diff --git a/docs/Actions.xml b/docs/Actions.xml
index 70eb09cf0..8c9bd46b1 100644
--- a/docs/Actions.xml
+++ b/docs/Actions.xml
@@ -97,7 +97,7 @@ ACCEPT - - tcp 135,139,445
/etc/shorewall (or somewhere
else on your CONFIG_PATH) and modify the copy.
- Standard Actions have been largely replaced by Standard Actions were largely replaced by macros in Shorewall 3.0 and later major
versions.
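Review bot: The single `-` line in this hunk runs the old sentence ("Standard Actions have been largely replaced by") straight into the new one ("Standard Actions were largely replaced by macros in Shorewall 3.0 and later major versions") with no `+` line, so the replacement wording cannot be reviewed as written; please re-check the committed text reads as one sentence. Since the rest of this series strips pre-4.0 material, also consider whether the "Shorewall 3.0 and later major versions" qualifier is still wanted or whether "Standard Actions were largely replaced by macros." suffices.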
@@ -144,41 +144,21 @@ ACCEPT - - tcp 135,139,445
AUTH protocol of client authentication
AUTH is actually pretty silly on today's internet but it's
amazing how many servers still employ it.
- .
+
- If you are running Shorewall 3.2 or earlier, then:
+ Shorewall supports default actions for the ACCEPT, REJECT, DROP and
+ QUEUE policies. These default actions are specified in the
+ /etc/shorewall/shorewall.conf file using the ACCEPT_DEFAULT,
+ REJECT_DEFAULT, DROP_DEFAULT and QUEUE_DEFAULT options respectively.
+ Policies whose default is set to a value of "none" have no default
+ action.
-
- Shorewall provides default actions for the REJECT and DROP
- policies. The default action for REJECT is named
- Reject and the default action for DROP is named
- Drop. These associations are made through two
- entries in /usr/share/shorewall/actions.std:
-
- Drop:DROP #Default Action for DROP policy
-Reject:REJECT #Default Action for REJECT policy
-
- These may be overridden by entries in your /etc/shorewall/actions
- file.
-
-
- If you are running Shorewall 3.4 or later, then:
-
-
- Shorewall supports default actions for the ACCEPT, REJECT, DROP
- and QUEUE policies. These default actions are specified in the
- /etc/shorewall/shorewall.conf file using the ACCEPT_DEFAULT,
- REJECT_DEFAULT, DROP_DEFAULT and QUEUE_DEFAULT options respectively.
- Policies whose default is set to a value of "none" have no default
- action.
-
- In addition, the default specified in
- /etc/shorewall/shorewall.conf may be overridden by specifying a
- different default in the POLICY column of /etc/shorewall/policy.
-
+ In addition, the default specified in /etc/shorewall/shorewall.conf
+ may be overridden by specifying a different default in the POLICY column
+ of /etc/shorewall/policy.
Entries in the DROP and REJECT default actions
Limiting Per-IP Connection Rate
-
- Debian users. This feature is broken in the Debian version 3.0.7
- of Shorewall (and possibly in other versions). The file
- /usr/share/shorewall/Limit was inadvertently
- dropped from the .deb. That file may be obtained from Shorewall
- SVN and installed manually.
-
-
Beginning with Shorewall 3.0.4, Shorewall has a 'Limit' action. Limit is invoked with a comma-separated
list in place of a logging tag. The list has three elements:
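Review bot: The trailing context line "Beginning with Shorewall 3.0.4, Shorewall has a 'Limit' action" keeps a 3.x version qualifier while this hunk removes the "Shorewall 3.2 or earlier" default-action text and the Debian 3.0.7 note about the missing /usr/share/shorewall/Limit file; for consistency with the "applies to Shorewall 4.0 and later" notice added to shorewall_extension_scripts.xml in this same change, drop the qualifier ("Shorewall has a 'Limit' action. Limit is invoked with ..."). The removed block also documented that the Drop/Reject defaults live in /usr/share/shorewall/actions.std and may be overridden in /etc/shorewall/actions, whereas the retained text only mentions the shorewall.conf options and the POLICY column override; if the actions-file override still applies, keep one sentence saying so, since an administrator auditing which default action a DROP or REJECT policy actually runs needs to know every place it can be set.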
@@ -654,11 +625,10 @@ bar:debug
- The change in Shorewall 2.1.2 has an effect on extension scripts
- used with user-defined actions. If you define an action 'acton' and you
- have an /etc/shorewall/acton script then when that
- script is invoked, the following three variables will be set for use by
- the script:
+ If you define an action 'acton' and you have an
+ /etc/shorewall/acton script then when that script is
+ invoked, the following three variables will be set for use by the
+ script:
@@ -704,17 +674,18 @@ acton:info:test $FW net
- $chainref is a reference to the chain-table entry for the chain
- where your rules are to be placed.
+ $chainref is a reference to the
+ chain-table entry for the chain where your rules are to be
+ placed.
- $level is the log level. If false, no logging was
- specified.
+ $level is the log level. If
+ false, no logging was specified.
- $tag is the log tag.
+ $tag is the log tag.
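Review bot: This hunk is a pure re-wrap of the `$chainref`, `$level` and `$tag` list items with no content change; mixing whitespace-only reflows into a commit that also deletes whole sections makes the substantive removals harder to spot in review, so consider splitting the reflow into its own commit.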
diff --git a/docs/shorewall_extension_scripts.xml b/docs/shorewall_extension_scripts.xml
index 98246096c..6ecea824b 100644
--- a/docs/shorewall_extension_scripts.xml
+++ b/docs/shorewall_extension_scripts.xml
@@ -34,6 +34,12 @@
+
+ This article applies to Shorewall 4.0 and later. If you are running
+ a version of Shorewall earlier than Shorewall 4.0.0 then please see the
+ documentation for that release.
+
+
Extension Scripts
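Review bot: The new notice ("If you are running a version of Shorewall earlier than Shorewall 4.0.0 then please see the documentation for that release") gives readers no pointer to where that older documentation lives; add a link or a note that the documentation ships with each release. The same notice should also be added to docs/Actions.xml, which this change likewise strips of its 3.x-specific text (the "Shorewall 3.2 or earlier" default-action paragraph and the Debian 3.0.7 note) without telling readers of older releases where to look.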
@@ -116,11 +122,10 @@
- maclog -- (Added in Shorewall version 3.2.5) invoked while mac
- filtering rules are being created. It is invoked once for each
- interface having 'maclist' specified and it is invoked just before the
- logging rule is added to the current chain (the name of that chain
- will be in $CHAIN).
+ maclog -- invoked while mac filtering rules are being created.
+ It is invoked once for each interface having 'maclist' specified and
+ it is invoked just before the logging rule is added to the current
+ chain (the name of that chain will be in $CHAIN).
@@ -157,7 +162,7 @@ esac
output on an interface is not allowed by routestopped(8) then
the isuasable script must blow it's own holes in the firewall
- before probing.
+ before probing.
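Review bot: Since this hunk only touches the whitespace of "before probing.", fix the two typos in the surrounding context lines while here: "isuasable" should be "isusable", and "blow it's own holes" should be "blow its own holes".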
@@ -240,97 +245,8 @@ esac
-
- Shorewall versions 3.0.x and earlier
-
- If you run commands other than iptables that
- must be re-run in order to restore the firewall to its current state
- then you must save the commands to the restore
- file. The restore file is a temporary file in /var/lib/shorewall that will be renamed
- /var/lib/shorewall/restore-base at the successful
- completion of the Shorewall command. The shorewall
- save command combines
- /var/lib/shorewall/restore-base with the output of
- iptables-save to produce the
- /var/lib/shorewall/restore script.
-
- Here are three functions that are useful when running commands
- other than iptables:
-
-
-
- save_command() -- saves the
- passed command to the restore file.
-
- Example: save_command echo Operation Complete
-
- That command would simply write "echo Operation Complete" to
- the restore file.
-
-
-
- run_and_save_command() --
- saves the passed command to the restore file then executes it. The
- return value is the exit status of the command. Example:
- run_and_save_command "echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all"
-
- Note that as in this example, when the command involves file
- redirection then the entire command must be enclosed in quotes. This
- applies to all of the functions described here.
-
-
-
- ensure_and_save_command() --
- runs the passed command. If the command fails, the firewall is
- restored to its prior saved state and the operation is terminated.
- If the command succeeds, the command is written to the restore
- file
-
-
-
-
-
- Shorewall version 3.2.0 - 3.2.8
-
- When compiling your firewall configuration, Shorewall copies most
- extension scripts directly into the "compiled" program where they are
- executed in-line during processing of the start, restart and restore
- commands. When copying a script, Shorewall indents the script to match
- the surrounding code; if you have 'awk' installed on the system where
- the configuration is being compiled, Shorewall can correctly handle line
- continuation in your script ("\" as the last character on a line). If
- you do not have awk, you may not use line continuation in your scripts.
- Also beware that quoted strings continued from one line to another will
- have extra whitespace inserted as a result of indentation.
-
-
- The /etc/shorewall/params script is
- processed during compilation and
- copied into the compiled script as just described. So shell variables
- set during compilation may be used in Shorewall configuration files
- while those set at run-time are available to your other extension
- scripts. Note that if you assign dynamic values to variables, there is
- no guarantee that the value calculated at compile time will be the
- same as what is calculated at run time. This is particularly true if
- you use the shorewall compile command to compile a
- program then run that program at a later time.
-
-
-
- Extension scripts associated with a particular chain or action
- are not copied into the compiled script; they are rather processed
- directly by the compiler using the Bourne shell "." command. For
- example, if A is an action then if /etc/shorewall/A exists then it will be
- processed by the compiler rather than copied into the compiled
- script.
-
-
-
- Shorewall version 3.2.9 (3.4.0 RC2) and later
- (Shorewall-shell)
+ Shorewall-shell
When compiling your firewall configuration, Shorewall copies most
extension scripts directly into the "compiled" program where they are
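Review bot: Deleting the "Shorewall versions 3.0.x and earlier" section also deletes the only description of the `save_command`, `run_and_save_command` and `ensure_and_save_command` helpers and of the restore-file mechanics (the temporary file in /var/lib/shorewall renamed to restore-base, and `shorewall save` combining it with `iptables-save` output); if those helpers are still available to Shorewall-shell scripts in 4.0, move their descriptions into the retained "Shorewall-shell" section rather than dropping them. The `ensure_and_save_command` semantics in particular ("If the command fails, the firewall is restored to its prior saved state and the operation is terminated") are the fail-safe behaviour an administrator relies on when running non-iptables commands from extension scripts, and the quoting requirement for redirections ("echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all" must be quoted as a whole) is easy to get wrong without documentation. Likewise confirm that the retained Shorewall-shell text still carries the removed 3.2.x caveats about line continuation requiring awk and about /etc/shorewall/params values differing between compile time and run time, since the retained section opens with the same "When compiling your firewall configuration, Shorewall copies most extension scripts directly into the 'compiled' program" sentence.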
@@ -381,7 +297,7 @@ esac
- Shorewall-perl (Version 4.0.0 and later)
+ Shorewall-perl
Because the compiler is written in Perl, some of your extension
scripts from earlier versions will no longer work because Shorewall-perl
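Review bot: Dropping "(Version 4.0.0 and later)" from the Shorewall-perl heading is consistent with the 4.0-and-later notice added earlier in this file, but the retained sentence "some of your extension scripts from earlier versions will no longer work because Shorewall-perl ..." now has no version context above it; consider "some of your extension scripts written for Shorewall-shell will no longer work" so the comparison point stays clear after the heading change.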