More updates to the macro document

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2714 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2005-09-20 22:16:12 +00:00
parent ae60b56f41
commit 4309521d0c

@ -21,7 +21,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2005-09-12</pubdate> <pubdate>2005-09-20</pubdate>
<copyright> <copyright>
<year>2005</year> <year>2005</year>
@ -121,7 +121,7 @@ PARAM - - tcp 135,139,445
<listitem> <listitem>
<para>Copy /usr/share/shorewall/macro.template to <para>Copy /usr/share/shorewall/macro.template to
<filename>/etc/shorewall/macro.ActionName</filename> (for example, if <filename>/etc/shorewall/macro.MacroName</filename> (for example, if
your new macro name is <quote>Foo</quote> then copy your new macro name is <quote>Foo</quote> then copy
<filename>/usr/share/shorewall/macro.template</filename> to <filename>/usr/share/shorewall/macro.template</filename> to
<filename>/etc/shorewall/macro.Foo</filename>).</para> <filename>/etc/shorewall/macro.Foo</filename>).</para>
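Review bot: The first line of this para leaves the source path /usr/share/shorewall/macro.template as bare text, while the destination path and the repeated source path in the parenthetical are wrapped in <filename>. Wrap the first occurrence in <filename> as well so all three paths render the same way.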
@ -137,7 +137,8 @@ PARAM - - tcp 135,139,445
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>ACTION - ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE, <para>ACTION - ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
LOG, QUEUE, PARAM or an action name.</para> LOG, QUEUE, PARAM or an action name. Note that a macro may not invoke
another macro.</para>
<simplelist> <simplelist>
<member>ACCEPT - allow the connection request</member> <member>ACCEPT - allow the connection request</member>
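Review bot: The new restriction "a macro may not invoke another macro" is tacked onto the end of the sentence that enumerates the ACTION values, directly after "or an action name", where a reader scanning the list can miss it. Consider giving it its own <para> under the ACTION item so the constraint stands out from the list of permitted values.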
@ -189,9 +190,6 @@ PARAM - - tcp 135,139,445
<para>The ACTION may optionally be followed by ":" and a syslog log <para>The ACTION may optionally be followed by ":" and a syslog log
level (e.g, REJECT:info or DNAT:debug). This causes the packet to be level (e.g, REJECT:info or DNAT:debug). This causes the packet to be
logged at the specified level.</para> logged at the specified level.</para>
<para>(<ulink
url="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</ulink>).</para>
</listitem> </listitem>
<listitem> <listitem>
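Review bot: The retained sentence above the removed ulogd link still reads "(e.g, REJECT:info or DNAT:debug)", which is missing the second period in the abbreviation. Since this item is being edited anyway, change it to "e.g.," in the same commit.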
@ -404,4 +402,30 @@ bar:debug</programlisting>
</listitem> </listitem>
</orderedlist> </orderedlist>
</section> </section>
<section>
<title>How do I know if I should create an Action or a Macro?</title>
<para>While actions and macros perform similar functions, in any given
case you will generally find that one is more appropriate than the
other.</para>
<orderedlist>
<listitem>
<para>You can not associate an Extension Script with a macro <ulink
url="Actions.html#Extension">the way that you can with an
Action</ulink>. So if you need access to iptables features not
directly supported by Shorewall then you must use an action.</para>
</listitem>
<listitem>
<para>Macros are expanded in-line while each action is it's own chain.
So if there are a lot of rules involved in your new action/macro then
it is generally better to use an action than a macro. Only the packets
selected when you invoke the action are directed to the corresponding
chain. On the other hand, if there are only one or two rules involved
in what you want to do then a macro is more efficient.</para>
</listitem>
</orderedlist>
</section>
</article> </article>
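Review bot: In the second listitem of the new section, "each action is it's own chain" uses the contraction where the possessive is meant and should read "its own chain". In the first listitem, "You can not associate" would read better as "You cannot associate". The second item also switches between "action/macro" and "action" within two sentences; naming the one being recommended in each sentence would make the guidance easier to follow.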