diff --git a/Shorewall/Perl/Shorewall/Actions.pm b/Shorewall/Perl/Shorewall/Actions.pm
index d23f3b87a..20604fb00 100644
--- a/Shorewall/Perl/Shorewall/Actions.pm
+++ b/Shorewall/Perl/Shorewall/Actions.pm
@@ -437,8 +437,6 @@ sub find_logactionchain( $ ) {
fatal_error "Fatal error in find_logactionchain" unless $logactionchains{"$action:$level"};
}
-sub process_action1( $$ );
-
#
# The functions process_actions1-3() implement the three phases of action processing.
#
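Review bot: dropping the forward declaration `sub process_action1( $$ );` is only safe if process_action1 itself has been removed or is no longer called ahead of its definition, and this hunk shows neither; please confirm there is no remaining caller earlier in Actions.pm, since with the prototype gone such a call would compile without prototype checking (Perl warns "called too early to check prototype" rather than failing).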
@@ -508,7 +506,10 @@ sub process_actions1() {
while ( read_a_line ) {
my ($wholetarget, @rest ) = split_line1 1, 13, 'action file' , $rule_commands;
-
+ #
+ # When passed an action name in the first argument, process_rule_common() only
+ # deals with the target and the parameter.
+ #
process_rule_common( $action ,
$wholetarget ,
'' , # Current Param
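Review bot: the new comment explains what process_rule_common() does when given an action name, but the call site still splits the line into up to 13 columns (`split_line1 1, 13, 'action file' , $rule_commands`) and passes only `$wholetarget` with an empty Current Param; say in the comment what becomes of the remaining columns in @rest during this phase (ignored here and validated in a later phase, or rejected), otherwise a reader cannot tell whether a malformed column in an action file is caught at all in phase 1.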
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index afd6acb65..41ab9cd92 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -10,6 +10,8 @@ Changes in Shorewall 4.4.16 Beta 5
5) Allow DNAT and REDIRECT in actions.
+6) Remove kludgy restrictions regarding Macros and Actions.
+
Changes in Shorewall 4.4.16 Beta 4
1) Only issue get_params() warnings under 'trace'
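Review bot: "Remove kludgy restrictions regarding Macros and Actions" is too vague for a changelog entry that changes what the compiler accepts; name the restrictions being lifted (per the docs hunks in this patch: a macro used within an action was limited to expansions of ACCEPT, DROP, REJECT, LOG, CONTINUE or QUEUE, and MARK, CONNLIMIT and TIME had to be empty in such a macro), so that users upgrading know which previously rejected configurations now compile and can re-check them.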
diff --git a/docs/Actions.xml b/docs/Actions.xml
index 26064f2ba..d0c35c279 100644
--- a/docs/Actions.xml
+++ b/docs/Actions.xml
@@ -213,194 +213,206 @@ ACCEPT - - tcp 135,139,445
- Beginning with Shorewall 4.4.16, the columns
- in action.template are the same as those in shorewall-rules (5).
- The first non-commentary line in the template must be
+
+ Shorewall 4.4.16 and Later.
- FORMAT 2
+ Beginning with Shorewall 4.4.16, the columns in action.template
+ are the same as those in shorewall-rules (5). The first non-commentary
+ line in the template must be
- Prior to 4.4.16, columns in the action.template
- file were as follows:
+ FORMAT 2
-
-
- TARGET - Must be ACCEPT, DROP, REJECT, LOG, CONTINUE, QUEUE or
- an <action> where
- <action> is a previously-defined action
- (that is, it must precede the action being defined in this file in
- your /etc/shorewall/actions file). These actions
- have the same meaning as they do in the
- /etc/shorewall/rules file (CONTINUE terminates
- processing of the current action and returns to the point where that
- action was invoked). The TARGET may optionally be followed by a colon
- (:) and a syslog log level (e.g, REJECT:info or
- ACCEPT:debugging). This causes the packet to be logged at the
- specified level. You may also specify ULOG (must be in upper case) as
- a log level. This will log to the ULOG target for routing to a
- separate log through use of ulogd (http://www.netfilter.org/projects/ulogd/index.html).
+ When using Shorewall 4.4.16 or later, there are no restrictions
+ regarding which targets can be used within your action.
+
- You may also use a macro in
- your action provided that the macro's expansion only results in the
- ACTIONs ACCEPT, DROP, REJECT, LOG, CONTINUE, or QUEUE. See
- /usr/share/shorewall/action.Drop for an example
- of an action that users macros extensively.
-
+
+ Shorewall 4.4.15 and Earlier.
-
- SOURCE - Source hosts to which the rule applies. A
- comma-separated list of subnets and/or hosts. Hosts may be specified
- by IP or MAC address; MAC addresses must begin with ~
- and must use - as a separator.
+ Prior to 4.4.16, columns in the
+ action.template file were as follows:
- Alternatively, clients may be specified by interface name. For
- example, eth1 specifies a client that communicates with the firewall
- system through eth1. This may be optionally followed by another colon
- (:) and an IP/MAC/subnet address as described above
- (e.g., eth1:192.168.1.5).
-
+
+
+ TARGET - Must be ACCEPT, DROP, REJECT, LOG, CONTINUE, QUEUE or
+ an <action> where
+ <action> is a previously-defined action
+ (that is, it must precede the action being defined in this file in
+ your /etc/shorewall/actions file). These
+ actions have the same meaning as they do in the
+ /etc/shorewall/rules file (CONTINUE terminates
+ processing of the current action and returns to the point where that
+ action was invoked). The TARGET may optionally be followed by a
+ colon (:) and a syslog log level (e.g, REJECT:info or
+ ACCEPT:debugging). This causes the packet to be logged at the
+ specified level. You may also specify ULOG (must be in upper case)
+ as a log level. This will log to the ULOG target for routing to a
+ separate log through use of ulogd (http://www.netfilter.org/projects/ulogd/index.html).
-
- DEST - Location of Server. Same as above with the exception that
- MAC addresses are not allowed.
-
+ You may also use a macro in
+ your action provided that the macro's expansion only results in the
+ ACTIONs ACCEPT, DROP, REJECT, LOG, CONTINUE, or QUEUE. See
+ /usr/share/shorewall/action.Drop for an example
+ of an action that users macros extensively.
+
-
- PROTO - Protocol - Must be tcp,
- udp, icmp, a protocol number, or
- all.
-
+
+ SOURCE - Source hosts to which the rule applies. A
+ comma-separated list of subnets and/or hosts. Hosts may be specified
+ by IP or MAC address; MAC addresses must begin with ~
+ and must use - as a separator.
-
- DEST PORT(S) - Destination Ports. A comma-separated list of Port
- names (from /etc/services), port numbers or port
- ranges; if the protocol is icmp, this column is
- interpreted as the destination icmp-type(s).
+ Alternatively, clients may be specified by interface name. For
+ example, eth1 specifies a client that communicates with the firewall
+ system through eth1. This may be optionally followed by another
+ colon (:) and an IP/MAC/subnet address as described
+ above (e.g., eth1:192.168.1.5).
+
- A port range is expressed as <low
- port>:<high port>.
+
+ DEST - Location of Server. Same as above with the exception
+ that MAC addresses are not allowed.
+
- This column is ignored if PROTO = all, but must
- be entered if any of the following fields are supplied. In that case,
- it is suggested that this field contain -.
-
+
+ PROTO - Protocol - Must be tcp,
+ udp, icmp, a protocol number, or
+ all.
+
-
- SOURCE PORT(S) - Port(s) used by the client. If omitted, any
- source port is acceptable. Specified as a comma-separated list of port
- names, port numbers or port ranges.
+
+ DEST PORT(S) - Destination Ports. A comma-separated list of
+ Port names (from /etc/services), port numbers
+ or port ranges; if the protocol is icmp, this column
+ is interpreted as the destination icmp-type(s).
- If you don't want to restrict client ports but need to specify
- any of the subsequent fields, then place - in this
- column.
-
+ A port range is expressed as <low
+ port>:<high port>.
-
- RATE LIMIT - You may rate-limit the rule by placing a value in
- this column:
+ This column is ignored if PROTO = all, but must
+ be entered if any of the following fields are supplied. In that
+ case, it is suggested that this field contain
+ -.
+
- <rate>/<interval>[:<burst>]where
- <rate> is the number of connections per
- <interval> (sec or
- min) and <burst> is the
- largest burst permitted. If no <burst> is
- given, a value of 5 is assumed. There may be no whitespace embedded in
- the specification.
+
+ SOURCE PORT(S) - Port(s) used by the client. If omitted, any
+ source port is acceptable. Specified as a comma-separated list of
+ port names, port numbers or port ranges.
- Example: 10/sec:20
-
+ If you don't want to restrict client ports but need to specify
+ any of the subsequent fields, then place - in this
+ column.
+
-
- USER/GROUP - For output rules (those with the firewall as their
- source), you may control connections based on the effective UID and/or
- GID of the process requesting the connection. This column can contain
- any of the following:
+
+ RATE LIMIT - You may rate-limit the rule by placing a value in
+ this column:
-
- [!]<user number>[:]
+ <rate>/<interval>[:<burst>]where
+ <rate> is the number of connections per
+ <interval> (sec or
+ min) and <burst> is the
+ largest burst permitted. If no <burst> is
+ given, a value of 5 is assumed. There may be no whitespace embedded
+ in the specification.
- [!]<user name>[:]
+ Example: 10/sec:20
+
- [!]:<group number>
+
+ USER/GROUP - For output rules (those with the firewall as
+ their source), you may control connections based on the effective
+ UID and/or GID of the process requesting the connection. This column
+ can contain any of the following:
- [!]:<group name>
+
+ [!]<user number>[:]
- [!]<user
- number>:<group
- number>
+ [!]<user name>[:]
- [!]<user
- name>:<group
- number>
+ [!]:<group number>
- [!]<user
- inumber>:<group
- name>
+ [!]:<group name>
- [!]<user
- name>:<group name>
+ [!]<user
+ number>:<group
+ number>
- [!]+<program name> (Note: support
- for this form was removed from Netfilter in kernel version
- 2.6.14).
-
-
+ [!]<user
+ name>:<group
+ number>
-
- MARK
+ [!]<user
+ inumber>:<group
+ name>
-
- [!]<value>[/<mask>][:C]
-
+ [!]<user
+ name>:<group
+ name>
- Defines a test on the existing packet or connection mark. The
- rule will match only if the test returns true.
+ [!]+<program name> (Note:
+ support for this form was removed from Netfilter in kernel version
+ 2.6.14).
+
+
- If you don’t want to define a test but need to specify anything
- in the subsequent columns, place a - in this
- field.
- ! — Inverts the test (not equal)
+
+ MARK
- <value> — Value of the packet
- or connection mark.
+
+ [!]<value>[/<mask>][:C]
+
- <mask> —A mask to be applied to
- the mark before testing.
+ Defines a test on the existing packet or connection mark. The
+ rule will match only if the test returns true.
- :C — Designates a connection mark. If omitted, the packet
- mark’s value is tested. This option is only supported by
- Shorewall-perl
-
-
-
+ If you don’t want to define a test but need to specify
+ anything in the subsequent columns, place a - in this
+ field.
+ ! — Inverts the test (not equal)
- Omitted column entries should be entered using a dash
- (-).
+ <value> — Value of the packet
+ or connection mark.
- Example:
+ <mask> —A mask to be applied
+ to the mark before testing.
- /etc/shorewall/actions:
+ :C — Designates a connection mark. If omitted, the
+ packet mark’s value is tested. This option is only supported by
+ Shorewall-perl
+
+
+
- #ACTION COMMENT (place '# ' below the 'C' in comment followed by
+ Omitted column entries should be entered using a dash
+ (-).
+
+ Example:
+
+ /etc/shorewall/actions:
+
+ #ACTION COMMENT (place '# ' below the 'C' in comment followed by
# v a comment describing the action)
LogAndAccept # LOG and ACCEPT a connectionNote: If your
- /etc/shorewall/actions file doesn't have an
- indication where to place the comment, put the # in column
- 21.
+ role="bold">Note: If your
+ /etc/shorewall/actions file doesn't have an
+ indication where to place the comment, put the # in
+ column 21.
- /etc/shorewall/action.LogAndAccept LOG:info
+ /etc/shorewall/action.LogAndAccept LOG:info
ACCEPT
- Placing a comment on the line causes the comment to appear in the
- output of the shorewall show actions command.
+ Placing a comment on the line causes the comment to appear in the
+ output of the shorewall show actions command.
- To use your action, in /etc/shorewall/rules you
- might do something like:
+ To use your action, in /etc/shorewall/rules
+ you might do something like:
- #ACTION SOURCE DEST PROTO DEST PORT(S)
+ #ACTION SOURCE DEST PROTO DEST PORT(S)
LogAndAccept loc $FW tcp 22
+
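Review bot: the new 4.4.16 text "there are no restrictions regarding which targets can be used within your action" is a behavioural claim that no code change in this patch backs (the Actions.pm hunks only drop a forward declaration and add a comment), so either reference the change that lifts the check or soften the wording. Since the pre-4.4.16 text is being moved anyway, fix the typos it carries along: "users macros extensively" should read "uses macros extensively", "<user inumber>:<group name>" should be "<user number>", and the heading "Shorewall 4.4.16 and Later." has a trailing period that its counterpart in Macros.xml does not.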
diff --git a/docs/Macros.xml b/docs/Macros.xml
index 0b8890c15..c51f18b1e 100644
--- a/docs/Macros.xml
+++ b/docs/Macros.xml
@@ -277,411 +277,425 @@ ACCEPT fw loc tcp 135,139,445
- Beginning with Shorewall 4.4.16, the columns
- in macro.template are the same as those in shorewall-rules (5).
- The first non-commentary line in the template must be
+
+ Shorewall 4.4.16 and Later
- FORMAT 2
+ Beginning with Shorewall 4.4.16, the columns in macro.template are
+ the same as those in shorewall-rules (5). The first non-commentary line
+ in the template must be
- Before 4.4.16, columns in the macro.template file were as
- follows:
+ FORMAT 2
-
-
- ACTION - ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE,
- LOG, QUEUE, PARAM or an action name. Note that a macro may not invoke
- another macro.
+ There are no restrictions regarding the ACTIONs that can be
+ performed in a macro.
+
-
- ACCEPT - allow the connection request
+
+ Shorewall 4.4.15 and Earlier
- ACCEPT+ - like ACCEPT but also excludes the connection from
- any subsequent DNAT[-] or REDIRECT[-] rules.
+ Before 4.4.16, columns in the macro.template file were as
+ follows:
- NONAT - Excludes the connection from any subsequent DNAT[-]
- or REDIRECT[-] rules but doesn't generate a rule to accept the
- traffic.
+
+
+ ACTION - ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT,
+ CONTINUE, LOG, QUEUE, PARAM or an action name. Note that a macro may
+ not invoke another macro.
- DROP - ignore the request
+
+ ACCEPT - allow the connection request
- REJECT - disallow the request and return an icmp unreachable
- or an RST packet.
+ ACCEPT+ - like ACCEPT but also excludes the connection
+ from any subsequent DNAT[-] or REDIRECT[-] rules.
- DNAT - Forward the request to another address (and
- optionally another port).
+ NONAT - Excludes the connection from any subsequent
+ DNAT[-] or REDIRECT[-] rules but doesn't generate a rule to accept
+ the traffic.
- DNAT- - Advanced users only. Like DNAT but only generates
- the DNAT iptables rule and not the companion ACCEPT rule.
+ DROP - ignore the request
- SAME - Similar to DNAT except that the port may not be
- remapped and when multiple server addresses are listed, all requests
- from a given remote system go to the same server.
+ REJECT - disallow the request and return an icmp
+ unreachable or an RST packet.
- SAME- - Advanced users only. Like SAME but only generates
- the SAME iptables rule and not the companion ACCEPT rule.
+ DNAT - Forward the request to another address (and
+ optionally another port).
- REDIRECT - Redirect the request to a local port on the
- firewall.
+ DNAT- - Advanced users only. Like DNAT but only generates
+ the DNAT iptables rule and not the companion ACCEPT rule.
- REDIRECT- - Advanced users only. Like REDIRECT but only
- generates the REDIRECT iptables rule and not the companion ACCEPT
- rule.
+ SAME - Similar to DNAT except that the port may not be
+ remapped and when multiple server addresses are listed, all
+ requests from a given remote system go to the same
+ server.
- CONTINUE - (For experts only). Do not process any of the
- following rules for this (source zone,destination zone). If The
- source and/or destination If the address falls into a zone defined
- later in /etc/shorewall/zones, this connection request will be
- passed to the rules defined for that (those) zone(s).
+ SAME- - Advanced users only. Like SAME but only generates
+ the SAME iptables rule and not the companion ACCEPT rule.
- LOG - Simply log the packet and continue.
+ REDIRECT - Redirect the request to a local port on the
+ firewall.
- QUEUE - Queue the packet to a user-space application such as
- ftwall (http://p2pwall.sf.net).
-
+ REDIRECT- - Advanced users only. Like REDIRECT but only
+ generates the REDIRECT iptables rule and not the companion ACCEPT
+ rule.
- The ACTION may optionally be followed by ":" and a syslog log
- level (e.g, REJECT:info or DNAT:debug). This causes the packet to be
- logged at the specified level.
-
+ CONTINUE - (For experts only). Do not process any of the
+ following rules for this (source zone,destination zone). If The
+ source and/or destination If the address falls into a zone defined
+ later in /etc/shorewall/zones, this connection request will be
+ passed to the rules defined for that (those) zone(s).
-
- SOURCE - Source hosts to which the rule applies. A
- comma-separated list of subnets and/or hosts. Hosts may be specified
- by IP or MAC address; mac addresses must begin with ~
- and must use - as a separator.
+ LOG - Simply log the packet and continue.
- Alternatively, clients may be specified by interface name. For
- example, eth1 specifies a client that communicates with the firewall
- system through eth1. This may be optionally followed by another colon
- (:) and an IP/MAC/subnet address as described above
- (e.g. eth1:192.168.1.5).
+ QUEUE - Queue the packet to a user-space application such
+ as ftwall (http://p2pwall.sf.net).
+
- May also contain 'DEST' as described above.
-
+ The ACTION may optionally be followed by ":" and a syslog log
+ level (e.g, REJECT:info or DNAT:debug). This causes the packet to be
+ logged at the specified level.
+
-
- DEST - Location of Server. Same as above with the exception that
- MAC addresses are not allowed.
+
+ SOURCE - Source hosts to which the rule applies. A
+ comma-separated list of subnets and/or hosts. Hosts may be specified
+ by IP or MAC address; mac addresses must begin with ~
+ and must use - as a separator.
- Unlike in the SOURCE column, you may specify a range of up to
- 256 IP addresses using the syntax <first
- ip>-<last ip>.
+ Alternatively, clients may be specified by interface name. For
+ example, eth1 specifies a client that communicates with the firewall
+ system through eth1. This may be optionally followed by another
+ colon (:) and an IP/MAC/subnet address as described
+ above (e.g. eth1:192.168.1.5).
- May also contain 'SOURCE' as described above.
-
+ May also contain 'DEST' as described above.
+
-
- PROTO - Protocol - Must be tcp,
- udp, icmp, a number, or
- all.
-
+
+ DEST - Location of Server. Same as above with the exception
+ that MAC addresses are not allowed.
-
- DEST PORT(S) - Destination Ports. A comma-separated list of Port
- names (from /etc/services), port numbers or port
- ranges; if the protocol is icmp, this column is
- interpreted as the destination icmp-type(s).
+ Unlike in the SOURCE column, you may specify a range of up to
+ 256 IP addresses using the syntax <first
+ ip>-<last ip>.
- A port range is expressed as <low
- port>:<high port>.
+ May also contain 'SOURCE' as described above.
+
- This column is ignored if PROTOCOL = all but must be entered if
- any of the following fields are supplied. In that case, it is
- suggested that this field contain -.
+
+ PROTO - Protocol - Must be tcp,
+ udp, icmp, a number, or
+ all.
+
- If your kernel contains multi-port match support, then only a
- single Netfilter rule will be generated if in this list and in the
- CLIENT PORT(S) list below:
+
+ DEST PORT(S) - Destination Ports. A comma-separated list of
+ Port names (from /etc/services), port numbers
+ or port ranges; if the protocol is icmp, this column
+ is interpreted as the destination icmp-type(s).
-
-
- There are 15 or less ports listed.
-
+ A port range is expressed as <low
+ port>:<high port>.
-
- No port ranges are included.
-
-
+ This column is ignored if PROTOCOL = all but must be entered
+ if any of the following fields are supplied. In that case, it is
+ suggested that this field contain -.
- Otherwise, a separate rule will be generated for each
- port.
-
+ If your kernel contains multi-port match support, then only a
+ single Netfilter rule will be generated if in this list and in the
+ CLIENT PORT(S) list below:
-
- SOURCE PORT(S) - Port(s) used by the client. If omitted, any
- source port is acceptable. Specified as a comma-separated list of port
- names, port numbers or port ranges.
-
- If you don't want to restrict client ports but need to specify
- an ADDRESS in the next column, then place "-" in this column.
-
- If your kernel contains multi-port match support, then only a
- single Netfilter rule will be generated if in this list and in the
- DEST PORT(S) list above:
-
-
-
- There are 15 or less ports listed.
-
-
-
- No port ranges are included.
-
-
-
- Otherwise, a separate rule will be generated for each
- port.
-
-
-
- ORIGINAL DEST (Shorewall-perl 4.2.0 and later)
-
- To use this column, you must include 'FORMAT 2' as the first
- non-comment line in your macro file.
-
- If ACTION is DNAT[-] or REDIRECT[-] then if this column is
- included and is different from the IP address given in the DEST
- column, then connections destined for that address will be forwarded
- to the IP and port specified in the DEST column.
-
- A comma-separated list of addresses may also be used. This is
- most useful with the REDIRECT target where you want to redirect
- traffic destined for particular set of hosts. Finally, if the list of
- addresses begins with "!" (exclusion) then the rule will be followed
- only if the original destination address in the connection request
- does not match any of the addresses listed.
-
- For other actions, this column may be included and may contain
- one or more addresses (host or network) separated by commas. Address
- ranges are not allowed. When this column is supplied, rules are
- generated that require that the original destination address matches
- one of the listed addresses. This feature is most useful when you want
- to generate a filter rule that corresponds to a DNAT- or REDIRECT-
- rule. In this usage, the list of addresses should not begin with
- "!".
-
- It is also possible to specify a set of addresses then exclude
- part of those addresses. For example, 192.168.1.0/24!192.168.1.16/28
- specifies the addresses 192.168.1.0-182.168.1.15 and
- 192.168.1.32-192.168.1.255. See shorewall-exclusion(5).
-
- See http://shorewall.net/PortKnocking.html
- for an example of using an entry in this column with a user-defined
- action rule.
-
-
-
- RATE LIMIT - You may rate-limit the rule by placing a value in
- this column:
-
- <rate>/<interval>[:<burst>]where
- <rate> is the number of connections per
- <interval> (sec or
- min) and <burst> is the
- largest burst permitted. If no <burst> is
- given, a value of 5 is assumed. There may be no whitespace embedded in
- the specification.
-
- Example: 10/sec:20
-
-
-
- USER/GROUP - For output rules (those with the firewall as their
- source), you may control connections based on the effective UID and/or
- GID of the process requesting the connection. This column can contain
- any of the following:
-
-
- [!]<user number>[:]
-
- [!]<user name>[:]
-
- [!]:<group number>
-
- [!]:<group name>
-
- [!]<user
- number>:<group
- number>
-
- [!]<user
- name>:<group
- number>
-
- [!]<user
- inumber>:<group
- name>
-
- [!]<user
- name>:<group name>
-
- [!]+<program name> (Note: support
- for this form was removed from Netfilter in kernel version
- 2.6.14).
-
-
-
-
- MARK - (Added in Shorewall-4.4.2) Defines a test on the existing
- packet or connection mark. The rule will match only if the test
- returns true. Must be empty or '-' if the macro is to be used within
- an action.
-
- [!]value[/mask][:C]
-
-
-
- !
+
+
+ There are 15 or less ports listed.
+
- Inverts the test (not equal)
+ No port ranges are included.
-
+
-
- value
+ Otherwise, a separate rule will be generated for each
+ port.
+
+
+
+ SOURCE PORT(S) - Port(s) used by the client. If omitted, any
+ source port is acceptable. Specified as a comma-separated list of
+ port names, port numbers or port ranges.
+
+ If you don't want to restrict client ports but need to specify
+ an ADDRESS in the next column, then place "-" in this column.
+
+ If your kernel contains multi-port match support, then only a
+ single Netfilter rule will be generated if in this list and in the
+ DEST PORT(S) list above:
+
+
+
+ There are 15 or less ports listed.
+
- Value of the packet or connection mark.
+ No port ranges are included.
-
+
-
- mask
+ Otherwise, a separate rule will be generated for each
+ port.
+
-
- A mask to be applied to the mark before testing.
-
-
+
+ ORIGINAL DEST (Shorewall-perl 4.2.0 and later)
-
- :C
+ To use this column, you must include 'FORMAT 2' as the first
+ non-comment line in your macro file.
-
- Designates a connection mark. If omitted, the # packet
- mark's value is tested.
-
-
-
-
+ If ACTION is DNAT[-] or REDIRECT[-] then if this column is
+ included and is different from the IP address given in the DEST
+ column, then connections destined for that address will be forwarded
+ to the IP and port specified in the DEST column.
-
- CONNLIMIT - (Added in Shorewall-4.4.2) Must be empty or '-' if
- the macro is to be used within an action.
+ A comma-separated list of addresses may also be used. This is
+ most useful with the REDIRECT target where you want to redirect
+ traffic destined for particular set of hosts. Finally, if the list
+ of addresses begins with "!" (exclusion) then the rule will be
+ followed only if the original destination address in the connection
+ request does not match any of the addresses listed.
- [!]limit[:mask]
+ For other actions, this column may be included and may contain
+ one or more addresses (host or network) separated by commas. Address
+ ranges are not allowed. When this column is supplied, rules are
+ generated that require that the original destination address matches
+ one of the listed addresses. This feature is most useful when you
+ want to generate a filter rule that corresponds to a DNAT- or
+ REDIRECT- rule. In this usage, the list of addresses should not
+ begin with "!".
- May be used to limit the number of simultaneous connections from
- each individual host to limit connections. Requires connlimit match in
- your kernel and iptables. While the limit is only checked on rules
- specifying CONNLIMIT, the number of current connections is calculated
- over all current connections from the SOURCE host. By default, the
- limit is applied to each host but can be
- made to apply to networks of hosts by specifying a
- mask. The mask specifies the width of a
- VLSM mask to be applied to the source address; the number of current
- connections is then taken over all hosts in the subnet
- source-address/mask.
- When ! is specified, the rule matches when the number of connection
- exceeds the limit.
-
+ It is also possible to specify a set of addresses then exclude
+ part of those addresses. For example, 192.168.1.0/24!192.168.1.16/28
+ specifies the addresses 192.168.1.0-182.168.1.15 and
+ 192.168.1.32-192.168.1.255. See shorewall-exclusion(5).
-
- TIME - (Added in Shorewall-4.4.2) Must be empty or '-' if the
- macro is to be used within an action.
+ See http://shorewall.net/PortKnocking.html
+ for an example of using an entry in this column with a user-defined
+ action rule.
+
- <timeelement>[&...]
+
+ RATE LIMIT - You may rate-limit the rule by placing a value in
+ this column:
- timeelement may be:
+ <rate>/<interval>[:<burst>]where
+ <rate> is the number of connections per
+ <interval> (sec or
+ min) and <burst> is the
+ largest burst permitted. If no <burst> is
+ given, a value of 5 is assumed. There may be no whitespace embedded
+ in the specification.
-
-
- timestart=hh:mm[:ss]
+ Example: 10/sec:20
+
-
- Defines the starting time of day.
-
-
+
+ USER/GROUP - For output rules (those with the firewall as
+ their source), you may control connections based on the effective
+ UID and/or GID of the process requesting the connection. This column
+ can contain any of the following:
-
- timestop=hh:mm[:ss]
+
+ [!]<user number>[:]
-
- Defines the ending time of day.
-
-
+ [!]<user name>[:]
-
- utc
+ [!]:<group number>
-
- Times are expressed in Greenwich Mean Time.
-
-
+ [!]:<group name>
-
- localtz
+ [!]<user
+ number>:<group
+ number>
-
- Times are expressed in Local Civil Time (default).
-
-
+ [!]<user
+ name>:<group
+ number>
-
- weekdays=ddd[,ddd]...
+ [!]<user
+ inumber>:<group
+ name>
-
- where ddd is one of
- , ,
- , ,
- , or
-
-
-
+ [!]<user
+ name>:<group
+ name>
-
- monthdays=dd[,dd],...
+ [!]+<program name> (Note:
+ support for this form was removed from Netfilter in kernel version
+ 2.6.14).
+
+
-
- where dd is an ordinal day of
- the month
-
-
+
+ MARK - (Added in Shorewall-4.4.2) Defines a test on the
+ existing packet or connection mark. The rule will match only if the
+ test returns true. Must be empty or '-' if the macro is to be used
+ within an action.
-
- datestart=yyyy[-mm[-dd[hh[:mm[:ss]]]]]
+ [!]value[/mask][:C]
-
- Defines the starting date and time.
-
-
+
+
+ !
-
- datestop=yyyy[-mm[-dd[hh[:mm[:ss]]]]]
+
+ Inverts the test (not equal)
+
+
-
- Defines the ending date and time.
-
-
-
-
-
+
+ value
- Omitted column entries should be entered using a dash ("-:).
+
+ Value of the packet or connection mark.
+
+
- Example:
+
+ mask
- /etc/shorewall/macro.LogAndAccept LOG:info
+
+ A mask to be applied to the mark before testing.
+
+
+
+
+ :C
+
+
+ Designates a connection mark. If omitted, the # packet
+ mark's value is tested.
+
+
+
+
+
+
+ CONNLIMIT - (Added in Shorewall-4.4.2) Must be empty or '-' if
+ the macro is to be used within an action.
+
+ [!]limit[:mask]
+
+ May be used to limit the number of simultaneous connections
+ from each individual host to limit connections. Requires connlimit
+ match in your kernel and iptables. While the limit is only checked
+ on rules specifying CONNLIMIT, the number of current connections is
+ calculated over all current connections from the SOURCE host. By
+ default, the limit is applied to each
+ host but can be made to apply to networks of hosts by specifying a
+ mask. The mask specifies the width of a
+ VLSM mask to be applied to the source address; the number of current
+ connections is then taken over all hosts in the subnet
+ source-address/mask.
+ When ! is specified, the rule matches when the number of connection
+ exceeds the limit.
+
+
+
+ TIME - (Added in Shorewall-4.4.2) Must be empty or '-' if the
+ macro is to be used within an action.
+
+ <timeelement>[&...]
+
+ timeelement may be:
+
+
+
+ timestart=hh:mm[:ss]
+
+
+ Defines the starting time of day.
+
+
+
+
+ timestop=hh:mm[:ss]
+
+
+ Defines the ending time of day.
+
+
+
+
+ utc
+
+
+ Times are expressed in Greenwich Mean Time.
+
+
+
+
+ localtz
+
+
+ Times are expressed in Local Civil Time
+ (default).
+
+
+
+
+ weekdays=ddd[,ddd]...
+
+
+ where ddd is one of
+ , ,
+ , ,
+ , or
+
+
+
+
+
+ monthdays=dd[,dd],...
+
+
+ where dd is an ordinal day of
+ the month
+
+
+
+
+ datestart=yyyy[-mm[-dd[hh[:mm[:ss]]]]]
+
+
+ Defines the starting date and time.
+
+
+
+
+ datestop=yyyy[-mm[-dd[hh[:mm[:ss]]]]]
+
+
+ Defines the ending date and time.
+
+
+
+
+
+
+ Omitted column entries should be entered using a dash
+ ("-:).
+
+ Example:
+
+ /etc/shorewall/macro.LogAndAccept LOG:info
ACCEPT
- To use your macro, in /etc/shorewall/rules you
- might do something like:
+ To use your macro, in /etc/shorewall/rules
+ you might do something like:
- #ACTION SOURCE DEST PROTO DEST PORT(S)
+ #ACTION SOURCE DEST PROTO DEST PORT(S)
LogAndAccept loc $FW tcp 22
+
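Review bot: "There are no restrictions regarding the ACTIONs that can be performed in a macro" leaves open two questions the relocated text raises: whether a macro may now invoke another macro (the "a macro may not invoke another macro" note now appears only under 4.4.15 and Earlier), and whether MARK, CONNLIMIT and TIME still must be '-' when the macro is used inside an action; state both explicitly in the 4.4.16 section. The moved text also carries defects worth fixing while it moves: the garbled CONTINUE sentence "If The source and/or destination If the address falls into a zone", the address range "192.168.1.0-182.168.1.15" (should end in 192.168.1.15), "the # packet mark's value" (stray #), "number of connection exceeds" (connections), the unbalanced quote in ("-:), and the weekdays list whose day names are empty.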