Document parameterized actions

2024-12-22 06:10:42 +01:00 · 2010-12-26 08:59:31 -08:00 · 2010-12-26 08:59:31 -08:00 · 31bd00e42e
commit 31bd00e42e
parent 4fdec73808
3 changed files with 44 additions and 8 deletions
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@ -1,3 +1,7 @@
+Changes in Shorewall 4.4.16 RC 1
+
+1)  Complete parameterized actions.
+
 Changes in Shorewall 4.4.16 Beta 6

 1)  Don't let root match wildcard.
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@ -1,6 +1,6 @@
 ----------------------------------------------------------------------------
                      S H O R E W A L L  4 . 4 . 1 6
-                                   R C  1
+                                B E T A  7
 ----------------------------------------------------------------------------

 I.    PROBLEMS CORRECTED IN THIS RELEASE
@ -14,6 +14,10 @@ VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES
  I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
 ----------------------------------------------------------------------------

+Beta 7
+
+None.
+
 Beta 6

 1)  Previously, the root of a wildcard name erroneously matched that
@ -120,11 +124,14 @@ Beta 1
    and in macros invoked from Actions. Additionally, Macros used in
    Actions are now free to invoke other actions.

-4)  There is now limited support for parameterized actions. Currently,
-    the parameters are only available to extensions scripts. See
+4)  There is now support for parameterized actions. The parameters are
+    available to extensions scripts. See
    http://www.shorewall.net/Actions.html#Extension for more
    information.

+    Within the action body, the parameter values are available in $1,
+    $2, etc.
+
 ----------------------------------------------------------------------------
             I V.  R E L E A S E  4 . 4  H I G H L I G H T S
 ----------------------------------------------------------------------------
--- a/docs/Actions.xml
+++ b/docs/Actions.xml
@ -224,6 +224,31 @@ ACCEPT   -              -               tcp     135,139,445

      <para>When using Shorewall 4.4.16 or later, there are no restrictions
      regarding which targets can be used within your action.</para>
+
+      <para>Additionally, it is possible to pass parameters to an action, when
+      it is invoked in the rules file or in another action.</para>
+
+      <para>Here's a trivial example:</para>
+
+      <para>/etc/shorewall/action.A:</para>
+
+      <programlisting>#TARGET        SOURCE  DEST    PROTO   DEST    SOURCE  ORIGINAL
+#                                      PORT(S) PORT(S) DEST
+FORMAT 2
+$1             -       -       tcp     80      -       1.2.3.4</programlisting>
+
+      <para>/etc/shorewall/rules:</para>
+
+      <programlisting>#TARGET        SOURCE  DEST    PROTO   DEST    SOURCE  ORIGINAL
+#                                      PORT(S) PORT(S) DEST
+
+A(REDIRECT)    net     fw</programlisting>
+
+      <para>The above is equivalent to this rule:</para>
+
+      <programlisting>#TARGET        SOURCE  DEST    PROTO   DEST    SOURCE  ORIGINAL
+#                                      PORT(S) PORT(S) DEST
+REDIRECT       net     -       tcp     80      -       1.2.3.4</programlisting>
    </section>

    <section>
@ -578,7 +603,7 @@ add_rule $chainref, '-d 224.0.0.0/4 -j DROP';
 Limit:none:SSHA,3,60   net               $FW            tcp         22</programlisting>

    <para>Using Shorewall 4.4.16 or later, you can also invoke the action this
-    way: </para>
+    way:</para>

    <programlisting>#ACTION                SOURCE            DEST           PROTO       DEST PORT(S)
 Limit(SSHA,3,60):none  net               $FW            tcp         22</programlisting>
@ -625,13 +650,13 @@ Limit(SSH,3,60):info   net               $FW            tcp         22</programl

      <programlisting>use Shorewall::Chains;

-@params = split /,/, $tag unless @params;
+@params = split( /,/, $tag ), $tag='' unless @params;

 fatal_error 'Limit rules must include &lt;list name&gt;,&lt;max connections&gt;,&lt;interval&gt; as the log tag or params' unless @params == 3;

-my $list = $tag[0];
+my $list = $params[0];

-for ( @tag[1,2] ) {
+for ( @params[1,2] ) {
    fatal_error 'Max connections and interval in Limit rules must be numeric (' . $_ . ')' unless /^\d+$/
 }

@ -641,7 +666,7 @@ add_rule $chainref, "-m recent --name $list --set";

 if ( $level ) {
    my $xchainref = new_chain 'filter' , "$chainref-&gt;{name}%";
-    log_rule_limit $level, $xchainref, $params[0], 'DROP', '', '', 'add', '';
+    log_rule_limit $level, $xchainref, $params[0], 'DROP', $tag, '', 'add', '';
    add_rule $xchainref, '-j DROP';
    add_rule $chainref,  "-m recent --name $list --update --seconds $params[2] --hitcount $count -j $xchainref-&gt;{name}";
 } else {