Document additional parameters to standard default actions and DEFAULT in macro files

Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2011-06-22 08:05:13 -07:00
parent 62a75cb98d
commit 0d2e2a14d3
3 changed files with 59 additions and 7 deletions


@ -6,6 +6,8 @@ Changes in Shorewall 4.4.21 Beta 3
3) Rename read_action_param and change signature. 3) Rename read_action_param and change signature.
4) Add DEFAULT to macro files.
Changes in Shorewall 4.4.21 Beta 2 Changes in Shorewall 4.4.21 Beta 2
1) Implement the 'update' command. 1) Implement the 'update' command.
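Review bot: the new changelog entry "4) Add DEFAULT to macro files." does not say what DEFAULT does, so a reader of the changelog alone cannot tell it from a new macro name; consider "Add DEFAULT directive to macro files to specify a default parameter value", which matches the wording of the release notes entry added in this commit.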


@ -33,14 +33,25 @@ None.
2) FORMAT-2 actions may now specify default parameter values using the 2) FORMAT-2 actions may now specify default parameter values using the
DEFAULTS directive. DEFAULTS directive.
DEFAULTS <def1>,<def2>,... DEFAULTS <def1>,<def2>,...
Where <def1> is the default value for the first parameter, <def2> Where <def1> is the default value for the first parameter, <def2>
is the default value for the second parameter and so on. To specify is the default value for the second parameter and so on. To specify
an empty default, use '-'. an empty default, use '-'.
3) The standard Drop and Reject actions are now parameterized. Each 3) Macros may now specify a default parameter value using the DEFAULT
has three parameters: directive.
DEFAULT <default>
Example macro.Foo -- by default, accepts connections on ficticous
tcp port 'foo'.
DEFAULT ACCEPT
PARAM - - tcp foo
4) The standard Drop and Reject actions are now parameterized. Each
has 5 parameters:
1) Pass 'audit' if you want all ACCEPTs, DROPs and REJECTs audited. 1) Pass 'audit' if you want all ACCEPTs, DROPs and REJECTs audited.
Pass '-' otherwise. Pass '-' otherwise.
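Review bot: the example macro comment misspells "fictitious" ("ficticous"). The new item 3 also leaves two things unstated that the neighbouring DEFAULTS text for actions does state: whether '-' can be given to DEFAULT to mean an empty default, and what the example expands to when macro.Foo is invoked with no parameter (the PARAM line becoming "ACCEPT - - tcp foo"). A sentence after the example such as "If Foo is invoked without a parameter, the rule expands to ACCEPT" would make the semantics explicit.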
@ -62,6 +73,21 @@ None.
Reject audit A_REJECT Reject audit A_REJECT
Drop audit A_DROP Drop audit A_DROP
4) The action to be applied to accepted ICMP packets.
FIRST PARAMETER DEFAULT
- ACCEPT
audit A_ACCEPT
5) The action to be applied to UPnP (udp port 1900) and late DNS
replies (udp source port 53)
FIRST PARAMETER DEFAULT
- DROP
audit A_DROP
The parameters can be passed in the POLICY column of the policy The parameters can be passed in the POLICY column of the policy
file. file.
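Review bot: item 5 is missing its terminating period after "(udp source port 53)". Also, item 4 describes parameter 4 as applying to "accepted ICMP packets", while the documentation hunk in this same commit says "accepted critical ICMP packets"; the two should use the same wording so readers know the parameter does not affect all ICMP.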
@ -80,7 +106,7 @@ None.
DROP_DEFAULT=Drop(-,DROP) DROP_DEFAULT=Drop(-,DROP)
4) An 'update' command has been added to /sbin/shorewall and 5) An 'update' command has been added to /sbin/shorewall and
/sbin/shorewall6. The command validates the configuration and then /sbin/shorewall6. The command validates the configuration and then
updates the shorewall.conf (shorewall6.conf) file. The updated file updates the shorewall.conf (shorewall6.conf) file. The updated file
will set any new options with their default values and will move will set any new options with their default values and will move
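Review bot: the unchanged context line "DROP_DEFAULT=Drop(-,DROP)" now passes only two of the five parameters described above, but nothing in the release notes states that trailing parameters may be omitted and take their listed defaults (ACCEPT/A_ACCEPT for parameter 4, DROP/A_DROP for parameter 5). Since these actions are wired into the default policies, a one-line statement that omitted parameters 4 and 5 fall back to their defaults would avoid ambiguity about what existing DROP_DEFAULT/REJECT_DEFAULT settings now do.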
@ -95,7 +121,7 @@ None.
'-a' option that causes the updated file to be annotated with '-a' option that causes the updated file to be annotated with
documentation. documentation.
5) Shorewall6 now supports ipsets. 6) Shorewall6 now supports ipsets.
Unlike iptables, which has separate configurations for IPv4 and Unlike iptables, which has separate configurations for IPv4 and
IPv6, ipset has a single configuration that handles both. This IPv6, ipset has a single configuration that handles both. This
@ -118,7 +144,7 @@ None.
saved ipsets if SAVE_IPSETS=Yes in shorewall.conf saved ipsets if SAVE_IPSETS=Yes in shorewall.conf
(shorewall6.conf). (shorewall6.conf).
6) Shorewall6 now supports dynamic zones: 7) Shorewall6 now supports dynamic zones:
1) The nets=dynamic option is allowed in /etc/shorewall6/interfaces 1) The nets=dynamic option is allowed in /etc/shorewall6/interfaces
2) The HOSTS column of /etc/shorewall6/hosts may now contain 2) The HOSTS column of /etc/shorewall6/hosts may now contain


@ -174,7 +174,7 @@ ACCEPT - - tcp 135,139,445
</important> </important>
<para>Beginning with Shorewall 4.4.21, the standard Drop and Reject <para>Beginning with Shorewall 4.4.21, the standard Drop and Reject
options are parameterized. Each has three parameters as follows:</para> options are parameterized. Each has five parameters as follows:</para>
<informaltable> <informaltable>
<tgroup cols="4"> <tgroup cols="4">
@ -254,6 +254,30 @@ ACCEPT - - tcp 135,139,445
<entry>REJECT or A_REJECT depending on the setting of parameter <entry>REJECT or A_REJECT depending on the setting of parameter
1</entry> 1</entry>
</row> </row>
<row>
<entry>Both</entry>
<entry>4</entry>
<entry>Determines what to do with accepted critical ICMP
packets.</entry>
<entry>ACCEPT or A_ACCEPT depending on the setting of parameter
1</entry>
</row>
<row>
<entry>Both</entry>
<entry>5</entry>
<entry>Determines what to do with late-arriving DNS replies
(source port 53) or UPnP (udp port 1900).</entry>
<entry>DROP or A_DROP depending on the setting of parameter
1.</entry>
</row>
</tbody> </tbody>
</tgroup> </tgroup>
</informaltable> </informaltable>
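Review bot: punctuation is inconsistent across the new rows: the parameter-4 row ends its default entry with "1</entry>" (matching the existing parameter-3 row), while the parameter-5 row ends with "1.</entry>". In the parameter-5 description, "(source port 53)" should read "(udp source port 53)" to match the release notes and make clear that only UDP is covered, in the same way that UPnP is qualified as "(udp port 1900)".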