall-tcrules.xml | 23 ++++++++++++++--------
 Shorewall6/manpages/shorewall6-tcrules.xml | 19 ++++++++++++------
 3 files changed, 42 insertions(+), 16 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Tc.pm b/Shorewall/Perl/Shorewall/Tc.pm
index 04bcb1d89..486028f13 100644
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -304,7 +304,13 @@ our %tccmd; mark => NOMARK, mask => '', connmark => 0, - } + }, + DROP => { match => sub( $ ) { $_[0] eq 'DROP' }, + target => 'DROP', + mark => NOMARK, + mask => '', + connmark => 0 + }, ); }
@@ -559,7 +565,13 @@ our %tccmd; } $cmd = ''; - } + }, + DROP => sub() + { + assert ( $cmd eq 'DROP' ); + $target = 'DROP'; + $cmd = ''; + }, ); if ( $source ) {
diff --git a/Shorewall/manpages/shorewall-tcrules.xml b/Shorewall/manpages/shorewall-tcrules.xml
index 5f0117363..101a9da32 100644
--- a/Shorewall/manpages/shorewall-tcrules.xml
+++ b/Shorewall/manpages/shorewall-tcrules.xml
@@ -397,6 +397,13 @@ follow. + + DROP + + Added in Shorewall 4.5.21.4. Causes matching packets to be + discarded. + + DSCP(dscp)
@@ -903,8 +910,8 @@ Normal-Service => 0x00 port ranges; if the protocol is icmp, this column is interpreted as the destination icmp-type(s). ICMP types may be specified as a numeric - type, a numeric type and code separated by a slash (e.g., 3/4), or - a typename. See http://www.shorewall.net/configuration_file_basics.htm#ICMP. If the protocol is ipp2p,
@@ -1139,8 +1146,8 @@ Normal-Service => 0x00 helper - Names a Netfilter protocol helper module - such as , , + Names a Netfilter protocol helper + module such as , , , etc. A packet will match if it was accepted by the named helper module.
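Review bot: The `DROP => sub()` handler added in the second Tc.pm hunk sets `$target = 'DROP'` with no comment recording that this command discards the packet instead of marking it. tcrules end up in mangle-table chains, and on every hook the two tables share the mangle chain runs before the filter chain, so a packet dropped here is never evaluated by filter rules and leaves no trace in any logging attached to them. I would add above the handler `# DROP is a terminating verdict in the mangle table; the packet never reaches filter rules or their logging`, and put a matching one-line comment on the `%tccmd` entry in the first hunk, where `mark => NOMARK` and `mask => ''` are otherwise unexplained. The hash of handlers starts outside the hunk, so whether the code that later consumes `$target` copes with the emptied `$cmd` could not be checked from here.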
@@ -1233,10 +1240,10 @@ Normal-Service => 0x00 4:T 0.0.0.0/0 0.0.0.0/0 ipp2p:all SAVE:T 0.0.0.0/0 0.0.0.0/0 all - - - !0 - If a packet hasn't been classified (packet mark is 0), copy the - connection mark to the packet mark. If the packet mark is set, we're - done. If the packet is P2P, set the packet mark to 4. If the packet - mark has been set, save it to the connection mark. + If a packet hasn't been classified (packet mark is 0), copy + the connection mark to the packet mark. If the packet mark is set, + we're done. If the packet is P2P, set the packet mark to 4. If the + packet mark has been set, save it to the connection mark.
diff --git a/Shorewall6/manpages/shorewall6-tcrules.xml b/Shorewall6/manpages/shorewall6-tcrules.xml
index 6c30ff652..62580b8df 100644
--- a/Shorewall6/manpages/shorewall6-tcrules.xml
+++ b/Shorewall6/manpages/shorewall6-tcrules.xml
@@ -402,6 +402,13 @@ it from any rules that follow. + + DROP + + Added in Shorewall 4.5.21.4. Causes matching packets to be + discarded. + + DSCP(dscp)
@@ -779,8 +786,8 @@ Normal-Service => 0x00 port ranges; if the protocol is ipv6-icmp, this column is interpreted as the destination icmp-type(s). ICMP types may be specified as a numeric - type, a numeric type and code separated by a slash (e.g., 3/4), or - a typename. See http://www.shorewall.net/configuration_file_basics.htm#ICMP. If the protocol is ipp2p,
@@ -1151,10 +1158,10 @@ Normal-Service => 0x00 4 ::/0 ::/0 ipp2p:all SAVE ::/0 ::/0 all - - - !0 - If a packet hasn't been classified (packet mark is 0), copy the - connection mark to the packet mark. If the packet mark is set, we're - done. If the packet is P2P, set the packet mark to 4. If the packet - mark has been set, save it to the connection mark. + If a packet hasn't been classified (packet mark is 0), copy + the connection mark to the packet mark. If the packet mark is set, + we're done. If the packet is P2P, set the packet mark to 4. If the + packet mark has been set, save it to the connection mark.